Can't write data on FlexNT

Hey!

I got my FlexNT installed little over a month ago and it has been working great for the past month. I just tried to add my medical records to my tag in the first order of my records to test it out. I’ve been using NFC Tools PRO. After writing that to my tag I tried to test it and it didn’t do anything so I moved it down on the list and tried to write again to it and get error. I tried to write it multiple times and even remove the record but it didn’t do anything. Then I tried to erase the tag and got the error from that also. Then switched to taginfo to see if there’s any data on my tag and seems that there’s no NDEF data but I could see it in a full scan that there was some data. I managed to format the tag using the format memory option on the Tools Pro app and after that I didn’t see my data anymore on the full scan. But it still doesn’t let me write any data to it. I also tried to add data via tagwriter and format it. It won’t let me erase & format as NDEF and gives me error on it. The Erase to factory default option seems to work but doesn’t do anything. I’ve changed my lock bits and wrote them up so I don’t think I’ve bricked my device but any help would be much needed. I’ve only used this implant with my phone (OnePlus 8 Pro). I also have proxmark3 if that’s helpful in this.

How much data are you trying to write? Is there a chance you overflowed the available space?

I’m not completely sure how much exactly but I’m quite confident that it was below 500 bytes for the whole set of data. Two youtube links, wifi record, simple vcard record (name and number) and the medical info (emergency contact and organ donor settings set).

Hi @shadowtux could we please get a full scan of your flexNT using NXP TagInfo, with UID redacted if you’d like to keep that private?

I’m quite sure I redacted the UID right even tho I’m not using it for anything.

** TagInfo scan (version 4.24.7) 2021-07-10 01:38:50 **
Report Type: External

– IC INFO ------------------------------

IC manufacturer:

Unknown Manufacturer

IC type:

Unknown Mifare class IC, possibly cloned

Applications:

Multi-application card
Card publisher sector: 1

  • NFC applications
    • NXP Semiconductors

– NDEF ------------------------------

No NDEF data storage populated:

– EXTRA ------------------------------

Memory size:

1 kB

  • 16 sectors, with 4 blocks per sector
  • 64 blocks, with 16 bytes per block

Application Directory:

CRC sector 0: OK
Application classes:

DIR NDEF NDEF NDEF NDEF NDEF NDEF NDEF
NDEF NDEF NDEF NDEF NDEF NDEF NDEF NDEF

– FULL SCAN ------------------------------

Technologies supported:

ISO/IEC 14443-3 (Type A) compatible

Android technology information:

Tag description:

  • TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareClassic, android.nfc.tech.NdefFormatable]
  • Maximum transceive length: 253 bytes
  • Default maximum transceive time-out: 618 ms

Detailed protocol information:

ID: ID
ATQA: 0x0400
SAK: 0x08

Memory content:

Sector 0 (0x00)
[00] r-- UID |…m4b…bcdefghi|
[01] rW- 14 01 03 E1 03 E1 03 E1 03 E1 03 E1 03 E1 03 E1 |…|
[02] rW- 03 E1 03 E1 03 E1 03 E1 03 E1 03 E1 03 E1 03 E1 |…|
[03] WXW A0:A1:A2:A3:A4:A5 78:77:88 C1 XX:XX:XX:XX:XX:XX
MAD access key (unknown key)

Sector 1 (0x01)
[04] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[05] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[06] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[07] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 2 (0x02)
[08] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[09] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[0A] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[0B] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 3 (0x03)
[0C] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[0D] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[0E] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[0F] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 4 (0x04)
[10] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[11] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[12] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[13] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 5 (0x05)
[14] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[15] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[16] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[17] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 6 (0x06)
[18] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[19] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[1A] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[1B] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 7 (0x07)
[1C] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[1D] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[1E] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[1F] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 8 (0x08)
[20] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[21] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[22] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[23] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 9 (0x09)
[24] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[25] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[26] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[27] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 10 (0x0A)
[28] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[29] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[2A] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[2B] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 11 (0x0B)
[2C] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[2D] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[2E] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[2F] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 12 (0x0C)
[30] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[31] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[32] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[33] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 13 (0x0D)
[34] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[35] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[36] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[37] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 14 (0x0E)
[38] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[39] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3A] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3B] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

Sector 15 (0x0F)
[3C] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3D] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3E] rwi 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…|
[3F] WXW XX:XX:XX:XX:XX:XX 7F:07:88 40 FF:FF:FF:FF:FF:FF
(unknown key) Factory default key

r/R=read, w/W=write, i/I=increment,
d=decr/transfer/restore, x=r+w, X=R+W
data block: r/w/i/d:key A|B, R/W/I:key B only,
I/i implies d, *=value block
trailer (order: key A, AC, key B): r/w:key A,
W:key B, R:key A|B, (r)=readable key
AC: W implies R+r, R implies r


Huh, that looks like it’s a flexM1, not a flexNT… Sure it was a flexNT?

According to my installer and what I could remember seeing before it got installed it was FlexNT. I was supposed to get NExT but dangerous things had sent my installer FlexNT so I got that installed and he had xEM extra also so got that also same time. This was installed in the only Finnish body modification partner that dangerous things has here.

I have to confirm this tomorrow with my installer but I’m sure that we had been talking about FlexNT for the whole time. If it’s the M1 I would be able to clone my public transport card to this that I’ve been eyeing little bit tho. If it happens to be the FlexM1 would it make a difference for a basic tag scanning applications compared to FlexNT?

yes it would… the Mifare chip type is not NFC compliant and it’s only supported on some phones. Additionally it looks like somehow the access bits for each sector were altered, making key A unreadable. Something seriously wrong has happened here… possibly the wrong implant, and now something very strange has happened to it to change key A on every sector.

Got the confirmation form my installer that it’s flexNT.

Its the only implant that DT sell that looks like this

Yup. That’s the one.

1 Like

Weird, that full scan from TagInfo really looks like it’s a Mifare Classic chip. Any chance you could run hf 14a info / hf search on a proxmark?

Yeah. I get home in a few hours so I give the results then what comes up.

Both return this which confirms the weirdness with the chip.

[usb] pm3 → hf 14a info

[+] UID: UID
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] POSSIBLE TYPE: MIFARE Classic 1K / Classic 1K CL2
[+] POSSIBLE TYPE: MIFARE Plus 2K / Plus EV1 2K
[+] POSSIBLE TYPE: MIFARE Plus CL2 2K / Plus CL2 EV1 2K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: weak

UID redacted tho

So a flexNT thats scanning as a mifar chip :thinking:

How many bytes is the uid?

ID has like this A1:B2:C3:44
and on the sector 0 it says the longer form of the same A1 B2 C3 44 55 66 77 88

That is a flexM1 magic 1k chip for sure… you can tell by the sequential ID… so strange. The good news is a proxmark3 should be able to wipe it back to defaults.

1 Like

Or could it have been one like this?

Oh right… At least some good news. Seems like I’ll be ordering myself the chips from you guys.

How do I recover the chip?