Changing info on a password protected NExT implant

Hello, I have recently got my NExT implanted, set my contact onto it with the NFC Tools app. Since I was unable to set a password onto it, I dug around and found out that the default password is either FFFFFFFF or 4E457854 (I don’t remember which one it was, but I could write onto the chip indiscriminately). So after setting up the contact I used TagWriter to set a password to 69696969, but now I can’t seem to be able to change it to anything else and I don’t know how to rewrite the info. Any ideas?

I thought I did the same but I was still able to write to it. Are you totally unable to write? The NExT product page says (if you scroll down and expand “NTAG Chip Security”)

Regardless of what some NFC smartphone apps indicate, it is not possible to remove or disable the password, it is only possible to set the password to the factory default hexadecimal value of 0xFF 0xFF 0xFF 0xFF. If the password is not changed, and is set to the factory default, then anyone could easily authenticate, change your password, then write data or change protection options for your chip implant to lock you out of your own chip. Because of this, we set a default password value of 0x44 0x4E 0x47 0x52 which is ASCII code for DNGR (some older batches of NExT chips have the password 0x4E 0x45 0x78 0x54 which is the ASCII code for NExT).

1 Like

Nope, writing fails, when I tried to add information instead of rewriting, it just said that some parts of it are password protected.


I can see from the screenshot that you changed the protected memory space from only the configuration bytes to the entire user memory. You can see the AUTH0 byte now has a value of 04 which means password protect all memory pages from 04 down.

You’ll need the correct password in order to make any changes to any part of the memory. If tagwriter is not working correctly to update information on the ntag216 then it is very likely a tagwriter bug. That team does their best but there are still bugs that crop up from time to time.

So what do you suggest? Should I just wait for a possible fix, or is there a way to fix it with proxmark3 easy?

Edit: I have managed to change my password to FFFFFFFF, but when I try to write anything on it it still says “Store failed” and the AUTH0 still has a value of 04.

I am assuming that you poked around with the password options in NFC Tools and possibly TagWriter, telling both apps that this tag has a password that does not match FF FF FF FF. So when TagWriter is attempting to authenticate so it can write changes, it is supplying the wrong password and failing. Check that you either clear out cached passwords from NFC Tools and TagWriter or set them to FF FF FF FF and it should work.

If that doesn’t work, then you have to deal directly with the NTAG216 by sending commands. You can use NFC Shell to do this;

Send the following lines in NFC Shell;

1B FF FF FF FF
A2 E3 04 00 00 E3

The first line sends PWD_AUTH command (1B) followed by the password. The second line writes the AUTH0 byte back to E3 so only the configuration data pages are password protected. After that you should be able to write normally to the user memory.

Tap send button…

Tap implant to phone

3 Likes

Will this tool from NFC Tools work too? I am unable to download NFC Shell

I don’t know how to issue multiple commands at the same time using NFC tools. You need to authenticate and then perform the write command during the same session (same tap). But yeah if you can issue multiple commands in a row per tap then it should work.

2 Likes

Great, thank you very much, everything works as it should now. Also, I found out that you can issue multiple commands in, as long as you separate them with a comma (1BFFFFFFFF,A2E3040000E3).

5 Likes

yay!

1 Like