Hello, I have recently got my NExT implanted, set my contact onto it with the NFC Tools app. Since I was unable to set a password onto it, I dug around and found out that the default password is either FFFFFFFF or 4E457854 (I don’t remember which one it was, but I could write onto the chip indiscriminately). So after setting up the contact I used TagWriter to set a password to 69696969, but now I can’t seem to be able to change it to anything else and I don’t know how to rewrite the info. Any ideas?
I thought I did the same but I was still able to write to it. Are you totally unable to write? The NExT product page says (if you scroll down and expand “NTAG Chip Security”)
Regardless of what some NFC smartphone apps indicate, it is not possible to remove or disable the password, it is only possible to set the password to the factory default hexadecimal value of 0xFF 0xFF 0xFF 0xFF. If the password is not changed, and is set to the factory default, then anyone could easily authenticate, change your password, then write data or change protection options for your chip implant to lock you out of your own chip. Because of this, we set a default password value of 0x44 0x4E 0x47 0x52 which is ASCII code for DNGR (some older batches of NExT chips have the password 0x4E 0x45 0x78 0x54 which is the ASCII code for NExT).
Nope, writing fails. When I tried to add information instead of rewriting, it just said that some parts of it are password protected.
I can see from the screenshot that you changed the protected memory space from only the configuration bytes to the entire user memory. You can see the AUTH0 byte now has a value of 04 which means password protect all memory pages from 04 down.
You’ll need the correct password in order to make any changes to any part of the memory. If tagwriter is not working correctly to update information on the ntag216 then it is very likely a tagwriter bug. That team does their best but there are still bugs that crop up from time to time.
So what do you suggest? Should I just wait for a possible fix, or is there a way to fix it with proxmark3 easy?
Edit: I have managed to change my password to FFFFFFFF, but when I try to write anything on it it still says “Store failed” and the AUTH0 still has a value of 04.
I am assuming that you poked around with the password options in NFC Tools and possibly TagWriter, telling both apps that this tag has a password that does not match FF FF FF FF. So when TagWriter is attempting to authenticate so it can write changes, it is supplying the wrong password and failing. Check that you either clear out cached passwords from NFC Tools and TagWriter or set them to FF FF FF FF and it should work.
If that doesn’t work, then you have to deal directly with the NTAG216 by sending commands. You can use NFC Shell to do this;
https://play.google.com/store/apps/details?id=com.emutag.nfcshell&hl=en_US&gl=US
Send the following lines in NFC Shell;
1B FF FF FF FF
A2 E3 04 00 00 E3
The first line sends PWD_AUTH command (1B) followed by the password. The second line writes the AUTH0 byte back to E3 so only the configuration data pages are password protected. After that you should be able to write normally to the user memory.
Tap send button…
Tap implant to phone
Will this tool from NFC Tools work too? I am unable to download NFC Shell
I don’t know how to issue multiple commands at the same time using NFC tools. You need to authenticate and then perform the write command during the same session (same tap). But yeah if you can issue multiple commands in a row per tap then it should work.
Great, thank you very much, everything works as it should now. Also, I found out that you can issue multiple commands in, as long as you separate them with a comma (1BFFFFFFFF,A2E3040000E3).
yay!
Sorry for the comment on an old post but I'm running into a similar issue when trying to use the Flipper Zero. I was able to send the commands to change the AUTH0 bit to E3 but when I try to write to the tag with the Flipper it says that it can't due to password protection. Any ideas as to why that might be happening?
Your config looks correct to me. Bug in the flipper script / program not parsing things correctly? It’s probably erroring based on parsing not on actually attempting to write. Try writing / updating with your phone … should work.
@amal I used the format memory option in NFC tools and now E0 on my NExT is 0’d out. Can I use the following in NFC Shell or RawNFC to apply the NExT password again?
1B 4E 45 78 54
A2 E3 04 00 00 E3
E0 and E1 are just normal user memory pages but due to quirks of how the capability container works and Android, iPhone, and basically every mobile phone OS not properly respecting the standard for calculating available memory pages, those two pages are basically orphaned. I just decided to put the word NExT in there. It doesn’t do anything really.
The commands you listed above will authenticate (1B) with the factory default password. The next command writes page E3 which sets some config bytes including the AUTH0 byte, but has nothing to do with changing the password.
Do you think somehow the password got reset to factory default?
Ahhh, that makes sense. I think the format memory option just erased that E1 block. I need to read the datasheet again, it’s been a while.
I was able to verify with RawNFC. Using the Dangerous Things specific password for the NExT gives me an output 0000. I’m guessing that means it successfully authenticated.
if the PAK wasn’t changed from factory default 00 00 then yep that’s correct
Say my current password was FF FF FF FF.
Would this change the password to “NExT”?
1B FF FF FF FF
A2 E5 4E 45 78 54
Yes, absolutely. The AUTH0 byte in page E3 controls which memory pages are affected by password authentication. If it is set to E3, as is our default setting we set during manufacturing, then to modify (write) to page E3 or lower (E4, E5, etc.) you must authenticate first. If you set AUTH0 to say 04 then you would need to authenticate before you can write to any user memory page (page 04 on down). The password is basically whatever 4 bytes exist in page E5, so this means you must authenticate before you can change the content of page E5, thus changing the password. Funny enough, if you change AUTH0 to FF or some page that is lower than the last actual memory page, then the password becomes irrelevant. You could directly write to page E5 without needing to first authenticate, because AUTH0 being set to FF dictates that page E5 is not password protected.
So yes, 1B authenticates with the default FF FF FF FF password and A2 writes to page E5 with 4E 45 78 54, effectively changing the password from default.
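The AUTH0 behaviour discussed in this thread, as an added example that is not part of any post above: a simplified Python model of NTAG216 write protection that replays the thread's raw command lines. The class and function names, the "ACK"/"NAK" reply strings and the sample user-page data are assumptions made for illustration; only the command bytes and page numbers come from the thread.

```python
# Added example: simplified NTAG216 password-protection model (not vendor code).
# Assumptions: write protection only (PROT=0); AUTHLIM, read protection, lock
# bytes and the read-only UID pages are not modelled.
CFG0, PWD, PACK, LAST_PAGE = 0xE3, 0xE5, 0xE6, 0xE6  # AUTH0 is byte 3 of CFG0


class Ntag216Model:
    def __init__(self, password, auth0=0xE3, pack=b"\x00\x00"):
        self.pages = {p: bytes(4) for p in range(LAST_PAGE + 1)}
        self.pages[CFG0] = bytes([0x04, 0x00, 0x00, auth0])
        self.pages[PWD] = bytes(password)
        self.pages[PACK] = bytes(pack) + b"\x00\x00"
        self.authenticated = False

    def transceive(self, line):
        cmd = bytes.fromhex(line)
        if len(cmd) == 5 and cmd[0] == 0x1B:  # PWD_AUTH: reply is PACK on success
            self.authenticated = cmd[1:] == self.pages[PWD]
            return self.pages[PACK][:2].hex() if self.authenticated else "NAK"
        if len(cmd) == 6 and cmd[0] == 0xA2 and cmd[1] <= LAST_PAGE:  # WRITE
            auth0 = self.pages[CFG0][3]
            if cmd[1] >= auth0 and not self.authenticated:
                return "NAK"  # page is at or beyond AUTH0: needs PWD_AUTH first
            self.pages[cmd[1]] = cmd[2:]
            return "ACK"
        return "NAK"

    def tap(self, commands):
        """One tap = one session; authentication does not survive to the next."""
        self.authenticated = False
        return [self.transceive(c) for c in commands.split(",")]


def thread_walkthrough():
    tag = Ntag216Model(bytes.fromhex("FFFFFFFF"), auth0=0x04)  # state in the thread
    r = {}
    r["write_locked"] = tag.tap("A2 04 01 02 03 04")  # constructed sample data
    r["two_taps"] = tag.tap("1B FF FF FF FF") + tag.tap("A2 E3 04 00 00 E3")
    r["one_tap"] = tag.tap("1BFFFFFFFF,A2E3040000E3")
    r["write_unlocked"] = tag.tap("A2 04 01 02 03 04")
    r["pwd_no_auth"] = tag.tap("A2 E5 4E 45 78 54")
    r["pwd_with_auth"] = tag.tap("1B FF FF FF FF,A2 E5 4E 45 78 54")
    r["old_pwd"] = tag.tap("1B FF FF FF FF")
    open_tag = Ntag216Model(bytes.fromhex("FFFFFFFF"), auth0=0xFF)
    r["auth0_ff"] = open_tag.tap("A2 E5 4E 45 78 54")  # PWD page unprotected
    return r


if __name__ == "__main__":
    for step, reply in thread_walkthrough().items():
        print(f"{step:15} {reply}")
```

The `two_taps` and `auth0_ff` cases are the ones worth checking on a real tag's configuration dump: authentication has to happen in the same tap as the write, and an AUTH0 value beyond E5 leaves the password page writable by anyone.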







