Dangerous NFC app issues

This also seems silly, but what version of DNFC are you using?

Change Log:
v1.0.3 - updated copy on main screen
v1.0.2 - alternate keyboard compatibility fix
v1.0.1 - bug fix
v1.0 - initial release

** TagInfo scan (version 4.24.6) 2020-08-03 08:20:32 **
Report Type: External

-- IC INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG216

-- NDEF ------------------------------

# No NDEF data storage populated:

-- EXTRA ------------------------------

# Memory size:
888 bytes user memory
* 222 pages, with 4 bytes per page

# IC detailed information:
Full product name: NT2H1611G0DUx
Capacitance: 50 pF

# Version information:
Vendor ID: NXP (0x04)
Type: NTAG (0x04)
Subtype: 50 pF (0x02)
Major version: 1 (0x01)
Minor version: V0 (0x00)
Storage size: 888 bytes (0x13)
Protocol: ISO/IEC 14443-3 (0x03)

# Configuration information:
ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation enabled

# Originality check:
Signature verified with NXP public key
ECDSA signature:
* r: 0xDC3F76F86683AF4F6893847C518FB8EB
* s: 0x8E88A2B45855BB352DB92F15D38E7FB3

-- FULL SCAN ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.NdefFormatable]
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: 04:04:80:2A:1A:4E:81
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:04:80 08 (UID0-UID2, BCC0)
[01] *  2A:1A:4E:81 (UID3-UID6)
[02] .  FF 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  E1:10:6D:00 (OTP0-OTP3)
[04] .  00 00 00 00 |␀␀␀␀|
[05] .  00 00 00 00 |␀␀␀␀|
[06] .  00 00 00 00 |␀␀␀␀|
[07] .  00 00 00 00 |␀␀␀␀|
[08] .  00 00 00 00 |␀␀␀␀|
[09] .  00 00 00 00 |␀␀␀␀|
[0A] .  00 00 00 00 |␀␀␀␀|
[0B] .  00 00 00 00 |␀␀␀␀|
[0C] .  00 00 00 00 |␀␀␀␀|
[0D] .  00 00 00 00 |␀␀␀␀|
[0E] .  00 00 00 00 |␀␀␀␀|
[0F] .  00 00 00 00 |␀␀␀␀|
[10] .  00 00 00 00 |␀␀␀␀|
[11] .  00 00 00 00 |␀␀␀␀|
[12] .  00 00 00 00 |␀␀␀␀|
[13] .  00 00 00 00 |␀␀␀␀|
[14] .  00 00 00 00 |␀␀␀␀|
[15] .  00 00 00 00 |␀␀␀␀|
[16] .  00 00 00 00 |␀␀␀␀|
[17] .  00 00 00 00 |␀␀␀␀|
[18] .  00 00 00 00 |␀␀␀␀|
[19] .  00 00 00 00 |␀␀␀␀|
[1A] .  00 00 00 00 |␀␀␀␀|
[1B] .  00 00 00 00 |␀␀␀␀|
[1C] .  00 00 00 00 |␀␀␀␀|
[1D] .  00 00 00 00 |␀␀␀␀|
[1E] .  00 00 00 00 |␀␀␀␀|
[1F] .  00 00 00 00 |␀␀␀␀|
[20] .  00 00 00 00 |␀␀␀␀|
[21] .  00 00 00 00 |␀␀␀␀|
[22] .  00 00 00 00 |␀␀␀␀|
[23] .  00 00 00 00 |␀␀␀␀|
[24] .  00 00 00 00 |␀␀␀␀|
[25] .  00 00 00 00 |␀␀␀␀|
[26] .  00 00 00 00 |␀␀␀␀|
[27] .  00 00 00 00 |␀␀␀␀|
[28] .  00 00 00 00 |␀␀␀␀|
[29] .  00 00 00 00 |␀␀␀␀|
[2A] .  00 00 00 00 |␀␀␀␀|
[2B] .  00 00 00 00 |␀␀␀␀|
[2C] .  00 00 00 00 |␀␀␀␀|
[2D] .  00 00 00 00 |␀␀␀␀|
[2E] .  00 00 00 00 |␀␀␀␀|
[2F] .  00 00 00 00 |␀␀␀␀|
[30] .  00 00 00 00 |␀␀␀␀|
[31] .  00 00 00 00 |␀␀␀␀|
[32] .  00 00 00 00 |␀␀␀␀|
[33] .  00 00 00 00 |␀␀␀␀|
[34] .  00 00 00 00 |␀␀␀␀|
[35] .  00 00 00 00 |␀␀␀␀|
[36] .  00 00 00 00 |␀␀␀␀|
[37] .  00 00 00 00 |␀␀␀␀|
[38] .  00 00 00 00 |␀␀␀␀|
[39] .  00 00 00 00 |␀␀␀␀|
[3A] .  00 00 00 00 |␀␀␀␀|
[3B] .  00 00 00 00 |␀␀␀␀|
[3C] .  00 00 00 00 |␀␀␀␀|
[3D] .  00 00 00 00 |␀␀␀␀|
[3E] .  00 00 00 00 |␀␀␀␀|
[3F] .  00 00 00 00 |␀␀␀␀|
[40] .  00 00 00 00 |␀␀␀␀|
[41] .  00 00 00 00 |␀␀␀␀|
[42] .  00 00 00 00 |␀␀␀␀|
[43] .  00 00 00 00 |␀␀␀␀|
[44] .  00 00 00 00 |␀␀␀␀|
[45] .  00 00 00 00 |␀␀␀␀|
[46] .  00 00 00 00 |␀␀␀␀|
[47] .  00 00 00 00 |␀␀␀␀|
[48] .  00 00 00 00 |␀␀␀␀|
[49] .  00 00 00 00 |␀␀␀␀|
[4A] .  00 00 00 00 |␀␀␀␀|
[4B] .  00 00 00 00 |␀␀␀␀|
[4C] .  00 00 00 00 |␀␀␀␀|
[4D] .  00 00 00 00 |␀␀␀␀|
[4E] .  00 00 00 00 |␀␀␀␀|
[4F] .  00 00 00 00 |␀␀␀␀|
[50] .  00 00 00 00 |␀␀␀␀|
[51] .  00 00 00 00 |␀␀␀␀|
[52] .  00 00 00 00 |␀␀␀␀|
[53] .  00 00 00 00 |␀␀␀␀|
[54] .  00 00 00 00 |␀␀␀␀|
[55] .  00 00 00 00 |␀␀␀␀|
[56] .  00 00 00 00 |␀␀␀␀|
[57] .  00 00 00 00 |␀␀␀␀|
[58] .  00 00 00 00 |␀␀␀␀|
[59] .  00 00 00 00 |␀␀␀␀|
[5A] .  00 00 00 00 |␀␀␀␀|
[5B] .  00 00 00 00 |␀␀␀␀|
[5C] .  00 00 00 00 |␀␀␀␀|
[5D] .  00 00 00 00 |␀␀␀␀|
[5E] .  00 00 00 00 |␀␀␀␀|
[5F] .  00 00 00 00 |␀␀␀␀|
[60] .  00 00 00 00 |␀␀␀␀|
[61] .  00 00 00 00 |␀␀␀␀|
[62] .  00 00 00 00 |␀␀␀␀|
[63] .  00 00 00 00 |␀␀␀␀|
[64] .  00 00 00 00 |␀␀␀␀|
[65] .  00 00 00 00 |␀␀␀␀|
[66] .  00 00 00 00 |␀␀␀␀|
[67] .  00 00 00 00 |␀␀␀␀|
[68] .  00 00 00 00 |␀␀␀␀|
[69] .  00 00 00 00 |␀␀␀␀|
[6A] .  00 00 00 00 |␀␀␀␀|
[6B] .  00 00 00 00 |␀␀␀␀|
[6C] .  00 00 00 00 |␀␀␀␀|
[6D] .  00 00 00 00 |␀␀␀␀|
[6E] .  00 00 00 00 |␀␀␀␀|
[6F] .  00 00 00 00 |␀␀␀␀|
[70] .  00 00 00 00 |␀␀␀␀|
[71] .  00 00 00 00 |␀␀␀␀|
[72] .  00 00 00 00 |␀␀␀␀|
[73] .  00 00 00 00 |␀␀␀␀|
[74] .  00 00 00 00 |␀␀␀␀|
[75] .  00 00 00 00 |␀␀␀␀|
[76] .  00 00 00 00 |␀␀␀␀|
[77] .  00 00 00 00 |␀␀␀␀|
[78] .  00 00 00 00 |␀␀␀␀|
[79] .  00 00 00 00 |␀␀␀␀|
[7A] .  00 00 00 00 |␀␀␀␀|
[7B] .  00 00 00 00 |␀␀␀␀|
[7C] .  00 00 00 00 |␀␀␀␀|
[7D] .  00 00 00 00 |␀␀␀␀|
[7E] .  00 00 00 00 |␀␀␀␀|
[7F] .  00 00 00 00 |␀␀␀␀|
[80] .  00 00 00 00 |␀␀␀␀|
[81] .  00 00 00 00 |␀␀␀␀|
[82] .  00 00 00 00 |␀␀␀␀|
[83] .  00 00 00 00 |␀␀␀␀|
[84] .  00 00 00 00 |␀␀␀␀|
[85] .  00 00 00 00 |␀␀␀␀|
[86] .  00 00 00 00 |␀␀␀␀|
[87] .  00 00 00 00 |␀␀␀␀|
[88] .  00 00 00 00 |␀␀␀␀|
[89] .  00 00 00 00 |␀␀␀␀|
[8A] .  00 00 00 00 |␀␀␀␀|
[8B] .  00 00 00 00 |␀␀␀␀|
[8C] .  00 00 00 00 |␀␀␀␀|
[8D] .  00 00 00 00 |␀␀␀␀|
[8E] .  00 00 00 00 |␀␀␀␀|
[8F] .  00 00 00 00 |␀␀␀␀|
[90] .  00 00 00 00 |␀␀␀␀|
[91] .  00 00 00 00 |␀␀␀␀|
[92] .  00 00 00 00 |␀␀␀␀|
[93] .  00 00 00 00 |␀␀␀␀|
[94] .  00 00 00 00 |␀␀␀␀|
[95] .  00 00 00 00 |␀␀␀␀|
[96] .  00 00 00 00 |␀␀␀␀|
[97] .  00 00 00 00 |␀␀␀␀|
[98] .  00 00 00 00 |␀␀␀␀|
[99] .  00 00 00 00 |␀␀␀␀|
[9A] .  00 00 00 00 |␀␀␀␀|
[9B] .  00 00 00 00 |␀␀␀␀|
[9C] .  00 00 00 00 |␀␀␀␀|
[9D] .  00 00 00 00 |␀␀␀␀|
[9E] .  00 00 00 00 |␀␀␀␀|
[9F] .  00 00 00 00 |␀␀␀␀|
[A0] .  00 00 00 00 |␀␀␀␀|
[A1] .  00 00 00 00 |␀␀␀␀|
[A2] .  00 00 00 00 |␀␀␀␀|
[A3] .  00 00 00 00 |␀␀␀␀|
[A4] .  00 00 00 00 |␀␀␀␀|
[A5] .  00 00 00 00 |␀␀␀␀|
[A6] .  00 00 00 00 |␀␀␀␀|
[A7] .  00 00 00 00 |␀␀␀␀|
[A8] .  00 00 00 00 |␀␀␀␀|
[A9] .  00 00 00 00 |␀␀␀␀|
[AA] .  00 00 00 00 |␀␀␀␀|
[AB] .  00 00 00 00 |␀␀␀␀|
[AC] .  00 00 00 00 |␀␀␀␀|
[AD] .  00 00 00 00 |␀␀␀␀|
[AE] .  00 00 00 00 |␀␀␀␀|
[AF] .  00 00 00 00 |␀␀␀␀|
[B0] .  00 00 00 00 |␀␀␀␀|
[B1] .  00 00 00 00 |␀␀␀␀|
[B2] .  00 00 00 00 |␀␀␀␀|
[B3] .  00 00 00 00 |␀␀␀␀|
[B4] .  00 00 00 00 |␀␀␀␀|
[B5] .  00 00 00 00 |␀␀␀␀|
[B6] .  00 00 00 00 |␀␀␀␀|
[B7] .  00 00 00 00 |␀␀␀␀|
[B8] .  00 00 00 00 |␀␀␀␀|
[B9] .  00 00 00 00 |␀␀␀␀|
[BA] .  00 00 00 00 |␀␀␀␀|
[BB] .  00 00 00 00 |␀␀␀␀|
[BC] .  00 00 00 00 |␀␀␀␀|
[BD] .  00 00 00 00 |␀␀␀␀|
[BE] .  00 00 00 00 |␀␀␀␀|
[BF] .  00 00 00 00 |␀␀␀␀|
[C0] .  00 00 00 00 |␀␀␀␀|
[C1] .  00 00 00 00 |␀␀␀␀|
[C2] .  00 00 00 00 |␀␀␀␀|
[C3] .  00 00 00 00 |␀␀␀␀|
[C4] .  00 00 00 00 |␀␀␀␀|
[C5] .  00 00 00 00 |␀␀␀␀|
[C6] .  00 00 00 00 |␀␀␀␀|
[C7] .  00 00 00 00 |␀␀␀␀|
[C8] .  00 00 00 00 |␀␀␀␀|
[C9] .  00 00 00 00 |␀␀␀␀|
[CA] .  00 00 00 00 |␀␀␀␀|
[CB] .  00 00 00 00 |␀␀␀␀|
[CC] .  00 00 00 00 |␀␀␀␀|
[CD] .  00 00 00 00 |␀␀␀␀|
[CE] .  00 00 00 00 |␀␀␀␀|
[CF] .  00 00 00 00 |␀␀␀␀|
[D0] .  00 00 00 00 |␀␀␀␀|
[D1] .  00 00 00 00 |␀␀␀␀|
[D2] .  00 00 00 00 |␀␀␀␀|
[D3] .  00 00 00 00 |␀␀␀␀|
[D4] .  00 00 00 00 |␀␀␀␀|
[D5] .  00 00 00 00 |␀␀␀␀|
[D6] .  00 00 00 00 |␀␀␀␀|
[D7] .  00 00 00 00 |␀␀␀␀|
[D8] .  00 00 00 00 |␀␀␀␀|
[D9] .  00 00 00 00 |␀␀␀␀|
[DA] .  00 00 00 00 |␀␀␀␀|
[DB] .  00 00 00 00 |␀␀␀␀|
[DC] .  00 00 00 00 |␀␀␀␀|
[DD] .  00 00 00 00 |␀␀␀␀|
[DE] .  00 00 00 00 |␀␀␀␀|
[DF] .  00 00 00 00 |␀␀␀␀|
[E0] .  00 00 00 00 |␀␀␀␀|
[E1] .r 00 00 00 00 |␀␀␀␀|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------

Phones - I tried with two phones with vastly different Android versions (9 for one, 5 for the other). The second one is a hacking phone: it had nothing on it apart from Tagwriter and the DT app.

Must be me then - bad vibes from yours truly :slight_smile:

I literally did the following, step by step:

  • Pull the strip of tags out of the box, cut one tag off the strip
  • Put the PM3 in 14a-sniff mode
  • Put the tag on the PM3
  • Started the DT app, entered ABCD in the password
  • Slapped the phone onto the tag on the PM3 (DT app reported “transceive failed”)
  • Stopped the sniffing on the PM3 and saved it - the relevant excerpt of which I posted above.

It’s not so much that I’m the common denominator, I think it’s more like I’m possibly the first one who’s paranoid and OCD enough to have a close look at test tags before running the app on my valuable doNExT.

I bet you anything there are plenty of implants that don’t answer to PWD_AUTH out there, with the DT app having reported an error, but people ignored it because, ultimately, nobody gives a flying fuck and it works fine to store and read NDEFs.

It would be interesting to code a diagnostics app and ask the forum dwellers who used the DT app to run it on their implant, don’t you think? Or simply ask them to do a Taginfo and report if they see E1 in AUTH0. That’s easy enough to do.

And as a suggestion for the next version of the DT app, it should check that it can do what it intends to do first and report if there’s something amiss.
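The diagnostics suggested above could start from a TagInfo dump like the one quoted earlier. What follows is an added example (my code, not the DT app's, not TagWriter's and not anything posted by a participant in this thread): it parses the memory lines in TagInfo's format, decodes the NTAG216 capability container and configuration pages (AUTH0, ACCESS, lock bits) according to the NTAG21x datasheet layout, and prints the kind of pre-flight findings an app should show before it writes anything. The embedded dump is a constructed excerpt that reuses the values from the scan above; `SAMPLE_DUMP`, `parse_dump`, `decode_ntag216` and `diagnose` are my names.

```python
import re

# Constructed sample: the configuration-relevant lines of the TagInfo dump
# quoted earlier in the thread (same values; the rest of the dump is omitted).
SAMPLE_DUMP = """\
[02] .  FF 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  E1:10:6D:00 (OTP0-OTP3)
[04] .  00 00 00 00 |....|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)
"""

# "[E3] .r 04 00 00 E1 (...)": page number, TagInfo flag column, four byte tokens.
# Tokens are separated by spaces or colons; "XX" (unreadable) and "--" (RFUI) become None.
DUMP_LINE = re.compile(
    r"^\[([0-9A-Fa-f]{2})\]\s+\S+\s+((?:[0-9A-Fa-fX-]{2}[ :]){3}[0-9A-Fa-fX-]{2})")

NTAG216_LAST_PAGE = 0xE6  # an AUTH0 above this value means "no password protection"


def parse_dump(text):
    """Return {page_number: [b0, b1, b2, b3]} for every memory line in a TagInfo dump."""
    pages = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            tokens = re.split(r"[ :]", m.group(2))
            pages[int(m.group(1), 16)] = [
                None if t in ("XX", "--") else int(t, 16) for t in tokens]
    return pages


def decode_ntag216(pages):
    """Decode the NTAG216 capability container and configuration pages (datasheet layout)."""
    for p in (0x02, 0x03, 0xE2, 0xE3, 0xE4):
        if p not in pages:
            raise ValueError(f"page {p:02X} missing from dump")
    cc, cfg0, access = pages[0x03], pages[0xE3], pages[0xE4][0]
    return {
        "cc_magic_ok": cc[0] == 0xE1,                # NDEF capability container present
        "cc_version": f"{cc[1] >> 4}.{cc[1] & 0xF}",
        "cc_data_area_bytes": cc[2] * 8,              # CC byte 2 counts 8-byte units
        "cc_read_write": cc[3] == 0x00,
        "mirror_conf": cfg0[0] >> 6,                  # CFG0 bits 7-6, 0 = mirror disabled
        "strg_mod_en": bool(cfg0[0] & 0x04),          # CFG0 bit 2, strong load modulation
        "auth0": cfg0[3],                             # first page that needs PWD_AUTH
        "password_required": cfg0[3] <= NTAG216_LAST_PAGE,
        "prot_read_and_write": bool(access & 0x80),   # PROT: 1 = reads too, 0 = writes only
        "cfglck": bool(access & 0x40),                # configuration permanently locked
        "nfc_cnt_en": bool(access & 0x10),
        "authlim": access & 0x07,                     # 0 = unlimited wrong-password attempts
        "static_lock_set": any(pages[0x02][2:4]),
        "dynamic_lock_set": any(pages[0xE2][:3]),
    }


def diagnose(pages):
    """Human-readable findings, the pre-flight report a provisioning app should show."""
    d = decode_ntag216(pages)
    out = []
    if not d["cc_magic_ok"]:
        out.append("CC magic byte is not E1: tag is not NDEF-formatted")
    if d["password_required"]:
        scope = "read and write" if d["prot_read_and_write"] else "write"
        out.append(f"AUTH0 = {d['auth0']:02X}: {scope} access to pages "
                   f"{d['auth0']:02X}-{NTAG216_LAST_PAGE:02X} requires PWD_AUTH")
    else:
        out.append(f"AUTH0 = {d['auth0']:02X}: no password protection (factory state)")
    if d["cfglck"]:
        out.append("CFGLCK set: configuration pages can never be changed again")
    if d["authlim"]:
        out.append(f"AUTHLIM = {d['authlim']}: wrong PWD_AUTH attempts are limited")
    if d["static_lock_set"] or d["dynamic_lock_set"]:
        out.append("lock bits set: some user pages are permanently read-only")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run against the dump above it reports exactly the condition discussed in this thread: AUTH0 = E1 with PROT clear, so pages E1 to E6 reject writes until a PWD_AUTH succeeds, while reads still work, which is why NDEF storage keeps functioning on a tag the app could not authenticate to.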

v1.1.0. I downloaded it from Aptoide, as I don’t have a Google account and can’t access the Google Play Store - for reasons obvious to anybody who knows me :slight_smile:

Well, amazingly enough, I managed to brute-force the password of one of my failed bullseyes! Didn’t think it’d work. Running a few more tests here, I’ll try to brute-force the 2 other fucked-up tags, and I’ll report back (and post the brute-forcing script).

1 Like


3 Likes

Right. So…

First of all, before I go any further: FUCK TAGWRITER WITH A BROOMSTICK. More on that later.

Secondly: I recovered access to all my fucked-up tags - those that were fucked up right off the bat, and those that were fucked up after Tagwriter went over it. The password was 12345678 in all of them. No idea why or where that password comes from. But it doesn’t come from Tagwriter.

I’m still convinced the chips were (or still are and I’m claiming victory too soon?) weirded out by the DT app’s writing BD in E2, simply because unless they were programmed like that from the factory, which is virtually impossible, I did nothing else but run the DT app on them to fuck them up - or rather, set that password somehow. So, that’s pretty clear.

But at least the chips were not dead. They just silently refused to answer if the wrong password was supplied. Another thing I learned incidentally: when you supply the wrong password, they go to HALT on their own. You need to turn off the field and re-select if you want to try again.

Now then, why should Tagwriter be fucked with a broomstick:

Reason #1: when you ask it to set the password, it sets the password, but also a whole bunch of other stuff without telling you - particularly the dynamic lock bits. Who the hell told Tagwriter to do that? Jesus H. Christ on a spit! The E1 value in AUTH0 comes from it also.

Reason #2: when you ask it to “remove the password”, it does NOT set the password to FFFFFFFF, as I assumed. What it does in fact is authenticate with whatever password you supply, then goof around with the dynamic lock bits, but it leaves the password in place.

It even tells you so when it’s done doing its thing: it says “Password protection removed”. Notice the subtle difference: the password protection is removed, but not the password itself, as the drop-down menu selection suggests.

Best guess: they didn’t have enough characters in the drop-down menu, so instead of calling the option “Remove password protection”, they shortened it to “Remove password”. Confusing as hell!

Anyhow, that’s what I was able to find out. I’m still not confident using the DT app on my doNExT, because that 12345678 password cannot come from anywhere else but something goofy happening as a result of running the DT app. But at least there’s a way to recover the chips. At least until I go to bed and try again tomorrow and it doesn’t work once more :slight_smile:

Here’s the script to bruteforce the password, if you need it. It’s a Python script that drives the Proxmark3 client (easier and more flexible than a LUA script):

#!/usr/bin/python3

### Parameters
pm3_client = "/usr/local/bin/proxmark3"
pm3_dev_file = "/dev/ttyACM0"



### Modules
import re
import os
import sys
from pty import openpty
from select import select
from subprocess import Popen, DEVNULL, PIPE



# "Obvious" passwords dictionary
pwd_dict=(
0x00000001, 0x00000010, 0x00000100, 0x00001000, 0x00010000, 0x00100000,
0x01000000, 0x10000000, 0x00000002, 0x00000020, 0x00000200, 0x00002000,
0x00020000, 0x00200000, 0x02000000, 0x20000000, 0x00000003, 0x00000030,
0x00000300, 0x00003000, 0x00030000, 0x00300000, 0x03000000, 0x30000000,
0x00000004, 0x00000040, 0x00000400, 0x00004000, 0x00040000, 0x00400000,
0x04000000, 0x40000000, 0x00000005, 0x00000050, 0x00000500, 0x00005000,
0x00050000, 0x00500000, 0x05000000, 0x50000000, 0x00000006, 0x00000060,
0x00000600, 0x00006000, 0x00060000, 0x00600000, 0x06000000, 0x60000000,
0x00000007, 0x00000070, 0x00000700, 0x00007000, 0x00070000, 0x00700000,
0x07000000, 0x70000000, 0x00000008, 0x00000080, 0x00000800, 0x00008000,
0x00080000, 0x00800000, 0x08000000, 0x80000000, 0x00000009, 0x00000090,
0x00000900, 0x00009000, 0x00090000, 0x00900000, 0x09000000, 0x90000000,
0x0000000a, 0x000000a0, 0x00000a00, 0x0000a000, 0x000a0000, 0x00a00000,
0x0a000000, 0xa0000000, 0x0000000b, 0x000000b0, 0x00000b00, 0x0000b000,
0x000b0000, 0x00b00000, 0x0b000000, 0xb0000000, 0x0000000c, 0x000000c0,
0x00000c00, 0x0000c000, 0x000c0000, 0x00c00000, 0x0c000000, 0xc0000000,
0x0000000d, 0x000000d0, 0x00000d00, 0x0000d000, 0x000d0000, 0x00d00000,
0x0d000000, 0xd0000000, 0x0000000e, 0x000000e0, 0x00000e00, 0x0000e000,
0x000e0000, 0x00e00000, 0x0e000000, 0xe0000000, 0x0000000f, 0x000000f0,
0x00000f00, 0x0000f000, 0x000f0000, 0x00f00000, 0x0f000000, 0xf0000000,
0x00000000, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555,
0x66666666, 0x77777777, 0x88888888, 0x99999999, 0xaaaaaaaa, 0xbbbbbbbb,
0xcccccccc, 0xdddddddd, 0xeeeeeeee, 0xffffffff, 0x12345678, 0x23456789,
0x3456789a, 0x456789ab, 0x56789abc, 0x6789abcd, 0x789abcde, 0x89abcdef,
0xfedcba98, 0xedcba987, 0xdcba9876, 0xcba98765, 0xba987654, 0xa9876543,
0x98765432, 0x87654321)



### Main routine
def main():
  """Main routine
  """

  # Possible Proxmark3 console prompts
  pm3_prompts_regex = re.compile(r"^(proxmark3>|\[.*\] pm3 -->)$")

  # Console command to send the PWD_AUTH authentication command to the NTAG
  authcmd = "hf 14a raw -c -s 1b{pwd:08x}"

  # Create a PTY pair to fool the Proxmark3 client into working interactively
  pty_master, pty_slave = openpty()

  # Spawn the Proxmark3 client
  pm3_proc = Popen([pm3_client, pm3_dev_file], bufsize=0, env={},
                   stdin=pty_slave, stdout=PIPE, stderr=DEVNULL)

  # Start with the first password in the dictionary
  pwd_dict_i = 0
  pwd = pwd_dict[pwd_dict_i]

  # Interact with the Proxmark3 client
  recvbuf = ""
  sendcmd = True

  expect_reply_bytes = 0

  while True:

    # Read lines from the Proxmark3 client
    rlines = []

    # Newer clients print non-ASCII box-drawing characters; don't die on them
    for c in pm3_proc.stdout.read(256).decode("ascii", errors="replace"):

      if c == "\n" or c == "\r" or pm3_prompts_regex.match(recvbuf):
        rlines.append(recvbuf)
        recvbuf = ""

      elif len(recvbuf)<256 and c.isprintable():
        recvbuf += c

    # Process the lines from the client
    for l in rlines:

      # If we detect a fatal error from the client, exit
      if re.search("(proxmark failed|offline|OFFLINE|unknown command)", l):
        return(-1)

      # Do we have a prompt
      if pm3_prompts_regex.match(l):

        # Stop if we're going to overflow
        if pwd > 0xffffffff:
          sys.stdout.write("PWD_AUTH unsuccessful\n")
          return(0)

        # Issue another PWD_AUTH command
        os.write(pty_master, (authcmd.format(pwd=pwd) + "\r").encode("ascii"))

        # Inform the user
        sys.stdout.write("\rTrying password {:08x}... ".format(pwd))

        # Next password in dictionary, or iterate after running out
        if pwd_dict_i < len(pwd_dict) - 1:
          pwd_dict_i += 1
          pwd = pwd_dict[pwd_dict_i]

        elif pwd_dict_i == len(pwd_dict) -1:
          pwd_dict_i += 1
          pwd = 0x00000000
          while pwd in pwd_dict:
            pwd += 1

        else:
          pwd += 1
          while pwd in pwd_dict:
            pwd += 1

      # Are we expecting 4 bytes (indicating a PACK + CRC was returned)?
      elif expect_reply_bytes == 4:

        reply_bytes_ascii = l.split()
        pack = (int(reply_bytes_ascii[0], 16) << 8) + \
               int(reply_bytes_ascii[1], 16)

        sys.stdout.write("PWD_AUTH successful: PACK = {:04x}\n".format(pack))
        return(0)

      else:

        # Did we get a "received x bytes" line?
        m = re.findall("received ([0-9]+) bytes", l)

        if m:
          expect_reply_bytes = int(m[0])
          if expect_reply_bytes != 4:
            expect_reply_bytes = 0



### Jump to the main routine
if __name__ == "__main__":
  sys.exit(main())

2 Likes

I’m going to stand my ground on this one… it’s never been a problem before… but looking forward to your analysis.

To be honest, I’m (possibly - not sure yet) COVID-19-sick right now, so while I have time at home to do some analysis, that’s as much as I’m gonna do today - and probably for quite some time. I think I’ll put on a movie with Steven Seagal right now, to have a good night’s sleep instead. I haven’t found anything better than a movie with Steven Seagal to fall asleep in a hurry, apart from reading a couple pages off the Book of Mormon.

2 Likes

Is it possible the bullseyes ship with the password set to 12345678 and that’s why the DT app fails?

At least that’s where my money is, either at factory or somewhere along the line.

Works in with Amal’s theory that the app isn’t really doing anything since it can’t authenticate, and explains the thousands of implants written with the data the app writes without issue.

rest-up

Nah. My KSEC-supplied tag was passworded 12345678 also. It was never touched by Amal - just the DT app.

insulted

hahah

Your words, not mine!

And hindsight makes idiots of us all haha

1 Like

Hmmm, well I’ve tried nuffin and I’m all out of ideas!

1 Like

Were there any more discoveries or progress made on this? Trying to figure out if I’m better off just running raw commands to protect my tag instead of the app.

Well, the short of it is this:

1/ the boss says it’s okay, he’s used the app a thousand times before without problems, and my tags were messed up from the get-go - which, I agree 100%, is completely logical and corroborated by the fact that it only happened with my tags.

2/ Conversely, I know I ran the app on two sets of NTAGs from two different sources straight out of the box, with two different cellphones from different brands with different Android versions, running nothing other than the app. So they couldn’t possibly have been passworded before the app touched them, and nothing on my cellphones could have passworded them. The password I brute-forced out of the tags, I had never seen before. Something set it, I have no idea what or when, but it wasn’t on my cellphones for sure, unless Android itself does that sort of thing, which is highly unlikely.

In other words, Amal knows it’s safe from prior use, and I know my test conditions were as clean as can be. Both logics are flawless and contradict each other perfectly.

Now you decide whether it’s safe :slight_smile:

1 Like

Were there any tags you couldn’t revive? They all had the same password, right?

So if I try and it fails, it shouldn’t be a big deal to get in there with NFC Shell and un-ruin my day?

Just to be clear, they were all “alive”. Just denying me authentication with the password.

All of them had 12345678 as a password. The question is this: where did it come from?

  • Not from my cellphones - I used two different ones
  • Not from a cellphone app - I only had the DT app running on both cellphones
  • Not pre-programmed in the cards - I used bullseyes from DT and a NTAG216 card from KSEC
  • 99.99% sure not from Android
  • Not from the DT app directly - it never set that password when I traced the exchange

So my conclusion is, it came as a weird side effect of the DT app writing BD in E2 when it shouldn’t. I totally agree that it sounds completely and utterly unlikely, but when you discount all other possibilities, whatever remains must be the truth :slight_smile:

I can see you want me to give you advice on this, and I won’t, because I don’t know what happened to my tag with that app, and that’s enough to give me the willies running it on my doNExT. I’ll probably end up doing what it does, but manually, and more importantly correctly, and doing the checks it should do before doing something.

If you do run the app and it fails, you can’t reverse all that it did, unfortunately: either it works all the way, or you’re left with a half-configured chip with read-only sectors and there ain’t nothing you can do about it afterwards. The chip will still be functional for reading and writing NDEFs though.

1 Like
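For the "do what the app does, but manually and with the checks first" approach, here is an added example (my code, not the DT app's, and not a command set any participant posted): the function takes the current contents of pages E3 and E4 as read from a TagInfo dump and produces the raw NTAG command frames (WRITE = A2, PWD_AUTH = 1B, per the NTAG21x datasheet) in the order that never writes to a page that has just become password-protected: PWD, PACK and ACCESS first, AUTH0 last, then a PWD_AUTH with the new password as verification. It refuses to proceed when CFGLCK is set or when the tag is already protected and no current password is supplied, and it writes back the CFG0 bytes (strong load modulation, mirror) and the VCTID byte unchanged instead of zeroing them. Each frame is the hex payload one would hand to `hf 14a raw -c`, as the script above does for PWD_AUTH; `plan_password_protection` and the sample values are mine.

```python
# NTAG21x command bytes and NTAG216 page addresses (from the datasheet).
WRITE, PWD_AUTH = 0xA2, 0x1B
FIRST_USER_PAGE, LAST_PAGE = 0x04, 0xE6
PAGE_CFG0, PAGE_ACCESS, PAGE_PWD, PAGE_PACK = 0xE3, 0xE4, 0xE5, 0xE6


def _frame(*parts):
    """Hex string of one command frame (the CRC is appended by the client)."""
    return bytes(parts).hex()


def plan_password_protection(cfg0_page, access_page, new_pwd, new_pack, auth0,
                             protect_reads=False, authlim=0, current_pwd=None):
    """Ordered command frames that password-protect pages auth0..E6.

    cfg0_page / access_page: current 4-byte contents of pages E3 / E4 as read
    from the tag (None for bytes TagInfo shows as XX or --).
    """
    if len(new_pwd) != 4 or len(new_pack) != 2:
        raise ValueError("PWD is 4 bytes, PACK is 2 bytes")
    if not FIRST_USER_PAGE <= auth0 <= LAST_PAGE:
        raise ValueError("AUTH0 must be a page address between 04 and E6")
    if not 0 <= authlim <= 7:
        raise ValueError("AUTHLIM is a 3-bit field")
    access_now = access_page[0] or 0x00
    if access_now & 0x40:
        raise ValueError("CFGLCK is set: the configuration can never be changed again")

    frames = []
    if cfg0_page[3] is not None and cfg0_page[3] <= LAST_PAGE:
        # Already protected (AUTH0 points at a real page): every configuration
        # write below is refused unless a PWD_AUTH with the current password succeeds.
        if current_pwd is None:
            raise ValueError(f"tag already protected from page {cfg0_page[3]:02X}: "
                             "current password required")
        frames.append(_frame(PWD_AUTH, *current_pwd))

    # New ACCESS byte: PROT in bit 7, NFC_CNT_EN / NFC_CNT_PWD_PROT (bits 4 and 3)
    # kept as they are, AUTHLIM in bits 2-0. CFGLCK (bit 6) is deliberately left clear.
    access_new = (0x80 if protect_reads else 0x00) | (access_now & 0x18) | authlim
    # CFG0 page: only byte 3 (AUTH0) changes. A WRITE always covers the whole page,
    # so the mirror and strong-modulation settings in bytes 0-2 are written back as read.
    cfg0_new = [b or 0x00 for b in cfg0_page[:3]] + [auth0]

    # Order matters: PWD, PACK and ACCESS go first and AUTH0 last, so no write
    # ever lands on a page that the previous write has just made password-protected.
    frames.append(_frame(WRITE, PAGE_PWD, *new_pwd))
    frames.append(_frame(WRITE, PAGE_PACK, *new_pack, 0x00, 0x00))
    # Byte 1 of E4 is VCTID (05 in the dump above); keep it, zero the RFUI bytes.
    frames.append(_frame(WRITE, PAGE_ACCESS, access_new, access_page[1] or 0x00, 0x00, 0x00))
    frames.append(_frame(WRITE, PAGE_CFG0, *cfg0_new))
    # Verification: PWD_AUTH with the new password must now answer with the PACK
    # (2 PACK bytes plus CRC, the 4-byte reply the brute-force script above waits for).
    frames.append(_frame(PWD_AUTH, *new_pwd))
    return frames


if __name__ == "__main__":
    # Constructed sample: E3/E4 as in the TagInfo dump quoted in this thread
    # (AUTH0 = E1, so the tag is already write-protected from page E1) and the
    # 12345678 password that was recovered from those tags.
    plan = plan_password_protection(
        cfg0_page=[0x04, 0x00, 0x00, 0xE1], access_page=[0x00, 0x05, None, None],
        new_pwd=bytes.fromhex("0badf00d"), new_pack=bytes.fromhex("cafe"),
        auth0=0x04, current_pwd=bytes.fromhex("12345678"))
    for frame in plan:
        print(frame)
```

Two things the ordering buys you that the thread's failure mode illustrates: if the PWD_AUTH at the start fails (wrong current password), nothing has been written yet, so there is no half-configured chip; and because AUTH0 is the last page touched, a sequence that dies half-way leaves the tag still unprotected rather than protected with a password you never finished setting. The page E2 dynamic lock bytes are never touched, since lock bits cannot be cleared once set.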

That’s the bit I was most looking for, whether it’d be a no-harm-done attempt, or still leave me in an odd state. I’ll go with the datasheet and manual work to be safe, I think.

@Satur9 had a similarly strange thing happen with his implant while using TagWriter … TagWriter suddenly decided to change the auth0 byte to page 04… just out of the blue.