Not yet but I did run a .net app I wrote for windows that runs these commands via acr122u and ran that on some of the flexNExT (not all) without issue.
I’ll do more testing with the app and my stockpile of bullseye tags.
Good thinking but the documentation hasn’t been updated since 2015 and the bullseye tags in using are from the same month that we commissioned the xNTs… they have been sitting here a long time waiting for a good application.
ACR122U == better coupling than my shite telephones, that’s for sure 
Bad news: it seems ALL my tags that underwent the Dangerous NFC app treatement are writeoffs after all. None of them answer PWD_AUTH anymore.
Also, weird thing: when I read page E3, on all of them, AUTH0 is set to E1. This is doubly odd because the Dangerous NFC app set it to E2, and also because on the “transceive failed” tags, it didn’t even have a chance to set it at all!
I reckon I’m beating a dead horse here…
That’s actually good news, it is repeatable. Did you get tag lost or transceive failed on all of them?
No. Half of them. The “successful” trace above is one of them.
ah right… ok.
I’m guessing for now then I should play it safe and not use Dnagerous NFC on my flexNExT?
For now please wait. I am in contact with NXP.
Ok poking around in the specs and testing on good tags, a timeout is normal for a failed password. This is my data after sending a good password auth (default) and a bad auth;
1549744 | 1557904 | Rdr |1b ff ff ff ff 63 00 | ok | PWD-AUTH KEY: 0xffffffff
5642448 | 5647216 | Rdr |50 00 57 cd | ok | HALT
The tag’s attempt at a bit of tarpitting… so no error code is returned on a bad password, just a timeout.
You mentioned you’re getting this on tags that have been through “transitive failed” and “tag lost” on… but were these products we sent out or the bullseye tags you had laying there? Both?
Follow up to that, have you attempted to auth with the password you actually wanted to set? Is it possible the password got changed on those tags from the default to something else?
Just sending logs to NXP now… but don’t hold your breath… let’s push on and figure this out if we can.
It’s more than tarpitting: even if you instruct the PM3 to wait several seconds, nothing comes back. But yeah, I thought the chip might just go silent when a bad password is supplied.
Okay, it’s a bit more complicated than that. Here’s what happened:
Strictly speaking, initially, PWD_AUTH went silent on tags with which I got “transceive failed” with the Dangerous NFC app (didn’t get no “tag lost” though) and worked as it should on those tags that went through ok (i.e. I’d get the “DT” PACK back, and then I could do stuff to the password protected pages).
The transceive-failed-and-silent-pwd-auth issue has happened with 2 bullseyes and 1 KSEC NTAG-216 card. The “survivor” tags were 2 bullseyes.
On the two survivors, I manually set the PACK to 0x0000 (after authenticating to the chip). No problems. I manually tried PWD_AUTH on them after changing the PACK, and 0x0000 came back. So far so good.
And then - and that’s when it gets more complicated - I used TagWriter to change the password back to 0xFFFFFFFF from the 0x41424344 I had set in the Dangerous NFC app, which went fine. Content that I had de-passworded my survivor tags, I then went to bed.
The next morning, for shits and giggles, I tried to issue a 1B FF FF FF FF command with my PM3 on the two survivors and… nothing. Same thing with NFC Shell. And TagWriter now tells me it can’t change the password because “parts of the tag are protected”.
I very much doubt TagWriter set a secret password instead of the FFFFFFFF I requested, so I assume whatever happened immediately to the 3 fucked up tags when running the Dangerous NFC app happened later to the 2 survivors. Or said another way, the 3 fucked up tags got weirded out immediately when using the Dangerous NFC tag, but the survivors were also in some undefined state and finally went loco when I used TagWriter on them.
Can you detail exactly how you did this with TagWriter? Did you tell it to use FF FF FF FF or did you use the “remove password” feature (which really just resets it to FF FF FF FF because you cannot actually “remove” the password).
Well, being paranoid, I explicitely told it to change from 0x41424344 (old password) to 0xFFFFFFFF (new password). I figured the “remove password” was just another way of saying “set it to 0xFFFFFFFF” but I don’t trust “implicit” or “obvious” stuff in software, so I did it manually.
hmm… did you sniff this process with the proxmark3? My hunch is that it did not set the password to FF FF FF FF as you requested. A screenshot of the password screen as you configured it would be good… I will do some testing on this side and post results.
Sadly I didn’t. I thought those tags were good to go and I didn’t think I’d have to be suspicious on them anymore, so I did it like that.
I’m not sure how to take a screenshot with a cellphone. But… well, it’s the Protect tags > Password protection menu item, tick “Current password”, enter old password, select “Change password” in the drop-down, then specify the New password
I’m thinking of writing a LUA script to try and bruteforce the password with the PM3… Might take a while though
Is this exactly how you told TagWriter to change the password? Did you use any spaces or anything other notation?
Yep that’s what I did exactly. No spaces. It’s not possible to enter anything other than 8 hex digits in the fields, so it’s not possible to set spaces of 0x or h.
FWIW, I tried to authenticate with 00000000, big- and little-endian variations of 41424344, and other plausible incorrect values like FF000000, 000000FF, FFFF0000, 0000FFFF but nothing worked.
ok a few things…
proxmark3 sniffing doesn’t always catch the entire conversation as I’m learning… on my first test, it totally missed the part where the password was actually updated… but it did work… changed back to FF FF FF FF and I can auth against it.
tagwriter also changes auth0 to 04 … without asking… boo.
tagwriter password functions are vastly different from the last time I’ve ever even looked at them. It wants hex now, which it did not before… we actually modeled our ascii input field on TagWriter, thinking it would be basically the same… but now it’s expecting hex data… so it looks like I have to update my thinking and my rally cry as well when it comes to tagwriter… and now I suppose I’ll have to look at NFC Tools again too… maybe everyone came to their senses and just moved to hex and did away with all this transform nonsense… maybe there is a possibility of being compatible now… I can definitely see a need to update DNFC to just go with hex now for the password setting.
I ran a few tests on a few tags and all results were the same, so I will just outline one “session” here. This is me using NFC Shell to set the password to 41 42 43 44;
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
-----------±-----------±----±------------------------------------------------------------------------±----±-------------------
1364368 | 1374832 | Rdr |93 70 88 04 03 2a a5 85 b8 | ok | SELECT_UID
1376068 | 1379588 | Tag |04 da 17 | |
1387664 | 1398192 | Rdr |95 70 72 d5 38 81 1e 82 38 | ok | SELECT_UID-2
1399380 | 1402964 | Tag |00 fe 51 | |
2072576 | 2081888 | Rdr |a2 e5 41 42 43 44 79 63 | ok | WRITEBLOCK(229) (?)
2083140 | 2083780 | Tag |00! | |
2140512 | 2145280 | Rdr |50 00 57 cd | ok | HALT
2246832 | 2247824 | Rdr |52 | | WUPA
Now this is me using TagWriter to “change” the password to FF FF FF FF;
Start | End | Src | Data (! denotes parity error) | CRC | Annotation
------------+------------+-----+-------------------------------------------------------------------------+-----+--------------------
20272480 | 20282944 | Rdr |93 70 88 04 03 2a a5 85 b8 | ok | SELECT_UID
20284180 | 20287700 | Tag |04 da 17 | |
20295280 | 20305808 | Rdr |95 70 72 d5 38 81 1e 82 38 | ok | SELECT_UID-2
20306996 | 20310580 | Tag |00 fe 51 | |
20374864 | 20383024 | Rdr |1b 41 42 43 44 16 22 | ok | PWD-AUTH KEY: 0x41424344
20384276 | 20388948 | Tag |00 00 a0 1e | |
20445472 | 20454784 | Rdr |a2 e5 ff ff ff ff 0c 41 | ok | WRITEBLOCK(229) (?)
20510436 | 20511012 | Tag |0a! | |
20552656 | 20561968 | Rdr |a2 e6 00 00 00 00 59 af | ok | WRITEBLOCK(230) (?)
20617604 | 20618180 | Tag |0a! | |
20651104 | 20655808 | Rdr |30 e3 97 7d | ok | READBLOCK(227)
20657044 | 20677908 | Tag |04 00 00 04 00 05 00 00 00 00 00 00 00 00 00 00 25 7c | ok |
20723104 | 20732416 | Rdr |a2 e3 04 00 00 04 c5 bd | ok | WRITEBLOCK(227) (?)
20788068 | 20788644 | Tag |0a! | |
20888528 | 20897904 | Rdr |a2 e4 00 05 00 00 6c 80 | ok | WRITEBLOCK(228) (?)
20953476 | 20954052 | Tag |0a! | |
21045072 | 21049840 | Rdr |50 00 57 cd | ok | HALT
21150672 | 21151664 | Rdr |52 | | WUPA
21152900 | 21155268 | Tag |44 00 | |
At this point I think I will just assume that your 3 “survivors” have now somehow had their passwords changed to something other than what you specified… a brute force attempt would be quite interesting I think.
Let’s focus on the “dead” tags which did not “survive” the Dangerous NFC… do you have one of those that has not been altered in any way since the attempt to protect it with Dangerous NFC? If so, I’d like a full scan with TagInfo to be posted… specifically I want to see the static lock bytes, dynamic lock bytes, and all the config pages… so pages 02, 03, and E2-E4
Save yourself the effort: NFC Tool still takes any old string and does black magic with it.
Yep. My first fucked-up bullseyes is untouched.
Ask and you shall receive
** TagInfo scan (version 4.24.6) 2020-08-03 06:14:44 ** Report Type: External -- IC INFO ------------------------------ # IC manufacturer: NXP Semiconductors # IC type: NTAG216 -- NDEF ------------------------------ # No NDEF Message present: -- EXTRA ------------------------------ # Memory size: 888 bytes user memory * 222 pages, with 4 bytes per page # IC detailed information: Full product name: NT2H1611G0DUx Capacitance: 50 pF # Version information: Vendor ID: NXP (0x04) Type: NTAG (0x04) Subtype: 50 pF (0x02) Major version: 1 (0x01) Minor version: V0 (0x00) Storage size: 888 bytes (0x13) Protocol: ISO/IEC 14443-3 (0x03) # Configuration information: ASCII mirror disabled NFC counter: disabled No limit on wrong password attempts Strong load modulation enabled # Originality check: Signature verified with NXP public keyECDSA signature: * r: 0xFBE5F41155C776611177DDCA30C7D000 * s: 0xB27FD2843B9E11E9D84771ADD31D3B5E -- FULL SCAN ------------------------------ # Technologies supported: ISO/IEC 14443-3 (Type A) compatible ISO/IEC 14443-2 (Type A) compatible # Android technology information: Tag description: * TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.Ndef] * Maximum transceive length: 253 bytes * Default maximum transceive time-out: 618 ms No MIFARE Classic support present in Android # Detailed protocol information: ID: 04:03:80:2A:1A:4E:81 ATQA: 0x4400 SAK: 0x00 # Memory content: [00] * 04:03:80 0F (UID0-UID2, BCC0) [01] * 2A:1A:4E:81 (UID3-UID6) [02] * FF 48 0F 00 (BCC1, INT, LOCK0-LOCK1) [03] * E1:12:6D:00 (OTP0-OTP3) [04] + 03 00 FE 00 |␃␀.␀| [05] + 00 00 00 00 |␀␀␀␀| [06] + 00 00 00 00 |␀␀␀␀| [07] + 00 00 00 00 |␀␀␀␀| [08] + 00 00 00 00 |␀␀␀␀| [09] + 00 00 00 00 |␀␀␀␀| [0A] + 00 00 00 00 |␀␀␀␀| [0B] + 00 00 00 00 |␀␀␀␀| [0C] + 00 00 00 00 |␀␀␀␀| [0D] + 00 00 00 00 |␀␀␀␀| [0E] + 00 00 00 00 |␀␀␀␀| [0F] + 00 00 00 00 |␀␀␀␀| [10] . 00 00 00 00 |␀␀␀␀| [11] . 00 00 00 00 |␀␀␀␀| [12] . 00 00 00 00 |␀␀␀␀| [13] . 00 00 00 00 |␀␀␀␀| [14] . 00 00 00 00 |␀␀␀␀| [15] . 00 00 00 00 |␀␀␀␀| [16] . 00 00 00 00 |␀␀␀␀| [17] . 00 00 00 00 |␀␀␀␀| [18] . 00 00 00 00 |␀␀␀␀| [19] . 00 00 00 00 |␀␀␀␀| [1A] . 00 00 00 00 |␀␀␀␀| [1B] . 00 00 00 00 |␀␀␀␀| [1C] . 00 00 00 00 |␀␀␀␀| [1D] . 00 00 00 00 |␀␀␀␀| [1E] . 00 00 00 00 |␀␀␀␀| [1F] . 00 00 00 00 |␀␀␀␀| [20] . 00 00 00 00 |␀␀␀␀| [21] . 00 00 00 00 |␀␀␀␀| [22] . 00 00 00 00 |␀␀␀␀| [23] . 00 00 00 00 |␀␀␀␀| [24] . 00 00 00 00 |␀␀␀␀| [25] . 00 00 00 00 |␀␀␀␀| [26] . 00 00 00 00 |␀␀␀␀| [27] . 00 00 00 00 |␀␀␀␀| [28] . 00 00 00 00 |␀␀␀␀| [29] . 00 00 00 00 |␀␀␀␀| [2A] . 00 00 00 00 |␀␀␀␀| [2B] . 00 00 00 00 |␀␀␀␀| [2C] . 00 00 00 00 |␀␀␀␀| [2D] . 00 00 00 00 |␀␀␀␀| [2E] . 00 00 00 00 |␀␀␀␀| [2F] . 00 00 00 00 |␀␀␀␀| [30] . 00 00 00 00 |␀␀␀␀| [31] . 00 00 00 00 |␀␀␀␀| [32] . 00 00 00 00 |␀␀␀␀| [33] . 00 00 00 00 |␀␀␀␀| [34] . 00 00 00 00 |␀␀␀␀| [35] . 00 00 00 00 |␀␀␀␀| [36] . 00 00 00 00 |␀␀␀␀| [37] . 00 00 00 00 |␀␀␀␀| [38] . 00 00 00 00 |␀␀␀␀| [39] . 00 00 00 00 |␀␀␀␀| [3A] . 00 00 00 00 |␀␀␀␀| [3B] . 00 00 00 00 |␀␀␀␀| [3C] . 00 00 00 00 |␀␀␀␀| [3D] . 00 00 00 00 |␀␀␀␀| [3E] . 00 00 00 00 |␀␀␀␀| [3F] . 00 00 00 00 |␀␀␀␀| [40] . 00 00 00 00 |␀␀␀␀| [41] . 00 00 00 00 |␀␀␀␀| [42] . 00 00 00 00 |␀␀␀␀| [43] . 00 00 00 00 |␀␀␀␀| [44] . 00 00 00 00 |␀␀␀␀| [45] . 00 00 00 00 |␀␀␀␀| [46] . 00 00 00 00 |␀␀␀␀| [47] . 00 00 00 00 |␀␀␀␀| [48] . 00 00 00 00 |␀␀␀␀| [49] . 00 00 00 00 |␀␀␀␀| [4A] . 00 00 00 00 |␀␀␀␀| [4B] . 00 00 00 00 |␀␀␀␀| [4C] . 00 00 00 00 |␀␀␀␀| [4D] . 00 00 00 00 |␀␀␀␀| [4E] . 00 00 00 00 |␀␀␀␀| [4F] . 00 00 00 00 |␀␀␀␀| [50] . 00 00 00 00 |␀␀␀␀| [51] . 00 00 00 00 |␀␀␀␀| [52] . 00 00 00 00 |␀␀␀␀| [53] . 00 00 00 00 |␀␀␀␀| [54] . 00 00 00 00 |␀␀␀␀| [55] . 00 00 00 00 |␀␀␀␀| [56] . 00 00 00 00 |␀␀␀␀| [57] . 00 00 00 00 |␀␀␀␀| [58] . 00 00 00 00 |␀␀␀␀| [59] . 00 00 00 00 |␀␀␀␀| [5A] . 00 00 00 00 |␀␀␀␀| [5B] . 00 00 00 00 |␀␀␀␀| [5C] . 00 00 00 00 |␀␀␀␀| [5D] . 00 00 00 00 |␀␀␀␀| [5E] . 00 00 00 00 |␀␀␀␀| [5F] . 00 00 00 00 |␀␀␀␀| [60] . 00 00 00 00 |␀␀␀␀| [61] . 00 00 00 00 |␀␀␀␀| [62] . 00 00 00 00 |␀␀␀␀| [63] . 00 00 00 00 |␀␀␀␀| [64] . 00 00 00 00 |␀␀␀␀| [65] . 00 00 00 00 |␀␀␀␀| [66] . 00 00 00 00 |␀␀␀␀| [67] . 00 00 00 00 |␀␀␀␀| [68] . 00 00 00 00 |␀␀␀␀| [69] . 00 00 00 00 |␀␀␀␀| [6A] . 00 00 00 00 |␀␀␀␀| [6B] . 00 00 00 00 |␀␀␀␀| [6C] . 00 00 00 00 |␀␀␀␀| [6D] . 00 00 00 00 |␀␀␀␀| [6E] . 00 00 00 00 |␀␀␀␀| [6F] . 00 00 00 00 |␀␀␀␀| [70] . 00 00 00 00 |␀␀␀␀| [71] . 00 00 00 00 |␀␀␀␀| [72] . 00 00 00 00 |␀␀␀␀| [73] . 00 00 00 00 |␀␀␀␀| [74] . 00 00 00 00 |␀␀␀␀| [75] . 00 00 00 00 |␀␀␀␀| [76] . 00 00 00 00 |␀␀␀␀| [77] . 00 00 00 00 |␀␀␀␀| [78] . 00 00 00 00 |␀␀␀␀| [79] . 00 00 00 00 |␀␀␀␀| [7A] . 00 00 00 00 |␀␀␀␀| [7B] . 00 00 00 00 |␀␀␀␀| [7C] . 00 00 00 00 |␀␀␀␀| [7D] . 00 00 00 00 |␀␀␀␀| [7E] . 00 00 00 00 |␀␀␀␀| [7F] . 00 00 00 00 |␀␀␀␀| [80] . 00 00 00 00 |␀␀␀␀| [81] . 00 00 00 00 |␀␀␀␀| [82] . 00 00 00 00 |␀␀␀␀| [83] . 00 00 00 00 |␀␀␀␀| [84] . 00 00 00 00 |␀␀␀␀| [85] . 00 00 00 00 |␀␀␀␀| [86] . 00 00 00 00 |␀␀␀␀| [87] . 00 00 00 00 |␀␀␀␀| [88] . 00 00 00 00 |␀␀␀␀| [89] . 00 00 00 00 |␀␀␀␀| [8A] . 00 00 00 00 |␀␀␀␀| [8B] . 00 00 00 00 |␀␀␀␀| [8C] . 00 00 00 00 |␀␀␀␀| [8D] . 00 00 00 00 |␀␀␀␀| [8E] . 00 00 00 00 |␀␀␀␀| [8F] . 00 00 00 00 |␀␀␀␀| [90] . 00 00 00 00 |␀␀␀␀| [91] . 00 00 00 00 |␀␀␀␀| [92] . 00 00 00 00 |␀␀␀␀| [93] . 00 00 00 00 |␀␀␀␀| [94] . 00 00 00 00 |␀␀␀␀| [95] . 00 00 00 00 |␀␀␀␀| [96] . 00 00 00 00 |␀␀␀␀| [97] . 00 00 00 00 |␀␀␀␀| [98] . 00 00 00 00 |␀␀␀␀| [99] . 00 00 00 00 |␀␀␀␀| [9A] . 00 00 00 00 |␀␀␀␀| [9B] . 00 00 00 00 |␀␀␀␀| [9C] . 00 00 00 00 |␀␀␀␀| [9D] . 00 00 00 00 |␀␀␀␀| [9E] . 00 00 00 00 |␀␀␀␀| [9F] . 00 00 00 00 |␀␀␀␀| [A0] . 00 00 00 00 |␀␀␀␀| [A1] . 00 00 00 00 |␀␀␀␀| [A2] . 00 00 00 00 |␀␀␀␀| [A3] . 00 00 00 00 |␀␀␀␀| [A4] . 00 00 00 00 |␀␀␀␀| [A5] . 00 00 00 00 |␀␀␀␀| [A6] . 00 00 00 00 |␀␀␀␀| [A7] . 00 00 00 00 |␀␀␀␀| [A8] . 00 00 00 00 |␀␀␀␀| [A9] . 00 00 00 00 |␀␀␀␀| [AA] . 00 00 00 00 |␀␀␀␀| [AB] . 00 00 00 00 |␀␀␀␀| [AC] . 00 00 00 00 |␀␀␀␀| [AD] . 00 00 00 00 |␀␀␀␀| [AE] . 00 00 00 00 |␀␀␀␀| [AF] . 00 00 00 00 |␀␀␀␀| [B0] . 00 00 00 00 |␀␀␀␀| [B1] . 00 00 00 00 |␀␀␀␀| [B2] . 00 00 00 00 |␀␀␀␀| [B3] . 00 00 00 00 |␀␀␀␀| [B4] . 00 00 00 00 |␀␀␀␀| [B5] . 00 00 00 00 |␀␀␀␀| [B6] . 00 00 00 00 |␀␀␀␀| [B7] . 00 00 00 00 |␀␀␀␀| [B8] . 00 00 00 00 |␀␀␀␀| [B9] . 00 00 00 00 |␀␀␀␀| [BA] . 00 00 00 00 |␀␀␀␀| [BB] . 00 00 00 00 |␀␀␀␀| [BC] . 00 00 00 00 |␀␀␀␀| [BD] . 00 00 00 00 |␀␀␀␀| [BE] . 00 00 00 00 |␀␀␀␀| [BF] . 00 00 00 00 |␀␀␀␀| [C0] . 00 00 00 00 |␀␀␀␀| [C1] . 00 00 00 00 |␀␀␀␀| [C2] . 00 00 00 00 |␀␀␀␀| [C3] . 00 00 00 00 |␀␀␀␀| [C4] . 00 00 00 00 |␀␀␀␀| [C5] . 00 00 00 00 |␀␀␀␀| [C6] . 00 00 00 00 |␀␀␀␀| [C7] . 00 00 00 00 |␀␀␀␀| [C8] . 00 00 00 00 |␀␀␀␀| [C9] . 00 00 00 00 |␀␀␀␀| [CA] . 00 00 00 00 |␀␀␀␀| [CB] . 00 00 00 00 |␀␀␀␀| [CC] . 00 00 00 00 |␀␀␀␀| [CD] . 00 00 00 00 |␀␀␀␀| [CE] . 00 00 00 00 |␀␀␀␀| [CF] . 00 00 00 00 |␀␀␀␀| [D0] . 00 00 00 00 |␀␀␀␀| [D1] . 00 00 00 00 |␀␀␀␀| [D2] . 00 00 00 00 |␀␀␀␀| [D3] . 00 00 00 00 |␀␀␀␀| [D4] . 00 00 00 00 |␀␀␀␀| [D5] . 00 00 00 00 |␀␀␀␀| [D6] . 00 00 00 00 |␀␀␀␀| [D7] . 00 00 00 00 |␀␀␀␀| [D8] . 00 00 00 00 |␀␀␀␀| [D9] . 00 00 00 00 |␀␀␀␀| [DA] . 00 00 00 00 |␀␀␀␀| [DB] . 00 00 00 00 |␀␀␀␀| [DC] . 00 00 00 00 |␀␀␀␀| [DD] . 00 00 00 00 |␀␀␀␀| [DE] . 00 00 00 00 |␀␀␀␀| [DF] . 00 00 00 00 |␀␀␀␀| [E0] . 00 00 00 00 |␀␀␀␀| [E1] .r 00 00 00 00 |␀␀␀␀| [E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK) [E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0) [E4] .r 00 05 -- -- (ACCESS) [E5] +P XX XX XX XX (PWD0-PWD3) [E6] +P XX XX -- -- (PACK0-PACK1) *:locked & blocked, x:locked, +:blocked, .:un(b)locked, ?:unknown r:readable (write-protected), p:password protected, -:write-only P:password protected write-only --------------------------------------