It’s more than tarpitting: even if you instruct the PM3 to wait several seconds, nothing comes back. But yeah, I thought the chip might just go silent when a bad password is supplied.
Okay, it’s a bit more complicated than that. Here’s what happened:
Strictly speaking, initially, PWD_AUTH went silent on tags with which I got “transceive failed” with the Dangerous NFC app (didn’t get no “tag lost” though) and worked as it should on those tags that went through ok (i.e. I’d get the “DT” PACK back, and then I could do stuff to the password protected pages).
The transceive-failed-and-silent-pwd-auth issue has happened with 2 bullseyes and 1 KSEC NTAG-216 card. The “survivor” tags were 2 bullseyes.
On the two survivors, I manually set the PACK to 0x0000 (after authenticating to the chip). No problems. I manually tried PWD_AUTH on them after changing the PACK, and 0x0000 came back. So far so good.
And then - and that’s when it gets more complicated - I used TagWriter to change the password back to 0xFFFFFFFF from the 0x41424344 I had set in the Dangerous NFC app, which went fine. Content that I had de-passworded my survivor tags, I then went to bed.
The next morning, for shits and giggles, I tried to issue a 1B FF FF FF FF command with my PM3 on the two survivors and… nothing. Same thing with NFC Shell. And TagWriter now tells me it can’t change the password because “parts of the tag are protected”.
I very much doubt TagWriter set a secret password instead of the FFFFFFFF I requested, so I assume whatever happened immediately to the 3 fucked up tags when running the Dangerous NFC app happened later to the 2 survivors. Or said another way, the 3 fucked up tags got weirded out immediately when using the Dangerous NFC tag, but the survivors were also in some undefined state and finally went loco when I used TagWriter on them.