Dangerous NFC app issues

yeah no… this is odd… and I have no idea what might have done this. I will communicate this along with the other info to NXP and see if they have any ideas.

Yeah okay.

I’m of the same opinion as you: logically, the most likely cause of this should be something setting up the tag before the DT app has a go at it.

But it’s just not possible: I force-stopped all the apps that would have had any remote chance of messing things up, and I did not do anything at all before with those tags.

In fact, I specifically pulled them out of the box to use them for tracing, after I realized the PM3’s sim function wasn’t cutting it: I pulled them out and presented them to the DT app straightaway for that very purpose.

So I’m not discounting something funny happening with the BD value written incorrectly in E2.

Also, bear in mind that the two survivors worked, and then stopped working later on. They weren’t setup before the DT app, obviously. Only Tagwriter touched them after the DT app.

In fact, the “transceive failed” trace I posted yesterday was done with a totally unused tag. I’m 100% sure of that one.


Ok I’ve emailed NXP with all the relevant info. We’ll see.

I just have to discount this based on the literally thousands of tags that this has been done to in the past with nothing like this happening ever… including bullseye tags.

We can dive into the survivors that failed later tomorrow… for now though could you post the full taginfo for one of those that was ok then failed?

Ultimately the only common denominator is you / your phone… I don’t want to collapse it down to that, but it hardly makes sense otherwise. Did you do anything to them with the pm3 before going to the phone?

This also seems silly, but what version of DNFC are you using?

Change Log:
v1.0.3 - updated copy on main screen
v1.0.2 - alternate keyboard compatibility fix
v1.0.1 - bug fix
v1.0 - initial release

** TagInfo scan (version 4.24.6) 2020-08-03 08:20:32 **
Report Type: External

-- IC INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG216

-- NDEF ------------------------------

# No NDEF data storage populated:

-- EXTRA ------------------------------

# Memory size:
888 bytes user memory
* 222 pages, with 4 bytes per page

# IC detailed information:
Full product name: NT2H1611G0DUx
Capacitance: 50 pF

# Version information:
Vendor ID: NXP (0x04)
Type: NTAG (0x04)
Subtype: 50 pF (0x02)
Major version: 1 (0x01)
Minor version: V0 (0x00)
Storage size: 888 bytes (0x13)
Protocol: ISO/IEC 14443-3 (0x03)

# Configuration information:
ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation enabled

# Originality check:
Signature verified with NXP public key
ECDSA signature:
* r: 0xDC3F76F86683AF4F6893847C518FB8EB
* s: 0x8E88A2B45855BB352DB92F15D38E7FB3

-- FULL SCAN ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.NdefFormatable]
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
No MIFARE Classic support present in Android

# Detailed protocol information:
ID: 04:04:80:2A:1A:4E:81
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:04:80 08 (UID0-UID2, BCC0)
[01] *  2A:1A:4E:81 (UID3-UID6)
[02] .  FF 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  E1:10:6D:00 (OTP0-OTP3)
[04] .  00 00 00 00 |␀␀␀␀|
[05] .  00 00 00 00 |␀␀␀␀|
[06] .  00 00 00 00 |␀␀␀␀|
[07] .  00 00 00 00 |␀␀␀␀|
[08] .  00 00 00 00 |␀␀␀␀|
[09] .  00 00 00 00 |␀␀␀␀|
[0A] .  00 00 00 00 |␀␀␀␀|
[0B] .  00 00 00 00 |␀␀␀␀|
[0C] .  00 00 00 00 |␀␀␀␀|
[0D] .  00 00 00 00 |␀␀␀␀|
[0E] .  00 00 00 00 |␀␀␀␀|
[0F] .  00 00 00 00 |␀␀␀␀|
[10] .  00 00 00 00 |␀␀␀␀|
[11] .  00 00 00 00 |␀␀␀␀|
[12] .  00 00 00 00 |␀␀␀␀|
[13] .  00 00 00 00 |␀␀␀␀|
[14] .  00 00 00 00 |␀␀␀␀|
[15] .  00 00 00 00 |␀␀␀␀|
[16] .  00 00 00 00 |␀␀␀␀|
[17] .  00 00 00 00 |␀␀␀␀|
[18] .  00 00 00 00 |␀␀␀␀|
[19] .  00 00 00 00 |␀␀␀␀|
[1A] .  00 00 00 00 |␀␀␀␀|
[1B] .  00 00 00 00 |␀␀␀␀|
[1C] .  00 00 00 00 |␀␀␀␀|
[1D] .  00 00 00 00 |␀␀␀␀|
[1E] .  00 00 00 00 |␀␀␀␀|
[1F] .  00 00 00 00 |␀␀␀␀|
[20] .  00 00 00 00 |␀␀␀␀|
[21] .  00 00 00 00 |␀␀␀␀|
[22] .  00 00 00 00 |␀␀␀␀|
[23] .  00 00 00 00 |␀␀␀␀|
[24] .  00 00 00 00 |␀␀␀␀|
[25] .  00 00 00 00 |␀␀␀␀|
[26] .  00 00 00 00 |␀␀␀␀|
[27] .  00 00 00 00 |␀␀␀␀|
[28] .  00 00 00 00 |␀␀␀␀|
[29] .  00 00 00 00 |␀␀␀␀|
[2A] .  00 00 00 00 |␀␀␀␀|
[2B] .  00 00 00 00 |␀␀␀␀|
[2C] .  00 00 00 00 |␀␀␀␀|
[2D] .  00 00 00 00 |␀␀␀␀|
[2E] .  00 00 00 00 |␀␀␀␀|
[2F] .  00 00 00 00 |␀␀␀␀|
[30] .  00 00 00 00 |␀␀␀␀|
[31] .  00 00 00 00 |␀␀␀␀|
[32] .  00 00 00 00 |␀␀␀␀|
[33] .  00 00 00 00 |␀␀␀␀|
[34] .  00 00 00 00 |␀␀␀␀|
[35] .  00 00 00 00 |␀␀␀␀|
[36] .  00 00 00 00 |␀␀␀␀|
[37] .  00 00 00 00 |␀␀␀␀|
[38] .  00 00 00 00 |␀␀␀␀|
[39] .  00 00 00 00 |␀␀␀␀|
[3A] .  00 00 00 00 |␀␀␀␀|
[3B] .  00 00 00 00 |␀␀␀␀|
[3C] .  00 00 00 00 |␀␀␀␀|
[3D] .  00 00 00 00 |␀␀␀␀|
[3E] .  00 00 00 00 |␀␀␀␀|
[3F] .  00 00 00 00 |␀␀␀␀|
[40] .  00 00 00 00 |␀␀␀␀|
[41] .  00 00 00 00 |␀␀␀␀|
[42] .  00 00 00 00 |␀␀␀␀|
[43] .  00 00 00 00 |␀␀␀␀|
[44] .  00 00 00 00 |␀␀␀␀|
[45] .  00 00 00 00 |␀␀␀␀|
[46] .  00 00 00 00 |␀␀␀␀|
[47] .  00 00 00 00 |␀␀␀␀|
[48] .  00 00 00 00 |␀␀␀␀|
[49] .  00 00 00 00 |␀␀␀␀|
[4A] .  00 00 00 00 |␀␀␀␀|
[4B] .  00 00 00 00 |␀␀␀␀|
[4C] .  00 00 00 00 |␀␀␀␀|
[4D] .  00 00 00 00 |␀␀␀␀|
[4E] .  00 00 00 00 |␀␀␀␀|
[4F] .  00 00 00 00 |␀␀␀␀|
[50] .  00 00 00 00 |␀␀␀␀|
[51] .  00 00 00 00 |␀␀␀␀|
[52] .  00 00 00 00 |␀␀␀␀|
[53] .  00 00 00 00 |␀␀␀␀|
[54] .  00 00 00 00 |␀␀␀␀|
[55] .  00 00 00 00 |␀␀␀␀|
[56] .  00 00 00 00 |␀␀␀␀|
[57] .  00 00 00 00 |␀␀␀␀|
[58] .  00 00 00 00 |␀␀␀␀|
[59] .  00 00 00 00 |␀␀␀␀|
[5A] .  00 00 00 00 |␀␀␀␀|
[5B] .  00 00 00 00 |␀␀␀␀|
[5C] .  00 00 00 00 |␀␀␀␀|
[5D] .  00 00 00 00 |␀␀␀␀|
[5E] .  00 00 00 00 |␀␀␀␀|
[5F] .  00 00 00 00 |␀␀␀␀|
[60] .  00 00 00 00 |␀␀␀␀|
[61] .  00 00 00 00 |␀␀␀␀|
[62] .  00 00 00 00 |␀␀␀␀|
[63] .  00 00 00 00 |␀␀␀␀|
[64] .  00 00 00 00 |␀␀␀␀|
[65] .  00 00 00 00 |␀␀␀␀|
[66] .  00 00 00 00 |␀␀␀␀|
[67] .  00 00 00 00 |␀␀␀␀|
[68] .  00 00 00 00 |␀␀␀␀|
[69] .  00 00 00 00 |␀␀␀␀|
[6A] .  00 00 00 00 |␀␀␀␀|
[6B] .  00 00 00 00 |␀␀␀␀|
[6C] .  00 00 00 00 |␀␀␀␀|
[6D] .  00 00 00 00 |␀␀␀␀|
[6E] .  00 00 00 00 |␀␀␀␀|
[6F] .  00 00 00 00 |␀␀␀␀|
[70] .  00 00 00 00 |␀␀␀␀|
[71] .  00 00 00 00 |␀␀␀␀|
[72] .  00 00 00 00 |␀␀␀␀|
[73] .  00 00 00 00 |␀␀␀␀|
[74] .  00 00 00 00 |␀␀␀␀|
[75] .  00 00 00 00 |␀␀␀␀|
[76] .  00 00 00 00 |␀␀␀␀|
[77] .  00 00 00 00 |␀␀␀␀|
[78] .  00 00 00 00 |␀␀␀␀|
[79] .  00 00 00 00 |␀␀␀␀|
[7A] .  00 00 00 00 |␀␀␀␀|
[7B] .  00 00 00 00 |␀␀␀␀|
[7C] .  00 00 00 00 |␀␀␀␀|
[7D] .  00 00 00 00 |␀␀␀␀|
[7E] .  00 00 00 00 |␀␀␀␀|
[7F] .  00 00 00 00 |␀␀␀␀|
[80] .  00 00 00 00 |␀␀␀␀|
[81] .  00 00 00 00 |␀␀␀␀|
[82] .  00 00 00 00 |␀␀␀␀|
[83] .  00 00 00 00 |␀␀␀␀|
[84] .  00 00 00 00 |␀␀␀␀|
[85] .  00 00 00 00 |␀␀␀␀|
[86] .  00 00 00 00 |␀␀␀␀|
[87] .  00 00 00 00 |␀␀␀␀|
[88] .  00 00 00 00 |␀␀␀␀|
[89] .  00 00 00 00 |␀␀␀␀|
[8A] .  00 00 00 00 |␀␀␀␀|
[8B] .  00 00 00 00 |␀␀␀␀|
[8C] .  00 00 00 00 |␀␀␀␀|
[8D] .  00 00 00 00 |␀␀␀␀|
[8E] .  00 00 00 00 |␀␀␀␀|
[8F] .  00 00 00 00 |␀␀␀␀|
[90] .  00 00 00 00 |␀␀␀␀|
[91] .  00 00 00 00 |␀␀␀␀|
[92] .  00 00 00 00 |␀␀␀␀|
[93] .  00 00 00 00 |␀␀␀␀|
[94] .  00 00 00 00 |␀␀␀␀|
[95] .  00 00 00 00 |␀␀␀␀|
[96] .  00 00 00 00 |␀␀␀␀|
[97] .  00 00 00 00 |␀␀␀␀|
[98] .  00 00 00 00 |␀␀␀␀|
[99] .  00 00 00 00 |␀␀␀␀|
[9A] .  00 00 00 00 |␀␀␀␀|
[9B] .  00 00 00 00 |␀␀␀␀|
[9C] .  00 00 00 00 |␀␀␀␀|
[9D] .  00 00 00 00 |␀␀␀␀|
[9E] .  00 00 00 00 |␀␀␀␀|
[9F] .  00 00 00 00 |␀␀␀␀|
[A0] .  00 00 00 00 |␀␀␀␀|
[A1] .  00 00 00 00 |␀␀␀␀|
[A2] .  00 00 00 00 |␀␀␀␀|
[A3] .  00 00 00 00 |␀␀␀␀|
[A4] .  00 00 00 00 |␀␀␀␀|
[A5] .  00 00 00 00 |␀␀␀␀|
[A6] .  00 00 00 00 |␀␀␀␀|
[A7] .  00 00 00 00 |␀␀␀␀|
[A8] .  00 00 00 00 |␀␀␀␀|
[A9] .  00 00 00 00 |␀␀␀␀|
[AA] .  00 00 00 00 |␀␀␀␀|
[AB] .  00 00 00 00 |␀␀␀␀|
[AC] .  00 00 00 00 |␀␀␀␀|
[AD] .  00 00 00 00 |␀␀␀␀|
[AE] .  00 00 00 00 |␀␀␀␀|
[AF] .  00 00 00 00 |␀␀␀␀|
[B0] .  00 00 00 00 |␀␀␀␀|
[B1] .  00 00 00 00 |␀␀␀␀|
[B2] .  00 00 00 00 |␀␀␀␀|
[B3] .  00 00 00 00 |␀␀␀␀|
[B4] .  00 00 00 00 |␀␀␀␀|
[B5] .  00 00 00 00 |␀␀␀␀|
[B6] .  00 00 00 00 |␀␀␀␀|
[B7] .  00 00 00 00 |␀␀␀␀|
[B8] .  00 00 00 00 |␀␀␀␀|
[B9] .  00 00 00 00 |␀␀␀␀|
[BA] .  00 00 00 00 |␀␀␀␀|
[BB] .  00 00 00 00 |␀␀␀␀|
[BC] .  00 00 00 00 |␀␀␀␀|
[BD] .  00 00 00 00 |␀␀␀␀|
[BE] .  00 00 00 00 |␀␀␀␀|
[BF] .  00 00 00 00 |␀␀␀␀|
[C0] .  00 00 00 00 |␀␀␀␀|
[C1] .  00 00 00 00 |␀␀␀␀|
[C2] .  00 00 00 00 |␀␀␀␀|
[C3] .  00 00 00 00 |␀␀␀␀|
[C4] .  00 00 00 00 |␀␀␀␀|
[C5] .  00 00 00 00 |␀␀␀␀|
[C6] .  00 00 00 00 |␀␀␀␀|
[C7] .  00 00 00 00 |␀␀␀␀|
[C8] .  00 00 00 00 |␀␀␀␀|
[C9] .  00 00 00 00 |␀␀␀␀|
[CA] .  00 00 00 00 |␀␀␀␀|
[CB] .  00 00 00 00 |␀␀␀␀|
[CC] .  00 00 00 00 |␀␀␀␀|
[CD] .  00 00 00 00 |␀␀␀␀|
[CE] .  00 00 00 00 |␀␀␀␀|
[CF] .  00 00 00 00 |␀␀␀␀|
[D0] .  00 00 00 00 |␀␀␀␀|
[D1] .  00 00 00 00 |␀␀␀␀|
[D2] .  00 00 00 00 |␀␀␀␀|
[D3] .  00 00 00 00 |␀␀␀␀|
[D4] .  00 00 00 00 |␀␀␀␀|
[D5] .  00 00 00 00 |␀␀␀␀|
[D6] .  00 00 00 00 |␀␀␀␀|
[D7] .  00 00 00 00 |␀␀␀␀|
[D8] .  00 00 00 00 |␀␀␀␀|
[D9] .  00 00 00 00 |␀␀␀␀|
[DA] .  00 00 00 00 |␀␀␀␀|
[DB] .  00 00 00 00 |␀␀␀␀|
[DC] .  00 00 00 00 |␀␀␀␀|
[DD] .  00 00 00 00 |␀␀␀␀|
[DE] .  00 00 00 00 |␀␀␀␀|
[DF] .  00 00 00 00 |␀␀␀␀|
[E0] .  00 00 00 00 |␀␀␀␀|
[E1] .r 00 00 00 00 |␀␀␀␀|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------

Phones - I tried with two phones with vastly different Android versions (9 for one, 5 for the other). The second one is a hacking phone: it had nothing on it apart from Tagwriter and the DT app.

Must be me then - bad vibes from yours truly :slight_smile:

I literally did the following, step by step:

  • Pull the strip of tags out of the box, cut one tag off the strip
  • Put the PM3 in 14a-sniff mode
  • Put the tag on the PM3
  • Started the DT app, entered ABCD in the password
  • Slapped the phone onto the tag on the PM3 (DT app reported “transceive failed”)
  • Stopped the sniffing on the PM3 and saved it - the relevant excerpt of which I posted above.

It’s not so much that I’m the common denominator, I think it’s more like I’m possibly the first one who’s paranoid and OCD enough to have a close look on test tags before running the app on my valuable doNExT.

I bet you anything there are plenty of implants that don’t answer to PWD_AUTH out there, with the DT app having reported an error, but people ignored it because, ultimately, nobody gives a flying fuck and it works fine to store and read NDEFs.

It would be interesting to code a diagnostics app and ask the forum dwellers who used the DT app to run it on their implant, don’t you think? Or simply ask them to do a Taginfo and report if they see E1 in AUTH0. That’s easy enough to do.

And as a suggestion for the next version of the DT app, it should check that it can do what it intends to do first and report if there’s something amiss.

v1.1.0. I downloaded it from Aptoide, as I don’t have a Google account and can’t access the Google Play Store - for reasons obvious to anybody who knows me :slight_smile:
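An added example, not code from the thread, from Dangerous Things or from NXP: a small Python decoder for the NTAG21x configuration pages as TagInfo prints them, fed with the six configuration lines from the dump above. It answers the question the "diagnostics app" idea is about (is AUTH0 set, from which page, write-only or read/write, is AUTHLIM non-zero, are dynamic lock bits set) using the CFG0/CFG1 bit layout from the NTAG21x datasheet; the page addresses for NTAG213/215 come from the same datasheet. The dataclass, function names and the wording of the verdicts are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# First page of the 5-page configuration area (dynamic lock, CFG0, CFG1, PWD,
# PACK) and the last user-memory page, per the NTAG21x datasheet.
CONFIG_BASE = {"NTAG213": 0x28, "NTAG215": 0x82, "NTAG216": 0xE2}
LAST_USER_PAGE = {"NTAG213": 0x27, "NTAG215": 0x81, "NTAG216": 0xE1}

# "[E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0)" -> page 0xE3, bytes 04 00 00 E1.
# TagInfo prints XX for write-only bytes and -- for unreadable ones: both -> None.
TAGINFO_LINE = re.compile(
    r"^\[([0-9A-Fa-f]{2})\]\s+\S+\s+([0-9A-Fa-fX-]{2}(?:[ :][0-9A-Fa-fX-]{2}){3})")


def parse_taginfo_memory(text: str) -> Dict[int, tuple]:
    """Page number -> 4-tuple of byte values (None where TagInfo could not read)."""
    pages: Dict[int, tuple] = {}
    for line in text.splitlines():
        m = TAGINFO_LINE.match(line.strip())
        if not m:
            continue
        tokens = re.split(r"[ :]", m.group(2))
        pages[int(m.group(1), 16)] = tuple(
            None if t in ("XX", "--") else int(t, 16) for t in tokens)
    return pages


@dataclass
class Ntag21xConfig:
    ic: str
    dynamic_lock: bytes        # bytes 0-2 of the dynamic lock page; non-zero = pages locked
    mirror_conf: int           # MIRROR_CONF: 0 none, 1 UID, 2 NFC counter, 3 both
    strong_modulation: bool    # STRG_MOD_EN
    mirror_page: int
    auth0: int                 # first page for which PWD_AUTH is required
    prot_read_and_write: bool  # PROT: False = writes only, True = reads and writes
    cfglck: bool               # CFGLCK: configuration permanently locked
    nfc_counter: bool          # NFC_CNT_EN
    counter_pwd_protected: bool
    authlim: int               # 0 = unlimited wrong-password attempts
    vctid: int                 # virtual card type identifier, 0x05 from the factory

    @property
    def password_protection_active(self) -> bool:
        # An AUTH0 above the PACK page disables password protection entirely.
        return self.auth0 <= CONFIG_BASE[self.ic] + 4

    def protected_pages(self) -> range:
        if not self.password_protection_active:
            return range(0)
        return range(self.auth0, CONFIG_BASE[self.ic] + 5)

    def protected_user_pages(self) -> range:
        last, start = LAST_USER_PAGE[self.ic], max(self.auth0, 4)
        if not self.password_protection_active or start > last:
            return range(0)
        return range(start, last + 1)


def decode_config(pages: Dict[int, tuple], ic: str = "NTAG216") -> Ntag21xConfig:
    base = CONFIG_BASE[ic]
    try:
        lock, cfg0, cfg1 = pages[base], pages[base + 1], pages[base + 2]
    except KeyError as e:
        raise ValueError(f"dump lacks configuration page {e.args[0]:02X}") from None
    if any(b is None for b in (*lock[:3], cfg0[0], cfg0[2], cfg0[3], cfg1[0], cfg1[1])):
        raise ValueError("configuration pages are not readable in this dump")
    mirror, access = cfg0[0], cfg1[0]
    return Ntag21xConfig(
        ic=ic, dynamic_lock=bytes(lock[:3]),
        mirror_conf=(mirror >> 6) & 0x3, strong_modulation=bool(mirror & 0x04),
        mirror_page=cfg0[2], auth0=cfg0[3],
        prot_read_and_write=bool(access & 0x80), cfglck=bool(access & 0x40),
        nfc_counter=bool(access & 0x10), counter_pwd_protected=bool(access & 0x08),
        authlim=access & 0x07, vctid=cfg1[1])


def describe(cfg: Ntag21xConfig) -> List[str]:
    """Human-readable verdict, the kind of thing a diagnostics app would show."""
    out = []
    if cfg.password_protection_active:
        kind = "read and write" if cfg.prot_read_and_write else "write"
        out.append(f"PWD_AUTH required for {kind} access from page {cfg.auth0:02X}")
        n = len(cfg.protected_user_pages())
        out.append(f"{n} user page(s) affected" if n else "user memory unaffected, only config pages")
    else:
        out.append("password protection disabled (AUTH0 past the last config page)")
    out.append("unlimited wrong-password attempts" if cfg.authlim == 0
               else f"AUTHLIM={cfg.authlim}: password locks out after that many failures")
    if cfg.dynamic_lock != b"\x00\x00\x00":
        out.append(f"dynamic lock bits set: {cfg.dynamic_lock.hex()}")
    if cfg.cfglck:
        out.append("CFGLCK set: configuration is permanently locked")
    return out


# The six configuration lines copied from the TagInfo dump posted above.
SAMPLE_DUMP = """\
[E1] .r 00 00 00 00 |....|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 E1 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX -- -- (PACK0-PACK1)
"""

if __name__ == "__main__":
    for line in describe(decode_config(parse_taginfo_memory(SAMPLE_DUMP))):
        print(line)
```

On the dump above this reports write-only protection starting at page E1, i.e. only the last user page and the configuration pages need the password, with no attempt limit. That is exactly why the brute force later in the thread was possible at all: with AUTHLIM non-zero the same attempt would have locked the password for good.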

Well, amazingly enough, I managed to brute-force the password of one of my failed bullseyes! Didn’t think it’d work. Running a few more tests here, I’ll try to brute-force the 2 other fucked-up tags, and I’ll report back (and post the brute-forcing script).


Right. So…

First of all, before I go any further: FUCK TAGWRITER WITH A BROOMSTICK. More on that later.

Secondly: I recovered access to all my fucked-up tags - those that were fucked up right off the bat, and those that were fucked up after Tagwriter went over it. The password was 12345678 in all of them. No idea why or where that password comes from. But it doesn’t come from Tagwriter.

I’m still convinced the chips were (or still are and I’m claiming victory too soon?) weirded out by the DT app’s writing BD in E2, simply because unless they were programmed like that from the factory, which is virtually impossible, I did nothing else but run the DT app on them to fuck them up - or rather, set that password somehow. So, that’s pretty clear.

But at least the chips were not dead. They just silently refused to answer if the wrong password was supplied. Another thing I learned incidentally: when you supply the wrong password, they go to HALT on their own. You need to turn off the field and re-select if you want to try again.

Now then, why should Tagwriter be fucked with a broomstick:

Reason #1: when you ask it to set the password, it sets the password, but also a whole bunch of other stuff without telling you - particularly the dynamic lock bits. Who the hell told Tagwriter to do that? Jesus H. Christ on a spit! The E1 value in AUTH0 comes from it also.

Reason #2: when you ask it to “remove the password”, it does NOT set the password to FFFFFFFF, as I assumed. What it does in fact is authenticate with whatever password you supply, then goof around with the dynamic lock bits, but it leaves the password in place.

It even tells you so when it's done doing its thing: it says "Password protection removed". Notice the subtle difference: the password protection is removed, but not the password itself, as the drop-down menu selection suggests.

Best guess: they didn’t have enough characters in the drop-down menu, so instead of calling the option “Remove password protection”, they shortened it to “Remove password”. Confusing as hell!

Anyhow, that’s what I was able to find out. I’m still not confident using the DT app on my doNExT, because that 12345678 password cannot come from anywhere else but something goofy happening as a result of running the DT app. But at least there’s a way to recover the chips. At least until I go to bed and try again tomorrow and it doesn’t work once more :slight_smile:

Here’s the script to brute-force the password, if you need it. It’s a Python script that drives the Proxmark3 client (easier and more flexible than a Lua script):

#!/usr/bin/python3
"""Dictionary / brute-force PWD_AUTH against an NTAG21x by driving the Proxmark3
client interactively. Only sensible when AUTHLIM is 0 (TagInfo: "No limit on
wrong password attempts"): with AUTHLIM set, the failed attempts lock the tag."""

### Parameters
pm3_client = "/usr/local/bin/proxmark3"
pm3_dev_file = "/dev/ttyACM0"


### Modules
import os
import re
import sys
from pty import openpty
from subprocess import Popen, DEVNULL, PIPE


# "Obvious" passwords dictionary: single nibbles, repeated nibbles, runs
pwd_dict = (
0x00000001, 0x00000010, 0x00000100, 0x00001000, 0x00010000, 0x00100000,
0x01000000, 0x10000000, 0x00000002, 0x00000020, 0x00000200, 0x00002000,
0x00020000, 0x00200000, 0x02000000, 0x20000000, 0x00000003, 0x00000030,
0x00000300, 0x00003000, 0x00030000, 0x00300000, 0x03000000, 0x30000000,
0x00000004, 0x00000040, 0x00000400, 0x00004000, 0x00040000, 0x00400000,
0x04000000, 0x40000000, 0x00000005, 0x00000050, 0x00000500, 0x00005000,
0x00050000, 0x00500000, 0x05000000, 0x50000000, 0x00000006, 0x00000060,
0x00000600, 0x00006000, 0x00060000, 0x00600000, 0x06000000, 0x60000000,
0x00000007, 0x00000070, 0x00000700, 0x00007000, 0x00070000, 0x00700000,
0x07000000, 0x70000000, 0x00000008, 0x00000080, 0x00000800, 0x00008000,
0x00080000, 0x00800000, 0x08000000, 0x80000000, 0x00000009, 0x00000090,
0x00000900, 0x00009000, 0x00090000, 0x00900000, 0x09000000, 0x90000000,
0x0000000a, 0x000000a0, 0x00000a00, 0x0000a000, 0x000a0000, 0x00a00000,
0x0a000000, 0xa0000000, 0x0000000b, 0x000000b0, 0x00000b00, 0x0000b000,
0x000b0000, 0x00b00000, 0x0b000000, 0xb0000000, 0x0000000c, 0x000000c0,
0x00000c00, 0x0000c000, 0x000c0000, 0x00c00000, 0x0c000000, 0xc0000000,
0x0000000d, 0x000000d0, 0x00000d00, 0x0000d000, 0x000d0000, 0x00d00000,
0x0d000000, 0xd0000000, 0x0000000e, 0x000000e0, 0x00000e00, 0x0000e000,
0x000e0000, 0x00e00000, 0x0e000000, 0xe0000000, 0x0000000f, 0x000000f0,
0x00000f00, 0x0000f000, 0x000f0000, 0x00f00000, 0x0f000000, 0xf0000000,
0x00000000, 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555,
0x66666666, 0x77777777, 0x88888888, 0x99999999, 0xaaaaaaaa, 0xbbbbbbbb,
0xcccccccc, 0xdddddddd, 0xeeeeeeee, 0xffffffff, 0x12345678, 0x23456789,
0x3456789a, 0x456789ab, 0x56789abc, 0x6789abcd, 0x789abcde, 0x89abcdef,
0xfedcba98, 0xedcba987, 0xdcba9876, 0xcba98765, 0xba987654, 0xa9876543,
0x98765432, 0x87654321)


### Main routine
def main():
  """Main routine
  """

  # Possible Proxmark3 console prompts (original client and Iceman fork)
  pm3_prompts_regex = re.compile(r"^(proxmark3>|\[.*\] pm3 -->)$")

  # Console command to send PWD_AUTH (0x1B) to the NTAG: -c appends the CRC,
  # -s selects the tag first, which is needed because a failed PWD_AUTH
  # leaves the tag in HALT
  authcmd = "hf 14a raw -c -s 1b{pwd:08x}"

  # Create a PTY pair to fool the Proxmark3 client into working interactively
  pty_master, pty_slave = openpty()

  # Spawn the Proxmark3 client
  pm3_proc = Popen([pm3_client, pm3_dev_file], bufsize=0, env={},
                   stdin=pty_slave, stdout=PIPE, stderr=DEVNULL)

  # Start with the first password in the dictionary
  pwd_dict_i = 0
  pwd = pwd_dict[pwd_dict_i]

  # Interact with the Proxmark3 client
  recvbuf = ""
  expect_reply_bytes = 0

  try:
    while True:

      # Read whatever the client has printed; EOF means it died
      data = pm3_proc.stdout.read(256)
      if not data:
        sys.stdout.write("\nProxmark3 client exited\n")
        return -1

      # Split into lines. The prompt is not followed by a newline, so it is
      # flushed as a line as soon as the buffer matches it
      rlines = []
      for c in data.decode("ascii", errors="replace"):
        if c == "\n" or c == "\r":
          rlines.append(recvbuf)
          recvbuf = ""
          continue
        if len(recvbuf) < 256 and c.isprintable():
          recvbuf += c
        if pm3_prompts_regex.match(recvbuf):
          rlines.append(recvbuf)
          recvbuf = ""

      # Process the lines from the client
      for l in rlines:

        # If we detect a fatal error from the client, exit
        if re.search("(proxmark failed|offline|OFFLINE|unknown command)", l):
          return -1

        # Do we have a prompt?
        if pm3_prompts_regex.match(l):

          # Stop once the whole 32-bit key space has been tried
          if pwd > 0xffffffff:
            sys.stdout.write("PWD_AUTH unsuccessful\n")
            return 0

          # Issue another PWD_AUTH command
          os.write(pty_master, (authcmd.format(pwd=pwd) + "\r").encode("ascii"))

          # Inform the user (flush, or nothing shows until the buffer fills)
          sys.stdout.write("\rTrying password {:08x}... ".format(pwd))
          sys.stdout.flush()

          # Next password in the dictionary, then walk the rest of the key
          # space (2^32 values at a few tries per second is not realistic,
          # but it does no harm on an AUTHLIM=0 tag)
          if pwd_dict_i < len(pwd_dict) - 1:
            pwd_dict_i += 1
            pwd = pwd_dict[pwd_dict_i]

          elif pwd_dict_i == len(pwd_dict) - 1:
            pwd_dict_i += 1
            pwd = 0x00000000
            while pwd in pwd_dict:
              pwd += 1

          else:
            pwd += 1
            while pwd in pwd_dict:
              pwd += 1

        # Are we expecting 4 bytes (indicating a PACK + CRC was returned)?
        elif expect_reply_bytes == 4:

          # Pick the hex bytes out of the line whatever the client prefixes
          reply_bytes_ascii = re.findall(r"\b[0-9A-Fa-f]{2}\b", l)
          if len(reply_bytes_ascii) < 2:
            expect_reply_bytes = 0
            continue
          pack = (int(reply_bytes_ascii[0], 16) << 8) + \
                 int(reply_bytes_ascii[1], 16)

          sys.stdout.write("PWD_AUTH successful: PACK = {:04x}\n".format(pack))
          return 0

        else:

          # Did we get a "received x bytes" line? Anything other than 4 bytes
          # (typically a 1-byte NAK) means the password was wrong
          m = re.findall("received ([0-9]+) bytes", l)

          if m:
            expect_reply_bytes = int(m[0]) if int(m[0]) == 4 else 0

  finally:
    pm3_proc.terminate()
    os.close(pty_master)
    os.close(pty_slave)


### Jump to the main routine
if __name__ == "__main__":
  sys.exit(main())
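An added example, not from the thread and not the script above, that builds the same PWD_AUTH exchange by hand instead of going through the Proxmark3 client: the 1Bh frame with its ISO/IEC 14443-3 CRC_A (what the client's -c flag appends), the PACK reply check, and the dictionary loop run against a constructed NTAG21x model rather than a real tag. The model encodes two behaviours that matter for the attack: a wrong password drops the tag to HALT, so every attempt has to re-select (the observation made in the post above), and a non-zero AUTHLIM disables password authentication after that many failures (NTAG21x datasheet), so the loop refuses to burn the last allowed attempt. The model class, its single NAK code, its counter reset on success and the candidate order are assumptions of mine.

```python
from typing import Iterable, Iterator, Optional, Tuple

PWD_AUTH = 0x1B  # NTAG21x PWD_AUTH command code


def crc_a(data: bytes) -> bytes:
    """ISO/IEC 14443-3 CRC_A: init 0x6363, poly 0x8408, transmitted LSB first."""
    crc = 0x6363
    for b in data:
        b ^= crc & 0xFF
        b ^= (b << 4) & 0xFF
        crc = ((crc >> 8) ^ (b << 8) ^ (b << 3) ^ (b >> 4)) & 0xFFFF
    return bytes((crc & 0xFF, crc >> 8))


def pwd_auth_frame(pwd: int) -> bytes:
    """1Bh + 4-byte password + CRC_A: what 'hf 14a raw -c 1b<pwd>' puts on the air."""
    body = bytes((PWD_AUTH,)) + pwd.to_bytes(4, "big")
    return body + crc_a(body)


def parse_pwd_auth_reply(reply: bytes) -> Optional[int]:
    """16-bit PACK on success; None for a NAK (one byte), silence or a bad CRC."""
    if len(reply) != 4 or crc_a(reply[:2]) != reply[2:]:
        return None
    return int.from_bytes(reply[:2], "big")


class Ntag21xModel:
    """Constructed stand-in for a tag (not a driver): password, PACK, the AUTHLIM
    counter, and the HALT-after-failure behaviour reported in the thread."""

    def __init__(self, pwd: int, pack: int, authlim: int = 0):
        self.pwd, self.pack, self.authlim = pwd, pack, authlim
        self.failed = 0          # wrong-password counter (EEPROM on a real tag)
        self.selected = False

    def select(self) -> None:
        """REQA / anticollision / SELECT collapsed into one call."""
        self.selected = True

    def transceive(self, frame: bytes) -> bytes:
        if not self.selected:
            return b""           # HALT: the tag stays silent until re-selected
        if len(frame) != 7 or frame[0] != PWD_AUTH or crc_a(frame[:5]) != frame[5:]:
            return b"\x00"       # NAK (one code here; real tags distinguish several)
        if self.authlim and self.failed >= self.authlim:
            return b"\x00"       # limit reached: PWD_AUTH disabled permanently
        if int.from_bytes(frame[1:5], "big") != self.pwd:
            if self.authlim:
                self.failed += 1
            self.selected = False  # wrong password -> HALT, as observed above
            return b"\x00"
        self.failed = 0          # model choice: a successful auth clears the counter
        pack = self.pack.to_bytes(2, "big")
        return pack + crc_a(pack)


def obvious_candidates() -> Iterator[int]:
    """Same spirit as the wordlist in the script above, factory default first."""
    yield 0xFFFFFFFF             # NTAG21x default PWD from the factory
    yield 0x00000000
    for nibble in range(1, 15):  # 11111111 ... eeeeeeee
        yield int(f"{nibble:x}" * 8, 16)
    yield 0x12345678
    yield 0x87654321


def dictionary_attack(tag: Ntag21xModel, candidates: Iterable[int],
                      authlim: int = 0) -> Optional[Tuple[int, int]]:
    """Try candidates in order; (pwd, pack) on success, None otherwise.
    authlim is what CFG1/ACCESS says (0 = unlimited); the loop stops one
    failure short of the lockout rather than bricking the password."""
    failures = 0
    for pwd in candidates:
        if authlim and failures >= authlim - 1:
            return None
        tag.select()             # re-select every time: a failure left us in HALT
        pack = parse_pwd_auth_reply(tag.transceive(pwd_auth_frame(pwd)))
        if pack is not None:
            return pwd, pack
        failures += 1
    return None


if __name__ == "__main__":
    # Constructed tag set up the way the thread found the failed ones: PWD 12345678
    print(dictionary_attack(Ntag21xModel(pwd=0x12345678, pack=0x0000), obvious_candidates()))
```

Read the ACCESS byte (TagInfo's "No limit on wrong password attempts", or AUTHLIM in CFG1) before running anything like this against a tag you care about: the loop can only be polite about the limit if it is told what the limit is.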

I’m going to stand my ground on this one… it’s never been a problem before… but looking forward to your analysis.

To be honest, I’m (possibly - not sure yet) COVID-19-sick right now, so while I have time at home to do some analysis, that’s as much as I’m gonna do today - and probably for quite some time. I think I’ll put on a movie with Steven Seagal right now, to get a good night’s sleep instead. I haven’t found anything better than a movie with Steven Seagal to fall asleep in a hurry, apart from reading a couple of pages off the Book of Mormon.


Is it possible the bullseyes ship with the password set to 12345678 and that’s why the DT app fails?

At least that’s where my money is, either at factory or somewhere along the line.

Works in with Amal’s theory that the app isn’t really doing anything since it can’t authenticate, and explains the thousands of implants written with the data the app writes without issue.

rest-up

Nah. My KSEC-supplied tag was passworded 12345678 also. It was never touched by Amal - just the DT app.

insulted

hahah

Your words, not mine!

And hindsight makes idiots of us all haha


Hmmm, well I’ve tried nuffin and I’m all out of ideas!


Were there any more discoveries or progress made on this? Trying to figure out if I’m better off just running raw commands to protect my tag instead of the app.

Well, the short of it is this:

1/ the boss says it’s okay, he’s used the app a thousand times before without problems, and my tags were messed up from the get-go - which, I agree 100%, is completely logical and corroborated by the fact that it only happened with my tags.

2/ Conversely, I know I ran the app on two sets of NTAGs from two different sources straight out of the box, with two different cellphones from different brands with different Android versions, running nothing other than the app. So they couldn’t possibly have been passworded before the app touched them, and nothing on my cellphones could have passworded them. The password I brute-forced out of the tags, I had never seen before. Something set it, I have no idea what or when, but it wasn’t on my cellphones for sure, unless Android itself does that sort of thing, which is highly unlikely.

In other words, Amal knows it’s safe from prior use, and I know my test conditions were as clean as can be. Both logics are flawless and contradict each other perfectly.

Now you decide whether it’s safe :slight_smile:
