DT App - incomplete write?

I was just trying to use the app to secure a new xNT implant, and moving my phone to get the ‘sweet spot’ lined up, the app started to write while I was still moving the phone then I got an error that the tag was lost.

Reading the tag with NXP TagInfo, I can see that the lock bytes in address 03 were written but the stuff at e2 onwards was not.

The app won’t let me try again now as it says the lock bits are already altered.

So from what I can see, LOCK0 and LOCK1 were written but LOCK2 - LOCK4, the password, and the PACK bytes were not.

Here’s the lines in question from the TagInfo app:

02 * 51 48 0f 00
03 * e1 12 6d 00

e0 . 00 00 00 00
e1 . 00 00 00 00
e2 . 00 00 00 bd
e3 . 04 00 00 e2
e4 . 00 05 -- --
e5 +P xx xx xx xx
e6 +P xx xx -- --

How badly is this going to affect things? I’m guessing that technically those LOCK2-LOCK4 and Password bytes can still be written to as they’re not marked as locked or blocked? But the DT app won’t do it any more?

Yep you got it… the app basically did not complete the write and the dynamic lock bits are still active. The DNFC app itself is too dumb to fix this as it is right now… so you will need to manually send commands to your chip to fix this.

First read this thread and install the NFC Shell app linked within it; https://forum.dangerousthings.com/t/can-my-xnt-be-easily-set-to-read-only (you will probably have to sideload it from the local APK uploaded to this forum)

You will use the NFC Shell app to send custom commands to the chip to complete the setup. The primary thing you are going to do is update page E2… I have no idea why this happened, but it appears that page E2 was not updated, but page E3, the password, and the pack value were all updated… so it will mean you will need to authenticate with the password you used, then update page E2 to disable those dynamic lock bits.

On the other hand, at this point it appears nobody can update the dynamic lock bits in page E2 without first authenticating, because the AUTH byte in page E3 is set to E2, meaning page E2 through page E6 are all protected by password against writing… so if you left it as-is, you would be fairly safe in my opinion.

Ok, assuming you have loaded NFC Shell on to your phone, you will want to send the following commands:

1B h1 h2 h3 h4
A2 E2 00 00 7F BD

The first line starting with 1B is the PWD_AUTH command, and the h1 h2 h3 h4 values need to be replaced with the HEX value of the password you set for your xNT. So, if your password was 1234 then the HEX values of the ASCII characters 1, 2, 3, and 4 are 31 32 33 34. Check ye’ olde ASCII chart for a reference.

The second line, starting with A2, updates the dynamic lock byte in page E3 to lock themselves from any further changes.
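
An added example, not part of the original posts: a Python sketch that builds the two command frames above and decodes the configuration pages from the TagInfo lines quoted in the first post. The function names are hypothetical, the sample dump is constructed from the thread's values, and the byte positions (AUTH0 in byte 3 of page E3, block-lock bits in byte 2 of page E2) are taken from the NTAG216 data sheet layout.

```python
import re

PWD_AUTH, WRITE = 0x1B, 0xA2          # command codes used in the post above
DYN_LOCK_PAGE, CFG0_PAGE = 0xE2, 0xE3  # NTAG216 page addresses (assumed layout)
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def pwd_auth_frame(password: str) -> bytes:
    """PWD_AUTH frame: 1B followed by the 4 password bytes (ASCII here)."""
    raw = password.encode("ascii")
    if len(raw) != 4:
        raise ValueError("the password must be exactly 4 bytes")
    return bytes([PWD_AUTH]) + raw

def write_frame(page: int, data: bytes) -> bytes:
    """WRITE frame: A2, page address, then one 4-byte page of data."""
    if len(data) != 4 or not 0 <= page <= 0xFF:
        raise ValueError("WRITE takes one page address and 4 data bytes")
    return bytes([WRITE, page]) + data

def parse_dump(text: str) -> dict:
    """Map page number -> readable bytes from TagInfo-style lines.
    Placeholders such as '--' or 'xx' are skipped."""
    pages = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or not HEX_BYTE.fullmatch(tok[0]):
            continue
        data = [t for t in tok[2:] if HEX_BYTE.fullmatch(t)]
        pages[int(tok[0], 16)] = bytes.fromhex("".join(data))
    return pages

def assess(pages: dict) -> dict:
    """Report whether page E2 is behind the password and whether its
    block-lock bits (mask 7F, the value the post writes) are all set."""
    auth0 = pages[CFG0_PAGE][3]
    return {
        "auth0": auth0,
        "e2_write_needs_auth": auth0 <= DYN_LOCK_PAGE,
        "dyn_lock_frozen": (pages[DYN_LOCK_PAGE][2] & 0x7F) == 0x7F,
    }

# Constructed sample: the config lines quoted in the first post.
SAMPLE = """e2 . 00 00 00 bd
e3 . 04 00 00 e2
e4 . 00 05 -- --"""

if __name__ == "__main__":
    print(assess(parse_dump(SAMPLE)))
    print(pwd_auth_frame("1234").hex(" ").upper())
    print(write_frame(0xE2, bytes.fromhex("00007FBD")).hex(" ").upper())
```

Running `assess` again on a fresh TagInfo dump after the write is a quick way to confirm that byte 2 of page E2 now reads 7F.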

Thanks Amal!

I’ll see if I can get the app sideloaded and check it out.

Will these commands work on any NTAG216? Like if I wanted to experiment with another nfc tag before doing it on the implanted chip?

Kinda nervous about doing something wrong and I’d rather risk borking a $3 stickertag instead of the one implanted in my hand lol.

Oh! I just realized in my original post I put wrong info… I had been comparing this tag to my first xNT and was looking at two sets of data. The E5 and E6 lines in my first post are wrong, they should be:

e5 +P ff ff ff ff
e6 +P 00 00 -- --

which I believe is the ‘default’ state.

ah ok… so the password is still set to factory… but the AUTH byte is still set, so you will still have to authenticate… so the first line should be 1B FF FF FF FF

Yes you can test on any other NTAG216

Thanks again Amal!

I got the xNT all set up, got the password changed and set the PACK to DT etc so it’s all good now and everything looks like it should. And I learned a bunch more about ‘low-level’ NTAG stuff! :smile:

great!