I successfully installed a flexMN and want to write a Rick Roll on it, but I don’t know what I’m doing wrong. I’m impersonating the implant as NTAG216F in Proxmark3, then I’m trying to write something in NFC Tools/TagWriter and get an error that no memory is available in the tag. I tried to format it as NDEF as NTAG216/NTAG216F, but TagWriter says “This tag can’t be formatted”. I’m new to this, so please write in detail what I need to do to fix that.
If I use NTAG216F will I be able to use NFC Tools or can I only use the TagWriter?
The TagInfo scan looks good, but there might be a shitty TLV programmed in there that you need to get out… page 00 and 01 would have this. If you can set those pages to nulls, it should work.
Or if you use TagWriter to “format” the tag first… that might also solve it.
If I do something wrong in proxmark3/TagWriter, can I permanently break the chip? Or can everything be restored with the “hf_mfu_magicwrite -w” command?
Writing this to “block zero” won’t work either… I believe this is only applicable to a mifare classic, and writing zeros to the first block of a mifare classic or an ntag will fuck things up because that’s where the special stuff is like UID and config stuff.
I don’t have it memorized but after you set the chip type with the lua script, there are kind of these formatting commands you use to set UID and set up the memory lock bit emulation for ntag. Poke around a bit in the script commands.
First of all, why do you need NTAG216F (type 13) vs NTAG216 (type 7)? The magic chip does not actually have a field detect pin in hardware. Are you attempting to clone / copy an existing NTAG216F and want to make it as legit as possible?
Regardless, I would try NTAG216 first just to ensure it can be set up correctly. So, I would:
script run hf_mfu_magicwrite -w
script run hf_mfu_magicwrite -t7
script run hf_mfu_magicwrite -u 01020304050607
script run hf_mfu_magicwrite -o E1106D00
script run hf_mfu_magicwrite -v 0004040201001303
Basically the first thing you do is wipe the chip, then set the type which should set up the memory pages correctly for an NTAG216. After that setting the UID, OTP bytes, and version info… that should be enough that when you scan with taginfo on android it should scan properly and return memory contents.
If you are trying to clone a chip and want to set the signature then you will have to read the signature from your source chip and write it with the -s command so it will match/verify properly.
You can verify afterwards by running the read command:
script run hf_mfu_magicwrite -c
Post the results to ensure the tag has been set up properly as NTAG216, then once you are sure you can go about writing to memory pages. The first page of user writable memory is page 04 and each page is 4 bytes long, written 4 bytes or one page at a time.
Since it’s not possible to not have a password… the password must always have a value, the question is whether or not it’s the factory default value… I would try setting UID and OTP with the password option and use the factory default password of FFFFFFFF (4 bytes, all FF).
Also, the TagInfo scan looks correct now… it has all the memory pages and the settings look correct… the OTP bytes are not correct though, which carry the NFC capability container (CC), so try to get those set first, then try writing.
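As an added example (not code from any poster in this thread): a Python sketch that decodes the CC bytes mentioned above (E1106D00) using the NFC Forum Type 2 Tag layout, then splits an NDEF URI message into 4-byte pages starting at page 04. The URL and all function names are constructed for illustration.

```python
# Added example: Type 2 Tag capability container (CC) check and NDEF page layout.
# Longest prefixes first so "https://www." wins over "https://".
URI_PREFIXES = {"http://www.": 0x01, "https://www.": 0x02,
                "http://": 0x03, "https://": 0x04}

def parse_cc(cc_hex):
    """Decode the 4 CC bytes stored in the OTP page (page 03)."""
    cc = bytes.fromhex(cc_hex)
    if len(cc) != 4:
        raise ValueError("CC must be exactly 4 bytes (one page)")
    return {
        "ndef_magic_ok": cc[0] == 0xE1,               # 0xE1 marks NDEF data
        "version": f"{cc[1] >> 4}.{cc[1] & 0x0F}",    # 0x10 -> "1.0"
        "data_area_bytes": cc[2] * 8,                 # 0x6D -> 872 bytes
        "read_open": (cc[3] >> 4) == 0x0,
        "write_open": (cc[3] & 0x0F) == 0x0,          # 0xF nibble = read-only
    }

def ndef_uri_pages(url, cc_hex, first_page=4):
    """Return [(page_number, 'AABBCCDD'), ...] for an NDEF URI message."""
    info = parse_cc(cc_hex)
    if not info["ndef_magic_ok"]:
        raise ValueError("CC lacks the 0xE1 NDEF magic byte")
    if not info["write_open"]:
        raise ValueError("CC marks the tag read-only, writers will refuse it")
    code, rest = 0x00, url
    for prefix, value in URI_PREFIXES.items():
        if url.startswith(prefix):
            code, rest = value, url[len(prefix):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    if len(payload) > 255:
        raise ValueError("this sketch only builds short records")
    # Header 0xD1 = MB|ME|SR with TNF 1 (well-known); type is "U" (URI).
    record = bytes([0xD1, 0x01, len(payload)]) + b"U" + payload
    # NDEF Message TLV (tag 0x03); lengths >= 0xFF use the 3-byte form.
    if len(record) < 0xFF:
        length = bytes([len(record)])
    else:
        length = b"\xFF" + len(record).to_bytes(2, "big")
    tlv = b"\x03" + length + record + b"\xFE"         # 0xFE = terminator TLV
    if len(tlv) > info["data_area_bytes"]:
        raise ValueError("message does not fit the data area the CC declares")
    tlv += b"\x00" * (-len(tlv) % 4)                  # pad to whole pages
    return [(first_page + i // 4, tlv[i:i + 4].hex().upper())
            for i in range(0, len(tlv), 4)]

if __name__ == "__main__":
    # Constructed sample URL; CC value is the one quoted in the thread.
    for page, data in ndef_uri_pages("https://example.com/rickroll", "E1106D00"):
        print(f"page {page:02d}: {data}")
```

If `parse_cc` reports a wrong magic byte or a non-zero write nibble for the bytes your tag returns in page 03, that matches the symptoms of apps refusing to format or store.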
I edited the script and installed OTP successfully. The result is below. NFC Tools is still in read-only mode, and TagWriter says that the store failed.