flexMN 0 bytes; store failed; this tag can't be formatted

I was successfully installed flexMN and want to write Rick Roll on it, but i don’t know what i’m doing wrong. I’m impersonate implant as NTAG216F in proxmark3 then i’m trying to write something in NFC Tools/TagWriter and got error that no memory available in tag. I’m tried to format as NDEF in NTAG216/NTAG216F but TagWriter writes that “This tag can’t be formatted”. I’m new to this so please write in detail what i need to fix that.
If I use NTAG216F will I be able to use NFC Tools or can I only use the TagWriter?

proxmark3

image

Tag writer


11-22-33-55-66-77-88_2023-02-02 11-24-38_taginfo_scan.txt (4.0 KB)
11-22-33-55-66-77-88_2023-02-02 11-24-38_taginfo_scan.xml.txt (10.2 KB)

the taginfo scan looks good but there might be a shitty TLV programmed in there that you need to get out… page 00 and 01 would have this. if you can set those pages to nulls, it should work.

or if you use tagwriter to “format” the tag first… that might also solve it.

“Format” in TagWriter and “hf_mfu_magicwrite like -t 13” does not help. How to set nulls on pages 00 and 01? Will it work with the commands below?

  1. hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 00000000000000000000000000000000
  2. hf mf wrbl --blk 0 -k FFFFFFFFFFFF -d 00000000000000000000000000000000

If I do something wrong in proxmark3/TagWriter, can I permanently break the chip? Or can everything be restored with the “hf_mfu_magicwrite -w” command?

bump… please?

Do you have a Magic NTAG Card?

If I’m ever unsure about writing to my implant, I use a card to test on first.
I have a test card for evey implant I have.

I highly recommend the packs from KSEC. as it is a one stop shop, and you’ll be set up for most eventualities.

Magic card pack
Test card bundle

at the very least, grab yourself a Magic NTAG.

Depending on what country you are in, there are other suppliers.

Sneak Technology
LAB401
Amazon
eBay
etc

1 Like

Thanks for the advice, but I can’t test it yet. I can get the magic NTAG to test in at least 1-2 months.

So, if there is no other idea how to safely fix the chip, I will try to find the magic NTAG for the test.

On second look, your first 3 pages of memory are kinda fucked up.

Writing this to “block zero” won’t work either… I believe this is only applicable to a mifare classic, and writing zeros to the first block of a mifare classic or an ntag will fuck things up because that’s where the special stuff is like UID and config stuff.

I don’t have it memorized but after you set the chip type with the lua script, there are kind of these formatting commands you use to set UID and set up the memory lock bit emulation for ntag. Poke around a bit in the script commands.

hf_mfu_magicwrite.lua script trace
hf_mfu_magicwrite.lua.txt (20.4 KB)

set_type

send and connect funcs

write_version

write_type

wipe func btw. Can this help?

What should i try next?

First of all, why do you need NTAG216F (type 13) vs NTAG216 (type 7)? The magic chip does not actually have a field detect pin in hardware. Are you attempting to clone / copy an existing NTAG216F and want to make it as legit as possible?

Regardless, I would try NTAG216 first just to ensure it can be set up correctly. So, I would;

script run hf_mfu_magicwrite -w

script run hf_mfu_magicwrite -t7

script run hf_mfu_magicwrite -u 01020304050607

script run hf_mfu_magicwrite -o E1106D00

script run hf_mfu_magicwrite -v 0004040201001303

Basically the first thing you do is wipe the chip, then set the type which should set up the memory pages correctly for an NTAG216. After that setting the UID, OTP bytes, and version info… that should be enough that when you scan with taginfo on android it should scan properly and return memory contents.

If you are trying to clone a chip and want to set the signature then you will have to read the signature from your source chip and write it with the -s command so it will match/verify properly.

You can verify after by running the read command;

script run hf_mfu_magicwrite -c

Post the results to ensure the tag has been set up properly as NTAG216, then once you are sure you can go about writing to memory pages. The first page of user writable memory is page 04 and each page is 4 bytes long, written 4 bytes or one page at a time.

1 Like

I don’t need F version, NTAG216 is enough.

Wipe was failed.

Wipe output


2

Btw, the flipper now says that this chip is mifare ultralight 11. Before that there was NTAG216, if I’m not confused.

Ok let’s just try to read with the -c command

hf_mfu_magicwrite -c

ok interesting… so the type was set… what if you now try to set uid, otp, and version;

script run hf_mfu_magicwrite -u 01020304050607

script run hf_mfu_magicwrite -o E1106D00

script run hf_mfu_magicwrite -v 0004040201001303

Commands output

Feels like some kind of password issue. Can you get a full scan again and try to get to the lower pages like E2?

Also the magic ntag chip is notoriously sensitive to field issues… the chip is not stable overall … one reason we don’t make the flexMN anymore

The last full scan looks the same as the first. How can I try to scan below [83]?

Could this issue be related to the fact that the password was set via the DT NFC app?

Possibly password related… I believe the script has a password parameter option… try adding that and do the wipe and type set again?

Wipe with 00000000 password is success. Next i impersonated NTAG216 and tried to set uid, otp and version.

uid, otp and version

-c

Writing a tag to the TagWriter now reports that the store failed, but shows 868 bytes available. NFC tools say tag is read-only.

In flipper tag detected as NTAG216.

04-11-22-33-44-55-66_2023-02-09 15-27-09_taginfo_scan.txt (7.9 KB)
04-11-22-33-44-55-66_2023-02-09 15-27-09_taginfo_scan.xml.txt (25.7 KB)

since its not possible to not have a password… the password must always have a value, the question is whether or not its the factory default value or not… i would try setting uid and otp with the password option and use the factory default password of FFFFFFFF (4 bytes all FF)

also the taginfo scan looks correct now… it has all the memory pages and settings look correct… the OTP bytes are not correct though, which carry the NFC capability container (CC) so try to get those set first then try writing.

I edited the script and installed OTP successfully. The result is below. NFC tools are still in read-only mode, and TagWriter writes that store failed.

Summary

04-11-22-33-44-55-66_2023-02-10 12-37-44_taginfo_scan.txt (7.9 KB)
04-11-22-33-44-55-66_2023-02-10 12-37-44_taginfo_scan.xml.txt (25.7 KB)

If i try to set uid, otp and version after impersonate, then i got error write error as above.