FlexMN Tag Size - Proxmark 3

This doesn’t look good. Once the OTP bits are switched from 0 to 1 in most NTAGs they can’t be switched back. You can bitwise OR to change them to 1, but the binary of 12h and 6Dh are exact opposites

@Jirvin or @Equipter might have some idea of an exploit to trick the OTP bytes to write, but I wouldn’t count on it. Hopefully Amal comes back and says the CC bytes on a magic tag are also magic.

Thanks a lot @Satur9 !
Will wait for the inputs from @amal, @Jirvin or @Equipter
Thanks in advance for your help guys!


The -o parameter lets you overwrite the OTP bits.
If the tutorial is enough to get you up and running, great; if not, yeah, wait for someone that can walk you through it. I have not actually done it myself so can't give extra advice, but it should be a good start.

If it's not working after using the OTP commands, just inbox me or @ me.


I could change the OTP using -o E1106D00
Wiped it and formatted it back to NTAG216, but still cannot write any data on it, “Store failed”.
Good thing is that now TagWriter shows 863 bytes and the full scan (pasted below) seems to show that the OTP is correct.
Any thoughts on what could be wrong? @Equipter

** TagInfo scan (version 4.24.7) 2021-08-26 12:46:41 **
Report Type: External

-- IC INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG216

-- NDEF ------------------------------

# No NDEF Message present:

# Control TLVs:
Lock Control TLV at address 0x04, offset 0
* Dynamic lock bytes at address 0x28, offset 0
	- 12 lock bits
	- 8 bytes locked per lock bit
 01 03 A0 0C 34                                  |....4           |


-- EXTRA ------------------------------

# Memory size:
888 bytes user memory
* 222 pages, with 4 bytes per page

# IC detailed information:
Full product name: NT2H1611G0DUx
Capacitance: 50 pF

# Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 888 bytes
Protocol: ISO/IEC 14443-3

# Configuration information:
ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation disabled

# Originality check:
Signature cannot be verified

-- FULL SCAN ------------------------------

# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.Ndef]
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms


# Detailed protocol information:
ID: 04:11:22:33:44:55:66
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] *  04:11:22 BF (UID0-UID2, BCC0)
[01] *  33:44:55:66 (UID3-UID6)
[02] .  44 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .  E1:10:6D:00 (OTP0-OTP3)
[04] .  01 03 A0 0C |....|
[05] .  34 03 00 FE |4...|
[06] .  00 00 00 00 |....|
[07] .  00 00 00 00 |....|
[08] .  00 00 00 00 |....|
[09] .  00 00 00 00 |....|
[0A] .  00 00 00 00 |....|
[0B] .  00 00 00 00 |....|
[0C] .  00 00 00 00 |....|
[0D] .  00 00 00 00 |....|
[0E] .  00 00 00 00 |....|
[0F] .  00 00 00 00 |....|
[10] .  00 00 00 00 |....|
[11] .  00 00 00 00 |....|
[12] .  00 00 00 00 |....|
[13] .  00 00 00 00 |....|
[14] .  00 00 00 00 |....|
[15] .  00 00 00 00 |....|
[16] .  00 00 00 00 |....|
[17] .  00 00 00 00 |....|
[18] .  00 00 00 00 |....|
[19] .  00 00 00 00 |....|
[1A] .  00 00 00 00 |....|
[1B] .  00 00 00 00 |....|
[1C] .  00 00 00 00 |....|
[1D] .  00 00 00 00 |....|
[1E] .  00 00 00 00 |....|
[1F] .  00 00 00 00 |....|
[20] .  00 00 00 00 |....|
[21] .  00 00 00 00 |....|
[22] .  00 00 00 00 |....|
[23] .  00 00 00 00 |....|
[24] .  00 00 00 00 |....|
[25] .  00 00 00 00 |....|
[26] .  00 00 00 00 |....|
[27] .  00 00 00 00 |....|
[28] .  00 00 00 00 |....|
[29] .  00 00 00 FF |....|
[2A] .  00 05 00 00 |....|
[2B] .  00 00 00 00 |....|
[2C] .  00 00 00 00 |....|
[2D] .  00 00 00 00 |....|
[2E] .  00 00 00 00 |....|
[2F] .  00 00 00 00 |....|
[30] .  00 00 00 00 |....|
[31] .  00 00 00 00 |....|
[32] .  00 00 00 00 |....|
[33] .  00 00 00 00 |....|
[34] .  00 00 00 00 |....|
[35] .  00 00 00 00 |....|
[36] .  00 00 00 00 |....|
[37] .  00 00 00 00 |....|
[38] .  00 00 00 00 |....|
[39] .  00 00 00 00 |....|
[3A] .  00 00 00 00 |....|
[3B] .  00 00 00 00 |....|
[3C] .  00 00 00 00 |....|
[3D] .  00 00 00 00 |....|
[3E] .  00 00 00 00 |....|
[3F] .  00 00 00 00 |....|
[40] .  00 00 00 00 |....|
[41] .  00 00 00 00 |....|
[42] .  00 00 00 00 |....|
[43] .  00 00 00 00 |....|
[44] .  00 00 00 00 |....|
[45] .  00 00 00 00 |....|
[46] .  00 00 00 00 |....|
[47] .  00 00 00 00 |....|
[48] .  00 00 00 00 |....|
[49] .  00 00 00 00 |....|
[4A] .  00 00 00 00 |....|
[4B] .  00 00 00 00 |....|
[4C] .  00 00 00 00 |....|
[4D] .  00 00 00 00 |....|
[4E] .  00 00 00 00 |....|
[4F] .  00 00 00 00 |....|
[50] .  00 00 00 00 |....|
[51] .  00 00 00 00 |....|
[52] .  00 00 00 00 |....|
[53] .  00 00 00 00 |....|
[54] .  00 00 00 00 |....|
[55] .  00 00 00 00 |....|
[56] .  00 00 00 00 |....|
[57] .  00 00 00 00 |....|
[58] .  00 00 00 00 |....|
[59] .  00 00 00 00 |....|
[5A] .  00 00 00 00 |....|
[5B] .  00 00 00 00 |....|
[5C] .  00 00 00 00 |....|
[5D] .  00 00 00 00 |....|
[5E] .  00 00 00 00 |....|
[5F] .  00 00 00 00 |....|
[60] .  00 00 00 00 |....|
[61] .  00 00 00 00 |....|
[62] .  00 00 00 00 |....|
[63] .  00 00 00 00 |....|
[64] .  00 00 00 00 |....|
[65] .  00 00 00 00 |....|
[66] .  00 00 00 00 |....|
[67] .  00 00 00 00 |....|
[68] .  00 00 00 00 |....|
[69] .  00 00 00 00 |....|
[6A] .  00 00 00 00 |....|
[6B] .  00 00 00 00 |....|
[6C] .  00 00 00 00 |....|
[6D] .  00 00 00 00 |....|
[6E] .  00 00 00 00 |....|
[6F] .  00 00 00 00 |....|
[70] .  00 00 00 00 |....|
[71] .  00 00 00 00 |....|
[72] .  00 00 00 00 |....|
[73] .  00 00 00 00 |....|
[74] .  00 00 00 00 |....|
[75] .  00 00 00 00 |....|
[76] .  00 00 00 00 |....|
[77] .  00 00 00 00 |....|
[78] .  00 00 00 00 |....|
[79] .  00 00 00 00 |....|
[7A] .  00 00 00 00 |....|
[7B] .  00 00 00 00 |....|
[7C] .  00 00 00 00 |....|
[7D] .  00 00 00 00 |....|
[7E] .  00 00 00 00 |....|
[7F] .  00 00 00 00 |....|
[80] .  00 00 00 00 |....|
[81] .  00 00 00 00 |....|
[82] .  00 00 00 00 |....|
[83] .  00 00 00 FF |....|
[84] .  00 05 00 00 |....|
[85] .  00 00 00 00 |....|
[86] .  00 00 00 00 |....|
[87] .  00 00 00 00 |....|
[88] .  00 00 00 00 |....|
[89] .  00 00 00 00 |....|
[8A] .  00 00 00 00 |....|
[8B] .  00 00 00 00 |....|
[8C] .  00 00 00 00 |....|
[8D] .  00 00 00 00 |....|
[8E] .  00 00 00 00 |....|
[8F] .  00 00 00 00 |....|
[90] .  00 00 00 00 |....|
[91] .  00 00 00 00 |....|
[92] .  00 00 00 00 |....|
[93] .  00 00 00 00 |....|
[94] .  00 00 00 00 |....|
[95] .  00 00 00 00 |....|
[96] .  00 00 00 00 |....|
[97] .  00 00 00 00 |....|
[98] .  00 00 00 00 |....|
[99] .  00 00 00 00 |....|
[9A] .  00 00 00 00 |....|
[9B] .  00 00 00 00 |....|
[9C] .  00 00 00 00 |....|
[9D] .  00 00 00 00 |....|
[9E] .  00 00 00 00 |....|
[9F] .  00 00 00 00 |....|
[A0] .  00 00 00 00 |....|
[A1] .  00 00 00 00 |....|
[A2] .  00 00 00 00 |....|
[A3] .  00 00 00 00 |....|
[A4] .  00 00 00 00 |....|
[A5] .  00 00 00 00 |....|
[A6] .  00 00 00 00 |....|
[A7] .  00 00 00 00 |....|
[A8] .  00 00 00 00 |....|
[A9] .  00 00 00 00 |....|
[AA] .  00 00 00 00 |....|
[AB] .  00 00 00 00 |....|
[AC] .  00 00 00 00 |....|
[AD] .  00 00 00 00 |....|
[AE] .  00 00 00 00 |....|
[AF] .  00 00 00 00 |....|
[B0] .  00 00 00 00 |....|
[B1] .  00 00 00 00 |....|
[B2] .  00 00 00 00 |....|
[B3] .  00 00 00 00 |....|
[B4] .  00 00 00 00 |....|
[B5] .  00 00 00 00 |....|
[B6] .  00 00 00 00 |....|
[B7] .  00 00 00 00 |....|
[B8] .  00 00 00 00 |....|
[B9] .  00 00 00 00 |....|
[BA] .  00 00 00 00 |....|
[BB] .  00 00 00 00 |....|
[BC] .  00 00 00 00 |....|
[BD] .  00 00 00 00 |....|
[BE] .  00 00 00 00 |....|
[BF] .  00 00 00 00 |....|
[C0] .  00 00 00 00 |....|
[C1] .  00 00 00 00 |....|
[C2] .  00 00 00 00 |....|
[C3] .  00 00 00 00 |....|
[C4] .  00 00 00 00 |....|
[C5] .  00 00 00 00 |....|
[C6] .  00 00 00 00 |....|
[C7] .  00 00 00 00 |....|
[C8] .  00 00 00 00 |....|
[C9] .  00 00 00 00 |....|
[CA] .  00 00 00 00 |....|
[CB] .  00 00 00 00 |....|
[CC] .  00 00 00 00 |....|
[CD] .  00 00 00 00 |....|
[CE] .  00 00 00 00 |....|
[CF] .  00 00 00 00 |....|
[D0] .  00 00 00 00 |....|
[D1] .  00 00 00 00 |....|
[D2] .  00 00 00 00 |....|
[D3] .  00 00 00 00 |....|
[D4] .  00 00 00 00 |....|
[D5] .  00 00 00 00 |....|
[D6] .  00 00 00 00 |....|
[D7] .  00 00 00 00 |....|
[D8] .  00 00 00 00 |....|
[D9] .  00 00 00 00 |....|
[DA] .  00 00 00 00 |....|
[DB] .  00 00 00 00 |....|
[DC] .  00 00 00 00 |....|
[DD] .  00 00 00 00 |....|
[DE] .  00 00 00 00 |....|
[DF] .  00 00 00 00 |....|
[E0] .  00 00 00 00 |....|
[E1] .  00 00 00 00 |....|
[E2] .  00 00 00 00 (LOCK2-LOCK4, CHK)
[E3] .  00 00 00 FF (CFG, MIRROR, AUTH0)
[E4] .  00 05 -- -- (ACCESS)
[E5] +P FF FF FF FF (PWD0-PWD3)
[E6] +P 00 00 -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

--------------------------------------


Could be just the app being fucky. Do you have NFC Tools? (Can do it with others, just the one I use, so it might be called different things.)
I'd try formatting the tag; it might just be a poorly formatted NDEF record / some other data at the start of the user data messing with things (the data in block 4 and 5).


As Samuel has said, it's either the app being shitty or there's a partially formed NDEF record that needs clearing. Try wiping it with NFC Tools, but the IC info you posted looks good.


Tried formatting through NFC Tools and got an error with no details. Also using the proxmark3 wipe command didn’t seem to work either. The data in block 4 and 5 is still there.
Any way to clean this portion of data?

The raw commands:

A20400000000
A20500000000

Should wipe those blocks. NFC Tools has a raw commands option and the PM3 can send them too.


For what it’s worth, I was never able to get my flexMN to be phone-writable. I’ve experimented over the course of a few months to try and arrive at a solution, but ultimately couldn’t get it. I had success writing to it both from the proxmark as well as sending raw commands through an ACR, but phone writes always eluded success. I think @amal had mentioned getting one to write successfully at a certain point but couldn’t reliably replicate it, so it could be that either a) the phone antennas don’t provide a reliable enough connection to write the data out or b) the nature of a magic chip is to trigger an unintended response from the NFC writing apps, which are interpreting the signal as a write fail. At one point, trying to send raw commands through the phone to the chip was on the agenda to see if I could get it to write that way (as those raw commands are how I’m querying the chip on the proxmark software I wrote to write to it), but life got in the way, as it has a knack of doing.

Raw commands worked through pm3!
Still can’t write NDEF using TagWriter “Store Failed. Format card before use”, but again no way to format it through the app.
Is there a way to write NDEF using the PM3?

A2060000031F
A207D1011B55
A20803666F72
A209756D2E64
A20A616E6765
A20B726F7573
A20C7468696E
A20D67732E63
A20E6F6D2FFE

That set of commands should work (bit long, soz :rofl:), but I'm not sure there is an easy way with the pm3, no.
Odd that the apps are having such issues.

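As an added example (not code from the thread or the Proxmark3 project), here is how the raw 0xA2 WRITE commands in the two posts above are produced from an NDEF URI record: the page-4/5 wipe, the nine page writes for the URL written above, the OTP check behind Satur9's point that 12h cannot be turned into 6Dh, and a decoder for the E1 10 6D 00 capability container. The opcode, CC layout and URI prefix codes follow the NTAG21x datasheet and NFC Forum specs; starting at page 6 with two leading zero bytes is what the thread's commands do.

```python
# Added example (not code from the thread). Opcode 0xA2 (WRITE: 1 page, 4 bytes),
# the CC layout and the URI prefix codes follow the NTAG21x datasheet / NFC Forum specs.
from typing import Dict, List

URI_PREFIXES: Dict[int, str] = {0x01: "http://www.", 0x02: "https://www.",
                                0x03: "http://", 0x04: "https://"}

def ndef_uri_record(url: str) -> bytes:
    """Short NDEF record, TNF=1 well-known type 'U', with URI prefix abbreviation."""
    code, rest = 0x00, url
    for c, p in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if url.startswith(p):          # longest matching prefix wins
            code, rest = c, url[len(p):]
            break
    payload = bytes([code]) + rest.encode("utf-8")
    # 0xD1 = MB | ME | SR | TNF=1; type length 1; 1-byte payload length; type 'U'
    return bytes([0xD1, 0x01, len(payload), ord("U")]) + payload

def ndef_tlv(record: bytes) -> bytes:
    """Wrap a record in an NDEF Message TLV (type 03, 1-byte length) + Terminator TLV FE."""
    if len(record) >= 0xFF:
        raise ValueError("3-byte TLV length form not handled here")
    return bytes([0x03, len(record)]) + record + b"\xFE"

def write_cmds(data: bytes, first_page: int, lead_pad: int = 0) -> List[str]:
    """Split data into 4-byte pages and emit one raw 'A2 <page> <4 bytes>' command per page."""
    buf = b"\x00" * lead_pad + data
    buf += b"\x00" * (-len(buf) % 4)            # pad the last page with zeros
    return [f"A2{first_page + i:02X}{buf[4 * i:4 * i + 4].hex().upper()}"
            for i in range(len(buf) // 4)]

def wipe_cmds(pages: List[int]) -> List[str]:
    """Zero the given user pages (what the thread did for pages 4 and 5)."""
    return [f"A2{p:02X}00000000" for p in pages]

def otp_write_possible(current: int, wanted: int) -> bool:
    """OTP bits only ever go 0 -> 1, so a write can succeed only if no 1 must become 0."""
    return (current & ~wanted & 0xFF) == 0

def decode_cc(cc: bytes) -> dict:
    """Decode the 4-byte capability container in page 3 (E1 10 6D 00 on the scan above)."""
    return {"magic_ok": cc[0] == 0xE1,                  # NDEF magic number
            "version": f"{cc[1] >> 4}.{cc[1] & 0x0F}",  # mapping version, 0x10 = 1.0
            "ndef_area_bytes": cc[2] * 8,               # 0x6D -> 872 (NTAG216), 0x12 -> 144
            "read_ok": (cc[3] >> 4) == 0,               # access nibbles: 0 = unrestricted
            "write_ok": (cc[3] & 0x0F) == 0}
```

`write_cmds(ndef_tlv(ndef_uri_record("http://forum.dangerousthings.com/")), 6, lead_pad=2)` reproduces the nine A206..A20E commands above, and `otp_write_possible(0x12, 0x6D)` is False, which is why the CC could not be changed on a real NTAG without the -o override.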

Really sad :rofl:
I was patient enough to write a full NDEF VCARD using the PM3
Block. by. block

Aaaand it worked!
Reading the tag on Android is working fine!
I still can’t edit/write new records using TagWriter :expressionless:
Anyways, I’m happy that I can finally use NDEF on my flexMN!

Thanks everyone for your support!


I'm glad it worked. Out of curiosity, do any other writer apps work?


Tried NFC Tools and TagWriter. No success with either.

Very interesting. Well, if you have a USB PC/SC reader you could probably find some software that could write it a bit easier. Sounds like some app/Android NFC lib fuckyness, because the app should be sending those commands…


Nice! I have an ACR122U, gonna try some software with it and get back with the results later
Btw, if someone has any suggestions of software to use with the ACR, I’ll gladly accept it!

There’s a bit more info on the product page

I use ndeftool and tagtool under Linux with an ACR122U to write all my NDEFs. Very flexible, works beautifully. It’s much easier to use than a cellphone, more versatile, and more reliable.

You can find a sample script that uses them here. But they’re perfectly usable directly on the command line.

Small little program I wrote would let you send it as one ;-delimited line, but it's also just an example of sending it commands.