flexNT Default Configuration?

Heyo people much smarter than me!

What’s the out-of-the-box configuration meant to be for the flexNT? Mine just arrived and I did a test read, appears there’s no password (ie set to FFFFFFFF) despite the “NTAG Chip Security” info. Now I’m concerned about the “lock and config” bits (I noticed in cfg0, “pages don’t need authentication” which seems wrong).

flexNT, pm3 hf mfu info (´・_・`)

Used ChatGPT to sanitise the data so disregard the “redacted”.

[=] --- Tag Information --------------------------
[+]       TYPE: NTAG 216 888bytes
[+]        UID: [REDACTED]
[+]     UID[0]: [REDACTED]
[+]       BCC0: 14 ( ok )
[+]       BCC1: 07 ( ok )
[+]   Internal: 48 ( default )
[+]       Lock: 00 00  - 0000000000000000
[+]        OTP: E1 10 6D 00  - 11100001000100000110110100000000

[=] --- NDEF Message
[+] Capability Container: E1 10 6D 00
[+]   E1: NDEF Magic Number
[+]   10: version 0.1 supported by tag
[+]        : Read access granted without any security / Write access granted without any security
[+]   6D: Physical Memory Size: 872 bytes
[+]   6D: NDEF Memory Size: 872 bytes
[+]   00: Additional feature information
[+]   00000000
[+]   000 .... - RFU
[+]   ...0 ... - Don't support special frame
[+]   ....0 .. - Don't support lock block
[+]   .....00  - RFU
[+]   .......0 - IC don't support multiple block reads

[=] --- Tag Counter
[=]        [02]: 00 00 00
[+]             - BD tearing ( ok )

[=] --- Tag Signature
[=]  IC signature public key name: NXP NTAG21x (2013)
[=] IC signature public key value: [REDACTED]
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: [REDACTED]
[+]        Signature verification ( successful )

[=] --- Tag Silicon Information
[=]        Wafer Counter: [REDACTED]
[=]    Wafer Coordinates: x [REDACTED], y [REDACTED]
[=]            Test Site: 2

[=] --- Tag Version
[=]        Raw bytes: 00 04 04 02 01 00 13 03
[=]        Vendor ID: 04, NXP Semiconductors Germany
[=]     Product type: NTAG
[=]  Product subtype: 02, 50pF
[=]    Major version: 01
[=]    Minor version: 00
[=]             Size: 13, (1024 <-> 512 bytes)
[=]    Protocol type: 03, ISO14443-3 Compliant

[=] --- Tag Configuration
[=]   cfg0 [227/0xE3]: 04 00 00 FF
[=]                     - strong modulation mode disabled
[=]                     - pages don't need authentication
[=]   cfg1 [228/0xE4]: 00 05 00 00
[=]                     - Unlimited password attempts
[=]                     - NFC counter disabled
[=]                     - NFC counter not protected
[=]                     - user configuration writeable
[=]                     - write access is protected with password
[=]                     - 05, Virtual Card Type Identifier is default
[=]   PWD  [229/0xE5]: 00 00 00 00 - ( cannot be read )
[=]   PACK [230/0xE6]: 00 00       - ( cannot be read )
[=]   RFU  [230/0xE6]:       00 00 - ( cannot be read )

[+] --- Known EV1/NTAG passwords
[+] Password... FFFFFFFF  pack... 0000
[=]
[=] --- Fingerprint
[=] n/a

Thought I’d ask here before researching any more.

Yeah that’s not right… it should be configured… but it appears it’s not been. NFC shell used to be the go-to tool but now it’s not on the store anymore for modern phones. NFC Tools advanced command mode will be needed to fix

I’ll sort out the commands tomorrow… too tired to reliably recall them from memory

NFC Shell 1.0.apk (15.6 KB)

Cool, ty!

Glad I’ve already got NFC Tools Pro on iOS. I’ll check back tomorrow to blindly run commands :laughing:

@amal bump

Ok, so, here are the commands;

A2 02 xx xx 0F 00 - lock static lock bytes
A2 E2 00 00 7F BD - lock dynamic lock bytes
A2 E3 04 00 00 E3 - set auth0 byte to password protect config
A2 E5 xx xx xx xx - set password

In the above commands, A2 is the write command, the next byte is the 4 byte memory page to write to, and the following 4 bytes are the data to write to the page. You must write all 4 bytes to the page in the write command, even if you’re only wanting to change the first byte.

The first line includes two bytes which are shown as xx xx, and that’s because you need to first read memory page 02 and get the value of those bytes, which are different for every tag. Get those byte values using taginfo or whatever can read the pages out properly, then update the command to use those two bytes plus 0F 00.

The bottom line is just a 4 byte password you can choose. The default password is FF FF FF FF which leaves you open to pretty easy attacks using tagwriter or nfc tools. There is no way to remove the password, so choose one other than the default and remember what you chose :slight_smile:

Here’s a video I sent recently to someone explaining the password feature which is actually pretty apt here:

fml… great preview image… pff

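The recipe above, turned into code as an added example (not code from the post or from Dangerous Things): it decodes the cfg0/cfg1 pages that `hf mfu info` prints, so "pages don't need authentication" can be read straight off AUTH0, and it builds the raw WRITE (A2) and PWD_AUTH (1B) frames, keeping the two tag-specific bytes at the start of page 02 (on the dump above that is BCC1 07 and Internal 48) and ordering the auth and the password write in one session. Bit positions follow the NXP NTAG213/215/216 datasheet; all function and constant names are my own.

```python
"""Helpers for the NTAG216 configuration steps discussed in the thread.
Added example, not the forum poster's or Dangerous Things' code.
Bit layouts follow the NXP NTAG213/215/216 datasheet."""

CMD_WRITE = 0xA2      # WRITE: always carries one full 4-byte page
CMD_PWD_AUTH = 0x1B   # PWD_AUTH: 4-byte password, tag answers with a 2-byte PACK
STATIC_LOCK_PAGE = 0x02   # BCC1, Internal, Lock0, Lock1
DYN_LOCK_PAGE = 0xE2      # NTAG216 dynamic lock bytes
CFG0_PAGE = 0xE3          # MIRROR, RFU, MIRROR_PAGE, AUTH0
CFG1_PAGE = 0xE4          # ACCESS, VCTID, RFU, RFU
PWD_PAGE = 0xE5
LAST_CFG_PAGE = 0xE6      # PACK page; an AUTH0 above this means no page needs auth
DEFAULT_PASSWORD = bytes.fromhex("FFFFFFFF")


def decode_cfg(cfg0: bytes, cfg1: bytes) -> dict:
    """Decode the security-relevant fields of cfg0 (page E3) and cfg1 (page E4)."""
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("cfg0 and cfg1 are 4 bytes each")
    auth0 = cfg0[3]           # first page address that requires PWD_AUTH
    access = cfg1[0]          # ACCESS byte
    authlim = access & 0x07   # 0 = unlimited tries, else 2**AUTHLIM failed auths allowed
    return {
        "auth0": auth0,
        "auth_required_from_page": auth0 if auth0 <= LAST_CFG_PAGE else None,
        "config_protected": auth0 <= CFG0_PAGE,       # cfg pages behind the password
        "prot_read_and_write": bool(access & 0x80),  # PROT=0: only writes need auth
        "config_locked": bool(access & 0x40),        # CFGLCK=1 is permanent
        "nfc_counter_enabled": bool(access & 0x10),
        "nfc_counter_pwd_protected": bool(access & 0x08),
        "max_failed_auths": None if authlim == 0 else 2 ** authlim,
        "vctid": cfg1[1],
    }


def build_write(page: int, data: bytes) -> bytes:
    """A2 <page> <4 bytes>: the whole page is rewritten, even to change one byte."""
    if not 0 <= page <= 0xFF:
        raise ValueError("page out of range")
    if len(data) != 4:
        raise ValueError("WRITE needs exactly 4 data bytes")
    return bytes([CMD_WRITE, page]) + data


def build_pwd_auth(password: bytes) -> bytes:
    """1B <4-byte password>."""
    if len(password) != 4:
        raise ValueError("password is 4 bytes")
    return bytes([CMD_PWD_AUTH]) + password


def static_lock_write(page02_read: bytes) -> bytes:
    """Keep the tag-specific first two bytes of page 02 (BCC1, Internal) and
    set the static lock bytes to 0F 00 as in the post."""
    if len(page02_read) < 4:
        raise ValueError("need the 4 bytes read from page 02")
    return build_write(STATIC_LOCK_PAGE, page02_read[:2] + bytes.fromhex("0F00"))


def provisioning_sequence(page02_read: bytes, new_password: bytes,
                          current_password: bytes = DEFAULT_PASSWORD) -> list:
    """Ordered frames for the post's recipe. Once AUTH0 is E3, page E5 is behind the
    password, so PWD_AUTH and the password write must go in the same RF session."""
    if new_password == DEFAULT_PASSWORD:
        raise ValueError("the password cannot be removed later; do not keep the default")
    return [
        static_lock_write(page02_read),
        build_write(DYN_LOCK_PAGE, bytes.fromhex("00007FBD")),
        build_write(CFG0_PAGE, bytes.fromhex("040000E3")),   # AUTH0 = E3
        build_pwd_auth(current_password),
        build_write(PWD_PAGE, new_password),
    ]


def to_nfctools(frames: list) -> str:
    """Comma-separated form NFC Tools on Android uses to send frames in one session."""
    return ",".join(frame.hex(" ").upper() for frame in frames)


if __name__ == "__main__":
    # Constructed sample: page 02 of the OP's tag reads 07 48 00 00 (BCC1 07, Internal 48).
    print(decode_cfg(bytes.fromhex("040000FF"), bytes.fromhex("00050000")))
    for frame in provisioning_sequence(bytes.fromhex("07480000"), b"DNGR"):
        print(frame.hex(" ").upper())
```

Run with a real page 02 read and your own password; the output is the list of frames to send, in order, with the last two sent back-to-back in one session.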
Thanks for the commands but having an issue setting the password.

Verified 02/E2/E3 had changed by reading the memory again but E5 is stored securely (for obvious reasons) so returns 00:00:00:00. I sent a PWD_AUTH command to verify this one and although it was acknowledged when setting, it hasn’t changed;

>> A2 E5 44 4E 47 52 (DNGR)
00
>> 1B 41 42 43 44 (ABCD)
Error: Tag connection lost

>> 1B 44 4E 47 52 (DNGR)
Error: Tag connection lost

>> 1B FF FF FF FF (no pwd)
<< 00 00
02/E2/E3 before/after fyi
02: xx:xx:00:00 --> xx:xx:0F:00
E2: 00:00:00:00 --> 00:00:7F:BD
E3: 00:04:C1:59 --> 04:00:00:E3

…that thumbnail image deserves to be your pfp :laughing:

Ok so what happens now when you auth first then write?

1B FF FF FF FF
A2 E5 44 4E 47 52

Those commands must be sent one after the other during the same session… you can’t auth then remove the tag and then try to change the pw.

I think this is actually quite difficult to do with NFC Tools… I’ve never liked NFC Tools… NFC shell needs a revamp and release…or maybe DT should do something…

In the same session, it doesn’t change;

>> 1B FF FF FF FF
<< 00 00
>> A2 E5 44 4E 47 52
<< 00
>> 1B 41 42 43 44
Error: Tag connection lost
>> 1B FF FF FF FF
<< 00 00

Trying to send them together just results in an err (not sure if this is even a viable command);

>> 1B FF FF FF FF A2 E5 44 4E 47 52
Error: Tag connection lost

NFC Tools seems to have issues with pwd advanced commands, can this be done using pm3? :confused:

Hmm well you can’t re-auth during the same session… just send the auth and then the write… then remove the tag and try to auth again using the updated pwd

Also this doesn’t make sense to me… you’re writing a pwd of 44 4E 47 52 but then trying to immediately re-auth a pwd of 41 42 43 44?

Yeah this isn’t workable… I think you need to literally hold the phone to the tag to send multiple commands… awkward at best… if it’s even possible.

Oh wait I think I read somewhere that you can separate commands with a comma (or something equally as stupid as that)… check documentation.

Yeah on Android it’s a comma… so whatever.

So this should work…

1B FF FF FF FF,A2 E5 44 4E 47 52

My intention was to write DNGR, check if ABCD & FFFF was invalid, then check DNGR with the hope it would be valid. Just sanity checking.

Tried this but iOS sends lots of individual reads.

SUCCESS, v silly but if it works, it works. Thank you.

Ok we’re working on an update to a very old project called RawNFC to replace NFC Shell… it’ll have an awesome feature though which will allow us to make a library of useful commands anyone can easily use / add to.

test
test 2
