How set password on HF side of NExT

Today I got two NExT implants, one in either hand. I had successfully pre-programmed the LF side with my PM3E, but I hadn’t done anything on the HF side as that wasn’t why I purchased them. Either way, when reading the Important Things to Know section of the product page, it states:

We set a default password value of 0x4E 0x45 0x78 0x54 or NExT, but strongly suggest you change it after installation.

Though I’ve not read anywhere how to change the password. I don’t see a way to do this using either the suggested app, NXP’s TagWriter or my preferred iOS NFC app, NFC Tools (Orange icon). Is there collateral available either here in the forums or on the product page on doing this that I missed?

I’ve read somewhere you can reset the password to ff:ff:ff:ff, I guess you can then change from that!?!
standby I will see if I can find the reference…

I found THIS

Pretty sure that’s the one I was thinking of.
here’s the quote from Amal

Dont forget to search for xNT as well as NExT being the same HF Chip

Thanks for the effort, but that’s not very definitive.

@amal Is there a manual or HowTo available for these chips?

Yes, the datasheet says everything you need to know about how to auth and change the chip… but it’s dry as hell. I’ve stated the problem elsewhere on the forum but basically the apps available do not just use the password you type… they transform the data somehow… so in the Dangerous NFC app for example, when you set a password for the xNT, if you type NExT then the password block will be set to 0x4E 0x45 0x78 0x54 however if you use TagWriter to set the password, type NExT, then the password block is not set to 0x4E 0x45 0x78 0x54 it’s set to something else… same with NFC Tools. I have no idea why they do this… it’s down right dumb… but the end result is that if you want to use either of those tools to change the password, they will ask you to type it… and if you type NExT then those apps will try to auth with something that isn’t 0x4E 0x45 0x78 0x54… so you get a failure. I don’t know why software developers do this… it only hurts you.

There are a few threads on the forum where I mention the use of NFC Shell, which is a great app that lets you chain together raw commands and send them to the tag. NFC Tools has a similar feature in the advanced section, but critically you can only send one command at a time, which is virtually useless when dealing with authentication processes, which always require an auth command before any changes to protected areas can be changed.

https://forum.dangerousthings.com/search?q=nfc%20shell

If you use NFC Shell you can auth with 0x4E 0x45 0x78 0x54 then write FF FF FF FF to the password block… which is the factory default… then you can use NFC Tools or TagWriter to make whatever changes you want and set the password or whatever…

My primary question though is - why do you want to change or remove the password on your NExT… by default it does nothing but protect the configuration pages from accidental or malicious changes.

2 Likes

Thanks for the response, I understood it differently. The way I interpreted the product post was that a password could be set to prevent reading unless you had the password, but it sounds like that’s not a mechanism in place. I would be better off writing encrypted data and require a public key to decrypt it. I would like to do more of this work with my PM3E as it seems to be the most powerful way to interface with these chips. I can’t however seem to read the HF side using my PM3E, but ironically have no problem using the stock, LF antenna to do the same.

Yes this is an option… you can set the AUTH0 byte to determine which pages are protected with the password, and the PROT bit of the ACCESS byte determine what type of protection that is… write protection or read/write protection. Default PROT bit is 0 which is write protection only… so anyone can read the user memory (all of it) but only an authenticated session can write to any protected blocks.

1 Like

@Amal,

Sorry to bring you back to an outdated post but this thread seems the most appropriate for where I am at currently as well. On the page for NExT it is stated:

We set a default password value of 0x4E 0x45 0x78 0x54 or NExT, but strongly suggest you change it after installation.

I am looking at trying to change mine from the community default just to protect the config blocks but I haven’t had luck. I see that you’ve spoken about NFC Tools and NXP Tagwriter being no good for this, I am guessing the DT App is what I should use if I want to make this change?

To clear anything up, I don’t want to change the configuration blocks at all, I just want to protect them from others and I am trying to stick with the guidelines on the purchase page.

Search for NFC shell. It’s an app that lets you chain commands to the chip on scan. You’ll need to send the auth command and password, then a write command to the password memory block to change the password.

3 Likes

Sounds good. Thanks @amal

1 Like