I am locked out of and can't edit or wipe my implant

I have read several posts about this on this forum, but have not been able to find a solution. When I scan my implant with NXP Tag Info, I get the following information:

  • NXP NTAG216 Type 2 Tag
  • Signature verified with NXP public key
  • ASCII mirror disabled
  • NFC counter disabled
  • Strong load modulation enabled
  • NFC data set access Read & Write

However, I have been unable to change any of the (outdated) information that’s on it. So it’s basically useless, because when people scan it, they get old contact data. Nor am I able to use it for other purposes. Every time I scan it using NXP Tag Writer and try to change something, I get red error texts like: “removal failed” or “this tag can not be formatted”.

How can I reset it, wipe it, restore factory settings or just edit it?

Do you happen to know which implant it is and about when it was purchased?

Do you have an android phone?

1 Like

I think I shared which implant it is (NXP NTAG216 Type 2 Tag), at least that’s what the reader tells me about the type. I don’t know when it was purchased, but it must have been at least 7 years ago. I have an Android Phone, Google Pixel 9 Pro XL.

1 Like

Several implants have an NTAG216 in them, most notably the NExT and xNT

My first step would be to check whether the implant responds to the default password, but that has varied a little from implant to implant and over time

If you install the APK on the release page here:

You can try to authenticate with the chip with the two likely factory passwords by opening these links in that app:

DNGR
NExT

Unfortunately I’m not certain when they changed over to DNGR for all the implants

1 Like

Here’s an example of a successful authentication:

And a failed authentication:

1 Like

Wow, thanks. I must say, this goes a little over my head, not sure how to perform these steps.
Do I go to the GitHub link and install that software on my Android Phone? And what do I do next?

That’s correct, you can also download the app directly from here:

Once you have the app installed, click on the DNGR and NExT links I posted above which should take you to that app, then just present your Implant to the phone and see what the response is

Let me know if you need any more assistance

1 Like

It also might be worth it to just try using a different app to erase or write data to the implant, such as:

2 Likes

Let’s just start with understanding how the chip is currently configured. Can you scan with taginfo and post the data (you should omit / redact sensitive info, if you want)? I’m mostly interested in memory pages 02, 03 and E2-E4.

2 Likes

Thanks Amal. Here you are:

[02] . 55 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 – – (ACCESS)

That tell you anything?

1 Like

This is the one I have been using.

2 Likes

Still debating whether I can trust this, my phone seems to have second thoughts, the download is not taking place. Probably I have to tick trust third party content somewhere.

1 Like

  • your lock bits are not set, so the user programmable memory pages are not locked by those

  • your AUTH0 byte is set to 00 though, so the user programmable memory is being subjected to password authentication requirements

  • your PROT bit is set to 0 so the user memory is only write protected (anyone can read), which is what you indicated by being able to read but not write.

This tells me that what you have is not an implant… at least not one sold by us. Therefore the authentication suggestion made above by @Aoxhwjfoavdlhsvfpzha will not work for you. You need to figure out what 4 byte password was used to protect this transponder, and set that in TagWriter for this tag. It might also be the default password 00 00 00 00 or could also be the alternative default of FF FF FF FF.

1 Like

First of all, it’s an implant that was placed in my hand by someone representing your company, long ago.

I am a little confused by the password thing: when I click the settings gear, and scroll down to password, it says FFFFFFFF. Would that be the password?? Could I somehow enter that somewhere and unlock it that way? Or am I misunderstanding your point here?

Thanks again.

ah … this might be why it’s not got anything set… the original xNT was sold with factory defaults for everything… but people started locking themselves out of their chips by setting lock bits, not knowing you cannot change the lock bits once set… and apps like TagWriter did not warn people before setting “tag protections”.

The password on the NTAG216 is 4 bytes, represented in hexadecimal format. Take a look at this ASCII character table:

ASCII Table

This table shows the “Dec” (decimal value) and Hx (hexadecimal value) for your standard ASCII characters 0 through 127. Many of these characters are not typable on a keyboard, so instead we deal with giving the password value in “hex format” as it’s known. Otherwise, your total number of possible password combinations would be extremely short if we limited things to just what you can type on the keyboard (the actual full 8 bit ASCII table goes to 255)… and since the chip has a 4 byte password, that would take no time at all to crack it if it were limited to just the keys on the keyboard you could type.

Another note about how the NTAG216 chip works - the 4 bytes in memory page E5 are used to store the password. That means whatever these 4 bytes are set to IS the password. The physical memory cells are physical… meaning you can’t remove them from the chip… so likewise there is no way to “remove” the password… whatever those memory bytes contain IS the password… even if those bytes are all 00 (null)… there will always be a value of some kind. This is why the factory default password is FF FF FF FF (or FFFFFFFF without spaces). There is no way to unset it.

What you CAN do though, is set / change AUTH0 after you have authenticated. The AUTH0 byte of the NTAG216 configuration tells the chip “Password protection (authentication hence AUTH) will be applied to whatever memory page is given in AUTH0 downward” … so if AUTH0 is set to 00 then all memory pages from the top down have password protection applied. If you set AUTH0 to E2 then only the sensitive configuration memory pages (including the password page) have password protections applied. This is how we program our implants now by default - AUTH0 is set to E2 and the password is changed from the default to DNGR (in hex that is 44 4e 47 52).

So, you might try changing the password in TagWriter to 444E4752 and see if that works? I don’t recall if we ever set a password on the xNT while not setting the lock bits to disable themselves or not, but it’s worth a shot.

One side note - there is a setting in the configuration pages which limits the number of attempts you can try to authenticate before the chip locks itself. This has not been set in your configuration though, so don’t worry. Just a note, this is why we now set the default value of AUTH0 to E2 to protect these configuration pages because changing this setting could be… bad.

3 Likes
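The reading of the TagInfo dump given in the posts above (lock bits, AUTH0, PROT, attempt limit) can be reproduced programmatically. This is an added example, not code from any poster or from the apps mentioned; the function names are hypothetical, and the byte positions assume the NTAG216 layout (static lock bytes in page 02, AUTH0 in the last byte of page E3, ACCESS in the first byte of page E4).

```python
import re

# Constructed input: the five TagInfo lines posted in the thread.
DUMP = """\
[02] . 55 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 – – (ACCESS)
"""

USER_LAST = 0xE1   # NTAG216 user memory is pages 04h..E1h
LAST_PAGE = 0xE6   # PWD is page E5h, PACK is page E6h

def parse_dump(text):
    """Map page number -> 4 byte values; bytes TagInfo did not show become None."""
    pages = {}
    for line in text.splitlines():
        m = re.match(r"\s*\[([0-9A-Fa-f]{2})\]\s+\S+\s+([^(]+)", line)
        if not m:
            continue
        tokens = re.split(r"[\s:]+", m.group(2).strip())  # space or ':' separated
        if len(tokens) == 4:
            pages[int(m.group(1), 16)] = [
                int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{2}", t) else None
                for t in tokens]
    return pages

def decode(pages):
    """Summarise lock bits, AUTH0 and ACCESS from pages 02, 03, E2, E3 and E4."""
    needed = (pages[0x02][2:4] + pages[0xE2][0:3] + [pages[0x03][3]]
              + [pages[0xE3][0], pages[0xE3][3], pages[0xE4][0]])
    if None in needed:
        raise ValueError("a required byte was not readable in the dump")
    lock0, lock1, dyn0, dyn1, dyn2, cc_access, mirror, auth0, access = needed
    return {
        "lock_bits_set": any((lock0, lock1, dyn0, dyn1, dyn2)),
        "cc_write_allowed": (cc_access & 0x0F) == 0,   # capability container
        "auth0": auth0,
        # Password verification applies from page AUTH0 to the last page.
        "user_memory_needs_password": auth0 <= USER_LAST,
        "config_needs_password": auth0 <= LAST_PAGE,
        "password_guards": "read+write" if access & 0x80 else "write",  # PROT
        "attempt_limit": (access & 0x07) or None,      # AUTHLIM, 0 = no limit
        "strong_modulation": bool(mirror & 0x04),
    }

if __name__ == "__main__":
    for key, value in decode(parse_dump(DUMP)).items():
        print(f"{key:28} {value}")
```

For the posted dump this reports no lock bits, AUTH0 of 00 with write-only protection over user memory, and no attempt limit, matching the analysis in the thread.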

It will be something like this

1 Like

So… if you set the correct password in TagWriter in this section, then you should be able to update the contents of your chip.

1 Like

This still has not been resolved with them…

https://forum.dangerousthings.com/t/google-has-gone-full-retard

1 Like

Thanks, I am still looking into it, will let you know.

1 Like

I have tried changing the password via settings (gear icon) to FFFFFFFF and 00000000 and 444E4752, but could still not write to the chip. Resetting to factory settings was the only thing that I managed to do, however I tried wiping or writing and kept getting write errors.

I know someone who owns a Proxmark3 and offered to try brute forcing it, but do you know of any other alternatives?