I am locked out of and can't edit or wipe my implant

amal · February 12, 2025, 9:59am

Can you send an updated scan of these pages from taginfo?

Maarten · February 12, 2025, 10:13am

Yes, here you go:

[02] . 55 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 – – (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX – – (PACK0-PACK1)

amal · February 12, 2025, 4:52pm

Ok, so as it stands now;

The password on this chip has been set to something we (Dangerous Things) didn’t set
The auth0 byte has been changed to 00 (we also never do this)
No other configuration options have been changed

This tells me that at some point, quite unknowingly, you may have tried a “protect” feature of TagWriter, NFC Tools, or some other NFC app… a feature that may have been extremely vague about what it was actually doing. I know that over the years TagWriter has been particularly notorious about this.

For example, for a long time if you wrote to any tag a checkbox option simply said “Protect tag” but if you checked it, this would lock the tag forever using the lock bits. Other methods of protection offered inclueded password protecting the tag, but there was a time where it would accept normal keyboard input, not hexadecimal values… this created chaos because the keyboard ASCII characters being typed would be converted to hex to be written to the tag as the set password, however the user was allowed to enter long passwords like “mypassword” and some sort of truncation / customized hashing was done to reduce this down to 4 bytes… and this process was opaque, so if someone set the password with TagWriter, then NFC Tools would have no way to enter or calculate this password. Worse, when TagWriter decided better and changed this feature to hexadecimal entry, it effectively stranded people who wrote their passwords with the old system because nobody knew the hex values for those passwords.

At this point, I think your only option is to work with someone with a Proxmark to crack the current password so you can change the AUTH0 byte from 00 to E2, and perhaps change the password to a hex value you’ll remember.

Maarten · February 26, 2025, 2:35pm

Hi Amal, I would like to mention the product in an article that I am writing for a computer magazine. Can I interview you for this?

amal · February 26, 2025, 7:13pm

Sure I’ll DM you a link to schedule a chat

Maarten · February 27, 2025, 9:14am

Thanks