New Member, stuck with a problem

Hi all, I am new to all of this, but hope big.
Last week I implanted myself with the NExT chip; pretty easy, no bleeding. Thanks to all the videos on YouTube.
I’m interested to know every project you can do with it.

I am still trying to figure out the LF cloning and usage.

With the HF I just have one problem: I could always read it, but not write to it.
At first I thought that, because it is early, there was too much space between the reader and the chip, but now I think there must be a default password protecting it.
So I come to you all for the help I so desperately need. It seems I must have missed a step…
Here is what I got with NXP TagInfo:

# Memory content:
[00] *  04:8F:79 7A (UID0-UID2, BCC0)
[01] *  32:0A:54:81 (UID3-UID6)
[02] *  ED 48 0F 00 (BCC1, INT, LOCK0-LOCK1)
[03] *r E1:10:6D:00 (OTP0-OTP3)
[04] +r 03 11 D1 01 |....|
[05] +r 0D 55 03 64 |.U.d|
[06] +r 6E 67 72 2E |ngr.|
[07] +r 75 73 2F 4E |us/N|
[08] +r 45 78 54 FE |ExT.|
[09] +r 00 00 00 00 |....|
[0A] +r 00 00 00 00 |....|
[0B] +r 00 00 00 00 |....|
[0C] +r 00 00 00 00 |....|
[0D] +r 00 00 00 00 |....|
[0E] +r 00 00 00 00 |....|
[0F] +r 00 00 00 00 |....|
[10] +r 00 00 00 00 |....|
[11] +r 00 00 00 00 |....|
[12] +r 00 00 00 00 |....|
[13] +r 00 00 00 00 |....|
[14] +r 00 00 00 00 |....|
[15] +r 00 00 00 00 |....|
[16] +r 00 00 00 00 |....|
[17] +r 00 00 00 00 |....|
[18] +r 00 00 00 00 |....|
[19] +r 00 00 00 00 |....|
[1A] +r 00 00 00 00 |....|
[1B] +r 00 00 00 00 |....|
[1C] +r 00 00 00 00 |....|
[1D] +r 00 00 00 00 |....|
[1E] +r 00 00 00 00 |....|
[1F] +r 00 00 00 00 |....|
[20] +r 00 00 00 00 |....|
[21] +r 00 00 00 00 |....|
[22] +r 00 00 00 00 |....|
[23] +r 00 00 00 00 |....|
[24] +r 00 00 00 00 |....|
[25] +r 00 00 00 00 |....|
[26] +r 00 00 00 00 |....|
[27] +r 00 00 00 00 |....|
[28] +r 00 00 00 00 |....|
[29] +r 00 00 00 00 |....|
[2A] +r 00 00 00 00 |....|
[2B] +r 00 00 00 00 |....|
[2C] +r 00 00 00 00 |....|
[2D] +r 00 00 00 00 |....|
[2E] +r 00 00 00 00 |....|
[2F] +r 00 00 00 00 |....|
[30] +r 00 00 00 00 |....|
[31] +r 00 00 00 00 |....|
[32] +r 00 00 00 00 |....|
[33] +r 00 00 00 00 |....|
[34] +r 00 00 00 00 |....|
[35] +r 00 00 00 00 |....|
[36] +r 00 00 00 00 |....|
[37] +r 00 00 00 00 |....|
[38] +r 00 00 00 00 |....|
[39] +r 00 00 00 00 |....|
[3A] +r 00 00 00 00 |....|
[3B] +r 00 00 00 00 |....|
[3C] +r 00 00 00 00 |....|
[3D] +r 00 00 00 00 |....|
[3E] +r 00 00 00 00 |....|
[3F] +r 00 00 00 00 |....|
[40] +r 00 00 00 00 |....|
[41] +r 00 00 00 00 |....|
[42] +r 00 00 00 00 |....|
[43] +r 00 00 00 00 |....|
[44] +r 00 00 00 00 |....|
[45] +r 00 00 00 00 |....|
[46] +r 00 00 00 00 |....|
[47] +r 00 00 00 00 |....|
[48] +r 00 00 00 00 |....|
[49] +r 00 00 00 00 |....|
[4A] +r 00 00 00 00 |....|
[4B] +r 00 00 00 00 |....|
[4C] +r 00 00 00 00 |....|
[4D] +r 00 00 00 00 |....|
[4E] +r 00 00 00 00 |....|
[4F] +r 00 00 00 00 |....|
[50] +r 00 00 00 00 |....|
[51] +r 00 00 00 00 |....|
[52] +r 00 00 00 00 |....|
[53] +r 00 00 00 00 |....|
[54] +r 00 00 00 00 |....|
[55] +r 00 00 00 00 |....|
[56] +r 00 00 00 00 |....|
[57] +r 00 00 00 00 |....|
[58] +r 00 00 00 00 |....|
[59] +r 00 00 00 00 |....|
[5A] +r 00 00 00 00 |....|
[5B] +r 00 00 00 00 |....|
[5C] +r 00 00 00 00 |....|
[5D] +r 00 00 00 00 |....|
[5E] +r 00 00 00 00 |....|
[5F] +r 00 00 00 00 |....|
[60] +r 00 00 00 00 |....|
[61] +r 00 00 00 00 |....|
[62] +r 00 00 00 00 |....|
[63] +r 00 00 00 00 |....|
[64] +r 00 00 00 00 |....|
[65] +r 00 00 00 00 |....|
[66] +r 00 00 00 00 |....|
[67] +r 00 00 00 00 |....|
[68] +r 00 00 00 00 |....|
[69] +r 00 00 00 00 |....|
[6A] +r 00 00 00 00 |....|
[6B] +r 00 00 00 00 |....|
[6C] +r 00 00 00 00 |....|
[6D] +r 00 00 00 00 |....|
[6E] +r 00 00 00 00 |....|
[6F] +r 00 00 00 00 |....|
[70] +r 00 00 00 00 |....|
[71] +r 00 00 00 00 |....|
[72] +r 00 00 00 00 |....|
[73] +r 00 00 00 00 |....|
[74] +r 00 00 00 00 |....|
[75] +r 00 00 00 00 |....|
[76] +r 00 00 00 00 |....|
[77] +r 00 00 00 00 |....|
[78] +r 00 00 00 00 |....|
[79] +r 00 00 00 00 |....|
[7A] +r 00 00 00 00 |....|
[7B] +r 00 00 00 00 |....|
[7C] +r 00 00 00 00 |....|
[7D] +r 00 00 00 00 |....|
[7E] +r 00 00 00 00 |....|
[7F] +r 00 00 00 00 |....|
[80] +r 00 00 00 00 |....|
[81] +r 00 00 00 00 |....|
[82] +r 00 00 00 00 |....|
[83] +r 00 00 00 00 |....|
[84] +r 00 00 00 00 |....|
[85] +r 00 00 00 00 |....|
[86] +r 00 00 00 00 |....|
[87] +r 00 00 00 00 |....|
[88] +r 00 00 00 00 |....|
[89] +r 00 00 00 00 |....|
[8A] +r 00 00 00 00 |....|
[8B] +r 00 00 00 00 |....|
[8C] +r 00 00 00 00 |....|
[8D] +r 00 00 00 00 |....|
[8E] +r 00 00 00 00 |....|
[8F] +r 00 00 00 00 |....|
[90] +r 00 00 00 00 |....|
[91] +r 00 00 00 00 |....|
[92] +r 00 00 00 00 |....|
[93] +r 00 00 00 00 |....|
[94] +r 00 00 00 00 |....|
[95] +r 00 00 00 00 |....|
[96] +r 00 00 00 00 |....|
[97] +r 00 00 00 00 |....|
[98] +r 00 00 00 00 |....|
[99] +r 00 00 00 00 |....|
[9A] +r 00 00 00 00 |....|
[9B] +r 00 00 00 00 |....|
[9C] +r 00 00 00 00 |....|
[9D] +r 00 00 00 00 |....|
[9E] +r 00 00 00 00 |....|
[9F] +r 00 00 00 00 |....|
[A0] +r 00 00 00 00 |....|
[A1] +r 00 00 00 00 |....|
[A2] +r 00 00 00 00 |....|
[A3] +r 00 00 00 00 |....|
[A4] +r 00 00 00 00 |....|
[A5] +r 00 00 00 00 |....|
[A6] +r 00 00 00 00 |....|
[A7] +r 00 00 00 00 |....|
[A8] +r 00 00 00 00 |....|
[A9] +r 00 00 00 00 |....|
[AA] +r 00 00 00 00 |....|
[AB] +r 00 00 00 00 |....|
[AC] +r 00 00 00 00 |....|
[AD] +r 00 00 00 00 |....|
[AE] +r 00 00 00 00 |....|
[AF] +r 00 00 00 00 |....|
[B0] +r 00 00 00 00 |....|
[B1] +r 00 00 00 00 |....|
[B2] +r 00 00 00 00 |....|
[B3] +r 00 00 00 00 |....|
[B4] +r 00 00 00 00 |....|
[B5] +r 00 00 00 00 |....|
[B6] +r 00 00 00 00 |....|
[B7] +r 00 00 00 00 |....|
[B8] +r 00 00 00 00 |....|
[B9] +r 00 00 00 00 |....|
[BA] +r 00 00 00 00 |....|
[BB] +r 00 00 00 00 |....|
[BC] +r 00 00 00 00 |....|
[BD] +r 00 00 00 00 |....|
[BE] +r 00 00 00 00 |....|
[BF] +r 00 00 00 00 |....|
[C0] +r 00 00 00 00 |....|
[C1] +r 00 00 00 00 |....|
[C2] +r 00 00 00 00 |....|
[C3] +r 00 00 00 00 |....|
[C4] +r 00 00 00 00 |....|
[C5] +r 00 00 00 00 |....|
[C6] +r 00 00 00 00 |....|
[C7] +r 00 00 00 00 |....|
[C8] +r 00 00 00 00 |....|
[C9] +r 00 00 00 00 |....|
[CA] +r 00 00 00 00 |....|
[CB] +r 00 00 00 00 |....|
[CC] +r 00 00 00 00 |....|
[CD] +r 00 00 00 00 |....|
[CE] +r 00 00 00 00 |....|
[CF] +r 00 00 00 00 |....|
[D0] +r 00 00 00 00 |....|
[D1] +r 00 00 00 00 |....|
[D2] +r 00 00 00 00 |....|
[D3] +r 00 00 00 00 |....|
[D4] +r 00 00 00 00 |....|
[D5] +r 00 00 00 00 |....|
[D6] +r 00 00 00 00 |....|
[D7] +r 00 00 00 00 |....|
[D8] +r 00 00 00 00 |....|
[D9] +r 00 00 00 00 |....|
[DA] +r 00 00 00 00 |....|
[DB] +r 00 00 00 00 |....|
[DC] +r 00 00 00 00 |....|
[DD] +r 00 00 00 00 |....|
[DE] +r 00 00 00 00 |....|
[DF] +r 00 00 00 00 |....|
[E0] +r 00 00 00 00 |....|
[E1] +r 00 00 00 00 |....|
[E2] *r 00 00 7F BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P FF FF FF FF (PWD0-PWD3)
[E6] +P 00 00 -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only

Thanks in advance for your help.

What apps have you used with the chip so far? What do you have for equipment (readers/writers)?

1 Like

I have tried the apps NFC Tools and Tag Writer, with my Android phone and an NFC card reader/writer.

This is your problem. Somehow you’ve set AUTH0 to page 00 which means all memory is password protected. The PROT bit is set to 0 also so this means free read but password protected writes. Luckily your password appears to be factory default FF FF FF FF.

Thanks @amal for answering.

Which one is the PROT bit, and how can I change the PROT bit to free read & write?

Hey @Neko42

I can walk you through changing your AUTH0 byte to E3 (so it only password protects the config pages) but I think it’s important to know why this happened in the first place to make sure it doesn’t happen again. You should always be careful and try things out on a similar tag outside your body first. When you were using those apps, did you use a “Factory Reset” setting or anything like that? Some apps have a mind of their own and do nonsensical things. They’re intended to be used on disposable tags so don’t trust them unless you know what they’re doing.

I won’t be able to write up instructions until later today because it’s a bit complicated and we can’t have anything go awry.

2 Likes

Hi @Satur9 I would gladly accept your help on that, Thanks in advance.
In fact, yes I used the Factory Reset of NFC Tools at the start, I will remember to test first on another tag!

1 Like

To be clear the PROT bit only instructs the password protection function what level of protection to enforce. The only options are 1) free read, protected write, 2) protected read and write. In protected mode you must authenticate first before you can perform the action.

The AUTH0 byte tells the password protection function at which memory page to begin protecting memory. Setting it to 00 means everything from page 00 down is protected. As @Satur9 suggested, setting AUTH0 to page E3 will protect the configuration bytes only (a very good idea).

1 Like

I was trying to figure out a way you could send two commands (password authenticate and write) in one go with NFC Tools “Advanced NFC commands” functionality, but it doesn’t seem to be possible.

The best way to fix this with just an Android phone is to download the NFC Shell app, install it, and then run only the commands I list here. I was trying to avoid suggesting this because this tool is very powerful. Please only run the two commands below. Enter them both in the box at the bottom of the app on separate lines.

1BFFFFFFFF
A2E3040000E3

1B is the password authentication command, and we’re going to authenticate with the default password you have FFFFFFFF

A2 is the write command, we’re writing to page E3, and we’re going to write the data 040000E3. The last byte E3 is going to be your new AUTH0, and it means only the config bytes at the end will be password protected. The user memory should be freed up.

Let us know how it goes and please be careful in the future.

6 Likes
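
The AUTH0/PROT logic explained above, together with a pre-send sanity check for the raw CFG0 write, as an added Python example that is not part of any post in this thread. The function names are hypothetical; the page numbers and byte values are the ones shown in the TagInfo dump, and the user-memory range (04 to E1) is the NTAG216 layout that dump labels.

```python
# Added example: NTAG216 layout as labelled in the TagInfo dump above.
USER_LAST = 0xE1                     # last user memory page
CFG0_PAGE, LAST_PAGE = 0xE3, 0xE6    # CFG0 holds AUTH0 in byte 3; E6 is PACK
WRITE = 0xA2                         # page write command used in the thread


def describe_protection(cfg0: bytes, access: int) -> str:
    """Explain what AUTH0 (cfg0[3]) and PROT (bit 7 of ACCESS) protect."""
    auth0, prot = cfg0[3], (access >> 7) & 1
    if auth0 > LAST_PAGE:
        return "password protection disabled"
    what = "read+write" if prot else "write"
    scope = "including user memory" if auth0 <= USER_LAST else "config pages only"
    return f"{what} needs password from page {auth0:02X} onward, {scope}"


def vet_cfg0_write(cmd_hex: str, current_cfg0: bytes) -> list:
    """Return reasons NOT to send a raw WRITE to CFG0; an empty list means it looks sane."""
    try:
        cmd = bytes.fromhex(cmd_hex)
    except ValueError:
        return ["not valid hex (odd length or stray character)"]
    if len(cmd) != 6:
        return [f"WRITE is 6 bytes (A2, page, 4 data), got {len(cmd)}"]
    problems = []
    if cmd[0] != WRITE:
        problems.append(f"opcode {cmd[0]:02X} is not WRITE (A2)")
    if cmd[1] != CFG0_PAGE:
        problems.append(f"targets page {cmd[1]:02X}, not CFG0 (E3)")
    if cmd[2:5] != current_cfg0[:3]:
        problems.append("changes bytes other than AUTH0")
    if cmd[5] <= USER_LAST:
        problems.append(f"AUTH0 {cmd[5]:02X} still covers user memory")
    return problems


if __name__ == "__main__":
    cfg0 = bytes.fromhex("04000000")          # page E3 as read in the dump
    print(describe_protection(cfg0, 0x00))    # ACCESS byte (page E4, byte 0)
    print(vet_cfg0_write("A2E3040000E3", cfg0))
    print(vet_cfg0_write("A2E3040000E", cfg0))   # constructed typo: one digit short
```
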

Thanks a lot, that was perfect, I can finally write to it!
I have learned from this experience that I have a lot of reading to catch up on, and need to first test it on another tag.

6 Likes

For future reference Jirvin asked the wakedev guy and he said the delimiter is a comma, so it can be done with NFC Tools.

4 Likes

Thanks for the share, nice to know.
I have a question though: why is NFC Shell such a powerful app, what do you mean by that?

Because it is a “direct line” to the implant / nfc tag. It allows raw read and write commands to be done byte by byte.

Alright, thanks for the clarification @Devilclarke

Yeah in this context I more meant “powerful” in that typing a single letter incorrectly could potentially brick an implant, so more like “great and terrible” power.

1 Like

Is using NFC Tools in the same manner any worse / less powerful?

Or does it have a nice warning screen when you first click on advanced NFC commands explaining what could go wrong?

Well, I didn’t know NFC Tools could do that until recently, but yeah I guess NFC Tools is “powerful” too

3 Likes