POPL - It works, but a warning to go with it

POPL

HOW TO USE POPL

Generate a URL and write THAT to your implant, this is the safest option and it works.

HOW NOT TO USE POPL

DO NOT use the write to a POPL card function
it will write a password to your implant, and will take some tools and knowledge to remove it.

image

HOW TO FIX / REPAIR YOUR IMPLANT / FOB / CARD etc.

A while ago, I was fucking around with POPL, and whilst you can easily setup a POPL link and write that to your implant as an NDEF URL link; I also know they sell various NFC products, In the app, you can enable a new product, so I thought I would try a “bring your own” ( which they don’t offer by the way)

So, I grabbed a couple of NTAG216 / 213 stickers ( Bullseye - Ex :DT_Logo: Product )
image

I wrote to it no problem
scanned it, and it worked perfectly
I then tried to wipe it,but

Ruh Roh GIFs | Tenor
No Go

I scanned with TagInfo, and it was Password locked aka If it was an implant it would no longer be rewritable as anything else…

THIS IS WHY WE TEST WRITE TO TEST PRODUCTS AND NOT OUR IMPLANTS TEAM!!!

So I pulled out my Flipper Zero :flipperzero_white: , and tried another write to another Bullseye, and sniffed the password with the Flipper (bloody great tool)
Changed the password to FFFFFFFF
so that’s all good.
BUT

Page3 OTP

The lock bits are open and the capability
container in page 3 is fine. It is password
protected though because the AUTHO
byte is set to page 4.

There’s no such thing as removing the
password. Even with the factory default
value of FFFFFF, you still need to run the
PWD_AUTH command and pass the
password in so you can write to the
memory blocks protected by the
password.
What you need to do is authenticate, then
change the authO byte to ff or E2

This can all be done with NFC shell easily

The authentication command can be found in
the datasheet

image

This gets sent first
Then send the write command to change authO

1B FF FF FF FF
A2 E3 04 00 00 E2

NFC Shell

This should recover your IMPLANT / FOB / CARD

Always \ use \ a \ test \ card \ BEFORE \ writing \ to \ an \ implant

You’re Welcome

9 Likes

Thanks for the PSA!

How do you do this part ?

1 Like


Select your saved card Empty_NTAG216 in this example

Put you Test card on the Flipper then place it on the reader/writer (Phone in this case)

As the POPL writes to the card, the flipper should grab the password

7 Likes

This this. Flipper is great in a pinch for grabbing this data

4 Likes

Somehow I expected them to use a better password and to use that to verify that you’re using one of their cards.

I guess that their fobs look kinda cool and that’s enough.

2 Likes

Thought I better provide the ACTUAL password

Popl Password

74 65 73 29
or
74657329

4 Likes

So funny they didn’t use some kind of password derivative based on UID or signature or something

1 Like

It was the same for 2 I tried, BUT I guess that could be off my specific account.

If somebody else tries it and it doesn’t work, at least the HOW TO is documented above.

But in reality, the purpose of this thread is to stop people enrolling a Card/ fob/ sticker/ implant, and simply just writing the link.

I guess this the fix, if anybody on the interwebs needs it

4 Likes

I know this is an old thread now but for those wanting to avoid the POPL issues but still have a digital business card generator app, https://www.hihello.me/ seems to fit the bill. The great part is unlike many other digital business card sellers they specifically DON’T sell their own NFC cards:

“HiHello does not supply or sell NFC tags, unlike several NFC-only business card providers. We do this for a reason—at HiHello, we don’t believe in charging customers an inflated price for something available at a minimal cost on third-party sites like Amazon and Etsy.”

Their app will write to the implant but doesn’t try to lock it down as far as I can tell. I didn’t even think about that part when I wrote the BC to my implant (NExT) but after reading this tried re-programming with another tool (my flipper0) and had no issues. So just figured I would mention it as an alternative.

Thank you for the guide to fixing the password issue with a flipper0. Bookmarked for future ref just in case :slight_smile:

2 Likes