POPL - It works, but a warning to go with it

Support
1

POPL

HOW TO USE POPL

Generate a URL and write THAT to your implant, this is the safest option and it works.

HOW NOT TO USE POPL

DO NOT use the write to a POPL card function
it will write a password to your implant, and will take some tools and knowledge to remove it.

Screenshot_20230803_091447_Popl
Screenshot_20230803_091447_Popl1079×467 64.7 KB

image

HOW TO FIX / REPAIR YOUR IMPLANT / FOB / CARD etc.

A while ago, I was fucking around with POPL, and whilst you can easily setup a POPL link and write that to your implant as an NDEF URL link; I also know they sell various NFC products, In the app, you can enable a new product, so I thought I would try a “bring your own” ( which they don’t offer by the way)

Screenshot_20230823_174303_Popl
Screenshot_20230823_174303_Popl1079×819 72.4 KB

Screenshot_20230823_174331_Popl
Screenshot_20230823_174331_Popl1071×4470 240 KB

So, I grabbed a couple of NTAG216 / 213 stickers ( Bullseye - Ex :DT_Logo: Product )
image

I wrote to it no problem
scanned it, and it worked perfectly
I then tried to wipe it,but

Ruh Roh GIFs | Tenor
No Go

I scanned with TagInfo, and it was Password locked aka If it was an implant it would no longer be rewritable as anything else


Screenshot_20230809_063634_Chrome
Screenshot_20230809_063634_Chrome689×1111 84.6 KB

THIS IS WHY WE TEST WRITE TO TEST PRODUCTS AND NOT OUR IMPLANTS TEAM!!!

So I pulled out my Flipper Zero :flipperzero_white: , and tried another write to another Bullseye, and sniffed the password with the Flipper (bloody great tool)
Changed the password to FFFFFFFF
so that’s all good.
BUT

Page3 OTP

The lock bits are open and the capability
container in page 3 is fine. It is password
protected though because the AUTHO
byte is set to page 4.

There’s no such thing as removing the
password. Even with the factory default
value of FFFFFF, you still need to run the
PWD_AUTH command and pass the
password in so you can write to the
memory blocks protected by the
password.
What you need to do is authenticate, then
change the authO byte to ff or E2

This can all be done with NFC shell easily

The authentication command can be found in
the datasheet

image

This gets sent first
Then send the write command to change authO

1B FF FF FF FF
A2 E3 04 00 00 E2

NFC Shell

Screenshot_20230807_172604_Chrome
Screenshot_20230807_172604_Chrome707×1270 80.5 KB

This should recover your IMPLANT / FOB / CARD

Always \ use \ a \ test \ card \ BEFORE \ writing \ to \ an \ implant

You’re Welcome

9 Likes
2

Thanks for the PSA!

How do you do this part ?

1 Like
3

Screenshot_20230823_200431_Flipper
Screenshot_20230823_200431_Flipper1079×1200 132 KB

Screenshot_20230823_200455_Flipper
Screenshot_20230823_200455_Flipper1079×1200 98.8 KB

Select your saved card Empty_NTAG216 in this example
Screenshot_20230823_200530_Flipper
Screenshot_20230823_200530_Flipper938×1148 122 KB

Screenshot_20230823_200548_Flipper
Screenshot_20230823_200548_Flipper1079×1194 104 KB

Put you Test card on the Flipper then place it on the reader/writer (Phone in this case)

Screenshot_20230823_200559_Flipper
Screenshot_20230823_200559_Flipper1079×1186 110 KB

As the POPL writes to the card, the flipper should grab the password

7 Likes
4

This this. Flipper is great in a pinch for grabbing this data

5 Likes
5

Somehow I expected them to use a better password and to use that to verify that you’re using one of their cards.

I guess that their fobs look kinda cool and that’s enough.

2 Likes
6

Thought I better provide the ACTUAL password

Popl Password

74 65 73 29
or
74657329

4 Likes
7

So funny they didn’t use some kind of password derivative based on UID or signature or something

1 Like
8

It was the same for 2 I tried, BUT I guess that could be off my specific account.

If somebody else tries it and it doesn’t work, at least the HOW TO is documented above.

But in reality, the purpose of this thread is to stop people enrolling a Card/ fob/ sticker/ implant, and simply just writing the link.

I guess this the fix, if anybody on the interwebs needs it

4 Likes
9

I know this is an old thread now but for those wanting to avoid the POPL issues but still have a digital business card generator app, https://www.hihello.me/ seems to fit the bill. The great part is unlike many other digital business card sellers they specifically DON’T sell their own NFC cards:

“HiHello does not supply or sell NFC tags, unlike several NFC-only business card providers. We do this for a reason—at HiHello, we don’t believe in charging customers an inflated price for something available at a minimal cost on third-party sites like Amazon and Etsy.”

Their app will write to the implant but doesn’t try to lock it down as far as I can tell. I didn’t even think about that part when I wrote the BC to my implant (NExT) but after reading this tried re-programming with another tool (my flipper0) and had no issues. So just figured I would mention it as an alternative.

Thank you for the guide to fixing the password issue with a flipper0. Bookmarked for future ref just in case :slight_smile:

2 Likes