Hello People,
Last night I had a problem writing to my NFC implant (NXP NTAG216 ISO/IEC 14443-3):
- I decided to test the Password Protected feature… It worked;
- Then I removed the password protection and wrote again, this time two records (one text string and a BTC pubkey);
- Then I protected it again with the same password, but this time the write did not finish completely and gave an error. I think I took it too early;
But after reading it again, it was password protected and didn't accept my password anymore. Is there a possibility that the writing error corrupted it by setting a different password?
I've tried a lot of password variations. It's a relatively complex 9-character password with uppercase, spaces and symbols (#@!).
Maybe some illegal character truncated the password?
Is there any way to bruteforce it?
I noticed that NFC Tools stores the password differently from the default (4 digit pin). Could anyone tell me the details of how NFC Tools stores the password, so I have an idea of how to build a wordlist to bruteforce it?
Does it store a hash? Is there a way to extract the hash and bruteforce it offline?
Yes, I've already read similar topics like this:
I also tried the shell app… but it looks like it didn't authenticate (1B FF FF FF FF returns RX: 0000, not NAK or PAK);
## Some details of current reading state:
# IC manufacturer:
NXP Semiconductors
# IC type:
NTAG216
# NFC Forum NDEF-compliant tag:
Type 2 Tag
# Detailed protocol information:
ID: 00:00:00:00:00:00:00
ATQA: 0x4400
SAK: 0x00
[ Read-Only ] Addr. 00 : UID0 - UID2 / BCC0
[ Read-Only ] Addr. 01 : UID3 - UDI6
[ Readable & Writable ] Addr. 02 : BCC1 / INT. / LOCK0 - LOCK1
...
[ Readable, write protected by password ] Addr. E2 : LOCK2 - LOCK4
[ Readable, write protected by password ] Addr. E3 : CFG 0 (MIRROR / AUTH0)
[ Readable, write protected by password ] Addr. E4 : CFG 1 (ACCESS)
[ Write-Only ] Addr. E5 : PWD0 - PWD3
[ Write-Only ] Addr. E6 : PACK0 - PACK1
# Memory content:
[00] * 00:00:00 31 (UID0-UID2, BCC0)
[01] * 00:00:00:00 (UID3-UID6)
[02] . EC 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[04] .r 03 4A 91 01 |.J..|
[05] .r 17 54 02 65 |.T.e|
[06] .r 00 00 00 00 |naaa|
[07] .r 00 00 27 73 |aa's|
[08] .r 20 6C 65 66 | lef|
[09] .r 74 20 68 61 |t ha|
[0A] .r 6E 64 20 3A |nd :|
[0B] .r 29 51 01 2B |)Q.+|
[0C] .r 55 00 62 69 |U.bi|
[0D] .r 74 63 6F 69 |tcoi|
[0E] .r 6E 3A 00 00 |n:xx|
[0F] .r 00 00 00 00 |xxxx|
[10] .r 00 00 00 00 |xxxx|
[11] .r 00 00 00 00 |xxxx|
[12] .r 00 00 00 00 |xxxx|
[13] .r 00 00 00 00 |xxxx|
[14] .r 00 00 00 00 |xxxx|
[15] .r 00 00 00 00 |xxxx|
[16] .r 00 00 00 00 |xxxx|
[17] .r FE 00 00 00 |....|
[18] .r 00 00 00 00 |....|
....
[E1] .r 00 00 00 00 |....|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P FF FF FF FF (PWD0-PWD3)
[E6] +P 00 00 -- -- (PACK0-PACK1)
*:locked & blocked, x:locked,
+:blocked, .:un(b)locked, ?:unknown
r:readable (write-protected),
p:password protected, -:write-only
P:password protected write-only
# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible
# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.Ndef]
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms
# Memory size:
888 bytes user memory
* 222 pages, with 4 bytes per page
# IC detailed information:
Full product name: NT2H1611G0DUx
Capacitance: 50 pF
# Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 888 bytes
Protocol: ISO/IEC 14443-3
# Configuration information:
ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation enabled
# Originality check:
Signature verified with NXP public key
# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 872 bytes
NDEF access: Read & Write
E1 10 6D 00
-- NDEF ------------------------------
# NFC data set information:
NDEF message containing 2 records
Current message size: 74 bytes
Maximum message size: 868 bytes
NFC data set access: Read & Write
Can be made Read-Only
# Record #1: Text record:
Type Name Format: NFC Forum well-known type
Short Record
type: "T"
encoding: UTF-8
lang: "en"
text: "xxxxx's left hand :)"
Payload length: 23 bytes
Payload data:
[00] 02 65 6E 00 00 00 00 00 27 73 20 6C 65 66 74 20 |.enaaaaa's left |
[10] 68 61 6E 64 20 3A 29 |hand :) |
# Record #2: URI record:
Type Name Format: NFC Forum well-known type
Short Record
type: "U"
protocol field: [none]
URI field: bitcoin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Payload length: 43 bytes
Payload data:
[00] 00 62 69 74 63 6F 69 6E 3A 00 00 00 00 00 00 00 |.bitcoin:xxxxxxx|
[10] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxxxxxxxx|
[20] 00 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxxx |
# NDEF message:
[00] 91 01 17 54 02 65 6E 69 6E 74 72 64 27 73 20 6C |...T.enxxxxx's l|
[10] 65 66 74 20 68 61 6E 64 20 3A 29 51 01 2B 55 00 |eft hand :)Q.+U.|
[20] 62 69 74 63 6F 69 6E 3A 00 00 00 00 00 00 00 00 |bitcoin:xxxxxxxx|
[30] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxxxxxxxx|
[40] 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxx |
Thank you.
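
An added example, not part of the original post: a decoder for the two NTAG216 configuration pages shown in the dump (E3 and E4), mapping the raw bytes to the settings the report lists under "Configuration information". The bit layout follows the NXP NTAG213/215/216 data sheet; the names `decode_config` and `Ntag21xConfig` are made up for this sketch, and treating E6 as the last page for the AUTH0 check is an assumption.

```python
from dataclasses import dataclass

# Constructed from the dump in the post: page E3 = 04 00 00 00, page E4 = 00 05 -- --
# (the two bytes the dump shows as "--" are filled with 00 here as placeholders).
PAGE_E3 = bytes.fromhex("04000000")
PAGE_E4 = bytes.fromhex("00050000")
LAST_PAGE = 0xE6  # assumed last page address of an NTAG216 (the PACK page)


@dataclass
class Ntag21xConfig:
    mirror_conf: int         # MIRROR bits 7-6; 0 = ASCII mirror off
    strong_modulation: bool  # MIRROR bit 2 (STRG_MOD_EN)
    auth0: int               # first page that requires PWD_AUTH
    prot_read: bool          # ACCESS bit 7 (PROT): 1 = reads need the password too
    cfg_locked: bool         # ACCESS bit 6 (CFGLCK)
    counter_enabled: bool    # ACCESS bit 4 (NFC_CNT_EN)
    authlim: int             # ACCESS bits 2-0; 0 = unlimited failed attempts

    @property
    def protection_active(self) -> bool:
        # AUTH0 beyond the last page effectively disables password protection.
        return self.auth0 <= LAST_PAGE

    def summary(self) -> list:
        scope = "read+write" if self.prot_read else "write"
        return [
            "ASCII mirror " + ("disabled" if self.mirror_conf == 0 else "enabled"),
            "strong modulation " + ("enabled" if self.strong_modulation else "disabled"),
            f"password needed for {scope} from page 0x{self.auth0:02X}"
            if self.protection_active else "password protection disabled",
            "NFC counter " + ("enabled" if self.counter_enabled else "disabled"),
            "no limit on wrong password attempts" if self.authlim == 0
            else f"limit of {self.authlim} wrong password attempts",
            "config " + ("permanently locked" if self.cfg_locked else "not permanently locked"),
        ]


def decode_config(cfg0: bytes, cfg1: bytes) -> Ntag21xConfig:
    if len(cfg0) != 4 or len(cfg1) != 4:
        raise ValueError("each configuration page is exactly 4 bytes")
    mirror, access = cfg0[0], cfg1[0]  # only byte 0 of E4 (ACCESS) carries settings
    return Ntag21xConfig(mirror >> 6, bool(mirror & 0x04), cfg0[3], bool(access & 0x80),
                         bool(access & 0x40), bool(access & 0x10), access & 0x07)


if __name__ == "__main__":
    print("\n".join(decode_config(PAGE_E3, PAGE_E4).summary()))
```

For the bytes in the dump this reproduces the report's own lines (mirror disabled, counter disabled, no attempt limit, strong modulation enabled) and shows AUTH0 = 00, meaning the write protection starts at page 0.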