Problem after writing on my NFC implant (NXP NTAG216 ISO/IEC 14443-3)

Hello People,

Last night I had a problem writing to my NFC implant (NXP NTAG216 ISO/IEC 14443-3):

  • I decided to test the Password Protected feature… It worked;
  • Then I removed the password protection and wrote again, this time two records (one text string and a BTC pubkey);
  • Then I protected it again with the same password, but this time the write did not finish completely and gave an error; I think I took it off too early;

But after reading it again, it was password protected and didn't accept my password anymore. Is there a possibility that the write error corrupted my settings with a different password?

I’ve tried a lot of password variations; it’s a relatively complex 9-length password w/ uppercase, spaces and symbols (#@!).

Maybe some illegal character truncated the password?
Is there any way to brute-force it?

I noticed that NFC Tools stores the password differently from the default (4-digit PIN). Could anyone tell me the details of how NFC Tools stores the password? So I have an idea of how to build a wordlist to brute-force it.

Does it store a hash? Is there a way to extract the hash and brute-force it offline?

Yes, I’ve already read similar topics like this:

Also tried the shell app… but it looks like it didn’t authenticate (1B FF FF FF FF returns RX: 0000, not NAK or PAK);

## Some details of current reading state:

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG216

# NFC Forum NDEF-compliant tag:
Type 2 Tag

# Detailed protocol information:
ID: 00:00:00:00:00:00:00
ATQA: 0x4400
SAK: 0x00

[ Read-Only ] Addr. 00 : UID0 - UID2 / BCC0
[ Read-Only ] Addr. 01 : UID3 - UDI6
[ Readable & Writable ] Addr. 02 : BCC1 / INT. / LOCK0 - LOCK1
...
[ Readable, write protected by password ] Addr. E2 : LOCK2 - LOCK4
[ Readable, write protected by password ] Addr. E3 : CFG 0 (MIRROR / AUTH0)
[ Readable, write protected by password ] Addr. E4 : CFG 1 (ACCESS)
[ Write-Only ] Addr. E5 : PWD0 - PWD3
[ Write-Only ] Addr. E6 : PACK0 - PACK1

# Memory content:
[00] *  00:00:00 31 (UID0-UID2, BCC0)
[01] *  00:00:00:00 (UID3-UID6)
[02] .  EC 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[04] .r 03 4A 91 01 |.J..|
[05] .r 17 54 02 65 |.T.e|
[06] .r 00 00 00 00 |naaa|
[07] .r 00 00 27 73 |aa's|
[08] .r 20 6C 65 66 | lef|
[09] .r 74 20 68 61 |t ha|
[0A] .r 6E 64 20 3A |nd :|
[0B] .r 29 51 01 2B |)Q.+|
[0C] .r 55 00 62 69 |U.bi|
[0D] .r 74 63 6F 69 |tcoi|
[0E] .r 6E 3A 00 00 |n:xx|
[0F] .r 00 00 00 00 |xxxx|
[10] .r 00 00 00 00 |xxxx|
[11] .r 00 00 00 00 |xxxx|
[12] .r 00 00 00 00 |xxxx|
[13] .r 00 00 00 00 |xxxx|
[14] .r 00 00 00 00 |xxxx|
[15] .r 00 00 00 00 |xxxx|
[16] .r 00 00 00 00 |xxxx|
[17] .r FE 00 00 00 |....|
[18] .r 00 00 00 00 |....|
....
[E1] .r 00 00 00 00 |....|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 -- -- (ACCESS)
[E5] +P FF FF FF FF (PWD0-PWD3)
[E6] +P 00 00 -- -- (PACK0-PACK1)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked, ?:unknown
  r:readable (write-protected),
  p:password protected, -:write-only
  P:password protected write-only


# Technologies supported:
ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

# Android technology information:
Tag description:
* TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.Ndef]
* Maximum transceive length: 253 bytes
* Default maximum transceive time-out: 618 ms

# Memory size:
888 bytes user memory
* 222 pages, with 4 bytes per page

# IC detailed information:
Full product name: NT2H1611G0DUx
Capacitance: 50 pF

# Version information:
Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 888 bytes
Protocol: ISO/IEC 14443-3

# Configuration information:
ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation enabled

# Originality check:
Signature verified with NXP public key

# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 872 bytes
NDEF access: Read & Write
 E1 10 6D 00    

-- NDEF ------------------------------

# NFC data set information:
NDEF message containing 2 records
Current message size: 74 bytes
Maximum message size: 868 bytes
NFC data set access: Read & Write
Can be made Read-Only

# Record #1: Text record:
Type Name Format: NFC Forum well-known type
Short Record
type: "T"
encoding: UTF-8
lang: "en"
text: "xxxxx's left hand :)"
Payload length: 23 bytes
Payload data:

[00] 02 65 6E 00 00 00 00 00 27 73 20 6C 65 66 74 20 |.enaaaaa's left |
[10] 68 61 6E 64 20 3A 29                            |hand :)         |

# Record #2: URI record:
Type Name Format: NFC Forum well-known type
Short Record
type: "U"
protocol field: [none]
URI field: bitcoin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Payload length: 43 bytes
Payload data:

[00] 00 62 69 74 63 6F 69 6E 3A 00 00 00 00 00 00 00 |.bitcoin:xxxxxxx|
[10] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxxxxxxxx|
[20] 00 00 00 00 00 00 00 00 00 00 00                |xxxxxxxxxxx     |

# NDEF message:
[00] 91 01 17 54 02 65 6E 69 6E 74 72 64 27 73 20 6C |...T.enxxxxx's l|
[10] 65 66 74 20 68 61 6E 64 20 3A 29 51 01 2B 55 00 |eft hand :)Q.+U.|
[20] 62 69 74 63 6F 69 6E 3A 00 00 00 00 00 00 00 00 |bitcoin:xxxxxxxx|
[30] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |xxxxxxxxxxxxxxxx|
[40] 00 00 00 00 00 00 00 00 00 00                   |xxxxxxxxxx      |

Thank you.

Oops! I just fixed it by authenticating w/ the default password and resetting the AUTH0 byte to E2, thank you!

1BFFFFFFFF
A2E3040000E2

Just a note…
sending 1BFFFFFFFF (default pw) returned 0000, not PAK! (this confused me).

Now, to be OK, I need to set a 1B password different from the default and set E4 to 80050000 to make the config pages read-protected, right?

The default PAK is 0000, and this is what the PAK is shown to be in your data posted above (page E6), so you were getting the PAK back.

The AUTH0 byte sets the protection range, so change page E3 to 04 00 00 E2 and leave page E4 alone.
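To make the exchange in this thread concrete, here is an added Python example (not code from the thread or from NXP) that decodes the NTAG216 config pages E3/E4 as they appear in the dump above, builds the PWD_AUTH (1B) and WRITE (A2) frames, and shows why a 0000 reply is the PACK (written PAK above) rather than a NAK. Page numbers, bit positions and the default PWD/PACK are assumed from the NTAG21x data sheet; the sample page contents are constructed from the dump in the thread.

```python
# Added example: decode NTAG216 CFG0/CFG1 and build the 1B / A2 frames from the thread.
PWD_AUTH = 0x1B                       # password authentication command
WRITE = 0xA2                          # 4-byte page WRITE command
CFG0_PAGE, LAST_CFG_PAGE = 0xE3, 0xE6  # CFG0 (MIRROR/AUTH0) .. PACK on an NTAG216
DEFAULT_PWD = bytes.fromhex("FFFFFFFF")
DEFAULT_PACK = bytes.fromhex("0000")

def decode_config(cfg0: bytes, cfg1: bytes) -> dict:
    """Decode page E3 (MIRROR, AUTH0) and page E4 (ACCESS) as dumped by TagInfo."""
    auth0 = cfg0[3]        # first page that needs PWD_AUTH before access
    access = cfg1[0]       # ACCESS byte: PROT(bit7) CFGLCK(bit6) ... AUTHLIM(bits0-2)
    return {
        "auth0": auth0,
        # AUTH0 beyond the last config page disables password protection entirely
        "protection_disabled": auth0 > LAST_CFG_PAGE,
        "read_protected": bool(access & 0x80),   # PROT=1: read AND write need auth
        "cfg_locked": bool(access & 0x40),       # CFGLCK: config pages permanently locked
        "authlim": access & 0x07,                # 0 = no limit on wrong password attempts
    }

def pwd_auth_frame(pwd: bytes) -> bytes:
    """Frame sent to the tag: 1B followed by the 4 password bytes (e.g. 1BFFFFFFFF)."""
    if len(pwd) != 4:
        raise ValueError("NTAG21x passwords are exactly 4 bytes; longer strings get truncated by the app")
    return bytes([PWD_AUTH]) + pwd

def interpret_auth_response(rx: bytes) -> str:
    """A 2-byte reply is the PACK (success); a shorter reply is a NAK."""
    if len(rx) == 2:
        note = " (factory default PACK)" if rx == DEFAULT_PACK else ""
        return f"PACK {rx.hex().upper()}{note}: authenticated"
    return f"NAK {rx.hex().upper()}: authentication failed"

def write_auth0_frame(cfg0: bytes, new_auth0: int) -> bytes:
    """WRITE to page E3 keeping the MIRROR bytes and replacing only AUTH0 (byte 3)."""
    return bytes([WRITE, CFG0_PAGE]) + cfg0[:3] + bytes([new_auth0 & 0xFF])

# Constructed from the dump above: [E3] 04 00 00 00 and [E4] 00 05 -- --
cfg0 = bytes.fromhex("04000000")
cfg1 = bytes.fromhex("00050000")

if __name__ == "__main__":
    print(decode_config(cfg0, cfg1))                       # auth0=0: every page protected
    print(pwd_auth_frame(DEFAULT_PWD).hex().upper())        # 1BFFFFFFFF
    print(interpret_auth_response(bytes.fromhex("0000")))   # PACK 0000, not a NAK
    print(write_auth0_frame(cfg0, 0xE2).hex().upper())      # A2E3040000E2
```

With AUTH0 = 00 in the dump, every page from 00 onward required authentication, which is why the tag looked fully locked; writing 04 00 00 E2 to page E3 moves the protected range to E2 and above.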