Trying to remove/reset xNT passcode - CFGLCK & AUTHLIM possibly locked?


#1

I have a feeling I’ve fubared my XNT — after reading this forum post (DNFC and password protection) I’m pretty sure that my misapplied attempts to reset/brute force my pin has resulted in the CFGLCK and AUTHLIM locking down any chance of removing/resetting the pin. I was using the NFCTools app which now I understand has issues with passwords.

I’m wonder if a) it’s still possible to reset or remove the passcode, or b) possible to completely wipe the xNT?
Is there anything I can do with a more specialized bit of hardware like a Proxmark, rather than relying on Android apps? I’m not an NFC/RFID guru, but I can read man pages pretty well.

Dump from the xNT Support Tool below:

Get Version: 00 04 04 02 01 00 13 03
Page 00: 04 E8 04 60
Page 01: 12 FF 38 84
Page 02: 51 48 0F 00
Page 03: E1 12 6D 00
Page 04: 03 FF 01 F1
Page 05: 91 01 4A 54

Page E2 :00 00 7F BD
Page E3 :00 00 00 00
Page E4 :00 05 00 00


#2

Ok first, how did you do this? How did you write page E3 to all 00 00 00 00 ?

In short, the CFGLCK and AUTHLIM bits are in page E4 and that page still holds default values. Page E3 holds your data mirroring configuration and modulation mode, as well as AUTH0. The default value after using Dangerous NFC should be 04 00 00 E2, the last byte of course being AUTH0… so you can set that to 00 or 03 or whatever you want really… but at this point it’s set to 00 so that means to change anything on the tag, including any user data, you will need to authenticate first.

Unfortunately, if you set your password with Dangerous NFC, that means none of the other tools which support the NTAG216 password feature will work. For whatever reason, if you enter an ASCII value password with the keyboard of say… ABCD… in hex that value is 41 42 43 44 … and that’s what the Dangerous NFC app writes as your password to page E5… simple right? Well NFC Tools and NFC TagWriter from NXP apparently use something completely different… and so when you attempt to use those tools to make changes, it asks for your password, you type in ABCD, and it errors. No idea why. Nothing about password user input translations in the documentation. Insane.

So the way to fix this is very annoying. You’ll have to use the NFC Shell… actually, start by reading this thread; https://forum.dangerousthings.com/t/can-my-xnt-be-easily-set-to-read-only and grab NFC Shell from the link in that thread.

Type in the following lines in the NFC Shell box;

1B h1 h2 h3 h4
A2 E3 04 00 00 E2

The first line starting with 1B is the PWD_AUTH command, and the h1 h2 h3 h4 value needs to be replaced with the HEX value of the password you set for your xNT. So, if your password was 1234 then the HEX values of the ASCII characters 1, 2, 3, and 4 are 31 32 33 34. Check ye’ olde ASCII chart for a reference.

The second line, starting with A2, updates the AUTH0 byte to page E2… protecting the configuration pages of your tag with the password you’ve set.

Press the SEND button and then scan your tag. You should receive in the shell window, something like this;

TX: 1Bh1h2h3h4
RX: 4454
TX: A2 E3 04 00 00 04
RX:

That means success… no RX after successful write command means success. If it fails, you’ll get an RX: NAK back.