Unable to overwrite NFC chip

Damn, thank you for the quick update mate

yes… for now… muhahahaa mmmuuuuuHAHAHAHAHAHAHAHAHAAAAA

I am beginning to feel like you enjoy being asked

“Any updates on this”

Given how much you tease us

I actually hate that I have such a problem getting new things out… it’s probably the most fun thing I do around here - launching new things… but it’s more like, when someone asks… I start thinking about it and that gets me excited too…

Frankly I’m very impressed with your turn around time give how “cutting edge” this market is.

We like that part too

Hi all! Thanks for checking in!

Before I give my update, let me make it very clear to anyone who is interested in copying an amiibo to their xNT implant — DON’T!

Hopefully that inkling of foreshadow doesn’t spoil my story’s unfortunate ending. Either way, let’s begin!

Unfortunately, I lost contact with Connor after June. In August or so, I decided to get serious about finding a way to crack this myself. I got an actual NFC Reader/Writer (previously I was only using my Android), along with a dozen NTAG216 stickers and a dozen NTAG215 stickers. I stumbled onto this site: https://nfc.toys which was an initiative for hacking amiibos to do other things. Perfect.

Now, my memory is a bit foggy (it’s been about a year now), so I’ll try to paint the picture in broad strokes. I cloned my xNT implant to an NTAG216 sticker and used this for experimenting — I’ve learned my lesson in playing with a “production” environment, hehe. The creator of the NFC toys site has steps listed here for “hacking” an amiibo: https://nfc.toys/workflow-ami.html

One of the first instructions is to calculate a password that Nintendo uses to protect all the pages of an amiibo’s memory. I generated the password for a Resetti amiibo (the awesome character trapped on my hand), and attempted to write to a few pages that I saw had nothing but zeroes. But this didn’t work. Long story short, after hours of banging my head against the wall and cleaning off the blood, I discovered that even though these pages were showing as “password protected,” a password of an empty string allowed me to successfully write to these pages. Things got severely borked since amiibo was designed for NTAG215, while the xNT uses NTAG216. I’ve attached a screenshot of the very first glimmering hope of success I experienced — I wrote the defacto “Hello world” to my hand and was successfully able to read it in a memory dump. But, scanning it with an actual NFC app did not work.

These were written without types. If I recall correctly, the NFC protocol follows the “NFC Data Exchange Format” (NDEF), which has different types for the data represented. So now, when I scan my hand, those pages don’t appear with any kind of type. The “NFC Tools” app on my phone doesn’t show a row with that text. The only way I can see it is by dumping the memory, scrolling down to the random handful of pages I wrote to, and then decoding them from hexadecimal to ASCII. I can’t write my subway pass to it, nor my work badge, not even a simple “Hi, thank you for scanning my hand” message that could be readable using a standard NFC phone app. I’ve been thwarted. I tried my hardest to find a way to write a message and specify the type, but it was not possible. (I think the bit or bits set for the type were locked and therefore immutable.)

So where do I go from here? Well, in the next few months or so, once I get a break from uni, I’ll spend some time on coming up with a little project of my own that’ll operate based on the serial ID of my xNT. Nothing crazy like unlocking my front door, but more in tune with waving my hand to turn on/off my living room lights.

Do I regret any of this? Not at all. I spent days studying the NFC protocol, NDEF, and basic system architecture (pages & memory). I learned from this experience, and that’s more valuable than the $5 toy I would have had embedded on my hand.

Do I recommend anyone else do this? HELL NO. The emotional turmoil I went through in all of this was horrifying.
Learn from my mistake. Before you start experimenting with your new implant, do some research. Understand what’s actually going on “under the hood” — learn about the different types of NFC tags. And most importantly, experiment using tags that are outside your body. Had I just spent $5 on some NTAG216 stickers and tested with those beforehand, I really would have saved so much headache and even some heartache.

Hope that gives you all some closure.

resetti4048×3036 4.09 MB

I think if memory serves, the amiibo tags do not use an NFC capability container (also called CC, page 03 that uses 4 OTP or One Time Programmable bytes) and the data is binary, not written in NDEF format… so cloning page 03 from an amiibo to a generic NTAG216 is not going to be able to include page 03 because the bit flips required to go from an NFC capability container to an amiibo capability container is not possible with the OTP bits already being set for NFC… however, it might not matter at all if the Nintendo game doesn’t even bother to check page 03. The point here is, don’t fuck with page 03 because you can’t change it to the necessary byte data anyway and changing it will definitely destroy the ability to use the tag with NFC smartphones (and other NFC devices that comply with the NFC Forum specification).

The binary data issue means that your run-of-the-mill NFC apps for Android or iPhone will be totally unable to deal with the data on the tag. It is possible to issue direct commands to the tags to directly manipulate each memory page one at a time and write whatever binary data you want to each, but none of the NFC apps do that… they all leverage the Android NDEF library to 1) automatically wrap the data into an NDEF record within an NDEF message for you, and 2) automatically split that data up into a series of write commands that properly splits the data across all the required memory pages… but because the NDEF library on the phone must work with NDEF encapsulated data, it just borks when you want to try working with raw or binary data.

So… in short… to clone data you will need to get down to the binary folks… which is what it looks like the amiibo hacking link is doing… though don’t do anything with page 03… skip that page if it’s in the instructions.

Is there any NTAG215 implant?
U know, people can clone their Amiibos on blank cards or stickers. Perhaps is a 1 time only deal, but some might not mind having an implant with their favorite amiibo forever.

Sort of The FlexMN can emulate NTAG215

Chip emulation support

A list of NFC chips that can be emulated by the Magic NTAG chip

• UL_EV1 48 bytes (Mifare Ultralight EV1)
• UL_EV1 128 bytes (Mifare Ultralight EV1)
• NTAG 210
• NTAG 212
• NTAG 213 (true)
• NTAG 215 (true)
• NTAG 216 (true)
• NTAG I2C 1K
• NTAG I2C 2K

Ahhh a flex

Yes, but you can get the FlexMN in the FlexWedge form factor

Screenshot_20210111-064426_Chrome900×364 48.7 KB

You can install that with a custom needle

The whole procedure is VERY similar to an xSeries installation

Remember that julio is in Japan needles are a tough get in Japan I.e. cant import it from dt or would be difficult.

I thought so too, But Not so much anymore, due to Julio and Amals work

So YAY

The Vivokey Japan site looks amazing btw.

I got an NeXT a few weeks ago and had some questions regarding all of this (and yes, I do plan to ask a stupid question).

You said you can go through and manually edit all pages in binary? Does that include locked pages? What is the best hardware/software to use to do these binary writes? Anything recommended on arduino?

Now for the stupid question, I’m surprised there isn’t a way to completely wipe a chip to factory, no matter what ‘state’ the chip is in. Is there any way a feature like this could be built into future implants?

Tha was very Impulsive of you James

You mean like this?

Screenshot_20210128-170428_TagWriter1080×1592 131 KB

Screenshot_20210128-170447_TagWriter1080×554 120 KB

More in regards to issues like this

You can easily send raw commands to your chip using the free version of NFC Tools on Android. Just be very careful about the config bytes at the beginning and the end.

Here is a scan of my NExT before an edit

Screenshot_20210131-0138471080×2220 223 KB

Here is the correct option on NFC Tools

Screenshot_20210131-013906~21080×2220 133 KB

Here is the command interface. The syntax is A2[write]0F[memory page] 01020304[whatever data bytes]

Screenshot_20210131-0139451080×2220 110 KB

Here’s my NExT after the successful write

Screenshot_20210131-014005~21080×2220 222 KB

The problem your talking about has nothing to do with the user memory. It’s an inescapable part of the chip. There are config bytes you can change, and then there are some One-Time Programmable (OTP) bytes that if you change they can never be changed back.

Luckily on the NExT DT has password protected all the vulnerable config bytes with the password “NExT” so that users won’t accidentally brick their chip by locking in an undesirable configuration. The post you are referencing was relating to an xNT, which is older and was not protected by default (to give users more flexibility). Users have to opt in to the protection by using the DT app on their chip. If you do that there’s nothing to worry about.

Sadly I learned this very lesson years ago and have had a zero suit samus permanently locked in my forearm for about 10 years now… I should habe picked bayonetta … if its any comfort you can scan it with the tagmo amiino scanner app and see who you’ve chained yourself to lol