Unable to overwrite NFC chip

amal · May 2, 2020, 1:34am

I actually hate that I have such a problem getting new things out… it’s probably the most fun thing I do around here - launching new things… but it’s more like, when someone asks… I start thinking about it and that gets me excited too…

NiamhAstra · May 2, 2020, 1:42am

Frankly I’m very impressed with your turn around time give how “cutting edge” this market is.

We like that part too

santaman123 · May 4, 2020, 1:18am

Hi all! Thanks for checking in!

Before I give my update, let me make it very clear to anyone who is interested in copying an amiibo to their xNT implant — DON’T!

Hopefully that inkling of foreshadow doesn’t spoil my story’s unfortunate ending. Either way, let’s begin!

Unfortunately, I lost contact with Connor after June. In August or so, I decided to get serious about finding a way to crack this myself. I got an actual NFC Reader/Writer (previously I was only using my Android), along with a dozen NTAG216 stickers and a dozen NTAG215 stickers. I stumbled onto this site: https://nfc.toys which was an initiative for hacking amiibos to do other things. Perfect.

Now, my memory is a bit foggy (it’s been about a year now), so I’ll try to paint the picture in broad strokes. I cloned my xNT implant to an NTAG216 sticker and used this for experimenting — I’ve learned my lesson in playing with a “production” environment, hehe. The creator of the NFC toys site has steps listed here for “hacking” an amiibo: Writing your own data to a Nintendo Amiibo NFC toy

One of the first instructions is to calculate a password that Nintendo uses to protect all the pages of an amiibo’s memory. I generated the password for a Resetti amiibo (the awesome character trapped on my hand), and attempted to write to a few pages that I saw had nothing but zeroes. But this didn’t work. Long story short, after hours of banging my head against the wall and cleaning off the blood, I discovered that even though these pages were showing as “password protected,” a password of an empty string allowed me to successfully write to these pages. Things got severely borked since amiibo was designed for NTAG215, while the xNT uses NTAG216. I’ve attached a screenshot of the very first glimmering hope of success I experienced — I wrote the defacto “Hello world” to my hand and was successfully able to read it in a memory dump. But, scanning it with an actual NFC app did not work.

These were written without types. If I recall correctly, the NFC protocol follows the “NFC Data Exchange Format” (NDEF), which has different types for the data represented. So now, when I scan my hand, those pages don’t appear with any kind of type. The “NFC Tools” app on my phone doesn’t show a row with that text. The only way I can see it is by dumping the memory, scrolling down to the random handful of pages I wrote to, and then decoding them from hexadecimal to ASCII. I can’t write my subway pass to it, nor my work badge, not even a simple “Hi, thank you for scanning my hand” message that could be readable using a standard NFC phone app. I’ve been thwarted. I tried my hardest to find a way to write a message and specify the type, but it was not possible. (I think the bit or bits set for the type were locked and therefore immutable.)

So where do I go from here? Well, in the next few months or so, once I get a break from uni, I’ll spend some time on coming up with a little project of my own that’ll operate based on the serial ID of my xNT. Nothing crazy like unlocking my front door, but more in tune with waving my hand to turn on/off my living room lights.

Do I regret any of this? Not at all. I spent days studying the NFC protocol, NDEF, and basic system architecture (pages & memory). I learned from this experience, and that’s more valuable than the $5 toy I would have had embedded on my hand.

Do I recommend anyone else do this? HELL NO. The emotional turmoil I went through in all of this was horrifying.
Learn from my mistake. Before you start experimenting with your new implant, do some research. Understand what’s actually going on “under the hood” — learn about the different types of NFC tags. And most importantly, experiment using tags that are outside your body. Had I just spent $5 on some NTAG216 stickers and tested with those beforehand, I really would have saved so much headache and even some heartache.

Hope that gives you all some closure.

amal · May 4, 2020, 5:01pm

I think if memory serves, the amiibo tags do not use an NFC capability container (also called CC, page 03 that uses 4 OTP or One Time Programmable bytes) and the data is binary, not written in NDEF format… so cloning page 03 from an amiibo to a generic NTAG216 is not going to be able to include page 03 because the bit flips required to go from an NFC capability container to an amiibo capability container is not possible with the OTP bits already being set for NFC… however, it might not matter at all if the Nintendo game doesn’t even bother to check page 03. The point here is, don’t fuck with page 03 because you can’t change it to the necessary byte data anyway and changing it will definitely destroy the ability to use the tag with NFC smartphones (and other NFC devices that comply with the NFC Forum specification).

The binary data issue means that your run-of-the-mill NFC apps for Android or iPhone will be totally unable to deal with the data on the tag. It is possible to issue direct commands to the tags to directly manipulate each memory page one at a time and write whatever binary data you want to each, but none of the NFC apps do that… they all leverage the Android NDEF library to 1) automatically wrap the data into an NDEF record within an NDEF message for you, and 2) automatically split that data up into a series of write commands that properly splits the data across all the required memory pages… but because the NDEF library on the phone must work with NDEF encapsulated data, it just borks when you want to try working with raw or binary data.

So… in short… to clone data you will need to get down to the binary folks… which is what it looks like the amiibo hacking link is doing… though don’t do anything with page 03… skip that page if it’s in the instructions.

RyuuzakiJulio · January 9, 2021, 11:05pm

Is there any NTAG215 implant?
U know, people can clone their Amiibos on blank cards or stickers. Perhaps is a 1 time only deal, but some might not mind having an implant with their favorite amiibo forever.

Pilgrimsmaster · January 10, 2021, 12:11am

Sort of The FlexMN can emulate NTAG215

Chip emulation support

A list of NFC chips that can be emulated by the Magic NTAG chip

UL_EV1 48 bytes (Mifare Ultralight EV1)
UL_EV1 128 bytes (Mifare Ultralight EV1)
NTAG 210
NTAG 212
NTAG 213 (true)
NTAG 215 (true)
NTAG 216 (true)
NTAG I2C 1K
NTAG I2C 2K

RyuuzakiJulio · January 10, 2021, 3:12pm

Ahhh a flex

Pilgrimsmaster · January 10, 2021, 5:47pm

Yes, but you can get the FlexMN in the FlexWedge form factor

You can install that with a custom needle

The whole procedure is VERY similar to an xSeries installation

Devilclarke · January 10, 2021, 7:02pm

Remember that julio is in Japan needles are a tough get in Japan I.e. cant import it from dt or would be difficult.

Pilgrimsmaster · January 10, 2021, 7:11pm

I thought so too, But Not so much anymore, due to Julio and Amals work

So YAY

Channing · January 10, 2021, 7:47pm

The Vivokey Japan site looks amazing btw.

Pilgrimsmaster · January 10, 2021, 7:48pm

ImpulsiveJames · January 28, 2021, 2:08am

I got an NeXT a few weeks ago and had some questions regarding all of this (and yes, I do plan to ask a stupid question).

You said you can go through and manually edit all pages in binary? Does that include locked pages? What is the best hardware/software to use to do these binary writes? Anything recommended on arduino?

Now for the stupid question, I’m surprised there isn’t a way to completely wipe a chip to factory, no matter what ‘state’ the chip is in. Is there any way a feature like this could be built into future implants?