xNT stuck in read only mode

Greetings.

I recently was implanted with an xNT and was able to read/write to it. However, after setting a password via NFC Tools I have been unsuccessful at removing the password to edit existing data or write new data to the implant. I am certain of the password used as NFC Tools prints the password in clear text as you’re typing it into the application. I’m looking for a way to get the implant out of ‘read only’ and back to editable. I have tried blanking the NDEF using the DT support tool, as well as writing/erasing the tag using NFC Tools and NXT NFCWriter without success. Thanks for any information or direction you’re able to provide.

The dump of the tag follows:
** TagInfo scan (version 4.23) 2018-09-26 19:21:32 **
Report Type: External

– IC INFO ------------------------------

IC manufacturer:

NXP Semiconductors

IC type:

NTAG216

NFC Forum NDEF-compliant tag:

Type 2 Tag

– NDEF ------------------------------

NFC data set information:

NDEF message containing 1 record
Current message size: 29 bytes
Maximum message size: 868 bytes
NFC data set access: Read & Write
Can be made Read-Only

Record #1: Text record:

Type Name Format: NFC Forum well-known type
Short Record
type: “T”
encoding: UTF-8
lang: “en”
text: “Looking for something?”
Payload length: 25 bytes
Payload data:

[00] 02 65 6E 4C 6F 6F 6B 69 6E 67 20 66 6F 72 20 73 |.enLooking for s|
[10] 6F 6D 65 74 68 69 6E 67 3F |omething? |

NDEF message:

[00] D1 01 19 54 02 65 6E 4C 6F 6F 6B 69 6E 67 20 66 |…T.enLooking f|
[10] 6F 72 20 73 6F 6D 65 74 68 69 6E 67 3F |or something? |

NDEF Capability Container (CC):

Mapping version: 1.0
Maximum NDEF data size: 872 bytes
NDEF access: Read & Write
E1 10 6D 00 |…m. |

– EXTRA ------------------------------

Memory size:

888 bytes user memory

  • 222 pages, with 4 bytes per page

IC detailed information:

Full product name: NT2H1611G0DUx
Capacitance: 50 pF

Version information:

Vendor ID: NXP
Type: NTAG
Subtype: 50 pF
Major version: 1
Minor version: V0
Storage size: 888 bytes
Protocol: ISO/IEC 14443-3

Configuration information:

ASCII mirror disabled
NFC counter: disabled
No limit on wrong password attempts
Strong load modulation enabled

Originality check:

Signature verified with NXP public key

– FULL SCAN ------------------------------

Technologies supported:

ISO/IEC 14443-3 (Type A) compatible
ISO/IEC 14443-2 (Type A) compatible

Android technology information:

Tag description:

  • TAG: Tech [android.nfc.tech.NfcA, android.nfc.tech.MifareUltralight, android.nfc.tech.Ndef]
  • Maximum transceive length: 253 bytes
  • Default maximum transceive time-out: 618 ms

Detailed protocol information:

ID: 04:AE:0B:12:FF:38:84
ATQA: 0x4400
SAK: 0x00

Memory content:

[00] * 04:AE:0B 29 (UID0-UID2, BCC0)
[01] * 12:FF:38:84 (UID3-UID6)
[02] . 51 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] .r E1:10:6D:00 (OTP0-OTP3)
[04] .r 03 1D D1 01 |…|
[05] .r 19 54 02 65 |.T.e|
[06] .r 6E 4C 6F 6F |nLoo|
[07] .r 6B 69 6E 67 |king|
[08] .r 20 66 6F 72 | for|
[09] .r 20 73 6F 6D | som|
[0A] .r 65 74 68 69 |ethi|
[0B] .r 6E 67 3F FE |ng?.|
[0C] .r 00 00 00 00 |…|
[0D] .r 00 00 00 00 |…|
[0E] .r 00 00 00 00 |…|
[0F] .r 00 00 00 00 |…|
[10] .r 00 00 00 00 |…|
[11] .r 00 00 00 00 |…|
[12] .r 00 00 00 00 |…|
[13] .r 00 00 00 00 |…|
[14] .r 00 00 00 00 |…|
[15] .r 00 00 00 00 |…|
[16] .r 00 00 00 00 |…|
[17] .r 00 00 00 00 |…|
[18] .r 00 00 00 00 |…|
[19] .r 00 00 00 00 |…|
[1A] .r 00 00 00 00 |…|
[1B] .r 00 00 00 00 |…|
[1C] .r 00 00 00 00 |…|
[1D] .r 00 00 00 00 |…|
[1E] .r 00 00 00 00 |…|
[1F] .r 00 00 00 00 |…|
[20] .r 00 00 00 00 |…|
[21] .r 00 00 00 00 |…|
[22] .r 00 00 00 00 |…|
[23] .r 00 00 00 00 |…|
[24] .r 00 00 00 00 |…|
[25] .r 00 00 00 00 |…|
[26] .r 00 00 00 00 |…|
[27] .r 00 00 00 00 |…|
[28] .r 00 00 00 00 |…|
[29] .r 00 00 00 00 |…|
[2A] .r 00 00 00 00 |…|
[2B] .r 00 00 00 00 |…|
[2C] .r 00 00 00 00 |…|
[2D] .r 00 00 00 00 |…|
[2E] .r 00 00 00 00 |…|
[2F] .r 00 00 00 00 |…|
[30] .r 00 00 00 00 |…|
[31] .r 00 00 00 00 |…|
[32] .r 00 00 00 00 |…|
[33] .r 00 00 00 00 |…|
[34] .r 00 00 00 00 |…|
[35] .r 00 00 00 00 |…|
[36] .r 00 00 00 00 |…|
[37] .r 00 00 00 00 |…|
[38] .r 00 00 00 00 |…|
[39] .r 00 00 00 00 |…|
[3A] .r 00 00 00 00 |…|
[3B] .r 00 00 00 00 |…|
[3C] .r 00 00 00 00 |…|
[3D] .r 00 00 00 00 |…|
[3E] .r 00 00 00 00 |…|
[3F] .r 00 00 00 00 |…|
[40] .r 00 00 00 00 |…|
[41] .r 00 00 00 00 |…|
[42] .r 00 00 00 00 |…|
[43] .r 00 00 00 00 |…|
[44] .r 00 00 00 00 |…|
[45] .r 00 00 00 00 |…|
[46] .r 00 00 00 00 |…|
[47] .r 00 00 00 00 |…|
[48] .r 00 00 00 00 |…|
[49] .r 00 00 00 00 |…|
[4A] .r 00 00 00 00 |…|
[4B] .r 00 00 00 00 |…|
[4C] .r 00 00 00 00 |…|
[4D] .r 00 00 00 00 |…|
[4E] .r 00 00 00 00 |…|
[4F] .r 00 00 00 00 |…|
[50] .r 00 00 00 00 |…|
[51] .r 00 00 00 00 |…|
[52] .r 00 00 00 00 |…|
[53] .r 00 00 00 00 |…|
[54] .r 00 00 00 00 |…|
[55] .r 00 00 00 00 |…|
[56] .r 00 00 00 00 |…|
[57] .r 00 00 00 00 |…|
[58] .r 00 00 00 00 |…|
[59] .r 00 00 00 00 |…|
[5A] .r 00 00 00 00 |…|
[5B] .r 00 00 00 00 |…|
[5C] .r 00 00 00 00 |…|
[5D] .r 00 00 00 00 |…|
[5E] .r 00 00 00 00 |…|
[5F] .r 00 00 00 00 |…|
[60] .r 00 00 00 00 |…|
[61] .r 00 00 00 00 |…|
[62] .r 00 00 00 00 |…|
[63] .r 00 00 00 00 |…|
[64] .r 00 00 00 00 |…|
[65] .r 00 00 00 00 |…|
[66] .r 00 00 00 00 |…|
[67] .r 00 00 00 00 |…|
[68] .r 00 00 00 00 |…|
[69] .r 00 00 00 00 |…|
[6A] .r 00 00 00 00 |…|
[6B] .r 00 00 00 00 |…|
[6C] .r 00 00 00 00 |…|
[6D] .r 00 00 00 00 |…|
[6E] .r 00 00 00 00 |…|
[6F] .r 00 00 00 00 |…|
[70] .r 00 00 00 00 |…|
[71] .r 00 00 00 00 |…|
[72] .r 00 00 00 00 |…|
[73] .r 00 00 00 00 |…|
[74] .r 00 00 00 00 |…|
[75] .r 00 00 00 00 |…|
[76] .r 00 00 00 00 |…|
[77] .r 00 00 00 00 |…|
[78] .r 00 00 00 00 |…|
[79] .r 00 00 00 00 |…|
[7A] .r 00 00 00 00 |…|
[7B] .r 00 00 00 00 |…|
[7C] .r 00 00 00 00 |…|
[7D] .r 00 00 00 00 |…|
[7E] .r 00 00 00 00 |…|
[7F] .r 00 00 00 00 |…|
[80] .r 00 00 00 00 |…|
[81] .r 00 00 00 00 |…|
[82] .r 00 00 00 00 |…|
[83] .r 00 00 00 00 |…|
[84] .r 00 00 00 00 |…|
[85] .r 00 00 00 00 |…|
[86] .r 00 00 00 00 |…|
[87] .r 00 00 00 00 |…|
[88] .r 00 00 00 00 |…|
[89] .r 00 00 00 00 |…|
[8A] .r 00 00 00 00 |…|
[8B] .r 00 00 00 00 |…|
[8C] .r 00 00 00 00 |…|
[8D] .r 00 00 00 00 |…|
[8E] .r 00 00 00 00 |…|
[8F] .r 00 00 00 00 |…|
[90] .r 00 00 00 00 |…|
[91] .r 00 00 00 00 |…|
[92] .r 00 00 00 00 |…|
[93] .r 00 00 00 00 |…|
[94] .r 00 00 00 00 |…|
[95] .r 00 00 00 00 |…|
[96] .r 00 00 00 00 |…|
[97] .r 00 00 00 00 |…|
[98] .r 00 00 00 00 |…|
[99] .r 00 00 00 00 |…|
[9A] .r 00 00 00 00 |…|
[9B] .r 00 00 00 00 |…|
[9C] .r 00 00 00 00 |…|
[9D] .r 00 00 00 00 |…|
[9E] .r 00 00 00 00 |…|
[9F] .r 00 00 00 00 |…|
[A0] .r 00 00 00 00 |…|
[A1] .r 00 00 00 00 |…|
[A2] .r 00 00 00 00 |…|
[A3] .r 00 00 00 00 |…|
[A4] .r 00 00 00 00 |…|
[A5] .r 00 00 00 00 |…|
[A6] .r 00 00 00 00 |…|
[A7] .r 00 00 00 00 |…|
[A8] .r 00 00 00 00 |…|
[A9] .r 00 00 00 00 |…|
[AA] .r 00 00 00 00 |…|
[AB] .r 00 00 00 00 |…|
[AC] .r 00 00 00 00 |…|
[AD] .r 00 00 00 00 |…|
[AE] .r 00 00 00 00 |…|
[AF] .r 00 00 00 00 |…|
[B0] .r 00 00 00 00 |…|
[B1] .r 00 00 00 00 |…|
[B2] .r 00 00 00 00 |…|
[B3] .r 00 00 00 00 |…|
[B4] .r 00 00 00 00 |…|
[B5] .r 00 00 00 00 |…|
[B6] .r 00 00 00 00 |…|
[B7] .r 00 00 00 00 |…|
[B8] .r 00 00 00 00 |…|
[B9] .r 00 00 00 00 |…|
[BA] .r 00 00 00 00 |…|
[BB] .r 00 00 00 00 |…|
[BC] .r 00 00 00 00 |…|
[BD] .r 00 00 00 00 |…|
[BE] .r 00 00 00 00 |…|
[BF] .r 00 00 00 00 |…|
[C0] .r 00 00 00 00 |…|
[C1] .r 00 00 00 00 |…|
[C2] .r 00 00 00 00 |…|
[C3] .r 00 00 00 00 |…|
[C4] .r 00 00 00 00 |…|
[C5] .r 00 00 00 00 |…|
[C6] .r 00 00 00 00 |…|
[C7] .r 00 00 00 00 |…|
[C8] .r 00 00 00 00 |…|
[C9] .r 00 00 00 00 |…|
[CA] .r 00 00 00 00 |…|
[CB] .r 00 00 00 00 |…|
[CC] .r 00 00 00 00 |…|
[CD] .r 00 00 00 00 |…|
[CE] .r 00 00 00 00 |…|
[CF] .r 00 00 00 00 |…|
[D0] .r 00 00 00 00 |…|
[D1] .r 00 00 00 00 |…|
[D2] .r 00 00 00 00 |…|
[D3] .r 00 00 00 00 |…|
[D4] .r 00 00 00 00 |…|
[D5] .r 00 00 00 00 |…|
[D6] .r 00 00 00 00 |…|
[D7] .r 00 00 00 00 |…|
[D8] .r 00 00 00 00 |…|
[D9] .r 00 00 00 00 |…|
[DA] .r 00 00 00 00 |…|
[DB] .r 00 00 00 00 |…|
[DC] .r 00 00 00 00 |…|
[DD] .r 00 00 00 00 |…|
[DE] .r 00 00 00 00 |…|
[DF] .r 00 00 00 00 |…|
[E0] .r 00 00 00 00 |…|
[E1] .r 00 00 00 00 |…|
[E2] .r 00 00 00 BD (LOCK2-LOCK4, CHK)
[E3] .r 04 00 00 00 (CFG, MIRROR, AUTH0)
[E4] .r 00 05 – – (ACCESS)
[E5] +P XX XX XX XX (PWD0-PWD3)
[E6] +P XX XX – – (PACK0-PACK1)

*:locked & blocked, x:locked,
+:blocked, .:un(b)locked, ?:unknown
r:readable (write-protected),
p:password protected, -:write-only
P:password protected write-only

So I’m a newbie but I’m learning fast and I wanted to tell you of my experiences today just in case it helps you. I was recently implanted with a NTAG216 3-4 days ago. I just wrote and read-back data to it for the first time today and it went well.

Your post and predicament made me wonder about how the locking works, because I borrowed a friends Google Pixel 2 today (as I don’t have Android myself) to do the recommended locking and password by using the Dangerous Things Beta App, that supposedly completed successfully, I was surprised at the brevity of the success message, I don’t know why but I was expecting something more.

Anyway, a short while after I took my hand to my Dell Latitude 5580 with built-in RFID/NFC (Broadcom) and on Windows 10 I used the “TagWriter” by NXP from the Windows 10 Store to successfully write a text message (Hello world!) to the Tag, it completely so fast. I then took my hand back to my friend’s Android phone and it displayed my text :slight_smile:

I didn’t think much more about it as it worked successfully, or at least I thought - but then your post has me wondering, should I have been able to write to it OK like that? Is that an indication that the lock didn’t work as it is meant to?

Or is it that the lock-down only protects certain areas of the memory (configuration bits and OTP) - that was my understanding of it. So perhaps it isn’t that yours is locked in read-only but rather you just need to find the right application to write to a user-space? No doubt others more experienced here will be able to clarify but I just thought I would share the software I used and my experiences above in case it helps you in anyway.

1 Like

Auth0 has been set to 00, which means that apps need to ‘authorize’ with the password before writing to any address from 00 down.

So in other words, the entire memory contents require password authorization to write to them. (But its all accessable as readonly without password.)

Normally you’d have Auth0 set to E2 which would protect those important memory locations by password, while leaving the rest of the tag’s memory as read/write.

You mentioned setting the password with NFC Tools. There is also a ‘remove password’ option in NFC Tools Pro (maybe in the free version too?), have you tried that? It should set Auth0 back to FF (the default state) and set the PWD0-PWD3 bytes to FF FF FF FF (the default password).

Then you’ll be able to write to the tag again. At that point, I’d suggest using the Dangerous Things app to protect the tag.

Cheers!

2 Likes

Thanks for the replies. Violet, I have tried removing the password using NFC tools but I get a “Write Error Identification Failed!” error message when trying to remove the password. Is there a way to query the password/password hash that was applied to the NFC tag?

Hi @variableLabel,

As far as I know, there is no way to read back the password that is saved on the tag. That would pretty much render all tag security pointless if it were possible.

There’s something else you can try, if you are adventurous and understand the risks etc.

There’s an Android app that lets you write commands directly to the tag, and assuming you know the correct password, will let you directly manipulate the various lock bytes in question, so as to regain access to the tag.

In another thread, @amal provided a link to the app NFC Shell cos it’s not available via the play store any more:
https://forum.dangerousthings.com/uploads/default/original/1X/6b6999b1515b5d7dfa47368938daf2b488c3bcf3.apk
(You’ll have to side-load it to get it in your phone.)

I really suggest you play around with it on a spare tag (any NTAG216 will work just like your xNT) before you go at your implant. Just to get a feel for the app.

But generally, you send a series of hex commands through the app.

1B p1 p2 p3 p4
A2 E3 04 00 00 E2

1B is the ‘authorization’ command, p1 p2 p3 p4 are your password in hex. So if your password was 1234, in hex it’d be 31 32 33 34. If your password was ABCD it’d be 41 42 43 44. See an ascii chart for the conversions.

A2 is the ‘write’ command, E3 is the page you want to write, and the data 04 00 00 E2 is the page data to set Auth0 so that only the special pages at the end of memory are password protected.

You need to put both commands into the app and ‘run’ them all at once; the authorization only lasts as long as the tag is in the active field. So if you like, authorize, then type in the next command, it won’t work.

If you want to just test the password, you can just use the 1B p1 p2 p3 p4 command on its own. If you get the password wrong you’ll see RX: NAK. If you get the password wright, you’ll get the two byte PAK. I think the default is 0000 but the DT app changes it to 4454.

Your ACCESS byte is set to 00 so there’s no limit on bad password attempts, so you could try and brute-force the password. Like if you think you know what it is ,but maybe there was a typo or something, you could try variations. Not fun tho. :frowning:

I learned all this stuff in this thread: DT App - incomplete write? - #2 by amal when I had an incomplete write to my tag and had to manually finish the ‘security’ process.

Good luck.

2 Likes

Just a follow-up, I’ve been playing with the NFC Tools app’s password functions and a spare NTAG and the app is doing something funky with the password. It allows for more than 4 bytes, like you can key in whatever you want, and it does something (hash, convert, whatever) to make it a 32-bit password behind the scenes.

It does this even if you only enter 4 bytes.

The remove password does function, if you get the password right. I’ve added and removed passwords 3 or 4 times now on this tag using that app.

Unfortunately what it means is that even if you know what password you put into NFC Tools, the NFC Shell method won’t work because putting in “1234” as the password in NFC Tools, will not give you “31 32 33 34” in the tag’s PWD page. :frowning_face:

I tried snooping with my PM3Easy to see what NFC Tools was actually writing, but my Easy does not seem to register the phone side of the conversation, so I can’t grab the data its writing. :frowning:

Sorry. At this point, I’d say if you’re using the free version of NFC Tools, try the pro one and maybe it’ll work better? Or try variations of your password incase you did put in a typo or something. Maybe there’s a Return at the end that you forgot about? (the app lets you put Returns into the password field.)

Good luck.

1 Like

Try checking the first 4 bytes and the last 4 bytes, just to see if it’s doing a simple truncation.

Actually, you cannot remove the password from an NTAG216. You can only do one of two things; 1) you can set it to the factory default value of FF FF FF FF, or 2) you can make it irrelevant by setting AUTH0 to any value greater than E5 since AUTH0 sets the page at which password protection applies (setting AUTH0 to page E5 means you must still authenticate to write changes to the PACK which is on page E6).

1 Like

Hi @amal, I did try first four & last four digits, incase it was just truncating but it isn’t. And even if you set only 4 characters via NFC Tools, whatever it sets the PWD bytes to, they aren’t those four characters.

Eg. I set 1234 as the password. Then tested with NFC Shell and the password was not 31323334, nor was it 00001234, nor 12340000, nor 01020304. I have no idea what the app is doing but not just using the provided characters for the password.

I know the password isn’t really removed but that’s what NFC Tools calls it. You’re right @amal, what it does ‘behind the scenes’ is set AUTH0 to FF and sets the password to FFFFFFFF and PACK to 00.

1 Like

Fuckin BOOOOOOOOOOOOOOO… no wonder people who set their passwords with the Dangerous NFC app can’t change it with NFC Tools. I seem to think that maybe TagWriter from NXP also takes this approach… not sure… just annoyed.

3 Likes

Thanks for all of the information. I’ll play around with it some more, though I do think I may end up having to brute force a modified character set. Shouldn’t be too bad though.

I just tested with NFC TagWriter, and it works like the DangerousThings app – it only allowed for 4 characters in the password, and the four characters were copied exactly to the PWD page of the tag. Eg. ‘1234’ became 31323334 and ‘ABCD’ became 41424344.

So it seems only NFC Tools is doing some sort of obfuscation or hash to the password. :frowning:

Edited to add: NFC TagWriter is not a good option either. :frowning_face:

It doesn’t mangle the password, but it does have two big issues - it changes AUTH0 to 04, regardless of what its already set to. Eg. if you use TagWriter to change the password and the DT app has AUTH0 set to E2, well now it’s 04 and the whole tag is password protected. :frowning:

And second, it freaks out and refuses to do anything, if PACK is not 0000. It just gives an error message “this tag can’t be protected. (Parts of) tag protected.” :frowning_woman:

So it’s not a good option at all for handling / changing passwords on the tags.

1 Like

Damnit… looks like we will have to go ahead and update the Dangerous NFC app … eventually… man, why can’t anyone do it right?

2 Likes

Replying to this just in case anyone else finds this thread with a similar issue to mine, where after setting a password using the DT App I had a tonne of issues figuring out how to actually write any content to my xNT. The assumption that I incorrectly had was that the password I had set using the DT App would actually be required for writing content to the tag from then on, which is not the case. In some apps like NXP Tag Writer and NFC Tools Pro there is an option when you’re choosing what to write for an existing password or something along those lines. Using this option is not necessary whatsoever, the password being set with the DT App is just for protecting the config bits from being improperly written to, as that can be an issue with various android phones/apps not writing to tags correctly. (Or at least that’s my surface level understanding.)

I came to threads like this thinking I had a much bigger issue, when it was 100% pebcak.

3 Likes