xNT stuck in read only mode

Hi @variableLabel,

As far as I know, there is no way to read back the password that is saved on the tag. That would pretty much render all tag security pointless if it were possible.

There’s something else you can try, if you are adventurous and understand the risks etc.

There’s an Android app that lets you write commands directly to the tag, and assuming you know the correct password, will let you directly manipulate the various lock bytes in question, so as to regain access to the tag.

In another thread, @amal provided a link to the app NFC Shell cos it’s not available via the play store any more:
https://forum.dangerousthings.com/uploads/default/original/1X/6b6999b1515b5d7dfa47368938daf2b488c3bcf3.apk
(You’ll have to side-load it to get it in your phone.)

I really suggest you play around with it on a spare tag (any NTAG216 will work just like your xNT) before you go at your implant. Just to get a feel for the app.

But generally, you send a series of hex commands through the app.

1B p1 p2 p3 p4
A2 E3 04 00 00 E2

1B is the ‘authorization’ command, p1 p2 p3 p4 are your password in hex. So if your password was 1234, in hex it’d be 31 32 33 34. If your password was ABCD it’d be 41 42 43 44. See an ASCII chart for the conversions.

A2 is the ‘write’ command, E3 is the page you want to write, and the data 04 00 00 E2 is the page data to set Auth0 so that only the special pages at the end of memory are password protected.

You need to put both commands into the app and ‘run’ them all at once; the authorization only lasts as long as the tag is in the active field. So if you like, authorize, then type in the next command, it won’t work.

If you want to just test the password, you can just use the 1B p1 p2 p3 p4 command on its own. If you get the password wrong you’ll see RX: NAK. If you get the password right, you’ll get the two byte PAK. I think the default is 0000 but the DT app changes it to 4454.

Your ACCESS byte is set to 00 so there’s no limit on bad password attempts, so you could try and brute-force the password. Like if you think you know what it is, but maybe there was a typo or something, you could try variations. Not fun tho. :frowning:

I learned all this stuff in this thread: DT App - incomplete write? when I had an incomplete write to my tag and had to manually finish the ‘security’ process.

Good luck.

2 Likes
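The post above describes the frames by hand; the following is an added example (not from the original post, the DT app, or NFC Shell) that builds them the same way so you can check your hex before pasting it into the app. It assumes a 4-byte ASCII password, as “1B p1 p2 p3 p4” implies, the frame layouts exactly as the post shows them, and the E3 page data 04 00 00 E2 from the post. The NAK code meanings come from the NTAG21x datasheet, not from the post.

```python
"""Build and check NTAG216 PWD_AUTH / WRITE frames as described in the post.

Added example, not code from the original post or from the NFC Shell app.
Assumes: a 4-byte ASCII password, PWD_AUTH = 0x1B + 4 password bytes,
WRITE = 0xA2 + page address + 4 data bytes, and the post's E3 page data.
"""

PWD_AUTH = 0x1B          # 'authorization' command from the post
WRITE = 0xA2             # 'write' command from the post
CFG_PAGE_E3 = 0xE3       # config page whose last byte is AUTH0
# 04 00 00 E2 from the post: AUTH0 = 0xE2, so only the pages from E2 up are protected
PROTECT_ONLY_CONFIG = bytes.fromhex("040000E2")

# NAK codes per the NTAG21x datasheet (low nibble of a 1-byte response)
NAK_REASONS = {
    0x0: "invalid argument (e.g. wrong page address)",
    0x1: "parity or CRC error",
    0x4: "invalid authentication counter overflow",
    0x5: "EEPROM write error",
}


def password_to_bytes(password: str) -> bytes:
    """'1234' -> 31 32 33 34, 'ABCD' -> 41 42 43 44 (the ASCII-chart step)."""
    raw = password.encode("ascii")
    if len(raw) != 4:
        raise ValueError(f"NTAG216 passwords are exactly 4 bytes, got {len(raw)}")
    return raw


def pwd_auth_frame(password: str) -> bytes:
    """1B p1 p2 p3 p4"""
    return bytes([PWD_AUTH]) + password_to_bytes(password)


def write_frame(page: int, data: bytes) -> bytes:
    """A2 <page> d0 d1 d2 d3"""
    if not 0 <= page <= 0xFF:
        raise ValueError("page address must fit in one byte")
    if len(data) != 4:
        raise ValueError("WRITE carries exactly one 4-byte page")
    return bytes([WRITE, page]) + data


def unlock_script(password: str) -> list[str]:
    """Both frames as hex lines, to be sent together in one run of the app
    (the authorization only lasts while the tag stays in the field)."""
    frames = [pwd_auth_frame(password), write_frame(CFG_PAGE_E3, PROTECT_ONLY_CONFIG)]
    return [f.hex(" ").upper() for f in frames]


def parse_pwd_auth_response(resp: bytes) -> dict:
    """Classify what the app shows as RX after a lone 1B frame.

    Two bytes: the password was accepted and this is the PAK (0000 by default,
    4454 after the DT app has run). One byte: a NAK; the low nibble says why.
    """
    if len(resp) == 2:
        return {"ok": True, "pack": resp.hex().upper()}
    if len(resp) == 1:
        code = resp[0] & 0x0F
        return {"ok": False, "nak": code, "reason": NAK_REASONS.get(code, "unknown NAK code")}
    raise ValueError(f"unexpected response length {len(resp)}")


if __name__ == "__main__":
    # Constructed sample: the password '1234' and a PAK of 44 54 as the post describes.
    for line in unlock_script("1234"):
        print(line)
    print(parse_pwd_auth_response(bytes.fromhex("4454")))
    print(parse_pwd_auth_response(b"\x00"))
```

Run it with a spare NTAG216 password first: the two printed lines are exactly what goes into the app, and if the app's RX line is two bytes the password was accepted, while a single byte is a NAK whose low nibble tells you why.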