xSIID Noob Questions

Hey! I got my first implant today, a white xSIID. Happy to report it went well, and I was able to read it and see that wonderful blink as soon as it was in! As I’ve been preparing to mess around a bit, I stumbled across some older forum posts mentioning some strange effects of the 2kb memory, and I mostly understand the mechanics behind it, and I think I understand what the issue is and why it happens, but I’m not sure I 100% understand what I need to do about it, if anything. I’ve got a PM3 Easy and I’ve messed around with my magic ring before getting the xSIID, (Got to help my dad out and make him a copy of his gym fob, big thanks to @Compgeek for dropping his solution after 2 months of nothing in this thread, it worked perfectly!).

So after looking around the forums and the product pages, I think that I should use the Dangerous NFC app to set up the tag before I go about doing much else to it? I’m not worried about any actual security measures, as I mostly just mess with Arduinos and the RC522 reader for that, and don’t have any access control that needs any security. I’m mostly just trying to make sure that I protect the tag from myself, so that I don’t accidentally do something stupid and brick/mess it up. My use (for now and the foreseeable future) is mostly just for fun, so I don’t need to do anything crazy with it. I will most likely just use TagWriter to throw in a link or plain text, etc., until I’m more comfortable with the proxmark and its workings, but I have it if I were to need it for anything. So should I use the Dangerous NFC app? Not worry about it and just write to it? Do something with proxmark? Any advice would be appreciated, and if there’s anything else I should know about before I think about writing to it, let me know! Thanks!

3 Likes

Sounds like a perfect plan.
NFC Tools is also a very good option.

This very thorough thread should give you some really good info about the xSIID and also answer a bunch of your questions…even some you didn’t know to ask.

Happy blinking
:blinky_white:

1 Like

Thanks for the reply!

That’s the one I’ve read through a couple of times. It mostly makes sense, I think I just need to do some more general reading about the intricacies of RFID data to make it click a bit better, at least for the technical side of things.

So do you think I should set it up with the Dangerous NFC app first, or should I not worry and just write with TagWriter? I think I’ve become a bit paranoid after starting out working with the magic mifare and reading about how I could permanently brick it lol, but I figure better safe than sorry.

and thanks! After lurking for months I am honored to have the great pilgrim respond to me :grin:

1 Like

It was only ever the early xNTs that needed protection, I believe the xSIID is sorted out at the factory during their production.

Are you happy with the 1k you currently have easy access to?
Or do you want to utilise the full 2k?

Either way, you won’t do any damage simply writing a Dataset of your choosing to it now.

Welcome to your coming out of the shadows party
:unicorn_gift:

1 Like

I think 1k will be fine for me, I don’t plan on doing much complicated with it.
I’ve been reading this thread and it’s been very helpful as well, in case anyone else stumbles across this thread.

From that thread:
“The current batch of NExT does have a password set, but we decided to leave the xSIID password set to factory default FF FF FF FF. We did set AUTH0 to enable protections, just to ensure there was an extra step at least to alter those bytes… but it was a gamble… so many badly written NFC apps will gladly issue the PWDAUTH command with factory default just as a check mechanism, and in doing so, may possibly impact the AUTHLIM counter (if it’s enabled) which is a terrible disservice as an app to take a potentially destructive action without even informing the user… but then once PWDAUTH is issued, it can freely overwrite config bytes by accident… if it’s badly written… so you see it’s a bit of a risk for our users to not set a password on the xSIID…”

So from what I can tell, and from what I scanned on the chip, page 00 through 03 are locked by page 02, which also locks itself and can’t be changed, to keep the reading apps from trying to mess with sector 1.

Then, E2 basically locks itself and nothing else, to keep it from unintentionally locking other stuff (I think, that part confuses me), and E3 is random config stuffs and also makes it so that the password is in effect for E2 and above. E4 makes the password limit unlimited, and makes it so you need the password to change the values that are protected by it, and E5 contains the password, which is the default of 00000000 (or is this not readable and has a password set already? (FFFFFFFF but it displays as 0s because it’s hidden?) and E6 deals with what the chip returns when it’s sent a password.

And there’s therefore a slight chance that if a bad NFC app sends that PWDAUTH command with the default password, it could theoretically have write permissions to E2 and above, and the worst case is it changing the password without you knowing it. However, it shouldn’t attempt to write a new password or change anything, unless you specifically ask for it, as page 03 makes sector 1 basically just dead space, so it shouldn’t mess with anything but sector 0 and stop at page E1.

So all in all, setting a password is essentially just to keep a bad app (or nefarious RFID enthusiast) from automatically sending that PWDAUTH command to gain write permissions to your E2 and above pages.

I think the main part that confuses me is page E2, I don’t quite understand how that part works, from my assumptions, they’re one time writable, and they’re set to lock nothing, and can’t be changed from that setting. Though, the “dynamic” part confuses me, and I can’t seem to find anything else about it.

That’s how I understood it, at least. Not 100% confident, but I think that’s mostly correct. Feel free to have a chuckle at me if not. :wink:

1 Like
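To make the walk-through of pages E2 to E6 above concrete, here is an added example (my own script, not code from the thread or from Dangerous Things) that takes a hex dump of those five pages, as you would get from a Proxmark3 read, and reports which protections are actually in force: AUTH0, the ACCESS bits (PROT, CFGLCK, NFC_DIS_SEC1, AUTHLIM) and whether PWD/PACK are even readable. The byte and bit positions follow my reading of the NXP NTAG I2C plus datasheet and are an assumption to check against your own copy; the sample dump is constructed, not a real tag read.

```python
"""Decode the xSIID (NTAG I2C plus 2k) sector-0 configuration pages from a hex
dump and summarise the protection state.  Added example, not forum/vendor code."""
from dataclasses import dataclass

# Constructed sample in a "page, then four bytes" layout.  The E2h lock bytes
# are arbitrary filler; E3h byte 3 (AUTH0) = E2h means "protect E2h upward",
# E4h byte 0 (ACCESS) = 00 means write-only protection and AUTHLIM disabled.
SAMPLE_DUMP = """\
E2 00 00 00 BD
E3 00 00 00 E2
E4 00 00 00 00
E5 00 00 00 00
E6 00 00 00 00
"""

# Page numbers of the configuration area, sector 0 (assumed from the datasheet).
PAGE_DYN_LOCK, PAGE_CFG0, PAGE_ACCESS, PAGE_PWD, PAGE_PACK = 0xE2, 0xE3, 0xE4, 0xE5, 0xE6


@dataclass
class AccessBits:
    prot_read_and_write: bool  # bit 7: 0 = write protected only, 1 = read + write protected
    cfglck: bool               # bit 6: configuration pages permanently locked
    nfc_dis_sec1: bool         # bit 5: sector 1 not reachable from the NFC side
    authlim: int               # bits 2..0: 0 = failed PWD_AUTH attempts are not counted


def decode_access(access: int) -> AccessBits:
    """Split the ACCESS byte (page E4h, byte 0) into its named bits."""
    return AccessBits(
        prot_read_and_write=bool(access & 0x80),
        cfglck=bool(access & 0x40),
        nfc_dis_sec1=bool(access & 0x20),
        authlim=access & 0x07,
    )


def parse_dump(text: str) -> dict[int, bytes]:
    """Parse 'PP b0 b1 b2 b3' lines into {page: 4 bytes}; other lines are skipped."""
    pages: dict[int, bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        pages[int(parts[0], 16)] = bytes(int(b, 16) for b in parts[1:])
    return pages


@dataclass
class NtagConfig:
    dyn_lock: bytes          # page E2h bytes 0..2 (raw; semantics left to the datasheet)
    auth0: int               # page E3h byte 3: first page that needs PWD_AUTH, FFh = none
    access: AccessBits       # page E4h byte 0
    pwd_reads_as_zero: bool  # page E5h
    pack_reads_as_zero: bool # page E6h bytes 0..1


def decode_config(pages: dict[int, bytes]) -> NtagConfig:
    needed = (PAGE_DYN_LOCK, PAGE_CFG0, PAGE_ACCESS, PAGE_PWD, PAGE_PACK)
    missing = [f"{p:02X}h" for p in needed if p not in pages]
    if missing:
        raise ValueError(f"dump is missing configuration page(s): {', '.join(missing)}")
    return NtagConfig(
        dyn_lock=pages[PAGE_DYN_LOCK][:3],
        auth0=pages[PAGE_CFG0][3],
        access=decode_access(pages[PAGE_ACCESS][0]),
        pwd_reads_as_zero=pages[PAGE_PWD] == b"\x00" * 4,
        pack_reads_as_zero=pages[PAGE_PACK][:2] == b"\x00\x00",
    )


def assess(cfg: NtagConfig) -> list[str]:
    """Plain-language findings about what a sloppy NFC app could and could not touch."""
    findings = []
    if cfg.auth0 == 0xFF:
        findings.append("AUTH0 = FFh: no page requires PWD_AUTH, configuration pages included")
    else:
        mode = "read and write" if cfg.access.prot_read_and_write else "write"
        findings.append(f"AUTH0 = {cfg.auth0:02X}h: pages {cfg.auth0:02X}h and above need "
                        f"PWD_AUTH for {mode} access")
    if cfg.access.authlim == 0:
        findings.append("AUTHLIM = 0: failed PWD_AUTH attempts are not counted, so an app "
                        "probing with a wrong password cannot lock the tag out")
    else:
        findings.append(f"AUTHLIM = {cfg.access.authlim}: negative PWD_AUTH attempts are "
                        f"limited (2**AUTHLIM per my reading of the datasheet), so probing apps "
                        "can exhaust it")
    if cfg.access.cfglck:
        findings.append("CFGLCK set: the configuration pages can never be changed again")
    if cfg.pwd_reads_as_zero and cfg.pack_reads_as_zero:
        findings.append("PWD/PACK read back as 00: the chip never returns them, so a read alone "
                        "cannot tell you whether the factory default password is still set")
    return findings


if __name__ == "__main__":
    for line in assess(decode_config(parse_dump(SAMPLE_DUMP))):
        print("-", line)
```

Paste the E2 to E6 rows of your own dump in place of the sample to see the same summary for your tag. The last finding is the one that answers the question in the post: PWD and PACK are write-only on this chip family, so seeing 00000000 in E5 says nothing about whether the password is still FF FF FF FF.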

Obligatory,

2 Likes

So I’ve been looking through the NXP documentation, and I think I get E2 now. It basically means “these pages shall not be locked” and then follows up with “nobody is allowed to change those pages’ status as blocked or unblocked”. That makes much more sense now. Woohoo, learning!

1 Like

Can’t wait for it to be healed! Now I just need to figure out how to sneak it into every conversation I have!

1 Like

That’s the best part! Haha!

I always love hearing the many responses, ranging from “That is so cool!” to “Why the hell would you do that!”

1 Like

Of course you need to have a record on it pointing to https://dngr.us/xsiid

2 Likes

Totally didn’t fall for that…

2 Likes