by IMcPwn

How to hack NTAG213 write-protected NFC tags to unlock a Popl digital business card.

HEX: 74657329
Text: Tes)

I received my Nomad case in the mail today—feels great in the hand. We’ll see how it wears over time. A neat feature I forgot about until it arrived was the NFC business card feature. I figured it would allow me to tap the built-in NFC card in the back of the case to someone else’s phone to open my website, so we could connect later. Unfortunately, I was wrong.

After grabbing the required Popl app, I activated my card and was greeted with a not-so-welcome $77/year subscription to be able to add a logo or change my profile’s theme. Not cool.

Instead of paying for a subscription to use an NFC tag that I purchased and now own, I decided to change the raw NFC data that is hardcoded to the popl.com domain. I would then be able to make it go directly to my personal site or wherever I wanted.

Here’s what happened when I tried:

After failing to write with the NFC Tools app, I did a read and discovered that the tag was write-password protected.

The default password is typically 00000000 or FF:FF:FF:FF. These were both unsuccessful.

The next attempt was the new Flipper Zero “Unlock NTAG” NFC action. This was also unsuccessful with the default passwords, so I knew the problem was not specific to the app I was using.

What next? Let’s try reading it with a Proxmark. I recently picked up an iCopy, which is a Proxmark under the hood. I first attempted copying the key.

We can see it is an NTAG213, and here is the raw output:

    {
        "Created": "proxmark3",
        "FileType": "mfu",
        "Card": {
            "UID": "047DCB2A0XXXXX",
            "Version": "0004040201000F03",
            "TBO_0": "0000",
            "TBO_1": "00",
            "Signature": "626EEB018948CF5E5FDD2C6ED508F04EC4ED178EA9FC6E60A377BB24E0B12AE7",
            "Counter0": "000000",
            "Tearing0": "00",
            "Counter1": "000000",
            "Tearing1": "00",
            "Counter2": "000000",
            "Tearing2": "BD"
        },
        "blocks": {
            "0": "047DCB3A",
            "1": "XXXXXXXX",
            "2": "D9480000",
            "3": "E1101200",
            "4": "032BD101",
            "5": "27550470",
            "6": "6F706C6D",
            "7": "652E636F",
            "8": "2F707857",
            "9": "7A416472",
            "10": "382F6E6F",
            "11": "6D616430",
            "12": "34374443",
            "13": "42324130",
            "14": "37373438",
            "15": "30FE0000",
            "16": "00000000",
            "17": "00000000",
            "18": "00000000",
            "19": "00000000",
            "20": "00000000",
            "21": "00000000",
            "22": "00000000",
            "23": "00000000",
            "24": "00000000",
            "25": "00000000",
            "26": "00000000",
            "27": "00000000",
            "28": "00000000",
            "29": "00000000",
            "30": "00000000",
            "31": "00000000",
            "32": "00000000",
            "33": "00000000",
            "34": "00000000",
            "35": "00000000",
            "36": "00000000",
            "37": "00000000",
            "38": "00000000",
            "39": "00000000",
            "40": "000000BD",
            "41": "04000000",
            "42": "00050000",
            "43": "00000000",
            "44": "00000000"
        }
    }

After loading up a Proxmark shell, we first run auto to see if it can provide any information that NFC Tools missed. Here we can see it is an NTAG 20x card with a proprietary format. We can also see it is ISO14443-A, so most of our commands going forward will be prefixed with hf 14a.

No valuable information from the reader command.

The mfu dump above didn’t appear to include the password on line 32 as shown in the manufacturer spec page:

    "32": "00000000",


This means the password cannot be captured by reading the card, so how do we get it? Brute-forcing is not realistic: assuming each exchange with the NFC tag takes about 200 ms, trying every password would take roughly 27 years. Let’s not do that.
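To make a dump like the one above easier to interpret, here is an added Python analyser. It is my own example code, not the author’s and not part of Proxmark. It assumes the Proxmark mfu JSON layout shown above. The dump it embeds is constructed: pages 0, 2, 3 and the configuration pages 40 to 44 are copied from the dump on this page, page 1 is zeroed, and pages 4 to 10 hold a constructed NDEF URI record pointing at example.com rather than the author’s personal link (the real pages 4 to 15 decode the same way). It checks the page 0 checksum, decodes the capability container and the URI record, and reads the NTAG213 protection settings from AUTH0 (page 41) and ACCESS (page 42). On NTAG213 the password lives in page 43 with PACK in page 44, and both always read back as zeros, which is why no dump can contain the password; the analyser also reproduces the 27-year brute-force estimate from the 32-bit password size.

```python
import json

# Constructed sample dump in the Proxmark "mfu" JSON layout (pages 0, 2, 3
# and 40-44 from the dump above; page 1 zeroed; pages 4-10 are a constructed
# NDEF URI record for https://example.com/tag/0000).
SAMPLE_DUMP = json.dumps({
    "Created": "proxmark3",
    "FileType": "mfu",
    "blocks": {
        "0": "047DCB3A", "1": "00000000", "2": "D9480000", "3": "E1101200",
        "4": "0319D101", "5": "15550465", "6": "78616D70", "7": "6C652E63",
        "8": "6F6D2F74", "9": "61672F30", "10": "303030FE",
        **{str(p): "00000000" for p in range(11, 40)},
        "40": "000000BD", "41": "04000000", "42": "00050000",
        "43": "00000000", "44": "00000000",
    },
})

# NDEF URI record abbreviation codes (first payload byte) that matter here.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
NTAG213_LAST_PAGE = 0x2C


def load_pages(dump_json):
    """Flatten the "blocks" map into tag memory: page n starts at offset 4*n."""
    blocks = json.loads(dump_json)["blocks"]
    return b"".join(bytes.fromhex(blocks[str(p)]) for p in range(len(blocks)))


def bcc0_ok(mem):
    """Page 0 byte 3 is BCC0 = 0x88 ^ UID0 ^ UID1 ^ UID2 (ISO 14443-3 cascade level 1)."""
    return mem[3] == 0x88 ^ mem[0] ^ mem[1] ^ mem[2]


def capability_container(mem):
    """Decode page 3 (NFC Forum Type 2 Tag capability container)."""
    cc = mem[12:16]
    return {"ndef_magic": cc[0] == 0xE1,
            "version": f"{cc[1] >> 4}.{cc[1] & 0x0F}",
            "data_area_bytes": cc[2] * 8,      # size field is in 8-byte units
            "read_access": cc[3] >> 4, "write_access": cc[3] & 0x0F}


def ndef_uri(mem):
    """Walk the TLV area from page 4 and decode the first NDEF URI record."""
    i = 16
    while i < len(mem):
        tag = mem[i]
        if tag == 0x00:            # NULL TLV: single padding byte
            i += 1
            continue
        if tag == 0xFE:            # Terminator TLV
            break
        length = mem[i + 1]
        i += 2
        if length == 0xFF:         # 3-byte length form
            length = int.from_bytes(mem[i:i + 2], "big")
            i += 2
        value = mem[i:i + length]
        i += length
        if tag != 0x03:            # only NDEF Message TLVs are of interest
            continue
        hdr = value[0]
        tnf, short_record, has_id = hdr & 0x07, bool(hdr & 0x10), bool(hdr & 0x08)
        type_len, pos = value[1], 2
        if short_record:
            payload_len, pos = value[pos], pos + 1
        else:
            payload_len, pos = int.from_bytes(value[pos:pos + 4], "big"), pos + 4
        id_len = 0
        if has_id:
            id_len, pos = value[pos], pos + 1
        rtype = value[pos:pos + type_len]
        pos += type_len + id_len
        payload = value[pos:pos + payload_len]
        if tnf == 0x01 and rtype == b"U":
            return URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8")
    return None


def protection(mem):
    """Decode the NTAG213 configuration: AUTH0 (page 41) and ACCESS (page 42)."""
    auth0 = mem[41 * 4 + 3]
    access = mem[42 * 4]
    return {"auth0": auth0,                                     # first page needing PWD_AUTH
            "protection_enabled": auth0 <= NTAG213_LAST_PAGE,  # beyond last page = disabled
            "protects_all_user_pages": auth0 == 0x00,
            "prot_read_too": bool(access & 0x80),   # PROT: 1 = reads also need auth
            "config_locked": bool(access & 0x40),   # CFGLCK: config permanently locked
            "authlim": access & 0x07,               # 0 = unlimited failed attempts
            "pwd_in_dump": mem[43 * 4:44 * 4] != b"\x00\x00\x00\x00"}  # always False on a real tag


def brute_force_years(seconds_per_attempt=0.2):
    """Worst-case time to try all 2^32 passwords at the given per-attempt latency."""
    return 2 ** 32 * seconds_per_attempt / (365.25 * 24 * 3600)


if __name__ == "__main__":
    mem = load_pages(SAMPLE_DUMP)
    print("BCC0 ok:", bcc0_ok(mem))
    print("CC:", capability_container(mem))
    print("URI:", ndef_uri(mem))
    print("Protection:", protection(mem))
    print(f"Brute force: {brute_force_years():.1f} years")
```

The dump matches what the write-up observed: AUTH0 is 0x00, so every page requires PWD_AUTH before a write, while the PROT bit is clear, so reads stay free (which is why the tag could be dumped at all). CFGLCK is clear, so the configuration can still be rewritten by anyone who knows the password, and AUTHLIM is 0, so nothing on the tag limits failed password attempts. The one thing the configuration cannot change is that NTAG21x sends the password in clear on the air, which is the weakness the sniff in the next section relies on.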

How about we just sniff the password, as the iOS app has to transmit it in clear text over the air to program the card when the user first activates it? Thankfully, the app allows you to reprogram an unlimited number of times, which made testing a lot easier.

I went ahead and set my phone adjacent to the iCopy and NFC tag and ran hf 14a sniff.

After pressing Begin Activation on my iPhone, I pushed the “Button” key on my iCopy and subsequently ran trace list and received the following output:

After briefly scanning the output, I quickly came to see something wonderful: PWD-AUTH KEY: 0x74657329

Eureka, the password! I quickly returned to the NFC Tools app and ran “Remove password”, entered 74657329 and received the following message:

After converting the value to text, I got the string tes). Entering this returned the same result… Huh, I’m almost certain that I have the password, but I can’t remove it for some reason. Next I sniffed the conversation between NFC Tools and the card, and strangely this is what I saw:

Note: Here I wanted to show a screenshot that the *NFC Tools* app was sending an entirely different password than what I was entering into the app. Unfortunately, I have not yet figured out how to re-lock the card exactly the same way the manufacturer Popl did, so you’ll just have to trust me on this.

After trying all the iOS NFC writing apps, I found that the only one with password removal capabilities was the app I had already tried.

Up next, let’s figure out the protocol and try to replicate what the iPhone is sending using NFC Tools’s own Advanced NFC commands editor. I was able to trigger a 00 response from the tag by sending the correct password following the PWD-AUTH command.

Unfortunately, after sending each line, I would see the following popup:

It was as if I couldn’t send multiple commands in a row without iOS taking over and trying to scan the tag fresh after each command I would send. This would likely mean I was unauthenticated again after authenticating, so I was unable to change the data with a command like this: a2:09:6F:68:6B:64

This command means:

1. a2: the WRITE command (change the contents of a page)
2. 09: the page to write (page 9)
3. 6F:68:6B:64: the new data to write

In this example, I tried changing “ohkF” to “ohkd” just to verify I could change the data after I authenticated—and I could not.

On this page, I found the command that would finally remove the write-protection:

After trying the script run mfu_magic -w command, I received 251 errors and there was no change after reading on iOS. I ran just this command to get more info script run mfu_magic.

And there it was: -k, the option to use a password while wiping. Finally, with the following command I was able to remove the write protection: script run mfu_magic -k 74657329 -w

After running NFC Tools, note the change under “Protected by password”.

Let’s try writing:

It works!

When we try to write it again with Popl:

I did try restoring it in the end to have better screenshots for this write-up. My command was mfu restore e r f ntag.bin

It does return the link to popl as shown by NFC Tools, but it never returned the password protection:
