By Danilo ( https://twitter.com/intrd , http://dann.com.br/ )
15 Aug 2019

I haven't updated this blog for a long time. Too busy with the new job. But I got some time to tell you an interesting tale of a n00b on BioHacking Village @ DEF CON 27.

Biohacking is an exciting thing, something that combines minimalism with Open Source technology that allows me to load a few bytes of data into my body that can be wireless readable, it always seemed like a good idea to me. Amal Graafstra, founder and CEO of @DangerousThings was the pioneer, a good overview here: TEDx talk. Looking for a professional body piercers

So, while watching some talks on DEF CON 27, I found a tweet from @c00p3r_7 (Dangerous Minds) saying there would be some implants available on Biohacking village.

[IMAGE of a tweet]

..so I rushed to Biohacking village

[IMAGE of location to visit to have the implant implanted]
Choosing the implant

Did a little research on available chips and choose the xNT NFC Chip:

[IMAGE of implant using coins for scale]

A 13.56MHz ISO14443A & NFC Type 2 chip (2x12mm cylindrical sterile bioglass implant) w/ 886 bytes of user read/write memory. Perfect size/capacity for the applications that I want.Quality of the bioglass? take a look at x-series stress tests by Dangerousthings. The implant

So no frills, a nice and very professionally girl made the implant, video:

[VIDEO of an implant being implanted]

Implant technical details? Professional Guide to 2x12mm GlassTransponder Installation published by Dangerousthings.

Also, if you are curious about how to remove it, here is a random video (graphic). Read/Write test

A few hours later when I arrived back to the hotel, so I did the first reading/writing using NFC Tools on a mobile phone.

[IMAGE of a mobile device screen and implant status]Soft bricking the NFC implant

I live to break/fix things, already imagined that would brick my implant (but not so fast). And of course, I didn't RTFM and did not used the official DT app (that prepares the user memory pages protecting the config pages to read/write).

So after a few read/writes with NFC Tools Pro, while writing some records (a String text and a BTC pubkey), I've write protected it by setting a password.Now, no application had writing permission on my implant, even the official one. Also tried to send some low-level authentication instructions, but it returns NAK (denied).

[IMAGE screenshot(s) of errors trying to read implant]

I even thought I could have written the password in half or some symbol truncated the password, because I'd tried to set a strong password, tried just a few bytes, possible mutations, but no success.[IMAGE of text/console NFC data dump]
Second NFC implant

My permanent tattoo was ok, but I liked the thing, So why not do another implant? Then I did it!

Meet @c00p3r_7 (Dangerous Minds) at @toool Lockpick Village.

[IMAGE of 3 people at front of room, with projected image of hand on a table, likely prepared to get an implant. Faced of 3 people have been blurred]

..and got a new one on my right hand! This time I didn't even touch the implants until I back home.

[IMAGE: blurry, showing mark on hand where implant was probably implants]
RTFM & Unbricking the implant

Now with a computer, proper devices and time to read the datasheet documentation and all material from the DangerThings forum, i'm ready to try some things.

After understanding the memory organization, the function of ACCESS, MIRROR page.

[IMAGE showing data storage structure, field names, and purpose for implant]

..and AUTH0/PROT/PWD configuration parameters, I finally figured out what happened.

[IMAGE: table showing NFC field names, bit location/size, default values, and descriptions, highlighting AUTH0 , PROT and further down, PWD]

Comparing w/ my bricked NFC implant config pages parameters:

[IMAGE: console, text dump of NFC details showing values and status for password / PWD]

As you can see, NFC Tools Pro write every record ok, also set the E2 page read-only locking permissions dependent of a password, and changed the AUTH0 config flag to mark every page below the 00 as read-only (everything including user memory and config page), but the connection broken while setting the password page which remained the standard. Luckily we can still read the config page including the password.So, I authed with the default password 1B FFFFFFFF (it returns 0000 if the default pw is correct not PAK or NAK). Then sent A2 E3040000E2 to change AUTH0 from 00 to E2.

[IMAGE: showing TX/RX (TRansmit Receive)]
[IMAGE: console NFC dump showing new values for AUTH0]

And done, I am able to write to it again!

[IMAGE1: showing write success][IMAGE2: showing console dump of data sent to implant with value]

I've changed the default pw and now after sending A2 E480050000 to set config pages password-dependent also for reading the config pages are returned like this:

[IMAGE: showing new values in console NFC dump of implant data, with real hex-value data replaced with "XX" to hide new password and details]

[IMAGE: appears to be an x-ray image of bones of two out-stretched humans hands and an implant embedded in the fold of skin that follows in the curve of skin between the thumb and index finger for each hand. The implant in the left hand appears to be larger than the one in the right hand.]

Awesome, now I have about 2kb storage wireless readable built-in in my body!

DEF CON as always providing amazing experiences. Recommended tools

• Dangerous NFC (BETA) - https://play.google.com/store/apps/d...ings.nfc&hl=en
• NFC TagInfo by NXP - https://play.google.com/store/apps/d...infolite&hl=en
• NFC Tools Pro Edition - https://play.google.com/store/apps/d...ools.pro&hl=en
• NFC TagWriter by NXP - https://play.google.com/store/apps/d...agwriter&hl=en
• NFC Mobile Shell - https://forum.dangerousthings.com/up...b488c3bcf3.apk

Recommended hardware

• Dangerous KBR1 (ISO14443A) - https://cyborg.ksecsolutions.com/kit/dt-kbr1/
• Chameleon Mini RevE Rebooted, ISO14443A Codec Mifare Ultralight emulation (emulation and reader) - https://hackerwarehouse.com/product/...reve-rebooted/
• ACR122U 13,56 mhz ISO14443 A/B (NTAG213, NTAG215 e NTAG216) reader/writer - https://www.acs.com.hk/en/download-m...R122U-2.04.pdf

References

• Biohacking, the forefront of a new kind of human evolution by Amal Graafstra at TEDxSFU - https://www.youtube.com/watch?v=7DxVWhFLI6E
• Tests we’ve performed on our x-series tags - https://forum.dangerousthings.com/t/...eries-tags/474
• Dangerous Minds Podcast - https://www.dangerousminds.io/
• Help! Can’t write to xNT - https://forum.dangerousthings.com/t/...-to-xnt/3131/2
• xNT stuck in read only mode - https://forum.dangerousthings.com/t/...only-mode/2782
• TOOOL - https://twitter.com/toool
• Removal of RFID implant (graphic) - https://www.youtube.com/watch?v=_Qpj2ZztycE
• Professional Guide to 2x12mm GlassTransponder Installation - https://dangerousthings.com/wp-conte...stallation.pdf
• Biohacking Village @ DEF CON - https://twitter.com/dc_bhv
• DangerousThings - https://twitter.com/DangerousThings
• Chip My Life - https://chipmylife.io
• NTAG213/215/216NFC Forum Type 2 Tag compliant IC with 144/504/888 bytes user memory - https://dangerousthings.com/wp-conte...13_215_216.pdf
• I got a computer chip implanted into my hand - https://www.vox.com/2015/9/11/930799...s-rfid-implant