How I got two NFC implants, why I bricked and how fixed it, Danilo, DEF CON 27


    Original title: BIOHACKING: How I got two NFC implants @ DEF CON 27, why I bricked and how fixed it?

    Originally posted at URL1
    By Danilo
    15 Aug 2019

    I haven't updated this blog for a long time. Too busy with the new job. But I got some time to tell you an interesting tale of a n00b at the BioHacking Village @ DEF CON 27.

    Biohacking is an exciting thing: it combines minimalism with open-source technology and lets me load a few bytes of data into my body that can be read wirelessly. It always seemed like a good idea to me. Amal Graafstra, founder and CEO of @DangerousThings, was the pioneer; a good overview is his TEDx talk.

    Looking for a professional body piercer

    So, while watching some talks at DEF CON 27, I found a tweet from @c00p3r_7 (Dangerous Minds) saying there would be some implants available at the Biohacking Village.

    [IMAGE of a tweet]

    I rushed to the Biohacking Village.

    [IMAGE of the location to visit to have the implant implanted]

    Choosing the implant

    Did a little research on the available chips and chose the xNT NFC chip:

    [IMAGE of implant using coins for scale]

    A 13.56MHz ISO14443A & NFC Type 2 chip (2x12mm cylindrical sterile bioglass implant) w/ 886 bytes of user read/write memory. Perfect size/capacity for the applications that I want.
    Passive NFC chips are magnetically coupled devices that draw their power from, and communicate data over, the magnetic field the reader generates. It has no battery; when it is out of the magnetic field it is as useless as a splinter.
    Quality of the bioglass? Take a look at the x-series stress tests by Dangerous Things.

    The implant

    So, no frills: a nice and very professional girl did the implant, video:

    [VIDEO of an implant being implanted]

    Implant technical details? See the Professional Guide to 2x12mm Glass Transponder Installation published by Dangerous Things.

    Also, if you are curious about how to remove it, here is a random video (graphic).

    Read/Write test

    A few hours later, when I got back to the hotel, I did the first read/write using NFC Tools on a mobile phone.

    [IMAGE of a mobile device screen and implant status]

    I noticed that the power of the smartphone reader is enough but not very strong/stable, so the slightest movement would end up corrupting the read/write operation.

    Soft bricking the NFC implant

    I live to break/fix things, and I already imagined I would brick my implant (but not so fast). And of course, I didn't RTFM and did not use the official DT app (which prepares the user memory pages, protecting the config pages from read/write).

    So after a few read/writes with NFC Tools Pro, while writing some records (a text string and a BTC pubkey), I write-protected it by setting a password.
    ..but this time the write did not finish and threw a write error. I think I pulled it away too early, and that confirmed my NFC implant as bricked.
    Now no application had write permission on my implant, not even the official one. I also tried sending some low-level authentication instructions, but it returned NAK (denied).

    [IMAGE screenshot(s) of errors trying to read implant]

    I even thought I could have written half of the password, or that some symbol truncated the password, because I'd tried to set a strong password. I tried just a few bytes and possible mutations, but no success.
    No problem: my 1st NFC implant became bricked but not useless. Reading still works, and a cool text string and my BTC pubkey were stored, like a permanent tattoo :)

    [IMAGE of text/console NFC data dump]

    Second NFC implant

    My permanent tattoo was OK, but I liked the thing, so why not get another implant? So I did!

    Met @c00p3r_7 (Dangerous Minds) at the @toool Lockpick Village.

    [IMAGE of 3 people at the front of a room, with a projected image of a hand on a table, likely prepared to get an implant. The faces of the 3 people have been blurred]

    ..and got a new one in my right hand! This time I didn't even touch the implants until I was back home.

    [IMAGE: blurry, showing a mark on the hand where the implant was probably placed]

    RTFM & Unbricking the implant

    Now, with a computer, proper devices and time to read the datasheet documentation and all the material on the Dangerous Things forum, I'm ready to try some things.

    After understanding the memory organization and the function of the ACCESS and MIRROR pages...

    [IMAGE showing data storage structure, field names, and purpose for implant]

    ..and the AUTH0/PROT/PWD configuration parameters, I finally figured out what happened.

    [IMAGE: table showing NFC field names, bit location/size, default values, and descriptions, highlighting AUTH0 , PROT and further down, PWD]

    Comparing with the config page parameters of my bricked NFC implant:

    [IMAGE: console, text dump of NFC details showing values and status for password / PWD]

    As you can see, NFC Tools Pro wrote every record OK, also set the E2 page's read-only locking permissions to depend on a password, and changed the AUTH0 config flag to mark every page from 00 onward as read-only (everything, including user memory and the config pages), but the connection broke while setting the password page, which remained the default. Luckily we can still read the config page, including the password.
    That's why the password I was using didn't work anymore, and that combination was not accepted by GUI NFC applications.
    So I authenticated with the default password, 1B FFFFFFFF (it returns 0000 if the default password is correct, not PACK or NAK). Then I sent A2 E3040000E2 to change AUTH0 from 00 to E2.

    [IMAGE: showing TX/RX (TRansmit Receive)]
    [IMAGE: console NFC dump showing new values for AUTH0]

    And done, I am able to write to it again!

    [IMAGE1: showing write success][IMAGE2: showing console dump of data sent to implant with value]

    I've changed the default password, and now, after sending A2 E480050000 to make the config pages password-dependent for reading as well, the config pages are returned like this:

    [IMAGE: showing new values in console NFC dump of implant data, with real hex-value data replaced with "XX" to hide new password and details]
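To make the lockout and the recovery above concrete, here is an added example (my own, not code from the post or from Dangerous Things): a small Python model of the NTAG216 password pages, the chip inside the xNT. It replays the app's sequence with the session dropping before the PWD page is written, then applies the two commands from the post (1B FFFFFFFF, then A2 E3 04 00 00 E2) and finally sets PROT the way the A2 E4 80 05 00 00 write does. The page numbers, commands and factory defaults (AUTH0 FF, PROT 0, PWD FFFFFFFF, PACK 0000) follow the NTAG21x datasheet; the user data, the chosen password and the PACK value are constructed. One caveat the model builds in: on the real chip the PWD and PACK pages read back as zeros, so the recovery works because the password was still the factory default, not because it could be read off the tag.

```python
# Added example (not code from the blog post or from Dangerous Things):
# a small model of the NTAG216 (the chip in the xNT) password pages, enough to
# replay the lockout described above and the two commands that undid it.
# Page numbers and factory defaults follow the NTAG21x datasheet; the sample
# user data, the "new" password and the PACK value are constructed.

NAK = "NAK"
ACK = "ACK"
DEFAULT_PWD = bytes.fromhex("FFFFFFFF")   # factory PWD (page E5)
DEFAULT_PACK = bytes.fromhex("0000")      # factory PACK (page E6)


class Ntag216:
    """Pages 00..E6, four bytes each. Config pages: E3 = MIRROR/RFUI/MIRROR_PAGE/AUTH0,
    E4 = ACCESS (PROT is bit 7) + RFUI, E5 = PWD, E6 = PACK + RFUI."""

    def __init__(self):
        self.mem = [bytearray(4) for _ in range(0xE7)]
        self.mem[0xE3][:] = bytes.fromhex("040000FF")  # AUTH0 = FF: nothing protected
        self.mem[0xE4][:] = bytes.fromhex("00050000")  # PROT = 0: protection is write-only
        self.mem[0xE5][:] = DEFAULT_PWD
        self.mem[0xE6][:] = DEFAULT_PACK + b"\x00\x00"
        self.authenticated = False

    def auth0(self):
        return self.mem[0xE3][3]

    def prot(self):
        return bool(self.mem[0xE4][0] & 0x80)

    def leave_field(self):
        """Authentication only lasts while the tag is powered by the reader."""
        self.authenticated = False

    def pwd_auth(self, pwd):
        """Command 1B: PACK on success, NAK otherwise."""
        if bytes(pwd) != bytes(self.mem[0xE5]):
            return NAK
        self.authenticated = True
        return bytes(self.mem[0xE6][:2])

    def read(self, page):
        """Command 30, simplified to a single page."""
        if page >= self.auth0() and self.prot() and not self.authenticated:
            return NAK
        if page in (0xE5, 0xE6):          # PWD and PACK always read back as zeros
            return bytes(4)
        return bytes(self.mem[page])

    def write(self, page, data):
        """Command A2: one 4-byte page."""
        data = bytes(data)
        if len(data) != 4 or page > 0xE6:
            return NAK
        if page >= self.auth0() and not self.authenticated:
            return NAK
        self.mem[page][:] = data
        return ACK


def replay_lockout(tag, chosen_pwd):
    """The app's sequence with the session dropping before the PWD page is written."""
    tag.write(0x04, bytes.fromhex("030BD101"))      # start of an NDEF text record (constructed)
    tag.write(0xE3, bytes.fromhex("04000000"))      # AUTH0 = 00: every page now write-protected
    tag.leave_field()                               # hand moved; E5 (PWD) was never reached
    return {
        "user_write": tag.write(0x04, bytes(4)),    # NAK: user memory is behind AUTH0
        "chosen_pwd": tag.pwd_auth(chosen_pwd),     # NAK: the tag still holds FFFFFFFF
        "config_readable": tag.read(0xE3) != NAK,   # True: PROT is still 0
    }


def recover(tag):
    """The fix from the post: 1B FFFFFFFF, then A2 E3 04 00 00 E2."""
    if tag.pwd_auth(DEFAULT_PWD) == NAK:
        return NAK
    return tag.write(0xE3, bytes.fromhex("040000E2"))   # AUTH0 = E2: only config pages protected


def protect_properly(tag, pwd, pack):
    """Safe order, in one authenticated session: PWD and PACK first, then PROT (A2 E4 80 05 00 00)."""
    return {
        "pwd": tag.write(0xE5, pwd),
        "pack": tag.write(0xE6, pack + b"\x00\x00"),
        "access": tag.write(0xE4, bytes.fromhex("80050000")),
    }


if __name__ == "__main__":
    tag = Ntag216()
    print("bricked:", replay_lockout(tag, bytes.fromhex("DEADBEEF")))
    print("recover:", recover(tag), "AUTH0 =", f"{tag.auth0():02X}")
    print("protect:", protect_properly(tag, bytes.fromhex("01020304"), bytes.fromhex("ABCD")))
    tag.leave_field()
    print("config read without auth:", tag.read(0xE3), "user read:", tag.read(0x04).hex())
```

The order in protect_properly is the point: writing PWD and PACK before AUTH0 and PROT take effect, inside one uninterrupted session, means a dropped connection leaves the tag either still unprotected or fully configured, never in the half-configured state described above where AUTH0 already covers every page but the password is still the factory one.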

    [IMAGE: appears to be an x-ray image of the bones of two outstretched human hands, with an implant embedded in the fold of skin between the thumb and index finger of each hand. The implant in the left hand appears to be larger than the one in the right hand.]

    Awesome, now I have about 2kb of wirelessly readable storage built into my body!

    DEF CON, as always, providing amazing experiences.

    Recommended tools

    Recommended hardware

