NFC

The NFC function is pretty simple, handled by a few €-cent part from NXP, an NTAG203(F), with a fixed data record that contains an "application/vnd.bluetooth.ep.oob" record (see below; the documentation can be found here). The interesting part is that the contents of the NFC chip are not write-protected at all, i.e. anyone with access to the device can program arbitrary data into the 144 bytes of user memory. Pretty bad idea. Even worse, a bad guy could reprogram and then lock it, so you would not even be able to restore it. Very bad idea.

The contained NDEF records show that the tag does not support any simple pairing scheme; it only carries the device's MAC address (BDADDR in Bluetooth jargon).

-- INFO ------------------------------

# IC manufacturer:
NXP Semiconductors

# IC type:
NTAG203(F) (NTAG203(F))

# NFC Forum NDEF-compliant tag:
Type 2 Tag

-- NDEF ------------------------------

# NFC data set information:
NDEF message containing 2 records
Current message size: 81 bytes
Maximum message size: 137 bytes
NFC data set access: Read & Write
Can be made Read-Only

# Record #1: Handover Select record:
Type Name Format: NFC Forum well-known type
Short Record
type: "Hs"
version: 1.2
	# Alternative Carrier record
	type: "ac"
	* carrier power state: Active
	* carrier data record: "0"
	* no auxiliary data records
Payload length: 10 bytes
Payload data:

[00] 12 D1 02 04 61 63 01 01 30 00                   |....ac..0.      |

# Record #2: Bluetooth Secure Simple Pairing record:
Type Name Format: MIME type (RFC 2046)
Short Record, ID Length present
ID: "0"
type: "application/vnd.bluetooth.ep.oob"
OOB data length: 27 bytes
* Error: length should include length field
MAC address: xx:xx:xx:xx:xx:xx
* Manufacturer: PARROT SA
Complete local name: "Parrot ZIK 2.0"
Device class: 20:04:04
* Service class:
	- Audio
* Major type: Audio/Video
* Minor type: Wearable headset
* Format type: Format #1
Payload length: 29 bytes
Payload data:

[00] 1B 00 xx xx xx xx xx xx 0F 09 50 61 72 72 6F 74 |.... .....Parrot|
[10] 20 5A 49 4B 20 32 2E 30 04 0D 04 04 20          | ZIK 2.0....    |

# NDEF message:
[00] 91 02 0A 48 73 12 D1 02 04 61 63 01 01 30 00 5A |...Hs....ac..0.Z|
[10] 20 1D 01 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 | ..application/v|
[20] 6E 64 2E 62 6C 75 65 74 6F 6F 74 68 2E 65 70 2E |nd.bluetooth.ep.|
[30] 6F 6F 62 30 1B 00 xx xx xx xx xx xx 0F 09 50 61 |oob0.... =....Pa|
[40] 72 72 6F 74 20 5A 49 4B 20 32 2E 30 04 0D 04 04 |rrot ZIK 2.0....|
[50] 20                                              |                |

# NDEF Capability Container (CC):
Mapping version: 1.0
Maximum NDEF data size: 144 bytes
NDEF access: Read & Write
 E1 10 12 00                                     |....            |

# Control TLVs:
Lock Control TLV at address 0x04, offset 0
* Dynamic lock bytes at address 0x28, offset 0
	- 16 lock bits
	- 16 bytes locked per lock bit
 01 03 A0 10 44                                  |....D           |

-- EXTRA ------------------------------

# Memory size:
168 bytes total memory
* 42 pages, with 4 bytes per page
* 144 bytes user memory (36 pages)

# IC detailed information:
Full product name:
* NT2H0301G0DUD or NT2H0301F0DTx

-- TECH ------------------------------

# Detailed protocol information:
ID: xx:xx:xx:xx:xx:xx:xx
ATQA: 0x4400
SAK: 0x00

# Memory content:
[00] * xx:xx:xx D2 (UID0-UID2, BCC0)
[01] * xx:xx:xx:xx (UID3-UID6)
[02] . 31 48 00 00 (BCC1, INT, LOCK0-LOCK1)
[03] . E1:10:12:00 (OTP0-OTP3)
[04] . 01 03 A0 10 |....|
[05] . 44 03 51 91 |D.Q.|
[06] . 02 0A 48 73 |..Hs|
[07] . 12 D1 02 04 |....|
[08] . 61 63 01 01 |ac..|
[09] . 30 00 5A 20 |0.Z |
[0A] . 1D 01 61 70 |..ap|
[0B] . 70 6C 69 63 |plic|
[0C] . 61 74 69 6F |atio|
[0D] . 6E 2F 76 6E |n/vn|
[0E] . 64 2E 62 6C |d.bl|
[0F] . 75 65 74 6F |ueto|
[10] . 6F 74 68 2E |oth.|
[11] . 65 70 2E 6F |ep.o|
[12] . 6F 62 30 1B |ob0.|
[13] . 00 xx xx xx |... |
[14] . xx xx xx 0F |....|
[15] . 09 50 61 72 |.Par|
[16] . 72 6F 74 20 |rot |
[17] . 5A 49 4B 20 |ZIK |
[18] . 32 2E 30 04 |2.0.|
[19] . 0D 04 04 20 |... |
[1A] . FE 00 00 00 |....|
[1B] . 00 00 00 00 |....|
[1C] . 00 00 00 00 |....|
[1D] . 00 00 00 00 |....|
[1E] . 00 00 00 00 |....|
[1F] . 00 00 00 00 |....|
[20] . 00 00 00 00 |....|
[21] . 00 00 00 00 |....|
[22] . 00 00 00 00 |....|
[23] . 00 00 00 00 |....|
[24] . 00 00 00 00 |....|
[25] . 00 00 00 00 |....|
[26] . 00 00 00 00 |....|
[27] . 00 00 00 00 |....|
[28] . 00 00 -- -- (LOCK2-LOCK3)
[29] . 00 00 -- -- (CNT0-CNT1, value: 0)

  *:locked & blocked, x:locked,
  +:blocked, .:un(b)locked
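The dump above can be checked programmatically: walk the Type 2 Tag TLVs, split the NDEF message into its two records, decode the Bluetooth OOB record (including the off-by-two length field the tool complains about), and then look at the Capability Container and lock bytes to decide whether the tag is still writable by anyone. The following is an added example, not code from the original post or from Parrot; it rebuilds the 168 bytes of tag memory from the dump, with constructed placeholder values for the UID and BDADDR that the post blanks out with "xx".

```python
import struct

# CONSTRUCTED placeholders for the bytes the post blanks out with "xx".
UID = bytes.fromhex("0411223344556677")
BDADDR_LSB_FIRST = bytes.fromhex("001122334455")  # OOB records carry the BDADDR LSB first


def build_tag_memory() -> bytes:
    """Rebuild the 42 x 4-byte NTAG203 pages from the dump (UID/BDADDR are placeholders)."""
    rec_hs = bytes.fromhex("91020A4873" "12" "D102046163" "01013000")  # "Hs" v1.2 wrapping an "ac" record
    oob = (bytes.fromhex("1B00") + BDADDR_LSB_FIRST                    # OOB length field says 27
           + bytes.fromhex("0F09") + b"Parrot ZIK 2.0"                  # EIR 0x09: complete local name
           + bytes.fromhex("040D040420"))                               # EIR 0x0D: class of device
    rec_oob = bytes.fromhex("5A201D01") + b"application/vnd.bluetooth.ep.oob" + b"0" + oob
    ndef = rec_hs + rec_oob
    user = bytes.fromhex("0103A01044") + bytes([0x03, len(ndef)]) + ndef + b"\xFE"  # lock TLV, NDEF TLV, terminator
    mem = (UID + bytes.fromhex("31480000")      # page 2: BCC1, INT, static lock bytes LOCK0-LOCK1
           + bytes.fromhex("E1101200")          # page 3: Capability Container
           + user.ljust(144, b"\x00")           # pages 4..0x27: 144 bytes of user memory
           + bytes(8))                          # pages 0x28-0x29: dynamic lock bytes, counter
    assert len(mem) == 168
    return mem


def parse_cc(mem: bytes) -> dict:
    """Page 3 is the NFC Forum Type 2 Capability Container: magic, version, size/8, access nibbles."""
    magic, ver, size, access = mem[12:16]
    if magic != 0xE1:
        raise ValueError("not an NDEF-formatted Type 2 tag")
    return {"version": f"{ver >> 4}.{ver & 0xF}", "data_size": size * 8,
            "read_nibble": access >> 4, "write_nibble": access & 0xF}  # 0x0 = unrestricted, 0xF = none


def parse_tlvs(mem: bytes) -> list:
    """Walk the TLV blocks in user memory (from page 4) until the 0xFE terminator."""
    tlvs, pos = [], 16
    while pos < len(mem):
        t = mem[pos]
        if t == 0x00:                       # NULL TLV: single padding byte
            pos += 1
            continue
        if t == 0xFE:                       # terminator TLV
            break
        length, pos = mem[pos + 1], pos + 2
        if length == 0xFF:                  # three-byte length form
            length, pos = struct.unpack(">H", mem[pos:pos + 2])[0], pos + 2
        tlvs.append((t, mem[pos:pos + length]))
        pos += length
    return tlvs


def parse_ndef(msg: bytes) -> list:
    """Split an NDEF message into records: TNF, type, id and payload (short and long records)."""
    records, pos = [], 0
    while pos < len(msg):
        hdr, type_len = msg[pos], msg[pos + 1]
        tnf, sr, il, me = hdr & 0x07, hdr & 0x10, hdr & 0x08, hdr & 0x40
        pos += 2
        payload_len = msg[pos] if sr else struct.unpack(">I", msg[pos:pos + 4])[0]
        pos += 1 if sr else 4
        id_len = msg[pos] if il else 0
        pos += 1 if il else 0
        rtype, rid = msg[pos:pos + type_len], msg[pos + type_len:pos + type_len + id_len]
        pos += type_len + id_len
        records.append({"tnf": tnf, "type": rtype, "id": rid, "payload": msg[pos:pos + payload_len]})
        pos += payload_len
        if me:                              # ME flag: last record of the message
            break
    return records


def parse_bt_oob(payload: bytes) -> dict:
    """Decode a Bluetooth SSP OOB payload: LE length, BDADDR (LSB first), then EIR structures."""
    declared = struct.unpack("<H", payload[:2])[0]
    info = {"declared_len": declared, "actual_len": len(payload),
            "length_ok": declared == len(payload),          # the length field must count itself
            "bdaddr": ":".join(f"{b:02X}" for b in reversed(payload[2:8])),
            "name": None, "class_of_device": None}
    pos = 8
    while pos < len(payload) and payload[pos] != 0:
        length, eir_type = payload[pos], payload[pos + 1]
        data = payload[pos + 2:pos + 1 + length]
        if eir_type == 0x09:                                # complete local name
            info["name"] = data.decode("utf-8", "replace")
        elif eir_type == 0x0D:                              # class of device, 24-bit little-endian
            cod = f"{int.from_bytes(data, 'little'):06X}"
            info["class_of_device"] = ":".join(cod[i:i + 2] for i in (0, 2, 4))
        pos += 1 + length
    return info


def assess_write_protection(mem: bytes) -> dict:
    """The tag is open to anyone if the CC allows writes and no static/dynamic lock bit is set."""
    static_lock, dynamic_lock = mem[10:12], mem[0xA0:0xA2]   # LOCK0-1 in page 2, LOCK2-3 in page 0x28
    write_nibble = parse_cc(mem)["write_nibble"]
    writable = write_nibble == 0 and not any(static_lock) and not any(dynamic_lock)
    return {"cc_write_nibble": write_nibble, "static_lock": static_lock.hex(),
            "dynamic_lock": dynamic_lock.hex(), "writable_by_anyone": writable}


def decode_tag(mem: bytes) -> dict:
    ndef = next(v for t, v in parse_tlvs(mem) if t == 0x03)
    records = parse_ndef(ndef)
    oob = next(r for r in records if r["type"] == b"application/vnd.bluetooth.ep.oob")
    return {"cc": parse_cc(mem), "records": records,
            "oob": parse_bt_oob(oob["payload"]), "protection": assess_write_protection(mem)}


if __name__ == "__main__":
    for key, value in decode_tag(build_tag_memory()).items():
        print(key, value)
```

Running it reports `writable_by_anyone: True` for this tag: the CC write nibble is 0x0 and all lock bytes are zero, which is exactly the state the text warns about. The corresponding check on a production line would be that `write_nibble` is 0xF and the lock bits are set before the unit ships; the OOB `length_ok` field also surfaces the length-field error the TagInfo dump flags, which is worth catching in any firmware or app that consumes such records.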