{"id":611,"date":"2016-04-13T13:47:43","date_gmt":"2016-04-13T11:47:43","guid":{"rendered":"http:\/\/nf.dpin.de\/?page_id=611"},"modified":"2016-04-13T13:47:43","modified_gmt":"2016-04-13T11:47:43","slug":"nfc","status":"publish","type":"page","link":"https:\/\/www.dpin.de\/nf\/computer-it-nerdine-geek\/geraete-devices-toys\/parrot-zik2\/nfc\/","title":{"rendered":"NFC"},"content":{"rendered":"<p>The NFC function is pretty simple, handled by a part from NXP that costs a few euro cents, an NTAG203(F), with a fixed data record which contains an &#8220;application\/vnd.bluetooth.ep.oob&#8221; record, see below, for which the documentation can be found <a href=\"http:\/\/members.nfc-forum.org\/apps\/group_public\/download.php\/18688\/NFCForum-AD-BTSSP_1_1.pdf\" target=\"_blank\">here<\/a>. The interesting part is that the contents of the NFC chip are <em>not<\/em> write-protected at all, i.e. everyone with access to the device can program arbitrary stuff into the 144 bytes of user memory. Pretty bad idea. Even worse, a bad guy could reprogram and lock it! Then you would not even be able to restore it. 
Very bad idea.<\/p>\n<p>The contained NDEF records show that it does not support any simple pairing scheme, just the transmission of the device&#8217;s MAC address (BDADDR in Bluetooth jargon).<\/p>\n<pre>-- INFO ------------------------------\n\n# IC manufacturer:\nNXP Semiconductors\n\n# IC type:\nNTAG203(F) (NTAG203(F))\n\n# NFC Forum NDEF-compliant tag:\nType 2 Tag\n\n-- NDEF ------------------------------\n\n# NFC data set information:\nNDEF message containing 2 records\nCurrent message size: 81 bytes\nMaximum message size: 137 bytes\nNFC data set access: Read &amp; Write\nCan be made Read-Only\n\n# Record #1: Handover Select record:\nType Name Format: NFC Forum well-known type\nShort Record\ntype: \"Hs\"\nversion: 1.2\n\t# Alternative Carrier record\n\ttype: \"ac\"\n\t* carrier power state: Active\n\t* carrier data record: \"0\"\n\t* no auxiliary data records\nPayload length: 10 bytes\nPayload data:\n\n[00] 12 D1 02 04 61 63 01 01 30 00                   |....ac..0.      |\n\n# Record #2: Bluetooth Secure Simple Pairing record:\nType Name Format: MIME type (RFC 2046)\nShort Record, ID Length present\nID: \"0\"\ntype: \"application\/vnd.bluetooth.ep.oob\"\nOOB data length: 27 bytes\n* Error: length should include length field\nMAC address: xx:xx:xx:xx:xx:xx\n* Manufacturer: PARROT SA\nComplete local name: \"Parrot ZIK 2.0\"\nDevice class: 20:04:04\n* Service class:\n\t- Audio\n* Major type: Audio\/Video\n* Minor type: Wearable headset\n* Format type: Format #1\nPayload length: 29 bytes\nPayload data:\n\n[00] 1B 00 xx xx xx xx xx xx 0F 09 50 61 72 72 6F 74 |.... .....Parrot|\n[10] 20 5A 49 4B 20 32 2E 30 04 0D 04 04 20          | ZIK 2.0....    
|\n\n# NDEF message:\n[00] 91 02 0A 48 73 12 D1 02 04 61 63 01 01 30 00 5A |...Hs....ac..0.Z|\n[10] 20 1D 01 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 | ..application\/v|\n[20] 6E 64 2E 62 6C 75 65 74 6F 6F 74 68 2E 65 70 2E |nd.bluetooth.ep.|\n[30] 6F 6F 62 30 1B 00 xx xx xx xx xx xx 0F 09 50 61 |oob0.... =....Pa|\n[40] 72 72 6F 74 20 5A 49 4B 20 32 2E 30 04 0D 04 04 |rrot ZIK 2.0....|\n[50] 20                                              |                |\n\n# NDEF Capability Container (CC):\nMapping version: 1.0\nMaximum NDEF data size: 144 bytes\nNDEF access: Read &amp; Write\n E1 10 12 00                                     |....            |\n\n# Control TLVs:\nLock Control TLV at address 0x04, offset 0\n* Dynamic lock bytes at address 0x28, offset 0\n\t- 16 lock bits\n\t- 16 bytes locked per lock bit\n 01 03 A0 10 44                                  |....D           |\n\n-- EXTRA ------------------------------\n\n# Memory size:\n168 bytes total memory\n* 42 pages, with 4 bytes per page\n* 144 bytes user memory (36 pages)\n\n# IC detailed information:\nFull product name:\n* NT2H0301G0DUD or NT2H0301F0DTx\n\n-- TECH ------------------------------\n\n# Detailed protocol information:\nID: xx:xx:xx:xx:xx:xx:xx\nATQA: 0x4400\nSAK: 0x00\n\n# Memory content:\n[00] * xx:xx:xx D2 (UID0-UID2, BCC0)\n[01] * xx:xx:xx:xx (UID3-UID6)\n[02] . 31 48 00 00 (BCC1, INT, LOCK0-LOCK1)\n[03] . E1:10:12:00 (OTP0-OTP3)\n[04] . 01 03 A0 10 |....|\n[05] . 44 03 51 91 |D.Q.|\n[06] . 02 0A 48 73 |..Hs|\n[07] . 12 D1 02 04 |....|\n[08] . 61 63 01 01 |ac..|\n[09] . 30 00 5A 20 |0.Z |\n[0A] . 1D 01 61 70 |..ap|\n[0B] . 70 6C 69 63 |plic|\n[0C] . 
61 74 69 6F |atio|\n[0D] . 6E 2F 76 6E |n\/vn|\n[0E] . 64 2E 62 6C |d.bl|\n[0F] . 75 65 74 6F |ueto|\n[10] . 6F 74 68 2E |oth.|\n[11] . 65 70 2E 6F |ep.o|\n[12] . 6F 62 30 1B |ob0.|\n[13] . 00 xx xx xx |... |\n[14] . xx xx xx 0F |....|\n[15] . 09 50 61 72 |.Par|\n[16] . 72 6F 74 20 |rot |\n[17] . 5A 49 4B 20 |ZIK |\n[18] . 32 2E 30 04 |2.0.|\n[19] . 0D 04 04 20 |... |\n[1A] . FE 00 00 00 |....|\n[1B] . 00 00 00 00 |....|\n[1C] . 00 00 00 00 |....|\n[1D] . 00 00 00 00 |....|\n[1E] . 00 00 00 00 |....|\n[1F] . 00 00 00 00 |....|\n[20] . 00 00 00 00 |....|\n[21] . 00 00 00 00 |....|\n[22] . 00 00 00 00 |....|\n[23] . 00 00 00 00 |....|\n[24] . 00 00 00 00 |....|\n[25] . 00 00 00 00 |....|\n[26] . 00 00 00 00 |....|\n[27] . 00 00 00 00 |....|\n[28] . 00 00 -- -- (LOCK2-LOCK3)\n[29] . 00 00 -- -- (CNT0-CNT1, value: 0)\n\n\n  *:locked &amp; blocked, x:locked,\n  +:blocked, .:un(b)locked\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The NFC function is pretty simple, handled by a part from NXP that costs a few euro cents, an NTAG203(F), with a fixed data record which contains an &#8220;application\/vnd.bluetooth.ep.oob&#8221; record, see below, for which the documentation can be found here. The interesting part is that the contents of the NFC chip are not write-protected at all, i.e. 
everyone with access to the device can&#8230; <a href=\"https:\/\/www.dpin.de\/nf\/computer-it-nerdine-geek\/geraete-devices-toys\/parrot-zik2\/nfc\/\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":589,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-611","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/pages\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/comments?post=611"}],"version-history":[{"count":0,"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/pages\/611\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/pages\/589"}],"wp:attachment":[{"href":"https:\/\/www.dpin.de\/nf\/wp-json\/wp\/v2\/media?parent=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}