Topic: unable to overwrite OTP

hello,

I have a UL tag and OTP seems to be not writable even if the lock bit is unset, can you explain why?

$ nfc-mfultralight r tag.dmp
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID:xxxxxxxx74081
Reading 16 pages |................|
Done, 16 of 16 pages readed.
Writing data to file: tag.dmp ... Done.
$ xxd tag.dmp
0000000: xxxx xxxx xxxx 4081 a448 00f0 ca77 ffff  ......@..H...w..
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: d000 1000 0000 0000 2b8e 3109 bb89 5d95  ........+.1...].
0000030: bc27 6ea9 5bf0 baa1 dadf ce23 3693 3823  .'n.[......#6.8#

as you can see the lock bytes are "00f0" so the pages "3, 4, 5, 6, 7, 8, 9, 10, 11" are writable (the OTP page is 3, starting from 0, the bytes "ca77 ffff")

I edited it manually in the file, so:
$ xxd tag.dmp
0000000: xxxx xxxx xxxx 4081 a448 00f0 0000 0000  ......@..H......
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: d000 1000 0000 0000 2b8e 3109 bb89 5d95  ........+.1...].
0000030: bc27 6ea9 5bf0 baa1 dadf ce23 3693 3823  .'n.[......#6.8#

I try to write on the tag now:

$ nfc-mfultralight w tag.dmp
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID: xxxxxxxxxx4081
Write OTP bytes ? [yN] y
Write Lock bytes ? [yN] n
Write UID bytes (only for special writeable UID cards) ? [yN] n
nfc_initiator_transceive_bytes: Timeout
nfc_initiator_transceive_bytes: Timeout
nfc_initiator_transceive_bytes: Timeout
nfc_initiator_transceive_bytes: Timeout
Writing 16 pages |sss.........xxxx|
Done, 9 of 16 pages written (3 pages skipped).

re-read from the tag:

$ nfc-mfultralight r tag.dmp
NFC device: SCM Micro / SCL3711-NFC&RW opened
Found MIFARE Ultralight card with UID: xxxxxxxxxx4081
Reading 16 pages |................|
Done, 16 of 16 pages readed.
Writing data to file: ticket_used.dmp ... Done.
$ xxd tag.dmp
0000000: xxxx xxxx xxxx 4081 a448 00f0 ca77 ffff  ......@..H...w..
0000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000020: d000 1000 0000 0000 2b8e 3109 bb89 5d95  ........+.1...].
0000030: bc27 6ea9 5bf0 baa1 dadf ce23 3693 3823  .'n.[......#6.8#

as you can see the OTP bytes are not changed...

thanks in advance,
spk

Re: unable to overwrite OTP

OTP stands for one-time programmable. It doesn't matter what the lock bits are, you can never unset a bit in the OTP segment. That is to say, you can only increase these values. Instead of thinking about it as 4 OTP bytes, think of it as 32 OTP bits. You can only ever set these bits, and you can never unset them.

So, if one of your OTP bytes is 0b00001111, you can make it 0b00011111, but never 0b00000000.
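As an added illustration (not part of either post) of the OR-only rule described in the reply, here is a small Python model of an Ultralight OTP page write, applied to the page-3 bytes from the dump quoted in the question. The 64-byte dump is reconstructed from the thread with the masked UID bytes replaced by zeros; the function names are my own.

```python
# Simulated MIFARE Ultralight OTP page (page 3) write semantics, as an added
# example, not code from the thread or from libnfc. The tag ORs the written
# bytes into the stored OTP bytes: bits can be set, never cleared.

OTP_PAGE = 3
PAGE_SIZE = 4

def otp_write(current: bytes, requested: bytes) -> bytes:
    """Contents of the OTP bytes after writing `requested` over `current`.
    The silicon applies a bitwise OR, so 0 bits in `requested` change nothing."""
    if len(current) != len(requested):
        raise ValueError("current and requested must have the same length")
    return bytes(c | r for c, r in zip(current, requested))

def bits_needing_clear(current: bytes, target: bytes) -> bytes:
    """Mask of bits that are 1 in `current` but 0 in `target`. Any set bit
    means `target` is unreachable, because OTP bits cannot be cleared."""
    return bytes(c & ~t & 0xFF for c, t in zip(current, target))

def is_reachable(current: bytes, target: bytes) -> bool:
    """True if `target` can be produced from `current` by setting bits only."""
    return not any(bits_needing_clear(current, target))

def otp_page_from_dump(dump: bytes) -> bytes:
    """Extract page 3 from a 64-byte nfc-mfultralight dump (4 bytes per page)."""
    start = OTP_PAGE * PAGE_SIZE
    return dump[start:start + PAGE_SIZE]

# Constructed dump: UID bytes zeroed (they are masked in the thread); page 2
# carries the lock bytes 00f0 and page 3 the OTP bytes ca77ffff.
DUMP = bytes.fromhex(
    "00000000" "00004081" "a44800f0" "ca77ffff"
    + "00" * 16
    + "d0001000" "00000000" "2b8e3109" "bb895d95"
    + "bc276ea9" "5bf0baa1" "dadfce23" "36933823"
)

if __name__ == "__main__":
    otp = otp_page_from_dump(DUMP)
    zero = bytes(PAGE_SIZE)                       # the attempted "erase" write
    print(otp.hex(), "->", otp_write(otp, zero).hex())   # ca77ffff -> ca77ffff
    print("all-zero reachable:", is_reachable(otp, zero))
    print("bits stuck at 1:", bits_needing_clear(otp, zero).hex())
    # The reply's single-byte example: 0b00001111 -> 0b00011111 works, -> 0 does not
    print(otp_write(b"\x0f", b"\x1f").hex(), is_reachable(b"\x0f", b"\x00"))
```

Run against the dump above it shows the write the question attempted is a no-op, and reports exactly which bits would have to be cleared for it to succeed.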