Locking Memory on EPC Gen 2 RFID Tags

Published by Shain Armstrong on 31st Mar 2020

Introduction

Locking the memory on EPC Gen 2 compliant RFID tags is an often misunderstood process. Many think that it is simply a matter of changing the access password from zero (the default for Gen 2 tags) to a non-zero value, and that the tag is then 'locked', but this is not the case. This post reviews how tag locking works for EPC RFID tags and shows how to lock Impinj Monza tags using .NET version 1.0.0.6 of the Octane Software Development Kit (SDK).

GEN 2 Tag Passwords

An EPC Gen 2 tag has two separate passwords, an access password and a kill password; each is 32 bits, and both are stored in the reserved bank (bank 00) of the tag memory.

States

When a tag is singulated, it enters one of two states:

1.  Secured (if access password is all zeros, which is the factory default)
2.  Open (if non-zero access password has been programmed to the tag)

A tag in the open state can be moved to secured by providing the previously programmed non-zero access password.

The key thing to remember is that assigning a non-zero access password does not, in itself, prevent anyone with a Gen 2 RFID reader from reading or changing data on the tag. It only requires that future users provide the access password in order to change the lock state, and it is just one step in effectively locking tag memory.

Each memory bank can be in one of four lock states:

1.  Unlocked
2.  Perma-unlocked (can never be locked)
3.  Locked
4.  Perma-locked (can never be unlocked)

This is illustrated below when programming the lock state of the tag.

Lock Procedures

The steps for locking a Gen 2 RFID Tag are (for a factory default tag):

1. Lock (or perma-lock) the selected memory bank using the default password of all zeros.

2. Assign a 32-bit (8 hex character) access password. (This will prevent the tag lock state from being changed.)

3. Lock the access password. (This will prevent the password from being read or overwritten.) Not doing this step would allow any user to simply read the access password, then use it to unlock and overwrite memory on the tag (unless it has been perma-locked).

Only the reserved memory bank (access and kill passwords) can be both WRITE and READ locked - all others (EPC, TID, and User) can be write-locked only. Typically the Tag Identification (TID) memory bank is perma-locked at the factory.

Each tag memory bank can be individually write locked as shown below.
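A small Python model of the lock rules and the three steps above, as an added example that is not part of the original post and does not use the Octane SDK. The `Tag` class, the field names and `lock_user_memory` are hypothetical, permalock handling is simplified, and `lock_payload` follows the Gen 2 Lock command layout (10 mask bits, then 10 action bits).

```python
from enum import Enum

class Lock(Enum):            # value = (pwd-write bit << 1) | permalock bit
    UNLOCKED = 0b00          # accessible from the open or secured state
    PERMA_UNLOCKED = 0b01    # as UNLOCKED, and can never be locked
    LOCKED = 0b10            # accessible from the secured state only
    PERMA_LOCKED = 0b11      # never writable, and can never be unlocked

FIELDS = ("kill", "access", "epc", "tid", "user")   # field order in the Lock payload

def lock_payload(changes):
    """Gen 2 Lock payload: 10 mask bits then 10 action bits, 2 bits per field."""
    mask = action = 0
    for field, state in changes.items():
        shift = 8 - 2 * FIELDS.index(field)
        mask |= 0b11 << shift
        action |= state.value << shift
    return (mask << 10) | action

class Tag:
    """Constructed model of a factory-default tag (hypothetical, not a reader API)."""
    def __init__(self):
        self.access_pwd = 0
        self.locks = dict.fromkeys(FIELDS, Lock.UNLOCKED)

    def secured(self, pwd):
        # A zero access password puts the tag straight into the secured state.
        return self.access_pwd == 0 or pwd == self.access_pwd

    def can_write(self, field, pwd=0):
        lock = self.locks[field]
        return lock is not Lock.PERMA_LOCKED and (lock is not Lock.LOCKED or self.secured(pwd))

    def can_read(self, field, pwd=0):
        # Only the two passwords can be read-locked; other banks stay readable.
        return field not in ("kill", "access") or self.can_write(field, pwd)

    def lock(self, changes, pwd=0):
        # Lock state changes need the secured state and no permalock bit already set.
        if not self.secured(pwd) or any(self.locks[f].value & 1 for f in changes):
            return False
        self.locks.update(changes)
        return True

def lock_user_memory(tag, new_pwd):
    """The three steps from the post, in order, on a factory-default tag."""
    ok = tag.lock({"user": Lock.LOCKED})        # 1. lock the bank (password still zero)
    tag.access_pwd = new_pwd                    # 2. assign the access password
    return ok and tag.lock({"access": Lock.LOCKED}, pwd=new_pwd)  # 3. lock the password
```

Setting `access_pwd` on a fresh `Tag` without calling `lock` leaves `can_write("user")` and `can_read("access")` true for a reader that supplies no password, which is the misunderstanding the post describes.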

Sample Code

Here is an example of locking user memory in C# using the Octane SDK.

Other Useful Notes

In addition to the increased memory size, the Impinj Monza 4QT tag chips offer the ability to independently lock four fixed, 128-bit sections of user memory (block permalock). This feature is particularly useful for situations such as in a supply chain, where various participants along the chain may want to record data, but not necessarily have it be openly available to all parties.

Lock status cannot be read; it can only be inferred. There is no direct way to query a tag and have it reply whether it is locked or not. However, in some cases an attempt to access a tag memory bank will return a pretty specific error, "tag memory locked".
