
UHF RFID Tag Locking and Unlocking

When an RFID reader "reads" an RFID tag, it obtains the EPC data written into the tag's integrated circuit chip. If the EPC data inside the tag is not locked, anyone with an RFID reader and simple RFID software can change or corrupt the data on the tag. If someone maliciously tampers with the data of an RFID tag in this way, the retailer can suffer heavy losses.


As more and more retailers move toward using RFID technology at the checkout counter, locking RFID labels is also becoming more important: if the tags are not locked, shoplifters can use such devices to change the tag information of a valuable item into that of a lower-priced item and then take it to the checkout line to pay.


The memory of the widely used Gen2 RFID tags has four lock states: unlocked, permanently unlocked (can never be locked), locked, and permanently locked (can never be unlocked).


After a retailer locks an RFID tag, the password can still be used to modify the information on the tag. However, the cost of maintaining passwords and of unlocking, rewriting and re-locking tags will be far higher than replacing the tag. Even if a retailer locks the tag and keeps the password secret, there is a chance that the password is discovered and the tag's data destroyed. For these reasons, I recommend that retailers permanently lock the EPC data on all RFID tags.


All retailers using RFID technology should review and understand their tag locking strategy early, so as to understand the possible impact of others maliciously tampering with their RFID tags.

A UHF tag is in effect a small storage space. The RFID reader reads the data in the tag only through dedicated commands, so the length of data that can be read and written is determined by the tag chip itself. For details, ask the RFID tag supplier.


Chip storage partitions and operation commands

UHF RFID tag chips must conform to the EPC C1 Gen2 standard (Gen2 protocol for short), so the internal storage structure of all UHF RFID tag chips is roughly the same. As shown in Figure 4-31, the storage area of the tag chip is divided into four banks: Bank 0, the reserved area (Reserved); Bank 1, the electronic product code area (EPC); Bank 2, the manufacturer code area (TID); and Bank 3, the user area (User).

The Bank 0 reserved area is also called the password area. It holds two 32-bit passwords: the access password (Access Password) and the kill password (Kill Password). Once the Lock command has been applied, some areas of the chip can be read and written only after presenting the access password. When the chip needs to be disabled, it can be permanently killed with the Kill command using the kill password.

Bank 1 is the electronic product code area, the familiar EPC area. According to the Gen2 protocol, the first information obtained from the tag is the EPC; only afterwards can the other storage areas be accessed. The EPC area is divided into three parts:

The CRC-16 check part, 16 bits in total, is used to check whether the EPC received by the reader is correct during communication.

The PC part (Protocol Control), 16 bits in total, controls the length of the EPC: the binary value of the first 5 bits, multiplied by 16, is the EPC length in bits. For example, for a 96-bit EPC the PC is 3000 (hex); its first 5 bits are 00110, decimal 6, and 6 × 16 = 96 bits. According to the protocol, the PC can range from 0000 to F100, corresponding to EPC lengths of 0, 32 bits, 64 bits, and so on up to 496 bits. In practice, however, the EPC length in UHF RFID applications lies between 64 bits and 496 bits, that is, the PC value lies between 2800 and F100. In everyday applications people often do not understand the role of the PC in the EPC and get stuck on setting the EPC length, which causes a lot of trouble.

The EPC part: the electronic product code of the chip, which is what the end user obtains at the application layer.
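The Bank 1 layout just described (CRC-16, PC word, EPC) in working form, as an added example that is not part of the original article. It uses the Gen2 CRC-16 (CCITT polynomial, preset 0xFFFF, result inverted) and derives the EPC length from the top 5 bits of the PC word; the sample EPC value is constructed, not a real product code.

```python
import struct

GEN2_CRC_POLY = 0x1021  # x^16 + x^12 + x^5 + 1, the polynomial Gen2 uses

def gen2_crc16(data: bytes) -> int:
    """CRC-16 over the PC word and EPC: CCITT polynomial, preset 0xFFFF,
    result inverted (catalogued as CRC-16/GENIBUS, alias CRC-16/EPC)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ GEN2_CRC_POLY if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc ^ 0xFFFF

def epc_bits_from_pc(pc: int) -> int:
    """The top 5 bits of the 16-bit PC word hold the EPC length in 16-bit words."""
    return (pc >> 11) * 16

def pc_from_epc_bits(epc_bits: int) -> int:
    """Inverse of the above; only whole words up to 31 (496 bits) fit in 5 bits."""
    if epc_bits % 16 or not 0 <= epc_bits <= 496:
        raise ValueError("EPC length must be a multiple of 16 bits, at most 496")
    return (epc_bits // 16) << 11

def build_epc_bank(epc: bytes) -> bytes:
    """Lay out Bank 1 as the tag stores it: CRC-16, PC, EPC (all big-endian)."""
    body = struct.pack(">H", pc_from_epc_bits(len(epc) * 8)) + epc
    return struct.pack(">H", gen2_crc16(body)) + body

def parse_epc_bank(bank: bytes) -> dict:
    """Split a Bank 1 dump into its parts and recompute the CRC as a reader does.
    crc_ok only says the bytes arrived intact; it does not prove the EPC was
    never rewritten, which is what locking is for."""
    crc, pc = struct.unpack(">HH", bank[:4])
    epc_len = epc_bits_from_pc(pc) // 8
    epc = bank[4:4 + epc_len]
    return {
        "crc": crc, "pc": pc, "epc_bits": epc_len * 8,
        "epc": epc.hex().upper(),
        "crc_ok": gen2_crc16(bank[2:4 + epc_len]) == crc,
    }

# Constructed 96-bit EPC for the demo (SGTIN-96-style header 0x30), not real data.
SAMPLE_EPC = bytes.fromhex("3005FB63AC1F3841EC880467")
```

Building the bank for SAMPLE_EPC yields PC 0x3000, the 96-bit case the text walks through; flipping any byte of the stored EPC makes the recomputed CRC mismatch.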

Bank 2 is the manufacturer code area; each chip has its own unique code here. Section 4.3.3 covers it in detail.

Bank 3 is the user storage area. According to the protocol, the minimum size of this area is 0, but most chips provide user storage for the convenience of customer applications; the most common sizes are 128 bits or 512 bits.

After understanding the storage areas of the tag, the next step is the Gen2 operation commands: read (Read), write (Write), lock (Lock), and kill (Kill). The Gen2 commands are very simple: there are only these 4 operation commands, and a tag's storage area has only two states, locked and unlocked.

Because whether a read or write succeeds depends on whether the data area is locked, let's start with the Lock command. The Lock command has four sub-commands that apply to each of the four storage areas: Lock, Unlock, Permanent Lock, and Permanent Unlock. The Lock command can be performed as long as the access password is not all zeros.

The Read command, as its name implies, reads the data in a storage area. If the storage area is locked, the data area can be accessed via the Access command with the access password. The specific read operation is shown in Table 3-2.

The Write command is similar to the Read command. If the storage area is not locked, it can be written directly; if it is locked, the data area must first be accessed via the Access command with the access password. The specific write operation is shown in Table 3-3.

The Kill command ends the life of the chip. Once a chip is killed it can never be brought back, unlike the Lock command, which can be reversed by unlocking. The Kill command can be issued as long as the reserved area is locked and the kill password is not all zeros. In general the Kill command is rarely used; chips are killed only in some confidentiality- or privacy-related applications. If the TID of a chip is needed after it has been killed, the only way to recover it is to physically dissect the chip, which is very expensive, so avoid issuing the Kill command in normal applications. In a project it is also necessary to prevent others from killing the tags; the best way is to lock the reserved area and protect the access password.
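A small model of the lock states and Lock sub-commands described above, plus a defender-side audit of a tag's lock configuration against the article's advice (permanently lock the EPC, lock the reserved bank, never leave the access password at zero). This is an added example, not code from the article; the tag dictionaries and passwords are constructed.

```python
from enum import Enum

class LockState(Enum):
    UNLOCKED = "unlocked"
    PERMA_UNLOCKED = "permanently unlocked"
    LOCKED = "locked"
    PERMA_LOCKED = "permanently locked"

# The four Lock sub-commands and the state each leaves a bank in.
LOCK_ACTIONS = {
    "lock": LockState.LOCKED,
    "unlock": LockState.UNLOCKED,
    "permalock": LockState.PERMA_LOCKED,
    "permaunlock": LockState.PERMA_UNLOCKED,
}
PERMANENT = {LockState.PERMA_LOCKED, LockState.PERMA_UNLOCKED}

def apply_lock(state: LockState, action: str, access_pwd: int) -> LockState:
    """Model the Lock command on one bank: permanent states are terminal, and
    the command is accepted only when the access password is non-zero."""
    if action not in LOCK_ACTIONS:
        raise ValueError(f"unknown lock action {action!r}")
    if access_pwd == 0:
        raise PermissionError("Lock requires a non-zero access password")
    if state in PERMANENT:
        raise PermissionError(f"bank is {state.value}; no further lock changes")
    return LOCK_ACTIONS[action]

def audit_tag(banks: dict, access_pwd: int) -> list:
    """Return findings for a tag whose lock state per bank is given in `banks`."""
    findings = []
    if banks["EPC"] is not LockState.PERMA_LOCKED:
        findings.append("EPC bank is not permanently locked; it can still be rewritten")
    if banks["Reserved"] in (LockState.UNLOCKED, LockState.PERMA_UNLOCKED):
        findings.append("Reserved bank is unlocked; access and kill passwords are exposed")
    if access_pwd == 0:
        findings.append("Access password is all zeros; banks cannot be locked")
    return findings

# Constructed example: a tag straight from the factory, nothing locked.
FACTORY_TAG = {"Reserved": LockState.UNLOCKED, "EPC": LockState.UNLOCKED,
               "TID": LockState.PERMA_LOCKED, "User": LockState.UNLOCKED}
```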


Manufacturer code TID

The manufacturer ID (TID) is the most important identifier of the chip and the only reliable code that accompanies it throughout its life cycle. A great deal of information is encoded in this string of digits. Figure 4-32 shows the TID of an H3 chip, E20034120614141100734886, where:

The E2 field indicates the chip type; for all UHF RFID tag chips it is E2;

The 003 field is the manufacturer code, where 03 stands for Alien Technology; the first digit of the manufacturer code can be 8 or 0. For example, Impinj's manufacturer codes generally start with E2801.

The 412 field represents the chip model, Higgs-3;

The following 64 bits are the serial number of the chip. 64 bits can represent 2^64 values, an astronomical number: every grain of sand on earth could be numbered, so there is no need to worry about duplicate numbers.
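Decoding the TID fields described above, as an added example that is not part of the original article. It splits the 96-bit TID into the E2 class byte, the three flag bits (the first of which is what makes Impinj TIDs start with E2801 rather than E2001), the 9-bit mask designer ID, the 12-bit tag model number and the 64-bit serial; the second sample TID is constructed and the small designer table holds only the two vendors the text names.

```python
# Mask designer IDs named in the text: 0x003 Alien Technology, 0x001 Impinj.
MASK_DESIGNERS = {0x001: "Impinj", 0x003: "Alien Technology"}

def decode_tid(tid_hex: str) -> dict:
    """Split a 96-bit Gen2 TID into its fields.
    Layout: 8-bit class identifier (0xE2), XTID bit, security bit, file bit,
    9-bit mask designer ID (MDID), 12-bit tag model number (TMN), then 64 bits
    which for a plain (non-XTID) tag such as the Higgs-3 are the serial number."""
    raw = bytes.fromhex(tid_hex)
    if len(raw) != 12:
        raise ValueError("expected a 96-bit TID (24 hex digits)")
    if raw[0] != 0xE2:
        raise ValueError(f"not a Gen2 class identifier: {raw[0]:02X}")
    header = int.from_bytes(raw[1:4], "big")   # the 24 bits after the class byte
    xtid = bool(header >> 23 & 1)
    mdid = (header >> 12) & 0x1FF
    tail = raw[4:].hex().upper()
    return {
        "class_id": raw[0],
        "xtid": xtid,
        "security": bool(header >> 22 & 1),
        "file": bool(header >> 21 & 1),
        "mdid": mdid,
        "mask_designer": MASK_DESIGNERS.get(mdid, "unknown"),
        "tmn": header & 0xFFF,
        # With XTID set, the trailing bits start with an XTID header rather
        # than a bare serial, so they are reported separately.
        "serial": None if xtid else tail,
        "xtid_payload": tail if xtid else None,
    }

# The Higgs-3 TID from the text, and a constructed Impinj-style TID (E2801...).
HIGGS3_TID = "E20034120614141100734886"
SAMPLE_IMPINJ_TID = "E28011902000001234567890"
```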

