Hi Dan,
Glad you’re happy with your xNT!
So there are a couple ways to go about this…
-
Lock your tag. This is permanent and irrevocable. Your tag would need to be removed and thrown out if you ever had to change your key.
-
Protect your xNT’s contents from unsolicited writes with a password. You can still read it (anyone could), but your content would not be updated without first authenticating.
-
Protect your xNT’s contents from unsolicited reads and writes with a password. You could’t even read your xNT without first authenticating.
-
Lock your xNT and also implement a password to protect against unsolicited reads.
For option 1, you can lock your tag, simply use TagWriter, go to Protect Tags, and Lock Tag. It’ll lock it. You’re done.
For options 2 and 3, we recommend disabling the locking feature all together. The lock bytes being changeable is simply a liability. Instead I would disable locking and set a password by using Dangerous NFC. Then, if you wanted to set specific password protections for your tag… well that is done by changing the PROT bit of the ACCESS configuration byte in page E4 (0=write protected, 1=read & write protected), and changing the AUTH byte to at least 04 (00 is also ok, but doesn’t actually protect the UID).
How one does this is, at the moment, difficult. No apps (not even ours) is really that good at being granular enough to dig into the details. Take a deep breath… we’re doing digital surgery here…
1) Read the datasheet
… particularly pages 18 and 19. Be really careful with CFGLCK and AUTHLIM … screwing up either of those will really wreck your xNT hard… which is one reason Dangerous NFC protects these configuration pages.
Configuration Pages
ACCESS BYTE (Page E4)
AUTH & PROT
2) Download and install NFC Shell
I’m jealous of this app… I want it’s code inside Dangerous NFC so bad (under an “advanced” section).
3) Send these commands
Type in the following lines in the shell box;
1B h1 h2 h3 h4
A2 E3 04 00 00 04
A2 E4 80 05 00 00
The first line starting with 1B is the PWD_AUTH command, and the h1 h2 h3 h4 value needs to be replaced with the HEX value of the password you set for your xNT. So, if your password was 1234 then the HEX values of the ASCII characters 1, 2, 3, and 4 are 31 32 33 34. Check ye’ olde ASCII chart for a reference.
The second line, starting with A2, updates the AUTH0 byte to page 04… protecting the memory contents of your tag with the password you’ve set.
The third line, also starting with A2, changes the PROT bit to 1 to ensure nothing protected with AUTH0 + PWD can be read without first authenticating. If instead you want to write protect the tag but still let anyone read it without authenticating first, then change that line to A2 E4 00 00 00 00
Press the SEND button and then scan your tag. You should receive in the shell window, something like this;
TX: 1Bh1h2h3h4
RX: 4454
TX: A2 E3 04 00 00 04
RX:
TX: A2 E4 80 05 00 00
RX:
That means success… no RX after successful write command means success. If it fails, you’ll get an RX: NAK back.
At this point, once you remove the tag from the field, you will need to authenticate with the password before you can read the contents.
If you have any cheap spare NTAG216s around, I’d test on those first. Good luck!