Ok, so here are the NFC Shell commands to prevent writing pages 04 onwards (user memory) without the password, keeping the default password of DNGR converted to hex using ASCII codes:
1B444E4752
A2E300000004
If you want to change the password too, here’s the short way:
1B444E4752
A2E300000004
A2E5XXXXXXXX
An explanation:
First is the PWD_AUTH command (1B), using the DT set default password of DNGR (44 4E 47 52). This allows us to now write to any protected memory, which if I recall correctly is pages E2 onwards from DT factory.
Then we write (command A2) to page E3, which contains the AUTH0 byte, setting which page onwards is protected by the password set in page E5. For the NTAG I2C plus, user memory in sector one starts at page 4, hence the 04. The other (first) 3 bytes in that page are RFU (reserved for future use) and are thus written as 0.
Finally, a new password can be written (command A2) to page E5… replace XXXXXXXX with 4 bytes worth of hex characters (8 hexadecimal characters). Note that if this goes wrong / if you forget the password, there is no easy way, if at all, to recover. If you want to really be paranoid, here’s how I’d do it:
1B444E4752
A2E3000000FF
A2E5XXXXXXXX
This sets no pages, including password and configuration pages, to be protected, thus making it easy to rectify a mistake. I would then take the chip away from the reader then back into range and send 1BXXXXXXXX, making sure it returns PAK (00 by default). This indicates that the password was successfully set, and then A2E300000004 will write protect the data on the chip.
The datasheet is very helpful: https://dangerousthings.com/wp-content/uploads/doc_NT3H2111_2211.pdf
See page 51 for the PWD_AUTH command, page 55 for the WRITE command, page 14 for the NFC memory map, and pages 27-29 for password and access configuration information. If you wish to look at preventing reading the data on the tag without the password too, look at the NFC_PROT bit in the ACCESS byte… but be careful, there’s some pretty nasty settings in that page.
Also, I’d seriously recommend trying it on an NTAG I2C test card first (I’m happy to do so when I’m back from my holiday on the 11th of January), as I would not like to be responsible for bricking someone’s xSIID.
Another thing to note is that I’m not sure how apps support writing to password protected tags… it may be necessary to set the AUTH0 byte in page E3 back to E2 or FF to allow apps to easily write to the tag.
Please, do let me know if you need any more information / clarification, though I am off to bed so will respond in the morning. Hope this helps!
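The frames described in the post above, built and decoded in Python so they can be checked before being typed into NFC Shell. This is an added example, not part of the original post: the command codes and page numbers are the ones the post gives, the function names are hypothetical, and the new password `0A0B0C0D` is a constructed sample.

```python
# Added example: frame builder/decoder for the commands in the post above.
# Command codes (1B, A2) and pages (E3, E5) are as given in the post;
# all function names are hypothetical.
PWD_AUTH, WRITE = 0x1B, 0xA2
AUTH0_PAGE, PWD_PAGE = 0xE3, 0xE5

def pwd_auth(password: bytes) -> str:
    """PWD_AUTH frame: command byte followed by the 4-byte password."""
    if len(password) != 4:
        raise ValueError("password must be exactly 4 bytes")
    return (bytes([PWD_AUTH]) + password).hex().upper()

def write_page(page: int, data: bytes) -> str:
    """WRITE frame: command byte, page address, 4 data bytes."""
    if not 0 <= page <= 0xFF or len(data) != 4:
        raise ValueError("need a one-byte page address and 4 data bytes")
    return (bytes([WRITE, page]) + data).hex().upper()

def set_auth0(first_protected_page: int) -> str:
    """Write page E3 with three zero bytes, then AUTH0, as in the post."""
    return write_page(AUTH0_PAGE, bytes([0, 0, 0, first_protected_page]))

def cautious_sequence(old_pwd: bytes, new_pwd: bytes, auth0: int = 0x04):
    """Frames in the post's cautious order; re-present the tag after frame 3."""
    return [
        pwd_auth(old_pwd),              # authenticate with current password
        set_auth0(0xFF),                # protect nothing while changing it
        write_page(PWD_PAGE, new_pwd),  # store the new password
        pwd_auth(new_pwd),              # after re-presenting: confirm it works
        set_auth0(auth0),               # only now enable write protection
    ]

def describe(frame: str) -> str:
    """Decode a hex frame so it can be checked by eye before sending."""
    raw = bytes.fromhex(frame)
    if len(raw) == 5 and raw[0] == PWD_AUTH:
        return f"PWD_AUTH password={raw[1:].hex().upper()}"
    if len(raw) == 6 and raw[0] == WRITE:
        if raw[1] == AUTH0_PAGE:
            return f"WRITE page E3, AUTH0={raw[5]:02X}"
        return f"WRITE page {raw[1]:02X}, data={raw[2:].hex().upper()}"
    raise ValueError(f"unrecognised frame: {frame}")

if __name__ == "__main__":
    # Constructed sample: default password from the post, made-up new one.
    for f in cautious_sequence(b"DNGR", bytes.fromhex("0A0B0C0D")):
        print(f, "->", describe(f))
```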