The NTAG216 was designed for use in more typical NFC applications such as smart posters, labels, and other disposable use cases where the memory contents would typically be written and then locked so it could not be changed. This is done using built-in “lock bytes” which are OTP (one time programmable). That means that once the lock bytes are turned on to protect memory blocks, they can never be unlocked. Once any memory block is locked, it will forever be read-only, which is not ideal for the flexNExT. Many NFC applications offer ways to “lock” or “protect” your tag, which will end up locking the tag read-only. Because of this,
we have disabled the ability to change or set the lock bits in the flexNExT’s NTAG216 chip.
Before disabling the lock bytes however, there is one page of user memory we do lock down as read-only. That is the CC or Capability Container, located in memory page 03. This page of 4 bytes is required to have a specific format of data so the tag can be recognized and used as an NFC Type 2 tag. This memory page is also special in that the data stored there uses OTP bits, or “One Time Programmable” bits, meaning once a bit is flipped from 0 to 1, it cannot be flipped back to 0. It is critical that this memory page be locked as read-only so a malicious attacker can’t mess up your Capability Container, thus ruining the chip for use as an NFC compliant transponder. We set lock bytes to mark the Capability Container as read-only, then we disable the lock bytes so no other memory pages can be permanently set as read-only.
In addition to lock bytes, the NTAG216 offers a 32bit password protection function. It can be used to password-protect just writing to or both reading from and writing to the user memory space of the NTAG216 chip. Regardless of what some NFC smartphone apps indicate, it is not possible to remove or disable the password. It is only possible to set the password to the default hexadecimal value of 0xFF 0xFF 0xFF 0xFF. If the password is set to the default value, then anyone could easily authenticate, change the password, then write data or change protection options for your tag, and change the password to some unknown value. Because it is also possible to protect memory blocks from unauthenticated reads using a password, this could make the tag completely useless by not allowing any memory blocks to even be read. We set a default password value of 0x4E 0x45 0x78 0x54 or NExT, but strongly suggest you change it after installation.
Finally, many of the critical configuration bytes used by the NTAG216 chip are stored in the last few memory pages of the tag. This means that it may be possible for an NFC application that does not properly detect or honor the flexNExT’s NTAG216 chip memory schema to accidentally attempt to write binary or NDEF record data (the data you’re trying to store on the tag) overtop of the configuration bytes. For example, if the data you are attempting to write is longer than the user memory blocks available, the remainder of the data might be written overtop of configuration bytes, which contain settings that are potentially dangerous to modify such as the config lock byte. It is not possible to disable the configuration lock byte, so accidentally writing to that byte could result in your configuration being irreversibly locked. We password-protect the configuration bytes from being able to be written to or updated using the password feature of the NTAG216 chip. Overall, the flexNExT leaves the factory with the entire user memory space accessible and writable, while at the same time the configuration bytes and password values at the bottom end of the NTAG216 chip’s memory space are protected.
Once your flexNExT is installed, you’ll be able to use any NFC smartphone app to write data to the tag and not need to be afraid of accidentally locking the tag, or changing the configuration bytes, or someone maliciously locking your tag or changing your password. We suggest using NXP’s TagWriter app.
