Unable to write to ST25DV04k registers to block RF writes as eternal tags can write /erase user area 1.

RR C.1 · ‎2021-04-22

Hi, I am using ST25DV04k Tag and I can see an external tool can write to my Tag over RF.

I am trying to read RFA1SS, LOCK_CCFILE, LOCKFILE registers over I2C but always getting values as zeros. even if I write LOCK_CFG=1, LOCK_CCFILE=0x03, RFA1SS=0x0C, still external tool can write or erase user area 1 data.

please suggest me why all my system configs are reading as zeros and why I am unable to write or change the register values to lock/block RF write?

Thanks

Rakesh

JL. Lebon · ‎2021-06-01

Dear Rakesh,

Yes, your configuration is ok.

With RFA1SS=0x0C, RF will never be able to write area1, and will never be able to unlock it.

LOCK_CCFILE=0x00 is ok here, as you are using RFA1SS to write lock area1.

LOCK_CFG=0x01 will prevent RF to change configuration, that is to change RFA1SS (this is not mandatory since access to configuration registers is protected from RF write by password 0, but it is anyway a good additional security).

Best regards.

View solution in original post

JL. Lebon · ‎2021-05-04

Hello Rakesh,

The correct register to use to prevent RF from writing in user memory are RFA1SS, RFA2SS, RFA3SS and RFA4SS.

From which interface are you trying to write RFA1SS ? I2C or RF ?

To write RFA1SS from I2C, you should:

present I2C password (default password is 00 00 00 00 00 00 00 00)
you can check that I2C security session is opened by reading byte I2C_SSO (should read 01): Start/AEh/sAck/20h/sAck/04h/sAck/Start/AFh/sAck/01h/mNoAck/Stop
then you can write RFA1SS register, with for example value 05 (protected in write with password 1): Start/AEh/sAck/00h/sAck/04h/sAck/05h/sAck/Stop
EEPROM programing time will take 5ms to write the data into memory. It is mandatory to wait this time before being able to read/write again.
you can read back the RFA1SS to check, and should read 05: Start/AEh/sAck/00h/sAck/04h/sAck/Start/AFh/sAck/05h/mNoAck/Stop
then write from RF in area 1 should be impossible until the correct password 1 is presented first.

You can also write RFA1SS from RF (assuming you have not locked the configuration):

send Present Password command with password number 0 (default is 00 00 00 00 00 00 00 00)
send Write Config command with pointer 04 and value 05.

Of course, your area1 size must be configured accordingly. RFA1SS is protecting area1 only. So if you try to write to area 2 and RFA2SS is not configured to write protection, write will work.

Best reagrds.

RR C.1 · ‎2021-06-01

Hello Rebon,

Great response and Helped a lot.

I can block RF write and read all config registers including RFA1SS, LOCK_CFG, and LOCK_CCFILE after opening the secured I2C session.

Just can you check if the below configurations good for blocking all write over RF (user area 1 only)

RFA1SS =0x0C

LOCK_CCFILE=0x00

LOCK_CFG=0x01