Question
I'm trying to password protect an NFC NTAG216 sticker using iOS 13. I need the NFC tag to be readable by anyone but I want to limit the writing to the NFC tag unless you have the preset password. According to the specs of the tag, this should be possible but the API for writing NDEF tags is very limited it seems. I found out that the API for NDEF tags is mostly limited to writing full message payloads. I also found that the NFCISO15693Tag API does allow some low-level operations according to Apple documentation https://developer.apple.com/documentation/corenfc/nfciso15693tag/3043817-writesingleblock
Could anyone give me a hint on how to password protect NDEF216 tags using NFC Core in iOS 13? Seeing the NTAG216 spec sheet we should work with a PWD and PACK parameter but I don't see how to write these to the sticker with only having the option to write full message payloads?
The behavior I'm looking for:
- The user receives an empty NFC tag
- The user uses the iOS app to write data to NFC tag
- User can now choose a password to protect the tag from getting overwritten
Then after a while, the user will need to update the tag himself, so I want this behavior
- User Enters password for unlocking the NFC tag
- User unlocks the chip by tapping the phone on a chip
- The user now writes new data to the chip
- The user now locks the chip again using the same or new password-free of choice
Any help in the right direction is much appreciated
Answer 1:
You can use the following method in iOS for sending any command to NTAG:
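    import CoreNFC

    // `tag` is the connected NFCMiFareTag; `data` holds the raw command bytes,
    // passed as Data because that is what sendMiFareCommand accepts.
    func sendCommand(data: Data, completionHandler: @escaping (Data?, Error?) -> Void) {
        tag?.sendMiFareCommand(commandPacket: data, completionHandler: { (data, error) in
            completionHandler(data, error)
        })
    }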
where, parameter data is the command APDU and tag object is of type NFCMiFareTag.
Command APDU to write password & PACK to NFC Tag:
- Password (FF FF FF FF): [Write cmd: CMD | Address | Data] -> A2 E5 FF FF FF FF
- PACK (01 02): [Write cmd: CMD | Address | Data] -> A2 E6 01 02 RFU RFU
Note: In place of RFU you can simply write 00h or you can retain the values by following steps:
- Read page E6h ----> You will receive 16 bytes (4 page) data ----> Take out the first 4 bytes, which will be the data on E6 page ----> Replace 0th and 1st byte with PACK value to be written ----> Write the updated 4 bytes data to E6h using write command as mentioned above.
Activating Protection
Once the Password and PACK values are configured onto NFC tag, next step would be to activate the protection by defining from which page the read/write access must need authentication. In order to do that:
- Read page E3h ---> Copy the first 4 bytes into data[]
- Over-write the AUTH0 value at index 3, with the first user page number 04h, which means any page starting from 04h will need authentication for read (by default) access
Accessing Read protected pages
- User Enters PWD & PACK for unlocking the Tag
- Authenticate the tag using the entered data, using following command:
- Authenticate: [Command(1Bh) | PWD] --> 1B FF FF FF FF
- The Tag will respond with the PACK value, which can be verified by matching it with the PACK value that you have for extra security
- Now that the tag is in authenticated state, data can be written to tag. Note: Once the tag goes out of the field, the authentication state gets reset. Therefore, you have to authenticate and write the data in the same session.
- Unless there is need of changing the PWD/PACK, no further action is needed as the tag goes back to protected state every time the session is complete i.e. comes out of field.
You can refer NTAG 213/215/216 Data sheet
Answer 2:
NTAG 216 is a Mifare Ultralight Tag
Use https://developer.apple.com/documentation/corenfc/nfcmifaretag/3043838-sendmifarecommand
If you look at the datasheet https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf Section 8.8.1
The 32-bit PWD and the 16-bit PACK need to be programmed into the configuration pages, see Section 8.5.7
https://stackoverflow.com/a/44546511/2373819 goes in to detail about setting and using the password on the same type of tag, while this is for Android it is the same concept.
Use a normal ultralight write command A2h to write the PWD to E5h page (page addresses are for the NTAG 216) and the PACK to bytes 0 & 1 of the E6h
Again use the normal ultralight write command to byte 3 of page E3h to configure the first page that is password protected (probably you would want 4h as the first page)
Again use the normal ultralight write command to write the right bits in page E4h to enable the right level of protect and other parameters (you might want to read this page first to get the current values)
The doc on Apple's website seems wrong about the CRC; see https://stackoverflow.com/a/60463724/2373819 for an example for sending to a Mifare Ultralight tag on iOS.
Just a note I've not actually tried setting a password with iOS.
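An added example, not part of either answer: Swift helpers that build the command frames both answers describe (WRITE A2h, READ 30h, PWD_AUTH 1Bh) and do the read-modify-write of pages E3h and E4h, producing Data values that can be passed to sendMiFareCommand. The helper names are hypothetical, the position of the PROT bit in ACCESS is taken from the NTAG213/215/216 data sheet rather than from the answers, and the frames are built without CRC bytes, which is an assumption.

```swift
import Foundation

// Added example: names are hypothetical; page addresses are those given in the answers.
enum NTAG216 {
    static let cfg0: UInt8 = 0xE3   // byte 3 = AUTH0
    static let cfg1: UInt8 = 0xE4   // byte 0 = ACCESS
    static let pwd:  UInt8 = 0xE5   // 4-byte password
    static let pack: UInt8 = 0xE6   // bytes 0-1 = PACK, bytes 2-3 = RFU
}

enum FrameError: Error { case badLength }

/// WRITE (A2h): writes exactly one 4-byte page.
func writePage(_ page: UInt8, _ bytes: [UInt8]) throws -> Data {
    guard bytes.count == 4 else { throw FrameError.badLength }
    return Data([0xA2, page] + bytes)
}

/// READ (30h): the tag answers with 16 bytes (4 pages) starting at `page`.
func readPage(_ page: UInt8) -> Data { Data([0x30, page]) }

/// PWD_AUTH (1Bh) followed by the 4-byte password.
func pwdAuth(_ pwd: [UInt8]) throws -> Data {
    guard pwd.count == 4 else { throw FrameError.badLength }
    return Data([UInt8(0x1B)] + pwd)
}

/// Read-modify-write of E3h: keep bytes 0-2 as read, set AUTH0 (byte 3).
func setAuth0(readResponse: Data, firstProtectedPage: UInt8) throws -> Data {
    guard readResponse.count >= 4 else { throw FrameError.badLength }
    var page = [UInt8](readResponse.prefix(4))
    page[3] = firstProtectedPage
    return try writePage(NTAG216.cfg0, page)
}

/// Read-modify-write of E4h: PROT is bit 7 of ACCESS (byte 0).
/// PROT = 0 protects writes only; PROT = 1 protects reads and writes.
func setProt(readResponse: Data, protectReads: Bool) throws -> Data {
    guard readResponse.count >= 4 else { throw FrameError.badLength }
    var page = [UInt8](readResponse.prefix(4))
    page[0] = protectReads ? (page[0] | 0x80) : (page[0] & 0x7F)
    return try writePage(NTAG216.cfg1, page)
}

/// Compare the 2-byte PACK returned by PWD_AUTH with the expected value.
func packMatches(_ response: Data, expected: [UInt8]) -> Bool {
    response.count == 2 && [UInt8](response) == expected
}
```

Send the PWD and PACK writes first and the AUTH0 write last: once AUTH0 is 04h, the configuration pages E3h to E6h fall inside the protected range as well, so any later change to them needs PWD_AUTH in the same session.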
Source: https://stackoverflow.com/questions/63206619/how-to-password-protect-writing-to-nfc-ntag216-tag-on-ios-13-using-nfc-core