Monza R6 Permalock Memory


This note will outline how to permalock memory of Monza R6. Monza R6 may be permalocked by sending a Gen2 compliant lock command with a payload of FFFFFh. This command will permalock (or lock permalock) all memory on a Monza R6 chip. By sending this command to a Monza R6 tag chip, EPC memory and Reserved memory (including AutoTune Enable/Disable bits) will be permanently locked.

Hardware Required

  • Windows host PC
  • Speedway Revolution with a Mini-Guardrail antenna, connected via Ethernet to the computer
  • An unlocked (ie factory default) Monza R6 tag

Software Required

Sample Application

First verify that the tag chip is not locked by writing a new EPC. Make sure the Monza R6 tag is in the field of view (FOV) of the reader antenna. Open ItemTest, connect to the reader, and start an inventory. Once the Monza R6 tag is inventoried, stop the inventory run, right click the tag inventoried, and select "Change EPC". By default, Monza R6 EPCs start with the characters "E280-1160-6000". Enter a new EPC such as "1111-2222-3333-4444-5555-6666", make sure you select the correct reader, and click "Apply".

Figure 1. New EPC written to Monza R6 tag

After successfully writing an EPC to the tag to verify the tag is not locked, exit ItemTest.

Next, use the sample application to perform a permalock operation. Extract the folder and open the project file "LockMR6EpcMemory.csproj" using Microsoft Visual C# 2010 or newer. Using the Solutions Explorer pane, open "SolutionConstraints.cs" and change the ReaderHostname to match the reader.

When the program runs, it will permalock any tags in the FOV of the reader antenna. Remove any tags from the FOV and select Debug->Start Debugging in Visual Studios. The program should display the text "Press enter to exit." Now move the R6 tag into the FOV to lock the chip.


Figure 2. Permalock Monza R6 tag

Once "Status : Success" appears on the screen, press enter to exit. The tag has been locked successfully! Note that if the status is "NoResponseFromTag", try moving the tag out and back in the FOV.

Verification of Permalock Status

To verify that a Monza R6 has been permalocked, there are two options available.

Option 1. Attempt to Re-Write EPC

A Monza R6 tag that has been permalocked cannot have its EPC changed. Attempting to re-write the tag with a new EPC will fail, with the tag response that the tag is locked.


Open ItemTest and attempt to write an EPC again to a permalocked Monza R6 tag. The write command failing means that the Monza R6 tag chip has been successfully permalocked!

Figure 3. New EPC failed to write to permalocked Monza R6 tag

Option 2. Read the Monza R6 Permalock Status Bit

Monza R6 tags have a status bit that is user readable to determine if the tag has been permalocked. This bit will only be set to 1 after the tag has been permalocked using the Gen2 lock command. The permalock status bit is 51h in Reserved memory. See the example below, which uses ItemTest to perform an inventory and then a tag memory access.

Read word 5 of Reserved memory. Bit 51h is the permalock bit (in bold below).

Unlocked Monza R6 tag
Hex:        3       A       9       8
Decimal: 0011 1010 1001 1000

After permalocking the tag using the sample application above, here is the result.

Permalocked Monza R6 tag
Hex:        7       A       9       8
Decimal: 0111 1010 1001 1000

mceclip0.pngFigure 4. Reading Reserved memory of a permalocked Monza R6 tag

The permalock status bit for the tag above is 1, so it has been permalocked.

Gen2 Lock Payload Explained

The lock payload structure for Monza R6 is formatted differently than what is used with other Monza tag chips while still being Gen2 compliant. The Gen2 lock command payload is outlined below, showing figure 6.25 and table 6.50 from EPCglobal Gen2 Specification V2.0.0. The payload consists of Mask and Action fields. To permanently lock or permalock all memory of Monza R6, send a payload of FFFFFh or 11111111111111111111b. This is the equivalent payload of lock permalocking Kill pwd, Access pwd, EPC memory, TID memory, and File_0 memory (or user memory, when present). 


This process is further outlined in the EPCglobal Gen2 Specification V2.0.0 in section Lock(mandatory):

A Tag shall implement memory locking and the Lock command. However, a Tag need not support all the Action fields in Figure 6.25, depending on whether a Tag implements the memory location associated with the Action field and that memory location is lockable and/or unlockable. If a Tag receives a Lock it cannot execute because one or more memory locations do not exist, or one or more of the Action fields attempt to change a permalocked value, or one or more of the memory locations are either not lockable or not unlockable, then the Tag shall not execute the Lock and instead treat the command’s parameters as unsupported (see Table C.30). The only exception to this general rule is for a Tag that (a) does not support File_N, N>0 and (b) whose only lock functionality is to permanently lock all memory (i.e. all memory banks and all passwords) at once; such a Tag shall execute a Lock whose payload is FFFFFh, and shall backscatter an error code for any payload other than FFFFFh.



Was this article helpful?
0 out of 0 found this helpful



Article is closed for comments.