Tag Encoding & EPC Memory

Every EPC Gen2 tag has exactly 4 memory banks, each serving a specific purpose. Understanding this structure is essential for encoding, reading, and securing your tags.

Bank 00 (Reserved): Contains the 32-bit Kill Password and 32-bit Access Password. Default values are 0x00000000. The kill password permanently disables the tag when sent — irreversible. The access password locks memory banks to prevent unauthorized writes.

Bank 01 (EPC): Contains StoredCRC (16 bits, auto-calculated), StoredPC/Protocol Control (16 bits, indicates EPC length and tag capabilities), and the EPC value itself — typically 96 bits (12 bytes) for SGTIN-96. Some tags support 128-bit or even 496-bit EPCs.

Bank 10 (TID): Factory-programmed Tag Identifier. Contains the chip manufacturer code, model number, and a unique serial number. This bank is read-only and can never be changed — making it invaluable for anti-counterfeiting and tag authentication.

Bank 11 (User): Optional additional storage. Size varies by chip: NXP UCODE 9 has 0 bits (no user memory), Quanray QStar-7U has 512 bits (64 bytes). Use it for batch numbers, inspection dates, temperature thresholds, or maintenance records. Always check available capacity before writing.

SGTIN-96 is the most widely used EPC scheme. It encodes a GTIN-14 (your product barcode) plus a unique serial number into exactly 96 bits (12 bytes). This allows up to 274 billion unique serial numbers per product type.

The 96-bit structure: Header (8 bits, always 0x30 for SGTIN-96) → Filter (3 bits: 0=all, 1=POS, 2=full case, 3=reserved, 4=inner pack, 5=reserved, 6=unit load, 7=component) → Partition (3 bits: defines how bits are split between company prefix and item reference) → Company Prefix (20–40 bits) → Item Reference (4–24 bits) → Serial Number (38 bits).

The Partition value (0–6) determines the Company Prefix length: P=0 → 40-bit prefix (12 digits), P=1 → 37-bit (11 digits), P=2 → 34-bit (10 digits), P=3 → 30-bit (9 digits), P=4 → 27-bit (8 digits), P=5 → 24-bit (7 digits), P=6 → 20-bit (6 digits). Your GS1 company prefix length determines which partition value to use.

┌────────┬──────┬─────┬──────────────┬──────────────┬──────────────┐
│ Header │Filter│Part │Company Prefix│Item Reference│   Serial     │
│ 8 bits │3 bits│3bits│  20-40 bits  │   4-24 bits  │   38 bits    │
│  0x30  │ 0-7  │ 0-6 │  GS1 prefix  │  product ref │  unique ID   │
└────────┴──────┴─────┴──────────────┴──────────────┴──────────────┘

Partition table (defines prefix/item bit allocation):
P=0: 40-bit prefix (12 digits)  P=4: 27-bit prefix (8 digits)
P=1: 37-bit prefix (11 digits)  P=5: 24-bit prefix (7 digits)
P=2: 34-bit prefix (10 digits)  P=6: 20-bit prefix (6 digits)
P=3: 30-bit prefix (9 digits)

Example: 3034257BF7194E4000001A85
  Header=0x30 Filter=1 Part=5 Prefix=0614141
  Item=812345 Serial=6789 → GTIN-14: 80614141123458

Beyond SGTIN-96, GS1 defines several other 96-bit EPC schemes for different supply chain identifiers. Each has its own header byte.

Reading tags during inventory is passive — the reader broadcasts a query and tags respond with their EPC from Bank 01. But you can also explicitly read any memory bank by sending a READ command with the bank number, word offset, and word count.

Writing to tags requires more precision. The tag must be singulated (only one tag responding), and writes happen one word (16 bits) at a time. A full 96-bit EPC write requires 6 sequential word writes. Each write takes 10–20ms, so encoding a single tag takes 60–120ms for EPC data alone.

Common write failures: Tag too far from antenna (needs stronger signal for writes than reads — bring tag within 1m). Multiple tags in field (singulation failed — isolate the target tag). Tag memory locked (access password required). Write verify failed (retry, or tag may be defective — typical defect rate is 1–3 per 10,000).

TX → 5A 00 01 02 11 00 0C [EPC_12_BYTES] [CRC16]

Write per 16-bit word: 10-20ms
Full 96-bit EPC = 6 words = 60-120ms total

With access password:
TX → 5A 00 01 02 11 00 10 [PWD_4B] [EPC_12B] [CRC16]

EPC Gen2 tags support two 32-bit passwords for security. The Access Password locks specific memory banks — once set, that bank requires the password before any read or write operation. The Kill Password permanently disables the tag when transmitted — an irreversible operation primarily used for consumer privacy in retail (destroying the tag after checkout).

Security best practices: Never use the default all-zeros password (0x00000000) in production — it provides zero security. Generate unique passwords per tag batch or use your company prefix as a seed. Store passwords in your backend system, never on the tag itself (the password memory can be read if the tag is unlocked). Lock the password banks after programming. Consider Untraceable mode (available on newer chips) which hides TID and reduces EPC, providing privacy without killing the tag.

GS1 Digital Link bridges physical RFID tags with web-accessible digital information. It converts EPC data into a standard URI that resolves to product information, authentication services, recall notices, or sustainability data.

The flow: Tag EPC (e.g., 3034257BF7194E4000001A85) → Decode to GTIN-14 (80614141123458) + Serial (6789) → Build URI: https://id.gs1.org/01/80614141123458/21/6789. This URI can resolve to your product page, authentication API, or any service registered in the GS1 Digital Link resolver network.

Practical uses: Scan a tagged garment in a retail store → URI resolves to product care instructions, sizing guide, and sustainability certifications. Scan a tagged pharmaceutical → URI resolves to authentication (is this product genuine?), expiry date, and recall status. Scan a tagged asset → URI resolves to maintenance history and inspection schedule.