Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2014-09-15 20:13:54

titon
Member
Registered: 2014-09-15
Posts: 7

Configuration cards

There seems to be very little documentation about such cards and what settings can be changed with them.

Does anyone on this forum have docs and/or even better some dumps of iClass "configuration cards" ?

Offline

#2 2014-09-16 05:51:13

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

The cards are easy to work out.
I'm not going to give the answers (or dumps - they contain keys) but I'll point you in the right direction...

There are a number of configuration card 'types'.
* Reader configuration.
* Firmware upgrade.
* Key management.

This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.

Offline

#3 2014-09-16 19:39:58

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Configuration cards

0xFFFF wrote:

This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.

That sounded so interesting, so I went ahead and downloaded it. It appears to be a password-protected zip-file - I'm not familiar with the ise extension, and from what I could see on the site, I didn't find any obvious ways to open the archive or install the driver(s). Any pointers here?

Offline

#4 2014-09-16 19:47:07

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Configuration cards

Are you looking for any specific information on configuration cards or just information in general?
As 0xFFFF stated, some configuration cards do contain 64-bit key data so they can't be disseminated on a public forum.
Those configuration cards allow a user to place a reader into high security mode using a new high security/Elite key or to simply modify the HID Master authentication key (if you have the correct 32-bit password).
The key information itself is encrypted on the card so it wouldn't be of much help to you unless you already have the HID Encryption keys.

On the other hand, the reader configuration type cards are much simpler to understand. Those cards are typically used to modify specific bytes in the reader EEPROM memory. An example card is shown below. In the example you can see in Block 7 that the card modifies EEPROM bytes 0xAC, 0xA8, 0xA7, and 0xA9 with data byte values of 0x00, 0x8F, 0x80, and 0x01 respectively. These byte changes are usually intended to modify reader operation with regards to the LEDs, beeper, output format, etc.

AV1 Configuration Card
Blk Stored Value      
00  3CDFA200FBFF12E0  
01  3FFFFFFFF9BFFF3C  
02  FEFFFFFFFFFFFFFF  
03  FFFFFFFFFFFFFFFF  
04  FFFFFFFFFFFFFFFF  
05  FFFFFFFFFFFFFFFF  
06  000000000000BF18  
07  AC00A88FA780A901  
08  0000000000000000  
09  0000000000000000  
0A  0000000000000000  
0B  0000000000000000  
0C  0000000000000000  
0D  0000000000000000  
0E  0000000000000000  
0F  0000000000000000  
10  0000000000000000  
11  0000000000000000  
12  0000000000000000  
13  FFFFFFFFFFFFFFFF  
14  FFFFFFFFFFFFFFFF  
15  FFFFFFFFFFFFFFFF  
16  FFFFFFFFFFFFFFFF  
17  FFFFFFFFFFFFFFFF  
18  FFFFFFFFFFFFFFFF  
19  FFFFFFFFFFFFFFFF  
1A  FFFFFFFFFFFFFFFF  
1B  FFFFFFFFFFFFFFFF  
1C  FFFFFFFFFFFFFFFF  
1D  FFFFFFFFFFFFFFFF  
1E  FFFFFFFFFFFFFFFF  
1F  FFFFFFFFFFFFFFFF 

The "Reset" Configuration card (shown below) can be your best friend. It is used to reset the reader back to its default (factory) configuration including the keys and all other user configurable options. This allows you to hopefully recover if you ever happen to screw up any of the normal operating parameters.

Reset Card
Blk Stored Value      
00  2CD3A700FBFF12E0  
01  3FFFFFFFF9BFFF3C  
02  FEFFFFFFFFFFFFFF  
03  FFFFFFFFFFFFFFFF  
04  FFFFFFFFFFFFFFFF  
05  FFFFFFFFFFFFFFFF  
06  000000000000001C  
07  0000000000000000  
08  0000000000000000  
09  0000000000000000  
0A  0000000000000000  
0B  0000000000000000  
0C  0000000000000000  
0D  0000000000000000  
0E  0000000000000000  
0F  0000000000000000  
10  0000000000000000  
11  0000000000000000  
12  0000000000000000  
13  FFFFFFFFFFFFFFFF  
14  FFFFFFFFFFFFFFFF  
15  FFFFFFFFFFFFFFFF  
16  FFFFFFFFFFFFFFFF  
17  FFFFFFFFFFFFFFFF  
18  FFFFFFFFFFFFFFFF  
19  FFFFFFFFFFFFFFFF  
1A  FFFFFFFFFFFFFFFF  
1B  FFFFFFFFFFFFFFFF  
1C  FFFFFFFFFFFFFFFF  
1D  FFFFFFFFFFFFFFFF  
1E  FFFFFFFFFFFFFFFF  
1F  FFFFFFFFFFFFFFFF 

Offline
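Added example, not code from the thread or from HID: a small Python decoder/encoder for the block-7 payload carl55 describes above, working on a dump in the same "Blk Stored Value" layout he posted. It assumes that block 7 holds up to four (EEPROM address, value) byte pairs and that an all-zero pair is padding, and it treats the two block-6 trailers seen on the page (BF18 on the EEPROM-patch cards, 001C on the reset card) as opaque card-type tags. Those are assumptions drawn from the dumps, not documented facts; the sample dump embedded below is constructed from the AV1 card above.

```python
"""Decode / build the block-7 EEPROM-patch payload of a legacy iCLASS reader
configuration card (added example; not HID's or the forum's own tooling)."""
from __future__ import annotations

# Constructed sample: blocks 0-7 of carl55's "AV1 Configuration Card" dump.
AV1_DUMP = """\
Blk Stored Value
00  3CDFA200FBFF12E0
01  3FFFFFFFF9BFFF3C
02  FEFFFFFFFFFFFFFF
03  FFFFFFFFFFFFFFFF
04  FFFFFFFFFFFFFFFF
05  FFFFFFFFFFFFFFFF
06  000000000000BF18
07  AC00A88FA780A901
"""

# Block-6 trailers as they appear on the page. What the individual bits mean is
# NOT documented in the thread; treating them as opaque type tags is an assumption.
BLOCK6_EEPROM_PATCH = bytes.fromhex("000000000000BF18")
BLOCK6_RESET = bytes.fromhex("000000000000001C")


def parse_dump(text: str) -> dict[int, bytes]:
    """Parse 'Blk Stored Value' lines into {block_number: 8 raw bytes}."""
    blocks: dict[int, bytes] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # header line or blank
        try:
            blk = int(parts[0], 16)
        except ValueError:
            continue
        data = bytes.fromhex(parts[1])
        if len(data) != 8:
            raise ValueError(f"block {blk:02X}: expected 8 bytes, got {len(data)}")
        blocks[blk] = data
    return blocks


def decode_patches(block7: bytes) -> list[tuple[int, int]]:
    """Block 7 = up to four (EEPROM address, value) byte pairs.
    Assumption: an all-zero pair (00 00) is padding and ends the list."""
    if len(block7) != 8:
        raise ValueError("block 7 must be 8 bytes")
    patches = []
    for i in range(0, 8, 2):
        addr, val = block7[i], block7[i + 1]
        if addr == 0 and val == 0:
            break
        patches.append((addr, val))
    return patches


def encode_patches(patches: list[tuple[int, int]]) -> bytes:
    """Inverse of decode_patches: pack 1..4 pairs, zero-padded to 8 bytes."""
    if not 0 < len(patches) <= 4:
        raise ValueError("block 7 holds 1..4 address/value pairs")
    out = bytearray()
    for addr, val in patches:
        if not (0 <= addr <= 0xFF and 0 <= val <= 0xFF):
            raise ValueError("address and value must be single bytes")
        if addr == 0 and val == 0:
            raise ValueError("00 00 is reserved as padding")
        out += bytes((addr, val))
    return bytes(out.ljust(8, b"\x00"))


def classify(blocks: dict[int, bytes]) -> str:
    """Name the card by its block-6 trailer (tags as seen on the page)."""
    b6 = blocks.get(6)
    if b6 == BLOCK6_EEPROM_PATCH:
        return "eeprom-patch"
    if b6 == BLOCK6_RESET:
        return "reset"
    return "unknown"


def describe(text: str) -> list[str]:
    """Summarise a dump: card type, then each EEPROM write it requests."""
    blocks = parse_dump(text)
    kind = classify(blocks)
    lines = [f"card type: {kind}"]
    if kind == "eeprom-patch":
        for addr, val in decode_patches(blocks[7]):
            lines.append(f"EEPROM[0x{addr:02X}] <- 0x{val:02X}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(AV1_DUMP)))
    # Block-7 payload of a card that rewrites only 0xA8:
    print(encode_patches([(0xA8, 0x6F)]).hex().upper())
```

Run it as-is to see the four EEPROM writes of the AV1 card listed; `encode_patches` gives the block-7 hex for a card of your own, with the remaining blocks (0 to 6) still needing to match a working config card, since block 6 is what tells the reader how to use the data.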

#5 2014-09-16 21:24:00

titon
Member
Registered: 2014-09-15
Posts: 7

Re: Configuration cards

Awesome. Thanks Carl55, this information is useful.
I was interested in the reader configuration type cards (i.e. disable buzzer, change output format, etc.), so the dumps you sent are quite useful to understand how it actually works.

Offline

#6 2014-09-16 21:49:38

proxmarkzzz
Contributor
Registered: 2014-04-23
Posts: 12

Re: Configuration cards

holiman wrote:
0xFFFF wrote:

This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.

That sounded so interesting, so I went ahead and downloaded it. It appears to be a password-protected zip-file - I'm not familiar with the ise extension, and from what I could see on the site, I didn't find any obvious ways to open the archive or install the driver(s). Any pointers here?

Indeed, under the hood it seems to be a (renamed) zip file which is password protected.

...

...

...

Offline

#7 2014-09-16 22:19:08

titon
Member
Registered: 2014-09-15
Posts: 7

Re: Configuration cards

proxmarkzzz wrote:

For more insight, you might want to have a closer look at the first conditional branch in the function ... of the ... class, located in the ... ibrary.

Gotta love .NET applications. smile

[...]
  ...
[...]

Offline

#8 2014-09-16 23:05:31

titon
Member
Registered: 2014-09-15
Posts: 7

Re: Configuration cards

carl55 wrote:

On the other hand, the reader configuration type cards are much simpler to understand. Those cards are typically used to modify specific bytes in the reader EEPROM memory. An example card is shown below. In the example you can see in Block 7 that the card modifies EEPROM bytes 0xAC, 0xA8, 0xA7, and 0xA9 with data byte values of 0x00, 0x8F, 0x80, and 0x01 respectively. These byte changes are usually intended to modify reader operation with regards to the LEDs, beeper, output format, etc.

One additional point to be added (based on my testing), the reader configuration card should be within reading distance of the reader when the reader is powered on in order for the EEPROM modification to happen.

Instructions are as follows:
1) Turn off the reader
2) Put the card within reading distance of the reader and leave it there
3) Turn on the reader
4) Hold the card to the reader until it stops beeping and the LED is solid red or flashing red/blue
5) Remove the card and restart the reader

Offline

#9 2014-09-17 06:38:20

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

titon wrote:

Gotta love .NET applications. smile

.

Offline

#10 2014-09-17 08:48:41

piwi
Contributor
Registered: 2013-06-04
Posts: 704

Re: Configuration cards

@Moderator or titon: I suggest that you remove or edit post #7 and maybe even #6. This opens a can of worms.

Offline

#11 2014-09-17 19:53:10

holiman
Contributor
Registered: 2013-05-03
Posts: 566

Re: Configuration cards

Oh c'mon, weren't we a bit too self-censoring just now? Most of the deleted info was ok to have public, imo, the only problematic part was *possibly* the source code excerpt.

Offline

#12 2014-09-18 05:16:11

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

holiman wrote:

Oh c'mon, weren't we a bit too self-censoring just now? Most of the deleted info was ok to have public, imo, the only problematic part was *possibly* the source code excerpt.

Yeah,...
The posts were modified to protect HID customers.

Offline

#13 2016-09-02 07:26:37

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Re: Configuration cards

I was able to crack the zip file with some reverse engineering of an application as discussed earlier but it's somewhat difficult to determine what the contents of the zip file really are. Does anyone have any light to shed on what the XML files are?

Offline

#14 2016-09-30 08:26:01

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

I'd be interested in helping - I would like to rekey some iClass readers - but HID have done a pretty good job of expunging the .ise from the Web. Can anyone point me in the direction of that file? I've happily reversed the key from the modern version of the app, too.

modhex(hlhbhthgiedtichthbidhnfchrhbhkidhfdtiihbhjduhuhgif)

Offline

#15 2016-10-03 12:26:00

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

So I came across readerconfig_plugin_2.4.0.10.ise, and see that my search was unnecessary: the PluginConfig and hive XML files are now included with the public Asure download along with the DataMapper DLL.

What I don't see are any useful details on the reader config bytes - there's nothing I can see about reader output formats, key rolling et cetera. Was this functionality superseded at some point? I do see quite a lot about the newer DESfire/Mifare and Seos systems.

What *is* quite interesting is those hives - probably more so to someone working on the newer systems. They are a mangled form of .NET assemblies which seems to be targeted at an embedded interpreter running on the Artemis SAM. It's a pretty serious piece of work; I wonder if it's a commercial product?

They do seem to be signed and there shouldn't be any key material in there, but there should be enough to puzzle out the reader rekeying format.

I put together a little parser which handles just the legacy config card programmer; the format's pretty hairy but it shouldn't be hard to fix it to work with them all. It doesn't parse the IL bytecodes but you can pull them apart by hand easily enough; where anything refers to types see the type and method tables dumped at the end of output.
https://gist.github.com/abrasive/b7f28e … 9e9425d78a

Of course after all this I find a) I still need the card and content encryption keys and b) it would probably have been easier (if way more expensive) to dump a reader. Now to try and find a RevA or two in Australia...

Offline

#16 2016-10-05 05:41:36

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

And now updated with a disassembler. Handles several of the files (though not all of them). Looks like it doesn't always get call targets correct, though. The "unknown" region of each file seems to contain referable data - many contain OIDs, for example.

https://gist.github.com/abrasive/d99660 … 27865a2078

Offline

#17 2016-11-08 05:50:37

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

@prof_abrasive, I'm also trying to track down the ise, can you point me in the right direction as to whereabouts you found it?

Does this ise file contain all configuration card data?

Offline

#18 2016-11-14 04:39:22

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

The .ise files don't appear to contain anything particularly useful for config card analysis. Everything in the .ise files I've seen can also be found in the latest public version of Asure ID. Perhaps there's an older one?

I did spend an afternoon with the RW400 firmware; here are the probable EEPROM config values I found in that time. I didn't find the readout encoding control, funnily enough (which is the one I care about).

EEPROM Options:
    0xA0 = wiegand pulse length
    0xA1 = wiegand interbit time

    0xA4: probably heartbeat interval
        if & 0x80, in units of 10 minutes?
        else, in units of 10 seconds?

    0xA5: heartbeat value (byte sent as heartbeat)

    0xA8:
        & 0x80: invert green LED in sub at 5f2c
        & 0x40: invert red LED in sub at 5f2c
        & 0x20: invert green LED?
        & 0x10: invert red LED?
        & 0x08: send a UART status from a routine at 6388
        & 0x04: heartbeat over Wiegand
        & 0x02: heartbeat over UART (possibly also global UART en/disable)
        & 0x01: global LED/beep disable? or external control

    0xA9:
        & 0x02: external LED/beep control?
            if set, pin RB5 = red, RB6 = green, RA6? = beeper, RB4 = HOLD?

    0xA6: beep pitch

    0xA7:
        & 0x02: controls RD1 initial state
        & 0x10: changes beep

Offline

#19 2016-11-14 05:09:54

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

This is gold! You wouldn't happen to be selling your RW400? I'm looking for one, I'd love to get a copy of the firmware, how did you reverse? IDA Pro?

I see you're in Sydney, I am as well, perhaps we could have coffee?

Offline

#20 2016-11-18 05:59:27

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

Some clarifications:

Config cards are read whenever presented - you don't need to cycle power. Key change cards are only accepted at power on afaict.

If the reader is in high security mode, it will only accept config cards that also have the high security key. This means that your reset card to go back to low security mode needs to have the high sec key too. Do be careful changing keys.

Option A8:
  & 0x80: blink green on card read
  & 0x40: blink red on card read
  & 0x20: green when idle
  & 0x10: red when idle

Setting it to 0x5x, for example, LED remains red in both card read and idle, while still allowing external control. 0x3x will set it to orange in idle and off in read.

Offline

#21 2016-11-18 06:05:42

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

Awwww yeah! big_smile

Offline

#22 2016-11-18 06:08:50

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

Whereabouts do you write this to? Like what block?

Offline

#23 2016-11-18 06:15:01

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

So for instance if I wanted to make a reader green on idle, I'd just need AC00A820A700A900 in block 7?

Last edited by dylanger (2016-11-18 06:15:28)

Offline

#24 2016-11-19 01:24:29

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

@prof_abrasive I can see you've likely opened the dumped firmware into IDA, would it be possible for you to post the dump? Even just a screenshot of sub-routine 0x5f2c

Offline

#25 2016-11-19 18:37:12

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Configuration cards

Here are the Default iClass Reader EEPROM Settings (After Reset Configuration Card)
Location 0xA8 = Beep On, Red LED (Idle), Flash Green on read

A0   07 50 28 19 00 AA 60 A0
A8   9F 00 88 01 02 0D 00 00
B0   42 1E 01 00 00 00 00 00
B8   00 00 00 00 00 00 00 00

Other Possible Reader LED Settings controlled by 0xA8 are as follows:

0xA8	Idle	Read
----	----	----

0F	Off	Off
1F	Red	Off
2F	Grn	Off
3F	Amber	Off	
4F	Off	Red
5F	Red	Red
6F	Grn	Red
7F	Amber	Red
8F	Off	Grn
9F	Red	Grn
AF	Grn	Grn
BF	Amber	Grn
CF	Off	Amber
DF	Red	Amber
EF	Grn	Amber
FF	Amber	Amber

EXAMPLE: If you want the reader LED to be Green on idle and flash Red on a read then you would use a configuration card that modifies Block 6 and Block 7 as follows:

Blk Stored Value      
00  2CDFA300FBFF12E0  
01  3FFFFFFFF9BFFF3C  
02  FEFFFFFFFFFFFFFF  
03  FFFFFFFFFFFFFFFF  
04  FFFFFFFFFFFFFFFF  
05  FFFFFFFFFFFFFFFF  
06  000000000000BF18  
07  A86F000000000000  
08  0000000000000000  
09  0000000000000000  
0A  0000000000000000  
0B  0000000000000000  
0C  0000000000000000  
0D  0000000000000000  
0E  0000000000000000  
0F  0000000000000000  
10  0000000000000000  
11  0000000000000000  
12  0000000000000000  
13  FFFFFFFFFFFFFFFF  
14  FFFFFFFFFFFFFFFF  
15  FFFFFFFFFFFFFFFF  
16  FFFFFFFFFFFFFFFF  
17  FFFFFFFFFFFFFFFF  
18  FFFFFFFFFFFFFFFF  
19  FFFFFFFFFFFFFFFF  
1A  FFFFFFFFFFFFFFFF  
1B  FFFFFFFFFFFFFFFF  

Here is the disassembled subroutine at 0x5F2C if you are still interested.

                      sub
005F2C 0x0E00             MOVLW 0x0                 ; 
005F2E 0xEC2A, 0xF006     CALL sub11                ; 
005F32 0x0E04             MOVLW 0x4                 ; 
005F34 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
005F38 0x0E6F             MOVLW 0x6F                ; 
005F3A 0x6EE9             MOVWF FSR0L, A            ; 
005F3C 0x0E01             MOVLW 0x1                 ; 
005F3E 0x6EEA             MOVWF FSR0H, A            ; 
005F40 0x50EF             MOVF INDF0, W, A          ; 
005F42 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
005F46 0x6E00             MOVWF 0xF00, A            ; 
005F48 0x6A01             CLRF 0xF01, A             ; 
005F4A 0x5001             MOVF 0xF01, W, A          ; 
005F4C 0x1000             IORWF 0xF00, W, A         ; 
005F4E 0xB4D8             BTFSC STATUS, Z, A        ; 
005F50 0xD044             BRA 0x5FDA                ; 
005F52 0x0E6F             MOVLW 0x6F                ; 
005F54 0x6EE9             MOVWF FSR0L, A            ; 
005F56 0x0E01             MOVLW 0x1                 ; 
005F58 0x6EEA             MOVWF FSR0H, A            ; 
005F5A 0x50EF             MOVF INDF0, W, A          ; 
005F5C 0x0B0F             ANDLW 0xF                 ; 
005F5E 0xCFE8, 0xF5B4     MOVFF WREG, 0x5B4         ; 
005F62 0x0105             MOVLB 0x5                 ; 
005F64 0x0E30             MOVLW 0x30                ; 
005F66 0x27B4             ADDWF 0xB4, F, BANKED     ; 
005F68 0xC170, 0xF000     MOVFF 0x170, 0x0          ; 
005F6C 0x0EC0             MOVLW 0xC0                ; 
005F6E 0x1600             ANDWF 0xF00, F, A         ; 
005F70 0xC5B4, 0xFFE8     MOVFF 0x5B4, WREG         ; 
005F74 0x2400             ADDWF 0xF00, W, A         ; 
005F76 0xCFE8, 0xF5B4     MOVFF WREG, 0x5B4         ; 
005F7A 0x0E70             MOVLW 0x70                ; 
005F7C 0x6EE9             MOVWF FSR0L, A            ; 
005F7E 0x0E01             MOVLW 0x1                 ; 
005F80 0x6EEA             MOVWF FSR0H, A            ; 
005F82 0x50EF             MOVF INDF0, W, A          ; 
005F84 0x0BC0             ANDLW 0xC0                ; 
005F86 0x0F20             ADDLW 0x20                ; 
005F88 0xCFE8, 0xF5B6     MOVFF WREG, 0x5B6         ; 
005F8C 0xAC81             BTFSS PORTB, 6, A         ; 
005F8E 0xD004             BRA 0x5F98                ; 
005F90 0x0105             MOVLB 0x5                 ; 
005F92 0x8FB4             BSF 0xB4, 7, BANKED       ; 
005F94 0x0105             MOVLB 0x5                 ; 
005F96 0x8FB6             BSF 0xB6, 7, BANKED       ; 
005F98 0x0E00             MOVLW 0x0                 ; 
005F9A 0xBA81             BTFSC PORTB, 5, A         ; 
005F9C 0x0E01             MOVLW 0x1                 ; 
005F9E 0x6E00             MOVWF 0xF00, A            ; 
005FA0 0x6A01             CLRF 0xF01, A             ; 
005FA2 0x0E01             MOVLW 0x1                 ; 
005FA4 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
005FA8 0x0E71             MOVLW 0x71                ; 
005FAA 0x6EE9             MOVWF FSR0L, A            ; 
005FAC 0x0E01             MOVLW 0x1                 ; 
005FAE 0x6EEA             MOVWF FSR0H, A            ; 
005FB0 0x50EF             MOVF INDF0, W, A          ; 
005FB2 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
005FB6 0x6E02             MOVWF 0xF02, A            ; 
005FB8 0x6A03             CLRF 0xF03, A             ; 
005FBA 0x5000             MOVF 0xF00, W, A          ; 
005FBC 0x1402             ANDWF 0xF02, W, A         ; 
005FBE 0x6EF6             MOVWF TBLPTRL, A          ; 
005FC0 0x5001             MOVF 0xF01, W, A          ; 
005FC2 0x1403             ANDWF 0xF03, W, A         ; 
005FC4 0x6EF7             MOVWF TBLPTRH, A          ; 
005FC6 0x10F6             IORWF TBLPTRL, W, A       ; 
005FC8 0xB4D8             BTFSC STATUS, Z, A        ; 
005FCA 0xD004             BRA 0x5FD4                ; 
005FCC 0x0105             MOVLB 0x5                 ; 
005FCE 0x8DB4             BSF 0xB4, 6, BANKED       ; 
005FD0 0x0105             MOVLB 0x5                 ; 
005FD2 0x8DB6             BSF 0xB6, 6, BANKED       ; 
005FD4 0xEC30, 0xF005     CALL sub20                ; Call LED/Sounder Routine

005FD8 0xD09E             BRA 0x6116                ; 
005FDA 0x0E6B             MOVLW 0x6B                ; 
005FDC 0x6EE9             MOVWF FSR0L, A            ; 
005FDE 0x0E01             MOVLW 0x1                 ; 
005FE0 0x6EEA             MOVWF FSR0H, A            ; 
005FE2 0x50EF             MOVF INDF0, W, A          ; 
005FE4 0xB4D8             BTFSC STATUS, Z, A        ; 
005FE6 0xD097             BRA 0x6116                ; 
005FE8 0x0E06             MOVLW 0x6                 ; 
005FEA 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
005FEE 0x0E70             MOVLW 0x70                ; 
005FF0 0x6EE9             MOVWF FSR0L, A            ; 
005FF2 0x0E01             MOVLW 0x1                 ; 
005FF4 0x6EEA             MOVWF FSR0H, A            ; 
005FF6 0x50EF             MOVF INDF0, W, A          ; 
005FF8 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
005FFC 0x6E00             MOVWF 0xF00, A            ; 
005FFE 0x3000             RRCF 0xF00, W, A          ; 
006000 0xA0D8             BTFSS STATUS, C, A        ; 
006002 0xD002             BRA 0x6008                ; 
006004 0x8481             BSF PORTB, 2, A           ; Turn on Red LED 
006006 0xD001             BRA 0x600A                ; 
006008 0x9481             BCF PORTB, 2, A           ; Turn off Red LED
00600A 0x0E07             MOVLW 0x7                 ; 
00600C 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
006010 0x0E70             MOVLW 0x70                ; 
006012 0x6EE9             MOVWF FSR0L, A            ; 
006014 0x0E01             MOVLW 0x1                 ; 
006016 0x6EEA             MOVWF FSR0H, A            ; 
006018 0x50EF             MOVF INDF0, W, A          ; 
00601A 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
00601E 0x6E00             MOVWF 0xF00, A            ; 
006020 0x3000             RRCF 0xF00, W, A          ; 
006022 0xA0D8             BTFSS STATUS, C, A        ; 
006024 0xD002             BRA 0x602A                ; 
006026 0x8281             BSF PORTB, 1, A           ;  Turn on Green LED (if valid card)
006028 0xD001             BRA 0x602C                ; 
00602A 0x9281             BCF PORTB, 1, A           ;  Turn off Green LED
00602C 0xBC81             BTFSC PORTB, 6, A         ; 
00602E 0x8281             BSF PORTB, 1, A           ;  Turn on Green LED 
006030 0x0E00             MOVLW 0x0                 ; 
006032 0xBA81             BTFSC PORTB, 5, A         ; 
006034 0x0E01             MOVLW 0x1                 ; 
006036 0x6E00             MOVWF 0xF00, A            ; 
006038 0x6A01             CLRF 0xF01, A             ; 
00603A 0x0E01             MOVLW 0x1                 ; 
00603C 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
006040 0x0E71             MOVLW 0x71                ; 
006042 0x6EE9             MOVWF FSR0L, A            ; 
006044 0x0E01             MOVLW 0x1                 ; 
006046 0x6EEA             MOVWF FSR0H, A            ; 
006048 0x50EF             MOVF INDF0, W, A          ; 
00604A 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
00604E 0x6E02             MOVWF 0xF02, A            ; 
006050 0x6A03             CLRF 0xF03, A             ; 
006052 0x5000             MOVF 0xF00, W, A          ; 
006054 0x1402             ANDWF 0xF02, W, A         ; 
006056 0x6EF6             MOVWF TBLPTRL, A          ; 
006058 0x5001             MOVF 0xF01, W, A          ; 
00605A 0x1403             ANDWF 0xF03, W, A         ; 
00605C 0x6EF7             MOVWF TBLPTRH, A          ; 
00605E 0x10F6             IORWF TBLPTRL, W, A       ; 
006060 0xA4D8             BTFSS STATUS, Z, A        ; 
006062 0x8481             BSF PORTB, 2, A           ;  Turn on Red LED 
006064 0x0E07             MOVLW 0x7                 ; 
006066 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
00606A 0x0E6F             MOVLW 0x6F                ; 
00606C 0x6EE9             MOVWF FSR0L, A            ; 
00606E 0x0E01             MOVLW 0x1                 ; 
006070 0x6EEA             MOVWF FSR0H, A            ; 
006072 0x50EF             MOVF INDF0, W, A          ; 
006074 0xEC08, 0xF005     CALL sub5                 ;extract bit 0-7 (specified by F7) in WReg 
006078 0x6E00             MOVWF 0xF00, A            ; 
00607A 0x6A01             CLRF 0xF01, A             ; 
00607C 0x5001             MOVF 0xF01, W, A          ; 
00607E 0x1000             IORWF 0xF00, W, A         ; 
006080 0xB4D8             BTFSC STATUS, Z, A        ; 
006082 0xD01E             BRA 0x60C0                ; 
006084 0x0E6E             MOVLW 0x6E                ; 
006086 0x6EE9             MOVWF FSR0L, A            ; 
006088 0x0E01             MOVLW 0x1                 ; 
00608A 0x6EEA             MOVWF FSR0H, A            ; 
00608C 0x50EF             MOVF INDF0, W, A          ; 
00608E 0x0FFE             ADDLW 0xFE                ; 
006090 0x6ECB             MOVWF PR2, A              ; 
006092 0x0EFE             MOVLW 0xFE                ; 
006094 0x6E00             MOVWF 0xF00, A            ; 
006096 0x0EFF             MOVLW 0xFF                ; 
006098 0x6E01             MOVWF 0xF01, A            ; 
00609A 0x0E6E             MOVLW 0x6E                ; 
00609C 0x6EE9             MOVWF FSR0L, A            ; 
00609E 0x0E01             MOVLW 0x1                 ; 
0060A0 0x6EEA             MOVWF FSR0H, A            ; 
0060A2 0x50EF             MOVF INDF0, W, A          ; 
0060A4 0x2400             ADDWF 0xF00, W, A         ; 
0060A6 0x6E02             MOVWF 0xF02, A            ; 
0060A8 0x0E00             MOVLW 0x0                 ; 
0060AA 0x2001             ADDWFC 0xF01, W, A        ; 
0060AC 0x6E03             MOVWF 0xF03, A            ; 
0060AE 0x3403             RLCF 0xF03, W, A          ; 
0060B0 0x3203             RRCF 0xF03, F, A          ; 
0060B2 0x3202             RRCF 0xF02, F, A          ; 
0060B4 0x5002             MOVF 0xF02, W, A          ; 
0060B6 0x6EBB             MOVWF CCPR2L, A           ; 
0060B8 0x0E07             MOVLW 0x7                 ; 
0060BA 0x6ECA             MOVWF T2CON, A            ; 
0060BC 0x0E0C             MOVLW 0xC                 ; 
0060BE 0x6EBA             MOVWF CCP2CON, A          ; 
0060C0 0x0E6B             MOVLW 0x6B                ; 
0060C2 0x6EE9             MOVWF FSR0L, A            ; 
0060C4 0x0E01             MOVLW 0x1                 ; 
0060C6 0x6EEA             MOVWF FSR0H, A            ; 
0060C8 0x50EF             MOVF INDF0, W, A          ; 
0060CA 0xEC7F, 0xF004     CALL sub48                ; 
0060CE 0x0E05             MOVLW 0x5                 ; 
0060D0 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
0060D4 0x0E70             MOVLW 0x70                ; 
0060D6 0x6EE9             MOVWF FSR0L, A            ; 
0060D8 0x0E01             MOVLW 0x1                 ; 
0060DA 0x6EEA             MOVWF FSR0H, A            ; 
0060DC 0x50EF             MOVF INDF0, W, A          ; 
0060DE 0xEC08, 0xF005     CALL sub5                 ;extract bit 0-7 (specified by F7) in WReg 
0060E2 0x6E00             MOVWF 0xF00, A            ; 
0060E4 0x3000             RRCF 0xF00, W, A          ; 
0060E6 0xA0D8             BTFSS STATUS, C, A        ; 
0060E8 0xD002             BRA 0x60EE                ; 
0060EA 0x8281             BSF PORTB, 1, A           ;  Turn on Green LED 
0060EC 0xD001             BRA 0x60F0                ; 
0060EE 0x9281             BCF PORTB, 1, A           ;  Turn off Green LED
0060F0 0x0E04             MOVLW 0x4                 ; 
0060F2 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
0060F6 0x0E70             MOVLW 0x70                ; 
0060F8 0x6EE9             MOVWF FSR0L, A            ; 
0060FA 0x0E01             MOVLW 0x1                 ; 
0060FC 0x6EEA             MOVWF FSR0H, A            ; 
0060FE 0x50EF             MOVF INDF0, W, A          ; 
006100 0xEC08, 0xF005     CALL sub5                 ;extract bit 0-7 (specified by F7) in WReg 
006104 0x6E00             MOVWF 0xF00, A            ; 
006106 0x3000             RRCF 0xF00, W, A          ; 
006108 0xA0D8             BTFSS STATUS, C, A        ; 
00610A 0xD002             BRA 0x6110                ; 
00610C 0x8481             BSF PORTB, 2, A           ;  Turn on Red LED 
00610E 0xD001             BRA 0x6112                ; 
006110 0x9481             BCF PORTB, 2, A           ; Turn off Red LED
006112 0x6ABA             CLRF CCP2CON, A           ; 
006114 0x9282             BCF PORTC, 1, A           ; 
006116 0xAA81             BTFSS PORTB, 5, A         ; 
006118 0xBC81             BTFSC PORTB, 6, A         ; 
00611A 0xD002             BRA 0x6120                ; 
00611C 0xAE81             BTFSS PORTB, 7, A         ; 
00611E 0xD013             BRA 0x6146                ; 
006120 0x0E00             MOVLW 0x0                 ; 
006122 0xCFE8, 0xF0F7     MOVFF WREG, 0xF7          ; 
006126 0x0E70             MOVLW 0x70                ; 
006128 0x6EE9             MOVWF FSR0L, A            ; 
00612A 0x0E01             MOVLW 0x1                 ; 
00612C 0x6EEA             MOVWF FSR0H, A            ; 
00612E 0x50EF             MOVF INDF0, W, A          ; 
006130 0xEC08, 0xF005     CALL sub5                 ; extract bit 0-7 (specified by F7) in WReg
006134 0x6E00             MOVWF 0xF00, A            ; 
006136 0x6A01             CLRF 0xF01, A             ; 
006138 0x5001             MOVF 0xF01, W, A          ; 
00613A 0x1000             IORWF 0xF00, W, A         ; 
00613C 0xB4D8             BTFSC STATUS, Z, A        ; 
00613E 0xD003             BRA 0x6146                ; 
006140 0x0E01             MOVLW 0x1                 ; 
006142 0xCFE8, 0xF5A0     MOVFF WREG, 0x5A0         ; 
006146 0xC5A0, 0xFFE8     MOVFF 0x5A0, WREG         ; 
00614A 0x0900             IORLW 0x0                 ; 
00614C 0xB4D8             BTFSC STATUS, Z, A        ; 
00614E 0x0012             RETURN                    ; 

Offline
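Added example, not code from the thread or from HID: a Python decoder/encoder for the 0xA8 LED byte, built from the bit meanings prof_abrasive posted in #20 (bit 7 green on read, bit 6 red on read, bit 5 green idle, bit 4 red idle) and checked against carl55's 16-row table above. The low nibble is carried through from the current value unchanged (0xF in the factory default 0x9F) because the thread does not settle what each of its bits does; `block7_for_a8` assumes, as in the example card above, that a single address/value pair followed by zeros is a valid block 7.

```python
"""Decode / build the 0xA8 LED configuration byte of a legacy iCLASS reader
(added example; the bit assignments come from the thread, not HID docs)."""
from __future__ import annotations

GREEN_ON_READ = 0x80  # bit 7: blink green on card read
RED_ON_READ = 0x40    # bit 6: blink red on card read
GREEN_IDLE = 0x20     # bit 5: green when idle
RED_IDLE = 0x10       # bit 4: red when idle

# Colour names as carl55's table uses them, keyed by (green << 1 | red).
_COLOUR = {0: "Off", 1: "Red", 2: "Grn", 3: "Amber"}
_BITS = {name: code for code, name in _COLOUR.items()}

FACTORY_DEFAULT_A8 = 0x9F  # per carl55: beep on, red idle, flash green on read


def decode_a8(value: int) -> tuple[str, str]:
    """Return (idle colour, read colour) for an 0xA8 byte."""
    if not 0 <= value <= 0xFF:
        raise ValueError("0xA8 is a single byte")
    idle = (2 if value & GREEN_IDLE else 0) | (1 if value & RED_IDLE else 0)
    read = (2 if value & GREEN_ON_READ else 0) | (1 if value & RED_ON_READ else 0)
    return _COLOUR[idle], _COLOUR[read]


def encode_a8(idle: str, read: str, current: int = FACTORY_DEFAULT_A8) -> int:
    """Build an 0xA8 value with the requested LED colours, keeping the low
    nibble of `current` untouched (its bits are not settled in the thread)."""
    i, r = _BITS[idle], _BITS[read]
    hi = 0
    if i & 2:
        hi |= GREEN_IDLE
    if i & 1:
        hi |= RED_IDLE
    if r & 2:
        hi |= GREEN_ON_READ
    if r & 1:
        hi |= RED_ON_READ
    return hi | (current & 0x0F)


def led_table(low_nibble: int = 0xF) -> list[tuple[int, str, str]]:
    """All 16 high-nibble combinations, in the order of carl55's table."""
    return [(hi << 4 | low_nibble, *decode_a8(hi << 4 | low_nibble)) for hi in range(16)]


def block7_for_a8(value: int) -> str:
    """Hex block-7 payload of a config card that writes only EEPROM 0xA8:
    one (address, value) pair, zero padded (assumption: zeros are padding)."""
    return bytes((0xA8, value)).ljust(8, b"\x00").hex().upper()


if __name__ == "__main__":
    for v, idle, read in led_table():
        print(f"{v:02X}\t{idle}\t{read}")
    want = encode_a8("Grn", "Red")  # carl55's "green idle, flash red" example
    print(f"0xA8 = {want:02X}, block 7 = {block7_for_a8(want)}")
```

Running it reproduces carl55's table line for line and ends with `0xA8 = 6F` and block 7 `A86F000000000000`, the same payload as his example card; prof_abrasive's two readings in #20 (0x5x = red in both states, 0x3x = amber idle, off on read) fall out of the same bits.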

#26 2016-11-19 22:39:49

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

This is great, thank you! Does Blk 6 need to be edited too? I can see BF == 18 is that required for writing to EEPROM directly?

Offline

#27 2016-11-20 01:18:22

kchung
Contributor
Registered: 2016-04-18
Posts: 25

Re: Configuration cards

Very confused here. Do configuration cards work without cycling power?

Offline

#28 2016-11-20 04:19:33

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Configuration cards

I have analyzed quite a few HID Configuration cards. The instructions on both the card and on the HID website state that the user must present the card within the first thirty seconds of power-up in order for the configuration card to be recognized. This requirement seems to hold true for every configuration card that I have ever analyzed and tested. I am not aware of any exceptions.
The information that is stored in Block 6 is relevant for all configuration cards. It must be written since it informs the reader how the information in all subsequent data blocks is to be used.

#29 2016-11-21 00:52:35

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

Some more testing is informative. My 6100AKN0000 will continue to accept a reset or key card at any time - at least out to more than five minutes - but only in High Security mode. When in regular mode it stops accepting cards shortly after power-on.

#30 2016-11-21 01:09:43

dylanger
Contributor
From: Sydney
Registered: 2016-06-22
Posts: 30

Re: Configuration cards

Interesting; more public research is needed. It seems some modes allow config cards. You guys have firmware dumps; perhaps HID have undocumented cards that are always allowed also?

#31 2016-11-21 03:28:09

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

Do the same config cards apply to iClass SE readers? I'm finding the reader will request block 6, then a read4 of blocks 6-9, then gives up trying to talk. Again I'm stuck trying to get the HS keys into the reader hmm

#32 2016-11-21 04:15:05

carl55
Contributor
From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Configuration cards

The following question and answer is from the HID Technical Support Knowledge Base website.

Why is the configuration card not being read on my iCLASS SE readers?
 
Version: 1.1
Part Numbers Affected: iCLASS/multiCLASS SE Readers (9XXX)
Firmware Version: N/A
Software Version: N/A
Serial Numbers: N/A
 
Problem: Why is the configuration card not being read on my iCLASS SE readers?
 
Solution: Confirm the following:
The configuration card is for an iCLASS SE reader. Legacy iCLASS configuration cards cannot be used on iCLASS SE readers.
You are presenting the configuration card during the period the LED is Magenta/Purple (usually the first five to thirty seconds after power up).
If the card still will not read, try disconnecting the LED wires from the reader to the panel:
If you try to load a configuration card onto an iCLASS SE reader that has the LED wires connected to a panel, the reader will not accept it. The LEDs will not change from the "solid idle red state" and the reader does not accept the configuration card. The LED lines wired to the panel prevent the reader from accepting the configuration card. Disconnect the LED lines from the panel and the reader will accept the configuration card.

#33 2016-11-21 04:38:00

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

Thanks Carl, I wish I'd been careful enough to find that (or check with your expertise!) before buying the wrong readers then smile

Last edited by prof_abrasive (2016-11-21 04:39:14)

#34 2016-12-09 01:23:12

prof_abrasive
Contributor
From: Sydney
Registered: 2016-09-30
Posts: 11

Re: Configuration cards

Some final notes:

RevC readers require some flags and the new key to be present in blocks 13-15 as well. This rules out using regular iClass cards with application limit 0x12 as config cards. You'd have to reprogram existing key configuration cards (if you can) or personalise a new PicoPass from scratch.

I managed to configure a couple of RevC readers by using a Proxmark to simulate a suitable card. Unfortunately the iClass tag emulation is basically unusable on my RevA and RevC readers, though it worked on the SE readers I had.

The software UART discards half the input samples, and with the peak detect timing on my Proxmark and the modulation timing on the readers it would miss edges and drop most of the packets most of the time. Interestingly, the effect varied with the Vcc supplied to the reader!

I wrote a total 1of4 replacement that uses all the input samples, up at http://github.com/abrasive/proxmark3 - which works great on RevCs. I haven't done any work to dial in reasonable timing in the higher level packet handling code so it doesn't seem to work on my RevA (the reader repeatedly issues READCHECK/CHECK 15 times and gives up).

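An added example, not code from this thread, from HID or from the Proxmark3 project: a small Python decoder for the PicoPass configuration block (block 1) that reports the application limit and the fuse settings and says which application area a given block number falls in. carl55 points out that block 6 tells the reader how to interpret the rest of a configuration card, and prof_abrasive's note above says RevC readers also want blocks 13-15 populated; with the application limit 0x12 mentioned there, those blocks sit inside application area 1. The byte layout and the fuse-bit meanings below are my reading of the PicoPass datasheet and of the Proxmark3 client's hf iclass decoder, so treat them as assumptions and check them against your own dumps. The sample block is constructed (application limit 0x12, the other bytes placeholders), not a dump of any real card.

```python
# Added example, not from the thread, HID or the Proxmark3 project: decode the PicoPass
# configuration block (block 1) and map block numbers to application areas. Layout and
# fuse-bit meanings are my reading of the PicoPass datasheet and the Proxmark3 client's
# hf iclass decoder: treat them as assumptions and confirm against your own dumps.
from typing import Dict, List

# Fuse byte bits (assumed layout, see above)
FUSE_FPERS = 0x80    # 1 = personalization mode (block 1 still programmable), 0 = application mode
FUSE_CRYPT1 = 0x10   # CRYPT1:CRYPT0 select the page's security mode
FUSE_CRYPT0 = 0x08
FUSE_RA = 0x01       # read access allowed without authentication

CRYPT_MODES = {
    0: "no authentication possible (readable only if RA is set)",
    1: "non-secured page",
    2: "secured page, keys locked",
    3: "secured page, keys not locked",
}

MAX_BLOCK_2K = 31    # a 2k PicoPass page holds blocks 0x00..0x1F


def decode_config_block(block1: bytes) -> Dict[str, object]:
    """Split block 1 into its fields: app limit, OTP, write lock, chip/mem config, EAS, fuses."""
    if len(block1) != 8:
        raise ValueError("a PicoPass block is exactly 8 bytes")
    app_limit, otp0, otp1, write_lock, chip_cfg, mem_cfg, eas, fuses = block1
    return {
        "app_limit": app_limit,                    # last block number in application area 1
        "otp": (otp1 << 8) | otp0,
        "block_write_lock": write_lock,
        "chip_config": chip_cfg,
        "mem_config": mem_cfg,
        "eas": eas,
        "personalization_mode": bool(fuses & FUSE_FPERS),
        "crypt": CRYPT_MODES[(fuses & (FUSE_CRYPT1 | FUSE_CRYPT0)) >> 3],
        "read_access_without_auth": bool(fuses & FUSE_RA),
    }


def application_area(block: int, app_limit: int) -> int:
    """Blocks 0..app_limit are AA1 (debit key Kd); everything above is AA2 (credit key Kc)."""
    return 1 if block <= app_limit else 2


def blocks_in_area(area: int, app_limit: int, max_block: int = MAX_BLOCK_2K) -> List[int]:
    """List the block numbers that fall in the given application area."""
    return [b for b in range(max_block + 1) if application_area(b, app_limit) == area]


# Constructed sample block 1 with the application limit 0x12 mentioned in the thread;
# the other bytes are placeholders, not a dump of any real card.
SAMPLE_BLOCK1 = bytes.fromhex("12FFFFFF7F1FFF3C")

if __name__ == "__main__":
    cfg = decode_config_block(SAMPLE_BLOCK1)
    for k, v in cfg.items():
        if isinstance(v, int) and not isinstance(v, bool):
            print(f"{k}: {v:#04x}")
        else:
            print(f"{k}: {v}")
    for blk in (6, 13, 14, 15):
        print(f"block {blk:#04x} is in AA{application_area(blk, cfg['app_limit'])}")
```

The decoder only looks at block 1, so it says nothing about what block 6 or blocks 13-15 mean to a reader; it just shows which area, and therefore which key (Kd for AA1, Kc for AA2), protects the blocks a configuration card has to carry, which is what decides whether a given card layout can hold that data at all.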

#35 2018-01-03 00:42:15

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Configuration cards

Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?

#36 2018-12-10 00:09:20

brantz
Contributor
Registered: 2014-03-19
Posts: 50

Re: Configuration cards

aaronml wrote:

Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?

Most likely for iclass SE readers, you need to purchase HID manufactured config cards, or you can use Asure ID to program one with the configuration files ordered from HID (Asure ID doesn't include them by default), such as key rolling, or whether to respond to legacy iclass/iclass SR credentials or SO only.

#37 2018-12-10 01:00:34

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

I can create my own configuration cards (keys & behavior) but I'm only achieving this using the CP1000/OK5427UE at the moment.
This can be done by writing your own software or using the necessary DLLs (included with a number of packages). Configuration cards are required but they can be reprogrammed.

#38 2018-12-10 05:31:39

Heru
Contributor
Registered: 2017-10-08
Posts: 78

Re: Configuration cards

brantz wrote:
aaronml wrote:

Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?

Most likely for iclass SE readers, you need to purchase HID manufactured config cards, or you can use Asure ID to program one with the configuration files ordered from HID (Asure ID doesn't include them by default), such as key rolling, or whether to respond to legacy iclass/iclass SR credentials or SO only.

@brantz

How can I contact you?

#39 2019-07-02 22:28:46

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Configuration cards

Interestingly (and not sure if it's been discussed here or not), the iClass SE reader config cards appear to be DESFire 4K cards. I'm surprised they didn't use PicoPass / normal "iClass SE" cards for this. The cards also seem to contain a contact-based smart card chip/interface...... anyone know what that is for?

#40 2019-07-03 00:10:02

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

Interesting. I don't recall seeing any DESFire cards used for configuration purposes.
The most common appears to be SmartMX P5CD081 running JCOP 31 v2.4.1 R3.

* Not all cards have a 7816 interface.
* I've never seen anyone use the contact interface.

#41 2019-07-03 02:23:15

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Configuration cards

0xFFFF wrote:

Interesting. I don't recall seeing any DESFire cards used for configuration purposes.
The most common appears to be SmartMX P5CD081 running JCOP 31 v2.4.1 R3.

* Not all cards have a 7816 interface.
* I've never seen anyone use the contact interface.

I'm probably mistaken in that case.....

My output was:
pm3 --> hf search
UID : [REDACTED]           
ATQA : 00 48         
SAK : 20 [1]         
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41         
MANUFACTURER : NXP Semiconductors Germany         
ATS : 14 78 F7 B1 02 80 59 01 80 41 52 54 45 43 46 47 73 00 01 1B AA 09           
       -  TL : length is 20 bytes         
       -  T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)         
       - TA1 : different divisors are NOT supported, DR: [2, 4, 8], DS: [2, 4, 8]         
       - TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 11 (FWT = 8388608/fc)         
       - TC1 : NAD is NOT supported, CID is supported         
[=] Answers to magic commands: NO         
         
[+] Valid ISO14443-A Tag Found
I didn't actually realize that NXP made JCOP cards smile. Is there a way of using a PM3 to find out for sure? AFAIK there isn't currently a PM3 command set for JCOP. Thanks!

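The hf search output in the post above can be checked by hand. What follows is an added example, not part of aaronml's post and not code from the Proxmark3 client: a Python parser for the ISO/IEC 14443-4 ATS that decodes TL, T0, TA1, TB1 and TC1 into the same fields the client prints, plus the two SAK bits ISO/IEC 14443-3 actually defines. The ATS bytes are copied from the post; I assume the trailing AA 09 are the CRC_A that the client prints together with the frame, so the parser reads only the TL bytes announced by the first byte.

```python
# Added example, not from the post or the Proxmark3 client: decode an ISO/IEC 14443-4 ATS
# and a SAK byte by hand so the fields printed by "hf search" can be checked.
from typing import Dict, List

# ATS copied from the post. The last two bytes (AA 09) are assumed to be the CRC_A that
# the client prints with the frame; TL (0x14 = 20) covers only the bytes before them.
ATS_FROM_POST = bytes.fromhex("1478F7B10280590180415254454346477300011BAA09")
SAK_FROM_POST = 0x20

# FSCI -> FSC (largest frame the card accepts), ISO/IEC 14443-4 table; codes above 8 are RFU.
FSCI_TO_FSC = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128, 8: 256}
# FWT and SFGT are (256 * 16 / fc) * 2^n carrier periods.
BASE_UNITS = 256 * 16


def _divisors(bits: int) -> List[int]:
    """Map three bit-rate support bits (b1 = D2, b2 = D4, b3 = D8) to a divisor list."""
    return [d for i, d in enumerate((2, 4, 8)) if bits & (1 << i)]


def parse_ats(raw: bytes) -> Dict[str, object]:
    """Parse TL, T0, TA1, TB1, TC1 and the historical bytes of an ATS."""
    tl = raw[0]
    if tl < 1 or tl > len(raw):
        raise ValueError("TL does not match the captured length")
    ats = raw[:tl]                       # drop anything after TL (CRC bytes)
    idx = 2

    def next_byte() -> int:
        nonlocal idx
        if idx >= tl:
            raise ValueError("ATS truncated: T0 announces more interface bytes than TL holds")
        value = ats[idx]
        idx += 1
        return value

    out: Dict[str, object] = {"TL": tl, "historical": b""}
    if tl == 1:                          # minimal ATS: no T0 at all
        return out
    t0 = ats[1]
    out["FSCI"] = t0 & 0x0F
    out["FSC"] = FSCI_TO_FSC.get(t0 & 0x0F, 256)   # RFU codes are treated as 256
    if t0 & 0x10:                        # TA1 present: bit-rate capabilities
        ta1 = next_byte()
        out["TA1"] = {
            "same_d_both_directions_only": bool(ta1 & 0x80),
            "DS": _divisors((ta1 >> 4) & 0x07),   # PICC -> PCD
            "DR": _divisors(ta1 & 0x07),          # PCD -> PICC
        }
    if t0 & 0x20:                        # TB1 present: frame waiting / start-up guard times
        tb1 = next_byte()
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        out["TB1"] = {"FWI": fwi, "FWT_fc": BASE_UNITS << fwi,
                      "SFGI": sfgi, "SFGT_fc": BASE_UNITS << sfgi}
    if t0 & 0x40:                        # TC1 present: NAD / CID support
        tc1 = next_byte()
        out["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    out["historical"] = bytes(ats[idx:])
    return out


def decode_sak(sak: int) -> Dict[str, bool]:
    """Only two SAK bits are defined by ISO/IEC 14443-3; the rest is vendor-specific,
    which is why one SAK value maps to several chip families in the TYPE line."""
    return {"uid_incomplete": bool(sak & 0x04),        # cascade bit
            "iso14443_4_compliant": bool(sak & 0x20)}


def printable(data: bytes) -> str:
    """Render historical bytes with non-printable values shown as dots."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    info = parse_ats(ATS_FROM_POST)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("historical (ascii):", printable(bytes(info["historical"])))
    print("SAK:", decode_sak(SAK_FROM_POST))
```

Decoding the SAK shows why the TYPE line lists DESFire, Plus and JCOP side by side: SAK 0x20 only says "ISO 14443-4 compliant, UID complete", which all of those chips share, so the client's type guess is a lookup on SAK/ATQA rather than an identification. Anything firmer has to come from the ATS historical bytes or from talking to the card at the application layer, which is what the next reply suggests.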

#42 2019-07-03 05:52:22

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

Ah ok. I can see why you would've made that assumption now.
I wouldn't rely on the type or manufacturer information. It is certainly helpful when inspecting cards but I would advise further inspection.
These configuration cards are very interesting (especially the older ones)!

You might want to have a look at Global Platform - gpshell, GlobalPlatformPro.

#43 2019-07-09 03:22:18

aaronml
Contributor
Registered: 2018-01-02
Posts: 30

Re: Configuration cards

0xFFFF wrote:

Ah ok. I can see why you would've made that assumption now.
I wouldn't rely on the type or manufacturer information. It is certainly helpful when inspecting cards but I would advise further inspection.
These configuration cards are very interesting (especially the older ones)!

You might want to have a look at Global Platform - gpshell, GlobalPlatformPro.

Thanks — will do! Interestingly enough, the OmniKey 5027 reader does appear to use DESFire EV1-based config cards https://www.hidglobal.com/doclib/files/resource_files/plt-03824_a.0_-_omnikey_5027_software_developer_guide.pdf though that is obviously a different use case.

The use of JCOP technology for SE Reader config cards is interesting though.... I guess they liked it enough to develop SEOS with it smile

#44 2019-07-09 05:05:53

0xFFFF
Administrator
From: Vic - Australia
Registered: 2011-05-31
Posts: 632

Re: Configuration cards

The OmniKey configuration cards are totally different (IIRC).
Not sure if there is anything worth investigating there. Either way it is a project for another time.
