Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
There seems to be very little documentation about such cards and what settings can be changed with them.
Does anyone on this forum have docs and/or even better some dumps of iClass "configuration cards" ?
The cards are easy to work out.
I'm not going to give the answers (or dumps - they contain keys) but I'll point you in the right direction...
There are a number of configuration card 'types'.
* Reader configuration.
* Firmware upgrade.
* Key management.
This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.
This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.
That sounded so interesting, so I went ahead and downloaded it. It appears to be a password-protected zip-file - I'm not familiar with the ise extension, and from what I could see on the site, I didn't find any obvious ways to open the archive or install the driver(s). Any pointers here?
Are you looking for any specific information on configuration cards or just information in general?
As 0xFFFF stated, some configuration cards do contain 64-bit key data so they can't be disseminated on a public forum.
Those configuration cards allow a user to place a reader into high security mode using a new high security/Elite key or to simply modify the HID Master authentication key (if you have the correct 32-bit password).
The key information itself is encrypted on the card so it wouldn't be of much help to you unless you already have the HID Encryption keys.
On the other hand, the reader configuration type cards are much simpler to understand. Those cards are typically used to modify specific bytes in the reader EEPROM memory. An example card is shown below. In the example you can see in Block 7 that the card modifies EEPROM bytes 0xAC, 0xA8, 0xA7, and 0xA9 with data byte values of 0x00, 0x8F, 0x80, and 0x01 respectively. These byte changes are usually intended to modify reader operation with regards to the LEDs, beeper, output format, etc.
AV1 Configuration Card
Blk Stored Value
00 3CDFA200FBFF12E0
01 3FFFFFFFF9BFFF3C
02 FEFFFFFFFFFFFFFF
03 FFFFFFFFFFFFFFFF
04 FFFFFFFFFFFFFFFF
05 FFFFFFFFFFFFFFFF
06 000000000000BF18
07 AC00A88FA780A901
08 0000000000000000
09 0000000000000000
0A 0000000000000000
0B 0000000000000000
0C 0000000000000000
0D 0000000000000000
0E 0000000000000000
0F 0000000000000000
10 0000000000000000
11 0000000000000000
12 0000000000000000
13 FFFFFFFFFFFFFFFF
14 FFFFFFFFFFFFFFFF
15 FFFFFFFFFFFFFFFF
16 FFFFFFFFFFFFFFFF
17 FFFFFFFFFFFFFFFF
18 FFFFFFFFFFFFFFFF
19 FFFFFFFFFFFFFFFF
1A FFFFFFFFFFFFFFFF
1B FFFFFFFFFFFFFFFF
1C FFFFFFFFFFFFFFFF
1D FFFFFFFFFFFFFFFF
1E FFFFFFFFFFFFFFFF
1F FFFFFFFFFFFFFFFF
The "Reset" Configuration card (shown below) can be your best friend. It is used to reset the reader back to its default (factory) configuration including the keys and all other user configurable options. This allows you to hopefully recover if you ever happen to screw up any of the normal operating parameters.
Reset Card
Blk Stored Value
00 2CD3A700FBFF12E0
01 3FFFFFFFF9BFFF3C
02 FEFFFFFFFFFFFFFF
03 FFFFFFFFFFFFFFFF
04 FFFFFFFFFFFFFFFF
05 FFFFFFFFFFFFFFFF
06 000000000000001C
07 0000000000000000
08 0000000000000000
09 0000000000000000
0A 0000000000000000
0B 0000000000000000
0C 0000000000000000
0D 0000000000000000
0E 0000000000000000
0F 0000000000000000
10 0000000000000000
11 0000000000000000
12 0000000000000000
13 FFFFFFFFFFFFFFFF
14 FFFFFFFFFFFFFFFF
15 FFFFFFFFFFFFFFFF
16 FFFFFFFFFFFFFFFF
17 FFFFFFFFFFFFFFFF
18 FFFFFFFFFFFFFFFF
19 FFFFFFFFFFFFFFFF
1A FFFFFFFFFFFFFFFF
1B FFFFFFFFFFFFFFFF
1C FFFFFFFFFFFFFFFF
1D FFFFFFFFFFFFFFFF
1E FFFFFFFFFFFFFFFF
1F FFFFFFFFFFFFFFFF
Awesome. Thanks Carl55, this information is useful.
I was interested in the reader configuration type cards (i.e. disable buzzer, change output format, etc.), so the dumps you sent are quite useful to understand how it actually works.
0xFFFF wrote:This might be of interest if you're a MS person with basic reversing skills...
http://www.hidglobal.com/drivers?field_brand_tid=2566&product_id=All&os=All
...download iclass_plugin_2.4.0.10.ise.
That sounded so interesting, so I went ahead and downloaded it. It appears to be a password-protected zip-file - I'm not familiar with the ise extension, and from what I could see on the site, I didn't find any obvious ways to open the archive or install the driver(s). Any pointers here?
Indeed, under the hood it seems to be a (renamed) zip file which is password protected.
...
...
...
For more insight, you might want to have a closer look at the first conditional branch in the function ... of the ... class, located in the ... ibrary.
Gotta love .NET applications.
[...]
...
[...]
On the other hand, the reader configuration type cards are much simpler to understand. Those cards are typically used to modify specific bytes in the reader EEPROM memory. An example card is shown below. In the example you can see in Block 7 that the card modifies EEPROM bytes 0xAC, 0xA8, 0xA7, and 0xA9 with data byte values of 0x00, 0x8F, 0x80, and 0x01 respectively. These byte changes are usually intended to modify reader operation with regards to the LEDs, beeper, output format, etc.
One additional point to add (based on my testing): the reader configuration card should be within reading distance of the reader when the reader is powered on in order for the EEPROM modification to happen.
Instructions are as follows:
1) Turn off the reader.
2) Put the card within reading distance of the reader and leave it there.
3) Turn on the reader.
4) Hold the card to the reader until it stops beeping and the LED is solid red or flashing red/blue.
5) Remove the card and restart the reader.
Gotta love .NET applications.
.
@Moderator or titon: I suggest that you remove or edit post #7 and maybe even #6. This opens a can of worms.
Oh c'mon, weren't we a bit too self-censoring just now? Most of the deleted info was ok to have public, imo, the only problematic part was *possibly* the source code excerpt.
Oh c'mon, weren't we a bit too self-censoring just now? Most of the deleted info was ok to have public, imo, the only problematic part was *possibly* the source code excerpt.
Yeah,...
The posts were modified to protect HID customers.
I was able to crack the zip file with some reverse engineering of an application as discussed earlier but it's somewhat difficult to determine what the contents of the zip file really are. Does anyone have any light to shed on what the XML files are?
I'd be interested in helping - I would like to rekey some iClass readers - but HID have done a pretty good job of expunging the .ise from the Web. Can anyone point me in the direction of that file? I've happily reversed the key from the modern version of the app, too.
modhex(hlhbhthgiedtichthbidhnfchrhbhkidhfdtiihbhjduhuhgif)
So I came across readerconfig_plugin_2.4.0.10.ise, and see that my search was unnecessary: the PluginConfig and hive XML files are now included with the public Asure download along with the DataMapper DLL.
What I don't see are any useful details on the reader config bytes - there's nothing I can see about reader output formats, key rolling et cetera. Was this functionality superseded at some point? I do see quite a lot about the newer DESfire/Mifare and Seos systems.
What *is* quite interesting is those hives - probably more so to someone working on the newer systems. They are a mangled form of .NET assemblies which seems to be targeted at an embedded interpreter running on the Artemis SAM. It's a pretty serious piece of work; I wonder if it's a commercial product?
They do seem to be signed and there shouldn't be any key material in there, but there should be enough to puzzle out the reader rekeying format.
I put together a little parser which handles just the legacy config card programmer; the format's pretty hairy but it shouldn't be hard to fix it to work with them all. It doesn't parse the IL bytecodes but you can pull them apart by hand easily enough; where anything refers to types see the type and method tables dumped at the end of output.
https://gist.github.com/abrasive/b7f28e … 9e9425d78a
Of course after all this I find a) I still need the card and content encryption keys and b) it would probably have been easier (if way more expensive) to dump a reader. Now to try and find a RevA or two in Australia...
And now updated with a disassembler. Handles several of the files (though not all of them). Looks like it doesn't always get call targets correct, though. The "unknown" region of each file seems to contain referable data - many contain OIDs, for example.
@prof_abrasive, I'm also trying to track down the ise; can you point me in the right direction as to whereabouts you found it?
Does this ise file contain all configuration card data?
The .ise files don't appear to contain anything particularly useful for config card analysis. Everything in the .ise files I've seen can also be found in the latest public version of Asure ID. Perhaps there's an older one?
I did spend an afternoon with the RW400 firmware; here are the probable EEPROM config values I found in that time. I didn't find the readout encoding control, funnily enough (which is the one I care about).
EEPROM Options:
0xA0 = wiegand pulse length
0xA1 = wiegand interbit time
0xA4: probably heartbeat interval
    if & 0x80, in units of 10 minutes?
    else, in units of 10 seconds?
0xA5: heartbeat value (byte sent as heartbeat)
0xA8:
    & 0x80: invert green LED in sub at 5f2c
    & 0x40: invert red LED in sub at 5f2c
    & 0x20: invert green LED?
    & 0x10: invert red LED?
    & 0x08: send a UART status from a routine at 6388
    & 0x04: heartbeat over Wiegand
    & 0x02: heartbeat over UART (possibly also global UART en/disable)
    & 0x01: global LED/beep disable? or external control
0xA9:
    & 0x02: external LED/beep control?
        if set, pin RB5 = red, RB6 = green, RA6? = beeper, RB4 = HOLD?
0xA6: beep pitch
0xA7:
    & 0x02: controls RD1 initial state
    & 0x10: changes beep
This is gold! You wouldn't happen to be selling your RW400? I'm looking for one, I'd love to get a copy of the firmware, how did you reverse? IDA Pro?
I see you're in Sydney, I am as well, perhaps we could have coffee?
Some clarifications:
Config cards are read whenever presented - you don't need to cycle power. Key change cards are only accepted at power on afaict.
If the reader is in high security mode, it will only accept config cards that also have the high security key. This means that your reset card to go back to low security mode needs to have the high sec key too. Do be careful changing keys.
Option A8:
    & 0x80: blink green on card read
    & 0x40: blink red on card read
    & 0x20: green when idle
    & 0x10: red when idle
Setting it to 0x5x, for example, the LED remains red in both card read and idle, while still allowing external control. 0x3x will set it to orange in idle and off in read.
Awwww yeah!
Whereabouts do you write this to? Like what block?
So for instance if I wanted to make a reader green on idle, I'd just need AC00A820A700A900 in block 7?
Last edited by dylanger (2016-11-18 06:15:28)
@prof_abrasive I can see you've likely opened the dumped firmware into IDA, would it be possible for you to post the dump? Even just a screenshot of sub-routine 0x5f2c
Here are the Default iClass Reader EEPROM Settings (After Reset Configuration Card)
Location 0xA8 = Beep On, Red LED (Idle), Flash Green on read
A0 07 50 28 19 00 AA 60 A0
A8 9F 00 88 01 02 0D 00 00
B0 42 1E 01 00 00 00 00 00
B8 00 00 00 00 00 00 00 00
Other Possible Reader LED Settings controlled by 0xA8 are as follows:
0xA8 Idle Read
---- ---- ----
0F Off Off
1F Red Off
2F Grn Off
3F Amber Off
4F Off Red
5F Red Red
6F Grn Red
7F Amber Red
8F Off Grn
9F Red Grn
AF Grn Grn
BF Amber Grn
CF Off Amber
DF Red Amber
EF Grn Amber
FF Amber Amber
EXAMPLE: If you want the reader LED to be Green on idle and flash Red on a read then you would use a configuration card that modifies Block 6 and Block 7 as follows:
Blk Stored Value
00 2CDFA300FBFF12E0
01 3FFFFFFFF9BFFF3C
02 FEFFFFFFFFFFFFFF
03 FFFFFFFFFFFFFFFF
04 FFFFFFFFFFFFFFFF
05 FFFFFFFFFFFFFFFF
06 000000000000BF18
07 A86F000000000000
08 0000000000000000
09 0000000000000000
0A 0000000000000000
0B 0000000000000000
0C 0000000000000000
0D 0000000000000000
0E 0000000000000000
0F 0000000000000000
10 0000000000000000
11 0000000000000000
12 0000000000000000
13 FFFFFFFFFFFFFFFF
14 FFFFFFFFFFFFFFFF
15 FFFFFFFFFFFFFFFF
16 FFFFFFFFFFFFFFFF
17 FFFFFFFFFFFFFFFF
18 FFFFFFFFFFFFFFFF
19 FFFFFFFFFFFFFFFF
1A FFFFFFFFFFFFFFFF
1B FFFFFFFFFFFFFFFF
Here is the disassembled subroutine at 0x5F2C if you are still interested.
sub
005F2C 0x0E00 MOVLW 0x0 ;
005F2E 0xEC2A, 0xF006 CALL sub11 ;
005F32 0x0E04 MOVLW 0x4 ;
005F34 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
005F38 0x0E6F MOVLW 0x6F ;
005F3A 0x6EE9 MOVWF FSR0L, A ;
005F3C 0x0E01 MOVLW 0x1 ;
005F3E 0x6EEA MOVWF FSR0H, A ;
005F40 0x50EF MOVF INDF0, W, A ;
005F42 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
005F46 0x6E00 MOVWF 0xF00, A ;
005F48 0x6A01 CLRF 0xF01, A ;
005F4A 0x5001 MOVF 0xF01, W, A ;
005F4C 0x1000 IORWF 0xF00, W, A ;
005F4E 0xB4D8 BTFSC STATUS, Z, A ;
005F50 0xD044 BRA 0x5FDA ;
005F52 0x0E6F MOVLW 0x6F ;
005F54 0x6EE9 MOVWF FSR0L, A ;
005F56 0x0E01 MOVLW 0x1 ;
005F58 0x6EEA MOVWF FSR0H, A ;
005F5A 0x50EF MOVF INDF0, W, A ;
005F5C 0x0B0F ANDLW 0xF ;
005F5E 0xCFE8, 0xF5B4 MOVFF WREG, 0x5B4 ;
005F62 0x0105 MOVLB 0x5 ;
005F64 0x0E30 MOVLW 0x30 ;
005F66 0x27B4 ADDWF 0xB4, F, BANKED ;
005F68 0xC170, 0xF000 MOVFF 0x170, 0x0 ;
005F6C 0x0EC0 MOVLW 0xC0 ;
005F6E 0x1600 ANDWF 0xF00, F, A ;
005F70 0xC5B4, 0xFFE8 MOVFF 0x5B4, WREG ;
005F74 0x2400 ADDWF 0xF00, W, A ;
005F76 0xCFE8, 0xF5B4 MOVFF WREG, 0x5B4 ;
005F7A 0x0E70 MOVLW 0x70 ;
005F7C 0x6EE9 MOVWF FSR0L, A ;
005F7E 0x0E01 MOVLW 0x1 ;
005F80 0x6EEA MOVWF FSR0H, A ;
005F82 0x50EF MOVF INDF0, W, A ;
005F84 0x0BC0 ANDLW 0xC0 ;
005F86 0x0F20 ADDLW 0x20 ;
005F88 0xCFE8, 0xF5B6 MOVFF WREG, 0x5B6 ;
005F8C 0xAC81 BTFSS PORTB, 6, A ;
005F8E 0xD004 BRA 0x5F98 ;
005F90 0x0105 MOVLB 0x5 ;
005F92 0x8FB4 BSF 0xB4, 7, BANKED ;
005F94 0x0105 MOVLB 0x5 ;
005F96 0x8FB6 BSF 0xB6, 7, BANKED ;
005F98 0x0E00 MOVLW 0x0 ;
005F9A 0xBA81 BTFSC PORTB, 5, A ;
005F9C 0x0E01 MOVLW 0x1 ;
005F9E 0x6E00 MOVWF 0xF00, A ;
005FA0 0x6A01 CLRF 0xF01, A ;
005FA2 0x0E01 MOVLW 0x1 ;
005FA4 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
005FA8 0x0E71 MOVLW 0x71 ;
005FAA 0x6EE9 MOVWF FSR0L, A ;
005FAC 0x0E01 MOVLW 0x1 ;
005FAE 0x6EEA MOVWF FSR0H, A ;
005FB0 0x50EF MOVF INDF0, W, A ;
005FB2 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
005FB6 0x6E02 MOVWF 0xF02, A ;
005FB8 0x6A03 CLRF 0xF03, A ;
005FBA 0x5000 MOVF 0xF00, W, A ;
005FBC 0x1402 ANDWF 0xF02, W, A ;
005FBE 0x6EF6 MOVWF TBLPTRL, A ;
005FC0 0x5001 MOVF 0xF01, W, A ;
005FC2 0x1403 ANDWF 0xF03, W, A ;
005FC4 0x6EF7 MOVWF TBLPTRH, A ;
005FC6 0x10F6 IORWF TBLPTRL, W, A ;
005FC8 0xB4D8 BTFSC STATUS, Z, A ;
005FCA 0xD004 BRA 0x5FD4 ;
005FCC 0x0105 MOVLB 0x5 ;
005FCE 0x8DB4 BSF 0xB4, 6, BANKED ;
005FD0 0x0105 MOVLB 0x5 ;
005FD2 0x8DB6 BSF 0xB6, 6, BANKED ;
005FD4 0xEC30, 0xF005 CALL sub20 ; Call LED/Sounder Routine
005FD8 0xD09E BRA 0x6116 ;
005FDA 0x0E6B MOVLW 0x6B ;
005FDC 0x6EE9 MOVWF FSR0L, A ;
005FDE 0x0E01 MOVLW 0x1 ;
005FE0 0x6EEA MOVWF FSR0H, A ;
005FE2 0x50EF MOVF INDF0, W, A ;
005FE4 0xB4D8 BTFSC STATUS, Z, A ;
005FE6 0xD097 BRA 0x6116 ;
005FE8 0x0E06 MOVLW 0x6 ;
005FEA 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
005FEE 0x0E70 MOVLW 0x70 ;
005FF0 0x6EE9 MOVWF FSR0L, A ;
005FF2 0x0E01 MOVLW 0x1 ;
005FF4 0x6EEA MOVWF FSR0H, A ;
005FF6 0x50EF MOVF INDF0, W, A ;
005FF8 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
005FFC 0x6E00 MOVWF 0xF00, A ;
005FFE 0x3000 RRCF 0xF00, W, A ;
006000 0xA0D8 BTFSS STATUS, C, A ;
006002 0xD002 BRA 0x6008 ;
006004 0x8481 BSF PORTB, 2, A ; Turn on Red LED
006006 0xD001 BRA 0x600A ;
006008 0x9481 BCF PORTB, 2, A ; Turn off Red LED
00600A 0x0E07 MOVLW 0x7 ;
00600C 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
006010 0x0E70 MOVLW 0x70 ;
006012 0x6EE9 MOVWF FSR0L, A ;
006014 0x0E01 MOVLW 0x1 ;
006016 0x6EEA MOVWF FSR0H, A ;
006018 0x50EF MOVF INDF0, W, A ;
00601A 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
00601E 0x6E00 MOVWF 0xF00, A ;
006020 0x3000 RRCF 0xF00, W, A ;
006022 0xA0D8 BTFSS STATUS, C, A ;
006024 0xD002 BRA 0x602A ;
006026 0x8281 BSF PORTB, 1, A ; Turn on Green LED (if valid card)
006028 0xD001 BRA 0x602C ;
00602A 0x9281 BCF PORTB, 1, A ; Turn off Green LED
00602C 0xBC81 BTFSC PORTB, 6, A ;
00602E 0x8281 BSF PORTB, 1, A ; Turn on Green LED
006030 0x0E00 MOVLW 0x0 ;
006032 0xBA81 BTFSC PORTB, 5, A ;
006034 0x0E01 MOVLW 0x1 ;
006036 0x6E00 MOVWF 0xF00, A ;
006038 0x6A01 CLRF 0xF01, A ;
00603A 0x0E01 MOVLW 0x1 ;
00603C 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
006040 0x0E71 MOVLW 0x71 ;
006042 0x6EE9 MOVWF FSR0L, A ;
006044 0x0E01 MOVLW 0x1 ;
006046 0x6EEA MOVWF FSR0H, A ;
006048 0x50EF MOVF INDF0, W, A ;
00604A 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
00604E 0x6E02 MOVWF 0xF02, A ;
006050 0x6A03 CLRF 0xF03, A ;
006052 0x5000 MOVF 0xF00, W, A ;
006054 0x1402 ANDWF 0xF02, W, A ;
006056 0x6EF6 MOVWF TBLPTRL, A ;
006058 0x5001 MOVF 0xF01, W, A ;
00605A 0x1403 ANDWF 0xF03, W, A ;
00605C 0x6EF7 MOVWF TBLPTRH, A ;
00605E 0x10F6 IORWF TBLPTRL, W, A ;
006060 0xA4D8 BTFSS STATUS, Z, A ;
006062 0x8481 BSF PORTB, 2, A ; Turn on Red LED
006064 0x0E07 MOVLW 0x7 ;
006066 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
00606A 0x0E6F MOVLW 0x6F ;
00606C 0x6EE9 MOVWF FSR0L, A ;
00606E 0x0E01 MOVLW 0x1 ;
006070 0x6EEA MOVWF FSR0H, A ;
006072 0x50EF MOVF INDF0, W, A ;
006074 0xEC08, 0xF005 CALL sub5 ;extract bit 0-7 (specified by F7) in WReg
006078 0x6E00 MOVWF 0xF00, A ;
00607A 0x6A01 CLRF 0xF01, A ;
00607C 0x5001 MOVF 0xF01, W, A ;
00607E 0x1000 IORWF 0xF00, W, A ;
006080 0xB4D8 BTFSC STATUS, Z, A ;
006082 0xD01E BRA 0x60C0 ;
006084 0x0E6E MOVLW 0x6E ;
006086 0x6EE9 MOVWF FSR0L, A ;
006088 0x0E01 MOVLW 0x1 ;
00608A 0x6EEA MOVWF FSR0H, A ;
00608C 0x50EF MOVF INDF0, W, A ;
00608E 0x0FFE ADDLW 0xFE ;
006090 0x6ECB MOVWF PR2, A ;
006092 0x0EFE MOVLW 0xFE ;
006094 0x6E00 MOVWF 0xF00, A ;
006096 0x0EFF MOVLW 0xFF ;
006098 0x6E01 MOVWF 0xF01, A ;
00609A 0x0E6E MOVLW 0x6E ;
00609C 0x6EE9 MOVWF FSR0L, A ;
00609E 0x0E01 MOVLW 0x1 ;
0060A0 0x6EEA MOVWF FSR0H, A ;
0060A2 0x50EF MOVF INDF0, W, A ;
0060A4 0x2400 ADDWF 0xF00, W, A ;
0060A6 0x6E02 MOVWF 0xF02, A ;
0060A8 0x0E00 MOVLW 0x0 ;
0060AA 0x2001 ADDWFC 0xF01, W, A ;
0060AC 0x6E03 MOVWF 0xF03, A ;
0060AE 0x3403 RLCF 0xF03, W, A ;
0060B0 0x3203 RRCF 0xF03, F, A ;
0060B2 0x3202 RRCF 0xF02, F, A ;
0060B4 0x5002 MOVF 0xF02, W, A ;
0060B6 0x6EBB MOVWF CCPR2L, A ;
0060B8 0x0E07 MOVLW 0x7 ;
0060BA 0x6ECA MOVWF T2CON, A ;
0060BC 0x0E0C MOVLW 0xC ;
0060BE 0x6EBA MOVWF CCP2CON, A ;
0060C0 0x0E6B MOVLW 0x6B ;
0060C2 0x6EE9 MOVWF FSR0L, A ;
0060C4 0x0E01 MOVLW 0x1 ;
0060C6 0x6EEA MOVWF FSR0H, A ;
0060C8 0x50EF MOVF INDF0, W, A ;
0060CA 0xEC7F, 0xF004 CALL sub48 ;
0060CE 0x0E05 MOVLW 0x5 ;
0060D0 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
0060D4 0x0E70 MOVLW 0x70 ;
0060D6 0x6EE9 MOVWF FSR0L, A ;
0060D8 0x0E01 MOVLW 0x1 ;
0060DA 0x6EEA MOVWF FSR0H, A ;
0060DC 0x50EF MOVF INDF0, W, A ;
0060DE 0xEC08, 0xF005 CALL sub5 ;extract bit 0-7 (specified by F7) in WReg
0060E2 0x6E00 MOVWF 0xF00, A ;
0060E4 0x3000 RRCF 0xF00, W, A ;
0060E6 0xA0D8 BTFSS STATUS, C, A ;
0060E8 0xD002 BRA 0x60EE ;
0060EA 0x8281 BSF PORTB, 1, A ; Turn on Green LED
0060EC 0xD001 BRA 0x60F0 ;
0060EE 0x9281 BCF PORTB, 1, A ; Turn off Green LED
0060F0 0x0E04 MOVLW 0x4 ;
0060F2 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
0060F6 0x0E70 MOVLW 0x70 ;
0060F8 0x6EE9 MOVWF FSR0L, A ;
0060FA 0x0E01 MOVLW 0x1 ;
0060FC 0x6EEA MOVWF FSR0H, A ;
0060FE 0x50EF MOVF INDF0, W, A ;
006100 0xEC08, 0xF005 CALL sub5 ;extract bit 0-7 (specified by F7) in WReg
006104 0x6E00 MOVWF 0xF00, A ;
006106 0x3000 RRCF 0xF00, W, A ;
006108 0xA0D8 BTFSS STATUS, C, A ;
00610A 0xD002 BRA 0x6110 ;
00610C 0x8481 BSF PORTB, 2, A ; Turn on Red LED
00610E 0xD001 BRA 0x6112 ;
006110 0x9481 BCF PORTB, 2, A ; Turn off Red LED
006112 0x6ABA CLRF CCP2CON, A ;
006114 0x9282 BCF PORTC, 1, A ;
006116 0xAA81 BTFSS PORTB, 5, A ;
006118 0xBC81 BTFSC PORTB, 6, A ;
00611A 0xD002 BRA 0x6120 ;
00611C 0xAE81 BTFSS PORTB, 7, A ;
00611E 0xD013 BRA 0x6146 ;
006120 0x0E00 MOVLW 0x0 ;
006122 0xCFE8, 0xF0F7 MOVFF WREG, 0xF7 ;
006126 0x0E70 MOVLW 0x70 ;
006128 0x6EE9 MOVWF FSR0L, A ;
00612A 0x0E01 MOVLW 0x1 ;
00612C 0x6EEA MOVWF FSR0H, A ;
00612E 0x50EF MOVF INDF0, W, A ;
006130 0xEC08, 0xF005 CALL sub5 ; extract bit 0-7 (specified by F7) in WReg
006134 0x6E00 MOVWF 0xF00, A ;
006136 0x6A01 CLRF 0xF01, A ;
006138 0x5001 MOVF 0xF01, W, A ;
00613A 0x1000 IORWF 0xF00, W, A ;
00613C 0xB4D8 BTFSC STATUS, Z, A ;
00613E 0xD003 BRA 0x6146 ;
006140 0x0E01 MOVLW 0x1 ;
006142 0xCFE8, 0xF5A0 MOVFF WREG, 0x5A0 ;
006146 0xC5A0, 0xFFE8 MOVFF 0x5A0, WREG ;
00614A 0x0900 IORLW 0x0 ;
00614C 0xB4D8 BTFSC STATUS, Z, A ;
00614E 0x0012 RETURN ;
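Carl55's block-7 description (EEPROM address/value pairs), the 0xA8 LED table and the factory defaults posted above are enough to check what a reader-configuration card will actually change before it is ever held to a reader, which is the safe way to avoid the "screw up the operating parameters" case the reset card exists for. The following Python is an added example, not code from this thread or from the Proxmark3 project: it parses the AV1 listing posted earlier, pulls the EEPROM writes out of block 7, decodes the LED nibble of 0xA8 using the table above, and diffs every write against the posted defaults. Two assumptions are mine and not stated in the thread: the pair list in block 7 ends at the first pair whose address byte is 0x00, and only bits 4-7 of 0xA8 (the LED bits) are decoded; the low nibble is left alone.

```python
"""Decode legacy iClass reader-configuration card dumps.

Added example; not code from the thread or the Proxmark3 project.
Assumptions not stated in the thread: the address/value pair list in block 7
stops at the first pair whose address byte is 0x00, and only bits 4-7 of
option 0xA8 (the LED bits from the posted table) are decoded.
"""

# Constructed from the "AV1 Configuration Card" listing posted earlier
# (only the blocks that matter here).
AV1_DUMP = """
00 3CDFA200FBFF12E0
01 3FFFFFFFF9BFFF3C
06 000000000000BF18
07 AC00A88FA780A901
08 0000000000000000
"""

# Factory defaults after the reset card, as posted above (0xA0..0xBF).
DEFAULTS_DUMP = """
A0 07 50 28 19 00 AA 60 A0
A8 9F 00 88 01 02 0D 00 00
B0 42 1E 01 00 00 00 00 00
B8 00 00 00 00 00 00 00 00
"""


def parse_blocks(text):
    """Parse 'BLK HEX16' lines into {block_number: 8 bytes}."""
    blocks = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[1]) == 16:
            blocks[int(parts[0], 16)] = bytes.fromhex(parts[1])
    return blocks


def parse_eeprom(text):
    """Parse 'ADDR b0 .. b7' rows into {eeprom_address: value}."""
    mem = {}
    for line in text.strip().splitlines():
        base, *vals = line.split()
        for offset, val in enumerate(vals):
            mem[int(base, 16) + offset] = int(val, 16)
    return mem


def config_writes(blocks):
    """Return the (eeprom_address, value) pairs encoded in block 7."""
    data = blocks.get(7, b"")
    writes = []
    for addr, val in zip(data[0::2], data[1::2]):
        if addr == 0x00:          # assumption: an address of 0x00 terminates the list
            break
        writes.append((addr, val))
    return writes


def _colour(red, green):
    """Red + green on the same LED reads as amber, per the posted table."""
    return {(False, False): "Off", (True, False): "Red",
            (False, True): "Grn", (True, True): "Amber"}[(red, green)]


def decode_a8(value):
    """LED colours for idle and card-read from bits 4-7 of option 0xA8."""
    return {"idle": _colour(bool(value & 0x10), bool(value & 0x20)),
            "read": _colour(bool(value & 0x40), bool(value & 0x80))}


def diff_against_defaults(writes, defaults):
    """(addr, old, new) for every write that changes a default byte."""
    return [(addr, defaults.get(addr), val)
            for addr, val in writes if defaults.get(addr) != val]


if __name__ == "__main__":
    blocks = parse_blocks(AV1_DUMP)
    defaults = parse_eeprom(DEFAULTS_DUMP)
    print("block 6 header:", blocks[6].hex().upper())
    for addr, old, new in diff_against_defaults(config_writes(blocks), defaults):
        old_s = f"0x{old:02X}" if old is not None else "(not in defaults)"
        note = f"  LED {decode_a8(new)}" if addr == 0xA8 else ""
        print(f"EEPROM 0x{addr:02X}: {old_s} -> 0x{new:02X}{note}")
```

Run against the AV1 listing it reports four changes relative to the defaults, including 0xA8 going from 0x9F (Red idle, Grn on read) to 0x8F (Off idle, Grn on read); Carl55's later example byte 0x6F decodes to Grn idle, Red on read, and the reset card's all-zero block 7 yields no writes at all. Block 6 is only echoed, since the thread does not say what its bytes mean beyond "it tells the reader how the following blocks are used".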
This is great, thank you! Does Blk 6 need to be edited too? I can see BF == 18; is that required for writing to EEPROM directly?
Very confused here. Do configuration cards work without cycling power?
I have analyzed quite a few HID Configuration cards. The instructions on both the card and on the HID website state that the user must present the card within the first thirty seconds of power-up in order for the configuration card to be recognized. This requirement seems to hold true for every configuration card that I have ever analyzed and tested. I am not aware of any exceptions.
The information that is stored in Block 6 is relevant for all configuration cards. It must be written since it informs the reader how the information in all subsequent data blocks is to be used.
Some more testing is informative. My 6100AKN0000 will continue to accept a reset or key card at any time - at least out to more than five minutes - but only in High Security mode. When in regular mode it stops accepting cards shortly after poweron.
Interesting; more public research is needed. It seems some modes allow config cards. You guys have firmware dumps; perhaps HID have undocumented cards that are always allowed also?
Do the same config cards apply to iClass SE readers? I'm finding the reader will request block 6, then a read4 of blocks 6-9, then gives up trying to talk. Again I'm stuck trying to get the HS keys into the reader.
The following question and answer is from the HID Technical Support Knowledge Base website.
Why is the configuration card not being read on my iCLASS SE readers?
Version: 1.1
Part Numbers Affected: iCLASS/multiCLASS SE Readers (9XXX)
Firmware Version: N/A
Software Version: N/A
Serial Numbers: N/A
Problem: Why is the configuration card not being read on my iCLASS SE readers?
Solution: Confirm the following:
The configuration card is for an iCLASS SE reader. Legacy iCLASS configuration cards cannot be used on iCLASS SE readers.
You are presenting the configuration card during the period the LED is Magenta/Purple (usually the first five to thirty seconds after power up).
If the card still will not read, try disconnecting the LED wires from the reader to the panel:
If you try to load a configuration card onto an iCLASS SE reader that has the LED wires connected to a panel, the reader will not accept it. The LEDs will not change from the "solid idle red state" and the reader does not accept the configuration card. The LED lines wired to the panel prevent the reader from accepting the configuration card. Disconnect the LED lines from the panel and the reader will accept the configuration card.
Thanks Carl, I wish I'd been careful enough to find that (or check with your expertise!) before buying the wrong readers then.
Last edited by prof_abrasive (2016-11-21 04:39:14)
Some final notes:
RevC readers require some flags and the new key to be present in blocks 13-15 as well. This rules out using regular iClass cards with application limit 0x12 as config cards. You'd have to reprogram existing key configuration cards (if you can) or personalise a new PicoPass from scratch.
I managed to configure a couple of RevC readers by using a Proxmark to simulate a suitable card. Unfortunately the iClass tag emulation is basically unusable on my RevA and RevC readers, though it worked on the SE readers I had.
The software UART discards half the input samples, and with the peak detect timing on my Proxmark and the modulation timing on the readers it would miss edges and drop most of the packets most of the time. Interestingly, the effect varied with the Vcc supplied to the reader!
I wrote a total 1of4 replacement that uses all the input samples, up at http://github.com/abrasive/proxmark3 - which works great on RevCs. I haven't done any work to dial in reasonable timing in the higher level packet handling code so it doesn't seem to work on my RevA (the reader repeatedly issues READCHECK/CHECK 15 times and gives up).
Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?
Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?
Most likely for iClass SE readers, you need to purchase HID-manufactured config cards, or you can use Asure ID to program one with the configuration files ordered from HID (Asure ID doesn't include them by default), such as key rolling, or whether to respond to legacy iClass/iClass SR credentials or SO only.
I can create my own configuration cards (keys & behavior) but I'm only achieving this using the CP1000/OK5427UE at the moment.
This can be done by writing your own software or using the necessary DLLs (included with a number of packages). Configuration cards are required but they can be reprogrammed.
aaronml wrote:Has anyone played around with config cards for multiClass/iClass SE readers? I'm curious if they could be simulated / cloned at all using a PM3 (e.g. encoding the config data using legacy iClass, etc.?). Or is the only option for SE readers to either purchase pre-programmed cards from HID or purchase an official HID iClass SE encoder?
Most likely for iClass SE readers, you need to purchase HID-manufactured config cards, or you can use Asure ID to program one with the configuration files ordered from HID (Asure ID doesn't include them by default), such as key rolling, or whether to respond to legacy iClass/iClass SR credentials or SO only.
@brants
How can I contact you?
Interestingly (and not sure if it's been discussed here or not), the iClass SE reader config cards appear to be DESFire 4K cards. I'm surprised they didn't use PicoPass / normal "iClass SE" cards for this. The cards also seem to contain a contact-based smart card chip/interface...... anyone know what that is for?
Interesting. I don't recall seeing any DESFire cards used for configuration purposes.
The most common appears to be SmartMX P5CD081 running JCOP 31 v2.4.1 R3.
* Not all cards have a 7816 interface.
* I've never seen anyone use the contact interface.
Interesting. I don't recall seeing any DESFire cards used for configuration purposes.
The most common appears to be SmartMX P5CD081 running JCOP 31 v2.4.1 R3.
* Not all cards have a 7816 interface.
* I've never seen anyone use the contact interface.
I'm probably mistaken in that case.....
My output was:
pm3 --> hf search
UID : [REDACTED]
ATQA : 00 48
SAK : 20 [1]
TYPE : NXP MIFARE DESFire 4k | DESFire EV1 2k/4k/8k | Plus 2k/4k SL3 | JCOP 31/41
MANUFACTURER : NXP Semiconductors Germany
ATS : 14 78 F7 B1 02 80 59 01 80 41 52 54 45 43 46 47 73 00 01 1B AA 09
- TL : length is 20 bytes
- T0 : TA1 is present, TB1 is present, TC1 is present, FSCI is 8 (FSC = 256)
- TA1 : different divisors are NOT supported, DR: [2, 4, 8], DS: [2, 4, 8]
- TB1 : SFGI = 1 (SFGT = 8192/fc), FWI = 11 (FWT = 8388608/fc)
- TC1 : NAD is NOT supported, CID is supported
[=] Answers to magic commands: NO
[+] Valid ISO14443-A Tag Found
I didn't actually realize that NXP made JCOP cards. Is there a way of using a PM3 to find out for sure? AFAIK there isn't currently a PM3 command set for JCOP. Thanks!
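The TYPE line in that `hf search` output is a guess the client makes from the ATQA/SAK/ATS patterns, which is why the next reply advises not to rely on it; the ATS itself is the part the card actually sent, and it can be decoded by hand. The following Python is an added example, not code from this thread or from the Proxmark3 project. It parses the ATS line posted above and reproduces the TL/T0/TA1/TB1/TC1 breakdown shown in the output, then separates out the historical bytes and renders their printable ASCII. It assumes, as the TL byte of 20 implies, that the final two bytes of the posted line (AA 09) are the trailing CRC rather than ATS content.

```python
"""Parse the ISO/IEC 14443-4 ATS from the Proxmark `hf search` output above.

Added example; not code from the thread or the Proxmark3 project.
Assumption: TL (the first byte) counts itself, so the two bytes beyond it in
the posted line (AA 09) are treated as the trailing CRC, not ATS content.
"""

# FSCI -> FSC (maximum frame size in bytes), ISO/IEC 14443-4 table.
FSCI_TO_FSC = {0: 16, 1: 24, 2: 32, 3: 40, 4: 48, 5: 64, 6: 96, 7: 128, 8: 256}

# Constructed from the ATS line in the post above.
POSTED_ATS = "14 78 F7 B1 02 80 59 01 80 41 52 54 45 43 46 47 73 00 01 1B AA 09"


def parse_ats(hexstr):
    """Split an ATS into TL, T0-derived fields, TA1/TB1/TC1 and historical bytes."""
    raw = bytes.fromhex(hexstr.replace(" ", ""))
    tl = raw[0]
    ats = raw[:tl]                       # TL includes itself
    info = {"TL": tl, "trailing": raw[tl:].hex(" "), "historical": b""}
    if tl < 2:                           # bare TL, nothing else to decode
        return info
    t0 = ats[1]
    idx = 2
    info["FSCI"] = t0 & 0x0F
    # FSCI 9..F are treated as 256 here, matching what the client printed.
    info["FSC"] = FSCI_TO_FSC.get(t0 & 0x0F, 256)
    if t0 & 0x10:                        # TA1 present: bit-rate capabilities
        ta1 = ats[idx]
        idx += 1
        info["TA1"] = {
            # bit 7 set = only the same divisor in both directions
            "different_divisors": not (ta1 & 0x80),
            "DR": [d for bit, d in ((0x01, 2), (0x02, 4), (0x04, 8)) if ta1 & bit],
            "DS": [d for bit, d in ((0x10, 2), (0x20, 4), (0x40, 8)) if ta1 & bit],
        }
    if t0 & 0x20:                        # TB1 present: FWI (high nibble), SFGI (low nibble)
        tb1 = ats[idx]
        idx += 1
        fwi, sfgi = tb1 >> 4, tb1 & 0x0F
        # FWT = (256 * 16 / fc) * 2^FWI; SFGT uses the same base with SFGI
        info["TB1"] = {"FWI": fwi, "FWT_fc": 4096 << fwi,
                       "SFGI": sfgi, "SFGT_fc": 4096 << sfgi}
    if t0 & 0x40:                        # TC1 present: protocol options
        tc1 = ats[idx]
        idx += 1
        info["TC1"] = {"NAD": bool(tc1 & 0x01), "CID": bool(tc1 & 0x02)}
    info["historical"] = ats[idx:]
    return info


def printable(hist):
    """Render historical bytes as ASCII, dotting anything non-printable."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in hist)


if __name__ == "__main__":
    r = parse_ats(POSTED_ATS)
    print(f"TL={r['TL']} FSC={r['FSC']}")
    print("TA1:", r.get("TA1"))
    print("TB1:", r.get("TB1"))
    print("TC1:", r.get("TC1"))
    print("historical:", r["historical"].hex(" "), "->", printable(r["historical"]))
    print("trailing bytes (CRC):", r["trailing"])
```

Running it on the posted line gives FSC = 256, DR and DS of [2, 4, 8] with different divisors not supported, FWI = 11 (FWT = 8388608/fc), SFGI = 1 (SFGT = 8192/fc), NAD unsupported and CID supported, exactly as the client printed, plus 15 historical bytes. The historical bytes are where a card's own identification usually lives, which is a better thing to inspect than the TYPE guess when deciding what a card really is.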
Ah ok. I can see why you would've made that assumption now.
I wouldn't rely on the type or manufacturer information. It is certainly helpful when inspecting cards but I would advise further inspection.
These configuration cards are very interesting (especially the older ones)!
You might want to have a look at Global Platform - gpshell, GlobalPlatformPro.
Ah ok. I can see why you would've made that assumption now.
I wouldn't rely on the type or manufacturer information. It is certainly helpful when inspecting cards but I would advise further inspection.
These configuration cards are very interesting (especially the older ones)!
You might want to have a look at Global Platform - gpshell, GlobalPlatformPro.
Thanks — will do! Interestingly enough, the OmniKey 5027 reader does appear to use DESFire EV1-based config cards https://www.hidglobal.com/doclib/files/resource_files/plt-03824_a.0_-_omnikey_5027_software_developer_guide.pdf though that is obviously a different use case.
The use of JCOP technology for SE Reader config cards is interesting though.... I guess they liked it enough to develop SEOS with it
The OmniKey configuration cards are totally different (IIRC).
Not sure if there is anything worth investigating there. Either way it is a project for another time.