Ok it has been almost a month since my last post so I thought I better quickly put something down before I forget.
The readers arrived a few weeks ago, as did my GIS TS-RW36 *yay*. The RW36 is a USB HID Device (Device Device? ;P). Initially when I plugged it into my Mac it came up as a keyboard, which was cool because the software I have for it is Windows, which is not so cool. Anyway, I launched VMware Fusion assuming it would just pass the USB device through and I would be able to use it; unfortunately Fusion did not do this and it couldn’t see the device at all. I then tried a few tweaks that were suggested to me but still no joy, so I downloaded Parallels and it worked! So I am now a Parallels user (take that VMware! *stabby*).

So with the RW36 I can now read all the pages of the HitagS chip.  I haven’t spent much time with this but I have learnt a few things.
All my chips were sent to me in Plain mode with all the bits set so I can R/W; they were also set to transmit Pages 4 and 5. This is how it emulates an EM4102. When playing around with the Hitag S, whatever you do, do not change the AUT bit in CON1 on Page 01; it will brick your tag unless you have an NXP reader/writer (Philips proprietary shiz I believe).

Ok so here is the breakdown of the chip. Page 00 is used as the UID (this is not to be confused with the EM4102 emulation, as that uses the data in pages 04 and 05). Page 01 contains 3 configuration bytes and this is used to configure the chip (duh); going from MSB to LSB you have Reserved and CON2 to CON0.

In CON0 you have 8 bits (going from MSB still): RES 5 to RES 0 are exactly that, they are reserved. Bits 1 and 0 are the memory bits; these tell us what size chip it is.

Next is CON1; these are the Mode and Lock bits. Again, if you change the AUT bit to 1 (Auth mode) you will probably brick your chip. The other bit you may be interested in here is the Lock Configuration Bit (LCON), which is bit 1. If you change this to 1 then CON1 becomes read-only, meaning you can no longer write changes to it, and CON2 becomes one-time programmable, meaning as part of this write you will no longer be able to change CON2. (I hope this makes sense.)

The next bits that are interesting are the Transponder Talks First bits TTFM0 and TTFM1, bits 2 and 3 respectively. As I mentioned previously, this is set to Pages 4 and 5 to transmit in TTF State. This allows it to work with most 125 kHz readers; obviously if you change this to TTF mode disabled (Reader talks first) then standard readers can no longer read this chip. I am looking at getting a few more RWDs that claim to work with these chips and perform some form of authentication, but that will have to wait for now, so at this stage I will leave my chips in transmit pages 4 and 5 mode.

There are a number of other bits that should be left alone, like the LKP bit (Lock Key and Password); this should be set to 0 until you know what you are doing, as should all 8 bits in CON2. If you want more information about this please feel free to contact me or check out http://www.timfanelli.com/rfid/Main; most of the information has now been added to Tim’s wiki and we will continue to add stuff as we discover more.
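The warnings above can be turned into a check that runs before any write to Page 01. This is an added example, not code from the post or from any reader software: the byte order and the LCON/TTFM bit numbers follow the description above, the AUT and LKP bit positions are assumptions to confirm against the datasheet, and the sample page values are constructed.

```python
# Pre-write check for a Hitag S Page 01 (configuration) value.
# Layout as described in the post: MSB -> LSB is Reserved, CON2, CON1, CON0.
# LCON (bit 1) and TTFM0/TTFM1 (bits 2 and 3) are the positions the post gives.
# ASSUMPTION: AUT = bit 7 and LKP = bit 0 of CON1; verify against the datasheet.
AUT, TTFM, LCON, LKP = 0x80, 0x0C, 0x02, 0x01

# Constructed sample value (not read from a real tag).
SAMPLE_CURRENT = 0x00000401   # Reserved=00 CON2=00 CON1=04 CON0=01

def split_page1(page):
    """Return (reserved, CON2, CON1, CON0) from a 32-bit Page 01 value."""
    return tuple((page >> shift) & 0xFF for shift in (24, 16, 8, 0))

def check_write(current, proposed):
    """Compare current and proposed Page 01 values.

    Returns (blockers, warnings): blockers are changes the post says can
    brick or permanently lock the tag, warnings are reversible but affect
    whether ordinary readers can still see it.
    """
    _, cur2, cur1, cur0 = split_page1(current)
    _, new2, new1, new0 = split_page1(proposed)
    blockers, warnings = [], []
    if cur1 & LCON and new1 != cur1:
        blockers.append("LCON is already set: CON1 is read-only")
    going_high = new1 & ~cur1            # CON1 bits changing 0 -> 1
    if going_high & AUT:
        blockers.append("AUT 0->1: tag enters Auth mode (brick risk)")
    if going_high & LCON:
        blockers.append("LCON 0->1: CON1 read-only, CON2 one-time programmable")
    if going_high & LKP:
        blockers.append("LKP 0->1: locks key and password")
    if new2 != cur2:
        blockers.append("CON2 changed: leave all 8 bits alone")
    if new0 != cur0:
        blockers.append("CON0 changed: reserved and memory-size bits")
    if (new1 ^ cur1) & TTFM:
        warnings.append("TTFM changed: standard TTF readers may stop reading the tag")
    return blockers, warnings

if __name__ == "__main__":
    for proposed in (0x00000401, 0x00008401, 0x00000601, 0x00000001):
        print(f"{proposed:08X}", check_write(SAMPLE_CURRENT, proposed))
```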

Well, that’s about it for the information on the HitagS chip. Just to finish up, my RFID readers are now installed and controlling the strike locks via my alarm panel and a secondary 12 volt PSU (with battery backup). The locks I have used are fail secure as you can still override them manually from the inside. All that is left with the alarm panel is to add a few more PIRs and integrate it into my HA.

Here are a few shots of the readers. Sorry for the poor quality; I didn’t have my flash with me and I wanted to get as much of the blue/green colour in the shot. Blue indicates that the reader is on/ready, green indicates card accept/door unlocked.