RFID Readers
- May 19th, 2010
- Posted in RFID Stuff
Ok, it has been almost a month since my last post, so I thought I had better quickly put something down before I forget.
The readers arrived a few weeks ago, as did my GIS TS-RW36 *yay*. The RW36 is a USB HID Device (Device Device? ;P). Initially when I plugged it into my Mac it came up as a keyboard, which was cool because the software I have for it is Windows, which is not so cool. Anyway, I launched VMware Fusion assuming it would just pass the USB device through and I would be able to use it; unfortunately Fusion did not do this and couldn't see the device at all. I then tried a few tweaks that were suggested to me but still no joy, so I downloaded Parallels and it worked! So I am now a Parallels user (take that VMware! *stabby*).
So with the RW36 I can now read all the pages of the HitagS chip. I haven't spent much time with this but I have learnt a few things.
All my chips were sent to me in Plain mode with all the bits set so I can R/W; they were also set to transmit pages 4 and 5. This is how it emulates an EM4102. When playing around with the Hitag S, whatever you do, do not change the AUT bit in CON1 on Page 01: it will brick your tag unless you have an NXP reader/writer (Philips proprietary shiz I believe).
Ok, so here is the breakdown of the chip. Page 00 is used as the UID (not to be confused with the EM4102 emulation, which uses the data in pages 04 and 05). Page 01 contains 3 configuration bytes used to configure the chip (duh); going from MSB to LSB you have Reserved, then CON2 to CON0.

CON0 has 8 bits (going from MSB still): RES5 to RES0 are exactly that, reserved. Bits 1 and 0 are the memory bits, which tell us what size chip it is.

Next is CON1, the Mode and Lock bits. Again, if you change the AUT bit to 1 (Auth mode) you will probably brick your chip. The other bit you may be interested in here is the Lock Configuration bit (LCON), bit 1; if you change this to 1 then CON1 becomes read-only, meaning you can no longer write changes to it, and CON2 becomes one-time programmable, meaning that as part of this write you will no longer be able to change CON2 (I hope this makes sense). The next interesting bits are the Transponder Talks First bits TTFM0 and TTFM1, bits 2 and 3 respectively. As I mentioned previously, this is set to transmit pages 4 and 5 in TTF state, which allows it to work with most 125 kHz readers; obviously, if you change this to TTF mode disabled (reader talks first) then standard readers can no longer read this chip. I am looking at getting a few more RWDs that claim to work with these chips and perform some form of authentication, but that will have to wait for now, so at this stage I will leave my chips in transmit-pages-4-and-5 mode. There are a number of other bits that should be left alone, like the LKP bit (Lock Key and Password); this should be set to 0 until you know what you are doing, as should all 8 bits in CON2. If you want more information about this please feel free to contact me or check out http://www.timfanelli.com/rfid/Main; most of the information has now been added to Tim's wiki and we will continue to add stuff as we discover more.
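A decoder and pre-write sanity check for page 01, as an added example (not code from the post): it refuses the AUT write the post warns about and flags the other changes discussed. The byte order and the LCON/TTFM bit positions come from the post; AUT = bit 7, LKP = bit 0 and the TTFM/memory value tables are assumed from the NXP datasheet, and the sample pages are constructed.

```python
"""Decode and sanity-check a Hitag S page 01 before writing it.

Byte order (Reserved, CON2, CON1, CON0), LCON=bit 1 and TTFM0/TTFM1=bits 2/3
follow the post. ASSUMED from the NXP datasheet, not stated on the page:
AUT=bit 7 and LKP=bit 0 of CON1, and the TTFM and memory-size value tables.
"""
AUT, TTFM1, TTFM0, LCON, LKP = 7, 3, 2, 1, 0  # bit numbers within CON1

TTFM_MODES = {0b00: "TTF disabled (reader talks first)", 0b01: "TTF page 4",
              0b10: "TTF pages 4 and 5 (EM4102 emulation)", 0b11: "TTF pages 4 to 7"}
MEMORY = {0b00: "32 bit", 0b01: "256 bit", 0b10: "2048 bit"}  # CON0 bits 1..0


def bit(value, n):
    return (value >> n) & 1


def decode_page01(page):
    """page: the 4 bytes of page 01, MSB first: Reserved, CON2, CON1, CON0."""
    if len(page) != 4:
        raise ValueError("page 01 is 4 bytes")
    _reserved, con2, con1, con0 = page
    ttfm = (bit(con1, TTFM1) << 1) | bit(con1, TTFM0)
    return {"memory": MEMORY.get(con0 & 0b11, "reserved value"),
            "aut": bit(con1, AUT), "lcon": bit(con1, LCON), "lkp": bit(con1, LKP),
            "ttfm": ttfm, "ttfm_mode": TTFM_MODES[ttfm], "con2": con2}


def check_write(current, proposed):
    """Problems with writing `proposed` over `current`; [] means the write looks safe."""
    cur, new = decode_page01(current), decode_page01(proposed)
    problems = []
    if new["aut"] and not cur["aut"]:
        problems.append("FATAL: sets AUT; tag is bricked without an NXP writer")
    if cur["lcon"] and current[2] != proposed[2]:
        problems.append("FATAL: CON1 is locked (LCON=1); the write will fail")
    if new["lcon"] and not cur["lcon"]:
        problems.append("WARN: sets LCON; CON1 becomes read-only, CON2 one-time programmable")
    if new["lkp"] and not cur["lkp"]:
        problems.append("WARN: sets LKP (lock key and password)")
    if new["con2"] != cur["con2"]:
        problems.append("WARN: changes CON2")
    if new["ttfm"] != cur["ttfm"] and new["ttfm"] != 0b10:
        problems.append("WARN: leaves pages-4-and-5 TTF mode; standard 125 kHz readers stop reading")
    return problems


# Constructed sample: 2048-bit chip in plain mode, TTF pages 4 and 5, nothing locked.
PLAIN_2048 = bytes([0x00, 0x00, 0x08, 0x02])
BRICKER = bytes([0x00, 0x00, 0x88, 0x02])  # same page, but with AUT set
```

Run `check_write(PLAIN_2048, BRICKER)` to see the one write that must never be sent rejected as FATAL.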
Well, that's about it for the information on the HitagS chip. Just to finish up, my RFID readers are now installed and controlling the strike locks via my alarm panel and a secondary 12 volt PSU (with battery backup). The locks I have used are fail secure, as you can still override them manually from the inside. All that is left with the alarm panel is to add a few more PIRs and integrate it into my HA.
Here are a few shots of the readers. Sorry for the poor quality; I didn't have my flash with me and I wanted to get as much of the blue/green colour in the shot. Blue indicates that the reader is on/ready, green indicates card accepted/door unlocked.
Out of interest, do the readers you're using double as writers?
It seems to me that, given the ability to read RFID tags from a short distance (1), it would be a better idea to update the code on your tag each time it was read/acknowledged. This would mean that *if* someone did get a copy of the key, they'd have a very limited window within which to use it. Obv though, if you're working with more than one lock then you'd either a) have to work out some way of ensuring all readers got an updated code or b) break the code up somehow so as to be recognisable by each reader with their current code independently.
(1) Don't get me wrong, an RFID tag is much better security than a key IMHO, simply due to there being a limited number of people who can understand and attempt to break in. Compared with physical key security problems (bump key, lockpick set, etc etc) it's a great idea.
The current readers on the house only support EM41xx style chips, so they only read. The chip in my hand however is a HitagS 2048; while the authentication mech in this chip is somewhat proprietary, there are ways to get some low level encryption/authentication going. However the reader has to support this.
My alarm panel currently only supports their own RFID reader or any reader that outputs Wiegand, which makes it hard to add any more security to the system; you still however need to punch in a code to disarm the alarm. I am looking into some other RFID readers from ibtech that apparently you can program up a challenge key in, and then write said key to a section of memory on the HitagS so it will then only read the UID if the challenge matches up. Not a huge improvement, but given I have 2048 bits (65 pages) to play with you would need to know which page my key lives in.
Also you need to be < 2cm away from my hand to read it 😛