Archives 2014

rfidscan-tool : driving your Prox'N'Roll RFID Scanner's LEDs and buzzer

The rfidscan-tool command line

The rfidscan-tool command line application is available for any OS that supports libusb, HID-API or hidraw.

We've tested it on:

  • Windows XP / Vista / 7 / 8
  • Mac OS X
  • Linux (Ubuntu, Debian, etc)
  • Raspberry Pi (on Raspbian distro)

rfidscan-tool has been inspired by blink1-tool, the command-line application that controls the blink(1) USB notification light. Most of the source code comes from this application. and therefore we use the same licence model.

Note for Mac OS X: currently the tool is able to send commands to the RFID Scanner, but fails to receive its response (IOHIDDeviceGetReport always returns a timeout error -- without waiting). This issue is under investigation.

Binary download

To get rfidscan-tool for your machine, visit our github releases page, and search for a version supported by your OS / target CPU.

Here's 4 direct links to the first public version (v14.11):

Source code download

To compile your own version of rfidscan-tool, just checkout the rfidscan project from github and compile the rfidscan-tool subproject. Something like the below will work 99% of the time:


# git clone https://github.com/springcard/rfidscan-tool.git
# cd rfidscan-tool
# make

For a Windows target, we provide .SLN projects to be opened with the (free of charge) Microsoft Visual C++ 2010 Express IDE.

Usage

On Windows, you may invoke the binary from any command line box without restriction.

On MacOS X and on most versions of Linux (including on Raspberry Pi), you will need to either run as root (sudo rfidscan-tool <...>) or install udev rules as described in https://github.com/springcard/rfidscan-tool/blob/master/51-rfidscan.rules.

When running rfidscan-tool without any argument, it will print a help page like the one below.

rfidscan-tool-win

Here's the detail of all commands:

rfidscan-tool <cmd> [options]

rfidscan-tool --list

List all connected RFID Scanners.

rfidscan-tool --version

Show the RFID Scanner's firmware version.

rfidscan-tool --test

Perform a routine test on the RFID Scanner(s).

rfidscan-tool --leds <red>,<green>,<blue> [--during <time_ms>]

Drive the RFID Scanner's LEDs. Allowed values for the red, green and blue parameters are

  • off : the LED is switched OFF
  • on : the LED is switched ON
  • slow : slow blinking
  • fast : fast blinking
  • heart : "heart beat"
  • slowinv : slow blinking, inverted
  • fastinv : fast blinking, inverted
  • heartinv : "heart beat", inverted

The during parameter is optionnal ans specify how long (in milliseconds) the specified value remains active, before the RFID Scanner goes back to the default sequence.

If this parameter is missing, the LED command lasts forever (at least until another LED command is issued).

rfidscan-tool --leds-default

Let the RFID Scanner drives its LEDs itself as usual.

rfidscan-tool --beep [--during <time_ms>]

Switch ON the RFID Scanner's buzzer for the specified time (in milliseconds).

rfidscan-tool --read <addr>

Read the configuration register at the specified address.

rfidscan-tool --write <addr>=<value>

Write the specified value into the configuration register at the specified address. Leavevalue empty to erase the register.

rfidscan-tool --dump

Dump all the configuration registers.

Note: the "sensitive" registers (keys for the Master Card and password) are hidden by "XX" chars.

rfidscan-tool --write-conf <filename>

Write the configuration registers from the specified file (use a file produced by MultiConf software).

Usage options

Values for [options] are

  • -d <device num> --devices <device num> : perform the command only to this device (from --list), default is all devices (same as -d all)
  • -q --quiet : suppress most output messages
  • -v --verbose : verbose debugging messages
  • -r --reset : reset the RFID Scanner (to apply the new configuration)
  • -p --password <password> : to access a RFID Scanner that is password-protected

Other tool

On this page you will find a Python script used to control the LEDs and Buzzer of a Prox'N'Roll (thanks Armel Esnault)

Reading and writing data in a Mifare UltraLight Card, with a Prox'N'Roll

DOWNLOAD AND READ THE DOCUMENTATIONS

First thing to do is to obtain the documentation of the card from the manufacturer (NXP in this case) and the Prox'N'Roll developer's reference manual.

From the card's functional specifications, we can see that the memory is structured in 16 pages of 4 bytes. The four first pages (0-3) contain special bytes: so, we'll only cover pages 4 to 16.

STEP BY STEP PROCEDURE

The goal is to read and write the card memory.

READ BINARY

In the developer's reference manual, the READ BINARY instruction is described in §2.2.4 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: B0
  • P1: Address MSB
  • P2: Address LSB
  • Lc: not needed
  • Data in: not needed
  • Le: number of bytes to be read

The specifics to read Mifare Ultralight cards are detailed in §4.3.3.a (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the first page to be read
  • Le must a multiple of 4.

We want to read the whole memory, starting from page 4: this means we want to read 12 pages of 4 bytes, so 48 bytes (ie: 30 in hexadecimal).
So the APDU is :
FF B0 00 04 30

To send this APDU, please use our PC/SC Diagnostic tool, available on our main site (QuickStart for PC/SC).

Put the card on the reader: its ATR prints. To understand what this means, you can check §4.1.2 (at the time of this writing) in the developer's reference manual.

ATRNow, double-clic on the line corresponding to the reader and enter the above-mentioned APDU :

read_capduClic on Transmit, or press "Enter": the APDU is sent to the card and its response is printed in the bottom.

read_rapduThe card has obviously been previously written and the ASCII translation is provided: "Mifare Ultralight card, used with Prox'N'Roll".
Please note that the card's reponse ends with "90 00", which means success.

UPDATE BINARY

In the developer's reference manual, the UPDATE BINARY instruction is described in §2.2.5 at the time of this writing.

The APDU is :

  • CLA: FF
  • INS: D6
  • P1: Address MSB
  • P2: Address LSB
  • Lc: Lenght of Data In
  • Data in: Bytes to be written
  • Le: not needed

The specifics to write Mifare Ultralight cards are detailed in §4.3.3.b (at the time of this writing).
Here, we can see that :

  • P1 must be 00
  • P2 is the address of the unique page to be written
  • Le must be 4.

We want to replace "Prox'N'Roll" by "SpringCard" in the card memory, so we first have to determine which pages must be updated. Remember that Le must be 4 : this means that we can write exactely 4 bytes at a time (one page), no more, no less.

To determine the content of each page, just use the READ BINARY APDU.
For example, for page 12, the APDU should be : FF B0 00 0C 04

read_single_pageUsing those commands, we can see that:

  • content of page 12 (0x0C) is 68 20 50 72 (in ASCII : "h Pr")
  • content of page 13 (0x0D) is 6F 78 27 4E (in ASCII: "ox'N")
  • content of page 14 (0x0E) is 27 52 6F 6C (in ASCII: "'Rol")
  • content of page 15 (0x0F) is 6C 00 00 00 (in ASCII: "l" followed by invalid characters)

So, we'll need to change 4 pages : pages 12, 13, 14 and 15.

SpringCard in ASCII is : "53 70 72 69 6E 67 43 61 72 64"

The 4 APDUs (one for each page) should be:

  • page 12: FF D6 00 0C 04 68 20 53 70 (the first two bytes remain unchanged)
  • page 13: FF D6 00 0D 04 72 69 6E 67
  • page 14: FF D6 00 0E 04 43 61 72 64
  • page 15: FF D6 00 0F 04 00 00 00 00 (we replace the first byte)

Enter those APDUs and click on "Transmit" :

write_single_pageOperation is successful if the card answers 90 00.

Now, you can read back the whole memory, using FF B0 00 04 0C:

final_readWe can see that "Prox'N'Roll" has been replaced by "SpringCard" in the card memory.

 

 

PC/SC Troubleshooting on Windows

Following our PC/SC installation guide on Windows, you've installed the appropriate driver, and made sure the "Smart Card" service is running on your Windows computer.
But still, your PC/SC reader doens't appear on PC/SC Diagnostic.

Please first check in your device manager that your SpringCard PC/SC reader is properly installed (it should appear under Smart Card Reader).

Now, if the drivers are properly installed, the "Smart Card" service is running, but the reader doesn't show up on the diagnostic tool, the reason must be one of the following :

  1. A third party security-related software or single-login solution takes full control over the PC/SC subsystem
  2. The computer is either running in a virtual machine or in a remote session on a terminal server
  3. Access to PC/SC readers has been disabled by the corporate administrators through a group policy
  4. A driver from one of our competitors has corrupted the registry

For reasons 1 and 2, SpringCard cannot offer any help.

For reason 3 : you should try to run a copy of our PC/SC Diagnostic tool, located on the C: drive, being logged in as Administrator. If this works, your reader is properly installed.

For reason 4, the problem is in the registry permission for LOCAL_SERVICE :
Open the registry editor ("regedit") :

  1. Right-click on the key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Calais and select Permissions...
  2. Click Add.
  3. Click Advanced.
  4. Click Locations.
  5. Click on the computer name and click OK.
  6. In the window 'Select user or groups', click on Find now.
  7. Select LOCAL SERVICE.
  8. Click OK.
  9. In the window 'Select user or groups', click OK.
  10. In the window 'Permissions for Calais', click on LOCAL SERVICE and make sure 'Full control' , 'Read' and 'special permissions' are allowed.
  11. In the window "Advance Security Settings for Calais", deactivate the options "Inherit from parent the permission entries that apply to child objects..."
  12. When the window "Security" appears, click Copy.
  13. In the window "Advance Security Settings for Calais", activate the option "Replace permission entries on all child objects with entries shown here that apply to child objects" and click OK.
  14. In the window "Security" click Yes
  15. In the window "Permissions for Calais", click OK.

Restart the computer.

Accessing Reader's configuration from command line and in batch mode

All SpringCard PC/SC Readers feature a set of Configuration Registers that allow to alter the Reader behaviour to match a particular hardware setup or end-user requirement.

Editing the configuration is easy thanks to MultiConf, the new versatile configuration tool that covers all SpringCard products. But MultiConf is a GUI-application. When it comes to configuring numerous readers at once (with the same settings of course), a command-line tool, suitable to operate in batch mode, could be preferred.

This is typically the aim of pcscconf, a simple command-line utility (targetting Windows systems).

Getting started with pcscconf

Download pcscconf (and its companion tool pcscinfo) (ZIP)

Extract the ZIP archive in the directory of the choice. There are 3 files in the archive:

  • pcscconf.exe, the tool we'll be using
  • pcscinfo.exe, a software to retrieve all information regarding the connected readers (version, serial numbers, etc)
  • pcsctool.dll, the library that makes both software work.

Open a command-line box in the directory where you've extracted the archive, and at the prompt enter

pcscconf

pcscconf-1
pcscconf-2

Reading current configuration

Enter

pcscconf -d

to dump the current configuration.

pcscconf-3

It is also possible to enter

pcscconf -d <Filename>

to dump the configuration to a file. pcscconf uses the same file format as MultiConf.

If the file already exists, use

pcscconf -df <Filename>

to force the overwrite.

Changing a configuration register

Use syntax

pcscconf -s <RegisterAddress>=<RegisterValue>

 

pcscconf-4

To erase a register (i.e. restore product's default value), use syntax

pcscconf -s <RegisterAddress>

Applying a new configuration from a file

Use syntax

pcscconf -u <Filename>

to upload the configuration from the file into the reader.

There's no confirmation prompt or 'Are you sure' dialog box. Be sure to double-check the content of your file before uploading it into the reader.

pcscconf-5

Do not forget...

Changing a reader's configuration will change its behaviour! You're using this software at one risk. Always refer to the reader's detailed Developer's Guide or use MultiConf to choose the appropriate values.

Some registers play a special role and are therefore protected before delivery. This is the case of registers C0 and F0 to FF. Trying to write in one of these registers will always fail.

pcscconf targets the SpringCard PC/SC Readers only (and not the RFID Scanners, /RDR family and access control readers, nor the Legacy products).

pcscconf is able to work with only one PC/SC Reader at once. If you run pcscconf with two readers or more connected to your computer, the software will issue a warning and exit.

Introducing the new FunkyGate-IP NFC

SpringCard's technical team is proud to announce the launch of a new generation of contactless readers for high-end access control applications, the FunkyGate NFC family.

Using the same shell as previous generation's FunkyGate-DW (Dataclock, Wiegand and RS485 interfaces) and FunkyGate-SU (RS232 and USB interfaces), the FunkyGate NFC family introduces a brand-new member, the FunkyGate-IP NFC.

As the name suggests, the FunkyGate-IP NFC brings the power of TCP/IP up to the door or gate. A standard RJ45 plug connects the reader to any Ethernet LAN (10 or 100 Mbps). More than that, the FunkyGate-IP+POE NFC reader is powered directly by the network (Power Over Ethernet), thus removing the need for the classical 12V power cable.

The FunkyGate-IP+POE eases the job of wiring the building to before installing the access control system. With only a single Cat5e right to the door, the reader is operational as soon as it is plugged to the network.

The FunkyGate-IP+POE eases the job of wiring the building before installing the access control system. With only a single Cat5e right to the door, the reader is operational as soon as it is plugged to the network.

The FunkyGate-IP NFC and FunkyGate-IP+POE NFC readers take full benefit of SpringCard's know-how in all the various 13.56MHz protocols, and pave the way for a easier and wider use of NFC mobile phones in access control and identification applications.

SpringCard MultiConf is a new, versatile, configuration application for all SpringCard products. Define the FunkyGate-IP NFC's configuration, write this configuration into a Master Card, apply this Card to all the readers you want to configure, and voila!

SpringCard MultiConf is a new, versatile, configuration application for all SpringCard products. Define the FunkyGate-IP NFC's configuration, write this configuration into a Master Card, apply this Card to all the readers you want to configure, and voila!

Thanks to the 4 card processing templates -a concept shared with the Prox'N'Roll RFID Scanner and among all SpringCard standalone readers-, the FunkyGate-IP NFC is able to fetch virtually any data from current contactless cards and RFID tags.

The 'NFC' in the product's name denotes the exclusive ability to support new reading schemes based on NFC Forum's concepts :

  • Read an NDEF record stored on a NFC Tag and retrieve its data,
  • Receive an NDEF message from a mobile phone, using NFC Peer-to-peer technology (SNEP over LLCP, Push mode : PUT request from smartphone to reader),
  • Get data from a card-emulation application, possibly running on an Android system thanks to the HCE (Host Card Emulation) feature.
Thanks to Android's 4.4 HCE mode, the FunkyGate-IP is able to get an identifier or perform a transaction over the NFC smartphone, even in screen-off mode. (this is also an unusual selfie)

Thanks to Android's 4.4 HCE mode, the FunkyGate-IP is able to get an identifier or perform a transaction over the NFC smartphone, even in screen-off mode.
(this is also an unusual selfie)

When it comes to communication with the access control system (embedded control unit or computer running an access control server application), FunkyGate-IP NFC provides an efficient, low-overhead, fully secured communication protocol using TCP sockets and AES cipher for authentication, integrity and confidentiality.

An SDK will be released soon, together with a demo of an access control server application running on a small Linux system, typically a Raspberry Pi.

The reader also embeds a tiny HTTP server that makes it possible to develop a client application in no-time using high-level languages. A simple REST API exposes the reader's behaviour (basically controlling the LEDs and buzzer) and the card/tag numbers to the outer world.

An example setup of using the FunkyGate-IP in the cloud: the reader provides data using a REST API (HTTP request, JSON content). The demo application runs in the browser (JavaScript).

An example setup of using the FunkyGate-IP in the cloud: the reader provides data using a REST API (HTTP request, JSON content). The demo application runs in the browser (JavaScript).
(click the image to enlarge)

FunkyGate-IP NFC HTTP access (REST) demo-page

Using the FunkyGate-IP NFC through HTTP: a demo-page showing how to use the REST API from a JavaScript application (if you have a FunkyGate-IP, use the demo at www.springcard.com/goto/iwm2/

First batches of FunkyGate-IP NFC (and FunkyGate-IP+POE NFC) are already shipping to our early-adopters. Don't hesitate to contact us for a demo or to evaluate the product.

New documents and the SDK will be published on our web site in the oncoming weeks. In a second step, the E663, which is the core the FunkyGate-IP NFC is built on, will be offered to developers and integrators as a versatile Ethernet-based RFID/NFC OEM module. Stay tuned !

The FunkyGate-IP is built upon the new SpringCard E663 core. Supporting Ethernet and TCP/IP, this OEM RFID/NFC module could be the basis of new generation solutions that closes the gap between contactless smartcard technologies and today's cloud architectures.

The FunkyGate-IP is built upon the new SpringCard E663 core. Supporting Ethernet and TCP/IP, this OEM RFID/NFC module could be the basis of new generation solutions that closes the gap between contactless smartcard technologies and today's cloud architectures.

.

EAS management for ICODE SLI/SLI-X (standard, type S and type L)

ICODE SLI are ISO 15693 compliant but feature proprietary extensions not implemented in the reader's firmware. However, you can use those features in transparent mode. The following post will focus on EAS management with this type of tag. The function entries described are available in the CSB6 SDK.


EAS management in the different ICODE SLI types 

The way to access to the EAS field depend on the type of ICODE used. With ICODE SLI/SLI-X type L and S, EAS field can be password protected. Once password protected, a "set password" command must be sent to the card once in the RF field or if the password is modified. It will allow the execution of most of the other commands. This security is not available on classic ICODE SLI/SLI-X.


Transparent mode APDU structure

Most of the frames sent to the card contains :

Flags (1 byte) :
Those are detailed in the ISO 15693 documentation.

Command ID (1 byte) :
Allows to identify the type of command sent.

IC manufacturing code (1 byte) :
It refers to the tag type and is contained in the UID of the tag. For NXP Semiconductors, This code is 04h.

UID (8 bytes).

Some other fields are command specific and will be detailed below.


Command available in the SDK

*** AVAILABLE FOR ALL ICODE SLI TYPES ***

Set EAS
Available with void set_EAS(BYTE snr[8]);  
Set EAS status to 1.                                                                        

Reset EAS
Available with void reset_EAS(BYTE snr[8]); 
Set
 EAS status to 1.

Lock EAS
Available with void lock_EAS(BYTE snr[8]); 
This field is commented in the source code. Once locked, EAS cannot be modified anymore.

AVAILABLE FOR ICODE SLI/SLI-X S and L types

Protect EAS
Available with void protect_EAS(BYTE snr[8]);
This command allows to protect the EAS field with a password. Once set, this field cannot be changed and you will have to use the "set password" command to modify the EAS status.

Get random number
Available with short get_random_nb(BYTE snr[8], BYTE * rd_nb)      
It will request a 2 bytes randomly generated code required for a proper use of the "set password" command.

Set password
Available with void set_password(BYTE snr[8], BYTE password[4])
This command requires specific fileds : a password ID to inform the card of which fields are needed to be unlocked, and the previously stored password XOR two random numbers acquired with the "get random number" command.

ex :  if the last password was (00 00 00 00)h, and the last "get random number" command return you (0A 25)h, the 4 bytes to pass as command parameters will be (0A 25 0A 25)h.

Write password
Available with void write_password(BYTE snr[8], BYTE password[4])
Write a new password in the card (if the password field has not been locked).

Lock password
Available with void lock_password(BYTE snr[8])
This function is commented in the source code. Once locked, the password cannot be changed.


 About the reference application

The application manual is available via the executable call.
A simple [EXECUTABLE NAME] [COM] [HELP] will display the commands available.