OSDP specification
Open Supervised Device Protocol (OSDP) is an access control communications standard maintained by the Security Industry Association (SIA). This page describes how we've implemented the official OSDP specification in our reader firmware. Currently, we support version 2.1.7. Make sure you're familiar with the specification because the documentation below refers to it.
Supported hardware
OSDP is supported by BALTECH ACCESS200 readers. They include the following components:
- Tamper switch
  The firmware monitors the tamper switch and sends tamper alarm notifications as osdp_ACK replies.
- Brownout detection
  The firmware provides brownout monitoring and sends notifications as osdp_ACK replies.
- Relay
  It is controlled by output 0.
- 1 tri-color LED (red/green/blue)
- 1 beeper
Operation mode
OSDP requires our readers to run in Autoread mode. All other operation modes are not supported.
Supported commands
Command | Value | Meaning | Data |
---|---|---|---|
osdp_POLL | 0x60 | Poll | None |
osdp_ID | 0x61 | ID Report Request | ID type |
osdp_CAP | 0x62 | PD Capabilities Request | Reply type |
osdp_LSTAT | 0x64 | Local Status Report Request | None |
osdp_OSTAT | 0x66 | Output Status Report Request | None |
osdp_RSTAT | 0x67 | Reader Status Report Request | None |
osdp_OUT | 0x68 | Output Control Command | Output settings |
osdp_LED | 0x69 | Reader Led Control Command | LED settings |
osdp_BUZ | 0x6A | Reader Buzzer Control Command | Buzzer settings |
osdp_COMSET | 0x6E | PD Communication Configuration Command | Com settings |
osdp_KEYSET | 0x75 | Encryption Key Set Command | Encryption key |
osdp_CHLNG | 0x76 | Challenge and Secure Session Initialization Request | Challenge data |
osdp_SCRYPT | 0x77 | Server Cryptogram | Encryption data |
osdp_MFG | 0x80 | Manufacturer Specific Command | Any |
Supported replies
Reply | Value | Meaning | Data |
---|---|---|---|
osdp_ACK | 0x40 | Command accepted, nothing else to report | None |
osdp_NACK | 0x41 | Command not processed | Reason for rejecting command |
osdp_PDID | 0x45 | PD ID Report | Report data |
osdp_PDCAP | 0x46 | PD Capabilities Report | Report data |
osdp_LSTATR | 0x48 | Local Status Report | Report data |
osdp_OSTATR | 0x4A | Output Status Report | Report data |
osdp_RSTATR | 0x4B | Reader Status Report | Report data |
osdp_RAW | 0x50 | Reader Data - Raw bit image of card data | Card data |
osdp_FMT | 0x51 | Reader Data - Formatted character stream | Card data |
osdp_KEYPAD | 0x53 | Keypad Data | Keypad data |
osdp_COM | 0x54 | PD Communications Configuration Report | Comm data |
osdp_CCRYPT | 0x76 | Client's ID, Random Number, and Cryptogram | Encryption data |
osdp_RMAC_I | 0x78 | Initial R-MAC | Encryption data |
osdp_BUSY | 0x79 | PD is Busy reply | None |
osdp_MFGREP | 0x90 | Manufacturer Specific Reply | Any |
Exchange BRP frames
You can send BRP commands to the reader using the manufacturer specific command osdp_MFG (see chapter 3.20 in the OSDP specification). The BRP command frame is transmitted as command specific data (bytes 4-n). The reader will respond with an osdp_MFGREP reply. The BRP response frame is transmitted as reply specific data (bytes 4-n).
For BRP security, you can implement AES authentication and encryption with strongly scalable access conditions. To send secured OSDP messages, you have to authenticate via security level 1 by default. Unsecured OSDP messages will be sent via an unencrypted connection.
Enable OSDP and set bus address
By default, ACCESS200 readers have Wiegand enabled. You can switch to OSDP by setting a bus address on each reader. Options to do so are described here.
Configuration
Below, you'll find a description of the configuration values and their default settings. To make changes, you have the following possibilities:
- Use the host interface component for OSDP in BALTECH ConfigEditor.
  Where this is possible, the corresponding option in the component is indicated.
- Order a custom configuration.
- Change the value via the OSDP controller if you create your own one.
Bus address
- Configuration value: Address
- Default: 0
To set a bus address, see section Enable OSDP and set bus address.
Baud rate
- Configuration value: BaudRate
  This value corresponds to the Baud Rate option in the host interface component of BALTECH ConfigEditor.
- Default: 9600
Inter-character timeout
- Configuration value: CharTimeOut
- Default: 20 ms
OSDP message type
- Configuration value: DataMode
- Default: BitstreamRaw (corresponds to the OSDP message type osdp_RAW)
Host message format
The reader converts data read from the card to ASCII decimal. If the host expects a different format, the reader reconverts the ASCII data to that format (learn more).
- Configuration value: HostMsgFormatTemplate
- Default: Binary
This default setting matches the default message type osdp_RAW (i.e. DataMode set to BitstreamRaw or BitstreamWiegand). It's automatically set when OSDP is enabled.
If the message type is changed to osdp_FMT (i.e. DataMode is set to Ascii), HostMsgFormatTemplate must be disabled.
Protocol encryption
This configuration value is needed to enable encryption as described in Appendix D of the OSDP specification. You can use it to enable install and/or secure mode.
- Configuration value: SecureInstallMode (reflects version 2 of the OSDP specification)
  This value corresponds to the Spec Compliance option in the host interface component of BALTECH ConfigEditor.
- Default: Communication without security (reflects version 1 of the OSDP specification)
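With the default above, card and keypad replies cross the bus unencrypted. The following added example (not BALTECH code) checks captured OSDP frames and flags sensitive commands and replies from the tables on this page that are not carried in an encrypted security block. The frame layout, CRC parameters and SCS_17/SCS_18 block types come from the OSDP specification rather than this page; all sample frames are constructed, and only CRC-16 frames are handled.

```python
import struct

SOM = 0x53
# Codes from the tables on this page whose data field is sensitive.
SENSITIVE = {(True, 0x50): "osdp_RAW", (True, 0x51): "osdp_FMT",
             (True, 0x53): "osdp_KEYPAD", (False, 0x75): "osdp_KEYSET"}

def crc16(data):
    """OSDP CRC-16: polynomial 0x1021, initial value 0x1D0F."""
    crc = 0x1D0F
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def build_frame(addr, seq, code, data=b"", scb=b"", reply=False):
    """Build a CRC-protected frame (used only to construct sample input)."""
    ctrl = (seq & 3) | 0x04 | (0x08 if scb else 0)
    length = 5 + len(scb) + 1 + len(data) + 2
    head = struct.pack("<BBHB", SOM, addr | (0x80 if reply else 0), length, ctrl)
    body = head + scb + bytes([code]) + data
    return body + struct.pack("<H", crc16(body))

def inspect(frame):
    """Validate one frame and report whether sensitive data is sent in clear."""
    if len(frame) < 8 or frame[0] != SOM:
        raise ValueError("not an OSDP frame")
    _, addr, length, ctrl = struct.unpack_from("<BBHB", frame)
    if length != len(frame) or not ctrl & 0x04:
        raise ValueError("length mismatch or checksum-only frame (not handled)")
    if crc16(frame[:-2]) != struct.unpack_from("<H", frame, length - 2)[0]:
        raise ValueError("bad CRC")
    pos, scs = 5, None
    if ctrl & 0x08:                         # security control block present
        blk_len = frame[pos]                # SEC_BLK_LEN counts itself and the type
        if blk_len < 2 or pos + blk_len > length - 3:
            raise ValueError("bad security block length")
        scs, pos = frame[pos + 1], pos + blk_len
    is_reply, code = bool(addr & 0x80), frame[pos]
    name = SENSITIVE.get((is_reply, code))
    encrypted = scs in (0x17, 0x18)         # SCS_17/SCS_18: data field encrypted
    return {"addr": addr & 0x7F, "reply": is_reply, "code": code,
            "name": name, "exposed": name is not None and not encrypted}

# Constructed samples: clear 26-bit read, same reply under SCS_18 (dummy payload), osdp_POLL.
CARD = bytes([0x00, 0x00, 26, 0x00, 0xA5, 0x5A, 0xC3, 0x40])
SAMPLES = [build_frame(0, 1, 0x50, CARD, reply=True),
           build_frame(0, 2, 0x50, bytes(20), scb=b"\x02\x18", reply=True),
           build_frame(0, 3, 0x60)]
```

Running `inspect` over `SAMPLES` marks only the first frame as exposed; a reader that still produces such frames after secure mode was configured has not established a secure channel.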
Default Secure Channel Base Key (SCBK-D)
- Configuration value: SCBKeyDefault
- Default: 0x30..0x3F
The value is read protected and is applied in conjunction with OSDP protocol encryption. You can change this value to a different SCBK-D. To do so, you can specify a diversified or non-diversified key. In the latter case, set the parameter DiversifyFlag to WillBeDiversified. The reader will then diversify the key according to Appendix D.4.1 of the OSDP specification (v2.1.7) and delete the non-diversified key afterwards.
Secure Channel Base Key (SCBK)
- Configuration value: SCBKey
- Default: none; communication is unencrypted
This configuration value stores the SCBK once you've deployed it. The value is read protected and is applied in conjunction with OSDP protocol encryption.
To deploy the SCBK, you have 2 options:
- OSDP install mode
  Enable install mode, authenticate with the SCBK-D and deploy the (diversified) SCBK. After the SCBK has been deployed, install mode is automatically terminated.
- BALTECH ConfigCard
  Alternatively, you can use a BALTECH ConfigCard to deploy an SCBK. If you want the SCBK to be diversified, set the parameter DiversifyFlag to WillBeDiversified. The reader will then diversify the key according to Appendix D.4.1 of the OSDP specification (v2.1.7) and delete the non-diversified key afterwards.
Firmware upgrades
When upgrading the reader firmware via the OSDP controller, you need to deploy the new firmware version in BEC2 format, i.e. packaged with a configuration.
This feature requires firmware 1100 v2.00.06 or above.
Do not use a BF2 or BF3 file: Deploying these files will require you to do a factory reset first, which deletes the reader's bus address and makes any further communication with the reader impossible.