Analyze card structure

Here's how you can analyze the structure of your project cards to find the PCN you want to read from them.

This works for the most important 13.56 MHz card types:

  • LEGIC
  • MIFARE DESFire
  • MIFARE Classic
  • MIFARE Plus

View card structure

  1. Connect a test reader to your computer.
  2. Open BALTECH ID-engine Explorer.

    If you haven't installed it yet, you can download it here as part of BALTECH ToolSuite.

  3. Click the reader, then click Select.

    • If several interfaces are shown for the reader, please select HID.
    • Connecting an Ethernet reader currently only works in maintenance mode or with PKI encryption (learn more).

    Screenshot: Select a reader in BALTECH ID-engine Explorer

  4. Place the card you want to analyze on the reader.
    It will be shown in the upper part of the window, including card type and UID.

    Screenshot: Preview of an example 13.56 MHz card in BALTECH ID-engine Explorer

  5. Click the card.

A tree view opens, showing the card's memory structure.
Are there sections marked with Access denied? Then first identify the encryption keys you need. Otherwise, continue by looking for relevant data on the card.

Try encryption keys

Locations marked with Access denied are encrypted, so one or more encryption keys may be necessary to access them. If you don't know the keys, please ask your project owner/card issuer. In BALTECH ID-engine Explorer, you can try the keys to explore the card's entire memory and find out which keys you need for your project.

To try encryption keys in BALTECH ID-engine Explorer:

  1. Open the tree view of the card's memory (see above).
  2. In the Known Key of Card (hex) field, enter a key and click Try Key.

    Screenshot: Try an encryption key in BALTECH ID-engine Explorer

  3. If it works, the decrypted location will expand in the tree view, and you can now start looking for the relevant data as described below.
    The key will be shown in plain text in the tree view.

You can also add multiple keys, and BALTECH ID-engine Explorer will try them for all storage locations on the card. This means that you don't have to know which key fits where.

All keys will be added to the Entered Keys, so you can always see which ones you've already tried.

If you switch cards, BALTECH ID-engine Explorer remembers the Entered Keys and will try them for the new card, too. The keys will be removed when you close the application.

Screenshot: Encryption key entered in BALTECH ID-engine Explorer

Look for PCN

Where to look for the PCN depends on the card type. Here's how it works for the most common ones:

LEGIC

Structure

Memory is structured by segments. The content of each segment consists of the following:

  • Stamp: This is the identifier of the application. On LEGIC advant cards, the stamp is highlighted in bold.
    On LEGIC prime cards, stamps can't be highlighted. However, most LEGIC prime cards use a "Kaba Group Header": In this case the first 4 bytes of a segment are the stamp.

    Screenshot: Stamp of a LEGIC advant card shown in BALTECH ID-engine Explorer

  • Payload: This is the part of the content where data is stored. It starts right after the stamp.

    Screenshot: Example content of a LEGIC card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

  • If you find the PCN as it is, it's encoded in BCD.

    On LEGIC prime cards with Kaba Group Header, the PCN is usually BCD-encoded and covers the 3 bytes after the stamp.

  • Otherwise, please follow these steps to find a PCN with different encoding.

Info needed for project settings

  • Segment stamp, e.g. AD FF 01, or segment number, e.g. 1
  • Address of PCN in the segment, i.e. number of starting byte and byte length.
    A byte is a pair of 2 characters.

    Start counting the bytes from the stamp.
    Example: If the stamp covers bytes no. 0, 1, and 2, then the first byte of the payload is byte no. 3.

  • Encoding, e.g. BCD

Once you have all the info, you can add project settings to your configuration.
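
The byte addressing described above, as an added example (not BALTECH code): a Python helper that searches a segment's hex content, as copied from the tree view, for a known PCN and reports the starting byte and byte length counted from the stamp. The sample segments are constructed, and the binary and ASCII encodings are assumed candidates; the page itself names only BCD.

```python
"""Locate a known PCN inside a segment's hex content (constructed samples)."""

def parse_hex(dump: str) -> bytes:
    # Accepts "AD FF 01 12 34 56" as well as "ADFF01123456".
    return bytes.fromhex(dump.replace(" ", ""))

def candidate_encodings(pcn: str) -> dict:
    """Encode the printed decimal PCN in the ways it might be stored.
    Only BCD is named on the page; the others are assumed candidates."""
    digits = pcn if len(pcn) % 2 == 0 else "0" + pcn  # BCD: 2 digits per byte
    value = int(pcn)
    width = max(1, (value.bit_length() + 7) // 8)
    return {
        "BCD": bytes.fromhex(digits),
        "binary (MSB first)": value.to_bytes(width, "big"),
        "binary (LSB first)": value.to_bytes(width, "little"),
        "ASCII": pcn.encode("ascii"),
    }

def find_pcn(segment_hex: str, pcn: str, stamp_len: int) -> list:
    """Return (encoding, start_byte, byte_length) for every match.
    Byte 0 is the first stamp byte, so the payload starts at stamp_len."""
    data = parse_hex(segment_hex)
    hits = []
    for name, needle in candidate_encodings(pcn).items():
        pos = data.find(needle, stamp_len)  # never match inside the stamp
        while pos != -1:
            hits.append((name, pos, len(needle)))
            pos = data.find(needle, pos + 1)
    return hits

# Constructed segments: 3-byte stamp AD FF 01 followed by payload bytes.
SAMPLE_BCD = "AD FF 01 12 34 56 00 00"     # PCN 123456 stored as BCD
SAMPLE_BINARY = "AD FF 01 00 01 E2 40 FF"  # PCN 123456 stored as 0x01E240

if __name__ == "__main__":
    for sample in (SAMPLE_BCD, SAMPLE_BINARY):
        for encoding, start, length in find_pcn(sample, "123456", stamp_len=3):
            print(f"{sample}: {encoding}, start byte {start}, length {length}")
```

A match on a short PCN (one or two bytes) can be coincidental, so confirm the address with a second card that carries a different PCN.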

MIFARE DESFire

Structure

Memory is structured by applications and files.
Screenshot: Applications and files on a MIFARE DESFire card shown in BALTECH ID-engine Explorer

Once you've decrypted a file, you can see its content for each byte.
Screenshot: Content of a file on a MIFARE DESFire card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

Info needed for project settings

  • Application ID (AID), e.g. AD0001
  • File number (File No) without leading zeros, e.g. 3
  • Address of PCN in the file: number of starting byte and byte length.
    A byte is a pair of 2 characters.
  • Encoding, e.g. BCD
  • The key to read the file: key number, key in cleartext

    For security reasons, please only use the Read Access key, i.e. the key that gives you the minimum permissions needed.

  • Application Crypto Method, e.g. AES

  • Communication Settings, e.g. Encrypted

Once you have all the info, you can add project settings to your configuration.

MIFARE Classic/Plus

Structure

On cards with a MAD (MIFARE Application Directory) displayed in plain text, you can see a list of AIDs (Application IDs). Each application associates an AID with a list of sectors. Use these AIDs to identify the relevant sector on the card.

On cards without a MAD, you only see the sectors. Here, you can use the sector number as a fallback to identify the sector.

Each sector (or each group of sectors in case of a MAD) consists of blocks. Each block is 16 bytes in size. This is where the data is stored. (An exception is the last block of each sector: it contains keys and access rights.)

Screenshot: A MIFARE Classic card with a MAD shown in BALTECH ID-engine Explorer
Screenshot: A MIFARE Classic card without a MAD shown in BALTECH ID-engine Explorer

Once you've decrypted a block, you can see its content for each byte.
Screenshot: Content of a block on a MIFARE Classic card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

Info needed for project settings

  • Application ID (AID), e.g. "48 44", or sector number, e.g. 0
  • Block number, e.g. 1

    Please use the number shown in brackets.

  • Address of PCN in the block, i.e. number of starting byte and byte length.
    A byte is a pair of 2 characters.

  • Encoding, e.g. BCD
  • The key to read the data: Key A or Key B in cleartext

    For security reasons, please use the key that gives you read access only, i.e. the minimum permissions needed.

Once you have all the info, you can add project settings to your configuration.