
Analyze card structure

If you want the reader to autonomously read a programmed card number (PCN) e.g. in a file, sector, or segment of the card, you can analyze the structure of a sample card to collect the info needed to configure the reader.

This works for the most important 13.56 MHz card types:

  • LEGIC
  • MIFARE DESFire
  • MIFARE Classic
  • MIFARE Plus

Equipment & requirements

  • Any ToolSuite version
  • Reader: We recommend ID-engine ZB Brick or ACCESS200

    Legacy readers with a firmware ID other than 1100 will not work.

View card structure

  1. Connect a test reader to your computer.

    If you have an Ethernet reader: To work with BALTECH tools, an Ethernet reader must be unconfigured, or the required permissions must be granted in the PKI Authentication and Encryption settings.

  2. Open BALTECH ID-engine Explorer.
    If you haven't installed it yet, you can download it here as part of BALTECH ToolSuite.

  3. At the top left, click Analyze Sample Card.

    Screenshot: Button "Analyze Sample Card" in BALTECH ID-engine Explorer

  4. Place the card you want to analyze on the reader.
    It will be shown in the dialog including card type and UID.

  5. Click the card.

    Screenshot: Preview of an example 13.56 MHz card in BALTECH ID-engine Explorer

A tree view opens, showing the card's memory structure.
Are there sections marked with Access denied? Then first identify the encryption keys you need. Otherwise, continue by looking for relevant data on the card.

Try encryption keys

Locations marked with Access denied are encrypted, so one or more encryption keys may be necessary to access them. If you don't know the keys, please ask your project owner/card issuer. In BALTECH ID-engine Explorer, you can try the keys to explore the card's entire memory and find out which keys you need for your project.

To try encryption keys in BALTECH ID-engine Explorer:

  1. Open the tree view of the card's memory (see above).
  2. In the Known Key of Card (hex) field, enter a key and click Try Key.

    Screenshot: Try an encryption key in BALTECH ID-engine Explorer

  3. If it works, the decrypted location will expand in the tree view, and you can now start looking for the relevant data as described below.
    The key will be shown in plain text in the tree view.

You can also add multiple keys, and BALTECH ID-engine Explorer will try them for all storage locations on the card. This means that you don't have to know which key fits where.

All keys will be added to the Entered Keys, so you can always see which ones you've already tried.

If you switch cards, BALTECH ID-engine Explorer remembers the Entered Keys and will try them for the new card, too. The keys will be removed when you close the application.

Screenshot: Encryption key entered in BALTECH ID-engine Explorer

Look for PCN

Where to look for the PCN depends on the card type. Here's how it works for the most common ones:

LEGIC

Structure

Memory is structured by segments. The content of each segment consists of the following:

  • Stamp: This is the identifier of the application. On LEGIC advant cards, the stamp is highlighted in bold.
    On LEGIC prime cards, stamps can't be highlighted. However, most LEGIC prime cards use a "Kaba Group Header": In this case the first 4 bytes of a segment are the stamp.

    Screenshot: Stamp of a LEGIC advant card shown in BALTECH ID-engine Explorer

  • Payload: This is the part of the content where data is stored. It starts right after the stamp.

    Screenshot: Example content of a LEGIC card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

  • If you find the PCN as it is, it's encoded in BCD.

    On LEGIC prime cards with Kaba Group Header, the PCN is usually BCD-encoded and covers the 3 bytes after the stamp.

  • Otherwise, please follow these steps to find a PCN with different encoding.

Info needed to configure the RFID interface

  • Segment stamp, e.g. AD FF 01, or segment number, e.g. 1
  • PCN start position, i.e. number of starting byte
  • PCN length, i.e. length in bytes.
    A byte is a pair of 2 characters.

    Start counting the bytes from the stamp.
    Example: If the stamp covers bytes no. 0, 1, and 2, then the first byte of the payload is byte no. 3.

  • Encoding, e.g. BCD

Specify this info in the RFID interface component of your configuration.
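
The byte-counting rule above, as an added example (not BALTECH's code): it searches a segment's hex content for a known PCN and reports the start position and length to configure, counted from the first byte of the stamp. Besides BCD it also tries ASCII and big-endian binary, which goes beyond the case described here; the function names and sample segment are constructed for illustration.

```python
"""Locate a known PCN in LEGIC segment content (constructed sample data)."""

def bcd_encode(pcn):
    """BCD: one decimal digit per nibble, left-padded with 0 to whole bytes."""
    if not pcn.isdigit():
        raise ValueError("PCN must consist of decimal digits only")
    if len(pcn) % 2:
        pcn = "0" + pcn
    return bytes.fromhex(pcn)

def candidate_encodings(pcn):
    """Encodings to try. ASCII and binary are assumptions added for this example."""
    n = int(pcn)
    binary = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return {
        "BCD": bcd_encode(pcn),
        "ASCII": pcn.encode("ascii"),
        "Binary (big-endian)": binary,
    }

def find_pcn(segment_hex, pcn, stamp_len):
    """Return (encoding, start, length) hits.

    segment_hex: stamp plus payload as shown in a hex view, e.g. "AD FF 01 ...".
    start is counted from byte 0 of the stamp, so the first payload byte
    has the number stamp_len.
    """
    segment = bytes.fromhex(segment_hex)  # whitespace between bytes is skipped
    hits = []
    for name, needle in candidate_encodings(pcn).items():
        pos = segment.find(needle, stamp_len)  # search the payload only
        while pos != -1:
            hits.append((name, pos, len(needle)))
            pos = segment.find(needle, pos + 1)
    return hits

# Constructed sample: 3-byte stamp AD FF 01, PCN 123456 stored in BCD.
SAMPLE_SEGMENT = "AD FF 01 00 12 34 56 00 00"

if __name__ == "__main__":
    for encoding, start, length in find_pcn(SAMPLE_SEGMENT, "123456", stamp_len=3):
        print(f"Encoding: {encoding}, start byte: {start}, length: {length} bytes")
```

Enter the PCN with the leading zeros it has on the card: "004711" matches a 3-byte BCD field, while "4711" would only match the last 2 bytes of it.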

MIFARE DESFire

Structure

Memory is structured by applications and files.
Screenshot: Applications and files on a MIFARE DESFire card shown in BALTECH ID-engine Explorer

Once you've decrypted a file, you can see its content for each byte.
Screenshot: Content of a file on a MIFARE DESFire card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

Info needed to configure the RFID interface

  • Application ID (AID), e.g. AD0001
  • File number (File No) without leading zeros, e.g. 3
  • PCN start position, i.e. number of starting byte
  • PCN length, i.e. length in bytes.
    A byte is a pair of 2 characters.
  • Encoding, e.g. BCD
  • The key to read the file: key number, key in cleartext

    For security reasons, please only use the Read Access key, i.e. the key that gives you the minimum permissions needed.

  • Application Crypto Method, e.g. AES

  • Communication Settings, e.g. Encrypted

Specify this info in the RFID interface component of your configuration.

MIFARE Classic/Plus

Structure

On cards with a MAD (MIFARE Application Directory) displayed in plain text, you can see a list of AIDs (Application IDs). Each application associates an AID with a list of sectors. Use these AIDs to identify the relevant sector on the card.

On cards without a MAD, you only see the sectors. Here, you can use the sector number as a fallback to identify the sector.

Each sector (or each group of sectors in case of a MAD) consists of blocks. Each block is 16 bytes in size. This is where the data is stored. An exception is the last block of each sector, referred to as the sector trailer: It contains keys A and B as well as access rights.

Screenshot: A MIFARE Classic card with a MAD shown in BALTECH ID-engine Explorer

Screenshot: A MIFARE Classic card without a MAD shown in BALTECH ID-engine Explorer

Once you've decrypted a block, you can see its content for each byte.
Screenshot: Content of a block on a MIFARE Classic card shown in BALTECH ID-engine Explorer

Find PCN

In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:

Info needed to configure the RFID interface

  • Application ID (AID), e.g. "48 44", or sector number, e.g. 0
  • Number of block within sector, e.g. 1

    Please use the number shown in brackets.

  • PCN start position, i.e. number of starting byte

  • PCN length, i.e. length in bytes.
    A byte is a pair of 2 characters.
  • Encoding, e.g. BCD
  • Key to read the data: Key A or Key B in cleartext

    For security reasons, please use the key that gives you read access only, i.e. the minimum permissions needed.

Specify this info in the RFID interface component of your configuration.
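
To decide which key gives read access only, the access rights in the sector trailer can be decoded. The following is an added example, not BALTECH's code: it assumes a MIFARE Classic sector with 4 blocks and the 16 trailer bytes given as hex; the function names and sample trailers are constructed.

```python
"""Decode MIFARE Classic access rights to pick a read-only key (added example)."""

# (C1, C2, C3) -> (keys that may read, keys that may write/increment/decrement)
# for data blocks, following the access condition table of the MIFARE Classic datasheet.
DATA_BLOCK_RIGHTS = {
    (0, 0, 0): ("AB", "AB"), (0, 1, 0): ("AB", ""), (1, 0, 0): ("AB", "B"),
    (1, 1, 0): ("AB", "AB"), (0, 0, 1): ("AB", "AB"), (0, 1, 1): ("B", "B"),
    (1, 0, 1): ("B", ""), (1, 1, 1): ("", ""),
}
# Trailer conditions under which Key B is readable and cannot be used to authenticate.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}

def access_bits(trailer_hex, block):
    """Return (C1, C2, C3) for block 0..3 of the sector; block 3 is the trailer."""
    t = bytes.fromhex(trailer_hex)
    if len(t) != 16:
        raise ValueError("a sector trailer is 16 bytes")
    b6, b7, b8 = t[6], t[7], t[8]
    c1 = (b7 >> (4 + block)) & 1
    c2 = (b8 >> block) & 1
    c3 = (b8 >> (4 + block)) & 1
    # Each bit is stored a second time, inverted; a mismatch means a corrupt trailer.
    inverted = ((b6 >> block) & 1, (b6 >> (4 + block)) & 1, (b7 >> block) & 1)
    if inverted != (c1 ^ 1, c2 ^ 1, c3 ^ 1):
        raise ValueError("access bits and their inverted copy disagree")
    return (c1, c2, c3)

def read_key_choice(trailer_hex, block):
    """Report which keys can read a data block and which of them cannot modify it."""
    read, modify = DATA_BLOCK_RIGHTS[access_bits(trailer_hex, block)]
    if access_bits(trailer_hex, 3) in KEY_B_READABLE:
        read, modify = read.replace("B", ""), modify.replace("B", "")
    read_only = [k for k in read if k not in modify]
    recommended = (read_only or list(read) or [None])[0]
    return {"can_read": list(read), "read_only": read_only, "recommended": recommended}

# Constructed trailers: keys blanked to zeros, access bits 78 77 88 and FF 07 80.
TRAILER_RESTRICTED = "000000000000" "787788" "69" "000000000000"
TRAILER_TRANSPORT = "000000000000" "FF0780" "69" "000000000000"

if __name__ == "__main__":
    print(read_key_choice(TRAILER_RESTRICTED, 1))
    print(read_key_choice(TRAILER_TRANSPORT, 1))
```

With access bits 78 77 88, Key A reads the block but cannot change it, so it is the key to put into the reader configuration; with FF 07 80, no key is read-only.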
