Analyze card structure
If you want the reader to autonomously read a programmed card number (PCN), e.g. from a file, sector, or segment of the card, you can analyze the structure of a sample card to collect the info needed to configure the reader.
This works for the most important 13.56 MHz card types:
- LEGIC
- MIFARE DESFire
- MIFARE Classic
- MIFARE Plus
Equipment & requirements
- Any ToolSuite version
- Reader: We recommend ID-engine ZB Brick or ACCESS200.
  Legacy readers with a firmware ID other than 1100 will not work.
View card structure
- Connect a test reader to your computer.
- Open BALTECH ID-engine Explorer.
  If you haven't installed it yet, you can download it as part of BALTECH ToolSuite.
- At the top left, click Analyze Sample Card.
- Place the card you want to analyze on the reader.
  It will be shown in the dialog including card type and UID.
- Click the card.
  A tree view opens, showing the card's memory structure.
Are there sections marked with Access denied? Then first identify the encryption keys you need.
Otherwise, continue by looking for relevant data on the card.
Try encryption keys
Locations marked with Access denied are encrypted, so one or more encryption keys may be necessary to access them. If you don't know the keys, please ask your project owner/card issuer. In BALTECH ID-engine Explorer, you can try the keys to explore the card's entire memory and find out which keys you need for your project.
To try encryption keys in BALTECH ID-engine Explorer:
- Open the tree view of the card's memory (see above).
- In the Known Key of Card (hex) field, enter a key and click Try Key.
- If it works, the decrypted location will expand in the tree view, and you can now start looking for the relevant data as described below.
  The key will be shown in plain text in the tree view.
You can also add multiple keys, and BALTECH ID-engine Explorer will try them for all storage locations on the card. This means that you don't have to know which key fits where.
All keys will be added to the Entered Keys, so you can always see which ones you've already tried.
If you switch cards, BALTECH ID-engine Explorer remembers the Entered Keys and will try them for the new card, too. The keys will be removed when you close the application.
Look for PCN
Where to look for the PCN depends on the card type. Here's how it works for the most common ones:
LEGIC
Structure
Memory is structured by segments. The content of each segment consists of the following:
- Stamp: This is the identifier of the application.
  On LEGIC advant cards, the stamp is highlighted in bold.
  On LEGIC prime cards, stamps can't be highlighted. However, most LEGIC prime cards use a "Kaba Group Header": in this case, the first 4 bytes of a segment are the stamp.
- Payload: This is the part of the content where data is stored. It starts right after the stamp.
Find PCN
In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:
- If you find the PCN as it is, it's encoded in BCD.
  On LEGIC prime cards with Kaba Group Header, the PCN is usually BCD-encoded and covers the 3 bytes after the stamp.
- Otherwise, please follow these steps to find a PCN with different encoding.
Info needed to configure the RFID interface
- Segment stamp, e.g. AD FF 01, or segment number, e.g. 1
- PCN start position, i.e. number of starting byte
- PCN length, i.e. length in bytes.
  A byte is a pair of 2 characters. Start counting the bytes from the stamp.
  Example: If the stamp covers bytes no. 0, 1, and 2, then the first byte of the payload is byte no. 3.
- Encoding, e.g. BCD
Specify this info in the RFID interface component of your configuration.
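The byte-counting rule above can be checked offline before the values go into a configuration. This is an added example, not BALTECH code: the function names and the sample segment content are constructed, and an odd-length PCN is assumed to be stored with a leading 0 nibble.

```python
# Added example: locate and decode a BCD-encoded PCN in a segment's content.
# All sample values below are constructed, not taken from a real card.

def locate_bcd_pcn(content_hex: str, printed_pcn: str) -> tuple[int, int]:
    """Return (start, length) in bytes, counting from byte 0 of the stamp."""
    if not (printed_pcn.isascii() and printed_pcn.isdigit()):
        raise ValueError("printed PCN must consist of decimal digits")
    digits = bytes.fromhex(content_hex).hex()  # normalises spaces and case
    # Assumption: an odd number of digits is stored with a leading 0 nibble.
    needle = printed_pcn if len(printed_pcn) % 2 == 0 else "0" + printed_pcn
    # Step by 2 characters so a match always starts on a byte boundary.
    hits = [i // 2 for i in range(0, len(digits) - len(needle) + 1, 2)
            if digits.startswith(needle, i)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    return hits[0], len(needle) // 2


def extract_bcd_pcn(content_hex: str, stamp_hex: str, start: int, length: int) -> str:
    """Read the PCN the way the collected configuration values describe it."""
    content, stamp = bytes.fromhex(content_hex), bytes.fromhex(stamp_hex)
    if not content.startswith(stamp):
        raise ValueError("segment does not begin with the expected stamp")
    if start < len(stamp):
        raise ValueError("PCN start position lies inside the stamp")
    field = content[start:start + length]
    if len(field) != length:
        raise ValueError("PCN range runs past the end of the segment")
    pcn = field.hex()
    if not pcn.isdigit():  # a nibble A-F means the field is not BCD
        raise ValueError("field is not BCD-encoded")
    return pcn


SAMPLE_CONTENT = "AD FF 01 00 12 34 56 FF"  # constructed: 3-byte stamp + payload
SAMPLE_STAMP = "AD FF 01"

if __name__ == "__main__":
    start, length = locate_bcd_pcn(SAMPLE_CONTENT, "123456")
    print(start, length, extract_bcd_pcn(SAMPLE_CONTENT, SAMPLE_STAMP, start, length))
```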
MIFARE DESFire
Structure
Memory is structured by applications and files.
Once you've decrypted a file, you can see its content for each byte.
Find PCN
In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:
- If you find the PCN as it is, it's encoded in BCD.
- Otherwise, please follow these steps to find a PCN with different encoding.
Info needed to configure the RFID interface
- Application ID (AID), e.g. AD0001
- File number (File No), e.g. 3
- PCN start position, i.e. number of starting byte
- PCN length, i.e. length in bytes.
  A byte is a pair of 2 characters.
- Encoding, e.g. BCD
- The key to read the file: key number, key in cleartext
  For security reasons, please only use the Read Access key, i.e. the key that gives you the minimum permissions needed.
- Application Crypto Method, e.g. AES
- Communication Settings, e.g. Encrypted
Specify this info in the RFID interface component of your configuration.
MIFARE Classic/Plus
Structure
On cards with a MAD (MIFARE Application Directory) displayed in plain text, you can see a list of AIDs (Application IDs). Each application associates an AID with a list of sectors. Use these AIDs to identify the relevant sector on the card.
On cards without a MAD, you only see the sectors. Here, you can use the sector number as a fallback to identify the sector.
Each sector (or each group of sectors in case of a MAD) consists of blocks. Each block is 16 bytes in size. This is where the data is stored. An exception is the last block of each sector, referred to as the sector trailer: It contains keys A and B as well as access rights.
Once you've decrypted a block, you can see its content for each byte.
Find PCN
In the Content sections, look for the PCN. It may be displayed in various ways depending on its encoding:
- If you find the PCN as it is, it's encoded in BCD.
- Otherwise, please follow these steps to find a PCN with different encoding.
Info needed to configure the RFID interface
- Application ID (AID), e.g. "48 44", or sector number, e.g. 0
- Number of block within sector, e.g. 1
  Please use the number shown in brackets.
- PCN start position, i.e. number of starting byte
- PCN length, i.e. length in bytes.
  A byte is a pair of 2 characters.
- Encoding, e.g. BCD
- Key to read the data: Key A or Key B in cleartext
  For security reasons, please use the key that gives you read access only, i.e. the minimum permissions needed.
Specify this info in the RFID interface component of your configuration.
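Which key has read access only for a block is determined by the access rights stored in bytes 6 to 8 of the sector trailer. The following added example, which is not BALTECH code, decodes them for a 4-block MIFARE Classic sector using the access-condition table of the MIFARE Classic data sheet; the function names and trailer values are constructed, and it reports rights on the data block only.

```python
# Added example: decode the access bits of a MIFARE Classic sector trailer.
# Rights per data-block access condition (C1, C2, C3), from the MIFARE Classic
# data sheet: (read, write, increment, decrement); "" means never.
DATA_RIGHTS = {
    (0, 0, 0): ("AB", "AB", "AB", "AB"),
    (0, 1, 0): ("AB", "", "", ""),
    (1, 0, 0): ("AB", "B", "", ""),
    (1, 1, 0): ("AB", "B", "B", "AB"),
    (0, 0, 1): ("AB", "", "", "AB"),
    (0, 1, 1): ("B", "B", "", ""),
    (1, 0, 1): ("B", "", "", ""),
    (1, 1, 1): ("", "", "", ""),
}
# Trailer conditions under which Key B can be read out with Key A. Key B then
# holds data only and cannot be used to authenticate.
KEY_B_READABLE = {(0, 0, 0), (0, 1, 0), (0, 0, 1)}


def access_conditions(trailer_hex: str) -> list[tuple[int, int, int]]:
    """Return (C1, C2, C3) for blocks 0-3 of a 4-block sector."""
    trailer = bytes.fromhex(trailer_hex)
    if len(trailer) != 16:
        raise ValueError("a sector trailer is one 16-byte block")
    b6, b7, b8 = trailer[6:9]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    # Bytes 6 and 7 also store each nibble inverted as an integrity check.
    inverted = ((b6 & 0x0F) ^ 0x0F, (b6 >> 4) ^ 0x0F, (b7 & 0x0F) ^ 0x0F)
    if (c1, c2, c3) != inverted:
        raise ValueError("access bits are inconsistent")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def read_only_keys(trailer_hex: str, block: int) -> set[str]:
    """Keys that can read data block 0-2 but not write, increment or decrement it."""
    if block not in (0, 1, 2):
        raise ValueError("block must be a data block (0-2), not the trailer")
    conds = access_conditions(trailer_hex)
    read, *modify = DATA_RIGHTS[conds[block]]
    usable = "A" if conds[3] in KEY_B_READABLE else "AB"
    return {k for k in usable if k in read and not any(k in m for m in modify)}


# Constructed trailers; the key bytes are placeholders, not real keys.
TRANSPORT = "000000000000 FF0780 69 000000000000"   # either key may do anything
SPLIT_KEYS = "000000000000 787788 00 000000000000"  # Key A reads, Key B writes
```

With the constructed `SPLIT_KEYS` trailer, `read_only_keys(SPLIT_KEYS, 1)` returns `{"A"}`, so Key A is the one to configure in the reader; with `TRANSPORT` the result is empty because no key is limited to reading.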