Research, development and trades concerning the powerful Proxmark3 device.
Remember; sharing is caring. Bring something back to the community.
"Learn the tools of the trade the hard way." +Fravia
You are not logged in.
Time changes and with it the technology
Proxmark3 @ discord
Users of this forum, please be aware that information stored on this site is not private.
I saw a post for someone looking for these readers. I have THREE of these, all unused. I know that this is their "special" writer that was used to perform low-level formatting of cards. This is the size of the normal RW-400, but the "PRGM" suffix is definitely unique.
I have a feeling that someone here can use these. I came here to post these in case someone in this community was looking for them.
This place was very helpful in the past to me, so I am going to hang onto these for a short while, before trying to unload them on EBay.
So...anybody interested in these readers?
Offline
Ohh.. That sounds interesting! I'm definitely interested...
Edit: martin at swende dot se
Offline
Sure, I'm interested too [myname] at iuse dot se
Last edited by iceman (2015-07-15 20:33:07)
Offline
I am also interested.
Please contact me using the following email if you have any more available. Thanks.
info at proxclone dot com
Offline
if none of the wonderful folks above do not take all of them, i'm interested - [mynamehere] rf at g mail dot c0m
Offline
OK, I am sending a few messages out now.
I guess that I am glad that I checked with you guys first!
seriously, this place has been great, and I wanted to give the members here first dibs.
Offline
Yup, yr email arrived.
Offline
Just wanted to make sure that everyone knew what these readers were; they are a "seperate" part number than the standard iClass RW-400 reader. I am not sure what the specific difference might be (other than RS-232 support). Identical readers were used in a pilot some years ago, and these were used to initialize/program the cards. There was software in the client PC that controlled the programmer, which was connected via RS-232 port.
Offline
Unfortunately it appears as though you do not have any documentation for this reader. Since it has a "PRGM" suffix appended to the part number it may be the RW400 variant that is used in the CP400 programmer.
If that is the case then it may simply have a different model/ID number stored in EEPROM. The CP400 programmer software reads this EEPROM configuration information to determine if it is talking to a CP400 or not. If not, the HID programming software will fail to execute.
It may also have the HID master authentication keys stored in the EEPROM User Key locations that are used with the iClass Serial Protocol application. The other(main) set of authentication keys are "only" accessible to the HID access control application. Normally, if you want to use the iclass serial protocol to control the RW300/400 readers you must first load the keys into the user key space using a rather complicated procedure.
Other than the possibilities listed above I can't think of any other feature that it may include. A normal RW300/400 reader provides the capability to initialize,read, write and modify all data blocks (excluding UID) of the iclass card via the RS232 interface, assuming you have knowledge of the proper keys and iClass Serial Protocol documentation.
Offline
Maybe Carl, since he is in the states, can verify these readers? He would be the most competent for the job
Offline
Iceman,
Thanks for the vote of confidence.
Once I receive a reader I would be happy to post any information that I learn from my analysis .
Offline
i assume none of the original software would come with the reader... ?
Offline
I got my hands on one of these puppies.
Offline
I received my RW400-PRGM reader yesterday. Here is what I have learned while doing my preliminary analysis.
1. When powered up, the reader turns on the red LED's and then emits a series of five stair-step (increasing frequency) tones. (This is different from the standard RW400's three beeps). The LED's are then turned off.
2. The reader gives no reaction when presented with a standard iclass card.
3. The reader's 13.56 Mhz carrier signal is not active. It acts as though the iClass access control application has been disabled, thus probably explaining #2 above. This theory was further re-enforced by monitoring the reader power consumption and noting that it was only drawing about a third of the normal RW400 power. (56ma vs. 170ma)
4. To test the theory that the reader might be the same unit used in the HID CP400 iClass programmer I hooked it up to a PC running the CP400 iClass programmer application. The CP400 software would not start up and displayed the following message:
"Unrecognized ID String from Device - Failed to open comunication port".
When hooked up to a standard RW400 reader I get the following message:
"iClass Card Reader - Device is not a card programmer".
5. The iClass RS-232 serial communication application does appear to work since I was able to communicate with the reader using the iClass Serial Protocol.
By reading the "Product ID and Version" information that is stored in the first few bytes of reader EEPROM I learned that the reader does NOT contain the same firmware load as the standard RW400 reader.
The first four bytes of the standard RW400 reader EEPROM contains 0x69,0x43,0x4C,0x02 ("iCL" 02)
The first four bytes of the RW400-PRGM reader EEPROM contains 0x4C,0x6E,0x6C,0x01 ("Lnl" 01)
It appears as though this reader is sold by Lenel and contains their custom "Rev 01" firmware.
6. I then proceeded to see if I could read a card via the RS232 interface using the iClass serial protocol.
When the card was "selected" , the reader RF field became energized and power consumption rose to the normal 170 ma level. However, since the HID Master authentication key is apparently not loaded into the "User Key" EEPROM locations the card would not authenticate and thus could not be read.
Since HID normally stores the default PicoPass authentication keys in User key locations 1 and 2, I modified the diversified key of a standard iClass card to use the PicoPass default key to see if that allowed me to read the card.
That worked!! I was now able to read and write all data block of the card just like I do with the normal RW400 reader.
Summary:
My guess is that this is just a slightly modified RW400 reader that is sold by Lenel. The reader firmware has been modified to disable the normal access control function so it can only function as a card programmer. The keys needed to allow it to program normal iClass cards have not yet been installed. (Note: This can be done via the RS232 interface but I have resisted doing so in order to preserve the original EEPROM image for the time being).
I tried most of the instructions supported by the "iClass Serial Protocol" and they all seem to work the same as the standard RW400 reader.
After some further testing I intend to extract the firmware (and EEPROM) contents from the reader to determine if there is any additional hidden functionality or if it contains any "yet undiscovered" keys.
Offline