HID Access Control

This document provides an overview of HID access control systems, specifically the EntryProx model. It discusses how the systems use proximity cards or numeric codes to grant access through readers mounted near doors. It also explains the Wiegand protocol that allows proximity cards to communicate with readers through magnetic pulses generated by ferromagnetic wire coils inside the cards.
Copyright
© Attribution Non-Commercial (BY-NC)

HID Access Control: Controlled.

A glance into the technology designed to keep you out!

Table of Contents:

:. Introduction & Warnings about AC tampering

:. HID EntryProx AC (Access Control) system overview

:. The Wiegand Protocol/Effect - A dirty primer

:. Programming AC Keypad units and encoding proximity cards

:. Conclusion

.:::::::::::::::::.

.: Introduction & Warnings about AC tampering :.

Access Control measures are employed by many private and government organizations,
big businesses and industrial facilities to identify and grant access to anyone
who belongs within the area they attempt to access. These systems come in a wide
array of shapes and sizes and since just about all HID systems look unique they
can be identified by their physical design alone. This will give pertinent
information about the security policies in place and the limitations and features
of the unit in question.

These HID systems are not only used to lock and unlock doors. They can be used to
store personal information, charge personal accounts for things like lunch in a
college cafeteria, turn on or off office lighting, grant access to computer
networks via a reader built into a keyboard and allow the use of office equipment
like copiers and fax machines and a lot more.

These systems may use a contact card in which the card must be slid into or through
the unit so it may read a small chip built into the card. They can also combine
biometrics and card authentication by requiring a finger print and card to be
presented for access.

The leading company developing today's Access Control technology is the Hughes
Identification Devices company called HID (referred to as H.I.D.). HID was formed
in 1991 as a subsidiary of Hughes Aircraft and was acquired by ASSA ABLOY in 2000.
The ASSA ABLOY Group claims to be the "world's leading manufacturer and supplier of
locking solutions dedicated to satisfying end-user needs for security, safety and
convenience." The ASSA ABLOY Group is 30,000 workers strong and rakes in about 3
Billion EUR annually.

This article will focus on the HID EntryProx series of cards and readers. The unit
is mounted on the wall next to an entryway to any secure area. It comes as a reader and
as a reader with a built-in keypad. This keypad will be what we are looking for in
attempts to re/program the HID EntryProx unit. We will learn a little more about what
happens when you punch in your five digit code or wave that magic Wiegand card.

The following is a generic log which will help you understand why the next paragraphs
are important:

04/15/04

# Time Action
1 20:32 User 0015 Print
2 20:23 User 0011 ACCESS
3 20:22 User 0011 ACCESS
4 20:22 REX
5 20:22 Forced Door
6 20:21 User 0011 ACCESS
7 20:21 Forced Door
8 20:21 User 0011 ACCESS
9 20:20 Forced Door
0 20:20 User 0002 ACCESS
1 20:20 User 0002 ACCESS
2 20:19 User 0002 ACCESS
3 20:19 User 0003 ACCESS

A few things to note for safe playing would be to keep in mind that the company or
people monitoring these units will review access logs (see above). If they see that
a unit entered program mode, changed or encoded a card, exited, followed by your
code being entered to grant access only moments after - it's safe to say any well
monitored system will end in your questioning.
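
The review described above can be automated on the monitoring side. The following is an added example, not part of the original article or HID's software: it parses a log in the layout shown above and flags program mode entries, an ACCESS shortly after program mode, log resets and bursts of Forced Door events. The sample log is constructed, and the way "Program Mode" and "Log Erased" print is an assumption (the names are taken from the transaction log mask list later in the article).

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the log above (newest entry first).
# Assumption: a "Program Mode" event prints as a bare event name, like REX.
SAMPLE_LOG = """\
04/15/04
# Time Action
1 20:32 User 0015 Print
2 20:26 User 0011 ACCESS
3 20:25 Program Mode
4 20:22 REX
5 20:22 Forced Door
6 20:21 User 0011 ACCESS
7 20:21 Forced Door
8 20:20 Forced Door
9 20:19 User 0003 ACCESS
"""

DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{2}$")
LINE_RE = re.compile(r"^\d+\s+(\d{2}:\d{2})\s+(?:User\s+(\d{4})\s+)?(.+?)\s*$")


def parse_log(text):
    """Return (timestamp, user or None, ACTION) tuples, oldest first."""
    day, events = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if DATE_RE.match(line):
            day = datetime.strptime(line, "%m/%d/%y").date()  # US date format
            continue
        m = LINE_RE.match(line)
        if m is None or day is None:
            continue  # column header, blank line, or entry before any date
        hhmm, user, action = m.groups()
        ts = datetime.combine(day, datetime.strptime(hhmm, "%H:%M").time())
        events.append((ts, user, action.upper()))
    events.reverse()                   # the log lists the newest entry first
    events.sort(key=lambda e: e[0])    # stable sort keeps same-minute order
    return events


def detect(events, follow=timedelta(minutes=5),
           burst=3, burst_window=timedelta(minutes=5)):
    """Return (timestamp, rule, detail) alerts in chronological order."""
    alerts, last_program, forced = [], None, []
    for ts, user, action in events:
        if action == "PROGRAM MODE":
            last_program = ts
            alerts.append((ts, "program-mode", "keypad entered program mode"))
        elif action == "LOG ERASED":
            alerts.append((ts, "log-erased", "transaction log was reset"))
        elif action == "ACCESS":
            if last_program is not None and ts - last_program <= follow:
                gap = ts - last_program
                alerts.append((ts, "access-after-program",
                               f"user {user} granted {gap} after program mode"))
        elif action == "FORCED DOOR":
            forced = [t for t in forced if ts - t <= burst_window] + [ts]
            if len(forced) == burst:
                alerts.append((ts, "forced-door-burst",
                               f"{burst} forced-door events since {forced[0]:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts:%m/%d/%y %H:%M}  {rule:22}  {detail}")
```

The five-minute windows and the burst threshold of three are policy choices for this example, not values from the unit.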

Play with codes, never use your own if you plan exploring. Most companies will have
a rather strict format in their codes which will allow you to easily guess other
codes. These found codes will aid in your anonymity if you plan on playing with AC
units in your workplace.

Your company will more than likely frown on this type of exploration and may end in
revoked access or even termination from the company. There is a fine line these days
between "terrorism" and information. It's a very scary thought. Just be safe and use
common sense.

.:::::::::::::::::.

.: HID EntryProx AC (Access Control) system overview :.

Though HID develops a wide array of AC systems in use today, we will be looking at
the EntryProx (Model# 4045) reader equipped with a keypad. The EntryProx has a long
list of features which makes it great for this article. Most of the features and
programming methods can be applied to other AC units as well. The EntryProx is
pictured below.

http://www.hidcorp.com/products/proximityproducts/entryprox.html

The reader is black in color and usually mounted on the wall directly next to the
secure area. The reader has a very impressive list of programmable features which
we will review later in this article. The unit is 5.25"x2.75"x1.625" in size
and has a typical range of 1" to 3" (depending on the card used) and will auto
delay one second between card reads to prevent the unit from reading the card more
than once per swipe.

These systems are equipped with an internal tamper switch which will activate an
alarm if the unit is dismantled. The EntryProx can be mounted indoors or outside
and will resist temperatures of -31 to 150 degrees Fahrenheit or -35 to 66 degrees
Celsius.

The standard format of code entries is 12345#. The * key may be used before entering
a code to clear any pre buffered or incorrect codes before entering your code and
pressing # (or essentially 'enter'). The unit in an active (non program) mode will
store or buffer 10 keys (with parity, 11 without) before transferring the information
over the wire. With all access codes being only five digits it is essential but not
always necessary to be able to clear pre buffered keys by using the * key before
starting. The system will delay 5 seconds before auto clearing any buffered key
entries, so you must press each key within 5 seconds of each other or start over.

The unit will contain three main LEDs. A Bi-Color (Red/Green) and Amber LED to serve
as our display and also an Infrared which can be used to communicate with an optional
palm printer. The unit also has an audio feature to beep when keys are pressed or in
program mode to give audio confirmation of a correct or incorrect code or command.

The status of these LEDs will be reviewed in the "Programming HID AC Keypad units
and encoding proximity cards" section of this article. As a good rule of thumb
though, green means open, red means locked, amber means you are in programming mode.

The keypad is arranged like any standard telephone keypad. The reader will output
each key as an ASCII hexadecimal digit which is sent to the host system. The host
system will be running software which will monitor and deploy entry and user codes
to specified door numbers in which a user will be given access.

So by the rather bland list above we see the important features these systems have.
We know we can gain access by entering our preprogrammed five digit code or simply
by waving our encoded card in front of the unit itself.

In the next section we'll find out what happens when we use a Proximity or Wiegand
card and how it works.

.:::::::::::::::::.

.: The Wiegand Protocol/Effect - A dirty primer :.

If you have ever looked up information about access control you have without a doubt
heard about the Wiegand Protocol. The only problem is, you never really see or read
about how this Wiegand Protocol works. So let's check it out.

First of all it's good to know that the Wiegand Protocol is also known as the Wiegand
Effect and that it was discovered by John R. Wiegand and took nearly 40 years of
research to develop. This sensor technology was first used in access control systems
developed by HID and is now a standard for most of today's AC systems.

A lot of the magic involved with the Wiegand Effect is in the underlying wiring of
the card itself. Yes, these Wiegand cards have actual Wiegand wire right inside.
Take this 'simple' explanation of the Wiegand Effect:

"Wiegand Effect technology employs unique magnetic properties of specially processed,
small diameter ferromagnetic wire. By causing the magnetic field of this wire to
suddenly reverse, a sharp, uniform voltage pulse is generated. This pulse is referred
to as a Wiegand Pulse."

OK let's be honest, you probably have no clue what ferromagnetic means so just to make
sure you understand this, here it is:

fer·ro·mag·net·ic - adj.
Of or characteristic of substances such as iron, nickel, or cobalt and various alloys
that exhibit extremely high magnetic permeability, a characteristic saturation point,
and magnetic hysteresis.

Have you ever looked at the definition of a word, then had to look up a word found in
that definition? Well now you have.

hys·ter·e·sis - n.
The lagging of an effect behind its cause, as when the change in magnetism of a body
lags behind changes in the magnetic field.

OK, let's make sure we not only read this, but comprehend it as well.

We see now that the card will have this ferromagnetic Wiegand wire coiled right inside
of the card itself. This wiring has special magnetic properties which are created by the
actual twisting and coiling process used to make these wires. The EntryProx wall unit
has a sensor built in that will trigger when a Wiegand wire (which is in the card) is
presented. This happens in the very simplest of terms by changing polarity referred to
as the Wiegand Pulse. This pulse or jump in voltage is essentially what triggers the
unit to unlock the door. The exact amplitude of the Wiegand Pulse can vary depending
on the sensor and card but the pulse will generally stay the same allowing it to trigger
the wall unit.

Now when you read this you might be wondering if any Wiegand card will open or activate
any sensor/reader. The answer is yes and no. These cards can be encoded, or rather the
Wiegand wire can be processed to create a card which will handle up to 84bits which can
actually create up to 137 billion unique codes, very impressive! The standard Wiegand
card will be 26bits however and will handle a total of 65,535 unique codes. Due to the
cost, many somewhat smaller companies will probably use this. HID will resell these
same cards to various companies. Which does mean yes, if you have a 24bit Wiegand card,
there is another reader out there that will accept your unique Wiegand pulse for entry!
Don't get too excited though, this is a very slim chance. A cool thing about it though
is once you finger hack a five digit code (aka PIN) on the keypad to grant access, you
can program a card to have its Wiegand pulse associated with your five digit PIN.
Meaning you absolutely can make your very own ProxCard, though you will need a working
PIN first and a ProxCard to encode.
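
To make the 26-bit numbers concrete, here is an added example (not from the original article or HID documentation) that validates and decodes a 26-bit frame. It assumes the widely published open 26-bit layout, which the article does not spell out: a leading even parity bit, an 8-bit facility code, a 16-bit card number and a trailing odd parity bit. The sample frame is constructed.

```python
# Assumed layout (the common open 26-bit format; not given in the article):
#   bit 0       even parity over bits 0-12
#   bits 1-8    facility code (0-255)
#   bits 9-24   card number (16 bits)
#   bit 25      odd parity over bits 13-25
FRAME_BITS = 26

# Constructed frame: facility code 12, card number 3456.
SAMPLE_FRAME = "00000110000001101100000001"


class FrameError(ValueError):
    """Raised when a frame fails the length, alphabet or parity checks."""


def decode_w26(frame):
    """Validate a 26-bit frame and return (facility_code, card_number)."""
    if len(frame) != FRAME_BITS or set(frame) - {"0", "1"}:
        raise FrameError("expected exactly 26 binary digits")
    if frame[:13].count("1") % 2 != 0:
        raise FrameError("even parity check failed on the first half")
    if frame[13:].count("1") % 2 != 1:
        raise FrameError("odd parity check failed on the second half")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def flip(frame, *positions):
    """Return a copy of the frame with the given bit positions inverted."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)


def rejected_single_bit_errors(frame):
    """Count the single-bit corruptions of a valid frame that parity catches."""
    caught = 0
    for i in range(FRAME_BITS):
        try:
            decode_w26(flip(frame, i))
        except FrameError:
            caught += 1
    return caught


def credential_space():
    """Distinct (facility code, card number) pairs a 26-bit frame can carry."""
    return 2 ** 8 * 2 ** 16


if __name__ == "__main__":
    print("decoded:", decode_w26(SAMPLE_FRAME))
    print("single-bit errors rejected:", rejected_single_bit_errors(SAMPLE_FRAME), "of 26")
    # Parity only guards against line noise: an even number of flipped bits in
    # one half still decodes cleanly, so the frame carries no authentication.
    print("two flipped bits decode as:", decode_w26(flip(SAMPLE_FRAME, 23, 24)))
    print("credential space:", credential_space())
```

Because the frame identifies a card only by facility code and card number, two sites that were issued the same pair are indistinguishable to a reader, which is why a site's assigned facility code matters.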

Okay before we move on here it is to be understood that the above is a very dirty primer
to this technology. I assure you Mr. Wiegand himself would slap me across the face for
taking 40 years of his research and presenting it in such a dumbed down way. However
for those interested I will be listing a few of the documents which I have studied to
create this article. Please, take the time to read these if this interests you, the
science, mathematics and technology behind this is very interesting and will no doubt
excite you.

First up is the "Introduction to Magnetochemistry" by David Young. This article is
packed with great information on the study of magnetochemistry.

Second is "Theoretical Analysis of the Influence of Different Microstructure on
Barkhausen Noise" by Li Qiang of the College of Mechanical and electric Engineering,
Beijing. This delves into Barkhausen Noise which occurs in the Wiegand effect. This
was not covered to limit the complexity of this article.

Third would be "The Science of Hysteresis" by Gianfranco Durin and Stefano Zapperi.
If you get a chance to read some of the amazing things these two have written you
will see why this all goes far beyond the scope of this article.

Now that you have a basic idea of what happens in the Wiegand Effect let's go ahead and
get to some of the fun stuff.

.:::::::::::::::::.

.: Programming AC Keypad units and encoding proximity cards :.

Yeah that's right these babies are programmable! We can enter a program mode to do some
pretty neat things once inside. The only thing is, we'll need a master code. Now this
master code is thankfully only four digits long and will in most cases, be very generic.
The default master code on these units is 1234*. Pretty funny right? Well what's more is
that in HID documentation and installation manuals they suggest changing this right away,
but never say something ultra uncommon like say 7246*. HID actually makes reference to
changing this code to 4321*. Now any moron will know this isn't any more secure than 1234*
but in big business people lose jobs, they come and go and policies are changed. Many
companies will want a very easy to remember code such as the address, or part of the
company's main telephone number. Keep these things in mind when hunting for the master
code. We're not looking for the master code of the installer himself, we're looking for the
master code of the company which uses these systems. If your company forgets this master
code, a service call from HID is their only hope. Most companies want to stay away from
this expense.

Once we know the master code the system will, with correct number sequence, obey our
every command. Let's go ahead and take a look at what we can do once inside.

\\\\
Master Code: Default to 1234*
This master code allows for just about anything. Programming new codes, erasing old ones.
Etc. You'll see as you read.

Self test mode: 7890#123456*
This will light the LEDs and make sure all keys are functioning.
////

Program Commands:

Enter program mode:
99 # (Master Code) * :: If things are kept default this would be 99#1234* :: If
successful the Amber light will slowly blink, and you will now be in program mode.

Changing the Master Code:
1 # (new master code) * (new master code again) * :: In many of the technical manuals
available they suggest changing the master code right away. Too bad they suggest a new
master code like 4321*. Obviously this is just an example given by them, but I'm sure
there are quite a few companies using this code believing it's more secure. Obviously
changing this code will piss a few people off once they find out and may end your
programming fun by means of increased logging and security measures.

Setting the main relay time:
11#tt#0#** :: tt = 1-99 seconds and uses a two digit format.

Setting AUX relay output:
15#output#0#** :: Output = 0/Disabled, 1/Shunt, 2/Forced door, 3/Propped door.

Deleting Users:
user-location#** :: Facility location codes.

Print a transaction log:
70#0#0#** :: This might freak some of the monitoring staff out when you print this up.

Setting or clearing standard options:
30#option#set/clear#** :: Option is a value from 1 to 13. Set/clear is either 0 or 1
(off or on respectively) these options and values are listed below:

0. Audio Key press (key beep) // 0=OFF, 1=ON // On by Default

1. Visual Key press (LED light up on key press) // 0=OFF, 1=ON // On by default

2. Auto Entry Enable // 0=OFF, 1=ON // Off by default

3. Standalone/Wiegand mode (Turn on/off ProxCard access) // 0=Standalone, 1=Wiegand //
Standalone by default.

4. Facility Code Access // 0=OFF, 1=ON // Off by default

5. Forced Door Alert (Kick the door open and the system is notified) // 0=OFF, 1=ON //
On by default.

6. Propped Door Alert (Keep the door open and the unit will beep) // 0=OFF, 1=ON // On
by default.

7. Internal rex switch (Request Exit switch) // 0=OFF, 1=ON // Varies by model.

8. US/EU Date Format // 0=OFF, 1=ON // 0=US, 1=European // US (0) by default.

9. Wiegand red LED enable (Flash red LED when ProxCard cannot access) // 0=OFF, 1=ON
// On by default.

10. Wiegand red LED active state // 0=LOW, 1=HIGH // Low by default.

11. Wiegand green LED enable (Flash green on access) // 0=OFF, 1=ON // On by default.

12. Wiegand green LED active // 0=LOW, 1=HIGH // High by default.

13. Daylight Savings time (set DST support) // 0=OFF, 1=ON // On by default.

Print a programmed user list:
25#0#0#** :: This will print all users & their corresponding codes which are
programmed for access.

Print a programmed user list starting with a certain user:
25#0#starting user#**

Change Wiegand Parameters:
32#parameter#value#** :: See below for parameters and their values.

Parameter:
0 = Wiegand pulse count :: Value = 1-255
1 = Wiegand interpulse :: Value = 1-255
2 = Facility code :: Value 0-255 :: Default is set to 0.

Set system time:
41#hhmm#0#** :: Keep in mind the system uses the 24 hour time format.

Set system date:
42#mmddyy#dow#** :: dow stands for day of week. 1 = Sunday, 2 = Monday,
3 = Tuesday, etc...

Set door number:
43#nnnn#0#** :: nnnn equals the corresponding door's number, in a four digit format.

Set propped door timer: (Set to 30 sec. & alarm will sound after 30 seconds.)
44#ttt#0#** :: ttt = Time in Values of 10's, Valid entries are 10-990 :: Default
is 30 seconds.

Set forced door timer: (Alarm will sound xx seconds after door was forced open.)
45#ttt#0#** :: ttt = Time in Values of 10's, Valid entries are 10-990 :: Default
is 10 seconds.

Delete memory/Restore system defaults: (Note: This will not delete the user list.)
40#00000#00000#**

Delete all memory & Restore defaults: (Note: I believe this will delete the user
list.)
46#00000#00000#**

Program user: (This will program a new code only)
50#user-type#userlocation#code*repeatcode* :: See below for values.

User type = 0/Toggle latch door strike, 1/Normal access, 2/Log Dump, 3/Lockout.
User Location = This may be set to 0 in most cases as this is referring to the
facility code.
Code = New 5 digit user code.
Repeat code = Enter the 5 digit code again.

Program user & Card: (This will program a user & encode a ProxCard card.)
50#user-type#userlocation#code*repeatcode*<present card> :: On <present card>,
hold the proxcard to the unit.

Program card only: (This will take a current user code and program it to a card)
50#usertype#userlocation#**<present card> :: On <present card>, hold the proxcard
to the unit.

Program card user manually: (Use this to enter a precoded ProxCard into the system.
26-bit cards only.)
51#usertype#userlocation#card PIN*card PIN* :: The card PIN will appear on the
ProxCard, the facility code must be entered first.

Program User: (Code or a Card.)
52#usertype#userlocation#code*repeatcode*<present card>

Program codes in batch: (Program xx amount of cards at once.)
56#totalusers#userlocation#card PIN*card PIN* :: (I understand why the format is
easy to guess now ;P)

Print Transaction Log via IR port: (You can print out an entire day's worth of
access logs.)
70#0#0** :: This will print the access log but not the PINs.

Printing a programmed user list: (You can print out an entire day's worth of access
logs complete with access times and PIN numbers! This log differs from the one
found in the intro section in that it is more detailed.)
25#0#0#** :: Imagine printing a log of coming and going users & their codes from
the unit to a small IR printer in a backpack, talk about access. Note that the IR
sensor must be placed in line of sight to the wall unit and must be held very close.

Set transaction log mask: (set or clear event logging :: 1=set, 2=clear)
73#event#set/clear#** :: (events listed below)

Event:
01 = Access Denied
02 = Program Denied
03 = Program Mode
04 = REX (Request to Exit)
05 = Door Ajar
06 = Door Closed
07 = Forced Door
08 = Log Erased
09 = Facility Access
16 = Print
17 = Access
20 = Toggle ON
21 = Toggle OFF
24 = Lockout ON
25 = Lockout OFF
27 = Mismatch

Reset/Erase transaction log:
76#00000#00000#**

Exit Program Mode:
*(after final command) :: Amber light will stop flashing.
\\\\

As you can see these Access Control units have quite a few features available to
them straight from the keypad. It also helps to know that what we are doing is
either working or not. Beeps and LEDs will be your guide.
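
From the defending side, the settings above translate into a short commissioning checklist. The following is an added example, not part of the original article or HID's tooling: it audits a site's record of one unit for a documented or guessable master code, disabled door alerts (options 5 and 6) and security events masked from the transaction log. The record layout, field names and sample values are hypothetical; only the option and event numbers come from the lists above.

```python
# Hypothetical inventory records for one unit, as a site might keep them after
# commissioning. All values are constructed for this example.
WEAK_UNIT = {
    "door": "0012",
    "master_code": "4321",
    "site_numbers": ["5550142", "1600"],   # constructed phone / street number
    "options": {5: 0, 6: 1},               # 5 = forced door alert, 6 = propped door alert
    "logged_events": {"01", "17"},         # events left enabled in the log mask
}
HARDENED_UNIT = {
    "door": "0012",
    "master_code": "8305",
    "site_numbers": ["5550142", "1600"],
    "options": {5: 1, 6: 1},
    "logged_events": {"01", "02", "03", "07", "08", "17"},
}

DOCUMENTED_CODES = {"1234", "4321"}        # the default and the manual's example
REQUIRED_OPTIONS = {5: "Forced Door Alert", 6: "Propped Door Alert"}
REQUIRED_EVENTS = {
    "01": "Access Denied",
    "02": "Program Denied",
    "03": "Program Mode",
    "07": "Forced Door",
    "08": "Log Erased",
}


def is_run(code):
    """True for repeated digits or an ascending/descending run (with wraparound)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return steps in ({0}, {1}, {9})


def audit(unit):
    """Return a list of findings for one unit record; an empty list means clean."""
    findings = []
    code = unit["master_code"]
    if code in DOCUMENTED_CODES:
        findings.append("master code is the default or the manual's example")
    elif is_run(code):
        findings.append("master code is a repeated or sequential run")
    elif any(code in number for number in unit.get("site_numbers", [])):
        findings.append("master code appears in the site's address or phone number")
    for option, name in REQUIRED_OPTIONS.items():
        if unit["options"].get(option) != 1:
            findings.append(f"option {option} ({name}) is off")
    for event, name in REQUIRED_EVENTS.items():
        if event not in unit["logged_events"]:
            findings.append(f"event {event} ({name}) is masked from the transaction log")
    return findings


if __name__ == "__main__":
    for label, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(f"{label} unit, door {unit['door']}:")
        for finding in audit(unit) or ["no findings"]:
            print("  -", finding)
```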

////
LED Status and meanings.
The Amber LED:
Slow blink = Unit is in program mode.
Rapid Blink = Verify mode is active.
Steady (always on) = Program error. To clear simply press *
Very rapid blink = Memory (EEPROM) erase is in progress.

The Red & Green LEDs:
Steady red = Door strike is locked.
Steady green = Strike is energized (timed open and will auto lock in xx amount
of time)
Solid green w/red flicker = Door strike is locked and the user has activated the
lockout sequence.
Red/Green alternating = Waiting for second PIN during the card and code access
attempt.
Red blink = User lockout is active and strike is locked.

Sounder (Beeps):
Short beep = Propped door is active
1/2 sec on, 1/2 off = Forced door is active.
3 rapid beeps after code or card is presented = Code or card is not found.
3 Slow beeps then a single beep = Self test is finished.
1 single beep = Valid card access
\\\\

Now another cool and very scary note is that an ASSA ABLOY company called Sargent
makes a line of electro-mechanical keypad units for home use. Yeah, people are
installing these on their front doors for easy access without a key. The only
problem is, they can be programmed very easily (see above section, it does apply
to these as well). If you get a chance you can head down to your local hardware
store and see these on display - you can play with them without doing much harm.

.:::::::::::::::::.

.: Conclusion :.

As we now know access control is the art of physical authentication to access
secure areas. This form of security by no means ends here, there is a world of
information out there just waiting to be uncovered about these clever little
systems. It is also important to note that since HID is the company developing
this technology a lot of other access control system developers are following
suit in the way their units are programmed. Which yes, means these program
codes can be used in systems and applications from HID, Paxton Access,
International Electronics Inc. (IEI), IB Technology, Impro and others! These
systems can be found anywhere from your home or office, even candy machines.
Seriously, if you score some candy hook me up!

I encourage anyone who is inspired by access control security to contribute
information about biometrics or even time clocking using this technology.

This is merely a scratch on the surface of access control and I hope all who
read it feel it was worth their time. Ignorance is not a form of security so
read, contribute and help others understand that the things we do are not with
malicious intent. Use this information to your liking but remember, like guns
the information we have can be used to protect or harm, everything has its
rewards and consequences. Sleep well.

- GLHeX (11/23/04)
