HID RFID Data Formats
Interfacing with an HID Reader and reading the data was one thing, but understanding what the data meant was another. My kiosk application was just looking at the raw hex data and had no understanding of what it actually meant. I wanted to break down the bits and see if it matched anything on my card.
Access Control Formats
RFID has many applications, but here I was looking at low frequency (125kHz) RFID used for access control. These cards or keyfobs usually must be presented in front of a reader to get into a building or parking garage. Specifically, I was looking at HID Proximity cards, which is one of the more popular systems. As it turns out, there are many different data formats. RFID cards used for access control will typically be programmed to transmit 26 to 40 bits, although some systems will use more or less. That's it. The data is read by the "dumb" reader, which then sends the bits to the access controller. The access controller will determine if the particular card is authorized, then can open the door or gate.
These bits can be broken down into 3 categories: facility code, card code, and parity bits. The "card code" is the code assigned to your particular card. It should be unique within the system, and is usually printed on the card itself. The "facility code" allows different buildings, regions or companies to have the same card codes but still have a different card overall. Parity bits are used for verifying the integrity of the data transmitted at the access control system.
Usually bits are sent to the access controller over Wiegand, but when they are sent over serial as hex data, some extra bits are added. First, a 1 bit is added before the rest of the bits so that you know exactly how many bits you have for format decoding (otherwise, if your first bit is a 0, you might decode improperly). Second, sometimes a checksum byte is added at the end, which is just the binary sum of all the other bits.
The 26 bit format
The 26 bit format is an industry standard open format. Any access controller can understand it and anyone can buy cards with this format without any restrictions. This is by far the most common format, and most systems that I've encountered use it. Here's an image of the format:
The 26 bits are broken down into an 8 bit facility code, a 16 bit card code, and two parity bits. The first bit is an even parity bit and covers the first 13 bits. Bits 2 to 9 are the facility code and bits 10-25 are the card code, stored big endian. The last bit is an odd parity bit and covers the last 13 bits. There are only 255 possible facility codes and 65,535 possible card codes, so there are definitely duplicate cards out there.
The 35 bit HID Corporate 1000 format
The 35 bit HID Corporate 1000 format is a proprietary format used by HID. They control the sale of cards with this format to ensure there are no duplicates. This is the card format my school uses, and I had a difficult time figuring it out. I was able to determine the facility code and card code bit locations by just scanning a lot of my friends' cards and looking at the data. Since the card code is printed on the card, it wasn't too difficult. My school actually uses two site codes; one is reserved specifically for the research division. For a while, I just ignored the parity bits since I only cared about the facility code and card code. However, when I wanted to start emulating cards, I had to figure it out so that I could generate the correct bits. Extensive searching eventually led me to an old access controller manual that specified the format.
This format uses a 12 bit facility code (bits 3-14) and a 20 bit card code (bits 15-34). Bit 1 is an odd parity bit that covers all 35 bits. Bit 2 is an even parity bit covering bits 3,4,6,7,9,10,12,13,15,16,18,19,21,22,24,25,27,28,30,31,33,34. Bit 35 is an odd parity bit covering bits 2,3,5,6,8,9,11,12,14,15,17,18,20,21,23,24,26,27,29,30,32,33. When calculating the parity bits, you must calculate bit 2, then bit 35, and finally bit 1, because bit 35 covers bit 2 and bit 1 covers everything. What a weird format. I'm guessing this parity scheme is supposed to add another layer of obscurity.
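The Python below is an added example, not the author's C# utility: it decodes and parity-checks both formats described above, strips the leading 1 bit from serial hex data, and builds its own test cards so the parity order can be seen. Function names and sample values are made up for illustration, and it assumes no trailing checksum byte is present.

```python
# Bit positions are 1-based, exactly as listed in the text above.
EVEN_35 = [3, 4, 6, 7, 9, 10, 12, 13, 15, 16, 18, 19, 21, 22, 24, 25, 27, 28, 30, 31, 33, 34]
ODD_35 = [2, 3, 5, 6, 8, 9, 11, 12, 14, 15, 17, 18, 20, 21, 23, 24, 26, 27, 29, 30, 32, 33]

def to_bits(value, width):  # big-endian list of `width` bits
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def from_bits(bits):
    return int("".join(map(str, bits)), 2)

def ones(bits, positions):  # number of 1 bits at the given 1-based positions
    return sum(bits[p - 1] for p in positions)

def strip_sentinel(hex_data):
    """Serial framing: drop the leading 1 bit that marks where the card bits start.
    Assumption: no trailing checksum byte is present."""
    return [int(c) for c in bin(int(hex_data, 16))[3:]]

def encode26(facility, card):
    data = to_bits(facility, 8) + to_bits(card, 16)
    even = sum(data[:12]) % 2        # bits 1-13 end up with an even count of 1s
    odd = 1 - sum(data[12:]) % 2     # bits 14-26 end up with an odd count of 1s
    return [even] + data + [odd]

def encode35(facility, card):
    bits = [0, 0] + to_bits(facility, 12) + to_bits(card, 20) + [0]
    bits[1] = ones(bits, EVEN_35) % 2       # bit 2 first: even parity
    bits[34] = 1 - ones(bits, ODD_35) % 2   # then bit 35: odd parity, covers bit 2
    bits[0] = 1 - sum(bits[1:]) % 2         # bit 1 last: odd parity over all 35
    return bits

def decode(bits):
    """Return (format, facility, card, parity_ok); raise on an unknown length."""
    if len(bits) == 26:
        ok = sum(bits[:13]) % 2 == 0 and sum(bits[13:]) % 2 == 1
        return 26, from_bits(bits[1:9]), from_bits(bits[9:25]), ok
    if len(bits) == 35:
        ok = ((bits[1] + ones(bits, EVEN_35)) % 2 == 0
              and (bits[34] + ones(bits, ODD_35)) % 2 == 1
              and sum(bits) % 2 == 1)
        return 35, from_bits(bits[2:14]), from_bits(bits[14:34]), ok
    raise ValueError(f"unsupported length: {len(bits)} bits")

if __name__ == "__main__":
    # Constructed sample values, not taken from a real card.
    print(decode(strip_sentinel("0x6546073")))
    print(decode(encode35(1234, 567890)))
```

A frame whose parity check fails is better logged and rejected than decoded anyway, since the facility and card fields are then unreliable.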
Using this data
There are plenty of other formats out there. This card calculator I found online will decode some other formats, and you can look at the source to see how they decode the bits. Once you understand the card data format, it's easy to decode cards for your system.
It's also important to mention that a lot of people seem to think these RFID cards have encryption or other security. While there are a lot of newer card technologies out there that do have security, these low frequency cards do not.
Decode / Encode Utility
I wrote a small C# utility that can decode hex data from a reader into the facility code and card code. It can also encode a facility code and card code into the correct bit format with parity. It only does the 26 and 35 bit formats, but I may add more in the future.
[download available soon]
March 2009 @ GT