Updated date:

Decoding HID proximity cards

Author:
decoding-hid-prox-cards

Do you manage a card-key system?

I do. And until recently, I've been buffaloed by being unable to integrate cards (and key fobs) from other systems into our own.

Well, I've recently learned how to do this, and I'm writing it up to share it with you. I hope it helps. When I went googling for information on this, I couldn't find anything useful.

The system I manage uses Ademco Passpoint Plus. I believe that Ademco was absorbed by Honeywell a while ago, and I've lately had trouble finding much Ademco branded information online.

decoding-hid-prox-cards

Getting down and dirty - card codes in HEX

There are lots of different "formats" for these cards, but it seems that all the cards my system can detect produce a "card id" which is an 8-byte string. When I look at this in "raw format" it is show as 16 hex characters like this:

0123-4567-89AB-CDEF

The following information has been gleaned from observation and experimentation, and may be incorrect in some detail, but it is close enough for me to work with. If you have more or better information, please let me know so I can correct this post.

Digits 0 through 3 identify the "card type". Depending on the card type, the remaining digits are parceled out into various fields with cryptic names, like "RCM code" "facility code" and "card stamp". RCM codes and facility codes seem to exist solely to allow batches of related cards to be managed without having to manage all the bits that make up the total card code.

Card stamp is the last 4 or 5 hex digits; the 26-bit formats use 4, and the 34-bit formats use 5.

decoding-hid-prox-cards

Facility Code, RCM code

The RCM code and facility code occupy varying parts of the remaining bits; some of the formats convert cleanly from hex to decimal and some I haven't figured out yet.

My system recognizes a number of card types including (with their corresponding values):

26 bit raw card image (0000)

26 bit Wiegand NCC (8101)

26 bit prox ncc (8201)

26 bit mag stripe ncc (8301)

34 bit raw ADEMCO prox (0000)

34 bit ADEMCO Prox NCC (8206)

ABA TRACK II Mag Stripe - format C (C000)

ABA TRACK II Mag Stripe - format D (D000)

ABA TRACK II Mag Stripe - format E (E000)

ABA TRACK II Mag Stripe - format F (F000)

EMPI-II Wiegand NCC (8105)

EMPI-II Prox NCC (8205)

EMPI-II Mag Stripe NCC (8305)

34 bit Northern Wiegand NCC (8107)

34 bit Northern Prox NCC (8207)

34 Bit Northern Mag Stripe NCC (8307)

Each card format has its own rules for what to do with the digits that aren't the "card stamp," but the card stamp seems to consistently be in the last 4 or 5 digits of the code.

My system also supports a "raw code image" format that lets you enter a RAW card code, so if you know a card's code but you can't decode the card format and other fields, you can still enter the card and manage it like any other card.

The images above are related; the raw card code "8206-EFFF-0000-FFFF" shown above is related to the details in the next image; the image shows a 34 bit ADEMCO Prox NCC (8206), with RCM code 14 (E) and Facility code 4095 (FFF). The third group of four digits is unused, and the card code/card stamp for this card is 65535 (FFFF), although it's not show in any of these images.

decoding-hid-prox-cards

What do you do with an unknown card?

So you have a card from a foreign system, and you don't know the card type or any of the other fields you need to make it work. How do you get the information you need?

There are a number of choices depending on your situation. If your card key system includes an "enrollment reader" you can use that to swipe cards and automatically add them to your system. Unfortunately, my system does NOT have an enrollment reader, so I needed another solution.

In my Passpoint's "System Administration Options" menu (pull down "Config" and select "Admin") there is an option "Denial Override." When selected, it has two effects. First of all, this is dangerous to leave active for any period of time, because "Denial override" is what this does; any card swipe will open the door, even an unknown card... do don't leave this setting activated! The other effect it has, though, is to include the card code in the message log, so it's easy to capture the code for an unknown card.

So, to use an unknown card:

1) swipe it on a reader. If the reader doesn't beep, it is incompatible with the system.

2) on the Passpoint control station, set the "denial override" feature, and upload the changes to the MLB

3) swipe your unknown cards and record the card codes from the log

4) turn off "denial override" and upload the change to the MLB

5) create new card records for your unknown cards. If you can decode the card type and other fields, great. If not, just use the RAW card type, and put in the full card code reported when you had "denial override" active.

6) upload the new cards to the MLB, and test.

WooHoo!

Easy hex conversions

If you have trouble converting between decimal and hex in your head, there's a very simple tool already installed on most computers that will do this for you.

The calculator program included with MS Windows knows how to do base conversions. Rather than re-invent the wheel here, though, I'll refer you to

another article that covers this topic. I just wanted to mention it here, in case you as a reader were wondering where to get an easy hex-to-decimal converter, or vice versa.

If you've found this to be useful...

Please consider a donation to Rescue Animal Placements, an animal rescue organization that could really use your support, or your local animal shelter.

Your comments, please...

fatboy1271 on May 09, 2017:

So the HID 1326 cards do beep on my system. I've entered the Facility Code that I was given; yet, when I try out the card WinDSX does not show anything at all on the screen regarding the card... If I use a FOB without a name attached it will show the card number. If I use a FOB that isn't programmed to a reader it will say Access Denied. These new 1326 cards don't kick back any messages.

fatboy1271 on May 08, 2017:

So it can be safely assumed that no beep absolutely means incompatible card?

anonymous on October 08, 2014:

Thank you for posting this information. You saved me time and for that Sir you are awesome!

Jeff on September 19, 2014:

Thanks, this helped me add the cards we had to order from Amazon since our security company wouldn't sell any to us since "our system is too old!"

mcs610 (author) on December 05, 2012:

@anonymous: So glad this was helpful. Maybe I should publish a separate guide for migrating off Passpoint, since it has been discontinued for so long!

anonymous on December 05, 2012:

@mcs610: ^^ This just saved my life. I needed to export data to migrate to a totally new system, and you have revealed to me that "debug interactive" actually means "Open Query Builder"! All this time I didn't know. *sigh* Thank you!

mcs610 (author) on October 03, 2012:

@anonymous: In Passpoint, pull down "Tools" and select "Reporting."

In the passpoint reporter, select the report "Cardholders (all)" and select the "debug interactive" mode. Click the "Run Report" button, which will open the MK Query Builder screen. Assuming you need the card codes in the export, in the data structure under "Cards" double-click on "CardCode" to add it to the field list. Now click the "Lightning bolt" icon to run the query. After the query runs, you'll see some of your results. One of the icons at the bottom is for "Export" ... click that, select the fields you want to export, then the format you want to export into (probably Excel DDE in your case), then click Export. Voila, a spreadsheet with your cardholders and their card codes. It sounds confusing without pictures, let me know if you need more details.

anonymous on October 03, 2012:

We are changing out a passpoint system to a Keri door control since we can't get replacemnt parts for the honeywell system. we need to export the card data to an excel format to reenter the data in the Keri application. do you know how we can get this accomplished. jerry D. comtecsecurity@verizon.net

mcs610 (author) on August 06, 2012:

@anonymous: The *only* information in one of these prox cards is a serial number. All the data about what was done with the card is accumulated in the systems that read the serial number. You can't alter or erase the serial number that's burned into the chip. By bending a prox card you CAN make it stop working, by breaking the wire that's inside it. There's a coil of wire that goes almost along the perimeter of the card, when you wave it in front of a reader, a magnetic field in the reader induces current in the card, which powers the chip inside and lets it respond with its code.

anonymous on August 06, 2012:

Can I erase the information on it or deactivate it with out a card reader/programmer? Eg* rubbing it against a strong magnet or bending/flexing it

mcs610 (author) on July 23, 2012:

@anonymous: An interesting concept, I hope they improve their site. There seems to be no pricing or availability information online.

anonymous on July 19, 2012:

DigiOn24.com offers a prox encoder and cards that can be programmed and re-programmed as needed

anonymous on March 13, 2012:

I have an old Northern system (very old!) when I swipe card on a reader attached to my PC I get " %E? " (minus the quotes of course)

how can I decode this? I have another system that I have figured out and want to use same card for boths systems if I can figure out the Northern System

mcs610 (author) on March 10, 2012:

@anonymous: That's why you need to use a hex conversion tool, like the windows calculator. https://hubpages.com/education/base-conversions-wi...

anonymous on March 09, 2012:

@mcs610: not change the code but the number which shown when we swap the card from the reader, it is usually decimal number... tks for comment

mcs610 (author) on March 08, 2012:

@anonymous: You cannot change the code on an HID cards/fobs/etc. This is hard-coded onto the chip when it's manufactured.

anonymous on March 08, 2012:

hi.. there is any body know what kind software for HID reader that i can change the code.. to manage by my self, tks for kindness

anonymous on July 23, 2010:

@anonymous: both messages have a pri set. found this on hw website, but afraid what it will do when i download, the download screen comes up and says in red letters, "Caution: Enters RC".

PassPoint

Subject: Cards

Question:

Does PassPoint read other card formats, such as 32 or 40-Bit proximity cards?

Answer: From the main PassPoint window, go to Config > Admin and enable Denial Override. Go to Config > Hardware > Configure > System Wide Options and select the Card Tech tab. Enter 255 in the Card Lengths, Proximity Card Bits box. This will allow all cards to unlock all doors and show the Card Code. Turn off Denial Override to restore security. You can an Enrollment reader in PassPoint Version 1.1 or higher. This will allow you to enroll the cards. Request the Technical Note "Configuring an Enrollment Reader."

anonymous on July 23, 2010:

@anonymous: look in config -> system wide configuration -> priorities (this is a tab).

Here you set the priority level for each message passpoint generates, and what to do with it (display, display and log, etc). You might want to look for message "acc deny ovr unkn" and "egr deny ovr unkn" to make sure they have some priority other than "none"

anonymous on July 23, 2010:

@anonymous: here's the event view, see my admin options edited when i check denial override, then i swiped the card a few times and nothing appears.

http://www.mediafire.com/?4hwz1b1uqx4zh47

anonymous on July 23, 2010:

@anonymous: Yes, it shows Access Denied, whos name is on the card and date/time. where do i change logging options in passpoint plus?

anonymous on July 23, 2010:

@anonymous: Does your real time log usually show denials? If not, you'll need to mess with the logging options to enable that.

Have you enabled "Denial override" AND uploaded the changes to the MLB?

anonymous on July 23, 2010:

real time log doesn't show the card code, reader does beep though when i swipe.

anonymous on September 10, 2009:

Here is a thread I found with some good PassPoint info in it. Post number 18 explains the same method described here.

http://discussions.hardwarecentral.com/showthread....

It would be nice to find or form an active user group for tips and troubleshooting PassPoint issues.

mcs610 (author) on July 08, 2009:

[in reply to Mike] Thanks for letting me know this was useful to you. That's exactly why I wrote it, and I'm glad to know that even a year later, it's still helping someone here and there.

anonymous on July 08, 2009:

You saved me a lot of time and frustration with adding some older cards to our system. THANKS!

anonymous on September 19, 2008:

I can't tell you how much time this saved me. My cards actually came from our security company and getting assistance from them is like pulling teeth. Here are the specifics on the type card I had my problems with:

Card Tech is 26 Bit Prox NNC.

The raw code looks like:

8201-0000-blah-blah

the third and forth set are the keys.

The Third set is the hex value for the facility code.

The Forth set is the hex value for the card stamp.

Never would have figured this out without your help. I'd treat you to a drink if I could.

mcs610 (author) on August 08, 2008:

I hope you found this useful. Let me know if there's anything I can add to help you more.

anonymous on August 08, 2008:

Wow! Good Job! Thank you, thank you, thank you!!