History
▪ Part 1 - Omron hybrid card reader - New toy
▪ Part 2 - Omron hybrid card reader protocol partly reversed
▪ Part 3 - Demo of implementation (This one)



FYI: 2 readers are still up for sale on eBay: here and here
Official Product page is here

About: Hitachi Omron card readers are used in various commercial setups. Identity management, payment systems and parking systems are a few of these. The effort displayed on this blog is done purely for research and awareness purposes. The "bad guys" are a lot more advanced and will not require the information displayed here.

I recently implemented the bare-bones protocol and the functions to read out ISO Track 1+2+3. I will briefly dive into the protocol in this post for those interested. The protocol itself is pretty simple, though bad specifications make it a pain to implement correctly.

Brief how-to:
▪ To initialize the reader for use, connect to the RS232 port (or a virtual USB COM port, as in my case) and send the DTR signal. Failure to send the DTR signal will result in no answer to commands and a non-functioning device.
▪ The session (protocol flow) works as described in Figure 2 below. First we send our command in hexadecimal, following the syntax described by Figure 1:

Figure 1

You might ask yourself what the heck DLE stands for: DLE (Data Link Escape) is an ASCII control character, specifically decimal 16 (0x10). ETX (End of TeXt) = 0x03 ASCII 4.

Following the diagram above, the sequence to send would be:
<DLE><STX>COMMAND HERE<DLE><ETX>BCC

What the hell is BCC then? BCC is the checksum/parity Hitachi introduced into the protocol. The documentation is a bit unclear about how exactly to proceed; here is the correct way:

All bytes of the command are XORed together, and the result is then XORed with ETX (0x03).

Example (BCC calc):
▪ 10 02 43 32 30 10 03 42
▪ DLE STX C 6 0 DLE ETX BCC
BCC = 43 XOR 32 XOR 30 XOR 03 = 42

Figure 2

Figure 2 shows the protocol handshaking taking place:
1. Host sends command
2. Device acknowledges the receipt with DLE ACK
3. Host sends the enquiry command with DLE ENQ
4. Device sends the response to the command
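
The framing, BCC rule and four-step handshake described above, as an added Python example (not the C# prototype from this post). It assumes the device's response uses the same DLE STX ... DLE ETX BCC framing as the command; `FakeReader`, its reply payload and the `port` object with `write()`/`read()` are constructed stand-ins for the serial link, not a real driver API.

```python
from functools import reduce

# ASCII control codes; the DLE, STX and ETX values match the frame bytes in the post
DLE, STX, ETX, ENQ, ACK = 0x10, 0x02, 0x03, 0x05, 0x06

def bcc(command: bytes) -> int:
    """XOR all command bytes together, then XOR the result with ETX."""
    return reduce(lambda a, b: a ^ b, command, 0) ^ ETX

def build_frame(command: bytes) -> bytes:
    """<DLE><STX>command<DLE><ETX>BCC"""
    return bytes([DLE, STX]) + command + bytes([DLE, ETX, bcc(command)])

def parse_frame(frame: bytes) -> bytes:
    """Return the payload; raise ValueError on bad framing or a BCC mismatch."""
    if len(frame) < 5 or frame[:2] != bytes([DLE, STX]) or frame[-3:-1] != bytes([DLE, ETX]):
        raise ValueError("bad framing")
    payload = frame[2:-3]
    if bcc(payload) != frame[-1]:
        raise ValueError("BCC mismatch")
    return payload

class FakeReader:
    """Constructed stand-in for the reader: ACKs a valid command, answers DLE ENQ."""
    def __init__(self, reply: bytes):
        self.reply, self.pending = reply, b""

    def write(self, data: bytes) -> None:
        if data == bytes([DLE, ENQ]):
            self.pending = build_frame(self.reply)   # assumed response framing
        else:
            parse_frame(data)                        # a corrupted command is rejected
            self.pending = bytes([DLE, ACK])

    def read(self) -> bytes:
        out, self.pending = self.pending, b""
        return out

def transact(port, command: bytes) -> bytes:
    port.write(build_frame(command))           # 1. host sends command
    if port.read() != bytes([DLE, ACK]):       # 2. device acknowledges with DLE ACK
        raise IOError("no DLE ACK from device")
    port.write(bytes([DLE, ENQ]))              # 3. host sends enquiry with DLE ENQ
    return parse_frame(port.read())            # 4. device sends the response

if __name__ == "__main__":
    cmd = bytes.fromhex("433230")              # command bytes from the BCC example
    print(build_frame(cmd).hex(" "))
    print(transact(FakeReader(b"P00"), cmd))   # b"P00" is a constructed reply payload
```

Checking the BCC on every received frame before using the payload is what catches a corrupted or truncated read on a noisy serial line.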

Here is a video of the C# prototype working on a VISA card (click the full-screen icon to see the details):
