This was more of a challenge than you may expect because the manufacturers don't publish the protocol (except under NDA). Why?!?
- It does not stop people getting the data, as is apparent!
- It means there is also misinformation out there which cannot easily be corrected by reference to the official manual.
- It puts people off using the product, which cannot be good for sales.
- It means subtle details in the official manual will not be known, which could lead to failures in edge cases, making the product look bad.
- It does not help security - as any secure system must not rely on secret specifications.
I have written up what I have found out so far: PDF on github
So, why not just use one of the few (unofficial) libraries out there?
- I probably will for the host application on linux anyway.
- Coding it myself helped me learn more about the cards and how they work and what they can do.
- It was fun!
- The code on my ESP8266 devices to read cards does not need what is in a library - half of it is for handling legacy formats, and DES and 2KDES and 3KDES whereas I need a few specific operations using AES only.
The result - I have managed quite a lot, and made the door control system use cards which cannot simply be copied (unlike the 125kHz proxy tags, which can be, very very easily).
I have even managed to convert from DES to AES for the master key, and crucially I have documented detailed examples of this, and the CMAC logic, and so on, in the manual I have written. A lot of what I have learned has come from other sources as listed at the top, but I have gone through testing things directly and coding stuff myself to confirm things as well.
I have a cyclic record file on the card logging usage (door ID, and timestamp). I still need to add some handling for expiry, and time period controls on the card, maybe.
I am a tad concerned over response times. I am selecting the app, authenticating, getting file list, writing a usage log record and updating a counter, and you notice the slight delay using the card, which is a concern. This may be something that can be improved, not sure. I have not worked out how much is the card, and how much is the ESP8266 doing AES!
But it is working! I am even checking the CMAC on responses to confirm no man-in-the-middle upgrade attack (making one card seem like another once it has done AES handshake).