Summary of Contents for Magtek MagneSafe V5
MagneSafe V5 COMMUNICATION REFERENCE MANUAL PART NUMBER 99875475-10 NOVEMBER 2012 REGISTERED TO ISO 9001:2008 1710 Apollo Court Seal Beach, CA 90740 Phone: (562) 546-6400 FAX: (562) 546-6301 Technical Support: (651) 415-6800 www.magtek.com...
Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of MagTek, Inc. MagTek is a registered trademark of MagTek, Inc.
This warranty shall be provided only for a period of one year from the date of the shipment of the product from MagTek (the “Warranty Period”). This warranty shall apply only to the “Buyer” (the original purchaser, unless that entity resells the product as authorized by MagTek, in which event this warranty shall apply only to the first repurchaser).
FCC WARNING STATEMENT This equipment has been tested and was found to comply with the limits for a Class B digital device pursuant to Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment.
Command Number
Data Length
Data
Result Code
GET AND SET PROPERTY COMMANDS
Get Property Command
Set Property Command
Result Codes
PROPERTIES
Property ID
Property Default Values
Card Inserted Property (Insert Reader Only)
Send Clear AAMVA Card Data Property
HID SureSwipe Flag Property (HID)
Software ID 2 Property (Wireless USB Reader Only)
Inter-Key Delay Property (BulleT KB)
COMMAND LIST
(e.g., via RS-232 communication), the reader sends data in the SureSwipe format as defined in MagTek document 99875206. The default SureSwipe mode can be changed to allow the reader to send data in the V5 format as described in this document but the MagnePrint data will not be sent.
Annex A. Note that data supplied to the MAC algorithm should NOT be converted to ASCII-Hex; rather, it should be supplied in its raw binary form. The MAC key to be used is as specified in the same document (“Request PIN Entry 2” bullet 2). Calculating the MAC requires knowledge of the current DUKPT KSN, which can be retrieved using the Get DUKPT KSN and Counter command.
SECTION 2. COMMUNICATIONS
The USB readers covered in this document conform to the USB specification revision 1.1 and to the Human Interface Device (HID) class specification version 1.1. The USB readers communicate to the host either as a vendor-defined HID device or as a HID Keyboard Emulation device.
MAGNETIC STRIPE READER USAGE PAGE (HID)
Magnetic Stripe Reader usage page 0xFF00:
Usage ID (Hex) | Usage Name | Usage Type | Report Type
 | Decoding reader device | Collection | None
 | Track 1 decode status | Data | Input
 | Track 2 decode status | Data | Input...
REPORT DESCRIPTOR (HID)
The Report Descriptor is made available to the hosting system during USB enumeration. The descriptor is shown here for completeness. Typically the hosting operating system will provide the ability to parse HID Reports based on the actual Report Descriptor, using the assigned Usage IDs.
Card data is only sent to the host on the Interrupt In pipe using an Input Report. The reader will send only one Input Report per card swipe. If the host requests data from the reader when no data is available, the reader will send a NAK to the host to indicate that it has nothing to send.
Track 1 Decode Status
Bits / Value: Reserved, Error
This is a one-byte value that indicates the status of decoding track 1. If bit position zero is set to one, there was an error decoding track 1. If it is zero, then no error occurred.
Track 3 Encrypted Data Length
This one-byte value indicates the number of bytes in the Track 3 encrypted data field. The field is always a multiple of 8 bytes in length. This value will be zero if there was no data on the track or if there was an error decoding the track.
may vary. Therefore, the Input Report always contains the maximum number of bytes that can be encoded on the card, and the number of valid bytes in each track is indicated by the Encrypted Data Length field. The encrypted data from each track is decoded and converted to ASCII, and then is encrypted.
Encrypted MagnePrint Data
This 128 byte Binary field contains the MagnePrint data. Only the number of bytes specified in the MagnePrint data length field are valid. The least significant bit of the first byte of data in this field corresponds to the first bit of MagnePrint data.
masked; all other card types are either entirely masked or sent totally in the clear. There is a separate masking property for ISO/ABA cards and AAMVA cards. See the ISO Track Masking property and the AAMVA Track Masking property for more information. (Refer to Appendix E. Identifying ISO/ABA and AAMVA Cards for a description of how ISO/ABA and AAMVA cards are identified.) Each of these properties allows the application to specify masking details for the Primary...
For an AAMVA card, the DL/ID# is masked as follows:
• The specified number of initial characters are sent unmasked. The specified number of trailing characters are sent unmasked. If Mod 10 correction is specified, all but one of the intermediate characters of the DL/ID#PAN are set to zero;...
MagneSafe Version Number
This eight byte field contains the MagneSafe Version Number with at least one terminating byte of zero to make string manipulation convenient. See the MagneSafe Version Number Property for more information.
Hashed Track 2 Data
This twenty (20) byte field contains the track 2 data hashed with the SHA-1 algorithm.
ASCII character range). When the reader is in Security Level 2, the factory default settings cause the data to be transmitted in the SureSwipe format (see MagTek manual 99875206). The card data format for all programmable configuration options is as follows:...
Most users will not need to know these details because the reader will be configured at the factory or by a program supplied by MagTek. Most users may want to skip over the next few sections on low level communications and continue with the details of the...
Low Level Communications
It is strongly recommended that application software developers become familiar with the HID USB specification before attempting to communicate directly with this reader. This document assumes that the reader is familiar with these specifications. These specifications can be downloaded free from www.usb.org.
Privileged Commands
Some commands are, for security purposes, privileged. These commands are:
1. Set Property
2. Reset Device*
3. Set Key Map Item
4. Save Custom Key Map
5. Set Security Level†
* The Reset Device command is usually not Privileged. The exception is during a sequence to Activate the Authenticated Mode.
Value | Command Number | Description
0x28 | Power Down Command (Wireless USB Reader Only) | Powers down the MSR circuits (if running on battery turns reader off).
0x29 | Get Battery Status Command (Wireless USB Reader Only) | Gets Charge Status of battery
0x30 | Encrypt Bulk Data | Encrypts Bulk Data...
Get Property Request Data:
Data Offset | Value
 | Property ID
Get Property Response Data:
Data Offset | Value
0 – n | Property Value
Set Property Command
Command number: 0x01
Description: The Set Property command sets a property in the reader. For security purposes, this command is privileged.
Property ID Value (columns: Other, mode, mode) | Property | Description
0x05 0x05 0x05 | Track ID Enable | Track enable / ID enable
0x07 0x07 0x07 | ISO Track Mask | Specifies Masking factors for ISO cards
0x08 0x08 0x08 | AAMVA Track Mask | Specifies Masking factors for AAMVA...
Property ID Value (columns: Other, mode, mode) | Property | Description
0x2F 0x2F | ES Track 3 | End sentinel char for track 3
0x30 0x30 | Send Encryption Counter | Enables/disables sending of Encryption Counter
0x31 0x31 0x31 | Mask Other Cards | Enables/disables masking of cards that don’t meet the ISO Financial or the...
to the host using a USB cable, as is the case when doing firmware updates, this property will return the software ID of the wireless reader.
Example Get Software ID property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Software ID property Response (Hex):
Result Code...
Polling Interval Property (USB)
Property ID: 0x02
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x01
Description: The value is a byte that represents the reader’s polling interval for the Interrupt In Endpoint. The value can be set in the range of 1 – 255 and has units of milliseconds.
Device Serial Num Property
Property ID: 0x03
Property Type: String
Length: 0 – 15 bytes
Get Property:
Set Property: Yes (Once only)
Default Value: ASCII device serial number set when the reader is configured.
Description: The value is an ASCII string that represents the reader serial number. This string can be 0 –...
Example Get MagneSafe Version Number property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get MagneSafe Version Number property Response (Hex):
Result Code | Data Len | Prp Value
56 30 35
Track ID Enable Property
Property ID: 0x05...
Example Get Track ID Enable property Response (Hex):
Result Code | Data Len | Prp Value
ISO Track Mask Property
Property ID: 0x07
Property Type: String
Length: 6 bytes
Get Property:
Set Property:
Default Value: “04040Y”
Description: This property specifies the factors for masking data on ISO/ABA type cards:
•...
o The PAN will be masked according to the rules of this property (the Send Clear AAMVA Card Data property is ignored)
o The character used for masking the PAN will be ‘0’
o All data after the PAN will be sent without masking
•...
Example Set Max Packet Size property Response (Hex):
Result Code | Data Len | Data
Example Get Max Packet Size property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Max Packet Size property Response (Hex):
Result Code | Data Len | Prp Value
UART/RS-232 COMMUNICATIONS PROPERTY (UART/RS-232 READERS ONLY)
Bluetooth Disconnect Message Property (BulleT Only)
Property ID: 0x0D
Property Type: String
Length: 7 bytes
Get Property:
Set Property:
Default Value: No string with a length of zero.
Description: This property specifies a string to be used as part of a Bluetooth Disconnect Message.
Example Set Track Data Transmission Delay property Response (Hex):
Result Code | Data Len | Data
Example Get Track Data Transmission Delay property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Track Data Transmission Delay property Response (Hex):...
This property should be the first property changed so that all other communications will not conflict with other pairs that may be in range. After this property is changed, the reader should be reset (see Command Number 2) before changing any other properties.
Interface Type Property
Property ID: 0x10
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x00 (HID)
Description: The value is a byte that represents the reader’s interface type. With USB readers, the value can be set to 0x00 for the HID interface or to 0x01 for the Keyboard Emulation interface.
Track Data Send Flags Property (KB, BulleT SPP, Bullet KB, UART, RS-232)
Property ID: 0x14
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x63 for all models except BulleT KB which defaults to 0x6B
Description: This property is defined as follows:
0 –...
When minimizing key reports, the minimum number of key reports is sent to represent each character. When the ASCII-to-keypress conversion type property is set to ACTIVE KEYMAP, this consists of one key report per character (key down) if not sending the same key usage ID that was sent in the last key report...
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled to have these changes take effect.
Active Keymap Property (KB)
Property ID: 0x16...
Example Get Active Keymap property Response (Hex):
Result Code | Data Len | Prp Value
ASCII to Keypress Conversion Type Property (KB)
Property ID: 0x17
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x00 (keymap)
Description: The value is a byte that represents the reader’s ASCII-to-keypress conversion...
Example Set ASCII To Keypress Conversion Type property Response (Hex):
Result Code | Data Len | Data
Example Get ASCII To Keypress Conversion Type property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get ASCII To Keypress Conversion Type property Response (Hex):
Result Code | Data Len | Prp Value...
This property enables/disables SureSwipe emulation when the Security Level is 2 and the Interface Type is Keyboard. The default is SureSwipe emulation enabled; keyboard data will be emitted in the SureSwipe format (see MagTek document 99875206). This allows clients to receive a reader without security enabled (Security Level 2) and use it exactly like a SureSwipe reader.
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled for these changes to take effect.
Example Set property Request (Hex):
Cmd Num | Data Len...
ES JIS Type 2 Property
Property ID: 0x1D
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x7F ‘DEL’
Description: This character is sent as the end sentinel for cards that are encoded in the JIS type 2 format.
Post Card String Property (KB, BulleT, UART, RS-232)
Property ID: 0x1F
Property Type: String
Length: 0 – 7 bytes
Get Property:
Set Property:
Default Value: No string with a length of zero.
Description: The value is an ASCII string that represents the reader’s post card string. This string can be 0 –...
Example Set Pre Track String property Response (Hex):
Result Code | Data Len | Data
Example Get Pre Track String property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Pre Track String property Response (Hex):
Result Code | Data Len...
Termination String Property (KB, BulleT, UART, RS-232)
Property ID: 0x22
Property Type: String
Length: 0-7 bytes
Get Property:
Set Property:
Default Value: 0x0D (carriage return)
Description: This string is sent after all the data for a transaction. The string can be 0 – 7 bytes long.
SS Track 2 ISO ABA Property (KB, BulleT, UART, RS-232)
Property ID: 0x25
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x3B ‘;’
Description: This character is sent as the track 2 start sentinel for cards that have track 2 encoded in ISO/ABA format.
SS Track 2 7bits Property (KB, BulleT, UART, RS-232)
Property ID: 0x28
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x40 (‘@’)
Description: This character is sent as the track 2 start sentinel for cards that have track 2 encoded in 7 bits per character format.
The application sends four characters, but only the last three will be set. The first character is reserved for MagTek use. A value of ‘0’ in the first character means the Format Code is defined by MagTek; a value of ‘1’...
ES Track 2 Property (KB, BulleT, UART, RS-232)
Property ID: 0x2E
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0xFF (use ES property)
Description: This character is sent as the end sentinel for track 2 with any format. If the value is 0 no character is sent.
NOTE: If this property is set to 0x01 and the Format Code is currently “0001”, the Format Code will be changed to “0002”.
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled to have these changes take effect.
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled to have these changes take effect.
Send Clear AAMVA Card Data Property
Property ID: 0x34
Property Type: Byte
Length: 1 byte
Get Property:
Set Property:
Default Value: 0x00
Description: This property is used to control how to send out AAMVA card data when the security level is above 2.
This property controls whether, when the reader is configured with Interface Type HID and at Security Level 2, the reader functions as described in this manual or as described in 99875191 (USB HID SURESWIPE & USB HID SWIPE READER TECHNICAL REFERENCE MANUAL).
wireless reader. To get the software ID from the dongle use the “SOFTWARE ID” property.
Example Get Software ID 2 property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Software ID 2 property Response (Hex):
Result Code...
Example Set Inter-Key Delay property Response (Hex):
Result Code | Data Len | Data
Example Get Inter-Key Delay property Request (Hex):
Cmd Num | Data Len | Prp ID
Example Get Inter-Key Delay property Response (Hex):
Result Code | Data Len | Data
COMMAND LIST
The following commands are available for use with the readers.
Example Reset Device Response (Hex):
Result Code | Data Len | Data
Get Keymap Item Command (KB)
Command number: 0x03
Description: This command is used to get a key map item from the active key map. The active key map is determined by the active key map property. Data from a magnetic stripe card is a sequence of ASCII characters.
Response Data:
Offset | Field Name | Description
 | Key Usage ID | The value of the USB key usage ID that is mapped to the given ASCII value. For example, for the United States keyboard map, usage ID 56 (0x38) (keyboard / and ?) is mapped to ASCII character ‘?’.
Starting with the firmware release with software ID 21042812F01, when both the key usage ID and the key modifier byte are set to 0xFF for a given ASCII value, the ALT ASCII code is sent instead of the key map values.
Example Save Custom Keymap Response (Hex):
Result Code | Data Len | Data
DUKPT Operation
Since key loading is proprietary and performed at MagTek, there are no user commands to support key injection.
Get DUKPT KSN and Counter Command
Command number: 0x09...
Example Get DUKPT KSN and Counter Request (Hex):
Cmd Num | Data Len | Data
 | | None
Example Get DUKPT KSN and Counter Response (Hex):
Result Code | Data Len | Data
 | | FFFF 9876 5432 10E0 0001
Set Session ID Command
Command number:...
Activate Authenticated Mode Command
Command number: 0x10
Description: This command is used to Activate the Authenticated Mode. When set to Security Level 4, this reader will not transmit card data unless it is in the Authenticated Mode. The Authenticated Mode may only be entered by this command.
Response Data:
Offset | Field Name | Description
 | Current Key Serial Number | This eighty-bit field includes the Initial Key Serial Number in the leftmost 59 bits and a value for the Encryption Counter in the rightmost 21 bits.
 | Challenge 1...
If the reader decrypts the CR response correctly, the Activate Authenticated Mode has succeeded. If the reader cannot decrypt the CR command correctly, the Activate Authenticated Mode has failed and the DUKPT KSN advances.
Data structure:
Request Data:
Offset | Field Name | Description...
behavior is intended to discourage denial of service attacks. Exiting the Authenticated Mode by timeout or card swipe always increments the KSN; exiting Authenticated Mode by the Deactivate Authenticated Mode command may increment the KSN.
Data structure:
Request Data:...
Data Structure:
Request Data: None
Response Data: The first byte specifies the current state as follows:
Current Reader State
Value | Name | Meaning
0x00 | WaitActAuth | Waiting for Activate Authenticated Mode. The reader requires Authentication before swipes are accepted.
0x01 | WaitActRply | Waiting for Activation Challenge Reply.
Set Security Level Command
Command number: 0x15
Description: This command is used to set the Security Level (see Section 1). The Security Level can be set higher, but never lower. There are two versions of this command, the first one is used to retrieve the current Security Level and does not require MACing.
Get Transaction Count Command (Flash Reader Only)
Command number: 0x16
Description: This command is used to get the count of stored transactions (card swipes) currently stored in the reader. It will return one byte giving the count of stored transactions.
Example Response Read Oldest Transaction (Hex):
Result Code | Data Len | Data
Erase Oldest Transaction Command (Flash Reader Only)
Command number: 0x18
Description: This command is used to erase the oldest transaction (card swipe) stored in the reader. It has no request and no response data. The response indicates whether or not a transaction was erased.
Request Data: None
Response Data:
Offset | Field Name | Description
 | Device Serial # | 16 bytes, if DSN is shorter than 15 bytes, left justify and fill with binary zeroes. At least one byte (usually the last one) must contain binary zero.
 | Actual Encryption Counter | This three byte field returns the current value of the...
Get Battery Status Command (Wireless USB Reader Only)
Command number: 0x29
Description: This command is used to get the status of the battery.
Data structure:
Request Data: None
Response Data:
Offset | Field Name | Description
 | Battery Status | Value of 0x00 indicates battery charge is low;...
DSN – Device Serial Number, this data field will always be fixed at 16 bytes. If the serial number is less than 15 bytes, it will be left justified. The 16th byte will always be set to NULL.
Cryptogram –...
SECTION 3. DEMO PROGRAM
The demo program, which is written in Visual Basic, can be used to do the following:
• Send command requests to the reader and view the command responses.
• Guide application developers in their application development by providing examples, in source code, of how to properly communicate with the reader using the standard Windows APIs.
• To send commands to the reader, click the Send Commands tab (if not already selected).
• Enter a command in the Message edit box. All data entered should be in hexadecimal bytes with a space between each byte. Enter the command number followed by the command data if there is any.
APPENDIX A. KEYBOARD USAGE ID DEFINITIONS
This appendix is from the following document found on www.usb.org: Universal Serial Bus HID Usage Tables, Version 1.12 and specifically for this manual, Section 10, Keyboard/Keypad Page (0x07).
KEYBOARD/KEYPAD PAGE (0X07)
This section is the Usage Page for key codes to be used in implementing a USB keyboard. A Boot Keyboard (84-, 101- or 104-key) should at a minimum support all associated usage codes as indicated in the “Boot”...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
√ √ √ Keyboard i and I 4/101/104
√ √ √ Keyboard j and J 4/101/104
√ √ √ Keyboard k and K 4/101/104
√...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
√ √ √ Keyboard ‘ and “ 4/101/104
√ √ √ Keyboard Grave Accent and Tilde 4/101/104
√ √ √ Keyboard, and < 4/101/104
√...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
√ √ √ Keypad 4 and Left Arrow 4/101/104
√ √ √ Keypad 4 and Left Arrow 4/101/104
√ √ √ Keypad 4 and Left Arrow 4/101/104
√...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
√ Keyboard Locking Scroll Lock
Keypad Comma
Keypad Equal Sign
15-28 Keyboard International1
Keyboard International2
Keyboard International3
Keyboard International4
Keyboard International5
Keyboard International6
Keyboard International7
Keyboard International8
Keyboard International9...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
Keypad (
Keypad )
Keypad {
Keypad }
Keypad Tab
Keypad Backspace
Keypad A
Keypad B
Keypad C
Keypad D
Keypad E
Keypad F
Keypad XOR...
Columns: Usage ID (Dec), Usage ID (Hex), Usage Name, Ref: Typical AT-101 Position, Boot
222-223 DE-DF Reserved
√ √ √ Keyboard LeftControl
√ √ √ Keyboard LeftShift
√ √ √ Keyboard LeftAlt 10;23
√ √ √ Keyboard Left GUI
√...
29. Used on AS/400 keyboards.
30. Defines the Katakana key for Japanese USB word-processing keyboards.
31. Defines the Hiragana key for Japanese USB word-processing keyboards.
32. Usage 0x94 (Keyboard LANG5) “Defines the Zenkaku/Hankaku key for Japanese USB word-processing keyboards.
APPENDIX B. MODIFIER BYTE DEFINITIONS
This appendix is from the following document found on www.usb.org: Device Class Definition for Human Interface Devices (HID) Version 1.11, and specifically for this manual, Section 8.3 Report Format for Array Items. The modifier byte is defined as follows:
Table B-1.
APPENDIX C. GUIDE ON DECRYPTING DATA
The key that was used to encrypt each data block can be determined by using the Key Serial Number field along with the Base Derivation Key associated with this reader. The resulting DUKPT key, as described in ANS X9.24 Part 1, is the key which was used to encrypt the data. (The key is described as the PIN key in the standard but since there are no PINs being used in this application, the derived key is used.) These sequences are based on the following data:...
APPENDIX D. COMMAND EXAMPLES
This Appendix gives examples of command sequences and cryptographic operations. The intent is to clarify any ambiguities the user might find in the body of the document. Each example shows a sequence as it actually runs, thus the user can check algorithms against the examples to assure they are computing correctly.
Example 1: Configuring a reader before encryption is enabled (Security Level 2).
01 02 05 85 ; Set to read only Tracks 1 & 2
Request : CMND=01, LEN=02, DATA=05 85
Response : RC= 00, LEN=00, DATA=
00 01 07 ; Get current ISO Track Mask
Request : CMND=00, LEN=01, DATA=07...
01 02 02 02 ; Set Polling Interval to 2 ms
Request : CMND=01, LEN=02, DATA=02 02
Response : RC= 00, LEN=00, DATA=
00 01 03 ; Get current Device Serial Number
Request : CMND=00, LEN=01, DATA=03
Response...
00 01 20 ; Get current Pre Track String
Request : CMND=00, LEN=01, DATA=20
Response : RC= 00, LEN=00, DATA=
01 07 20 54524B545354 ; Set to "TRKTST"
Request : CMND=01, LEN=07, DATA=20 54 52 4B 54 53 54
Response : RC= 00, LEN=00, DATA=...
00 01 19 ; Get current CRC Flags (should return 03)
Request : CMND=00, LEN=01, DATA=19
Response : RC= 00, LEN=01, DATA=03
00 01 1A ; Get Current SureSwipe Flag (should return 00, if Set was done)
Request...
|010002AC501724CC063E08E2C52B53793DD53167753CDC3CE8EBC5C3555E30B68B73E4DB8912E6372CA772E 723EFEAADC02F02048C76
|B000795
|0000000000000000
|DB3E
|1234
TXEND
Example 3: HID reader card swipe in Security Level 2:
This example shows the data received in a HID report for a reader at Security Level 2.
Raw HID Report:
Byte Content
00 00 00 3C 25 1F 00 25 42 35 34 35 32 33 30 30 35 35 31 32...
00 00 00 00 00 00 00 00 00 00 00 00 3C 25 1F 36
According to the USB MagneSafe Swipe Reader Technical Reference Manual the HID report is broken down like this:
Offset | Usage Name
 | Track 1 decode status...
63000050000445=000000000000?|0200|%B54523005512271 89^HOGAN/PAUL ^08043210000000725000000?|;5452 300551227189=080432100000007250?|+5163499080020445 =000000000000?||||0000000000000000||6F36||1000
According to the MagneSafe Swipe Reader Technical Reference Manual the Data is broken down like this:
[P30]
[P32] [Tk1 SS] [Tk1 Masked Data] [ES] [P33]
[P32] [Tk2 SS] [Tk2 Masked Data] [ES] [P33]
[P32] [Tk3 SS] [Tk3 Masked Data] [ES] [P33]
[P31]
[P35] [Reader Encryption Status]...
|0000000000000000
|6F36
|1000
Note: The Device Serial Number field is empty because the DSN has not been set.
Note: The MagnePrint Status, the MagnePrint Data, the DUKPT serial number/counter and Encrypted CRC fields are empty because this reader is at Security Level 2 (encryption not enabled).
02 00 ; Reset so changes take effect
Request : CMND=02, LEN=00, DATA=
Response : RC= 00, LEN=00, DATA=
Delay : (waited 5 seconds)
09 00 ; Get current KSN (should be FFFF9876543210E00002)
Request : CMND=09, LEN=00, DATA=
Response : RC= 00, LEN=0A, DATA=FF FF 98 76 54 32 10 E0 00 02...
Response : RC= 00, LEN=0A, DATA=FF FF 98 76 54 32 10 E0 00 02
15 00 ; Get current Security Level (Should be 04)
Request : CMND=15, LEN=00, DATA=
Response : RC= 00, LEN=01, DATA=04
Example 8: Changing from Security Level 3 to Security Level 4:
;...
Example 9: Configuring a reader after encryption is enabled (Security Level 3 or 4). In this example the reader is in Keyboard Mode:
; This script demonstrates configuration commands for KB mode.
; It assumes the reader is at Security Level 3 or 4 and that the KSN counter
;...
00 01 20 ; Get current Pre Track String
Request : CMND=00, LEN=01, DATA=20
Response : RC= 00, LEN=00, DATA=
; Form MAC for Set Property command
Message to be sent is: 01 05 20 nnnnnnnn (nnnnnnnn is the MAC)
MAC is first four bytes: D1538615
01 09 2C 31303030 D1538615 ; Set to "1000"
Request : CMND=01, LEN=09, DATA=2C 31 30 30 30 D1538615
Response : RC= 00, LEN=00, DATA=
02 00 ; Reset so changes take effect
Request : CMND=02, LEN=00, DATA=
Response...
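The request and response framing used in these scripts, and the 59/21-bit split of the 80-bit KSN described for the Current Key Serial Number field, checked in code. This is an added example, not code from MagTek or the manual; the function names and the `has_mac` flag are assumptions, and the sample frames are the ones printed in this appendix.

```python
from typing import NamedTuple, Tuple

MAC_LEN = 4          # the scripts above append a four-byte MAC to Set Property
KSN_LEN = 10         # eighty-bit Key Serial Number
COUNTER_BITS = 21    # rightmost 21 bits hold the Encryption Counter


class Request(NamedTuple):
    cmd: int
    data: bytes
    mac: bytes       # empty when the frame carries no MAC


def _split_frame(hex_text: str) -> Tuple[int, bytes]:
    """Return (first byte, data) after checking the Data Len byte."""
    raw = bytes.fromhex(hex_text)           # fromhex ignores the spaces
    if len(raw) < 2:
        raise ValueError("frame needs a leading byte and a Data Len byte")
    head, length, body = raw[0], raw[1], raw[2:]
    if length != len(body):
        raise ValueError(f"Data Len says {length}, frame carries {len(body)}")
    return head, body


def parse_request(hex_text: str, has_mac: bool = False) -> Request:
    """Parse 'Cmd Num, Data Len, Data'; peel off the trailing MAC if present."""
    cmd, body = _split_frame(hex_text)
    mac = b""
    if has_mac:
        if len(body) < MAC_LEN:
            raise ValueError("frame too short to carry a MAC")
        body, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return Request(cmd, body, mac)


def parse_response(hex_text: str) -> Tuple[int, bytes]:
    """Parse 'Result Code, Data Len, Data' into (result code, data)."""
    return _split_frame(hex_text)


def split_ksn(ksn: bytes) -> Tuple[int, int]:
    """Split an 80-bit KSN into (leftmost 59 bits, 21-bit counter)."""
    if len(ksn) != KSN_LEN:
        raise ValueError("KSN must be 10 bytes")
    value = int.from_bytes(ksn, "big")
    return value >> COUNTER_BITS, value & ((1 << COUNTER_BITS) - 1)


def ksn_advanced(before: bytes, after: bytes) -> bool:
    """True when both KSNs share the leftmost 59 bits and the counter grew."""
    id_a, ctr_a = split_ksn(before)
    id_b, ctr_b = split_ksn(after)
    return id_a == id_b and ctr_b > ctr_a


if __name__ == "__main__":
    # Frames copied from the Appendix D scripts.
    print(parse_request("01 07 20 54524B545354"))                 # Security Level 2
    print(parse_request("01 09 2C 31303030 D1538615", has_mac=True))
    rc, ksn = parse_response("00 0A FF FF 98 76 54 32 10 E0 00 02")
    print(rc, split_ksn(ksn))
```

The counter does not sit on a byte boundary: the top three bits of the `E0` byte belong to the leftmost 59 bits, which is why the split is done on the integer value rather than by slicing bytes.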
; Build a Deactivate Authenticated Mode command (cmd, len, cryptogram)
12 08 XXXXXXXXXXXXXXXX
The clear text input for the cryptogram is composed of the first seven bytes of the decrypted Challenge 2 followed by one byte specifying whether to increment the DUKPT KSN or not (00 = no increment, 01 = increment).
Track 2 decode status
Track 3 decode status
Track 1 encrypted data length: 40 (64 bytes, always in multiples of 8)
Track 2 encrypted data length: 28 (40 bytes, always in multiples of 8)
Track 3 encrypted data length: 20 (32 bytes, always in multiples of 8)
Card encode type (ISO/ABA)
7 - 118...
As Track 1 Encrypted Data Length cites 64 bytes only, we can eliminate the trailing blocks:
Block #
1 C25C1D1197D31CAA
87285D59A8920474
26D9182EC11353C0
51ADD6D0F072A6CB
3436560B3071FC1F
D11D9F7E74886742
D9BEE0CFD1EA1064
C213BB55278B2F12
Appendix C tells us to decrypt the last block:
C213BB55278B2F12
TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets E98ED0F0D1EA1064
XOR D9BEE0CFD1EA1064...
Page 122
Ordering the decrypted blocks 1st to last we get:
Hex                ASCII
2542353435323330   %B545230
3035353132323731   05512271
38395E484F47414E   89^HOGAN
2F5041554C202020   /PAUL
2020205E30383034   ^0804
3332313030303030   32100000
3030373235303030   00725000
3030303F00000000   000?
We can ignore the last four bytes because the Track 1 Absolute Length field cites only 60 characters.
Page 123
Continue on in reverse block order:
F0FEAE7908801093 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets 47796C85E4CE30FF
XOR 724C5DB7D6F901C7
gets 3535313232373138 (decrypted block 2)
Continue on in reverse block order:
724C5DB7D6F901C7 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets 3B35343532333030 (decrypted block 1)
Ordering the decrypted blocks 1st to last we get:
ASCII
3B35343532333030...
Page 124
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
As MagnePrint Data Length cites 56 bytes only, we can eliminate the trailing blocks:
Block #
1 4703576BC5C2CB20
2 BC04C68B5CE1972A
3 E89E087B1C4D47D5
4 D0E31706106903E6
5 0B82030792690A57...
Page 125
BEA104C4EF584ED5
CE07C0D55B810000
We can ignore the last four bytes because the MagnePrint Data Absolute Length field cites only 54 characters.
01000184EA10B939408C872A5C513C90C78B57A6F3FAA663CE0678B879D0D78B7FADBCE8591AE7E4BEA104C4EF584ED5CE07C0D55B81
This is an accurate decryption of the MagnePrint data.
Encrypted Session ID (user didn't load, all zeroes)
21 68 5F 15 8B 5C 6B E0
As this is a simple eight byte block, we only need decrypt it with the appropriate key:...
Page 126
[P35] [Encrypted Session ID]
[P35] [DUKPT serial number/counter]
[P35] [Clear Text CRC]
[P35] [Encrypted CRC]
[P35] [Format Code]
[P34]
Each of the Pxx elements has the default value in this configuration, thus we can reinterpret the format as:
%[Tk1 Masked Data]?
;[Tk2 Masked Data]?...
Page 127
Note that all other fields are represented as hexadecimal data, that is, two ASCII characters together give the value of a single byte.
The data is structurally coherent, so let's work on decryption.
First, we note the KSN = FFFF9876543210E00008, counter is 8. For the standard ANSI key example, counter 8 gets us the following Encryption Key:
27F66D5244FF621E AA6F6120EDEB427F...
Page 128
26D9182EC11353C0 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets BF110311E7D5453A
XOR 87285D59A8920474
gets 38395E484F47414E (decrypted block 3)
Continue on in reverse block order:
87285D59A8920474 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets F2692820A5E12B9B
XOR C25C1D1197D31CAA
gets 3035353132323731 (decrypted block 2)
Continue on in reverse block order:...
Page 129
F0FEAE7908801093 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets 47796C85E4CE30FF
XOR 724C5DB7D6F901C7
gets 3535313232373138 (decrypted block 2)
Continue on in reverse block order:
724C5DB7D6F901C7 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F
gets 3B35343532333030 (decrypted block 1)
Ordering the decrypted blocks 1st to last we get:
Hex                ASCII
3B35343532333030   ;5452300...
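The reverse-order CBC procedure walked through above (drop padding blocks, TDES-decrypt each block, XOR with the preceding ciphertext block, cut to the absolute length), as an added Python example that is not MagTek's code. The function names are hypothetical; `PAGE_TDES` reuses the raw "TDES Dec" outputs printed in the walk-through as a stand-in block primitive so the code runs without a crypto library, `library_tdes` assumes pycryptodome is installed, and the 21-bit counter mask is the ANSI X9.24 DUKPT KSN layout, an assumption not stated on this page.

```python
from typing import Callable

BLOCK = 8  # TDES block size in bytes

def ksn_counter(ksn_hex: str) -> int:
    """DUKPT transaction counter: the low 21 bits of the 80-bit KSN."""
    ksn = bytes.fromhex(ksn_hex)
    if len(ksn) != 10:
        raise ValueError("KSN must be 10 bytes")
    return int.from_bytes(ksn, "big") & 0x1FFFFF

def decrypt_field(data: bytes, enc_len: int, abs_len: int,
                  block_dec: Callable[[bytes], bytes],
                  iv: bytes = bytes(BLOCK)) -> bytes:
    """Drop padding past enc_len, undo CBC chaining last block first,
    then cut the plaintext to abs_len as the walk-through does."""
    if enc_len <= 0 or enc_len % BLOCK or enc_len > len(data):
        raise ValueError("encrypted length must be a multiple of 8 inside the field")
    if not 0 <= abs_len <= enc_len:
        raise ValueError("absolute length exceeds encrypted length")
    blocks = [data[i:i + BLOCK] for i in range(0, enc_len, BLOCK)]
    plain = [b""] * len(blocks)
    for i in range(len(blocks) - 1, -1, -1):
        prev = blocks[i - 1] if i else iv  # block 1 chains to the (zero) IV
        raw = block_dec(blocks[i])
        plain[i] = bytes(a ^ b for a, b in zip(raw, prev))
    return b"".join(plain)[:abs_len]

def library_tdes(key_hex: str) -> Callable[[bytes], bytes]:
    """Real block primitive (assumption: pycryptodome is installed)."""
    from Crypto.Cipher import DES3
    return DES3.new(bytes.fromhex(key_hex), DES3.MODE_ECB).decrypt

# Stand-in primitive: raw "TDES Dec" outputs printed in the walk-through
# for key 27F66D5244FF621E AA6F6120EDEB427F (KSN counter 8).
PAGE_TDES = {bytes.fromhex(c): bytes.fromhex(p) for c, p in [
    ("C213BB55278B2F12", "E98ED0F0D1EA1064"),  # Track 1, block 8
    ("26D9182EC11353C0", "BF110311E7D5453A"),  # Track 1, block 3
    ("87285D59A8920474", "F2692820A5E12B9B"),  # Track 1, block 2
    ("F0FEAE7908801093", "47796C85E4CE30FF"),  # Track 2, block 2
    ("724C5DB7D6F901C7", "3B35343532333030"),  # Track 2, block 1
]}

def track2_head() -> bytes:
    # Constructed field: Track 2 blocks 1-2 plus one all-zero padding block.
    field = bytes.fromhex("724C5DB7D6F901C7" "F0FEAE7908801093") + bytes(BLOCK)
    return decrypt_field(field, 16, 16, PAGE_TDES.__getitem__)

if __name__ == "__main__":
    print(ksn_counter("FFFF9876543210E00008"), track2_head())
```

To decrypt a complete field, pass `library_tdes("27F66D5244FF621EAA6F6120EDEB427F")` as `block_dec` in place of the lookup table.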
Page 130
We can ignore the last byte because it is hex 00 and falls after the End Sentinel.
ASCII string "+5163499080020443=000000000000? "
This is an accurate decryption of the track.
MagnePrint data
Block #
1 8628E664C59BBAA2
2 32BA90BFB3E6B41D
3 6F4B691E633C311C
4 BE6EE7466B81196E...
Page 131
010002D4B69CD2C0
C7617D0463316E85
3F9CB00FE2C5A355
6E9CE5A9B2E6DB89
14A6372CA7736703
6EFAADC02F02C4FB
76C6CFD8A59C0000
We can ignore the last two bytes because we know the MagnePrint data is actually 54 bytes long.
010002D4B69CD2C0C7617D0463316E853F9CB00FE2C5A3556E9CE5A9B2E6DB8914A6372CA77367036EFAADC02F02C4FB76C6CFD8A59C0000
This is an accurate decryption of the MagnePrint data.
Encrypted Session ID (user didn't load, all zeroes)
21685F158B5C6BE0
As this is a simple eight byte block, we only need decrypt it with...
APPENDIX E. IDENTIFYING ISO/ABA AND AAMVA CARDS
ISO/ABA FINANCIAL CARDS
1. If the low-level decoding algorithm finds data for available tracks to be in the ISO format particular to each track, the card is classified as ISO. In order to be considered for ISO Financial masking, the card must first be classed as ISO.
Track 2 is formatted per ISO Track 2 rules, and Track 3 is formatted per ISO Track 1 rules, the card is considered to be an AAMVA card. Some MagTek readers do not support reading of Track 3, so this rule will not apply on such readers.
APPENDIX F. LIST OF PROPERTIES
This list shows all of the properties that are supported among the MagneSafe reader families. The properties associated with a particular MagneSafe model are indicated with a check mark. The default setting for each property is indicated.
Dynamag Dynamo BulleT...