HID iClass R10CGNN and 6100CGN Reader Firmware Programmer Pinout

From OpenBeacon

Figure: R10CGNN and 6100CGN iCLASS reader programming plug
Figure: Connecting a PICkit2 programmer to a CGN 20-pin programming connector using an adapter PCB
Figure: 20-pin adapter PCB for connecting a PICkit2 programmer to an iCLASS R10/R6100 reader CGN

Introduction

During our security research on the HID iCLASS access control system we evaluated several hardware revisions of HID iCLASS RFID readers. All the readers we evaluated (AKN, BKN and CGN revisions) expose their in-system programming interfaces on the back of the unit. This makes certain attacks on installed systems possible, such as the installation of backdoors and, for some revisions, reading out the system encryption keys.

This particular reader revision (CGN) does not appear to be vulnerable to key extraction over the 20-pin interface: it uses a more modern PIC CPU (PIC18F67J11) in which the problems we found in the older revisions are fixed.

Please refer to HID iClass demystified for further information and read our whitepaper.

Programming Connector Pinout

R10CGNN and 6100CGN iCLASS readers have a more sophisticated programming connector than AKN and BKN readers (which use the 6-pin layout described in our whitepaper). It is a fine-pitch 2x10 pin connector with 0.5 mm spacing:

Signal          Pin  Pin  Signal
--------------  ---  ---  --------------
YEL-Beeper       19   20  VCC +5V
VIO-Tamper       17   18  BRN-Red LED
ORN-Green LED    15   16
                 13   14  /MCLR
                 11   12
BLK-GND          09   10  BLK-GND
                 07   08  GRN-DATA0
PGC              05   06
PGD              03   04
red +12V         01   02

(Pins without a signal name were not identified during our evaluation.)

You need to select the PIC18F_J (PIC18F67J11) device family in your PICkit2 programming software to be able to access the programming interface. The ICSP signals the PICkit2 needs are all present on the connector: PGC (pin 05), PGD (pin 03), /MCLR (pin 14), GND (pins 09/10) and VCC +5V (pin 20). Note that pin 01 carries the reader's +12 V supply and must not be connected to the programmer.

The mating plug for this connector is available from Digi-Key under part number H11714CT-ND. It is a Hirose DF12A(3.0)-20DS-0.5V(81) plug.