← Guides / NFC Readers
February 4, 2025

Configuring a VTAP reader

NFC Readers
Auston Bunsen
Overview
VTAP for access!
VTAP for access!

In this guide, we're going to cover how to configure the VTAP reader to read Apple Access MIFARE DESFire credentials. This is a very narrow use-case for access control. It should work for the following models:

  • VTAP100-USB
  • VTAP100-PAC-W
  • VTAP100-PAC-485-OEM
  • VTAP100-PRO-BW-OEM
  • VTAP100-OEM
  • VTAP200-MOD
  • VTAP200-OEM
  • VTAP200
  • VTAP100-PRO-POE-OEM
  • VTAP200 ESS (elumo)
  • VTAP50-MOD
  • VTAP100-PRO-BW
  • VTAP100-PAC-W-OEM
  • VTAP100-PAC-485
  • VTAP100-PRO-POE
  • VTAP100
  • VTAP50
  • VTAP50-OEM
  • VTAP50-USB
We'll go over some of the requirements for DESFire keys and application structure. We will also take a look at the VTAP config file, and set some other files to read the passes you issue. Then we'll test our set up and go from there!
Generating keys and other DESFire values
Before we dive into changing the config.txt for the VTAP reader, you have to understand some things about MIFARE DESFire. Particularly, you need to understand that MIFARE DESFire keys are just arbitrary hexadecimal values. You can create a DES key, an AES key or a 3DES key. Each are different lengths, but we'll use AES which is 16 bytes. Here's the openssl command to do so:

openssl rand -hex 16

If you want to do it in python, here's a little snippet you can use as well:

import os key = os.urandom(16) print(key.hex())

Now that we have a solid way to create keys, let's save the commands so we can easily reference them later. We'll need at least one key in our config.

Let's move into the DESFire application id, also known as the AID. This is a 3 byte value - it's also largely arbitrary - it just needs to be a hexadecimal value. We'll use FE99BA as the AID in our DESFire app structure. 
Config.txt
Now we will dive in and create a config for the reader. There are a number of important configs:

  • AccessTCI - This is a TCI value that you get from Apple
  • NFCType4 - This is going to be D which stands for DESFire 
  • DESFireAppID - We will use the AID we created in the last section FE99BA
  • DESFireCrypto - We will set this to 3 which is the code for AES on VTAP
  • DESFireFileID - This is the file ID in the DESFire application structure (we're only going to have 1)
  • DESFireKeyNum - This is the key ID in the DESFire application structure
  • DESFireKeySlot - Which slot on the reader do we want to use the value of for the key
  • DESFireFormat - This is to tell the VTAP what format to pass the data back in, 0 means raw
So here's all of the values put together in a VTAP config.txt:

!VTAPconfig ; Apple Access TCI value (insert your TCI value here) AccessTCI=020000 NFCType4=D ; Read type 4 cards and Wallet passes as DESFire DESFireAppID=F56401 DESFireFileID=0 DESFireCrypto=3 DESFireKeyNum=1 DESFireKeySlot=1 ; use appkey1 DESFireFormat=0 ; means no format pass values raw

Go ahead and load that into your VTAP buy plugging it in via USB and dropping that into the config.txt - we're not done yet though! Keep reading, we still need to add in our key files.
Key files
Next is key files. Go ahead and generate a key using one of the techniques we shared in the section above. Now, you need to put them into a file named appkey1.txt - it's named appkey1.txt because we put DESFireKeySlot=1 into our config.txt

It's very important to put "key=" at the beginning of the file otherwise this won't work

Here's an example of how the appkey1.txt should look:

key=0123456789ABCDEF01234567890ABDEF

That's it. Now unmount and unplug the VTAP for the settings to take effect. We're ready to test.
Making it easier with AccessGrid
If you think this is hard, you're not alone. That's why we created AccessGrid. Here is an easier way to set up the VTAP configuration.

Login to AccessGrid.com, and navigate to Reader config section

Next, on the top right hand side, select Create reader config+  which will open this Generate a reader config page.

In this page you are going to type and insert the following options.

  • Info: vtap-config
  • Reader: Dot Origin - VTAP
  • Card templates: Apple Pass...select all that apply to your organization
  • Card Format: Key-ID
  • Reader transport method: Wiegand
Note: KEY-ID is a proprietary card format from DotOrigin that allows for 26 bit wiegand data to reside in the desfire file contents.

Below is a screenshot of how it should look like.

Generate a reader config
Generate a reader config


Now click "Save & download" config on the bottom right.

Next, in the Reader Config page, go ahead and find the newly created config from the table, and it should save in your downloads folder as config.zip.

Finally, plug the VTAP back in, unpack the Config.zip file, navigate into it, drag the contents into the VTAP reader, and you should be all set. Don't forget to unplug it so the changes to the VTAP are in effect.
Testing it
Now plug your VTAP back in (or wire it up with Wiegand or RS485), install an NFC key (hopefully you've used accessgrid.com for this) and try to scan. You should hear a beep and see a teal light. Congrats! 🎉 

After reading this guide, you should understand a bit more about how to configure your VTAP for your Apple Access passes. If you have any trouble at all, please don't hesitate to reach out via the chat in the bottom right or just email [email protected].

Thanks!

© AccessGrid 2024
Privacy
Terms