In this guide, we're going to cover how to configure the VTAP reader to read Apple Access MIFARE DESFire credentials. This is a very narrow use-case for access control. It should work for the following models:
VTAP100-USB
VTAP100-PAC-W
VTAP100-PAC-485-OEM
VTAP100-PRO-BW-OEM
VTAP100-OEM
VTAP200-MOD
VTAP200-OEM
VTAP200
VTAP100-PRO-POE-OEM
VTAP200 ESS (elumo)
VTAP50-MOD
VTAP100-PRO-BW
VTAP100-PAC-W-OEM
VTAP100-PAC-485
VTAP100-PRO-POE
VTAP100
VTAP50
VTAP50-OEM
VTAP50-USB
We'll go over some of the requirements for DESFire keys and application structure. We will also take a look at the VTAP config file, and set some other files to read the passes you issue. Then we'll test our set up and go from there!
Generating keys and other DESFire values
Before we dive into changing the config.txt for the VTAP reader, you have to understand some things about MIFARE DESFire. Particularly, you need to understand that MIFARE DESFire keys are just arbitrary hexadecimal values. You can create a DES key, an AES key or a 3DES key. Each are different lengths, but we'll use AES which is 16 bytes. Here's the openssl command to do so:
openssl rand -hex 16
If you want to do it in python, here's a little snippet you can use as well:
import os
key = os.urandom(16)
print(key.hex())
Now that we have a solid way to create keys, let's save the commands so we can easily reference them later. We'll need at least one key in our config.
Let's move into the DESFire application id, also known as the AID. This is a 3 byte value - it's also largely arbitrary - it just needs to be a hexadecimal value. We'll use FE99BA as the AID in our DESFire app structure.
Config.txt
Now we will dive in and create a config for the reader. There are a number of important configs:
AccessTCI - This is a TCI value that you get from Apple
NFCType4 - This is going to be D which stands for DESFire
DESFireAppID - We will use the AID we created in the last section FE99BA
DESFireCrypto - We will set this to 3 which is the code for AES on VTAP
DESFireFileID - This is the file ID in the DESFire application structure (we're only going to have 1)
DESFireKeyNum - This is the key ID in the DESFire application structure
DESFireKeySlot - Which slot on the reader do we want to use the value of for the key
DESFireFormat - This is to tell the VTAP what format to pass the data back in, 0 means raw
So here's all of the values put together in a VTAP config.txt:
!VTAPconfig
; Apple Access TCI value (insert your TCI value here)
AccessTCI=020000
NFCType4=D ; Read type 4 cards and Wallet passes as DESFire
DESFireAppID=F56401
DESFireFileID=0
DESFireCrypto=3
DESFireKeyNum=1
DESFireKeySlot=1 ; use appkey1
DESFireFormat=0 ; means no format pass values raw
Go ahead and load that into your VTAP buy plugging it in via USB and dropping that into the config.txt - we're not done yet though! Keep reading, we still need to add in our key files.
Key files
Next is key files. Go ahead and generate a key using one of the techniques we shared in the section above. Now, you need to put them into a file named appkey1.txt - it's named appkey1.txt because we put DESFireKeySlot=1 into our config.txt
It's very important to put "key=" at the beginning of the file otherwise this won't work
Here's an example of how the appkey1.txt should look:
key=0123456789ABCDEF01234567890ABDEF
That's it. Now unmount and unplug the VTAP for the settings to take effect. We're ready to test.
Making it easier with AccessGrid
If you think this is hard, you're not alone. That's why we created AccessGrid. Here is an easier way to set up the VTAP configuration.
Login to AccessGrid.com, and navigate to Reader config section
Next, on the top right hand side, select Create reader config+ which will open this Generate a reader config page.
In this page you are going to type and insert the following options.
Info: vtap-config
Reader: Dot Origin - VTAP
Card templates: Apple Pass...select all that apply to your organization
Card Format: Key-ID
Reader transport method: Wiegand
Note: KEY-ID is a proprietary card format from DotOrigin that allows for 26 bit wiegand data to reside in the desfire file contents.
Below is a screenshot of how it should look like.
Generate a reader config
Now click "Save & download" config on the bottom right.
Next, in the Reader Config page, go ahead and find the newly created config from the table, and it should save in your downloads folder as config.zip.
Finally, plug the VTAP back in, unpack the Config.zip file, navigate into it, drag the contents into the VTAP reader, and you should be all set. Don't forget to unplug it so the changes to the VTAP are in effect.
Testing it
Now plug your VTAP back in (or wire it up with Wiegand or RS485), install an NFC key (hopefully you've used accessgrid.com for this) and try to scan. You should hear a beep and see a teal light. Congrats! 🎉
After reading this guide, you should understand a bit more about how to configure your VTAP for your Apple Access passes. If you have any trouble at all, please don't hesitate to reach out via the chat in the bottom right or just email [email protected].
