iDynamo MagneSafe V5 COMMUNICATION REFERENCE MANUAL
PART NUMBER 99875483-6
MARCH 2014
REGISTERED TO ISO 9001:2008
1710 Apollo Court, Seal Beach, CA 90740
Phone: (562) 546-6400
FAX: (562) 546-6301
Technical Support: (651) 415-6800
www.magtek.

Copyright© 2001-2015 MagTek®, Inc. Printed in the United States of America
Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of MagTek, Inc.
MagTek is a registered trademark of MagTek, Inc. MagnePrint is a registered trademark of MagTek, Inc. MagneSafe™ is a trademark of MagTek, Inc. Magensa™ is a trademark of MagTek, Inc.

LIMITED WARRANTY
MagTek warrants that the products sold pursuant to this Agreement will perform in accordance with MagTek’s published specifications. This warranty shall be provided only for a period of one year from the date of the shipment of the product from MagTek (the “Warranty Period”). This warranty shall apply only to the “Buyer” (the original purchaser, unless that entity resells the product as authorized by MagTek, in which event this warranty shall apply only to the first repurchaser).

FCC WARNING STATEMENT
This equipment has been tested and was found to comply with the limits for a Class B digital device pursuant to Part 15 of FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference with radio communications.
TABLE OF CONTENTS
SECTION 1. SECURITY ..... 1
  SECURITY LEVEL 3 ..... 1
  COMMANDS AND SECURITY LEVELS ..... 2
SECTION 2. COMMUNICATIONS
  FS Property ..... 24
  SS Track 1 ISO ABA Property ..... 24
  SS Track 2 ISO ABA Property ..... 24
  SS Track 3 ISO ABA Property
SECTION 1. SECURITY
The iDynamo is a secure card reader authenticator (SCRA) designed to work with the Apple devices that use a 30-pin connector, including iPhone 4, iPhone 3GS, iPhone 3G, iPod touch and iPad. The iDynamo 5 is an iDynamo SCRA that uses the Lightning connector for use with the iPhone 5, iPad mini, iPad with Retina display, and iPod touch 5th gen devices.
iDynamo MagneSafe V5 Communication Manual
COMMANDS AND SECURITY LEVELS
The following table shows how security levels affect the various commands. “Y” means the command can run. “N” means the command is prohibited. “S” means the command is protected (requires MACing). “X” means other (notes to follow).
SECTION 2. COMMUNICATIONS
CARD DATA
The details about how the card data and commands are structured follow later in this section. The reader will send only one swipe message per card swipe. When a card is swiped, the swipe message will be sent even if the data is not decodable. If no data is detected on a track then nothing will be transmitted for that track. If an error is detected on a track, the ASCII character “E” will be sent in place of the track data to indicate an error.
The card data format for all programmable configuration options is as follows:
[P30]
[P32] [Tk1 SS] [Tk1 Masked Data] [ES] [P33]
[P32] [Tk2 SS] [Tk2 Masked Data] [ES] [P33]
[P32] [Tk3 SS] [Tk3 Masked Data] [ES] [P33]
[P31]
[P35] [Reader Encryption Status]
[P35] [Tk1 Encrypted Data (including Tk1 SS and ES)]
[P35] [Tk2 Encrypted Data (including Tk2 SS and ES)]
[P35] [Tk3 Encrypted Data (including Tk3 SS and ES)]
[P35] [MagnePrint Status]
[P35] [Encrypted MagnePrint
Section 2. Communications
Masked Track Data
If decodable track data exists for a given track, it is located in the Masked Track Data field that corresponds to the track number. The Masked Track Data is decoded and converted to ASCII and then it is “masked”. The Masked Track Data includes all data starting with the start sentinel and ending with the end sentinel. Much of the data is “masked”; a specified mask character is sent instead of the actual character read from the track.
• The Expiration Date is transmitted unmasked.
• All Field Separators are sent unmasked.
• All other characters are set to the specified mask character.
For an AAMVA card, the DL/ID# is masked as follows:
• The specified number of initial characters are sent unmasked.
• The specified number of trailing characters are sent unmasked.
Bit 13 = DUKPT Key Variant used to encrypt MagnePrint data. 0 = PIN Variant, 1 = Data Variant/Bidirectional
Bits 14-15 = Unassigned (always set to Zero)
Notes:
(1) Encryption will only be performed when Encryption Enabled (bit 2) and Initial DUKPT Key Injected (bit 1) are set. Otherwise, data that are normally encrypted are sent in the clear in ASCII HEX format; the DUKPT Serial Number/counter will not be sent.
Track 2 Encrypted Data
This Binary field contains the encrypted track data for track 2.
Track 3 Encrypted Data
This Binary field contains the encrypted track data for track 3.
MagnePrint Status
This Binary field represents 32 bits of MagnePrint status information. Each character represents 4 bits (hexadecimal notation).
null terminator, is 15 bytes. This device serial number can also be retrieved and set with the device serial number property explained in the property section of this document. This field is stored in non-volatile memory, so it will persist when the unit is power cycled.
Encrypted Session ID
This eight-byte Binary field contains the encrypted version of the current Session ID. Its primary purpose is to prevent replays.
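The swipe message layout described above (pre/post strings, masked tracks, the Reader Encryption Status, then the FS-delimited encrypted fields) can be turned into a small parser. The Go program below is an added example written for this page; it is not MagTek code and not part of the iDynamo SDK. It assumes the default delimiters (FS “|” and end sentinel “?”), reads the two-byte Reader Encryption Status low byte first (the only reading under which the manual’s sample status 0600 has bits 1 and 2 set for an encrypted swipe), and takes the DUKPT transaction counter as the low 21 bits of the KSN, as the Deactivate Authenticated Mode description states. The masked tracks and the Track 1 ciphertext in the sample message are the ones printed in Appendix B; every field after that is a constructed placeholder because the manual’s example is cut off at that point.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Reader Encryption Status bits named in the manual. The 4-hex-digit field is
// read low byte first (assumption: the only reading under which the sample
// status "0600" has bits 1 and 2 set for an encrypted swipe).
const (
	fs, es            = "|", "?" // default field separator and end sentinel (assumed)
	statusKeyInjected = 1 << 1   // bit 1: initial DUKPT key injected
	statusEncEnabled  = 1 << 2   // bit 2: encryption enabled
	statusUnassigned  = 3 << 14  // bits 14-15: unassigned, always zero
)

// FS-delimited fields that follow the three encrypted tracks, in card data format order.
var trailerNames = []string{"MagnePrintStatus", "EncMagnePrint", "DeviceSerial",
	"EncSessionID", "KSN", "ClearCRC", "EncCRC", "FormatCode"}

// Swipe is one parsed swipe message with empty pre/post card and track strings.
type Swipe struct {
	MaskedTracks []string          // transmitted tracks, sentinels included
	TrackErrors  []bool            // true where the reader sent "E" for the track
	EncStatus    uint16            // reader encryption status as a 16-bit value
	EncTracks    [3][]byte         // TDES ciphertext per track, nil when absent
	Trailer      map[string]string // remaining fields as sent, keyed by trailerNames
	KSN          []byte            // decoded 10-byte DUKPT Key Serial Number
}

// Track 1 ciphertext from Appendix B; the fields after the masked tracks below are constructed.
const track1Cipher = "C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F072A6CB" +
	"3436560B3071FC1FD11D9F7E74886742D9BEE0CFD1EA1064C213BB55278B2F12"
const dummy = "0123456789ABCDEF" // constructed filler ciphertext block

var sampleSwipe = "%B5452000000007189^HOGAN/PAUL ^08040000000000000000000?" +
	";5452000000007189=080400000000000000?" + "+5163000050000445=000000000000?" +
	"|0600|" + track1Cipher + "|" + strings.Repeat(dummy, 5) + "|" + strings.Repeat(dummy, 4) +
	"|00000000|" + strings.Repeat(dummy, 2) + // MagnePrint status and encrypted data (constructed)
	"|W942QFNVM|" + dummy + // device serial (the manual's example value), encrypted session ID (constructed)
	"|FFFF9876543210E00008" + // KSN: the manual's example KSN with the counter set to 8 (constructed)
	"|1A2B|" + dummy + "|0" // clear CRC, encrypted CRC, format code (constructed)

// ParseSwipe splits a swipe message on FS and validates the fields whose shape the
// manual fixes: status bits, block-aligned track ciphertext, 10-byte KSN.
func ParseSwipe(msg string) (*Swipe, error) {
	f := strings.Split(msg, fs)
	if len(f) != 5+len(trailerNames) {
		return nil, fmt.Errorf("expected %d FS-separated fields, got %d", 5+len(trailerNames), len(f))
	}
	s := &Swipe{Trailer: map[string]string{}}
	for _, seg := range strings.SplitAfter(f[0], es) {
		if seg == "" {
			continue // a track with no data transmits nothing
		}
		body := strings.TrimLeft(strings.TrimSuffix(seg, es), "%;+") // drop SS and ES
		s.MaskedTracks = append(s.MaskedTracks, seg)
		s.TrackErrors = append(s.TrackErrors, body == "E")
	}
	st, err := hex.DecodeString(f[1])
	if err != nil || len(st) != 2 {
		return nil, fmt.Errorf("reader encryption status %q is not 4 hex digits", f[1])
	}
	s.EncStatus = uint16(st[0]) | uint16(st[1])<<8
	if s.EncStatus&statusUnassigned != 0 {
		return nil, fmt.Errorf("unassigned status bits 14-15 set in %q", f[1])
	}
	for i := range s.EncTracks {
		if f[2+i] == "" {
			continue // no data on that track: nothing transmitted
		}
		if s.EncTracks[i], err = hex.DecodeString(f[2+i]); err != nil || len(s.EncTracks[i])%8 != 0 {
			return nil, fmt.Errorf("track %d ciphertext is not whole 8-byte TDES blocks", i+1)
		}
	}
	for i, name := range trailerNames {
		s.Trailer[name] = f[5+i]
	}
	if s.KSN, err = hex.DecodeString(s.Trailer["KSN"]); err != nil || len(s.KSN) != 10 {
		return nil, fmt.Errorf("KSN %q is not 10 bytes of hex", s.Trailer["KSN"])
	}
	return s, nil
}

// Encrypted reports whether bits 1 and 2 are both set, the manual's condition
// for the track fields being encrypted rather than sent as clear ASCII hex.
func (s *Swipe) Encrypted() bool {
	return s.EncStatus&(statusKeyInjected|statusEncEnabled) == statusKeyInjected|statusEncEnabled
}

// KSNCounter returns the DUKPT transaction counter: the low 21 bits of the KSN.
func (s *Swipe) KSNCounter() uint32 {
	n := len(s.KSN)
	return (uint32(s.KSN[n-3])<<16 | uint32(s.KSN[n-2])<<8 | uint32(s.KSN[n-1])) & 0x1FFFFF
}

func main() {
	if s, err := ParseSwipe(sampleSwipe); err == nil {
		fmt.Printf("tracks=%d encrypted=%v counter=%d serial=%s\n",
			len(s.MaskedTracks), s.Encrypted(), s.KSNCounter(), s.Trailer["DeviceSerial"])
	} else {
		fmt.Println("parse error:", err)
	}
}
```

A message whose status has the unassigned bits set, whose ciphertext is not block-aligned, or whose field count is wrong is rejected rather than partially interpreted; a track sent as “E” is kept as a flagged entry so the host can tell a read error from an absent track.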
“1”. The application may change the final three characters, but making such a change will automatically set the first character to “1”.
PROGRAMMABLE CONFIGURATION OPTIONS
This reader has a number of programmable configuration properties. These properties are stored in non-volatile memory. These properties can be configured at the factory or by the end user using a program supplied by MagTek.
command is Privileged to prevent a hacker from using this sequence to exhaust DUKPT keys, thereby rendering the reader unusable. The privileged commands must be MACed in order to be accepted. If a MAC is required but not present or incorrect, RC = 07 will be returned.
Command Number
This one-byte field contains the value of the requested command number. The following table lists all the existing commands.
Result Code
This one-byte field contains the value of the result code. There are two types of result codes: generic result codes and command-specific result codes. Generic result codes always have the most significant bit set to zero. Generic result codes have the same meaning for all commands and can be used by any command. Command-specific result codes always have the most significant bit set to one.
Property ID
Property ID is a one-byte field that contains a hex value that identifies the property.
Property Type
Byte: This is a one-byte value. The valid values depend on the property.
String: This is a multiple-byte ASCII string. Its length can be zero to a maximum length that depends on the property. The value and length of the string do not include a terminating NUL character.
Property Default Values
Each property specifies a default value.
01 – Track Enabled
10 – Track Enabled/Required (Error if blank)
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled for these changes to take effect.
AAMVA Track Mask Property
Property ID: 0x08
Property Type: String
Length: 6 bytes
Get Property: Yes
Set Property: Yes
Default Value: “04040Y”
Description: This property specifies the factors for masking data on AAMVA type cards:
• The first two bytes specify how many of the leading characters of the Driver’s License/ID Number (DL/ID#) should be sent unmasked. The range of masking is from “00” to “99.
Track Data Send Flags Property
Property ID: 0x14
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0x63
Description: This property is defined as follows:
ICL SS ES 0 0 LC Er Er
ICL
0 – Changing the state of the caps lock key will not affect the case of the data
1 – Changing the state of the caps lock key will affect the case of the data
SS
0 – Don’t send Start Sentinel for each track
1 – Send Start Sentinel for each tr
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled for these changes to take effect.
Pre Card String Property
Property ID: 0x1E
Property Type: String
Length: 0 – 7 bytes
Get Property: Yes
Set Property: Yes
Default Value: The default value is no string with a length of zero.
Cmd Num: 01  Data Len: 04  Prp ID: 1F  Prp Value: 31 32 33
Example Set Post-Card String property Response (Hex):
Result Code: 00  Data Len: 00  Data:
Example Get Post-Card String property Request (Hex):
Cmd Num: 00  Data Len: 01  Prp ID: 1F
Example Get Post-Card String property Response (Hex):
Result Code: 00  Data Len: 03  Prp Value: 31 32 33
Pre-Track String Property
Property ID: 0x20
Property Type: String
Length: 0-
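The Get/Set Property exchanges above all share one framing: a request is Cmd Num, Data Len, then the data (Prp ID followed by the value for a Set), and a response is Result Code, Data Len, then the data. The Go program below is an added example, not MagTek code, that builds those requests and checks a response the way a host would; it assumes only what the hex examples show (Cmd Num 00 = Get Property, 01 = Set Property, a one-byte Data Len that must match the bytes present) and does not model the MAC that privileged commands require.

```go
package main

import (
	"errors"
	"fmt"
)

// Command numbers and result codes taken from the manual's examples.
const (
	cmdGetProperty = 0x00
	cmdSetProperty = 0x01
	rcOK           = 0x00
	rcMACMissing   = 0x07 // MAC required but absent or incorrect
)

// GetPropertyRequest encodes Cmd Num, Data Len, Prp ID.
func GetPropertyRequest(propID byte) []byte {
	return []byte{cmdGetProperty, 1, propID}
}

// SetPropertyRequest encodes Cmd Num, Data Len, Prp ID, Prp Value. The MAC
// that privileged properties need is not appended here (assumption: omitted).
func SetPropertyRequest(propID byte, value []byte) ([]byte, error) {
	if len(value) > 254 {
		return nil, errors.New("property value too long for a one-byte Data Len")
	}
	req := []byte{cmdSetProperty, byte(1 + len(value)), propID}
	return append(req, value...), nil
}

// Response is the parsed Result Code, result class and Data of a reply.
type Response struct {
	ResultCode byte
	Generic    bool // MSB clear: same meaning for every command
	Data       []byte
}

// ParseResponse rejects a reply whose Data Len disagrees with the bytes present,
// so a truncated or over-long reply is never interpreted as a property value.
func ParseResponse(b []byte) (*Response, error) {
	if len(b) < 2 {
		return nil, errors.New("response shorter than Result Code + Data Len")
	}
	if int(b[1]) != len(b)-2 {
		return nil, fmt.Errorf("Data Len %d but %d data bytes present", b[1], len(b)-2)
	}
	return &Response{ResultCode: b[0], Generic: b[0]&0x80 == 0, Data: b[2:]}, nil
}

func main() {
	req, _ := SetPropertyRequest(0x1F, []byte("123")) // Post-Card String = "123"
	fmt.Printf("set request:  % X\n", req)
	fmt.Printf("get request:  % X\n", GetPropertyRequest(0x1F))
	resp, err := ParseResponse([]byte{0x00, 0x03, 0x31, 0x32, 0x33}) // manual's Get response
	if err == nil {
		fmt.Printf("get response: rc=%02X generic=%v value=%q\n", resp.ResultCode, resp.Generic, resp.Data)
	}
}
```

The request bytes it produces for the Post-Card String value “123” are the same 01 04 1F 31 32 33 shown in the manual’s Set example, and the Get response 00 03 31 32 33 parses back to that value.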
Post Track String Property
Property ID: 0x21
Property Type: String
Length: 0-7 bytes
Get Property: Yes
Set Property: Yes
Default Value: No string with a length of zero
Description: This string is sent after the data for each track. The string can be 0 – 7 bytes long. If the value is 0 no character is sent. This property is stored in non-volatile memory, so it will persist when the unit is power cycled.
FS Property
Property ID: 0x23
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0x7C ‘|’
Description: This character is sent as the field separator to delimit additional data (MagnePrint info, Device info, DUKPT info, etc.). If the value is 0 no character is sent. If the value is in the range 1 – 127 then the equivalent ASCII character will be sent.
SS Track 3 ISO ABA Property
Property ID: 0x26
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0x2B (‘+’)
Description: This character is sent as the track 3 start sentinel for cards that have track 3 encoded in ISO/ABA format. If the value is 0 no character is sent. If the value is in the range 1 – 127 then the equivalent ASCII character will be sent.
SS Track 3 7bits Property
Property ID: 0x29
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0x26 (‘&’)
Description: This character is sent as the track 3 start sentinel for cards that have track 3 encoded in 7 bits per character format. If the value is 0 no character is sent. If the value is in the range 1 – 127 then the equivalent ASCII character will be sent.
ES Track 1 Property
Property ID: 0x2D
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0xFF (use ES property)
Description: This character is sent as the end sentinel for track 1 with any format. If the value is 0 no character is sent. If the value is in the range 1 – 127 then the equivalent ASCII character will be sent. If the value is 0xFF then the value of the ES property will be used instead of this property.
Send Encryption Counter Property
Property ID: 0x30
Property Type: Byte
Length: 1 byte
Get Property: Yes
Set Property: Yes
Default Value: 0x00 (don’t send Encryption Counter)
Description: This property is used to designate whether or not the Encryption Counter is sent as part of a keyboard message. If the property is set to 0x00, neither the Encryption Counter nor the field separator will be sent.
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled for these changes to take effect.
0 – send out masked AAMVA card data
1 – send out clear AAMVA card data
Example Set Send Clear AAMVA Card Data property Request (Hex):
Cmd Num: 01  Data Len: 06  Prp ID: 34  Data: 01 xx xx xx xx *
* where “xx xx xx xx” is the MAC.
Example Get Device Serial Number property Response (Hex):
Result Code: 00  Data Len: 0A  Prp Value: 57 39 34 32 51 46 4E 56 4D
SDK Protocol Token String Property
Property ID: 0x51
Property Type: String
Length: 50 bytes
Get Property: Yes
Set Property: Yes
Default Value: com.magtek.idynamo
Description: The value is an ASCII string that represents the reader SDK Protocol Token string, sometimes referred to as the Reverse DNS string.
This property is stored in non-volatile memory, so it will persist when the unit is power cycled. When this property is changed, the unit must be reset (see Command Number 2) or power cycled to have these changes take effect.
COMMAND LIST
The following commands are used with this reader.
Reset Device Command
Command number: 0x02
Description: This command resets the reader. It can be used to make previously changed properties take effect without power cycling the reader.
Note: When the reader begins an Authentication Sequence, the Reset command will not be honored until after the Authentication Sequence has successfully completed, the user swipes a card, or the unit is power cycled.
Example Response (Hex):
Result Code: 00  Data Len: 0A  Data: FFFF 9876 5432 10E0 0001
Set Session ID Command
Command number: 0x0A
Description: This command is used to set the current Session ID. The new Session ID stays in effect until one of the following occurs:
1. Another Set Session ID command is received.
2. The reader is powered down.
3. The reader is put into Suspend mode.
The Session ID is used by the host to uniquely identify the present transaction.
The reader responds with two challenges (Challenge 1 and Challenge 2) encrypted using a variant of the current DUKPT PIN Encryption Key (Key XOR F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0 F0F0). When decrypted, Challenge 1 contains 6 bytes of random number (used in the Activation Challenge Reply command) followed by the last two bytes of the KSN.
Example Activate Authenticated Mode Response (Hex):
Result Code: 00  Data Len: 20  Data: FFFF 0123 4567 8000 0003 9845 A48B 7ED3 C294 7987 5FD4 03FA 8543
Activation Challenge Reply Command
Command number: 0x11
Description: This command is used as the second part of an Activate Authentication sequence.
Example Activation Challenge Reply Request (Hex):
Cmd Num: 11  Data Len: 08  Data: 8579 8275 2157 3495
Example Activation Challenge Reply Response (Hex):
Result Code: 00  Data Len: 00  Data:
Deactivate Authenticated Mode Command
Command number: 0x12
Description: This command is used to exit Authenticated Mode. It can be used to exit the mode with or without incrementing the DUKPT transaction counter (lower 21 bits of the KSN).
00 00
Get Reader State Command
Command Number: 0x14
Description: This command is used to get the current state of the reader. The state is returned as two bytes that represent the Current State of the reader and how it got to that state (Antecedent). For more information see Reader States.
Result Code: 00  Data Len: 02  Data: 00 00
Get Encryption Counter Command
Command number: 0x1C
Description: This command is used to Get the Encryption Counter. The Encryption Counter gives the maximum number of transactions that can be performed by the reader. A transaction is either an encrypted card swipe or a correctly completed Activation Sequence (Activate Authenticated Mode followed by correct Activation Challenge Reply).
The DUKPT key counter/pointer will be incremented before processing this command.
Cmd Num: A0  Data Len: 01  Data: 01
Example Read ASIC Control Response (Hex):
Result Code: 00 40  Data Len: 00  Data:
APPENDIX A. GUIDE ON DECRYPTING DATA
The key that was used to encrypt each data block can be determined by using the Key Serial Number field along with the Base Derivation Key associated with this reader. The resulting DUKPT key, as described in ANS X9.24 Part 1, is the key which was used to encrypt the data. (The key is described as the PIN key in the standard but since there are no PINs being used in this application, the derived key is used.
APPENDIX B. COMMAND EXAMPLE
This Appendix gives an example of command sequences and cryptographic operations. The intent is to clarify any ambiguities the user might find in the body of the document. The example shows a sequence as it actually runs, thus the user can check algorithms against the example to assure they are computing correctly.
Example 1: Swipe decryption, iDynamo MagneSafe V5 Reader:
This example shows the data received in a Card Swipe for a reader at Security Level 3, KSN Count = 8.
|[MagnePrint Status] |[Encrypted MagnePrint data] |[Device serial number] |[Encrypted Session ID] |[DUKPT serial number/counter] |[Clear Text CRC] |[Encrypted CRC] |[Format Code]
Using this information, we can put the respective data from the Raw Data into the structure:
%B5452000000007189^HOGAN/PAUL ^08040000000000000000000?
;5452000000007189=080400000000000000?
+5163000050000445=000000000000?
|0600
|C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F
Appendix B – Command Examples
Block 2: 87285D59A8920474
Block 3: 26D9182EC11353C0
Block 4: 51ADD6D0F072A6CB
Block 5: 3436560B3071FC1F
Block 6: D11D9F7E74886742
Block 7: D9BEE0CFD1EA1064
Block 8: C213BB55278B2F12
Appendix A tells us to decrypt the last block:
C213BB55278B2F12 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets E98ED0F0D1EA1064
XOR D9BEE0CFD1EA1064 gets 3030303F00000000 (decrypted last block)
Continue on in reverse block order:
D9BEE0CFD1EA1064 TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets E12DA84C41B85772
XOR D11D9F7E74886742 get
2F5041554C202020  /PAUL
2020205E30383034  ^0804
3332313030303030  32100000
3030373235303030  00725000
3030303F00000000  000?
We can ignore the last four bytes because they are all hex 00 and fall after the End Sentinel.
ASCII string "%B5452300551227189^HOGAN/PAUL ^08043210000000725000000?"
This is an accurate decryption of the track.
ASCII string ";5452300551227189=080432100000007250?"
This is an accurate decryption of the track.
gets 76C6CFD8A59C0000 (decrypted last block)
Continue on in reverse block order:
7FD0E212B479C60B TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets AE81BFA4A2C80006
XOR C07B12648DCAC4FD gets 6EFAADC02F02C4FB (decrypted block 6)
Continue on in reverse block order:
C07B12648DCAC4FD TDES Dec with 27F66D5244FF621E AA6F6120EDEB427F gets AAC8D06ACCF27E6D
XOR BE6EE7466B81196E gets 14A6372CA7736703 (decrypted block 5)
Continue on in reverse block order:
BE6EE7466B81196E
gets 0000000000000000
This is an accurate decryption of the Encrypted Session ID, which was not loaded by the application and thus was all zeroes.
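Appendix A and the walkthrough above describe the decryption as TDES applied block by block in reverse order, with each result XORed against the preceding ciphertext block, which is CBC mode. The Go program below is an added example, not code from the manual or from MagTek, that reproduces the Track 1 computation with the key and ciphertext printed in Appendix B and also applies the F0F0…F0 key variant named under Activate Authenticated Mode. It assumes the 16-byte key is used as two-key TDES (K1, K2, K1) and that block 1 is chained against an all-zero IV, since the page does not show the step for the first block.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// The derived DUKPT key (two-key TDES) and the 64-byte Track 1 ciphertext,
// both copied from the manual's Appendix B example.
const (
	appendixBKey    = "27F66D5244FF621EAA6F6120EDEB427F"
	appendixBTrack1 = "C25C1D1197D31CAA87285D59A892047426D9182EC11353C051ADD6D0F072A6CB" +
		"3436560B3071FC1FD11D9F7E74886742D9BEE0CFD1EA1064C213BB55278B2F12"
)

// newTDES builds a two-key TDES cipher: the 16-byte K1|K2 is used as K1|K2|K1.
func newTDES(keyHex string) (cipher.Block, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 {
		return nil, errors.New("key must be 16 bytes (two-key TDES) of hex")
	}
	return des.NewTripleDESCipher(append(key, key[:8]...))
}

// TdesDecryptBlock is the single "TDES Dec with <key>" step of Appendix B: one block, no chaining.
func TdesDecryptBlock(keyHex, blockHex string) (string, error) {
	blk, err := newTDES(keyHex)
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(blockHex)
	if err != nil || len(ct) != des.BlockSize {
		return "", errors.New("block must be exactly 8 bytes of hex")
	}
	out := make([]byte, des.BlockSize)
	blk.Decrypt(out, ct)
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// DecryptTrackCBC walks the ciphertext from the last block to the first, as Appendix B
// does: each block is TDES-decrypted and XORed with the ciphertext block before it.
// Block 1 is XORed with an all-zero IV (assumption: that step is not shown on this page).
func DecryptTrackCBC(keyHex, ctHex string) ([]byte, error) {
	blk, err := newTDES(keyHex)
	if err != nil {
		return nil, err
	}
	ct, err := hex.DecodeString(ctHex)
	if err != nil {
		return nil, err
	}
	n := len(ct)
	if n == 0 || n%des.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", n, des.BlockSize)
	}
	pt := make([]byte, n)
	iv := make([]byte, des.BlockSize)
	tmp := make([]byte, des.BlockSize)
	for start := n - des.BlockSize; start >= 0; start -= des.BlockSize {
		blk.Decrypt(tmp, ct[start:start+des.BlockSize])
		prev := iv
		if start > 0 {
			prev = ct[start-des.BlockSize : start]
		}
		for i := range tmp {
			pt[start+i] = tmp[i] ^ prev[i]
		}
	}
	return pt, nil
}

// TrackText drops the zero bytes that pad the last block after the end sentinel.
func TrackText(pt []byte) string { return strings.TrimRight(string(pt), "\x00") }

// ChallengeVariantKey applies the Activate Authenticated Mode variant: key XOR F0F0...F0 (16 bytes).
func ChallengeVariantKey(keyHex string) (string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 {
		return "", errors.New("key must be 16 bytes of hex")
	}
	for i := range key {
		key[i] ^= 0xF0
	}
	return strings.ToUpper(hex.EncodeToString(key)), nil
}

func main() {
	pt, err := DecryptTrackCBC(appendixBKey, appendixBTrack1)
	fmt.Printf("track 1: %q (err=%v)\n", TrackText(pt), err)
}
```

Running it prints the clear Track 1 string from the appendix; the four NUL bytes that follow the end sentinel are dropped, exactly as the walkthrough says to ignore them, and a ciphertext that is not a whole number of 8-byte blocks is refused rather than padded.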
APPENDIX C. IDENTIFYING ISO/ABA AND AAMVA CARDS
ISO/ABA FINANCIAL CARDS
1. If a low-level decoding algorithm finds data for available tracks to be in the ISO format particular to each track, the card is classified as ISO. In order to be considered for ISO Financial masking, the card must first be classed as ISO.
2. In order for any track on a card to be considered for ISO/ABA masking, the card must be classified as ISO by the low-level decoding algorithm.
3.
AAMVA DRIVER LICENSES
1. If the card reader reads three tracks of data and Track 1 is formatted per ISO Track 1 rules, Track 2 is formatted per ISO Track 2 rules, and Track 3 is formatted per ISO Track 1 rules, the card is considered to be an AAMVA card. Some MagTek readers do not support the reading of Track 3, so this rule will not apply to such readers.
2.