From OpenPCD
Introduction
During our security research on the HID iCLASS access control system we evaluated several hardware revisions of HID iCLASS RFID readers. All the readers we evaluated (AKN, BKN and CGN revisions) have their in-system programming interfaces accessible on the back of the unit. This allows certain attacks on the system, such as the installation of backdoors and, in some cases, reading out the system encryption keys.
This particular reader revision (CGN) does not appear to be vulnerable to key extraction over the 20-pin interface, because it uses a more modern PIC microcontroller (PIC18F67J11) in which the problems we found are fixed.
Please refer to HID iClass demystified and our whitepaper for further information.
Programming Connector Pinout
R10CGNN and 6100CGN iCLASS readers have a more sophisticated programming connector than the AKN and BKN readers (whose 6-pin layout is shown in our whitepaper). It is a fine-pitch 2x10 pin connector with 0.5 mm spacing:
| Signal | Pin | Pin | Signal |
|---|---|---|---|
| YEL-Beeper | 19 | 20 | VCC+5V |
| VIO-Tamper | 17 | 18 | BRN-Red LED |
| ORN-Green LED | 15 | 16 | |
| | 13 | 14 | /MCLR |
| | 11 | 12 | |
| BLK-GND | 09 | 10 | BLK-GND |
| | 07 | 08 | GRN-DATA0 |
| PGC | 05 | 06 | |
| PGD | 03 | 04 | |
| red+12V | 01 | 02 | |
You need to select the PIC18F_J family (PIC18F67J11) in your PICkit2 programming software to be able to access the programming interface.
The mating connector is available from Digi-Key under part number H11714CT-ND. It is a Hirose DF12A(3.0)-20DS-0.5V(81) plug.
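Because the programming connector is exposed, a site maintainer can read a reader's flash back with the PICkit2 command-line tool (pk2cmd's -GF read-to-file option) and check what comes out. The script below is an added example and not code from the OpenPCD page or from HID: it parses the resulting Intel HEX file, lists the address ranges it covers, and flags whether the dump is a uniform 0x00/0xFF fill. It assumes (this is not stated on the page) that a blank or read-protected PIC returns such a fill, so a mixed-byte dump means the firmware, and any keys stored in it, could be read out in the clear. The sample records are constructed, with checksums computed by hand, not data from a real reader.

```python
# Added example (not code from the OpenPCD wiki page): triage an Intel HEX
# file read back from a reader's PIC over its programming connector, e.g. with
# the PICkit2 command-line tool (pk2cmd -P PIC18F67J11 -GFdump.hex).
# Assumption (not stated on the page): a blank or read-protected part returns a
# uniform 0x00/0xFF fill, so a mostly-filler dump means the read was blocked,
# while mixed bytes mean firmware (and any keys inside it) came out in the clear.

def parse_intel_hex(text):
    """Parse Intel HEX records (types 00 data, 01 EOF, 04 extended linear
    address) into a dict {absolute_address: byte}, validating checksums."""
    mem = {}
    upper = 0  # upper 16 bits of the address, set by type-04 records
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(":"):
            raise ValueError(f"line {lineno}: record must start with ':'")
        rec = bytes.fromhex(line[1:])
        if len(rec) < 5:
            raise ValueError(f"line {lineno}: record too short")
        count, addr, rtype = rec[0], (rec[1] << 8) | rec[2], rec[3]
        payload = rec[4:4 + count]
        if len(payload) != count or len(rec) != 5 + count:
            raise ValueError(f"line {lineno}: length field does not match record")
        # The checksum byte makes the whole record sum to zero modulo 256.
        if sum(rec) & 0xFF:
            raise ValueError(f"line {lineno}: checksum mismatch")
        if rtype == 0x00:
            base = (upper << 16) | addr
            for offset, value in enumerate(payload):
                mem[base + offset] = value
        elif rtype == 0x01:
            break  # end-of-file record
        elif rtype == 0x04:
            upper = (payload[0] << 8) | payload[1]
        else:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
    return mem


def address_ranges(mem):
    """Return the contiguous (start, end) address ranges present in the dump."""
    ranges = []
    for addr in sorted(mem):
        if ranges and addr == ranges[-1][1] + 1:
            ranges[-1][1] = addr
        else:
            ranges.append([addr, addr])
    return [tuple(r) for r in ranges]


def looks_uniform(mem, threshold=0.98):
    """True when at least `threshold` of the bytes are 0x00 or 0xFF, i.e. the
    dump looks like a blank or read-protected part rather than firmware."""
    if not mem:
        return True
    filler = sum(1 for value in mem.values() if value in (0x00, 0xFF))
    return filler / len(mem) >= threshold


# Constructed sample dumps (checksums computed by hand, not real reader data).
SAMPLE_CODE = "\n".join([
    ":04000000EF00F0001D",   # 4 bytes at 0x00000
    ":020000040001F9",       # extended linear address: upper 16 bits = 0x0001
    ":04FFF800AABBCCDDF7",   # 4 bytes at 0x1FFF8, exercises the type-04 record
    ":00000001FF",           # EOF
])
SAMPLE_BLANK = "\n".join([
    ":0400000000000000FC",   # 4 zero bytes at 0x00000
    ":00000001FF",
])


def triage(text):
    """Summarise a dump: size, address ranges and whether it looks protected."""
    mem = parse_intel_hex(text)
    return {
        "bytes": len(mem),
        "ranges": address_ranges(mem),
        "looks_protected_or_blank": looks_uniform(mem),
    }


if __name__ == "__main__":
    for name, sample in (("code", SAMPLE_CODE), ("blank", SAMPLE_BLANK)):
        print(name, triage(sample))
```

Run it against the file pk2cmd wrote (replace the constructed samples with `open("dump.hex").read()`); a result of `looks_protected_or_blank: False` on a production reader is the finding worth escalating, since it means whatever the firmware holds was readable through the connector on the back of the unit.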