By /

Back to: Advanced Physical Security Integration (APSI)

0

Lesson 4.3: Communication Protocols (Wiegand vs. OSDP)

Module: 4 – Access Control Systems (ACS)

Prerequisites: Lesson 4.2 (Reader Tech)

Estimated Time: 45–60 Minutes

1. Learning Objectives

By the end of this lesson, you will be able to:

  • Decode the structure of the 26-bit Wiegand format (Facility Codes vs. Card Numbers).
  • Analyze the electrical signaling of Wiegand (Data 0 / Data 1) to troubleshoot voltage issues.
  • Compare the wiring topology of Wiegand (Point-to-Point) vs. OSDP (Daisy Chain RS-485).
  • Implement OSDP “Secure Channel” to prevent man-in-the-middle attacks.

2. The Legacy Standard: Wiegand

Named after John Wiegand (who discovered the magnetic effect in the 1970s), this is the “language” used by 80% of existing access control systems.

A. The Wiring (5-6 Conductors)

  • Green: Data 0
  • White: Data 1
  • Red/Black: Power (12VDC)
  • Orange/Brown: LED Control (to turn the light green/red) and Buzzer control.

B. The Electrical Signal (The Pulse)

Wiegand is a one-way communication. The reader talks; the controller listens.

  • Rest State: Both Green (D0) and White (D1) wires sit at +5VDC.
  • Sending a “0”: The Green wire drops to 0V for 50 microseconds.
  • Sending a “1”: The White wire drops to 0V for 50 microseconds.

Troubleshooting Tip: If you put a multimeter on the Green/White wires, you should see 5V. If you see 0V or 12V, you have a short or a wiring error.

C. The Data Format (26-Bit Standard)

When a badge is swiped, the reader sends a string of binary. The most common format is H10301 (Standard 26-Bit).

P FFFFFFFF NNNNNNNNNNNNNNNN P

  1. Bit 1 (P): Even Parity (Error checking for the first half).
  2. Bits 2-9 (FFFFFFFF):Facility Code (FC). (Range: 0-255).
    • Purpose: Acts as a “Site ID.” If you buy cards with FC 100, and your neighbor uses FC 200, their cards won’t work on your building even if the card number matches.
  3. Bits 10-25 (NN…): Card Number. (Range: 0-65,535).
  4. Bit 26 (P): Odd Parity (Error checking for the second half).

The Integrator’s Nightmare:

  • If you program the system for “26-Bit” but the client buys “35-Bit Corporate 1000” cards, the system will reject every swipe as “Unknown Format” or read the wrong numbers. Always verify the bit format before ordering cards.

3. The Modern Standard: OSDP (Open Supervised Device Protocol)

Wiegand is dumb (one-way) and insecure (unencrypted). The industry has moved to OSDP, which is built on RS-485 serial communication.

A. The Wiring (4 Conductors)

  • Twisted Pair (A/B): Data + and Data – (RS-485).
  • Red/Black: Power.
  • Note: No separate wires for LEDs or Buzzers. The controller sends a software command to turn the light green.

B. Key Features

  1. Bi-Directional: The controller can ask the reader: “Are you okay?” The reader replies: “Yes, I am online.” (Supervision).
    • Wiegand Failure: If a Wiegand reader dies, you don’t know until the CEO tries to enter and fails.
    • OSDP Success: If an OSDP reader dies, the system alerts you immediately (“Reader Offline”).
  2. Daisy Chaining: You can wire Reader 1 $\rightarrow$ Reader 2 $\rightarrow$ Reader 3 on the same cable run (if the controller supports it), saving massive amounts of wire.
  3. Encryption (Secure Channel): OSDP uses AES-128 encryption.
    • The “Man-in-the-Middle” Fix: If a hacker puts a listening device behind the reader, all they see is scrambled encrypted garbage.

C. Configuration

Unlike Wiegand (plug and play), OSDP requires setup.

  • Addressing: You must set an ID for each reader (0, 1, 2, 3) using DIP switches on the back of the reader or a configuration app.
  • Baud Rate: Must match the controller (usually 9600 or 38400).

4. Security Vulnerability: The “Bleed” Attack

Why are we killing Wiegand?

  • The Attack: A hacker unscrews the reader from the exterior wall. They attach a tiny battery-powered device (like an ESPKey) to the Green and White wires and screw the reader back on.
  • The Result: The device records every card number that swipes. Later, the hacker returns, connects to the device via Wi-Fi, downloads the numbers, and clones a card.
  • The Solution: OSDP with Secure Channel. Even if they tap the wires, they cannot decode the key.

5. Clock & Data (Magnetic Stripe)

Legacy Technology – Rare but still out there.

  • Used for old “Swipe” cards (like credit cards).
  • Wiring: “Clock” wire (tells the controller when to read) and “Data” wire (binary info).
  • Action: If you encounter this on a takeover, recommend an immediate upgrade. The readers wear out physically from friction.