Dot Origin VTAP100-PAC-W User manual

Installation Guide - VTAP100 Wiegand Reader
VTAP100-PAC-W
Revised November 2023 v3.1

If you need help to set up or use your VTAP100, beyond what is contained in this Installation
Guide, then please contact our support team.
Email: [email protected]
Download the latest documentation and firmware from https://vtapnfc.com
Telephone UK and Europe: +44 (0) 1428 685861
Telephone North America and Latin America: +1 (562) 262-9642
If you have any feedback on setting up or using your VTAP100 or this documentation, then
please contact our support team. The product is constantly being reviewed and improved and
we value feedback about your experience.
Copyright 2023 Dot Origin Ltd. All rights reserved.
No part of this Installation Guide may be published or reproduced without the written
permission of Dot Origin Ltd except for personal use. This Installation Guide relates to correct
use of the VTAP100 only. No liability can be accepted under any circumstances relating to the
operation of the user’s own PC, network or infrastructure.
Dot Origin Ltd
Unit 7, Coopers Place Business Park, Combe Lane, Wormley
Godalming GU8 5SZ United Kingdom
+44 (0) 1428 685861

Contents
1 Using this guide
2 How the VTAP100 works
2.1 Test using factory settings
2.2 Start reading your own passes
2.3 Check status in BOOT.TXT
2.4 Send pass payload over a Wiegand interface
2.5 Wiegand wiring (for model VTAP100-PAC-W only)
3 Choose a location for your VTAP100
4 Obtain a custom label for the case
5 Mount a VTAP100
6 Hardware lock to disable USB mass storage device
7 Find your hardware version
8 Disposal
VTAP100-PAC-W INSTALLATION GUIDE © DOT ORIGIN PAGE I
VTAP MOBILE WALLET READERS

Safety instructions
WARNING: INTENDED USE
The VTAP100-PAC-W is a boxed product for end-users. Although the enclosure may be
opened when the device is not connected, components mounted on the VTAP PCB are not
user-serviceable.
WARNING: ESD PRECAUTIONS
If the enclosure is opened to access the PCB, we recommend careful handling of
Electrostatic Sensitive Devices (ESDs).
WARNING: POWER SUPPLY
Use a standard micro-USB cable to connect the VTAP100-PAC-W model to a PC or
alternatively power the unit by connecting it to an access controller, using the Wiegand
connector cable. If the VTAP100 is being powered through its Wiegand connector, you can
still make an additional USB data connection to a PC, provided that the PC is already
powered before the connection is made.
EMC emissions and immunity certifications are only valid when using the VTAP100-PAC-W
with the supplied cable.

1 Using this guide
This guide is for first-time users of the VTAP100-PAC-W.
Figure 1-1 VTAP100 in compact (-CC) or square (-SQ) case
It contains the information you need to install your VTAP100.
Consult the VTAP Configuration Guide for more about custom configuration and
maintenance features for any VTAP100, including how to update the firmware on your
VTAP100-PAC-W, when a new release is available.
If you need help beyond what is contained in this guide please contact

2 How the VTAP100 works
With the VTAP100-PAC-W connected to a PC, simply tap your smartphone against the
VTAP. Your mobile NFC pass will be read and data sent to the connected PC. The
VTAP100-PAC-W model alone has the extra facility that it can alternatively be connected to
an access controller, using the Wiegand connector supplied.
Of course, the data can only be read if your phone contains a mobile NFC pass, which has
been issued in connection with the Merchant ID(s)/Collector ID(s) and ECC key(s) that are
known to the VTAP. The unit comes with default values, so that you can test it (see Test
using factory settings) before you begin customising any settings.
When the VTAP100-PAC-W is connected to a computer it appears as a generic mass storage
device (like a memory stick). To configure your VTAP, you simply edit or create text files.
These will be read automatically, and control the operation of the VTAP. There is information
in Start reading your own passes to take the first steps to configure your VTAP for use. The
VTAP100-PAC-W must be configured over USB from a PC, before it will send pass data over
the Wiegand interface. After being configured it does not need to be connected to a PC.
Consult the VTAP Configuration Guide for more detail.
By default the VTAP is fully upgradable in the field. However, the VTAP can be locked in
software or hardware, before deploying the unit, so that operation is no longer easily
changed.

2.1 Test using factory settings
Before anyone changes the configuration from its default, you can confirm that the unit is
working.
These steps demonstrate that the hardware can detect and interact with an OriginPass demo
mobile NFC pass, which is ready to work with the default configuration of your VTAP100.
1. Obtain an OriginPass from Dot Origin by visiting https://originpass.com/VTAP/ and add it
to Google or Apple Wallet. (You will require a username and password - contact
[email protected] to get these.)
2. Connect the VTAP100 to your PC, using a USB cable.
3. Open a text editor, such as Windows Notepad.
4. When you tap the OriginPass on the VTAP100:
• Pass contents will be displayed in the open text editor, through keyboard/barcode
emulation.
• The feedback LEDs on the VTAP100 PCB will flash green.
• Your smartphone may signal with a buzz or beep.
Note: Some Android phones will only interact if their screen is on, although it does not
need to be unlocked. You may need to enable NFC in the settings for the smartphone.
Note: If the pass detected does not match the key and ID on the VTAP, or is moved away
too quickly to be read, the pass contents displayed may be an 8 digit random hex string,
such as '08E22AC1', different on each presentation. OriginPass contents will be a
consistent string, such as '3~ffymeK9f_mziYtA6~53999301628695~Valued'. Any
separator, such as '~' or '|', will depend on your keyboard language settings. (See VTAP
Commands Reference Guide for option to ignore random UIDs if needed.)
Note: If local security settings prevent or limit the use of removable storage devices, or
the connection of additional keyboards, an administrator may need to alter those
permissions.
2.2 Start reading your own passes
If you navigate to the VTAP in the computer's file system, it will appear as an attached mass
storage device and list the files contained, including the main config.txt file.
To read any mobile NFC pass, you will need to provide your pass reading parameters in the
config.txt file. This means a collector ID or merchant ID and ECC keys. These allow you to
read and decrypt pass data that is held by your users, on their smartphones.

This first time, you will need to connect the VTAP100 to your PC, using a USB cable. (If
needed, you can make changes remotely in future over a virtual COM port or serial port, see
VTAP Serial Interface Guide.)
Step 1: Upload private key file(s) to your VTAP100
1. Ensure these are ECC private key(s), and each is stored in a file with the name
private#.pem, following the .pem format, where # is replaced with a number from 1
to 6, matching the key slot you will save it in. (The demo passes are accessed using the
key in KeySlot 6, so don't overwrite this one unless you are finished with demo passes.)
Note: You cannot use more than 6 key files.
2. Load your keys by copying these files onto your VTAP100, which shows up in the file
system of your PC as a mass storage device.
Note: When you reboot the VTAP100 your key will have been stored in hardware, and
will no longer be listed as a file on the device. You can confirm key file(s) have been
loaded when you Check status in BOOT.TXT. If the key file does not disappear and
there is an error in Boot.txt, check your .pem file as it is likely it did not adhere to the
standard - perhaps it was not an ECC key?

Step 2: Declare Merchant ID(s)/Collector ID(s) in the config.txt file
1. Open the file config.txt in a text editor (such as Windows Notepad). It already
contains parameters for accessing the demo passes, prefixed VAS1 and ST1, both relying
on KeySlot 6. You can overwrite these, or keep them in addition to your own pass
reading parameters.
2. Add your pass reading parameters in the config.txt file to access up to 6 Apple
VAS and up to 6 Google Smart Tap IDs, and identify the keys to be used in each case.
Note: Although the VTAP100 supports multiple IDs, Apple expect most users will only
use one. Multiple collector IDs are not supported by Android, which means you cannot
request more than one Collector ID from Google. Only one should be live at any one
time. Multiple IDs is an advanced feature that should be used with care. The VAS# and
ST# numbers define the order in which IDs will be requested from Apple or Android
phones respectively. The lowest numbered ID will be requested first, then continuing in
ascending numeric order.
Put each parameter on a new line. Order of parameters does not matter to the
VTAP100, but could help other people who need to edit the file. Start any comment
lines in the config.txt file, that the VTAP100 should ignore, with a semicolon. Each
parameter should only appear once - if it accidentally appears more than once then only
the last instance will take effect.
Example: Settings in config.txt to interact with both
Apple VAS and Google Smart Tap mobile passes
!VTAPconfig
VAS1MerchantID=<your merchant ID>
VAS1KeySlot=1
; This says use the key added as file 'private1.pem' to read and
; decrypt any pass connected to your merchant ID on an Apple iPhone
ST1CollectorID=<your collector ID>
ST1KeySlot=2
ST1KeyVersion=1
; This says use the key added as file 'private2.pem' at key version 1
; to read and decrypt any pass connected to your collector ID
; on an Android phone
3. Save the amended config.txt file and these changes will take effect immediately. (A small
number of changes to the config.txt file require a reboot to take effect, for instance
to the status of the virtual COM port, but these are highlighted in later sections).

Note: If a VAS#KeySlot parameter is omitted, or set to 0, then all available keys will be
automatically tried to choose the right key. If the data received by the VTAP100 cannot be
decrypted, the Apple iPhone will register a pass read, but the data will not be output.
Note: If an ST#KeySlot parameter is omitted, or set to 0, then authentication will be
omitted and decryption will not be performed. In this case, Google Smart Tap data will be
received and sent on by the VTAP100, only if the pass does not require authentication by
the terminal.
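
The rules above (semicolon comments, last instance wins, and what an omitted or zero KeySlot means for Apple VAS versus Google Smart Tap) can be checked before a config.txt is copied to a reader. The following is an added example, not Dot Origin code; the sample file and its ID values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample config.txt; the ID values are made up for illustration.
SAMPLE = """!VTAPconfig
; demo entries removed
VAS1MerchantID=pass.com.example.site
VAS1KeySlot=1
ST1CollectorID=12345678
ST1KeySlot=0
ST1KeyVersion=1
VAS1KeySlot=2
"""

ID_PARAM = re.compile(r"^(VAS|ST)(\d+)(?:MerchantID|CollectorID)$")


def parse_config(text):
    """Return (settings, duplicates); a repeated parameter keeps its last value."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        if not sep:
            continue  # header such as !VTAPconfig, not a parameter
        name = name.strip()
        if name in settings:
            duplicates.append(name)
        settings[name] = value.strip()
    return settings, duplicates


def lint(text):
    """Return (parameter, finding) tuples to review before deployment."""
    settings, duplicates = parse_config(text)
    findings = [(n, "set more than once; only the last instance takes effect")
                for n in duplicates]
    for name in sorted(settings):
        m = ID_PARAM.match(name)
        if not m:
            continue
        kind, num = m.groups()
        slot_name = f"{kind}{num}KeySlot"
        slot = settings.get(slot_name, "0")  # omitted behaves like 0
        if not slot.isdigit() or int(slot) > 6:
            findings.append((slot_name, "key slot must be 0, or 1 to 6"))
        elif int(slot) == 0 and kind == "ST":
            findings.append((slot_name, "0 or omitted: Smart Tap authentication "
                             "and decryption are not performed"))
        elif int(slot) == 0:
            findings.append((slot_name, "0 or omitted: all available keys are tried"))
    return findings


if __name__ == "__main__":
    for param, finding in lint(SAMPLE):
        print(f"{param}: {finding}")
```

On the constructed sample this reports the repeated VAS1KeySlot line (slot 2 is the one in effect) and the Smart Tap ID that would be read without terminal authentication.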

2.3 Check status in BOOT.TXT
If you navigate to the VTAP100 in the computer's file system, it will appear as an attached
mass storage device and list the files contained, including the BOOT.TXT file.
Inspecting BOOT.TXT will give you essential information about your VTAP100 set up, at time
of last reboot, which might be helpful when troubleshooting.
Figure 2-1 Example VTAP100 v5 BOOT.TXT file
You are most likely to need:
• ('ATCA' on VTAP100 v4a or earlier) - the serial number for your VTAP100.
• 'Firmware' - the VTAP100 firmware version in use. You will find the latest firmware
versions at https://www.vtapnfc.com/download/
• 'Hardware' - the VTAP100 hardware version in use.
• 'KeySlots used:' - Indicates the ECC private keys loaded on the VTAP to access VAS or
Smart Tap passes. Helps you check whether you have uploaded the necessary ECC private
keys, which can be unclear as the files are deleted when they are uploaded. These two
examples show how to read this information:
  ◦ 'KeySlots used:------' shows that no keys have been uploaded.
  ◦ 'KeySlots used: 12--56' shows that key files 1 and 2 have been successfully uploaded, in
  addition to the defaults 5 and 6.
• 'AppKeys used:' Indicates the application keys (if any) uploaded to the VTAP for any other
applications. For example 'DESFire' if keys have been loaded to use with DESFire
applications.
• 'VCP enabled', if included - indicates that the virtual COM port has been enabled.
• 'Status' - should be 0 if operating normally, anything else indicates an error state.
• 'Expansion:' shows the name of the expansion board (if any) connected to the VTAP, for
example: 'VTAP100W' for a Wiegand expansion board.
• 'Boot time' - The time at boot, which defaults to 1970/00/00 00:00:00 if power is removed
to reboot.
If the configuration has been locked the BOOT.TXT file will end with the words LOCKED S/W
or LOCKED H/W.

2.4 Send pass payload over a Wiegand interface
The Wiegand interface allows mobile NFC pass payload to be passed straight to an access
controller, like data from any other card reader.
1. To enable the Wiegand interface you will need to make changes to the config.txt file.
Example: Changes to config.txt to enable the Wiegand interface
!VTAPconfig
WiegandMode=1
WiegandSource=A1
Here WiegandMode=1 chooses to send data over the Wiegand interface, for all passes
and cards/tags that can be read, by using WiegandSource=A1.
If you choose WiegandPassMode=1 all of the settings for pass payload handling can also
be used with the appropriate Wiegand prefix. This allows you to extract a short character
sequence from the pass payload, which can then be interpreted as a decimal or
hexadecimal number and sent over the Wiegand interface as a bit sequence.
Example: Changes to config.txt using PassWiegandBits
for Wiegand data (on VTAP100-PAC-W only)
to extract bit data in a standard format, such as 26 bit H10301
!VTAPconfig
WiegandMode=1
WiegandPassMode=1
WiegandPassSeparator=|
WiegandPassSection=2
PassWiegandBits=26
In this case the content expected from the pass is a hex number, which
represents an H10301 26 bit card ID: an even parity bit (calculated over the 12
most significant bits), a facility code and then the card number, ending with an
odd parity bit (calculated over the 12 least significant bits). Data will be encoded
after being padded with trailing zeros to make a whole number of bytes.
Figure 2-2 Separator |, Section 2, PassWiegandBits 26 for Wiegand data (on
VTAP100-PAC-W only)
2. Wiegand data is usually a short bit pattern, rather than a sequence of characters. So there
are several optional settings to use in config.txt, which specifically control the
transfer of data over a Wiegand connection:
• PassFormat=d is a setting to interpret ASCII pass payload characters as either hex (h)
or decimal (d), when converting the pass payload to a Wiegand bit sequence.
• PassWiegandBits=56 lets you specify the number of bits (1 to 255) to output over
the Wiegand interface from the start of the filtered pass payload. If omitted it defaults
to 56. TagWiegandBits does the same for card/tag data.
• WiegandPassTypeIdent=1 inserts an additional leading byte of pass type identifier
(01 for Apple VAS, or 02 for Google ST) in the Wiegand output, to make it possible to
distinguish between cards/tags and mobile wallet passes. Overrides
PassWiegandBits and results in Wiegand bit length of 64 bits. The default =0 turns
this feature off.
• If you are not sending a whole number of bytes, for example you require 36 bit output,
there are a number of commands you can use to do the necessary truncation, shifting,
padding or addition of parity bits needed to get the output format you require:
  ◦ PassWiegandParity=1 adds this number of 'parity bits' to pass payload if
  PassFormat=d. It allows the use of card number formats that include parity bits, as
  long as the parity bit(s) are not being tested for validity. Again, the default =0 turns
  this feature off.
  ◦ Other settings for handling card or tag data in a similar way include TagByteOrder,
  TagReadFormat, TagReadRightShift, TagReadLength, TagReadOffset
  which are all detailed in the Advanced Configuration Guide.
• StartupDelayMS=5000 might be needed to delay full start up by a number of
milliseconds to allow the power supply to stabilise. We recommend that you use a value
such as 5000ms when using an external power supply, to prevent possible file system
corruption during installation if VTAP could be wired up to a live external power supply
(typically when using Wiegand or RS485 expansions).
CAUTION: We strongly recommend that power is disconnected from the installation
cable before wiring the VTAP100 connector.
3. After making the necessary changes to your config.txt file and saving it, you can
connect the VTAP100 to your access controller. You can leave the USB connection in
place at the same time, if you want to test the configuration before disconnecting.
Passes will then be read by VTAP100 with data passed direct to your access controller.
For more information about the Wiegand interface refer to the VTAP Application Notes on
Access Control.
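
The 26 bit H10301 layout described in step 1 (even parity over the 12 most significant data bits, facility code, card number, odd parity over the 12 least significant data bits) can be built and checked as follows when preparing or validating pass payloads. This is an added example, not Dot Origin code; it assumes the hex payload carries the 26 bits left-aligned, with the trailing zero padding to whole bytes that the guide mentions, and the function names are hypothetical.

```python
def ones_parity(value):
    """Return 1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_h10301(facility, card):
    """Build the 26 bit frame: even parity, 8 bit facility, 16 bit card, odd parity."""
    if not 0 <= facility <= 0xFF or not 0 <= card <= 0xFFFF:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = (facility << 16) | card
    even = ones_parity(data >> 12)        # makes the leading 13 bits even
    odd = ones_parity(data & 0xFFF) ^ 1   # makes the trailing 13 bits odd
    return (even << 25) | (data << 1) | odd


def to_pass_hex(frame):
    """Left-align the 26 bits in 4 bytes, padding with 6 trailing zeros (assumed layout)."""
    return f"{frame << 6:08X}"


def decode_pass_hex(hex_text):
    """Take the first 26 bits of the hex payload and verify both parity bits."""
    raw = bytes.fromhex(hex_text)
    if len(raw) * 8 < 26:
        raise ValueError("payload shorter than 26 bits")
    frame = int.from_bytes(raw, "big") >> (len(raw) * 8 - 26)
    if ones_parity(frame >> 13) != 0 or ones_parity(frame & 0x1FFF) != 1:
        raise ValueError("parity check failed")
    data = (frame >> 1) & 0xFFFFFF
    return data >> 16, data & 0xFFFF


if __name__ == "__main__":
    # Constructed credential: facility code 123, card number 45678.
    payload = to_pass_hex(encode_h10301(123, 45678))
    print(payload, decode_pass_hex(payload))
```

A payload that fails decode_pass_hex would also be rejected by any controller that tests H10301 parity, so it is worth running on issued pass data before deployment.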

2.5 Wiegand wiring (for model VTAP100-PAC-W only)
Use the Wiegand connector supplied to make a Wiegand wiring connection to a configured
VTAP100 Wiegand reader from your access controller, like any other reader.
Use 24-26AWG shielded multi-core, overall screened, cable for the connection between
VTAP100 Wiegand reader and controller (for example Belden CR9538).
Note: Screened cable should always be used to connect VTAP100 readers to door
controllers, to avoid interference from other equipment. The cable screen must be
connected electrically to GND at both the VTAP100 reader and controller ends of the cable,
using the bare wire 'drain' conductor.
If you have a square (SQ) case you will need to open the case to access the Wiegand
connector. Press with a screwdriver in the slot at the base of the back to release the catch and
open the case.
Figure 2-3 Where to press, to open the square case
If you have a compact (CC) case you need to remove the screw from the case (which may be
either a security screw or Phillips head screw).
You may need to break the label, which covers the large hole in the back, for access to the
Wiegand connector. Then pass the cable through that hole in the back of the case.

Figure 2-4 Where to pass cable into the compact case
Screw the back of the VTAP100 case to the wall before connecting the cable to the Wiegand
connector.
CAUTION: If the VTAP100 is being powered through its Wiegand connection, you can
still make an additional USB data connection to a PC, provided that the PC is already
powered before the connection is made. (This avoids the risk of damage to the USB interface
on the PC, if the PC is not powered.)
Follow an appropriate figure and table to make the right connections in your access controller:

Figure 2-5 Connection between VTAP100-PAC-W v4a or v5
and HID EH400 access controller
HID EH400 Controller Signal Name | Wire colour (typical) | VTAP100 Signal Name (v4a or v5 hardware)
Beep    | Yellow | BEEP
RED LED | Brown  | RED
GRN LED | Orange | GRN
D1      | White  | D1
D0      | Green  | D0
GND     | Black  | GND
PWR     | Red    | PWR+

Figure 2-6 Connection between VTAP100-PAC-W v4a or v5
and HID V2000 access controller
HID V2000 Controller Signal Name | Wire colour (typical) | VTAP100 Signal Name (v4a or v5 hardware)
Beep    | Yellow | BEEP
RED LED | Brown  | RED
GRN LED | Orange | GRN
D1      | White  | D1
D0      | Green  | D0
GND     | Black  | GND
PWR     | Red    | PWR+

Figure 2-7 Connection between VTAP100-PAC-W v4a or v5
and Axis A1001 access controller
Axis A1001 Controller Signal Name | Wire colour (typical) | VTAP100 Signal Name (v4a or v5 hardware)
READER I/O 1: 6   | Yellow | BEEP
READER I/O 1: 4   | Brown  | RED
READER I/O 1: 5   | Orange | GRN
READER DATA 1: 6  | White  | D1
READER DATA 1: 5  | Green  | D0
READER I/O 1: -   | Black  | GND
READER I/O 1: 12V | Red    | PWR+