ADR-005: CONLAN M1200 Terminal with Wiegand Interface
Status: Accepted
Date: 2026-02-25
Context
We need an outdoor NFC terminal that reads MIFARE DESFire EV2/EV3 cards and communicates the authenticated card UID to the ESP32. The terminal must be weather-resistant (IP67) and handle the DESFire challenge-response authentication, since implementing the full DESFire protocol on the ESP32 would be complex and require a separate NFC reader IC.
Options Considered
A) PN532/RC522 NFC Module + ESP32 DESFire Implementation
- Pro: Cheap (~5-15 EUR)
- Pro: Direct SPI/I2C connection, no protocol overhead
- Con: Must implement full DESFire EV2/EV3 challenge-response in firmware
- Con: DESFire crypto is complex (AES-128, CMAC, session keys)
- Con: No outdoor housing — must be custom-built
- Con: No tamper detection
B) CONLAN M1200 with Wiegand Output
- Pro: IP67 outdoor-rated, designed for door installations
- Pro: Handles DESFire authentication internally (anti-cloning built in)
- Pro: Wiegand 26/34-bit output is simple to decode (two-wire, ISR-based)
- Pro: Tamper detection output available
- Pro: Established product with industrial reliability
- Con: More expensive (~80-120 EUR)
- Con: Wiegand protocol is unencrypted on the wire (mitigated by running wires inside the wall)
- Con: Wiegand is one-way (terminal → controller), no back-channel
C) OSDP-Compatible Reader
- Pro: Encrypted communication (AES-128)
- Pro: Bidirectional (reader ↔ controller)
- Con: OSDP implementation on ESP32 is more complex
- Con: Fewer affordable OSDP readers with DESFire support
- Con: Overkill for a hackerspace with wires running inside the wall
Decision
CONLAN M1200 with Wiegand (Option B).
The M1200 handles all the DESFire complexity internally, reducing firmware development effort. Wiegand decoding on the ESP32 is straightforward (two GPIO interrupts). The security trade-off of unencrypted Wiegand is acceptable because the wires run inside the wall from the outdoor terminal to the indoor ESP32.
Wiegand Protocol Details
- 26-bit Wiegand: 1 even-parity bit + 8 facility code bits + 16 card number bits + 1 odd-parity bit
- 34-bit Wiegand: 1 even-parity bit + 16 facility code bits + 16 card number bits + 1 odd-parity bit
- Timing: Each bit is a ~50µs LOW pulse on D0 (logic 0) or D1 (logic 1), idle HIGH
- Frame timeout: 50ms after last bit indicates frame complete
The ESP32 decodes Wiegand using GPIO interrupts (IRAM_ATTR ISRs) on GPIO 16 (D0) and GPIO 17 (D1), with a 5V → 3.3V level shifter in between.
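The frame check that follows bit collection, as an added example (not the project's firmware): it validates length and both parity bits before splitting the fields listed above. The function names are hypothetical, and it assumes bits are shifted in first-received-first and that even parity covers the first half of the data bits and odd parity the second half, which should be confirmed against the M1200's output configuration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Decoded frame; field split follows the layouts listed above. */
typedef struct {
    uint16_t facility;   /* 8 bits (26-bit frame) or 16 bits (34-bit frame) */
    uint16_t card;       /* 16 bits in both layouts */
} wiegand_card_t;

/* Count set bits in the low n bits of v. */
static int ones(uint64_t v, int n) {
    int c = 0;
    for (int i = 0; i < n; i++) c += (int)((v >> i) & 1u);
    return c;
}

/* raw holds the frame with the first received bit as the most significant
 * of nbits. Returns true only for a 26- or 34-bit frame whose leading
 * even-parity and trailing odd-parity bits both check out (assumed halves). */
bool wiegand_decode(uint64_t raw, int nbits, wiegand_card_t *out) {
    if (nbits != 26 && nbits != 34) return false;   /* truncated or noisy frame */
    int data_bits = nbits - 2, half = data_bits / 2;
    uint64_t data = (raw >> 1) & ((1ULL << data_bits) - 1);
    int lead  = (int)((raw >> (nbits - 1)) & 1u);
    int trail = (int)(raw & 1u);
    /* Even parity: leading bit + first half of data holds an even count of 1s. */
    if ((lead + ones(data >> half, half)) % 2 != 0) return false;
    /* Odd parity: trailing bit + second half of data holds an odd count of 1s. */
    if ((trail + ones(data, half)) % 2 != 1) return false;
    out->card = (uint16_t)(data & 0xFFFF);
    out->facility = (uint16_t)(data >> 16);
    return true;
}

/* Build a frame from fields (used only for the constructed sample below). */
uint64_t wiegand_encode(uint16_t facility, uint16_t card, int nbits) {
    int data_bits = nbits - 2, half = data_bits / 2;
    uint64_t data = (((uint64_t)facility << 16) | card) & ((1ULL << data_bits) - 1);
    uint64_t lead  = (uint64_t)(ones(data >> half, half) % 2);   /* make even */
    uint64_t trail = (uint64_t)(1 - ones(data, half) % 2);       /* make odd */
    return (lead << (nbits - 1)) | (data << 1) | trail;
}

int main(void) {
    wiegand_card_t c;
    uint64_t f = wiegand_encode(42, 1234, 26);   /* constructed sample frame */
    bool ok = wiegand_decode(f, 26, &c) && !wiegand_decode(f ^ 0x20, 26, &c);
    return (ok && c.facility == 42 && c.card == 1234) ? 0 : 1;
}
```

The parity bits catch line noise and dropped pulses only; they give no protection against deliberate modification of the unencrypted Wiegand signal.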
Future Consideration
If Wiegand wire security becomes a concern (e.g., terminal mounted in an accessible location), upgrading to an OSDP reader with encrypted communication is the recommended next step. This would require firmware changes to the communication layer but not to the access decision logic.
Consequences
- ESP32 firmware includes a Wiegand decoder module (ISR-based, ~100 lines)
- A bidirectional level shifter is required (5V Wiegand ↔ 3.3V ESP32)
- DESFire key management is handled on the CONLAN M1200 via master cards (not in our firmware)
- The NFC UID format from the terminal depends on Wiegand bit length configuration