Skip to content

Dev Hardware Setup

A minimal, low-cost hardware setup for firmware development. Uses a PN532 NFC module with cheap NTAG215 tags instead of the production CONLAN M1200 Wiegand terminal.

For the production hardware setup, see hardware-setup.md.

Bill of Materials

Component Model Price Notes
Controller ESP32 DevKit V1 ~5 EUR Same as production
NFC Reader PN532 breakout board ~6 EUR I2C mode, 3.3V compatible
NFC Tags NTAG215 stickers/cards (10-pack) ~5 EUR 7-byte UID, ISO14443A
Shutdown Button Momentary push button ~1 EUR Same as production
Green LED 5mm + 220 Ohm resistor ~0.20 EUR Optional for dev
Red LED 5mm + 220 Ohm resistor ~0.20 EUR Optional for dev
Buzzer 3.3V active piezo ~1 EUR Optional for dev
Total ~18 EUR vs ~150+ EUR production

No level shifter, no 12V power supply, no outdoor enclosure needed. The PN532 runs on 3.3V and communicates via I2C.

Wiring Diagram

    ESP32 DevKit V1                PN532 Module
    ┌──────────────┐              ┌──────────────┐
    │              │              │              │
    │  GPIO 21 ────┼──────────────┼── SDA        │
    │  GPIO 22 ────┼──────────────┼── SCL        │
    │  3V3 ────────┼──────────────┼── VCC        │
    │  GND ────────┼──────────────┼── GND        │
    │              │              │              │
    │              │              └──────────────┘
    │              │
    │  GPIO 25 ────┼── [220 Ohm] ── Green LED ── GND  (optional)
    │  GPIO 26 ────┼── [220 Ohm] ── Red LED ── GND    (optional)
    │  GPIO 27 ────┼── Buzzer ── GND                   (optional)
    │  GPIO 33 ────┼── Shutdown Button ── GND           (optional)
    │              │   (internal pull-up)
    └──────────────┘

PN532 Module Configuration

Set the DIP switches on the PN532 module for I2C mode:

Switch Position
SEL0 (Switch 1) ON
SEL1 (Switch 2) OFF

If your PN532 module has a different switch labeling, consult its datasheet. I2C address is 0x24.

Pin Assignments

ESP32 GPIO Function Direction Notes
GPIO 21 PN532 SDA Bidirectional I2C data
GPIO 22 PN532 SCL Output I2C clock
GPIO 25 Green LED Output Access granted (optional)
GPIO 26 Red LED Output Access denied (optional)
GPIO 27 Buzzer Output Audio feedback (optional)
GPIO 33 Shutdown Button Input Internal pull-up, active LOW (optional)

Building and Flashing

Use the esp32dev-pn532 PlatformIO environment:

cd firmware

# Build
pio run -e esp32dev-pn532

# Flash
pio run -e esp32dev-pn532 -t upload

# Monitor serial output
pio device monitor

On first boot you should see:

OpenLatch firmware starting...
[INIT] Card reader: PN532 (dev hardware)
[PN532] Found chip PN532, firmware 1.6

Reading Tag UIDs

Present an NTAG215 tag to the PN532 module. The serial monitor shows:

[CARD] UID (7 bytes): 04 A1 B2 C3 D4 E5 F6

Use this hex UID when registering the tag as an NFC key in the backend:

{
  "member_id": "uuid",
  "uid": "04A1B2C3D4E5F6",
  "label": "Dev tag #1",
  "key_type": "ntag215"
}

Compatible NFC Tags

The PN532 reads any ISO14443A tag. For development, cheap options include:

Tag Type UID Length Price Notes
NTAG215 7 bytes ~0.50 EUR Recommended for dev
NTAG213 7 bytes ~0.30 EUR Less memory, same UID
MIFARE Classic 1K 4 bytes ~0.20 EUR 4-byte UID, cloneable
MIFARE DESFire EV2 7 bytes ~3 EUR Same as production cards

The allow-list protocol supports UIDs of 4, 7, or 10 bytes, so any of these work.

DESFire cards work too: The PN532 reads DESFire EV2/EV3 UIDs via the standard ISO14443A anti-collision sequence — no code changes needed. You can test with both cheap NTAG215 tags and your actual production DESFire cards interchangeably.

DESFire Authentication

The production CONLAN M1200 performs full DESFire challenge-response authentication (AES-128) internally before outputting the UID. This proves the card is genuine and prevents cloning.

The PN532 dev reader currently only reads the UID without authentication. This is sufficient for development, since the allow-list lookup is UID-based.

Future upgrade path: The PN532 hardware supports full DESFire EV2/EV3 authentication in software via its APDU passthrough mode (inDataExchange). This would allow the dev setup to match production behavior:

  • Send ISO 7816-4 APDUs through the PN532 to the DESFire card
  • Implement the 3-pass AES-128 challenge-response (AuthenticateEV2First / AuthenticateEV2NonFirst)
  • Verify card authenticity before accepting the UID
  • Requires managing DESFire application keys on the ESP32 (stored in NVS)

This is not implemented yet but is architecturally possible without hardware changes.

Differences from Production Setup

Aspect Production Dev
NFC Terminal CONLAN M1200 (outdoor, IP67) PN532 breakout module
Communication Wiegand 26/34-bit via GPIO ISR I2C (Wire library)
Card Authentication DESFire challenge-response (in terminal) UID-only (no crypto auth)
Level Shifter Required (5V Wiegand → 3.3V ESP32) Not needed (3.3V native)
Power Supply 12V for terminal + regulator for ESP32 USB power only
Build Environment pio run -e esp32dev pio run -e esp32dev-pn532
Build Flag -DUSE_WIEGAND -DUSE_PN532

Security note: The dev setup reads plain UIDs without DESFire authentication. This is fine for development but means the tags can be trivially cloned. The production CONLAN M1200 terminal handles DESFire challenge-response internally, providing clone protection.

NUKI Smart Lock

The NUKI BLE integration is identical for both dev and production setups. See the NUKI pairing instructions in the production hardware setup guide.

For development without a NUKI lock, the firmware will log lock/unlock commands to serial output.