User's Manual
USER MANUAL PREVIEW
PTM 535BZ – BLUETOOTH AND ZIGBEE GREEN POWER PUSHBUTTON TRANSMITTER
© 2022 EnOcean | www.enocean.com F-710-017, V1.0 PTM 535BZ User Manual | v1.2 | July 2021 | Page 120/121
F. Calulcating the NFC PIN hash
As described in Chapter 5.7.5.1, PTM 535BZ provides hash representations of USER1_PIN
and USER2_PIN to allow an NFC tool to determine with high likelihood if it possesses the
required pin code. This appendix provides two examples how a tool would generate such
hash representation and use it to verify if it possesses the correct NFC pin code.
F.1 USER1_PIN_HASH example
We consider a PTM 535BZ module with the following 64 bit globally unique NFC ID:
NFC_ID = E0022400F340E0D4
PTM 535BZ provides the following USER1_PIN_HASH:
USER1_PIN_HASH = DEAE
We further consider that a connected NFC tool wants to test if PTM 535BZ uses the default
USER1_PIN (as described in Chapter 5.1.2):
USER1_PIN = 020035E5
To do so, we first construct the hash input as described in Chapter 5.7.5.1:
Byte 0 Byte 1…4 Byte 5..12 Byte 13…15
USER_ID PIN_CODE NFC_ID PADDING
01 (USER1)
020035E5
E0022400F340E0D4
800068
With these settings, we obtain HASH_INPUT:
HASH_INPUT = 01020035E5E0022400F340E0D4800068
We now encrypt HASH_INPUT using AES128 and a key of {0}, meaning the zero vector.
At the time of writing, an online AES128 calculator could be found in [8]. With this, we can
calculate H1 as follows:
H1 = AES128(HASH_INPUT, {0})
H1 = AES128(01020035E5E0022400F340E0D4800068,00000000000000000000000000000000)
H1 = DEAE1F602E8343F680EA1F2D606669AC
USER1_PIN_HASH equals the most significant 16 bit of H1, meaning:
USER1_PIN_HASH = DEAE
The calculated USER1_PIN_HASH matches the one provided by PTM 535BZ; it is therefore
likely that PTM 535BZ uses the tested USER1_PIN (020035E5).