Cryptocard RB-1 (DES) invalid PIN entry calculation

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

I have got hold of a CryptoCard RB-1 Token. (Series 1998)

I initalize the token with the following values:

PIN = 00000000
DES KEY = 0x 40 40 40 40 40 40 40 40 (Plain: @@@@@@@@)

Init sequence:
ON 225371 (Locked) ENT (Options?)
000 -> 000 -> 011 -> ENT (Key1?)
100 -> 100 -> 100 -> 100 -> 100 -> 100 -> 100 -> 100 -> ENT
(C4B738CD) ENT
(New PSC?)
00000000 ENT
00000000 ENT
(Card OK)

Then I use the token with Correct PIN and challenge:

I get the response:

If I DES-encrypt the ASCII string "0000000" (0x 30 30 30 30 30 30 30
30) with the key "@@@@@@@@" in ECB mode, I get the following result:

This means that the token are displaying the value of the truncated
DES result of the challenge in ASCII.

But now comes to the question: If I log on to the token with a
incorrect PIN, lets say: 11111111
and perform a authentication, I get for the challenge "00000000":

I tested a different incorrect PIN, got a new response for same
I initalized the token with a new key, and attempted PIN 11111111, and
challenge "00000000", and got a new result.

So as long as: The incorrect PIN entered, the key programmed into
token, and challenge is the same, the response is same too....

It seems it obfuscates the response or challenge using something from
the incorrect PIN that was entered, if a incorrect PIN is entered.

How can I calculate the response from:
The incorrect PIN entered
The challenge entered
The DES Key programmed in into the token

Anyone that have any ideas, which algoritm is applied to the challenge
and incorrect PIN, when a incorrect PIN is used with the token?

Have also found out that the incorrect PIN's:

00000000 (if it would be incorrect), 11111111, 01010101, 11110000 and
so on, would generate the same response.

22222222, 23232323 and 33333333 also generates same response,same with
4+5, 6+7 and 8+9.

Also found out that if the PIN is specified as a DES key to something,
either as ASCII or some other encoding, the DES response will be same
since the last bit of each byte in a DES key is parity.

So the incorrect PIN is used somewhere as a DES key.

If any could found out this for me.

Site Timeline