STM32F103+RTT从零开始—— S50门禁卡复制
Posted 湖广午王
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了STM32F103+RTT从零开始—— S50门禁卡复制相关的知识,希望对你有一定的参考价值。
近期因为各种原因,重新租了个房子住,小区外面有门禁系统,楼下也有个门禁系统。房东只给了一套门禁卡,而我家人也需要门禁卡,所以我就去小区物业那里补卡,结果小区物业那里只能补小区的门禁卡,楼下的门禁卡需要在另外个地方补。物业工作人员给说了下地方,我找了下没找到,又想起了我一年前买了个RFID模块和十几个空白门禁卡,还没开封。又正好时值国庆,空闲时间比较多,不如自己来复制吧。
基础知识
一两个月前,我写了两篇STM32F103+RTT的入门博客。那两篇是非常基础的,到这里直接就是复制门禁卡,看起来好像不是循序渐进。不过也是没法子,毕竟现在从事的工作和这些完全不沾边,工作又忙,所以没太多时间来一步一步学习并且写博客,只能玩到哪是哪了。
先看了下门禁卡的分类和一些基础资料,了解到我新租住的房子所在的小区用的门禁卡是S50类型的。它具有16个 扇区,每个扇区具有四个Block,分别为0、1、2、3,每个Block可以存储16字节的数据。其中每个扇区的Block3存储的为6字节A密码+4字节控制位+6字节B密码。另外第一扇区的Block0存储的为卡号以及厂商的基本信息。卡就是下面的这个鬼样子:
一般来说,第一扇区的Block0下内容是不能更改的,我原以为小区门禁卡是通过其他扇区的数据来做验证的,后面写好了读数据的代码,发现从门禁卡中从数据块中读取的数据都是0,只有密码区、控制区及ID下第一扇区的Block0中有数据。所以我们的那个小区中的门禁卡应该是通过卡的第一扇区的Block0中的信息来验证的。也就是说我们要做的是复制整个卡,包括第一扇区的Block0。
要复制第一扇区的Block0,普通的IC卡就不行了,我之前买的卡就是普通的IC卡,鼓捣了很久,一直以为是程序写的有问题,后来才发现是卡不行。没办法,只能重新买卡了。
选卡也要选择合适的卡,查了下资料,能够修改第一扇区Block0的兼容S50类型的卡,有UID卡(可以使用后门指令无限制重复修改第一扇区Block0,会响应后门指令)、CUID卡(可以使用后门指令无限制重复修改第一扇区的Block0,不会响应后门指令)、FUID卡(使用普通指令,只能修改一次第一扇区的Block0)等。根据上面的说明,可以知道,UID卡可以无限制修改,但是由于会响应后门指令,所以如果门禁系统有检测后门指令并且禁用,那就不能用了。CUID不响应后门指令,但是由于可以用后面指令修改,门禁系统如果先去修改一下,确认不能修改,再进行门禁验证,那么CUID的卡就也不能用了。FUID显然是最保险的,但是从价格来说,FUID(2.2元) > CUID(1.3元) > UID(0.78元)。
所以我先试了下房东给的门禁卡,发现它是可以被修改的,而且也会响应后门指令,那么考虑性价比,当然是买UID卡了。10块钱13个还包邮,加上8块钱不到的一个RFID-RC522,一共18块钱(PS : 物业那里20块钱一个门禁卡,真坑)。
门禁卡复制实现
上面提到修改门禁卡第一扇区Block0是需要使用后门指令的,直接按照普通的写数据的方式进行修改,是无法修改的。既然主要目的是复制门禁卡,懒得重复去造轮子了。我之前买的RFID-RC522模块,使用的是SPI的通信模式,淘宝上搜索,应该很多都是这样的,如下图所示:
对,买的就是这样没焊脚的,然后我又买了个电烙铁套装。。。
然后上位机还是使用之前的那个STM32F103C8T6。
RC522驱动程序
然后再网上找了下STM32F103下RC522的驱动程序,并增加利用后门指令写第一扇区block0的代码如下:
驱动头文件rc522.h
#ifndef __RC522_H
#define __RC522_H
#define MF522_RST_PIN GPIO_Pin_0
#define MF522_RST_PORT GPIOB
#define MF522_RST_CLK RCC_APB2Periph_GPIOB
#define MF522_MISO_PIN GPIO_Pin_6
#define MF522_MISO_PORT GPIOA
#define MF522_MISO_CLK RCC_APB2Periph_GPIOA
#define MF522_MOSI_PIN GPIO_Pin_7
#define MF522_MOSI_PORT GPIOA
#define MF522_MOSI_CLK RCC_APB2Periph_GPIOA
#define MF522_SCK_PIN GPIO_Pin_5
#define MF522_SCK_PORT GPIOA
#define MF522_SCK_CLK RCC_APB2Periph_GPIOA
#define MF522_NSS_PIN GPIO_Pin_4
#define MF522_NSS_PORT GPIOA
#define MF522_NSS_CLK RCC_APB2Periph_GPIOA
#define RST_H GPIO_SetBits(MF522_RST_PORT, MF522_RST_PIN)
#define RST_L GPIO_ResetBits(MF522_RST_PORT, MF522_RST_PIN)
#define MOSI_H GPIO_SetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define MOSI_L GPIO_ResetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define SCK_H GPIO_SetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define SCK_L GPIO_ResetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define NSS_H GPIO_SetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define NSS_L GPIO_ResetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define READ_MISO GPIO_ReadInputDataBit(MF522_MISO_PORT, MF522_MISO_PIN)
// ????
void PcdInit(void);
char PcdReset(void);
void PcdAntennaOn(void);
void PcdAntennaOff(void);
char PcdRequest(unsigned char req_code,unsigned char *pTagType);
char PcdAnticoll(unsigned char *pSnr);
char PcdSelect(unsigned char *pSnr);
char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr);
char PcdRead(unsigned char addr,unsigned char *pData);
char PcdWrite(unsigned char addr,unsigned char *pData);
char PcdValue(unsigned char dd_mode,unsigned char addr,unsigned char *pValue);
char PcdBakValue(unsigned char sourceaddr, unsigned char goaladdr);
char PcdHalt(void);
char PcdComMF522(unsigned char Command,
unsigned char *pInData,
unsigned char InLenByte,
unsigned char *pOutData,
unsigned int *pOutLenBit);
void CalulateCRC(unsigned char *pIndata,unsigned char len,unsigned char *pOutData);
void WriteRawRC(unsigned char Address,unsigned char value);
unsigned char ReadRawRC(unsigned char Address);
void SetBitMask(unsigned char reg,unsigned char mask);
void ClearBitMask(unsigned char reg,unsigned char mask);
char M500PcdConfigISOType(unsigned char type);
void delay_10ms(unsigned int _10ms);
void WaitCardOff(void);
char PcdSpicelWrite(unsigned char *pData);
#define PCD_IDLE 0x00
#define PCD_AUTHENT 0x0E
#define PCD_RECEIVE 0x08
#define PCD_TRANSMIT 0x04
#define PCD_TRANSCEIVE 0x0C
#define PCD_RESETPHASE 0x0F
#define PCD_CALCCRC 0x03
#define PICC_REQIDL 0x26
#define PICC_REQALL 0x52
#define PICC_ANTICOLL1 0x93
#define PICC_ANTICOLL2 0x95
#define PICC_AUTHENT1A 0x60
#define PICC_AUTHENT1B 0x61
#define PICC_READ 0x30
#define PICC_WRITE 0xA0
#define PICC_DECREMENT 0xC0
#define PICC_INCREMENT 0xC1
#define PICC_RESTORE 0xC2
#define PICC_TRANSFER 0xB0
#define PICC_HALT 0x50
#define PCD_SPECIAL_COPY 0x43
#define DEF_FIFO_LENGTH 64
#define RFU00 0x00
#define CommandReg 0x01
#define ComIEnReg 0x02
#define DivlEnReg 0x03
#define ComIrqReg 0x04
#define DivIrqReg 0x05
#define ErrorReg 0x06
#define Status1Reg 0x07
#define Status2Reg 0x08
#define FIFODataReg 0x09
#define FIFOLevelReg 0x0A
#define WaterLevelReg 0x0B
#define ControlReg 0x0C
#define BitFramingReg 0x0D
#define CollReg 0x0E
#define RFU0F 0x0F
// PAGE 1
#define RFU10 0x10
#define ModeReg 0x11
#define TxModeReg 0x12
#define RxModeReg 0x13
#define TxControlReg 0x14
#define TxAutoReg 0x15
#define TxSelReg 0x16
#define RxSelReg 0x17
#define RxThresholdReg 0x18
#define DemodReg 0x19
#define RFU1A 0x1A
#define RFU1B 0x1B
#define MifareReg 0x1C
#define RFU1D 0x1D
#define RFU1E 0x1E
#define SerialSpeedReg 0x1F
// PAGE 2
#define RFU20 0x20
#define CRCResultRegM 0x21
#define CRCResultRegL 0x22
#define RFU23 0x23
#define ModWidthReg 0x24
#define RFU25 0x25
#define RFCfgReg 0x26
#define GsNReg 0x27
#define CWGsCfgReg 0x28
#define ModGsCfgReg 0x29
#define TModeReg 0x2A
#define TPrescalerReg 0x2B
#define TReloadRegH 0x2C
#define TReloadRegL 0x2D
#define TCounterValueRegH 0x2E
#define TCounterValueRegL 0x2F
// PAGE 3
#define RFU30 0x30
#define TestSel1Reg 0x31
#define TestSel2Reg 0x32
#define TestPinEnReg 0x33
#define TestPinValueReg 0x34
#define TestBusReg 0x35
#define AutoTestReg 0x36
#define VersionReg 0x37
#define AnalogTestReg 0x38
#define TestDAC1Reg 0x39
#define TestDAC2Reg 0x3A
#define TestADCReg 0x3B
#define RFU3C 0x3C
#define RFU3D 0x3D
#define RFU3E 0x3E
#define RFU3F 0x3F
#define REQ_ALL 0x52
#define KEYA 0x60
#define KEYB 0x61
#define MI_OK (char)0
#define MI_NOTAGERR (char)(-1)
#define MI_ERR (char)(-2)
#endif
驱动实现rc522.c
#include "rc522.h"
#include "stm32f10x_gpio.h"
#define MAXRLEN 18
void PcdInit()
GPIO_InitTypeDef GPIO_InitStructure;
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_RST_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_RST_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_RST_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_MISO_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_MISO_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_IN_FLOATING;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_MISO_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_MOSI_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_MOSI_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_MOSI_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_SCK_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_SCK_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_SCK_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_NSS_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_NSS_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_NSS_PORT, &GPIO_InitStructure);
char PcdRequest(unsigned char req_code,unsigned char *pTagType)
char status;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ClearBitMask(Status2Reg,0x08);
WriteRawRC(BitFramingReg,0x07);
SetBitMask(TxControlReg,0x03);
ucComMF522Buf[0] = req_code;
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);
// if(status == MI_OK )
// LED_GREEN =0 ;
// else LED_GREEN =1 ;
if ((status == MI_OK) && (unLen == 0x10))
*pTagType = ucComMF522Buf[0];
*(pTagType+1) = ucComMF522Buf[1];
else
status = MI_ERR;
return status;
char PcdAnticoll(unsigned char *pSnr)
char status;
unsigned char i,snr_check=0;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ClearBitMask(Status2Reg,0x08);
WriteRawRC(BitFramingReg,0x00);
ClearBitMask(CollReg,0x80);
ucComMF522Buf[0] = PICC_ANTICOLL1;
ucComMF522Buf[1] = 0x20;
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,2,ucComMF522Buf,&unLen);
if (status == MI_OK)
for (i=0; i<4; i++)
*(pSnr+i) = ucComMF522Buf[i];
snr_check ^= ucComMF522Buf[i];
if (snr_check != ucComMF522Buf[i])
status = MI_ERR;
SetBitMask(CollReg,0x80);
return status;
char PcdSelect(unsigned char *pSnr)
char status;
unsigned char i;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_ANTICOLL1;
ucComMF522Buf[1] = 0x70;
ucComMF522Buf[6] = 0;
for (i=0; i<4; i++)
ucComMF522Buf[i+2] = *(pSnr+i);
ucComMF522Buf[6] ^= *(pSnr+i);
CalulateCRC(ucComMF522Buf,7,&ucComMF522Buf[7]);
ClearBitMask(Status2Reg,0x08);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,9,ucComMF522Buf,&unLen);
if ((status == MI_OK) && (unLen == 0x18))
status = MI_OK;
else
status = MI_ERR;
return status;
char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr)
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = auth_mode;
ucComMF522Buf[1] = addr;
for (i=0; i<6; i++)
ucComMF522Buf[i+2] = *(pKey+i);
for (i=0; i<6; i++)
ucComMF522Buf[i+8] = *(pSnr+i);
// memcpy(&ucComMF522Buf[2], pKey, 6);
// memcpy(&ucComMF522Buf[8], pSnr, 4);
status = PcdComMF522(PCD_AUTHENT,ucComMF522Buf,12,ucComMF522Buf,&unLen);
if ((status != MI_OK) || (!(ReadRawRC(Status2Reg) & 0x08)))
status = MI_ERR;
return status;
char PcdRead(unsigned char addr,unsigned char *pData)
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_READ;
ucComMF522Buf[1] = addr;
CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);
if ((status == MI_OK) && (unLen == 0x90))
// memcpy(pData, ucComMF522Buf, 16);
for (i=0; i<16; i++)
*(pData+i) = ucComMF522Buf[i];
else
status = MI_ERR;
return status;
char PcdWrite(unsigned char addr,unsigned char *pData)
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_WRITE;
ucComMF522Buf[1] = addr;
CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);
if ((status != MI_OK) || (unLen != 4) || ((ucComMF522Buf[0] & 0x0F) != 0x0A))
status = MI_ERR;
if (status == MI_OK)
//memcpy(ucComMF522Buf, pData, 16);
for (i=0以上是关于STM32F103+RTT从零开始—— S50门禁卡复制的主要内容,如果未能解决你的问题,请参考以下文章
STM32F103+RTT从零开始——RTT系统中点亮LED
STM32F103+RTT从零开始——RTT系统中点亮LED