微耕控制器实现远程开门与普通刷卡的反潜回

     

方案适用于第三方系统通过TCP发起的远程卡号开门 (注意:该开门方式会验证控制器内部的卡权限,不属于强制开门)

     

先上图

     

微耕控制器实现远程开门与普通刷卡的反潜回_第1张图片

     

再吐槽微耕工程师的种种不答理

     

上操作步骤:

  1. 开启反潜回:62号参数设置值为2,132号参数设置为1(可通过界面设置)

    最好设置下反潜的方式

    微耕控制器实现远程开门与普通刷卡的反潜回_第2张图片

         

  2. 开启手机模拟卡功能:参数表第152号参数设置值为165
  3. 使用函数RemoteOpenDoorIP_V546发送模拟卡号开门指令(对不起,标准软件只发进门信号,出门请破解或让微耕增加函数原型,这几年我们提出的需求,虽然他们不爱答理 ,但最后都增加进软件了,口号是:一直迭代,绝不改单)
  4. RemoteOpenDoorIP_V546函数在未启用手机模拟卡功能时,会无视控制器内部卡权限,强制开门,相当于RemoteOpenDoorIP的带卡号远程开门(而不是发送卡号远程开门)

 

数据包解析

发出

1A 29 C3 E4 E1 0D 5F 00 09 F9 0B 0B C5 92 4F 3C 10 11 12 13 F3 FE 9E BB FB F6 A6 84 CD C3 A2 80

F1 FF 9E BC F5 FB 9A B8 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

解密

19 28 c1 e7 e5 08 59 07 01 f0 01 00 c9 9f 41 33 00 00 00 00 e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f d1 de bc 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

分析

字节位置

HEX

含义

0

19

type=25

1

28

code=40

2

c1 e7

crc

4

e5 08 59 07

Sn= 123275493

8至56(0至48)

01

DoorID=1

 

F0

Cmdoption=240

 

01

进或出

 

00

 
 

c9 9f 41 33

cardno=859938761

 

00 00 00 00

 
 

e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f

 

(28至32)

d1 de bc 9f

ticks

     
     
     

流程

先以卡号0,门号1,时间作为OpenKeyCrc,操作数240,获取真正的CRC

再以真实卡号真实门号,获取到的CRC 发出进出门

 

数据包

1A 29 2F 9C E1 0D 5F 00 09 F8 0A 0B 0C 0D 0E 0F 10 11 12 13 3F 2F B5 9D 37 27 8D A2 01 12 89 A6

3D 2E B5 9A 39 2A B1 9E 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 BD FF E1 0D 5F 00 09 09 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F

20 21 22 23 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 AA BC E1 0D 5F 00 09 F9 0A 0B C5 92 4F 3C 10 11 12 13 53 D7 AB 13 5B DF 93 2C 6D EA 97 28

51 D6 AB 14 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 D9 71 E1 0D 5F 00 09 0A 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

解密后

19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 2b 3a a3 8a 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 47 c2 bd 04 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 

参考代码

 

Struct_Deal deal = new Struct_Deal();

deal._控制器序列号 = machineInfo.MachineID;

 

byte[] data = new byte[11];

data[4] = 1;

data[5] = 241;

 

DateTime now = DateTime.Now;

data[7] = (byte)now.Ticks;

data[8] = (byte)(now.Ticks >> 8);

data[9] = (byte)(now.Ticks >> 16);

data[10] = (byte)(now.Ticks >> 24);

 

deal.Send(ENUM_CMD_AC.模拟卡号开门, data);

byte[] buff = deal.ToByteArray();

ushort crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);

Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);

 

byte[] openKey = new byte[4];

UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref openKey, ref outMsg);

 

deal = new Struct_Deal();

deal._控制器序列号 = machineInfo.MachineID;

data = new byte[11];

byte[] bufCardSerNo = BitConverter.GetBytes(uint.Parse(machineInfo.OtherInfo1));

Array.Copy(bufCardSerNo, data, 4);

data[4] = (byte)doorParam._门号;

data[5] = 240;

data[6] = (byte)doorParam._进或出;

Array.Copy(openKey, 0, data, 7, 4);

deal.Send(ENUM_CMD_AC.模拟卡号开门, data);

buff = deal.ToByteArray();

crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);

Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);

string status = string.Empty;

return UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref status, ref outMsg);

 

 

 

 

   

你可能感兴趣的:(微耕控制器实现远程开门与普通刷卡的反潜回)