近期因为各种原因,重新租了个房子住,小区外面有门禁系统,楼下也有个门禁系统。房东只给了一套门禁卡,而我家人也需要门禁卡,所以我就去小区物业那里补卡,结果小区物业那里只能补小区的门禁卡,楼下的门禁卡需要在另外个地方补。物业工作人员给说了下地方,我找了下没找到,又想起了我一年前买了个RFID模块和十几个空白门禁卡,还没开封。又正好时值国庆,空闲时间比较多,不如自己来复制吧。
一两个月前,我写了两篇STM32F103+RTT的入门博客。那两篇是非常基础的,到这里直接就是复制门禁卡,看起来好像不是循序渐进。不过也是没法子,毕竟现在从事的工作和这些完全不沾边,工作又忙,所以没太多时间来一步一步学习并且写博客,只能玩到哪是哪了。
先看了下门禁卡的分类和一些基础资料,了解到我新租住的房子所在的小区用的门禁卡是S50类型的。它具有16个 扇区,每个扇区具有四个Block,分别为0、1、2、3,每个Block可以存储16字节的数据。其中每个扇区的Block3存储的为6字节A密码+4字节控制位+6字节B密码。另外第一扇区的Block0存储的为卡号以及厂商的基本信息。卡就是下面的这个鬼样子:
一般来说,第一扇区的Block0下内容是不能更改的,我原以为小区门禁卡是通过其他扇区的数据来做验证的,后面写好了读数据的代码,发现从门禁卡中从数据块中读取的数据都是0,只有密码区、控制区及ID下第一扇区的Block0中有数据。所以我们的那个小区中的门禁卡应该是通过卡的第一扇区的Block0中的信息来验证的。也就是说我们要做的是复制整个卡,包括第一扇区的Block0。
要复制第一扇区的Block0,普通的IC卡就不行了,我之前买的卡就是普通的IC卡,鼓捣了很久,一直以为是程序写的有问题,后来才发现是卡不行。没办法,只能重新买卡了。
选卡也要选择合适的卡,查了下资料,能够修改第一扇区Block0的兼容S50类型的卡,有UID卡(可以使用后门指令无限制重复修改第一扇区Block0,会响应后门指令)、CUID卡(可以使用后门指令无限制重复修改第一扇区的Block0,不会响应后门指令)、FUID卡(使用普通指令,只能修改一次第一扇区的Block0)等。根据上面的说明,可以知道,UID卡可以无限制修改,但是由于会响应后门指令,所以如果门禁系统有检测后门指令并且禁用,那就不能用了。CUID不响应后门指令,但是由于可以用后面指令修改,门禁系统如果先去修改一下,确认不能修改,再进行门禁验证,那么CUID的卡就也不能用了。FUID显然是最保险的,但是从价格来说,FUID(2.2元) > CUID(1.3元) > UID(0.78元)。
所以我先试了下房东给的门禁卡,发现它是可以被修改的,而且也会响应后门指令,那么考虑性价比,当然是买UID卡了。10块钱13个还包邮,加上8块钱不到的一个RFID-RC522,一共18块钱(PS : 物业那里20块钱一个门禁卡,真坑)。
上面提到修改门禁卡第一扇区Block0是需要使用后门指令的,直接按照普通的写数据的方式进行修改,是无法修改的。既然主要目的是复制门禁卡,懒得重复去造轮子了。我之前买的RFID-RC522模块,使用的是SPI的通信模式,淘宝上搜索,应该很多都是这样的,如下图所示:
对,买的就是这样没焊脚的,然后我又买了个电烙铁套装。。。
然后上位机还是使用之前的那个STM32F103C8T6。
然后再网上找了下STM32F103下RC522的驱动程序,并增加利用后门指令写第一扇区block0的代码如下:
驱动头文件rc522.h
#ifndef __RC522_H
#define __RC522_H
#define MF522_RST_PIN GPIO_Pin_0
#define MF522_RST_PORT GPIOB
#define MF522_RST_CLK RCC_APB2Periph_GPIOB
#define MF522_MISO_PIN GPIO_Pin_6
#define MF522_MISO_PORT GPIOA
#define MF522_MISO_CLK RCC_APB2Periph_GPIOA
#define MF522_MOSI_PIN GPIO_Pin_7
#define MF522_MOSI_PORT GPIOA
#define MF522_MOSI_CLK RCC_APB2Periph_GPIOA
#define MF522_SCK_PIN GPIO_Pin_5
#define MF522_SCK_PORT GPIOA
#define MF522_SCK_CLK RCC_APB2Periph_GPIOA
#define MF522_NSS_PIN GPIO_Pin_4
#define MF522_NSS_PORT GPIOA
#define MF522_NSS_CLK RCC_APB2Periph_GPIOA
#define RST_H GPIO_SetBits(MF522_RST_PORT, MF522_RST_PIN)
#define RST_L GPIO_ResetBits(MF522_RST_PORT, MF522_RST_PIN)
#define MOSI_H GPIO_SetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define MOSI_L GPIO_ResetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define SCK_H GPIO_SetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define SCK_L GPIO_ResetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define NSS_H GPIO_SetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define NSS_L GPIO_ResetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define READ_MISO GPIO_ReadInputDataBit(MF522_MISO_PORT, MF522_MISO_PIN)
// ????
void PcdInit(void);
char PcdReset(void);
void PcdAntennaOn(void);
void PcdAntennaOff(void);
char PcdRequest(unsigned char req_code,unsigned char *pTagType);
char PcdAnticoll(unsigned char *pSnr);
char PcdSelect(unsigned char *pSnr);
char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr);
char PcdRead(unsigned char addr,unsigned char *pData);
char PcdWrite(unsigned char addr,unsigned char *pData);
char PcdValue(unsigned char dd_mode,unsigned char addr,unsigned char *pValue);
char PcdBakValue(unsigned char sourceaddr, unsigned char goaladdr);
char PcdHalt(void);
char PcdComMF522(unsigned char Command,
unsigned char *pInData,
unsigned char InLenByte,
unsigned char *pOutData,
unsigned int *pOutLenBit);
void CalulateCRC(unsigned char *pIndata,unsigned char len,unsigned char *pOutData);
void WriteRawRC(unsigned char Address,unsigned char value);
unsigned char ReadRawRC(unsigned char Address);
void SetBitMask(unsigned char reg,unsigned char mask);
void ClearBitMask(unsigned char reg,unsigned char mask);
char M500PcdConfigISOType(unsigned char type);
void delay_10ms(unsigned int _10ms);
void WaitCardOff(void);
char PcdSpicelWrite(unsigned char *pData);
#define PCD_IDLE 0x00
#define PCD_AUTHENT 0x0E
#define PCD_RECEIVE 0x08
#define PCD_TRANSMIT 0x04
#define PCD_TRANSCEIVE 0x0C
#define PCD_RESETPHASE 0x0F
#define PCD_CALCCRC 0x03
#define PICC_REQIDL 0x26
#define PICC_REQALL 0x52
#define PICC_ANTICOLL1 0x93
#define PICC_ANTICOLL2 0x95
#define PICC_AUTHENT1A 0x60
#define PICC_AUTHENT1B 0x61
#define PICC_READ 0x30
#define PICC_WRITE 0xA0
#define PICC_DECREMENT 0xC0
#define PICC_INCREMENT 0xC1
#define PICC_RESTORE 0xC2
#define PICC_TRANSFER 0xB0
#define PICC_HALT 0x50
#define PCD_SPECIAL_COPY 0x43
#define DEF_FIFO_LENGTH 64
#define RFU00 0x00
#define CommandReg 0x01
#define ComIEnReg 0x02
#define DivlEnReg 0x03
#define ComIrqReg 0x04
#define DivIrqReg 0x05
#define ErrorReg 0x06
#define Status1Reg 0x07
#define Status2Reg 0x08
#define FIFODataReg 0x09
#define FIFOLevelReg 0x0A
#define WaterLevelReg 0x0B
#define ControlReg 0x0C
#define BitFramingReg 0x0D
#define CollReg 0x0E
#define RFU0F 0x0F
// PAGE 1
#define RFU10 0x10
#define ModeReg 0x11
#define TxModeReg 0x12
#define RxModeReg 0x13
#define TxControlReg 0x14
#define TxAutoReg 0x15
#define TxSelReg 0x16
#define RxSelReg 0x17
#define RxThresholdReg 0x18
#define DemodReg 0x19
#define RFU1A 0x1A
#define RFU1B 0x1B
#define MifareReg 0x1C
#define RFU1D 0x1D
#define RFU1E 0x1E
#define SerialSpeedReg 0x1F
// PAGE 2
#define RFU20 0x20
#define CRCResultRegM 0x21
#define CRCResultRegL 0x22
#define RFU23 0x23
#define ModWidthReg 0x24
#define RFU25 0x25
#define RFCfgReg 0x26
#define GsNReg 0x27
#define CWGsCfgReg 0x28
#define ModGsCfgReg 0x29
#define TModeReg 0x2A
#define TPrescalerReg 0x2B
#define TReloadRegH 0x2C
#define TReloadRegL 0x2D
#define TCounterValueRegH 0x2E
#define TCounterValueRegL 0x2F
// PAGE 3
#define RFU30 0x30
#define TestSel1Reg 0x31
#define TestSel2Reg 0x32
#define TestPinEnReg 0x33
#define TestPinValueReg 0x34
#define TestBusReg 0x35
#define AutoTestReg 0x36
#define VersionReg 0x37
#define AnalogTestReg 0x38
#define TestDAC1Reg 0x39
#define TestDAC2Reg 0x3A
#define TestADCReg 0x3B
#define RFU3C 0x3C
#define RFU3D 0x3D
#define RFU3E 0x3E
#define RFU3F 0x3F
#define REQ_ALL 0x52
#define KEYA 0x60
#define KEYB 0x61
#define MI_OK (char)0
#define MI_NOTAGERR (char)(-1)
#define MI_ERR (char)(-2)
#endif
驱动实现rc522.c
#include "rc522.h"
#include "stm32f10x_gpio.h"
#define MAXRLEN 18
void PcdInit()
{
GPIO_InitTypeDef GPIO_InitStructure;
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_RST_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_RST_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_RST_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_MISO_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_MISO_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_IN_FLOATING;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_MISO_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_MOSI_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_MOSI_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_MOSI_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_SCK_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_SCK_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_SCK_PORT, &GPIO_InitStructure);
/* Enable the GPIO Clock */
RCC_APB2PeriphClockCmd(MF522_NSS_CLK, ENABLE);
/* Configure the GPIO pin */
GPIO_InitStructure.GPIO_Pin = MF522_NSS_PIN;
GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;
GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;
GPIO_Init(MF522_NSS_PORT, &GPIO_InitStructure);
}
char PcdRequest(unsigned char req_code,unsigned char *pTagType)
{
char status;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ClearBitMask(Status2Reg,0x08);
WriteRawRC(BitFramingReg,0x07);
SetBitMask(TxControlReg,0x03);
ucComMF522Buf[0] = req_code;
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);
// if(status == MI_OK )
// { LED_GREEN =0 ;}
// else {LED_GREEN =1 ;}
if ((status == MI_OK) && (unLen == 0x10))
{
*pTagType = ucComMF522Buf[0];
*(pTagType+1) = ucComMF522Buf[1];
}
else
{ status = MI_ERR; }
return status;
}
char PcdAnticoll(unsigned char *pSnr)
{
char status;
unsigned char i,snr_check=0;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ClearBitMask(Status2Reg,0x08);
WriteRawRC(BitFramingReg,0x00);
ClearBitMask(CollReg,0x80);
ucComMF522Buf[0] = PICC_ANTICOLL1;
ucComMF522Buf[1] = 0x20;
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,2,ucComMF522Buf,&unLen);
if (status == MI_OK)
{
for (i=0; i<4; i++)
{
*(pSnr+i) = ucComMF522Buf[i];
snr_check ^= ucComMF522Buf[i];
}
if (snr_check != ucComMF522Buf[i])
{ status = MI_ERR; }
}
SetBitMask(CollReg,0x80);
return status;
}
char PcdSelect(unsigned char *pSnr)
{
char status;
unsigned char i;
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_ANTICOLL1;
ucComMF522Buf[1] = 0x70;
ucComMF522Buf[6] = 0;
for (i=0; i<4; i++)
{
ucComMF522Buf[i+2] = *(pSnr+i);
ucComMF522Buf[6] ^= *(pSnr+i);
}
CalulateCRC(ucComMF522Buf,7,&ucComMF522Buf[7]);
ClearBitMask(Status2Reg,0x08);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,9,ucComMF522Buf,&unLen);
if ((status == MI_OK) && (unLen == 0x18))
{ status = MI_OK; }
else
{ status = MI_ERR; }
return status;
}
char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr)
{
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = auth_mode;
ucComMF522Buf[1] = addr;
for (i=0; i<6; i++)
{ ucComMF522Buf[i+2] = *(pKey+i); }
for (i=0; i<6; i++)
{ ucComMF522Buf[i+8] = *(pSnr+i); }
// memcpy(&ucComMF522Buf[2], pKey, 6);
// memcpy(&ucComMF522Buf[8], pSnr, 4);
status = PcdComMF522(PCD_AUTHENT,ucComMF522Buf,12,ucComMF522Buf,&unLen);
if ((status != MI_OK) || (!(ReadRawRC(Status2Reg) & 0x08)))
{ status = MI_ERR; }
return status;
}
char PcdRead(unsigned char addr,unsigned char *pData)
{
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_READ;
ucComMF522Buf[1] = addr;
CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);
if ((status == MI_OK) && (unLen == 0x90))
// { memcpy(pData, ucComMF522Buf, 16); }
{
for (i=0; i<16; i++)
{ *(pData+i) = ucComMF522Buf[i]; }
}
else
{ status = MI_ERR; }
return status;
}
char PcdWrite(unsigned char addr,unsigned char *pData)
{
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_WRITE;
ucComMF522Buf[1] = addr;
CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);
if ((status != MI_OK) || (unLen != 4) || ((ucComMF522Buf[0] & 0x0F) != 0x0A))
{ status = MI_ERR; }
if (status == MI_OK)
{
//memcpy(ucComMF522Buf, pData, 16);
for (i=0; i<16; i++)
{ ucComMF522Buf[i] = *(pData+i); }
CalulateCRC(ucComMF522Buf,16,&ucComMF522Buf[16]);
status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,18,ucComMF522Buf,&unLen);
if ((status != MI_OK) || (unLen != 4) || ((ucComMF522Buf[0] & 0x0F) != 0x0A))
{ status = MI_ERR; }
}
return status;
}
//这个是写第一扇区Block0的代码
char PcdSpicelWrite(unsigned char *pData)
{
char status;
unsigned int unLen;
unsigned char i,ucComMF522Buf[MAXRLEN];
//需要使用以下步骤开启后门
PcdHalt();
WriteRawRC(BitFramingReg, 0x07);
//WriteRawRC(CommandReg, 0x40);
ucComMF522Buf[0] = 0x40;
PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);
WriteRawRC(BitFramingReg, 0x00);
ucComMF522Buf[0] = 0x43;
PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);
return PcdWrite(0, pData);
}
char PcdHalt(void)
{
unsigned int unLen;
unsigned char ucComMF522Buf[MAXRLEN];
ucComMF522Buf[0] = PICC_HALT;
ucComMF522Buf[1] = 0;
CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);
PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);
return MI_OK;
}
//?MF522??CRC16??
void CalulateCRC(unsigned char *pIndata,unsigned char len,unsigned char *pOutData)
{
unsigned char i,n;
ClearBitMask(DivIrqReg,0x04);
WriteRawRC(CommandReg,PCD_IDLE);
SetBitMask(FIFOLevelReg,0x80);
for (i=0; i<len; i++)
{ WriteRawRC(FIFODataReg, *(pIndata+i)); }
WriteRawRC(CommandReg, PCD_CALCCRC);
i = 0xFF;
do
{
n = ReadRawRC(DivIrqReg);
i--;
}
while ((i!=0) && !(n&0x04));
pOutData[0] = ReadRawRC(CRCResultRegL);
pOutData[1] = ReadRawRC(CRCResultRegM);
}
char PcdReset(void)
{
RST_H;
delay_10ms(1);
RST_L;
delay_10ms(1);
RST_H;
delay_10ms(10);
if(ReadRawRC(0x02) == 0x80)
{
}
WriteRawRC(CommandReg,PCD_RESETPHASE);
WriteRawRC(ModeReg,0x3D);
WriteRawRC(TReloadRegL,30);
WriteRawRC(TReloadRegH,0);
WriteRawRC(TModeReg,0x8D);
WriteRawRC(TPrescalerReg,0x3E);
WriteRawRC(TxAutoReg,0x40);
return MI_OK;
}
char M500PcdConfigISOType(unsigned char type)
{
if (type == 'A')
{
ClearBitMask(Status2Reg,0x08);
WriteRawRC(ModeReg,0x3D);//3F
WriteRawRC(RxSelReg,0x86);//84
WriteRawRC(RFCfgReg,0x7F); //4F
WriteRawRC(TReloadRegL,30);//tmoLength);// TReloadVal = 'h6a =tmoLength(dec)
WriteRawRC(TReloadRegH,0);
WriteRawRC(TModeReg,0x8D);
WriteRawRC(TPrescalerReg,0x3E);
delay_10ms(1);
PcdAntennaOn();
}
else{ return (char)-1; }
return MI_OK;
}
unsigned char ReadRawRC(unsigned char Address)
{
unsigned char i, ucAddr;
unsigned char ucResult=0;
NSS_L;
ucAddr = ((Address<<1)&0x7E)|0x80;
for(i=8;i>0;i--)
{
SCK_L;
if(ucAddr&0x80)
MOSI_H;
else
MOSI_L;
SCK_H;
ucAddr <<= 1;
}
for(i=8;i>0;i--)
{
SCK_L;
ucResult <<= 1;
SCK_H;
if(READ_MISO == 1)
ucResult |= 1;
}
NSS_H;
SCK_H;
return ucResult;
}
void WriteRawRC(unsigned char Address, unsigned char value)
{
unsigned char i, ucAddr;
SCK_L;
NSS_L;
ucAddr = ((Address<<1)&0x7E);
for(i=8;i>0;i--)
{
if(ucAddr&0x80)
MOSI_H;
else
MOSI_L;
SCK_H;
ucAddr <<= 1;
SCK_L;
}
for(i=8;i>0;i--)
{
if(value&0x80)
MOSI_H;
else
MOSI_L;
SCK_H;
value <<= 1;
SCK_L;
}
NSS_H;
SCK_H;
}
void SetBitMask(unsigned char reg,unsigned char mask)
{
char tmp = 0x0;
tmp = ReadRawRC(reg);
WriteRawRC(reg,tmp | mask); // set bit mask
}
void ClearBitMask(unsigned char reg,unsigned char mask)
{
char tmp = 0x0;
tmp = ReadRawRC(reg);
WriteRawRC(reg, tmp & ~mask); // clear bit mask
}
char PcdComMF522(unsigned char Command,
unsigned char *pInData,
unsigned char InLenByte,
unsigned char *pOutData,
unsigned int *pOutLenBit)
{
char status = MI_ERR;
unsigned char irqEn = 0x00;
unsigned char waitFor = 0x00;
unsigned char lastBits;
unsigned char n;
unsigned int i;
switch (Command)
{
case PCD_AUTHENT:
irqEn = 0x12;
waitFor = 0x10;
break;
case PCD_TRANSCEIVE:
case PCD_SPECIAL_COPY:
irqEn = 0x77;
waitFor = 0x30;
break;
default:
break;
}
WriteRawRC(ComIEnReg,irqEn|0x80);
ClearBitMask(ComIrqReg,0x80);
WriteRawRC(CommandReg,PCD_IDLE);
SetBitMask(FIFOLevelReg,0x80);
for (i=0; i<InLenByte; i++)
{ WriteRawRC(FIFODataReg, pInData[i]); }
WriteRawRC(CommandReg, Command);
if (Command == PCD_TRANSCEIVE)
{ SetBitMask(BitFramingReg,0x80); }
i = 2000;
do
{
n = ReadRawRC(ComIrqReg);
i--;
}
while ((i!=0) && !(n&0x01) && !(n&waitFor));
ClearBitMask(BitFramingReg,0x80);
if (i!=0)
{
if(!(ReadRawRC(ErrorReg)&0x1B))
{
status = MI_OK;
if (n & irqEn & 0x01)
{ status = MI_NOTAGERR; }
if (Command == PCD_TRANSCEIVE)
{
n = ReadRawRC(FIFOLevelReg);
lastBits = ReadRawRC(ControlReg) & 0x07;
if (lastBits)
{ *pOutLenBit = (n-1)*8 + lastBits; }
else
{ *pOutLenBit = n*8; }
if (n == 0)
{ n = 1; }
if (n > MAXRLEN)
{ n = MAXRLEN; }
for (i=0; i<n; i++)
{ pOutData[i] = ReadRawRC(FIFODataReg); }
}
}
else
{ status = MI_ERR; }
}
SetBitMask(ControlReg,0x80); // stop timer now
WriteRawRC(CommandReg,PCD_IDLE);
return status;
}
void PcdAntennaOn()
{
unsigned char i;
i = ReadRawRC(TxControlReg);
if (!(i & 0x03))
{
SetBitMask(TxControlReg, 0x03);
}
}
void PcdAntennaOff()
{
ClearBitMask(TxControlReg, 0x03);
}
void WaitCardOff(void)
{
char status;
unsigned char TagType[2];
while(1)
{
status = PcdRequest(REQ_ALL, TagType);
if(status)
{
status = PcdRequest(REQ_ALL, TagType);
if(status)
{
status = PcdRequest(REQ_ALL, TagType);
if(status)
{
return;
}
}
}
delay_10ms(10);
}
}
void delay_10ms(unsigned int _10ms)
{
unsigned int i, j;
for(i=0; i<_10ms; i++)
{
for(j=0; j<60000; j++);
}
}
后门代码实现依据来源于这篇博客,RC522驱动代码来源于这篇博客,在此表示感谢。
按照之前点亮LED的经验,我们使用RTthread来进行进行门禁卡的检测和复制。主要代码如下:
复制代码被注释了,我们先使用检测并读取的代码,读取出原卡的内容,然后把读取内容记录下来,复制到新卡上去。正确的做法应该是使用完整逻辑来实现这个流程,这里为了方便,直接手动记录,然后修改代码重新编译来进行卡的复制,有兴趣有需要的朋友可在此基础上自行补充完成。
#include
#include
#include "led.h"
#include "rc522.h"
ALIGN(RT_ALIGN_SIZE)
static rt_uint8_t led_stack[ 512 ];
static struct rt_thread led_thread;
static void led_thread_entry(void* parameter)
{
unsigned int count=0;
rt_hw_led_init();
while (1)
{
count++;
rt_hw_led_on(0);
rt_thread_delay( RT_TICK_PER_SECOND/2 ); /* sleep 0.5 second and switch to other thread */
rt_hw_led_off(0);
rt_thread_delay( RT_TICK_PER_SECOND/2 );
}
}
static void ShowID(u8 *p)
{
u8 num[9];
u8 i;
for(i=0; i<4; i++)
{
num[i*2]=p[i]/16;
num[i*2]>9?(num[i*2]+='7'):(num[i*2]+='0');
num[i*2+1]=p[i]%16;
num[i*2+1]>9?(num[i*2+1]+='7'):(num[i*2+1]+='0');
}
num[8]=0;
rt_kprintf("ID>>>%s\r\n", num);
}
static rt_uint8_t rfid_stack[ 512 ];
static struct rt_thread rfid_thread;
static void rfid_thread_entry(void* parameter)
{
unsigned int count=0;
char status;
unsigned char snr, buf[16], TagType[2], SelectedSnr[4], DefaultKey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
PcdInit();
PcdReset();
PcdAntennaOff();
PcdAntennaOn();
M500PcdConfigISOType( 'A' );
rt_kprintf( "rc522 init over!\n" );
while(1){
status= PcdRequest( REQ_ALL , TagType );
if(!status) {
status = PcdAnticoll(SelectedSnr);
if(!status){
status=PcdSelect(SelectedSnr);
if(!status){
ShowID(SelectedSnr);
/*unsigned char inDoor[16] = {
0x91, 0x94, 0x09, 0xa5, 0xa9, 0x88, 0x04, 0x00,
0x85, 0x00, 0xb4, 0x2e, 0xf0, 0xbb, 0x6a, 0xa8
};
unsigned char outDoor[16] = {
0x1c, 0x6a, 0xa0, 0xa5, 0x73, 0x88, 0x04, 0x00,
0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
status = PcdSpicelWrite(inDoor);*/
if(!status){
for(int i = 0;i < 16 ;i++){
snr = i;
status = PcdAuthState(KEYB, (snr*4+3), DefaultKey, SelectedSnr);
for(int j = 0; j < 4; j++){
status = PcdRead((snr*4+j), buf);
//status = PcdWrite((snr*4+0), "way2");
if(!status){
uint16_t * e = 0;
e = (uint16_t *)TagType;
//rt_kprintf("Snr Index : %d, type = %x \n", snr * 4 + j, *e);
for(int n = 0; n < 16; n++){
rt_kprintf("%x ", (uint16_t)buf[n]);
}
rt_kprintf("\n");
}
}
}
}
rt_kprintf("operate finished! %x \n", status);
WaitCardOff();
}
}
}
}
}
void rt_init_thread_entry(void* parameter)
{
#ifdef RT_USING_COMPONENTS_INIT
/* initialization RT-Thread Components */
rt_components_init();
#endif
}
int rt_application_init(void)
{
rt_thread_t init_thread;
rt_err_t result;
/* init led thread */
result = rt_thread_init(&led_thread,
"led",
led_thread_entry,
RT_NULL,
(rt_uint8_t*)&led_stack[0],
sizeof(led_stack),
20,
5);
if (result == RT_EOK)
{
rt_thread_startup(&led_thread);
}
result = rt_thread_init(&rfid_thread,
"rfid",
rfid_thread_entry,
RT_NULL,
(rt_uint8_t*)&rfid_stack[0],
sizeof(rfid_stack),
22,
5);
if (result == RT_EOK)
{
rt_thread_startup(&rfid_thread);
}
#if (RT_THREAD_PRIORITY_MAX == 32)
init_thread = rt_thread_create("init",
rt_init_thread_entry, RT_NULL,
2048, 8, 20);
#else
init_thread = rt_thread_create("init",
rt_init_thread_entry, RT_NULL,
2048, 80, 20);
#endif
if (init_thread != RT_NULL)
rt_thread_startup(init_thread);
return 0;
}
/*@}*/
工程源码挂载在CSDN下载频道,攒点下载分备用。欢迎转载,转载博客请注明出处湖广午王的博客。