微耕控制器實現遠程開門與普通刷卡的反潛回

     

方案適用於第三方系統經過TCP發起的遠程卡號開門 （注意：該開門方式會驗證控制器內部的卡權限，不屬於強制開門）

     

先上圖

     

     

再吐槽微耕工程師的種種不答理

     

上操做步驟：

1. 開啓反潛回：62號參數設置值爲2，132號參數設置爲1（可經過界面設置）

   最好設置下反潛的方式

        

2. 開啓手機模擬卡功能：參數表第152號參數設置值爲165
3. 使用函數RemoteOpenDoorIP_V546發送模擬卡號開門指令（對不起，標準軟件只發進門信號，出門請破解或讓微耕增長函數原型，這幾年咱們提出的需求，雖然他們不愛答理 ，但最後都增長進軟件了，口號是：一直迭代，毫不改單） 、
4. RemoteOpenDoorIP_V546函數在未啓用手機模擬卡功能時，會無視控制器內部卡權限，強制開門，至關於RemoteOpenDoorIP的帶卡號遠程開門（而不是發送卡號遠程開門）

 

數據包解析

發出	1A 29 C3 E4 E1 0D 5F 00 09 F9 0B 0B C5 92 4F 3C 10 11 12 13 F3 FE 9E BB FB F6 A6 84 CD C3 A2 80 F1 FF 9E BC F5 FB 9A B8 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
解密	19 28 c1 e7 e5 08 59 07 01 f0 01 00 c9 9f 41 33 00 00 00 00 e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f d1 de bc 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
分析	字節位置	HEX	含義
	0	19	type=25
	1	28	code=40
	2	c1 e7	crc
	4	e5 08 59 07	Sn= 123275493
	8至56(0至48)	01	DoorID=1
		F0	Cmdoption=240
		01	進或出
		00
		c9 9f 41 33	cardno=859938761
		00 00 00 00
		e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f
	（28至32）	d1 de bc 9f	ticks

流程

先以卡號0，門號1，時間做爲OpenKeyCrc，操做數240，獲取真正的CRC

再以真實卡號真實門號，獲取到的CRC 發出進出門

 

數據包

1A 29 2F 9C E1 0D 5F 00 09 F8 0A 0B 0C 0D 0E 0F 10 11 12 13 3F 2F B5 9D 37 27 8D A2 01 12 89 A6 3D 2E B5 9A 39 2A B1 9E 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F   1A 29 BD FF E1 0D 5F 00 09 09 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F   1A 29 AA BC E1 0D 5F 00 09 F9 0A 0B C5 92 4F 3C 10 11 12 13 53 D7 AB 13 5B DF 93 2C 6D EA 97 28 51 D6 AB 14 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F   1A 29 D9 71 E1 0D 5F 00 09 0A 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F   解密後 19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 2b 3a a3 8a 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 47 c2 bd 04 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

 

參考代碼

 

Struct_Deal deal = new Struct_Deal(); deal._控制器序列號 = machineInfo.MachineID;   byte[] data = new byte[11]; data[4] = 1; data[5] = 241;   DateTime now = DateTime.Now; data[7] = (byte)now.Ticks; data[8] = (byte)(now.Ticks >> 8); data[9] = (byte)(now.Ticks >> 16); data[10] = (byte)(now.Ticks >> 24);   deal.Send(ENUM_CMD_AC.模擬卡號開門, data); byte[] buff = deal.ToByteArray(); ushort crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff); Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);   byte[] openKey = new byte[4]; UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模擬卡號開門, buff, ref openKey, ref outMsg);   deal = new Struct_Deal(); deal._控制器序列號 = machineInfo.MachineID; data = new byte[11]; byte[] bufCardSerNo = BitConverter.GetBytes(uint.Parse(machineInfo.OtherInfo1)); Array.Copy(bufCardSerNo, data, 4); data[4] = (byte)doorParam._門號; data[5] = 240; data[6] = (byte)doorParam._進或出; Array.Copy(openKey, 0, data, 7, 4); deal.Send(ENUM_CMD_AC.模擬卡號開門, data); buff = deal.ToByteArray(); crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff); Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2); string status = string.Empty; return UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模擬卡號開門, buff, ref status, ref outMsg);