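Anti-passback across remote door opening and ordinary card swipes on WG (微耕) controllers

This approach applies to remote card-number door opening initiated by a third-party system over TCP. (Note: this way of opening checks the card permissions stored in the controller; it is not a forced open.)

Screenshots first.

Next, a complaint about how unresponsive the WG engineers are.

The steps: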

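  1. Enable anti-passback: set parameter 62 to 2 and parameter 132 to 1 (this can be done through the UI).

    It is best to also set the anti-passback mode.

  2. Enable the mobile simulated-card feature: set parameter 152 in the parameter table to 165.
  3. Use the function RemoteOpenDoorIP_V546 to send the simulated-card-number open command. (Sorry, the standard software only sends the entry signal; for exit, crack it yourself or get WG to add a function prototype. The requirements we have raised over the past few years were all eventually added to the software, even though they don't like responding to us. Their motto: always iterate, never change a ticket.)
  4. When the mobile simulated-card feature is not enabled, RemoteOpenDoorIP_V546 ignores the card permissions stored in the controller and forces the door open. In that case it is equivalent to RemoteOpenDoorIP's remote open with a card number attached (rather than a remote open by sending a card number).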

 

Packet analysis

Packet as sent

1A 29 C3 E4 E1 0D 5F 00 09 F9 0B 0B C5 92 4F 3C 10 11 12 13 F3 FE 9E BB FB F6 A6 84 CD C3 A2 80

F1 FF 9E BC F5 FB 9A B8 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

Decrypted

19 28 c1 e7 e5 08 59 07 01 f0 01 00 c9 9f 41 33 00 00 00 00 e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f d1 de bc 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

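Analysis

| Byte offset | HEX | Meaning |
|---|---|---|
| 0 | 19 | type=25 |
| 1 | 28 | code=40 |
| 2 | c1 e7 | crc |
| 4 | e5 08 59 07 | Sn=123275493 |
| 8 to 56 (0 to 48) | 01 | DoorID=1 |
| | F0 | Cmdoption=240 |
| | 01 | In or out |
| | 00 | |
| | c9 9f 41 33 | cardno=859938761 |
| | 00 00 00 00 | |
| | e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f | |
| (28 to 32) | d1 de bc 9f | ticks |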

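Flow

First, send card number 0, door number 1, the time as OpenKeyCrc, and operation number 240 to obtain the real CRC.

Then send the entry/exit open command with the real card number, the real door number, and the CRC just obtained.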

 

Packets

1A 29 2F 9C E1 0D 5F 00 09 F8 0A 0B 0C 0D 0E 0F 10 11 12 13 3F 2F B5 9D 37 27 8D A2 01 12 89 A6

3D 2E B5 9A 39 2A B1 9E 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 BD FF E1 0D 5F 00 09 09 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F

20 21 22 23 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 AA BC E1 0D 5F 00 09 F9 0A 0B C5 92 4F 3C 10 11 12 13 53 D7 AB 13 5B DF 93 2C 6D EA 97 28

51 D6 AB 14 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

1A 29 D9 71 E1 0D 5F 00 09 0A 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F

20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F

 

After decryption

19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 2b 3a a3 8a 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 47 c2 bd 04 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
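
The field offsets from the analysis above, applied to the four decrypted frames, as an added audit example that is not part of the original post or of WG's software. It assumes frames that are already decrypted and, going by the reference code and the sample frames, that Cmdoption 0xF1 marks the key request and 0xF0 the card-number open; `parse_frame` and `audit` are names made up for this example.

```python
import struct

# Decrypted frames copied from the page (request, reply, request, reply).
# Frames are 64 bytes; the trailing zero bytes are restored by ljust() below.
SAMPLE_HEX = [
    "19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 "
    "2b 3a a3 8a 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9",
    "19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 f7 89 37",
    "19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 "
    "47 c2 bd 04 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37",
    "19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff",
]

# type, code, crc, sn, door, cmdoption, in/out, unused, cardno (little-endian)
HEADER = struct.Struct("<BBHIBBBBI")
OPT_KEY_REQUEST, OPT_CARD_OPEN = 0xF1, 0xF0  # assumption: 241 / 240 in the reference code


def parse_frame(hex_text):
    """Decode one decrypted frame into the fields named in the analysis table."""
    raw = bytes.fromhex(hex_text).ljust(64, b"\x00")
    if len(raw) != 64:
        raise ValueError("frame must be 64 bytes")
    ftype, code, crc, sn, door, opt, in_out, _unused, card = HEADER.unpack_from(raw)
    if (ftype, code) != (0x19, 0x28):
        raise ValueError("not a type=25 / code=40 frame")
    return {"crc": crc, "sn": sn, "door": door, "cmdoption": opt,
            "in_out": in_out, "cardno": card, "key": raw[28:32].hex()}


def audit(frames_hex):
    """Return one record per card-number open request (Cmdoption 0xF0)."""
    pending = set()  # controllers with an outstanding key request
    events = []
    for frame in map(parse_frame, frames_hex):
        if frame["cmdoption"] == OPT_KEY_REQUEST:
            pending.add(frame["sn"])
        elif frame["cmdoption"] == OPT_CARD_OPEN:
            # Record whether the two-step flow was followed for this controller.
            frame["after_key_request"] = frame["sn"] in pending
            pending.discard(frame["sn"])
            events.append(frame)
    return events  # frames with any other Cmdoption (the replies here) are skipped


if __name__ == "__main__":
    for event in audit(SAMPLE_HEX):
        print(event)
```

Each record names the controller serial number, door, direction byte and card number of an open request, which is what an access log needs in order to attribute a remote open to a card.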

 

Reference code

```csharp
// Step 1: request the open key. The card number (data[0..3]) stays 0,
// the door number is 1 and the option byte is 241.
Struct_Deal deal = new Struct_Deal();
deal._控制器序列号 = machineInfo.MachineID;

byte[] data = new byte[11];
data[4] = 1;
data[5] = 241;

// The low 32 bits of the current tick count go into data[7..10].
DateTime now = DateTime.Now;
data[7] = (byte)now.Ticks;
data[8] = (byte)(now.Ticks >> 8);
data[9] = (byte)(now.Ticks >> 16);
data[10] = (byte)(now.Ticks >> 24);

deal.Send(ENUM_CMD_AC.模拟卡号开门, data);
byte[] buff = deal.ToByteArray();
// Compute the packet CRC and write it into bytes 2-3 of the packet.
ushort crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);
Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);

// The controller's reply fills openKey.
byte[] openKey = new byte[4];
UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref openKey, ref outMsg);

// Step 2: send the real card number, door number and direction,
// with option byte 240 and the key obtained in step 1.
deal = new Struct_Deal();
deal._控制器序列号 = machineInfo.MachineID;
data = new byte[11];
byte[] bufCardSerNo = BitConverter.GetBytes(uint.Parse(machineInfo.OtherInfo1));
Array.Copy(bufCardSerNo, data, 4);
data[4] = (byte)doorParam._门号;
data[5] = 240;
data[6] = (byte)doorParam._进或出;
Array.Copy(openKey, 0, data, 7, 4);
deal.Send(ENUM_CMD_AC.模拟卡号开门, data);
buff = deal.ToByteArray();
crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);
Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);
string status = string.Empty;
return UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref status, ref outMsg);
```
