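This approach applies to remote door opening by card number initiated by a third-party system over TCP. (Note: this way of opening the door checks the card permissions stored in the controller; it is not a forced open.)
First, the picture.
Then a complaint about all the ways the 微耕 (Weigeng) engineers ignore us.
The steps:
- Enable anti-passback: set parameter 62 to 2 and parameter 132 to 1 (this can be done through the UI).
It is best to also set the anti-passback mode.
- Enable the phone-simulated card feature: set parameter 152 in the parameter table to 165.
- Use the function RemoteOpenDoorIP_V546 to send the simulated-card-number open-door command. (Sorry: the standard software only sends the entry signal. For exit, either crack it or ask 微耕 to add a function prototype. The requests we have raised over the past few years were all eventually added to the software, even though they don't like to respond. The motto is: keep iterating, never take a change order.)
- When the phone-simulated card feature is not enabled, RemoteOpenDoorIP_V546 ignores the card permissions stored in the controller and forces the door open. It is then equivalent to RemoteOpenDoorIP's remote open with a card number attached (rather than sending a card number to open the door remotely).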
Packet analysis

Sent | 1A 29 C3 E4 E1 0D 5F 00 09 F9 0B 0B C5 92 4F 3C 10 11 12 13 F3 FE 9E BB FB F6 A6 84 CD C3 A2 80 F1 FF 9E BC F5 FB 9A B8 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
Decrypted | 19 28 c1 e7 e5 08 59 07 01 f0 01 00 c9 9f 41 33 00 00 00 00 e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f d1 de bc 9f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Analysis

| Byte offset | HEX | Meaning |
| --- | --- | --- |
| 0 | 19 | type=25 |
| 1 | 28 | code=40 |
| 2 | c1 e7 | crc |
| 4 | e5 08 59 07 | Sn=123275493 |
| 8 to 56 (0 to 48) | 01 | DoorID=1 |
| | F0 | Cmdoption=240 |
| | 01 | in or out |
| | 00 | |
| | c9 9f 41 33 | cardno=859938761 |
| | 00 00 00 00 | |
| | e7 eb 88 ac e3 ef bc 9f d1 de bc 9f d1 de bc 9f | |
| (28 to 32) | d1 de bc 9f | ticks |
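Flow
First, send card number 0, door number 1, the time as OpenKeyCrc, and operand 240 to obtain the real CRC.
Then send the entry/exit command with the real card number, the real door number, and the CRC that was obtained.
Packets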
1A 29 2F 9C E1 0D 5F 00 09 F8 0A 0B 0C 0D 0E 0F 10 11 12 13 3F 2F B5 9D 37 27 8D A2 01 12 89 A6 3D 2E B5 9A 39 2A B1 9E 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
1A 29 BD FF E1 0D 5F 00 09 09 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
1A 29 AA BC E1 0D 5F 00 09 F9 0A 0B C5 92 4F 3C 10 11 12 13 53 D7 AB 13 5B DF 93 2C 6D EA 97 28 51 D6 AB 14 55 D2 AF 10 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
1A 29 D9 71 E1 0D 5F 00 09 0A 0D 7B CC A5 04 74 17 07 14 12 EB 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
Decrypted:
19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 2b 3a a3 8a 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 47 c2 bd 04 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
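An added example, not part of the original post or the vendor's code: a Python decoder for the decrypted 64-byte packets using the offsets from the analysis table, plus an audit pass that lists each card-number open and whether it followed the two-step flow. The labels KEY_REQUEST and OPEN_WITH_CARD, the function names, and the reading of bytes 36 to 40 of a reply as the returned key are assumptions drawn from the page's sample packets.

```python
import struct

# Labels are names chosen for this example; the values come from the page's packets.
CMD_LABELS = {0xF1: "KEY_REQUEST", 0xF0: "OPEN_WITH_CARD"}
PAD = " 00" * 24
# The four decrypted packets listed on the page, in order.
SAMPLE = [
    "19 28 2d 9f e5 08 59 07 01 f1 00 00 00 00 00 00 00 00 00 00 2b 3a a3 8a"
    " 2f 3e 97 b9 1d 0f 97 b9 1d 0f 97 b9 1d 0f 97 b9" + PAD,
    "19 28 bf fc e5 08 59 07 01 00 07 70 c0 a8 0a 7b 07 16 06 01 ff"
    + " 00" * 15 + " 71 f7 89 37" + PAD,
    "19 28 a8 bf e5 08 59 07 01 f0 00 00 c9 9f 41 33 00 00 00 00 47 c2 bd 04"
    " 43 c6 89 37 71 f7 89 37 71 f7 89 37 71 f7 89 37" + PAD,
    "19 28 db 72 e5 08 59 07 01 03 07 70 c0 a8 0a 7b 07 16 06 01 ff" + " 00" * 43,
]

def parse_packet(hex_str):
    """Decode one decrypted 64-byte packet using the offsets in the analysis table."""
    raw = bytes.fromhex(hex_str)
    if len(raw) != 64:
        raise ValueError(f"expected 64 bytes, got {len(raw)}")
    ptype, code, crc, sn = struct.unpack_from("<BBHI", raw, 0)
    (cardno,) = struct.unpack_from("<I", raw, 12)
    return {"type": ptype, "code": code, "crc": crc, "sn": sn, "door": raw[8],
            "cmdoption": raw[9], "cmd": CMD_LABELS.get(raw[9], "OTHER"),
            "in_out": raw[10], "cardno": cardno, "key": raw[36:40].hex()}

def audit(packets):
    """List each card-number open and whether it followed the two-step flow."""
    requested, last_reply_key, events = set(), {}, []
    for p in map(parse_packet, packets):
        if (p["type"], p["code"]) != (0x19, 0x28):
            continue                        # not the command analysed on the page
        if p["cmd"] == "KEY_REQUEST":
            requested.add(p["sn"])
        elif p["cmd"] == "OPEN_WITH_CARD":
            events.append({"sn": p["sn"], "door": p["door"], "in_out": p["in_out"],
                           "cardno": p["cardno"],
                           "key_requested": p["sn"] in requested,
                           # In the page's sample the open carries the 4 bytes found at
                           # offset 36 of the preceding reply (an observation, not a spec).
                           "key_matches_reply": p["key"] == last_reply_key.get(p["sn"])})
            requested.discard(p["sn"])
        else:
            last_reply_key[p["sn"]] = p["key"]
    return events

if __name__ == "__main__":
    for event in audit(SAMPLE):
        print(event)
```

An open that appears without a preceding key request, or whose key does not match the last reply, is worth a closer look in the controller's event log.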
Reference code

```csharp
// Step 1: request the open key (card number 0, door 1, Cmdoption 241).
Struct_Deal deal = new Struct_Deal();
deal._控制器序列号 = machineInfo.MachineID;

byte[] data = new byte[11];
data[4] = 1;    // door number
data[5] = 241;  // Cmdoption

// Low 32 bits of the current tick count, little-endian.
DateTime now = DateTime.Now;
data[7] = (byte)now.Ticks;
data[8] = (byte)(now.Ticks >> 8);
data[9] = (byte)(now.Ticks >> 16);
data[10] = (byte)(now.Ticks >> 24);

deal.Send(ENUM_CMD_AC.模拟卡号开门, data);
byte[] buff = deal.ToByteArray();
// Compute the packet CRC and write it at bytes 2..3.
ushort crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);
Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);

// The controller's reply supplies the 4-byte openKey.
byte[] openKey = new byte[4];
UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref openKey, ref outMsg);

// Step 2: send the real card number and door (Cmdoption 240) together with openKey.
deal = new Struct_Deal();
deal._控制器序列号 = machineInfo.MachineID;
data = new byte[11];
byte[] bufCardSerNo = BitConverter.GetBytes(uint.Parse(machineInfo.OtherInfo1));
Array.Copy(bufCardSerNo, data, 4);       // card number, bytes 0..3
data[4] = (byte)doorParam._门号;          // door number
data[5] = 240;                           // Cmdoption
data[6] = (byte)doorParam._进或出;        // in or out
Array.Copy(openKey, 0, data, 7, 4);      // key returned by step 1

deal.Send(ENUM_CMD_AC.模拟卡号开门, data);
buff = deal.ToByteArray();
crc = Machine.WG.WG_API.calCRC_WGPacket(60, buff);
Array.Copy(BitConverter.GetBytes(crc), 0, buff, 2, 2);

string status = string.Empty;
return UdpSocket(controller.IPAddress, controller.Port, ENUM_CMD_AC.模拟卡号开门, buff, ref status, ref outMsg);
```