Intercom multi-key and everything about the imitation of "tablets"
Yes, this is a terribly battered topic. The universal intercom key “tablet” was probably made by every second who began to study microcontrollers. There are a lot of articles on this topic and ready-made solutions on the Internet. However, interest in this fade does not cease even with the massive transition to RFID. This is not surprising, because many people want to assemble such a device that performs not only a very interesting task, but also always with them. In addition, it is not so difficult to manufacture.
In this post I would like to gather in one place all the necessary information for those who want to make such a key. Now I will try to talk about what contact intercom keys are, how they work, how to imitate them, what kind of pitfalls there are, and also to tell about my own realization of such a device and how you can assemble the same thing yourself.
')
Attention! This key does not allow illegal penetration anywhere. This device is only to carry one key instead of several.
In fact, such keys in the MicroCAN package come in different types, although they look almost the same in appearance. The only thing that unites them is that the key has two contacts, the earth and the data, and parasitic power is used, i.e. the key is powered directly from the data line. To open the door, the serial number is used, which is given at the factory. That is, this is not the key that is programmed to open the doorphone, but a list of keys that can open it is entered into the memory of the doorphone. Consider them in more detail.
The most popular type of intercom keys is iButton, namely DS1990A from Dallas, it works using the 1-Wire protocol. The protocol is very tricky, it implies two-way interaction - you can send various commands to the key, to which it reacts differently. The serial number has a size of six bytes, which gives 2 8 * 6 = 281474976710656 different combinations and implies that all keys issued must be unique. If you are lucky and you have an original iButton, then this number in hexadecimal must be engraved on it with a laser:
That is, theoretically, someone else's such a key can be faked, if you just write down somewhere or take a picture of these numbers!
To interact with the iButton, it is enough to connect it to the microcontroller and pull the data line to the power supply (2.8-5 volts) through a resistor:
Most likely for many, this is all already old as the world, but still I will briefly tell you how 1-Wire works. Data exchange takes place due to the alternate pressing of the line to the ground, the information being coded by the duration of such signals. It happens like this:
Further, it all depends on the sent command. Usually it is 33h - " READ ROM ", reading the serial number, after which the master reads 64 bits (1 byte is the device type, 6 bytes is the number itself, 1 byte is the CRC). Reading of each bit is initialized by the master, for this it sends a pulse of 1-15 microseconds. If after that the line is pressed to the ground from the side of the key for 60-120 microseconds, then zero is read, otherwise - one.
As you can see, the key is easy to read. It is much more difficult to imitate a key, especially as many intercoms use various tricks. Here are the main pitfalls:
SEARCH ROM Pro (F0h) is a command for searching all 1-Wire devices on a bus. The fact is that theoretically it is possible to connect in parallel many keys and get a list of all serial numbers. In reality, this is not used for iButton, because one key is always attached to the intercom. However, some intercoms send this command, expecting to find a single serial number. The algorithm is very interesting. Each of the devices on the bus simultaneously sends the bit of its serial number, with it twice (i.e. the master must read two bits). First, in the usual way, and then inverted. What is the result? If the device has a unit in the serial number, then "10" is sent. If zero, then "01". And everything is fine, as long as all devices have these bits are the same. And if not ... I wrote above that when reading, the presence of a long signal is 0, and the absence is 1, i.e. 0 is dominant. Thus, when conflicts arise, two zeroes are read. After receiving “10,” “01,” or “00,” the master must send the newly read bit to the line. In the case of “00,” he thus chooses which group of devices to work with next. As a result, after N iterations, a binary tree of N serial numbers is obtained.
Responding to such a command is somewhat more complicated than to the usual READ ROM . You need to send each bit twice - normal and inverted, and then check whether the response received from the master matches it, and if it doesn’t match, then ignore further commands.
The key “Digital DC-2000A” is a domestic development. It is much easier to interact with them, because they are very stupid - do not accept any commands. Simply power up the key and it will immediately start sending code endlessly, changing its resistance. If you give it 5 volts by connecting through a 1 kΩ resistor, then you can see something like this on the oscilloscope:
The key changes its resistance between about 800 ohms and 400 ohms, if I'm not mistaken, and therefore the current consumption. We can say that the signal is analog, and this complicates things a little from the hardware point of view. Although sometimes it can be simplified. For example, the key can be read by simply connecting it to the microphone input of a computer and recording an audio file.
And yes, the intercom after that can be opened with the most ordinary MP3 player. But we are interested in more civilized methods, right?
Coding is a bit strange. The key cyclically sends nine nibbles (four bits), changing its resistance. If it remains low for about 50 microseconds, then this is a logical zero, and if 100 microseconds it is one. But the data is encoded not by logical zeros and ones, but by the position of the units among the zeros! That is, the key when sending a code can give out only one of the four combinations: “1000”, “0100”, “0010” and “0001”. However, the combination “0111” is also used as the starting sequence. As a result, the key data may look something like this: “0111 1000 0100 0010 0001 1000 0100 0010 0001”, where “0111” indicates the beginning. There is no checksum - the code is simply read several times for confidence.
A total of eight sequences in which four combinations are possible. It is not difficult to calculate that this gives us 65,536 key options. Not so much, they are clearly often repeated. Theoretically, if there are 50 apartments at the entrance, each of which has three keys, you can pick one of them by going through a total of 436 combinations. But I did not do that.
How is it better to read the keys to Cyfral? As I said, analog levels. Option two: analog-to-digital converter and comparator. The latter seems to me more reliable. Everything works fine if you connect a data line pulled to Vdd with a 650 Ohm resistor to one of the inputs of the comparator, and exactly half Vdd to the second, for which you can use a voltage divider from two identical resistors. After this, the result of the comparator output can be confidently perceived as high and low key resistance.
How to imitate such a key? At first glance, it seems that you also need to change the resistance, but the results showed that intercoms do not need such accuracy - you can safely close the line to the ground instead of low resistance and completely release it when you need high.
Another domestic development is Metakom on-door speakerphones and K1233KT2 keys. Like Cyfral, it just infinitely sends code, changing its resistance / current consumption. Fortunately, official documentation is available on the Internet:
That's all you need to know to work with this key. It sends four bytes of data, but in each of them one bit goes to parity. Total comes 28 useful bits, and 2 28 = 268435456 combinations.
Alas, I could not find any such key to experiment with it. However, on the Internet it is easy to find a universal code that opens 99% of intercoms by Metacom. One of them is just in the next doorway from me. I wrote a program that sends this code based only on technical documentation. The next entrance opened on the first attempt. It seems that this intercom also does not really matter the exact resistance. On this, I left Metacom alone and decided that reading their keys is not so necessary.
In fact, universal keys for intercoms - it is rather a myth. Developers almost never make for themselves some kind of special code for all doors, with the exception of only Vizit.
But there is a legend which says that after reading the key code, many intercoms check it with all the codes that are recorded in the memory cells. However, in cells where nothing else has been written, FFs or zeros are. Thus, the intercom can be opened by sending a key only from zeros or only from the FF.
Sounds like utter nonsense. How do you need to be a programmer to prevent such a bug? But ... it does work often. Yes, in the latest firmware this is usually fixed, but many intercoms remain unchanged for years. Unbelievable, but it is a fact.
Any other key codes issued for universal ones are usually just service keys for the employees of the post office, LCD or the intercom company itself, and they work only in certain localities.
Let's move on to practice! Yes, I tried to combine in one device and imitation of keys, and their reading (except Metacom), and synchronization with a computer via USB. Here is a diagram of what happened (clickable):
Components and their purpose:
Printed circuit board (clickable):
It was still time before buying a 3D printer, when I designed the devices for the enclosures, not the enclosures for the devices. A very nice copy in the form of a keychain and with a button fell into my hands. Just perfect, it remained only to make holes for USB and LEDs. Alas, I still can not find on sale exactly the same body. The result was something like this:
Batteries under the board. By the way, I had enough of them for a year, until I accidentally climbed up to swim, forgetting to pull out the keys.
Control is done with just one button. When you first press it, the device turns on. By briefly pressing the button, the key is selected, the number of which is displayed by the LEDs. When the key is selected, it is enough to attach the contacts to the intercom reader.
A long press on the button switches the device to the key reading mode, while the middle LED flashes. At this point, you need to attach the key to the contacts of the key reader (for this purpose, I have a screw screwed in from the bottom). If the reading is successful, the number under which the key is stored in memory will be displayed.
When connected via USB, the device is seen as a virtual COM port. For simplicity, the client was written under Windows:
It allows you to read keys from the device, and automatically enters them into the database. Of course, the keys can and write.
The firmware sources are here: github.com/ClusterM/ibutton
Client sources here: github.com/ClusterM/ibutton_client
It is very convenient in one device to have the keys to the house, relatives, work and friends' entrances. Especially important for those who have not conducted an intercom handset in the apartment. But creating a multi-key was not so much useful as interesting. This is a great practice for learning microcontrollers. Yes, it was from this that I started in my time. In addition, each new non-opening staircase caused a storm of interest. Running around the city and solving logical problems in order to open a door is like a video game in real life! Damn exciting. Lacking only fights with Gopniki and grannies at the entrances in the form of bosses;)
In this post I would like to gather in one place all the necessary information for those who want to make such a key. Now I will try to talk about what contact intercom keys are, how they work, how to imitate them, what kind of pitfalls there are, and also to tell about my own realization of such a device and how you can assemble the same thing yourself.
')
Attention! This key does not allow illegal penetration anywhere. This device is only to carry one key instead of several.
Although nothing prevents you from writing into it the universal codes for opening door phones.
Types of intercom keys "tablets"
In fact, such keys in the MicroCAN package come in different types, although they look almost the same in appearance. The only thing that unites them is that the key has two contacts, the earth and the data, and parasitic power is used, i.e. the key is powered directly from the data line. To open the door, the serial number is used, which is given at the factory. That is, this is not the key that is programmed to open the doorphone, but a list of keys that can open it is entered into the memory of the doorphone. Consider them in more detail.
iButton
The most popular type of intercom keys is iButton, namely DS1990A from Dallas, it works using the 1-Wire protocol. The protocol is very tricky, it implies two-way interaction - you can send various commands to the key, to which it reacts differently. The serial number has a size of six bytes, which gives 2 8 * 6 = 281474976710656 different combinations and implies that all keys issued must be unique. If you are lucky and you have an original iButton, then this number in hexadecimal must be engraved on it with a laser:
That is, theoretically, someone else's such a key can be faked, if you just write down somewhere or take a picture of these numbers!
To interact with the iButton, it is enough to connect it to the microcontroller and pull the data line to the power supply (2.8-5 volts) through a resistor:
Most likely for many, this is all already old as the world, but still I will briefly tell you how 1-Wire works. Data exchange takes place due to the alternate pressing of the line to the ground, the information being coded by the duration of such signals. It happens like this:
- Reset - the master presses the line to the ground for at least 480 microseconds, this indicates the start of data transfer.
- Presence - after some time, the key responds with a pulse of about 120 microseconds, which confirms its presence on the line.
- Command - the master sends a command of eight bits, while the logical unit is 1-15 microseconds, and zero - 60-120.
Further, it all depends on the sent command. Usually it is 33h - " READ ROM ", reading the serial number, after which the master reads 64 bits (1 byte is the device type, 6 bytes is the number itself, 1 byte is the CRC). Reading of each bit is initialized by the master, for this it sends a pulse of 1-15 microseconds. If after that the line is pressed to the ground from the side of the key for 60-120 microseconds, then zero is read, otherwise - one.
As you can see, the key is easy to read. It is much more difficult to imitate a key, especially as many intercoms use various tricks. Here are the main pitfalls:
- You must always respond to a reset , even if it is sent during data transfer. A pulse longer than 480 microseconds suggests that you need to start over.
- The moment of applying the key from his point of view is also a reset , because before that there was no power. Therefore, theoretically, the intercom may not send a reset , and should periodically respond with a presence signal at its own initiative.
- The keys can react to other commands: 0Fh as an alternative to 33h, SKIP ROM (CCh), MATCH ROM (55h) and the most cunning thing, which I will discuss separately below, is SEARCH ROM (F0h). Some intercoms can send various combinations of such commands to make sure that the key is real.
- There is also a reverse situation - the intercom sends a command to which the key should not respond. The fact is that some programmable keys still react to them, and this is how another check happens. It is necessary to completely ignore everything that follows these commands until the reset is sent.
- For timing, it is better to use an asynchronous timer in the microcontroller, since the count goes on microseconds. However, the installation of quartz will be unnecessary.
SEARCH ROM Pro (F0h) is a command for searching all 1-Wire devices on a bus. The fact is that theoretically it is possible to connect in parallel many keys and get a list of all serial numbers. In reality, this is not used for iButton, because one key is always attached to the intercom. However, some intercoms send this command, expecting to find a single serial number. The algorithm is very interesting. Each of the devices on the bus simultaneously sends the bit of its serial number, with it twice (i.e. the master must read two bits). First, in the usual way, and then inverted. What is the result? If the device has a unit in the serial number, then "10" is sent. If zero, then "01". And everything is fine, as long as all devices have these bits are the same. And if not ... I wrote above that when reading, the presence of a long signal is 0, and the absence is 1, i.e. 0 is dominant. Thus, when conflicts arise, two zeroes are read. After receiving “10,” “01,” or “00,” the master must send the newly read bit to the line. In the case of “00,” he thus chooses which group of devices to work with next. As a result, after N iterations, a binary tree of N serial numbers is obtained.
Responding to such a command is somewhat more complicated than to the usual READ ROM . You need to send each bit twice - normal and inverted, and then check whether the response received from the master matches it, and if it doesn’t match, then ignore further commands.
Cyfral
The key “Digital DC-2000A” is a domestic development. It is much easier to interact with them, because they are very stupid - do not accept any commands. Simply power up the key and it will immediately start sending code endlessly, changing its resistance. If you give it 5 volts by connecting through a 1 kΩ resistor, then you can see something like this on the oscilloscope:
The key changes its resistance between about 800 ohms and 400 ohms, if I'm not mistaken, and therefore the current consumption. We can say that the signal is analog, and this complicates things a little from the hardware point of view. Although sometimes it can be simplified. For example, the key can be read by simply connecting it to the microphone input of a computer and recording an audio file.
And yes, the intercom after that can be opened with the most ordinary MP3 player. But we are interested in more civilized methods, right?
Coding is a bit strange. The key cyclically sends nine nibbles (four bits), changing its resistance. If it remains low for about 50 microseconds, then this is a logical zero, and if 100 microseconds it is one. But the data is encoded not by logical zeros and ones, but by the position of the units among the zeros! That is, the key when sending a code can give out only one of the four combinations: “1000”, “0100”, “0010” and “0001”. However, the combination “0111” is also used as the starting sequence. As a result, the key data may look something like this: “0111 1000 0100 0010 0001 1000 0100 0010 0001”, where “0111” indicates the beginning. There is no checksum - the code is simply read several times for confidence.
A total of eight sequences in which four combinations are possible. It is not difficult to calculate that this gives us 65,536 key options. Not so much, they are clearly often repeated. Theoretically, if there are 50 apartments at the entrance, each of which has three keys, you can pick one of them by going through a total of 436 combinations. But I did not do that.
How is it better to read the keys to Cyfral? As I said, analog levels. Option two: analog-to-digital converter and comparator. The latter seems to me more reliable. Everything works fine if you connect a data line pulled to Vdd with a 650 Ohm resistor to one of the inputs of the comparator, and exactly half Vdd to the second, for which you can use a voltage divider from two identical resistors. After this, the result of the comparator output can be confidently perceived as high and low key resistance.
How to imitate such a key? At first glance, it seems that you also need to change the resistance, but the results showed that intercoms do not need such accuracy - you can safely close the line to the ground instead of low resistance and completely release it when you need high.
Metacom
Another domestic development is Metakom on-door speakerphones and K1233KT2 keys. Like Cyfral, it just infinitely sends code, changing its resistance / current consumption. Fortunately, official documentation is available on the Internet:
That's all you need to know to work with this key. It sends four bytes of data, but in each of them one bit goes to parity. Total comes 28 useful bits, and 2 28 = 268435456 combinations.
Alas, I could not find any such key to experiment with it. However, on the Internet it is easy to find a universal code that opens 99% of intercoms by Metacom. One of them is just in the next doorway from me. I wrote a program that sends this code based only on technical documentation. The next entrance opened on the first attempt. It seems that this intercom also does not really matter the exact resistance. On this, I left Metacom alone and decided that reading their keys is not so necessary.
Universal key codes
In fact, universal keys for intercoms - it is rather a myth. Developers almost never make for themselves some kind of special code for all doors, with the exception of only Vizit.
But there is a legend which says that after reading the key code, many intercoms check it with all the codes that are recorded in the memory cells. However, in cells where nothing else has been written, FFs or zeros are. Thus, the intercom can be opened by sending a key only from zeros or only from the FF.
Sounds like utter nonsense. How do you need to be a programmer to prevent such a bug? But ... it does work often. Yes, in the latest firmware this is usually fixed, but many intercoms remain unchanged for years. Unbelievable, but it is a fact.
Any other key codes issued for universal ones are usually just service keys for the employees of the post office, LCD or the intercom company itself, and they work only in certain localities.
Multi-key creation
Let's move on to practice! Yes, I tried to combine in one device and imitation of keys, and their reading (except Metacom), and synchronization with a computer via USB. Here is a diagram of what happened (clickable):
Components and their purpose:
- IC1 - ATMEGA8 / ATMEGA8A / ATMEGA8L microcontroller;
- U1 - USB controller FT232RL, needed to connect the device to the computer;
- CON1 - miniUSB connector;
- BT1 - Batteries giving 3-5 volts;
- D1 and D2 - diodes (preferably schottky), which isolate the battery power from the USB;
- P1 - “tablet” iButton, used to connect to intercoms;
- P2 - contacts of the key reader, used to connect to the keys;
- R1 - resistor, pull-up line 1-wire to VCC;
- R2 - current-lowering resistor to control the transistor Q2;
- R3 is a resistor, an even stronger pull-up line to VCC for reading Cyfral keys;
- R4 - current-lowering resistor, used to open Q1 and determine the connection to USB;
- R5 - pulls the base Q1 to the ground to close it when there is no USB connection;
- R6 - current-lowering resistor for LEDs, one is enough, because at the same time they do not burn;
- R7 and R8 - voltage divider for one of the comparator inputs to read Cyfral keys;
- Q1 - transistor to determine the connection to USB;
- Q2 - a transistor for turning on the ground on the reader and the emulator, in order not to put the batteries, accidentally closing the contacts in your pocket;
- C1 , C2 and C3 - power filter capacitors;
- SW1 - the only button to control the device;
- LEDS - seven LEDs in the shape of a figure eight to display the key number.
Printed circuit board (clickable):
It was still time before buying a 3D printer, when I designed the devices for the enclosures, not the enclosures for the devices. A very nice copy in the form of a keychain and with a button fell into my hands. Just perfect, it remained only to make holes for USB and LEDs. Alas, I still can not find on sale exactly the same body. The result was something like this:
Batteries under the board. By the way, I had enough of them for a year, until I accidentally climbed up to swim, forgetting to pull out the keys.
Control is done with just one button. When you first press it, the device turns on. By briefly pressing the button, the key is selected, the number of which is displayed by the LEDs. When the key is selected, it is enough to attach the contacts to the intercom reader.
A long press on the button switches the device to the key reading mode, while the middle LED flashes. At this point, you need to attach the key to the contacts of the key reader (for this purpose, I have a screw screwed in from the bottom). If the reading is successful, the number under which the key is stored in memory will be displayed.
When connected via USB, the device is seen as a virtual COM port. For simplicity, the client was written under Windows:
It allows you to read keys from the device, and automatically enters them into the database. Of course, the keys can and write.
The firmware sources are here: github.com/ClusterM/ibutton
Client sources here: github.com/ClusterM/ibutton_client
Conclusion
It is very convenient in one device to have the keys to the house, relatives, work and friends' entrances. Especially important for those who have not conducted an intercom handset in the apartment. But creating a multi-key was not so much useful as interesting. This is a great practice for learning microcontrollers. Yes, it was from this that I started in my time. In addition, each new non-opening staircase caused a storm of interest. Running around the city and solving logical problems in order to open a door is like a video game in real life! Damn exciting. Lacking only fights with Gopniki and grannies at the entrances in the form of bosses;)
Source: https://habr.com/ru/post/229843/
All Articles