Intercom multi-key and everything about emulating "tablet" keys. The key to all doors. Intercom key emulators and how the key is arranged.

There is a fairly common amateur view that the intercom key contains a magnet which opens the door on contact with the lock. This is not the case. The intercom key is much more complicated: it contains a permanent storage device that holds a serial number. When the key is brought to the reader on the intercom, the information is read from the key's non-volatile memory and the intercom unlocks the lock.

How the intercom key works in detail

The intercom key works as follows. The permanent storage device is a non-volatile Touch Memory chip of a specific brand, which exchanges information with the intercom over the so-called One-Wire bus. The bus is designed so that a single "wire" both carries communication with several devices and delivers their power. For this purpose a capacitor (about 60 pF) is built into the key; it briefly powers the memory while it is "communicating" with the main unit of the intercom. To keep the capacitor charged and the key's memory chip powered, the main unit generates a logical one at least every 120 μs.

One-Wire operating principle

The main unit of the intercom takes full responsibility for the exchange, because the key is a passive device without batteries and cannot generate any pulses. Its only task is to short the bus and hold it at zero. The main unit of the intercom constantly waits for a key and periodically generates a reset signal. Once applied, the key waits for the reset signal and answers with a presence pulse, showing the main module that a key is present and can be worked with.

If this pulse is very long, the main module treats it as a short circuit and takes no action; otherwise it issues the command to read the key memory.

How logical zeros and ones are transmitted

A passive device can do nothing except pull a logical one down to ground. In the intercom key this is organized in a particular way. If a logical one is transmitted, the bus is pulled low only briefly, for about 1 microsecond; if a logical zero is transmitted, the low period is noticeably longer. The exchange is organized this way so that the built-in capacitor keeps being charged and the key stays powered.

Key and Intercom

Once the exchange between the key and the intercom has been established, the intercom waits a short pause and begins to generate pulses to read the information from the key. A total of 64 pulses are generated, so 64 bits of information are received. The key's only task is to get the durations right: to send a logical zero it holds the bus low for a while, and to send a logical one it simply stays silent. The intercom performs all further analysis of the information.

When the intercom is installed, the installer first programs the main unit with the numbers of all the keys that will unlock the lock. When a key is applied, the intercom reads its number and checks it against its data: if the key is in the list, the lock is unlocked. Otherwise the main module of the intercom generates an error signal.


Conclusion

Given the complexity of the interaction between the key and the main unit of the intercom, making a duplicate of such a key is not an easy task. If the key is lost, contact the company that installed the intercom, or a specialized company that makes duplicates. Bring with you the key from which the duplicate is to be made. If attackers have worked out the code to the entrance, the keys must be recoded immediately. Remember that the security of the building rests on the shoulders of the residents living in it!

Some people think that intercom keys contain simple magnets that open the door on contact with the lock. This is a fairly common misconception. In reality the tablets are ROM with an identifier programmed into them. This type of memory is called Touch Memory.

The tablet communicates with the intercom over the One-Wire bus, a single-wire interface. The bus was developed by Dallas and allows communication with several devices over one wire. If the device is passive, its power is also delivered over that single conductor.

In the photo - the internal composition of the key

The tablet contains a 60 picofarad capacitor, which provides short-term power for the duration of the response. The master device constantly generates a logical one to charge this capacitor so that the ROM stays powered.

Everything the identifier needs for normal operation is transmitted over one wire. The 1-Wire bus turned out to be so successful that whole industrial networks are built on it.

What are the principles of the device?

The plants that produce intercom systems make the keys themselves, with unique non-repeating codes. During installation of the intercom, the installer company registers all the keys in the system's memory. Each time a key is applied to the reader, its information is checked against the intercom controller. If the code in the controller's memory matches the key, the door opens.

In many intercoms a lot of memory remains free, and the key also contains the values held in those free cells. When checking the key's code, the intercom treats it as recorded in memory and opens the door.

The universal key contains certain information that the intercom reads while in normal mode.

When a universal tablet is used, all operations take a few seconds longer than when original keys are read. The panel screen then displays information such as: Open, BAXTA, FL355, FL256, ERROR-OPEN, -, -_. Such keys are universal for all intercoms.

The operation of such keys does not depend on the intercom, on the country or city where it is installed, or on the company that installs and maintains the intercoms. They work on the same principle as ordinary keys. The only difference is that an ordinary key can open only one lock, and a universal one thousands.

However, it is advisable to have the right set. A universal key is good, but one alone may not be enough for all the intercoms found in big cities.

Why do you need a complete set of keys?

To be able to open absolutely all doors, you need to have a complete set, which includes different products:

  • Four tablets;
  • Pair of radiometers;
  • A two-contact key.

Such a set has many different identifiers even for new devices with radio players, as well as a regular key operating with two-contact devices.

Today you can find intercoms and electronic locks that work using Touch Memory technology. Many people use ordinary identifiers to get into their home. So as not to carry several different tablets in addition to the standard keys for mechanical locks, it is worth using a universal identifier that opens any intercom.

You do not need to have a whole set, if there is no particular need.


In the photo - a complete set of identifiers

By purchasing a universal key you can spare yourself extra problems. You no longer need to stand freezing at the door or spend a long time recalling the number of the apartment you came to visit. There is no need to spend mobile credit on calls asking relatives or friends to open the entrance. Universal keys are capable of opening a lot of intercoms.

People of many professions need not one key, but the whole set. It will come in handy:

  • Direct marketing and advertising agencies that have their own distribution service;
  • Courier delivery services;
  • Marketing and sociological services that are engaged in quarterly population surveys;
  • Newspaper carriers and postmen;
  • Advertising distributors;
  • Private entrepreneurs;
  • Housing and public utility workers;
  • Internet providers.

A set of several keys is necessary because manufacturers use different systems. In general, universal keys are a means of service access to intercoms provided by manufacturers.

You have lost the keys to the intercom and cannot make a duplicate. You want to visit your girlfriend but have no keys to her entrance. Or you just need to help your departure, but you can't get to her house. Then this article is for you.

A couple of words about the principle of operation ...
There is an opinion that the intercom tablets contain a magnet and that it opens the door. No, that is not so. The tablet is a ROM with a key hard-coded into it. This ROM is called Touch Memory, brand DS1990A. DS1990A is a brand of intercom keys. It communicates with the intercom over the One-Wire bus (a single-wire interface). This bus was developed by Dallas and lets two devices communicate over just one wire. If the device is passive (as in our case), it is also powered over this wire. Note that a common wire is still needed (to close the circuit), but as a rule the grounds of all devices connected to this bus are tied together. The key contains a 60 picofarad capacitor, which briefly powers the key while it responds. But the master device must constantly (at least every 120 microseconds) generate a logical one to charge this capacitor so that the ROM in the tablet stays powered.

Interior tablet device

One-Wire bus organization
The One-Wire bus works as follows. There is a master device and a slave device, in our case the passive key. The master generates the main signals: logical one and logical zero. The slave can only force zero signals (i.e. simply pull the bus to ground through a transistor). Simplified diagrams of the master and slave devices are shown in the pictures.

Master circuit

If you look at the circuit, it is easy to see that by default the master always holds +5 volts, i.e. a logical one. To transmit a logical zero the master shorts the bus to ground through a transistor, and to transmit a one it simply opens the transistor. This is done to provide power to the slave device. The slave is built similarly, except that it does not generate +5 volts. It can only pull the bus to ground, thereby transmitting a logical zero. A logical one is transmitted simply by the device's "silence".

Protocol operation
It is clear straight away that only the master runs the show: the DS1990A key itself either holds the bus at ground (after the master itself has pulled the bus to zero) or, when it wants to transmit a one, simply stays silent. Look at the drawing.

An example of reading a key intercom.

After the PRESENCE pulse has been generated, the master device waits for some time and gives the command to read the ROM, usually the command code of this family, in our case 33h. Pay attention to how zeros and ones are formed. In either case the pulse "drops" to ground, but for a one it is restored quickly (about 1 microsecond), while for a zero the pulse "hangs" at ground for a while and then returns to one. The return to one is needed so that the passive device keeps replenishing the capacitor's charge and stays powered. Next the intercom waits for some time and begins to generate read pulses, 64 pulses in all (i.e. it receives 64 bits of information). The key only has to get the durations right. If it wants to output a zero, it holds the bus at zero for some time; if not, it simply stays silent. The intercom does everything else.

The contents of the key DS1990A.
In intercoms, and in other devices where such keys are used to open doors, the DS1990A key is used. It is an 8-byte ROM with information written by laser.


Key dump scheme.

The low byte contains the family code. For the DS1990A it is always 01h. The following six bytes contain the key's serial number, the most secret part, which identifies the key. The last byte is the CRC, a check on the validity of the transmitted data. It is calculated from the seven preceding bytes. By the way, this is not the only standard. There are rewritable ROMs into which information can be written, and there are also encryption keys. But it is simply unrealistic to cover the whole variety of Dallas tablets in one article; you can read about them on the disk.

Physical construction of the key.
Probably everything above has killed any desire to tackle key emulators, because the key has to be read, and that is such a hassle. It turns out it is not! The manufacturers at Dallas took care of us and placed all the necessary information right on the key, in hexadecimal at that! It is engraved on the key and can be read quite easily, and later written into our wonderful emulator.

Key markings

Of all this information, we are interested in the following:

CC = CRC, the check byte, byte 7 in the firmware
SSSSSSSSSSSS = twelve nibbles (a nibble is 1/2 byte): the serial number, i.e. the key itself in hex codes
FF = family code, in our case 01h, byte zero of our key

It turns out that we can simply write a program and put the key into it, copying the dump by hand from what is visible on the real key, and we get a ready-made emulator. It is enough to take a key in hand and copy what is written on it. Which, in general, is what I did, with success. :)

Emulator.
So we have reached the tastiest part, the intercom key emulator. At first I found a ready-made emulator on some site, flashed it into my AT89C51, and it did not work (which is not surprising). But using other people's firmware and catching other people's bugs, deliberately left in the code, is not sporting. So I began to make my own emulators and write my own programs for them. In general I tried to build the emulator on 6 different microcontrollers of different architectures, belonging to two families, AVR and i8051, all made by Atmel. Not all of them worked, though programs were written for them. At first I set Napoleonic goals: to make a universal emulator with the possibility of key selection, but then I abandoned this idea as troublesome and pointless; let other people who are interested in this article take it up. The cost of the emulator, not counting the time spent, is less than 70-80 re, and can even be brought down to 30 re if you build it, for example, on the ATtiny12.

The principle of action of the emulator.
We have looked at the operation of the intercom in some detail, so describing the algorithm of the DS1990A emulator program is not a big problem. Look carefully at the diagram and think about what has to be done. And the following has to be done. A microcontroller pin left floating (not yet pulled to ground by the reset pulse) is read by the controller as a logical one. So, after power is applied to the controller, it must wait until the pin goes to ground, i.e. to zero. Having seen the zero, we rejoice, wait for some time and switch the port from read mode to write mode. Then pull the bus to zero and hold it for a while, generating the PRESENCE pulse (look at the pulse durations). Next, switch the bus back to read mode and wait for what the master, the intercom, tells us. It will send the read command, consisting of 8 bits. We will not decode it, because in 99.999% of cases it will be the command to give up the dump, i.e. 33h; just count 8 pulses and do not worry. Wait further. Now the most difficult and interesting part begins: you have to watch quickly what the intercom tells us and answer it just as quickly. We need to shift out the serial number, consisting of the 8 bytes I described above. I did it as follows (it does not matter which microcontroller, the principle is the same everywhere): I loaded a byte into a free register, shifted it right, and looked at the carry bit. As soon as the intercom drops the bus to zero, if my carry flag is set to one, I simply stay silent during this pulse and wait for the master to generate the next read pulse. If the carry flag is zero, then after the intercom has dropped the bus to zero I switch the microcontroller port to output mode, forcibly hold the bus at zero for a while, then release it and switch the controller port back to read mode.
By how long the pulse stays at ground, the master understands whether a one or a zero was transmitted. That is basically all; the intercom should then beep happily and open the door.

Practice.

Board tester. Vinta Dallas inscription.

After a little hassle and a war with the debugger, the code came out. Here is an example of the code that outputs the key to the intercom on the AT89C2051. (In general the AT89C2051 is a popular but obsolete controller. One of the first that I programmed. Minimal peripherals, and next to no memory either. It is programmed only by a high-voltage programmer. Although there is a newer replacement, the AT89S2051, which can be programmed in-circuit through some kind of AVR ISP, and maybe through AVRDUDE; I did not check. The most curious thing is that it is pin-compatible with the ATtiny2313, so the code can be ported to the tiny as well. Note by Di Halt)

Di Halt:
This ads code we wrote in with long 2006 in the apartment. Cut up to Ikota over their stupidups. I then felt the AVR for the first time. I was captured on a completely unfamiliar assembler of reading procedure from EEPROM, the length of the demosplant for my future emulator was painted. My joke with a wuffog was particularly remembered when I was resettled while writing in the ENPROM and drinking the I2C memory from the board with a cutting circle. Eh ... Nicho, I move to Moscow again Inexed!

    ;========================================================
    ; Send the serial number out on the line
    ; In:  R0 - address of the serial, including tablet type and CRC8
    ; Use: A, B, R0, R1, R2
    ;========================================================
    DEMUL_SENDSER:
            MOV   R2, #8            ; 8 bytes to send
    SS3:    MOV   ACC, @R0          ; fetch the next byte
            MOV   R1, #8            ; 8 bits per byte
    SS2:    JB    TouchFuck, $      ; wait for the bus to drop 1->0
            RRC   A                 ; C := A.0; shift A
            MOV   TouchFuck, C      ; TouchFuck := C
            MOV   B, #9
            DJNZ  B, $              ; delay 20 us
            SETB  TouchFuck         ; release the bus
            JNB   TouchFuck, $      ; loop while the bus is 0
            DJNZ  R1, SS2
            INC   R0
            DJNZ  R2, SS3
            RET
    ;========================================================

Results.
As a result I ended up with many emulators. True, some of them still need to be finished. Several, though, work 100%. Examples of the emulators can be seen in the pictures.



Photos of emulators

The most interesting part is the CRC check that the intercom performs. You will need it if you want to put a Dallas lock on, for example, your computer. An example of CRC calculation on the AT89C2051 (although this code will work on all microcontrollers of the i8051 family):

    DO_CRC: PUSH  ACC           ; save accumulator
            PUSH  B             ; save the B register
            PUSH  ACC           ; save bits to be shifted
            MOV   B, #8         ; set shift = 8 bits
    ;
    CRC_LOOP:
            XRL   A, CRC        ; calculate CRC
            RRC   A             ; move it to the carry
            MOV   A, CRC        ; get the last CRC value
            JNC   ZERO          ; skip if data = 0
            XRL   A, #18H       ; update the CRC value
    ;
    ZERO:   RRC   A             ; position the new CRC
            MOV   CRC, A        ; store the new CRC
            POP   ACC           ; get the remaining bits
            RR    A             ; position the next bit
            PUSH  ACC           ; save the remaining bits
            DJNZ  B, CRC_LOOP   ; repeat for eight bits
            POP   ACC           ; clean up the stack
            POP   B             ; restore the B register
            POP   ACC           ; restore the accumulator
            RET
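The same CRC check in C, as an added example that is not part of the original article: `crc8_update` mirrors the DO_CRC routine above bit for bit, and `rom_check` applies it on the reader side to a received 8-byte ROM frame. The function names and the sample serial number are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DS1990A_FAMILY 0x01 /* family code given in the article */

typedef enum { ROM_OK, ROM_BAD_CRC, ROM_WRONG_FAMILY } rom_status;

/* One byte of the Dallas CRC-8 (x^8 + x^5 + x^4 + 1), LSB first.
 * DO_CRC XORs the CRC with 18h and rotates right through the carry;
 * shifting right and XORing with 8Ch gives the same result. */
uint8_t crc8_update(uint8_t crc, uint8_t data)
{
    for (int bit = 0; bit < 8; bit++) {
        uint8_t mix = (uint8_t)((crc ^ data) & 0x01);
        crc >>= 1;
        if (mix)
            crc ^= 0x8C;
        data >>= 1;
    }
    return crc;
}

uint8_t crc8_block(const uint8_t *buf, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++)
        crc = crc8_update(crc, buf[i]);
    return crc;
}

/* rom[] is in the order the bytes arrive on the bus:
 * rom[0] family code, rom[1..6] serial number, rom[7] CRC. */
rom_status rom_check(const uint8_t rom[8])
{
    if (crc8_block(rom, 7) != rom[7])
        return ROM_BAD_CRC;
    if (rom[0] != DS1990A_FAMILY)
        return ROM_WRONG_FAMILY;
    return ROM_OK;
}

/* Helper that builds constructed sample frames with a correct CRC. */
void rom_build(uint8_t rom[8], uint8_t family, const uint8_t serial[6])
{
    rom[0] = family;
    for (int i = 0; i < 6; i++)
        rom[1 + i] = serial[i];
    rom[7] = crc8_block(rom, 7);
}

static const char *rom_status_name(rom_status s)
{
    switch (s) {
    case ROM_OK:           return "ok";
    case ROM_BAD_CRC:      return "bad CRC";
    case ROM_WRONG_FAMILY: return "wrong family code";
    }
    return "?";
}

int main(void)
{
    /* Constructed serial number, not taken from any real key. */
    const uint8_t serial[6] = {0x11, 0x22, 0x33, 0x44, 0x55, 0x66};
    uint8_t good[8], noisy[8], zeros[8] = {0};

    rom_build(good, DS1990A_FAMILY, serial);
    for (int i = 0; i < 8; i++)
        noisy[i] = good[i];
    noisy[3] ^= 0x10;               /* one bit damaged in transit */

    printf("good frame : %s\n", rom_status_name(rom_check(good)));
    printf("noisy frame: %s\n", rom_status_name(rom_check(noisy)));
    /* Seven zero bytes give CRC 00h, so the CRC test alone passes here. */
    printf("all zeros  : %s\n", rom_status_name(rom_check(zeros)));
    return 0;
}
```

An all-zero frame carries a valid CRC, so a reader that checks nothing but the CRC accepts it; here the family-code check is what rejects it.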

Conclusion.
As you can see, intercom keys are not as simple as they seem. However, emulating them is within reach of anyone who can program and handle a soldering iron.

Di Halt:
Deeds of days long gone, legends of deep antiquity ... Long - WDR! (Only the initiated will understand ;)))))

Pre-editorial version of the article from Hacker magazine

It began with the fact that I had to carry several keys (tablets) for intercoms. Searching the Internet, I found an acceptable circuit and, having built it, was delighted with its trouble-free operation.

The tablet is Maxim's DS1990A chip. The device can read into memory and emulate up to 10 such keys.


The key communicates with the intercom over a two-wire 1-Wire bus, through which it also receives power.


The circuit of the key emulation device is very simple. It is based on the ATtiny2313 microcontroller; for display I used a single-digit seven-segment indicator, which shows the operating mode of the cell. C3 switches modes, C2 selects the cell number. To indicate recording mode I used an ordinary LED. The whole intercom key replacement draws a current of only 10 mA.

It is clocked from the built-in oscillator at 8 MHz. When flashing, you must enable the BOD (program the BODLEVEL0 fuse, BODLEVEL1 erase BODLEVEL2), otherwise EEPROM data is lost when the power is turned off.


Working with a key for intercom:

Key programming. When C3 is pressed, an additional LED lights up. Select the cell number with C2 and bring the tablet key to the contacts. The key's data is copied to the controller's EEPROM and the LED goes out automatically.

Key emulation. To emulate a key, select the cell number on the indicator and then touch the contacts to the intercom.

Yes, this is a terribly hackneyed topic. Probably every second person who has started studying microcontrollers has made a universal "tablet" intercom key. There are plenty of articles and ready-made solutions on the Internet. Yet interest does not fade even with the mass transition to RFID. That is not surprising, because many people want to build a device that not only performs a very interesting task but is also always with them. Besides, it is not that hard to make.

In this post I would like to gather in one place all the information needed by those who want to make such a key. I will try to explain what contact intercom keys are, how they work, how to imitate them and what the pitfalls are, and also describe my own implementation of such a device and how to build a similar one yourself.

Attention! This key does not allow you to enter anywhere illegally. The device is intended only for carrying one key instead of several.

Although nothing prevents you from writing universal intercom opening codes into it.

Types of intercom keys "Tablets"

iButton.
The most popular type of intercom key is iButton, namely the DS1990A from Dallas, which works over the 1-Wire protocol. The protocol is quite cunning and implies two-way interaction: commands can be sent to the key, and it reacts to them in different ways. The serial number is six bytes long, which gives 2^(8*6) = 281474976710656 different combinations and implies that all keys produced must be unique. If you are lucky and have an original iButton, this number should be laser-engraved on it in hexadecimal:

That is, theoretically someone else's key of this kind can be copied if these numbers are simply written down somewhere or photographed!

To interact with an iButton, it is enough to connect it to the microcontroller and pull the data line up to the supply (2.8-5 volts) through a resistor:

For many this is probably as old as the world, but I will still describe how 1-Wire works. Data is exchanged by alternately pulling the line to ground, and the information is encoded in the duration of these pulses. It goes like this:

  • Reset - the master pulls the line to ground for at least 480 microseconds, which signals the start of data transfer.
  • Presence - after some time the key responds with a pulse of about 120 microseconds, confirming its presence on the line.
  • Command - the master sends an eight-bit command, where a logical one is 1-15 microseconds and a zero is 60-120.

What follows depends on the command sent. Usually it is 33h, "Read ROM", reading the serial number, after which the master reads 64 bits (1 byte of device type, 6 bytes of the number itself, 1 byte of CRC). Reading each bit is initiated by the master, which sends a pulse of 1-15 microseconds for this. If after that the key holds the line at ground for 60-120 microseconds, a zero is read; otherwise a one.

  • You must always respond to reset, even if it is sent during data transfer. A pulse longer than 480 microseconds means everything has to start over.
  • From the key's point of view, the moment it is applied is also a reset, since there was no power before that. So theoretically the intercom may not send a reset at all, and one should periodically respond with a presence signal on one's own initiative.
  • Keys can react to other commands: 0Fh as an alternative to 33h, Skip ROM (CCh), Match ROM (55h) and the trickiest one, which I describe separately below, Search ROM (F0h). Some intercoms send various combinations of such commands to make sure the key is real.
  • The reverse situation also occurs: the intercom sends a command to which the key should not react. The point is that some programmable keys do react to them, and this is one more check. Everything that follows such commands must be completely ignored until a reset is sent.
  • For timing it is better to use an asynchronous timer in the microcontroller, because the count is in microseconds. However, installing a quartz crystal is unnecessary.

About Search ROM (F0h): this is the command for finding all 1-Wire devices on the bus. Theoretically many keys can be connected in parallel and a list of all their serial numbers obtained. In practice this is not used for iButton, because only one key is ever applied to the intercom. However, some intercoms do send this command, expecting one single serial number. The algorithm is very interesting. All devices on the bus simultaneously send the bits of their serial numbers, each bit twice (i.e. the master has to read two bits): first as is, then inverted. What is the result? If a device's serial number has a one in that position, "10" is sent; if a zero, "01". All is well as long as every device has the same bit there. And if not ... As I wrote above, when reading, the presence of a long pulse means 0 and its absence means 1, i.e. 0 is dominant. So when a conflict occurs, two zeros are read. Having received "10", "01" or "00", the master must send the bit it has just read back to the line. In the case of "00" it thereby chooses which group of devices to continue working with. As a result, after N iterations a binary tree of N serial numbers is obtained.
Answering this command is somewhat harder than the usual Read ROM. Each bit has to be sent twice, plain and inverted, and then the bit received back from the master must be compared with it; if it does not match, further commands are ignored.
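The master's side of the Search ROM exchange, run against a simulated wired-AND bus, as an added example that is not from the original post. The `sim_bus` structure and the three ROM values are constructed; their top (CRC) bytes are placeholders because the search itself never checks them.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEV 8

typedef struct {
    uint64_t rom[MAX_DEV];    /* 64-bit ROM, bit 0 goes on the wire first */
    int      active[MAX_DEV]; /* still taking part in the current pass */
    int      count;
} sim_bus;

/* Read slot: the line is high only if every active device sends a 1,
 * because any device sending 0 pulls the shared line to ground. */
static int bus_read(const sim_bus *b, int pos, int inverted)
{
    int level = 1;
    for (int d = 0; d < b->count; d++) {
        if (!b->active[d])
            continue;
        int bit = (int)((b->rom[d] >> pos) & 1);
        level &= inverted ? !bit : bit;
    }
    return level;
}

/* Write slot: devices whose bit differs from the master's choice drop out. */
static void bus_write(sim_bus *b, int pos, int dir)
{
    for (int d = 0; d < b->count; d++)
        if (b->active[d] && (int)((b->rom[d] >> pos) & 1) != dir)
            b->active[d] = 0;
}

/* One pass after reset + F0h. *last_disc is the position of the last "00"
 * conflict where the previous pass chose 0 (-1 before the first pass);
 * *rom holds the previous result. Returns 1 if a device was found. */
int search_pass(sim_bus *b, uint64_t *rom, int *last_disc)
{
    uint64_t found = 0;
    int last_zero = -1;

    for (int d = 0; d < b->count; d++)
        b->active[d] = 1;

    for (int pos = 0; pos < 64; pos++) {
        int plain = bus_read(b, pos, 0);
        int inv   = bus_read(b, pos, 1);
        int dir;

        if (plain && inv)
            return 0;                     /* "11": nothing on the bus */
        if (plain != inv) {
            dir = plain;                  /* "10" or "01": all agree */
        } else {                          /* "00": devices disagree */
            if (pos < *last_disc)
                dir = (int)((*rom >> pos) & 1); /* repeat earlier choice */
            else
                dir = (pos == *last_disc);      /* now take the 1 branch */
            if (!dir)
                last_zero = pos;          /* a 1 branch is still unexplored */
        }
        if (dir)
            found |= 1ULL << pos;
        bus_write(b, pos, dir);
    }
    *rom = found;
    *last_disc = last_zero;
    return 1;
}

/* Walks the whole tree; returns the number of ROMs written to out[]. */
int enumerate(sim_bus *b, uint64_t *out, int max)
{
    uint64_t rom = 0;
    int last_disc = -1, n = 0;

    while (n < max && search_pass(b, &rom, &last_disc)) {
        out[n++] = rom;
        if (last_disc < 0)
            break;                        /* no unexplored branches left */
    }
    return n;
}

int main(void)
{
    /* Constructed ROMs: family 01h in the low byte, placeholder top byte. */
    sim_bus bus = { .rom = { 0x5100000000A1B201ULL, 0x7700000000A1B301ULL,
                             0x1C00000000C4B201ULL }, .count = 3 };
    uint64_t out[MAX_DEV];
    int n = enumerate(&bus, out, MAX_DEV);

    for (int i = 0; i < n; i++)
        printf("found %016" PRIX64 "\n", out[i]);
    return 0;
}
```

With a single device on the bus no "00" pair ever appears and the first pass returns its ROM directly, which is the case the intercoms mentioned above expect.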

Cyfral.
The "DC-2000A" key is a domestic development. It is much easier to interact with, because these keys are very dumb: they accept no commands. It is enough to apply power to the key, and it immediately starts sending its code endlessly by changing its resistance. If you give it 5 volts through a 1 kOhm resistor, an oscilloscope shows approximately this picture:

The key changes its resistance between about 800 ohms and 400 ohms, if I am not mistaken, and therefore its current consumption. One can say that the signal is analog, and from a hardware point of view this complicates things a little. Although sometimes it can simplify them. For example, the key can be read simply by connecting it to the microphone input of a computer and recording an audio file.

And yes, the intercom then can be opened with the most common MP3 player. But we are also interested in more civilized methods, right?

The coding is a bit strange. The key cyclically sends nine nibbles (four bits each) by changing its resistance. If it stays low for about 50 microseconds, that is a logical zero, and if for 100 microseconds, a one. But the data is encoded not by the logical zeros and ones themselves but by the position of the one among the zeros! That is, when sending the code the key can output only one of four combinations: "1000", "0100", "0010" and "0001". The combination "0111" is also used, however, as a start sequence. As a result, the data from the key may look something like this: "0111 1000 0100 0010 0001 1000 0100 0010 0001", where "0111" marks the beginning. There is no checksum; the code is simply read several times for confidence.

That makes eight sequences, each with four possible combinations. It is easy to calculate that this gives 65536 key variants. That is not many, so they clearly repeat. Theoretically, in an entrance of apartments, each of which has three keys issued, one of them can be matched by going through only 436 combinations. But I did not do that.

How is it best to read Cyfral keys? As I said, the levels are analog. There are two options: an analog-to-digital converter or a comparator. The latter seems more reliable to me. Everything works fine if you connect the data line to a 650 ohm resistor and to one of the comparator's inputs, and apply exactly half of VDD to the second input, for which a voltage divider of two identical resistors can be used. After that the comparator's output can be confidently taken as the high and low resistance of the key.

How to imitate such a key? At first glance it seems the resistance has to be varied as well, but the results showed that intercoms do not need such precision: you can simply short the line to ground in place of the low resistance and release it completely when the resistance should be high.

Metakom

Another domestic development is Metakom and its K1233k2 keys. Like Cyfral, the key simply sends its code endlessly by changing its resistance / consumed current. Fortunately, official documentation is available on the Internet:

That's all you need to know to work with this key. It sends four data bytes, but in each of them one bit is used for checking. That leaves 28 useful bits, and 2^28 = 268435456 combinations.

Alas, I could not find a single such key to experiment with. However, on the Internet it is easy to find a universal code that opens 99% of Metakom intercoms. One of them is right in the entrance next to mine. I wrote a program that sends this code based only on the technical documentation. The neighboring entrance opened on the first attempt. It seems that exact resistance is not so important to this intercom either. At that point I left Metakom alone and decided that reading its keys is not really necessary.

Universal key codes

In fact, universal keys for intercoms are largely a myth. Developers almost never build in a special code for all doors for themselves; the only exception is VIZIT.

But there is a legend that, after reading a key code, many intercoms compare it against all the codes recorded in their memory cells. However, cells to which nothing has been written yet contain FFs or zeros. Thus, the intercom can be opened by sending a key consisting only of zeros or only of FFs.

It sounds like complete nonsense. What kind of programmer would allow such a bug? But... it really does work often. Yes, in recent firmware it is usually fixed, but many intercoms remain in place unchanged. Unbelievable, but it is a fact.
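
The lookup bug described above next to a corrected lookup, as an added example written for illustration (it is not code from any intercom vendor or from the author's firmware). The table layout, `KEY_LEN`, `SLOTS`, the sample key and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 8   /* assumed code length for this example */
#define SLOTS   4   /* assumed table size */

typedef struct {
    uint8_t cells[SLOTS][KEY_LEN];  /* non-volatile key cells */
    size_t  enrolled;               /* how many cells were actually programmed */
} key_table;

/* Constructed sample: one enrolled key, remaining cells left at `blank`. */
key_table sample_table(uint8_t blank) {
    static const uint8_t k[KEY_LEN] = {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};
    key_table t;
    memset(t.cells, blank, sizeof t.cells);
    memcpy(t.cells[0], k, KEY_LEN);
    t.enrolled = 1;
    return t;
}

/* Vulnerable: every cell is compared, including never-programmed ones. */
bool match_vulnerable(const key_table *t, const uint8_t *key) {
    for (size_t i = 0; i < SLOTS; i++)
        if (memcmp(t->cells[i], key, KEY_LEN) == 0)
            return true;
    return false;
}

/* True if the code is all 0x00 or all 0xFF, i.e. looks like an erased cell. */
static bool is_blank(const uint8_t *c) {
    for (size_t i = 1; i < KEY_LEN; i++)
        if (c[i] != c[0])
            return false;
    return c[0] == 0x00 || c[0] == 0xFF;
}

/* Hardened: blank codes are never valid, and only enrolled cells are compared. */
bool match_hardened(const key_table *t, const uint8_t *key) {
    if (is_blank(key))
        return false;
    for (size_t i = 0; i < t->enrolled && i < SLOTS; i++)
        if (memcmp(t->cells[i], key, KEY_LEN) == 0)
            return true;
    return false;
}
```

Either check alone closes the hole; keeping both means a corrupted `enrolled` counter or a cell erased by a later key deletion still cannot turn a blank code into a match.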

Any other key codes passed off as universal are usually just service keys for employees of the post office, the FSO or the intercom company itself, and they work only in certain localities.

Creating a multi-key

Let's move on to practice! Yes, I tried to combine in one device both imitation of keys and their reading (except for Metakom), as well as synchronization with a computer over USB. Here is the schematic that resulted:

Components and their purpose:

  • IC1 - ATMEGA8 / ATMEGA8A / ATMEGA8L microcontroller;
  • U1 - FT232RL USB controller, needed to connect the device to a computer;
  • Con1 - miniUSB connector;
  • BT1 - batteries giving 3-5 volts;
  • D1 and D2 - diodes (preferably Schottky) that isolate the battery power from the USB power;
  • P1 - iButton "tablet", used to connect to intercoms;
  • P2 - key reader contacts, used to connect to keys;
  • R1 - resistor pulling the 1-Wire line to VCC;
  • R2 - current-limiting resistor for controlling the Q2 transistor;
  • R3 - resistor pulling the line to VCC even more strongly, for reading Cyfral keys;
  • R4 - current-limiting resistor, used to open Q1 and detect the connection to USB;
  • R5 - pulls the base of Q1 to ground to close it when there is no connection to USB;
  • R6 - current-limiting resistor for the LEDs; one is enough because they are never lit at the same time;
  • R7 and R8 - voltage divider for one of the comparator's inputs, for reading Cyfral keys;
  • Q1 - transistor for detecting the connection to USB;
  • Q2 - transistor that switches ground to the reader and the emulator, so that the batteries are not drained if the contacts are accidentally shorted in a pocket;
  • C1, C2 and C3 - power supply filtering capacitors;
  • SW1 - the only button, used to control the device;
  • LEDs - seven LEDs arranged as a figure eight, to display the key number.

PCB:

That was back before I bought a 3D printer, when I designed devices to fit a case rather than a case to fit the device. A very nice specimen in the form of a keychain with a button. Just perfect; all that remained was to make holes for the USB connector and the LEDs. Alas, I still cannot find exactly the same case on sale. In the end it turned out something like this:

The batteries are under the board. By the way, they lasted me a year, until I accidentally got into battle, having forgotten to take out the keys.

Control is done with a single button. The first press turns the device on. Short presses select the key, whose number is displayed by the LEDs. Once the desired key is selected, it is enough to touch the contacts to the intercom reader.

A long press puts the device into key reading mode, and the middle LED flashes. At this point you need to touch the key to the key reader contacts (this is exactly what the ones screwed in from below are for). If the read succeeds, the number under which the key was stored in memory is displayed.

When connected via USB, the device appears as a virtual COM port. For convenience, a client was written for Windows:

It lets you read the keys from the device, automatically entering them into the database. Of course, the keys can also be written.

The firmware source is here.