You've lost your intercom keys and can't make a duplicate. You want to visit a friend, but you don’t have the keys to her entrance. Or you just need to give a shit to your enemy, but you can’t get into his house, then this article is for you.
A few words about the principle of operation...
There is an opinion that there is a magnet in the intercom tablets, and it opens the door. No, that's not true. The tablet is a ROM with a key hard-wired into it. This ROM is called Touch Memory, brand DS1990A. DS1990A is a brand of intercom keys. Communicates with the intercom via the one-wire bus (single-wire interface). This bus was developed by Dallas and allows two devices to communicate using just one wire. If the device is passive (as in our case), then it also transmits power to it through this wire. It should also be noted that a common wire is also needed (for the circuit to close), but, as a rule, all the grounds of the devices connected to this bus are connected together. The key contains a 60 picofarad capacitor, which provides short-term power to the key at the time of response. But the master device must constantly (at least every 120 microseconds) generate a one signal to charge this capacitor so that the ROM in the tablet continues to be powered.
Internal structure of the tablet
One-wire bus organization
The One-wire bus works as follows. There is a master device and a slave device, in our case a passive key. The main signals are generated by the master, logical one and zero signals. The slave device can only forcibly generate zero signals (i.e., simply drive the bus to ground through the transistor). A simplified diagram of a master and slave device is shown in the pictures.
Master circuit
If you look at the diagram, it is easy to notice that by default the master is always +5 volts, a la logical unit. To transmit a logical zero, the master closes the bus to ground through a transistor, and to transmit a 1, it simply opens it. This is done to provide power to the slave device. The slave device is made similarly, only it does not generate +5 volts. It can only sag the bus to the ground, thereby transmitting a logical zero. A logical unit is transmitted simply by the “silence” of the device.
Work protocol
You can immediately clearly notice that only the Master rules the parade, the DS1990A key itself either holds the ground (the master himself sets the bus to zero), or simply remains silent; if he wants to transfer a unit, then he simply remains silent. Let's look at the drawing.
An example of an intercom reading a key.
After the PREFERENCE pulse is generated by the key, the master device waits for some time and issues a command to read the ROM, usually this is a family code, in our case 33H. Pay attention to how the transmission of zero and one is done. In any case, the pulse “drops” to the ground, but if one is transmitted, then it is quickly restored (about 1 microsecond), but if there should be zero, then the pulse “hangs” on the ground for some time, then returns to one again. Returning to unity is necessary so that the passive device constantly replenishes the energy of the capacitor, and there is power on it. Next, the intercom waits for some time and begins to generate pulses for receiving information, 64 pulses in total (i.e., it receives 64 bits of information). The key is just to match the durations correctly. If he wants to output zero, then he keeps the bus at zero for some time, but if not, then he simply remains silent. The intercom does the rest for him.
Contents of the DS1990A key.
In intercoms, and simply devices where similar devices are used to open doors, a key of the DS1990A standard is used. This device is an 8-byte ROM with information recorded by a laser.
 |
Key dump diagram.
The low byte contains the family code. For DS1990A it will always be 01h. The next six bytes contain the key serial number. The very secret thing that identifies the key. The last byte is called CRC, this is a parity check that ensures the authenticity of the transmitted data. It is calculated from the previous seven bytes. By the way, note that this is not the only standard. There are rewritable ROMs on which information can be stored, and there are also encryption keys. But the whole variety of Dallas tablets is simply impossible to consider in one article; you can read about them on the disk.
Physical device of the key.
Probably, all of the above has discouraged any desire to work with key emulators, because the key must be read, and this is such a hemorrhoid. It turns out not! The Dallas manufacturers took care of us and placed all the information we needed directly on the key, and in hexadecimal at that! It is engraved on it and can be read, and then later sewn into our wonderful emulator.
 |
Key muzzle
From all this information we are interested in the following:
CC = CRC is the parity byte 7th byte in the firmware
SSSSSSSSSSSS = twelve nibls //nibl = 1/2 byte // serial number, i.e. the key itself in hex codes.
FF = family code, in our case it is equal to 01h - the zero byte of our key.
It turns out that we can simply write a program, put the entire key into it, manually copying the dump visually from the real key, and we will get a ready-made emulator. It is enough to simply take the key from your enemy and rewrite what is written on it. Which I generally did with success. :)
Emulator.
Now we have come to the most delicious thing - an intercom key emulator. First, I found a ready-made emulator on some website, installed it in my AT89C51 and it didn’t work (which is not surprising). But it’s not fun to use other people’s firmware and catch other people’s specially left bugs in the code. Therefore, I started making my own emulators and writing my own programs for them. In general, I tried to make an emulator on 6 different microcontrollers, different architectures, belonging to two families of AVR and i8051, all made by Atmel. Not all of them made money, and a lot of programs were written. At first, the general Napoleonic tasks were set to make a universal emulator with the ability to select a key, but then I abandoned this idea due to its messiness and pointlessness, let other people who would be interested in this article take care of it. But the cost of the emulator, not counting the labor expended, is less than 70-80 rubles, you can even keep it at 30 rubles if you do it, for example, on ATtiny12.
The principle of operation of the emulator.
We have examined in some detail the principle of operation of the intercom, and accordingly it will not be a big problem to describe the algorithm of the DS1990A emulator program. We look carefully at the diagram and think about what needs to be done. And you need to do the following. The leg of the microcontroller hanging in the air (not yet connected to the ground, the reset pulse) will be considered a logical unit by the controller. It means that after supplying power to the controller, we must wait until our leg goes to the ground, and to zero. As soon as we heard zero, we rejoice, wait a while and switch the port from read mode to write mode. Then we drop the bus to zero and hold it for a while - generating a PRESENCE pulse (see the pulse duration in the datasheet). Then we switch the bus to read mode again, and wait for what the intercom master will tell us. He will tell us a read command consisting of 8 bits. We will not decode it, because... in 99.999% of cases he will tell us the command to give his dump, a la 33H, we just count 8 pulses and don’t worry. We wait further. And the most difficult and interesting part begins - we need to quickly look at what the intercom is telling us and answer it quickly too. We need to output the serial number bit by bit, consisting of the 8 bytes that I mentioned above. I did it in the following way (no matter what microcontroller, the principle will be the same everywhere), loaded a byte into some free register, and shifted it to the right, and looked at the carry bit. As soon as the intercom drops the bus to zero, then if my carry flag is set to one, then I simply remain silent for this impulse and wait for the generation of the next bit reading impulse from the master. If I have a zero in the transfer flag, then after the intercom drops the bus to zero, I switch the microcontroller port to output mode and forcefully hold the bus at zero for a while, then release it and switch the controller port back to read mode. Based on the duration of the pulse in the ground, the device master understands whether a one or a zero was transmitted to it. In principle, that’s it, then the intercom should beep joyfully and open the door.
Practice.
Tester board. Seeing the inscription Dallas.
After a little hesitation and a war with the debugger, the code turned out. Here is an example of the data output code for the intercom on the AT89C2051. (In general, the AT89C2051 is a popular, but outdated controller. One of the first that I programmed. The peripherals are minimal, the memory is also nothing. It can only be sewn with a high-voltage programmer. Although there is a new replacement for it, the AT89S2051, it can already be flashed in-circuit through some kind of AVR ISP, and maybe through AVRDUDE - I haven’t checked. The most interesting thing is that it is compatible with ATTiny2313, so the code can be ported to Tinka. Note: DI HALT)
DI HALT:
We wrote this hellish code with Dlin back in 2006 in his apartment. They were laughing to the point of hiccups over their stupid things. That was the first time I touched AVR. I sat fiddling with a procedure for reading from EEPROM in an assembler that was completely unfamiliar to me, while Dliny was tinkering with a demo board for his future emulator. I especially remember my joke with the watchdog, when my MK was reset while writing to EEPROM and cutting out an i2c memory chip from the board using a cutting wheel. Eh... never mind, I’ll drive you to Moscow and we’ll have a blast again!
;===================================================== ; Serial serialization; in: R0- address where the serial number with the tablet type and CRC8 is located; USES: A,B,R0,R1,R2 ;==================================================== =================== DEMUL_SendSer: mov R2,#8 SS3: mov ACC,@R0 mov R1,#8 SS2: JB TouchFuck,$ ;waiting for the tire to be dropped in zero 1->0 RRC A ;C:=A.0; shift A; mov TouchFuck,C ;TouchFuck:=C; MOV B,#9 DJNZ B,$ ;Delay 20 us setb TouchFuck JNB TouchFuck,$ ;cycle while 0 DJNZ R1,SS2 inc R0 DJNZ R2,SS3 ret ;=============== =======================================================
Results.
As a result, I got a lot of emulators. True, some of them still need to be brought to fruition. Although a few are 100% working. You can see examples of emulators in the photos.
 |
 |
Photos of emulators
The most interesting is the CRC check, which is carried out by the intercom. You will need this if you want to install a Dallas lock on your computer, for example. An example of calculating CRC on the A89C2051 (although this code will work on all microcontrollers of the i8051 family.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 DO_CRC: PUSH ACC ;save accumulator PUSH B ;save the B register PUSH ACC ;save bits to be shifted MOV B,#8 ;set shift = 8 bits ; CRC_LOOP: XRL A,CRC ;calculate CRC RRC A ;move it to the carry MOV A,CRC ;get the last CRC value JNC ZERO ;skip if data = 0 XRL A,#18H ;update the CRC value ; ZERO: RRC A ;position the new CRC MOV CRC,A ;store the new CRC POP ACC ;get the remaining bits RR A ;position the next bit PUSH ACC ;save the remaining bits DJNZ B,CRC_LOOP ;repeat for eight bits POP ACC ;clean up the stack POP B ;restore the B register POP ACC ;restore the accumulator RET DO_CRC: PUSH ACC ;save accumulator PUSH B ;save the B register PUSH ACC ;save bits to be shifted MOV B,#8 ;set shift = 8 bits ; CRC_LOOP: XRL A,CRC ;calculate CRC RRC A ;move it to the carry MOV A,CRC ;get the last CRC value JNC ZERO ;skip if data = 0 XRL A,#18H ;update the CRC value ; ZERO: RRC A ;position the new CRC MOV CRC,A ;store the new CRC POP ACC ;get the remaining bits RR A ;position the next bit PUSH ACC ;save the remaining bits DJNZ B,CRC_LOOP ;repeat for eight bits POP ACC ;clean up the stack POP B ;restore the B register POP ACC ;restore the accumulator RET
Conclusion.
As you can see, intercom keys are not as simple as they seem. However, they can be emulated by anyone who knows programming and a soldering iron.
DI HALT:
Deeds of bygone days, deep legends... Long - WDR! (will be clear only to the initiated;)))))
Pre-edited version of an article from Hacker magazine
Recently arrived, but firmly established in everyday life, intercoms are deservedly popular among the capital's residents. In the bustle of the metropolis, it is important to maintain the safety of personal space, maintain cleanliness, order, and silence in the house. A high-quality intercom is not only a reliable device and a handset with good audibility, but also a practical tablet key that will not let you down at a crucial moment. Manufacturing keys for tablets is one of the main areas of work of our company.
Intercoms differ greatly in design and purpose. There are audio and video intercoms, and the latter can be equipped with either a monochrome or color display. Digital and coordinate matrix, small and multi-subscriber intercoms are distinguished by the same variety of unlocking devices. The most common of them are key tablets in Moscow, which almost every capital resident has. In general, there are several types of unlocking devices, duplicates of which can be made in our workshop.
Keys for intercoms are united by the principle of operation. Each duplicate tablet key sends a signal to the reader, which processes the information received in a matter of seconds and unlocks the door. A special code is applied during manufacture. If you need to make a new tablet key, you just need to read the information from the original provided and apply it to a clean blank. However, the task, which takes only a few minutes, requires professional knowledge, because each manufacturer has its own way of encoding keys.
Our workshop is well known to residents of the capital - thousands of Muscovites have our intercom keys on their bundles, which, judging by the reviews of regular customers, work flawlessly in any conditions. The quality of the tablet key, the price of which is quite reasonable and about 10% lower than the Moscow average, is the main reason that engineers and entrepreneurs, doctors and teachers from all metropolitan areas come to our company. They are confident that our keys, made to the highest standards, will not fail under any circumstances.
It is not difficult to order tablet keys in the capital - almost every workshop will undertake their production. The question is how long the product will last, whether it will break during operation, or whether it will decode during intensive use. By contacting the World of Keys company, you get rid of the need to wait for a representative of the company that installed the intercom, and you will receive high-quality tablets in the shortest possible time. We are proud that when the need arises again, customers come back here again and recommend the workshop to family, friends, and colleagues: keys made using modern equipment will serve faithfully for many years.
Nowadays, various electronic locks with electronic keys in the form of a “tablet” or “flash drive” are very popular. The key is a storage device in which a certain digital code is stored. And the basis of the lock is a microcomputer, which reads and analyzes this code.
I will not argue about the advantages and disadvantages of such locks, I simply bring to the attention of readers my development of a similar device operating on an analog principle.
The essence of the matter is that in my lock the key is a zener diode for a certain stabilization voltage. If the zener diode in the key matches the stabilization voltage with the zener diode in the lock, the door opens.
Moreover, outwardly everything looks as if it is a digital lock with a digital key. Of course, the number of “code combinations” of my lock is disproportionately less than a digital one, but... who knows that you need to select a zener diode? I can imagine the hysteria of an “advanced” thief trying to guess the digital code to my lock.
The diagram of the first version of the lock is shown in Figure 1. The key is connector X1.1, which is connected to the mating connector X1.2. Ideally, you need to use a housing from a tablet key, such as an iButton, and the corresponding connector for connecting it. But you can make any imitation, or use any two-pin connector pair, for example, from audio equipment.
Fig.1. Schematic diagram of a combination lock for working with an analog tablet.
The key contains a zener diode, in this case, 8.2V, and a 1N4148 diode connected in series with it. When connected to connector X1.2, they and resistor R1 form a stabilized source of constant voltage equal to the sum of the zener diode voltage and the forward voltage of the diode.
A two-threshold comparator is made on the comparators of the A1 LM339 chip. The reference voltage at its inputs is set by a circuit consisting of resistor R2, two diodes VD4, VD5 and a zener diode, the same as in the switch.
When you connect your own key, a voltage is established on pins 4 and 7 of A1, which is greater than the voltage on the pin by the amount of forward voltage on the 1N4148 diode. 6 A1.2 and the same amount less voltage at the pin. 5 A1.1.
Thus, the voltage at pins 4 and 7 of A1 connected together is between the voltages at pins 6 and 5. As a result, the voltage at the direct input of A1.1 will be less than at the inverse input, and at the output it will be unity. In exactly the same way on A1.2, the output is one. The key on transistor VT1 opens and supplies current to relay K1.
If the zener diode in the key is not at the same voltage as in the lock, then at least one of the comparators will be at zero at the output, and the voltage at the base of VT1 will not be enough to open it.
The peculiarity of the LM339 microcircuit is that its outputs are made according to public key circuits, so they can be connected together, but they must be connected to the power positive with a resistor (R3). Of course, the zener diodes do not have to be 8.2V, they can be for any voltage from zero to 10V, but they must be the same.
Capacitor C1 serves to slow down the response to the correct voltage, so that accidental opening does not occur if pulses or some kind of alternating voltage are received at the input. So to speak, protection from accidents.
Fig.2. Diagram of a more complex lock with a double analog key.
The diagram of a more complex lock is shown in Figure 2. A key in the form of a flash drive is used here. It is very similar to a flash drive, it has the same USB connector, but instead of a memory chip inside there are only two zener diodes and two diodes. Now the “secrecy” of the castle is twice as great.
And all comparators of the LM339 chip are used. There are two zener diodes in the key, they can be the same, they can be different, but it is important that VD2 is the same as VD3, and VD7 is the same as VD11.
Relay K1 type KUTS-1M, from an old Soviet TV. This relay has a high-resistance 12V winding, and two closing contact pairs, for a current of up to 2A each at a voltage of 220V. But you can choose an imported analogue, the winding should be 12V and the current should not exceed 30mA.
No setup required. It is very important that all the diodes are the same, and the zener diodes in the key are exactly the same as in the lock, and from the same batch.
Magnetic keys This is not only daily access to the entrance, it is the so-called identifier of the person who owns such a device. Electronic code media is actively used both in security systems and in various semi-automatic engineering systems. We sometimes rarely think about where we can apply knowledge about magnetic code carriers. But more detailed knowledge sometimes helps us in life. We will try to tell you a little about magnetic keys, cards and key fobs.
There are many identifier models. Some serve as access cards to the office, others open entrance doors, others launch ventilation controls, and others open safes.
1. Electromagnetic access keys
2. Access cards
3. Key rings with code
4. Magnetic bracelets
5. Active and passive tags
The most common devices in everyday life. We actively use magnetic keys and blanks for intercoms every day. We used to call them " intercom key", "tablet", "magnetic key" etc. In fact, these names do not accurately reflect the correct name. Some people really believe that such a key can " magnetize". This is also not correct. The correct name is electromagnetic key or electronic identifier. And its operating principle is simple - the device itself contains non-volatile memory on which a unique identification number is recorded. Sometimes this number (code) can be changed.
1. Factory coded (not rewritable) . This code is assigned immediately when the key is produced. Both numbers and letters are used. There are billions of combinations of unique codes. The chance of meeting a double (double) is in hundredths of a percent. This is the cheapest option for a magnetic key. The most common model, both for entrances and in any systems.
2. Rewritable blanks . Outwardly, they are no different from their “brothers”. But they cost a little more. All because of the advanced functionality of the key. For such models you can have a code delete and write a new one. Such keys are not used very often. The main scope of application is companies engaged in the production of intercom keys for entrances.
3.Recordable blanks . Just like rewritable ones, they do not differ in design. The functionality is a little more modest - they can be recorded only once. That is, the code can be programmed once and forever. Since they cheaper of the second category (overwritten many times), then this is the key to which your " tablet from the entrance".
4. Universal . In fact, an interesting option is simply a set of ready-made keys that fit many intercoms. There are different options. The essence of such a set is simple - to make keys to all entrances in one bunch. The secret lies in the fact that almost all entrance intercoms produced have a sewn-in serial number, which is copied onto magnetic key in such a set. Prices for universal sets different, as they include different numbers of magnetic tablets.
The main advantages of such products are their durability and practically indestructible functionality. Made with the expectation that they will hang around for years together with the keys to the apartment, on one bunch. These can last forever. There are practically no disadvantages, except for their possibility " demagnetize"But you need very strong objects nearby (with a strong magnetic field) to damage the internal key code.
Magnetic cards access are essentially clones of “tablets”. The principle of operation of cards is exactly the same as that of magnetic keys. There are few differences: a different design, several additional functions for some models, ease of storage.
For the full operation of many systems (including access control and management), special “electronic keys” are required. These keys have many names: access cards, tablets, key fobs, magnetic cards, identifiers, tags, key fobs, etc. But all of them are designed to recognize the visitor or user.
Identifiers can be used to access the premises, quickly arm (or disarm), confirm entered actions, and launch a specific control scenario.
Typically, the cost of cards and key fobs is not high, since they are easy to manufacture. A special feature of these additional devices is the presence of non-volatile (in rare cases dependent) memory, which contains an electronic (alphanumeric) code. In some cases it can be changed, in some cases additional data about the key owner can be stored in memory.
Please note that electronic key duplicators are located in the "Measuring Instruments" section.
Important! Be sure to read the instructions for the device as there are several electronic key formats (TouchMemory, HID, EM-marin, MIFARE and others).
There are a large number of beautiful design solutions for door opening buttons on the market. Now there are wireless buttons, touch-sensitive, and piezoelectronic. But the most reliable, as always, are buttons with mechanical metal filling. Such buttons are not afraid of temperature changes and moisture. We invite you to view and purchase any door opening buttons (locking, remote, illuminated) in our online store.
The specialists of the ABars systems protection company will be happy to select for you additional equipment for an access control system for any type of facility.
You can order and buy all these products through the online access control store of our website or order delivery or professional installation in Moscow from the ABars company (when purchasing cards, keys or buttons for an amount over 8 thousand rubles, delivery is free).
If you find it difficult to choose the desired card format or have other questions about the characteristics, call our company.
.jpg)
