Intercom key copier on pic12f675. How to make a copy of the intercom key at home

Intercom equipment in new buildings is now a prerequisite, and in old houses it is. This significantly increases the safety of residents and helps maintain order in the entrance. But what if the key to the intercom is lost or broken? Previously, installer companies were monopolists and raised the price of backup devices, now many companies and workshops have appeared that can rewrite the intercom key for a relatively small amount. However, the same steps can be performed independently.

There are two main ways to obtain a new key, depending on the type of devices used - this is the introduction of a code into the intercom system.

touch memory

Touch memory is a non-volatile identifier that includes a memory device, a real-time clock and a rechargeable battery. Reading or writing information is done by simply touching the body of the device. There are many varieties of Touch memory. They differ not only, but also models in terms of memory size. Compatibility with the installed equipment must be considered when purchasing blanks for writing codes.

Touch memory models

The Dallas model is the most common model. The plastic holder can bear the emblem or inscription of the intercom equipment manufacturer: Sean, Eltis, Vizit or the Dallas logo. To copy the code, TM2004 blanks are used.

Some Vizit intercom systems do not support work with TM2004 blanks, in this case you can use the more expensive universal model TM08.
Metacom model. Domestic production, are a complete analogue of the Dallas model. Fully match the electrical characteristics. They must be marked both on the plastic holder and on the metal case of the device itself - the inscription Metakom or MT. Workpieces TM2004 and TM08 are suitable.
Model "Cyfral". They have a similar inscription on the holder. TM2004 blanks are suitable for older models, TM7 for new ones. Resistor model "Digital". Outdated equipment, which is quite rare. Such devices do not have a chip with a recorded code. They use a resistor with a rating corresponding to a particular intercom. You can distinguish such a device by the recess located in the central part of the case. Copying is done by soldering the appropriate resistor to any of the Touch memory blanks. Its capacity is determined by an ohmmeter using a working key.

Contactless RFID

Recently, contactless reading systems have become widespread, where RFID keys or proximity cards are used. Outwardly, they resemble an ordinary plastic keychain or a bank card. The devices do not have their own power supply. The transmission of the code to the receiving device is carried out after receiving the radio signal, the energy of the wave radiation and acts as an energy supply. Therefore, activation occurs only at a distance of 10-15 cm from the lock. Otherwise, the device and the action of the tag do not differ from the similar Touch memory.

The keys themselves look like key fobs no larger than a five-ruble coin and 5 mm thick. Contactless cards have a format similar to bank cards and are somewhat thicker - up to 3 mm. The interchangeability of cards and key fobs, despite the same functioning technology, is not always feasible, since a violation of the intensity of the transmitted signal is possible. Currently for copying RFID keys various manufacturers almost any workpiece is suitable: HID Prox II, EM-Marin, Indala, etc.

Recording on a workpiece

on media is carried out using special devices, programmers. For example, the Keymaster PRO 4 RF device is a universal programmer for both the Touch memory standard and contactless RFID devices. Allows you to copy keys to blanks:

RW/TM 2004;
CS 1, 3;
TM - 01, 07, 08;
RW 1990, 2007, 125RF.

Supports the standards of the most common manufacturers:

For touch memory:

Cyfral;
- Dallas;
For RFID:
- HID ProxII;
- EM Marin;
- Indala and some others.

Recording of the workpiece is done with one touch. The algorithm for copying the key is as follows:

A key is brought to the reader, which must be copied.
The device independently determines the type, manufacturer and model of the recommended workpiece.
The blank is brought to the reader. And the record button is pressed.
The key is being written to.

In addition, the device can record without a source key if the code stored in memory is known. The duplicator is connected to the PC via USB port and has its own software that stores the last 500 records in memory, and manages the distribution of Touch memory and RFID records. This is beyond the reach of most ordinary users, but there are simpler models with limited functionality:

Key Master 3;
KeyMaster 3 RF - supports contactless tags;
TMD-5 RFID;
TM Pro.

Intercom programming

Entering information about new keys can also be carried out directly on the intercom equipment. Naturally, different manufacturers have developed different instructions for programming intercoms.

Entering information into the intercom memory is possible only if the installers have not changed the factory access code in the device. Usually, installers rarely change the access password, and most of the default passwords are 1234.

Manufacturer Raimann

To enter the settings - the reader button is pressed;
Login password from 9 to 4, after (wait 10-15 seconds) dial from 1 to 6;
The symbol "P" appears on the monitor;
Menu items from 2 to 8. The item responsible for the introduction of new keys No. 2.

Manufacturer VIZIT

Entering the settings - # 99 is typed on the keyboard;
After the beep, the password 1234 is entered, then the beep again;
Programming and prescribing new keys - point number 3;
The apartment number is entered, the key is applied and # is pressed;
Then press * to switch to operating mode.

If there are no * and # buttons on the keyboard, then they are replaced by the C and K buttons, respectively.

Manufacturer Eltis

To enter the menu, press button B, keep it pressed for 7 seconds;
System password 1234;
After the menu loads on the screen, select the “Key master” item;
We dial the apartment number and press the button B;
After the LF command appears on the screen, you need to lean the key against the reader;
The recording is completed if the message ADD appears on the screen (if there were no keys for this apartment in memory before) or the apartment number.

Each intercom key has its own number - it is this number that serves as the key identifier. It is by the number of the key that the intercom decides - its own or someone else's. Therefore, the copying algorithm is as follows: first you need to find out the number of the allowed key, and then assign this number to another key - the clone. For the intercom, it makes no difference whether the original key or its copy was attached. After checking the number with his database of allowed numbers, he will open the door.

Intercom keys that we will connect to the Arduino (they are sometimes called iButton or touch memory) are read and written via 1-wire interface. Therefore, the connection scheme is very simple. All we need is a couple of wires and a 2.2 kΩ pull-up resistor. The connection diagram is shown in the figure.

The assembled circuit might look something like this:

2 Read iButton Key ID using Arduino

To work with the 1-wire interface, there are ready-made libraries for Arduino. You can use, for example, this one. Download the archive and unpack it into a folder /libraries/ located in the Arduino IDE directory. Now we can very simply work with this protocol.

Upload this sketch to Arduino in the standard way:

iButton Key Reading Sketch with Arduino(expands) #include OneWire iButton(10); // create a 1-wire object on pin 10 void setup(void)( Serial.begin(9600); ) void loop(void) ( delay(1000); // delay 1 sec byte addr; // array for storing key data if (!iButton.search(addr)) ( // if the key is not attached Serial.println("No key connected..."); // report this return; // and abort the program ) Serial.print("Key: "); for(int i=0; i )

This sketch shows the key number for the intercom that is connected to the circuit. This is what we need now: we need to find out the number of the key we want to make a copy of. Let's connect the Arduino to the computer. Let's start the serial port monitor: Tools Serial Port Monitor(or keyboard shortcut Ctrl+Shift+M).

Now let's connect the key to the circuit. The port monitor will show the key number. Let's remember this number.

And here is what exchange takes place on a single-wire line when reading the key identifier (for more details, see below):

The figure, of course, does not show all the implementation details. Therefore, at the end of the article, I attach a timing diagram in the *.logicdata format, taken with the help of a logic analyzer and the program Saleae Logic Analyzer and opened to her. The program is free and can be downloaded from the official Saleae website. To open the *.logicdata file, you need to run the program, press Ctrl + O or in the menu Options(located at the top right) select an item open capture / setup.

3 Dallas Key Identifier Record using Arduino

Now let's write a sketch for writing data to the memory of the iButton key.

iButton key writing sketch with Arduino(expands) #include // include the library const int pin = 10; // declare the OneWire pin number iButton(pin); // declare OneWire object on pin 10 // key number we want to write to iButton: byte key_to_write = ( 0x01, 0xF6, 0x75, 0xD7, 0x0F, 0x00, 0x00, 0x9A ); void setup(void) ( Serial.begin(9600); pinMode(pin, OUTPUT); ) void loop(void) ( delay(1000); // delay by 1 sec iButton.reset(); // device reset 1-wire delay(50); iButton.write(0x33); // send "read" command byte data; // array for storing key data iButton.read_bytes(data, 8); // read the data of the attached key, 8x8=64 bits if (OneWire::crc8(data, 7) != data) ( // check the checksum of the attached key Serial. println("CRC error!"); // if the CRC is not is correct, report it return; // and abort the program ) if (data & data & data & data & data & data & data & data == 0xFF) ( return; // if the key is not attached to the reader, abort the program and wait while ) Serial.print("Start programming..."); // start of the process of writing data to the key for (int i = 0; i ) // Initialization of writing data to the iButton key-tablet: void send_programming_impulse() ( digitalWrite(pin, HIGH); delay(60); digitalWrite(pin, LOW); delay(5); digitalWrite(pin, HIGH); delay(50); }

Don't forget to set the number of your original key in the array key_to_write which we learned earlier.

Upload this sketch to the Arduino. Open the serial port monitor (Ctrl+Shift+M). Let's connect a key to the scheme, which will be a clone of the original key. The serial port monitor will display a corresponding message about the result of programming.

If this sketch didn't work, try replacing the code after Serial.print("Start programming...") until the end of the function loop() to the next one:

Additional sketch for writing iButton key using Arduino(expand) delay(200); iButton.skip(); iButton.reset(); iButton.write(0x33); // read current key number Serial.print("ID before write:"); for (byte i=0; i<8; i++){ Serial.print(" "); Serial.print(iButton.read(), HEX); } Serial.print("\n"); iButton.skip(); iButton.reset(); iButton.write(0xD1); // команда разрешения записи digitalWrite(pin, LOW); pinMode(pin, OUTPUT); delayMicroseconds(60); pinMode(pin, INPUT); digitalWrite(pin, HIGH); delay(10); // выведем ключ, который собираемся записать: Serial.print("Writing iButton ID: "); for (byte i=0; i<8; i++) { Serial.print(key_to_write[i], HEX); Serial.print(" "); } Serial.print("\n"); iButton.skip(); iButton.reset(); iButton.write(0xD5); // команда записи for (byte i=0; i<8; i++) { writeByte(key_to_write[i]); Serial.print("*"); } Serial.print("\n"); iButton.reset(); iButton.write(0xD1); // команда выхода из режима записи digitalWrite(pin, LOW); pinMode(pin, OUTPUT); delayMicroseconds(10); pinMode(pin, INPUT); digitalWrite(pin, HIGH); delay(10); Serial.println("Success!"); delay(10000);

Here the function writeByte() will be as follows:

int writeByte(byte data) ( int data_bit; for(data_bit=0; data_bit<8; data_bit++) { if (data & 1) { digitalWrite(pin, LOW); pinMode(pin, OUTPUT); delayMicroseconds(60); pinMode(pin, INPUT); digitalWrite(pin, HIGH); delay(10); } else { digitalWrite(pin, LOW); pinMode(pin, OUTPUT); pinMode(pin, INPUT); digitalWrite(pin, HIGH); delay(10); } data = data >> 1; ) return 0; )

It is pointless to show the timing diagram of the operation of the key identifier recording sketch, because it is long and will not fit in the picture. However, the *.logicdata file for the logic analyzer program is attached at the end of the article.

Intercom keys come in different types. This code is not suitable for all keys, but only for RW1990 or RW1990.2. Programming keys of other types can lead to key failure!

If desired, you can rewrite the program for a key of a different type. To do this, use the technical description of your key type (datasheet) and change the sketch in accordance with the description. Download datasheet for iButton keys can be attached to the article.

By the way, some modern intercoms read not only the key identifier, but also other information recorded on the original key. Therefore, making a clone by copying only the number will not work. You need to completely copy the key data.

4 Description of single wire 1-Wire interface

Let's take a closer look at the One-wire interface. In organization, it is similar to the I2C interface: it must also contain a master device (master) that initiates the exchange, as well as one or more slave devices (slave). All devices are connected to one common bus. iButton devices are always slaves. The master is usually a microcontroller or PC. The data rate is 16.3 kbps. The idle bus is at logic "1" (HIGH). This protocol provides only 5 types of signals:

reset pulse (master)
presence pulse (slave)
write bit "0" (master)
write bit "1" (master)
read bit (master)

With the exception of the presence pulse, all others are generated by the master. The exchange always takes place according to the scheme: 1) Initialization 2) Commands for working with ROM 3) Commands for working with PROM 4) Data transfer.

1) Initialization

Initialization consists in the fact that the master sets the reset condition RESET (lowers the line to "0" for a period of 480 μs or more, and then releases it, and due to the pull-up resistor, the line rises to the state "1"), and the slave no later than 60 µs after that, it must confirm the presence by also lowering the line to "0" for 60 ... 240 µs and then freeing it:

2) Commands for working with ROM

If no acknowledgment signal is received after the initialization pulse, the master repeats the polling of the bus. If the confirmation signal is received, then the master understands that there is a device on the bus that is ready for the exchange, and sends it one of the four 8-bit ROM commands:

(*) By the way, there are quite a few families of iButton devices, some of them are listed in the table below.

iButton family codes(unfolds)

Family code	iButton devices	Description
0x01	DS1990A, DS1990R, DS2401, DS2411	Unique serial number-key
0x02	DS1991	Multikey, 1152-bit secure EEPROM
0x04	DS1994, DS2404	4 kb NV RAM + clock, timer and alarm
0x05	DS2405	Single addressable key
0x06	DS1993	4 KB NV RAM
0x08	DS1992	1 KB NV RAM
0x09	DS1982, DS2502	1 kb PROM
0x0A	DS1995	16 KB NV RAM
0x0B	DS1985, DS2505	16 KB EEPROM
0x0C	DS1996	64 KB NV RAM
0x0F	DS1986, DS2506	64 KB EEPROM
0x10	DS1920, DS1820, DS18S20, DS18B20	temperature sensor
0x12	DS2406, DS2407	1 kb EEPROM + dual channel addressable key
0x14	DS1971, DS2430A	256 bit EEPROM and 64 bit PROM
0x1A	DS1963L	4 KB NV RAM + write cycle counter
0x1C	DS28E04-100	4 KB EEPROM + dual channel addressable key
0x1D	DS2423	4 KB NV RAM + external counter
0x1F	DS2409	Two-channel addressable key with the possibility of switching to the return bus
0x20	DS2450	Four-channel ADC
0x21	DS1921G, DS1921H, DS1921Z	Thermochronic sensor with data acquisition function
0x23	DS1973, DS2433	4 kb EEPROM
0x24	DS1904, DS2415	Real time clock
0x26	DS2438	Temperature sensor, ADC
0x27	DS2417	Real time clock with interrupt
0x29	DS2408	Bidirectional 8-bit I/O port
0x2C	DS2890	Single channel digital potentiometer
0x2D	DS1972, DS2431	1 kb EEPROM
0x30	DS2760	Temperature sensor, current sensor, ADC
0x37	DS1977	32 KB password protected EEPROM
0x3A	DS2413	Dual Channel Addressable Switch
0x41	DS1922L, DS1922T, DS1923, DS2422	High-resolution thermochronic and hygrochronous sensors with data acquisition
0x42	DS28EA00	Digital thermometer with programmable resolution, serial link capability and programmable I/O ports
0x43	DS28EC20	20 kb EEPROM

Data is transmitted sequentially, bit by bit. The transmission of each bit is initiated by the master. When recording, the leader lowers the line to zero and holds it. If the line holding time is 1…15 µs, then bit "1" is written. If the hold time is 60 µs or more, bit "0" is written.

Reading bits is also initiated by the master. At the start of reading each bit, the master pulls the bus low. If the slave wants to send a "0", it holds the bus in the LOW state for 60 to 120 µs, and if it wants to send a "1", it keeps the bus in the LOW state for about 15 µs. After that, the slave releases the line, and due to the pull-up resistor, it returns to the HIGH state.

This is how, for example, the timing diagram of the Search ROM (0xF0) search command looks. Bit writing commands are marked in red in the diagram. Pay attention to the order of the bits when transmitting over 1-Wire: the most significant bit is on the right, the least significant bit is on the left.

3) Commands for working with PROM

Before considering the commands for working with the iButton PROM, it is necessary to say a few words about the dongle memory structure. The memory is divided into 4 equal sections: three of them are designed to store three unique keys, and the fourth is for temporary data storage. This temporary buffer serves as a kind of draft where data is prepared for writing keys.

To work with the PROM, there are 6 commands:

Name	Team	Purpose
Write to temporary buffer (Write Scratchpad)	0x96	Used to write data to a temporary buffer (scratchpad).
Read from temporary buffer (Read Scratchpad)	0x69	Used to read data from a temporary buffer.
Copy from temporary clipboard (Copy Scratchpad)	0x3C	Used to transfer data prepared in a temporary buffer to the selected key.
Write key password (Write Password)	0x5A	Used to record the password and unique identifier of the selected key (one of three).
Write a key (Write SubKey)	0x99	Used to directly write data to the selected key (bypassing the temporary buffer).
Read Key (Read SubKey)	0x66	Used to read the data of the selected key.

4) Data transfer

To be continued...

5 Possible mistakes when compiling the sketch

1) If an error occurs while compiling the sketch WConstants.h: No such file or directory #include "WConstants.h", then, as an option, follows in the file OneWire.cpp replace the first block after the comments with the following:

#include #include extern "C" (#include #include }

2) If an error occurs during compilation class OneWire has no member named read_bytes, then find and try to use another library to work with the OneWire interface.

You have lost your intercom keys and cannot make a duplicate. Do you want to visit a friend, but you do not have the keys to her entrance. Or you just need to take a shit to your enemy, but you can't get into his house, then this article is for you.

A few words about the principle of work ...
There is an opinion that there is a magnet in the tablets from the intercom, and it opens the door. No, it's not. The tablet is a ROM, with a hard-wired key in it. This ROM is called - Touch Memory, brand DS1990A. DS1990A is the brand of intercom keys. Communicates with the intercom via the one-wire bus (single-wire interface). This bus was developed by Dallas and allows two devices to communicate over just one wire. If the device is passive (as in our case), then it also transmits power to it through this wire. It should also be noted that a common wire is also needed (so that the circuit closes), but, as a rule, all the grounds of devices connected to this bus are connected together. The key contains a 60 picofarad capacitor, which provides short-term power to the key at the time of the answer. But the host device must constantly (at least once every 120 microseconds) generate a one signal to charge this capacitor so that the ROM in the tablet continues to be powered.

Tablet internals

Organization of the One-wire bus
The One-wire bus works as follows. There is a master device, and a slave device, in our case a passive key. The main signals are generated by the master, logic one and zero signals. The slave device can only force zero signals (i.e. just pull the bus to ground through the transistor). A simplified diagram of the master and slave is shown in the pictures.

Wizard scheme

If you look at the circuit, it is easy to see that by default the master always has +5 volts, a la logical unit. To transfer a logical zero, the master closes the bus to ground through a transistor, and to transfer a unit, it simply opens it. This is done in order to provide power to the slave device. The slave device is made similarly, only it does not generate +5 volts. It can only sink the bus to ground, thereby transmitting a logical zero. The logical unit is transmitted simply by the “silence” of the device.

Work protocol
You can immediately notice that only the Master rules the parade, the DS1990A key itself either holds the ground (the master sets the bus to zero himself), or simply remains silent, in case he wants to transfer a unit, he simply remains silent. Let's look at the drawing.

An example of reading a key by an intercom.

After generating the PREFERENCE pulse by the key, the master device waits for some time and issues a command to read the ROM, usually this is the family code, in our case 33H. Pay attention to how the transfer of zero and one is done. In any case, the impulse “drops” to the ground, but if a unit is transmitted, then it is quickly restored (about 1 microsecond), if it should be zero, then the impulse “hangs” on the ground for some time, then returns to one again. A return to unity is necessary so that the passive device constantly replenishes the energy of the capacitor, and there is power on it. Further, the intercom withstands for some time and begins to generate pulses for receiving information, a total of 64 pulses (that is, it receives 64 bits of information). The key is just to match the durations correctly. If he wants to display zero, then he keeps the bus at zero for some time, if not, then he simply remains silent. The intercom does everything else for him.

Contents of the DS1990A key.
In intercoms, and simply devices where such devices are used to open doors, a key of the DS1990A standard is used. This device is an 8-byte ROM, with information recorded by a laser.

Key dump schema.

The low byte contains the family code. For DS1990A it will always be 01h. The next six bytes contain the serial number of the key. The most intimate thing that identifies the key. The last byte is called CRC, this is a parity check that ensures the authenticity of the transmitted data. It is calculated from the previous seven bytes. By the way, this is not the only standard. There are rewritable ROMs on which information can be carried, and there are also encryption keys. But the whole variety of Dallas tablets is simply unrealistic to consider within the framework of one article, you can read about them on the disk.

The physical device of the key.
Probably, all of the above discouraged any desire to deal with key emulators, because the key must be read, and this is such a hemorrhage. It turns out not! Dallas manufacturers took care of us and placed all the information we needed directly on the key, moreover, in the hexadecimal system! It is engraved on it and it is quite possible to read it, and then later sew it into our wonderful emulator.

Key muzzle

We are interested in the following from all this information:

CC = CRC is the parity check byte of the 7th byte in the firmware
SSSSSSSSSSSS = twelve nibbles //nibbles = 1/2 bytes// of the serial number, i.e. the key itself in hex codes.
FF = family code, in our case it is 01h - zero byte of our key.

It turns out that we can simply write a program, hammer the whole key into it, rewriting the dump visually from the real key with pens, and we will get a ready-made emulator. It is enough just to take the key in the hands of the enemy and rewrite what is written on it. Which I did with great success. :)

emulator.
So we got to the most delicious - the emulator of the keys from the intercom. First, I found a ready-made emulator on some site, sewed it into my AT89C51 and it didn’t work (which is not surprising). But it's not sporty to use other people's firmware and catch other people's, specially left, bugs in the code. Therefore, I began to make my own emulators and write my own programs for them. In general, I tried to make an emulator on 6 different microcontrollers, different architectures, belonging to two families AVR and i8051, all manufactured by Atmel. It did not work for everyone, and a lot of programs were written. At first, Napoleonic tasks were generally set to make a universal emulator with the ability to select a key, but then I left this idea because of its hemorrhoids and meaninglessness, let other people who are interested in this article take care of it. But the cost of the emulator, not counting the labor expended, is less than 70-80 re, you can even meet 30 re, if you do it, for example, on ATtiny12.

The principle of the emulator.
We have examined in detail the principle of operation of the intercom, and accordingly it will not be a big problem to describe the algorithm of the DS1990A emulator program. We look carefully at the diagram and think about what needs to be done. And you need to do the following. The foot of the microcontroller hanging in the air (until it is connected to the ground, the reset pulse) will be considered by the controller as a logical unit. It means that after supplying power to the controller, we must wait until our leg goes to the ground, a la to zero. As we heard zero, we rejoice, wait a while and transfer the port from read mode to write mode. Then we drop the bus to zero, and hold it for a while - we generate a PRESENCE pulse (see the datasheet for the duration of the pulses). Then we again transfer the bus to read mode, and we are waiting for what the master - intercom will tell us. He will tell us the read command, consisting of 8 bits. We will not decode it, because in 99.999% of cases, he will tell us the command to give his dump, a la 33H, just count 8 pulses and don’t worry. We are waiting further. And the most difficult and interesting thing begins - you need to quickly look at what the intercom is telling us and answer it quickly too. We need to bit by bit issue a serial number consisting of 8 bytes, which I mentioned above. I did it as follows (it doesn't matter which microcontroller, the principle will be the same everywhere), loaded the byte into some free register, and shifted it to the right, and watched the transfer bit. As soon as the intercom drops the bus to zero, then if I have the transfer flag set to one, then I simply remain silent on this pulse and wait for the generation of the next bit reading pulse from the master. If I have a zero in the transfer flag, then after the intercom drops the bus to zero, I put the microcontroller port in output mode and forcibly hold the bus at zero for a while, then release it and switch the controller port back to read mode. According to the duration of the pulse in the ground, the master device understands whether a unit or zero was transmitted to it. In principle, everything, then the intercom should joyfully beep and open the door.

Practice.

Tester board. I can see the inscription dallas.

After a little hemorrhoids and a war with the debugger, the code turned out. Here is an example code for outputting data to the intercom on the AT89C2051. (In general, the AT89C2051 is a popular, but outdated controller. One of the first that I programmed. The minimum peripherals, the memory is also nothing. It is sewn only with a high-voltage programmer. Although there is its new replacement AT89S2051, it can already be flashed in-circuit through some kind of AVR ISP, and maybe through AVRDUDE - I didn't check it. The most curious thing is that it is compatible with ATTiny2313 on the legs, so the code can be ported to Tinka as well. note DI HALT)

D.I. HALTS:
We wrote this hellish code with Long back in 2006 in his apartment. Hurried to hiccups over their blunts. I then felt the AVR for the first time. I was sitting on a completely unfamiliar assembler for the procedure for reading from EEPROM, while Long was picking a demo board for his future emulator. I especially remember my joke with the watchdog when my MK was reset while writing to EEPROM and cutting out the i2c memory chip from the board using a cutting wheel. Eh ... nothing, I'm driving to Moscow, we'll burn it again!

;======================================= ; Issuance of a serial number; in: R0- address where the serial is with the tablet type and CRC8; USES: A,B,R0,R1,R2 ;===================================== ================== DEMUL_SendSer: mov R2,#8 SS3: mov ACC,@R0 mov R1,#8 SS2: JB TouchFuck,$ ; zero 1->0 RRC A ;C:=A.0; shift A; mov TouchFuck,C ;TouchFuck:=C; MOV B,#9 DJNZ B,$ ;Delay 20 us setb TouchFuck JNB TouchFuck,$ ;loop until 0 DJNZ R1,SS2 inc R0 DJNZ R2,SS3 ret ;=============== ========================================

Results.
As a result, I got a lot of emulators. True, some of them still need to be brought to mind. Although a few 100% working. Examples of emulators you can look at the pictures.

Photos of emulators

The most interesting is the CRC check, which is carried out by the intercom. You will need this if you want to put Dallas lock on your computer for example. An example of calculating CRC on A89C2051 (although this code will work on all microcontrollers of the i8051 family.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 DO_CRC: PUSH ACC ;save accumulator PUSH B ;save the B register PUSH ACC ;save bits to be shifted MOV B,#8 ;set shift = 8 bits ; CRC_LOOP: XRL A,CRC ;calculate CRC RRC A ;move it to the carry MOV A,CRC ;get the last CRC value JNC ZERO ;skip if data = 0 XRL A,#18H ;update the CRC value ; ZERO: RRC A ;position the new CRC MOV CRC,A ;store the new CRC POP ACC ;get the remaining bits RR A ;position the next bit PUSH ACC ;save the remaining bits DJNZ B,CRC_LOOP ;repeat for eight bits POP ACC ;clean up the stack POP B ;restore the B register POP ACC ;restore the accumulator RET
DO_CRC: PUSH ACC ;save accumulator PUSH B ;save the B register PUSH ACC ;save bits to be shifted MOV B,#8 ;set shift = 8 bits ; CRC_LOOP: XRL A,CRC ;calculate CRC RRC A ;move it to the carry MOV A,CRC ;get the last CRC value JNC ZERO ;skip if data = 0 XRL A,#18H ;update the CRC value ; ZERO: RRC A ;position the new CRC MOV CRC,A ;store the new CRC POP ACC ;get the remaining bits RR A ;position the next bit PUSH ACC ;save the remaining bits DJNZ B,CRC_LOOP ;repeat for eight bits POP ACC ;clean up the stack POP B ;restore the B register POP ACC ;restore the accumulator RET

Conclusion.
As you can see, intercom keys are not as simple as they seem. However, emulating them is available to anyone who owns programming and a soldering iron.

D.I. HALTS:
Cases of bygone days, legends of antiquity deep ... Long - WDR! (it will be clear only to the initiated;)))))

Pre-edited version of an article from Hacker magazine

Good afternoon! Somehow I got tired of paying 150 rubles for a copy of the intercom key and decided to assemble a simple, budget iButton duplicator on Arduino. The prices for such ready-made devices “bite”, although their functionality is wider, they copy almost everything, including wireless dongles. A simple copy of the iButton key a la "button" is enough for me. Interesting? Please under "cut"!

So let's get started! To begin with, "technical assignment", what should this device be able to do:
1) Read the contents of the key, it's interesting what is sewn up there.
2) Copy the keys, no matter how strange it sounds :)
3) Flash the "universal" key. By the word "universal" we mean any of our own keys, which will be recorded by default.

UPD. Very important! If the first byte, family code, is 00 , for example 00 :12:34:56:AB:CD:EF: AA, then after the firmware the key will “die”, it will not be read by this programmer, and possibly by others. Found by experience, thanks to a friend 16 :AB:CD:EF:E0 with a naturally incorrect checksum E0. Since the checksum is incorrect, the intercom ignores this sequence when reading. This intercom ruined all rewritable keys, while I figured out what was going on and why the data in the keys “by itself” changes. As a result, it was not possible to make a duplicate for this intercom, I had to go to a service organization and order a key for 100 rubles. :)

As a result, we get a thing useful in the household for ridiculous money, “blanks” for recording are sold, although we can find offline for 30 rubles apiece, for copiers on the market for 100 - 150 rubles :).
UPD. We read about what types of keys can be written with this duplicator. Thanks for the help comrade.
UPD. If the key is not written, follow the comrade. I plan to buy +197 Add to favorites Liked the review +95 +184

Everyone knows that any mechanism deteriorates over time, and it has to be changed, especially for elements subject to frequent physical exertion.

Electronics in this sense is more reliable, and if it is well protected electrically, it can last quite a long time.

The loss of keys from a mechanical lock is often associated with the replacement of the latter. Losing an electronic chip, it is enough to make a copy of it using.

How a duplicator is arranged and works

What models and types of key duplicators are

All duplicators of intercom keys available in nature can be classified into three different types:

Programmers for flashing contactless keys tmd;
Duplicators for making copies of contact intercom keys;
A universal type of duplicators that can reflash any kind of intercom chips.

Each of these types of devices have their modifications.

Contactless Duplicators

Among them there are three modifications of devices.

The first modification includes programmers that make the RFID standard EM-Marin, HID and Indala (tmd duplicators), the second modification supports the Mifare standard, the third modification of duplicators works with keys of the TECH-COM or TKRF standard.

Contact type devices

Devices are presented in two types. The first type is designed to work with dallas contact type keys, the second type of programmers duplicates type keys or.

The Dallas chip has a hexadecimal code, and the digital one is flashed with a protocol type code, which is large in size.

Universal key programming devices

Universal intercom key duplicators, in addition to being able to create a copy of any digital chip, have a number of additional functions:

Ability to update;
The presence of a memory base;
Code generation.

Considering the first function, it must be said that when new modifications of keys with the original encoding are released, the base of the programming device can be flashed for these chips, and it will be able to make copies of them.

The second function makes it possible to clone keys without the original. That is, after the first flashing, the chip code is simply written to the device base and reproduced as needed.

The third function allows you to flash keys with original codes, for example, for company employees, each of whom must have their own personal access code to the lock. Then you can track the number of visits to a particular object by a specific person.

What you need to make a do-it-yourself intercom key duplicator

When making a key copier with your own hands, you can take the Arduino module as a basis.

The element base that will be needed to manufacture the device:

The microcontroller of the “Arduino Nano” type is the main “brains” of the device, where information is processed and data is recorded;
RFID RC522 board, which acts as a module that reads codes and redirects information to the microcontroller;
Piezoelectric type buzzer;
Two LED elements for the monitor;
Two 330 ohm resistors;
Keyboard block type 4X4;
I2C type liquid crystal display adapter (LCM1602), which acts as an LCD converter to an Arduino-compatible format;
Liquid crystal display type LCD16X2BL.

The liquid crystal screen is connected to the contact group of the adapter using sixteen pins. On both modules, the contacts are numbered.

Next, power wires are connected to the display adapter from the rf ID RC522 module: red - to the VCC (+) contact and black - to the GND (common) contact. The control wires are soldered to the SDA and SCL pins. LED elements are installed in tandem with current limiting resistors.

The principle of flashing keys

Intercom chips, which are in the form of tablets and whose surface must be applied to the intercom contact, do not contain magnetic elements inside.

The circuitry of the device is based on the use of non-volatile memory (in other words, ROM).

In such a memory, a sequence of characters of a digital unique code is written.

The principle of rewriting such keys is that the tmd duplicator reads the code and recreates it on a pure chip platform.

The RFID system is built on the transmission of a code not by contact, but by a certain radio frequency.

The key circuit contains an oscillatory circuit. If it is excited, the data from the memory will be transmitted to the reader through space.

Such an excitatory signal will be a signal coming from the antenna of the intercom or duplicator. Otherwise, the principle of how to copy the code into memory, its further reproduction is no different from the principle of operation of the contact device.

The only difference is that programmers can only store and play back a certain type of digital signal. The exception is universal devices that can be programmed to work with any type of digital data.

Conclusion

Making chips for an intercom with your own hands can be not only a solution to the problem of losing personal keys, but also an opportunity to build your business on it.

To begin with, you can make a simple intercom key copier for the most popular “blanks”.

The most important thing is that such earnings do not require large initial investments, and services will always be in demand, especially in large cities.

Video: Do-it-yourself intercom key duplicator