STM32F103+RTT从零开始（三）—

近期因为各种原因，重新租了个房子住，小区外面有门禁系统，楼下也有个门禁系统。房东只给了一套门禁卡，而我家人也需要门禁卡，所以我就去小区物业那里补卡，结果小区物业那里只能补小区的门禁卡，楼下的门禁卡需要在另外个地方补。物业工作人员给说了下地方，我找了下没找到，又想起了我一年前买了个RFID模块和十几个空白门禁卡，还没开封。又正好时值国庆，空闲时间比较多，不如自己来复制吧。

基础知识

一两个月前，我写了两篇STM32F103+RTT的入门博客。那两篇是非常基础的，到这里直接就是复制门禁卡，看起来好像不是循序渐进。不过也是没法子，毕竟现在从事的工作和这些完全不沾边，工作又忙，所以没太多时间来一步一步学习并且写博客，只能玩到哪是哪了。
先看了下门禁卡的分类和一些基础资料，了解到我新租住的房子所在的小区用的门禁卡是S50类型的。它具有16个扇区，每个扇区具有四个Block，分别为0、1、2、3，每个Block可以存储16字节的数据。其中每个扇区的Block3存储的为6字节A密码+4字节控制位+6字节B密码。另外第一扇区的Block0存储的为卡号以及厂商的基本信息。卡就是下面的这个鬼样子：

一般来说，第一扇区的Block0下内容是不能更改的，我原以为小区门禁卡是通过其他扇区的数据来做验证的，后面写好了读数据的代码，发现从门禁卡中从数据块中读取的数据都是0，只有密码区、控制区及ID下第一扇区的Block0中有数据。所以我们的那个小区中的门禁卡应该是通过卡的第一扇区的Block0中的信息来验证的。也就是说我们要做的是复制整个卡，包括第一扇区的Block0。
要复制第一扇区的Block0，普通的IC卡就不行了，我之前买的卡就是普通的IC卡，鼓捣了很久，一直以为是程序写的有问题，后来才发现是卡不行。没办法，只能重新买卡了。
选卡也要选择合适的卡，查了下资料，能够修改第一扇区Block0的兼容S50类型的卡，有UID卡（可以使用后门指令无限制重复修改第一扇区Block0，会响应后门指令）、CUID卡（可以使用后门指令无限制重复修改第一扇区的Block0，不会响应后门指令）、FUID卡（使用普通指令，只能修改一次第一扇区的Block0）等。根据上面的说明，可以知道，UID卡可以无限制修改，但是由于会响应后门指令，所以如果门禁系统有检测后门指令并且禁用，那就不能用了。CUID不响应后门指令，但是由于可以用后面指令修改，门禁系统如果先去修改一下，确认不能修改，再进行门禁验证，那么CUID的卡就也不能用了。FUID显然是最保险的，但是从价格来说，FUID（2.2元） > CUID（1.3元） > UID（0.78元）。
所以我先试了下房东给的门禁卡，发现它是可以被修改的，而且也会响应后门指令，那么考虑性价比，当然是买UID卡了。10块钱13个还包邮，加上8块钱不到的一个RFID-RC522，一共18块钱（PS : 物业那里20块钱一个门禁卡，真坑)。

门禁卡复制实现

上面提到修改门禁卡第一扇区Block0是需要使用后门指令的，直接按照普通的写数据的方式进行修改，是无法修改的。既然主要目的是复制门禁卡，懒得重复去造轮子了。我之前买的RFID-RC522模块，使用的是SPI的通信模式，淘宝上搜索，应该很多都是这样的，如下图所示：

对，买的就是这样没焊脚的，然后我又买了个电烙铁套装。。。

然后上位机还是使用之前的那个STM32F103C8T6。

RC522驱动程序

然后再网上找了下STM32F103下RC522的驱动程序，并增加利用后门指令写第一扇区block0的代码如下：
驱动头文件rc522.h

#ifndef __RC522_H
#define __RC522_H#define MF522_RST_PIN                    GPIO_Pin_0
#define MF522_RST_PORT                   GPIOB
#define MF522_RST_CLK                    RCC_APB2Periph_GPIOB#define MF522_MISO_PIN                   GPIO_Pin_6
#define MF522_MISO_PORT                  GPIOA
#define MF522_MISO_CLK                   RCC_APB2Periph_GPIOA#define MF522_MOSI_PIN                   GPIO_Pin_7
#define MF522_MOSI_PORT                  GPIOA
#define MF522_MOSI_CLK                   RCC_APB2Periph_GPIOA#define MF522_SCK_PIN                    GPIO_Pin_5
#define MF522_SCK_PORT                   GPIOA
#define MF522_SCK_CLK                    RCC_APB2Periph_GPIOA#define MF522_NSS_PIN                    GPIO_Pin_4
#define MF522_NSS_PORT                   GPIOA
#define MF522_NSS_CLK                    RCC_APB2Periph_GPIOA#define RST_H                            GPIO_SetBits(MF522_RST_PORT, MF522_RST_PIN)
#define RST_L                            GPIO_ResetBits(MF522_RST_PORT, MF522_RST_PIN)
#define MOSI_H                           GPIO_SetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define MOSI_L                           GPIO_ResetBits(MF522_MOSI_PORT, MF522_MOSI_PIN)
#define SCK_H                            GPIO_SetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define SCK_L                            GPIO_ResetBits(MF522_SCK_PORT, MF522_SCK_PIN)
#define NSS_H                            GPIO_SetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define NSS_L                            GPIO_ResetBits(MF522_NSS_PORT, MF522_NSS_PIN)
#define READ_MISO                        GPIO_ReadInputDataBit(MF522_MISO_PORT, MF522_MISO_PIN)// ????
void PcdInit(void);
char PcdReset(void);
void PcdAntennaOn(void);
void PcdAntennaOff(void);
char PcdRequest(unsigned char req_code,unsigned char *pTagType);
char PcdAnticoll(unsigned char *pSnr);
char PcdSelect(unsigned char *pSnr);
char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr);
char PcdRead(unsigned char addr,unsigned char *pData);
char PcdWrite(unsigned char addr,unsigned char *pData);
char PcdValue(unsigned char dd_mode,unsigned char addr,unsigned char *pValue);
char PcdBakValue(unsigned char sourceaddr, unsigned char goaladdr);
char PcdHalt(void);
char PcdComMF522(unsigned char Command,unsigned char *pInData, unsigned char InLenByte,unsigned char *pOutData, unsigned int  *pOutLenBit);
void CalulateCRC(unsigned char *pIndata,unsigned char len,unsigned char *pOutData);
void WriteRawRC(unsigned char Address,unsigned char value);
unsigned char ReadRawRC(unsigned char Address);
void SetBitMask(unsigned char reg,unsigned char mask);
void ClearBitMask(unsigned char reg,unsigned char mask);
char M500PcdConfigISOType(unsigned char type);
void delay_10ms(unsigned int _10ms);
void WaitCardOff(void);
char PcdSpicelWrite(unsigned char *pData);#define PCD_IDLE              0x00
#define PCD_AUTHENT           0x0E
#define PCD_RECEIVE           0x08
#define PCD_TRANSMIT          0x04
#define PCD_TRANSCEIVE        0x0C
#define PCD_RESETPHASE        0x0F
#define PCD_CALCCRC           0x03              #define PICC_REQIDL           0x26
#define PICC_REQALL           0x52
#define PICC_ANTICOLL1        0x93
#define PICC_ANTICOLL2        0x95
#define PICC_AUTHENT1A        0x60
#define PICC_AUTHENT1B        0x61
#define PICC_READ             0x30
#define PICC_WRITE            0xA0
#define PICC_DECREMENT        0xC0
#define PICC_INCREMENT        0xC1
#define PICC_RESTORE          0xC2
#define PICC_TRANSFER         0xB0
#define PICC_HALT             0x50    #define PCD_SPECIAL_COPY          0x43#define DEF_FIFO_LENGTH       64                 #define     RFU00                 0x00
#define     CommandReg            0x01
#define     ComIEnReg             0x02
#define     DivlEnReg             0x03
#define     ComIrqReg             0x04
#define     DivIrqReg             0x05
#define     ErrorReg              0x06
#define     Status1Reg            0x07
#define     Status2Reg            0x08
#define     FIFODataReg           0x09
#define     FIFOLevelReg          0x0A
#define     WaterLevelReg         0x0B
#define     ControlReg            0x0C
#define     BitFramingReg         0x0D
#define     CollReg               0x0E
#define     RFU0F                 0x0F
// PAGE 1
#define     RFU10                 0x10
#define     ModeReg               0x11
#define     TxModeReg             0x12
#define     RxModeReg             0x13
#define     TxControlReg          0x14
#define     TxAutoReg             0x15
#define     TxSelReg              0x16
#define     RxSelReg              0x17
#define     RxThresholdReg        0x18
#define     DemodReg              0x19
#define     RFU1A                 0x1A
#define     RFU1B                 0x1B
#define     MifareReg             0x1C
#define     RFU1D                 0x1D
#define     RFU1E                 0x1E
#define     SerialSpeedReg        0x1F
// PAGE 2
#define     RFU20                 0x20
#define     CRCResultRegM         0x21
#define     CRCResultRegL         0x22
#define     RFU23                 0x23
#define     ModWidthReg           0x24
#define     RFU25                 0x25
#define     RFCfgReg              0x26
#define     GsNReg                0x27
#define     CWGsCfgReg            0x28
#define     ModGsCfgReg           0x29
#define     TModeReg              0x2A
#define     TPrescalerReg         0x2B
#define     TReloadRegH           0x2C
#define     TReloadRegL           0x2D
#define     TCounterValueRegH     0x2E
#define     TCounterValueRegL     0x2F
// PAGE 3
#define     RFU30                 0x30
#define     TestSel1Reg           0x31
#define     TestSel2Reg           0x32
#define     TestPinEnReg          0x33
#define     TestPinValueReg       0x34
#define     TestBusReg            0x35
#define     AutoTestReg           0x36
#define     VersionReg            0x37
#define     AnalogTestReg         0x38
#define     TestDAC1Reg           0x39
#define     TestDAC2Reg           0x3A
#define     TestADCReg            0x3B
#define     RFU3C                 0x3C
#define     RFU3D                 0x3D
#define     RFU3E                 0x3E
#define     RFU3F                       0x3F#define     REQ_ALL               0x52
#define     KEYA                  0x60
#define     KEYB                  0x61#define MI_OK                          (char)0
#define MI_NOTAGERR                    (char)(-1)
#define MI_ERR                         (char)(-2)#endif

驱动实现rc522.c

#include "rc522.h"
#include "stm32f10x_gpio.h"#define MAXRLEN 18                        void PcdInit()
{GPIO_InitTypeDef  GPIO_InitStructure;/* Enable the GPIO Clock */RCC_APB2PeriphClockCmd(MF522_RST_CLK, ENABLE);/* Configure the GPIO pin */GPIO_InitStructure.GPIO_Pin = MF522_RST_PIN;GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;GPIO_Init(MF522_RST_PORT, &GPIO_InitStructure);/* Enable the GPIO Clock */RCC_APB2PeriphClockCmd(MF522_MISO_CLK, ENABLE);/* Configure the GPIO pin */GPIO_InitStructure.GPIO_Pin = MF522_MISO_PIN;GPIO_InitStructure.GPIO_Mode = GPIO_Mode_IN_FLOATING;GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;GPIO_Init(MF522_MISO_PORT, &GPIO_InitStructure);/* Enable the GPIO Clock */RCC_APB2PeriphClockCmd(MF522_MOSI_CLK, ENABLE);/* Configure the GPIO pin */GPIO_InitStructure.GPIO_Pin = MF522_MOSI_PIN;GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;GPIO_Init(MF522_MOSI_PORT, &GPIO_InitStructure);/* Enable the GPIO Clock */RCC_APB2PeriphClockCmd(MF522_SCK_CLK, ENABLE);/* Configure the GPIO pin */GPIO_InitStructure.GPIO_Pin = MF522_SCK_PIN;GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;GPIO_Init(MF522_SCK_PORT, &GPIO_InitStructure);/* Enable the GPIO Clock */RCC_APB2PeriphClockCmd(MF522_NSS_CLK, ENABLE);/* Configure the GPIO pin */GPIO_InitStructure.GPIO_Pin = MF522_NSS_PIN;GPIO_InitStructure.GPIO_Mode = GPIO_Mode_Out_PP;GPIO_InitStructure.GPIO_Speed = GPIO_Speed_2MHz;GPIO_Init(MF522_NSS_PORT, &GPIO_InitStructure);
}char PcdRequest(unsigned char req_code,unsigned char *pTagType)
{char status;  unsigned int  unLen;unsigned char ucComMF522Buf[MAXRLEN]; ClearBitMask(Status2Reg,0x08);WriteRawRC(BitFramingReg,0x07);SetBitMask(TxControlReg,0x03);ucComMF522Buf[0] = req_code;status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);
//     if(status  == MI_OK )
//   { LED_GREEN  =0 ;}
//   else {LED_GREEN =1 ;}if ((status == MI_OK) && (unLen == 0x10)){    *pTagType     = ucComMF522Buf[0];*(pTagType+1) = ucComMF522Buf[1];}else{   status = MI_ERR;   }return status;
}char PcdAnticoll(unsigned char *pSnr)
{char status;unsigned char i,snr_check=0;unsigned int  unLen;unsigned char ucComMF522Buf[MAXRLEN]; ClearBitMask(Status2Reg,0x08);WriteRawRC(BitFramingReg,0x00);ClearBitMask(CollReg,0x80);ucComMF522Buf[0] = PICC_ANTICOLL1;ucComMF522Buf[1] = 0x20;status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,2,ucComMF522Buf,&unLen);if (status == MI_OK){for (i=0; i<4; i++){   *(pSnr+i)  = ucComMF522Buf[i];snr_check ^= ucComMF522Buf[i];}if (snr_check != ucComMF522Buf[i]){   status = MI_ERR;    }}SetBitMask(CollReg,0x80);return status;
}char PcdSelect(unsigned char *pSnr)
{char status;unsigned char i;unsigned int  unLen;unsigned char ucComMF522Buf[MAXRLEN]; ucComMF522Buf[0] = PICC_ANTICOLL1;ucComMF522Buf[1] = 0x70;ucComMF522Buf[6] = 0;for (i=0; i<4; i++){ucComMF522Buf[i+2] = *(pSnr+i);ucComMF522Buf[6]  ^= *(pSnr+i);}CalulateCRC(ucComMF522Buf,7,&ucComMF522Buf[7]);ClearBitMask(Status2Reg,0x08);status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,9,ucComMF522Buf,&unLen);if ((status == MI_OK) && (unLen == 0x18)){   status = MI_OK;  }else{   status = MI_ERR;    }return status;
}char PcdAuthState(unsigned char auth_mode,unsigned char addr,unsigned char *pKey,unsigned char *pSnr)
{char status;unsigned int  unLen;unsigned char i,ucComMF522Buf[MAXRLEN]; ucComMF522Buf[0] = auth_mode;ucComMF522Buf[1] = addr;for (i=0; i<6; i++){    ucComMF522Buf[i+2] = *(pKey+i);   }for (i=0; i<6; i++){    ucComMF522Buf[i+8] = *(pSnr+i);   }//   memcpy(&ucComMF522Buf[2], pKey, 6); //   memcpy(&ucComMF522Buf[8], pSnr, 4); status = PcdComMF522(PCD_AUTHENT,ucComMF522Buf,12,ucComMF522Buf,&unLen);if ((status != MI_OK) || (!(ReadRawRC(Status2Reg) & 0x08))){   status = MI_ERR;   }return status;
}char PcdRead(unsigned char addr,unsigned char *pData)
{char status;unsigned int  unLen;unsigned char i,ucComMF522Buf[MAXRLEN]; ucComMF522Buf[0] = PICC_READ;ucComMF522Buf[1] = addr;CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);if ((status == MI_OK) && (unLen == 0x90))//   {   memcpy(pData, ucComMF522Buf, 16);   }{for (i=0; i<16; i++){    *(pData+i) = ucComMF522Buf[i];   }}else{   status = MI_ERR;   }return status;
}char PcdWrite(unsigned char addr,unsigned char *pData)
{char status;unsigned int  unLen;unsigned char i,ucComMF522Buf[MAXRLEN]; ucComMF522Buf[0] = PICC_WRITE;ucComMF522Buf[1] = addr;CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);if ((status != MI_OK) || (unLen != 4) || ((ucComMF522Buf[0] & 0x0F) != 0x0A)){   status = MI_ERR;   }if (status == MI_OK){//memcpy(ucComMF522Buf, pData, 16);for (i=0; i<16; i++){    ucComMF522Buf[i] = *(pData+i);   }CalulateCRC(ucComMF522Buf,16,&ucComMF522Buf[16]);status = PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,18,ucComMF522Buf,&unLen);if ((status != MI_OK) || (unLen != 4) || ((ucComMF522Buf[0] & 0x0F) != 0x0A)){   status = MI_ERR;   }}return status;
}//这个是写第一扇区Block0的代码
char PcdSpicelWrite(unsigned char *pData)
{char status;unsigned int  unLen;unsigned char i,ucComMF522Buf[MAXRLEN]; //需要使用以下步骤开启后门PcdHalt();WriteRawRC(BitFramingReg, 0x07);//WriteRawRC(CommandReg, 0x40);ucComMF522Buf[0] = 0x40;PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);WriteRawRC(BitFramingReg, 0x00);ucComMF522Buf[0] = 0x43;PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,1,ucComMF522Buf,&unLen);return PcdWrite(0, pData);
}char PcdHalt(void)
{unsigned int  unLen;unsigned char ucComMF522Buf[MAXRLEN]; ucComMF522Buf[0] = PICC_HALT;ucComMF522Buf[1] = 0;CalulateCRC(ucComMF522Buf,2,&ucComMF522Buf[2]);PcdComMF522(PCD_TRANSCEIVE,ucComMF522Buf,4,ucComMF522Buf,&unLen);return MI_OK;
}//?MF522??CRC16??
void CalulateCRC(unsigned char *pIndata,unsigned char len,unsigned char *pOutData)
{unsigned char i,n;ClearBitMask(DivIrqReg,0x04);WriteRawRC(CommandReg,PCD_IDLE);SetBitMask(FIFOLevelReg,0x80);for (i=0; i<len; i++){   WriteRawRC(FIFODataReg, *(pIndata+i));   }WriteRawRC(CommandReg, PCD_CALCCRC);i = 0xFF;do {n = ReadRawRC(DivIrqReg);i--;}while ((i!=0) && !(n&0x04));pOutData[0] = ReadRawRC(CRCResultRegL);pOutData[1] = ReadRawRC(CRCResultRegM);
}char PcdReset(void)
{RST_H;delay_10ms(1);RST_L;delay_10ms(1);RST_H;delay_10ms(10);if(ReadRawRC(0x02) == 0x80){}WriteRawRC(CommandReg,PCD_RESETPHASE);WriteRawRC(ModeReg,0x3D);           WriteRawRC(TReloadRegL,30);           WriteRawRC(TReloadRegH,0);WriteRawRC(TModeReg,0x8D);WriteRawRC(TPrescalerReg,0x3E);WriteRawRC(TxAutoReg,0x40);     return MI_OK;
}char M500PcdConfigISOType(unsigned char type)
{if (type == 'A'){ ClearBitMask(Status2Reg,0x08);WriteRawRC(ModeReg,0x3D);//3FWriteRawRC(RxSelReg,0x86);//84WriteRawRC(RFCfgReg,0x7F);   //4FWriteRawRC(TReloadRegL,30);//tmoLength);// TReloadVal = 'h6a =tmoLength(dec) WriteRawRC(TReloadRegH,0);WriteRawRC(TModeReg,0x8D);WriteRawRC(TPrescalerReg,0x3E);delay_10ms(1);PcdAntennaOn();}else{ return (char)-1; }return MI_OK;
}unsigned char ReadRawRC(unsigned char Address)
{unsigned char i, ucAddr;unsigned char ucResult=0;NSS_L;ucAddr = ((Address<<1)&0x7E)|0x80;for(i=8;i>0;i--){SCK_L;if(ucAddr&0x80)MOSI_H;elseMOSI_L;SCK_H;ucAddr <<= 1;}for(i=8;i>0;i--){SCK_L;ucResult <<= 1;SCK_H;if(READ_MISO == 1)ucResult |= 1;}NSS_H;SCK_H;return ucResult;
}void WriteRawRC(unsigned char Address, unsigned char value)
{  unsigned char i, ucAddr;SCK_L;NSS_L;ucAddr = ((Address<<1)&0x7E);for(i=8;i>0;i--){if(ucAddr&0x80)MOSI_H;elseMOSI_L;SCK_H;ucAddr <<= 1;SCK_L;}for(i=8;i>0;i--){if(value&0x80)MOSI_H;elseMOSI_L;SCK_H;value <<= 1;SCK_L;}NSS_H;SCK_H;
}void SetBitMask(unsigned char reg,unsigned char mask)
{char tmp = 0x0;tmp = ReadRawRC(reg);WriteRawRC(reg,tmp | mask);  // set bit mask
}void ClearBitMask(unsigned char reg,unsigned char mask)
{char tmp = 0x0;tmp = ReadRawRC(reg);WriteRawRC(reg, tmp & ~mask);  // clear bit mask
} char PcdComMF522(unsigned char Command, unsigned char *pInData, unsigned char InLenByte,unsigned char *pOutData, unsigned int  *pOutLenBit)
{char status = MI_ERR;unsigned char irqEn   = 0x00;unsigned char waitFor = 0x00;unsigned char lastBits;unsigned char n;unsigned int i;switch (Command){case PCD_AUTHENT:irqEn   = 0x12;waitFor = 0x10;break;case PCD_TRANSCEIVE:case PCD_SPECIAL_COPY:irqEn   = 0x77;waitFor = 0x30;break;default:break;}WriteRawRC(ComIEnReg,irqEn|0x80);ClearBitMask(ComIrqReg,0x80);WriteRawRC(CommandReg,PCD_IDLE);SetBitMask(FIFOLevelReg,0x80);for (i=0; i<InLenByte; i++){   WriteRawRC(FIFODataReg, pInData[i]);    }WriteRawRC(CommandReg, Command);if (Command == PCD_TRANSCEIVE){    SetBitMask(BitFramingReg,0x80);  }i = 2000;do {n = ReadRawRC(ComIrqReg);i--;}while ((i!=0) && !(n&0x01) && !(n&waitFor));ClearBitMask(BitFramingReg,0x80);if (i!=0){    if(!(ReadRawRC(ErrorReg)&0x1B)){status = MI_OK;if (n & irqEn & 0x01){   status = MI_NOTAGERR;   }if (Command == PCD_TRANSCEIVE){n = ReadRawRC(FIFOLevelReg);lastBits = ReadRawRC(ControlReg) & 0x07;if (lastBits){   *pOutLenBit = (n-1)*8 + lastBits;   }else{   *pOutLenBit = n*8;   }if (n == 0){   n = 1;    }if (n > MAXRLEN){   n = MAXRLEN;   }for (i=0; i<n; i++){   pOutData[i] = ReadRawRC(FIFODataReg);    }}}else{   status = MI_ERR;   }}SetBitMask(ControlReg,0x80);           // stop timer nowWriteRawRC(CommandReg,PCD_IDLE); return status;
}void PcdAntennaOn()
{unsigned char i;i = ReadRawRC(TxControlReg);if (!(i & 0x03)){SetBitMask(TxControlReg, 0x03);}
}void PcdAntennaOff()
{ClearBitMask(TxControlReg, 0x03);
}void WaitCardOff(void)
{char          status;unsigned char TagType[2];while(1){status = PcdRequest(REQ_ALL, TagType);if(status){status = PcdRequest(REQ_ALL, TagType);if(status){status = PcdRequest(REQ_ALL, TagType);if(status){return;}}}delay_10ms(10);}
}void delay_10ms(unsigned int _10ms)
{unsigned int i, j;for(i=0; i<_10ms; i++){for(j=0; j<60000; j++);}
}

后门代码实现依据来源于这篇博客，RC522驱动代码来源于这篇博客，在此表示感谢。

主要控制逻辑

按照之前点亮LED的经验，我们使用RTthread来进行进行门禁卡的检测和复制。主要代码如下：
复制代码被注释了，我们先使用检测并读取的代码，读取出原卡的内容，然后把读取内容记录下来，复制到新卡上去。正确的做法应该是使用完整逻辑来实现这个流程，这里为了方便，直接手动记录，然后修改代码重新编译来进行卡的复制，有兴趣有需要的朋友可在此基础上自行补充完成。


#include <board.h>
#include <rtthread.h>
#include "led.h"
#include "rc522.h"ALIGN(RT_ALIGN_SIZE)
static rt_uint8_t led_stack[ 512 ];
static struct rt_thread led_thread;
static void led_thread_entry(void* parameter)
{unsigned int count=0;rt_hw_led_init();while (1){count++;rt_hw_led_on(0);rt_thread_delay( RT_TICK_PER_SECOND/2 ); /* sleep 0.5 second and switch to other thread */rt_hw_led_off(0);rt_thread_delay( RT_TICK_PER_SECOND/2 );}
}static void ShowID(u8 *p)
{u8 num[9];u8 i;for(i=0; i<4; i++){num[i*2]=p[i]/16;num[i*2]>9?(num[i*2]+='7'):(num[i*2]+='0');num[i*2+1]=p[i]%16;num[i*2+1]>9?(num[i*2+1]+='7'):(num[i*2+1]+='0');}num[8]=0;rt_kprintf("ID>>>%s\r\n", num);
}static rt_uint8_t rfid_stack[ 512 ];
static struct rt_thread rfid_thread;
static void rfid_thread_entry(void* parameter)
{unsigned int count=0;char status;unsigned char snr, buf[16], TagType[2], SelectedSnr[4], DefaultKey[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};PcdInit();PcdReset();PcdAntennaOff();PcdAntennaOn();M500PcdConfigISOType( 'A' );rt_kprintf( "rc522 init over!\n" );while(1){status= PcdRequest( REQ_ALL , TagType );if(!status) {status = PcdAnticoll(SelectedSnr);if(!status){status=PcdSelect(SelectedSnr);if(!status){ShowID(SelectedSnr);/*unsigned char inDoor[16] = {0x91, 0x94, 0x09, 0xa5, 0xa9, 0x88, 0x04, 0x00, 0x85, 0x00, 0xb4, 0x2e, 0xf0, 0xbb, 0x6a, 0xa8};unsigned char outDoor[16] = {0x1c, 0x6a, 0xa0, 0xa5, 0x73, 0x88, 0x04, 0x00,0x85, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};status = PcdSpicelWrite(inDoor);*/if(!status){for(int i = 0;i < 16 ;i++){snr = i;status = PcdAuthState(KEYB, (snr*4+3), DefaultKey, SelectedSnr);for(int j = 0; j < 4; j++){status = PcdRead((snr*4+j), buf);//status = PcdWrite((snr*4+0), "way2"); if(!status){uint16_t * e = 0;e = (uint16_t *)TagType;//rt_kprintf("Snr Index : %d, type = %x \n", snr * 4 + j, *e);for(int n = 0; n < 16; n++){rt_kprintf("%x ", (uint16_t)buf[n]);}  rt_kprintf("\n"); }}}}rt_kprintf("operate finished! %x \n", status);WaitCardOff();}}}}
}void rt_init_thread_entry(void* parameter)
{#ifdef RT_USING_COMPONENTS_INIT/* initialization RT-Thread Components */rt_components_init();
#endif
}int rt_application_init(void)
{rt_thread_t init_thread;rt_err_t result;/* init led thread */result = rt_thread_init(&led_thread,"led",led_thread_entry,RT_NULL,(rt_uint8_t*)&led_stack[0],sizeof(led_stack),20,5);if (result == RT_EOK){rt_thread_startup(&led_thread);}result = rt_thread_init(&rfid_thread,"rfid",rfid_thread_entry,RT_NULL,(rt_uint8_t*)&rfid_stack[0],sizeof(rfid_stack),22,5);if (result == RT_EOK){rt_thread_startup(&rfid_thread);}#if (RT_THREAD_PRIORITY_MAX == 32)init_thread = rt_thread_create("init",rt_init_thread_entry, RT_NULL,2048, 8, 20);
#elseinit_thread = rt_thread_create("init",rt_init_thread_entry, RT_NULL,2048, 80, 20);
#endifif (init_thread != RT_NULL)rt_thread_startup(init_thread);return 0;
}/*@}*/

工程源码

工程源码挂载在CSDN下载频道，攒点下载分备用。欢迎转载，转载博客请注明出处湖广午王的博客。