project:brmdoor:start
Differences
project:brmdoor:start [2018/04/20 15:16] – added howto abyssal | project:brmdoor:start [2023/09/17 20:35] (current) – [Raspberry support] pysftp dropped and changed to paramiko for SFTP abyssal | ||
Line 16: | Line 16: | ||
For hackerspace more secure and without the annoyance of physical keys. DIY digital lock control, open/closed space status monitor and burglar alarm. | For hackerspace more secure and without the annoyance of physical keys. DIY digital lock control, open/closed space status monitor and burglar alarm. | ||
- | **Status:** Currently, we have digital lock control and open/closed space status monitor, doorbell. Burglar alarm is TODO long-in-the-future. | + | **System architecture:** Raspberry Pi + Adafruit PN532 shield. Supports ISO14443 cards (Mifare Classic, Desfire, Yubikey, you could even use Visa/Mastercard NFC payment cards; Android NFC Host Card Emulation could be used as well with some changes). Authentication: via UID, challenge-response with Yubikey Neo, signed public-key cryptography |
- | + | ||
- | **System Architecture:** Digital lock, card reader and Club Mate panel are hooked up on an Arduino. The Arduino needs just power - it unlocks the door autonomously, the list of allowed cards is stored internally. The Arduino is further | + | |
===== Unlocking the Door ===== | ===== Unlocking the Door ===== | ||
- | Executive summary, how to get in without a key - arrange registering your RFID card with stick first, then you need to sometime come physically to brmlab to meet with him; he will add your ID to the Arduino sketch code. (We do not use external database out of security concerns.) | + | Executive summary, how to get in without a key - arrange registering your RFID card (ISO-14443A, e.g. Mifare Classic, Mifare DESFire) with council |
- | + | ||
- | If your card is registered, just put it at the door around the place with the " | + | |
===== BrmDoor Hardware ===== | ===== BrmDoor Hardware ===== | ||
- | | + | * We have [[https:// |
- | * [DONE] MiFare RFID cards (e.g. ISIC, OpenCard, or plain tokens) | + | * MCU/ |
- | | + | * OS: Raspbian or Ubuntu (other may work as well if you can get required packages to build and install) |
- | * We have it wired up and can detect a card and receive its serial id. Tested on ISIC and OpenCard, works like a charm! | + | * Lock device |
- | * It is already duct-taped at the inner side of the door. Most rfid cards have no trouble with talking through the wooden door; a sticked by chido marks the spot. The wires are routed off the door through UTP cable. | + | * From inside, it is possible to open the door anytime by just pushing the handle. |
- | * Lock device: | + | * From outside, it is possible to open the door by turning the lock by the key, OR by pushing the handle if the voltage |
- | * [DONE] | + | * Lock specs say 12-24V should be used, but from experience 12 V is not enough. Use 24 V. |
- | * From inside, it is possible to open the door anytime by just pushing the handle. | + | |
- | * From outside, it is possible to open the door by turning the lock by the key, OR by pushing the handle if +15V is fed in. | + | |
- | * We have it wired up and can control it fine. The wires are routed off the door through UTP cable. | + | |
- | * AxTheB breadboarded a Darlington IC that switches the 15V based on 5V TTL input. The power source | + | |
- | Communication is over SPI: both SEL0 and SEL1 are shorted which turns communication to be over SPI. | + | Communication is over SPI: both SEL0 and SEL1 are shorted which turns communication to be over SPI. Docs say SEL1 closed, board says both closed, both closed work. |
Documentation of Adafruit PN532 shield (our revision is 1.2): | Documentation of Adafruit PN532 shield (our revision is 1.2): | ||
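Review bot: in the new **System architecture** line, and in the executive summary right under it that tells members to register their RFID card, authentication "via UID" is listed as a peer of the Yubikey challenge-response and signed public-key methods, but a card UID is transmitted in the clear to any reader and can be replayed from a writable-UID Mifare clone, so a UID-registered card is about as strong as a photographed key. Say that plainly where members are told to register, and point to the Desfire signature path further down as the option for anyone who wants a non-copyable credential. Smaller point: `Lock specs say 12-24V should be used, but from experience 12 V is not enough. Use 24 V.` replaces the old +15V figure, and the old Darlington note (5V TTL switching the coil) is dropped without saying what now drives the 24 V coil from the GPIO named later in the PIN assignments; one sentence on the driver stage would close that gap.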
Line 49: | Line 41: | ||
===== BrmDoor Firmware ===== | ===== BrmDoor Firmware ===== | ||
- | Source repository: https:// | + | Source repository: https:// |
+ | ===== Raspberry support ===== | ||
+ | |||
+ | Brmdoor was tried on: | ||
+ | |||
+ | * Raspberry 1B (very slow import, but works ok) | ||
+ | * Raspberry 3B+ | ||
+ | * Raspberry 4B | ||
+ | |||
+ | Tested Raspbian 9 and 10 (Raspi OS 2021-03-04). Still works on 2023-09-17, when we needed to drop '' | ||
+ | |||
+ | Raspberry 1 and 2 - it's just slow, everything is slow there. Raspberry 3B+ or 4 with USB boot and USB flash instead of SDcard recommended. | ||
+ | |||
+ | Make sure you enable SPI in device tree or '' | ||
===== List of authorized cards ===== | ===== List of authorized cards ===== | ||
- | Card list is on brmlab VPS (vps.brmlab.cz) are exported from JendaSAP, on / | + | Card list is on brmlab VPS (vps.brmlab.cz) are exported from JendaSAP, on '' |
+ | ===== Adding a new card to JendaSAP and import to brmdoor ===== | ||
+ | |||
+ | Put the card next to the reader, then look into a log (on brmdoor raspi in ''/ | ||
+ | |||
+ | Login to vps.brmlab.cz. In ''/ | ||
+ | |||
+ | < | ||
+ | card 0102ab89 | ||
+ | </ | ||
+ | |||
+ | On '' | ||
+ | |||
+ | < | ||
+ | cd /root/sap | ||
+ | parse.py | ||
+ | </ | ||
+ | |||
+ | This will create '' | ||
+ | |||
+ | < | ||
+ | cd brmdoor_libnfc/; | ||
+ | </ | ||
+ | |||
+ | No need to restart brmdoor daemon. Note that the import can take even a minute since the brmdoor Raspberry 1 is fucking slow. | ||
+ | |||
+ | <note important> | ||
+ | Commit the changes to '' | ||
+ | </ | ||
+ | |||
+ | In the '' | ||
+ | |||
+ | < | ||
+ | git commit -m "Added card for member Ctulhu" | ||
+ | </ | ||
+ | |||
+ | ===== Adding a new Desfire with authentication to JendaSAP and import to brmdoor ===== | ||
+ | |||
+ | This is similar to above, but has extra step in programming the Desfire. | ||
+ | |||
+ | <note important> | ||
+ | The Desfire needs to be programmed with correct signature first, otherwise brmdoor will reject it. | ||
+ | </ | ||
+ | |||
+ | Writing a signature on a Desfire card (can be done on raspi or using PN532 reader that is in the lab). You must know the private Ed25519 key matching the public key in brmdoor' | ||
+ | |||
+ | < | ||
+ | ./ | ||
+ | </ | ||
+ | |||
+ | Similar to above, but you add line " | ||
+ | |||
+ | < | ||
+ | desfire 04631982cc2280 | ||
+ | </ | ||
+ | |||
+ | The parse.py mentioned above will also create '' | ||
+ | |||
+ | < | ||
+ | cd brmdoor_libnfc/; | ||
+ | </ | ||
+ | |||
+ | <note important> | ||
+ | If you are using old libfreefare 0.4.x, you will need to patch the hardcoded infinte timeouts, otherwise Desfire stuff may deadlock. | ||
+ | </ | ||
+ | |||
+ | In general, set the timeout param in '' | ||
+ | |||
+ | So '' | ||
+ | |||
+ | < | ||
+ | DEB_BUILD_OPTIONS=' | ||
+ | </ | ||
+ | |||
+ | ==== Fixed Raspbian libfreefare .deb files ==== | ||
+ | |||
+ | Link to zip with the rebuilt .deb files for current brmdoor (Raspian 9), just install with dpkg -i like usual: | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | Latest versions of libfreefare have this fixed, there is either non-infinite timeout or configurable timeout in very latest versions. | ||
+ | ==== Checking that the signature on Desfire ==== | ||
+ | |||
+ | Can be done with brmdoor, PN352 reader on PC or also on mobile app that can show NFC NDEF data: | ||
+ | |||
+ | < | ||
+ | cd brmdoor_libnfc/; | ||
+ | </ | ||
+ | |||
+ | You should see something like: | ||
+ | |||
+ | < | ||
+ | {" | ||
+ | </ | ||
+ | ===== Restarting brmdoor remotely ===== | ||
+ | |||
+ | If brmdoor stops responding for some reason, restart it using: | ||
+ | |||
+ | < | ||
+ | systemctl restart brmdoor.service | ||
+ | </ | ||
+ | |||
+ | In order to get to brmdoor from outside, you'll need to find a hop server accessible from outside, like bbs.brmlab.cz | ||
+ | |||
+ | Sample entry in '' | ||
+ | |||
+ | < | ||
+ | Host = bbs.brmlab.cz | ||
+ | VerifyHostKeyDNS = yes | ||
+ | User = root | ||
+ | IdentityFile = ~/ | ||
+ | ForwardX11 = no | ||
+ | UsePrivilegedPort = no | ||
+ | Protocol 2 | ||
+ | |||
+ | Host = brmdoor-external | ||
+ | ProxyCommand = ssh bbs.brmlab.cz nc %h 22 | ||
+ | Hostname = 192.168.77.30 | ||
+ | Port = 22 | ||
+ | User = root | ||
+ | IdentityFile = ~/ | ||
+ | ForwardX11 = no | ||
+ | UsePrivilegedPort = no | ||
+ | Protocol 2 | ||
+ | </ | ||
+ | |||
+ | ===== OPEN/CLOSED switch with update of topic on IRC and SpaceAPI format on VPS ===== | ||
+ | |||
+ | In '' | ||
+ | update to work. | ||
+ | |||
+ | The first part of the topic until '' | ||
+ | OPEN/CLOSED will be prepended). | ||
+ | |||
+ | Configuration needs setting a file that is read once per second, '' | ||
+ | " | ||
+ | will be read by brmdoor daemon. | ||
+ | |||
+ | For a simple switch (that just closes/ | ||
+ | configure a PIN in input mode and turn on internal pullup on the input PIN. An example of this is in the | ||
+ | '' | ||
+ | |||
+ | <code bash> | ||
+ | #!/bin/bash | ||
+ | export PIN=22 | ||
+ | |||
+ | if [ ' | ||
+ | echo $PIN > / | ||
+ | echo in > / | ||
+ | fi | ||
+ | |||
+ | python -c " | ||
+ | </ | ||
+ | |||
+ | If the switch is in open position (connected to ground), the " | ||
+ | of the internal pull-up). | ||
+ | |||
+ | The numbering scheme is the same as in the lock configuration (BCM GPIO numbering, | ||
+ | https:// | ||
+ | '' | ||
+ | |||
+ | ==== Changing OPEN/CLOSED status remotely with software ==== | ||
+ | |||
+ | Any IRC user in ''# | ||
+ | until the physical switch changes the value. | ||
+ | |||
+ | ==== Reporting/ | ||
+ | |||
+ | Currently since v 0.2 brmdoor can upload the status and information in [[http:// | ||
+ | |||
+ | The status JSON is mapped currently is mapped to [[https:// | ||
+ | of json is in under " | ||
+ | |||
+ | Currently to be compatible with old URL (https:// | ||
+ | for the spaceAPI.net since we can't change it and can't submit new, there is alias | ||
+ | in ''/ | ||
+ | uploaded by brmdoor (it's over SFTP with internal-sftp chroot, ssh-key login, so that in case of compromise of brmdoor there | ||
+ | is not much the attacker could do with it (and password can't be bruteforced). | ||
+ | ===== PIN assignments ===== | ||
+ | |||
+ | General GPIO PIN assignments are configurable, | ||
+ | pinouts. Raspi pinouts for all versions: https:// | ||
+ | |||
+ | (Follow whatever Rpi is installed for pinout as power sources keep killing them time to time) | ||
+ | |||
+ | Numbering scheme used by brmdoor for lock and open switch (based on BCM GPIO numbering, different from P1 | ||
+ | header physical PIN numbers): | ||
+ | https:// | ||
+ | |||
+ | PIN assignemnts (physical PINs on P1 header, with BCM GPIO numbers used in config): | ||
+ | |||
+ | * Raspberry power - via USB | ||
+ | * 5V power out into Adafruit PN532 reader: #4 | ||
+ | * Ground for Adafruit PN352: physical #6 | ||
+ | * BERA-E lock open/close: physical #22, BCM GPIO #25 | ||
+ | * Open/close switch input PIN: physical #15, BCM GPIO #22 (/ | ||
+ | * SPI pins for Adafruit PN532 reader - SPI PINs on Raspberry - physical #19, #21, #23, #24 | ||
+ | * electrical measurement (ask Jenda) : physical #12 signal, ground physical #14 | ||
+ | * grounds not mentioned just connect to any ground | ||
+ | |||
+ | |||
+ | ===== microSD card extra vs Sandisk Extra USB experiment (2021-05-20) ===== | ||
+ | |||
+ | I'e bought a 16 GB USB flash that should theoretically be more stable than SD card. | ||
+ | |||
+ | I've copied the 32-GB card, extended the filesystem to 16 GB (from original 4 GB). | ||
+ | |||
+ | The copy is available in my trezor. I benchmarked SD card and the USB boot device, did not find any significant differences. We did thought with rainbof limit the max CPU/GPU freq. | ||
+ | |||
+ | To this day I am not sure whether that " | ||
+ | |||
+ | Nevertheless, | ||
+ | |||
+ | Jenda/Mrkva were politely asked whether they want to design a single board for all future brmdoors. Since there is like 10 parts and foundries will make the poplated boards at $10/piece. | ||
===== GitHub, last commits ===== | ===== GitHub, last commits ===== | ||
- | {{rss> | + | {{rss> |
+ | |||
+ | ===== Photos of cable connections of Raspi + PN532 shield (location Ke kaplicce 20) - old Raspi 1 rev B2 - OBSOLETE ===== | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Updated photos after replacing Raspi 1 rev B2 with Raspi 3B+ (18 May 2021) - OBSOLETE ===== | ||
+ | |||
+ | Power source fried the Raspi 3B+ sometimes in 2022, replaced again with Raspi 2B | ||
+ | |||
+ | Added on left side is a stepdown that works with Raspi 3B+ power consumption. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Updated photos after replacing fried Raspi 3B+ for old Raspi 2B and changing casing (14 Jan 2022) ===== | ||
+ | |||
+ | {{: | ||
+ | |||
+ | {{: | ||
- | ===== Photos (location Ke kaplicce 18) ===== | + | {{: |
- | {{: | + | {{: |
- | {{: | + | ==== Outside view of PN532 shield (14 Jan 2022) ==== |
- | {{: | + | {{: |
+ | {{: | ||
===== Brmdoor HOWTO (displayed after you login as root, in /etc/motd) ===== | ===== Brmdoor HOWTO (displayed after you login as root, in /etc/motd) ===== | ||
< | < | ||
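Review bot: in **Adding a new Desfire with authentication**, `Writing a signature on a Desfire card (can be done on raspi or using PN532 reader that is in the lab). You must know the private Ed25519 key` implies the signing key that mints valid credentials may live on the door controller itself; the SpaceAPI paragraph in this same hunk already plans for `compromise of brmdoor`, and a signing key on that box undoes the benefit of signed cards, since whoever owns the Pi can then issue cards rather than merely open the door. Suggest stating that only the public key is deployed to brmdoor and signing happens on an operator machine or the lab PC with the PN532 reader, and adding a line on revocation (what removing a `desfire ...` line from JendaSAP and re-importing actually does to an already-signed card, which the text does not say). Related: the old text's `We do not use external database out of security concerns` is replaced by `Card list is on brmlab VPS (vps.brmlab.cz) are exported from JendaSAP`, which moves the credential list to an internet-facing host; worth one sentence on who can edit that file and that the `git commit` step is what provides the audit trail for additions. Minor: the `bbs.brmlab.cz` ssh recipe here sets `VerifyHostKeyDNS = yes`, which only substitutes for a known_hosts check when the SSHFP record is DNSSEC-validated; otherwise the first connection is trust-on-first-use, so the hop's host key should be pinned.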
Line 73: | Line 320: | ||
Full README is at https:// | Full README is at https:// | ||
+ | |||
+ | A preferred way to add a card is to add it to JendaSAP, then import (see below). | ||
+ | |||
+ | ## Import cards.txt from JendaSAP' | ||
+ | |||
+ | cd brmdoor_libnfc/ | ||
+ | ./ | ||
+ | |||
+ | If `brmdoor.sqlite` does not exist, it will be created. If it exists, the `authorized_uids` | ||
+ | table will be replaced with UIDs/nick pairs from `cards.txt` (other tables are not touched). | ||
## Adding card by UID | ## Adding card by UID | ||
+ | |||
+ | Note: this is useful for adding card temporarily since import from JendaSAP will remove it | ||
- find out the UID: | - find out the UID: | ||
1. put the card near the reader, | 1. put the card near the reader, | ||
- | 2. as root, look into the log, currently | + | 2. as root, look into the log, currently |
- | - look into log for the unknown UID, look for `Unknown UID` message | + | - look into the log for the unknown UID, look for `Unknown UID` message |
- | - the following command will add card as authenticated by UID, for other methods see full README | + | - the following command will add a card as authenticated by UID, for other methods see full README |
cd brmdoor_libnfc/ | cd brmdoor_libnfc/ | ||
./ | ./ | ||
- | |||
- | ## Import cards.txt from JendaSAP' | ||
- | |||
- | cd brmdoor_libnfc/ | ||
- | ./ | ||
- | |||
- | If `target_db.sqlite` does not exist, it will be created. If it exists, the `authorized_uids` | ||
- | table will be replaced with UIDs/nick pairs from `cards.txt` (other tables are not touched). | ||
## List authorized cards UIDs + nicks from DB | ## List authorized cards UIDs + nicks from DB | ||
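Review bot: the new `Import cards.txt from JendaSAP` section says the `authorized_uids` table is replaced on import, and the UID-add note says `import from JendaSAP will remove it`, but neither states the consequence that matters operationally: the import is also the only revocation path, so a UID removed from JendaSAP (lost card, departed member) keeps opening the door until someone re-runs the import. Suggest adding "to revoke a card, remove it from JendaSAP and re-import" next to the replace-semantics sentence, and saying whether the Desfire import replaces its table the same way. In `Adding card by UID`, the `Unknown UID` log line is whichever card was last tapped, so the step should say to check the timestamp against the tap before pasting the UID into the add command.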
Line 102: | Line 353: | ||
systemctl stop brmdoor.service | systemctl stop brmdoor.service | ||
Systemd unit location: `/ | Systemd unit location: `/ | ||
+ | |||
</ | </ | ||
Line 126: | Line 378: | ||
* Setting topic is not finished (python-irc has fairly bad API to retrieve topic) | * Setting topic is not finished (python-irc has fairly bad API to retrieve topic) | ||
+ | ===== Remote access from outside brmlab ===== | ||
+ | |||
+ | Add following to your ~/ | ||
+ | |||
+ | You need to have access to '' | ||
+ | |||
+ | You need ssh that supports '' | ||
+ | |||
+ | < | ||
+ | |||
+ | Host data.brmlab.cz | ||
+ | User root | ||
+ | Port 22 | ||
+ | IdentityFile = ~/ | ||
+ | Protocol 2 | ||
+ | |||
+ | Host = brmdoor-via-data | ||
+ | ProxyJump = data.brmlab.cz | ||
+ | Hostname = 192.168.77.30 | ||
+ | Port = 22 | ||
+ | User = root | ||
+ | IdentityFile = ~/ | ||
+ | ForwardX11 = no | ||
+ | UsePrivilegedPort = no | ||
+ | Protocol 2 | ||
+ | </ | ||
+ | |||
+ | Then using | ||
+ | |||
+ | < | ||
+ | ssh brmdoor-via-data | ||
+ | </ | ||
+ | |||
+ | will get proxyjump over data into brmdoor. | ||
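Review bot: the `Host data.brmlab.cz` stanza gives every brmdoor operator a root login on the jump host, and `brmdoor-via-data` then logs in as root a second time; a jump host account should be an unprivileged user whose authorized key is limited to forwarding (for example with the `restrict,port-forwarding` key options), with the door's identity file kept separate from the hop's. Also `UsePrivilegedPort` was removed from OpenSSH in 7.5 and `Protocol` has been ignored since protocol 1 client support was dropped in 7.6, so on any client new enough for `ProxyJump` (7.3+, which this section already requires) those two lines only produce deprecation warnings and can be dropped. Finally, the page now carries two remote-access recipes (the `nc`-based `ProxyCommand` via bbs.brmlab.cz earlier, and this `ProxyJump` via data.brmlab.cz); keep one so operators do not end up with stale hop hosts in their configs.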
project/brmdoor/start.1524237413.txt.gz · Last modified: 2018/04/20 15:16 by abyssal