Introducing the Masterlock 1500eXD
I picked up one of those newfangled Masterlock 1500eXDs in order to tear it down and figure it out. The 1500eXD is an electromechanical combination padlock that can accept up to 4 owner-programmable codes. You select which code you will be entering by picking a direction, then press the up, down, left, and right buttons in the proper sequence to enter the combination for that direction. Each combination can be between 4 and 12 positions in length. Only the up position has the right to set and remove the other three, using a central programming button. This gives you one administrator code and three guest codes. Finally, you can register the lock online, give the company a special code from a sticker attached to the manual, and receive a backup recovery code that is keyed in using the center button as the “direction”. This code and the original administrator code are already set when you buy your lock. The recovery code can set a new admin code and can set or remove any guest code. I chose not to register and get this code, as the end user license agreement was a bit vague about a few things and I didn’t want to agree to it considering I was about to tear apart their product.
While I was waiting for it to arrive I did some research to see if I could find any FCC ID number or patent numbers related to it, but came up with nothing. I fully expected it to be a piece of junk that would fall over as soon as I looked at it, but I was pleasantly surprised to find that it is a very professional piece of work. The lock looks and feels VERY sturdy. It’s heavy, nothing looks cheap, nothing rattles, and nothing is loose. Pulling on the shackle is like pulling on a railroad car; there’s no give. The buttons are just firm enough to make it obvious that you’ve pressed them. The LEDs behind the buttons are programmable RGB types, so each one can independently display different shades and brightness. They clearly communicate by way of color, pulsing, and brightness what you have done correctly or incorrectly, in much the same way that some Apple products do. Best of all: no annoying beeping things. Worst of all: I have to write all sorts of nice things about a company that isn’t paying me.
When you put in the correct combination and open the shackle you hear a slight buzzing from a motor or solenoid so I tried subjecting it to dropping/whacking it really hard to see if a jolt would open it the way you can open a lot of cheap handgun safes. No luck there. When you close the shackle you hear the same buzzing and the shackle is kind of sucked back into the lock body. I tried tricking it into thinking the lock was closed when it was really open by lowering the shackle behind and in front of the lock body but that was ineffective. I also tried closing the shackle really fast and then pulling it out again and succeeded in getting the buzzing-closed noise, but it wasn’t fooled. It wouldn’t act as if it was in the closed state and when I lowered the shackle again it buzzed again and locked correctly. They seem to have taken into account most of the odd things that people will do when they get their hands on something new and shiny.
One interesting aspect of the lock is the way they handle the dead battery problem. The battery holder is in the bottom of the lock and you can pull it open with your fingernail. If the shackle is open it descends fully so you can replace the coin cell battery. If the shackle is closed, it descends only a few millimeters and exposes two metal leads and an indentation into which you can poke a 3V coin cell battery horizontally and hold it there while pressing in your combination. It’s like a jump start for your lock. Once done, you can open the shackle, and then open the battery holder completely to insert the new battery. The battery holder seems a bit flimsy and one of the metal leads tried to pop out but their dead battery solution is really elegant.
The 1500eXD meets Mr. Drill Press
I read the manual, played with the lock, and looked for FCC ID numbers or patent numbers on the outside, but only came up with a single obscure number that didn’t give me any clues (I assume it’s a lot number for quality assurance purposes). Next step, breaking in! This was harder than I expected. There are three domed rivets visible from the back and they are made of some very hard metal. I went at them with a drill press and broke two drill bits in the process. In retrospect it would have been easier to use larger bits and lean in a lot harder, but I was trying to be surgically precise. I didn’t know where anything sensitive was. I finally made it through and was able to lift off the back plate gently. The result… very impressive. Removing the back plate exposes the purely mechanical parts of the lock. The electronics are obviously on the other side, beneath the buttons. The design and layout of the lock’s internals demonstrate that the engineers who designed it were really on the ball for this project. The longer I worked with the lock, the more I appreciated the many mechanical details that were executed in style.
I’ll take up the interesting bits point by point so they can be followed on the picture.
1) The shackle is held in place by a pair of greased cylinders. Also note that the shackle is “dead”, not spring loaded, so you must actually pull on it to open after entering a correct code.
2) The shackle engages a cylinder that, in turn, blocks the battery holder from descending fully while the shackle is still closed. This is how they can expose that battery “jump start” feature.
3) The two shackle cylinders are held in place by a spring-loaded component closely resembling the “butterfly” mechanism in the legendary Sargent & Greenleaf 8008 (I refer to it as legendary because it makes me feel better about my failed attempt to manipulate one, even when using sensitive mechanical test equipment). I’ll call it a butterfly since I don’t know what it’s supposed to be called.
4) The butterfly is, in turn, held in place by a rotating cam below it. This prevents the descent of the butterfly while in one orientation, but allows it in the other, thus giving the shackle cylinders room to move and allowing you to open the shackle.
5) The orientation of the cam is controlled by a simple motor like you would see in a very small toy.
With the components removed, some more interesting things come to light.
1) There are “JTAG” test points accessible on the circuit board from the mechanical side of the lock. These are commonly used for programming, testing, or debugging an embedded device. They are also one of the things that put a smile on the face of a hardware hacker. I have a theory as to why Masterlock would want these points accessible in a partially finished lock. They aren’t an electronics manufacturer (that I know of). I’ll bet they have a contract manufacturer produce the entire electronic portion for them (based on their design) and have it built into a partially assembled lock before it is delivered to them, and then they program the device and plug in the admin and recovery codes. Masterlock could then finish the lock by installing the mechanical parts and riveting it closed. That way their proprietary software and the all-important admin and recovery codes never leave their control. I also note that while the shackle is closed, the JTAG points are entirely blocked by the shackle itself. Try drilling through that to hack the device while it’s still locked! It’s a very nice design detail and more evidence they didn’t just bang out a cheap piece of junk for the masses.
2) The butterfly rides over a switch. This switch is clearly the way that the electronic part of the lock knows if the shackle is open or closed.
3) A ledge prevents the shackle from descending far enough to push the butterfly onto the switch when it is in any orientation other than directly inside the two shackle holes. Nice simplicity of design.
4) There is an access hole at the center as well. I’m guessing this is how they supply power to the device while testing and programming, since there probably wouldn’t be a battery installed by then.
The motor is really simple. It can spin in one direction or the other and the speed and duration can be determined by the microcontroller on the circuit board. When you put in a correct code it spins in one direction briefly, rotating the cam. This allows you to pull up the shackle shoving the cylinders out of the way and pushing down the butterfly which opens up the switch. The microcontroller now knows that you have opened the shackle. When you close it later the butterfly is allowed to spring back up out of the way of the cam and the switch is re-engaged. This signals the microcontroller to spin the motor in the other direction, causing the cam to rotate and block the butterfly from being pushed down again.
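To pin down the behaviour described above (the four direction slots plus the center recovery code, who may program which slot, and the motor/cam/butterfly/switch sequence that opens and relocks the shackle), here is a small Python model. It is an added example written for this write-up, not Masterlock’s firmware and not code from the original post. The class and method names, the factory codes, the exact programming button sequence, and the way code entry terminates are all assumptions; the page only describes the outward behaviour, which is what the model reproduces.

```python
# Constructed model of the 1500eXD's code slots and shackle state machine as
# described in the teardown. Illustrative Python, not Masterlock firmware: the
# programming button sequence and how code entry terminates are not on the
# page, so program() and enter() stand in for them as plain calls.

SLOTS = ("U", "D", "L", "R")   # one owner-programmable code per arrow direction
RECOVERY = "C"                 # recovery code is keyed with the center button as its "direction"
ADMIN = "U"                    # the up slot is the administrator code
MIN_LEN, MAX_LEN = 4, 12       # each combination is 4 to 12 arrow presses


def valid_code(code):
    """A code is 4-12 positions, each an arrow press; center is not a position."""
    return MIN_LEN <= len(code) <= MAX_LEN and all(b in SLOTS for b in code)


def keyspace_per_slot():
    """Distinct codes one slot can hold. Assumes the lock distinguishes lengths,
    i.e. a short code is not accepted as a prefix of a longer entry; the page
    does not say how entry terminates, so treat this as an upper bound."""
    return sum(4 ** n for n in range(MIN_LEN, MAX_LEN + 1))


class Lock1500eXD:
    def __init__(self, admin_code, recovery_code):
        # Admin and recovery codes are already set when the lock is bought.
        if not (valid_code(admin_code) and valid_code(recovery_code)):
            raise ValueError("factory codes must be 4-12 arrow presses")
        self.codes = {s: None for s in SLOTS}
        self.codes[ADMIN] = tuple(admin_code)
        self.codes[RECOVERY] = tuple(recovery_code)
        self.cam_blocks = True       # cam parked so the butterfly cannot descend
        self.switch_engaged = True   # shackle seated, butterfly resting on the switch
        self.motor_log = []          # motor spin directions, for inspection

    def _matches(self, direction, code):
        stored = self.codes.get(direction)
        return stored is not None and tuple(code) == stored

    def enter(self, direction, code):
        """Pick a slot with `direction`, then key the arrow sequence. On a match
        the motor turns the cam out of the butterfly's way; otherwise nothing moves."""
        if not self._matches(direction, code):
            return False
        self.motor_log.append("unlock")
        self.cam_blocks = False
        return True

    def pull_shackle(self):
        """The shackle is dead, not spring loaded, so the user must pull. That only
        works once the cam has freed the butterfly; the pull pushes the butterfly
        down and opens the switch, which is how the MCU learns the shackle is open."""
        if self.cam_blocks:
            return False
        self.switch_engaged = False
        return True

    def seat_shackle(self):
        """Closing the shackle lets the butterfly spring back and re-engage the
        switch. That switch transition is what triggers the relock spin, so a
        shackle that was never seated is never treated as closed."""
        if self.switch_engaged:
            return
        self.switch_engaged = True
        self.motor_log.append("lock")
        self.cam_blocks = True

    @property
    def is_open(self):
        return not self.switch_engaged

    def program(self, auth_direction, auth_code, target, new_code):
        """Set (`new_code`) or remove (`None`) a slot after authenticating.
        Rights as the manual describes them: the up/admin code manages the three
        guest slots; the recovery code can set a new admin code and set or remove
        any guest code. Whether admin may change its own code is not stated on
        the page, so it is disallowed here (assumption)."""
        if not self._matches(auth_direction, auth_code):
            return False
        if auth_direction == ADMIN:
            allowed = {"D", "L", "R"}
        elif auth_direction == RECOVERY:
            allowed = set(SLOTS)
        else:
            allowed = set()          # guest codes manage nothing
        if target not in allowed:
            return False
        if new_code is None:
            if target == ADMIN:
                return False         # recovery may replace admin, never delete it
            self.codes[target] = None
            return True
        if not valid_code(new_code):
            return False
        self.codes[target] = tuple(new_code)
        return True


if __name__ == "__main__":
    lock = Lock1500eXD("UDLR", "LLRRUDUD")              # constructed factory codes
    print(lock.enter("U", "UDLL"), lock.pull_shackle())  # False False: wrong code, cam still blocks
    print(lock.enter("U", "UDLR"), lock.pull_shackle())  # True True
    lock.seat_shackle()
    print(lock.motor_log, lock.pull_shackle())           # ['unlock', 'lock'] False
```

The point the model makes explicit is that the firmware never has to guess the shackle position: the only “closed” signal it acts on is the butterfly re-engaging the switch, which is why the quick close-and-pull trick earlier in the post produced a relock buzz but no confused state. The keyspace figure is an upper bound only; if the real lock accepted a shorter code as a prefix of a longer entry, effective keyspace per slot would be smaller.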
Overall it’s a really nice design with a lot of important details taken care of with simple mechanics. There are no obvious flaws to exploit. I will note that the only way into the lock without A) breaking it, B) knowing the code, or C) knowing some trick of logic that bypasses the codes on the electronics is the access port to the battery which is fairly close to the position of the pins that control the motor. However, this is not as easy to exploit as it might seem. The tolerances are very tight and you have to supply power. It seems like this should work given enough effort to make a tool to do it.
That's it for now. I've already begun working backwards from the circuit board to fully understand the operation of the lock and will be making attempts to communicate with the only component on the board having any storage or control ability.