
Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 12:53 am
by rohare
Electronic Lock Teardown and Reversed Engineered

Note: This is not a post about destructive entry. In fact it’s not a post about entry at all. These sorts of safe locks can be bypassed in ridiculously simple ways (search youtube for “safe cracked with a potato” if you don’t believe me) so there’s not much point in posting about breaking into such a safe. This post is only about the mechanism of the lock and its workings. Because there is so little data about them to be found on the internet, even at such sites as keypicking and lp101, I figured I’d step up and do the research. It’s a bit long-winded but I hope it will serve as a general go-to for the basic design and function of these cheap electronic locks.

So let’s get right down into it. I acquired this lock from a friend who had to remove a safe and verify it was empty since nobody could remember the combo. Knowing that I was into locks and such, he kindly preserved the locking mechanism and electronics in good working order (very considerate since HIS method of opening safes would probably involve a cutting torch or power tools). I proceeded to immediately place them in my “drawer full of stuff”. Months later I ran across a fascinating online game at http://www.microcorruption.com in which you are challenged to reverse engineer a series of hypothetical electronic locks using data from a real microcontroller architecture. I got through the first few levels and then got stumped. But it inspired me to get to work on the real thing! So, I delved deep and recovered this hardware from my terrifying “drawer full of stuff”.

[image: P1000178.JPG]


Let’s take a quick look at what we’ve got here. There is a keypad to enter your code, two chips, a solenoid that prevents the handle on the safe from turning when the safe is locked, some LEDs, an annoying beeping thing (which I’ve covered with electrical tape in an only partially successful attempt to muffle it), and… a mystery cable, but more about that later. The rest of the stuff on the board is a variety of electrical components that pretty much just ensure that signals don’t have too much voltage, get routed the wrong way, and that the two chips are communicating to each other at the same speed. Aside from the fact that the whole setup doesn’t work without them, they can pretty much be ignored.

First things first, I took a look at the codes written on the surface of each chip and then searched for their data sheets. A data sheet is just a document written by the company that produces a chip that details its function and operation. That way somebody who wants to use the product can know whether or not it will work for their purposes. In reading the data sheets I learned that the smaller chip is of a class of memory devices called an EEPROM (Electronically Erasable Programmable ROM). That basically just means two important things for the lock: 1) Data can be written to the chip many times without special hardware or the necessity to remove it from the circuit it is in, and 2) It doesn’t lose its memory if the battery dies. That sounds a lot like a good place to store a bit of data that you don’t want to lose… like a passcode. The second chip is a microcontroller. It’s actually a Chinese knockoff of a rather popular microcontroller made by Atmel. I’ll bet it breaks all sorts of copyright laws. If you don’t know about microcontrollers, just think of them like very tiny microprocessors plus a bit of memory and some pins you can use like serial ports on a computer or like electronic switches, but all wrapped up into a single chip. You can write a program and put it onto the microcontroller itself and it will faithfully execute that program until the apocalypse or the batteries die, whichever comes first. The data sheet for the microcontroller didn’t hold any great surprises. The people who made the locking mechanism apparently just picked the cheapest microcontroller they could find, wrote a little bit of code, and sent the plan to the fabrication plant. Nevertheless, more study of the data sheets was necessary to continue investigation.

One of the things you will always find in a data sheet is the definition of what each and every pin on the chip is and does. This is indispensable information. However, it is important to understand that because a microcontroller is programmable, the definition of a pin is, in many cases, a definition of the various possible things it could do. Without dumping the code from the microcontroller and reverse engineering that, you have to take the pin definitions AND observation of its behavior in action to understand what it really is doing. That sort of observation can be accomplished through the use of a handy little tool called a logic probe. Basically you hook up its power and ground cables to the power and ground of the device you are probing and then poke the poky bit (technical term) at a wire or a pin going into a chip. It will beep with one tone and light up one color if the pin, wire etc. has a voltage and will beep and light up differently if it does not have a voltage. This is “digital 1” and “digital 0”. Red light means 1/on/voltage high, green light means 0/off/voltage low. A yellow “pulse” light flashes if the state of the pin being probed is rapidly shifting (i.e. data being transmitted across that line). Pretty simple, very effective.

[image: P1000177.JPG]


So, armed with logic probe and data sheets, I proceeded into reverse engineering battle and advanced upon the enemy. First, I followed the traces of each pin on the microcontroller and each pin on the EEPROM and took copious notes. Then I poked every pin (no jokes please) and noted its behavior under the following circumstances: turning the unit on, pressing each of the 12 buttons on the keypad, and the unit telling me that I had an incorrect code entered. This would have been 28 pins times 14 measurements for a total of 392 measurements but I was able to cheat a bit when I worked out which pins were just inputs of the keypad and which pins were simply attached to the plus or minus sides of the battery, etc. Regardless, I still took over 100 measurements. Doing this investigation in such ridiculous detail revealed a surprising datum. The “mystery port” mentioned earlier was attached to a pin on the microcontroller that was not attached to anything else whatsoever. In other words, it was an input to the microcontroller that no other combination of actions could duplicate. It was entirely unique, but was clearly an input device of some sort. So I fiddled with it! The inside of the port showed two pieces of metal about 1/4 inch apart. One of those metal pins was routed to the microcontroller as previously mentioned, and one was attached to the battery power. So, if you connected the two of them, you would have basically sent a digital “1” to the pin on the microcontroller. I jammed a piece of wire in there and all sorts of lights and beeps started going off, the electronic lock equivalent of New Year’s Eve. However, that didn’t help me figure out what I had just done.

I actually got a bit downcast about the whole thing at this point because I wasn’t sure where to go from there, so I hopped onto keypicking and searched around for electronic locks. Eureka! I found pictures (now no longer available from flickr) that showed the inside of an electronic door lock that looked suspiciously familiar. The person posting noted that a code reset button was present on the circuit board that, when pressed, allowed you to enter any arbitrary code you wanted. That sounded too good to be true, but I gave it a shot. I stuck a piece of wire into the mystery port and pressed 1-1-1 after the beeping stopped, then I pressed the enter key (“A” on my keypad). It beeped once more, and went quiet. I then entered 1-1-1 on the keypad and pressed enter again. The solenoid retracted, and I was “in”. I had successfully reprogrammed the lock.

That was nice and all, but I wanted to go further. I wanted to read the data stored in the EEPROM and manipulate it. In an effort to do this I purchased a neat little product called a Bus Pirate that allows you to hook up to chips and do all sorts of nefarious things. Unfortunately, I had to de-solder the chip from the board and I accidentally let the smoke out of the EEPROM. Apparently, once the magic smoke is gone, EEPROMs stop working. I didn’t see that in the data sheet. Oh well, maybe next time.

So there you have it. A long-winded, but hopefully interesting dissertation on the design and function of really, really insecure electronic safe locks.

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 12:59 am
by elbowmacaroni
Wow! I gotta say, nice write up there! I think that is going to have to be stickied!

Even if it's not the best mechanism in the world or anything, it was still a good coverage of em.

Keep it up

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 1:06 am
by faygo6
Very Nice!

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 6:20 am
by elbowmacaroni
Oh yeah... for some reason last night it must have somehow not clicked or something... your "mystery port" is very much most likely to be to apply "emergency power" for when the internal battery craps out. You hold a 9v battery onto it so that you can power the circuit and open the safe when it cannot on its own.

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 9:40 am
by rohare
elbowmacaroni wrote: your "mystery port" is very much most likely to be to apply "emergency power" for when the internal battery craps out. You hold a 9v battery onto it so that you can power the circuit and open the safe when it cannot on its own.


That was one of my hypothesis (what the heck is the plural of that?) as well, but it doesn't appear to be the case. There's no voltage regulation whatsoever in the circuit so hooking up anything more than about 6 volts (I don't recall the exact voltage spec, but it's not much higher than 5V) would destroy the microcontroller. Also, the port is only wired up to one of the "digital input/output" pins of the microcontroller. That pin cannot serve as a power source for the microcontroller, just a signal. The port definitely does allow for the safe to be opened, but it seems to be a straight up reset button in disguise, not a backup power source.

I've never seen the actual safe this circuit was installed in, but I imagine one of two scenarios being true. 1) The port is accessible from the outside, but hidden. Perhaps you have to remove the face of the keypad or outside surface and then jam a wire through a tiny hole and that allows a safe technician to reset the code for the hapless owner who forgot it. Or possibly 2) The port is in a known location in the door of the safe where drilling a small hole will give a safe technician access to it. In any event, whenever I run across a cheap electronically locked safe in the future, I'm going to keep my eyes open for any tiny holes, removable faceplates, any access ports near the batteries, etc. Anything that looks like it might allow a small metal rod or wire to get in there.

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 12:51 pm
by dmasters
I bet it's a 1-Wire connection. You said two pins, one to an input on the MC and the other to the battery... would it be the Ground? Probably for an override key, was this a hotel-type safe?

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 2:02 pm
by rohare
dmasters wrote: I bet it's a 1-Wire connection. You said two pins, one to an input on the MC and the other to the battery... would it be the Ground? Probably for an override key, was this a hotel-type safe?


Nah, it was to positive. It didn't do serial communication or anything, just a straight up input. All it did was pull that particular microcontroller pin high and it was evidently programmed that if that pin went high, it would reset the passcode and wait for a new code to be input. I even experimented with ignoring the port entirely and just shorting the pin to the battery and it let me put in a new code. It certainly was intended for an "override key", but only if you consider any piece of metal that fit into the plastic "port" housing to be a key. As to the safe, I have no idea what brand, type, size, etc. It was already disposed of before I could take a look.
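To make the behaviour rohare describes concrete, here is an added simulation of the controller logic (my own example, not the lock's firmware or anything from the thread). It models the keypad with "A" as enter, the stored code as a stand-in for the EEPROM, and the reset pin two ways: the permissive policy observed on the board, and a hardened policy that only honours the pin while the lock is already open, so the port cannot reprogram a locked safe. The 3-digit length and the "forgotten" code "742" are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>
#define CODE_LEN 3
#define KEY_ENTER 'A'   /* "A" is the enter key on the poster's keypad */
typedef struct {
    char eeprom_code[CODE_LEN + 1]; /* stands in for the external EEPROM */
    char buf[CODE_LEN + 1];         /* digits typed since the last enter */
    int  n;
    bool solenoid_retracted;        /* true = handle free to turn (safe open) */
    bool awaiting_new_code;         /* set after a reset, cleared on next entry */
    bool hardened;                  /* which reset policy this instance applies */
} lock_t;

static void lock_init(lock_t *l, const char *code, bool hardened) {
    memset(l, 0, sizeof *l);
    strncpy(l->eeprom_code, code, CODE_LEN);
    l->hardened = hardened;
}

/* The "mystery port" pin as observed: driving it high makes the firmware
 * discard the stored code and accept the next entry as the new one. The
 * hardened policy ignores the pin unless the lock is already open. */
static void reset_pin_high(lock_t *l) {
    if (l->hardened && !l->solenoid_retracted)
        return;
    l->awaiting_new_code = true;
    l->n = 0;
}

/* Feed one keypad press. Returns true if the solenoid retracted on this press. */
static bool keypress(lock_t *l, char key) {
    if (key != KEY_ENTER) {
        if (l->n < CODE_LEN) l->buf[l->n++] = key;
        return false;
    }
    l->buf[l->n] = '\0';
    bool opened = false;
    if (l->awaiting_new_code) {
        if (l->n == CODE_LEN) {
            strcpy(l->eeprom_code, l->buf);   /* new code written to "EEPROM" */
            l->awaiting_new_code = false;
        }
    } else if (l->n == CODE_LEN && strcmp(l->buf, l->eeprom_code) == 0) {
        l->solenoid_retracted = true;
        opened = true;
    }
    l->n = 0;
    return opened;
}

/* Replays the post's sequence against a lock whose code is forgotten:
 * pull the pin high, enter 1-1-1 A, then 1-1-1 A. Returns whether it opened. */
static bool replay_thread_sequence(bool hardened) {
    lock_t l; lock_init(&l, "742", hardened);   /* "742" is a constructed code */
    reset_pin_high(&l);
    bool opened = false;
    for (const char *p = "111A111A"; *p; p++) opened |= keypress(&l, *p);
    return opened;
}
```

With the permissive policy the replay opens the lock without ever knowing "742"; with the hardened policy the same sequence is rejected, which is the property a defender wants from a reset input that is reachable with a piece of wire.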

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 2:20 pm
by scudo
I think it may be the reset button. I have one that is a Yale. I will take the cover off it and get a picture as it may help if you see a connected one.

[image: safea.jpg]


[image: board.jpg]

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Fri May 02, 2014 11:06 pm
by rohare
Hey Scudo, that's very similar in design but I don't see a separate memory chip. The microcontroller itself probably has a small on-board bit of non-volatile memory that the lock designers are using instead of a separate chip. As to the reset feature, I suppose it is possible that this "port" is actually just a broken piece of what used to be a simple push-button, but I didn't notice any sign of breakage/damage. In either case, it serves the same purpose.

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Sat May 03, 2014 3:38 pm
by LockManipulator
I understood very little :???: I took a look at that site with the game and didn't even understand the tutorial! lol. How do I get into this stuff? Reverse engineering electronic hardware sounds super awesome!!

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Sat May 03, 2014 3:50 pm
by scudo
rohare wrote: I suppose it is possible that this "port" is actually just a broken piece of what used to be a simple push-button


Do you want further pictures of the reset button (close ups)? I could have a look and see if I can disassemble the button and what it looks like with the button removed; with the cheapness of these safes I wouldn't be surprised if bits just fall off. I only have it because it was my son's and I `bumped` it open in seconds so he told me to keep the heap of S...!

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Sat May 03, 2014 7:54 pm
by rohare
Scudo: nah, don't trouble yourself. The fact is I'll never know for sure, and the really important part is that this back door exists at all and seems to be prevalent in various different versions of the basic circuit. Looks like a lot of people have been copying each other's bad design.

Hey Daggers, If you really want, you can see how far down the rabbit hole goes... but I'll break it down a bit. "Reverse Engineering" is, obviously, figuring out how something was engineered in the first place by analyzing the finished product. This applies to both hardware and software. You could reverse engineer a software product (that's how serial numbers and copy protection gets cracked) and I know next to nothing about that subject. You can also reverse engineer electronic hardware products, which is mostly a matter of learning about electronics. Then there's the magical fusion of the two, which is reverse engineering an "embedded system". You've got an embedded system any time you have software running on hardware and that software is not intended to be heavily interacted with by a user, except perhaps as an appliance. I'm not sure that's a fantastic definition, but take your coffee maker as an example. If you can do anything fancy with it such as schedule when it brews, then you are interacting with an embedded system. Somewhere in that coffee machine will be a microcontroller that is running software that a programmer wrote to control the physical activity of a hardware system. That's an embedded system, the fusion of hardware and software. There's embedded systems in your car, microwave, stereo, alarm clock, etc. so there's no shortage of things for you to experiment on (start with the alarm clock, not the car... or the microwave). Just take something small and simple, which has some measure of "intelligence", and take it apart (unplug it first!). Look at the different components and search the internet for explanations of what they are. Look up data sheets, look up the words in data sheets, read copiously everything you can find on each word you don't understand (this was once referred to by someone on the interwebs as "doing a deep geek"). Or, even better, buy yourself an Arduino Uno and start hacking. I'm not even kidding, you'll be making your own embedded systems in a few days and that's worth taking apart 20 alarm clocks in terms of education (cheaper too). You'll be learning electronics and embedded software development at the same time.

Finally, if you want to get to the rock bottom of the rabbit hole, you need to study microprocessor architecture and the relationship between assembly language and machine code. It is NOT necessary to do this in order to have a ton of fun and learn a heck of a lot about embedded systems. But if you really want to do it, start with an educational project I did a few years ago called the "Elementary Microprocessor". I tried to make it as painless as possible, but don't say I didn't warn you. :shock: I did that project because I was sick and tired of knowing that, even though I knew a lot about computers, I still didn't honestly understand how they did anything. I got down to the processor and just said "it's black magic inside that box". :twisted: So I learned myself up on some microprocessor architecture and now I can honestly say I understand how a computer works.

I got stumped on the microcorruption challenge because I was simultaneously trying to learn the low level hardware design of an embedded system I've never used before, learn its assembly language, and learn the entire subject of software reverse engineering at the same time. Don't even worry about that stuff until you've got a good foundation to build on. Either get the Arduino and go the electronics/embedded systems route, or get some software tools for reverse engineering software and go that route. The microcorruption challenge assumes you've got a good grounding in both.

Have fun, and don't get discouraged when nothing works. It'll come to you. PM me next week if it hasn't driven you crazy. :smile:

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Sun May 04, 2014 6:20 am
by LockManipulator
Wow that sounds like some pretty serious learning O.O I'll take a crack at it and let you know how it goes, though it sounds like it might actually drive me crazy! Electronics are not my forte lol

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Mon May 12, 2014 7:29 pm
by Oldfast
So I've been following along here.... or more like 'trying to keep up' lol.

This stuff is simply beyond me, but nevertheless interesting!

Thanks for sharing your hard work here rohare.

Re: Electronic Lock - Torn Down and "Manipulated"

Posted: Sat Mar 21, 2015 10:06 am
by 00247
Very interesting. I have absolutely nothing that I can contribute, but as I need to replace a S&G mechanical, your information reinforces my thoughts of staying as far away as possible from electronic locks. All those itty bitty things look like enemies to me. I will stay mechanical.