
Masterlock 1500eXD Teardown


rohare

Familiar Face

Posts: 34

Joined: Sat Sep 21, 2013 8:56 pm

Location: Los Angeles, CA

Post Wed Mar 04, 2015 2:49 am

Masterlock 1500eXD Teardown

It’s time for another episode of "Voiding Your Warranty In Style"!

Introducing the Masterlock 1500eXD

Image

I picked up one of those newfangled Masterlock 1500eXD’s in order to tear it down and figure it out. The 1500eXD is an electromechanical combination padlock that can accept up to 4 owner-programmable codes. You select which code you will be entering by picking a direction, then press the up, down, left, and right buttons in proper sequence to enter the combination for that direction. Each combination can be between 4 and 12 positions in length. Only the up position has the right to set and remove the other three using a central programming button. This gives you one administrator code and three guest codes. Finally, you can register the lock online and give them a special code from a sticker attached to the manual and receive a backup recovery code that is keyed in using the center button as the “direction”. This code and the original administrator code are already set when you buy your lock. The recovery code can set a new admin code and can set or remove any guest code. I chose not to register and get this code as the end user license agreement was a bit vague about a few things and I didn’t want to agree to it considering I was about to tear apart their product.

While I was waiting for it to arrive I did some research to see if I could find any FCC ID number or patent numbers related to it, but came up with nothing. I fully expected it to be a piece of junk that would fall over as soon as I looked at it, but I was pleasantly surprised to find that it is a very professional piece of work. The lock looks and feels VERY sturdy. It’s heavy, nothing looks cheap, nothing rattles, and nothing is loose. Pulling on the shackle is like pulling on a railroad car; there’s no give. The buttons are just firm enough to make it obvious that you’ve pressed them. The LEDs behind the buttons are programmable RGB types, so each one can independently display different shades and brightness. They clearly communicate by way of color, pulsing, and brightness what you have done correctly or incorrectly in much the same way that some Apple products do. Best of all: no annoying beeping things. Worst of all: I have to write all sorts of nice things about a company that isn’t paying me.

Image

When you put in the correct combination and open the shackle you hear a slight buzzing from a motor or solenoid so I tried subjecting it to dropping/whacking it really hard to see if a jolt would open it the way you can open a lot of cheap handgun safes. No luck there. When you close the shackle you hear the same buzzing and the shackle is kind of sucked back into the lock body. I tried tricking it into thinking the lock was closed when it was really open by lowering the shackle behind and in front of the lock body but that was ineffective. I also tried closing the shackle really fast and then pulling it out again and succeeded in getting the buzzing-closed noise, but it wasn’t fooled. It wouldn’t act as if it was in the closed state and when I lowered the shackle again it buzzed again and locked correctly. They seem to have taken into account most of the odd things that people will do when they get their hands on something new and shiny.

One interesting aspect of the lock is the way they handle the dead battery problem. The battery holder is in the bottom of the lock and you can pull it open with your fingernail. If the shackle is open it descends fully so you can replace the coin cell battery. If the shackle is closed, it descends only a few millimeters and exposes two metal leads and an indentation into which you can poke a 3V coin cell battery horizontally and hold it there while pressing in your combination. It’s like a jump start for your lock. Once done, you can open the shackle, and then open the battery holder completely to insert the new battery. The battery holder seems a bit flimsy and one of the metal leads tried to pop out but their dead battery solution is really elegant.

The 1500eXD meets Mr. Drill Press

Image

I read the manual, played with the lock, and looked for FCC ID #’s or patent numbers on the outside but only came up with a single obscure number that didn’t give me any clues (I assume it’s a lot number for quality assurance purposes). Next step, breaking in! This was harder than I expected. There are three domed rivets visible from the back and they are made of some very hard metal. I went at them with a drill press and broke two drill bits in the process. In retrospect it would have been easier to use larger bits and lean in a lot harder, but I was trying to be surgically precise. I didn’t know where anything sensitive was. I finally made it through and was able to lift off the back plate gently. The result… very impressive. Removing the back plate exposes the purely mechanical parts of the lock. The electronics are obviously on the other side beneath the buttons. The design and layout of the lock’s internals demonstrates that the engineers who designed it were really on the ball for this project. The longer I worked with the lock, the more I appreciated the many mechanical details that were executed in style.

I’ll take up the interesting bits point by point so they can be followed on the picture. 1) The shackle is held in place by a pair of greased cylinders. Also note that the shackle is “dead”, not spring loaded, so you must actually pull on it to open after entering a correct code. 2) The shackle engages a cylinder that, in turn, blocks the battery holder from descending fully when the shackle is still closed. This is how they can expose that battery “jump start” feature. 3) The two shackle cylinders are held in place by a spring-loaded component closely resembling the “butterfly” mechanism in the legendary Sargent & Greenleaf 8008 (I refer to it as legendary because it makes me feel better about my failed attempt to manipulate one, even when using sensitive mechanical test equipment). I’ll call it a butterfly since I don’t know what it’s supposed to be called. 4) The butterfly is, in turn, held in place by a rotating cam below it. This prevents the descent of the butterfly while in one orientation, but allows it in the other, thus giving the shackle cylinders room to move and allowing you to open the shackle. 5) The orientation of the cam is controlled by a simple motor like you would see in a very small toy.

Image

With the components removed, some more interesting things come to light. 1) There are “JTAG” test points accessible on the circuit board from the mechanical side of the lock. These are commonly used for programming, testing, or debugging an embedded device. They are also one of the things that put a smile on the face of a hardware hacker. I have a theory as to why Masterlock would want these points accessible in a partially finished lock. They aren’t an electronics manufacturer (that I know of). I’ll bet they have a contract manufacturer produce the entire electronic portion for them (based on their design) and have it built into a partially assembled lock before being delivered to them and then they program the device and plug in the admin and recovery codes. Masterlock could then finish the lock by installing the mechanical parts and riveting it closed. That way their proprietary software and the all-important admin and recovery codes never leave their control. I also note that while the shackle is closed, the JTAG points are entirely blocked by the shackle itself. Try drilling through that to hack the device while it’s still locked! It’s a very nice design detail and more evidence they didn’t just bang out a cheap piece of junk for the masses. 2) The butterfly rides over a switch. This switch is clearly the way that the electronic part of the lock knows if the shackle is open or closed. 3) A ledge prevents the shackle from descending far enough to push the butterfly onto the switch when it is in any orientation other than directly inside the two shackle holes. Nice simplicity of design. 4) There is an access hole at the center as well. I’m guessing this is how they supply power to the device while testing and programming since there probably wouldn’t be a battery installed by then.

Image

The motor is really simple. It can spin in one direction or the other and the speed and duration can be determined by the microcontroller on the circuit board. When you put in a correct code it spins in one direction briefly, rotating the cam. This allows you to pull up the shackle shoving the cylinders out of the way and pushing down the butterfly which opens up the switch. The microcontroller now knows that you have opened the shackle. When you close it later the butterfly is allowed to spring back up out of the way of the cam and the switch is re-engaged. This signals the microcontroller to spin the motor in the other direction, causing the cam to rotate and block the butterfly from being pushed down again.

Overall it’s a really nice design with a lot of important details taken care of with simple mechanics. There are no obvious flaws to exploit. I will note that the only way into the lock without A) breaking it, B) knowing the code, or C) knowing some trick of logic that bypasses the codes on the electronics is the access port to the battery which is fairly close to the position of the pins that control the motor. However, this is not as easy to exploit as it might seem. The tolerances are very tight and you have to supply power. It seems like this should work given enough effort to make a tool to do it.

That's it for now. I've already begun working backwards from the circuit board to fully understand the operation of the lock and will be making attempts to communicate with the only component on the board having any storage or control ability.
Last edited by Riyame on Tue Apr 28, 2015 2:14 am, edited 3 times in total.
Reason: At request of OP
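As an added illustration (not code from the post or from Masterlock), here is a toy Python model of the interlock the teardown describes: a valid combination for one direction clears the cam, pulling the dead shackle opens the switch, seating it again re-locks on the switch edge, and only the up (admin) and center (recovery) codes can program the guest slots. The slot names and sample combinations are constructed assumptions.

```python
from dataclasses import dataclass, field

# Slot names follow the post: one combination per direction, "up" is the
# administrator slot and the center button selects the recovery code.
ADMIN, RECOVERY = "up", "center"
GUESTS = ("down", "left", "right")


@dataclass
class Lock1500eXD:
    """Toy model of the controller logic described in the teardown, not Masterlock firmware."""
    codes: dict                      # slot -> tuple of button presses (constructed sample data)
    cam_blocking: bool = True        # cam holds the butterfly up, so the shackle cylinders cannot move
    shackle_open: bool = False
    switch_engaged: bool = True      # butterfly resting on the switch means "shackle seated"
    authed: str = ""                 # slot most recently validated, used for programming rights
    motor_log: list = field(default_factory=list)

    def enter(self, slot, presses):
        """Validate a 4..12 press combination; a match spins the motor one way to clear the cam."""
        stored = self.codes.get(slot)
        ok = stored is not None and 4 <= len(presses) <= 12 and tuple(presses) == stored
        self.authed = slot if ok else ""
        if ok:
            self.motor_log.append("cam-clear")
            self.cam_blocking = False
        return ok

    def pull_shackle(self):
        """The shackle is dead, not spring loaded: pulling only works once the cam has cleared."""
        if self.cam_blocking or self.shackle_open:
            return False
        self.shackle_open = True
        self.switch_engaged = False  # butterfly pushed down, switch opens: controller sees "open"
        return True

    def close_shackle(self):
        """Seating the shackle lets the butterfly spring back onto the switch; the controller re-locks on that edge."""
        if not self.shackle_open:
            return False
        self.shackle_open = False
        self.switch_engaged = True
        self.motor_log.append("cam-block")  # motor spins the other way, cam blocks the butterfly again
        self.cam_blocking = True
        self.authed = ""
        return True

    def set_code(self, slot, presses):
        """Admin may program guest slots; recovery may program admin and guest slots; guests program nothing."""
        allowed = {ADMIN: GUESTS, RECOVERY: (ADMIN,) + GUESTS}.get(self.authed, ())
        if slot not in allowed or not 4 <= len(presses) <= 12:
            return False
        self.codes[slot] = tuple(presses)
        return True

    def remove_code(self, slot):
        """Only guest slots can be removed, and only by the admin or recovery code."""
        if self.authed not in (ADMIN, RECOVERY) or slot not in GUESTS:
            return False
        return self.codes.pop(slot, None) is not None


def new_lock():
    """Constructed sample lock with the two factory-set codes the post mentions."""
    return Lock1500eXD(codes={ADMIN: ("up", "down", "left", "right"),
                              RECOVERY: ("up", "up", "down", "down", "left")})
```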

Robotnik

Familiar Face

Posts: 154

Joined: Sat Nov 29, 2014 2:01 pm

Location: Oregon

Post Wed Mar 04, 2015 1:28 pm

Re: Masterlock 1500eXD Teardown

Nice teardown. First I've heard of this lock. I've gotta get myself one of these! I've cracked the 1590D and the 1500iD, so it's going to bother me if I can't break this one :smile:.

Oldfast

OldddffAASSTT the Spin Master Extraordinaire and American Lock Slayer

Posts: 4412

Joined: Thu Mar 31, 2011 9:16 am

Location: Michigan

Post Wed Mar 04, 2015 7:35 pm

Re: Masterlock 1500eXD Teardown

Very nice breakdown & write-up rohare! Thanks :)

I'm not real big on electrical things -- even so, it was an interesting read.

elbowmacaroni


Site Owner

Posts: 1354

Joined: Mon Nov 16, 2009 3:28 pm

Location: Florida

Post Thu Mar 05, 2015 3:50 am

Re: Masterlock 1500eXD Teardown

Rohare, thanks for the great write-up! This was a very interesting read and the supplementation with just the right images was well executed too. I am making this a sticky, so that people have a chance to read this without it getting buried. I sincerely hope that there is more to come in regards to other locks as well! Keep up the great work!

rohare

Familiar Face

Posts: 34

Joined: Sat Sep 21, 2013 8:56 pm

Location: Los Angeles, CA

Post Sat Mar 07, 2015 3:21 am

Re: Masterlock 1500eXD Teardown

On to the electronic portion of the lock.

Image

Here you can see the body of the lock, the side of the circuit board with most of the interesting features, and the battery/battery holder. In the center of the board are several copper pads that the battery and the leads on the battery holder connect to in order to supply power. The large one in the center touches the negative (ground) side of the battery and the smaller one to the upper right connects to the positive side of the battery via the lead on the battery holder. When the battery holder is pulled down to access the “jump-start” feature, the leads on the battery holder are lower and touch the two pads to the left (ground) and right (jump-start power). The ground connector is the same in both states, but the jump-start power is physically separate from the normal power pad and the two do not connect. When you use the jump-start feature the power you supply to it goes through a different power supply circuit which includes a fuse and some additional protection from over-voltage. In fact, the ground connector for the jump-start doesn’t even touch the ground of the battery, meaning that the main battery is not in circuit with any power supplied by the jump-start. I guess they are accounting for the inevitability that vandals will try to break somebody’s lock by applying too much voltage to it. In that case, as far as I can tell, they will just blow the fuse and the owner will still be able to push the battery holder back in and open their lock. If I’m reading the design right, only the jump-start feature would be broken. That’s really thinking ahead.

Near the top of the board, to the left of the switch that is controlled by the butterfly mechanism, you’ll see the microcontroller. That’s just a slow, small computer with a little bit of memory and some inter-chip communications capabilities, designed for embedded devices. It’s a Texas Instruments MSP430, which is known for being inexpensive and extremely power efficient, which makes it popular for battery powered devices.

Image Image

Here is the side of the board that the user interfaces with. It includes the input devices (five buttons) and the output devices (five LEDs, four of them blue, and one of them three-colored). In the first photo the thin film with the convex push buttons is in place and in the second photo it is peeled away, exposing the circuit board. The text on the top of the board appears to be an internal project number and the current revision of the circuit. The text to the bottom left is (I believe) just a variety of standards compliance data. For instance, the “94 V-0” text indicates the fire resistance standard of the board material.

Image Image

Here are both sides of the board displayed so that you can better see the copper traces connecting up the various components on the board. If you look carefully, you can see that there are traces not appearing on either side. There is at least one layer of copper traces sandwiched inside the board. This is not necessarily a security feature because it is a very common practice (some boards can have eight or more separate layers of copper), but it does make tracing out the circuit more challenging, even with only one internal layer.

Okay, that’s installment two. Next up, the various ways I tried to investigate the board and interrogate its components.

rohare

Familiar Face

Posts: 34

Joined: Sat Sep 21, 2013 8:56 pm

Location: Los Angeles, CA

Post Sun Mar 08, 2015 1:08 am

Re: Masterlock 1500eXD Teardown

After checking out the mechanical and electronic layout of the lock, I wanted to investigate specific components or the traffic between components on the board. This turned out to be a disappointment. The only component that has any logic or memory on it is the MSP430 microcontroller. There is no external memory, no sensors (other than buttons and switches), no communications components, nothing. Which is quite appropriate for a security device.

Image

First, I soldered up some wires to the power and ground and moved the battery off to a breadboard so that I could ensure I didn’t break the device while attacking it with a drill press and dismantling it. Everything worked just fine. Then I needed to see which JTAG test points were which. There are four that are necessary: power, clock, data in, and data out. This might seem like it should be obvious, but board designers can do whatever they want with the layout, so you actually have to check. Using the continuity test feature on a multimeter, and with power disconnected, you can probe a test point and then poke the chip’s pins to see which one the test point connects to, then check the datasheet to see what that pin is. I checked this out and also probed a few other things to make a working schematic of the board. While it is very incomplete, it covers the parts I was interested in.

Image

After that I wanted to see if I could dump working memory (where data is stored) or program memory (where the program itself is stored) and poke around so I soldered some header pins to the JTAG test points and wired up. This was the first time I’ve ever tried to work with this particular component, so when things didn’t work out I started doing some research. Unfortunately I found out that the MSP430 uses a substantially non-standard implementation of the JTAG protocol and my equipment didn’t know how to talk to it. I could get a programmer that would do the trick, but that would cost actual money just to satisfy my curiosity. In addition to that, there are internal fuses in the device that the programmers can blow after programming and testing a unit. These disconnect the JTAG pins from the rest of the device internally. While I can’t test whether or not this was done, I can’t imagine that the guys and girls at Masterlock would fail to take such an obvious security measure when they’ve done such a good job on the rest of the lock.

Image

That pretty much does it for the lock except to try building a tool to implement the non-destructive bypass method I suspect may be possible.

rohare

Familiar Face

Posts: 34

Joined: Sat Sep 21, 2013 8:56 pm

Location: Los Angeles, CA

Post Wed Mar 11, 2015 2:19 am

Re: Masterlock 1500eXD Teardown

Well, the bypass technique works after a fashion. I managed it once by luck and couldn't repeat it. The technique is to pull the battery holder down to expose the jump-start port. Then, insert two wires, one about a 1/10 inch higher, underneath the battery holder and move them approximately one inch up and then rotate them to the right. This brings them into contact with the exposed motor pins. The ends of the wires should be attached to a three volt battery and the higher of the two wires should be attached to the positive side of the battery. The one time I managed it, I heard the motor spin, but no blinking lights (since I bypassed the microcontroller). I opened the shackle no problem. When I closed the shackle it locked again and continued to work perfectly afterwards.

A more reliable way would be to get some plastic shim stock about 0.03 inches thick and melt two uninsulated solid core wires (I think 22 gauge would do it) into it with their ends exposed to the right side of the tip, one about 1/10 inch higher. The other ends of the wires would lead to the battery. This arrangement would keep the wires from shorting against each other and keep them from wandering around the circuit board unintentionally, and finally, would keep their tips at the correct spacing to contact the exposed motor pins. I could make one, but why bother? I'll just pick one up when they show up on lockpickshop (yeah right). :smile:
