Electronic Lock - Torn Down and "Manipulated"
Note: This is not a post about destructive entry. In fact it’s not a post about entry at all. These sorts of safe locks can be bypassed in ridiculously simple ways (search YouTube for “safe cracked with a potato” if you don’t believe me), so there’s not much point in posting about breaking into such a safe. This post is only about the mechanism of the lock and its workings. Because there is so little data about them to be found on the internet, even at such sites as keypicking and lp101, I figured I’d step up and do the research. It’s a bit long-winded, but I hope it will serve as a general go-to for the basic design and function of these cheap electronic locks.
So let’s get right down into it. I acquired this lock from a friend who had to remove a safe and verify it was empty since nobody could remember the combo. Knowing that I was into locks and such, he kindly preserved the locking mechanism and electronics in good working order (very considerate since HIS method of opening safes would probably involve a cutting torch or power tools). I proceeded to immediately place them in my “drawer full of stuff”. Months later I ran across a fascinating online game at http://www.microcorruption.com in which you are challenged to reverse engineer a series of hypothetical electronic locks using data from a real microcontroller architecture. I got through the first few levels and then got stumped. But it inspired me to get to work on the real thing! So, I delved deep and recovered this hardware from my terrifying “drawer full of stuff”.
Let’s take a quick look at what we’ve got here. There is a keypad to enter your code, two chips, a solenoid that prevents the handle on the safe from turning when the safe is locked, some LEDs, an annoying beeping thing (which I’ve covered with electrical tape in an only partially successful attempt to muffle it), and… a mystery cable, but more about that later. The rest of the stuff on the board is a variety of electrical components that pretty much just ensure that signals don’t carry too much voltage or get routed the wrong way, and that the two chips talk to each other at the same speed. Aside from the fact that the whole setup doesn’t work without them, they can pretty much be ignored.
First things first, I took a look at the codes written on the surface of each chip and then searched for their data sheets. A data sheet is just a document written by the company that produces a chip that details its function and operation. That way somebody who wants to use the product can know whether or not it will work for their purposes. In reading the data sheets I learned that the smaller chip is of a class of memory devices called an EEPROM (Electrically Erasable Programmable ROM). That basically just means two important things for the lock: 1) data can be written to the chip many times without special hardware or the necessity to remove it from the circuit it is in, and 2) it doesn’t lose its memory if the battery dies. That sounds a lot like a good place to store a bit of data that you don’t want to lose… like a passcode. The second chip is a microcontroller. It’s actually a Chinese knockoff of a rather popular microcontroller made by Atmel. I’ll bet it breaks all sorts of copyright laws. If you don’t know about microcontrollers, just think of them like very tiny microprocessors plus a bit of memory and some pins you can use like serial ports on a computer or like electronic switches, but all wrapped up into a single chip. You can write a program and put it onto the microcontroller itself and it will faithfully execute that program until the apocalypse or the batteries die, whichever comes first. The data sheet for the microcontroller didn’t hold any great surprises. The people who made the locking mechanism apparently just picked the cheapest microcontroller they could find, wrote a little bit of code, and sent the plan to the fabrication plant. Nevertheless, more study of the data sheets was necessary to continue the investigation.
One of the things you will always find in a data sheet is the definition of what each and every pin on the chip is and does. This is indispensable information. However, it is important to understand that because a microcontroller is programmable, the definition of a pin is, in many cases, a definition of the various possible things it could do. Without dumping the code from the microcontroller and reverse engineering that, you have to take the pin definitions AND observation of its behavior in action to understand what it really is doing. That sort of observation can be accomplished through the use of a handy little tool called a logic probe. Basically you hook up its power and ground cables to the power and ground of the device you are probing and then poke the poky bit (technical term) at a wire or a pin going into a chip. It will beep with one tone and light up one color if the pin, wire, etc. has a voltage and will beep and light up differently if it does not have a voltage. This is “digital 1” and “digital 0”. On mine, a red light means 1/on/voltage high and a green light means 0/off/voltage low. A yellow “pulse” light flashes if the state of the pin being probed is rapidly shifting (i.e. data being transmitted across that line). Pretty simple, very effective. One caveat: the probe only tells you the level on a pin, not whether that pin is an input or an output, so you still need the traces and the data sheet to interpret what you see.
So, armed with logic probe and data sheets, I proceeded into reverse engineering battle and advanced upon the enemy. First, I followed the traces of each pin on the microcontroller and each pin on the EEPROM and took copious notes. Then I poked every pin (no jokes please) and noted its behavior under the following circumstances: turning the unit on, pressing each of the 12 buttons on the keypad, and the unit telling me that I had entered an incorrect code. This would have been 28 pins times 14 measurements for a total of 392 measurements, but I was able to cheat a bit once I worked out which pins were just inputs from the keypad and which pins were simply attached to the plus or minus sides of the battery, etc. Regardless, I still took over 100 measurements. Doing this investigation in such ridiculous detail revealed a surprising datum. The “mystery port” mentioned earlier was attached to a pin on the microcontroller that was not attached to anything else whatsoever. In other words, it was an input to the microcontroller that no other combination of actions could duplicate. It was entirely unique, but was clearly an input device of some sort. So I fiddled with it! The inside of the port showed two pieces of metal about 1/4 inch apart. One of those metal pins was routed to the microcontroller as previously mentioned, and one was attached to the battery power. So, if you connected the two of them, you would have basically sent a digital “1” to the pin on the microcontroller. I jammed a piece of wire in there and all sorts of lights and beeps started going off, the electronic lock equivalent of New Year’s Eve. However, that didn’t help me figure out what I had just done.
I actually got a bit downcast about the whole thing at this point because I wasn’t sure where to go from there, so I hopped onto keypicking and searched around for electronic locks. Eureka! I found pictures (now no longer available from flickr) that showed the inside of an electronic door lock that looked suspiciously familiar. The person posting noted that a code reset button was present on the circuit board that, when pressed, allowed you to enter any arbitrary code you wanted. That sounded too good to be true, but I gave it a shot. I stuck a piece of wire into the mystery port and pressed 1-1-1 after the beeping stopped, then I pressed the enter key (“A” on my keypad). It beeped once more, and went quiet. I then entered 1-1-1 on the keypad and pressed enter again. The solenoid retracted, and I was “in”. I had successfully reprogrammed the lock. Note what that means: anyone who can reach that connector can set a new code without knowing the old one, because the lock never asks for any proof that the person pulling the line high is the owner.
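To make the mechanism concrete, here is a small C model of the lock as the post describes it. This is an added example, not the lock’s real firmware (which was never dumped) and not code from the original post. The state machine, the EEPROM layout (byte 0 = code length, following bytes = digits), the maximum code length, the beep counts, the “forgotten” code 4729 and the hardened variant that only accepts the reset line while the lock is already open are all assumptions made here for illustration.

```c
/* Added example, not the lock's real firmware (which was never dumped):
 * a model of the behaviour the post observed. The state machine, EEPROM
 * layout, maximum code length, beep counts and the "hardened" variant are
 * assumptions made here for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE  8     /* assumed maximum code length */
#define KEY_ENTER 'A'   /* "A" is the enter key on the post's keypad */

enum lock_state { LOCKED, PROGRAMMING, OPEN };

struct lock {
    uint8_t eeprom[1 + MAX_CODE];  /* simulated EEPROM: [0] = length, [1..] = digits */
    char buf[MAX_CODE];            /* digits typed since the last enter */
    uint8_t buf_len;
    enum lock_state state;
    bool solenoid_retracted;       /* true = the handle can turn */
    bool require_open_to_program;  /* hardened variant (assumption) */
    unsigned beeps;
};

static void store_code(struct lock *l, const char *digits, uint8_t len)
{
    if (len > MAX_CODE) len = MAX_CODE;
    l->eeprom[0] = len;
    memcpy(&l->eeprom[1], digits, len);
}

static bool code_matches(const struct lock *l)
{
    return l->buf_len == l->eeprom[0] && memcmp(&l->eeprom[1], l->buf, l->buf_len) == 0;
}

void lock_init(struct lock *l, const char *code, bool hardened)
{
    memset(l, 0, sizeof *l);
    store_code(l, code, (uint8_t)strlen(code));
    l->require_open_to_program = hardened;
}

/* The "mystery port": an otherwise unconnected MCU input that a jumper pulls to battery +. */
void lock_reset_line(struct lock *l, bool high)
{
    if (!high) return;
    if (l->require_open_to_program && l->state != OPEN) {
        l->beeps += 1;           /* hardened: ignore the line unless already open */
        return;
    }
    l->buf_len = 0;
    l->state = PROGRAMMING;
    l->beeps += 5;               /* the light-and-beep show */
}

void lock_key(struct lock *l, char key)
{
    if (key != KEY_ENTER) {      /* buffer digits until enter */
        if (key >= '0' && key <= '9' && l->buf_len < MAX_CODE)
            l->buf[l->buf_len++] = key;
        return;
    }
    if (l->state == PROGRAMMING) {
        if (l->buf_len > 0)
            store_code(l, l->buf, l->buf_len);   /* new code goes to EEPROM */
        l->beeps += 1;
        l->state = LOCKED;
    } else if (code_matches(l)) {
        l->state = OPEN;
        l->solenoid_retracted = true;
    } else {
        l->state = LOCKED;
        l->solenoid_retracted = false;
        l->beeps += 2;           /* wrong code */
    }
    l->buf_len = 0;
}

void lock_type(struct lock *l, const char *keys)
{
    while (*keys) lock_key(l, *keys++);
}

/* Re-enacts the post's procedure: jumper the port, set 1-1-1, then open with it. */
bool reprogram_via_reset_line(struct lock *l)
{
    lock_reset_line(l, true);
    lock_type(l, "111A");
    lock_type(l, "111A");
    return l->solenoid_retracted;
}

/* Returns true if the lock ends up open. The "forgotten" code 4729 is constructed. */
bool scenario(bool hardened, bool owner_knows_code)
{
    struct lock l;
    lock_init(&l, "4729", hardened);
    if (owner_knows_code) lock_type(&l, "4729A");   /* legitimate owner opens first */
    return reprogram_via_reset_line(&l);
}

int main(void)
{
    printf("stock lock, code unknown:    %s\n", scenario(false, false) ? "opened" : "stayed shut");
    printf("hardened lock, code unknown: %s\n", scenario(true, false) ? "opened" : "stayed shut");
    printf("hardened lock, owner:        %s\n", scenario(true, true) ? "opened" : "stayed shut");
    return 0;
}
```

The stock model accepts a new code from the reset line with no check at all, which is exactly the weakness the jumper wire exposed. The hardened variant (an assumption, not something the page describes) ties reprogramming to the lock already being open, so the current code still has to be entered once before the line does anything; a reset input that sits where anyone can reach it needs that kind of gate.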
That was nice and all, but I wanted to go further. I wanted to read the data stored in the EEPROM and manipulate it. In an effort to do this I purchased a neat little product called a Bus Pirate that allows you to hook up to chips and do all sorts of nefarious things. Unfortunately, I had to de-solder the chip from the board and I accidentally let the smoke out of the EEPROM. Apparently, once the magic smoke is gone, EEPROMs stop working. I didn’t see that in the data sheet. Oh well, maybe next time.
So there you have it. A long-winded, but hopefully interesting dissertation on the design and function of really, really insecure electronic safe locks.