e-LockPicking: Opening Electronic Doors

1. Introduction to the Device:

I bought this lock under the brand of Tafta2015-04-07 00.54.05 but it seems the the original manufacturer, which seems to OEM it, is SoHoMiLL YL-99 Electronic Door (pointed by @revskills).

It is basically a lock which runs on batteries and allows the user to store different code entries. The master code, which has to start with 0, is the one that allows you to change the entry code of any other user (codes start from 1 to 9, so it can have 9 different codes besides the master one). We will later see why each of them starts with a different number.

In the manual you can find how to operate with it.

2. Architecture:

As can be seen in the schematic draw, the lock has the batteries and the electronics inside each knob.

The indoor part has, along with the batteries, a button to reset the passwords to the initial state; it supposed to be in the indoor knob because it is more secure ; ), The outdoors knob is pretty easy to open, it has 6 screws which can be removed in less than 2 minutes with an allen type screwdriver.

TAFTA LockDoor
Hight-Level description of the Lock

Since the electronics are hold inside the knob outdoors the power and the reset button are carried using three wires red, black and yellow (reset signal) from the back to the front of the lock, as can be seen below:

2015-04-07 12.47.03
Battery holder and reset button

The main components controlling the lock are the two noted below:

  • em78p156e: The main microcontroller, this is first time I see it, is a PIC clone, there is not much info about it around the internet. It wasn’t even easy to find the datasheet.
  • HK24c02: A simple I2C EEPROM memory.

3. Reading the eeprom

The first thing I did, after opening and studying the components, was to go straight away and sniff the EEPROM’s I2C port which will, for sure, hold some interesting data. I had to removed some resin before being able to hook the logic analyser, something pretty common on designs that go outdoors since it prevents damages caused by humidity.

The pic below shows the hooks on the eeprom and how good my phone’s optics are…

2015-04-07 08.37.01
Sniffing the I2C bus

 

The sniffed data shows some expected results, the eeprom holds the unencrypted numeric passcodes! And, if you remember from above, the master key has to start with 0, why? it is used as the eeprom address to get the code from.

Each time the micro receives and input code from the keypad and, before validating it, issues a i2c read at the address indicated by the first number of the sequence. Then it reads 6 bytes, each byte holding 2 pass-code numbers in each number, in backwards order.

To trigger this capture I just pressed 0 and the # key to trigger the whole code verifying process so I could be able to record the real passcode store in the EEPROM.

The below capture shows a real sequence:

  1. The first value 51h is the i2c command
  2. The 00h is the actual address where we want get the data from. We are trying to get the master code.
  3. The B3h: 0x03 is the number of digits the stored passcode has, in this case it is 3.
  4. 0x32, 0x1A: The real code is 123, the 0xA is some kind of mark for the end of the code.
master-pass-key
Capture from the I2C bus

 

4. Reseting the device

Another way of abusing this device from outside, is to issue a reset command so all the passwords are set to default (01234 for master code). This thing is the easiest since there is even a labeled contact point for it!

The reset signal is active low so this means that at steady state it is at 6V, if we want to trigger the associated action we have to move it to 0V; this can be seen in the picture below:

Triggering the Reset Signal
Triggering the Reset Signal

After a few seconds holding the reset pad connected to the ground we will see a beep sequence that shows the reset has been performed, a 3secs video below:

 

5. Conclusion

Well, beside my phone shoots pretty good damn photos… you can make your own ; )

5 thoughts on “e-LockPicking: Opening Electronic Doors

  1. Great work. But there isnt a easier attack? If relay is in outdoor knob.. why not simply hot wire relay and open door?

  2. how is the board “pair” or secured to the other side or to the lock. Why not scout the lock of the victim go buy the same lock set up my own code 123 pop open their cut the wire then connect my board already programed with 123? I under stand thats defeating the whole point of what you are doing here and it would not longer be stealth but ..

Comments are closed.