e-LockPicking: Opening Electronic Doors

Gabriel Gonzalez
Apr 15, 2015

I bought this lock under the brand of Tafta, but it seems that the original manufacturer, which seems to OEM it, is the SoHoMiLL YL-99 Electronic Door lock (pointed out by @revskills).

It is basically a lock which runs on batteries and allows the user to store different code entries. The master code, which has to start with 0, is the one that allows you to change the entry code of any other user (user codes start with 1 to 9, so the lock can hold 9 different codes besides the master one). We will later see why each of them starts with a different number.

The manual describes how to operate it.

2. Architecture

As can be seen in the schematic drawing, the lock has the batteries and the electronics inside each knob.

The indoor part has, along with the batteries, a button to reset the passwords to the initial state; it is supposed to be in the indoor knob because that is more secure ; ). The outdoor knob is pretty easy to open: it has 6 screws which can be removed in less than 2 minutes with an Allen-type screwdriver.

Since the electronics are held inside the outdoor knob, the power and the reset button are carried by three wires, red, black and yellow (reset signal), from the back to the front of the lock, as can be seen below:

The main components controlling the lock are the two noted below:

  • EM78P156E: the main microcontroller. This is the first time I have seen it; it is a PIC clone, and there is not much info about it around the internet. It wasn't even easy to find the datasheet.
  • HK24C02: a simple I2C EEPROM memory.

3. Reading the EEPROM

The first thing I did, after opening and studying the components, was to go straight away and sniff the EEPROM's I2C port, which would, for sure, hold some interesting data. I had to remove some resin before being able to hook up the logic analyser, something pretty common on designs that go outdoors since it prevents damage caused by humidity.

The picture below shows the hooks on the EEPROM and how good my phone's optics are…

The sniffed data shows the expected result: the EEPROM holds the unencrypted numeric passcodes! And, if you remember from above, the master key has to start with 0. Why? That first digit is used as the EEPROM address to read the code from.

Each time the micro receives an input code from the keypad, and before validating it, it issues an I2C read at the address indicated by the first digit of the sequence. Then it reads 6 bytes, each byte holding two passcode digits, stored in reverse order.

To trigger this capture I just pressed 0 and then the # key, which starts the whole code-verifying process, so I was able to record the real passcode stored in the EEPROM.

The below capture shows a real sequence:

  1. The first value, 51h, is the I2C command.
  2. 00h is the address we want to read the data from; here we are fetching the master code.
  3. B3h: 0x03 is the number of digits the stored passcode has, in this case 3.
  4. 0x32, 0x1A: the real code is 123; the 0xA is some kind of mark for the end of the code.
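To make the storage format concrete, here is a small decoder for the slot record described above. It is an added example, not code from the original post or from the lock's firmware; the nibble order (high nibble first, on the bus) and the 0xFF padding filling the rest of the 6-byte read are assumptions, as is the consistency check between the length byte and the digits found, which the post does not say the lock performs.

```python
from typing import List, Tuple

# Constructed sample record for slot 0 (the master code "123"), as reported in the
# post: a digit-count byte followed by the digits packed two per byte in reverse
# order and closed with the 0xA mark. The trailing 0xFF bytes are an assumption
# standing in for the remainder of the 6-byte read; the post does not show them.
SAMPLE_MASTER_RECORD = bytes([0x03, 0x32, 0x1A, 0xFF, 0xFF, 0xFF])
END_MARK = 0xA      # nibble the post identifies as the end-of-code marker
RECORD_LEN = 6      # bytes read per code slot, per the post


def unpack_nibbles(data: bytes) -> List[int]:
    """Split each byte into its high and low nibble, in bus order (assumed)."""
    nibbles = []
    for b in data:
        nibbles.append(b >> 4)
        nibbles.append(b & 0x0F)
    return nibbles


def decode_record(record: bytes) -> str:
    """Recover the plaintext passcode from one 6-byte slot read.

    record[0] is the digit count; the following nibbles are the digits in reverse
    order, terminated by END_MARK. Raises ValueError when the record is
    inconsistent (that check is ours, not something the post attributes to the lock).
    """
    if len(record) != RECORD_LEN:
        raise ValueError(f"expected {RECORD_LEN} bytes, got {len(record)}")
    count = record[0]
    digits_reversed = []
    for n in unpack_nibbles(record[1:]):
        if n == END_MARK:
            break
        if n > 9:
            raise ValueError(f"non-decimal nibble 0x{n:X} before end mark")
        digits_reversed.append(n)
    else:
        raise ValueError("no end mark found in record")
    if len(digits_reversed) != count:
        raise ValueError(f"length byte says {count} digits, found {len(digits_reversed)}")
    return "".join(str(d) for d in reversed(digits_reversed))


def verify_entry(entered: str, record: bytes) -> Tuple[int, bool]:
    """Model the validation the post describes: the first keypad digit selects the
    EEPROM slot (0 = master) and the remaining digits are compared, in the clear,
    with what that slot holds. Returns (slot, match)."""
    if not entered or not entered.isdigit():
        raise ValueError("keypad entry must be one or more decimal digits")
    slot = int(entered[0])
    stored = decode_record(record)
    return slot, entered[1:] == stored


if __name__ == "__main__":
    print("stored master code:", decode_record(SAMPLE_MASTER_RECORD))
    print("entry 0123 ->", verify_entry("0123", SAMPLE_MASTER_RECORD))
    print("entry 0124 ->", verify_entry("0124", SAMPLE_MASTER_RECORD))
```

The point of the example is the one the capture makes: nothing between the keypad and the EEPROM transforms the code, so whoever can read the bus or the chip gets the same digits the legitimate user types.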

4. Resetting the device

Another way of abusing this device from outside is to issue a reset command so that all the passwords are set to their defaults (01234 for the master code). This is the easiest one, since there is even a labeled contact point for it!

The reset signal is active low, which means that at steady state it sits at 6V; to trigger the associated action we have to pull it down to 0V. This can be seen in the picture below:

After a few seconds holding the reset pad connected to ground, a beep sequence signals that the reset has been performed; a 3-second video is below:

5. Conclusion

Well, besides the fact that my phone shoots pretty damn good photos… you can make your own ; )

Originally published at http://www.gabrielgonzalezgarcia.com on April 15, 2015.
