I, Hacker

Receiving compile error below...
sketch_jul25a:212: error: missing terminating ' character
sketch_jul25a:213: error: missing terminating ' character
sketch_jul25a.cpp: In function 'void dump()':
sketch_jul25a:213: error: expected `)' before numeric constant
sketch_jul25a:219: error: expected `;' at end of input
sketch_jul25a:219: error: expected `}' at end of input

for the following line...

Serial.print('
'); for(int i = 0; i < 3; ++i) { int val = EEPROM.read(4 + i); if(val < 16) Serial.print('0'); Serial.print(val, HEX); } Serial.print(' '); for(int i = 0; i < 64; ++i) { int val = EEPROM.read(4 + 3 + i); if(val < 16) Serial.print('0'); Serial.print(val, HEX); if((i & 3) == 3) Serial.print(' '); } Serial.print(' '); }

Hey, sorry about that; that's what I get for making edits on the fly and not testing *grumble*.

I've updated the paper with a known-absolutely-good version; let me know if you have any problems with it.

Can you recommend a microprocessor here in the uk?

It seems someone is liquidating a hotel on eBay right now and you can pick up your own lock for < $100. What timing....

Would you share how you obtained or figured out the communication protocol and the structure of the electrical signal?

Would you share how you obtained or figured out the communication protocol and the structure of the electrical signal?

I see we're still trying to piss off and educate the populous Cody...I miss those days back in Comp Tech :D

Is an Arduino with 128k memory really needed? Would a cheaper Arduino do? What is minimum memory needed?

Brilliant- You deserve a prize for that work.
Not clear if the board is powered by a battery or does it get power from the socket?

N8ZACH: I'll be posting about the discovery of all this stuff in the near future.

xmitman: I just had this board sitting around; I'm sure you could do it with far, far less memory and all that. Let me know if you have success with other boards.

ty tower: Thanks! The lock is powered by its batteries, the Arduino has to be powered separately; I just hooked a 9v battery up to the DC port on my mega.

Think you could post some example encrypted and decrypted cards and 32bit keys, so that we can port the code to other languages, and verify the crypto is working correctly?

Definite fail in security for being able to just read out the memory like that.

CaitSith2: You really don't need any example data/keys; the keys are totally random (or at least, I hope they are -- Onity assigns them) and the keycards aren't really important for the crypto. You can just generate a data blob and a key and test it out yourself. Make some datasets using the code in the paper, and you can test that.

Won't you have problem for this ? How do you discovered this fail ? PS: nice work

Wayyyy coool...

If you have all the code right and you have the balls to post it. Conrats should rock a few cages in a month or two. Nice.

I copied the newest code and put it straight on an Arduino uno. It worked 100% first time using latested version of arduino software. I pulled pin 3 high with a resistor and connected it to barrell connector. The door opened 100%. I noticed that it does not spit the site code out the serial port (probably the lastest code has that taken out). Also you need to connect barrell connector FIRST, then power on Arduino, then the door opens 100%, not the other way around. The uno has no press to reset button so I just pulled out the USB power/data lead, and once plugged in the light on the door went green. As I also have a valid room key for the room so no harm no foul but smiles all round!!

I am guessing the quick fit for hotels is to put some sort of capacitor in line, or cut a trace so the battery can still be charged via this connector but it cannot be used to read the memory contents. This would not allow programming/repair via this port but it would make it more difficult for script kiddies to enter rooms.

Use your knowledge for good people.

Glad to hear that others have been able to reproduce this.

The latest version indeed doesn't have the serial stuff; I went back to my original, known-good version. In fact, I wonder if the addition of all the new code is what threw off the timing and made it fail so much during testing for the Forbes article...

One question: Did I get the size of the connector right in the paper? I was pretty sure I did from memory, but I didn't have the exact size handy when I wrote that.

Despite what you may think, this was a good talk - one of my favorite at BlackHat this year. Thanks for presenting!

Does this work on the uno too? Or a mega 2560? And where can i get a hold of the barrel plug for this, cant seem to find those dimentions anywhere. Very good job, and thanks for the how to.

Was the barrel connector a male or female plug? Cant find the male version 5x2.1mm but found a female one... Maybe the plugs dimensions are actually 5.5mm x 2.1 mm? That seemed readily available for purchase. Please reply! Thx

T: Thanks!

conmor: According to A nony moose, it works on the Uno, but I've only tested on the Mega 128 myself. I bet it'll work on anything, though. As for the barrel plug, it's male (should put that in the paper...) and it may be 5.mm x 2.1mm; don't have the exact size handy. I picked mine up at Radioshack

so does appendix b have anything to do with the arduino sketch, or if i am using arduino can i completely ignore it? what would the python script be for if this is arduino based?? thanks.

cmor: Appendix B has nothing to do with opening the lock or the Arduino sketch; it's just the encryption used for cards.

Ok thanks for the help. One more question: do you need to take off anything from the lock to access the female plug on the lock? (ie remove a lid or a piece of plastic from the outside of the lock?) thanks so much.

conmor: No, the port is completely accessible.

Cody: first off.. awesome paper.. i have all intentions on testing this next week. I have a few questions: 1.) would you mind posting a full parts list? 2.) could you link to the software used to read the cards directly? I have an msr606 with default software and I can not read the tracks on the cards.. I get no data reads from the reader.. and many hours of searching have lead no where for software.

I look forward for more information and will follow this paper tightly.. thanks again!

RicksToyRoom: The full parts list for the opening device is listed in the paper. As for the software, I'll have to whip something up when I have time, but I've not had any problem reading cards using the raw mode on the MSR805 -- any of the MSR206-based encoders should work perfectly. Just keep in mind that Onity only uses track 3.

Is there anu chance that this may set off an alarm or silent alarm? Is it safe to try it on your hotel room? Thx

Did you ever confirm the dc plug size? Thanks

A couple of suggestions:

1. Changing the declarations "unsigned char bval" to "volatile unsigned char bval" to prevent certain compiler optimizations from breaking the code (see http://arduino.cc/en/Reference/Volatile for more info on this.) Not a big deal, as it apparently works now, but the current code could break under certain circumstances.

1. For anyone wanting a source for the male barrel plug, DigiKey.com stocks them. For a 5.5 mm OD and 2.5 mm ID, order part CP3-1001-ND. For a 2.2 ID, order part CP3-1000-ND. Both are $1.36 quantity 1.

I can confirm that 5.0mm x 2.1mm works fine.. it plugs in perfectly snuggly.. my issue was possible bad code.. have updated new code that will be tested this week.

failed to load PDF for the slides, can you check the link please

Hey Cody - any alternate timings for the lock? I'm not having a lot of luck here getting the lock to work at the moment. It's not responding at all.

I've confirmed via a logic probe that i'm sending the correct data to the lock as per the paper. 20us sync pulses separated by 200us for 0 bit and pulling the line low for 12us between sync pulses for signalling a one bit. I've got the 1 bit being signaled at the same offsets as the pdf (sandwiched between a 60us high and 128us high) and i'm including the trailing sync pulse.

I've converted your code to C for a plain atmega168 on a custom board I've made - but that's sort of by-the-by. The output looks correct per the paper but the lock isn't playing ball.

I also know the lock is getting power as i'm getting voltages at various points on the lock's circuit.

Did you find any UART test points or JTAG points on the lock's circuit?

Here's an example of the logic probe trace showing a 200us high with a 12us low to signal a 1 bit http://i.imgur.com/futHq.png

kevin: Give it a try again -- seems to be fine for me. If it still doesn't work, let me know and I'll mirror it elsewhere.

make sure your barrel connecter is all the way in.. I used the original code from cody that he used in the news article.. and I plugged into a lock tonight -- didnt kick off.. I pushed the connecter a little and found out it wasnt all the way in the lock.. hit the button again and poof.. unlocked the door..

I put mine in a kit box from radio shack.. got a few other parts and basiclly added a switch.. one of the earlier post said that it works when you add power AFTER plugging into the lock - which I did.. and presto.. I need to re-work my prototype a little now.. maybe some quick disconnects on the switch.. some header pins to make a better connection.. and find a way to slim down the box.. I have photos of my rig on flickr.. http://www.flickr.com/photos/shdwknt/7701285502/in/set-72157630876614480/

I want try doing this myself. If I buy a Onity Lockset, do I need to buy the Portable programmer too? Or can I just make it work with the locks?

Ash: You don't need to program the locks for this to work, but if you want to do things like map out the memory, you'll need to be able to load the memory.

I ported this to an msp430 and built a device for less than $6. Here's my build http://vay8.net/osk

Zashi: Awesome stuff! It got me thinking, why not use the ATtiny45? Should be as cheap and as easy. (If not easier) I'll probably try doing that. Should be as small as your's. Best part, I can just use the arduino code. :D Only thing is I won't have an onity lock to test it out when I build it. :X

Onity claims they are working on a firmware update. Probably trying to calm there customers down
http://en.onity.com/support/Pages/Onity-Statement.aspx

Since it's a binary data stream, I don't see any reason this can't be ported to an iPhone or Android app, using a standard headphone jack connected to K-size DC connector (aside from maybe voltage).

Thoughts on this?

Me: I've actually been thinking about that. There are two issues: 1) headphone jacks don't provide enough power, and 2) the circuitry required to handle the bi-directional stream would be kind of a pain in the ass. I can't see how it'd be possible, but I'm not an EE.

I'm thinking about how the Onity system is applied in many college housing situations (I work for a college housing department with Onity locks). The end-user software hides pretty much all of the operational details of the system, which left me wondering how 'suite' or 'common area' situations are handled. For example, if you have a common room which all of the residents of a building can unlock. I haven't been able to come up with an explanation of how this works that doesn't involve a card having more than one key value, which I don't think is allowed. Unless some other value is used for this purpose? Thanks for any explanation or ideas you have.

Oops... with more research I just answered my own question. It's pretty easy to find this in the technical manual that's available online, but I didn't look at it for a while because of my strong dislike for Scribd, which is the only place I can find it (anyone that knows of another source of this manual would be much appreciated).

HT24s can be programmed to various 'modes', the most common of which is 'normal mode', which operates the way Brocious' paper describes. There are several other modes of interest though, two of which are Foyer Mode and Selective Mode.

From what I see in the manual, a lock in Foyer Mode only checks to see if the site code is correct and if the card has 'any applicable authorization'. I assume this means that the authorization byte Brocious mentioned can be used as a mask or an authorization code to allow only some cards access to foyer locks (maybe for separate buildings or different departments, for example). The manual says that locks in Foyer mode do not use the key code at all.

The other mode of interest is Selective Mode. This mode lets a lock accept up to 500 different keys, but it does check key codes so that you can specify exactly which keys. The manual says that if you want to authorize more than 250 keys the audit log must be disabled, so this strongly suggests to me that selective mode just works by making the code keys section of lock memory reallllyyy long. So pairings of, e.g., lounges to rooms are determined at programming time. This is potentially useful, because it means that reading out the memory of a lock on a common room would allow you to get the guest key values for a large number of rooms. Fortunately I do not think there is a way to correspond these key values to specific other rooms without trying them all.

Sorry if this is common knowledge, it's new to me.

This might be a neat use for the upcoming Digispark using the attiny85

This is a hallmark of poor design - why didn't these idiots put the data port on the INSIDE of the hotel room? That way, only people who can gain entry to the room legitimately can access the data port. Stupid stupid stupid.

frank booth - manufactures want streamlined products. to put the port inside would obviate the ability to charge dead batteries. but you are correct in asserting that the data port should be inside and the power port left out

monoolan: The port is not used for charging at all; batteries are exposed on the outside and replaced as needed.

@frank booth - try thinking things through, its not difficult. one of the functions of the PP is to open the door, including deadbolt override, in an emergency situation. also, when the batteries die, at least on some models, the lock needs to be re-programmed with the PP before a card will work correctly.