ObliqueView posts an interesting series of images of the inside of a Kaba Mas X-09 electronic combination lock (link to manufacturer page and full set). These locks are expensive, but very highly regarded by many locksmiths. At the same time, many old-school locksmiths seem to distrust anything electronic. This seems to have hindered the security analysis of these locks.
I’ve not seen one of these away from a secure filing cabinet. They are very expensive, so this is a nice little insight into their workings. Some quick notes on what I can observe:
- The top of the large (ultra?) cap has been blanked out. I can’t imagine what you would need to hide.
- The pink/orange dots look like UV sensitive ink. This might be for post-intrusion forensics.
- The board has a conformal coating or lacquer. I’m surprised it isn’t fully potted – it would be better for security.
- It looks like a simple two-layer PCB.
- Something odd is going on with the vias. There are a lot of normal small circular vias covered by green solder mask. But a lot are large square, and not covered by solder mask. They might be test points, but that is a lot of them. (edit – I asked on Electronics Stackexchange, without seeding anyone’s mind, what they were – and got test points back. I can only assume because this has to be so reliable, they are into heavy testing)
- Looks like markings on the chips have been removed. This is token. You can identify nearly all processors and chips without markings.
- One of U1 looks like a serial EEPROM, from one side being common and the proximity to the larger chips. It looks like the footprint is designed to take two different sized ICs.
- PCB design is messy, not pleasing to the eye. I can’t work out if this is because it was autorouted, routed by someone inexperienced, or if it is just meant to be confusing to make probing hard.
If anyone has a broken one of these, I’d take it off your hands…
John
July 7, 2013 at 12:59pmRe: Looks like markings on the chips have been removed. This is token. You can identify nearly all processors and chips without markings.
Could you share any other tips for this? I’ll use an oscilloscope to look for activity on the pins to determine what they may be, but am not sure if I’m missing anything like a database of chips searchable by package, pin count, and some pin types 🙂
Great blog 🙂
-John