Extended version of the Mailbag 1483 teardown of the Kaba Mas X-09 High Security Electronic Lock Teardown
Support the EEVblog on:
Patreon: http://www.patreon.com/eevblog
Odysee: https://odysee.com/ @eevblog:7
Web Site: http://www.eevblog.com
EEVblog2: http://www.youtube.com/EEVblog2
EEVdiscover: https://www.youtube.com/eevdiscover
AliExpress Affiliate: http://s.click.aliexpress.com/e/c2LRpe8g
Buy anything through that link and Dave gets a commission at no cost to you.
Donate With Bitcoin & Other Crypto Currencies!
https://www.eevblog.com/crypto-currency/
T-Shirts: http://teespring.com/stores/eevblog
#ElectronicsCreators #Teardown #lock
Support the EEVblog on:
Patreon: http://www.patreon.com/eevblog
Odysee: https://odysee.com/ @eevblog:7
Web Site: http://www.eevblog.com
EEVblog2: http://www.youtube.com/EEVblog2
EEVdiscover: https://www.youtube.com/eevdiscover
AliExpress Affiliate: http://s.click.aliexpress.com/e/c2LRpe8g
Buy anything through that link and Dave gets a commission at no cost to you.
Donate With Bitcoin & Other Crypto Currencies!
https://www.eevblog.com/crypto-currency/
T-Shirts: http://teespring.com/stores/eevblog
#ElectronicsCreators #Teardown #lock
What is? I guess we're going to take this top thing apart and figure out what this sensor is. Um, but like there's no Ca. Oh yeah, no no no. it's going to say there's no cables going to it.
There's a little ribbon going down there. so I huh aha. I thought the name Kaaba rung a bell? Yes, Carver actually? uh, manufacture. Um, high security electronic locks.
Um for safes and other, you know, vault doors and other high security installations and stuff like that. And that's what we've got here. This is not a stepper motor. This is a this is the back part of this safe lock.
so that goes inside the safe. the part you want to, uh, secure and outside. Here you have what looks and feels like your traditional safe tumbler. So this carber X09, which I believe this one is and probably the X10 is probably the same and this is designed to simulate the look and feel the user interface of a Tumblr lock, but actually make it instead of having a mechanical uh lock on the back.
You know you spin it. You know, four times this way to the right number and then you spin it three times in the other direction to the right number and then two. and then one and that will open the uh, your traditional uh tumbler lock. Safe lock.
Well, this one simulates that, but with an electronic interface and I was um, thinking, well, where where are the numbers you know. I usually have like 0 to 99 around here and like an arrow so you know exactly where you turn it to. Well, this up here looks like it's actually an Lcd, so it looks like it would actually display the number and this would be mounted on the front of the door. Of course.
either safe door or other uh door it's mounted in like this. All you've got between them is a couple of ribbon cables like this because, um, this won't have any active electronics in it because in a high security electronic lock? Uh, you want to minimize the Um attack methods and I've done a whole video on electronic safe locks and uh, trying to actually do a side channel attack on them. So it looks like there's actually two. So I know three.
There's three ribbon cables inside this, just tiny little a couple, only a couple of, uh, three, or four uh pins each or something. So this would have an encoder in it which then sends the signals down uh, to here, and then, uh, the microcontroller inside the actual lock. Part of it will, uh, decode. Um, you know, how many times you spin it this way, how many times you spin it that way, and I would assume it's going to display a two digit number on there.
It wouldn't be any more than that, It wouldn't be any less. So, a two digit number. So that has the same look and feel as a Tumblr lock. So this is really cool, but it looks like check out down here.
somebody. somebody's had fun. Holy Toledo, somebody had fun. They've obviously attempted to drill into this thing um to get it open? So is.
Did this come from like a uh, an attempted cracked um safe or something like that because if you don't know, any decent safe will actually have Not only the safe door sits in between here and it could be you know, huge, hardened uh steel safe door. or you know, a vault door or something like that. That's why it's so wide. it can have like a really thick uh door like this. um but they'll often have, uh, like manganese is often not used as like an anti-drill plate on here. I don't think this would actually have actually be like a manganese steel anti-drill type thing. Obviously somebody's able to drill into this thing, but you can integrate those into our space. They'll have like an anti-drill plate that actually dulls the drill bits as you try and uh, drill through them.
And the safe or vault doors often are. They won't be like large solid steel. They'll have a, you know, a decent amount of steel in that might be, you know, 10 15 millimeters worth or something like that. But inside, they'll often, uh, contain like dulling, uh compounds in there like a material that actually, um, dulls your drill bit if you try and actually drill through because if you try one of the attack methods for says is to actually drill through it like you know you could rip this thing off the front.
you can pry it off, but then you can actually drill through the door. and if you drill through in the right location, here is the can we pull that out? Yeah, here's the locking bolt that comes out. If you drill through in the right location, you can actually get through and either you know, did all the mechanism in there that holds his bolt in place and actually retract it, pull it and retract it back and that's how you would uh get in via a drill attack method And another attack method might be uh to try and like feed in like you know, high voltage into here to try and uh back power the electronics in here and then open the uh solenoid that way because this has an electronic uh solenoid in it and if you apply power to the solenoid, boom the latch comes out or goes back in. Uh so yeah, that's one of the other attack methods, but these kaaba uh locks, this is, you know, a really expensive, uh, probably high security, uh meets, You know, probably.
You know international security standards and stuff like that, so this would likely be very expensive. Certified. Probably incredibly difficult if not impossible to actually, um, hack? I don't know. Leave it in the comments if you know if this Carver X09 has actually, uh, been hacked.
So you know really. unless you know the combination or you can attack the door um so or the safe some other way you ain't getting in there. And one of the other methods are for getting into uh space would be magnet of course because the solenoid is operated magnetically so you know you get a big ass magnet like next to if you've got a real flimsy safe, door and stuff like you can maybe put a large magnet in the correct big neodymium magnet in the correct location and it can actually open the solenoid. But you know your high security uh, certified ones would not be uh, vulnerable to those sort of magnetic attacks either. So let's take this part and see what we've got. So this is the front spinnery thing. I don't know how you would enter the Uh numbers like this, so can you? Is that gonna, Is that gonna push? No, I think maybe you just uh, like you know, spin it until it gets to a number and then you wait and for a second and then you'd reverse direction. um and then you would reverse direction again and it knows which number it gets to um on the Uh display here and then this thing like will just continually spin forever and the micro controller in here would do the decoding and display your number on here for the user as they enter.
so you know it just simulates the look and feel. But anyway, so that is interface to there if we crack this open. So if we get all this off, that comes off so that's just uh designed to go into the shaft and that just goes into the top there. Very nice.
It's got a seal around there, weatherproof rubber, baby buggy bumper seal on there, that's nice. and then inside here here's your uh interface so that would be your encoder to actually, uh, encode that and uh, it looks like it just goes into yeah, a zebra interface down here, zebra strip and that's just an elastomeric connector like this and that. just um interfaces. So they've gone to a lot of effort in there to sort of like interface the rotary encoder here with that.
And then we've got a couple of other ribbons here which go into this little board. There's no electronics in there, that's just a uh interface. Oh, we can take the yep and take the whole lot off. Up here will be our display.
Ah yep, that comes out like that. And there you go. Yep, that's right, that's just an Lcd, so I'll have to put up the uh, the I'm assuming I can get a manual for this thing and uh yeah, it'll um, have the indicator of what's on here. But I reckon it's going to be a two-digit display to simulate the look and feel of an old traditional Tumblr jobby.
So as you can see, there's no electronics in there at all because you don't want any attack methods into the lock. by having the electronics on this side. it's just the rotor encoder here and the Lcd that gets the feedback so you know it's not like you can like override. You know you can tap into the Lcd pins and then try and get into the micro uh controller that way.
Although I guess in theory that might be possible for a power line attack or something like that, perhaps. But I got to think that you know a big reputable certified brand like Archaba would have, uh, you know, thought of that sort of thing. But anyway, in theory, uh, like a maybe like a power line attack might be uh possible as well because you've got these access to these ribbon cables. but all you've got to do is like filter on the other side and bob's your uncle. so if we open this up, you can see what's in there. We've got ourselves a shaft here which comes through and this piece just fell out and it looks like that goes into the inside right in there that looks like it's sheared off there. so that would be part of the uh bolt that comes out there. So this would be uh, looks like your little motor solenoidy thing that just moves this arm up here which then moves your plate out like that and then that's what.
uh, locks your door of course. So all of your strength is in this bolt here. But of course, if you look inside a safe, you're like a large safe. You'll see that this then pushes on.
um other big armatures which then might have you know, three or four big bolts. Huge big, you know, 30 millimeter diameter job is that then go into the side of the safe. So this just like pushes on. Uh, you know, a big mechanical arm inside here.
I'll see if I can get a photo and uh, put one up. So this might you know on a small safe this might be. uh, this here might be the only mechanical thing that you know prevents the safe, uh, from opening, but this can, actually, um, be extended out into uh, larger things. Uh, depending on how you want the installation, um, in whatever size, safe, or vault door, or whatever you're doing.
And here's the Pcb and you'll note from the shiny shiny that's all potted, completely potted for, uh, moisture ingress. Then we've got this thing here which presses in. And I originally thought that this might have been like, you know, if you press the front of this, this is how you enter a number and then that presses on that. But it's not because the shaft actually goes in here like this.
So yeah, that looks like it goes down into there somewhere so I'm not sure I don't know, Is that an anti-tamper um, thing or not. I'm not sure whether or not that has something to do with sensing whether or not this is open, but it doesn't seem to be right. Anyway, I won't go into uh, the full details there, but anyway, we've got ourselves a supercap and of course, one thing you might be wondering here is how they actually power this thing. Um, there is no internal battery and that's what the supercap's for.
You might think of the supercaps for holding the uh combination when it loses power, but no. um, the combination is stored in a secure E-squared uh, problem here. That'd be the micro there. I'm not sure what that other, uh, chippy up there is, don't know.
But anyway, it doesn't matter. So what I think happens here is I have to confirm this with the manual or whack it up. Um, but it has to be right. You know, by deduction, Um, this thing actually.
this encoder here of course generates a uh voltage. You know it could be like a quadrature output or something. Um, but then that can be used. You can actually rectify that and build the charge up on the cap. And that's why I think they've got this reduction gear mechanism in here so it spins this faster and then you can use that. you can rectify that and then store it in the capacitor. So what I reckon happens is that you, you know, spin this a couple of times to build up enough power to turn the lock on. So when you walk up to the door and it's been de-powered for a while, you won't see anything on the Lcd, but you spin it a few times and I reckon that builds up enough charge in here.
You know, for a minute of operation or whatever. and then as you, um, you know, spin the dial to enter the combination. it puts even more and more charge in there. and then that's enough charge to operate the micro controller.
And also, it's got to operate the uh, the solenoid motor thing down here which then deactivates that. So yeah, you can. You know you have to get a decent amount of energy out of that to power it. but this thing is not externally battery powered anyway.
I won't go through and uh, look at the details on that board. but uh, suffice it to say this would almost be certainly be uh, certified to a standard and you probably can't change the firmware at all. Once you, uh, you know, certify this uh thing with the certification authority. um, they would you know you can't change the firmware or anything.
Um, if you wanted to do that, you probably have to re, uh, certify uh the thing. But yeah. anyway, there's the pin interface which then goes down to the pins down here which goes through those ribbon cables going over to oh, the front end. and I was going to say they have multiple ones for a redundancy but it doesn't look like it.
That's a five pin jobby, that's a four pin jobby and then another couple of pins, then going another four or five going over to your, uh, encoder, um on the front. and I'm trying to get Medieval on its ass here. but it's like you can see it's all gunked inside there. I'm trying to get this out.
so sorry to all you Carver aficionados, this is probably sacrilege. but yeah, um, I don't think I like my chances of getting that out intact. Oh goodness. gonna need a bigger boat.
Yeah, here we go. I think I think I got it. Oh look at that. Oh wow.
Oh, there's all the stuff on the bottom as well. Wow, that's interesting. Uh, what were these two pins down here? I'm not sure what they went to and yes, uh, we have voided the, uh, avoided the warranty on this. Yeah, there's a it's a little two-pin interface down there.
Does that? actually? Could that be a battery interface? Maybe I'm wrong about it being self-powered But yeah. anyway. there's the back of the board. Still can't really figure out what that does.
Doesn't does it do anything? Not sure that does anything at all. Um, that just might be part of the mechanical that might be just required for the mechanical interface. And the board just got in the way. so they had to put a hole through it. Um, yeah, not entirely sure. But anyway, there is a lot of stuff in there. isn't there for one of these electronic locks. So yeah, they're quite complicated.
and uh, yes, they're designed to be not hackable, but maybe in theory as a way to get through them. Oh no. Look at that. The pot in the potting ripped off those poor sot 23 jobbies.
Oh no. ripped off some of the board as well. I thought for a second that there was another board embedded in that pot in. but there's not.
Well, there kind of is. Partially, but it was part of this top board. It just. it just ripped off a whole bunch of the components.
Yeah, you can see why that has that, uh, exposed copper there and half the slot 23s are missing. Nice. And there was another little la coggy thing which goes down in there somewhere. I'm not absolutely sure of that.
But there you go. That is a uh Kaba X09 high security electronic lock for safes, vault doors. um, even regular. You know, doors in a high security installation or something like that.
and this puppy wouldn't be uh, cheap. I see if I can find a uh price on this, but uh, you're not gonna get any change for many, many hundreds of dollars. Let me tell you, someone's had a hairy hacker at this? one. Um, unfortunately, we didn't get a note with it.
So uh, we don't know the uh, history of this, but thank you very much for sending that in. I've got uh, real interest in electronic, uh, safe locks and these are fascinating things and there's a lot of engineering effort and certification and testing and standards and stuff that go into these electronic locks to ensure that they aren't um, you know, hackable. That's why there's no electronics on the door. um, side of things over here with the knob, that's just the uh encoder and the Lcd? uh, feedback, uh, display.
And yeah, I'm not sure like you'd be able to, um, put any like high energy high voltage pulses into this and then back feed the solenoid in here, which opens this sort of thing. They would have been, you know, thoroughly, uh, tested and certified. uh for those sorts of attacks. Of course, you're cheap.
no name one hung low brand electronic locks. Yeah, they're not going to be built uh to the same standard. this is this one. but uh yeah, I'm sure this is why you pay a pretty penny for it.
Um, and it doesn't look like a new design either. Aha, there you go. Scraped off the potting that's an 85 66 Phillips. Um.
Lcd driver. Hard to get the numbers at the right angle and this is a Phillips Micro. There you go. There you go.
p Something or other 87c something I can't read on my cams call to screen. But yeah, that's the micro and that's where the code is stored in this thing. I don't see a secure E-squared prom externally, now it's just internal to the micro. But of course the whole idea is that you don't have access to this electronics because it's inside the safe. It's on the other side of that vault. Um, and unless you can like, uh, drill through and probe it or you know, in theory, like do a power line attack over the Lcd cable or something like that, then um, yeah, but it's you. Know, it's not hard to, you know, design out those attack scenarios if you're aware of them. I'm sure Kaaba are because they know what they're doing.
They're a big name in the business, so there you go. That is a fascinating hope you enjoyed that uh, look inside these high security electronic safe locks as much as I did. And if you did, give it a big thumbs up. And as always, discuss down below, catch you next time.
The only problem I see with this mechanism is you could possibly brute force the combo a lot like an automatic safe dialer if you knew the what data protocol the system uses. And it would probably go a lot faster as well due to you not having to use a stepper motor to spin the dial.
This was just pure comedy; ๐๐๐๐ค Trying to do a video on a security device and at the same time not trying to give too much away.. Favourite bits: " hmmm, eeeh, eeeh… not really sure, i think, em the thingy goes here and em, em no codes stored."….etc etc..๐คฃlolzzzz…PS, a little heads up, if you trying to keep things on the hush hush, you might want to keep the alan key nut on the lock dial away from camera shot…then it wont matter what thickness door was between that dial and bolt….did someone mention iron ox……..๐๐๐๐๐๐
OMG
LOL the profit margin on that thing. I am in the wrong business.
"Philips microcontroller 87C something"……..likely 80C51 based, thus tried, tested and well proven 8-bit micro.
Back two pins is for when user opens vault and has to reset all PW or add more pw+user.
It takes like 2hrs (if you are dead on precise) to drill the kabamas open. No criminal has that time. Most likely, the users forgot the password or failed so many times it died permanently. Needing a drill out to place a whole new one.
I use to work with the newest kabamas. Those things are top notch security.
I would place a board in the knob that transmits "Fuck you" to those who try EMI based attacks when decoded.
Never say it can't be defeated, Dave. There is a lockmaster born, every minute, I would guess.
If the lock hasnโt been unlocked in a while (or is getting old) you have to spin the dial back and forth quickly until a little lightning bolt appears on the screen to show that itโs recharged
I would like to see the lock picking lawyer take on one of these.
Every classified room or safe Iโve ever been in uses X-09 locks
We have KABA locks on the trains where I work. They're simple keyswitches, nowhere near as big and fancy as these X-09 ones.
to me whats even more interesting,
is that this shows pretty much the exact way and bit placement to destructively open the lock,
they drilled the handle pin, drilled out access to the setscrews and then drilled exactly tho the latch to free the bolt, then they may have drilled a second time into the bolt area to push the bolt open.
of course there would have been a door of plate steel in the way between the inside and outside, so probably a bunch of carbine bits were involved i guess.
My understanding is that this model is not allowed in high security areas anymore.
The 2 pins are for changing the combination. The button is to unlock it from the inside, when installed on a door. They can be set up for 2 combination, supervisor mode (1 code 1/2 unlocks it so the user code can open it), or single combination.
Surprised that super cap has enough skook to drive a solenoid after a few cranks of the dial. I wouldโve thought thatโd take a few hundred turns to charge up from the dial.
That pin is an anti-tamper mechanism that prevents opening the back of the lock without tampering.
"The Lock On Back Cover (LOBC) feature provides a locking mechanism that locks the back
cover in place after installation. The design is such that the back cover cannot be removed
without visible damage unless the combination is known, regardless of whether the lock is
locked or unlocked"
The two pin connector is used when you change the combination. There's a special tool you get with the lock that lets you do that The combination on these style locks usually get changed frequently.
You think they could have put all the gizmos in the rear bit with just the display up front to improve security
I think the 2 pins are to download the access log.
I wonder if the UI relies on change of direction (edit: of the knob) to know the selected number. Mechanical combination locks that I've seen have to spin in reverse to specify the next number. Plus, it generates that much more power for that super cap.
Yes, spinning the knob will generate power for the lock and will start with a new random (number) position each time it powers on. If you spin it too fast, it will lock you out even if you enter the combo correctly. If you enter too many incorrect combos, it will make you wait to try again. These features are designed to prevent automated attacks such as a robot.
@eevblog you are correct. Knob act as power generator and user interface. First rotate the knob to generate some change. Then display comes up with a number. This number should be the key for generating the one time pin. Usually the user will inform the number displayed to call center and get the pin and enter the pin using the knob
Would have liked more detailed dive into the board, thanks anyway Dave!
Whoever's reading this, i pray that whatever you're going through gets better and whatever you're struggling with or worrying about is going to be fine and that everyone has a fantastic day! Amen