Extended version of the Mailbag 1483 teardown of the Kaba Mas X-09 High Security Electronic Lock Teardown
Support the EEVblog on:
Patreon: http://www.patreon.com/eevblog
Odysee: https://odysee.com/ @eevblog:7
Web Site: http://www.eevblog.com
EEVblog2: http://www.youtube.com/EEVblog2
EEVdiscover: https://www.youtube.com/eevdiscover
AliExpress Affiliate: http://s.click.aliexpress.com/e/c2LRpe8g
Buy anything through that link and Dave gets a commission at no cost to you.
Donate With Bitcoin & Other Crypto Currencies!
https://www.eevblog.com/crypto-currency/
T-Shirts: http://teespring.com/stores/eevblog
#ElectronicsCreators #Teardown #lock

What is? I guess we're going to take this top thing apart and figure out what this sensor is. Um, but like there's no Ca. Oh yeah, no no no. it's going to say there's no cables going to it.

There's a little ribbon going down there. so I huh aha. I thought the name Kaaba rung a bell? Yes, Carver actually? uh, manufacture. Um, high security electronic locks.

Um for safes and other, you know, vault doors and other high security installations and stuff like that. And that's what we've got here. This is not a stepper motor. This is a this is the back part of this safe lock.

so that goes inside the safe. the part you want to, uh, secure and outside. Here you have what looks and feels like your traditional safe tumbler. So this carber X09, which I believe this one is and probably the X10 is probably the same and this is designed to simulate the look and feel the user interface of a Tumblr lock, but actually make it instead of having a mechanical uh lock on the back.

You know you spin it. You know, four times this way to the right number and then you spin it three times in the other direction to the right number and then two. and then one and that will open the uh, your traditional uh tumbler lock. Safe lock.

Well, this one simulates that, but with an electronic interface and I was um, thinking, well, where where are the numbers you know. I usually have like 0 to 99 around here and like an arrow so you know exactly where you turn it to. Well, this up here looks like it's actually an Lcd, so it looks like it would actually display the number and this would be mounted on the front of the door. Of course.

either safe door or other uh door it's mounted in like this. All you've got between them is a couple of ribbon cables like this because, um, this won't have any active electronics in it because in a high security electronic lock? Uh, you want to minimize the Um attack methods and I've done a whole video on electronic safe locks and uh, trying to actually do a side channel attack on them. So it looks like there's actually two. So I know three.

There's three ribbon cables inside this, just tiny little a couple, only a couple of, uh, three, or four uh pins each or something. So this would have an encoder in it which then sends the signals down uh, to here, and then, uh, the microcontroller inside the actual lock. Part of it will, uh, decode. Um, you know, how many times you spin it this way, how many times you spin it that way, and I would assume it's going to display a two digit number on there.

It wouldn't be any more than that, It wouldn't be any less. So, a two digit number. So that has the same look and feel as a Tumblr lock. So this is really cool, but it looks like check out down here.

somebody. somebody's had fun. Holy Toledo, somebody had fun. They've obviously attempted to drill into this thing um to get it open? So is.

Did this come from like a uh, an attempted cracked um safe or something like that because if you don't know, any decent safe will actually have Not only the safe door sits in between here and it could be you know, huge, hardened uh steel safe door. or you know, a vault door or something like that. That's why it's so wide. it can have like a really thick uh door like this.
um but they'll often have, uh, like manganese is often not used as like an anti-drill plate on here. I don't think this would actually have actually be like a manganese steel anti-drill type thing. Obviously somebody's able to drill into this thing, but you can integrate those into our space. They'll have like an anti-drill plate that actually dulls the drill bits as you try and uh, drill through them.

And the safe or vault doors often are. They won't be like large solid steel. They'll have a, you know, a decent amount of steel in that might be, you know, 10 15 millimeters worth or something like that. But inside, they'll often, uh, contain like dulling, uh compounds in there like a material that actually, um, dulls your drill bit if you try and actually drill through because if you try one of the attack methods for says is to actually drill through it like you know you could rip this thing off the front.

you can pry it off, but then you can actually drill through the door. and if you drill through in the right location, here is the can we pull that out? Yeah, here's the locking bolt that comes out. If you drill through in the right location, you can actually get through and either you know, did all the mechanism in there that holds his bolt in place and actually retract it, pull it and retract it back and that's how you would uh get in via a drill attack method And another attack method might be uh to try and like feed in like you know, high voltage into here to try and uh back power the electronics in here and then open the uh solenoid that way because this has an electronic uh solenoid in it and if you apply power to the solenoid, boom the latch comes out or goes back in. Uh so yeah, that's one of the other attack methods, but these kaaba uh locks, this is, you know, a really expensive, uh, probably high security, uh meets, You know, probably.

You know international security standards and stuff like that, so this would likely be very expensive. Certified. Probably incredibly difficult if not impossible to actually, um, hack? I don't know. Leave it in the comments if you know if this Carver X09 has actually, uh, been hacked.

So you know really. unless you know the combination or you can attack the door um so or the safe some other way you ain't getting in there. And one of the other methods are for getting into uh space would be magnet of course because the solenoid is operated magnetically so you know you get a big ass magnet like next to if you've got a real flimsy safe, door and stuff like you can maybe put a large magnet in the correct big neodymium magnet in the correct location and it can actually open the solenoid. But you know your high security uh, certified ones would not be uh, vulnerable to those sort of magnetic attacks either.
So let's take this part and see what we've got. So this is the front spinnery thing. I don't know how you would enter the Uh numbers like this, so can you? Is that gonna, Is that gonna push? No, I think maybe you just uh, like you know, spin it until it gets to a number and then you wait and for a second and then you'd reverse direction. um and then you would reverse direction again and it knows which number it gets to um on the Uh display here and then this thing like will just continually spin forever and the micro controller in here would do the decoding and display your number on here for the user as they enter.

so you know it just simulates the look and feel. But anyway, so that is interface to there if we crack this open. So if we get all this off, that comes off so that's just uh designed to go into the shaft and that just goes into the top there. Very nice.

It's got a seal around there, weatherproof rubber, baby buggy bumper seal on there, that's nice. and then inside here here's your uh interface so that would be your encoder to actually, uh, encode that and uh, it looks like it just goes into yeah, a zebra interface down here, zebra strip and that's just an elastomeric connector like this and that. just um interfaces. So they've gone to a lot of effort in there to sort of like interface the rotary encoder here with that.

And then we've got a couple of other ribbons here which go into this little board. There's no electronics in there, that's just a uh interface. Oh, we can take the yep and take the whole lot off. Up here will be our display.

Ah yep, that comes out like that. And there you go. Yep, that's right, that's just an Lcd, so I'll have to put up the uh, the I'm assuming I can get a manual for this thing and uh yeah, it'll um, have the indicator of what's on here. But I reckon it's going to be a two-digit display to simulate the look and feel of an old traditional Tumblr jobby.

So as you can see, there's no electronics in there at all because you don't want any attack methods into the lock. by having the electronics on this side. it's just the rotor encoder here and the Lcd that gets the feedback so you know it's not like you can like override. You know you can tap into the Lcd pins and then try and get into the micro uh controller that way.

Although I guess in theory that might be possible for a power line attack or something like that, perhaps. But I got to think that you know a big reputable certified brand like Archaba would have, uh, you know, thought of that sort of thing. But anyway, in theory, uh, like a maybe like a power line attack might be uh possible as well because you've got these access to these ribbon cables. but all you've got to do is like filter on the other side and bob's your uncle.
so if we open this up, you can see what's in there. We've got ourselves a shaft here which comes through and this piece just fell out and it looks like that goes into the inside right in there that looks like it's sheared off there. so that would be part of the uh bolt that comes out there. So this would be uh, looks like your little motor solenoidy thing that just moves this arm up here which then moves your plate out like that and then that's what.

uh, locks your door of course. So all of your strength is in this bolt here. But of course, if you look inside a safe, you're like a large safe. You'll see that this then pushes on.

um other big armatures which then might have you know, three or four big bolts. Huge big, you know, 30 millimeter diameter job is that then go into the side of the safe. So this just like pushes on. Uh, you know, a big mechanical arm inside here.

I'll see if I can get a photo and uh, put one up. So this might you know on a small safe this might be. uh, this here might be the only mechanical thing that you know prevents the safe, uh, from opening, but this can, actually, um, be extended out into uh, larger things. Uh, depending on how you want the installation, um, in whatever size, safe, or vault door, or whatever you're doing.

And here's the Pcb and you'll note from the shiny shiny that's all potted, completely potted for, uh, moisture ingress. Then we've got this thing here which presses in. And I originally thought that this might have been like, you know, if you press the front of this, this is how you enter a number and then that presses on that. But it's not because the shaft actually goes in here like this.

So yeah, that looks like it goes down into there somewhere so I'm not sure I don't know, Is that an anti-tamper um, thing or not. I'm not sure whether or not that has something to do with sensing whether or not this is open, but it doesn't seem to be right. Anyway, I won't go into uh, the full details there, but anyway, we've got ourselves a supercap and of course, one thing you might be wondering here is how they actually power this thing. Um, there is no internal battery and that's what the supercap's for.

You might think of the supercaps for holding the uh combination when it loses power, but no. um, the combination is stored in a secure E-squared uh, problem here. That'd be the micro there. I'm not sure what that other, uh, chippy up there is, don't know.

But anyway, it doesn't matter. So what I think happens here is I have to confirm this with the manual or whack it up. Um, but it has to be right. You know, by deduction, Um, this thing actually.

this encoder here of course generates a uh voltage. You know it could be like a quadrature output or something. Um, but then that can be used. You can actually rectify that and build the charge up on the cap.
And that's why I think they've got this reduction gear mechanism in here so it spins this faster and then you can use that. you can rectify that and then store it in the capacitor. So what I reckon happens is that you, you know, spin this a couple of times to build up enough power to turn the lock on. So when you walk up to the door and it's been de-powered for a while, you won't see anything on the Lcd, but you spin it a few times and I reckon that builds up enough charge in here.

You know, for a minute of operation or whatever. and then as you, um, you know, spin the dial to enter the combination. it puts even more and more charge in there. and then that's enough charge to operate the micro controller.

And also, it's got to operate the uh, the solenoid motor thing down here which then deactivates that. So yeah, you can. You know you have to get a decent amount of energy out of that to power it. but this thing is not externally battery powered anyway.

I won't go through and uh, look at the details on that board. but uh, suffice it to say this would almost be certainly be uh, certified to a standard and you probably can't change the firmware at all. Once you, uh, you know, certify this uh thing with the certification authority. um, they would you know you can't change the firmware or anything.

Um, if you wanted to do that, you probably have to re, uh, certify uh the thing. But yeah. anyway, there's the pin interface which then goes down to the pins down here which goes through those ribbon cables going over to oh, the front end. and I was going to say they have multiple ones for a redundancy but it doesn't look like it.

That's a five pin jobby, that's a four pin jobby and then another couple of pins, then going another four or five going over to your, uh, encoder, um on the front. and I'm trying to get Medieval on its ass here. but it's like you can see it's all gunked inside there. I'm trying to get this out.

so sorry to all you Carver aficionados, this is probably sacrilege. but yeah, um, I don't think I like my chances of getting that out intact. Oh goodness. gonna need a bigger boat.

Yeah, here we go. I think I think I got it. Oh look at that. Oh wow.

Oh, there's all the stuff on the bottom as well. Wow, that's interesting. Uh, what were these two pins down here? I'm not sure what they went to and yes, uh, we have voided the, uh, avoided the warranty on this. Yeah, there's a it's a little two-pin interface down there.

Does that? actually? Could that be a battery interface? Maybe I'm wrong about it being self-powered But yeah. anyway. there's the back of the board. Still can't really figure out what that does.

Doesn't does it do anything? Not sure that does anything at all. Um, that just might be part of the mechanical that might be just required for the mechanical interface. And the board just got in the way. so they had to put a hole through it.
Um, yeah, not entirely sure. But anyway, there is a lot of stuff in there. isn't there for one of these electronic locks. So yeah, they're quite complicated.

and uh, yes, they're designed to be not hackable, but maybe in theory as a way to get through them. Oh no. Look at that. The pot in the potting ripped off those poor sot 23 jobbies.

Oh no. ripped off some of the board as well. I thought for a second that there was another board embedded in that pot in. but there's not.

Well, there kind of is. Partially, but it was part of this top board. It just. it just ripped off a whole bunch of the components.

Yeah, you can see why that has that, uh, exposed copper there and half the slot 23s are missing. Nice. And there was another little la coggy thing which goes down in there somewhere. I'm not absolutely sure of that.

But there you go. That is a uh Kaba X09 high security electronic lock for safes, vault doors. um, even regular. You know, doors in a high security installation or something like that.

and this puppy wouldn't be uh, cheap. I see if I can find a uh price on this, but uh, you're not gonna get any change for many, many hundreds of dollars. Let me tell you, someone's had a hairy hacker at this? one. Um, unfortunately, we didn't get a note with it.

So uh, we don't know the uh, history of this, but thank you very much for sending that in. I've got uh, real interest in electronic, uh, safe locks and these are fascinating things and there's a lot of engineering effort and certification and testing and standards and stuff that go into these electronic locks to ensure that they aren't um, you know, hackable. That's why there's no electronics on the door. um, side of things over here with the knob, that's just the uh encoder and the Lcd? uh, feedback, uh, display.

And yeah, I'm not sure like you'd be able to, um, put any like high energy high voltage pulses into this and then back feed the solenoid in here, which opens this sort of thing. They would have been, you know, thoroughly, uh, tested and certified. uh for those sorts of attacks. Of course, you're cheap.

no name one hung low brand electronic locks. Yeah, they're not going to be built uh to the same standard. this is this one. but uh yeah, I'm sure this is why you pay a pretty penny for it.

Um, and it doesn't look like a new design either. Aha, there you go. Scraped off the potting that's an 85 66 Phillips. Um.

Lcd driver. Hard to get the numbers at the right angle and this is a Phillips Micro. There you go. There you go.

p Something or other 87c something I can't read on my cams call to screen. But yeah, that's the micro and that's where the code is stored in this thing. I don't see a secure E-squared prom externally, now it's just internal to the micro. But of course the whole idea is that you don't have access to this electronics because it's inside the safe.
It's on the other side of that vault. Um, and unless you can like, uh, drill through and probe it or you know, in theory, like do a power line attack over the Lcd cable or something like that, then um, yeah, but it's you. Know, it's not hard to, you know, design out those attack scenarios if you're aware of them. I'm sure Kaaba are because they know what they're doing.

They're a big name in the business, so there you go. That is a fascinating hope you enjoyed that uh, look inside these high security electronic safe locks as much as I did. And if you did, give it a big thumbs up. And as always, discuss down below, catch you next time.


Avatar photo

By YTB

26 thoughts on “Eevblog 1484 – kaba mas x-09 high security electronic lock teardown”
  1. Avataaar/Circle Created with python_avatars Hola! walter park says:

    Hoping you amd yours — and five million I’m Sydney— are Ok in this flooding. Seems to portend difficult, expensive futures coming soon in neighborhoods near all us.

    SYDNEY (AP) — More than 30,000 residents of Sydney and its surrounds were told to evacuate or prepare to abandon their homes Monday as Australia’s largest city faces its fourth, and possibly worst, round of flooding in less than a year and a half.

    Days of torrential rain caused dams to overflow and waterways to break their banks, bringing a new flood emergency to parts of the city of 5 million people.

    “The latest information we have is that there’s a very good chance that the flooding will be worse than any of the other three floods that those areas had in the last 18 months,” Emergency Management Minister Murray Watt said.

    The current flooding might affect areas that were spared during the previous floods in March last year, March this year and April, Watt added. and five million Sydney residents — are Ok. This does portend an annoying, expensive future coming soon to a neighborhood near all of us.

  2. Avataaar/Circle Created with python_avatars Steven Bliss says:

    I assume I am missing something, but there is WAY OVER THE TOP too much electronics in there!

  3. Avataaar/Circle Created with python_avatars Peter Sage says:

    I think most safes this would be used on would have a glass relocker; if the drill comes anywhere close to the locking bolt, the glass breaks and another mechanism engages the locking pins.

    It's a shame the locking bolt is broken; I'd love to see TheLockpickingLawyer have a go at this.

  4. Avataaar/Circle Created with python_avatars logmeindog says:

    I've been working on these X-0 locks for nearly 20 years now. Fascinating and well thought out for sure but quite simple once you've dealt with them for a bit. The X-09 you have is an earlier one and they had a common issue where the generator would crap out on them and no longer power up or generate enough power to actuate the unlocking catch paw. Kaba somehow avoided a recall and I'd wager what is what happened to your lock.

  5. Avataaar/Circle Created with python_avatars The Workey Project says:

    That has to be the most interesting lock, I have ever seen!

  6. Avataaar/Circle Created with python_avatars Ajit Gupta says:

    it would be fun if it generates a random number every turn. for example a normal good old lock goes like 1-2-3-4-… in a sequential fashion when you turn it, but it will be good if it shows random number every turn like 24-19-98-44-… and so on. it will potentially takes forever to get to the correct number for the combination and annoy the heck out of the user.

  7. Avataaar/Circle Created with python_avatars cpnscarlet says:

    These were used on doors. OMG I hated these! Worked in a closed facility for decades. There was a requirement to mount them a certain height above the floor and if you were short, you had to stand on your toes to see the unlit display. Also had a non-linear, random rate sensor so that you had to spin the dial at different speeds to get the same number rate of change – actually clever for defeating some cracking mechanism.

  8. Avataaar/Circle Created with python_avatars tx5brent says:

    These locks can be a bit painful. The screen can only be read from the perfect viewing angle (that's a feature), you need to spin the knob first to power it, but don't spin it too fast or you'll be locked out. They are great when you use them regularly, but if you're not that used to them they are tricky to use

  9. Avataaar/Circle Created with python_avatars Anamnesia says:

    Locksmiths are often hired to go on 'raids' to premises where investigations have been approved to take place. It's possible the damaged X-09 tumbler you received came from such a raid

  10. Avataaar/Circle Created with python_avatars Anamnesia says:

    The Two Pins are used to place the lock into Program mode, to program the combination. However, don’t got too excited, the Programming “tool” is just a plastic holder, with a bent piece of copper wire. It’s just a jumper to set the combination while the door is open. You remove the jumper “tool” when the combination has been programmed.

  11. Avataaar/Circle Created with python_avatars Hola! Obin Robinson says:

    Excellent video! These are very high quality locks.

  12. Avataaar/Circle Created with python_avatars Anamnesia says:

    Spinning the dial powers the device. Spinning Left to XX three times, Right to YY two times, then Left to ZZ one time, places the combination into 'Unlock' mode, then you rotate the tumbler Right until OP & you hear the 'Click'! Something along those lines. We have KABA X-10's at my work, but I don't use them much. The X-10 is the only SCEC Endorsed combination lock, suitable for "Protected" (or Negative Vetting level 1, or NV-1) security classification.

  13. Avataaar/Circle Created with python_avatars Anamnesia says:

    AUD$3,000 for the X-10

  14. Avataaar/Circle Created with python_avatars F!@#Guilt says:

    "this is, the lock picking lawyer, and I'm here today because i could smell this video before it actually got uploaded."

  15. Avataaar/Circle Created with python_avatars Christopher Guy says:

    These locks being self powered make them the choice for government equipment. The S & G electronic dial locks had a battery that needed changing. You got ample warning but if the battery went flat you'd need to drill it open.

  16. Avataaar/Circle Created with python_avatars The Teenage Engineer says:

    The only problem I see with this mechanism is you could possibly brute force the combo a lot like an automatic safe dialer if you knew the what data protocol the system uses. And it would probably go a lot faster as well due to you not having to use a stepper motor to spin the dial.

  17. Avataaar/Circle Created with python_avatars lyrical natty says:

    This was just pure comedy; 😂😂😂🤐 Trying to do a video on a security device and at the same time not trying to give too much away.. Favourite bits: " hmmm, eeeh, eeeh… not really sure, i think, em the thingy goes here and em, em no codes stored."….etc etc..🤣lolzzzz…PS, a little heads up, if you trying to keep things on the hush hush, you might want to keep the alan key nut on the lock dial away from camera shot…then it wont matter what thickness door was between that dial and bolt….did someone mention iron ox……..😜😜🎇😎😎😎

  18. Avataaar/Circle Created with python_avatars Private says:

    OMG

  19. Avataaar/Circle Created with python_avatars DGO says:

    LOL the profit margin on that thing. I am in the wrong business.

  20. Avataaar/Circle Created with python_avatars IanScottJohnston says:

    "Philips microcontroller 87C something"……..likely 80C51 based, thus tried, tested and well proven 8-bit micro.

  21. Avataaar/Circle Created with python_avatars Azure Hydra says:

    Back two pins is for when user opens vault and has to reset all PW or add more pw+user.

  22. Avataaar/Circle Created with python_avatars Azure Hydra says:

    It takes like 2hrs (if you are dead on precise) to drill the kabamas open. No criminal has that time. Most likely, the users forgot the password or failed so many times it died permanently. Needing a drill out to place a whole new one.

  23. Avataaar/Circle Created with python_avatars Azure Hydra says:

    I use to work with the newest kabamas. Those things are top notch security.

  24. Avataaar/Circle Created with python_avatars GeneralPurposeVehicl says:

    I would place a board in the knob that transmits "Fuck you" to those who try EMI based attacks when decoded.

  25. Avataaar/Circle Created with python_avatars Don Matejek says:

    Never say it can't be defeated, Dave. There is a lockmaster born, every minute, I would guess.

  26. Avataaar/Circle Created with python_avatars bob g says:

    to me whats even more interesting,
    is that this shows pretty much the exact way and bit placement to destructively open the lock,
    they drilled the handle pin, drilled out access to the setscrews and then drilled exactly tho the latch to free the bolt, then they may have drilled a second time into the bolt area to push the bolt open.

    of course there would have been a door of plate steel in the way between the inside and outside, so probably a bunch of carbine bits were involved i guess.

Leave a Reply

Your email address will not be published. Required fields are marked *