(*) Level Lock Touch

Tap it again on the lock in such a way as to trigger the unlock - then re-scan and upload again. It could be a counter? I’ve checked and block 0 doesn’t match any standard CRC.
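Added example, not part of any post in this thread: one way to test the counter and CRC guesses against two scans of the same tag taken before and after an unlock. It assumes each dump is a list of 4-byte blocks and that a checksum, if there is one, would be computed over the tag UID; the function names and sample bytes are constructed for illustration.

```python
import binascii
import zlib

def changed_blocks(before, after):
    """Map block index -> (old, new) for every block that differs between two dumps."""
    return {i: (b, a) for i, (b, a) in enumerate(zip(before, after)) if b != a}

def counter_step(old, new, max_step=16):
    """Return (byte_order, delta) if the block moved by a small integer step, else None."""
    for order in ("little", "big"):
        delta = int.from_bytes(new, order) - int.from_bytes(old, order)
        if 0 < abs(delta) <= max_step:
            return order, delta
    return None

def checksum_matches(uid, block0):
    """Names of common checksums of the UID whose bytes appear inside block 0."""
    crc16 = binascii.crc_hqx(uid, 0xFFFF)   # CRC-16/CCITT-FALSE
    crc32 = zlib.crc32(uid)                 # CRC-32 (ISO-HDLC)
    candidates = {
        "crc16-ccitt-be": crc16.to_bytes(2, "big"),
        "crc16-ccitt-le": crc16.to_bytes(2, "little"),
        "crc32-be": crc32.to_bytes(4, "big"),
        "crc32-le": crc32.to_bytes(4, "little"),
    }
    return [name for name, value in candidates.items() if value in block0]

def analyse(uid, before, after):
    """Summarise what changed between two scans and which hypothesis each change fits."""
    report = {"checksum": checksum_matches(uid, after[0]), "changes": {}}
    for index, (old, new) in changed_blocks(before, after).items():
        step = counter_step(old, new)
        report["changes"][index] = "counter %s %+d" % step if step else "rewritten"
    return report

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread's scans.
    uid = bytes.fromhex("e002000011223344")
    before = [bytes.fromhex(h) for h in ("a1b2c3d4", "00000000", "00000005")]
    after = [bytes.fromhex(h) for h in ("a1b2c3d4", "00000000", "00000006")]
    print(analyse(uid, before, after))
```

An empty `changes` map across several unlocks argues against a counter stored on the tag, and an empty `checksum` list only rules out the two CRC families tried here.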

Yeah, taginfo both please.

Added card after using it to unlock:

not added card:

Interesting. I’m guessing the Spark doesn’t work because the NDEF isn’t writeable…

Unfortunate, as I suspect it won’t work with any of our Spark line.

My current guess of the mode of operation is, in short:
Enrolled tags get the lock ID written to block zero.
The app uses the lock as a reader over Bluetooth and does some online validation of tag UID and lock ID and defaults to no-go if it can’t access.

There’s absolutely no actual cryptography undertaken by the phone, chip or reader. The tag is just a block storage device with a 15693 interface.

What you could test is to get a hold of LRi2K chips and try to enroll them. They might do factory enrolment but I doubt it.

If you can point me to where to order one, I’ll do it. Or if I can make my Proxmark easily emulate one… :man_shrugging:

Unfortunately the only place I found was a guy selling hacked ICODE SLIX chips with changeable UID on Aliexpress… which I ordered. Has Iceman in the doco, some kind of lua script he wrote?

1 Like

Hmm… If I have time I may dive down the Iceman rabbit hole. But it’s more likely it will be up to someone else… Again, I’m sure we can all play round robin with the gizmo :rofl: Thanks, again, for taking the time to poke around!

I suspect that it’ll be any standard ISO15693 EEPROM style chip that can be enrolled. Unfortunately I don’t know enough on the Proxmark side to emulate one but I think it can be done?

Well, maybe it’s less important to reverse engineer the authentication system than it is the hardware–assuming the unreliability can be sorted. I trust in Amal–and by extension all of you fine folks.

It looks like this supplier is able to provide these ST chips with changeable UIDs even. Would be an awfully fun experiment to break the lock security. I’m currently in negotiations to buy some with my SLIX clones.

1 Like

Well, I’m going to ship mine to @Zwack for physical testing… Maybe he could be convinced to send it your way after?

1 Like

Unfortunately I’m a world away (Australia), but I can ensure Amal gets at least one of these ST 2k chips and can ship it to someone if desired.

Edit: if you order the SLIX white cards on that link and note “ST 2k please” they will send you ST 2K UID change cards

2 Likes

Tempting but I will be unreachable by mail for 2-6 months soon. I guess we’ll see if someone volunteers to take up the challenge?

1 Like

I can ship it to Australia, but it will take a bit longer to get there. Or I can send it back to @tac0s or whatever is needed.

1 Like

As soon as it enters the mailbox, it’s property of the Dangerous Things community so far as I’m concerned. I trust you all to sort out the best home/use for it.

2 Likes

No, if you want to put it on a right hand door it works just as well. The lock comes in three main pieces (excluding the strike box).

The external plate/cylinder, the internal knob and the bolt itself. Even though the bolt is motorised it doesn’t care which side is the inside and which the outside. Once the bolt has been inserted into the door the outside piece is attached, and then the inside piece.

2 Likes

I tried a few other ISO 15693 tags for shits and giggles… SLI and SLIX 2 both throw the same error as scanning a Spark 1 or Vivokey Dev card but the SLIX tags give the same “card not found” as the Level card that I didn’t add. :man_shrugging:

I wonder if they’re checking NXP config and identify flags?

1 Like

Well, the lock arrived in Oregon today and I have already taken it apart and I am not all that impressed. The cylinder is set up for 5 pins, and unlike most Schlage style cylinders cannot have a sixth pin added.

Worse, all of the pins are standard pins, no spools, serrated or mushroom pins at all.

I was not impressed with the bitting either, but that is presumably random, so you could get good or bad.

Once I have run some errands I will put it back together and try to pick or rake it.

1 Like

Well, I got home, put the lock back together (I haven’t improved the security on it, if @tac0s wants it back I will put security pins in before sending it back), and spent an enjoyable time picking it…

I am not the most skillful lockpicker, certainly not up to LPL standards, but it took no more than 15 minutes for me to reassemble the lock and pick it.

For physical security I would class this as about as low as you can get for a deadbolt. It is not as secure as the “advantage” brand, class 2 deadbolt (SC4, so same key way but six pins) that I bought a couple of weeks ago for $25 (plus shipping).

I have measured the battery compartment in the bolt, and while I am not going to perform any destructive testing to this lock, I am concerned that with the bolt extended the end of the battery is exactly at the lock end of the bolt. This means that cutting through the bolt on a locked door would only require you to cut through the tube of the bolt itself and not the battery. While the tube seems pretty strong I can’t imagine it will take as long to cut through as a more substantial bolt.

2 Likes