Modding a Door Lock

Apologies if this should be tagged for Support, I wasn’t sure where it should go. Right now I’ve got a NExT in my right hand and I have been eyeing adding LF functionality with the xEM ACv2 to my current room door lock, an RFID hotel-style keycard lock. The current entry card is a MIFARE Ultralight EV1, so cloning it to my NExT is a little out of the question. The lock in question can be found here in this video, as it’s a “Vingard Signature RFID” according to the website. However, the deeper I get into this project, the more unfeasible it is beginning to seem.

First off, the battery pack only has an output of 6V (see below) at most, so I don’t think it would be able to power the board with it, which would therefore mean I have to invest in an extension cord setup mounted to the door.

As for the actual wiring, it’s a little compact in there and I’m not totally certain what’s going on, despite the videos I’ve watched and their technical guide. I’d feel a little nervous going in there and rewiring with the connectors to the ACv2 board without knowing exactly what everything does. The only other point of entry would be the port on the front used at the end of the above installation video for programming it into the system, but I suspect it requires a specialized cord and access to the door lock server, which I don’t have.

The main reason I’m doing this is because the reader can’t sense my NExT with the case on and I have been unsuccessful in asking the system admins to put me on (granted, I’m a lot more informed now after watching all these system videos). So the next logical step would be to install a new reader for my LF, and we find ourselves here. At this point, I’m thinking the second best course of action would be to grab a flexMT and politely ask them to load whatever Mifare card I throw on there.

Finally, making this all the more difficult, I don’t think my landlord would be super chill with me replacing the entire lock so the goal is to make it very ~low-key~. Long rant over, but any help or advice would be greatly appreciated. Thanks!

Below you can find the photos for the batteries, back port connection, and front port:

So this lock uses MIFARE type cards? That is what it looks like in the specs of the lock. If this is the case, I would suggest just buying another lock, as I do not think simply changing the reader will work. What kind of reader/cloner are you using to program your implants? MIFARE will take something along the lines of a Proxmark to clone, as you will need to run a script to gain the hash tags to break the encryption to clone the card. I also do not think the T5577 can do MIFARE.

Look for a lock that is HID or EM41xx type.

For the LF side, I’ll be using the classic blue cloner and the HF side is handled by my phone. I’ve looked around but haven’t really seen a reason to buy a writer/reader for my HF side. As for breaking the encryption, I’ve tried before but have been unsuccessful with the cracking software.

I have had great success with MIFARE and Proxmark. But your implant will not work for MIFARE even if you did crack it. If you are using the blue cloner, get an HID lock; quick and simple.

I see three batteries × 1.5V, so 4.5 volts max.

The xAC V2 specs are 9-12V.

The xAC V1 specs are 9-15V. But, I got it to work as low as 4.3V when I was pushing the limits for a different issue.

I don’t think I’d recommend running it like that, but you could mount a larger 12V battery pack, then use a voltage regulator to drop the power down to 4.5V for the door lock.

Running the xAC continuously will run your batteries down. I did a project that ran into the same issues. Read through it and you’ll see a lot of ways were discussed for preventing constant power drain.

If you wanna try messing with the lock, then think of the xAC as just a simple switch. Once you get rid of the RFID, that’s all it really is. You could figure out your lock by just jumping two wires with a paperclip. That should let you figure out where you need to tap into it.

If I wanted to clone a Mifare to the NTAG216 NFC part of the NExT, are there any cheaper options than the Proxmark you can recommend?

Keep in mind I have never worked with the Chameleon but know people who really love it. So do some research, of course, but it looks like it can do what you are after for MIFARE. I know it runs the same scripts as the Proxmark.

Oh awesome, that’s good info to know. Granted, the extension cord method would solve the power drain method of the xAC board, but the 12V battery bank and regulator isn’t a bad idea either. I went through your project and I’m glad to see my fears of using the batteries to power everything were not unfounded. As for the messing around, I think I may just do that and disassemble it all to get a sense of what’s going on. I’ll just have to connect random ends on those Molex-style connectors and see what comes of it.

You can’t clone anything to the HF side of the NExT; it is what it is, an NTAG216.

A good alternative to your current plan may be to use an xAC with an electronic latch plate that would allow the door to swing open even if you locked the latch.

Just an FYI, you can’t clone Mifare to a NExT. Mifare Classics are cloneable, but you’d need an xM1. The HF part of the NExT isn’t cloneable.

First, I’d take a real hard look at it. Identify what the pieces of it do as much as you can. See if you can find the motor. Maybe the sensor it uses. Follow the traces on the board back to the wires. Try to get a sense of how it works. No need to hook obviously unrelated things together. There may not even be a simple way to do it. You’ll just have to research and learn.

Ah, alright, this means I would then have to get the UID of the NExT registered to the system. More points to investing in the flexMT then.

You already have a bunch of advice :arrow_double_up:

If you are interested in any more

THIS IS WHAT I WOULD DO
slightly different from what has been said above

Here are a couple/ few different options:-
Some of it will depend on how much :moneybag: you want to throw at it.

RFID Specifications:

  • 13,56MHz technology
  • Compatible with the following standards:
  • ISO 14443 A (MIFARE including Desfire)

I think it is relatively clear that although it is 13.56MHz & ISO14443a like the NExT - xNT it is specifically referencing MIFARE ( Remember, this is marketing, not an actual specification )

You mentioned getting a FlexMT, which is a viable option, however, I would say that you will still have the system admins enrollment issue.

Here is where I see your options:-

  • I think your “best” option would be a FlexM1gen1a or gen 2 (depending on your preference) and you can clone your UID to this yourself, job done.

  • Look at getting a replacement “motherboard” from the supplier and swap just that out into your current one and you can enroll whatever implant is compatible,
    Which leads me to: get a test card pack from KSEC and CONFIRM what implants are compatible.
    Your list should be any of the below
    FlexM1gen1a or gen 2
    FlexMT
    FlexDF1
    FlexDF2
    xDF2

  • If you were still going down the LF option, I would be doing what @ODaily was suggesting
    pick up the motor wires, which should be relatively easy as they are colour coded (if you were going to run parallel with the other system, remember to put in a diode). Then get your xAC (V1 or V2), throw in a 12V supply and a voltage regulator to the motor.

Anyway, some options for you

Keep us up to date, any questions just ask


I did some more disassembly of the system and I can’t seem to actually pull the lockcase (houses the motor and the true “guts” of the system) out of the door due to the presence of that external “physical” lock in the final picture. I find that convincing them to use the key (which I suspect is a master for all the apartments) will probably be a hard task, especially when they then ask why I need it unlocked. I’ve thought about trying to pick it, which is possible, but it does not seem like an especially beginner-friendly lock based off the number of pins (7) and the paracentric keyway.

I also attempted shorting each of the wire holes on the rainbow cable to their respective black box ports to see if I could send an “open” signal, but to no avail. In an idiot move, I hadn’t considered that those AAA batteries provide power to the outside reader (right rainbow cable) and internal motor (left rainbow cable) through the appropriately colored black box. Therefore, without any further testing, I would imagine it’s the specific red and black cables for power, but I’d have to bridge those and then test each of the other colored wires to see what happens.

As for the flexMT vs. the flexM1, I lean more towards the flexMT because the read range from my current NExT does not work for all of the LF readers I interact with, and I’d be pretty down with having the extra range from the MT. Nonetheless, I’ll try to do some more testing on the black box/rainbow cables to see if I can get a response from the motor.

Intro question possibly, but when it comes to cloning Mifare cards to a flexM1 for instance, where do the possibilities of using a phone with NFC end and the benefits of something like the Proxmark or Chameleon begin?

I guess it comes down to what you have access to/ what you are familiar with/ what you prefer.
Some more info on the Mifare implants :arrow_down_small:

gen1a vs gen2

Basically, gen1a chips are “safer” because you can always recover mistakes, but require special hardware or software to change sector 0 (where the serial number lives) or recover from locked sectors. With gen2 chips, you can easily use an NFC smartphone to write to sector 0 using an app, but if you accidentally lock a sector you cannot recover it (just like a real Mifare “classic” 1k chip). For more info about this exact difference, check out this post.

gen1a
The gen1a magic Mifare chip requires a special back door command that opens up all sectors to writing, including sector 0. The advantage of this is that even if you have lost the crypto1 keys for a particular sector that is marked as protected by the access bits for that sector, you can still overwrite it after issuing the back door command. The down side is, the back door command is issued to the chip after it supposedly enters the halt state, which means only certain devices can issue the back door command. Smartphones generally cannot do this because the chips and firmware in the phone do not allow further communications after the halt state has been entered. Furthermore, certain readers, especially in Asia, look for magic chips by issuing the back door command and if the chip answers, it shuts down to avoid allowing a possibly cloned chip to access whatever door or service the reader is attached to.

gen2
The gen2 magic Mifare chip has no back door command. All sectors are simply open for writing. The advantage of the gen2 magic chip is that even NFC capable smartphones can simply issue write commands for any sector, including sector 0. This means a smartphone app could be used to change the ID of the chip along with all the data in the manufacturing block. In addition to this, readers looking for magic chips ultimately have no good way to really tell if the chip is a magic chip or not. The down side is that the real Mifare S50 1k chip’s operation is emulated completely and accurately. There is no back door, so if one or more sectors on the chip become protected by access bit changes, you need valid keys in order to make further changes. In addition to this, if you set access bits such that the sector becomes locked, there is no way to recover that sector… it will be locked forever.

Here is the Thread link if you need more info


I am not sure, as I have never used a phone. A quick Google search did turn up a few articles on doing it. I have always used a Proxmark or that type of platform in my RFID work, as I find it more robust and less problematic for me.

I did, however, just order a Chameleon, so when it comes in I will keep the forum up to date on my implant work and its use. On that note, I suppose I should order an xM1 implant to work with. I was looking for an excuse for yet another implant anyway lol.

Basically there are two routes here.

  • Find a way to enroll your chip in the system.
  • Bypass the system with an external system of your own (xAC).

Either way is cool, and I’d advise you to make your own choice here. Don’t wanna seem like I’m pushing one way or another.

I might be able to help a bit with the 2nd one. I was reading the spec sheet on your lock when I came across the following feature.

This implies to me, that there is some kind of mechanism, most likely a switch, installed in the inside handle to detect when you’re trying to leave through a locked door. That is the most likely place for you to attack the system. If it is a simple switch, short it, either manually or via xAC, and the door just opens…

If that’s the case, you may be able to add a small plug into the side of the unit so that you can plug and unplug your xAC so the landlord doesn’t get all upsettable if he needs to come in for some reason. You could velcro it to the door, or hang it from the top of the door, whatever works. Just unplug and detach the unit while he’s there.


Thank you for the info! It’s a shame the flexMT is only running the gen1a Mifare chip, as the gen2 sounds a little easier to write to, but I can just get my hands on an ACR122U and run the specialized tools Amal posted. I also double checked the current hotel key I use and it’s only got 4 bytes per sector, so I should be good to get my hand enrolled without issue on that front. All that’s left is to convince my system admin to let me.

In another interesting discovery, I learned that when the keycards aren’t functioning correctly, the front desk staff will take the card and rewrite it with a reader/writer they have there. I’m wondering if I could convince them to try to enroll my flexMT versus having to go to the higher-ups, but we’ll have to see. If I can figure out what the reader/writer is, I’ll let y’all know.


Haha, I’m glad to have provided a valid reason, and definitely keep me updated!