Reprogramming master fob on xAC

Is that meant to go to a document? I found that link too but I just get redirected to a homepage and didn’t see anything relevant

Saw this earlier, but wasn’t in a place I could reply. Got some serious mulling done as a result. There’s a lot of possibilities here, and I’m gonna divide them into two camps.

Camp Funky Variables.
I can think of a bunch of scenarios that fit this. For instance there could be some kind of floating input on the unused pins that triggered a master key event. The EEPROM being corrupted is another. All of these scenarios share the common theme of an unlikely pseudo-random happenstance that caused a triggering event.

Camp Secret Knock
In this camp I put all the scenarios that are based around an unknown combination activating an enrolling process. Could be an on-off cycle blink code, could be something else. The point is there is a repeatable process that got stumbled upon.

At this point we need to totally renounce Camp Funky Variables and all its inhabitants. Why? Cause they’re non-repeatable within any reasonable time frame. It would take the proverbial million monkeys pounding away for a million years. It’s not that Camp Funky Variables is invalid, it’s just pointless to waste effort on. That lets us concentrate all our effort on what we can solve for, the answers in Camp Secret Knock.

We have some Secret Knock clues.

Clue One.
The power was intermittent, and / or being cycled.

Clue Two.
Compgeek was presenting his implant during this process.

Clue Three.
Comes from human nature. People tend to repeat what works for them. For example, were Amal to introduce a new implant, better than average odds that its name would start with x. If Pilgrimaster builds something, it’ll be measured in mm, and the components will be spaced accordingly. So if you try to guess the distance to the next piece, take an educated guess in a nice round metric number. If I designed it, that would be in decimal inches.

We don’t have any other products from the designer of the xAC, but he did leave us two processes that we can examine. To enroll a new tag, hold the master for 5 seconds, and then present the new tag. To erase all tags, hold the master for 10 seconds. Clearly he uses tag presentation and timing in design work. It’s VERY reasonable to assume any secret knock would as well.

Unfortunately it’s gonna take guess work to figure it out.

Using the clues we have, I’d start by hazarding a guess that the secret knock involves presenting a tag to the reader at power up, and holding it there for a set period of time. 5 seconds perhaps.

Compgeek may be able to narrow the field down if he can be more specific as to what was / was not going on during the time that the master key got re-written / swapped.

Questions:
1. Was the power cycled while your tag was presented?
2. Was the original Master key in play in any way?
3. Was your implant held on the reader for a period of time? If so, how long?
4. Did you at any time experience a short circuit?
5. Don’t let all the questions fluster you, but details are gonna be super helpful. Watchya got?

2 Likes

Random thought. Any chance something like the Wayback Machine could retrieve any of this? Not something I have any in depth knowledge of. It just seems like a possibility. Maybe. If. Sorta. Kinda.

1 Like

I had a good dig (1hr +) didn’t find anything :frowning:

2 Likes

Funny you should mention that. After my initial bumbling around to re-find it, I thought the same thing, but I am not sure of the page address to look it up. I looked back in my history to find it and it doesn’t go far enough back.

I also tried the document link I attached above ~“page not archived”.

@anon3825968 was there much more recently than I was, he may either remember the address or have it in his browser history to search Wayback Machine

Alright, let’s get some detail and answers up in here!

The actual problem I was fixing was an intermittent ground. It was working perfectly fine at the start of the day, then I unscrewed the load output on my battery charger that powers it to add in another pair of wires for a floodlight install (well below rated load, no voltage drop or anything weird)

The annoyance came with the cheap Chinese screw terminals to connect the wires into, they didn’t apply enough clamping force and I didn’t notice at first. Light worked fine (decent size capacitor so I didn’t notice any flicker) and thought I’d retest the garage before closing it. I heard a few random relay clicks from my output relay which was strange, and it didn’t respond to my implant.

I’m not sure if this was the point where I became the master or if it just couldn’t read with unreliable power.

I removed the wires from the power supply, crimped connectors to them, and securely got a small bit of wire into the screws (have I mentioned I hate screw terminals?) - power issues resolved, door lock still didn’t work for me, but worked for my Dad… after I had just tried… we thought maybe it had ‘unlearned’ me through some freak glitch, then I remembered seeing once that someone else had this issue at one point. I grabbed the ‘master’ and tried to program my implant in the usual way and it didn’t work. I then tried the other way around, and the master started operating the relay. I later confirmed this with a spare fob, I was definitely the master at this point.

Probably Yes, but not intentionally

When it happened, no, I grabbed it after I realised what had happened to verify. It is now programmed as a user key. I had heard of one other case on the internet of this happening (can’t find the link now) so I had a good suspicion about what had happened.

Yep, at times, I was tracking down a relay clicking, so was presenting the tag for a few seconds at a time, this is when we narrowed down the ground issue, so it was probably power cycling at this time. Not really sure how long I’m afraid, wouldn’t have been more than 15 seconds at a time I don’t think.

No, I had an intermittent open circuit for a while, but no shorts.

I got some answers! Thanks for taking the time to ask, it all helps in putting the events together into something that hopefully makes sense.

3 Likes

Were these clicks occurring when you attempted to scan or just randomly? (Trying to wrap my head around the sequence of events.)

Your Dad’s implant still worked when you first couldn’t get in? Did his stop working when you became master?

Been playing with a spare xAC trying to guess my way in. No joy so far.

1 Like

The relay clicks were random, I suspect a product of the bad ground. Sometimes with a tag the output would ‘drop’ and other times without a tag near. Now that the power is fixed, this isn’t occurring.

His key fob ‘always worked’ but the first time he tried, I had presented mine before him within 5 seconds, so likely would have programmed him in.

All other tags did get deleted though, so the whole device was cleared/reset in some way, we just didn’t notice at first with his since he was with me for the rewiring and touched soon after my attempt failed. It’s unclear at the moment if the change in master tag happened during the ‘bad ground’ or the ‘power restored’ first boot, but my money is on it happening during the intermittent ground.

2 Likes

Just tried browning out my xAC. I’ve got it on a variable power supply. Started at 12V, with an active tag propped on the scanner. LED stayed on til 4.3V or so. I tried messing with various combos, but still no luck. Read range was not reduced at all. It might also have still been functioning below 4.3V, but had insufficient voltage for the LED due to the inline resistor.

I found… something.

I have the power supply back at 12V.
There is no tag being read.
The positive is firmly connected.
I’m brushing the frayed end of the negative against the Negative alligator clip very rapidly.

First I noticed that I could occasionally get a flicker from the LED when it should have stayed dark.

Then I managed to stop (connected to negative) when the LED was illuminated. It stayed on, but still no tag.

I tried presenting the enrolled tag, but no difference. After power off, and back on, it works normally. The enrolled tag is NOT master, and no changes are apparent.

1 Like

Interesting, that would explain potentially my random relay clicks, it rebooting rapidly and occasionally turning on the output.

That’s definitely something replicated - now just to figure out how to use that!

Supply voltage off my battery at the time was 13.7V if that helps set some parameters

Well, so far, it makes a nifty night light!

2 Likes

Most reports of master tag reprogramming have been during brown out conditions, scanning a tag, that tag becomes master… and sometimes the first scan after restoration of full power. That’s all I know.

2 Likes

That’s hardly uncommon in many devices. The trick is, is it predictable enough to be controllable?

1 Like

I’ve got it! Video coming up soon, I’ve just reprogrammed my test bench one 6 times in 5 minutes. It’s definitely a dodgy ground issue causing it to reset, then the first tag is set as master.

I’ve got a repeatable setup, it’s janky but works. Will share details as soon as I’m at my computer

3 Likes

image

1 Like

I just love good hacking done right.
Well done Sir.

1 Like

Once you see how it’s done, I don’t know if you’d agree it’s ‘good’ or ‘done right’ - but you will agree it’s done!

Took a little while to do it on the actual reader, but it did work!

There needs to be a load on the power wires of the reader (in my case, a 10k resistor between positive and negative) to make the capacitors discharge quickly and make the power less stable, then connect up the positive and rapidly tap the negative. Do this while you have an enrolled tag that you want to become the master resting on the antenna. You want the light to be flickering as much as you can (the worst power you can deliver!) with the goal that the light should stop responding when the reader has power (the behaviour you’ll see of a master tag).

Once this happens, it should now be the new master. I imagine you can do this without the tag held to the antenna, but this gives it a good indication of if it worked and makes sure the first one it sees is the one you want as master.

7 Likes
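The failure mode the thread converged on is a design weakness rather than a secret knock: the controller comes up with a blank configuration after a brownout reset, and whatever tag it sees first is taken as the new master. The following is an added model of that enrollment logic, written for this discussion and not the xAC firmware or any code from the forum; the reader state machine, the `auto_master_on_blank` and `enroll_mode` flags, and the tag names are assumptions. It keeps the two documented timings (hold the master 5 s to enroll, 10 s to erase all), replays the sequence of events from the thread (glitch reset, implant becomes master, old master fob is denied, then re-enrolled as a user), and shows the defensive variant where a blank configuration does not auto-enroll anything unless a physical enroll mode is active.

```python
from dataclasses import dataclass, field
from typing import Optional

# Timings as described in the thread (hold master 5 s to enroll, 10 s to erase all).
ENROLL_HOLD_S = 5.0
ERASE_HOLD_S = 10.0


@dataclass
class Reader:
    """Hypothetical model of an access controller's tag handling (not the xAC firmware)."""
    master: Optional[str] = None
    users: set = field(default_factory=set)
    enroll_window: bool = False          # set after master held >= ENROLL_HOLD_S
    auto_master_on_blank: bool = True    # weak default: first tag after a blank boot is master
    enroll_mode: bool = False            # hardened: a physical enroll switch must be active
    log: list = field(default_factory=list)

    def brownout_reset(self) -> None:
        """Model the glitch the thread reproduced: reset into a blank config."""
        self.master = None
        self.users.clear()
        self.enroll_window = False
        self.log.append("reset with blank config")

    def present(self, tag: str, hold_s: float = 0.5) -> str:
        """Handle one tag presentation held for hold_s seconds; return the outcome."""
        if self.master is None:
            if self.auto_master_on_blank or self.enroll_mode:
                self.master = tag
                self.log.append(f"{tag} enrolled as master")
                return "master-enrolled"
            self.log.append(f"{tag} rejected: blank config and enroll mode off")
            return "rejected"
        if tag == self.master:
            if hold_s >= ERASE_HOLD_S:
                self.users.clear()
                self.enroll_window = False
                return "erased-all"
            if hold_s >= ENROLL_HOLD_S:
                self.enroll_window = True
                return "enroll-window-open"
            return "master-no-output"   # master never drives the relay (the 'light stops responding' tell)
        if self.enroll_window:
            self.users.add(tag)
            self.enroll_window = False
            self.log.append(f"{tag} enrolled as user")
            return "user-enrolled"
        return "relay-open" if tag in self.users else "denied"


def replay_thread(auto_master_on_blank: bool, enroll_mode: bool = False) -> dict:
    """Replay the thread's sequence on a reader commissioned with a master fob and one user."""
    r = Reader(master="FOB-MASTER", users={"IMPLANT"},
               auto_master_on_blank=auto_master_on_blank, enroll_mode=enroll_mode)
    before = r.present("IMPLANT")            # normal operation: relay opens
    r.brownout_reset()                       # intermittent ground resets the controller
    after_glitch = r.present("IMPLANT")      # weak default: implant silently becomes master
    old_master = r.present("FOB-MASTER")     # the original master is now unknown to the reader
    return {"before": before, "after_glitch": after_glitch,
            "old_master": old_master, "master_now": r.master, "log": r.log}


def recover_as_thread_did() -> tuple:
    """With the implant now master, enroll the old fob as a plain user, as the thread did."""
    r = Reader(master="IMPLANT")
    return (r.present("IMPLANT", hold_s=ENROLL_HOLD_S),   # opens the enroll window
            r.present("FOB-MASTER"),                      # old fob enrolled as user
            r.present("FOB-MASTER"))                      # and it now drives the relay


if __name__ == "__main__":
    print("weak default :", replay_thread(True))
    print("hardened     :", replay_thread(False))
    print("recovery     :", recover_as_thread_did())
```

The defensive point the model makes explicit: a reset into a blank configuration must not be an enrollment path. Treating "no master configured" as "refuse everything until a physical enroll switch is set" turns the glitch into a denial of service that someone notices, instead of a silent change of who holds the master credential; a controller that logs resets (the `log` list here) also gives you something to look for when a door starts behaving oddly after a power fault.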

Most excellent. You extended the functionality of the device. This IS hacking done right. Love it!

4 Likes

Thanks everyone for jumping in with ideas, thoughts and suggestions, and a special shout out to those who set up a test bench and experimented alongside me!

This is definitely one of the best forums on the internet, and you people are the reason why!

7 Likes