Samsung 3321 not able to register implant

I invoke the mighty @Pilgrimsmaster he will know what to do :slight_smile:

1 Like

Well, I have an idea :bulb: at least, Standby…

2 Likes

So my ideas were, dependent on the time and effort you wanted to throw at it.

I was wondering if this AWESOME hack by @TamablePumpkin


might be something you wanted to try and see if that works for your xSIID :man_shrugging:

Alternatively, this MAY work

If you let me know what you decide, I will update the matrix accordingly if you have success ( or not).

thanks! I’ll look into the first method and consider doing it if I can get the parts here and do it all before the return window closes on my samsung lock. I’ll get back to you soon I hope!

1 Like

Cool, good luck.
Don’t be afraid to ask for help if you need it :+1:

1 Like

Hey Pilgrimsmaster, is that second solution something I can do to my xSIID chip with permanently altering it? I didn’t think that Mifare was something related to this chip. I’m not super familiar with the technologies outside of the ones used for the xSIID and even then I’m not knowledgeable about the technical stuff.

It’s not, that suggestion was more of a Hail Mary. pinning hopes on the shared ISO14443A

The first option was the much better and most likely option

1 Like

Didn’t someone on here pull firmware from a working samsung lock and flash it to a new model to get it to work?

1 Like

Yep, Linked :arrow_heading_up:
and now again :arrow_heading_down:

5 Likes

Hey Amal,
I’m very good with embedded systems, but what you’re trying to do isn’t possible. First, if one can read the firmware of some system (and that’s a big IF) it is compiled and a disassembler is required to get some assembler code. It would take a very long time to reverse engineer the functionality of the device with this method.
The best would be to use the hardware from the SAMSUNG lock and make a new controller for it on which you can put your own firmware. If you would make this firmware open source SAMSUNG probably will hate you for it. It’s like the guys did with the DD-WRT firmware for routers.
However, I love SAMSUNG, everything in my house is SAMSUNG (washer, dryer, stove, computer and all phones). I will buy one of those locks and try to make it work and let you know the outcome.

1 Like

Stupid question,

But has anyone tried to reach out not to “Samsung” but the actual code gremlins,

Might be easier to convince the people actually working on the product to re-enable it in current firmware, than some random Samsung customer support who’s never even seen the lock

1 Like

and in our products, it’s encrypted too - because we have strong suspicions that our products have been reverse-engineered in the past.

If it’s not encrypted though, disassembling a firmware is nothing tricky. It’s just long and tedious if it wasn’t made with a standard compiler. If it was however, many disassemblers will be able to put something resembling the original source code back together. If you’re really lucky, some of the original symbols will even be left in the compiled code :slight_smile:

The link above is the firmware samsung shs3321 lock, so that big if is sorted :wink:

The board has got a programming header and the micro has no fuses set. If you’re interested in decompiling the firmware I dumped or writing your own system for the PIC18 micro, that post is probably a good place to start.

1 Like

Good news!! It’s not encrypted!!
I’ve added the disassembly of both the new (broken) version and the old (works with NeXT) firmware dumps to the git repo. PIC18 assembly isn’t in my wheelhouse, but maybe that’ll be helpful to someone else?
These were made using the MPLAB X IDE just importing the hex dump as a new project.

SHS3321-NexT-Firmware

2 Likes

Hey TamablePumpkin thanks for the repo.
Some more questions:

  1. What is the second chip (U6, the 32-pin chip) besides the PIC18 on the board?
  2. Can you post a picture from the backside of the board?

@Intector It’s got markings 3A Logistics TRH031M S-1623
and a reverse photo is now included
as well as an RE page in the git wiki

@TamablePumpkin thanks again for the info, the TRH031M is the NFC reader and it’s obsolete, I guess the newer version of the 3321 has a different chip for that.
I had a quick glance at the assembler code and found some added functionality and something that looks like code optimization (but that’s not sure). It looks like SAMSUNG added a software filter for the NFC tags which allows the blocking of everything but their cards.
It would take quite some time to reverse engineer the functionality from the assembler code which is probably not worth the effort.
The PCB seems to be a 2-layer board which would simplify things somewhat. I added the board overlay picture where the front and the back are together.
I kind of go with the idea to make a new controller using the CR95HF from STMicroelectronics and maybe an ESP32 or a nRF52840 from NORDIC as MCU, this would give me WiFi or Bluetooth.

I’m unsure what the new chip is as my “new” lock is potted better and I can’t read the markings. If it has changed, it’s a drop-in replacement as I have flashed the old firmware to the new lock and it works perfectly.

That is the running theory, there was some talk about changing that function and probably the EEPROM read/write functions to allow tags with longer UIDs, or use stored data rather than the UID

I think the board is at least 4 layers, shining a torch at U3 and viewing the other side as shown has some shadows of traces I can’t see on the top or bottom side?
Backlit Board
Thank you for the overlay, I have merged that change.

I also like the idea, does the CR95HF cover a fair selection of DT implants?

1 Like
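The post above describes the running theory that the newer firmware filters tags by UID and that a fix would have to make the UID check and the EEPROM credential store handle longer UIDs. As an added illustration (not code from the SHS3321-NexT-Firmware repo or from Samsung, and written in C rather than PIC18 assembly), here is what a length-aware UID allowlist check for a lock controller looks like: enrolled credentials store the UID length alongside the bytes, so 4-, 7- and 10-byte ISO14443A UIDs can coexist, and a 7-byte UID whose first four bytes happen to equal an enrolled 4-byte UID is not accepted. The table contents and the `credential_t`/`uid_authorized` names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ISO/IEC 14443-3 Type A UIDs come in three sizes: 4, 7 or 10 bytes. */
#define UID_MAX_LEN 10

/* One enrolled credential as it might be laid out in the lock's EEPROM.
 * Storing the length next to the bytes is what lets mixed UID sizes
 * share one table instead of assuming every tag has a 4-byte UID. */
typedef struct {
    uint8_t len;                 /* 4, 7 or 10; 0 marks an empty slot */
    uint8_t uid[UID_MAX_LEN];
} credential_t;

/* Constructed sample table (hypothetical values, not from any real lock). */
static const credential_t allowlist[] = {
    { 4, { 0xDE, 0xAD, 0xBE, 0xEF } },                        /* 4-byte single-size UID */
    { 7, { 0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 } },      /* 7-byte double-size UID */
    { 0, { 0 } },                                             /* empty slot */
};
#define ALLOWLIST_SLOTS (sizeof allowlist / sizeof allowlist[0])

/* Byte compare without early exit, so the time taken does not reveal how
 * many leading bytes of a presented UID were correct. Returns 0 on match. */
static uint8_t ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff;
}

/* True when the presented UID exactly matches an enrolled credential.
 * The length is part of the match, so a truncated or extended UID that
 * shares a prefix with an enrolled one is rejected. */
bool uid_authorized(const uint8_t *uid, size_t len) {
    if (len != 4 && len != 7 && len != 10) {
        return false;                       /* reject malformed UID lengths */
    }
    bool found = false;
    for (size_t i = 0; i < ALLOWLIST_SLOTS; i++) {
        const credential_t *c = &allowlist[i];
        if (c->len == 0 || c->len != len) {
            continue;                       /* empty slot or different UID size */
        }
        if (ct_memcmp(c->uid, uid, len) == 0) {
            found = true;                   /* keep scanning; no early exit */
        }
    }
    return found;
}

int main(void) {
    /* Constructed test tags: an enrolled 4-byte UID, and a 7-byte UID that
     * merely starts with those same four bytes. */
    const uint8_t tag_ok[4]  = { 0xDE, 0xAD, 0xBE, 0xEF };
    const uint8_t tag_bad[7] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03 };
    printf("4-byte enrolled UID: %s\n", uid_authorized(tag_ok, 4) ? "open" : "deny");
    printf("7-byte UID sharing the prefix: %s\n", uid_authorized(tag_bad, 7) ? "open" : "deny");
    return 0;
}
```

Whether a lock should key on the UID at all (as opposed to data stored on the tag, which the post also mentions) is a separate design choice; this block only shows the minimum needed for the UID path to stop assuming a single fixed length.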

I think the CR95HF will cover the major NFC DT tags, here is the description from the datasheet:

Typical protocols supported:

  • ISO/IEC 14443-3 Type A and B tags
  • ISO/IEC 15693 tags
  • ISO/IEC 18000-3M1 tags
  • NFC Forum tags: Types 1, 2, 3 and 4

I ordered this from MOUSER for testing:

I got some ESP32 modules laying around which would give me wireless ethernet and Bluetooth.
Personally I like the RAYTAC MDBT50Q-1MV2 module. It’s a nRF52840 from Nordic as a super small module.

Here is an evaluation board for it:


This board is a little bigger than a credit card, just to see how small the MDBT50Q module is.
Unfortunately, the nRF52840 provides “only” Bluetooth. Having wireless ethernet would be good for a door lock. On the other hand the Nordic chip could be used to set up a mesh network with other controllers in the house. An “ESP32 hub” could be easily added to open the door to the internet.

3 Likes