SHS3321 Firmware rollback

Well - Houston, we have a problem…

The problem is, the key industry lost a customer today. Thanks all who got me the help I needed.
The firmware patch went perfectly and I didn’t lose any of the codes I had previously created.

Woo welcome to the future!

4 Likes

Great news mate! Lmk if you ran into any speed bumps I need to add to that wiki!
Test_Pass++!!

2 Likes

None, it was perfect

2 Likes

I might need to do this,

Curious if I could recore the lock to comply with my current bitting, might be able to get away with it in my apt if I’m using the same key

2 Likes

@Eriequiet The SHS3320 uses a KIK cylinder I’m pretty sure. So you should just be able to swap the tail piece between that and your current lock. I’ll post some photos of the inside of my spare 3321 when I get home so you can compare.

Edit: this is the 3321, which has a blanking plate rather than the key barrel face plate, but the internal void fits a KIK cylinder!

2 Likes

I really gotta figure out how those 4 layer PCB antennas with the copper plane covering the top and bottom work. The ACR122U has the same design.

@TamablePumpkin, can you add me as a Contributor to your Github repo? I ran into an issue that I was able to solve, and want to add a bit to the wiki. Username on Github is the same as here, thanks!

1 Like

I’d rather you submit an issue on github than me give you elevated privileges at this time. I know that’s not a great solution however I’ll work on a method for pull requests to be made to the wiki as well as the code base

1 Like

The TownSteel ESmart 5000 uses a Schlage 5 pin keyway and is easy to rekey. It’s harder to swap the core out as a 6 pin core is fairly common in SC1 locks (It’s an SC4 with only 5 pins in place) but the SC1 core is shorter. I have no issues with it and ring/tags.

About to go through this process. Just need to wait on the PicKit. That said I’m trying to understand all of this stuff and was looking for some info. Currently the lock “unflashed” will read the chip but won’t accept it as a tag. Can anyone explain why exactly? Is it because the NExT serial number is too long? Different protocol? I know I need to roll back the firmware, just not entirely sure what that does and why it makes the device compatible.

I answered this in the Discord, so I’ll transplant it here:

"So just brief context:

  • First there was LF (125kHz) with lots of incompatible competing standards
  • Then NXP created the MIFARE structure at HF (13.56MHz) which uses a 4 byte NUID which was too small so now they’re recycling IDs. It has memory sectors broken up into blocks. They can still be read by the ISO 14443a compliant readers, but they need some MIFARE specific commands to function completely
  • Now there are tons of different NFC tags that comply to ISO 14, but many of the ones by NXP (like the NTAG216 in the NExT) use a 7 byte UID and a memory structure (usually with 1 continuous sector) broken up into pages, which respond to generic ISO 14 commands

They’re fundamentally different, but also Samsung specifically didn’t want it to work, so it doesn’t. They want you to buy cards from them like razor blades"

1 Like

Without reverse engineering the software it’s hard to know for sure what exactly they changed, but given that we can roll back the firmware of the current hardware revision I suspect that version 1 had a bug that didn’t check the length of the UUID.

Now that I’m writing this I should probably check that using a 7 byte UUID card doesn’t overflow and corrupt the next ID location.

Any new users should avoid using sequential ID locations until that’s been tested.

2 Likes
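The concern raised in the post above (a 7 byte UID stored into a location sized for a 4 byte one), as an added example that is not part of the original thread and is not Samsung's firmware. The table layout, slot size, function names and sample UIDs are all hypothetical and constructed for illustration; the lock's real storage format is unknown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_LEN 4  /* assumed: each ID location sized for a 4 byte NUID */
#define SLOTS    4  /* assumed: number of ID locations */

/* Hypothetical flat, EEPROM-like table of adjacent ID locations. */
typedef struct { uint8_t bytes[SLOTS * SLOT_LEN]; } tag_table;

/* "Before": trusts the length reported by the reader. Only called with
 * slot 0 here, so the spill stays inside the table (no undefined behaviour). */
void enroll_unchecked(tag_table *t, int slot, const uint8_t *uid, size_t len) {
    memcpy(&t->bytes[slot * SLOT_LEN], uid, len);
}

/* "After": refuses any UID that does not fit the location exactly. */
int enroll_checked(tag_table *t, int slot, const uint8_t *uid, size_t len) {
    if (slot < 0 || slot >= SLOTS || len != SLOT_LEN) return -1;
    memcpy(&t->bytes[slot * SLOT_LEN], uid, len);
    return 0;
}

int slot_matches(const tag_table *t, int slot, const uint8_t *uid) {
    return memcmp(&t->bytes[slot * SLOT_LEN], uid, SLOT_LEN) == 0;
}

/* Constructed sample UIDs, not taken from any real tag. */
static const uint8_t CARD_4B[4] = {0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t TAG_7B[7]  = {0x04, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66};

/* Returns 1 if enrolling the 7 byte tag in location 0 damaged location 1. */
int unchecked_corrupts_neighbour(void) {
    tag_table t = {{0}};
    enroll_unchecked(&t, 1, CARD_4B, sizeof CARD_4B);
    enroll_unchecked(&t, 0, TAG_7B, sizeof TAG_7B); /* 3 bytes spill over */
    return !slot_matches(&t, 1, CARD_4B);
}

/* Returns 1 if the checked path rejects the tag and location 1 survives. */
int checked_preserves_neighbour(void) {
    tag_table t = {{0}};
    enroll_checked(&t, 1, CARD_4B, sizeof CARD_4B);
    int rc = enroll_checked(&t, 0, TAG_7B, sizeof TAG_7B);
    return rc == -1 && slot_matches(&t, 1, CARD_4B);
}

int main(void) {
    printf("unchecked corrupts neighbour: %d\n", unchecked_corrupts_neighbour());
    printf("checked preserves neighbour:  %d\n", checked_preserves_neighbour());
    return 0;
}
```

On a real lock the equivalent test is to enroll a known-good card in the location after the 7 byte tag and confirm it still opens the lock afterwards.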

https://www.amazon.com/gp/product/B08RMQP6YP/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

are these the correct connectors?

edit: posting a pic as well so no one needs to click the link

1 Like

Considering that the hardware has the ability to read the chip and the software denies accepting the code (in the current, unflashed version) I think this points to the simple solution that Samsung specifically only wants their chips or chip numbers to work with the lock, to get more people to buy their specific products.

I could see them arguing about something from a safety/security perspective, but if the software used to read any chip, and now only reads Samsung chips, that’s a pretty good “why” it seems.

I DID IT! Thanks for all the support above. DM me if anyone has issues with this process. It was actually pretty straightforward.

5 Likes

Out of curiosity, it’s been over a year since any activity or chatter on this lock…. Any chance they’ve changed the firmware again to allow for added tags?

Hey mate,
I’ve not touched this in a year, my “rolled back” lock has been working with my NExT since the first publish date on the git repo and I’ve not run into the collision problem I last wrote about in practice, however I’ve also not tried to debug it either.

I doubt Samsung has made any changes to allow for more types of tags.

PIC reverse engineering is a rabbit hole I don’t have the time to chase at this point either.

TLDR:
Probably not

I just got done installing the Samsung SHS-3321. Everything is working great!

My experience:

  • Creating the cable was super easy. Basic soldering, no one should be scared to do.
  • Learning PICkit 3: Super easy, especially didn’t have to do anything except plug and play (pay attention to the status lights, I killed some time trying to figure out if everything was working or not when I should have just trusted it was fine)
  • Using MPLAB IPE: super easy. Ensure you follow the screenshots. I’m happy I made the backup. My firmware didn’t flash correctly the first time, and the lock would play the music on repeat. I flashed it back to the original and started from scratch and everything worked great.
  • Ensure you do not have any batteries in the lock. That is the reason the first attempt didn’t work.

Other than that super easy, had great instructions, and works way better than the previous lock I had in there.

3 Likes

Not to be presumptuous,

But have you considered offering to rollback for others now that you know how to do it?

Could be a blessing for some on the forum

1 Like

I would love to!

To anyone who would like some help, please let me know! I’m more than happy to help walk through, or, if you pay shipping, roll it back for you.

2 Likes