Yale Doorman V2N cracking by iceman

FYI…

http://www.proxmark.org/forum/viewtopic.php?id=7043

Amal

5 Likes

The cracking project seems stalled. Too bad because the Yale Doorman is pretty much the only possible option I have left to install a commercial RFID lock on my stupid Finnish-standard lock, since I rent the house and I can’t undertake heavy modifications to the door or the frame.

However, seeing as though the lock writes to the fob to rotate the key at each opening, I’m not really sure I want one: I don’t much like something that performs a write several times a day. It’s bound to miss a write after a read at some point, and then I’m left with an inoperable implant. Not to mention, it’ll overwrite my NDEF records. In any case, I’m not even sure it can read (and more importantly, write) an implant as reliably as it does a full-size fob.

So all in all, that product comes with a lot of unknowns and don’t-wants for me. Still, I’d like to see it cracked, just for shits and giggles.

Having said that, you gotta admire Yale’s commitment to securing the totally insecure M1k platform. Talk about polishing a turd… It’s even managed to thwart the hacking efforts of quite a few very competent people so far :slight_smile:

I live in an apartment with a uPVC door and wasn’t really looking to modify the door to add an american style deadbolt lock so I ended up going for this.

It’s just a cylinder lock and I love it. Managed to remove the house keys from my everyday carry; hopefully the wallet will be the next thing to go.

1 Like

Well, the problem with my lock is it’s a special kind found pretty much only in Finland. Else I’d have purchased a new cylinder also. There aren’t very many devices that would fit on it, and they’re all made by Finnish or Scandinavian companies.

But not to worry, I might have found a Rube Goldberg solution to the problem. I’m only waiting for an email confirming some technical specs from one of the manufacturers that makes a Bluetooth electronic doorknob that would fit on my lock, and then I think I’ll be able to put something together with an old cellphone and a couple of Tasker scripts. If it works, I’ll describe the solution here.

1 Like

I guess you also have this type @anon3825968?
We should also be able to swap out the locks and the mechanism in the center to the standard EU one according to my locksmith, she’s checking out dimensions to see what will fit into a standard Scandinavian door.
I’ll update you when I hear from her on Monday if you’d like?

Kippis from Norway :grin:

My lock case is an Abloy 4190 and the cylinder is an Abloy Classic. So no, it’s probably not the same beast as the one you showed.

The Yale Doorman comes with a BL907 replacement lock case that, crucially, fits the SFS 5209 mortise the Abloy 4190 and LC100 fit in. So while I would have to ask the homeowner’s permission to replace the lock case and door handles, and provide him with a fob should he agree, I wouldn’t have to modify or change the door. It would be quite inconvenient to ask permission, but the Doorman looks like a nice, integrated solution, and it would be worth asking if it wasn’t such a bitch to make it work with my M1k implant.

The alternative solution I’m investigating is a BT-only Danalock v3 knob, to replace the Abloy Classic’s indoor thumb tumbler, controlled by an old NFC-enabled cellphone running the Danalock app, and Tasker to trigger the app upon reading my implant’s UID to unlock the door. The cellphone would be kept behind the door, and I would only have to either solder an external NFC coil to the phone, or make/buy an NFC patch kit and tape it to the outside of the door.

For this contraption to work, I need to be sure the Danalock works with my lock case. I’m 99% certain by virtue of seeing this photo, but I figured I’d ask Danalock for confirmation because my lock case is a cheap version made in 1985-1990 with slight differences.

But more importantly, I need to be sure the app can create a proper “open door” shortcut on the cellphone’s home screen for Tasker to call. I believe it does, because I installed the app and I can see it listed in the list of widgets. But I can’t be entirely sure without pairing it to a lock. So I asked Danalock for confirmation on that too before buying.

If I can get the above scheme to work, it’ll be a bit shit and overly complicated if I’m honest. But at least I’ll be sure it works with my implant (I already use Tasker to trigger reading my mail on my cellphone when I scan my implant) and I won’t have to change anything other than the thumbturn on my door, without changing the keys or asking the owner of the house for permission.

Another device that could have worked with my lock using the same idea is the Oviku Nero, which is specifically made for the Finnish market. But the Oviku app doesn’t create shortcuts on the home screen. No shortcuts, no Tasker. So that’s out.

Can you tell I’ve done my research? :slight_smile:

1 Like

I can tell :stuck_out_tongue:

I have this lock case (Assa Abloy C2002). It seems to share the characteristics of yours, in how the cylinder and knob interact with the case, so I think that if one of us figures out a way to hack it then the other one could use the same method :slightly_smiling_face:
I’ve done some tests with servos, but the really small ones I had can’t turn it. I’ll do some testing with bigger ones when I get home in a week or two.
I was originally planning on an Arduino based lock that replaces the knob on the inside, but I’m having trouble finding the right driving force, I could utilize a NEMA17 stepper motor but I’d say that’s overkill😅

I’ll try to see if I can measure the force needed by using a small torque wrench, but I can’t remember how low the smallest one I have goes :stuck_out_tongue:

But to be honest, if the M1flex is released before I get the time to finish tinkering with my own solution I might just go for a V2N and copy one fob to the flex😅

You could also remove the spring inside the lock case, if you’re certain your software is going to drive the servo to lock the door without fail.

I’m back from the local hardware store where they have two Yale Doorman V2Ns on display. I went there with my trusty RFID and a magic Chinese M1k card, to perform a few tests.

With that, I answered my own question: the Yale Doorman V2N just plain doesn’t work with glass implants. Period. It might work with the Flex M1 and its larger coil when it comes out, but injectables are right out.

Same problem as with all such battery-powered devices: the Doorman emits one weak RF pulse every second to detect the presence of a card, and only goes to full power to perform a series of readings at full tilt after it does, to preserve the batteries. And of course, my implant doesn’t trigger it. Hell, even the RFID Detection Card doesn’t trigger it…

The only way to make it read my implant was to present the full size M1k card to start the fast series of reads, stick my hand on top of it juuuust so, then quickly slide the M1k card out. At one point, the Doorman kept reading stuff out of my implant when I did that. I had to try it 15 times before I managed to pull it off though, and only on one of the two devices the store had on display.

So then, I’ll just scratch that thing as a lock I can install on my door, since I don’t really plan on implanting yet another Mifare Classic.

Incidentally, the RFID detection card is incredibly useful: I keep it in my wallet at all times because it turns out that I use it much more often than I thought I would!

2 Likes

Thanks for the input @anon3825968, too bad that the x-series won’t work -.-

Then I’ll just see what I get done before the M1flex is released, then see if I feel up for swaping out the x- for a flex.

I’d like not to do this as I want the servo to turn to lock, then turn back to a middle position, thus keeping the lock cylinder functional as a backup solution.

Just got a reply from Danalock:

Sooo… scratch the Danalock :frowning: It looks more and more like I’m gonna have to go full DIY to open my front door with RFID…

Dammit I won’t be undone!

Tonight I’m gonna go buy the Oviku Nero at my local hardware store, and I’ll take a punt on Tasker being able to control the Oviku app with Autoinput. I’ll report if it works :slight_smile:

1 Like

Aaaand… it’s going back to the store tomorrow. Why? Because the app is terrible: only an older version runs on my older Android phone. But it requires the internet. Why does it require the internet - as opposed to using the internet when it’s there but you can do without when it ain’t? God only knows… And what happens when I enable the wifi? It halts, tells me a new version is available, then locks up (since the new version isn’t compatible).

In short:

1/ if you don’t buy a newer telephone, you’re left with a brick. If I had a working product before, that suddenly stopped working when the manufacturer released their newer update and forced it down my throat without checking whether it’d work, I’d be livid - not to mention, locked out of my home. Right now I’m only pissed off because I bought a useless product that didn’t work from the get-go. Still, I’m REALLY pissed off because I rode my bike 20 miles to the store and parted with EUR 250 of my hard-earned cash to get that turd.

2/ If your internet goes down, you can’t open your fucking door and you’re locked out. Seriously? How dumb is that?

God I hate the internet of things :frowning:

Incidentally @amal: this is exactly why I wanted to know if I could make use of Vivokey products without software from Vivokey the other day. See here, I have an EUR 250 product that’s completely useless because I’m held hostage by the manufacturer’s stupidity, and there ain’t nothing I can do about it because the crappy app is closed-source. See why I insist on open-source?

I’m nothing if not persistent!

So, I went back to the store with the DT RFID Diagnostic Card, I taped it to the demonstration Yale Doorman V2N lock, then I tried methodically to find a sweet spot to get the damn thing to read my implant. Then, after 45 minutes under the suspicious eyes of the salescritters… success! Check this out:

https://www.dailymotion.com/embed/video/x7sgfkc?queue-enable=false

Once you know where it is and you know how to “make the right hand” for it, it’s even fairly easily repeatable. And to make extra sure, I tried it on the other demonstration lock they had in the store, and it worked on that one right away also.

Of course, it doesn’t solve the main issues, which are that it’s apparently difficult to clone a working card and make the clone working also, and that it’ll overwrite my NDEF data if I do, and that it’ll write to the chip each time I unlock the door - which I don’t much like. But at least the Doorman isn’t a totally lost cause.

So… progress at last :slight_smile:

3 Likes

Okay, I took the plunge and purchased a Yale Doorman V2N today. If no hacking is happening, someone’s gotta pick up the slack :slight_smile: I’m thinking, even if I can’t get my implant to work, it has a keypad, and entering a code beats goofing around with stupid Finnish-standard keys when it’s freezing cold outside any day. Getting in with my implant would be the best case scenario, but punching a keycode is also an improvement - albeit an expensive one at EUR 350.

The thing comes with 3 “authorized” Yale Mifare Classic tags. So my plan is this:

  • Install the lock on my door. Duh…
  • Clone tag #1 into a gen1a magic Chinese card. See if the lock picks it up. If it does, the original tag #1 will become unusable with my lock.
  • If the cloned card works reliably, clone tag #2 into my gen1a magic Chinese implant (exact same chip as the card’s). If everything goes well, I should be able to get in with my implant. If not, well bummer… In any case, the original tag #2 will also become unusable with my lock.
  • Send my original tags #1 and #2 to Iceman if he wants to use them to do some hacking of his own with his own Doorman lock.
  • Keep using my implant, the magic Chinese card and tag #3 with the lock, but taking care to dump the keys and the data after each successful entry, to create a log of what changed on all 3 working tags. Over time, hopefully I’ll have enough data to do some reverse engineering on the crypto algorithm.

I’ve already created a clone of tag #1 in the magic Chinese card. It took a while, to make sure the entire card matches the original byte to byte - UID, manufacturer block on the second half of block zero, keys and all - but now the clone is indistinguishable from the original. The only way to tell them apart is to test if the magic Chinese command works - which, to my knowledge, the lock doesn’t do. But I’ll see soon enough.

So, stay tuned to see if I manage to make something out of the damned thing :slight_smile:

1 Like
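One way to do the per-entry bookkeeping in the plan above (dump after each successful entry, record what changed, and confirm a clone is byte-for-byte identical to its original), as an added example that is not part of the original post and not code from Yale, Dangerous Things or any proxmark tool: a small Python script that diffs two raw Mifare Classic 1K dumps block by block, labels each changed block as manufacturer, data or sector trailer, decodes the trailer fields, and checks that block 0 has a consistent UID/BCC. The dumps, the keys and the "rotated" block are constructed for the demonstration; the thread says nothing about the real Doorman data layout, so the script assumes only the standard 1K geometry (64 blocks of 16 bytes, every fourth block a trailer).

```python
# Added example (not from the thread): compare two Mifare Classic 1K dumps block by
# block to see what a lock rewrote, and check that a clone matches the original.
# Dumps are the raw 1024-byte layout (64 blocks x 16 bytes) that card-dumping tools
# produce; all sample data below is constructed, not real Yale tag content.

BLOCK_SIZE = 16
BLOCKS_1K = 64
DUMP_SIZE = BLOCK_SIZE * BLOCKS_1K

# Access bits (FF 07 80) and GPB (0x69) of a factory-fresh Classic card.
DEFAULT_ACCESS = bytes.fromhex("ff078069")


def is_trailer(block: int) -> bool:
    """On a 1K card every 4th block is the sector trailer (keys + access bits)."""
    return block % 4 == 3


def block_kind(block: int) -> str:
    if block == 0:
        return "manufacturer"  # UID, BCC, SAK, ATQA, manufacturer bytes
    return "trailer" if is_trailer(block) else "data"


def parse_trailer(trailer: bytes) -> dict:
    """Split a 16-byte sector trailer into key A, access bits, GPB and key B."""
    assert len(trailer) == BLOCK_SIZE
    return {
        "key_a": trailer[0:6].hex(),
        "access_bits": trailer[6:9].hex(),
        "gpb": trailer[9],
        "key_b": trailer[10:16].hex(),
    }


def uid_bcc_ok(dump: bytes) -> bool:
    """Byte 4 of block 0 (the BCC) must be the XOR of the 4-byte UID."""
    uid, bcc = dump[0:4], dump[4]
    return (uid[0] ^ uid[1] ^ uid[2] ^ uid[3]) == bcc


def diff_dumps(before: bytes, after: bytes) -> list:
    """Return one record per block that differs between two dumps."""
    if len(before) != DUMP_SIZE or len(after) != DUMP_SIZE:
        raise ValueError("expected two 1024-byte Mifare Classic 1K dumps")
    changes = []
    for b in range(BLOCKS_1K):
        old = before[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
        new = after[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
        if old != new:
            changes.append({
                "block": b,
                "sector": b // 4,
                "kind": block_kind(b),
                "changed_bytes": [i for i in range(BLOCK_SIZE) if old[i] != new[i]],
                "old": old.hex(),
                "new": new.hex(),
            })
    return changes


def clone_mismatches(original: bytes, clone: bytes) -> list:
    """Block numbers where a supposed byte-for-byte clone differs from the original."""
    return [c["block"] for c in diff_dumps(original, clone)]


def make_dump(uid: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Build a constructed 1K dump: given UID in block 0, given keys in every trailer."""
    assert len(uid) == 4 and len(key_a) == 6 and len(key_b) == 6
    bcc = bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    # SAK 0x08, ATQA 00 04, then 8 filler manufacturer bytes (constructed values).
    block0 = uid + bcc + bytes.fromhex("080004") + bytes(8)
    blocks = [block0]
    for b in range(1, BLOCKS_1K):
        blocks.append(key_a + DEFAULT_ACCESS + key_b if is_trailer(b) else bytes(BLOCK_SIZE))
    return b"".join(blocks)


def rewrite_block(dump: bytes, block: int, payload: bytes) -> bytes:
    """Return a copy of dump with one 16-byte block replaced (simulates the lock's write)."""
    assert len(payload) == BLOCK_SIZE
    start = block * BLOCK_SIZE
    return dump[:start] + payload + dump[start + BLOCK_SIZE:]


# --- constructed sample data (hypothetical UID and keys) ---
ORIGINAL = make_dump(bytes.fromhex("deadbeef"),
                     bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5"))
# Pretend the lock rotated a value in sector 1, block 0 (absolute block 4) after one entry.
AFTER_ENTRY = rewrite_block(ORIGINAL, 4, bytes.fromhex("00000001") + bytes(12))
# A clone written with the wrong UID: everything matches except block 0.
BAD_CLONE = make_dump(bytes.fromhex("01020304"),
                      bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5"))

if __name__ == "__main__":
    for c in diff_dumps(ORIGINAL, AFTER_ENTRY):
        print(f"block {c['block']:2d} (sector {c['sector']}, {c['kind']}): "
              f"bytes {c['changed_bytes']} {c['old']} -> {c['new']}")
    print("clone mismatches vs original:", clone_mismatches(ORIGINAL, BAD_CLONE))
    print("sector 0 trailer:", parse_trailer(ORIGINAL[48:64]))
```

Run it on real dumps by replacing the constructed `ORIGINAL`/`AFTER_ENTRY` with `open(path, "rb").read()` of two 1024-byte dump files taken before and after an entry; a change reported in a "trailer" block means the lock rewrote keys or access bits, not just data, which matters for whether the next dump will still authenticate with the keys you recorded.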

Great minds think alike (read: Scandinavians with stupid door & lock standards think alike) @anon3825968
I’ll grab my own Yale doorman V2N tomorrow, the local Coop OBS has a sale this week, 270€👍
I’ll try and clone one key to the M1flex that hopefully ships out Wednesday and see how that works out :grin:

That’s almost annoying :slight_smile:

Here’s hoping it works and isn’t an issue with the antenna not being big enough

If there is any chance the FlexM1 will be it

FlexM1 hasn’t been available for a while now though, no?