Yale Doorman V2N cracking by iceman

You could also remove the spring inside the lock case, if you’re certain your software is going to drive the servo to lock the door without fail.

I’m back from the local hardware store where they have two Yale Doorman V2Ns on display. I went there with my trusty RFID Diagnostic Card and a magic Chinese M1k card, to perform a few tests.

With that, I answered my own question: the Yale Doorman V2N just plain doesn’t work with glass implants. Period. It might work with the Flex M1 and its larger coil when it comes out, but injectables are right out.

Same problem as with all such battery-powered devices: the Doorman emits one weak RF pulse every second to detect the presence of a card, and only goes to full power to perform a series of readings at full tilt after it does, to preserve the batteries. And of course, my implant doesn’t trigger it. Hell, even the RFID Detection Card doesn’t trigger it…

The only way to make it read my implant was to present the full size M1k card to start the fast series of reads, stick my hand on top of it juuuust so, then quickly slide the M1k card out. At one point, the Doorman kept reading stuff out of my implant when I did that. I had to try it 15 times before I managed to pull it off though, and only on one of the two devices the store had on display.

So then, I’ll just scratch that thing as a lock I can install on my door, since I don’t really plan on implanting yet another Mifare Classic.

Incidentally, the RFID detection card is incredibly useful: I keep it in my wallet at all times because it turns out that I use it much more often than I thought I would!


Thanks for the input @anon3825968, too bad that the x-series won’t work -.-

Then I’ll just see what I get done before the M1flex is released, then see if I feel up for swapping out the x- for a flex.

I’d like not to do this as I want the servo to write to lock, then write back to a middle position, thus keeping the lock cylinder functional and as a backup solution.

Just got a reply from Danalock:

Sooo… scratch the Danalock :frowning: It looks more and more like I’m gonna have to go full DIY to open my front door with RFID…

Dammit I won’t be undone!

Tonight I’m gonna go buy the Oviku Nero at my local hardware store, and I’ll take a punt on Tasker being able to control the Oviku app with Autoinput. I’ll report if it works :slight_smile:


Aaaand… it’s going back to the store tomorrow. Why? Because the app is terrible: only an older version runs on my older Android phone. But it requires the internet. Why does it require the internet - as opposed to using the internet when it’s there but you can do without when it ain’t? God only knows… And what happens when I enable the wifi? It halts, tells me a new version is available, then locks up (since the new version isn’t compatible).

In short:

1/ if you don’t buy a newer telephone, you’re left with a brick. If I had a working product before, that suddenly stopped working when the manufacturer released their newer update and forced it down my throat without checking whether it’d work, I’d be livid - not to mention, locked out of my home. Right now I’m only pissed off because I bought a useless product that didn’t work from the get-go. Still, I’m REALLY pissed off because I rode my bike 20 miles to the store and parted with EUR 250 of my hard-earned cash to get that turd.

2/ If your internet goes down, you can’t open your fucking door and you’re locked out. Seriously? How dumb is that?

God I hate the internet of things :frowning:

Incidentally @amal: this is exactly why I wanted to know if I could make use of Vivokey products without software from Vivokey the other day. See here, I have an EUR 250 product that’s completely useless because I’m held hostage by the manufacturer’s stupidity, and there ain’t nothing I can do about it because the crappy app is closed-source. See why I insist on open-source?

I’m nothing if not persistent!

So, I went back to the store with the DT RFID Diagnostic Card, I taped it to the demonstration Yale Doorman V2N lock, then I tried methodically to find a sweet spot to get the damn thing to read my implant. Then, after 45 minutes under the suspicious eyes of the salescritters… success! Check this out:

Once you know where it is and you know how to “make the right hand” for it, it’s even fairly easily repeatable. And to make extra sure, I tried it on the other demonstration lock they had in the store, and it worked on that one right away also.

Of course, it doesn’t solve the main issues, which are that it’s apparently difficult to clone a working card and make the clone work too, and that it’ll overwrite my NDEF data if I do, and that it’ll write to the chip each time I unlock the door - which I don’t much like. But at least the Doorman isn’t a totally lost cause.

So… progress at last :slight_smile:


Okay, I took the plunge and purchased a Yale Doorman V2N today. If no hacking is happening, someone’s gotta pick up the slack :slight_smile: I’m thinking, even if I can’t get my implant to work, it has a keypad, and entering a code beats goofing around with stupid Finnish-standard keys when it’s freezing cold outside any day. Getting in with my implant would be the best case scenario, but punching a keycode is also an improvement - albeit an expensive one at EUR 350.

The thing comes with 3 “authorized” Yale Mifare Classic tags. So my plan is this:

  • Install the lock on my door. Duh…
  • Clone tag #1 into a gen1a magic Chinese card. See if the lock picks it up. If it does, the original tag #1 will become unusable with my lock.
  • If the cloned card works reliably, clone tag #2 into my gen1a magic Chinese implant (exact same chip as the card’s). If everything goes well, I should be able to get in with my implant. If not, well bummer… In any case, the original tag #2 will also become unusable with my lock.
  • Send my original tags #1 and #2 to Iceman if he wants to use them to do some hacking of his own with his own Doorman lock.
  • Keep using my implant, the magic Chinese card and tag #3 with the lock, but taking care to dump the keys and the data after each successful entry, to create a log of what changed on all 3 working tags. Over time, hopefully I’ll have enough data to do some reverse engineering on the crypto algorithm.

I’ve already created a clone of tag #1 in the magic Chinese card. It took a while, to make sure the entire card matches the original byte to byte - UID, manufacturer block on the second half of block zero, keys and all - but now the clone is indistinguishable from the original. The only way to tell them apart is to test if the magic Chinese command works - which, to my knowledge, the lock doesn’t do. But I’ll see soon enough.

So, stay tuned to see if I manage to make something out of the damned thing :slight_smile:

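A small checker for the clone-and-log plan in the post above, as an added example that is not code from the original posts, from Yale or from Dangerous Things. It works on a raw 1024-byte Mifare Classic 1k dump (64 blocks of 16 bytes, the layout a Proxmark3 `hf mf dump` writes to a .bin file) and does the three things the plan calls for: verifies that block 0 is internally consistent before it goes onto the gen1a card (the BCC byte must be the XOR of the four UID bytes, and a magic card will accept a wrong one without complaint), verifies that a clone is byte-identical to the original, and diffs two dumps taken before and after an unlock to log which blocks the lock rewrote. The dumps below are constructed test data with a made-up UID, not dumps of real Yale tags.

```python
"""Mifare Classic 1k dump checks: block 0 sanity, clone verification, and
before/after diffs.  Added example; the dumps built here are constructed."""
from typing import Dict, List, Tuple

BLOCK = 16
BLOCKS_1K = 64
SECTORS_1K = 16
# Transport-condition trailer: key A FF..FF, access bits FF 07 80, GPB 69, key B FF..FF
DEFAULT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")


def bcc(uid: bytes) -> int:
    """Check byte for a 4-byte UID: XOR of the UID bytes.  Block 0 byte 4 must
    hold this; readers verify it during ISO 14443-3 anticollision, and a gen1a
    card accepts a wrong value, so check it before writing block 0."""
    out = 0
    for b in uid:
        out ^= b
    return out


def parse_dump(raw: bytes) -> List[bytes]:
    """Split a raw 1k dump into 64 blocks of 16 bytes."""
    if len(raw) != BLOCK * BLOCKS_1K:
        raise ValueError(f"expected {BLOCK * BLOCKS_1K} bytes, got {len(raw)}")
    return [raw[i * BLOCK:(i + 1) * BLOCK] for i in range(BLOCKS_1K)]


def is_trailer(block_no: int) -> bool:
    return block_no % 4 == 3


def decode_access_bits(trailer: bytes) -> Tuple[int, int, int]:
    """Return (C1, C2, C3) nibbles from trailer bytes 6-8 and check the inverted
    copies.  Inconsistent access bits lock a genuine tag's sector for good; on a
    gen1a card the backdoor command can still rewrite the trailer."""
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = b7 >> 4, b8 & 0x0F, b8 >> 4
    inv_ok = ((b6 >> 4) == (~c2 & 0x0F)
              and (b6 & 0x0F) == (~c1 & 0x0F)
              and (b7 & 0x0F) == (~c3 & 0x0F))
    if not inv_ok:
        raise ValueError(f"access bits {b6:02X} {b7:02X} {b8:02X} are inconsistent")
    return c1, c2, c3


def block0_problems(block0: bytes) -> List[str]:
    """Sanity checks on the manufacturer block before it goes onto a magic card."""
    uid, chk = block0[:4], block0[4]
    if chk != bcc(uid):
        return [f"BCC is {chk:02X}, XOR of UID {uid.hex().upper()} is {bcc(uid):02X}"]
    return []


def check_dump(raw: bytes) -> List[str]:
    """Every problem found in a dump: block 0 plus all 16 sector trailers."""
    blocks = parse_dump(raw)
    problems = block0_problems(blocks[0])
    for s in range(SECTORS_1K):
        try:
            decode_access_bits(blocks[4 * s + 3])
        except ValueError as e:
            problems.append(f"sector {s}: {e}")
    return problems


def sector_keys(raw: bytes) -> Dict[int, Tuple[str, str]]:
    """Key A / key B per sector as hex, straight out of the trailers."""
    blocks = parse_dump(raw)
    return {s: (blocks[4 * s + 3][:6].hex().upper(), blocks[4 * s + 3][10:].hex().upper())
            for s in range(SECTORS_1K)}


def diff_dumps(before: bytes, after: bytes) -> List[int]:
    """Block numbers that differ between two dumps.  An empty list proves a clone
    is byte-identical; a non-empty one logs what the lock rewrote on an unlock."""
    b, a = parse_dump(before), parse_dump(after)
    return [i for i in range(BLOCKS_1K) if b[i] != a[i]]


def describe_changes(before: bytes, after: bytes) -> List[str]:
    """Readable change log that flags trailer (key/access bit) rewrites."""
    return [f"sector {i // 4} block {i}: "
            f"{'TRAILER (keys/access bits)' if is_trailer(i) else 'data'} changed"
            for i in diff_dumps(before, after)]


def make_dump(uid: bytes, data: Dict[int, bytes] = None) -> bytes:
    """Constructed 1k dump: block 0 with a correct BCC, SAK 08, ATQA 04 00 and a
    made-up manufacturer tail, default trailers, caller-supplied data blocks."""
    data = data or {}
    blocks = []
    for i in range(BLOCKS_1K):
        if i == 0:
            blocks.append(uid + bytes([bcc(uid), 0x08, 0x04, 0x00]) + bytes.fromhex("6263646566676869"))
        elif is_trailer(i):
            blocks.append(DEFAULT_TRAILER)
        else:
            blocks.append(data.get(i, bytes(BLOCK)))
    return b"".join(blocks)


if __name__ == "__main__":
    uid = bytes.fromhex("DEADBEEF")  # constructed UID, not a real tag
    original = make_dump(uid, {4: bytes.fromhex("01" * 16)})
    print("clone differs in blocks:", diff_dumps(original, bytes(original)))
    after_unlock = make_dump(uid, {4: bytes.fromhex("02" * 16), 5: bytes.fromhex("AA" * 16)})
    print("\n".join(describe_changes(original, after_unlock)))
    bad = bytearray(original); bad[4] ^= 0xFF
    print(check_dump(bytes(bad)))
```

To use it on real dumps, read the original tag's .bin and the magic card's .bin and call `diff_dumps`; anything other than an empty list means the clone is not the byte-for-byte copy the post describes. After each successful entry, dump the tag again and feed the previous and current dumps to `describe_changes`; if a trailer ever shows up in the output, the lock has rotated a key and the logged key material from `sector_keys` is the only record of the old one.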

Great minds think alike (read: Scandinavians with stupid door & lock standards think alike) @anon3825968
I’ll grab my own Yale Doorman V2N tomorrow, the local Coop OBS has a sale this week, 270€👍
I’ll try and clone one key to the M1flex that hopefully ships out Wednesday and see how that works out :grin:

That’s almost annoying :slight_smile:

Here’s hoping it works and isn’t an issue with the antenna not being big enough

If there is any chance the FlexM1 will be it

FlexM1 hasn’t been available for a while now though, no?

They are “on their way” soon
FlexM1 gen1a and gen2

Not readily available, no @CanuckCold. I got to buy a pre-production unit from Amal for testing on this particular project, a Gen1A for that matter :slightly_smiling_face:

If you return yours @anon3825968 I could buy one for you and ship it if you’d like? :slightly_smiling_face:

hmmm, I was going to put xM1 in the back of my wrist anyway… might as well go with one of those when they are available.

The flex units will be available in some months when the kung flu dies down a bit :slightly_smiling_face:

Either really good word play or not so great choice of words you be the judge :rofl:


07:00 me is not the brightest, but let’s say it was a planned wordplay :rofl::rofl::rofl:


The Doorman is on the door. Note to self: don’t install a fucking door lock when it’s -10C outside and the sun has gone down…

I’ve presented the cloned M1k card to the reader for registration as a working key, and it seems to be accepted. But I let the registration process time out, to see if the lock wrote anything into the tag just by presenting it once. And then I quit playing with it for now, because it’s 8:30pm and the missus is starting to get mad at me for letting the cold air in, and because the Doorman is friggin’ loud…
