Yale Doorman V2N cracking by iceman

Aaand… I finally have me an NFC-enabled door lock that works with my implant. Woohoo!

I couldn’t resist: I found the command to lower the lock’s volume, and nevermind the cold: I really wanted to get that thing going. I couldn’t wait for tomorrow.

So, the lock does write to my implant each time I open the door - always the same bytes on the same sector, which bothers the hell out of me. But, well, there really isn’t anything I can do about it if I want a door that unlocks with my implant. I suppose that sector will go dead in 273 years (=100,000 writes) :slight_smile:

As planned, I have real Yale tag #1 cloned into a gen1a magic Chinese card, and real Yale tag #2 cloned into my implant. Both clones work perfectly, but the originals are now off-limits from the lock: normally they should just be rejected, but I don’t want to risk the clones being struck off the list of working tags in the lock’s memory. Real Yale tag #3 is registered with the lock normally, and will be the missus’ key to get into the house.

I also have a full log of the magic Chinese card and my implant (keys and data) in the following states:

1/ Blank (transport configuration)
2/ After cloning (exact clone, byte-to-byte)
3/ After presenting the clone to the lock for registration, but letting the process time out (1st time)
4/ After presenting the clone to the lock for registration, but letting the process time out (2nd time)
5/ After presenting the clone to the lock for registration, completing the registration
6/ After unlocking the door, 1st time
7/ After unlocking the door, 2nd time
8/ After unlocking the door, 3rd time
9/ After unlocking the door, 4th time
10/ After unlocking the door, 5th time

At no point after cloning do the M1k keys change (A nor B, any sector/block). The lock does not rewrite the keys at all, apparently. But interestingly, it does change 3 bytes in sector 0 / block 2 just by presenting the card for registration, even if the process isn’t carried out all the way:

image

I’m not sure why it does that. But in theory, it means another lock is able to know that the tag is not entirely “virgin”. What it does with that information, I don’t know.

Once the tag is registered, the lock writes to sector 2 / block 1 (first and only registered lock, out of 6 possible registered locks for a given tag) each time the tag is presented and the lock opens. But again interestingly, at the very first opening, the lock also writes again to sector 0 / block 2:

image

I assume it’s some sort of flag set by the lock to know the working sector / block has been written to after the first opening, so it rotates the keys - or whatever it does - in there instead of resetting it to the same value over and over as if it was the first opening each time the tag is presented. But I don’t think it needs that to properly “follow” a tag’s encrypted sequence in sector 2 / block 1. So maybe not.

I’ll goof around some more with it when I have time. But at least right now I finally have a friggin’ NFC lock on my door, and that’s something. At long last!

Finally, a thought occurred to me: maybe Iceman’s hacking effort isn’t terribly useful after all: if his ultimate goal is to be able to create cheap-ass tags that work with Doorman locks instead of getting ripped off by Yale for genuine tags, the only thing a lock owner needs is a dump of a genuine, unused tag that hasn’t been registered with their lock yet. Since those things aren’t connected, even if one million locks around the world share the same tag, neither the locks nor Yale would be able to know that.

And it’s perfectly secure too: even if my neighbor had a Doorman lock and used a cloned tag based on one of mine, as soon as it’s registered with his lock and one of us uses their tag at least once more than the other, his tag couldn’t be used with my lock, nor mine with his.

So, if a few of us posted, say, a dozen unused Yale tag dumps, each and every Doorman owner in the world could create a dozen cheap tags for themselves with that pool of dumps.

Ergo, no need for hacking. Unless of course the hacking effort is for its own sake - for the beauty of it - which is a perfectly valid justification also :slight_smile:

4 Likes
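The dump-state comparison described in the post above, as an added example in Python (not code from the original post or from Yale/iceman): it splits two Mifare Classic 1K dumps into sectors and blocks, reports which blocks and byte offsets differ, and flags whether any sector trailer (the block holding keys A/B) changed. The dumps here are constructed to mimic the logged states; they are not real Yale tag data.

```python
# Added example: diff Mifare Classic 1K dumps to see what a lock wrote.
# All dump contents below are constructed, not captured from a real tag.
BLOCK_LEN = 16
NUM_BLOCKS = 64                      # 1K card: 16 sectors x 4 blocks
# Transport-configuration trailer: key A FF..FF, access bits FF078069, key B FF..FF
TRANSPORT_TRAILER = bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff")

def parse_dump(raw: bytes) -> list[bytes]:
    """Split a raw 1024-byte dump into 64 blocks of 16 bytes."""
    if len(raw) != NUM_BLOCKS * BLOCK_LEN:
        raise ValueError(f"expected {NUM_BLOCKS * BLOCK_LEN} bytes, got {len(raw)}")
    return [raw[i * BLOCK_LEN:(i + 1) * BLOCK_LEN] for i in range(NUM_BLOCKS)]

def diff_dumps(before: bytes, after: bytes) -> list[dict]:
    """One record per changed block: sector, block-in-sector, differing
    byte offsets, and whether the block is a key/ACL trailer."""
    changes = []
    for n, (b, a) in enumerate(zip(parse_dump(before), parse_dump(after))):
        if b == a:
            continue
        changes.append({
            "sector": n // 4, "block": n % 4,
            "offsets": [i for i in range(BLOCK_LEN) if b[i] != a[i]],
            "trailer": n % 4 == 3,
        })
    return changes

def keys_changed(before: bytes, after: bytes) -> bool:
    """True if any sector trailer (keys or access bits) differs."""
    return any(c["trailer"] for c in diff_dumps(before, after))

def blank_dump(uid: bytes = bytes.fromhex("deadbeef")) -> bytes:
    """Constructed transport-configuration card: 4-byte UID plus BCC in
    block 0, zeroed data blocks, default keys in every trailer."""
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    block0 = uid + bytes([bcc]) + bytes(11)
    blocks = [block0, bytes(BLOCK_LEN), bytes(BLOCK_LEN), TRANSPORT_TRAILER]
    blocks += ([bytes(BLOCK_LEN)] * 3 + [TRANSPORT_TRAILER]) * 15
    return b"".join(blocks)

def with_block(dump: bytes, block_no: int, data: bytes) -> bytes:
    """Copy of dump with one 16-byte block replaced (constructed helper)."""
    blocks = parse_dump(dump)
    blocks[block_no] = data
    return b"".join(blocks)

# Constructed states mirroring the log: a registration attempt touches the
# first three bytes of sector 0 / block 2; the first opening also writes
# sector 2 / block 1 (absolute block 9).
BLANK = blank_dump()
REGISTERED = with_block(BLANK, 2, bytes.fromhex("010203") + bytes(13))
OPENED_ONCE = with_block(with_block(REGISTERED, 2, bytes.fromhex("010204") + bytes(13)),
                         9, bytes(range(16)))
```

Running `diff_dumps(BLANK, REGISTERED)` on real before/after dumps is the quickest way to confirm the "keys never change, only blocks 0/2 and 2/1 move" observation for a given lock.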

I also got my lock up and running.
Tell me @anon3825968, do you trigger the lock on the * button to get a read on your x-series? My lock is even tricky to get the read on the original tags sometimes 😅
I’ll have a go today or tomorrow for finding the sweet spot :slightly_smiling_face:

The scans that you want, I can provide 2-3 of these as long as I can get them without a proxmark; my acr122u might get the trick done? :slightly_smiling_face:

1 Like

As far as I could tell doing experiments at the hardware store with the RF diagnostic card, the keypad is used strictly for keycode entry and for configuration. It has zero interaction with the NFC reader during normal operations. In other words, punching a key won’t wake it up or force it to perform a read at full power - which is exactly what I tried to find out when I experimented with it at the hardware store, when I still thought my implant couldn’t wake it up on its own. Turning the handle won’t wake it up either.

The original tags aren’t exactly hard to read, but they need to be right up against the reader. The issue comes from the RF pings that the reader sends out every second to sense if a tag is present: they’re much weaker than the RF field generated for actively reading or writing. The reason why the reader’s range feels so bad is because it is during the tag discovery phase.

You’ll probably find it at or very close to the very center of the reader, where the embossed NFC logo is. Don’t bother trying to find it at the edge of the reader, like you normally would on a desktop reader: for some reason it’s not there.

You’ll have to “make a fist” to get your chip to poke out as much as possible, and you’ll have to ram your hand real good against the reader to stand a chance to trigger the lock. If your chip is implanted a little too deep, it might even fail to work altogether. That’s how finicky it is. But if you do manage to trigger it, very soon you’ll be able to perform the trick repeatedly quite reliably.

Also, when you look for the sweet spot, give it a second or two, because like I said, the lock only sends out a discovery ping every second.

You can find the keys with an ACR122. There are a couple of utilities for Linux that do that (mfcuk comes to mind). Then getting a dump is doable too. But I’m not too sure you can reprogram a magic Chinese tag - sector 0 and all - with that hardware. You should be able to, but I’ve never tried.

I don’t need any more dumps for the moment though. I have mine to peruse and try to make sense of right now. But at some point I’ll do some change-react testing with the magic Chinese card, and most likely that’ll “burn” a tag after each failure. So I’ll need some more “virgin” tag dumps to continue testing.

1 Like


I think I should be okay, it’ll be fun to see how it works with the xM1 vs. flex vs. Original 😮

I’ll try to get a few dumps of my virgin cards and save them :slightly_smiling_face:

1 Like

That’s a floater :slight_smile:
Yeah, you should be okay with that one.

1 Like

In the spirit of “video or it didn’t happen”, here’s a video of me unlocking my Yale Doorman V2N door lock with my implant:

1 Like

Your front door opens out??

1 Like

Hmm yes. What’s so odd about it? :slight_smile:

Like most Finnish houses, mine has an eteinen - a heated vestibule or entrance hallway in which you leave your shoes, your cold clothes and whatever snow or grime you picked up outside behind. My house is small, and so is the eteinen. So if the door opened inward, it would waste a lot of space.

2 Likes

At least in the states, most doors open inward. Which makes them very easy to kick down, unfortunately

I have a small hallway at my place too. I don’t like wearing shoes inside so jackets and shoes get taken off and left there. Mine’s not heated though :pensive:

Here in Ireland, and the UK too I think, uPVC doors are the most prevalent for homes and use a multipoint locking mechanism.

edit: which is why I couldn’t get a deadbolt NFC lock

1 Like

The doors open outwards in Norway too :slightly_smiling_face:
Meddling with the ACR122U here to copy one of my yale doorman fobs to my xM1 :slightly_smiling_face:
Door lock was installed earlier today, and I can agree with @anon3825968, fiddling with this in the Scandinavian winter is no fun for four fingers :stuck_out_tongue_closed_eyes:

I grabbed myself a few extra fobs today too, so I can leave one in the xM1 and one in the M1flex, to see which one works better over time :slightly_smiling_face:

I’ve played some more with the test magic Chinese card. I tried to see if I could add an NDEF message / record after the Yale Doorman sectors without invalidating the card with the lock. The idea was to use my implant as a key for the lock, and also as a business card that vanilla cellphones could read.

That didn’t go very far: I replaced sector 0 key A with a0a1a2a3a4a5 (the default public key to access the mifare classic’s MAD), and left everything else intact. That immediately disabled the card as a key. The good news is, the lock didn’t strike the card off its memory based on the UID alone: I rewrote the original Yale sector 0 key A and the card started working again.

In any case, it looks like the Yale Doorman uses sector 0 / blocks 1 and 2 for its own purposes, completely subverting the Mifare MAD mechanism. So even if the card had worked with the default public key, I probably couldn’t have written a valid MAD to point to an NFC Forum NDEF message. Yale apparently uses sector 0 / block 1 to store a unique but immutable proprietary key, and the first 3 bytes of sector 0 / block 2 to store flags.

So, screw that idea. It looks like I’m gonna have to implant a new chip to share NDEF records with other people :frowning: Fuck Yale…

Also, I have another idea to unlock my Yale Doorman with my EM4xxx (LF) implant: install the YL-119 remote control receiver module in the lock, get a YL-120 keyfob and a DT xEM Access Controller, one resistor and one 3V zener diode, and activate the fob with the xEM Access Controller.

It’s an expensive proposition though: we’re talking EUR 69.90 for the receiver, EUR 69.00 for the fob, and $24 for the xEM Access Controller - not to mention the insane price of the Yale Doorman lock itself. That makes for a pricey dual-frequency NFC / RFID door lock. But… I have all the parts, and I’m almost ready to fire up the ole soldering iron :slight_smile:

I’m a firm believer in “there are no stupid questions”
So I shall, being very ignorant of this level of RFID tinkering, ask a possibly dumb question.

Are you writing the Yale key AND THEN writing the business card info?

Is there a way to compile the two together and then do a single write to the implant? Possibly avoiding an overwriting of dependent sectors?

1 Like

Well it doesn’t matter how you write things to the tag. What’s important is that the lock doesn’t throw a fit when it sees an unusual data structure on it, and cellphones recognize it as a valid NDEF message bearer.

In this case, I started off with a valid Doorman tag and tweaked a sector a bit. I could also have wiped it and written an entire, suitably doctored dump. The end result would have been the same.

But that case of dual use with a Doorman tag ain’t gonna happen - unless you build your own compatible app for the second use, which is perfectly doable. Like if you want to use the remaining sectors to store personal data or something.

1 Like

Actually there might be a way to unlock a Yale Doorman and deliver an NDEF message to cellphones with the same tag: if the chip is a magic Chinese Mifare Classic >1k, it might be possible to store the NDEF message and record above 1k and register the sector in MAD2, provided:

  • The Doorman accepts Mifare Classics >1k as valid and doesn’t try to write to sector 0 to check for funny business (gen2 magic Chinese chips let you do that without a special command)
  • Android / iOS read MAD2 and check if there are NFC Forum sectors above 1k. I have no idea if recent versions of those OSes do that. Somehow I doubt it, but maybe…

But with the gen1a 1k chip in my hand, that’s off.

That sounds like you’re trying to convince yourself to get a gen2 chip :smirk: :smirk:

Quite the opposite: I’m trying to maximize the use cases with the implant I currently have :slight_smile: Right now it unlocks my Yale Doorman, my Linux computers at home, and my Windows computers at work. But to get the functionality with the Yale Doorman, I lost the ability to share the URL to my homepage with other people.

If I implant something else, it’ll be a flex-something that plays better with cellphones than glass transponders in terms of read range, and possibly will be able to interact with “difficult” readers, like the one on the Idesco Door Handle 7N also. But I’m not keen.

Don’t forget that only phones with NXP reader ICs will be able to read the non-NFC Mifare memory structure. Using Mifare Classic for NFC literally needs a license from NXP to do so, and that license comes with the NXP reader IC in the phone… but phones with, say, a Broadcom reader chip won’t be able to read any memory from a Mifare Classic tag beyond the NUID it gets from the ISO14443A session select process.

Well that’s odd because my cellphone has a Qualcomm chipset and it reads Mifare Classics just fine. What it can’t do however is write to them.

EDIT: Hmm, maybe it does have an NXP chip in after all: https://www.nfcw.com/2015/05/05/335060/qualcomm-and-nxp-team-up-for-nfc-on-snapdragon-platforms/

1 Like