Yale Doorman V2N cracking by iceman

Also, I have another idea to unlock my Yale Doorman with my EM4xxx (LF) implant: install the YL-119 remote control receiver module in the lock, get a YL-120 keyfob and a DT Access Controller, one resistor and one 3V zener diode, and activate the fob with the xEM Access Controller.

It’s an expensive proposition though: we’re talking EUR 69.90 for the receiver, EUR 69.00 for the fob, and $24 for the xEM Access Controller - not to mention the insane price of the Yale Doorman lock itself. That makes for a pricey dual-frequency NFC / RFID door lock. But… I have all the parts, and I’m almost ready to fire up the ole soldering iron :slight_smile:

I’m a firm believer in “there are no stupid questions”
So I shall, being very ignorant of this level of RFID tinkering, ask a possibly dumb question.

Are you writing the Yale key AND THEN writing the business card info?

Is there a way to compile the two together and then do a single write to the implant? possibly avoiding an overwriting of dependent sectors?

1 Like

Well it doesn’t matter how you write things to the tag. What’s important is that the lock doesn’t throw a fit when it sees an unusual data structure on it, and cellphones recognize it as a valid NDEF message bearer.

In this case, I started off with a valid Doorman tag and tweaked a sector a bit. I could also have wiped it and written an entire, suitably doctored dump. The end result would have been the same.

But that case of dual use with a Doorman tag ain’t gonna happen - unless you build your own compatible app for the second use, which is perfectly doable. Like if you want to use the remaining sectors to store personal data or something.

1 Like

Actually there might be a way to unlock a Yale Doorman and deliver an NDEF message to cellphones with the same tag: if the chip is a magic Chinese Mifare Classic >1k, it might be possible to store the NDEF message and record above 1k and register the sector in MAD2, provided:

  • The Doorman accepts Mifare Classics >1k as valid and doesn’t try to write to sector 0 to check for funny business (gen2 magic Chinese chips let you do that without a special command)
  • Android / iOS read MAD2 and check if there are NFC Forum sectors above 1k. I have no idea if recent versions of those OSes do that. Somehow I doubt it, but maybe…

But with the gen1a 1k chip in my hand, that’s off.
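The MAD2 layout the post above describes, as an added example that is not part of the thread and not code from Yale or any lock vendor: it lays out a MIFARE Classic 4K dump with MAD1 in sector 0, MAD2 in sector 16 and an NDEF URI record in a sector above the 1K boundary, then parses it back the way an NFC-Forum-aware reader would, checking the MAD CRC. Assumptions: 4K geometry (sectors 0-31 of 4 blocks, 32-39 of 16 blocks), the MAD CRC-8 parameters (polynomial 0x1D, preset 0xC7), the public MAD and NFC Forum key A values, and a constructed UID, key B and URL. The sectors the Doorman itself uses are left unregistered because the thread does not document the lock’s layout, and nothing here answers the open question of whether a phone actually walks MAD2.

```python
# Added example: build and parse a MIFARE Classic 4K dump carrying MAD1, MAD2
# and an NDEF URI record above 1K. UID, key B and the URL are placeholders.
MAD_KEY_A = bytes.fromhex("a0a1a2a3a4a5")   # public MAD read key
NFC_KEY_A = bytes.fromhex("d3f7d3f7d3f7")   # public NFC Forum sector key
KEY_B = bytes.fromhex("ffffffffffff")       # constructed placeholder write key
AID_NFC_FORUM = 0x03E1                      # NFC Forum application identifier

def mad_crc8(data):
    """CRC-8 used by the MAD: polynomial 0x1D, preset 0xC7, no reflection."""
    crc = 0xC7
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def first_block(sector):
    """4K geometry: sectors 0-31 have 4 blocks, sectors 32-39 have 16."""
    return 4 * sector if sector < 32 else 128 + 16 * (sector - 32)

def data_bytes(sector):
    """Usable bytes in a sector (every block except the trailer)."""
    return ((4 if sector < 32 else 16) - 1) * 16

def build_mad(sector_aids, sectors):
    """CRC byte, info byte (0 = no card publisher sector), then one AID per sector.
    AIDs are stored low byte first, so 0x03E1 becomes E1 03."""
    body = bytes([0x00])
    for s in sectors:
        aid = sector_aids.get(s, 0)                   # 0 = sector free / unregistered
        body += bytes([aid & 0xFF, aid >> 8])
    return bytes([mad_crc8(body)]) + body

def ndef_uri_tlv(url):
    """NDEF TLV (0x03) holding one short URI record, followed by a terminator TLV."""
    payload = bytes([0x00]) + url.encode()            # 0x00 = no URI prefix abbreviation
    record = bytes([0xD1, 0x01, len(payload)]) + b"U" + payload  # MB|ME|SR, TNF well-known
    assert len(record) < 0xFF, "long TLV length form not handled here"
    return bytes([0x03, len(record)]) + record + bytes([0xFE])

def build_dump(url, ndef_sector=17):
    assert 17 <= ndef_sector <= 39, "example registers NDEF sectors via MAD2 only"
    dump = bytearray(4096)
    for s in range(40):                               # factory trailers everywhere first
        t = (first_block(s) + (4 if s < 32 else 16) - 1) * 16
        dump[t:t + 16] = KEY_B + bytes.fromhex("ff078069") + KEY_B
    uid = bytes.fromhex("deadbeef")                   # constructed 4-byte NUID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    dump[0:16] = uid + bytes([bcc, 0x18, 0x02, 0x00]) + bytes(8)  # SAK 0x18 = Classic 4K
    mad_trailer = MAD_KEY_A + bytes.fromhex("787788") + bytes([0xC2]) + KEY_B  # GPB: MAD v2
    dump[16:48] = build_mad({}, range(1, 16))         # MAD1: sectors 1-15 left unregistered
    dump[48:64] = mad_trailer
    b16 = first_block(16) * 16                        # MAD2: blocks 0-2 of sector 16
    dump[b16:b16 + 48] = build_mad({ndef_sector: AID_NFC_FORUM}, range(17, 40))
    dump[b16 + 48:b16 + 64] = mad_trailer
    start = first_block(ndef_sector) * 16             # NDEF sector: TLV, zero padded
    tlv = ndef_uri_tlv(url)
    dump[start:start + len(tlv)] = tlv
    end = start + data_bytes(ndef_sector)             # NFC Forum trailer, GPB 0x40 = R/W
    dump[end:end + 16] = NFC_KEY_A + bytes.fromhex("7f0788") + bytes([0x40]) + KEY_B
    return bytes(dump)

def nfc_forum_sectors(dump):
    """Walk MAD1, and MAD2 when the sector 0 GPB announces version 2."""
    gpb = dump[48 + 9]
    if not gpb & 0x80:
        raise ValueError("no MAD on this card")
    mad1 = dump[16:48]
    if mad_crc8(mad1[1:]) != mad1[0]:
        raise ValueError("MAD1 CRC mismatch")
    aids = {s: int.from_bytes(mad1[2 * s:2 * s + 2], "little") for s in range(1, 16)}
    if gpb & 0x03 == 0x02:
        b16 = first_block(16) * 16
        mad2 = dump[b16:b16 + 48]
        if mad_crc8(mad2[1:]) != mad2[0]:
            raise ValueError("MAD2 CRC mismatch")
        aids.update({s: int.from_bytes(mad2[2 * (s - 16):2 * (s - 16) + 2], "little")
                     for s in range(17, 40)})
    return [s for s, a in sorted(aids.items()) if a == AID_NFC_FORUM]

def read_ndef_uri(dump):
    """Return the first URI record found in a registered NFC Forum sector, or None."""
    for s in nfc_forum_sectors(dump):
        start = first_block(s) * 16
        data = dump[start:start + data_bytes(s)]
        i = 0
        while i < len(data):
            t = data[i]
            if t == 0x00:                             # NULL TLV: skip one byte
                i += 1
                continue
            if t == 0xFE:                             # terminator TLV
                break
            length = data[i + 1]
            v = data[i + 2:i + 2 + length]
            if t == 0x03 and v[3:3 + v[1]] == b"U":   # NDEF TLV holding a URI record
                payload = v[3 + v[1]:3 + v[1] + v[2]]
                return payload[1:].decode()           # drop the prefix byte (0x00 here)
            i += 2 + length
    return None
```

Passing `ndef_sector=33` exercises the 16-block geometry of the high sectors; corrupting a MAD2 byte makes `nfc_forum_sectors` reject the card, which is the check a reader performs before trusting the directory.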

That sounds like you’re trying to convince yourself to get a gen2 chip :smirk: :smirk:

Quite the opposite: I’m trying to maximize the use cases with the implant I currently have :slight_smile: Right now it unlocks my Yale Doorman, my Linux computers at home, and my Windows computers at work. But to get the functionality with the Yale Doorman, I lost the ability to share the URL to my homepage with other people.

If I implant something else, it’ll be a flex-something that plays better with cellphones than glass transponders in terms of read range, and possibly will be able to interact with “difficult” readers, like the one on the Idesco Door Handle 7N also. But I’m not keen.

Don’t forget that only phones with NXP reader ICs will be able to read the non-NFC Mifare memory structure. Using Mifare Classic for NFC literally needs a license from NXP to do so, and that license comes with the NXP reader IC in the phone… but phones with, say, a Broadcom reader chip won’t be able to read any memory from a Mifare Classic tag beyond the NUID it gets from the ISO14443A session select process.

Well that’s odd because my cellphone has a Qualcomm chipset and it reads Mifare Classics just fine. What it can’t do however is write to them.

EDIT: Hmm, maybe it does have an NXP chip in after all: Qualcomm and NXP team up for NFC on Snapdragon platforms • NFCW

1 Like

Recently picked up a Yale Conexis L1. New in the box but non-working. Within 15 minutes or so I had it up and running. From an NFC pov operation is the same as the V2N, which obviously makes sense. I’m sure it’s all the same electronics but minus the keypad. I really wanted a multiple Conexis lock, single implant (tag) solution for my home. With the way the Yale works that ain’t gonna fly. Fair play to Yale for polishing that 4 byte Mifare turd. I possibly might utilise all the mechanics and add my own electronics. All a bit PITA really but as expected. Only £70 as opposed to £200. Oh, and it was the plug on the ribbon cable that joins the two boards that wasn’t fully home. Rapid flashing blue LED was the fault code.

1 Like

You’re right. They really did implement pretty good security around the M1k actually.

The only (unavoidable) weakness is when someone manages to scan your tag, make a clone and unlock your door before you do. But that means it’s not covert entry because you’d notice when your own tag doesn’t work anymore. And broken as it is, it still takes some time to crack a hardened Mifare Classic.

So yeah, pretty decent security in my book.

Not true: you can enroll the same tag in up to 6 locks. They use 6 different sectors on each chip. I use mine on two V2Ns, so I know it works. Unless the Conexis isn’t quite the same as the V2N of course.

Oh that’s interesting. Not sure how I came to that conclusion but I’ll investigate some more. An advantage of the V2N is of course you’ve still got a keypad should the NFC fail. No such luck with the Conexis. This writing to the tag does bother me a bit.

Does the Conexis have the remote control option? I haven’t looked it up to be honest, so I’m being lazy here :slight_smile: With the V2N, you can buy a way overpriced radio receiver module that clicks into the lock, and equally overpriced remote control keychain thingies to open the door with a button. I equipped the V2N on my front door with that setup for my mom. It’s pretty nice actually, and it lets you have a backup unlocking method.

It bothers me too. But I have to say, I’ve been running both my M1k implants on my locks and there hasn’t been a problem so far.

Yes it does, I’m kinda not bothered about that really. I’m not fussed about the app and stuff either. Some things I prefer to be totally independent. I’ve three doors into my house and one will always be key entry so that’ll be it in the event of the two NFC locks failing. Unlikely but you never know. eBay doesn’t seem short of broken ones :disappointed:.

There must be a reason why it’s so much cheaper than the V2N I guess. The V2N is considered a solid, reliable product. But yeah, it ain’t cheap. Still, it’s less expensive than my gloriously spendy 450 euro NFC door handle, so it’s okay :slight_smile:

By the way, if you want to save on tags for your Conexis, I can send you PM3 dumps of my own genuine Yale tags - assuming they’re compatible.

The hardware is pretty solid. When it turned up I was surprised how heavy it was. I think some of the busted ones are installer errors. Seen a couple where they’ve turned the round connecting cable into something that looks like ribbon cable :grin:

Cheers but I’m alright as I got a couple with it and it’s only me that lives here. I’ll keep it in mind though.

Well I contacted Yale regarding multiple locks with the same tag and got this…

I’m not totally convinced by the answer so when I get time I’ll pop up the local DIY, get another lock and do my own test. I’ll just take it back if it doesn’t work out. If it is the case that you can’t share a tag across multiple locks then that is total wank on Yale’s part.

Maybe the Conexis is artificially limited to account for the cheaper price. Wouldn’t surprise me one bit. What wouldn’t surprise me either is that they told you any old shit to get you to spring for the spendier V2N but it’s actually the exact same firmware :slight_smile:

In the name of convenience, let’s replace one key for a fob…

So… if I have 8 doors I use the same key for, I only need… 8 fobs!!
that sure does sound convenient! :relieved:

2 Likes