I know there are a bunch of sharp people on here so I figured I'd post this up and ask for some help before I get too involved with this project.
I offered to replace a 9 volt battery connector in a small wall mount Mossberg electronic gun safe for a good buddy of mine a couple of weeks ago. One of the leads to the battery connection had come off due to flexing over the years, and it was an easy project to solder in a new one. He told me the 4 digit code to the safe, and during the fix while I was playing around locking and unlocking it, I inadvertently reset the unlock code with some 4 digit code that for the life of me I can't remember. I didn't have the manual at the time and I still don't know how in the heck I managed to reset the code just playing around with the thing but apparently I did. I have contacted Mossberg but they shut down their safe division years ago and don't have anyone that can help.
Here is a picture of the safe I'm dealing with, a Mossberg 7700 series InstantAccess wall safe.
Electronic lock circuit board.
Keypad side
Pretty simple circuit really. The COP8S chip is a one-time programmable microcontroller that is the brains of the operation, and just to the right of it on the circuit board is a 93C46 1K serial EEPROM. The microcontroller reads the keypad inputs, compares the code to what is stored in EEPROM, locks out any more keypresses for 30 seconds after 16 incorrect digits, etc. I believe that the code inked on the circuit board is what you would supply Mossberg to get an actual reset code for the safe; it doesn't work to unlock the safe.
Anyway, I have talked to my friend and he understands the situation and doesn't really want me to worry about getting this thing working, but if I can't figure this out, I'm going to end up buying him a used one on eBay and it's going to be a costly lesson for me not to work on friends' stuff any more!
Here are some of my thoughts on cracking this thing.
The safe comes from the factory programmed with a default access code of 0000. I'm thinking that when this circuit board is put together the firmware is already on the microprocessor and that after its first boot it recognizes a virgin EEPROM chip and programs a certain set of default values including the 0000 access code. Unfortunately, if the 4 digit code printed on the circuit board is a unique identifier for this board it means that the EEPROM is actually programmed at manufacture with its own unique data and I could possibly brick this thing, or it could be programmed manually via the keypad after its first boot-up...
My second thought is to wire up an Arduino or something similar and have it step through and try all possible 10,000 4 digit combinations and just brute force this thing. Even though there is a 30 second lockout after 16 incorrect key presses, shorting microprocessor line 21 to ground resets it so not really an issue.
Any other thoughts on this from the microcontroller gurus on here? I don't want to spend a ton of time and effort on this but it is a unique puzzle and I'm hoping I'm missing some easy solution.
Here is the manual for the safe - 7700 Safe
Microcontroller datasheet - cop8saa728m9
EEPROM datasheet - 93C46
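The post notes that resetting the microcontroller clears the 30 second lockout. From the design side, the fix is to keep the wrong-digit counter in non-volatile storage and charge each attempt before the comparison. The following C simulation is an added example, not code from the safe's firmware or from the original post; the RAM-only counter is an assumption about how the firmware behaves, and the storage model, function names and stored code are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CODE_LEN 4
#define MAX_WRONG_DIGITS 16            /* lockout threshold quoted in the post */

/* Simulated storage, constructed for this example: RAM is cleared by a
 * reset, the serial EEPROM is not. The stored code is a made-up value. */
static uint8_t ram_wrong_digits;
static struct { uint8_t wrong_digits; char code[CODE_LEN]; } eeprom =
    { 0, { '4', '2', '7', '1' } };

void mcu_reset(void) { ram_wrong_digits = 0; }   /* reset pin pulled low */

/* Weak: the wrong-digit counter lives only in RAM (assumed behaviour).
 * Returns 1 = unlocked, 0 = wrong code, -1 = locked out. */
int try_code_volatile(const char *entry) {
    if (ram_wrong_digits >= MAX_WRONG_DIGITS) return -1;
    if (memcmp(entry, eeprom.code, CODE_LEN) == 0) { ram_wrong_digits = 0; return 1; }
    ram_wrong_digits += CODE_LEN;
    return 0;
}

/* Hardened: charge the attempt to EEPROM before comparing, so a reset or
 * power cut cannot refund it. Expiry of the 30 s timer is not modelled. */
int try_code_persistent(const char *entry) {
    if (eeprom.wrong_digits >= MAX_WRONG_DIGITS) return -1;
    eeprom.wrong_digits += CODE_LEN;             /* commit first */
    if (memcmp(entry, eeprom.code, CODE_LEN) == 0) { eeprom.wrong_digits = 0; return 1; }
    return 0;
}

/* Feed wrong codes, resetting whenever locked out; return how many the
 * lock evaluated before the lockout held across a reset (or limit). */
int guesses_accepted(int (*try_code)(const char *), int limit) {
    int accepted = 0;
    while (accepted < limit) {
        int r = try_code("0000");
        if (r == -1) { mcu_reset(); r = try_code("0000"); }
        if (r == -1) break;                      /* lockout survived the reset */
        accepted++;
    }
    return accepted;
}

int main(void) {
    printf("volatile: %d, ", guesses_accepted(try_code_volatile, 100));
    printf("persistent: %d\n", guesses_accepted(try_code_persistent, 100));
    return 0;
}
```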