
Help/Suggestions with electronic lock


I know there are a bunch of sharp people on here so I figured I'd post this up and ask for some help before I get too involved with this project.

I offered to replace a 9 volt battery connector in a small wall mount Mossberg electronic gun safe for a good buddy of mine a couple of weeks ago.  One of the leads to the battery connection had come off due to flexing over the years, and it was an easy project to solder in a new one.  He told me the 4 digit code to the safe, and during the fix while I was playing around locking and unlocking it, I inadvertently reset the unlock code with some 4 digit code that for the life of me I can't remember.  I didn't have the manual at the time and I still don't know how in the heck I managed to reset the code just playing around with the thing but apparently I did.  I have contacted Mossberg but they shut down their safe division years ago and don't have anyone that can help.

Here is a picture of the safe I'm dealing with, a Mossberg 7700 series InstantAccess wall safe.

Electronic lock circuit board.

Keypad side

Pretty simple circuit really.  The cop8s chip is a one time programmable micro-controller that is the brains of the operation, and just to the right of it on the circuit board is a 93c46 1K serial eeprom.  The micro-controller reads the keypad inputs, compares the code to what is stored in eeprom, locks out any more keypresses for 30 seconds after 16 incorrect digits, etc.  I believe that the code inked on the circuit board is what you would supply Mossberg to get an actual reset code for the safe; it doesn't work to unlock the safe.

Anyway, I have talked to my friend and he understands the situation and doesn't really want me to worry about getting this thing working, but if I can't figure this out, I'm going to end up buying him a used one on ebay and it's going to be a costly lesson for me not to work on friends' stuff any more!

Here are some of my thoughts on cracking this thing. 

The safe comes from the factory programmed with a default access code of 0000.  I'm thinking that when this circuit board is put together the firmware is already on the microprocessor and that after its first boot it recognizes a virgin eeprom chip and programs a certain set of default values including the 0000 access code.  Unfortunately, if the 4 digit code printed on the circuit board is a unique identifier for this board it means that the eeprom is actually programmed at manufacture with its own unique data and I could possibly brick this thing, or it could be programmed manually via the keypad after its first boot-up...

My second thought is to wire up an Arduino or something similar and have it step through and try all possible 10,000 4 digit combinations and just brute force this thing.  Even though there is a 30 second lockout after 16 incorrect key presses, shorting microprocessor line 21 to ground resets it so not really an issue.

Any other thoughts on this from the microcontroller gurus on here?  I don't want to spend a ton of time and effort on this but it is a unique puzzle and I'm hoping I'm missing some easy solution.

Here is the manual for the safe - 7700 Safe
Microcontroller datasheet - cop8saa728m9
Eeprom datasheet - 93C46

Here are a few idle thoughts... don't blame me if the unit ends up toast, though!!

- it looks as though the microcontroller has no EEPROM internally, only the external one. So if you can read the EEPROM contents directly (e.g. by removing it from the board and reading it with some other device), then at worst you can get back to where you are now by taking a backup before you start work and restoring it any time you think you might be stuck.

- trace out that debug header at the bottom of the board. It might connect to the same I/O pins as the keys themselves, which would give you something you can connect to in order to simulate keypresses. There's probably a reset line there too.

- can you tap the interface between the microcontroller and EEPROM to see what memory locations the MCU is reading? The code might be simply stored in the clear in the EEPROM; you could read it in binary straight off the screen of your scope.

- I quite like the brute force approach, provided there's no limit on the number of times you can enter a wrong number. It might be worth checking to see if the EEPROM is getting written to when a wrong number is entered. If it is, you should definitely make the effort to back up the device first.

Try dumping the EEPROM. The passcode is likely stored in clear text, and even if it isn't a backup lets you experiment more freely.

90-degree PCB traces, that's not something you see often... :o

Agree with dumping the EEPROM. Once you have the contents backed up, erase it and see if the default code will work.

Bruteforce is also a viable option in this case.

Thanks for the replies guys!  Yeah, I think the first step is going to be to remove the eeprom chip and read it.  There are arduino programs out there that should work perfectly for this and I just ordered some replacement 93C46's from digi-key in both the SO and DIP version.

An interesting side note - while I was googling the 93C46 eeprom I found out that this and the 93C56 are very commonly used to store odometer (mileage) data for quite a few automobiles.  This is apparently a pretty robust little memory chip good for over 1 million write cycles and a 40 year data retention.  Anyway, apparently it's pretty easy to pull these things off a dashboard cluster circuit board and reprogram it with whatever mileage you want your car to read.  Something to keep in mind if buying used...

I'll update once I get further along with this.
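A bit-banged 93C46 READ routine of the kind the Arduino dump programs mentioned above implement, written here as an added example rather than code from this thread or from Mossberg. The pin callbacks stand in for digitalWrite()/digitalRead() on the CS, SK, DI and DO lines (assumed x16 organisation, ORG tied high), and the small chip model at the bottom is constructed only so the backup routine runs offline.

```c
#include <stdint.h>

/* Pin-level interface; on an Arduino each callback would wrap digitalWrite()
 * or digitalRead() on the CS, SK, DI and DO pins of the 93C46. */
typedef struct { void (*set_cs)(int); void (*set_sk)(int);
                 void (*set_di)(int); int (*get_do)(void); } mw_pins_t;

/* The 93C46 samples DI on the rising edge of SK. */
static void mw_send_bit(const mw_pins_t *p, int bit) {
    p->set_di(bit); p->set_sk(1); p->set_sk(0);
}

/* READ in x16 mode (ORG high): start bit 1, opcode 10, 6-bit address,
 * then the chip drives a dummy 0 followed by 16 data bits, MSB first. */
uint16_t mw93c46_read_word(const mw_pins_t *p, uint8_t addr) {
    uint16_t cmd = (1u << 8) | (2u << 6) | (addr & 0x3F), word = 0;
    p->set_cs(1);
    for (int i = 8; i >= 0; i--) mw_send_bit(p, (cmd >> i) & 1);
    (void)p->get_do();                      /* dummy bit, always 0 */
    for (int i = 0; i < 16; i++) {
        p->set_sk(1);
        word = (word << 1) | (p->get_do() & 1);
        p->set_sk(0);
    }
    p->set_cs(0);
    return word;
}

/* Full 64-word image: take this backup before erasing or rewriting anything. */
void mw93c46_dump(const mw_pins_t *p, uint16_t img[64]) {
    for (uint8_t a = 0; a < 64; a++) img[a] = mw93c46_read_word(p, a);
}

/* ---- Constructed 93C46 model so the code runs without hardware (not a real chip) ---- */
uint16_t sim_mem[64];
static struct { int cs, sk, di, dout, nbits, out_left; uint16_t cmd, out; } sim;
static void sim_cs(int v) { sim.cs = v; sim.nbits = 0; sim.cmd = 0; sim.out_left = 0; sim.dout = 0; }
static void sim_di(int v) { sim.di = v; }
static int  sim_do(void)  { return sim.dout; }
static void sim_sk(int v) {                 /* shift in on rising edge, shift out on later edges */
    int rising = v && !sim.sk;
    sim.sk = v;
    if (!rising || !sim.cs) return;
    if (sim.out_left > 0) { sim.out_left--; sim.dout = (sim.out >> sim.out_left) & 1; return; }
    sim.cmd = (sim.cmd << 1) | (sim.di & 1);
    if (++sim.nbits == 9 && (sim.cmd >> 8) == 1 && ((sim.cmd >> 6) & 3) == 2) {
        sim.out = sim_mem[sim.cmd & 0x3F]; sim.out_left = 16; sim.dout = 0;   /* dummy bit */
    }
}
const mw_pins_t sim_pins = { sim_cs, sim_sk, sim_di, sim_do };
```

On real hardware, replace `sim_pins` with callbacks that drive the Arduino pins and add a short delay in `mw_send_bit` if the chip's minimum SK period is not met.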

