2008-02-18

Tinkering with the ComboGard 2

This article is a derivative of an article I wrote a while back ago, which was published in 2600: The Hacker Quarterly 21:4 (Winter 2004-2005). If it looks familiar, that's why.

The LaGard ComboGard series of digital combination locks (Model 33E) is a mainstay of the vault lock industry. It was designed to be a drop-in, high-tech replacement for the old dial-type combination locks for safes and vaults. The actual lock mechanism has the same dimensions as most run-of-the-mill group 1 or group 2 combination locks. The spindle that connects the keypad to the lock mechanism (to retract the bolt of the lock) is in the same location as the spindle that connects the dial to the lock mechanism on old combination locks, and the keypad will mount using similar mounting hardware and at the same location as an old combination lock. Quite literally, you can use a ComboGard lock to replace an aging mechanical lock on an otherwise good vault.

Safe and vault manufacturers can also buy these locks and install them from the factory. You can find one of these in use at many restaurants, stores, and businesses. They're not all that expensive, so their widespread popularity is no mystery. Are they more secure? Arguably, yes. A typical mechanical lock has about 27 million possibilities, whereas a 6-digit combination lock such as the ComboGard has a mere 1,000,000 possibilities. Mechanical locks have other weaknesses though. Many of them can be manipulated and listened to. Digital locks cannot be easily manipulated. Digital locks can also enforce a lock-out policy much like networked systems, where no further combinations can be tried until a penalty time has expired. This limits attacks to 3 tries per penalty period, with a 5 minute penalty, only 36 combinations can be tried per hour. At this pace, it would take years to go through every possible combination.

Lock Parts:
The lock's main electronics board is housed inside the lock assembly, which is secured within the vault itself. There's a single 9-volt battery that powers the whole thing, which can last for years if it's opened daily. It's contained within a small plastic box, connected to the lock assembly through a proprietary connector. The keypad has an identical connector, and they're easy to confuse, and they will plug into the wrong ports. The keypad is a circuitboard with a membrane touch pad, with an LED and speaker, covered with rubber keys and housed in a metal case with a plastic bezel. In the event that the owner fails to act on the lock's low-battery warnings, there are terminals located on the keypad so that an emergency battery can be attached to operate the lock temporarily. The lock case and keypad are connected via a square-shaped brass spindle which can be cut to the proper length to accommodate different thicknesses of vault doors. The keypad electronics connects back to the lock case with standard-issue two-pair phone cable, with the same proprietary connector on the end.

Operating:
When you enter the correct combination, the keypad is allowed to rotate counter-clockwise, retracting the lock bolt. There are numerous other features that are programmable, either with a special tool that service personnel have, or via the keypad for owners. The online manual at LaGard's website has all this information. What if you forget the combination? As far as I know, there is no master combination. You're left to do what a locksmith would do to a mechanical lock that can't be opened: drill it. Unless drilled in a very precise location, the lock will never open. On some revisions of the case, there is a raised circular area that designates the optimal spot to drill.

Dumpster Diving for Locks!
For some reason, a local place has been discarding these locks, and I've managed to find a few in a dumpster. Some have been opened up and no longer have the factory warranty. Some of them have had their spindles cut and have been installed and uninstalled. One thing holds true though, none of them have the default combination (1-2-3-4-5-6) and none of them have been reset by a technician (in which case the combo would be 5-5-5-5-5-5). Lately, I've been seeing several of them turn up on eBay and other auction sites, some selling for $50 or less. This is definitely a bargain. I called LaGard and asked them if they knew how to reset a lock, and they informed me that I needed to call the people I bought the lock from. Well, since I found it by dumpster diving, that was out of the question. I called the place whose dumpster I've been finding them in, and they informed me that I needed to call some company in Kansas, as they service all of their ComboGard locks. They were of little assistance. After a bit of social engineering and a call back to LaGard, I had a fax in my grubby little hands that outlined in great detail exactly how to reset these gems.

Resetting (without any fancy tools)
I've since lost the actual fax, but the process remains engrained in my head. Whether it's exactly the same as the fax I received, I can't remember, but I do know that it works! It also voids the warranty, since it involves breaking the tamper-resistant seal tape (hint: a razor blade and a hair dryer does wonders.) On with resetting the lock. I've included some photos to help with the process.

1) Remove the keypad and battery from the lock case.

2) Cut or otherwise remove the tamper seal tape. This is the only thing that holds the back plate onto the lock case.

3) Remove the back plate of the lock

4) Locate the reset jumper holes. There's a central DIPP IC. If you hold the lock with the bolt facing away from you, the jumper holes are directly to the left of that IC. They're larger holes than the rest, and they have exposed tinning around them. They're about 1/4 inch apart.





5) Place a jumper wire into the two reset jumper holes.

6) Attach the keypad. It goes into the port closest to the corner of the case.

7) With the jumper wire still attached, connect the battery.

8) Within 5 seconds, press the "5" key on the keypad.

9) Wait 60 seconds, then disconnect the battery and remove the jumper wire. Test the lock with the combination "5-5-5-5-5-5". If it doesn't work, start over again. Timing is critical, and the jumper wire must be secure and connected for the duration of the procedure. Changing the combination: 0-0-0-0-0-0, Old Combination, New combination


blog comments powered by Disqus