You may have seen the talk and demonstration by Cody Brocious that allows him to open an Onity hotel room door lock with an Arduino, which is totally James Bond. However, wouldn't it be even better if someone was able to get it down to the size of a marker or pen? Working as a pentester for Trustwave SpiderLabs, I have access to many different pens, I have blue pens, red pens, green pens, and even the normal boring black pens. Most of these write just fine, and I sometimes wonder why I'm getting paid to test them, but I digress. While the initial idea was to get everything working inside a pen, it quickly became apparent that we wouldn't be able to do it right away. So instead we opted to get it inside of a dry erase marker.
I'm not going to get into the technical details of how this hack works, or why it works. Cody does a great job on his own site over at http://demoseen.com/bhpaper.html. So if you have any questions about the hack itself or the details, it is best to ask him, as he is the one who discovered this. I only made the device smaller. :)
Now that we have our goal, we needed to gather supplies. In order to build and test all of this yourself you will need the following:
- 1 Arduino (Almost any kind works, Cody used a Arduino Mega 128)
- 1 DC barrel jack, 5mm outer diameter, 2.1mm inner diameter
- 1 5.6k resistor
- 1 Onity Door lock
I already had the door lock from a previous eBay purchase that I may or may not fully remember. The next step was getting an Arduino. This part wasn't too hard either since every hacker and their grandmother should have about 50 of these laying around. I just so happen to have one from "The Worlds Number 1 Hacker" contest a few years back that I won at DEF CON. And the barrel jack and connector I had laying around.
With the parts listed above I was able to build the Arduino circuit and load up the Arduino sketch that Cody provided at http://demoseen.com/bhpaper.html. Testing that it worked was as easy as plugging in the barrel connector and waiting for the green light on the lock to light up. Now that I knew this was working, it was time to build the working prototype that would fit in a dry erase marker.
I went over to the local hacker space to get some help with the circuit diagram from my friends Josh Krueger and Jordan Bunker. We knew that we needed a crystal to have correct timing for the code to work and unlock the door. We also needed to supply the Arduino with about 3-5 volts, and the digital 3 pin with 3.3v for the one-wire serial to work. Getting the circuit this small isn't that much of a hassle, but it can be a bit of a pain doing it with limited parts on hand. After a bit of back and forth on the design we agreed on the following parts to complete the project that night. This is by no means the best solution or the only solution to make this fit into a pen, but for what we had available and with the time we had to do it, it's what we were able to come up with.
The parts we used to complete this build are the following:
- 1 ATMega328 (pre-loaded with the sketch)
- 1 5.6k resistor
- 1 30 ohm resistor
- 1 16Mhz Crystal
- 1 3.3v Zener diode
- 1 A23 12V Battery
- 1 SPST tall mini push button (momentary on)
- 1 DC (coaxial) barrel connector, 5mm outer diameter, 2.1mm inner diameter
- 1 Protoboard 1-3/4in. X 1-1/2in
If you follow the diagram below you should be able to built and create your own hotel door opener pen.
Your finished product should look something like this.
And then because everyone loves a video demo, here is the marker in action with my hotel door lock.
R1 shown in the photograph is not 30 ohms or anything near it. For it to be 30 ohms the third stripe would need to be black.
The stripes look to me to be Orange/Orange/Brown which would be 330 ohms or Orange/Orange/Red Which would be 3300 ohms or 3.3 kohms.
If this is really a 30 ohm resistor there is .3 amps (300 mamps) going through that resistor. Which would be 2.6 watts!!! going through maybe a 1/2 watt resistor (more than likely 1/4 watt). Yeah it would burn up pretty quick. If it's a 330 ohm resistor then you have 229 mwatts going through it. Little less than 1/4 watt. The amount of current through the Zener will depend on what is in use by the rest of the circuit.
Just out of curiosity why a 12 volt battery? Why not something at a lower voltage? Perhaps it's what works for the physical size constraints?
Posted by: Robert Woodruff | 14 May 2013 at 17:24
Can I buy it off of you? You can name your price
Posted by: Charles1 | 02 February 2013 at 00:02
I have a couple questions about the clock timing:
1) If you're shooting for a minimum-component build, why use an external 16MHz crystal? Why not use the 8MHz internal clock and double any relevant time delays in the code?
2) Since you're using a crystal, where are the 20-24pf load capacitors on each side of it (XTAL1 and XTAL2 to ground)? Without these it's likely that the timing is rather imprecise, and if precision timing isn't needed then why not just bypass the crystal altogether as in #1?
Posted by: Ehryk Menze | 26 January 2013 at 03:14
Anyone knows what kind of battery holder is being used (and maybe where I could get one)? All the holders I found where like this: http://image.made-in-china.com/2f0j00cCwabTfICLoA/Cell-Box-Batter-Holder-Batteries-Accessories-KLS5-Type-.jpg
Posted by: Zulakis | 01 January 2013 at 21:44
I'm surprised nobody has pointed this out yet, but using a SMD (surface mount device) ATtiny85, this could conceivable be fit inside a standard ball point pen, though it may need to be dead-bug wired to fit.
Posted by: SurprisingEdge | 11 December 2012 at 16:41
hi...
to be specific about the (possible) errors commented on that I still see present in the diagram are:
[quote]
A close look at the circuit diagram and the build photos posted on the linked site suggests there are two errors on the schematic. The first is the 30 ohm resistor from the battery to the zener which is clearly too small. The photo suggests it is 3k3 which is, arguably, too small. The correct value should be around 470 or 560 ohms IMHO. Using 30 ohms would probably seriously stress that zener and the (small) batteries suggested.
The second error is the connection between the connector barrel and the 3.3V rail which does not match the original designer’s description. It should instead go directly to pin 5. A close look at the build photo suggests that was actually the arrangement used.
[/quote]
and
[quote]
The 5.6K should be used to pull the barrel high, with the barrel inner connected directly to PD3. The circuit diagram is wrong. I don’t seem to be able to comment on his page.
[/quote]
can we please get some updated/corrected info?
thanks
Posted by: D | 29 November 2012 at 16:27
bump..
I too would like an updated schematic.
I had read comments here and hackaday that there were some errors?
Is the current 'drawing' the most updated/correct schematic?
thanks
-whispers
Posted by: D | 29 November 2012 at 12:20
Hi Daniel,
Are there any updated schematics for this? I would like building one right away. So do you have an updated schematic and maybe some pictures of the final product and the board without tape?
Posted by: Jastr | 06 November 2012 at 03:21
Can someone just make me one and I'll pay them? Hahaha. I'm so confused by all these partssss
Posted by: kaydp16 | 23 October 2012 at 09:04
@Joe: Resistor appearance can vary considerably, if your not sure about the value of your resistor check out the color code. LMWTFY: http://en.wikipedia.org/wiki/Electronic_color_code . Zener diodes are only available from the Zener corporation in Switzerland. No wait, you can get them from a crap ton of places just google it. Regardless, trying to have us guess-tronic your tool together over the internet via blog comments is a pain. Check out some local hacker space or , failing that a local community college that has a electronics program. People at those places with like be overjoyed to help you out, sans the internet sarcasm.
Posted by: NY-Carl | 09 October 2012 at 12:48
I picked up a 30ohm and it looks NOTHING like the one in the photo.. can we get confirmation on what that resistor actually is.. and still no response on a good place to get a 3.3v zener :(
Posted by: Joe | 09 October 2012 at 11:16
anyone have a link to a place where I can get the 3.3 zener diode?
Posted by: Joe | 08 October 2012 at 15:54
The circuit diagram has been updated. R2 is now in the correct place. In previous comments I made a mistake and sometimes said PD1 when I meant PD3.
Posted by: Daniel Cussen | 08 October 2012 at 14:54
Thanks Jaku! I cant wait to get this build started.. I ordered most of my parts from newark.. a few pieces I still need.
David, I actually built two versions of the original design using the audrino uno and using an audrino 256.
http://www.forbes.com/sites/andygreenberg/2012/08/28/videos-show-hackers-reproducing-and-refining-hotel-lock-trick-that-opens-millions-of-rooms/1
I'm the clown in the still shot on the page.. the hack/device works.. I just definitly want to shrink it down further.. using the uno I was able to get the project down to the size of a nerf replacement darts box.. but even then its too big for my personal liking.
Posted by: Joe | 05 October 2012 at 14:30
Joe,
I hope I'm replying to you. This is kinda hard from a phone. Anyways we have an updated diagram that will be getting posted soon. I'll try to get to your other questions when I'm back in front of an actual computer as well.
Posted by: jaku | 05 October 2012 at 13:44
You wouldnt need a battery connector if you soldered directly to the leads on the battery.. I will concur however I would like more detailed view of the soldered circuit that is pictured here - that or at least some follow up from the original poster about the connection questions peole have.
Posted by: Joe | 05 October 2012 at 13:21
I based the wiring based on the circuit described in the demoseen.com website. The talk is here: http://demoseen.com/bhtalk2.pdf
and here:
http://daeken.com/blackhat-paper (site seems to be down)
The main info is here:
http://demoseen.com/bhpaper.html
R2 should be between VCC and PD1 while barrell inner should connect directly to PD1.
Best to try the circuit first using an arduino board as in the initial talk, then shrink things down.
I don't see any reason other chips cannot be used except for all the time needed to change the code. Best to keep it simple.
Posted by: Daniel Cussen | 05 October 2012 at 11:51
After examining the pics, counting pins and trying to make sense of that solder blob under the red wire, I tend to agree with Daniel's assessment. Presuming the yellow wire goes to the inner barrel, that is... because the yellow wire appears to connect directly to PD3, with the 'short leg' of R2 connected to VCC in the aforementioned blob.
If I haven't totally forgotten the mnemomic, R1 in the pic's actually a 33.2 or 33.3 ohm (can't really tell if the 3rd band's red or orange), for what it's worth.
I guess we're to assume the mini-switch in the parts list is mounted on or integrated into one of the battery holders (which are NOT on the parts list)... it looks like there's a hole in the bottom cap for actuating it while assembled, but I don't really see it in the pics. Perhaps that's what the 'cold' blob on the anode end of the zener is waiting to flow around?
Posted by: DarrDarr | 05 October 2012 at 08:20
Nice Job. Going to test it next week.
Apart from buying a bareduino (not a plug) on Amazon. Hey they got the arduino bootloader already installed so you're halfway there and you've got the crystal caps and a voltage regulator for $6.95-8.95
Wonder if this work will a Teensy? Besides changing the iopin to pin 7 I'll have to look at the timing differences. Hmmm. Anybody care to chime in?
Posted by: Just Me | 04 October 2012 at 15:53
Have we confirmed that the circuit board sketch is correct or not? And anyone have a good source for the parts.. Radio Shack only carries some of the parts and I would like to work on this project this weekend.
Posted by: Joe | 04 October 2012 at 08:04
The circuit diargam shown is wrong. R2 is in the wrong place. It should be between the Zener and the barrel inner and not as shown. The barrel inner should connect directly to PD3. You seem to have wired it correctly on the stripboard. Probably just a mistake. PD3 pulls the line low to give a 0 data pulse to the door, while the resistor holds it high to 3.3V when the chip is not pulling it low.
Not essential but I am slightly concerned about R1 I=V/R (12V-3,3V/30R)means 300mA flowing through D1 (probably slightly less due to door lock and chip). At least make sure to use a high power zener, but better to try and measure the current flowing through D1 and increase R1 greatly.
Otherwise a billiant hack and it's great to help.
Posted by: Daniel Cussen | 03 October 2012 at 16:47
Why is the Barrel Inner connected to VCC ??
Posted by: mpd | 02 October 2012 at 22:37
I can't think of a reason why it wouldn't work with the ATTiny85. It might need some changes in timing but it should still be possible.
Posted by: jaku | 02 October 2012 at 20:58
I was actually able to screw it into the plastic tip of the marker. I created the thread as I screwed it in, so it worked out perfectly. :)
Posted by: jaku | 02 October 2012 at 20:57
I would really like to see the complete parts list and where to get them ;)
Posted by: Joe | 02 October 2012 at 20:56