Wanna see something you're NEVER SUPPOSED TO POST ON THE INTERNET? Really, the manual warns you like 5 times not to do this... but I'm gonna.

So this is a Tzumi Klic padlock... cover your eyes.
DUN DUN DUN! I have violated all the warranties and now Tzumi is crying.
It's the QR code for this lock!
And yes, this lock has an FCC ID. That's a bad sign.
So the bottom of this padlock shows that there's no key slot.
Instead there's a power button, 4 digits, and... a USB port!?
Yeah, that's a microUSB port, because you can charge this lock.
So here's how this lock works: You scan that QR code, then the app can pair your phone with the lock, and it can send an unlock message.

Unfortunately my secondary camera fucked up when I recorded this, so... yeah. 2 frames per second.
So obviously there's two things to do with this lock:
1. figure out how the app works and hack the bluetooth
2. take it apart with some screwdrivers and hammers and spudgers

I went with #2, because it's easier to do while waiting on other stuff to complete.
So first the bottom part is a sticker (a SECURE sticker)
Then it's plastic (SECURE PLASTIC!) and some secure one-way screws.
Fun fact: with enough force and a properly sized flathead screwdriver, you can just back these out.
oh look we're in.
Unfortunately one of the screws got wedged and worn out so I had to break it.

Boy, everything seems shoved in there.
wow, everything is just floating in mid air now
So that top PCB (the one you can access from the bottom of the lock) is actually designed according to proper security design! It's just buttons, no smarts. So you can't hack your way in from here.
It's called an MMS-B-Key--V1, it's got 5 buttons and a red/green LED.
The other side shows that there's one more feature on this PCB: the bluetooth antenna! You don't usually see those on the end of a ribbon cable, but it works I guess.
The USB connector is here, on its own PCB (expensive!)
it's labeled MMS-B-USB--V1, and good news: it only has the power connectors wired up.
So you can't do any kind of USB hacking on this thing.
That PCB is even DOUBLE SIDED for NO REASON because apparently the designers didn't feel like saving money.

And yes, two wires: only power.
The battery is an ST601225 3.7V 120mAh LiPo battery.
So, the main PCB is here.
It's the MMS-B-V1.
It's got 6 wires and a ribbon cable coming off it:
Ribbon cable goes to button/antenna-board, the wires go to the motor, battery, and USB board.
This chip here is a Puya Semiconductor P24C02A:
That's a 256 ENTIRE BYTES i²c serial eeprom.
This has gotta be for storing shit like the key combination unlock and bluetooth pairing info, it's too tiny for anything else.
I'm not 100% sure because it has so little markings, but I think this is an HM533 voltage regulator.
It takes in the voltage from the battery or USB power and turns it into 3.3V, for the microcontroller.
Speaking of which, let's flip that PCB!
We've got one big chip, two smaller chips, and a 12MHz oscillator/crystal.
That chip is a ST17H26. It's a bluetooth microcontroller, with a 32-bit core, 6 kilobytes of on-chip RAM, and 16 kilobytes of one-time-programmable program ROM.
It's got built in support for BLE and power management, so it's ideal for this sort of application.
This chip was apparently designed by Lenze, who have some weird pictures on their website
http://lenzetech.com/us/ 
I've not been able to figure out what core they're building this on. possibly something proprietary that they designed?
seems unlikely, but there's no references to any other cores.
ANYWAY back to the teardown.
Here we've got an LTH7: that's a Linear Technology LTC4054, a Li-Ion battery charger.
You feed in up to 10V and it'll charge the battery up to full capacity (at a max current of 800mA), with optional thermal protection.
This over here... I'm not really sure.
It's an AD5?27, but I'm guessing just by how this is hooked up that it's a motor driver.
Well, that's all the electronics parts. What's left? The motor and the mechanical parts.
This here is the padlock core.
So it's got a 2 wire device in the middle. It's either a small motor or a solenoid. (spoiler alert: it's a motor)
That fits into this part which holds all the PCBs and such, and yes it's entirely plastic. This is not a secure device, by any stretch of the imagination.
A battery powered drill will get you through this in like 30 seconds.
So, that tape on the mechanical parts was to hold two pins in, before you slide on the rest of the case that keeps them in place.
Here's the main shackle pulled out.
It's got a spring to try to push it out, and a little cut into it that's used with the locking part.
The two pins are not really special, they're not like cylinders of a lock, they're just pins.
And yes, the motor/solenoid is, in fact, a motor! like I said.
It's got a tiny gearbox on top, hooked up to a little peg sticking out. The peg has a metal ring around it to keep it from wearing down.
The gearbox unclips from the motor.
The motor shaft just slides into the middle.
The gearbox is surprisingly complex, but I guess it has to be to be this small.
So the top bit (with the peg) has an internal set of gears, then there's the motorized part that fits inside it, right?
The motorized part is actually a set of 3 smaller gears connected together.
You can see from the top that there is a space between all 3 gears, they're not actually in contact with each other.
Then the part the motor's shaft goes into fits in between the 3 gears, and rotates them from the middle.
So, when you trigger it to unlock, the MCU tells it to run the motor 5 rotations clockwise, then 5 rotations counterclockwise.
It's not actually going to rotate that much in practice: I suspect part of this gearing system is to let it slip once it hits too much resistance.
So what does the motor do?
Well, look down the hole where the motor goes.
See that little bit in the middle? that can slide back and forth. The motor fits in there, and can shove it to the left.
Here's how that works: There's a spring on the right that shoves this little cylinder into the cutout on the shackle, keeping it from opening.
The motor can then rotate and push it right, allowing the (shackle) spring to push out the shackle.
The two pins? They go here and here.
One keeps the slide from sliding too far back or too far in, and the other keeps the shackle from popping out when the motor ejects it.
So, is this a good lock? No. This is a terrible lock. Even if it wasn't bluetooth, it'd be a terrible lock.
But if you have to bypass one of these and you don't have the digit code or QR code, how would you bypass it?
well the obvious option would be to hack the bluetooth messages.
That sounds hard though, and it's definitely not the easiest way... they could have made it hard to do that. I didn't check.
Here's the really obvious easy way:
These two secure screws under the plastic sticker.
Unscrew them or drill them out, then push down on all the mechanism. Or heck, just take a hammer to this and break the plastic.
The whole thing will just slide right out.
Once you do that, you have access to all the pins. pull them out and the whole thing falls apart. Whack it with a hammer here if it's stuck.
Alternatively, here's the thing: outer case and the parts that hold the motor in place are not magnetic. The motor (of course), IS.
So if you have a way to produce a rotating magnetic field, you could probably shove the motor into rotating from outside the case.
the @LockPickingLwyr used that attack on this fingerprint padlock:
Another magnet based attack that might work if you have a big enough magnet: the slider bit isn't attracted to magnets, but the spring that holds it in place IS.
Put a big enough magnet on the side of the case and you may pull the magnet down enough that you can open the shackle
Interestingly, the QR code is printed with a thermal printer, so after a little while of screwing around with this thing... it got warm enough to erase itself.
If you want to get into more esoteric computery hacks, along with the QR code (that's explicitly the same as knowing the combination), there's also a permanently etched serial number.
Is the QR code linked to the serial number? Quite possibly.
so you might be able to figure out the unlocking code from the serial number with enough reverse engineering.
BTW that QR code just resolves to a URL containing the unlock code listed below (the GTS160118986 one, not the serial number)
they did at least obfuscate the Java code used in the app.
that's not gonna stop people from hacking it, but it makes it not instantly easy.
and it does seem to use some actual encryption. There's RSA key functions and such!

unfortunately it seems there's also a lot of keys/passwords embedded in the app, so... yeah.
BTW this thing DOES have to talk to the remote Klic server.
I think you can still unlock a lock without talking to the server, IF you have it already added onto your phone?

but that just delays when your lock will get bricked.
so keep good track of the back-up number. That'll still work if the servers die, since you can always recharge it from the USB port and then type in the code.

well, until the battery dies.
I really don't know and I'm not sure I want to know why the app has game code from Tencent, creators of WeChat and co-owners of Fortnite
anyway the app is surprisingly complicated and I didn't do any bluetooth capturing while I had this thing in a working condition, so I'm probably not gonna hack the protocol today.
and if you liked this thread and would like to donate a dollar or two to future teardowns, my ko-fi is here: https://ko-fi.com/fooneturing 
and if you want more, my (not actually complete, but it's a good start) list of teardown threads is over here on my wiki:
https://floppy.foone.org/w/Reverse_Engineering_documentation#Teardown_Threads
do you ever think back about the old days, when your padlock didn't need an SQL database?
nothing says "secure" like home-rolled encryption/hashing code.
looks like it's a form of TEA (hopefully XTEA):
https://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm
TEA would make sense for this kind of application. You can run TEA into a very small microcontroller, like the one that powers this thing.
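As an added illustration (this is not code from the Klic app or firmware, just the published XTEA cipher written out in C), here is why a TEA variant is the natural pick for a 16 KB OTP microcontroller: the whole cipher is two loops with no tables. The key and plaintext below are constructed sample values, and the `xtea_roundtrip_check` helper is a name chosen here for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* XTEA (Needham & Wheeler, 1997): 64-bit block, 128-bit key, 32 cycles.
 * Written out here as an added example, not taken from the Klic app. */
#define XTEA_DELTA  0x9E3779B9u
#define XTEA_CYCLES 32u

/* Encrypt one 64-bit block in place. v[2] is the block, key[4] the 128-bit key. */
void xtea_encrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Decrypt one block in place: same schedule, walked backwards. */
void xtea_decrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t sum = XTEA_DELTA * XTEA_CYCLES; /* wraps mod 2^32, as intended */
    for (unsigned i = 0; i < XTEA_CYCLES; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Constructed sample key and block (not values from the lock). Returns 1 if
 * encryption changes the block and decryption restores it exactly. */
int xtea_roundtrip_check(void) {
    const uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
    const uint32_t plain[2] = { 0xDEADBEEFu, 0x0BADF00Du };
    uint32_t block[2] = { plain[0], plain[1] };

    xtea_encrypt(block, key);
    if (block[0] == plain[0] && block[1] == plain[1])
        return 0; /* cipher did nothing: broken */

    xtea_decrypt(block, key);
    return (block[0] == plain[0] && block[1] == plain[1]) ? 1 : 0;
}

int main(void) {
    const uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u };
    uint32_t block[2] = { 0xDEADBEEFu, 0x0BADF00Du };
    xtea_encrypt(block, key);
    printf("ciphertext: %08X %08X\n", block[0], block[1]);
    printf("round trip ok: %d\n", xtea_roundtrip_check());
    return 0;
}
```

The thing to notice is what is not in those 20 lines: there is no key agreement, no nonce and no message counter. XTEA is just a block primitive, so every bit of security in a lock protocol built on it rests on the 128-bit key staying secret and on the surrounding protocol adding freshness; a key baked into the app is known to everyone who unzips the APK, and a fixed unlock block with no counter can be replayed verbatim. That is the defender's reading of "keys/passwords embedded in the app".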
Also @rdzien alerted me that @thelocklab has done a video on this lock!
and it turns out @intrd already hacked this lock over bluetooth: https://twitter.com/intrd/status/1308161954524082176
I love this shit.
This class is totally obfuscated! I'll never be able to find out what it was originally called! Damn you!
oh unless it includes its name in the exceptions it throws