Schlage E-Bolt

[David_Parker]

So I've recently come across the Schlage E-Bolt, and after doing some research, I've come up with very little.



The little that I've gained on the E-Bolt from Google is this:
-ANSI Grade 2 Security & Performance
-Pick-proof Deadbolt
-Resident Key uses a read only Dallas i-Button with unique identity code
Note: there are over 3 billion code combinations
-Theres a jump start key which can be used in the event of battery loss.
-Programming Key requires software
-Retails for about $150
-Not really popular among the lock-consumer community

What I want to know is: has anyone dealt with these before? Or taken a look at the inside of the lock housing? All the keys are non-cut, just blanks with a small electric tab sticking out of the gray housing.

What makes these pick proof?


-Dave.

[stick]

The fact that it doesn't use pin tumblers, but an electronic system makes it impervious to standard picks, but that, by no means, means it's pick-proof. It just means something has to be developed, if something hasn't already been.

[MrB]

Just as an aside, the Dallas i-Button looks almost identical to one of those little button cells, like a hearing aid battery. It seems to have a program-once-only memory, so each time you want to change the code you program a fresh button and throw the old one away.

[dry132]

The dallas I-buttons are a pretty simple, "1-wire" protocol for relaying some information, usually a serial number, encryption key, or up to 16kb of other data. The protocol specs are published publicly at maxim/dallas website in the datasheets if you want to read about how they work.

The main security flaw with the dallas I-buttons are that anything can read the serial number off the key, and subsequently reproduce it to gain entrance. There are several types of ibuttons, and I'm not sure which one the keys use. None are easy to break without having access to the ibutton, but with a few minutes access to the ibutton pretty much any of the widely used ibutton systems can be hacked quickly and cheaply.

The non-security ibutton basically has a serial number it spits out whenever power is applied. So the sequence goes insert key, the lock supplies power and reads the serial number. If the serial number is on the "access" list, then open the lock, otherwise reject and reset the sequence. This method is secure through the large number of serial numbers possible. I think the ibuttons store something like a minimum of a 64-bit ID, or roughly 2*10^19 possibilities. Trying this many combos on a slow ibutton interface would take ages. But of course, if you could simply nab the key for a few minutes and read the serial number off it, then you would just have to devise a method to regurgitate the same number to the lock to open it. This is alarmingly easy, much akin to "impressioning" a key in wax or clay, but easier.

The security ibutton has a pretty simple query-response type interface, and costs more since it just doesn't spout out a serial #. As I understand it, the "lock" spits out some data to the "key", then the "key" performs some sort of secret algorithm on the data and returns the permuted data. The lock checks to make sure the proper algorithm was applied, and if correct signals the door to open.

This is a step up from the basic serial-ibutton, and is somewhat harder to bypass. It is possible, however, given access to the key and the lock for a short time.

The ibutton bus is notoriously slow, so a "brute force" attack would take prohibitively long. Other methods include gathering a sufficient number of proper query/response codes and reverse engineering the algorithm with a PC. As far as I know, the ibutton encryption is proprietary and fairly tough.

I guess to go on more, try to post whatever you can find out about your key on here, then from that we'll deduce which ibutton is in it.


In general locksmithing, if someone were to lose their ibutton key, there is not really a good way to bypass the locks since most of the bypass methods require prior access to the key. Once you have access to the lock from the inside, you can disassemble and reprogram it to accept a new key. The good news is that Dallas probably keeps a record of the key/lock combinations, and you could have them issue a new key to fit the lock, or perhaps issue the serial # to produce a new key.

[c123]

Schlage dis-continued the eBolt about a year ago. I installed about 250 of them at a large apartment complex. It's a good idea, but the real problem is reliability. I think the reason for the high number of "won't read my key" is simply a dirty connection at the lock and key.

There were 2 levels of software and programming procedures. the old style was a small reader that plugged directly into a 9 pin serial port. The latest version uses "Locklink Express" and is compatible with pda's & such

[Chucklz]

For dirty electrical contacts in all applications, I can HIGHLY recommend De-Oxit. I've used it in pro-audio applications (i mean professional as in I was paid to do it, rather than look at how much money ive spent on my stero without xlr connections), and my father now uses it in antique radio restoration.

[linty]

you can cut the key if you want, so that it can match a regular schlage lock.

[raimundo]

I had never even heard of this lock before this thread, Im almost positive this is the only mention of it on the lp101 site, (no I haven't read the entire site, but I look for topics a lot)
the idea immediatly made me think unreliable, because this key could be shorted out by mositure, sweat, humitity, an electronic key should not rely on physical metal contacts.

[n2oah]

It's only a grade 2 deadbolt, and that's pretty weak. The best way to face one of these would probably be a size 12 boot.