Uhlmann & Zacher, problem solved?

There is a new video on the Uhlmann & Zacher lock on YouTube.

It seems to show the effect of the much discussed firmware update. Problem solved?!?

18 Responses to “Uhlmann & Zacher, problem solved?”

  1. renzo says:

    so they failed again?

  2. renzo, I don’t see any fail in that.

  3. renzo says:

    that still doesn’t protect against the ring

  4. Tom says:

    Appears to me that they first demonstrate the flaw with the original firmware, then they update the firmware (with that grey box), and then they show that the attack indeed no longer works.

    An open question is still whether the attack will work again if you manage to cut off the power to the lock/drain its battery…

  5. Vito (vrocco) says:

    My question would be: what does it take to upgrade the firmware?? It seems to me maybe the lock is first scanned with some type of “programming card” that puts it into a program mode and then the firmware is flashed from the grey box shown. If this is the case, is the “programming card” unique to that lock? Or could I use my programming card to flash someone else’s lock back to the old firmware and make it vulnerable again? If this is the case, it’s not really a fix.

  6. Jeroen says:

    My guess is they use some kind of signing of the new firmware so that even if you know the protocol to speak to the lock, the lock won’t accept the new firmware if it isn’t signed.

  7. ch says:

    Please try removing the battery and doing that ring thing again with this lock. See if the lock is still vulnerable to the ring. If so, updating the firmware isn’t solving this crack.

  8. Kai says:

    The German website of Uhlmann & Zacher published two press releases about the CX6122 electronic lock.

    On June 18th they released a firmware update that will solve the problem by now. Manipulations will be protocolled and can be read out. Also, different kinds of software patches disallow the ring attack and allow the object manager to tune up his doors.

  9. pk says:

    I don’t understand why everybody is talking about CX6122. If you check the website of U&Z you can see that the vulnerable part is just a module that is used in nearly EVERY product. Even half-cylinder and furniture lock. I also assume that all versions – Clex Prime, Paco and Private are vulnerable to this kind of attack.

  10. Lockpicker says:

    It seems to be a short circuit in the new firmware in the H-bridge (the circuit that controls the motor). It will make the lock more power consuming, and shorten the life of the batteries. Without power it will still be vulnerable to the same type of attacks. Is it possible to remove the battery from outside, without access to the right key?

  11. Lockpicker and anyone else who claims “draining the battery”: Why would it drain the battery? All the lock electronics have to do is leave the motor circuit open, so that there can’t be current running through it and thus it can’t turn with the magnet.

  12. Lockpicker says:

    Jaakko, the fix will probably be a short circuit of the motor winding. This is done by biasing a pair of transistors. Although they are CMOS transistors which don’t require any current, the µ-processor has to be turned on all the time. The chip was turned on by an interrupt in the beginning, but now it has to be on all the time. I may be wrong, but that’s my opinion.

  13. Lockpicker says:

    And… I don’t think it is the current that turns the motor; it is the circulating motion of a magnetic field that influences the motor. When it is short-circuited it won’t move.

  14. mh says:

    I guess we all still don’t know anything about how the magnetic ring influences the lock – does it turn a magnetic rotor? does it induce a current into a coil or PCB trace that would need to be short-circuited so this can work? does it influence a hall sensor or reed switch that is supposed to detect the position of the locking element, and the old firmware would then ‘counteract’ in the wrong way? or something else I just can’t imagine now?

    The fact that U&Z now offers different options in their firmware update, some of them only logging the attack, some also compensating the attack, means to me that there must be some drawbacks attached to the ‘compensation’. I imagine that would be shorter battery life.


  15. pk says:

    Seems like there is a new video from the original author – don’t know what to think about that:


  16. mh says:

    “This video is no longer available due to a copyright claim by Uhlmann & Zacher GmbH”

    what did it show?