Dry Erase Marker Opens All Hotel Room Doors

If you’re carrying around an exposed circuit board and a bunch of wires people are going to notice you. But a dry erase marker won’t turn any heads. And this one holds its own little secret. It acts as a master key for hotel room door locks.

This is really more of a repackaging hack; the exploit itself is already well known. The Onity brand of key card locks most commonly used in hotels has a power jack on the bottom that doubles as a 1-wire communications port. The first published proof of concept used an Arduino board and a simple adapter to unlock any door in under one second. Now that hardware has been reduced in size so that it fits in the hollow shell of a dry erase marker. Even better, the felt tip has been replaced with a barrel jack of the appropriate size. Check out the ultra-fast and inconspicuous use of it after the break. We think using this is no more obvious than actually holding the key card.

50 thoughts on “Dry Erase Marker Opens All Hotel Room Doors”

  1. Onity released a free hardware patch for their locks: actually a ‘patch’ of metal which fits inside the casing and covers the jack.

    Bottom line is you need a screwdriver to get the lock apart before you can plug anything in. So ultra-conspicuous again unfortunately.

    1. You’re assuming that every hotel has actually installed the “patch”. I bet many wait until a door lock is scheduled for service, then install the guard plate. Wouldn’t surprise me if many fail to install it ever.

    2. The likelihood that a majority of the hotels, and motels out there with Onity locks will actually install this “patch” is slim to none. Don’t get me started on servicing working units. Preventative maintenance is not a word that is in a facility managers vocabulary at these places.

      I am speaking from the perspective of a Commercial door and hardware technician. I work in the service department and our company has many hotels and motels as clients. I’ve seen locks falling apart from loose screws and can’t fix them as they are not on my service ticket. Go back to the same business 3 weeks later, lock still falling apart.

  2. I’m an electronics novice. Can someone explain to me why the 12v battery doesn’t damage the micro-controller? I thought they could only handle around 5 volts? Does it have something to do with the zener diode?

    Thanks!

    1. Essentially the output voltage will equal (about) the reverse breakdown voltage of the zener, which are available in a huge range. The resistor is there to limit the maximum current through the zener, which happens when there is no load connected: (12-3.3)/20 = 290 mA. This type of regulator is far from power efficient, so you wouldn’t want to use it for most other applications, but since there is only power when the button is pressed it will work fine.

    2. Yeah thanks ibespecial, I wasn’t really clear. Scott: If you add an opamp, you can actually make a decent supply using the zener as a reference. Many high-end supplies actually use a high-precision zener reference. If you want to learn about power supplies, I highly recommend this EEVBlog series: http://youtu.be/cM7t1Mpu7s4

      You’ll notice at around the 2 minute mark, he’ll put up a diagram with a [Ref] block. If you stick the zener in there, you’ll have something close to an lm317 (in reality, those don’t use zeners as references, but the concept is the same).

    1. Yes, and I can only think of noble uses for this device too.

      Has the whole world gone completely amoral and someone just forgot to email me the memo?

      When someone steals something from the hotel rooms of people using this devious doohickey to feed their need for greed, I would love to see a CAT scan of their neurons flailing about trying to deal with the hypocrisy of their outrage.

      1. There is a different approach to this question of morality and sharing device flaws. If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done. Letting the public know of security flaws contributes a lot.

      2. To anonymous, who said “If they weren’t shared quickly then it may take even longer for the flaw to be noticed before any real damage was done.”..

        This post is all about how to make an already existing thief’s tool easier to use in public by rendering the device undetectable. I am not quite sure why you would think that this is an efficient way of fighting crime.

        Marco

        1. It doesn’t fight crime; however, it makes people aware of what criminals are capable of doing. It’s good to know what criminals have at their disposal, and it reminds people of the flaws of the world and technology.

  3. I’m reading this from a hotel in Pittsburgh. I just went and checked the lock on my room door and there is no metal patch. In fact there are two ports at the bottom of the lock.

  4. A close look at the circuit diagram and the build photos posted on the linked site suggests there are two errors on the schematic. The first is the 30 ohm resistor from the battery to the zener which is clearly too small. The photo suggests it is 3k3 which is, arguably, too small. The correct value should be around 470 or 560 ohms IMHO. Using 30 ohms would probably seriously stress that zener and the (small) batteries suggested.

    The second error is the connection between the connector barrel and the 3.3V rail which does not match the original designer’s description. It should instead go directly to pin 5. A close look at the build photo suggests that was actually the arrangement used.

    Of course, perhaps these were just intentional errors intended to confuse beginners in the black art of microprocessors.

    1. Bill,

      You seem to be correct on the second error. The 5.6K should be used to pull the barrel high, with the barrel inner connected directly to PD3. The circuit diagram is wrong. I don’t seem to be able to comment on his page.
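The resistor argument in the two comments above (30 ohm versus 470/560 ohm versus 3k3) comes down to the arithmetic of a series-resistor zener regulator. The following is an added worked example, not code from the post, the build page or the commenters: it takes the thread's numbers (12 V battery, 3.3 V zener, the candidate resistors) and reports, for each resistor, the no-load zener dissipation and whether the zener stays in regulation under load. The zener power rating (500 mW), the minimum zener current for regulation (5 mA) and the 10 mA load current are assumptions chosen for illustration; they are not values stated on the page.

```python
"""Series-resistor zener regulator sizing for the values discussed in the thread.

Added example, not code from the post or the marker build. The 12 V input,
3.3 V zener and candidate resistors come from the comments; the zener rating,
minimum regulating current and load current are assumed for illustration.
"""


def analyze_zener_regulator(v_in, v_z, r_series, p_z_max=0.5, i_z_min=0.005, i_load=0.0):
    """Return the key figures for a shunt (series resistor + zener) regulator.

    v_in, v_z  -- input and zener voltages in volts
    r_series   -- series resistor in ohms
    p_z_max    -- zener power rating in watts (assumed 500 mW here)
    i_z_min    -- minimum zener current that keeps it in regulation (assumed 5 mA)
    i_load     -- current drawn by the load in amps

    The series resistor always passes (v_in - v_z) / r_series. With no load,
    all of it flows through the zener, which is the worst case for zener
    dissipation. Under load the zener only gets what the load does not draw;
    if that falls below i_z_min the output drops out of regulation.
    """
    if v_in <= v_z:
        raise ValueError("input voltage must exceed the zener voltage")
    i_series = (v_in - v_z) / r_series          # fixed by the resistor, not by the load
    p_zener_noload = v_z * i_series              # worst case: whole current through the zener
    p_resistor = (v_in - v_z) * i_series         # resistor dissipation is load independent
    i_zener_loaded = i_series - i_load           # what is left for the zener under load
    return {
        "i_series_A": i_series,
        "p_zener_noload_W": p_zener_noload,
        "p_resistor_W": p_resistor,
        "i_load_max_A": max(i_series - i_z_min, 0.0),
        "zener_within_rating": p_zener_noload <= p_z_max,
        "regulates_at_load": i_zener_loaded >= i_z_min,
    }


def compare_candidates(v_in=12.0, v_z=3.3, resistors=(30, 470, 560, 3300), i_load=0.010):
    """Run the analysis for each candidate resistor mentioned in the thread."""
    return {r: analyze_zener_regulator(v_in, v_z, r, i_load=i_load) for r in resistors}


if __name__ == "__main__":
    for r, fig in compare_candidates().items():
        print(f"{r:>5} ohm: series {fig['i_series_A'] * 1e3:6.1f} mA, "
              f"zener no-load {fig['p_zener_noload_W'] * 1e3:6.0f} mW, "
              f"max load {fig['i_load_max_A'] * 1e3:5.1f} mA, "
              f"within rating={fig['zener_within_rating']}, "
              f"regulates at 10 mA load={fig['regulates_at_load']}")
```

Under these assumptions 30 ohm pushes roughly 290 mA through the zener with nothing connected, close to a watt of dissipation in a small part, which is the stress the comment above warns about; 470 and 560 ohm keep the zener comfortably inside its rating and still leave enough current for a 10 mA load; 3k3 limits the series current to under 3 mA, so the zener cannot hold 3.3 V once anything is drawing current.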

  5. Is there an updated schematic anywhere? One that is ‘truly’ correct? Correct values and correct connections? I know this is old… and yes, I read Onity has released hardware/software patches. I have an Atmega328 DIP sitting here, and I want to make one… but don’t want to use bogus/fake/erroneous schematic plans?

    so errors/fixes:

    1.) 30Ohm resistor is KAKA.. needs to be.?? what (not 3.3k…too small?) but a 470 Ohm is ok/correct? (bigger? than the 3.3k which is arguable too small?)…huh?

    2.) 3.3v to pin 3? or pin 5? (which is it?) :)

    3.) The 5.6k resistor ‘should be used to pull the barrel high’… which means what? That the 5.6k resistor should NOT be between the barrel and pin 3, but between the barrel and the +3.3v source/trace? And the trace/connection from the barrel should go BETWEEN the 5.6k resistor and the barrel, to >>>> pin 5?

    Would this be a more ‘accurate’ schematic then?

    http://dmstudios.net/misc/onity_door_lock_schematic.jpg

    Also… I’m curious as to how they are getting a 16MHz Arduino to work @ only +3v?

    thanks!

  6. I also do not see/understand several things:

    1.) A 16MHz crystal, running at 3.3v? Huh? I thought it had to run @ +5v to be @ a 16MHz clock?

    2.) If you are running a 16MHz clock/crystal… where’s the caps? Aren’t those needed for precise timing?

    3.) Is D3 or D5 used? If you read comments all over, it differs…?

    The schematic shows D3… but the comments say ‘error’… should it be D5?

  7. PD3 is correct, which is pin number 5.
    30 Ohm will work, not ideal.
    16MHz will work.
    It’s basically a shrunk-down complete Arduino on a 3V regulator. Use a full Arduino if u want.

  8. I have built two of these just using Arduinos; both work great. I have bought black hobby boxes from Radio Shack to house them. I really wanted to make one of these marker builds but no one can come up with/make the correct schematics.

  9. I’m trying to learn to make, use and understand the technology that makes this device work, but it is not to steal stuff from random people; it’s because I am prone to becoming homeless and it gets cold outside.

  10. 1) The circuit show is correct and has been fixed. You could stick with the 30R resistor, and it would work.

    2) The actual source info is here: http://demoseen.com/bhpaper.html

    3) The initial guy used PCB connect #3 in the code, but on a bare 328 that is chip pin 5.
    https://www.arduino.cc/en/uploads/Main/Arduino_Uno_Rev3-schematic.pdf
    It would be safer to use an 8MHz xtal, but make sure you set the 8MHz in the settings during programming.

    4) The best way I found is to use an arduino pro mini 3.3V version https://www.arduino.cc/en/Main/ArduinoBoardProMini
    https://www.arduino.cc/en/uploads/Main/Arduino-Pro-Mini-schematic.pdf
    You can see output 3 (D3) is PD3 or chip pin 1. This has an on-board regulator and the reset button starts the process.

    5) In relation to the site code extraction it should be possible by modifying the code. I looked at it briefly before, but after it is saved, it immediately over writes it, to create the open string. You would need, to not do that, or save a copy. Writing blank mag stripes is expensive business.

    In terms of testing it, many hotels systems seem to be upgraded and no longer vulnerable. You may be able to get old locks for sale online, but be sure to get the seller to pre-program them, and supply a working card. The onity programmer costs thousands and with no program they will not open. They forget the program with battery removal so don’t remove the battery! I had a spare for a few years for testing. You could also borrow one from a hotel door!

  11. 1) The circuit show is correct and has been fixed. You could stick with the 30R resistor, and it would work.

    2) The actual source info is here: http://demoseen.com/bhpaper.html http://demoseen.com/bhtalk2.pdf

    3) The initial guy used PCB connect #3 in the code, but on a bare 328 that is chip pin 5.
    https://www.arduino.cc/en/uploads/Main/Arduino_Uno_Rev3-schematic.pdf
    It would be safer to use an 8MHz xtal, but make sure you set the 8MHz in the settings during programming.

    4) The best way I found is to use an arduino pro mini 3.3V version https://www.arduino.cc/en/Main/ArduinoBoardProMini
    https://www.arduino.cc/en/uploads/Main/Arduino-Pro-Mini-schematic.pdf
    You can see output 3 (D3) is PD3 or chip pin 1. This has an on-board regulator and the reset button starts the process.

    5) In relation to the site code extraction it should be possible by modifying the code. I looked at it briefly before, but after it is saved, it immediately over writes it, to create the open string. You would need, to not do that, or save a copy. Writing blank mag stripes is expensive business.
    Even fixed there is probably encryption flaws where site keys may be extracted from room keys. See the talk details.

    In terms of testing it, many hotels systems seem to be upgraded and no longer vulnerable. You may be able to get old locks for sale online, but be sure to get the seller to pre-program them, and supply a working card. The onity programmer costs thousands and with no program they will not open. They forget the program with battery removal so don’t remove the battery! I had a spare for a few years for testing. You could also borrow one from a hotel door!

  12. 1) The circuit shown on his site has been changed for a third time and again is wrong.
    The code is written for Arduino connector D3 which is 328 chip pin 5 (curious minds is right)
    https://www.arduino.cc/en/uploads/Main/Arduino_Uno_Rev3-schematic.pdf
    The barrel wiring is now correct. Basically the 560R goes between centre pin and 3.3V supply.
    You could stick with the 30R resistor, and it would work, higher might be safer.
    It would be safer to use an 8MHz xtal, but make sure you set the 8MHz in the settings during programming.

    2) The actual source info is here: http://demoseen.com/bhpaper.html http://demoseen.com/bhtalk2.pdf

    3) The best way I found is to use an arduino pro mini 3.3V version https://www.arduino.cc/en/Main/ArduinoBoardProMini
    https://www.arduino.cc/en/uploads/Main/Arduino-Pro-Mini-schematic.pdf
    You can see output 3 (D3) is PD3 or chip pin 1. This has an on-board regulator and the reset button starts the process.

    4) In relation to the site code extraction it should be possible by modifying the code. I looked at it briefly before, but after it is saved, it immediately over writes it, to create the open string. You would need, to not do that, or save a copy. Writing blank mag stripes is expensive business.
    Even fixed there is probably encryption flaws where site keys may be extracted from room keys. See the talk details.

    In terms of testing it, many hotels systems seem to be upgraded and no longer vulnerable. You may be able to get old locks for sale online, but be sure to get the seller to pre-program them, and supply a working card. The onity programmer costs thousands and with no program they will not open. They forget the program with battery removal so don’t remove the battery! I had a spare for a few years for testing. You could also borrow one from a hotel door!

  13. Anyone has an idea where I can buy one? I have one but it doesn’t work properly, I don’t know why. Or is there a possibility to connect the device to a PC to update?
