Thursday, December 17, 2015

Z-Con Lock Teardown

I got this lock a while ago for two reasons; it's an alarmed padlock, it has a funky key.
Since then it's been hanging out in a display case.

Here's the tear down.
This is the lock I got with a Z-Con Lock core. I believe that Z-Con makes the cores then sells them to manufacturers to use in their own locks. It's a reasonably well designed lock, no exploitable design flaws in the body of the lock that would allow me to unlock it that I could find, disabling the audio alarm is a different story. Dual ball bearing locking mechanism so shimming is out of the question, solid metal exterior, hardened shackle.

Here's the bottom of the lock:
With just a small philips screwdriver you can undo the bottom plate and access the internals. However actually getting that bottom plate off is rather tricky since it's a very very tight fit.

Internals exposed
On the top here you can see the edge of the circuit board, the wiring, and the battery compartment cover (white plastic).

Here's the circuitry:

Large black circle in the upper left is the speaker. Yellow is a piece of rubber meant to waterproof.

Above: A closeup of the circuit board "front"

Above: A closeup of the "back" of the circuit board. The white wrapped part is a trembler switch that activates the alarm if the lock is moved too much. Is is a metal tube hooked to ground with a delicate spring inside hooked to positive that will jiggle, come into contact with the tube and complete the circuit activating the alarm.

Not pictured: There is a magnetic reed switch on the positive cable that extends upwards into the lock. There is also a magnet on the extension from the back of the lock cylinder so that when the lock is turned to the alarm (little speaker picture) setting it closes the circuit and then allows the trembler to set off the alarm if activated.

So that's that for the alarm part of the lock. You can muffle it with silly putty stuffed into the speaker holes, or you can unscrew the bottom, remove the plate, then take your choice of methods to disable the circuitry.

Let's take a look at the Z-Con lock core.

Here it is still in the lock body. There is a bit of a funnel piece that you have to drill out the retaining plug, just to the right of the lock core. Then it is also held in place by a lock ring. I could not find a way to remove the funnel without permanently damaging the lock body. I kind of get the feeling they really don't want you to take it apart.

So here's the actual lock core. I've drawn 3 lines to show the way the key lines up inside the lock. Green the lock is open, the key is not removable in this position.
Yellow the lock is in the normal locked position, notice the extra cut out extensions, this allows the key to be inserted and extracted.
Red the lock is in the locked and alarmed position, again notice the extra cut out extensions allowing the key to be inserted and removed from this position.

Here is the back of the lock core. The red arrows point to lock ring that keep the inner core and the outer shell together.

The inner core is made of 2 parts (minus the springs and wards)

Here is the point of interaction between the top of the inner core and the key.

 Here is the bottom of the inner core. you can see the springs and the 3 moving wards at the bottom.

Above left is the lock inner core with the key inserted. Note the 3 black extensions, these are the  moving wards.
Above right is the lock outer cover. The red arrows show the grooves that when the wards align properly allow the lock to turn. The green arrow shows the groove for the lock ring that hold the two parts of the lock together.

Here is the inner core fully disassembled
Top left core shell
Top middle inner core lower
Top right inner core upper

The 3 black plastic items in the lower right are the moving wards. Note the difference in the diameter of the hole in the middle of them. These correspond to the different diameters of the key, which then align them with the grooves in the core shell and allow the inner core to move thus turning the extension on the top of the lock core (not pictured) that allows the ball bearings to retract and the shackle to open.

Inner core with all springs, wards, and upper portion removed.

This is a Z-Con key (not mine). The blue arrow is pointing to the ward that keeps the key in the lock when in the open position and also turns the lower portion of the inner core of the lock.
The red arrows point to the resting locations for the black plastic moving wards. See that the diameter of the holes in the plastic rings corresponds with the diameter and steps of the key.

 So that's how they work.

Now for how to pick them...

I've got some ideas but nothing I've really tested yet. As far as a straight up bypass I don't see anything that would work.

The keys almost have to have a very low entropy as far as possible bitting setups. A unique lock would require not only a unique key to be lathed but also a unique core shell with matching inner grooves.
My assumption would be that only 1 of the wards (the lowest) actually is movable as far as the bitting is concerned, the other 2 are static for all keys. I think this because the lowest ward is the only one that doesn't sit on a lathed ledge it sits on a couple of ears that stick out. But I don't have access to any other Z-Con locks and keys so I can't really say for sure.

I'll be posting the exact measurements of the key in a few days so others can compare and we can find out just exactly how many unique keys there are for this type of lock and possibly make a pick for it.