ToorCamp 2026

Dead Bytes Tell No Lies: Hands-On NAND Flash Decoding for Access Control Locks
2026-06-27, Yoga Studio

Somewhere in a pharmacy right now, there's a lock protecting a drug cabinet. The lock stores every user code, privilege level, and active flag in plaintext on a NAND flash chip. No encryption. No MAC. No checksums. No TPM. Just raw bytes in a predictable layout, readable with a $30 programmer and a clip.

In this workshop, you'll learn to decode that layout by hand.

We'll work through real NAND dumps extracted from Alarm Lock Trilogy T3 units, the same locks deployed across healthcare, government, and financial facilities in the US. You'll learn how to identify page boundaries (hint: look for 0xFD), decode 6-digit user codes stored as interleaved ASCII nibbles with a delightful quirk where zero is encoded as "B", parse permission flags to determine who has master access, and spot the forensic artifacts that indicate flash tampering (like the "Power Up Complete, Data Restored From Flash Memory" audit entry that appears after injection).

Along the way, I'll explain the lazy write model that makes all of this possible: the MSP430 microcontroller only commits volatile RAM to NAND on battery removal or low-voltage interrupt, creating a window where the flash doesn't reflect the lock's current state. We'll also look at what happens when you inject malformed data: some edits cause the lock to show injected codes in its "Print Users" output (using the vendor's older and less used infrared printer) but silently omit them from "Export Users" in DL-Windows (the vendor audit software used on a computer), creating a stealth window where printed and digital records disagree.

No soldering required. Bring a laptop with a hex editor (HxD, wxHexEditor, or whatever you prefer). I'll provide printed reference sheets with the full NAND page layout and sample binary dumps to work through. If time permits and curiosity demands, I'll have a T48 universal programmer and a lock board on hand for a live read/write demo.

You'll leave knowing how to read embedded flash memory from a class of devices that assumed nobody would bother, and take part in showing that assumption is a security failure.
Workshop structure (approximate):

0:00-0:15 — Context and architecture. Brief overview of the Alarm Lock T3 hardware: MSP430F2418 microcontroller, Adesto AT45DB041E SPI flash (4 Mbit, 264-byte pages), and the lazy write model. Why NAND is the target (it stores the secrets, it's physically accessible, and it has zero protection). How to connect to it with a universal programmer and SOP8 test clip.

0:15-0:50 — Hands-on decoding. Participants work through provided binary dumps using hex editors and the printed reference sheet. Exercises include: locating the FD page header and identifying page boundaries; extracting the first, second, and third bytes of user codes from their interleaved positions; converting encoded bytes back to decimal codes (accounting for the B-for-zero quirk); reading active/inactive status flags; identifying permission levels (F1=Master, E1=Elevated, C1=Supervisor, 01=Normal); and comparing a "normal" dump against a dump with injected elevated privileges to spot the differences.
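The decoding steps above, as an added example that is not code from the talk or its repository: it splits a dump into 264-byte pages by the 0xFD marker, unpacks the B-for-zero nibbles, maps the F1/E1/C1/01 flags, and then diffs a baseline dump against a suspect one to flag raised privileges or newly active slots. The record offsets are hypothetical placeholders for the values on the reference sheet, and the dumps it runs on are constructed.

```python
# Added example (not code from the talk or its repository): decode user records from two T3
# NAND dumps and flag privilege changes. Page size, 0xFD marker, B-for-zero nibbles and the
# F1/E1/C1/01 flags are from the abstract; record offsets are HYPOTHETICAL, dumps constructed.
PAGE_SIZE, PAGE_MARKER = 264, 0xFD
PERMISSION = {0xF1: ("Master", 3), 0xE1: ("Elevated", 2),
              0xC1: ("Supervisor", 1), 0x01: ("Normal", 0)}
REC_OFFSET, REC_SIZE, REC_COUNT = 8, 16, 4      # hypothetical: where records sit in a page
CODE_BYTES, PERM_OFFSET, ACTIVE_OFFSET = (0, 5, 10), 2, 3   # hypothetical interleaved positions

def decode_code(code_bytes):
    """Six digits from three bytes, two nibbles each; nibble 0xB stands for digit 0."""
    return "".join("0" if n == 0xB else (str(n) if n < 10 else "?")
                   for b in code_bytes for n in (b >> 4, b & 0x0F))

def pages(dump):
    """Yield (index, page) for each 264-byte page that starts with the 0xFD marker."""
    for i in range(0, len(dump) - PAGE_SIZE + 1, PAGE_SIZE):
        if dump[i] == PAGE_MARKER:
            yield i // PAGE_SIZE, dump[i:i + PAGE_SIZE]

def users(dump):
    """Map slot -> (code, permission name, rank, active) over every valid page."""
    out = {}
    for pidx, page in pages(dump):
        for r in range(REC_COUNT):
            rec = page[REC_OFFSET + r * REC_SIZE:REC_OFFSET + (r + 1) * REC_SIZE]
            name, rank = PERMISSION.get(rec[PERM_OFFSET], ("unknown", 0))
            code = decode_code(bytes(rec[i] for i in CODE_BYTES))
            out[pidx * REC_COUNT + r] = (code, name, rank, rec[ACTIVE_OFFSET] == 1)
    return out

def suspicious_changes(baseline, suspect):
    """Slots whose rank rose, or that are active only in the suspect dump."""
    base, findings = users(baseline), []
    for slot, (code, name, rank, active) in users(suspect).items():
        _, bname, brank, bactive = base.get(slot, ("", "absent", -1, False))
        if rank > brank:
            findings.append(f"slot {slot}: {bname} -> {name} (code {code})")
        elif active and not bactive:
            findings.append(f"slot {slot}: newly active code {code}")
    return findings

def build_page(records):  # constructed sample data only: (code, perm byte, active byte)
    body = bytearray([PAGE_MARKER]) + bytes(REC_OFFSET - 1)
    for code, perm, active in records:
        rec = bytearray(REC_SIZE)
        nibs = [0xB if d == "0" else int(d) for d in code]
        for pos, k in zip(CODE_BYTES, (0, 2, 4)):
            rec[pos] = (nibs[k] << 4) | nibs[k + 1]
        rec[PERM_OFFSET], rec[ACTIVE_OFFSET] = perm, active
        body += rec
    return bytes(body) + bytes(PAGE_SIZE - len(body))
```

Swap in the sheet's real offsets and the same diff applies to the "normal vs. injected" exercise pair.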

0:50-1:10 — Forensic artifacts and attack scenarios. Examining what audits actually show (and hide) when NAND data is manipulated. The "Print Users vs. Export Users" discrepancy. The "Code Audit After Unexpected Values" artifact where 300 user entries turn into a garbled mess. Discussion of the discarded lock scenario: recovering credentials from disposed hardware, code reuse across sites, and the insider threat implications.

1:10-1:30 — Live demo and Q&A. If conditions allow, live NAND read from a lock board using the T48 programmer. Walkthrough of the dump in real time. Open discussion of remediation (encrypt the flash, authenticate writes, establish hardware disposal protocols) and how this methodology applies to other MSP430 + NAND-based embedded systems.

Skill level: Comfortable reading hexadecimal. No prior hardware hacking experience needed. Prior experience with hex editors is helpful but not required — we'll cover the basics.

Materials provided: Printed NAND page layout reference sheets, sample .BIN dumps on USB drives (or downloadable from the GitHub repository), and a decode walkthrough guide.

Repository with all dumps and documentation: https://github.com/Qweary/T2-T3-Lock-Exploitation-Research

Louis Piano (Qweary) is a red teamer who happens to also be a locksmith for the US Department of the Army. He researches the collision of physical and digital security, demonstrating that the boundary between them was always imaginary. His hardware work includes a year-long reverse engineering project against institutional electronic locks, from NAND flash dumps to hand-patched TI assembly firmware hooks. On the cyber side, he builds multi-agent AI swarms with agentic capabilities for red team operations. Most recently, he deployed them at WRCCDC regionals, where Anthropic sponsored a blue team of 30-40 Claude instances defending against both his swarm and the human red team; this was a first-of-its-kind experiment to see the impact of augmented red team operations vs agentic blue team defense in a live competition. Based in Olympia, WA, he volunteers with OlyMega makerspace and believes persistence matters more than pedigree. This is his first conference talk.