BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//talks.toorcon.net//toorcamp-2026//talk//MJBZNN
BEGIN:VTIMEZONE
TZID:PST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T100000Z
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:PST
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T110000Z
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:PDT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-toorcamp-2026-MJBZNN@talks.toorcon.net
DTSTART;TZID=PST:20260626T120000
DTEND;TZID=PST:20260626T125000
DESCRIPTION:I spent years installing Trilogy Alarm Locks for the military. 
 Other locksmiths asked for recommendations\, I let them know of Trilogy's 
 fast response to responsible disclosures (at that time)\, and I soon start
 ed seeing them in pharmacies\, more government buildings\, and banks. Then
 \, after the company stopped responding to my vulnerability disclosures\, 
 I spent a year figuring out how to hack them. Nearly every angle I approac
 hed it from\, I found a new vulnerability. The company never responded\, d
 espite acknowledging through a third party.\n\nThis talk walks through a f
 ive-layer attack chain against the T2/T3 lock platform: physical bypasses 
 that leave little to no trace\, NAND flash manipulation that injects ghost
  users with master privileges\, a firmware hook on the MSP430 microcontrol
 ler that writes a persistent backdoor code during factory reset (using han
 d-patched TI assembly\, because apparently that's a thing I do now)\, and 
 USB emulation of the proprietary audit cable using FaceDancer and a GreatF
 ET One.\n\nOver a year later\, I was able to prove that a lock deployed in
  critical infrastructure has credentials that can be cloned from the trash
 \, firmware that can be rewritten through an unblown JTAG fuse\, and whose
  audit trail (the one used as legal evidence) can be fooled by a device th
 at costs less than the lock itself.\n\nI'm not a firmware engineer\; I'm a
  locksmith who got curious\, bricked a lot of boards\, filled a notebook w
 ith bad hypotheses\, and eventually taught myself enough TI assembly to wr
 ite a 38-byte payload that survives every factory reset method. The tools 
 were a $30 flash programmer\, a soldering iron\, and an unreasonable amoun
 t of stubbornness.\n\nThe talk closes with a constructive argument: self-a
 uditing endpoints are fundamentally broken. If the lock controls access AN
 D writes the audit log\, you have a suspect writing their own alibi\, not
  a log that should be used in legal evidence. I'll propose an Observer Sys
 tem Model where independent sensors verify what the lock claims\, and disc
 uss why even cheap mitigations (blow the JTAG fuse\, encrypt the NAND\, au
 thenticate the cable\, use a TPM) would have stopped every attack in this 
 chain.\n\nEverything is published: code\, dumps\, patches\, pcaps\, 33 pag
 es of handwritten notes\, and a 4\,000-word research journal documenting e
 very wrong turn. \nRepo:\nhttps://github.com/Qweary/T2-T3-Lock-Exploitatio
 n-Research\nBlog:\nhttps://qweary.github.io/backburner/
DTSTAMP:20260626T011947Z
LOCATION:Prime Dome
SUMMARY:Physical Access\, Digital Lies: How a Locksmith Hacked His Recommen
 ded Lock - qweary
URL:https://talks.toorcon.net/toorcamp-2026/talk/MJBZNN/
END:VEVENT
END:VCALENDAR
