Schlage smart door lock hack/teardown

Well it’s not really a teardown, but I did take apart the unit to analyse the electronics, which is the reason I bought this in the first place. Reason #2 was to see if I can hack it to control it via Moteino. Watch the video at the end of the post to see the results.

As the title suggests it’s a smart door lock with a for coded entry and is based on “Iris” which in turn uses ZWave RF wireless technology (made by Zensys), a closed source patented protocol+hardware stack that is OEM-able to automation system makers who want an “off-the-shelf” wireless stack to integrate into their product.
Here are some unboxing photos:

The mechanical side sits on the outside and also contains the keypad. I was eager to open this part up and I was met with a MSP430 controller that drives the keypad along with some circuitry to drive a small DC motor which turns a very small spring which in turn engages a latch. It was very difficult to put it back together and there’s not much going on in there anyway. The brains of this unit is a Zwave SOC (system on chip) which is similar in looks to the RFM69 transceiver. It’s soldered on another host PCB which has two button pads for LOCK/UNLOCK action from the inside of the house, and a red-green LED for visual feedback. The ZWave unit is a MCU+transceiver SOC with similar specs to the Atmega328 and works in the 915mhz unlicensed band in the US.

There are a few interesting finds on this PCB:

  • Power is provided from the 4xAA 6V battery pack through a voltage regulator. The regulator is a MCP1702-3V linear regulator, the same type that Moteino uses (except Moteino is MCP1703-3.3V and accepts up to 16V max input). This is significant because this proves mass manufactured low power electronics can and do use low dropout linear regulators without a major hit on battery life. Some people are concerned about battery life and email me to ask why I didn’t design Moteino with a switching regulator instead. A lot of reasons that I won’t go into here (except to say a low dropout linear regulator will perform great if your firmware is low power enough). And after this teardown I feel even better about it.
  • There is a mosfet enabled resistor based voltage divider which is obviously a battery monitor. A very simple and cheap alternative to other dedicated battery monitoring chip solutions. The resistors are obviously 1% or better and the divided voltage goes into one of the analog pins of the ZWave SOC.
  • The Zwave front end is probably controlled by the MSP430 controller via a 2 wire (serial?) interface, I would guess a UART. The Zwave SOC has a “patented” protocol API which is how the host application configures and talks to it. That part was not something I spent too much time to investigate since I’m not interested in ZWave.
  • The logic on the ZWave SOC is active low. Meaning that to turn ON a LED the pin wired to it has to be driven LOW instead of HIGH.
  • The ZWave PCB was covered in a clear electrical insulator coating (which scraped away very easily) to shield it from humidity, but nothing else was. This is weird, I can’t imagine why they would weather proof the MCU/radio but not the power supply.

Here are the closeups of the main PCB:

In the following video I show more details about how the unit works, power consumption, where I tapped into the circuit to control it, and how it is controllable via a Moteino/Arduino microcontroller. There is very little space in the case to add any other electronics in there. But the Moteino would probably fit OK. This makes me feel pretty good about my Moteino design decisions – one paramount requirement was small size without sacrificing usability (by tightly spaced non-breadboardable headers or cutting back on exposed pins) – it had to fit in such small places as this door lock.