Thursday, November 15, 2007

The KEYLOK USB Dongle. Little. Green. And dead before it was born!

We decided to do a teardown on a Keylok USB based dongle from Microcomputer Applications, Inc. (MAI).

A picture of the dongle is to the right.

Opening the dongle was no challenge at all. We used an x-acto knife to slit the sidewall of the rubber protective coating. This allowed us to remove the dongle's circuit board from the surrounding protective coating.

The top side of the printed circuit board (PCB) is shown above. MAI did not try to conceal anything internally. We were a little surprised by this :(.

The backside consists of two tracks and a large ground plane. The circuit is very simple for an attacker to duplicate.

With the parts removed, a schematic can be created literally within minutes. The 20-pin version of the CY7C63101A can even be used in place of the smaller 24-pin SOIC package (which is difficult for some to work with). The 20-pin part is also available in a dual-inline package (DIP), making it a great candidate for an attacker to use.

Red pin denotes pin 1 on the device.

You might have seen this picture from the iKey1000 teardown. That's because we borrowed the Cypress pictures from that teardown :).

We performed some magic and once again succeeded in unlocking the once-protected device. A quick look for ASCII text reveals a run of text beginning around address $06CB: .B.P.T. .E.n.t.e.r.p.r.i.s.e.s...D.o.n.g.l.e. .D.o.n.g.l.e. .C.o.m.m.<
.E.n.d.P.o.i.n.t.1. .1.0.m.s. .I.n.t.e.r.r.u.p.t. .P.i.p.e.
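The dotted text above is ASCII interleaved with NUL bytes, which is how USB string descriptors are encoded (UTF-16LE); seeing them intact in a dump is a quick sign that nothing in the firmware image was obfuscated. As an added example (not from the original post), this scanner pulls such runs and their offsets out of an image; the image it runs on is constructed here, with the strings placed at $06CB to mirror the post.

```python
"""Find UTF-16LE text runs (USB string descriptor style) in a firmware dump.

Added example, not code from the original post. The dump bytes below are
constructed: erased-flash filler with a few UTF-16LE strings planted at
offset 0x06CB, the address the post reports for its text.
"""
import re

# Constructed sample strings; placed back to back with a 2-byte filler gap.
SAMPLE_STRINGS = ["BPT Enterprises", "Dongle", "EndPoint1 10ms Interrupt Pipe"]


def build_sample_image(base=0x06CB, total=0x800):
    """Return a constructed dump: 0xFF filler with UTF-16LE strings at `base`."""
    img = bytearray(b"\xff" * total)
    off = base
    for s in SAMPLE_STRINGS:
        enc = s.encode("utf-16-le")      # 'B',0x00,'P',0x00,... layout
        img[off:off + len(enc)] = enc
        off += len(enc) + 2              # leave two filler bytes between runs
    return bytes(img)


def find_wide_strings(image, min_len=4):
    """Return [(offset, text)] for each printable UTF-16LE run of >= min_len chars.

    Each character is a printable ASCII byte followed by a NUL; the regex
    requires at least `min_len` such pairs so random byte pairs are skipped.
    """
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(image)]


def dotted_view(text):
    """Render text the way a plain ASCII dump shows UTF-16LE: '.B.P.T.'."""
    return "".join("." + c for c in text) + "."


if __name__ == "__main__":
    for offset, text in find_wide_strings(build_sample_image()):
        print(f"${offset:04X}: {text!r}  (dump shows {dotted_view(text)})")
```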

Ironically, they say, "There are many advantages to using a hardware–based security solution – AKA, a Dongle. There are even more advantages however to using KEYLOK Dongles over other competing solutions."

Statements such as the one above are the reason Flylogic Engineering started this blog. We have heard this one too many times from companies who are frankly pushing garbage. Garbage in, garbage out. Enough said on that.

This dongle is the weakest hardware-based security token we have ever seen!! The ease with which the outer physical protection layer is defeated places this dongle last on our list of who's hot and who's not!


  1. Guys, this is the coolest blog I have ever seen. Just thought I'd let you know.

  2. This blog really is one of a kind. Not many people are taking apart chips and sharing it.

  3. To add to this, we should clarify that anyone can clone their dongle by attaching a test-clip to the EEPROM of the desired "master" and reading it out. They can then write the read image into a second dongle or a third and make exact duplicates. The EEPROM contents are the only thing that changes between any two dongles. Since they are not uniquely keyed to each device, cloning is possible.

  4. This is especially funny since I was given this exact dongle package to implement a dongle lock on a piece of software at work. Guess that particular software won't be too secure.

  5. Would it be possible to create a "master key"? For example to have a microcontroller generate "valid" information to perform a brute-force attack, or is there too much information in the EEPROM to try something like that?

  6. I remember reverse engineering the algorithm from the drivers of this device. Keylok is basically a memodongle. Awesome blog btw, I love it.

  7. Oscar, we don't know as we only analyzed the hardware token itself. asdf may know this answer.

  8. Yes, it all looks pretty simple to take these things apart and copy them. Has anyone actually cloned one? Has anyone got their 'new' copy to work with the software the 'old' dongle was protecting?

  9. Yes, it has been proven. Using a new EEPROM (E2) to copy whatever the original contained. The E2 contains some OTP type protected values to prevent re-using the E2 from another of their tokens.

    The E2's are <$1.00 each from Digikey though. All parts to produce duplicates cost an attacker under $10.00 as well :(.

    We've tried to contact MAI but they don't appear to be too worried (same for SafeNet btw).

  10. [...] is now ready for analysis, you can see the entries here and even more explained about another key [...]



  12. Sorry Tarsem,

    This is not the purpose of the blog.

  13. So, is there any good alternative if I want/need to use a hardware dongle to protect a software? Something that would defeat the casual hacker...

  14. Sanjit,

    There are a few dongles out there, emphasis on FEW, which are pretty good in resistance to the casual hacker. I have done mostly low budget and low level attacks on pretty much every dongle that existed up to 2006; all of them fell to universal emulation. There are some dongles, however, that upload the actual logic of your code into the MCU. These are breakable, but with much more effort. I know of one that is pretty darn good and uses a nice Philips component which I would estimate costs around 50k to reverse, although I wouldn't bet that money against Flylogic; these guys are one of the few outfits out there that actually impress and know wtf they're doing. If you are interested in a decent protection I can give you some guidance, just post back here sometime. Also, to the prior poster of many months ago, get the system drivers available for download on the Keylok website and disassemble with IDA; you will have no problem finding the internal algorithm as long as you know it is in there, afterwards you can make whatever you want. Try looking up Keylok on the Woodmann forums for an example of that.

  15. asdf,

    You said that you've investigated most security dongles out there, and that a few were ok. Which were these exactly? I need one for software licensing purposes that just needs to securely store a small amount of data.

  16. To all,

    Why would you go to such great efforts to break open whatever a company uses to keep their code from being used for free? Do you have no ethics? What if everyone found a way to eliminate or access your job and take dinner off your children's tables through a casual blog like this one. I am sure you would agree that you would find it unfavorable. Every good man and good software deserves good favor. Even types like all of you. Try to see it from a developer's point of view and just stop this ridiculous thievery. If you are just an evil bastard then you know what this will do for you. Enjoy the trip.

  17. Hello guys,

    I have purchased LightConverse and I'm trying to clone the USB dongle in order to work on 2 PCs at the same time. Is it possible or am I wasting my time?

  18. Peter, sorry for this late reply, but yes I can offer some more info on the dongles. Post back here and I'll check. If you already found one, let me know what it was and I can tell you how to reinforce it better.

  19. WOAH... interesting info
    very late to know that it exists :D

    already interested in those USB dongle things, but didn't know how or what to do :(

    give me some light, will you?

  20. Hi.
    Congratulations on the brilliant article above.
    Anyone here who might know, please help me out with this:
    a. If KeyLok is terrible, is Aladdin any better/safer/tougher to crack?
    b. If USB Dongles in general are no good, what do you recommend (at a moderate budget) would be excellent solutions to protect your software from piracy?
    c. What are the key parameters on which you evaluate the various avenues available to crack the security of a protected exe?
    Need help on this...Thanks!

  21. Arj,

    you can email me at sab2001 at the for some questions.

    a. Keylok has more than one dongle
    b. USB dongles are ok, depends on which
    c. many and many avenues, depends on the exe requirements.

  22. Two questions:
    1) Is there a USB dongle that operates independently of the software it protects?
    2) The USB dongle should not require the same dongle vendor's operating software to be loaded onto the computer of the hacker-user for it to stop the hacker-user. I bought a certain brand dongle that did not work unless the vendor's software was also loaded on the computer!

  23. Nice blog. We use these keys and I have to agree they are not that secure. I would love to point out a flaw I found but I could be held accountable. maybe...

    Anyways it would be interesting to see if anyone has made a copy and got it to work.