Archive for the ‘Uncategorized’ Category

Hackerhotel 2024: Safe cracking workshop

Friday, February 16th, 2024

Hugo and I taught Safe cracking to a group of eleven at Hackerhotel 2024. It was great sharing the knowledge and inspiring others. Much respect goes to the attendees, which after a busy conference still had energy to take on this mighty challenge.

Every training needs to start with a good basis. We started with an introduction on what safe locks are about and how they operate, specifically group two safe combination locks. From there, we built knowledge from practical examples and exercises. From simply operating the safe lock by dialing 4L-3R-2L-1R with a known combination, to exploring contact points and graphing.

For this two-hour session, we worked with locks of known combination, and usually only get to complete one and a half graphs in this time. Around six graphs were completed in total, and some even finished all three graphs within the session.

While any training is mostly satisfying a curiosity, we expect this training gave the attendees enough knowledge to give it a try on their own later. Maybe even getting obsessed about it in the process 🙂

CCBY4.0 Jan-Willem Markus Toool Blackbag

UKLS January challenge

Monday, January 1st, 2024

The January challenge is a lockpicking game ran on the UKlocksport forum. In short, the challenge is to picks/impressions/opens one lock a day for the days of January. The rules say to post pictures daily and not to play catch up. As in, to pick a lock every day, not just 31 in the month of January.

You can extend your lockpicking streak, if you so wish. Some people extend the streak by a few days, others do a full year. One exemplary lockpicker, Toni, picked a lock a day for 1093 days straight, which is three days short of three years! Furthermore, Toni started a new streak of several hundred lock in 2022, as well.

The last two locks of the lockpicking streak by Toni are both sides of the same DOM Plura.
Lockpicking collage of the special picks from Toni from the first 365 locks.

I’ve used the January challenge as a good excuse to learn a new skill. For example, in 2018 I’ve impressioned a lock a day in January. In 2019, I’ve impressioned a dozen, and picked locks for the remaining days.

It’s very easy to start the challenge, and then let it drop when that one lock doesn’t open. So to help you along, here are a few tips and tricks.

  • Don’t set the bar too high, as the difficulty isn’t as important for your daily lock.
  • Try to incorporate lockpicking in your daily schedule, for example to pick your lock while waiting for public transit, or during a coffee break.
  • Plan out your month so you have enough easier locks for the busy days of the month.
  • If you challenge yourself with an F3D, have a contingency when it doesn’t open that quick, as someone on YT.
  • Skipping posting is better than skipping a pick.
  • Lastly, share your picked locks, no matter if it’s a steak or not. Celebrate the victories will help you stay motivated.
The two rings are easier locks than the box on the right, but at 25g each, you can’t beat the cores of Master Loto for weight. Toni took a box of these to keep his streak alive during holidays abroad. (Do check the country’s stance on lockpicking, though.)

With picking a lock a day, you built the lockpicking muscle memory. We as Toool advocate for using the three O of out name, oefenen, oefenen, and oefenen. Which is the Dutch word for practice. In English, you could say to pick locks over, over, and over again.

If you are inspired, please join the UKLS forum, and start sharing your picked locks. I would like to extend the invitation to any lockpicking streak, also if your streak starts on another date. Next to practice, share your achievements with the community.

This Kibb is my 1st pick of the year.

Pictures from Toni have his copyright. The rest are CCBY4.0, as per usual Toool Blackbag license.

Asking the community: How are pins painted?

Wednesday, November 22nd, 2023

A while ago, we had a discussion on our Discord server on how the pins for pinning kits are painted, as achieving the same effect at home was quite appealing. For example, to accentuating the different pins for teaching, or to make cutaways more fancy.

In this short blog, I’ll share what has been tried, and how we can use your help to solve the mystery.

A picture of a pinning kit by Nigel, Toool UK.

The first clue was from a pinning kit manufacturer, as they shared with a community member that the pins were soaked in bowls of food coloring. I’ve bought water based, and later alcohol based food coloring and tried the same. The color doesn’t really stick to the surface of the metal surface, as the metal was not clean enough. I wasn’t too scientific about improving the wetting and tried different cleaners. The paint didn’t stick to the pins, came on thick, or rubbed off with a towel.

A better attempt was to use alcohol (based) paints used for arts and crafts, as the pins are indeed painted. But the effect was fairly uneven and the paint washed off easily.

The best attempt was also the simplest, by painting the pins with permanent markers. The process isn’t complicated, simply rub the permanent marker on the pins. For a one-off cutaway, this process is quite feasible, but not for big quantities. Cleaning the pins beforehand will likely improve the results as well.

Edding 390 permanent marker for scale.

We have tried a few ideas, but this is where we are currently stuck. If you have an idea on how to paint these pins more evenly, leave the suggestions below. It would even be better if you gave the suggestions a go and shared the results with us.

LockCon 2023 Schedule

Sunday, October 1st, 2023

The LockCon schedule is complete!

In the morning and evenings, there will be talks about various lock topics. The afternoon is reserved for the competitions. Starting Friday with Impressioning, Saturday with Lockpicking, and Sunday with the Pentathlon competition. Please see https://blackbag.toool.nl/?p=4228 for the competition rules.

We will have flip overs with the program at the event. You are allowed to fill the gaps in the schedule and take the stage with your own last minute talk or workshop. Swapping time slots isn’t an issue either, just discuss this first.

Thursday
15:00Room check-in is open
18:00 – 01:00Socializing
21:00 Conference room open
Friday
07:30 – 10:00Breakfast
10:00 – 10:30 LockCon Opening
10:30 – 11:30Evva Elus & Anker 3800 update – Walter Belgers
11:30 – 12:30TBD – Zeefeene
13:00 – 14:00Lunch (sandwiches in the conference room)
14:00 – 19:00Impressioning competition
19:00 – 20:30Dinner
20:30- 21:30Locksport journey with Abloy disc detainer locks – Petri Maksimainen (Idanhurja)
21:30Start of disk detainer competition
21:30- 23:00Abloy disc detainer workshop by Idanhurja and DaMage
21:30- 23:00F3D workshop by Nitiflor
Saturday
07:30 – 10:00Breakfast
10:30 – 11:30Electronic safe locks – Jan-Willem Markus
11:30 – 12:00Short speak about history of lock cylinders in Czech country – Lubos Cech (catalocks.eu)
12:30 – 13:00Group photo – Dennis van Zuijlekom
13:00 – 14:00Lunch (sandwiches in the conference room)
14:00 – 19:00Lockpicking competition
19:00 – 20:30Dinner
20:30- 21:30Physical Vulnerability Research – Matt Smith (huxleypick)
21:30- 23:00Locksport – Walter, Jos, Matt, Nigel
Sunday
07:30 – 10:00Breakfast
11:00 – 11:30Aubin’s trophy – Eric scaillet
12:00End of disk detainer competition
12:00 – 16:00“PENTATHLON” COMPETITION – Parmakey
13:00 – 15:30
15:30 – 16:00Closing Ceremony

If someone wants to make a calendar file (ICS) and sends it to us, we will add it to this post.

Cutaways, and lever locks

Monday, September 11th, 2023

When we teach lockpicking we usually revert to schematics of locks, and different models for demonstrating the functionality of locks. Usually required as the core functionality is well hidden, and not often observable in action. Multiple skilled machinists have made cutaway locks for the purpose of demonstrating the inner workings of real locks.

At one cutaway themed evening, we had over 50 unique cutaways on the table. From all brands and mechanisms. Some of which even the pins themselves were cutaway.

On an evening with impressioning, a member asked for some blanks to practice with. The call was answered by the keys below. Sadly, it’ll be very hard to find a corresponding lock for the key blanks, as in Europe we have thousands of unique keyways. Even though they all look a-like.

On another evening, we delved deep in lever locks, from your classic Chubb locks to high-end safes. A boroscope was brought as to try to decode some locks by belly reading the levers. E.g. to observe the scratches on the levers and determining the length of the butting making the scratches.

The WE30C also made its appearance, one night. The lock was used on pay phones, and is remarkably hard to lockpick due to the lever blocking system, shown in the top right. As torque is applied, the blocking system engages with the levers, making all levers bind up before the lever tests the gate.

Registration for LockCon 2023 is open!

Saturday, July 22nd, 2023

Dear friends,


We are delighted to announce that registration for LockCon 2023 is open! The conference will be held from the 12th of October to the 15th of October at the WestCord Hotel de Veluwe in Garderen, The Netherlands.

The Event

We will welcome registered attendees from Thursday afternoon (check-in 15:00 hr) with a meet and greet in the bar. On Friday, Saturday, and Sunday, we will have talks, workshops, competitions, and social events. And, of course, there will be plenty of opportunities to pick locks. We will have to vacate the hotel again on Sunday evening.

Invitation

LockCon is an event for the locksport community. Everyone with a passion for locksport is welcome, no matter the locksport group you are with. We work with the principle of friends, and friends of friends. If your friends are going to LockCon, ask them to vouch for you.

We have also reserved seats for people we have never met before. If you think you have something to contribute, or just are a very enthusiastic lockpicker who does not have the right connections yet, please contact us through the usual channels.

Hotel

As you may have seen, this year we will reside in a Hotel. This means there will be no dorm rooms, the maximum number of people sharing a room will be 4, and you will be able to suggest preferred roommates. As always, we have a limited amount of beds, so please complete the registration process early.  The price for the entire weekend will be €360 per person, and will include LockCon 2023, breakfast and lunch on Friday, Saturday, and Sunday, dinner on Friday and Saturday, and lots of fun!

We are looking forward to seeing you there!

LockCon Team

Thursday October 12th 15:00 until Sunday October 15th early evening.

WestCord Hotel de Veluwe | Oud Millingenseweg 62 | 3886MJ Garderen | The Netherlands

https://westcordhotels.com/hotel/hotel-de-veluwe/

https://www.openstreetmap.org/relation/3591498

Lips shared access

Wednesday, July 5th, 2023

Locks don’t have to be hard to pick to be interesting, and a Lips lock Jos loaned me is a fine example of that.

Lately I’ve been drawn to picking lever locks, as they have that nice “Skyrim” vibe. You can get a long way with just some bent wires. Knowing that, Jos brought this nice Lips lock to a Toool meetup, and I got to play with it a little.

Picking it is pretty straightforward, as there are no false gates on the lever, and no curtain. The pin in the keyway does make navigation a bit awkward, but all in all it’s not hard to pick. 

Things get more interesting when you take a closer look at the lock.

First of all, it’s a Lips lock. Lips is a Dutch lock manufacturer that was founded in Dordrecht in 1871 by Jacobus Lips. In 1971 it became part of Chubb, and since 2000 it’s part of the Assa Abloy group.

The second name on the lock is P.G.E.M. The P.G.E.M. (or Provinciale Gelderse Energie Maatschappij) was a utility company delivering electricity and gas to the whole province of Gelderland in The Netherlands. Every Dutch province used to have its own utility company. It was owned by the province, and the local municipalities.

In the 1990’s the Dutch government decided all the utility companies had to be privatized, and P.G.E.M. became part of Nuon (which is now a part of Vattenfall).

Below P.G.E.M. are the letters LS, that stand for Laagspanning or Low Voltage. PGEM used these locks to secure electrical substations, and LS indicates this particular lock was used on a low voltage substation. The other side of the lock tells us more about this.

Here we see “Onderstation Woudhuis” written in pencil. Onderstation Woudhuis is a substation located in the city of Apeldoorn.

The double keyway is a striking feature which reminds of dual custody locks, only this isn’t that. It’s shared access, where only one of both keys is required to open the lock. This becomes clear when the faceplate is removed.

This seems to be a form of master keying without having to need to add extra gates to the levers, which would compromise the security of the lock. 

Every lever has two cuts at the bottom. A closer look at two of the levers shows how different cut heights make it possible to open the lock with two different keys.

Moral of the story: locks are fun in so many ways.

~Greenish

After posting the original blog, a good friend in the UK shared a page with the patent of the ‘Mastership’ two keyhole lock from 1889. http://www.historywebsite.co.uk/Museum/locks/gazetteer/gibbons/gibbons6.htm

EVVA ELUS cylinder

Wednesday, June 28th, 2023

I recently acquired an EVVA cylinder stamped “ELUS”. Nothing could be found about it, so I decided to investigate it.

Looking at this picture, it looks pretty standard. It is a variation of the EVVA NL system, which is inself is a variation of the TSC system. The NL is a 5-pin cylinder with multiple possible key profiles and with master keying in the bitting.

But: this system has additional electronics attached to it:

The electronics implement a Temporary Access Function, similar to that in the EVVA ICS TAF cylinder, invented around 25 years later than this. It was an invention of EVVA Netherlands with one of their partners, but it never reached production.

Read more about it in the paper Ive written about it.

-Walter.

What happens at a Toool meetup?

Wednesday, May 31st, 2023

In the current Tool rhythm, we have one meetup a week. Both the Amsterdam and Eindhoven meetups are Bi-weekly, where we planned to have one meetup a week. We come together to discuss lock topics, compete in the Toool competition, and generally have fun picking locks.

In this post, I’d like to share pictures topics and projects that have come across at Toool meetups.

A locked coin safe was brought to the meeting. Due to the construction of the box, the lock was a very difficult to put torque on with a turning tool. We succeeded in opening the lock several times, and had great fun picking the lock in literally seconds with an electronic pick.

Once in a while, we receive donations from community members. This Sparrows vault was donated to us with the request for an upgrade to the lock, as the original served not enough of a challenge. We complied, and mounted a Kaba Mas X0 Electronic lock on the Vault.

Everyone has a go-to pickset, one which is a mix of everything. We also bring Sunday’s best to dedicated sets. For example, Moki makes great picksets, which are even better with homemade handles. Or a shiny Multipick set, be it dimple or a dual-gauge set designed by Christina Palmer. Where the only part staged about the photo is to have all the sets neatly displayed.

We went to the Association des Crocheteurs de France conference in December 2022, and brought back a few tools and picks from France. We attempted to pick the Polox-5, and Fichet F3D. Both attempts made possible by the incredible work of Nitiflor, who designed and 3D printed these picks.

Jos brought a suitcase with Chinese locks, which was gifted to him for organizing LockCon 2016. At the time, these locks were unobtainable, and information sparse. The mechanisms are very intricate with 50-element wafer locks, and cores with continuous rotation similar to the Yuema 750, an implementation we have yet to see used in Europe.

If this blog sparked interest in lockpicking, or if you have been picking and would like to join a meetup, please contact us. We are always welcome to new people, be it to teach the basics or to share advanced tricks. https://toool.nl/Gatherings

May Contain Hackers 2022

Friday, May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For Lockpicking content, Toool organized a lockpicking village, The MCH CTF included lockpicking challenges, and plenty of exciting talks are given. Including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, mechanical security is no different. It takes sharp eyes, a soft touch, and a good hearing to distinguish between information and noise. In this talk we will go in depth on how locks works, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks. As in, opening the electronic locks by using a percussion drill and custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

Jan-Willem presented a basic introduction to threat modeling and uses puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.