Archive for the ‘Lockpicking’ Category

2-in-1 for Abus, that barely works.

Saturday, January 8th, 2022

Lishi 2-in-1s have been around for a long time, both for automotive and more recently for pin tumbler locks. Sadly, these tools are quite costly as they are keyway specific. Furthermore, this type of tool can’t be made for some locks as the keyways are too tight. Or so I thought: as of writing, there are several 2-in-1s for sale for the paracentric Yale keyway. As I was intrigued, I’ve bought an off-brand 2-in-1 for CISA. In testing the tool, I’ve found various limitations that might impact the usefulness of this tool.

Let’s start from the beginning. Lishi is the brand name of a series of lockpicking tools designed and made by Zhi Qin Li. The Lishi company split up and Zhi Qin Li still sells his 2-in-1 under the brand Original Lishi, while another company sells them under the brand Genuine Lishi.

Original Lishi sells a variety of tools; the one generally referred to as a Lishi is a 2-in-1 lockpick that both applies a turning force and picks individual elements. The tool can also be used to decode the lock once the lock is open, and a key can be cut in the field with another of Li’s tools.

Lishi for the Schlage SC4 keyway.

So, what does a Lishi 2-in-1 lockpick do? The tool consists of two parts: the body that is used as a turning tool and the thin feeler that’s used as a lockpick. This in itself would not be too useful; however, the body has a chart of where the lockpick is in the lock. You move the pointer to the desired element, indicated by the vertical lines, and push down lightly on the pointer. This in turn moves the lockpick, pushing down on the element in the lock. You can feel if the element is binding or not. And just as in lockpicking, you go through the lock, pin by pin, and feel for the binders. Then you set each binder and search for the next one, until all elements are set. Click on one, click on three… Open!

Since Y2K these tools have been available for automotive locks, as the combination of open keyways, many wafers, and typically low tolerances works very well for this tool. 2015 was the year 2-in-1 picks became available for pin tumbler locks for the USA market (Schlage, Kwikset, and Master). Most of these locks have wide keyways, low tolerance, and very few security pins.

I’ve played with a few of these tools, but didn’t find them too useful. I’m not a locksmith, and not in the USA. For me, they would be mostly a novelty. But the pick I’m about to show can be a game changer as it targets European locks I’m familiar with.

In December, I was notified that a seller on AliExpress sells a 2-in-1 (not a Lishi!) for the paracentric Yale keyway. The consensus among lockpickers is that this tool could not exist, because the keyway is too tight and has no straight access to the pins. I was curious enough to fork over €50, and bought one for CISA as it’s very close if not identical to the Abus C83, the lock we use for impressioning championships.

The seller is quite open about the tool’s limitations and wrote on the lever “80% coverage. Without pin 8 or 9”. This sounds like it’ll open 80% of locks, but that doesn’t seem to be the whole story, as we will find out. The biggest concern with a tool that works on a subsection of locks is whether the user can detect that the tool does not work, as opposed to user error or lack of skill. I suspect so, but it will be far from easy. In short, the tool will not work on a lock with one or more cuts deeper than a 7; that pin will always be overset, and this you can detect.

Small subsection of factory-cut Abus C83 keys; I’ve a modest collection of them.

As I was curious about the 80% claim, I’ve spent an evening measuring my Abus C83 keys. While these are not CISA, they are close, and I happen to have a modest collection of these keys. 92 out of 283 of the measured keys have no cuts deeper than 5.5mm, the size of the tool. This means the tool will only work on 30% of my Abus C83. This is consistent with a statistics sanity check. For this, we assume every lock has a uniform distribution of cuts, ignoring MACS (the maximum adjacent cut specification). This came to (7/9)^5 = 28.4%.
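The sanity check above, carried a step further as an added example (not code from the original post): it counts the share of bittings with no cut deeper than 7, optionally under a MACS limit, and checks whether the measured 92 out of 283 is statistically compatible with the uniform estimate. The MACS value in the demo is a constructed assumption, as the post gives none.

```python
from fractions import Fraction
from math import sqrt


def count_keys(pins, depths, macs=None):
    """Count bittings of `pins` cuts over depths 1..depths. If `macs` is set,
    adjacent cuts may differ by at most `macs` steps (dynamic programming)."""
    ways = [1] * depths  # ways[d]: bittings so far whose last cut is depth d+1
    for _ in range(pins - 1):
        ways = [sum(w for prev, w in enumerate(ways)
                    if macs is None or abs(prev - d) <= macs)
                for d in range(depths)]
    return sum(ways)


def coverage(pins, depths, deepest_reachable, macs=None):
    """Share of the keyspace with no cut deeper than `deepest_reachable`.
    MACS only limits differences, so the reachable keys are simply the
    keyspace of a lock that has `deepest_reachable` depths."""
    return Fraction(count_keys(pins, deepest_reachable, macs),
                    count_keys(pins, depths, macs))


def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a measured proportion hits/n."""
    p = hits / n
    centre = (p + z * z / (2 * n)) / (1 + z * z / n)
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / (1 + z * z / n)
    return centre - half, centre + half


if __name__ == "__main__":
    model = coverage(pins=5, depths=9, deepest_reachable=7)  # (7/9)^5
    low, high = wilson_interval(92, 283)  # keys measured in the post
    print(f"uniform model: {float(model):.1%}")
    print(f"measured 92/283: 95% interval {low:.1%} to {high:.1%}")
    print("model inside interval:", low <= model <= high)
    # ASSUMPTION: MACS of 4 steps is a constructed value, not from the post.
    print(f"with MACS 4: {float(coverage(5, 9, 7, macs=4)):.1%}")
```

With real MACS and depth-step data for a given lock model, the same `coverage` call gives the share of factory bittings a depth-limited tool can reach.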

I’m considering this 30% an upper bound, as Abus C83 and CISA aren’t shipped with standard pins. The old locks are shipped with mostly spool pins, and the new ones have serrated, spool, and T-pin key pins and the same for the drivers.

Abus C83 old style vs new style pins.

Besides the theoretical usability and security pins, what other flaws would make this tool suboptimal? The picking tip snags while moving from pin to pin. Furthermore, picking in the counterclockwise direction binds the picking tip, and it makes it difficult to differentiate between a binding pin and a binding picking tip.

Randomly pinned lock with standard pins, decoded to 52452.

Let’s wrap it up. This tool is sold at €50 and promises quite a lot. However, theoretically, it will only open 30% of all the locks it was designed for. Furthermore, the limitations of security pins and rotation direction will limit the functionality even more. A practiced lockpicker might be able to overcome some limitations, or detect the tool will not work. A tool that only opens a very small subset of locks is not a very useful tool, and I can’t recommend it to pick these locks. However, as new pickers always struggle to find the binders, and this tool enables them to actually ‘see’ what they are doing, it could be a game changer for teaching.

Pictures CCBY4.0 Jan-Willem Toool Blackbag

Lock Picking Forensics

Wednesday, October 6th, 2021

I (Walter) have created a geocache that requires some RSA hacking and subsequently lockpicking. I bought an Abus Titalium 64TI/40 padlock to be picked. Several people were able to find it by teaming up together. The feedback I got was that people spent considerable time on the lock, sometimes several hours (in separate sessions).

Geocacher #15 was unable to lockpick the lock, even though he had practiced on an identical lock at home. I offered to go with him to give advice. He couldn’t open it. Also I couldn’t (quickly) open it. I took the original key and that would not open it. By not fully inserting the key and wiggling, I succeeded in opening. (I let the geocacher pick his own lock and allowed him to log the cache.)

Once home, I decided to take a look at the lock. Although only a very limited number of people had worked on it, it was completely shot. I took a video showing a new padlock and then the one from the cache:

I’ve taken apart the lock to have a look at the pins. We always say that picking a lock will leave tiny traces on the pins (and other parts of the lock) that can be found during a forensic investigation. Well, in this case, the naked eye was enough to see the abuse.

Here’s the plug with the key inserted. Note how the pins have shortened. This causes the key to no longer work.

This also explains why taking out the key a bit and wiggling opened it.

Here’s a view of the pins:

There’s now a new padlock in place. You can’t really tell from the picture here, but the pins are made out of aluminium, which kind of explains the wear on them. I bought the lock as it is marketed as being weatherproof. But resisting weather is different from resisting lockpicks.

Photos/video CCBY4.0 Walter Belgers

Book review: Little Black Book of Lockpicking

Thursday, September 30th, 2021

Two weeks ago Alexandre “FrenchKey” Triffault published the book Little Black Book of Lockpicking on NDE techniques for Red teams and security professionals. The book has 171 pages with a broad variety of lock types and opening methods, from lockpicking to impressioning, and from making cutaways to decoding combination padlocks.

Whenever there is a new book about lockpicking I pick up a copy, especially when it’s written by a friend. It sold for €35 on Amazon, which does the printing and distribution of this book. The book is a good read and is a continuation of the OFC guide to lockpicking (free pdf) that’s also written by Alex and translated by MrAnybody. The OFC guide is all about lockpicking, while this book includes many more topics including bumping and impressioning, both topics I’ve paid extra attention to.

The first thing I noticed was the many highly detailed graphics used. Alex modeled the locks, lockpicks and other tools and included 3D renderings in the book as virtual cutaways. The style works very well for this book. It does not just write about a concept but also shows how it is done.

The book has 27 chapters, with on average six pages for each subject; this inevitably means there is not too much room for details or nuances. This is a pity as Alex has the ability to give insights I would never think of.

I want to mention that the advanced topics in the book like (self) impressioning will take a long time to get good at. For me, I’ve experienced it takes many failed attempts to do these attacks, even in a controlled environment. Attacks like self-impressioning took me a very long time to make work. I can only imagine how it would be to attack doors on an assignment.

This is one of the better books on the basics of NDE and I recommend getting a copy for yourself or to share. When you share the book, do keep in mind the book is written for red teams on an assignment and not for hobbyists. It is never a bad thing to give a small lecture on the locksport ethics and our view on locks as a puzzle with the book.

Wooden lock; Binding order demo

Sunday, May 23rd, 2021

In 2019 Jan-Willem built a binding order demo out of laser-cut wood.
In this post we would like to share the project with the rest of the world.

Binding order is the order in which the pins bind in a lock. This is mostly due to the manufacturing tolerances but can have other causes. This concept is hard to grasp for a new lockpicker and is one of those ‘You’ll get it when you see it’ concepts. When teaching lockpicking it is common to hear: ‘I have been pushing down this pin and it doesn’t want to stay down.’ This tool can be used to demonstrate why the pin did not want to stay put.

This demo is certainly not ‘the’ solution. It is just a fair attempt that works for us. It will make the explanation better by adding both the visual and touch to the explanation. The participants can play with the board and feel the effect of binding and what the effect is of using light or strong tension.

For reference: The board is about the size of an A4 piece of paper. The base is crafted from three layers of 3mm plywood. The core is a single sheet and the pins are three or four layers, depending on the feel you prefer. Each pinhole in the base/core has a different size and different offset. All of the pins are a different size as well. This gives plenty of options to change the binding order.

We used the demo in lockpicking villages across the globe. We have found that it helps the explanation immensely when encountering language barriers. Video link to how you can use the binding order demo: https://youtu.be/WiCdws84EuQ

The binding order in this model can be quite subtle. It would be great to have another with an extremely exaggerated binding order; a smaller, 3D-printed version would also be great to have. A bit of paint will not hurt either.

CC-BY-4.0 Jan-Willem Markus Toool Blackbag.

Lock pin collection

Friday, March 19th, 2021

In a previous blog post Jan-Willem’s pin collection was mentioned. In this post the pictures of the pins and keys are shared.

There are no epic conclusions to this project. At this moment it’s just a collection of photos of locks and pins, shared with the world. Hopefully it’ll be a resource for new pickers that would like to know what they are up against. Maybe future research will use it, where someone clever uses the fact that some spools are different than others to decode the lock. Sputnik comes to mind and we think the possibilities are not exhausted yet. (If you are working on something I’m happy to assist.)

New pickers, don’t be intimidated by the key or keyway. If you look through the collection, many of the pins are underwhelming. While an Evva is known to be a difficult lock, it was not expected to find all standards or one spool pin. When struggling with a lock, just take it apart and see what’s in there. The next time you encounter the same lock you will know Nemef has a spool on position two (inside joke).

This collection has a few obvious biases:

  • The collection only contains basic pin tumblers.
  • Most locks are from Europe, and are from well known lock brands.
  • The locks are not too expensive and are usually old. Therefore it lacks fancy pins like gins and Christmas trees.
  • Pins/locks that are too similar are rejected. There are some duplicates as well.
  • This is a snapshot in time. The pinning of the locks changes every few years. A good example is DOM RN with two different types of pins in this collection.

If you have specific knowledge on these locks, please share; we are open to learning more about locks. Find us on Discord, leave a comment or send us an email.

The photos are: key, pins, key, pins. The photos of pins are arranged with the brand and number. The keys have ‘key’ in the name. The Titan with a key engraved D5474 will have the pictures: TitanD5474-1key-1-scaled.jpg and TitanD5474-1-1-scaled.jpg.

The pictures are by Jan-Willem Markus. CC BY 3.0. https://creativecommons.org/licenses/by/3.0/
In short: you are free to use, modify and share these photos as long as you give attribution. If you plan on selling them or using them in a blog/paper/book please notify us.

The end.

Lockpicks for Hackerspaces

Tuesday, December 3rd, 2019

Post by: Jan-Willem
I’ve recently acquired ~20kg of lockpicks, 4000 lockpicks. These were sold by a scrap metal dealer on eBay. As to why he had them, I can only guess. He did well not to scrap these. The picks are a bit rusty and need work to be usable. As you can imagine, cleaning them all by myself will not be fun. Therefore I decided to sell most of them and give some away. (Yes, this project is not what a sane person would attempt.)

I’ve sold bags of 500g at LockCon. Most will be used at lockpicking villages around Europe. With the remaining picks I’ve created grab bags of about 250 gram (50 picks) for the Dutch Hackerspaces. Because every Hackerspace needs lockpicks.

Lockpicks, ~4000 of them!
Lockpicks packed and labelled. Ready to be shipped by Hackermail (Inter-hackerspace delivery service)

The full story can be found on: https://bitlair.nl/Projects/Lockpicks_for_Dutch_Hackerspaces Happy picking!