Archive for the ‘Lockpicking’ Category

What happens at a Toool meetup?

Wednesday, May 31st, 2023

In the current Toool rhythm, we have one meetup a week. Both the Amsterdam and Eindhoven meetups are bi-weekly, planned so that there is one meetup each week. We come together to discuss lock topics, compete in the Toool competition, and generally have fun picking locks.

In this post, I’d like to share pictures, topics and projects that have come up at Toool meetups.

A locked coin safe was brought to the meeting. Due to the construction of the box, the lock was very difficult to put torque on with a turning tool. We succeeded in opening the lock several times, and had great fun picking the lock in literally seconds with an electronic pick.

Once in a while, we receive donations from community members. This Sparrows vault was donated to us with the request for an upgrade to the lock, as the original was not enough of a challenge. We complied, and mounted a Kaba Mas X0 electronic lock on the vault.

Everyone has a go-to pickset, one which is a mix of everything. We also bring Sunday’s best to dedicated sets. For example, Moki makes great picksets, which are even better with homemade handles. Or a shiny Multipick set, be it dimple or a dual-gauge set designed by Christina Palmer. The only staged part of the photo is that all the sets are neatly displayed.

We went to the Association des Crocheteurs de France conference in December 2022, and brought back a few tools and picks from France. We attempted to pick the Polox-5 and the Fichet F3D. Both attempts were made possible by the incredible work of Nitiflor, who designed and 3D printed these picks.

Jos brought a suitcase with Chinese locks, which was gifted to him for organizing LockCon 2016. At the time, these locks were unobtainable, and information was sparse. The mechanisms are very intricate, with 50-element wafer locks and cores with continuous rotation similar to the Yuema 750, an implementation we have yet to see used in Europe.

If this blog sparked interest in lockpicking, or if you have been picking and would like to join a meetup, please contact us. We always welcome new people, be it to teach the basics or to share advanced tricks. https://toool.nl/Gatherings

May Contain Hackers 2022

Friday, May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For lockpicking content, Toool organized a lockpicking village, the MCH CTF included lockpicking challenges, and plenty of exciting talks were given, including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, mechanical security is no different. It takes sharp eyes, a soft touch, and a good hearing to distinguish between information and noise. In this talk we will go in depth on how locks work, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks, that is, opening electronic locks by using a percussion drill and a custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

Jan-Willem presented a basic introduction to threat modeling and used puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.

Cutaway locks, why put in the effort?

Sunday, April 16th, 2023

In a previous blog post, I’ve written about Qikom’s cutaways. This post is a tangent on why we would like to see more cutaways made and the knowledge shared.

When we teach beginners and show them a unique lock, often they can’t imagine what happens in the lock, as all they can see is the outside. To illustrate this, let’s play a short game with a Fichet 787. The key looks quite interesting, as it has half a dozen cutouts on each side. It’s not symmetrical, and can only be inserted in the keyway in one direction. You feel a spring pushing against the key, but at rotation it seems to be like any other lock.

If you haven’t seen this lock before, take a moment to imagine what the internals are like.

Fichet 787. CC-BY-4.0 Jan-Willem, Toool Blackbag

It’s quite obvious where I’m going with this. There can be almost anything inside the shiny cylinder. It will be very difficult to find the solution without taking it apart, or looking at a diagram. The cutaway, like the one from Qikom below, shows the internals of the lock, reducing the guesswork compared to a picture of the parts.

Qikom Fichet 787 Cutaway
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The interaction between the lever pack and the gears.
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The lock is open.
CC BY-NC-SA 4.0

Is it anything like you imagined it to be?

What does the 787 do? The Fichet 787 is a push lever lock, where the push action allows the lateral movement of the levers to rotate a set of gears to the opening position. The sidebar is a passive element that checks if the gears are all aligned. With the correct key, the cylinder moves inwards, clears a blocking element, and is able to rotate. At the same time, the key is trapped by two half circle disks.

It is quite possible you have seen this lock before, as it has been around for decades. I learned about the lock in 2018, and recently expanded the knowledge at the Association des Crocheteurs de France lock conference in December 2022. I learned, for example, that the dovetail, which connects the cam to the core, is a fairly recent addition that prevents a (partially) destructive attack.

French locks are my favorite weird lock designs, where Fichet is king. The ingenuity is admirable, with many clever ways to solve the same problem…

Wendt lockpicking championship

Monday, April 3rd, 2023

On the 25th and 26th of March, Wendt organized a lockpicking championship in collaboration with SSDeV and ACL. Who is Wendt? They are creators and suppliers of locksmithing and lockpicking tools. They have a yearly house-fair to demonstrate the newest in locksmithing tools, and host competitions. This year’s event was specifically for the lockpicking community.

Wendt HQ in Bergheim, Germany. (Picture copyright Wendt.)

The main attraction is the German-style lockpicking competition, where, in short, every competitor brings their own double euro pin tumbler cylinder. You’ll have to prove you can pick it yourself in five minutes to qualify. For each of the competitors’ locks, you get fifteen minutes for your picking attempt. The final score is decided by who has the most opens in the least time.

This year, a large variety of locks was present: Iseo, M&C, IX Saturn, IX-6, both Abus XP1 and Cisa SP, and Assa twin 2. Some of these, as you can imagine, are not opened often in fifteen minutes. This was felt as a setback by some, while others were encouraged to practice with even harder locks. Not to mention the endurance required to pick locks for over 5h straight.

Walter and Henri competed on behalf of Toool. For Henri, it was his second lockpicking event. His video (YouTube) is worth watching if you are looking for encouragement to join a similar event. For photos of the lockpicking, please see the Facebook page of Wendt.

I’d like to share a few notes on a constructive discussion on how to run competitions. To some, the competitions at events like LockCon were too easy. People felt it was a competition in who can rake the locks the fastest. This event, by contrast, had rounds with very difficult locks, and few opens. There is a balance to be found between the two systems. The comments are clear: give us harder locks to pick, but do give locks that are pickable in a reasonable time.

There was plenty of room to meet other lockpickers at the event, chat with the vendors, and join the side competitions. Han Fey had a very interesting challenge, where you are given a key ring and a box of locks. The goal was to match the most keys to the most locks in the least time. The catch is, you only got one chance. If the key didn’t fit, your attempt was over.

Just for fun, Jos and I competed in the electropicking competition and got 1st and 3rd place. The real stars of the show are, of course, the electropicks Wendt sells. Truly amazing equipment.

On a side note, we call electropicking non-destructive as the lock remains functional. However, the repeated impacts between the pick needle and the pins do create a lot of brass dust, as seen in the picture below.

To wrap up this post, it was great seeing so many old friends and to make new ones. Time well spent. Thanks, Sasha, and the Wendt team, for organizing this event!




Gorgeous cutaway photos from Qikom

Wednesday, January 25th, 2023

Qikom, a lockpicker from France, created gorgeous lock cutaways and shared the images online. I believe cutaways to be very useful for understanding intricate lock designs. A good cutaway allows us to observe the elements of the lock while it still functions as normal.

Qikom is an associate professor in mathematics and computer science. He got interested in lock picking a little before 2000 after reading the autobiography of R. Feynman (the physicist). Like many pickers, he is interested in the “puzzle” aspect of locks, and making a working cutaway is another kind of puzzle. Furthermore, he added, he spends more time making cutaways than picking locks!

You can find Qikom’s complete cutaway collection at: http://qikom.free.fr/. The pictures are licensed under CC BY-NC-SA 4.0.

Screenshot from Qikom’s website as of January 2023.
http://qikom.free.fr/ CC BY-NC-SA 4.0


I’ve asked Qikom for tips on making great cutaways. He says about his cutaway strategy:

“I don’t have a well-defined strategy when planning a new cutaway. I know people start by making a 3D model of the lock to plan the cuts, but I don’t bother. In many of the locks I’ve cut, the cutting plan isn’t all that complex, and I try to set things up, so I can adjust things incrementally. One important thing I do, is to never cut a lock on the same day that I come up with the cutting plan, to get some time to think about it.

I usually try to have at least 2 identical locks to cut, and I consider one of them to be expendable. When everything works, I can sell / trade the second one, and if not, I get to correct any mistake on the second try. A couple of times, I badly failed twice, but could salvage enough parts to get the third attempt.
But there are still some locks waiting because I wouldn’t want to mess them up.

I’ve made several embarrassing goofs along the way, but none of them would have been prevented by that! The graveyard includes several Robur, Rosengrens, Abloy, Fontaine, and Fichet… 🪦 I’ve only attempted cutting an F3D when I got a couple of broken ones. This was a good idea, because the first 3 attempts were failures.

But there are still some locks waiting because I wouldn’t want to mess them up. Including the Emhart.”

Qikom often sells his cutaways online to partially fund the hobby. If you are interested in these locks, or have a few spares that would work as a cutaway, consider contacting Qikom at qikom@free.fr


Czech Lockpicking Championships

Monday, October 31st, 2022

The Association of Czech Lockpickers held their yearly competition last weekend. Starting up after COVID, they offered a limited program without impressioning championships, but still included a padlock competition, blitz, cylinders and freestyle.

I (Walter) went over to participate. There were competitors from Czechia, Germany, Austria, Hungary and I was the representative for the Netherlands. The championships were held at a nice and cosy facility, giving ample room for socialising and catching up with old friends.

Some of the ‘usual suspects’ were absent due to work or for other reasons, but still there were plenty of people participating.

Padlocks

First up was the padlock competition. The padlocks were provided and differed quite a lot in difficulty. You are allowed to test your tension wrench before the clock starts. For one particular lock, it was hard to test the tension wrench without accidentally already opening the lock. On the other side of the spectrum, some of the Tokoz padlocks proved impossible to open in the allotted time.

I had a tool stuck in a lock, which is why I didn’t make the A-finals. But all for the best, because in the B-final I then became second. There were 7 people in the A-final, 9 in the B-final.

Blitz

The blitz competition requires opening locks within a minute. Each participant brings their own lock. I was a bit confused here. I’ve done such competitions before. I fondly remember the one held by SSDeV in 2003. People would give me the lock and tell me exactly how to open it, because the goal here is not to bring a difficult lock, but to encourage beginning lockpickers to have success. It is a competition that should also show the audience that lockpicking is a sport that can be done by anyone. However, at this competition, there were very difficult locks, I even saw a Mul-T-Lock with the pin-in-pin system. It was no surprise that it did not take long for most of the people to be out of the game, me included.

Cylinders

For me, the cylinder opening is the most interesting competition and I was looking forward to it, after the Blitz. For this competition, people take their own locks that they need to open within 5 minutes or they cannot participate. I took an Ivana Necoloc (rebranded Anker Infinity) that was used in the Toool championship finals (nobody opened it there in 15 minutes). For the first time, I prepared for a competition, because I practiced opening this lock within 5 minutes. I managed to do so here under stress as well (about 1’20) and could participate. The competition saw some very difficult locks, such as the EVVA ICS.

I made it to the A finals, even though I did not open the FAB lock. Later, I learned it has a very deep pin because of bump protection, which I somehow missed in the stress.

In the final, I opened a cheap lock (Legallais) and a Winkhaus, but left the EVVA ICS and Cisa SB (similar to Abus XP1) closed. The Cisa was almost completely picked until I made a mistake and had to start over. Jascha had the same happening to him. The last round I got Jascha’s Yale dimple lock which had dimples and sliders. I destroyed my lockpick on it, but opened it in 14’58! That, in the end, was enough for fourth place overall. I thought my Ivana lock would be difficult enough to give me an advantage, but it turned out everybody in the A-finals opened it within the 15 minutes.

Freestyle

For the freestyle competition, the locks were once more provided. They needed to be opened within 5 minutes. I did not bring any electropicks or other ‘freestyle’ tools, so reverted to normal picking. I again made it to the A-finals. There, I opened 3 EVVA locks and 2 Euro Plus locks. Once I figured using the Bogota was the way to go, I opened these in seconds, but unfortunately the first EVVA and Euro Plus took me 1’49 and 2’14. There were 2 Mul-T-Lock interactive cylinders that “talked” to me but wouldn’t open in the end, a FAB 400 I had opened in the first round but wouldn’t open in the final and a Kaba Gemini that was only opened by the winner using an electropick (and a bit of luck). I think it was due to my time that I only became 7th here.

Overall it was a very nice competition with a good atmosphere. Thanks to the organisers!

Photos CCBY4.0 Walter @ Toool Blackbag

LockCon 2022 – Car Lockpicking Competition

Saturday, September 3rd, 2022

Our friends from Italy organized the Car lockpicking competition this year. Many car door locks, provided by ParmaKey, were picked during the competition.

First place in the competition won a Multipick ELITE pickset, an Italian bag, and a bottle of wine. Second and third place won a Multipick ELITE pickset. All winners got a trophy, and a custom engraved PACLOCK, a book on lock history, and a lock comic book.

Congrats to the winners!

Lasse got 1st place
Tom C got 2nd place
Nitiflor got 3rd place

LockCon 2022 – Lockpicking Competition

Saturday, September 3rd, 2022

During the Saturday, we ran the Lockpicking competition. For the first round, we had eight tables with eight participants each, who all attempted to pick locks in 5-minute rounds, where everyone at the table gets to try all locks. The first and second best of each table got to the next round, which was four tables of four. The best of each table got to compete in the finals.

This year the competition had a wide selection of locks, from Abus, Corbin, Kibb, Iseo, Kale, Nemef, DMS, Winkhaus, DOM, S2, ERA, and Zeiss-Ikon, just to name a few.

First place in the competition won a custom engraved Abloy Classic lockpick by Jaakko and a Sparrows voucher of €100. Second place won a mh electronic lock bumping kit and a Sparrows voucher of €200. Third place won a Multipick LockNoob essentials lockpick kit. All winners got a trophy, and a custom engraved PACLOCK.

Congrats to the winners!

Oli got 1st place
Torsten got 2nd place
ImSchatten360 got 3rd place


LockCon 2022 – Toool Competition

Saturday, September 3rd, 2022

Toool NL has a competition with ~25 locks, which can be picked during Toool meetings. Each member times his opening attempts and points are awarded according to opening times. The competition ran from LockCon to LockCon, which was a bit longer than a year, this time.

Competition archive from 2004: https://toool.nl/competitie/

Competition from 2020: https://toool.nl/competitie2020/

First place in the competition won a custom engraved Abloy Classic lockpick by Jaakko. Second place won a Multipick Kronos electropick. The third place won a set of Multipick dimple lockpicks. All winners got a trophy, and a custom engraved PACLOCK.

Congrats to the winners!

Walter got 1st place with 250 points
Tom got 2nd place with 176 points
Jos got 3rd place with 160 points

Castle De Berckt

Saturday, August 20th, 2022

This blog is a short photo tour of the venue for LockCon 2022.

Map of the Berckt estate. Please park at P2 and walk back around the Manor house to the Legion Hall.

Click the map to enlarge, or follow the link: https://blackbag.toool.nl/wp-content/uploads/2022/08/The-Berckt-estate.png

The first sign you will see from the road.
Enter through the side guard gate. If you are on foot and the gate is closed, enter through the main entrance.
Drive straight through to the end, then turn right into parking area two (P2).

After parking, walk back the way you came and head over to the conference hall (Legion Hall).

Please, do not walk through the Manor House from the parking area, as another group has rented that hall and terrace, and we don’t want to disturb them.

This is the Legion Hall and The Tower. We have this whole building!
Alternative view from behind the main castle buildings, on the other side of the moat.
https://cdn.discordapp.com/attachments/1006820270847295578/1009751998494670848/castle_stage-Holly.png
Here’s a photo of our presentation hall. We will also run our competitions here.
https://cdn.discordapp.com/attachments/1006820270847295578/1010160714784190504/castle_dine_hall_01-Holly.png
Here’s the dining hall.

In case of doubt, please call the organisation or use street view.