Keys « Toool's Blackbag

Archive for the ‘Keys’ Category

Miniature Roman golden lock measures just 11 by 12 mm

Wednesday, February 26th, 2025

On November 14th 2024, the Landschaftsverband Westfalen-Lippe (LWL) at Münster presented a tiny golden lock from around the year 400 (1600 years ago). This news was published on the 28th of January by the LWL, and widely shared. Most articles written on the topic used the smallest version of the photos they could find, and glanced over the details. We chose to write this article after re-discovering the original article and studying the inner workings of the lock.
Feel free to check out the original article, first. The article has loads more details on the history, as well as videos of the CT scan and the working principle of the 4x model: https://www.lwl.org/pressemitteilungen/nr_mitteilung.php?urlID=60628

This is the lock itself on a black background. The Lock is 11 mm by 12mm in size. DKZ 3619,0094:109 – Fundnr. 15. Photo copyright: LWL /S. Brentführer

While it doesn’t look too special at first glance, this lock is s quite an engineering marvel. At just 11 mm high with a diameter of 12 mm, it’s tiny. The engineering is quite similar to engineering in horology and takes incredible skill to make something like this today, let alone with the tools from 1600 years ago.

The lock looks great from the outside, but to really, appreciate the complexity. We will have to look at the Neutron tomography CT-scan the researchers created. The images may not look like much to the untrained eye, but the researchers published the post-processed images to show the specific parts.

CT-scan (Neutron tomography) of the lock revealed the inner workings of the lock.
Photo copyright: Paul-Scherrer-Institut/Villigen [CH]/ David Mannes

The next image is the processed CT-scan where specific parts are colored. The article gives the following explanation: frame with spring (red), bolt (blue), broken bolt (?) (yellow), piece of the key (green), baseplate (purple) and inserted chain link (orange). The original article provides a video of the CT-scan as well. The video is in the attachments to the original article, with the name: “Anlage 1: Dosenschloss_Neutronen_CT_Animation.avi”.

This image shows four views of the processed CT-scan. Three side views and one top view.
Photo copyright: Paul-Scherrer-Institut/Villigen (Schweiz)/David Mannes; Montage: LWL/Corinna Hildebrand

With the information from the CT-scan, Stefan Brentführer set out to make a functioning replica. He chose to make the replica larger, likely to better show how the lock works, as well as it is easier to work on larger parts. This exploded view is quite well done, but it doesn’t show clearly how the parts fit together. If you are up to the task, take a moment to puzzle to see how these pieces fit together.

Replica of the lock at a 4:1 scale. DKZ 3619,0094:109 – Fundnr. 15.
Photo copyright: LWL /Stefan Brentführer

While locks which require a rotational motion to open can only be opened in either clockwise or counter-clockwise rotation, this lock operates clockwise, as do most locks in use today. Does someone know examples of counter-clockwise operating locks from 1600 years ago?

I’ve puzzled that the steel piece in the middle fits upright and horizontal on the round backplate. It has a matching piece which fits the rectangle hole. This leaves a square opening for the square linkage. The second diagonal rectangle hole is for the round post. (Yes, this tiny lock has a pipe key!) The cutout on the key corresponds to the bridge on the middle plate. From there it got confusing, and where I got some help. The bolt fits under the bridge into a barely visible rectangle hole to the top left next to the spring.

Single frame from the video demonstrating the workings of the lock.
Photo copyright: LWL /Stefan Brentführer

The lock’s operating is rather clever as it reuses the spring to keep the bolt in place in either positions. With the bolt closed and the key rotating in the clockwise direction, the fat bit of the key pushing down the spring that traps the bolt in the locked position. The triangle tip of the key perfectly fits the triangle cutout on the bolt. The bolt is moved on top of the spring, while the key holds the spring down. The closing operation is identical, but in reverse. Stefan Brentführer made a video of the operation and added it to the original article under “Anlage 2: Dosenschloss_Rekonstruktion_Schliessvorgang.MP4”.

Toool didn’t have a role in the research, but we believe these moments should be chearished and the news shared widely. My contribution, beside this blog, was the work to demonstrate how small the lock really is. I’ve made a mock-up of the lock in OpenSCAD and printed a copy with an FFF 3D printer. The files are attached, in case you are curious or want to print your own.

20250202_Pendant_1600_1 Download

3D printed mock-up of the lock in purple filament on top of a cabinet lock with very much the same mechanism but designed as a mass-produced low security product. CCBY4.0 Jan-Willem Markus. Toool Blackbag.

Nigel from Toool UK went a different route, and chose to model the mechanism in a 3D CAD program, with great result!

A 3D render of Nigels model. Photo copyright Nigel K. Tolley. Toool UK.

The photos in this post are mostly from LWL /S. Brentführer. They kindly give permission to share the pictures in the context of the finding. The article is the creative work of Jan-Willem Markus. This text is copyright CCBY4.0 Toool Blackbag.

Posted in Keys, Locks, General | 3 Comments »

Challenge completed!

Friday, February 2nd, 2024

Walter and Jan-Willem successfully completed the UKLS January challenge, and like to share the lessons learned as well as show off the 31 locks. The challenge is to open a lock, every day, for the days of January. This is a good way to get in the consistent lockpicking practice, and challenge yourself to pick more difficult locks. You can find a longer explanation of the challenge in the blog released earlier this year. (https://blackbag.toool.nl/?p=4023).

Picking a lock a day has helped me to get use to my new thick acrylic Moki handles, and taught me a few new picking tricks. As the month progressed, I attempted quite difficult locks, of which most didn’t open, at least not right away. For example, I’ve played an hour a day with a particular BKS, which still remains shut. When a lock didn’t open after a while, I frequently tried another lock, if not to keep the streak.

Walter picked a DOM, Pfaffenhain, Nemef, Mul-T-Lock, Wally, Anker, EVVA, ISEO, Gerda, CES, Ivana, Geba, Novoferm, Wilka, FF, Abus, Thirard, Yale, Vachette, Lips, Pratic, S2, Sobinco, Mauer, Corbin, BASI, VBH, Zeiss Ikon, Destil, Kale and an M&C.

On the other hand Jan-Willem picked the Kibb, Dom Sigma, Abus C83, MD, Anker, CAS, Gerda, Lockinox, Nemef, Pfaffenhain, Kraft, Nino, Gaba, (another) Lockinox, Bern, Yale, Axa, S, Era, UAP, Evva, M&C, F (can’t recall, federico? fred?), Iseo, Fake Assa 700, (2nd) gaba, corbin, mila, Ivana, Favour, and a SEZAM cylinder.

By Jan-Willem. Pictures CCYBY4.0 by Walter and Jan-Willem Toool Blackbag.

Posted in Lockpicking, Keys, Locks | 1 Comment »

UKLS January challenge

Monday, January 1st, 2024

The January challenge is a lockpicking game ran on the UKlocksport forum. In short, the challenge is to picks/impressions/opens one lock a day for the days of January. The rules say to post pictures daily and not to play catch up. As in, to pick a lock every day, not just 31 in the month of January.

You can extend your lockpicking streak, if you so wish. Some people extend the streak by a few days, others do a full year. One exemplary lockpicker, Toni, picked a lock a day for 1093 days straight, which is three days short of three years! Furthermore, Toni started a new streak of several hundred lock in 2022, as well.

The last two locks of the lockpicking streak by Toni are both sides of the same DOM Plura.

Lockpicking collage of the special picks from Toni from the first 365 locks.

I’ve used the January challenge as a good excuse to learn a new skill. For example, in 2018 I’ve impressioned a lock a day in January. In 2019, I’ve impressioned a dozen, and picked locks for the remaining days.

All of my January challenge impressioning opens are on (regularly repinned) Abus C83. As you can imagine, the pictures of the opens are quite similar, thus I’m only posting a few here.

It’s very easy to start the challenge, and then let it drop when that one lock doesn’t open. So to help you along, here are a few tips and tricks.

Don’t set the bar too high, as the difficulty isn’t as important for your daily lock.
Try to incorporate lockpicking in your daily schedule, for example to pick your lock while waiting for public transit, or during a coffee break.
Plan out your month so you have enough easier locks for the busy days of the month.
If you challenge yourself with an F3D, have a contingency when it doesn’t open that quick, as someone on YT.
Skipping posting is better than skipping a pick.
Lastly, share your picked locks, no matter if it’s a steak or not. Celebrate the victories will help you stay motivated.

The two rings are easier locks than the box on the right, but at 25g each, you can’t beat the cores of Master Loto for weight. Toni took a box of these to keep his streak alive during holidays abroad. (Do check the country’s stance on lockpicking, though.)

With picking a lock a day, you built the lockpicking muscle memory. We as Toool advocate for using the three O of out name, oefenen, oefenen, and oefenen. Which is the Dutch word for practice. In English, you could say to pick locks over, over, and over again.

If you are inspired, please join the UKLS forum, and start sharing your picked locks. I would like to extend the invitation to any lockpicking streak, also if your streak starts on another date. Next to practice, share your achievements with the community.

Pictures from Toni have his copyright. The rest are CCBY4.0, as per usual Toool Blackbag license.

Posted in Lockpicking, Keys, Impressioning, Uncategorized | 1 Comment »

Dutch Open 2023 Pentathlon competition results

Monday, October 23rd, 2023

The Pentathlon competition is a series of five lock challenges sponsored and hosted by Parmakey. The competitors had to pick a pin tumbler, pick a dimple, impression a key, pick a safe lock, and pick a car lock. Twenty competitors joined the challenge.

Torsten won the competition with 52 points and won a Sparrows Vorax lockpickset, a book on historic keys. Decoder, with 50 points, won the second price and received a Sparrows Tuxedo Royale and a book on safe lock history. Robert won the third price with 42 points and received a Sparrows Tuxedo set, as well as a book on locksmithing history. All three also received a bottle of Nabucco wine.

Edit: 20240312
We were made aware of a mistake in the official competition results, and would like to correct this. After a remark from one of the participants on his missing opens in the official scores, ParmaKEY checked the papers and found there were two filled in papers which were missing in the official scoring. The table below is the updated scoring form, which now includes the scores from Jascha and Nitiflor.

With this new raking, Nitiflor has the well deserved second place. We decided not to change the original certificate and prizes, but to create an additional certificate with prizes for Nitiflor.

We apologize for the inconvenience, and we will celebrate it with him the next time we meet.

Posted in Lockpicking, Keys, Locks, Impressioning, LockCon, Conference | Comments Off on Dutch Open 2023 Pentathlon competition results

3D printing keys for Protec2

Saturday, September 23rd, 2023

This story is based on the work from Reinder Stegen, in which the Protec2 was reverse engineered and scripts for parametric key generation are written. Reinder worked with James Wah for the parametric webblification. As in, a free to use online webgenerator for all your Protec2 key needs. To get the keys to the real world, one just needs a good 3D printer.

3D printing keys has been around for at least a decade, from 3D printing scrips like AutoKey3D by Christian Holler to printing many high security keys. Modeling and printing keys gives unique understanding of the underlying principles of the locking mechanisms. I, myself, wouldn’t have understood Kromer protector, Bowley Rorasera, and Fichet F3D as well without modeling the keys.

While 3D printing keys can be a strong attack, the bitting of the key needs to become known to an attacker beforehand. If this attack is within your threat model, please invest into key control. I.e. to keep track of the locks and keys in your system.

The challenge

A set of nine Abloy PL340 locks caught my attention as it was sold as a lockpicking challenge. As in, the seller didn’t have the correct keys, but included keys from the same series. Where the challenge is to open the locks. I chose to work with Reinder to decode one, and 3D print the keys for the rest of the set.

The PL340 are beefy padlocks of around 55*50*25mm, very much excess for any normal consumer applications. While we like them for securing Peli cases, they’ll work fine on your motorcycle or shipping container as well.

The key making process started by decoding the several non-working keys in the package keys. While five cuts were shared between the keys, it wasn’t enough to determine what the keys should be. One lock was disassembled and the disks were decoded according to the pictures in the Protec2 white paper by Han Fey. (Reinder has published a better chart on 22nd of September 2023)

The Protec2 has eleven disks, of which the fourth and eleven are zero disks. All code disks have two true gates, except for a six with one true gate. We see four disks with more than two true gates, which means they are mastered and accept a key with either cuts on it.

I’ve opted to use Python to create a list of all possible keys in this system instead of using pen and paper. After I had a working solution with many nested loops, I found the function product in the itertools package to generate a list of solutions in fewer lines of code. The code below generates and prints the valid keys from a list of lists with possible bittings.

# bitting_mks.py
# Quick script to get all possible keys from a single master keyed lock.
# 20230730 Jan-Willem CCBY4.0 Toool NL

import itertools

# The key codes is a list of list of ascii characters. 
key_code = [['0'],['5'],['4'],['6'],['3','5'],['1','6'],['1','3'],['0'],['5','6'],['6'],['1']]
keys = list(itertools.product(*key_code))

for key in keys:
	print("".join(key))

This script should work for most key systems. For me, it generated the sixteen valid keys of this master keyed system. With Reinder’s online generator, I’ve generated the files. As I lack a printer capable of printing these, I used the 3D printing service from JLCPCB. Reinder had good experience with Imagine Black, so that was my starting point as well.

Reinder’s tool for generating the keys isn’t widely shared, yet. He has shared a vid e o in which several more 3D printed keys are showcased, including a few which work better than the online generated keys. Several other scripts (By NVX, and bgrydon) are available online, but they don’t work as well as this work.

Uploading the models it to the service was quite tedious. Not only does the material, finish, and customs description need to be filled in for each print, QA was quite picky, and rejected the files several times. After some touch ups in Meshmixer, the keys are ordered. 3D printing keys was very affordable.

The prints came in after a couple of weeks and look great. As the print doesn’t have a captive ball bearing, I’ve removed one from a non-functioning key. Sadly, none of the keys worked of the first print run. After double-checking the data, I’ve found a translation mistake. One disk was flipped in the picture, where a disk five becomes a three.

After going through the process a second time, the keys opened the lock I decoded. Possibly a bit more surprising, two keys worked on all other locks as well. So these are the master keys of a system bigger than these nine locks.

While it’s a great success, and defeating this system with 3D printing, I think we can do much more with this locking system. I’ll likely revisit the work of Matt Smith, to attempt to pick it, or at least try to find a better way of decoding the locks.

To settle one curiosity, I’ve commissioned new prints generated by Reinder in several materials. These have a captive ball. From left to right, we have: Imagine black, 9000R Resin, 8228 Resin, 8001 Resin, 3201PA-F Nylon, 316L Stainless.

All the plastic keys were dimensionally correct and opened the lock. Of course, the engineering resins work much smoother and are generally stronger. The 8228 seems to be very good, except for the ugly color 🙂

So, what about the metal key? While it is amazing we can have these parts fabricated for €8 per key, the dimensions aren’t there yet. The key is slightly oversized and doesn’t fit the keyway. Of course, you can order keys with several different scaling factors, but it’ll be expensive, whereas the resin prints work well and are relatively cheap. In the end the resin keys are around €2 each, and I’ve spent about €200 on the whole project.

While it’s exciting to ‘defeat’ Protec2 locks with this attack, it’s more a showcase of skill and dedication of people in the locksport community. Thanks, Reinder and James, for allowing me to use this work.

This text and the pictures are CCBY4.0 Jan-Willem Markus, Toool Blackbag.
The copyright of the key generator is with Reinder Stegen and James Wah.

Posted in Keys, General, Decoding | Comments Off on 3D printing keys for Protec2

Lips shared access

Wednesday, July 5th, 2023

Locks don’t have to be hard to pick to be interesting, and a Lips lock Jos loaned me is a fine example of that.

Lately I’ve been drawn to picking lever locks, as they have that nice “Skyrim” vibe. You can get a long way with just some bent wires. Knowing that, Jos brought this nice Lips lock to a Toool meetup, and I got to play with it a little.

Picking it is pretty straightforward, as there are no false gates on the lever, and no curtain. The pin in the keyway does make navigation a bit awkward, but all in all it’s not hard to pick.

Things get more interesting when you take a closer look at the lock.

First of all, it’s a Lips lock. Lips is a Dutch lock manufacturer that was founded in Dordrecht in 1871 by Jacobus Lips. In 1971 it became part of Chubb, and since 2000 it’s part of the Assa Abloy group.

The second name on the lock is P.G.E.M. The P.G.E.M. (or Provinciale Gelderse Energie Maatschappij) was a utility company delivering electricity and gas to the whole province of Gelderland in The Netherlands. Every Dutch province used to have its own utility company. It was owned by the province, and the local municipalities.

In the 1990’s the Dutch government decided all the utility companies had to be privatized, and P.G.E.M. became part of Nuon (which is now a part of Vattenfall).

Below P.G.E.M. are the letters LS, that stand for Laagspanning or Low Voltage. PGEM used these locks to secure electrical substations, and LS indicates this particular lock was used on a low voltage substation. The other side of the lock tells us more about this.

Here we see “Onderstation Woudhuis” written in pencil. Onderstation Woudhuis is a substation located in the city of Apeldoorn.

The double keyway is a striking feature which reminds of dual custody locks, only this isn’t that. It’s shared access, where only one of both keys is required to open the lock. This becomes clear when the faceplate is removed.

This seems to be a form of master keying without having to need to add extra gates to the levers, which would compromise the security of the lock.

Every lever has two cuts at the bottom. A closer look at two of the levers shows how different cut heights make it possible to open the lock with two different keys.

Moral of the story: locks are fun in so many ways.

~Greenish

After posting the original blog, a good friend in the UK shared a page with the patent of the ‘Mastership’ two keyhole lock from 1889. http://www.historywebsite.co.uk/Museum/locks/gazetteer/gibbons/gibbons6.htm

Tags: Locks, Lips, Lever
Posted in Lockpicking, Keys, Locks, Uncategorized, General | 1 Comment »

May Contain Hackers 2022

Friday, May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For Lockpicking content, Toool organized a lockpicking village, The MCH CTF included lockpicking challenges, and plenty of exciting talks are given. Including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, mechanical security is no different. It takes sharp eyes, a soft touch, and a good hearing to distinguish between information and noise. In this talk we will go in depth on how locks works, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Mech-Side-channel_8 Download

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks. As in, opening the electronic locks by using a percussion drill and custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

2022_Electronic_Locks_Talk_by_mh_-_Presentation_Sli_WCe0aQk Download

Jan-Willem presented a basic introduction to threat modeling and uses puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.

Threat-modeling_8 Download

Posted in Lockpicking, Keys, Locks, Uncategorized, Conference | Comments Off on May Contain Hackers 2022

Quantifying the Brinell hardness of keys

Saturday, April 8th, 2023

In an effort to quantify the locksport world, I’m taking my measuring tools to locksport in an attempt to learn the details. For example, how much torque is required to pick a lock. With this knowledge, we can build better lockpicks, and teach proper technique. In this blog, I’ve set out to compare the hardness of key blanks for impressioning.

As I’m not a machinist, nor do I have access to fancy hardness measuring equipment, I’ve found the cheapest method I could use at home. There are many methods, and many systems, to measure the hardness of metal. One difficulty was to get familiar with the lingo and to find a measurement tool that works for key like metals, thin, soft, etc.

The most common method of cheap hardness testing is to use Rockwell hardness testing files from measuring hardness of knifes. Usually in the range of C40 to C65 in increments of five. I’ve found similar methods online for testing the hardness of lead with pencils. Where HB hardness pencil will be equivalent to a certain percentage lead in tin. To my knowledge, none such system exists for brass.

More expensive methods press a hardened piece of metal with a known force into the sample, and measuring the indentation. While most of these measuring jigs are too expensive, I’ve found one for cheap. That is the Poldihammer test, which is sold on eBay for around €100. The tool uses a captive ball bearing which presses both on a bar of known hardness and the sample. You just simply place it on the object and hit it with a hammer. The ball bearing presses with equal force into both metals object. Comparing the dents gives you the Brinell hardness.

https://de.wikipedia.org/wiki/Poldihammer#/media/Datei:Kugelschlagh%C3%A4rtepr%C3%BCfger%C3%A4t.jpg

My Poldihammer came with a small magnifier and scale. It’s not so easy to use, and the resolution is minimal. The kit also comes with convention tables, but they feel very approximate. My solution is to measure the indentation with a digital microscope and calculate the BHN from this formula from Wikipedia:

$\operatorname{BHN}=\frac{2P}{\pi D \left(D-\sqrt{D^2-d^2}\right)}$

BHN = Brinell Hardness Number (kgf/mm²).
P = applied load in kilogram-force (kgf)
D = diameter of indenter (mm)
d = diameter of indentation (mm)

It doesn’t take much to use the dent on the reference bar to calculate the force. As the force is equal on the key, we can use the force to calculate the hardness of the keys. Let’s take a look at a real world example. The next two images are the dents under high magnification.

Key for measurement B1: 214.581 by 209.048 pixels. This is 2.00 mm on average.

Reference bar with hardness 187. Measurement B1: 163.809 by 162.959 pixels. 1.55 mm average width.

For completeness, I’ve added the calculations as to make the method repeatable, and accessible to more hobbyists. The force is calculated as follows: P = BHN(reference) * PI * D * (D – SQRT(D^2 – X^2)). Where X is the dent on the reference bar. In LibreOffice Calc, this is =187*PI()*10*(10-SQRT(10^X^2)).

The hardness of the key is calculated BHN(Key) = P /(PI * D *(D^2-Y^2)). Where Y is the dent on the key. In LibreOffice Calc, this is =P/(PI()10(10-SQRT((10^2)-(Y^2))))

For the numbers above, I’ve found the force as 706.25, and the BHN of the key as 110.8. I’ve repeated the test for four more keys and measured them as 114.5, 103.9, 97.0, and 118.2 with an average of 108.9. In similar measurements, I would drop the minimum and maximum and take the average of the remaining samples, which is 109.7.

The following table is the result of my measurements. The results are surprising.

Brand	Average	Aquired date	Comment	Measurement [BHN]
Silca	Three keys	2018	CS206 Brass.	147.1
Silca	Three keys	2022	LD5R Steel.	222.8
JMA	Three keys	2018	Keys from Nigel Tolley.	135.4
Bauelemente	Three keys	2019	SSDeV Impressioning.	123.5
Abus	Three keys	2019	LockCon	133.4
Abus	Three keys	2020	Toool Inventory	135.8
Abus	Five keys	2022	LockCon Box A	127.4
Abus	Five keys	2022	LockCon Box B	108.9
Abus	Five keys	2022	LockCon Box C	131.5

Table of key measurements. Keys for Abus C83 with keyway similar to Y1.

The data revealed something interesting and confirmed a hunch. The hardness of steel keys is the highest, obviously. We see the brass alloy (nickel silver) have a range of values. There are also outliers, for example Box B, these keys are softer than keys acquired on the same day.

I’ve since played with both harnesses and can tell one hardness from another in impressioning. But only after I’ve switched from one hardness to another after a dozen opens, with the same hardness. After switching backwards and forwards, I can’t tell the difference in a blind test.

One final note, the kit comes with one reference bar that is consumable. We have about a hundred measurements in them. I have not found replacement bars, yet. But I believe we can use a similar shaped bar of steel, which is then calibrated with the reference bar before use. This will reduce accuracy, but can be accounted for if the measurements are comparative.

Thanks for taking your time to read about measuring hardness of keys. If you have a professional (Brinell) hardness measurement tool, and want to help out, let’s swap keys and compare notes. I’m always open to learn.

Posted in Keys, Impressioning | Comments Off on Quantifying the Brinell hardness of keys

Continued work on MIWA/Anker 3800

Monday, October 3rd, 2022

I had spent quite some time on the Anker 3800 cylinder. This system was originally patented by the Japanese firm MIWA. It contains just 4 pins, each of them having 4 possible depths. But, there’s also 4 sliders that are magnetically operated by magnets in the key.

This system was sold in the Netherlands by Dutch firm Ankerslot and is still used in many large, high security setups.

I made a magnetometer to decode the magnets in a key or in a cylinder, made a 3D model of the key to be able to print it and figured out how to get the master key of a system. My talk at Disobey is available online.

At LockCon, Han provided me with a set of five cylinders, all keyed differently but all part of the same masterkey system. No keys were provided.

I started by reading out all the magnets in the sliders. Each slider can have one or two magnets. If there are two, one is for the user key, one for the master key (we’ll ignore submasters for the moment). By knowing the magnets in the cylinder, it is possible to figure out which magnet should be in the key. For master keyed systems, there might be two possible magnets to operate the slider, where one will be in the master key, the other in the user key. With this information, I could determine the magnets in the master key and in the individual user keys (for each slider, there was only one possible magnet that would open all cylinders, so it was clear that that particular magnet should be present in the master key).

The correct bitting is another story. I had no key to start with. It is possible to create 256 keys and try them all to find all possible bittings. I was lucky however to have gotten one half cylinder.

What I did is create a bump key (so four times the deepest cut, which I will call a ‘4’), containing the correct magnets. With the bump key, I could open a cylinder and disassemble it. The half cylinder was my luck, as that can also be re-assembled. For this task, I used a 3D-printed plug follower.

This gave me all the correct bitting positions for this one cylinder (pin 1: 3 or 4, pin 2: 1 or 3, pin 3: 2 or 3, pin 4: 4). Since I did not have the original key, I did not know which depth belongs to the user key and which to the master key. The configuration allows for 2^3=8 possibilities. By creating 8 keys and trying them on the other cylinders, I could find out the master key bitting. With 3D printed keys, it is possible to print, say, a 3/1/2/4 key and if it doesn’t work, file a bit away to get a 4/1/2/4 key. That is exactly what I did and 4/1/2/4 worked on all cylinders, giving me the correct master key.

Next, I wanted to create the user keys. I could have created user keys by only using different magnets and keeping the bitting the same, but that would not give me the keys as they would originally be made for these cylinders. Since I now had a working master key, I could easily probe each pin position for all depths in sequence. I started with a 1/1/2/4 key, trying that on the 4 remaining cylinders and writing down the results, then filing it to a 2/1/2/4, trying again and then 3/1/2/4. With four keys to start with and 4*3=12 filing actions I was able to decode all the bittings.

Decoded cylinders, ‘G’ and ‘R’ are north/south poles (my magnetometer uses green/red light as an indicator)

Here, I have put squares around the magnets and bittings of the master key. If there are other bittings or magnets, they must be in the user key. The first pin of cylinder 2 for instance has possibile depths 3 and 4, and the master key has depth 4, so the user key must have depth 3. Note that in this system (and in this instance), user keys can have a bitting that can be filed down to the master key, as long as the magnets are different. Cylinder 2 shares the middle two magnets with the master key, the outer two are different.

With that information, I knew all the individual keys and printed them.

The user keys only open one cylinder each

And I have the master key.

In fact, with this collection of cylinders, it is now also possible to make submaster keys for certain subsets of cylinders, even if that was not intended originally.

Thanks for reading! -Walter.

Photos CCBY4.0 Walter @ Toool Blackbag

Posted in Keys, Locks, Decoding | 1 Comment »

Lock Picking Forensics

Wednesday, October 6th, 2021

I (Walter) have created a geocache that requires some RSA hacking and subsequently lockpicking. I bought an Abus Titalium 64TI/40 padlock to be picked. Several people were able to find it by teaming up together. The feedback I got was that people spent considerable time on the lock, sometimes several hours (in separate sessions).

Geocacher #15 was unable to lockpick the lock, even though he had practiced on an identical lock at home. I offered to go with him to give advice. He couldn’t open it. Also I couldn’t (quickly) open it. I took the original key and that would not open it. By not fully inserting the key and wiggling, I succeeded in opening. (I let the geocacher pick his own lock and allowed him to log the cache.)

Once home, I decided to take a look at the lock. Although only a very limited number of people had worked on it, it was completely shot. I took a video comparing showing a new padlock and then the one from the cache:

I’ve taken apart the lock to have a look at the pins. We always say that picking a lock will leave tiny traces on the pins (and other parts of the lock) that can be found during a forensic investigation. Well, in this case, the naked eye was enough to see the abuse.

Here’s the plug with the key inserted. Note how the pins have shortened. This causes the key to no longer work.

This also explains why taking out the key a bit and wiggling opened it.

Here’s a view of the pins:

There’s now a new padlock in place. You can’t really tell from the picture here, but the pins are made out of aluminium, which kind of explains the wear on them. I bought the lock as it is marketed as being weather proof. But resisting weather is different from resisting lockpicks.

Photos/video CCBY4.0 Walter Belgers