Archive for the ‘Decoding’ Category

Sophie’s safecracking simulator

Sunday, May 9th, 2021

A few weeks ago on Twitter I read a tweet by Sophie, who was working on a safecracking simulator. I was intrigued and joined the conversation, both to comment on (and compliment) the progress and to add ideas for even more realism!

https://sophieh.itch.io/sophies-safecracking-simulator

So what’s the game? They designed a safe lock simulator, and the game is to crack the safe! The lock is from the fictional brand Safe and Sound (S&S). It behaves like an average group 2 safe lock with three wheels (4x CCW, 3x CW, 2x CCW and 1x CW). You input the combination with the arrow keys: the left and right arrows move the dial, and Control/Shift set the dialing speed. The simulated lock works just as you would expect: you can feel and hear the contact points, and you can manipulate and graph it just like any other group 2 safe lock.

Cracking a safe

I bought the game as soon as it was available and spent a couple of hours cracking my first virtual safe.

Cracked the safe with manipulation. Transparency is on for the screenshot.
Safe manipulation graph.

I like to start by getting a rough idea of the lock, and I do this by dialing all wheels left (AWL) in 20-number increments. I noticed the wheels are almost perfectly round, which requires a full AWL graph and finding one number at a time. I graphed AWL in 2.5-count increments and found the gate between 80 and 85. I set the number to 82 and tested the wheels. I found the number was on wheel three.

Then I graphed W1 and W2 left with W3 parked at 82, in 5-count increments. Wheel one was at about 7. Figuring out which wheel it was on was actually tricky, as the simulated safe does not have flies, and this means LRL is not the same as RLR for this lock. It also means you can find a number that’s impossible to dial without some calculating.

Lastly I graphed the last number, 7-X-82, and found the combo 7-78-82. The dial stopped at 80, indicating I had opened the lock. In the version I played it wasn’t possible to open the safe itself. I claimed being the first one to open the virtual safe on Twitter shortly thereafter.

What else can the simulator do?

Once you have mastered the three-wheel lock, why not try a twenty-wheel lock? This lock will take 21 times right, 20 times left, 19 times… Or was it 21 times left, 20 times right? At what number was I again? In total it would take 231 moves just to open it with the combination. I can’t imagine how much fun it would be to graph this one!
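The dialing pattern described above (4x CCW, 3x CW, 2x CCW, 1x CW for three wheels, 21 turns down to 1 for twenty wheels) is easy to lose track of, so here is a small generator for it. This is an added example, not code from the original post or from Sophie’s simulator. It assumes that the first leg is dialed to the left (counter-clockwise) and that the final one-turn leg in the opposite direction runs until the dial stops on the opening position rather than on a number; both are conventions of the example, not facts stated by the post.

```python
"""Dialing-sequence generator for an n-wheel group 2 combination lock.

Added illustration for the post above; not part of the original page.
Assumption: the first leg is dialed to the left ('L', counter-clockwise),
legs alternate direction, and the last single turn stops on the opening
position, written here as the string 'open'.
"""

OPPOSITE = {"L": "R", "R": "L"}


def turn_counts(n_wheels):
    """Full turns per leg: n+1 for the first leg, then n, ..., down to 1.

    An n-wheel lock therefore has n+1 legs: one per wheel plus the
    final turn that drives the bolt.
    """
    return list(range(n_wheels + 1, 0, -1))


def total_moves(n_wheels):
    """Total number of full dial turns needed to dial a combination.

    This is the triangular number (n+1)(n+2)/2: 10 for three wheels,
    231 for the twenty-wheel lock mentioned in the post.
    """
    return sum(turn_counts(n_wheels))


def dialing_sequence(combination, first_direction="L"):
    """Return (turns, direction, stop) tuples for each leg of the dial.

    `combination` is the list of wheel numbers in dialing order, e.g.
    [7, 78, 82] for the lock the post was opened with.  The last tuple
    has stop == 'open' because that leg ends at the opening position.
    """
    n = len(combination)
    direction = first_direction
    sequence = []
    for leg, turns in enumerate(turn_counts(n)):
        stop = combination[leg] if leg < n else "open"
        sequence.append((turns, direction, stop))
        direction = OPPOSITE[direction]
    return sequence


def describe(combination, first_direction="L"):
    """Human-readable dialing instructions, one line per leg."""
    names = {"L": "left (CCW)", "R": "right (CW)"}
    lines = []
    for turns, direction, stop in dialing_sequence(combination, first_direction):
        where = "until the dial stops" if stop == "open" else f"stopping at {stop}"
        lines.append(f"Turn {names[direction]} {turns}x, {where}")
    return lines


if __name__ == "__main__":
    # The combination found in the post, 7-78-82 (three wheels).
    for line in describe([7, 78, 82]):
        print(line)
    # The hypothetical twenty-wheel lock: just count the legs and moves.
    print("twenty-wheel lock:", len(turn_counts(20)), "legs,", total_moves(20), "moves")
```

Passing `first_direction="R"` produces the mirrored sequence, which is exactly the ambiguity the post jokes about; with a lock that has no flies the two are not interchangeable, so it matters which convention the lock actually uses.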

Not all hope is lost, as the safecracker gets a handful of tools to simplify the process: a gyroscope for angular measurement, a camera to amplify vision, a sound spectrum analyzer and X-ray vision. You can also use advanced keyboard shortcuts to spin the dial exactly one rotation, simplifying the safecracking process.

Suggestions to Sophie

The project is very cool and certainly a functional game. These are a few suggestions for added realism:

  • I feel the current shape of the wheels is too perfectly round. Real-life safe wheels are sometimes oval or egg shaped, and they sometimes have an offset from the wheel center as well. This feature is only beneficial when the wheels are closer matched in size. Currently it’s very hard to find which wheel is the largest and thus the one you want to isolate.
  • As far as tolerances go, I think the game does very well. Yes, you can make them tighter, but then you can easily make the safe impossible to manipulate. It wouldn’t be bad to have a setting you can play with to make the lock a lot harder.
  • Currently the safe does not have flies. It’s hard to explain what a fly is or how it works; it’s a small movable element that ensures you can dial two consecutive wheels to the same number. Whether it’s worth the effort for this extra realism, I don’t know.
  • Lastly, there are a lot of directions you can take this project in. As a simulator it works, but it would be very cool to have a ‘spot the fault’ puzzle game, e.g. the combination is 10-20-30 and it only opens sometimes. The player could then learn about failure modes like a stuck fly or a slipped wheel. You can use the troubleshooting guide for an S&G lock as inspiration. In the PDF it starts at page 9.

Conclusion

The game is very much what I expected from it, and it captures the nuances very well. I will certainly recommend it to people who are looking into safecracking. I will use the simulator as training material as well. (Every participant buys their own copy.) I think it can be a very useful teaching tool.

I don’t think I would play much with the simulator myself, mostly because I have played with and have access to the real locks. The game captures the tediousness of safecracking very well, and that’s amazingly impressive 🙂

Key duplication from a photo CTF

Sunday, September 22nd, 2019

Jos has a talk about key duplication from pictures. If you have not seen it: https://youtu.be/muINcnhj1EQ
For a conference there was the question: what does it take to turn this into a workshop? There was little budget, so we have turned it into a CTF instead of a training/workshop.
This CTF has no prizes, but it might teach you something new.

If you ever wished you could try it without being sneaky, this is your chance. The CTF is a controlled and safe environment. You are encouraged to copy these keys!

The problem:
Publishing pictures of your keys is not good security practice. Keys can be duplicated from a photo rather easily. Twitter and other social media are full of threads filled with pictures of keys. Someone shared one with me, but they’ve since removed it on our advice.
(Note to self: take more screenshots.)

Example: https://twitter.com/hashtag/zeigteureschluesselanhaenger
The hashtag is about the keychains, but there are some perfectly decodable keys in there.

The CTF:
1) Get to the keys
2) Take a photo or make an imprint of it
3) Make a key
4) Test the key

Measuring tools and files will be available at the lockpicking village.
We are going to help as little as possible so as not to spoil the fun.

There are three keys at the moment:
CTF 1) Key will be published here
CTF 2) Key will be placed on the table at the lockpicking village (please do not borrow/steal the key.)
CTF 3) Key will be on the belt/lanyard of the orga or the instructors at the lockpicking village

Please don’t publish pictures of the CTF 2 and CTF 3 keys. You are allowed to do a writeup about CTF 1.

CTF Key 1:

Key measurements:


As there was still some ambiguity, this picture should prove useful. Each square is 5 mm by 5 mm.

All locks are standard, unmodified 5-pin Abus/Buffo. Blanks that work are Y1, 1A (SKS/JMA), CS206 (Silca) and many others. You’ll get points for sourcing your own blanks. Really, give it a try!

This CTF will run for the next months to years. Come see Toool at a conference near you.
Next up: Hardwear.io, HITB, LockCon and Hackerhotel 2020.

If you want to play but can’t make it to a conference, please send me a digital bird at Jan-Willem at Toool dt nl. You’ll be sent three pictures and a postal address, and you can mail me the physical keys you’ve made.

I’ve tested the CTF myself. It took me about 30 minutes to make three keys from a photo.
Please, don’t publish pictures of your keys. Stay safe.

Published by Jan-Willem.

Lishi Schlage impressioning tool

Thursday, July 11th, 2019

The company Lishi is mostly known for its decoding tools for several brands of cars. Now they also have decoding tools for Schlage and Kwikset locks that work similarly.

Although it is not as much of a sport as lockpicking with standard picking tools, we at Toool are always eager to try out new tools. Not long ago, Jan-Willem already tweeted about the tool:

Now, we also have a demonstration of the Schlage tool, done by Jos:

Enjoy!

Walter.

Picking Abloy Classic

Thursday, December 3rd, 2015

I regularly give lectures and workshops about locks and lock-related topics at conferences such as CONFidence, Hack.lu, BruCON, 4GH, SEC-T, Hackito Ergo Sum, Hashdays, Fri3dcamp, TEDx and more. My latest talk was also the most interesting. It was at the wonderful t2.fi conference in Helsinki, Finland.

I was there in 2014 as well. This year, I could only speak again if I’d open Finnish locks. And Finnish locks are among the most secure. Almost everybody in Finland has ASSA Abloy locks on their door. Many Finns believe these are unpickable. So I set myself the task of opening these locks.

First, I tried the H&H tool for opening Abloy. I then found out this tool does not work and simply cannot work, unless you can already set the discs in order. So that was money wasted. I was finally able to purchase a tool from Citadel LockTools in the UK that can actually open (and decode) Abloy Classic locks. These tools are handmade by Matt and look and work fantastic.

The tool comes with several tips for different kinds of locks. I bought a few Abloy Classic ‘handbag’ padlocks, and it’s interesting to see that they differ. In one, the deepest disc is locked; in the other it is not. They each need a different tip on the tool.

Abloy Classic decoder

Using this tool, I was able to open an Abloy Classic live on stage in Helsinki, which got me a nice applause!

Here’s a clip from when, after some practicing, I was first able to open the Classic using Matt’s tool:

LockCon 2014 addition

Monday, September 15th, 2014

Not many people have experience in opening pump locks (locks that use a push key). However, one of the guests at LockCon 2014 has ample experience, and he has built his own tool to open these locks. This is what it looks like:

At LockCon, you will be able to see the tool in action with live commentary from the maker. You can see a 17-second sneak preview from the ELF conference here: