Archive for the ‘Decoding’ Category

2-in-1 for Abus, that barely works.

Saturday, January 8th, 2022

Lishi 2-in-1 picks have been around for a long time, both for automotive locks and more recently for pin tumbler locks. Sadly, these tools are quite costly as they are keyway specific. Furthermore, this type of tool can’t be made for some locks as the keyways are too tight. Or so I thought; as of writing there are several 2-in-1 picks for sale for the paracentric Yale keyway. As I was intrigued, I bought an off-brand 2-in-1 for CISA. In testing the tool, I found various limitations that might impact its usefulness.

Let’s start from the beginning, Lishi is the brand name of a series of lockpicking tools designed and made by Zhi Qin Li. The Lishi company split up and Zhi Qin Li still sells his 2-in-1 under the brand Original Lishi, while another company sells them under the brand Genuine Lishi.

Original Lishi sells a variety of tools; the one generally referred to as a Lishi is a 2-in-1 lockpick that both applies a turning force and picks individual elements. The tool can also be used to decode the lock once it is open, and a key can be cut in the field with another of Li’s tools.

Lishi for the Schlage SC4 keyway.

So, what does a Lishi 2-in-1 lockpick do? The tool consists of two parts: the body that is used as a turning tool and the thin feeler that’s used as a lockpick. This in itself would not be too useful; however, the body has a chart of where the lockpick is in the lock. You move the pointer to the desired element, indicated by the vertical lines, and push down lightly on the pointer. This in turn moves the lockpick, pushing down on the element in the lock. You can feel if the element is binding or not. And just as in lockpicking, you go through the lock pin by pin and feel for the binders. Then you set each binder and search for the next one, until all elements are set. Click on one, click on three… Open!

Since 2000, these tools have been available for automotive locks, as the combination of open keyways, many wafers, and typically low tolerances works very well for this tool. 2015 was the year 2-in-1 picks became available for pin tumbler locks for the USA market (Schlage, Kwikset, and Master). Most of these locks have wide keyways, low tolerances, and very few security pins.

I’ve played with a few of these tools, but didn’t find them too useful. I’m not a locksmith, and not in the USA. For me, they would be mostly a novelty. But the pick I’m about to show can be a game changer as it targets European locks I’m familiar with.

In December, I was notified that a seller on AliExpress sells a 2-in-1 (not a Lishi!) for the paracentric Yale keyway. The consensus among lockpickers was that this tool could not exist, because the keyway is too tight and has no straight access to the pins. I was curious enough to fork over €50 and bought one for CISA, as it’s very close if not identical to the Abus C83, the lock we use for impressioning championships.

The seller is quite open about the tool’s limitations and wrote on the lever “80% coverage. Without pin 8 or 9”. While this sounds like it’ll open 80% of locks, it doesn’t seem to be the whole story, as we will find out. The biggest concern with a tool that works on a subset of locks is whether the user can detect that the tool does not work, as opposed to user error or lack of skill. I suspect so, but it will be far from easy. In short, the tool will not work on a lock with one or more cuts deeper than a 7; that pin will always be overset, and this you can detect.

Small subsection of factory-cut Abus C83 keys; I have a modest collection of them.

As I was curious about the 80% claim, I spent an evening measuring my Abus C83 keys. While these are not CISA, they are close, and I happen to have a modest collection of these keys. 92 out of 283 of the measured keys have no cuts deeper than 5.5mm, the size of the tool. This means the tool will only work on 30% of my Abus C83 keys. This is consistent with a statistical sanity check: assuming every lock has a uniform distribution of cuts (ignoring MACS), the fraction comes to (7/9)^5 = 28.4%.

I’m considering this 30% an upper bound, as Abus C83 and CISA aren’t shipped with standard pins. The old locks are shipped with mostly spool pins, and the new ones have serrated, spool, and T-pin key pins and the same for the drivers.
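The coverage estimate above, worked through in code as an added example (this is not code from the post or from the tool’s seller). It reproduces the uniform sanity check (7/9)^5, counts coverage over a list of bittings the way the key measurements were used, and goes one step further than the post by adding a MACS (maximum adjacent cut specification) constraint to the uniform model. The 9-depth system, 5 pins and reach of 7 follow the post; the MACS value of 4, the helper names and the sample bittings (apart from the post’s decoded 52452) are constructed assumptions.

```python
"""Estimate what fraction of 5-pin locks a 2-in-1 pick can open when it
cannot set cuts deeper than depth 7 (deeper pins stay overset).

Added example: the 9-depth system, 5 pins and reach 7 come from the post;
MACS=4 and the sample bittings are constructed assumptions.
"""
from fractions import Fraction

PINS = 5          # Abus C83 / CISA: 5-pin locks
DEPTHS = 9        # cut depths 1..9 (implied by the post's 7/9 ratio)
MAX_REACH = 7     # deepest cut the tool can set

# Constructed sample of bittings; the first one is the post's decoded lock.
SAMPLE_BITTINGS = [
    (5, 2, 4, 5, 2),  # every cut within reach: tool works
    (7, 7, 1, 3, 6),  # a 7 is still within reach
    (9, 2, 4, 4, 5),  # the 9 stays overset: tool fails
    (1, 8, 2, 2, 3),  # the 8 stays overset: tool fails
    (6, 6, 7, 5, 2),  # within reach
]


def uniform_coverage(pins=PINS, depths=DEPTHS, max_reach=MAX_REACH):
    """Fraction of bittings the tool can open when every cut is independent
    and uniform over 1..depths: all pins must be <= max_reach."""
    return Fraction(max_reach, depths) ** pins


def sample_coverage(bittings, max_reach=MAX_REACH):
    """Fraction of a measured key set whose deepest cut is within reach
    (the post's 92-out-of-283 count, applied to any list of bittings)."""
    openable = sum(1 for cuts in bittings if max(cuts) <= max_reach)
    return Fraction(openable, len(bittings))


def macs_coverage(pins=PINS, depths=DEPTHS, max_reach=MAX_REACH, macs=4):
    """Same question, but counting only bittings that respect a MACS rule
    (|cut_i - cut_i+1| <= macs), uniform over the valid bittings.

    Dynamic programme keyed on the depth of the last cut:
    total[d]  = number of valid prefixes ending in depth d
    within[d] = the subset of those whose cuts are all <= max_reach
    With macs >= depths - 1 the constraint vanishes and the result equals
    uniform_coverage()."""
    total = {d: 1 for d in range(1, depths + 1)}
    within = {d: int(d <= max_reach) for d in total}
    for _ in range(pins - 1):
        new_total = {d: sum(total[p] for p in total if abs(p - d) <= macs)
                     for d in total}
        new_within = {d: (sum(within[p] for p in within if abs(p - d) <= macs)
                          if d <= max_reach else 0)
                      for d in within}
        total, within = new_total, new_within
    return Fraction(sum(within.values()), sum(total.values()))


if __name__ == "__main__":
    print(f"uniform model:      {float(uniform_coverage()):.1%}")      # 28.5%
    print(f"with MACS=4:        {float(macs_coverage()):.1%}")
    print(f"constructed sample: {float(sample_coverage(SAMPLE_BITTINGS)):.1%}")
    print(f"post's measurement: {92 / 283:.1%}")
```

Running the script prints the uniform bound beside the MACS-constrained figure and the sample count, so the three numbers can be compared directly with the 92-out-of-283 measurement in the post. Because the true pin distribution and the security pins are not modelled, every one of these figures is, as the post says, an upper bound.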

Abus C83 old style vs new style pins.

Besides the theoretical usability and the security pins, what other flaws make this tool suboptimal? The picking tip snags while moving from pin to pin. Furthermore, picking in the counterclockwise direction binds the picking tip, which makes it difficult to differentiate between a binding pin and a binding picking tip.

Randomly pinned lock with standard pins, decoded to 52452.

Let’s wrap it up: this tool is sold at €50 and promises quite a lot. However, theoretically it will only open 30% of the locks it was designed for. Furthermore, the limitations of security pins and rotation direction will limit the functionality even more. A practiced lockpicker might be able to overcome some limitations, or detect that the tool will not work. A tool that only opens a very small subset of locks is not a very useful tool, and I can’t recommend it for picking these locks. However, as new pickers always struggle to find the binders, and this tool enables them to actually ‘see’ what they are doing, it could be a game changer for teaching.

Pictures CCBY4.0 Jan-Willem Toool Blackbag

Sophie’s safecracking simulator

Sunday, May 9th, 2021

A few weeks ago on Twitter I read a tweet by Sophie saying they were working on a safecracking simulator. I was intrigued and joined the conversation, both to comment on (and compliment) the progress and to add ideas for even more realism!

https://sophieh.itch.io/sophies-safecracking-simulator

So what’s the game? They designed a safe lock simulator, and the game is to crack the safe! The lock is from the fictional brand Safe and Sound (S&S). It acts as an average group 2 safe lock with three wheels (4x CCW, 3x CW, 2x CCW, and 1x CW). You input the combination with your arrow keys: left and right arrow for moving the dial, and control/shift to control the dialing speed. The simulated lock works just as you might expect: you can feel and hear the contact points, and you can manipulate and graph it just like any other group 2 safe lock.

Cracking a safe

I bought the game as soon as it was available and spent a couple of hours cracking my first virtual safe.

Cracked the safe with manipulation. The transparency is on for the screenshot.
Safe manipulation graph.

I like to start by getting a rough idea of the lock, and do this by dialing all wheels left (AWL) in 20-number increments. I noticed the wheels are almost perfectly round, requiring a full AWL graph and finding one number at a time. I graphed AWL in 2.5-count increments and found the gate between 80 and 85. I set the number to 82 and tested the wheels. I found the number was on wheel three.

Then I graphed W1 and W2 left, with W3 parked at 82, in 5-count increments. Wheel one was at about 7. Figuring out which wheel it is was actually tricky, as the simulated safe does not have flies, which means LRL is not the same as RLR for this lock. This also means you can find a number that’s impossible to dial without some calculating.

Lastly I graphed the last number, 7-X-82, and found the combo 7-78-82. The dial stopped at 80, indicating I had opened the lock. In the version I played it wasn’t possible to open the safe. I claimed on Twitter shortly thereafter to be the first one to open the virtual safe.

What else can the simulator do?

Once you have mastered the three-wheel lock, why not try a twenty-wheel lock? This lock will take 21 times right, 20 times left, 19 times… Or was it 21 times left, 20 times right? At what number was I again? In total it would take 231 moves just to open it with the combination. I can’t imagine how fun it would be to graph this one!

Not all hope is lost as the safecracker gets a handful of tools to simplify the process: Gyroscope angular measurement, camera to amplify vision, sound spectrum analyzer, and X-ray vision. You can also use advanced keyboard shortcuts to spin the dial exactly one rotation, simplifying the safecracking process.

Suggestions to Sophie

The project is very cool and certainly a functional game. These are a few suggestions for added realism:

  • I feel the current shape of the wheels is too perfectly round. Real-life safe wheels are sometimes oval or egg shaped, and they sometimes have an offset from the wheel center as well. This feature is only beneficial when the wheels are closer matched in size; currently it’s very hard to find which wheel is the largest and thus the one you want to isolate.
  • As far as tolerances go, I think the game does very well. Yes, you can make it tighter, but then you can easily make the safe impossible to manipulate. It wouldn’t be bad to have a setting you can play with to make the lock a lot harder.
  • Currently the safe does not have flies. It’s hard to explain what a fly is or how it works; it’s a small movable element that ensures you can dial two consecutive wheels to the same number. Whether it’s worth the effort for this extra realism, I don’t know.
  • Lastly, there are a lot of ways you can go with this project. As a simulator it works, but it would be very cool to have a ‘spot the fault’ puzzle game, e.g. the combination is 10-20-30 and it only opens sometimes. Then the player could learn about failure modes like a stuck fly or a slipped wheel. You can use the troubleshooting guide for an S&G as inspiration. In the PDF it starts at page 9.

Conclusion

The game is very much what I expected from it and it captures the nuances very well. I will certainly recommend it to people that are looking into safecracking. I will use the simulator as training material as well. (Every participant buys their own copy.) I think it can be a very useful teaching tool.

I don’t think I would play much with the simulator myself, mostly as I have played with and have access to the real locks. The game captures the tediousness of safecracking very well and that’s amazingly impressive 🙂

Key duplication from a photo CTF

Sunday, September 22nd, 2019

Jos has a talk about key duplication from pictures. If you have not seen it: https://youtu.be/muINcnhj1EQ
For a conference there was the question: what does it take to make this into a workshop? There was little budget, so we have turned it into a CTF instead of a training/workshop.
This CTF has no prizes and might teach you something new.

If you ever wished you could try it without being sneaky, this is your chance. The CTF is a controlled and safe environment. You are encouraged to copy these keys!

The problem:
Publishing pictures of your keys is not a good security practice. Keys can be duplicated from a photo rather easily. Twitter and other social media are full of threads filled with pictures of keys. I was sent one, but they’ve removed it on our advice.
(Note to self: take more screenshots.)

Example: https://twitter.com/hashtag/zeigteureschluesselanhaenger
The hashtag is about the keychain but there are some perfectly decodable keys in there.

The CTF:
1) Get to the keys
2) Take a photo or make an imprint of it
3) Make a key
4) Test the key

Measuring tools and files will be available at the lockpicking village.
We are going to help as little as possible to not spoil the fun.

There are three keys at the moment:
CTF 1) Key will be published here
CTF 2) Key will be placed on the table at lockpicking villages (do not borrow/steal the key please.)
CTF 3) Key will be on the belt/lanyard of the Orga or instructors at the lockpicking Village

Please don’t publish pictures of the CTF 2 and CTF 3 key. You are allowed to do a writeup about CTF 1.

CTF Key 1:

Key measurements:


As there was still some ambiguity, this picture should prove useful. Each square is 5mm by 5mm.

All locks are standard, unmodified 5-pin Abus/Buffo. The blanks that work are Y1, 1A (SKS/JMA), CS206 (Silca) and many others. You’ll get points for sourcing your own keys. Really, give it a try!

This CTF will run for the next months to years. Come see Toool at a conference near you.
Next up: Hardwear.io, HITB, LockCon and Hackerhotel 2020.

If you want to play but can’t make it to a conference, please send me a digital bird at Jan-Willem at Toool dt nl. You’ll be sent three pictures and a postal address. You can mail me the physical keys you’ve made.

I’ve tested the CTF myself. It took me about 30 minutes to make three keys from a photo.
Please, don’t publish pictures of your keys, stay safe.

Published by Jan-Willem.

Lishi Schlage impressioning tool

Thursday, July 11th, 2019

The company Lishi is mostly known for its decoding tools for several brands of cars. Now they also have decoding tools for Schlage and Kwikset locks that work similarly.

Although not as much a sport as lockpicking using standard picking tools, we are always eager at Toool to try out new tools. Not long ago, Jan-Willem already tweeted about the tool:

Now, we also have a demonstration of the Schlage tool, done by Jos:

Enjoy!

Walter.

Picking Abloy Classic

Thursday, December 3rd, 2015

I regularly give lectures and workshops about locks and lock related topics at conferences such as CONFidence, Hack.lu, BruCON, 4GH, SEC-T, Hackito Ergo Sum, Hashdays, Fri3dcamp, TEDx and more. My latest talk was also the most interesting. It was at the wonderful t2.fi conference in Helsinki, Finland.

I was there in 2014 as well. This year, I could only speak again if I’d open Finnish locks. And Finnish locks are among the most secure. Almost everybody in Finland has ASSA Abloy locks on their door. Many Finns believe these are unpickable. So I set myself the task of opening these locks.

First, I tried the H&H tool for opening Abloy. I then found out this tool does not work and simply cannot work, unless you can set the discs in order. So that was money wasted. I finally was able to purchase a tool from Citadel LockTools in the UK that can actually open (and decode) Abloy Classic locks. These tools are handmade by Matt and look and work fantastic.

The tool comes with several tips, for different kinds of locks. I bought a few Abloy Classic ‘handbag’ padlocks and it’s interesting to see that they differ. In one, the deepest disc is locked, not so in the other. They both need a different tip on the tool.

Abloy Classic decoder

Abloy Classic decoder

Using this tool, I was able to open an Abloy Classic live on stage in Helsinki, which got me a nice applause!

Here’s a clip of when, after some practicing, I was first able to open the Classic using Matt’s tool:

LockCon 2014 addition

Monday, September 15th, 2014

Not many people have experience in opening pump locks (locks using a push key). However, one of the guests at LockCon 2014 has ample experience. And: he has built his own tool to open these locks. This is what it looks like:

At LockCon, you will be able to see the tool in action with live commentary from the maker. You can see a 17-second sneak preview from the ELF conference here: