Archive for the ‘Locks’ Category

Hackerhotel 2024: Safe cracking workshop

Friday, February 16th, 2024

Hugo and I taught safe cracking to a group of eleven at Hackerhotel 2024. It was great sharing the knowledge and inspiring others. Much respect goes to the attendees, who after a busy conference still had the energy to take on this mighty challenge.

Every training needs to start with a good basis. We started with an introduction on what safe locks are about and how they operate, specifically group two safe combination locks. From there, we built knowledge from practical examples and exercises. From simply operating the safe lock by dialing 4L-3R-2L-1R with a known combination, to exploring contact points and graphing.

For this two-hour session, we worked with locks of known combination, and attendees usually only get to complete one and a half graphs in this time. Around six graphs were completed in total, and some even finished all three graphs within the session.

While any training is mostly satisfying a curiosity, we expect this training gave the attendees enough knowledge to give it a try on their own later. Maybe even getting obsessed about it in the process 🙂

CCBY4.0 Jan-Willem Markus Toool Blackbag

Challenge completed!

Friday, February 2nd, 2024

Walter and Jan-Willem successfully completed the UKLS January challenge, and would like to share the lessons learned as well as show off the 31 locks. The challenge is to open a lock, every day, for all the days of January. This is a good way to get consistent lockpicking practice and to challenge yourself to pick more difficult locks. You can find a longer explanation of the challenge in the blog post released earlier this year (https://blackbag.toool.nl/?p=4023).

Picking a lock a day has helped me get used to my new thick acrylic Moki handles, and taught me a few new picking tricks. As the month progressed, I attempted quite difficult locks, most of which didn’t open, at least not right away. For example, I’ve played an hour a day with a particular BKS, which still remains shut. When a lock didn’t open after a while, I frequently tried another lock, if only to keep the streak.

Walter picked a DOM, Pfaffenhain, Nemef, Mul-T-Lock, Wally, Anker, EVVA, ISEO, Gerda, CES, Ivana, Geba, Novoferm, Wilka, FF, Abus, Thirard, Yale, Vachette, Lips, Pratic, S2, Sobinco, Mauer, Corbin, BASI, VBH, Zeiss Ikon, Destil, Kale and an M&C.

On the other hand Jan-Willem picked the Kibb, Dom Sigma, Abus C83, MD, Anker, CAS, Gerda, Lockinox, Nemef, Pfaffenhain, Kraft, Nino, Gaba, (another) Lockinox, Bern, Yale, Axa, S, Era, UAP, Evva, M&C, F (can’t recall, federico? fred?), Iseo, Fake Assa 700, (2nd) gaba, corbin, mila, Ivana, Favour, and a SEZAM cylinder.

By Jan-Willem. Pictures CCBY4.0 by Walter and Jan-Willem Toool Blackbag.

Progressive Disc detainer

Sunday, December 17th, 2023

When learning lockpicking, try to get every advantage you can. A good first step is to learn as much as possible about the lock. For example, you should disassemble and reassemble the lock a few times, but looking at pictures on lpubelts or lockwiki is a good option as well. The next step is to assemble the lock with fewer locking elements, pick it, and increase the difficulty after each success. This is a well understood practice method for pin tumbler locks, called progressive pinning.

I’ve built several progressive locks for myself and for teaching lockpicking to others. For some locks, I’ve got a keyed alike set. This way, you can practice on the locks without the (sometimes tedious) opening and reassembly of each lock. For a practice session, just work through the locks in the set.

For disc detainer locks we aren’t as lucky, as these locks don’t function well without all of their elements. The lock consists of a stack of code discs and spacers, all living in a partially cut hollow tube. If you have several of the same lock, you can use the spacers from one lock to fill the progressive lock. This technique worked well for an attempt to pick the Rosengrens 32A81 lock.

Disassembled Rosengrens 32A81 Safe deposit box lock.

Dmac shows a clever alternative for regular disc detainers in this video: https://www.youtube.com/watch?v=ehHG-BhgdMs He replaces part of the disc stack with a properly sized tube that takes up the space of the missing discs. The tube allows the key to operate the lock and has enough clearance to rotate freely without impeding the sidebar, but is small enough that the sidebar doesn’t drop into the core. This is a clever trick which is certainly worth testing.

In this post, I propose an alternative solution which is more generic, and will most likely work for all disc detainer, lever, and wafer locks. I’ve designed a spacer to fill the lock. The spacer shape can often be reproduced from the original lock parts in most CAD packages within hours. As a proof of concept, I’ve designed the spacers for the Anchor Las and laser cut the parts at Hackerspace Bitlair in Amersfoort.

My process is quite straightforward: measure the part, design it in OpenSCAD, determine the laser parameters, cut the part, test the part. Then adjust and repeat the steps until satisfied with the results (or until you run out of material, time or money, whichever comes first). It is like CI/CD, but in hardware, with an iteration cycle of about five minutes.

In the table below, I’ve captured the measurements of the core from the Anchor Las 833-3 padlock.

Item            Size
Disc pack       20.51 mm
Disc            1.395 mm
Spacer          0.5 mm (calculated)
Core            13.92 mm
Sidebar         1.97 mm
Key width       5.1 mm
Spacers stack   0.5 mm + 0.28 mm

Anchor Las measurements taken with a micrometer.

Getting the dimensions into OpenSCAD isn’t too difficult. I did, however, reuse someone else’s code for a partial circle, which isn’t trivial in this scripting language. (The code is at the bottom of this post.)

Laser cutters are amazing machines, and I’m always excited when finding a new use for the tool. My go-to materials are acrylic, Delrin, and the occasional sheet of triplex. While acrylic isn’t the most robust, it makes for great visualizations. POM (Delrin and Acetal are the brand names) is an engineering plastic that is great for key gauges and other locksport tools. It also happens to work great for lock replacement parts.

To get the part to the correct size, we need to compensate for the kerf (the width of the laser cut). While it can be measured, I chose trial and error: change the kerf compensation in the LightBurn laser software, cut, and measure the parts with a micrometer. After I was satisfied, I ran a small batch of a hundred rings, just so there are enough to play with for me and other community members.

At the hackerspace, we actively share lessons learned. For this one, I’ve found putting a sacrificial material below the Delrin greatly improved the cut quality. Half the power and speed, with two passes also worked well. The laser parameters are saved to the Bitlair wiki for others to use in the future.

Back home, I assembled the lock with the spacers and found them to be slightly too large. Sandpaper took off the difference quite easily. After reassembly, the lock works great with the key and it’s hard to distinguish from a lock with a complete disc pack. (I see options for a trick lock.)

I’m looking forward to picking it, and will have others play with the lock as well to gather feedback on how the parts affect picking. As I expect the Delrin spacers to have noticeably more friction than metal on metal, it will likely be beneficial to keep the original metal spacers between the code discs. Furthermore, the lock works fine without a shackle and won’t brick on you without one.

Above are the minimum parts required for a functional front tensioning training lock.

I’ve picked the lock a few times with six random code discs. That configuration is nine POM spacers of 1 mm thickness, plus six code discs, each with its metal spacer. After that, I quickly progressed through the other configurations, and picked the unmodified lock an hour later. As the POM spacers are thinner than the discs they replace, I used the remaining metal spacers to fill out the leftover space.
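To plan the intermediate configurations between six code discs and the full pack, here is an added Python example (not code from the post) that searches for a spacer combination filling the disc pack length from the table above; it generalizes the single six-disc build described. The 1 mm POM spacer thickness and the rule that every remaining code disc keeps its own metal spacer are assumptions taken from the description.

```python
"""Disc-pack planner for a progressive disc detainer training lock.

Added example, not code from the original post. Measurements come from the
Anchor Las 833-3 table above; all lengths are in micrometres so the search
stays in integers and avoids floating point rounding.
"""
from itertools import product

# Measurements from the post's table (micrometres).
DISC_PACK_UM = 20510      # total length of the disc pack
CODE_DISC_UM = 1395       # one code disc
METAL_SPACER_UM = 500     # factory spacer between code discs
THIN_SPACER_UM = 280      # the thinner factory spacer
POM_SPACER_UM = 1000      # laser-cut POM spacer; 1 mm sheet as in the post (assumed)


def plan_pack(n_code_discs, max_metal=None, max_thin=None, pack_um=DISC_PACK_UM):
    """Fill the disc pack for a progressive build with n code discs.

    Every code disc keeps its own metal spacer (as in the post). The space
    left by the removed discs is filled with POM spacers plus any spare
    metal/thin factory spacers, never exceeding the pack length (an
    over-length pack binds the core). Returns the fill with the smallest
    remaining gap; ties go to the build with the fewest loose parts.
    max_metal / max_thin cap the spare factory spacers you actually have
    (None = unlimited).
    """
    fixed = n_code_discs * (CODE_DISC_UM + METAL_SPACER_UM)
    remaining = pack_um - fixed
    if remaining < 0:
        raise ValueError("too many code discs for this pack length")

    pom_max = remaining // POM_SPACER_UM
    metal_max = remaining // METAL_SPACER_UM
    thin_max = remaining // THIN_SPACER_UM
    if max_metal is not None:
        metal_max = min(metal_max, max_metal)
    if max_thin is not None:
        thin_max = min(thin_max, max_thin)

    best = None  # ((gap, part_count), pom, metal, thin)
    for pom, metal, thin in product(range(pom_max + 1),
                                    range(metal_max + 1),
                                    range(thin_max + 1)):
        fill = pom * POM_SPACER_UM + metal * METAL_SPACER_UM + thin * THIN_SPACER_UM
        if fill > remaining:
            continue  # would make the pack longer than the core allows
        key = (remaining - fill, pom + metal + thin)
        if best is None or key < best[0]:
            best = (key, pom, metal, thin)

    (gap, _), pom, metal, thin = best
    return {"code_discs": n_code_discs, "pom": pom,
            "spare_metal": metal, "spare_thin": thin, "gap_um": gap}


if __name__ == "__main__":
    # The post's six-disc build, with no spare factory spacers available.
    print(plan_pack(6, max_metal=0, max_thin=0))
    # Same build when four spare thin spacers are on hand.
    print(plan_pack(6, max_thin=4))
```

With no spare factory spacers the planner reproduces the post's nine POM spacers (0.14 mm short of the pack); with a few spare thin spacers it finds a tighter fill.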

At the moment we do not have a repository of lock parts, but we will likely create one soon.
In the meantime, the script for OpenSCAD is attached below. When you create your own discs, please share them around.

// Anchor Las spacer V2.1
// 20231213 Jan-Willem CCBY4.0
// OpenSCAD 2021

// F5 preview
// F6 render
// File > Export as ... (DXF or SVG for the laser cutter)

$fn = 100; // smooth circles

projection() // flatten the 3D shape into a 2D outline for cutting
difference(){ // subtract the keyhole and gate from the disc
    union(){ // create the disc
        cylinder(1.4, 11.4/2, 11.4/2, center = true); // h, r1, r2

        // code for a part of a circle (the wider sector at the top)
        // https://openhome.cc/eGossip/OpenSCAD/SectorArc.html
        radius = 13.2/2;
        angles = [35, 145];

        linear_extrude(1.4, center = true){
            points = [
                for(a = [angles[0]:1:angles[1]]) [radius * cos(a), radius * sin(a)]
            ];
            polygon(concat([[0, 0]], points));
        }
    }

    // key hole
    cylinder(1.4, 7/2, 7/2, center = true);

    // gate
    translate([0, -11.5/2, 0])
        cylinder(1.4, 3/2, 3/2, center = true);
}

Copyright CCBY4.0 Jan-Willem Markus, Toool NL

Dutch Open 2023 Pentathlon competition results

Monday, October 23rd, 2023

The Pentathlon competition is a series of five lock challenges sponsored and hosted by Parmakey. The competitors had to pick a pin tumbler, pick a dimple, impression a key, pick a safe lock, and pick a car lock. Twenty competitors joined the challenge.

Torsten won the competition with 52 points and received a Sparrows Vorax lockpick set and a book on historic keys. Decoder, with 50 points, won the second prize and received a Sparrows Tuxedo Royale and a book on safe lock history. Robert won the third prize with 42 points and received a Sparrows Tuxedo set, as well as a book on locksmithing history. All three also received a bottle of Nabucco wine.

Dulimex PRO-LINE challenge

Sunday, October 1st, 2023

Dulimex kindly sent us the new PRO-LINE padlocks as a lockpicking challenge. Picking these won’t be easy, as the padlock features a Tokoz Pro core with eight disks and a disk blocking system similar to Abloy Protec.

While it’s fun to spend days picking the lock, picking isn’t necessarily a realistic threat for your normal security needs. This Dulimex padlock achieved an SKG** rating. While it’ll not be indestructible, you have the assurance it’ll hold for at least a few minutes against a selection of power tools.

We received five locks from Dulimex for the challenge. The locks will be available at LockCon, and we will lend them to pickers thereafter. If you are up for it, please send us a message.

At first glance, the core looks similar to the Abloy Protec. But there are quite a few notable differences. The Tokoz very cleverly uses the spacers to build up the core. The construction makes it difficult to reassemble the lock, so please keep them together.

Thanks everyone for giving me tips on picking these locks. The tips can be summarized as: use dimple picks instead of a 2-in-1, unless one is custom-made for the Tokoz. Furthermore, the key guide can be twisted, which bricks the lock. Once the lock is picked, use a modified key to rotate the key guide, instead of forcing it from the front.

The best videos for the picking attempts are:

CCBY4.0 Jan-Willem Markus Toool Blackbag. I’ve added an archive of these pictures on the link below.

Cutaways, and lever locks

Monday, September 11th, 2023

When we teach lockpicking we usually resort to schematics of locks, and to different models for demonstrating how locks function. This is usually required, as the core functionality is well hidden and rarely observable in action. Multiple skilled machinists have made cutaway locks for the purpose of demonstrating the inner workings of real locks.

At one cutaway themed evening, we had over 50 unique cutaways on the table, from all brands and mechanisms. In some of them, even the pins themselves were cut away.

On an evening with impressioning, a member asked for some blanks to practice with. The call was answered by the keys below. Sadly, it’ll be very hard to find a corresponding lock for these key blanks, as in Europe we have thousands of unique keyways, even though they all look alike.

On another evening, we delved deep into lever locks, from your classic Chubb locks to high-end safes. A borescope was brought along to try to decode some locks by belly reading the levers, i.e. observing the scratches on the levers and determining the length of the bitting that made the scratches.

The WE30C also made its appearance one night. The lock was used on pay phones, and is remarkably hard to pick due to the lever blocking system, shown in the top right. As torque is applied, the blocking system engages with the levers, making all levers bind up before the lever tests the gate.

Lips shared access

Wednesday, July 5th, 2023

Locks don’t have to be hard to pick to be interesting, and a Lips lock Jos loaned me is a fine example of that.

Lately I’ve been drawn to picking lever locks, as they have that nice “Skyrim” vibe. You can get a long way with just some bent wires. Knowing that, Jos brought this nice Lips lock to a Toool meetup, and I got to play with it a little.

Picking it is pretty straightforward, as there are no false gates on the lever, and no curtain. The pin in the keyway does make navigation a bit awkward, but all in all it’s not hard to pick. 

Things get more interesting when you take a closer look at the lock.

First of all, it’s a Lips lock. Lips is a Dutch lock manufacturer that was founded in Dordrecht in 1871 by Jacobus Lips. In 1971 it became part of Chubb, and since 2000 it’s part of the Assa Abloy group.

The second name on the lock is P.G.E.M. The P.G.E.M. (or Provinciale Gelderse Energie Maatschappij) was a utility company delivering electricity and gas to the whole province of Gelderland in The Netherlands. Every Dutch province used to have its own utility company. It was owned by the province, and the local municipalities.

In the 1990’s the Dutch government decided all the utility companies had to be privatized, and P.G.E.M. became part of Nuon (which is now a part of Vattenfall).

Below P.G.E.M. are the letters LS, that stand for Laagspanning or Low Voltage. PGEM used these locks to secure electrical substations, and LS indicates this particular lock was used on a low voltage substation. The other side of the lock tells us more about this.

Here we see “Onderstation Woudhuis” written in pencil. Onderstation Woudhuis is a substation located in the city of Apeldoorn.

The double keyway is a striking feature which is reminiscent of dual custody locks, only this isn’t that. It’s shared access, where only one of the two keys is required to open the lock. This becomes clear when the faceplate is removed.

This seems to be a form of master keying without needing to add extra gates to the levers, which would compromise the security of the lock.

Every lever has two cuts at the bottom. A closer look at two of the levers shows how different cut heights make it possible to open the lock with two different keys.

Moral of the story: locks are fun in so many ways.

~Greenish

After posting the original blog, a good friend in the UK shared a page with the patent of the ‘Mastership’ two keyhole lock from 1889. http://www.historywebsite.co.uk/Museum/locks/gazetteer/gibbons/gibbons6.htm

May Contain Hackers 2022

Friday, May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For lockpicking content, Toool organized a lockpicking village, the MCH CTF included lockpicking challenges, and plenty of exciting talks were given, including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, and mechanical security is no different. It takes sharp eyes, a soft touch, and good hearing to distinguish between information and noise. In this talk we will go in depth on how locks work, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks. As in, opening the electronic locks by using a percussion drill and custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

Jan-Willem presented a basic introduction to threat modeling and used puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.

Cutaway locks, why put in the effort?

Sunday, April 16th, 2023

In a previous blog post, I’ve written about Qikom’s cutaways. This post is a tangent on why we would like to see more cutaways made and the knowledge shared.

When we teach beginners and show them a unique lock, often they can’t imagine what happens inside the lock, as all they can see is the outside. To illustrate this, let’s play a short game with a Fichet 787. The key looks quite interesting, as it has half a dozen cutouts on each side. It’s not symmetrical, and can only be inserted into the keyway in one direction. You feel a spring pushing against the key, but on rotation it seems to be like any other lock.

If you haven’t seen this lock before, take a moment to imagine what the internals are like.

Fichet 787. CC-BY-4.0 Jan-Willem, Toool Blackbag

It’s quite obvious where I’m going with this. There can be almost anything inside the shiny cylinder. It will be very difficult to find the solution without taking it apart, or looking at a diagram. A cutaway, like the one from Qikom below, shows the internals of the lock, reducing the guesswork compared to a picture of the loose parts.

Qikom Fichet 787 Cutaway
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The interaction between the lever pack and the gears.
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The lock is open.
CC BY-NC-SA 4.0

Is it anything like you imagined it to be?

What does the 787 do? The Fichet 787 is a push lever lock, where the push action allows the lateral movement of the levers to rotate a set of gears to the opening position. The sidebar is a passive element that checks whether the gears are all aligned. With the correct key, the cylinder moves inwards, clears a blocking element, and is able to rotate. At the same time, the key is trapped by two half-circle disks.

It is quite possible you have seen this lock before, as it has been around for decades. I’ve learned about the lock in 2018, and recently expanded the knowledge at the Association des Crocheteurs de France lock conference in December 2022. I’ve learned the dovetail, which connects the cam to the core, is a fairly recent addition that prevents a (partially) destructive attack, for example.

French locks are my favorite weird lock designs, where Fichet is king. The ingenuity is admirable, with many clever ways to solve the same problem…

An even shorter cylinder

Sunday, March 26th, 2023

This weekend at the Wendt lockpicking event, I spoke with the gentle people from BESA specialty lock shop in Belgium. They brought with them a very intriguing cylinder. It’s a KESO Octro 4000S dimple cylinder, but what makes it special is its size: it is a 14/14 cylinder (total size 2.8 centimeters).

The key is a normal sized key. It goes all the way through the cylinder. That means that the bitting interacts with pins on both sides of the key, which in turn means that the key must be symmetric.

Indeed it is. When the key is inserted, you can see it while looking at the other side.

By looking at the key, there could be as many as 30 pins in there. Not bad for a 14/14 cylinder, especially when you compare it to the 20/20 cylinder that had just one pin I wrote about earlier (see https://blackbag.toool.nl/?p=3882)!

If you have one of these to spare or know where to get them, let me know.

Walter.