Archive for the ‘Impressioning’ Category

The one-pin lock

Friday, September 2nd, 2022

Eurocylinders have a standard form factor, but they come in different sizes. In the middle is the cam and the screw to attach the cylinder to the door. Measuring the lengths from the center of the cam to both ends gives you the length, for instance, 30/30 is a popular size. This means both ends are 30mm or 3cm for a total length of 6cm.

Although sizes of 30mm and 35mm (or combinations with 10mm for half cylinders) are pretty normal, there’s quite a variation in lengths, especially if you go to Belgium for instance.

A 45/55 cylinder

Very long ones such as the 45/55 above, are quite rare. Ones shorter than 30 are also rare. I had come across a 25/25 once, but a while ago, my favourite locksmith from Oostende (Birger) gave me a 20/20 cylinder.

A 20/20 cylinder

It did not come with a key. The cylinder only has one pin! This means that any key that fits the keyway can be used to open it: just insert the slope of the key just far enough to push the pin to the shear line.

By not inserting the key fully, we can pick the one pin

The cylinder did not come with a key, so I used impressioning to make one.

The impressioned key

Photos CCBY4.0 Walter @ Toool Blackbag

2-in-1 for Abus, that barely works.

Saturday, January 8th, 2022

Lishi 2-in-1 have been around for a long time, both for automotive and more recently for pin tumbler locks. Sadly, these tools are quite costly as they are keyway specific. Furthermore, this type of tool can’t be made for some locks as the keyways are too tight. Or so I thought, as of writing there are several 2-in-1 for sale for the paracentric Yale keyway. As I was intrigued, I’ve bought an off brand 2-in1 for CISA. In testing the tool, I’ve found various limitations that might impact the usefulness of this tool.

Let’s start from the beginning, Lishi is the brand name of a series of lockpicking tools designed and made by Zhi Qin Li. The Lishi company split up and Zhi Qin Li still sells his 2-in-1 under the brand Original Lishi, while another company sells them under the brand Genuine Lishi.

Original Lishi sells a variety of tools, the one generally referred to as a Lishi is a 2-in-1 lockpick that both applies a turning force and a tool for picking individual elements. The tool can also be used to decode the lock once the lock is open, and a key can be cut in the field with another of Li’s tools.

Lishi for the Schlage SC4 keyway.

So, what does a Lishi 2-in-1 lockpick do? The tool consists of two parts; the body that is used as a turning tool and the thin feeler that’s used as a lockpick. This in itself would not be too useful, however, the body has a chart of where the lockpick is in the lock. You move the pointer to the desired element, indicated by the vertical lines, and push down lightly on the pointer. This in turn moves the lockpick, pushing down on the element in the lock. You can feel if the element is binding or not. And just as lockpicking, you go through the lock, pin by pin, and feel for the binders. Then you set each binder and search for the next one, until all elements are set. Click on one, click on three… Open!

From y2k these tools have been available for automotive locks as the combination of open keyways, many wafers, and typically low tolerances work very well for this tool. 2015 was the year 2-in-1 picks became available for pin tumbler lock for the USA market. (Schlage, Kwikset, and Master). Most of these locks have wide keyways, low tolerance, and very few security pins.

I’ve played with a few of these tools, but didn’t find them too useful. I’m not a locksmith, not in the USA. For me, they would be mostly a novelty. But the pick I’m about to show can be a game changer as it targets European locks I’m familiar with.

In December, I was notified a seller on AliExpress sells 2-in-1 (not a Lishi!) for the paracentric Yale keyway. The consensus under lockpickers is that this tool could not exist, because the keyway is too tight and has no straight access to the pins. I was curious enough to fork over €50, and bought one for CISA as it’s very close if not identical to the Abus C83, the lock we use for impressioning championships.

The seller is quite open about the tool’s limitations and wrote on the lever “80% coverage. Without pin 8 or 9”. While this sounds like it’ll open 80% of locks, but it doesn’t seem to be the whole story, as we will find out. The biggest concern with a tool that works on a subsection of locks is if the user can detect the tool does not work, instead of user error or lack of skill. I suspect so, but it will be far from easy. In short, a lock will not work with one or more cuts deeper than a 7 and therefore this pin will always be overset and this you can detect.

Small sub section of factory cut Abus C83 keys, I’ve a modest collection of them.

As I was curious about the 80% claim, I’ve spent an evening measuring my Abus C83 keys. While these are not CISA, they are close, and I happen to have a modest collection of these keys. 92 out of 283 of the measured keys have no cuts deeper than 5.5mm, the size of the tool. This means the tool will only work on 30% of my Abus C83. This is consistent with a statistics sanity check. For this, we assume every lock has a uniform distribution of cuts, ignoring MACS. This came to be (7/9)^5 = 28.4%.

I’m considering this 30% an upper bound, as Abus C83 and CISA aren’t shipped with standard pins. The old locks are shipped with mostly spool pins, and the new ones have serrated, spool, and T-pin key pins and the same for the drivers.

Abus C83 old style vs new style pins.

Besides the theoretical usability and security pins, what other flaws would make this tool suboptimal? The picking tip snags while moving from pin to pin. Furthermore, picking in the counterclockwise direction binds the picking tip, and it makes it difficult to differentiate between a binding pin and a binding picking tip.

Randomly pinned lock with standard pins, decoded to 52452.

Let’s wrap it up, this tool is sold at €50 and promises quite a lot. However, theoretical, it will only open 30% of all the locks it was designed for. Furthermore, the limitations of security pins and rotation direction will limit the functionality even more. A practiced lockpicker might be-able to overcome some limitations, or detect the tool will not work. A tool that only opens a very small subset of locks is not a very useful tool, and I can’t recommend it to pick these locks. However, as new pickers always struggle to find the binders, and this tool enables them to actually ‘see’ what they are doing, it could be a game changer for teaching.

Pictures CCBY4.0 Jan-Willem Toool Blackbag

forensic research impressioning during lockcon’17

Saturday, October 23rd, 2021

As Walter stated in https://blackbag.toool.nl/?p=2746, the good people from FIOPS have asked the participants of LockCon to open some locks in various ways. These locks would then be forensically analyzed to figure out what actually happened to them. Of course I opted for impressioning (because me). It felt weird to impression while standing up (i never impressioned a lock that was mounted in a door before) and walking back and forth between the door and the table also felt rather novel.
(As this all took place late late at night during LockCon, “some” alcohol might have impacted my opening as well)

This is the video shot by FIOPS of my opening attempt;

Book review: Little Black Book of Lockpicking

Thursday, September 30th, 2021

Two weeks ago Alexandre “FrenchKey” Triffault published the book Little Black Book of Lockpicking on NDE techniques for Red teams and security professionals. The book has 171 pages with a broad variety of lock types and opening methods, from lockpicking to impressioning, and from making cutaways to decoding combination padlocks.

Whenever there is a new book about lockpicking I pick up a copy especially when it’s written by a friend. It sold for €35 Amazon that does the printing and distribution of this book. The book is a good read and is a continuation of the OFC guide to lockpicking (free pdf) that’s also written by Alex and translated by MrAnybody. The OFC guide is all about lockpicking while this book includes many more topics including bumping and impressioning, both topics I’ve paid extra attention to.

The first thing I noticed was the many high detailed graphics used. Alex modeled the locks, lockpicks and other tools and included 3D renderings in the book as virtual cutaways. The style works very well for this book. It does not just write about a concept but also shows how it is done.

The book is 27 chapters and on average six pages for each subject, this inevitably means there is not too much room for details or nuances. This is a pity as Alex has the ability to give insights I would never think of.

I want to mention that the advanced topics in the book like (self) impressioning will take a long time to get good at. For me, I’ve experienced it takes many failed attempts to do these attacks, even in a controlled environment. Attacks like self-impressioning took me a very long time to make work. I can only imagine how it would be to attack doors on an assignment.

This is one of the better books on the basics of NDE and I recommend getting a copy for yourself or to to share. When you share the book, do keep in mind the book is written for red teams on an assignment and not for hobbyists. It is never a bad thing to give a small lecture on the locksport ethics and our view on locks as a puzzle with the book.

About Impressioning Handles; DIY

Saturday, July 10th, 2021

In the summer of 2020 Jan-Willem decided to photograph his impressioning handles. Not only are pictures easier to share than the handles themselves, most of them are not worth keeping as they don’t work as well as advertised. This will hopefully be a short series of blogs on impressioning handles. This is the first one about DIY handles and handle experiments by Jan-Willem. Hopefully this post will inspire you to pick up impressioning or to motivate you to build your own impressioning handles; really you can do a lot better then most of the handles in this post.

What makes an impressioning handle an impressioning handle? It has a few requirements:

  • To hold a key for impressioning.
  • Facilitating the motion of impressioning; rotational torque while moving the handle up and down.
  • optional: Comfortable to hold. (This will come in at another blog on improvised handles.)
  • Preferably to reduce strain on the arm by applying rotational torque with one hand and the up and down movement with the other.

This post is solely about the handles not about impressioning itself. Missed out on this marvelous way of defeating locks? Maybe you can find videos on YouTube. I believe Jos Weyers has a few videos on the subject. 🙂

Disclaimer: I’m not a machinist and most of these handles are mostly build with simple tools and from scrap metal.

DIY Impressioning handle 1

After lockCon Jan-Willem was inspired to build his own Impressioning handle. This is the first iteration. Build from scrap laying around in the workshop. The handle works very well and the form factor is great. Mostly as you can’t torque and move the handle up & down with the same hand teaching good impressioning habits from the start.

DIY Impressioning handle 2

This is the second impressioning handle. It’s from 25mm or about 1/2″ aluminum round stock with a slot for the key and a few screws to keep the key in place. The long screw was kept in place to help with rotational torque. The blue covering is for racing bike handlebars and is, apart from looks, completely useless. The covering gives the illusion of grip. People unfamiliar with impressioning tent to think impressioning must require a lot of torque and thus break more keys when starting out.

This model was quite successful and about 20 of them where made. Jan-Willem still uses them, without the handle. Toool has a bunch as well for impressioning workshops, two of these are still traveling the UK, and the rest are sold to friends starting out with impressioning.

DIY Impressioning handle 3

Impressioning handles three and thereafter are made to save as much cost as possible. They can be made with simple tools out of inexpensive material but still work reasonably well.

The first two are made from partially flattened copper pipes. The ends are bend up to keep the key in place. While the design works it has a few obvious drawbacks like replacing the blank is an hassle on both of them.

DIY Impressioning handle 4

This design works a lot better than handle 3. But it’ll not work for all keys as the hole in the blank is used for mounting. It was also an experiment using bicycle handles for grip. It works almost as well as it looks.

DIY Impressioning handle 5

This concept is the cheapest of them all. It’s a PVC tube with a wooden dowel/insert clamping the key with friction. It works well but changing the blanks can be a hassle. The rings of dust around it are where it used to have the race bike handle covering. That has been removed and hence the ugly stripes.

DIY Impressioning handle 6

The last design I want to show is a failure. This is made from POM (Brandless Delrin) rod and is similar to handle two of this article. The POM is not stiff enough for gripping the key tightly.

In a future blog post we will hopefully discuss more impressioning handles. A few ideas for future blogs: Why you might or might not want to pickup professionally designed impressioning handles for hobby use, Things that can hold a key but where never designed to, and more DIY handles from other people in the community.

Feel free to steal ideas or use the photos. The ideas are free the photos are CCBY4.0 Jan-Willem Markus, Toool Blackbag. If you create your own impressioning handle design, please share it with us and we will add it to the DIY impressioning handles in a future blog.


Classic car ignition lock

Monday, March 9th, 2020

Once in a while people bring very interesting locks to our meetups. In this case an ignition lock from a classic car. The task was clear: impression a key for this lock. Taking this lock apart would pose serious challenge and risks.

As the ‘job’ was not announced in advance we had to make do with what was on hand: steel blanks, imperfect magnification, and an old file.

Complete ignition lock.
The back of the lock.
A working key!

Do you want to learn how to impression a lock? By special request we can bring the impressioning gear to the meetup. It’s not something we carry standard because of volume and weight.

MKS impressioning at Hackerhotel

Thursday, February 27th, 2020

On the Valentines weekend 400 Hackers met at a hotel in Garderen. There was the conference: Hackerhotel 2020. It felt like a huge hackerspace meetup with talks and workshops. I’ve followed the hardware hacking workshop by @Jilles_com and learned for to extreme read!

Jos was asked to do his talk om Master Keyed Systems and how to defeat them using impressioning. Summary: “Privilege escalation attack? You are doing it wrong! Use impressioning to your advantage. :)”

If you can’t figure it out from the summary you can find his talk on YT here.

Czech Lockpicking Championship 2019

Thursday, November 28th, 2019

Czech Lockpicking Championship 2019 by the Association of Czech Lockpickers.
Website: www.lockpicking.team

Report by Jan-Willem.
On Uklocksport Meastro posted an open invitation for lockpickers to compete in the Czech championship. The topic is a good read, you’ll find a lengthy discussion about the rules and difficulty of the locks. I’ve decided to join the competition and booked my flight.

The conference started on Thursday evening. I flew in on Friday and missed every easy method to get to the conference easily. I’ve haggled with the taxi driver and he took me to the conference. It took 90 minutes and was the most expensive taxi drive I’ve had to date. The Taxi driver did not speak much English and told me he was a diving instructor. From driving I understood he was a rally driver too. Just before dark I arrived at the location. The competitions had started earlier and meant I missed the padlock competition.

Main building at Youth camp Nova Zivohost

The conference was held at the youth camp at Nova Zivohost with many small cottages close to the river. The competition was held in a large cafeteria like room on wooden pick-nick benches. Even the most basic accommodation was more than sufficient. I’ve slept in a small cottage with bathroom on 200m.

Moldau at Youth camp Nova Zivohost

The championship has many disciplines; Padlocks picking, cylinder picking, safe locks, and impressioning. Safelocks and impressioning where new competitions this year.

Each competition had it’s own timetable, rules, and dedicated crowd. In between the competitions there where talks on various topics, from safe locks to decoders and lock patents to locksport groups. I’ve participated in Imperessioning, group 2 safe manipulation and freestyle.

The prices on display

The Friday night was used to get to know each other. Each lockpicking group had a small talk on the country and lockpicking group. Many nationalities where present. Not limited to: Italian, Czech, Hungarian, German, Austrian and Dutch. I’ve done a small and improvised talk on Toool, shown off a few projects like ‘the room’ at HackerHotel. The talks took quite a while as everything was translated from Czech to English and English to Czech. I’ve Marek to thank for translating every little detail.

Impressioning was my first competition. The pick-nick benches where a bit annoying as I could not get the right angle. I’ve brought my block-o-wood vice with me and it did work perfectly. In the first round we got one lock and 5 counted blanks. I’ve opened mine in 90 seconds and proceeded to the finals. After 7 minuted eight people opened the lock, four for each final. All the blanks where counted, all of them needed to be returned.

Jan-Willem at the impressioning championship

For the finals The Czech competition got extremely difficult locks: Fab 200, Fab 1000, Tokoz tech and Evva are no joke. These locks are restricted and wherefore I was not allowed to keep a lock, a blank or a photo of the keys. It was unexpected and quite annoying. I’ve managed to open the Fab 1000 and won the competition.

Impressioning setup.

I’ve entered the freestyle competition and it was a lot of fun, 5 minutes a lock. All tools allowed. Some of the locks where too hard. This included the Stealth key, Multilock and Xsecure (dimple). None of these locks opened on my table.

For the group 2 safe manipulation we had one hour to crack a S&G safe lock. Out of all competitors none opened the locks. I did not enter the Blitz (30 second knockout) or Cylinder competition. I used this time to talk with others at the conference. Many people have a story to tell if you talk time for them.

Table full of lockpicking equipment

The competition was a lot of fun but there are plenty of improvements to make. For me it all comes to communication but this is likely due to the language barrier. The competitors where likely overestimated, this meant that some competitions where harder than necessary. For instance if only 2 out of 16 open than the locks are too hard. Harder does not equal better or more fun.

I would like to ask to value competitions equally. Cylinder lockpicking was the larger competition. That does not mean it takes less effort to win freestyle, padlock or impressioning.

Thanks to the Czech team for organising this event. Please check www.lockpicking.team for the next event. 2020 will be LockFest and 2021 the next championship.

Certificate for winning the Czech impressioning championship

LockCon 2019 – impressioning

Tuesday, October 29th, 2019

Some 40+ people participated in the impressioning championship. In the first round, one lock needed to be impressioned within an hour. The locks were sponsored by Abus and they gave us keyed-alike cilinders with a rather shallow profile. Within the hour, 32 people opened their lock.

The 6 fastest went on to compete in the A-final, the 6 runners up in the B-final. Both groups needed to open 6 locks in less than 15 minutes each. These were locks with more difficult profiles.

The result:
A-Final
1. Manfred
2. Jan-Willem
3. Jord
4. Walter
5. Cocolitos
6. Jos
B-Final
7. Alex
8. Oli
9. Mathias
10. Torsten
11. Datagram
12. Rebecca

All the times scored in the A and B finals
Jos hands the first prize to Manfred

(Post by Walter)

Impressioning

Wednesday, March 7th, 2018

At the regular Toool meeting in Eindhoven, we decided to spend the evening improving our skills in impressioning. We filed some keys, exchanges some tips and generally learned a lot.