More problems for Abloy Protec? Decoding the pickproof lock?!?

Having a weblog like this attracts a lot of interesting people. And some people who think they are interesting and just try to feed you with little tidbits of information to ‘tease’ you. Well … I think I have grown pretty immune for that.

One of these people mailed me little over a year ago is interesting though. He claimed to had developed a method of decoding an Abloy protec ‘in around ten minutes, fifteen max’. His real problem was cutting the keys after decoding the lock. During some long talks he explained that decoding a 2, 3 or 4 cut disk was the most easy, without telling me how he did it.

Abloy Protec Decoder

And all of a sudden today there is a video on Youtube, showing the decoding of an Abloy Protec. What you see is some sort of probe tool (made from a keyblank), a scale and a laser pointer to tell you how far the probe can be turned. It seems as if this way you can identify the position of the disc, and the laser pointer will tell you the number of the cut. It is a pity he is holding the lock in his hand and that he is using a cut-away lock that is set to the factory cutaway combination ….

But this sure is a big dent in Abloy’s reputation. First the video of a destructive opening technique and now a video of decoding the ‘pickproof lock’.

I am convinced the person who made this video is very skilled and bright, and I think the video and tool are for real. I would just love to see some more close ups of the tip of the tool and some more info. And that also goes for another strange video that was released on Youtube: Pick Mottura doppia mappa.

If all goes well I will meet the person behind these tools and techniques in a month orso, and hopefully can give you some more details. In the meantime we can all speculate about the tool in the comments πŸ˜‰

* Update 06-02-2009 (19:15) : the video was removed before it even got 500 hits. It is a good thing I captured it before it went offline …

** Update 08-02-2009: the video became online again on youtube and could been found here.

*** Update 14-02-2009 video was removed from youtube again…

45 Responses to “More problems for Abloy Protec? Decoding the pickproof lock?!?”

  1. Wow, downloading the video right now and coming back later this evening to comment on the thing and speculating why it would or would not work πŸ™‚

  2. Alexandre says:

    Hi !

    I viewed the both videos you are talking about and I wanted to post the one concerning the abloy on your previous article, but you were faster !

    As you said, we need more details on the pick and the procedure, it seems to be too fast !

    Concerning the mottura’s video, we cannot see anything, I hope you will meet the guy and explain us the things !

    Thanks for your blog

    Alexandre (one French member of LockCon)

  3. SantasLittleHelper says:

    I’m 99% sure this is Jean-Claude’s alternate personality. πŸ˜‰ I remember some drunk ramblings in IRC months ago, so don’t be surprised if this decoder is some sort of well orchestrated hoax. But if he did really create a working tool, then I’ll tell you…he’s a very eccentric guy. I think he’s also gone by the name of AquaRegia.

  4. Barry says:

    Santa’s helper: no, I am 100% sure this is not Jean-Claude. I asked Jean-Claude not to post here anymore, and I m glad to see he is keeping his word. I really hope your comment does not fuel a big flame war, so any comments about Jean-Claude will be deleted on the spot by me.

    Thanks for your concern, but as I said: I have good reason to believe this video is not a hoax.

  5. Barry, and the reason is? πŸ™‚

    I’m saying BS on this video until otherwise proved, as it shows all the signs of a hoax: Not showing the tool, shoddy video quality, YouTube, and knowing the internals of the said lock I don’t see any way of getting between the discs to find the gate position.

  6. doppiamappa says:

    let me keep a little secret on the tool damn it:) is obvious I dont show everything for security reasons also.
    Believe or not- the fact is :I own that protec
    Tank you for comment what ever what is the oppinion

  7. Barry says:

    Jaakko: the reason I think it is not fake is because people I trust claim to have seen the tool working. And the person who developed this technique is a well known and well respected individual in his own circle.

    But I agree that if I would not have had this background information I most likely also would have called it a possible Hoax too.

  8. doppiamappa says:

    I decide to stop broadcast for the moment.Lot of interesse and sterss fot he question.

  9. Well, obviously the only way to get the proper angle is to detect the gate position, which should be impossible if the disc stack is properly assembled, meaning there is no gap between the discs and spacers.

    Other option would be the same as for Classic, Profile and Exec, meaning you would bind the discs to the locking bar via tensioning, which is impossible in Protec due to DBS.

    The reason I suspect this is because the tool seems to detect the gate position, which would mean that there has to be a way to get the tools probe in between the discs and spacers, which I don’t see happening because of a properly stacked discs/spacers.

    The tools key part could be a key that has been cut/filed down to the number 6 cut to not turn the discs for decoding and the probe part could be shaped like an L, as it obviously has to be lifted from the tang to move it to the next position, implying that the end tilts away from the discs edge. This implies that the tool actually finds the gate position by some sort of small probe tip, as the tool can be rotated and it stops to certain point when “ready” and it rotates a minute amount around the proper angle.

    doppiamappa, if you really have tackled “the impossible”, I’ll lift my hat and congratulate you on a job well done and would like to hear more πŸ™‚

  10. Barry, I understand your reasoning, I have quite the same policy when it comes to believing something over the internet πŸ™‚

    doppiamappa, I see no reason to stop broadcasting that video because it doesn’t show anything “secret”. Good thing that I downloaded it immediately from YouTube when I saw the link to it, now I can examine it more closely and take screen caps when necessary.

  11. doppiamappa says:

    LolJaakko, send me the movie I lost it im my Pc mess, lets chat on skype:)

  12. doppiamappa, I don’t have Skype or microphone, but I have email at einstein@mbnet.fi and if you want to talk private, you can search/ask for my PGP public key πŸ™‚

  13. doppiamappa, I installed Skype now, what is your contact name? I can only chat in text, as I don’t have microphone. I’m under my own name.

  14. doppiamappa says:

    Jaakko, I leaved the office and now running at home, will be happy to meet you on skype, my name is luckylocksmith, I will be in touch tomorrow morning.

  15. Okay, remember I’m in Finland so what time are you on from which country so that I know?

  16. Ah never mind, found your country from Skype πŸ™‚ I’ll wake up at 9:00 local time.

  17. mh says:

    If there were absolutely no gaps between the disks, then you could not turn them. There’s always a gap, and the disks can be moved back and forth, and the disk and spacer geometry does not prevent* a tool from going in between them.
    The question is how much of a total gap is there on a particular lock, and how thin vs. strong can the tool be.
    *It needs to have a certain strength, otherwise the disk stamping or the spacer does stop it. A human hair for example would not reach the gate area.
    And you also want to turn the tool, and it needs a certain shape at the tip…

    So basically I would need to see the tool tested in a lock assembled to factory specs (that’s tightly filled), to assess if it’s really useful.

  18. I have now been otherwise proven about this video and I confirm it functioning.

  19. Barry says:

    Jaakko: Glad you can confirm it works. How long to do think it will be before it’s out in the open? As far as I see it, it is a ‘short term secret’…

  20. doppiamappa says:

    yep…will pop out in a short time, Barry pm me on skype when have time pls

  21. Well, I’m not sure but I have to say that the method is not a new thing, but implementing it to use on a Protec is. I think someone else also figures it out quickly, but out in the open…not from me at least πŸ™‚

  22. raimundo says:

    The reason that doppia does not want to show the details of the tool is that he is interested in producing and selling the tool, and he dosen’t want to get ripped off.
    When he sells the tool, the technique will be out for everyone, but until he does, he needs to keep the secret, so that no rippers will steal his ideas and go commercial with them.
    I see a big difference in copying a tool for personal use and copying someones idea and making money selling it while not acknowleging the person who is being ripped off.
    Why did JC get told not to post? I wanna go to a site where he posts.

  23. I contacted Abloy a day or two ao and asked what they think of this and if there has been changes to the disc design due to this (last year I heard a rumor of a change) and do they have anything to comment on this.

    The director Mononen answered shortly: “Unfortunately we are unable to help you with this”.

    So I bounced the ball back by asking confirmation that they are not willing to talk about their products safety or what makes their product safe. Lets wait and see if I even get a reply πŸ™‚

    Funny that they are not willing to talk of anything…

  24. “The reason that doppia does not want to show the details of the tool is that he is interested in producing and selling the tool, and he dosenÒ€ℒt want to get ripped off.”

    The details of the tool are already out, I at least have seen the tip of the tool and the filed down key.

    No, I’m not passing this out in public or to anyone who I don’t trust/know.

  25. “This video has been removed by the user.”

    Seems that doppiamappa has yet again removed the video from YouTube. Any reason for this?

  26. red says:

    Hi m8s!

    I’m so surprised to see this video here!

    It is coming famous on entire world! πŸ˜€

    Compliments to his creator Doppiamappa, nice tool homemade!

    C u dudes!
    Red – http://www.tilc.info

  27. al says:

    it is very interesting becouse I think to do something similar, built tool or set of tool which abloy protec will be opened that i think is one version and not so bad,

    congratulations Doppiamappa

  28. ABLOY BOY says:

    I work for ASSA ABLOY if you want any information please let me know. I hate to tell you but there are many changes to PROTEC soon to be released. I’m more than happy to speak to anyone, however i can only speak English, if that works for you please let me know and i’ll send you my details.

  29. Barry says:

    Abloy Boy: I would not have expected anything less from Abloy!

    Can you please be so kind to tell a little about the changes here?

  30. cocolitos says:

    The Abloy Protec can be picked, but the technique is special…

    I pick one Protec in about 1H30…

    it’s very difficult to say, if you are blinding on fast or real gates!!

    The cylinder isn’t unpickable, but the system DBS (and the many false gates) hinders before picking…

  31. Ric says:

    Just had a forehead slapping moment. The Protec’s DBS relies on an attacker’s inability to turn the plug except through the return bars. This significantly hinders picking because disks are constantly being pushed towards the nearest discrete position. I’ve been really looking for a flaw in this isolation and I think I’ve found it. The inter disk spacers, the ones that prevent one disk from turning the one next to it are anchored to the plug. They would be accessible through the keyway. the first spacer, the one between the first disk and the profile plate + disk controller could be used to apply torque directly to the plug. that way the DBS wouldn’t really be active. In fact The dbs could be helpful, pushing all disks to their nearest possible discrete position(like the serrated tumbler lock here “http://www.crypto.com/photos/misc/wecolock/” fig15-18) but only doing so when the attacker wishes(like before trying a new combo). Turning any disk would loosen the DBS and allow you to feel for the gate far more easily.

    I also think that a tool which expands to grip the inner diameter of the disks would be an ideal tool for manipulation. Is that what others use for this sort of thing?

    I have a theory on how the tool in the vid works, and maybe why they used a laser pointer. Basically a strip of metal with is put between the disks. One lead of a resistance meter(not sure if that’s the right name) is connected to the metal strip while the other is connected to the lock body. Check the resistance of the connection, if you’re on top of a gate the metal strip would be less well electrically connected to the lock and the connection would have a higher resistance value. I’m probably way off but what the hell. whatever the case though their scale is wrong. 1t should be 123456 then 634512as the gate positions are not mirrored for the key cuts.

  32. Ric says:

    I’m a real idiot, or at least uninformed. I’ve been working off Han Fey’s article all along which shows the basic mechanisms but not much more. I just saw this ( http://www.tjweaver84.com/how-protec-works.php ) I shows an actual Protec in various stages of disassembly and reassembly which is a lot more helpful. The disc controller itself is actually a mixed blessing. one of it’s parts acts as a curtain, a little stamped bit that goes down the keyway and acts like a curtain does in a lever lock. It’s second function is to prevent rotation of the key until it has been fully inserted. That is the blessing part. Preventing key rotation is done by a set of two anti drill plates. these sit inside the plug and, when someone tries so turn the disc controller and attached profile plate relative to the plug the drill plates are pushed into the key. there are two tabs on each plate one which fits into the dimple on the key and another which sticks into a slot in the plug. If you rotate the disc controller 90 degrees you can then use these two plates to lock the DC and the plug together and render the DBS less annoying, no need to grab hold of the spacers between discs. you could do that with a purpose made tensioning tool and then use an expanding tip pick to grab and rotate the wheels.

    that’s my few cents on picking the Protec. I’m not sure the disc controller works the same way on normal cylinders (not padlocks) but my hunch tells me that it probably does as the Protec can be retrofitted into old disklock cylinders by just replacing the plug. This probably isn’t the right place to post this stuff but what the hell.

  33. mh says:

    Hey Ric,

    Door locks have another mechanism with 2 pairs of tiny little balls and springs between each pair, the keys have a different dimple hole for that. This Disk Controller allows for a little bit more than 90 degree rotation, and it’s also locked together with the curtain and the disks that engage the DBS.

    The spacers have a round inner diameter, so grabbing them is not exactly easy…

    Cheers
    mh

  34. Intice says:

    Been reading up on this and been trying different ways to both read and manipulate a protec cylinder open. i can greatly say that i have successfuly opned a 504 cly. I originally tryed to read the lock using a thined bent pic to get between the dic and spacer , i did have some luck with it but found the pick had to be micro thin to get between the spacer and disc to feel for the gates. only thin was keeped snapping the pic. Next i studied the lock in detail and reserch bit more and found some one else had made a t shaped pic to rotate the discs. thought ill make my own.
    with comercial cyl you can rotate the disc controler 90 derg both directions before it binds with the discs. knowing this i thought that the indervisual disc can be rotated with out binding with side bar. With this in mind i began to try my maniputalion theroy, but before i went to a random lock i tryed it to code. there fore i new how much to rotate every discs. with the discs in the right position i then take a blank key and apply turning presure sure enough it opened. took a few goes but i got there . i progressed from an easyer comb to icreasingly hader ie ; code p6666660123 as no6 dics dont have to be rotated . now noing i can open a cyl to code i beleave that the product can be picked open by eith identerfying to false and real gates or by random combination of rotating the discs. i havent perfected doing this yet but have show and abloy rep who was astound that an apprentice has worked this out. im still perfecting my tecnique and will post a vid or some thing when i have masterd it unless assa abloy make me an offer hehehe.
    cheers all

  35. Derson says:

    The Abloy Protect lock mechanism can be defeated. At work, we had two of them installed. One night, I noticed that if you shake the door 5 times, the lock will get loose and the door will open itself. The locksmith came the next day to fix it. Problem is, I don’t know if it was an isolated case or if the mechanism itself was ill conceived

  36. NKT says:

    Derson, I’d suggest it was the rest of the door’s locking system that was faulty. Shaking an Abloy to get the right combination would be a one in 10000+ chance, even if the discs moved.

  37. This thread’s been idle for over two years, has there been any new developments on this pick tool or the methods it exploited? Being one of two Protec dealers in California (US) I am moving into the Protec 2 line, but wondered if the Protec line had a vulnerability.

  38. This thread has been idle for over two years, has there been any new developments on this pick tool or the methods it exploited? Being one of two Protec dealers in California (US) I am moving into the Protec 2 line, but wondered if the Protec line had a vulnerability.

  39. Jean says:

    Jean…

  40. Huxleypig says:

    Well there certainly has been developments! Sorry to resurrect another old blog but the Protec decode tool definitely exists now, it is being made and sold! Making a key to go with your decodings might not be so easy but the decoder exists for sure! I do not know if the Protec 2 can be decoded in the same way though.

    The tool is supposed to work well but is prone to breakages due to its fragility.

  41. morthawt says:

    I think the decoder Huxleypig is talking about is a key decoder, so you take the key, shove it in the decoder and it gives you the bitting numbers. Has anyone verified for sure if this laser lock-decoding technique is genuine and if it works with protec2? I find it funny how every time a video of it goes on youtube, the video becomes unavailable.

  42. Hux says:

    @morthawt – I am talking about the ‘laser decode’. I have found several vulnerabilities with Protec 1. Abloy have fixed many of them in Protec 2. Not all of them πŸ˜‰

  43. Doc Memory says:

    Hi,

    I can’t play the video. Firefox and IE say the SSL certificate is wrong and the site configuration forces SSL so there can be no exception.

    Doc

    • Walter says:

      Hi Doc,

      You are right, these old pages include an incorrect hostname. I have changed it in this post, so it should now work again. You might run into the same problem on other pages though.

      Walter.