Cutaways, and lever locks

September 11th, 2023

When we teach lockpicking we usually fall back on schematics of locks and on different models to demonstrate how locks function. These are needed because the core functionality is well hidden and rarely observable in action. Multiple skilled machinists have made cutaway locks for the purpose of demonstrating the inner workings of real locks.

At one cutaway-themed evening, we had over 50 unique cutaways on the table, from all brands and mechanisms. In some of them, even the pins themselves were cut away.

On an evening with impressioning, a member asked for some blanks to practice with. The call was answered by the keys below. Sadly, it’ll be very hard to find a corresponding lock for the key blanks, as in Europe we have thousands of unique keyways, even though they all look alike.

On another evening, we delved deep into lever locks, from your classic Chubb locks to high-end safes. A borescope was brought to try to decode some locks by belly reading the levers, that is, observing the scratches on the levers and determining the length of the bitting that made the scratches.

The WE30C also made its appearance one night. The lock was used on pay phones, and is remarkably hard to pick due to the lever blocking system, shown in the top right. As torque is applied, the blocking system engages with the levers, making all levers bind up before the lever tests the gate.

Registration for LockCon 2023 is open!

July 22nd, 2023

Dear friends,


We are delighted to announce that registration for LockCon 2023 is open! The conference will be held from the 12th of October to the 15th of October at the WestCord Hotel de Veluwe in Garderen, The Netherlands.

The Event

We will welcome registered attendees from Thursday afternoon (check-in 15:00 hr) with a meet and greet in the bar. On Friday, Saturday, and Sunday, we will have talks, workshops, competitions, and social events. And, of course, there will be plenty of opportunities to pick locks. We will have to vacate the hotel again on Sunday evening.

Invitation

LockCon is an event for the locksport community. Everyone with a passion for locksport is welcome, no matter the locksport group you are with. We work with the principle of friends, and friends of friends. If your friends are going to LockCon, ask them to vouch for you.

We have also reserved seats for people we have never met before. If you think you have something to contribute, or just are a very enthusiastic lockpicker who does not have the right connections yet, please contact us through the usual channels.

Hotel

As you may have seen, this year we will reside in a hotel. This means there will be no dorm rooms, the maximum number of people sharing a room will be 4, and you will be able to suggest preferred roommates. As always, we have a limited number of beds, so please complete the registration process early. The price for the entire weekend will be €360 per person, and will include LockCon 2023, breakfast and lunch on Friday, Saturday, and Sunday, dinner on Friday and Saturday, and lots of fun!

We are looking forward to seeing you there!

LockCon Team

Thursday October 12th 15:00 until Sunday October 15th early evening.

WestCord Hotel de Veluwe | Oud Millingenseweg 62 | 3886MJ Garderen | The Netherlands

https://westcordhotels.com/hotel/hotel-de-veluwe/

https://www.openstreetmap.org/relation/3591498

Lips shared access

July 5th, 2023

Locks don’t have to be hard to pick to be interesting, and a Lips lock Jos loaned me is a fine example of that.

Lately I’ve been drawn to picking lever locks, as they have that nice “Skyrim” vibe. You can get a long way with just some bent wires. Knowing that, Jos brought this nice Lips lock to a Toool meetup, and I got to play with it a little.

Picking it is pretty straightforward, as there are no false gates on the lever, and no curtain. The pin in the keyway does make navigation a bit awkward, but all in all it’s not hard to pick. 

Things get more interesting when you take a closer look at the lock.

First of all, it’s a Lips lock. Lips is a Dutch lock manufacturer that was founded in Dordrecht in 1871 by Jacobus Lips. In 1971 it became part of Chubb, and since 2000 it’s part of the Assa Abloy group.

The second name on the lock is P.G.E.M. The P.G.E.M. (or Provinciale Gelderse Energie Maatschappij) was a utility company delivering electricity and gas to the whole province of Gelderland in The Netherlands. Every Dutch province used to have its own utility company. It was owned by the province, and the local municipalities.

In the 1990s the Dutch government decided all the utility companies had to be privatized, and P.G.E.M. became part of Nuon (which is now a part of Vattenfall).

Below P.G.E.M. are the letters LS, which stand for Laagspanning or Low Voltage. P.G.E.M. used these locks to secure electrical substations, and LS indicates this particular lock was used on a low voltage substation. The other side of the lock tells us more about this.

Here we see “Onderstation Woudhuis” written in pencil. Onderstation Woudhuis is a substation located in the city of Apeldoorn.

The double keyway is a striking feature which is reminiscent of dual custody locks, but this isn’t one. It’s shared access, where only one of the two keys is required to open the lock. This becomes clear when the faceplate is removed.

This seems to be a form of master keying that does not need extra gates in the levers, which would compromise the security of the lock.

Every lever has two cuts at the bottom. A closer look at two of the levers shows how different cut heights make it possible to open the lock with two different keys.

Moral of the story: locks are fun in so many ways.

~Greenish

After posting the original blog, a good friend in the UK shared a page with the patent of the ‘Mastership’ two keyhole lock from 1889. http://www.historywebsite.co.uk/Museum/locks/gazetteer/gibbons/gibbons6.htm

EVVA ELUS cylinder

June 28th, 2023

I recently acquired an EVVA cylinder stamped “ELUS”. Nothing could be found about it, so I decided to investigate it.

Looking at this picture, it looks pretty standard. It is a variation of the EVVA NL system, which is itself a variation of the TSC system. The NL is a 5-pin cylinder with multiple possible key profiles and with master keying in the bitting.

But: this system has additional electronics attached to it:

The electronics implement a Temporary Access Function, similar to that in the EVVA ICS TAF cylinder, which was invented around 25 years later than this. It was an invention of EVVA Netherlands with one of their partners, but it never reached production.

Read more about it in the paper I’ve written about it.

-Walter.

What happens at a Toool meetup?

May 31st, 2023

In the current Toool rhythm, we have one meetup a week. Both the Amsterdam and Eindhoven meetups are bi-weekly, planned so that there is one meetup a week. We come together to discuss lock topics, compete in the Toool competition, and generally have fun picking locks.

In this post, I’d like to share pictures, topics and projects that have come up at Toool meetups.

A locked coin safe was brought to the meeting. Due to the construction of the box, it was very difficult to put torque on the lock with a turning tool. We succeeded in opening the lock several times, and had great fun picking the lock in literally seconds with an electronic pick.

Once in a while, we receive donations from community members. This Sparrows vault was donated to us with the request for an upgrade to the lock, as the original was not enough of a challenge. We complied, and mounted a Kaba Mas X0 electronic lock on the vault.

Everyone has a go-to pick set, one which is a mix of everything. We also bring our Sunday best in the form of dedicated sets. For example, Moki makes great pick sets, which are even better with homemade handles. Or a shiny Multipick set, be it dimple or a dual-gauge set designed by Christina Palmer. The only staged part of the photo is having all the sets neatly displayed.

We went to the Association des Crocheteurs de France conference in December 2022, and brought back a few tools and picks from France. We attempted to pick the Polox-5 and the Fichet F3D. Both attempts were made possible by the incredible work of Nitiflor, who designed and 3D printed these picks.

Jos brought a suitcase with Chinese locks, which was gifted to him for organizing LockCon 2016. At the time, these locks were unobtainable, and information was sparse. The mechanisms are very intricate, with 50-element wafer locks, and cores with continuous rotation similar to the Yuema 750, an implementation we have yet to see used in Europe.

If this blog sparked your interest in lockpicking, or if you have been picking and would like to join a meetup, please contact us. New people are always welcome, be it to learn the basics or to share advanced tricks. https://toool.nl/Gatherings

May Contain Hackers 2022

May 26th, 2023

In the summer of 2022, the Dutch hacker community gathered at the May Contain Hackers conference. The conference was amazing, with over a dozen simultaneous tracks with topics ranging from electronics, privacy and internet security, to art and technology. The program is published at https://program.mch2022.org/ and the talks are published on https://media.ccc.de/c/MCH2022.

For lockpicking content, Toool organized a lockpicking village, the MCH CTF included lockpicking challenges, and plenty of exciting talks were given, including Introduction to lockpicking and safe cracking, Anker 3800 Magnetic lock, and bumping electronic locks! More on these after a photo impression of MCH.

Jan-Willem presented an introduction to lockpicking and safe lock manipulation.

Talk description from the MCH schedule: Most security implementations leak information, mechanical security is no different. It takes sharp eyes, a soft touch, and a good hearing to distinguish between information and noise. In this talk we will go in depth on how locks work, and how we can persuade them to disclose their secrets, and open them without damage.

The Open Organization of Lockpickers (Toool) is a group of nerds obsessed with mechanical security. We create, collect, take apart, discuss, and attempt to defeat locks. While we are known for lockpicking, there are many other techniques for opening locks without damage.

This talk will focus on the language of the locks, the side channels in mechanical security systems. We will start with binding order, the mechanism to isolate the locking elements, and exploit them one by one. Then we will discuss a wide variety of other methods of gathering information and opening locks. Most of these methods are not practical, but working them out gives us great joy, and we would like to share the highlights with you.

Walter presented his research of the Anker 3800 magnetic lock. It includes deriving master keyed systems, designing an electronic key/lock decoder, and 3D printing keys.

Talk description from the MCH schedule: The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. Can it be opened without the key? This talk discusses how the lock works in a master keyed system and how it can possibly be defeated. It will cover decoding, picking and key duplication.

The Anker 3800 is a mechanical lock that has both traditional pins as well as magnetic sliders. It was designed by Japanese company MIWA and is sold in the Netherlands under the Anker brand. It is a high security lock that is often used in large master keyed systems.

I wondered: can it be opened without the key? I will present my adventures with the lock, having opened it up to see how it works, and several things I have tried to copy the key, pick the lock, decode the lock and find out what the master key looks like. The talk will include successes and failures and I will discuss designing 3D models, C&C work, electronics, Arduino programming, PCB design, and more.

The talk is aimed at people with an interest in lockpicking. No prior knowledge is necessary.

The write-up is found at https://blackbag.toool.nl/?p=3907

mh shared his research on bumping electronic locks, that is, opening electronic locks with a percussion drill and a custom attachment.

Talk description from the MCH schedule: Modern electronic locks are often optimized for cost, not security. Or their manufacturers don’t do security research. Or they ignore it. For whatever reason, many current electronic lock systems are susceptible to surprisingly simple attacks. We’ll look at some of them, and at the underlying basics, so that you can do your own research.

In this talk, we look at a number of modern electronic locks and their security flaws. Surprisingly many current systems are susceptible to very simple attacks, like the equivalent of using bump keys. Of course, there are electronic and/or SW-based attacks, too.
We’ll look at some of them, and at the underlying basics, so that you can do your own research.
Some of the problems have been fixed by manufacturers, but typically only for future production runs, so you will get some practical advice on how to test your own hardware for these critical flaws.

Jan-Willem presented a basic introduction to threat modeling and used puzzles as an example.

Talk description from the MCH schedule: Mechanical locks are everywhere and come in all shapes and flavors. But choosing the right lock can be rather difficult. For example, what is better? A lock that is hard to pick, or a lock with hard to duplicate keys. This talk will not give you the answers, but it will help you understand the trade-offs. Furthermore, we will have fun threat modeling our locks.

Is lockpicking a threat you should be concerned about, or is the brick the tool you should care for? Jan-Willem, from The Open Organization of Lockpickers (Toool), will share his ideas on mechanical security and threat modeling. We will make it fun and use several case studies, starting with defining a lock, threat modeling mechanical puzzles, and use several case studies where the threat was overrated. Simply put, attacks against locks range from the trivial to mastery. I’ll share multiple failed attempts of attacks that should be trivial, but were not in practice, and we will analyze them together.

Experiment driven lockpicking

May 10th, 2023

We are happy to present the talk Experiment driven lockpicking by Jan-Willem at HackerHotel 2023.

The talk goes into uncovering information leakage in locks like the Bowley Rotasera and Kromer Protector.
May this talk inspire you to do research and share all the interesting results.

The slides can be viewed and downloaded below.

Cutaway locks, why put in the effort?

April 16th, 2023

In a previous blog post, I’ve written about Qikom’s cutaways. This post is a tangent on why we would like to see more cutaways made and the knowledge shared.

When we teach beginners, and show them a unique lock, often they can’t imagine what happens in the lock, as all they can see is the outside. To illustrate this, let’s play a short game with a Fichet 787. The key looks quite interesting, as it has half a dozen cutouts on each side. It’s not symmetrical, and can only be inserted in the keyway in one direction. You feel a spring pushing against the key, but on rotation it seems to be like any other lock.

If you haven’t seen this lock before, take a moment to imagine what the internals are like.

Fichet 787. CC-BY-4.0 Jan-Willem, Toool Blackbag

It’s quite obvious where I’m going with this. There can be almost anything inside the shiny cylinder. It will be very difficult to find the solution without taking it apart, or looking at a diagram. The cutaway, like the one from Qikom below, shows the internals of the lock, which leaves less guesswork than a picture of the parts.

Qikom Fichet 787 Cutaway
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The interaction between the lever pack and the gears.
CC BY-NC-SA 4.0
Qikom Fichet 787 Cutaway; The lock is open.
CC BY-NC-SA 4.0

Is it anything like you imagined it to be?

What does the 787 do? The Fichet 787 is a push lever lock, where the push action allows the lateral movement of the levers to rotate a set of gears to the opening position. The sidebar is a passive element that checks if the gears are all aligned. With the correct key, the cylinder moves inwards, clears a blocking element, and is able to rotate. At the same time, the key is trapped by two half-circle disks.

It is quite possible you have seen this lock before, as it has been around for decades. I learned about the lock in 2018, and recently expanded my knowledge at the Association des Crocheteurs de France lock conference in December 2022. For example, I learned that the dovetail, which connects the cam to the core, is a fairly recent addition that prevents a (partially) destructive attack.

French locks are my favorite weird lock designs, where Fichet is king. The ingenuity is admirable, with many clever ways to solve the same problem…

Quantifying the Brinell hardness of keys

April 8th, 2023

In an effort to quantify the locksport world, I’m taking my measuring tools to locksport in an attempt to learn the details. For example, how much torque is required to pick a lock. With this knowledge, we can build better lockpicks, and teach proper technique. In this blog, I’ve set out to compare the hardness of key blanks for impressioning.

As I’m not a machinist, nor do I have access to fancy hardness measuring equipment, I’ve looked for the cheapest method I could use at home. There are many methods, and many systems, to measure the hardness of metal. One difficulty was to get familiar with the lingo and to find a measurement tool that works for key-like metals: thin, soft, etc.

The most common method of cheap hardness testing is to use Rockwell hardness testing files, made for measuring the hardness of knives, usually in the range of C40 to C65 in increments of five. I’ve found similar methods online for testing the hardness of lead with pencils, where an HB hardness pencil will be equivalent to a certain percentage of lead in tin. To my knowledge, no such system exists for brass.

More expensive methods press a hardened piece of metal with a known force into the sample, and measure the indentation. While most of these measuring jigs are too expensive, I’ve found one for cheap. That is the Poldihammer test, which is sold on eBay for around €100. The tool uses a captive ball bearing which presses both on a bar of known hardness and on the sample. You simply place it on the object and hit it with a hammer. The ball bearing presses with equal force into both metal objects. Comparing the dents gives you the Brinell hardness.

My Poldihammer came with a small magnifier and scale. It’s not so easy to use, and the resolution is minimal. The kit also comes with conversion tables, but they feel very approximate. My solution is to measure the indentation with a digital microscope and calculate the BHN from this formula from Wikipedia:

\operatorname{BHN}=\frac{2P}{\pi D \left(D-\sqrt{D^2-d^2}\right)}

BHN = Brinell Hardness Number (kgf/mm2).
P = applied load in kilogram-force (kgf)
D = diameter of indenter (mm)
d = diameter of indentation (mm)

It doesn’t take much to use the dent on the reference bar to calculate the force. As the force is equal on the key, we can use the force to calculate the hardness of the keys. Let’s take a look at a real world example. The next two images are the dents under high magnification.

Key for measurement B1: 214.581 by 209.048 pixels. This is 2.00 mm on average.
Reference bar with hardness 187. Measurement B1: 163.809 by 162.959 pixels. 1.55 mm average width.

For completeness, I’ve added the calculations to make the method repeatable and accessible to more hobbyists. The force is calculated as follows: P = BHN(reference) * PI * D * (D - SQRT(D^2 - X^2)), where X is the dent on the reference bar. In LibreOffice Calc, this is =187*PI()*10*(10-SQRT(10^2-X^2)).

The hardness of the key is calculated as BHN(Key) = P / (PI * D * (D - SQRT(D^2 - Y^2))), where Y is the dent on the key. In LibreOffice Calc, this is =P/(PI()*10*(10-SQRT((10^2)-(Y^2)))).

For the numbers above, I’ve found the force as 706.25, and the BHN of the key as 110.8. I’ve repeated the test for four more keys and measured them as 114.5, 103.9, 97.0, and 118.2 with an average of 108.9. In similar measurements, I would drop the minimum and maximum and take the average of the remaining samples, which is 109.7.
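The two-step calculation above as a small Python script; this is an added example, not the author's spreadsheet, and the function names are made up for illustration. It uses the full Brinell formula including the factor 2, which the spreadsheet formulas leave out in both steps: the factor cancels in the key hardness, but the load returned here is half the spreadsheet's force figure.

```python
import math
from statistics import mean

BALL_DIAMETER_MM = 10.0  # D, the value used in the spreadsheet formulas
REFERENCE_BHN = 187.0    # hardness of the reference bar quoted in the post


def cap_term(ball_d, dent_d):
    """Geometry term D - sqrt(D^2 - d^2) shared by both steps."""
    if not 0 < dent_d < ball_d:
        raise ValueError("dent width must be between 0 and the ball diameter")
    return ball_d - math.sqrt(ball_d ** 2 - dent_d ** 2)


def load_from_reference(ref_bhn, ball_d, ref_dent):
    """Load P (kgf) solved from BHN = 2P / (pi * D * (D - sqrt(D^2 - d^2)))."""
    return ref_bhn * math.pi * ball_d * cap_term(ball_d, ref_dent) / 2


def brinell(load_kgf, ball_d, dent_d):
    """Brinell hardness number for a dent of width dent_d under load_kgf."""
    return 2 * load_kgf / (math.pi * ball_d * cap_term(ball_d, dent_d))


def key_hardness(ref_dent, key_dent,
                 ref_bhn=REFERENCE_BHN, ball_d=BALL_DIAMETER_MM):
    """Hardness of the key from one hammer blow.

    The same ball presses into the reference bar and the key with the
    same force, so the load found from the reference dent is reused.
    """
    load = load_from_reference(ref_bhn, ball_d, ref_dent)
    return brinell(load, ball_d, key_dent)


def trimmed_mean(values):
    """Average after dropping the single lowest and highest sample."""
    if len(values) < 3:
        raise ValueError("need at least three samples to trim both ends")
    return mean(sorted(values)[1:-1])


if __name__ == "__main__":
    # Dent widths in mm as quoted (rounded) for measurement B1.
    print(round(key_hardness(ref_dent=1.55, key_dent=2.00), 1))
    # The five key measurements listed in the post.
    box_b = [110.8, 114.5, 103.9, 97.0, 118.2]
    print(round(mean(box_b), 1), round(trimmed_mean(box_b), 1))
```

With the rounded dent widths of 1.55 mm and 2.00 mm this gives about 111.9 rather than 110.8; the gap is consistent with the post's figure having been computed from unrounded widths, which is an assumption.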

The following table is the result of my measurements. The results are surprising.

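| Brand       | Average of | Acquired date | Comment                 | Measurement [BHN] |
|-------------|------------|---------------|-------------------------|-------------------|
| Silca       | Three keys | 2018          | CS206 Brass.            | 147.1             |
| Silca       | Three keys | 2022          | LD5R Steel.             | 222.8             |
| JMA         | Three keys | 2018          | Keys from Nigel Tolley. | 135.4             |
| Bauelemente | Three keys | 2019          | SSDeV Impressioning.    | 123.5             |
| Abus        | Three keys | 2019          | LockCon                 | 133.4             |
| Abus        | Three keys | 2020          | Toool Inventory         | 135.8             |
| Abus        | Five keys  | 2022          | LockCon Box A           | 127.4             |
| Abus        | Five keys  | 2022          | LockCon Box B           | 108.9             |
| Abus        | Five keys  | 2022          | LockCon Box C           | 131.5             |

Table of key measurements. Keys for Abus C83 with keyway similar to Y1.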

The data revealed something interesting and confirmed a hunch. The hardness of steel keys is the highest, obviously. The brass alloy (nickel silver) keys show a range of values. There are also outliers: for example, the keys in Box B are softer than keys acquired on the same day.

I’ve since played with both hardnesses and can tell one hardness from another in impressioning, but only when I switch from one hardness to another after a dozen opens with the same hardness. After switching backwards and forwards, I can’t tell the difference in a blind test.

One final note: the kit comes with one reference bar, which is consumable. We get about a hundred measurements out of one. I have not found replacement bars yet. But I believe we can use a similarly shaped bar of steel, which is then calibrated with the reference bar before use. This will reduce accuracy, but can be accounted for if the measurements are comparative.

Thanks for taking your time to read about measuring hardness of keys. If you have a professional (Brinell) hardness measurement tool, and want to help out, let’s swap keys and compare notes. I’m always open to learn.

Wendt lockpicking championship

April 3rd, 2023

On the 25th and 26th of March, Wendt organized a lockpicking championship in collaboration with SSDeV and ACL. Who is Wendt? They are creators and suppliers of locksmithing and lockpicking tools. They have a yearly house-fair to demonstrate the newest in locksmithing tools, and host competitions. This year’s event was specifically for the lockpicking community.

Wendt HQ in Bergheim, Germany. (Picture copyright Wendt.)

The main attraction is the German-style lockpicking competition. In short, every competitor brings their own double euro pin tumbler cylinder. You’ll have to prove you can pick it yourself in five minutes to qualify. For each of the competitors’ locks, you get fifteen minutes for your picking attempt. The final score is decided by who has the most opens in the least time.

For this year, a large variety of locks were present. Iseo, M&C, IX Saturn, IX-6, both Abus XP1 and Cisa SP, and Assa twin 2. Some of these, as you can imagine, are not opened often in fifteen minutes. This was felt as a setback by some, while others are encouraged to practice with even harder locks. Not to mention the endurance required to pick locks for over 5h straight.

Walter and Henri competed in the competition for Toool. For Henri, it was his second lockpicking event. His video (YouTube) is worth watching if you are looking for encouragement to join a similar event. For photos of the lockpicking, please see the Facebook page of Wendt.

I’d like to share a few notes on a constructive discussion on how to run competitions. To some, the competitions at events like LockCon were too easy. People felt it was a competition in who can rake the locks the fastest. This event, by contrast, had rounds with very difficult locks and few opens. There is a balance to be found between the two systems. The comments are clear: give us harder locks to pick, but do give locks that are pickable in a reasonable time.

There was plenty of room to meet other lockpickers at the event, chat with the vendors, and join the side competitions. Han Fey had a very interesting challenge, where you are given a key ring and a box of locks. The goal was to match the most keys to the most locks in the least time. The catch is, you only got one chance. If the key didn’t fit, your attempt was over.

Just for fun, Jos and I competed in the electropicking competition and got 1st and 3rd place. The real stars of the show are, of course, the electropicks Wendt sells. Truly amazing equipment.

On a side note, we call electropicking non-destructive as the lock remains functional. However, the repeated impact of the pick needle on the pins does create a lot of brass dust, as seen in the picture below.

To wrap up this post, it was great seeing so many old friends and to make new ones. Time well spent. Thanks, Sasha, and the Wendt team, for organizing this event!