Master lock auto-cracker built as coursework at University

We love the beginning of May because the final projects for college coursework start rolling into our tips line. Here’s one of the latest: an automatic Master lock combination cracker built by [Ross Aiken] and his classmates as part of their ECE453 Embedded Microprocessor System Design class at the University of Wisconsin – Madison.

We’ve talked about the ease with which these locks can be cracked. But [Ross] points out that the resources we linked to before are flawed. To get the combination as quickly as possible the team has implemented an algorithm discussed here. Their machine uses a stepper motor to turn the dial with a big solenoid to pull on the shackle. The system is sensitive enough to detect the “sticky” spots of the lock, which are then used to narrow the number of possible combinations before brute forcing the combination. As you can see in the video after the break, the shackle moves slightly when pulled after an incorrect combination. The long vertical pin near the solenoid will pass through an optical sensor when the correct combination is found.

Do you have your own final project to show off? What are you waiting for, send us a tip about it!

Comments

  1. Zee says:

    Is the narrator text2speech? Sounds good but slightly artificial.

    • Ross Aiken says:

      Nope. That’s 100% me.

      • rob says:

        It’s a bit creepy. I like it.

        • Ross Aiken says:

          Sad thing is, I was talking slower than usual for this vid…

          • ColdTurkey says:

            Wow, dude! This is slow for you? No offense but i think i’d have trouble following you at times if you were to talk quicker. I have a programmer buddy who is blind and uses text to speech significantly sped up, his speech program reminds me a bit of your narration. Not a diss at all, in fact i’m quite impressed!

          • Ross Aiken says:

            It is an area that I’m trying to improve upon (talking slower, not quicker). The underlying problem is that I think too far ahead when I’m talking, and if I talk slowly, I’ll get so far ahead of myself that I forget what I’m supposed to be saying by the time my mouth catches up. Most of the time, I can force myself to slow down, but some times (especially if I get nervous or distracted), I really just unleash the high-speed fury.

            Maybe I’ve missed my calling and should pursue a career as an Auctioneer?

          • Chris C. says:

            I had to watch the video just to hear what all the hubbub was about.

            It does sound…unusual. Not just fast, but I think the correct term for it is “decimated” – where audio is sped up without changing the frequency, by chopping out regular portions at zero crossings. I wonder if that’s due to deliberately speaking slower than your natural cadence. It’s pretty amazing though. I’m stuck with the slow Southern drawl I was brought up with, can get rid of my accent but not speed up much. ;)

            You would indeed make a great auctioneer, but with a top-notch project like this, it seems you found your calling just fine.

          • ColdTurkey says:

            Haa, i know what you mean. I guess I have a similar thing, especially when anxious but I usually just trip up straight away and end up repeating myself more than necessary. I suppose it forces me to talk slowly (well, slower) rather than have to try to learn. Thinking about it, i don’t know which i’d prefer!
            Seconded on the auctioneer vote! In awe of your project, great work!

          • Queeg says:

            Better to think faster than you speak than the other way around.

    • Ross Aiken says:

      Funny thing is that I actually tried a couple tts voices, but thought that they sounded too artificial.

  2. eoi says:

    Neat project!

    I’m glad the video had captions, because the voice is a bit hard to follow. Sounds like a slightly toned down version of Cartman.

  3. McGuiver says:

    This is a very cool hack. I like this hardware. The software looks like it was also done well. Hope to see more hardware hacks like this. Great projects.

  4. MrX says:

    This project is absolutely well done! Kudos for the team.

    PS: Love the component placement in the PCB :)

    • chango says:

      I was impressed too. I’d be patting myself on the back for a couple of months if I cranked out a (working) board that clean.

    • Justin Krosschell says:

      Thanks for noticing the component placement. The video doesn’t actively show it, but we used a couple of red SMT LEDs for Bucky’s eyes. Every time a combo is run, Bucky’s eyes do strange and wonderful things!

  5. Lupin says:

    All this is done just in one university course in one semester? By students? I wish we’d do such interesting projects at university. But most of my co-students wouldn’t have a clue how to pull off such a project :-(

    • MrX says:

      I feel the same, university was such a joke :(

      • andarb says:

        I swear, one of these days I’m going to make up a diploma that says ‘AUTODIDACT’ and frame it. I learn much more on my own time than in school.

        • Greenaum says:

          I was kicked out of science lessons a couple of times. I was bored and played up. The punishment was being shut in a room full of hundreds of back issues of New Scientist magazine! Since I’d already read thru the textbooks out of boredom, it was a big help to my education. More educational and I actually enjoyed it.

          I’m smart and technically-minded but get bored very easily, when I’m not doing my own thing. So school wasn’t really helpful, I also taught myself mostly.

          At the schools I went to, a chemistry lesson involved doing the experiment, then copying down what *should* have happened off the blackboard. Which I suppose actually is good training for real life. Unfortunately.

          • AnarKIT says:

            I had a friend in high school who got busted for smoking pot in the bathroom, ended up having a few months of in school suspension where he did all of his coursework in a controlled room. He loved it, it let him focus and get his stuff done and he did very well with it. He was very irritated to have to go back to the normal classroom setting.

    • Ross Aiken says:

      Yeah, it was a team of 3 people. We decided on the project in the beginning of February, design began mid-February. PCBs were ordered by the end of March, fab was finished in early April. The next month was spent debugging the ZedBoard interfaces and getting the algorithm working. We were finished by May.

      The initial programmable logic design (where I spent most of my time) was done on a Digilent Atlys that I had laying around (this, and the simulation of the logic, was done in parallel with the PCB process) (the 7-stage stepper driver, for better or for worse, is implemented in the PL). When we actually moved over to the ZedBoard, it slowed things down a lot (bitstream takes about ~3 minutes to generate for Atlys, and around an hour to generate for ZedBoard). The PL code isn’t perfect, but we found stable values (for velocity, acceleration, jerk, and current limiting) to run it with, and stuck to those in software.

      The team itself was one grad student, and two undergrads.

      • Hack Man says:

        Why not use a RPi or Arduino? I guess a RPi would be preferred, to give you the HDMI/GUI but STMicro’s L6470 + rotary encoder hardware would allow one to do this without custom hardware, would it not?

        • Ross Aiken says:

          Yeah, an Arduino (or more preferably an XMEGA board of some type, since that has hardware support for quadrature decoding). Then, a couple of FETs to drive the solenoid and an EasyDriver or equivalent for the stepper, with a simple LCD screen for output, and a pushbutton for ‘go’, and voila, you have a less overkill design.

          Granted the ZedBoard was supplied by the course (and hence its use was encouraged)

          • Hack Man says:

            Gotcha. Solid build!

          • Hack Man says:

            Why FETs over, say, a relay? Do you need variable shackle pull?

          • Justin Krosschell says:

            The original intent was to have variable pull (two FETS with power resistors in between them to perform a set-hold function), but we didn’t actually use that in the long run. The FETs are acting effectively as solid state relays (have an on-off function). The solenoid we settled on could be driven continuously at the rated voltage, but if you were overdriving the solenoid you can reduce the drive voltage to prevent heating, saturation, etc.

  6. ColdTurkey says:

    Cool hack! I didn’t know the ‘sticky spots’ could be exploited to significantly narrow down the possible iterations. Sounds like the guy is talking so fast that he trips over a few words and sounds like a mumble, still, props!

  7. Ilan says:

    Another data point: a quite similar project from last year’s MIT 2.131 Advanced instrumentation and Measurement:
    http://www.bnpeters.com/2131-advanced-instrumentation-and-measurement.html

  8. peter says:

    Nice project and the execution seems top notch– nice board layout and soldering. One thought I had was that an FPGA/ARM Soc seems a bit overkill for this. Was the ZedBoard part of the design requirements? You have a lot of processing power but the rate limiting step is the stepper motor. You can’t speed it up too much because if you spin the dial too fast, the internal discs will continue to spin due to inertia.

    I know it is customary to deride the use of Arduinos at Hackaday but I think that this is a project where it would have fit nicely.

    • Ross Aiken says:

      Yeah, this really was overkill, however the ZedBoard was a part of the class requirements (it wasn’t explicitly required, but the use of it was strongly encouraged, as the focus of the class was integration, and the teacher wanted us to learn about Linux driver basics).
      It would have been far less painful to do on an Arduino, but where’s the fun in only using the adequate amount of processing power??

  9. Gdogg says:

    Fellow fast speaker!

    Great project. It would be too cool if you could make one that could be attached to a lock that’s already on a locker. Maybe a stepper like normal, and something between the shackle and case to ‘pull’ (but really push) the shackle.

    • Ross Aiken says:

      Being that this was a class project, we figured that it would be better to have something that couldn’t directly be used for nefarious purposes. The price for this could probably be brought down to under $100, without losing much in the way of performance, and at that point, this could be useful either as a vending-machine-type-thing for a locker room, or at a locksmith’s (our teacher brought in three locks that he didn’t know the combo to, and we found all combos in under ten minutes)

  10. Tom the Brat says:

    Careful! The government is likely to consider this a security risk and delete it from the internet! You can’t have lock-breaking instructions where just ANYONE can find them ;) Next thing you know, those hackers will be making guns or something.

  11. tim says:

    Great project!
    I wanted to build one during this summer, but looks like you beat me to it. Very clean implementation (better than anything I would’ve made). I wonder if it’s possible to use a faster stepper motor to increase the cracking speed.

    • Squirrel says:

      The stepper motor wasn’t actually the limiting factor. Since the pressure-fit coupler pushes in against the dial, we were afraid that much faster spinning would destroy the locks (as it was already causing some locks to … emit … metal filings). The stepper itself could easily have been spun over twice as fast.

      The real way to increase speed, is to either determine the first and second digits as @Ilan’s link does, or to back-dial the second digit of the combo
      http://woodgears.ca/combolock/left.html
      If you spin the second dial to its reverse combination, you can get away with only entering the first digit once to check all combinations of second and third digits. I was actually working on an algorithm for this, but ran out of time.

  12. Rob says:

    A buddy of mine (you out there, Matt?) in high school would do that process with a single sheet of paper and his mind… granted, to open any one lock took him approximately one study hall period (took me a bit longer, so I’d do some of the prep work and he’d do the derivations and actual lock spinning), but then neither of us needed to do anything in study hall as we’d already done the homework during the lesson. Free studyhall periods plus smart kids with a scratch pad equals concerned teachers and admiring classmates. Granted, it never got us any chicks…

    Had we had these kinds of resources readily available, we’d likely have gotten suspended or hired, I’m not sure which. Very cool project… well done!

  13. NewCommentor1283 says:

    first of all awesome machine that works more reliably than me

    i thought all you needed was a super strong neodymium magnet
    and a pen and paper and calculator??? …. on a dudley brand lock

    i easily cracked the first two digits from my own lock this way
    to prove it could be done. it seemed like it was easier
    to find a digit if i was rotating it the wrong way but only
    worked one pass until you start over. cant exactly
    remember which way to get the last number, its confusing.
    but somehow i got the last digit of my own combo

    to get the digits from your raw data,
    you average out all your findings after doing each digit at least 10 times,
    ( i did about 15 or 20 each table of data)
    then the result is off by only 2 or 3.
    ***_AFTER_*** you arrange into tables of “might be the same number”
    so you can eliminate the random results that only appear once (outliers)

    ie raw data 46,48,41,52,17,27,21,33,29,10,15,31
    combo:
    46,48,52 = 48.67 (48 or 49 +/- 2)
    17,21,15 = 17.67 (17 or 18 +/- 2)
    27,33,29,31 = 30 (30 +/- 2)
    outliers: (errors)
    10
    41

    PS: this is not my actual results or combo,
    but i assure you it worked this way!

    PPS: if you dont mind damaging the lock…
    two different sized MINI screwdrivers and 7 minutes…
    for a dudley,
    i assume masterlock is easier to brute with miniscrewdrivers
    but i havent tried

    PPPS theres also the quarter turn trick but its not reliable,
    not always the same direction or magnitude and
    only works with neodymium magnets that are so strong
    they’re hard to find
    (need harddrive magnet from ***_before_*** 1990
    aka vintage/collectable/frombeforeIDE/PATA)
    but the quarter turn trick ***_IF_*** possible does NOT need multiple tries with averaging…

  14. Nice Work :)

  15. sajdiasdjiajs says:

    They couldn’t even figure out how to take a screenshot, so they must resort to using their “smart” phone’s camera, and stay away from an HD camera, which probably explains why they chose to use slow-ass interpreting python, and not something better, Like C.

    • Justin Krosschell says:

      Actually, it was a Sony 18 MP HD handheld digital camera with 1080p 60 frame video. We even used a tripod… ***GASP!**** That is why even though the video is slowed down to show the effectiveness of the algorithm the image quality is still quite good. Generally, in the university, you get marks for the quality of the work/design, not the documentary you make for Youtube/Hackaday after the fact. Also, the GUI uses python because of its ease of implementation (keep in mind this is a one semester design project from concept to completion), but everything in the background uses C (something better in your mind, apparently). The real cause of the time lag is that you are running an entire graphical Linux distribution on something about as powerful as your *smart* phone. I/O and terminal output isn’t going to be extremely fast. Sorry for the rant, but get the facts first.

  16. echodelta says:

    I have at least one dead padlock laying nearby.
    On speech in video; he reminds me of the host on NPR’s This American Life, rabbit fast and then long pauses. It’s those pauses that are annoying.
    The real problem; after 13.7 Db of boost to peak it was still unintelligible. That’s less than a tenth of normal level.
    Face the mike-camera or patch or edit miked audio into video. Talking beside the mike or behind just don’t do it. Talking to the wall and picking up the echo is worse!

  17. garhol says:

    Reminds me of a similar hack that Neil Fraser did in 2002 – http://neil.fraser.name/hardware/locraker/

    • Justin Krosschell says:

      This is sweet; similar concept. I especially like the superstructure made from Meccano. Reminds me of a James Mays Toy Stories episode! Adds a bit of Victorian hack appeal!

  18. Very impressive and kudos to the author for a really high-tech solution to an old padlock scenario. I am amazed at the intricacies.

    HOWEVER, for those that just need to pop this lock within a few seconds (mostly any padlock that is): Take a Red Bull can. Drink the contents or just pour it out. Wash it out with water so it’s not sticky inside. Take some scissors and cut out a small shaft slightly larger than the bolt’s circumference. Form it around the bolt leaving your self a convenient handle on top to manipulate it vertically. Then use it as a shim pressing it down on the latch (which I think is on the inside left side facing the combo dial). The Red Bull can metal is thin enough to fit between the clearance between bolt and housing and strong enough not to deform while pushing it down between the internal latch and the bolt. And then just pull the bolt open! I think a different pattern cut also works on handcuffs too but I never tried it.

    Please do not do anything illegal with this information…

    • fartface says:

      This does not work on any real master locks made in the past 15 years. The knockoffs, yes. But Master had fixed that problem nearly 2 decades ago.

      • Justin Krosschell says:

        We were aware of the shimming technique. We have specifically tested this device with the newer Anti-shim locks as well as the older locks. We opened a professor’s lock that he had not had open since the 1970’s and we opened brand new locks purchased from the local hardware store. It seems that all master locks of this form factor behave similarly. You can also get a pretty good sense of how the locks work by using google’s patent search and finding the old drawings and schematics.

  19. Marek Sokal says:

    A shim made from an aluminum pop can will open one of these bad boys in about 10 seconds or less. Neat project but definitely not the best method if you “forgot your combo”.

  20. jason says:

    A guy in the class ahead of me did this for his senior project. He couldn’t get it working in time for the exhibition, though, so he just dropped the combination into his program. It was hilarious.
