Gentle Safe Cracker

[Carlito] found a safe in his garage with mystery contents. It shows signs of attempted entry and makes interesting noises when shaken. What is the best solution to find out what is inside? Hack it open? Smash it? Blow it up? No, the best solution is to build a robot to try brute force cracking. The robot, housed in an old power supply case, is little more than a servo and a servo controller, communicating with his PC via USB. It seems like a good idea though. Unfortunately, he found it to be seriously lacking in torque, so he’s waiting now to upgrade. The contents of the safe are still a mystery.

[thanks ubernoober1477]

51 thoughts on “Gentle Safe Cracker”

  1. i had this idea a while ago but lacked the resources and knowledge required. i’m glad someone finally at least attempted it. no combo lock is safe from this attack either, which makes it practical.

  2. lol… why not rip a servo apart, tap off the motor and feed the drive to a larger drive chip to drive a second motor. that should work :)

    alternatively use the existing pcb and sub in any old multiturn pot, a small gearbox and suitably power (koff vcr eject mechanism /koff) motor, this works well for small robots.

    regards, -A

  3. i don’t know how many different cams it has, but assuming 3 cams, the lock appears to have 50 digits, and you cannot use the same number in the combination more than once. that leaves approximately 110544 combinations to try. i know that isn’t a ridiculous number compared to the amount of tries it can take to crack a password, but this requires physical movement. it could take many weeks to open a safe in this manner. even at 1 second per combination it would take 30 hours to go through combinations… i think i could work for a locksmith… but anybody looking to “crack” your neighbor’s safe in this way may want to rethink their choice in crimes…

    really cool hack though. why pay a smith to open it when you can build this guy

  4. Who cares if it’s slow? The safe would just sit in his garage anyway. This is a perfect example of using a ‘non-optimal’ technique when you’re not rushed.

    Plus if the PC keeps track of attempts, he learns the combination and he gets to use the safe in the future.

  5. I read an article a couple of years back that explained weaknesses in common combination locks. Basically, the number of operations needed to brute-force the combination could be reduced from approximately 50^3 (125000) to 2*50*3 (300). If I recall correctly, it had something to do with feeling the amount of backlash for different combinations.

    I think it would be a whole lot more difficult to automate, because the algorithm would be a lot more complicated, and you would need some kind of sensor to measure the backlash or torque, but it would also find the combination much faster, if it would work, of course.

    I recall that many of these locks have so much backlash that you could be 1 digit off, and it would still open. In that case, a regular brute force would “only” take some 7813 combinations on average for a 3-cam lock.

  6. @sparky: that was for masterlock combination locks (and their imitators), and relied on pulling out the bar to stop the lock from moving backward after a certain amount. i’m assuming this safe packs a much more sophisticated locking mechanism. i know that when i used to work retail, the safe we had for cash and fine jewelry wouldn’t open if you were off by as much as a millimeter.

    pre-submission edit: here you go

  7. reading into it some more… some locks are machined to have a 3 digit slip, in order to account for human error, thereby decreasing it from 50^3 to 17^3. that would be way nicer to deal with. also the technique mentioned was to leave the last cam and eliminate the first 2 then move the last cam to the next digit. in my first post i was assuming moving constantly… in their information they estimated about 2-4 hours for a 60 number lock. i can see it getting practical for a locksmith…

  8. The way he has the lock preloaded will not work. You can only pull on the door once the correct code has been entered. He needs to build a solenoid to try and open the door after each code is entered.

  9. i don’t think the coding would be too bad to make this a standalone unit. it would be fun to build one that mounts on a padlock with a solenoid that bumps the shackle after every code. it would be fun to have it write off to some external memory. have the user input the digits (calculate the degrees per digit). put a little lcd on it. be a neat little project.

  10. not sure what kind of safe you have there but most safes are *easily* accessible through either the back or bottom sides, depending on the style of safe, etc. My dad has a gun safe that weighs like 750lbs and if you can get to the back of it, you can damn near open it with a can opener.

    also, a rack and pinion type of setup might be a better option. glue a pinion with many teeth (hopefully an equal number of teeth as numbers on the dial) on the dial and then use a rack attached to something akin to a printer or scanner rail. The only problem I see with that is if you have to turn more than 1 turn but that could be solved with 2-3 times more teeth on the rack than the pinion.

  11. I’ve seen a locksmith use a unit like this on a small atm machine (convenience store style). The unit was manufactured as opposed to hacked. I stopped to observe the machine in action and asked him how long it takes. He said 20 minutes to 6 hours. That would lead me to believe that the total amount of combinations is not really derived from the numbers on the face but perhaps another division of the degrees. I’m not sure how the device got the feedback to tell it when it had found the proper combination and I didn’t have the 6 hours to wait ;)

  12. After reading the comments I’m surprised that only one other individual suggested a manual means of opening it. Don’t attack the lock the way the lock designer intended: be inventive and you could have this open in a couple of hours, if that.

    Locks are notoriously vulnerable. One safe I opened only had a spring holding the bolt into the door jamb of the safe, so if you could slip a sliver of plastic into the jamb it would pop open with literally no effort – and no guessing of the combination. Every lock has flaws. Exploit them!

    Chances are you’re looking at a 4 number lock with an anti-forcing mechanism inside. The mechanism will give away clues as to what numbers are likely to be part of the combination but you’ll have to use your *hands* and your *ears* – not a servo – to find out what they are. Once you’ve narrowed the range of numbers and thrown out all of the numbers that are too close together to be valid, your chances improve significantly. Finally, you can literally throw out the 4th number because most of these locks will automatically stop the dial when the correct combination is entered. Essentially, you don’t even have to try turning the handle to know that you’ve gotten it right.

    Read a book on safe cracking. I don’t mean to be a wet blanket, but this isn’t really a good electronics project. Your own senses and a bit of knowledge will have it open much faster than a computer could do the same.

  13. One of my friends left a safe at our place after moving out, as he had lost the key and didn’t care enough about leaving his crap for other people to pick up… Anyway, i was going to learn how to crack it, but decided instead to just use a milling machine to open up a hole in it. It cut really easily, but all i found inside was a bunch of old VHS tapes! It was laaaaame.

  14. looks like a pretty old safe. i’d say try manipulation, but i get this feeling the mechanism sucks enough at this point that it’ll be difficult to do that, especially given that he says he needs no torque–you usually need almost nothing to turn these guys. Also, it’s not clear exactly how you dial in the number.

    Actually, if you’re going for this, you REALLY need to figure out the correct method of dialing in the number. Let’s just say I’ve gotten screwed over by this. In case you haven’t realized yet, dialing in a master combo lock isn’t the same as dialing in a safe lock at all.

    Also, you don’t need anything to push open the door. The way safe locks work, turning the combo lock will actuate the bolt once you get the right combo. If anything, you need some means of sensing that the wheel won’t turn anymore (wheel gets stuck after actuation in one direction)

    Drilling is probably a lot easier. The locksmith had to use one of these guys on an atm machine probably because ATM machines use significantly more secure locks and are probably class I manipulation proof locks.

    The best way to drill this guy is to probably pick the drill point on one of the four sides of the lock. Unfortunately I’ve got no clue which direction the assembly is mounted, but if you’re lucky you’ll be able to read off the combo from the discs. If not, you’ll probably at least get to drill out the fairly soft bolt/actuator and get the thing open.

    Another hint (VERY IMPORTANT)–if you’re not going for the drill point, don’t go through the front. It’s a total trap and waste of time. Trust me, I’ve been there.

  15. some time ago there was a program on German tv, with a locksmith, security expert, using exactly such a thing to test his client’s safe after he had bypassed all of the other security things in the house. it was very fast at turning that wheel. He was given 4 hours for the whole thing, and once he was inside the safe there was a mobile phone he had to answer for the client to know he had done it.

  16. lots of people are saying drill it but what if he wants to use it again? or it has an anti-drill pane. My dad’s safe has panes of glass on all sides that if they break a bolt locks the door permanently. you have to call the company and have them come in and literally cut it in half.

  17. Brilliant idea! Not only will it not damage the safe, and give you the combination so you can use it again, but it’s just so much more fun! Mindless repetition is a perfect task for a robot.

    If the torque is lacking, can’t you connect the servo to a gearbox and tinker with the driving for the servo? That’d probably be cheaper than getting a tougher servo. It’d just take longer to move through a certain angle, and increase the torque.

  18. quality safes are designed such that the mechanism will wear out well before all the possible combinations have been attempted. specifically to counter this sort of process. mind you, there is always the chance you could fluke it. very interested to hear how this turns out.

  19. When we bought our old house, the basement had a safe built into the concrete foundation wall, and the door was not attached. The old owner did not have the combination, but the door was in the house. It had a pretty thick front to it, but the back was held on by two screws and the locking pins. By removing the two screws, I was able to pull the back cover off enough to look at internal mechanism of the lock and figure out the combination.

    The thing was old (1958 maybe) and was really just a giant version of a school locker masterlock combo lock.

  20. @ Geoff: That does not make much sense unless the combination is on the far end of the combo spectrum (42-50-20-49 on a 4 pin 50 spot lock), and the attack starts at the very beginning (0-0-0-0). Reduce the number of possible combinations by the variance in the numbers (pin 1 is 42, but 41 and 43 will trigger it), and it would seem that the mechanism would need to wear out very soon into the life of an often used combination lock (Think store lock box that has a daily pickup)

  21. if billy mays can use it, why not modify some magic putty to create a mold and line it with a rubber coating to hug the dial…..somehow rig up a sensor to a scope to ‘listen’ for the click…wasn’t there an electro-stethoscope somewhere on the site that is highly sensitive…..maybe it’s not so much torque you are looking for…just another angle of attack…good luck

  22. Did he introduce some mechanism to try the door? If he’s just trying combinations, chances are he’ll get it right and if he doesn’t try the door he’ll pass right over it. Good luck dude! I’m waiting for the high-torque writeup if not just to see what’s inside.

  23. @geoff – no widely available combination lock I have heard of will wear out that quickly. It’s certainly not designed into the lock – most have anti-manipulation features which pretty much avoid this.

    Listening for the clicks rarely works. What you need to do is feel for the “contact points”, and from this you can infer certain information about the wheels. It’s not nearly as simple as just feeling the points and saying that is the combination.

    The problem is that only mid-range locks are susceptible to manipulation, especially by unskilled hands. The really low end locks mask the contact points with grinding. High end locks have mechanical features to mitigate the attack, as well as being made to tighter tolerances.

    This paper explains it more thoroughly:

  24. I was thinking of doing a similar thing to quickly open those fiddly little combination locks on our school lockers. My device would already know the code, so you stick it on, count to 3 and open your locker.

  25. @signal7,

    If it takes twenty hours to build a safe cracking dialer that can automatically open a safe in ten hours, or twenty hours of studying plus three intense hours of skilled labor to open it, building the automated dialer is already less effort than cracking it. Plus it’s reusable on the next safe with minimal effort, whereas you still have to expend serious effort on the next safe if you open it manually.

    I’m not saying that learning how to manipulate a combination lock isn’t a worthwhile hobby, but it isn’t for everyone.

  26. Don’t all such safes have a serial number which you can use to contact the manufacturer? Of course then the owner might lay claim to it, unless it’s stolen from some secret government place and they kill you for being near their secrets :)

    As for alternatives, drill a small hole then fill it with water and a small explosive charge and boom it opens, been proven to be true.

    What they do here with ATM’s is fill them with natural gas (or some such explosive gas) then ignite it and it cracks open, seems to work perfectly much to the chagrin of the banks who now had to close several ATM’s pending fixes like detectors and pumps that keep them free of gas and whatever counter-trick they can think up.

  27. @wwhat

    Most combination locks can have the combination changed, pretty much all of them bar the cheapest ones. That means the serial number won’t gain you much – it is worth a try though.

    My safe has a mechanical lock, and I made sure to change it on arrival as some safe companies keep records of the keys sent out with each safe. If I lose the key, I can get a locksmith to open it.

    A box like this would be easy to physically break into using an angle grinder, probably less than a minute using a 300mm disc.

  28. How does it know that it finished cracking the safe?

    This reminds me of locker padlock cracking from back in high school. On the standard master-lock, you can lower the hundreds of thousands of combinations to 100 by a little bit of simple math (there is a few digits slip), then you can bruteforce it. Of course, the manual approach (a padlock shim) takes about 4 seconds, so….

  29. Uhhh why not use a stepper motor? I have a bad ass big one out of a laser printer, it’s got some torque. i see it as being perfect for this type of robot…. i might just go get my arduino and give it a try!

  30. Lots of good ideas and speculation here but i can fill in some blanks for you.

    I got your safe ‘robot’ right here:
    The top left image shows how you should try to open your safe first, manipulation. second, you use your ‘robot’. It’s a stepper motor that tries every two numbers and whatever information you gathered from manipulating the lock. it uses a lathe chuck to grasp the dial and large rare earth magnets to mount the motor to the safe. after trying each combination it turns the dial past the opening point. if the combination is correct, the dial will stop, tripping a microswitch to say ‘Ta Da!’ it displays the combination on a LCD readout. the whole thing fits in a nifty briefcase. if you can get a number during manipulation, say wheel #2 is 37, you program that in after setting up the autodialer, LockMastersITL2000, and your safe will be open in less than 2 hours. i’m a certified master safecracker and a certified ethical hacker. after i learned how to pick locks i just got carried away.

    Autodialer, a.k.a. LockMasters ITL2000:
