We love taking on new and awesome builds, but finding that second part (the “awesome”) of each project is usually the challenge. Looks like [Nathan Seidle] is making awesome the focus of the R&D push he’s driving at Sparkfun. They just put up this safe cracking project which includes a little gamification.
The origin story of the safe itself is excellent. [Nate’s] wife picked it up on Craig’s List cheap since the previous owner had forgotten the combination. We’ve seen enough reddit/imgur threads to not care at all what’s inside of it, but we’re all about cracking the code.
The SparkX (the new rapid prototyping endeavor at Sparkfun) approach was to design an Arduino safe cracking shield. It has a motor driver for spinning the dial and can drive a servo that pulls the lever to open the door. There is a piezo buzzer to indicate success, and the board as a display header labeled but not in use, presumably to show the combination currently under test. We say “presumably” because they’re not publishing all the details until after it’s cracked, a process that will be live streamed starting Wednesday. This will keep us guessing on the use of that INA169 current sensor that plugs into the safecracking shield. There is what appears to be a reflectance sensor above the dial to keep precise track of the spinning dial.
Electrically this is what we’d expect, but mechanically we’re in love with the build. The dial and lever both have 3D printed adapters to interface with the rest of the system. The overall framework is built out of aluminum channel which is affixed to the safe with rare earth magnets — a very slick application of this gear.
The gamification of the project has to do with a pair of $100 giveaways they’re doing for the closest guess on how long it’ll take to crack (we hope it’s a fairly fast cracker) and what the actual combination may be. For now, we want to hear from you on two things. First, what is the role of that current sensor in the circuit? Second, is there a good trick for optimizing a brute force approach like this? We’ve seen mechanical peculiarities of Master locks exploited for fast cracking. But for this, we’re more interested in hearing any mathematical tricks to test likely combinations first. Sound off in the comments below
My guess on the INA169 would be for jam-detection for the servo…
Yes, I think so, too
Alternatively, measuring the force the servo needs to turn – maybe there’s a way to unlock it by noticing where the wheel is easier to turn and where it’s harder =)
Come to think of it, it could have been done with a resistor between ground and servo ground…
That would be really cool if it worked… another cool thing would have been an integrated stethoscope and electret microphone front-end hehe.
The cheapo “fire safes” like that one use a direct entry lock (not to be confused with a group 2 or group 3 lock used on decent safes. Opening a direct entry lock requires measuring the amount of slack in the handle at various dial positions (theres a bit more to it than that but it’s a good starting point).
My guess is that the current sensor is for the motor that is pushing down on the handle to measure the slack. When the amount of current draw reaches a certain threshold you stop pushing and determine where your stepper motor is. In this application a stepper with the maximum possible number of “steps” would provide the best position resolution. You would want very high resolution. I’ve seen people mount a laser to the handle and then set up a yard stick across the room. Then you look at where the laser stops on the yard stick to take measurements.
Can’t some of these safes be opened just by dropping them? I feel like that was a Thing…
Those are electronic locks, not mechanical ones. When you put in the correct code it activates a solenoid causing a metal bar to retract. The trick is that the tiny metal bar is kept in place with just a light spring. Anything stronger would prevent the modest power of a solenoid from retracting it. By placing very little pressure on the handle (such as with a rubber band) and dropping the safe on the correct face, the metal bar would bounce against the spring and the handle can slide open. A better design would use a servo rather than a solenoid. Then you couldn’t bounce it open.
Yes, but it’s hard to see pedestrians from the 50th floor.
Hah! More like 6 or 7 inches. It doesn’t take much.
Yes, I agree, I do know I have opened ” cheepo” fire safes using the method suggested above, once you find the correct spots the possible combinations are fairly limited. I will be watching to see this in action.
This. Constant and consistent pressure on the handle is critical, I always used a thick rubber band and a strong magnet. Tape a laser pointer to it aimed at the wall with a piece of graph paper, the farther away the better. Mark your base line and slowly turn the dial a full turn marking each change in the laser-dot’s position. The biggest change will be your first number. Go back that number that produced the big change and repeat the process but turning the other way to get your second number. Rinse and repeat for the third. 5-10 minutes tops doing this by hand.
I would do this openly in front of the customer to show how much of a joke these “safes” are, same thing with the bounce-open/deadblow hammer attack. It was frightening how many folks kept firearms and cash in these things, but I sold a lot of safes that way :) Ah, capitalism…
In cyber speak – if they’re going to try every conurbation it would be called a brute force attack. But with a safe, brute force is a gas axe.
If they are bothering to take measurements, which the current sensor suggests, then they are doing *something* smarter than brute force.
Dude, you just ruined the safe cracking category of Hollywood movies…
:o(
Many, many years ago I ended up with a combination padlock with a long forgotten combination. It was enough impetus at the time to hack together a simple machine to brute force the combinations.
Initial estimates was something like 200 hours to cycle all combinations, (40^3 x 12 seconds, by fuzzy memory). With a little though it become much faster.
First, you can try all the third number possibilities without re-entering the first two. (like 40^2 x 15 sec)
Second, the mechanical lock I was using was sloppy, so I skipped half the numbers. (odd numbers only= 20^2 x 15 sec)
That gets you every combination in about an hour and a half.
In the process of the project I learned about “shimming”, which gets the lock open in about 1.5 seconds – but that’s a different story….
I guess the current sensor measures the powerr usage of the safe’s electronics, some have their battery compartments located on the outside for easy access.
By reading the current you can decide wether the safe’s mcu is working because there is the right number on the dial or numpad.( Cizld be seen in an higher power consumption)
This is workig on an easy and cheap numpad protected safe, but I don’t know if this is matching all safes.