Opening A Safe With A Stepper Motor And DIY Auto-Dialer

What do you do when you come into possession of a safe whose combination has been lost to the sands of time? If you’re someone like [eNBeWe], you grab a stepper motor and driver module you had lying around gathering dust, an ESP8266 for the brains, and a few other pieces, and build your very own auto-dialer to crack that safe combination. The software has been made available on GitHub for those interested.

While other auto-dialers used in the fun hobby of safe cracking can generally find the combination in a matter of hours, if not less, it took [eNBeWe]’s contraption two days to crack the combination. Much of this was due to the hacked-together nature of the structure, with glue joints among other weak points that would probably not take too kindly to a lot of abuse. Since there was no particular rush to get into the safe, this worked out fine.

As an impromptu auto-dialer thrown together with parts that were lying around it seemed to perform just fine for the task, and we presume that this is the beginning of a beautiful new lock- and safe-picking hobby.

24 thoughts on “Opening A Safe With A Stepper Motor And DIY Auto-Dialer”

  1. I assume this uses a brute force algorithm, like trying out all the number permutations. I wonder if, with mechanical combination locks, a more efficient method could be devised, similar to the methods used by cryptologists. Combined with a little knowledge about number sequences humans are most likely to use, this could reduce the solution time down from a few days to hours, or possibly minutes.

    1. It’s not just dumb bruteforce. As I read somewhere, a safe lock has some tolerance on the dial. For example, if the correct number is 13, it may open if you dialed 12 or 14; some unlock even with 2 numbers off the center.

      So if you have a 3 digit combination with 100 numbers, it’s not 100³ combinations, but 50³. It’s 125,000 combinations instead of 1,000,000. If the safe opens when within 2 numbers off the central one, it’s 15,625. 10 tries per minute brings the average cracking time to 26 hours in this case, instead of around 70 days.

      1. Exactly. I didn’t know exactly how much tolerance there was on this safe, so I went with “try every other number”, so I reduced it to 50³ combinations.
        The main speedup is gained by coding in the dialer to remember which disk is dialed where.
        If you have to dial a combination from scratch that is about 10 full turns of the dial. If you know the current position of the disks, you can drastically reduce the number of turns for each next number.
        The dialer can do roughly one increment on the first number per hour. With 50 positions to check that makes it about two days for the whole number space.

        Professional autodialers can solve the same lock in a few hours, but I was concerned with the stability of my construction and with the forces exerted on the lock mechanism, so I kept the speeds down.

        Having said that .. The final combination looks like it could have been a birthday of someone, so maybe the idea of trying specific combinations first would have been a clever choice.

        1. I think the professional ones (sometimes) have extra options for this. You can enter a bunch of numbers, or ranges of numbers to try first, and if that does not work it goes on to a more generic algorithm.

          It can also first do all the even numbers, and if that does not work, try a finer resolution, but skipping the numbers already tried.

          But for a one-off, I would probably also just let it rip for a few days.

  2. I was curious how the device knew the combination had been reached. It would seem like between each attempt a “handle” would need to be turned or something. I’m sure this particular safe is somehow different than one would expect, like the door pops open when the combo is reached or something. I also wonder if the hacking device was connected to a computer so that once the combo was reached, you’d know what it was, as opposed to the door opening and the hack continuing to try combos.

    1. When the safe is open and you have access to the back of the locking mechanism, it is easy to suss out what the combination is. At least it was on a similar looking safe that I had access to once. If I remember correctly there were discs that had notches out of them and when the discs aligned, the locking mechanism could be actuated. You could also see how it worked in regards to the full turn between subsequent numbers.

    2. There is no detection to stop when the correct number is reached. It just tries every combination and after dialing the combination in it rotates the dial almost an entire turn clockwise. If the combination is correct that actuates the locking mechanism and the door can be opened.
      I just strapped some weight (a piece of cable duct I had laying around) to the door and had it put some pull on the door.
      I then checked every few hours to see what was going.
      As soon as the right combination was dialed, the door swung open.

      As Mojoe already said, with the door open I could open the back of the lock and “read off” the correct combination by looking at the disks in the lock.

      1. Seriously you just saved me some time. I was literally working on the same exact system to crack a safe I got cheap at a surplus shop. I was coming up with all sorts of complex mechanisms to detect when the stepper motor locked up finally with the right combination. Either current sensing or maybe with a magnetic clutch that would slip and then trip a sensor. Your idea is so elegant.

  3. Every time one of these safe dialer solvers shows up, I always wonder why they don’t apparently need to test the ‘pull the bolt lever’ after each combination. That is, after dialing a combination, what’s the detected feedback that it’s either correct or incorrect?

    1. The trick is that the mechanism doesn’t require that. If the correct combination is dialed, either the mechanism cannot turn anymore, or else additional turning causes the door to open. If the particular safe mechanism you are trying to open doesn’t work this way, then you’ll need a different cracker. For this case, read the responses a couple of comments above.

  4. Many commenters had the same questions… here are the answers:

    The main dial on a safe lock turns a pack of 3-4 wheels. Each wheel has one deep notch cut into its side. When all the slots are aligned by dialing in the correct combination, the lock can be opened. However, the way cheap ‘toy’ safes work, and the way ‘real’ safes work is different.

    The ‘toy’ safes have cheaply made built-in locking mechanisms that work like combination padlocks. When the safe handle is pulled, the handle applies pressure against the side of the wheel pack. This can be felt by turning the dial and pulling the handle. After dialing the correct last digit, the handle is pulled and the safe will open. A robot for this kind of ‘toy safe’ must have a handle pulling mechanism to sense when the correct combination is dialed.

    A ‘real’ safe has a separate lock module manufactured by one of a handful of companies (Sargent and Greenleaf, La Gard, etc). In these safes, the safe handle does not apply pressure to the wheel pack. Instead there is a small spring-loaded metal bar inside the lock that always applies pressure to the wheel pack. After dialing in the last digit of the correct combination, the user will start to spin the dial the opposite direction again, the bar will fall into the slot, and the dial will come to a hard STOP. At this point the lock is unlocked and the handle can be used. A dialing robot to open this kind of lock just needs to sense that the dial can no longer be turned. (https://www.youtube.com/watch?v=GgfBsigub0A)

    Yes, there are tolerances in these kinds of locks, in fact, the UL certification for real safe locks specifies what they are. A basic group 2 lock uses 3 two-digit numbers (00-99), where the tolerance is 2.5 digits (i.e. if the correct value is 20, you can dial 18.75 – 21.25 and the lock should open).

  5. Some safes have anti-autodial features. The most common design used friction between the wafers. Even someone who forgot the combination is unlikely to keep going for more than an hour, so 3 (or more) hours of continual movement is required to melt wax / whatever and permanently disable the combination dial.

    Once that happens, you need drills and specialised knowledge to open the thing.

  6. I heard about something like this about 30 years ago. It was computer controlled, and used a microphone to hear the tumblers. I remember it was fairly good, and could open most safes in around 30 seconds. The device had the safe companies freaked out for a bit.
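
The keyspace arithmetic from the first comment thread, as an added example (not part of the original post, the comments, or [eNBeWe]’s GitHub code): it shows how dial tolerance shrinks the effective keyspace and what share of it date-shaped combinations occupy, which is why a birthday is a weak choice. The DD-MM-YY and MM-DD-YY layouts and all function names are assumptions for illustration.

```python
from itertools import product

DIAL = 100  # dial numbers 00-99, as described in the comments


def keyspace(step, wheels=3):
    """Combinations to try when only every `step`-th number is dialed."""
    return len(range(0, DIAL, step)) ** wheels


def sweep_hours(combos, per_minute):
    """Hours needed to dial every combination once at a steady rate."""
    return combos / per_minute / 60


def snap(n, step):
    """Nearest number on the search grid to n, wrapping past 99 back to 0."""
    return ((n + step // 2) // step * step) % DIAL


def date_like_cells(step):
    """Grid combinations matching DD-MM-YY or MM-DD-YY (assumed layouts).

    Simplification: every month is allowed 31 days.
    """
    cells = set()
    for d, m, y in product(range(1, 32), range(1, 13), range(DIAL)):
        for combo in ((d, m, y), (m, d, y)):
            cells.add(tuple(snap(n, step) for n in combo))
    return cells


if __name__ == "__main__":
    # step 1 = no tolerance, step 2 = every other number, step 4 = +/-2
    for step in (1, 2, 4):
        total = keyspace(step)
        dates = len(date_like_cells(step))
        print(f"step {step}: {total:>9,} combos, "
              f"{sweep_hours(total, 10):8.1f} h at 10/min, "
              f"{dates:,} date-like ({dates / total:.1%})")
```

With every other number dialed, date-shaped combinations cover only a few percent of the 125,000 grid cells, so a combination chosen from a birthday removes most of the protection the full keyspace would give.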
