                *********************************************
                *********************************************
                **                                         **
                *    Locks and Physical Security Devices    *
                *                                           *
                *                by Sterling                *
                **                                         **
                *********************************************
                *********************************************




Introduction
------------

     Ever since man has had something worth keeping, he has devised ways to
protect it.  The Egyptians were the first to develop a working lock of any
complexity.  It was based on a flat, wooden "key" with a series of raised pins
that enabled the user to slide back a wooden bolt that protected the door from
entry.  Advances in metallurgy eventually brought forth locks of iron.

     As locks became more complex, the great medieval locksmiths' guilds
carefully guarded their secrets.  Restrictions forbade the guilds' members
from discussing the relatively simple inner workings of locks for fear of
losing their power.  By protecting their secrets, the locksmiths were able to
exploit their unique skills, charging outlandish sums for their services.

     The same principles apply today.  That is why a locksmith can charge you
$60 to come and unlock the door to your house.  Americans spend millions each
year on security systems to protect their property.  Often this money is wasted
on devices that really provide only limited protection.  In this text I would
like to expose how locks and security systems work, and how you can bypass them
if needed.

     It is easy to lose faith in the common door lock once you understand its
simple operation.  It took me less than a week with my lock picks before I
could open my front door.  Any first timer can open a desk or filing cabinet
after achieving a basic understanding of the principles of modern locks.
Hopefully this article will show more people just how insecure locks can
be, and with practice you should be able to pick your way into your house
should the need arise.

     The content of the article comes from a wide variety of sources:  personal
experience, excerpts and summaries from the "alt.locksmithing" newsgroup, and
locksmithing and lockpicking books.  Special thanks go out to *Hobbit* for his
simplex and hotel lock articles.

     There are several types of locks that you are likely to encounter.  These
locks are easy to spot and identify once you know what to look for.  Here I
will discuss everything from the seldom used "warded lock" to alarm systems.


Table of Contents:
------------------

     Key Operated Locks
        Latches
        The Warded Lock
        The Lever Lock
        The Wafer (Disc) Tumbler Lock
        The Pin Tumbler Lock
        Tubular Cylinder Locks

     Lockpicking Tools
        The Basic Picks
        Making Your Own Picks
        Purchasing Picks

     Attitude and Tips for Success

     Other Security Devices
        Combination Locks
        Magnetic Locks
        Simplex Locks
        Automotive Protection Systems
        The Marlock System
        VingCard Locks
        Electronic Hotel Card Locks
        Alarm Systems



Types of Latches
~~~~~~~~~~~~~~~~
     The latch is a spring bolt that actually holds the door shut.  This is in
contrast to the deadbolt, which has NO spring and must be manually engaged.
There are two primary types of latches, the springlatch and the deadlatch.

     The springlatch is much more convenient:  when the door is shut, the
springlatch springs into place, locking the door shut.  This is the type of
latch found on most key-in-knob type door locks.  The problem with the
springlatch is that it is easily defeated by sliding in a plastic card or thin
knife and forcing the latch back.  To prevent this, a latch guard can be
installed.  This is a device constructed from heavy steel folded lengthwise at
a ninety degree angle or a T-bar shape.  It is usually anywhere from six to
twelve inches in length and is fastened to the edge of the door by bolts.  The
latch guard hides the latchbolt, and prevents any tampering with it.

     The deadlatch cannot be shoved open like the unprotected springlatch can.
When the door is closed, the latch bolt is secure in the lock position and acts
as a deadbolt (a bolt that is not spring loaded, and resists any end pressure).
The deadlatch resembles a smaller, beveled bolt projecting from the latchbolt.
On some designs, the deadlatch takes the shape of an additional bolt, somewhat
smaller, and usually placed higher up on the lock body.  A key or interior
locking mechanism must be used to engage the deadlatch and lock the door.



The Warded Lock
~~~~~~~~~~~~~~~
     The warded lock's basic design was created by the ancient Romans.  The
basic principle behind its operation is a series of "wards" (projecting
obstructions) that prevent all but the properly cut key from being rotated
inside the lock.  These obstructions have been placed in the path of the
turning of the bit portion of the key.  This type of lock utilizes a key that
has been notched in a way that it clears all the wards, but is still able to
turn the bolt.  These locks are easy to recognize.  They are the "classic"
antique lock that you may still find in old houses.


         _______                    blade (stem)        #####  handle (bow)
        /       \                                     ########
       |         |     #################################    ##
        \       /      #################################    ##
         |     |       ####   ###                     ########
         /     \       ####   ###                       #####
        /       \      #### 
       /         \          bit       a warded key for a two-ward lock
      /___________\

 warded key lock entrance   



     The number of wards in the lock can vary, but normally two is the minimum.
When a user inserts a key into the warded lock, the metal obstructions inside
the lock allow only the proper key to be inserted.  The key bittings allow the
key to turn in a circular motion, opening the lock through one of four
different mechanisms:

     1)   The key lifts a detent lever while throwing the bolt, providing
          deadbolt action.  (Deadbolt action means that the bolt is secure
          against end pressure.)

     2)   The key moves a bolt whose locked or unlocked position is maintained
          by the action of a humped flat spring in two notches on the bolt.
     
     3)   The key moves directly against the latch tail of a latchbolt, or does
          so through the action of a floating lever.
  
     4)   The key inserts between two springs and wedges them apart as it is
          turned.  (Usually only in warded padlocks.)

Picking

     These locks offer only token security to the user.  Besides being easy to
circumvent, the warded lock offers only about fifty alternate keying
combinations.  Picking them is generally regarded as trivial. All that is
required is to bypass the wards and move the bolt into the unlocked position.
This can be accomplished by using a pick known as a "buttonhook".  To make your
own buttonhook pick, use a pair of pliers to bend a six inch section of coat
hanger into a warded key shape as below:

                                          ########
                                         ###    ##
           #################################    ##
           #                             ##     ##
           ###                            ##    #
                                           #####

     The wire should be thin enough to pass into the keyway while avoiding all
the wards, but stiff enough that it can still manipulate the bolt to open the
lock.  Though you may have to make a "large" and a "small" warded lock pick,
the same principle applies.


The Lever Lock
~~~~~~~~~~~~~~
     Robert Barron invented the lever lock in 1778.  This constituted a
considerable improvement over the ancient warded lock.  It was based on a
series of several "levers" that must each be raised to their own set height.
If a particular lever was lifted too high or not enough, then the lock would
not open.  When the proper key is inserted, the notches on the key raise all
the lever tumblers the required distance, lining up all the gates, allowing the
lock to be opened.  Not only was this new lock much harder to pick, it offered
up to ten billion possible keying combinations.  (The number of practical
combinations is actually around fifty thousand.)


                                                                 #####
      __                                                        #######
     /  \                                  ## ### #### ## ########### ##
     \  /                                  ###### ####### ########### ##
     |  | a lever or "lever tumbler"      ########################### ##
     |  |       lock keyhole                                    #######
     |__|                                                         ####
                                            
                                           a lever tumbler lock key


     Since its design the lever tumbler lock has undergone numerous
improvements.  One of these is called the parautopic lock.  The parautopic
lock consisted of two sets of lever tumblers, where the first worked on the
second.  It also provided a plate that turned with the key so that one could
not inspect the lock's interior construction.  Lever locks, though limited in
use, can still be found today in some hospitals, suitcases, cabinets, fine
furniture, and attache cases.  Lever locks are also used on safe-deposit boxes,
often with fifteen or more levers and sometimes requiring two keys.

Picking

     Lever locks are a little harder to pick than the wafer and pin tumbler
variety.  In fact, the type of lever lock used on safe-deposit boxes is very
difficult to pick indeed.  To pick a lever lock requires that tension be placed
against the deadbolt throughout the course of lifting one or more levers within
the lock to the required alignment with the post.  This requires the use of a
"lever lock tension wrench" and a "hook" or "lifter" pick.  [Picks are
discussed later in the Lockpicking Tools section.]

     Insert the lever lock tension wrench (a bit different than a normal
tension wrench) into the keyway, and exert torsional pressure.  The long bit is
the part you hold, the next bend runs to the bottom of the lock, and the final
bend fits into the notch in the bolt.  Unlike most other types of locks, the
lever lock requires you to exert considerable pressure on the tension wrench
while picking.  Usually the lever springs provide enough force to cause the
levers to drop back down once picked.  Because of the greater pressure, lever
locks may require a slightly thicker tension wrench than normal.

     Then insert the hook pick all the way into the lock.  Locate the back
lever and raise it gently until you FEEL or HEAR a slight "click".  With the
lever locks, the force required to push against the spring is substantially
more than in other locks.  Once it reaches the correct position, the gate will
align with the post, and you should notice a slight "give" in the deadbolt, as
there is now one less lever obstructing the lock from opening.  You should note
that once a lever has been picked, the amount of force required to lift that
lever will be substantially less.

     Move on to the next lever by slightly withdrawing the pick and repeat the
process.  Each subsequent lever will require the use of slightly less tension
than on the previous ones.  Otherwise the increased tension could cause the
lock to bind up.
     
     Once you have picked each individual lever, the lock should open.  If it
does not, then reinsert the pick (always maintaining tension with your wrench)
and jiggle each lever slightly to ensure correct alignment.

     Each lever does not require very much lift.  This is due to the fact that
the maximum depth of the cut under any tumbler is no more than half the width
of the key, and never more than two-thirds its width.  You should therefore use
a pick that does not have too much "hook" to it.


The Wafer Tumbler Lock
~~~~~~~~~~~~~~~~~~~~~~
     The wafer tumbler lock was developed as a low-cost lock that offered a
reasonable degree of security to the owner.  These locks make up over
one-fourth of all the locks in the world.  The outside of the lock resembles
the pin tumbler lock (yet to be discussed), but uses a much simpler mechanism.
Wafer keyways usually have simple side ward indentations.  The key is usually
shorter than that of other locks, but equally broad.  It may be cut on one or
both sides.  A two sided wafer lock is often called a "double wafer."  The lock
consists of four main parts:  the plug housing, which contains the wafers and
springs; the shell; the cam (locking bolt); and the retainer.  The wafers are
sometimes referred to as "discs" because their top and bottom are rounded to
fit into the cylinder.  Here is a diagram:
  


     5
  ___       7       |                           ___
     ||##############                     1-> @| _ |_
  ## ||## ## ## ## ##                         @||2||/
  6##||##4##3##2##1## <-keyway                @||_||
  ## ||## ## ## ## ##                         \|___|
  ___||##############                        3
                    |             
          \plug/                     detail of a wafer tumbler

   cutaway side view                       1) spring
    of a wafer lock                        2) key slot                 
                                           3) spring wing

  1-4) spacings #1-4
  5)   cam (operates the bolt)
  6)   retainer (rear plug)
  7)   the shell (body of the lock)


     Each lock has a series of chambers in which the wafers rest.  The
spacing closest to the front of the lock is numbered one, and the
numbers increase toward the back of the lock.  Picture a number of the wafers
placed face-to-face in the plug's spacing chambers.  Each wafer is equal in
overall size, but the key slots are of varying height.  A metal spring exerts
pressure on the spring wing of each wafer, forcing its lower part into the
shell's "locking grooves" which lets the lower portion hang about midway into
the keyway.  Looking into the lock, you should be able to see this.  These
wafers act to hold the plug and shell together, preventing the lock from
turning.
     
     When the correct key is inserted, it goes through the key slots on each
wafer, raising the wafers out of the locking groove.  The key must have the
appropriate depth of cut in each position to raise the wafer the correct
amount.  The depth of the key's cut (and the length of the wafer's key slot) is
any one of five different depths.  The shorter the top edge of the wafer's key
slot, the lower the key cut depth value.  For instance the number 1 slot (the
slot that is the largest) would require the shallowest cut in the key.
Normally lock manufacturers place a number four or five wafer near the keyhole
to block the view of the back wafers.  Also note that the same type of wafer
may appear several times in the same lock.

     Above some brands of wafer tumbler lock you will see a small hole.  When
the lock has been unlocked, you can remove the entire lock plug by inserting a
piece of stiff wire into this hole and depressing the retainer.  Though nowhere
near as secure as the pin tumbler lock, the wafer tumbler is a very popular,
low cost lock.  The lock is normally found on cheaper cabinets and desks, some
padlocks, some automobile locks, locking handles, and trailer doors.  Where
more security is desired, the double wafer type is used, providing wafers on
the top and bottom of the keyway.

Picking
     
     Though harder to pick than the warded lock, the wafer lock is still easy
to circumvent.  This is an excellent lock to practice on because the techniques
required to pick it are applicable to the pin tumbler lock as well.  Like the
lever lock, picking the wafer tumbler lock requires use of a tension wrench and
a pick.  A variety of different picks can be used including the rake, the
hook, the half-diamond, and the half-round pick.  Selection depends on the size
of the lock, the distance between each wafer, and personal preference.

Raking

     One of the most common methods of picking the wafer tumbler lock is by
raking.  To rake the lock, insert the tension wrench just inside
the keyway, stopping short of the first wafer, and flush with the bottom of the
keyway.  Apply moderate tension to the wrench.  If you apply too much tension
the wafers will bind and not be able to move into alignment.  Once you have the
tension wrench in place, insert either the rake or half-round pick into the
keyway.  Don't worry about feeling the tumblers, instead concentrate on
applying uniform pressure to them as you move the rake in and out of the keyway
in a scrubbing motion.  This scrubbing motion should cause the wafers to lift
into alignment as they are thrown up and down in their spacings.  This method
is usually quite effective on most wafer locks, and should always be tried
first.

Manipulating Individual Wafers

     If the lock does not respond to raking, you can try using the half-diamond
pick to lift each wafer into alignment one-by-one.  While maintaining light but
consistent pressure with the tension wrench, use the pick to lift each wafer
into alignment at the shear line, starting from the backmost tumbler.  Once it
reaches the proper alignment, you should feel or hear a slight "click" and the
plug will turn ever so slightly, relieving a bit of pressure on the wrench.
Continue one-by-one, working outward, until each tumbler has been aligned and
the lock opens.

Vibration Picking

     Often you can use a technique called vibration picking to open a wafer
tumbler lock.  This uses a tool known as a "snapper" pick or a "lockpick gun".
[These are described in the Lockpicking Tools section of this article.]  To use
the snapper pick, maintain a light tension with the wrench and insert the tip
of the pick into the keyway, just touching the bottom of the tumblers.  Then
use the thumb, which rests along the top edge of the pick, to depress the top
loop.  Let the thumb slide off the compressed part of the pick, permitting it
to snap back.  It will then strike a light blow to the tumblers, popping them
up until they are held in place at the shear line.  Repeated snaps, while
maintaining tension with the wrench, usually result in aligning all the
tumblers, and thus opening the lock.  The lockpick gun works automatically,
with a trigger device that "snaps" its wire pick up in the keyway.

Picking Double Wafer Locks

     Double wafer locks are picked the same way as single wafer locks, but
there are two sides to the story.  Not only must you align all the top wafers,
but the bottom ones as well.  You can purchase specially designed tension
wrenches which will let you then use a ball pick to pick both sets of wafers.
Alternatively you can use a standard tension wrench in the center of the
keyway, using a half diamond pick.  Once you have picked one set, simply
reverse the pick and pick the other.  It may take a few tries before you are
able to hold all the wafers in place.



The Pin Tumbler Lock
~~~~~~~~~~~~~~~~~~~~
     Pin tumbler locks are by far the most popular lock today.  Over half of
the locks in use are of the pin tumbler type.  They look similar to the wafer
tumbler lock, but can easily be distinguished by their round pins, visible in
the keyhole.  Their operation is also similar to the wafer type, but they are
more costly and require much stricter machining tolerances.  Here are some
diagrams:


         |
         |
         |
         |________________________________________ 
         |   | @ |   | @ |   | @ |   | @ |   | @ |    
         |   | @ |   | @ |   | @ |   | @ |   | @ |  Tumbler springs
         |   | @ |   | @ |   | @ |   | @ |   | @ |    
         |   | @ | 4 | @ |   | @ |   | @ |   | @ |    
         |   | @ |   ||~||   | @ |   ||~||   ||~||    
         |___||~||___|| ||___||~||___|| ||___|| ||__ _ _ _ _ _ _Shearline
         \_  ||1|| 3 || ||   || ||   || ||   || |  |
           \_|| ||___||~||___|| ||___||~||___||~|  |
              |~|     | |     |~|     | |     | |  |
    keyway    |2|     | |     | |     | |     | |  |     Plug
              |_|     |_|     |_|     |_|     |_|  |
         +-----------------------------------------+
         |
         |
         |
         |
               The pin tumbler lock, cutaway side view (locked)
1) top pin
2) bottom pin
3) cylinder (top of plug)
4) shell



         |
         |
         |
         |________________________________________ 
         |   | @ |   | @ |   | @ |   | @ |   | @ |    
         |   | @ |   | @ |   | @ |   | @ |   | @ |  Tumbler springs
         |   | @ |   | @ |   | @ |   | @ |   | @ |    
         |   || || 4 || ||   || ||   || ||   || ||    
         |   ||1||   || ||   || ||   || ||   || ||    
         |___|| ||_ _|| ||___|| ||___|| ||___|| ||__ _ _ _ _ _ _Shearline
         \_  ||~|| 3 ||~||   ||~||   ||~||   ||~|  |
           \_||2||___|| ||___|| ||___|| ||___|| |  |
                      | |     |_|     | |     | |  |
    keyway            |_|             |_|     |_|  |     Plug
                                                   |
         +-----------------------------------------+
         | 
         |
         |
         |
              The pin tumbler lock, cutaway side view (unlocked)

1) top pin (drivers)
2) bottom pin (key pins)
3) cylinder (top of plug)
4) shell



         ___________________                      ___________________  
       _/         @         \_                  _/         @         \_
      /           @ 3         \                /           @  3        \
      |           @           |                |          | |          |
      |          | |          |                |          |2|          |
      |      ____|2|____      |                |      ____|_|____      |
      |     /    |_|    \     |                |     /    | |    \     |
      |    |    _| |_ 4  |    |                |    |    _|1|_ 4  |    |
      |    |   / |1| \   |    |                |    |   / |_| \   |    |
      |    |   | |_| |   |    |                |    |   |     |   |    |
      |    |   |     |   |    |                |    |   |     |   |    |
      |    |   |  5  |   |    |                |    |   |  5  |   |    |
      |    |   \_____/   |    |                |    |   \_____/   |    |
      |    | 6           |    |                |    | 6           |    |
      |     \___________/     |                |     \___________/     |
      |   7                   |                |   7                   |
      \_                     _/                \_                     _/
        \___________________/                    \___________________/   

                Locked                                  Unlocked

        Pin Tumbler Lock (front)                Pin Tumbler Lock (front) 

                                1)  bottom pin (key pins)
                                2)  top pin (drivers)
                                3)  tumbler spring
                                4)  shear line    
                                5)  keyway        
                                6)  plug (cylinder)
                                7)  shell         

     OK, I will explain how the pin tumbler lock works, but you really should
consider going to K-Mart and buying a cheap lock to take apart and study.  In
the lock's shell (main body) there is the keyway and three to eight (usually
five) spacings drilled from the top of the lock into the keyway.  This is
similar in principle to the wafer lock.  In each of these spacings are two
pins and a spring.  The top pins are always the same length, while each bottom
pin can be any of ten different sizes (0-9).  Note that the bottom pins have a
rounded bottom, allowing them to ride up the key more easily.  The spring
forces the pin stack down so that the lower pin protrudes into the keyway.
(The wedge slot keeps them from falling all the way to the bottom of the
keyway.)  When the correct key is inserted, each pin stack is lifted according
to how deep or shallow the key is cut in that corresponding location.  To open
the lock, the top of the bottom pin (the point where the top and bottom pin
meet) must line up with the boundary between the lock plug and the shell (the
shearline).  When in this position, the lock is unlocked and the plug can
rotate around, taking the bottom pin around with it.  If any pin is raised too
high, or not high enough, then that pin keeps the plug from turning inside the
lock shell.  Of course in the locked position, all the pins stop the plug from
turning.

     These locks are used almost everywhere.  They provide over a million
possible combinations for a five pin lock, and billions for the eight pin.
These are the standard door locks in most residential and commercial buildings.
Often you will find pin tumbler locks with only three pins on cheap desks, some
copy machines, and storage lockers.  They offer a reasonable degree of
security, but are far from tamper proof.

Picking

     Picking the pin tumbler lock is based on the principle that slight
imperfections exist in every lock.  Every lock is machined to certain sets of
tolerances, such as plus or minus .0002 inches.  The closer the tolerance, the
harder the lock is to pick, but the more expensive the machining costs.  That
is what makes one pin tumbler lock harder to pick than another.  This variation
in the lock's components means that in attempting to turn the plug in the lock
without the proper key, one tumbler will be caught up and become tight before
subsequent tumblers are.  Therefore, when turning tension is applied to the
plug with a tension wrench, and the tight tumbler is lifted with a pick, there
will be either a clicking feel or a sudden relief in the tension the tumbler
exerts on the pick.  This relief of tension occurs when the pin is brought up
even with the shear line.  At this time, lifting can be stopped.
     
     Use a hook pick to lift each pin to its breaking point, starting with the
pin that is bound (resisting) the tightest.  Gently pry the pin up against the
spring pressure until it breaks at the shear line.  Care must be taken not to
lift the pin too high, or it may become jammed in the upper chamber.  It is
often impossible to get this pin back down without releasing tension on the
plug.

     A common problem is applying too much tension.  A light touch should be
used because too much pressure on the wrench not only makes it hard to feel any
change in torsional pressure, but tends to bind all the pins, making picking
order difficult to determine.  The tension wrench needs only to provide a
little torque so that the pins stay up once picked.

Raking and Vibration picking

     You can also use the raking and vibration picking methods described in the
section on wafer tumbler locks to pick pin tumblers.  You can even use a
combination of raking and pin picking.  Simply rake the pins a few times, and
then go back and pick any pins that the rake missed.  You can use the hook pick
to probe each pin.  If the pin feels "springy" then it has not yet broken at the
shear line.

     Another technique: Start picking at the back pin, the one furthest away
from you as you face the keyway.  The reason for this is relatively simple.
The rear pin will be the least worn, and when you break it, the lock's plug
will move the most it ever will for just one pin breaking.  This will make it
easier to pick the other pins, as the break between the inner and outer
cylinders will be progressively held tight against the pin you are working, as
you work the lock from rear to front.  The reason the rear pin is least worn is
that inserting a key "rakes" the pins up and down, wearing down their sides.
The rear pin is raked only once per time the key is inserted, the pin in front
of it is raked twice, and so on.  It's not uncommon to see locks in which the
front pin cannot be picked before the rear ones.  The reason is that it is
worn down to the point that no amount of torsion will cause the inner plug to
put any force against it.  Consequently, it won't break.

Rapping

     Sometimes you can use a form of vibration picking known as rapping to open
a pin tumbler lock.  A tension wrench is inserted into the keyway, and light to
moderate tension is applied.  At the same time, the face of the plug is struck
sharply with a plastic mallet or hammer handle.  The rapping forces the springs
and pins to gravitate toward the force of the blows.  Hopefully this vibrates
the pins into their breaking positions.  DO NOT HIT TOO HARD!  Approach this
method with caution.

Practicing

     To learn how to pick pin tumbler locks, it is best to go to the store and
buy a "practice" lock.  Try to find either a KwikSet brand or a cheap Ilco lock
cylinder.  On top of the lock shell is a little sliding strip that covers the
pin spacings.  Carefully slide it out.  You can then take out the spring, the
top pin, and the bottom pin.  Remove all but one of the assemblies and replace
the cover.  Now you can practice on picking the lock with only one pin.  When
you become good at that, insert another stack of pins, and so on until you can
pick the lock with all five pins in place.

Spool Pins

     It is possible that in the course of picking a high security pin tumbler
lock, the plug will turn a bit as if it were going to unlock, then stop.  It
will turn no more than 2 or 3 degrees around.  This means you have encountered
a spool pin.  These are simply drivers, or key pins, or both that have had
their center portions cut down to a smaller diameter.
           
             ______
             |_  _|                                                       
            | |  | |  Lock body    Note that any torsion applied to the
         ___| |  | |____           cylinder will tend to catch the spooled
            ||____||               pins at their waists instead of at the
            | ____ |  Cylinder     break between the pins.  This will
            ||_  _||               either prevent the pick from pushing
            | |  | |               the pin up if the top spool is caught,
            | |  | |               or it will prevent the pin from falling
         ___||    ||____           down, if the bottom spool is caught.
             |    |                                                       
              \__/    Keyway

           spool pins


     With a hook pick, you'll be able to press up on each pin and feel the
difference.  When you have a spool pin caught across the shear line, gentle
upward pressure will result in force in the opposite direction of the way
you're turning.  Determine which pins are spool pins and push up until the
bottom of the pin (assuming it's a top pin) crosses the shear line.  You might
lose some previously picked pins, but just pick them again.

Interlocking Pins

     Several manufacturers have designed high security locks involving angled
and interlocking pins.  Emhart makes a cylinder using angled cuts on the keys
where the top and bottom pins actually interlock:

 
                        +--------------+
                        |              |
                        |    Top       |
                        |    Pin       |
                        |              |
                        |              |      Interlocking Pins
                        +-----+  +-----+
                        +---+ |  | +---+
                        |   | |  | |   |
                        | +-+ |  | +-+ |
                        | | +-+  +-+ | |
                        | | |      | | |
                        | | +------+ | |
                        | +----------+ |
                        |              |
                        |   Bottom     |
                        |     Pin      |


     So the pins have to be turned to the correct angle in order for the pins
to slide apart when you turn the plug.  This also means that the cylinder has
to be grooved to allow for the portion of the top pin sticking down, and the
bottom of each key has notches in it so that it can turn more than 180 degrees.


Tubular Cylinder Locks
~~~~~~~~~~~~~~~~~~~~~~
     Tubular cylinder locks are widely accepted as the most secure locks you
can get for a reasonable price.  Tubular cylinder locks are the round type
locks you find on most vending machines, ATMs, and the like.  They are
basically a pin tumbler lock where the pins are arranged on a circular plane.
The key is a cylinder with cuts around its perimeter.  When the key is
inserted, each pin (whose face is visible) is pushed in to the corresponding
depth and the plug can be turned.

Picking

     Your best bet for picking these locks is to purchase a specially designed
tubular cylinder pick.  While it can be picked with conventional tools, it
takes forever because you have to pick it three or four times to turn the plug
the 120 to 180 degrees needed to unlock it.  And what's worse is that the
cylinder locks after each time you pick it -- every one-seventh of a turn!  If
you want to try it, here's how.

     If you don't have a tubular cylinder pick you will require a wrench that
is .062 inches square on its end.  Fit this into the groove of the tubular
cylinder plug.  Apply tension in a clockwise direction, then use a straight pin
to push each pin down until it clicks into place.  Proceed to the next pin,
until all are picked and the plug turns a few degrees.  You will have to repeat
this until it unlocks.  Do not leave the locks halfway picked.  If you do, even
the original key will not be able to open the lock until it has been picked
back into its original position.  Good Luck!



Lock Picking Tools
~~~~~~~~~~~~~~~~~~

The Basic Picks


                                                   |
            _______________________________________|
                                                      tension wrench


              This is the standard tool for pin and wafer tumbler
              locks.  It is inserted in the  bottom of the keyway
              to provide a torsional  force to the lock cylinder.




            ______________________________________/|
                                                      half-diamond pick


              The  half-diamond  pick can be  used for raking  or
              picking wafer tumbler locks, or picking  pin tumbler
              locks  where  the distance  between pins  is small.



            ---------------------------------\/\/\/\
                                                      rake


              Not surprisingly, the rake (sometimes called a snake
              pick) is used to rake wafer and pin tumbler  locks.
              


    
                                                  .
            ______________________________________/ 
                                                      hook
     

              The hook (also known as the feeler or lifter pick)
              is normally used for  picking pin and lever tumbler
              locks,  but can be  used  on larger  wafer  locks.



                                         
            ______________________________________O
                                                  O   ball
                                         

            _____________________________________OO
                                                 OO   double ball
                                         

              The ball type picks are actually not as pronounced
              as they look here in the ascii diagram.  Imagine a
              "ball"  of a little less height, a bit more width.
              Though not  essential, the ball  picks can be used
              when  attempting  to rake  a  wafer-tumbler  lock.



Lever Tumbler Tension Wrench

     The big difference with a lever tumbler is in the method of applying
torque.  The cylinder, in models where it's visible, rotates freely--it does
not operate the bolt.  Rather, the end of the key goes into a notch in the
bolt, directly operating it, just as in a warded lock.  This means you need a
different torsion wrench, that looks like this:


                       _______
                             |
                             |
                             |
                             |
                             |
                             |
                             |
                             |
                             |__________________



Obtaining Lockpicks

     Now I'm sure that you are ready to start practicing.  Unfortunately,
locksmiths and the public in general seem reluctant to make picks an easy item
to obtain.  Therefore you can either make your own (not that difficult) or
obtain them from a commercial supplier (also not that difficult).


Making Your Own Picks

     You can file or grind picks out of spring steel.  It is best to use spring
steel - sources include hacksaw blades, piano (music) wire, clock springs,
streetsweeper bristles (which can be found along the street after the sweeper
has passed), etc.  Or, go down to the auto parts store and buy a few stock
lengths of .022 in. automobile feeler gauge.  You can cut each one in thirds
and make a pick from each piece.  In a pinch safety pin steel, or even a bobby
pin (much worse) can be used.  Also try the metal band that holds a set of
walkman type earphones together.  It is already the perfect width and all you
have to do is grind the indentations on it.  It makes a really great heavy duty
wrench also.

     You will need an electric grinder, or a grinding wheel mounted on a drill,
to shape the picks.  When grinding, keep the steel from getting so hot as to
anneal (soften) it.  You may have to re-harden or re-temper it.

     Temper the steel by repeatedly getting it red-hot against the grinder,
then quenching it.  What you get won't be feeler gauge and it won't be spring
steel, but something in between that has some give to it and won't shatter.

     For a tension wrench, while you're at the grinder, take a medium-sized
Allen wrench and grind its hexagonal head into a flat blade.  Alternatively,
you can use a small screwdriver, bent at the end.  (Bending a screwdriver with
any precision is pretty tough).  Bobby pins also make an alright tension
wrench, especially the larger ones.  They work best if you cut them off and
flame to red hot with a burner.  Then, while it's still hot, twist it 180 deg
with a pair of vicegrips or needle nose pliers, and bend down the end so it
looks like the professional ones; this gives it more 'spring'.  The flaming
should be done maybe 3/4ths of an inch from the end.  Finally file and sand
rough spots from where you cut it.

     If you take the finest or next to finest crochet hook they make and file
down the sides of the business end of it so it will fit in the lock, you can
make an excellent feeler pick.


Picks from Paper Clips

     To open a lock with two paper clips, unbend one like this:
          ____________
         /            \                   This shape is your lockpick, you
         \__________________________/     put the end with the little hook
                                          in the lock and use it to fiddle
                                          with the pins.

     Unbend and re-bend the other paperclip like this:
          ____________
         /            \                   This shape is your torsion
         \______________________          wrench.  You use it to put
                                |         torque on the lock cylinder.
                               _|         When the hook is in the cylinder
                                          the handle should hang off to
                                          the side and the final bend on
                                          the hook should be short enough
                                          that there is room to get the
                                          pick into the keyhole.

     Warning:  Filing cabinets and desks are pretty easy to do with these, but
it's not easy to do a door lock with them.  Better materials really do help
when you're dealing with more than 4 pins in a lock.



Making a Pick Gun

     Get yourself a piece of music wire from the local hobby shop.  Find wire
that seems just a bit big for an average keyway.  This will be ground down
later so that it can be inserted.  Wire of this diameter is so stiff you may
doubt that you have the right size.  But you need this stiffness for the device
to work.  Don't use wire that is too light.

     You want to bend a circle in the wire about 5 inches back from the end.
You want enough length in the first straight part to go all the way into the
keyway and leave enough to comfortably fit in your hand.  Call this straight
part Side A.  Try bending the wire around the body of a Magic Marker; this
seems to make a nice sized loop.  The loop should be 360 + 180 degrees so that
the long end of your wire is now parallel to side A.  Let's be original and
call this Side B.

     Use pliers to make a 90 degree bend in side B so that the end of it
crosses side A.  This bend should be located so that the part of side A which
extends past the bent part of the wire is long enough to go all the way into
the keyway.  Hey, why don't we call this cross-piece Side C?  Bend this
cross-piece 180 degrees around side A so that it forms a slot for side A to
slide up and down in.  Call the wire segment which goes from A to B and is
parallel to C, Side D.  Snip off the end of side D which extends beyond side B.

     We now have an object which resembles a safety pin (hence the name) which
has one side (side A) which slides up and down in a slot made by sides C and D
and which is held in the bottom of this slot by the spring tension in the loop
between sides A and B.

     Grind the sides of the piece which is to go in the keyway so it will fit.
Grind the top of this piece flat.  The Top is the side toward side B.  This is
the part which will be against the tumblers.  Bevel the end so it will slide
under the tumblers more easily.

     To use the gun, insert the end into the keyway with side B up.  Press down
on side B with your thumb to slide the slot C-D down.  Let your thumb slip off
the wire and the spring will pull side B back up.  When the bottom of the C-D
channel hits the bottom of side A, it delivers a sharp blow to the bottoms of
the pins.  Use VERY light pressure on the tension wrench and snap the gun a few
times to knock the pins up to the shear line.  See the section on wafer locks
for more information.


Electric Vibration Picks

     The motor/base casing from an electric toothbrush, or vibrator makes a
decent vibrator pick (pick gun) when you superglue a straight pick to it.  A lot
cheaper than the pro models, and generally smaller too.
     

Purchasing Your Picks

     Generally picks are not sold over the counter.  Your best bet is to order
them from a mail order firm.  Most firms will inquire as to your profession
when making a purchase.  They may not wish to sell them to you unless you are
some sort of public safety personnel such as an EMT or a fireman.  They are
available from a variety of sources.  Here are some of the most popular:

----------

Gall's Inc.
(800)-477-7766
Catalog #BA

----------

Item # : ALS15B
Price  : $19.99
Name   : 10-Piece Locksmith Pick Set

"Be prepared for any lock-out.  Nine picks and wrenches are grouped in a handy
foldover carrying case that is small enough to carry in your pocket.  Order
your lock pick set and keep it handy for easy entry to any lock-out situation.
Black."


Item # : PG1B
Price  : $59.99
Name   : Lock Pick Gun

"Our trigger action lock pick gun opens doors easily.  Just use it with the
included picks and instructions -- with a little practice, you can smoothly
open any locked house or apartment."

----------

Delta Press Ltd.
(800)-852-4445

----------

Item # : LPS-002
Price  : $24.95
Name   : The 8 Piece Tool Set

"These high quality picks feature new lighter non-breakable plastic color coded
handles.  Picks are of .022 blue spring steel - hardened to perfection.  Eight
piece set comes with handy see-through case."


Item # : LPS-003
Price  : $39.95
Name   : The 11 Piece Tool Set

"This deluxe 11 piece kit features all metal handles and comes in a discreet
carrying case for undercover operatives.  All picks are .022 blue spring steel
and hardened to perfection."


Item # : LPS-005
Price  : $119.95
Name   : The 60 Piece Tool Set

"Here it is.  The finest lockpick set we've stocked.  It includes 60 picks,
tension wrenches, and a broken key extractor plus a zippered top grain cowhide
case and warded master keys."


Item # : LPS-004
Price  : $59.95
Name   : Professional Locksmithing Tool

"The famous lockaid Tool was designed for law enforcement agencies to quickly
pick pin tumbler locks.  The American-made product is the only superior "lock
gun" available.  Unlike conventional hand picks that activate only one or two
cylinder pins, this tool is designed to span all the pins at once.  The needle,
powered by trigger action, strikes all the cylinder bottom pins
simultaneously.  As the force is transferred to the upper pins, they
momentarily rise in the chambers.  Comes complete with 3 stainless steel
needles and tension wrench."

----------

Phoenix Systems Inc.
(303)-277-0305

----------

"OUR LOCK PICKS ARE THE FINEST QUALITY PROFESSIONAL TOOLS AVAILABLE.  Each pick
is made of hard-finished clock-spring steel, tempered to the correct degree of
hardness.  Whether the subject is wafer tumbler locks or 6 & 7 pin tumbler
locks, our picks are the best available, and the standard of the industry.
With a few minutes of practice, even a beginner can open most padlocks, door
locks and deadbolts.  NOTE: BE SURE TO CHECK YOUR LOCAL, AND STATE ORDINANCES
GOVERNING POSSESSION OF THESE TOOLS."

Item # : 604
Price  : $75.00
Name   : Superior Pick Set

"Hip pocket size in top grain leather case.  Our most complete set.  32 picks,
tension tools & extractors."


Item # : 606
Price  : $34.95
Name   : Tyro Pick Set.

"An excellent choice for the beginner.  Cowhide leather case contains 9 picks,
tension wrenches & key extractor."


Item # : 607
Price  : $9.95
Name   : Warded Padlock Pick Set

"This 5 piece padlock pick set is made of the finest blue tempered spring
steel.  This set will pick open most every warded padlock made today."


Item # : 610
Price  : $24.95
Name   : Double Sided Tumbler Lock Picks

"Set of 4 picks for use with double-sided, disc tumbler, showcase, cam and
PADLOCKS.  An excellent addition to your other pick sets."


Item # : 617
Price  : $39.95
Name   : Padlock Shim Picks

"Open padlocks in seconds!  Our new Padlock Shim pick's unique design makes
them so successful that it is frightening!  Simply slide the shim down between
the shackle and the lock housing, twist and the lock is open.  Works best on
laminated type padlocks (the most popular type) but will open ALMOST ANY TYPE
OF PADLOCK -- INCLUDING THE POPULAR 3 NUMBER COMBINATION TYPE.  Include 20
shims -- 5 each of the 4 most common shackle diameters for perfect fit every
time.  Comes with complete instructions."


Item # : 618
Price  : $34.95
Name   : Schlage Wafer Pick Set

"There are two types of Schlage wafer locks, each needing a different base key
to pick with.  This set comes with both types of base keys and the pick.  With
the proper base key the lock is already half picked.  Very quick and easy to
use.  Comes with complete instructions."


Item # : 620
Price  : $59.95
Name   : Pick Gun

"Picks locks FAST.  Open locks in less than 5 seconds.  Specifically designed
for tumbler locks.  Insert pick into key slot, then just pull trigger.  Throws
all pins into position at one time.  Lock is then turned with tension bar.
Used extensively by police and other government agencies.  Gun is spring
loaded, with tension adjustment knob.  Comes with 3 needle picks and tension
bar.  No batteries necessary.  Life-time guarantee."


Item # : 612
Price  : $16.00
Name   : The Slim Jim

"Car door opener.  The tool does not enter inside the car.  Opens a car door by
"feel" rather than sight.  With a little practice, car opening will be no
problem.  For GM, Ford and Chrysler cars.  Made of clock-spring steel and is
hand finished."


Item # : 613
Price  : $16.00
Name   : The Super Jim

"This tool will open most GM, Ford and AMC car doors.  Opener does not enter
vehicle.  Made wider and thicker, and is bright nickel plated.  Faster openings
on most domestic automobiles.  With illustrated instructions."

Item # : 614
Price  : $19.95
Name   : Houdini Car Door Opener

"The latest and best innovations on car door openers.  It works the same as
your old Slim Jim, except it now folds neatly to fit in pocket or toolbox
without getting in the way.  ONLY 6 1/2 INCHES LONG WHEN FOLDED.  Opens up and
snaps into place like a fold-up ruler, excellent stainless steel construction
with vinyl handle for comfort."


Item # : 615
Price  : $39.95
Name   : Pro-Lok "Car Killer" Kit

"Over the years we have had thousands of requests for a multi-vehicle opening
kit.  We are now able to offer the most complete kit that we have ever seen.
This kit of tools will open over 135 automobiles, both domestic and foreign, on
the road today.  The opening procedure for each vehicle is diagrammed and
explained in the instruction manual.  Kit comes with complete instruction
manual and gas cap pick tool."


Item # : 600 
Price  : $129.95
Name   : Tubular Lock Pick

"This tool is an easy and reliable method for picking tubular locks, as found
on commercial vending machines, washers, dryers, etc.  This newest high tech
design is much faster and easier to use than the old type that used rubber
bands to hold the feeler picks.  Internal neoprene "O" rings together with
knurled collar provide a very simple and easy tension adjustment.  Sturdy
stainless steel construction provides for long-lasting service.  This tool
will, with a little practice, easily and quickly open any regular center-spaced
tubular lock -- the most popular type of tubular lock on the market.  Comes
with complete instructions and leather carrying case."


Tips for Success
~~~~~~~~~~~~~~~~
     Following is information that will help you become more adept at
manipulating locks.  Solutions to common problems and general miscellaneous
information that could prove useful are included.

Determining the Direction of Rotation

     Before you can pick a tumbler type lock, you must determine the correct
direction of rotation.  It may sound like a trivial point, but who wants to
waste hours trying to pick a lock in the wrong direction?  Though there will of
course be exceptions, there are some general guidelines.  Cylindrical locks,
padlocks, and file cabinet locks almost always turn in a clockwise direction or
in either direction to open.  When confronted with a door lock, turn the plug so
that the top of the keyhole turns toward the edge of the door.  There is a
notable exception here: Corbin and Russwin locks turn AWAY from the door edge.


Tight or Dirty Locks

     If a lock seems exceptionally tight or dirty, it will be hard to break the
pins.  It may help to lubricate the lock.  NEVER use a liquid type lubrication
such as WD40, 3-in-1 oil, etc... Use powdered graphite, available in most
hardware stores.  It comes in a little tube, allowing a light squeeze to blow a
puff of graphite into the keyway.  If lubrication does not help, you may need
to apply a little firmer hand on the tension wrench.


Proper Attitude

     It is very important to maintain a confident attitude while you are
learning to pick locks.  If you feel nervous or stressed, it will only
make things harder.  You will not be able to pick every lock you come to,
but with practice and patience, you may be surprised.  Visualise what is
happening inside the lock; this is the key.  If you don't fully
understand how a lock works and exactly what you are doing to it, you will
not experience a high degree of success.



Combination Locks
~~~~~~~~~~~~~~~~~
     Combination locks work on a series of flat, round disks that have notches
and pegs (one of each, one set per disk) along their circumference.  Notches
are referred to as "gates".  The first tumbler determines the last digit of the
combination, and is actually attached to the dial directly.  As the dial is
turned, the peg of the first tumbler catches on the middle tumbler's peg,
dragging it along.  As the dial is turned further, the middle tumbler latches
on to the peg of the last tumbler, all three turning together.  Turning all the
tumblers is known as "clearing" the lock, and must be done before attempting to
operate the lock.  For the lock to open, the gate on each disk must line up
with the pawl (breaking arm) of the bolt.

     Dialing the first digit of the combination aligns the last tumbler's gate
to the pawl.  Before dialing the second digit, the dial must be turned one
complete turn in the opposite direction (assuming a three tumbler lock, twice
for a four digit one).  Rotating in the original direction to the last digit
will align the first tumbler's gate, and the lock can open.  Modern safe
combination locks are impossible to crack (literally).  Many innovations have
given high quality locks this degree of security.  Burglars learned to feel the
gates and pegs rotate about the lock, allowing them to manipulate the tumblers
into their proper position.  To combat this, a serrated front tumbler was
designed to create shallow "false gates".  The false gates are difficult to
distinguish from the actual gates.  To combat this problem, safe crackers would
hook up a high speed drill to the dial.  This would wear the tumblers' edges
smooth, eliminating the bothersome shallow gates.  Still, despite their
security, cheap combination locks are far from foolproof.

Determining an Unknown Combination

     The most common and difficult to open of these small disk tumbler locks
are the Master combination padlocks, and they are quite popular.  With
practice, they CAN be opened.  The newer the lock is, though, the more
difficult it will be to open at first.  If the lock has had a lot of use, such
as that on a locker-room door where the shackle gets pulled down and encounters
the tumblers while the combination is being dialed, the serrated front tumblers
will become smoothed down, allowing easier sensing of the tumblers.  So, until
you have become good at opening these locks, practice extensively on an old
one.  Here's how.

Step One

     First, clear the tumblers by engaging all of them.  This is done by
turning the dial clockwise (sometimes these locks open more easily starting in
the opposite direction) three to four times.  Now bring your ear close to the
lock and gently press the bottom back edge to the bony area just forward of
your ear canal opening so that vibrations can be heard and felt.  Slowly turn
the dial in the opposite direction.  As you turn, you will hear a very light
click as each tumbler is picked up by the previous tumbler.  This is the sound
of the pickup pegs on each disk as they engage each other.  Clear the tumblers
again in a clockwise manner and proceed to step two.

Step Two

     After you have cleared the tumblers, apply an upward pressure on the
shackle of the padlock.  Keeping your ear on the lock, try to hear the tumblers
as they rub across the pawl; keep the dial rotating in a clockwise direction.

     You will hear two types of clicks, each with a subtle difference in pitch.
The shallow, higher pitched clicks are the sound of the false gates on the
first disk tumbler.  Do not let them fool you -- the real gates sound hollow
and empty, almost nonexistent.

     When you feel a greater than normal relief in the shackle once every full
turn, this is the gate of the first tumbler (last number dialed).  This tumbler
is connected directly to the dial as mentioned earlier.  Ignore that sound for
now.  When you have aligned the other two tumblers, the last tumbler's sound
will be drowned out by the sound of the shackle popping open.

Step Three

     While continuing in a clockwise direction with the dial, listen carefully
for the slight hollow sound of either one of the first two tumblers.  Note on
the dial face where these sounds are by either memorizing them or writing them
down.  Make certain that you do not take note of the driving tumbler (last
number dialed).  If you hear and feel only one hollow click (sounds like
"dumpf"), chances are that the first number could be the same as the last one.

     You should have two numbers now.  Let us say one of them is 12 and the
other is 26.  Clear the tumblers again just to be safe and stop at the number
12.  Go counterclockwise one complete turn from 12.  Continue until there is
another "dumpf" sound.  After the complete turn past 12, if you feel and hear a
louder than normal sound of a tumbler rubbing on the pawl, the first tumbler is
properly aligned and the second tumbler is taking the brunt of the force from
the shackle -- you are on the right track.  When the second tumbler has aligned
in this case, you will feel a definite resistance with the last turn of the
dial going clockwise.  The final turn will automatically open the shackle of
the lock.  If none of these symptoms are evident, try starting with the other
number of the combination, 26, in the same way.

Step Four

     If the lock still does not open, don't give up.  Try searching for a
different first number.  Give it a good thirty or forty minute try.  If you
play with it long enough, it will eventually open.  The more practice you have
under your belt, the quicker you will be able to open these padlocks in the
future.

     Using a stethoscope to increase audibility of the clicks is not out of the
question when working on disk tumbler locks, though usually not needed for
padlocks.  A miniature wide-audio-range electronic stethoscope with a magnetic
base for coupling a piezoelectric-type microphone is ideal for getting to know
the tumblers better.

Sesame Locks

     Another type of disk tumbler padlock is the Sesame lock made by the Corbin
Lock Co.  Its unique design makes it more difficult to open than Master
padlocks, but it can be opened.  Let's take one of the three or four wheel
mechanisms, look at a cross section, and see how it works.  The wheel has
numbers from zero to nine.  Attached to the wheel is a small cam.  Both the
wheel and cam turn on the shaft.  Each wheel in this lock operates
independently with its own cam and shaft.  The locking dog is locked to the
shackle.
In this position the shackle cannot be opened.  The locking dog operates with
all three or four wheels.  The locking dog is riding on the round edge of the
cam.  The spring is pushing up on the cam.  The locking dog cannot move up
because it is resting on the round part of the cam.  When the wheel is turned
to the proper combination number, the locking dog rests on the flat of the cam.
The spring can then raise the locking dog to release the shackle, and this
opens the lock.



Magnetic Locks
~~~~~~~~~~~~~~
     Magnetic locks are a recent innovation to the security world.  Their basic
operation involves the principle that like poles of a magnet repel each
other, while opposite poles attract.  A magnetic lock then does not have pins,
but magnets (which are often behind a plastic "roof" on the keyway).  When all
these magnets are in the "repelled" position, meaning a similar magnetic pole
is below them, a lever arm releases the lock.  A key then would have a magnet
arrangement identical to that of the lock.  These locks may be activated either
by a flat, notchless key, or by use of a magnetic card, wherein the lock
actually uses a two dimensional arrangement of magnets.  These are not too
common, but can be found in some installations.

Opening Magnetic Locks

     By using a pulsating electromagnetic field, you can cause the magnets in
the lock to vibrate at thirty vibrations per second, thereby allowing it to
open by applying constant tension to the bolt.  You should be able to purchase
one of these "picks" from a locksmith supply company.  Unfortunately, this
method usually ruins the properties of the lock's magnets, so use it in
emergencies only.  The magnetic pick can be used in padlocks by stroking it
across the place where the key is placed.  It is also designed to fit into a
doorknob and is then used by stroking one pole in and out.



Simplex 5-button combination locks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(*Hobbit*'s in-depth evaluation)

     This deals with the Simplex or Unican 5-button all-mechanical combination
locks.  They are usually used in a variety of secure but high-traffic
applications, and come in a number of flavors: dead bolt, slam latch, lock
switches for alarms, buttons in a circle or a vertical line, etc.  The internal
locking works are the same across all of these.  Herein will be described the
mechanical workings and a method of defeating the lock that falls out by
logical inference and observations from playing with it.

The internals

     Caveat: If this seems unclear at first, it is because the absolutely best
way to understand the inner mysteries is to take a Simplex lock apart and study
it.  It is highly recommended that the reader obtain and disassemble one of the
units while studying this; otherwise the following may be confusing.  The
locking mechanism box is swaged together at each end, but it is trivial to open
up without destroying it.  To set a lock up for study, remove the back, leaving
the front plate held on by its Jesus clip.  Put a spare thumb turn down over
the shaft so you have something to grab.  Take care not to lose the button
connecting pins; they drop out.

     In the round configuration, the buttons talk via bent bars in the
faceplate to the same vertical column as the straight ones.  Thus all buttons
henceforth shall be referred to as if they were in a straight vertical row,
numbered 1 to 5 reading downward.  The actual locking mechanism inside is a
small metal box, about 3 inches high and .75 x .75 inch across the base.  It
contains five tumblers, one corresponding to each button, a common shift bar,
and a couple of cams to handle reset and unlocking.  The user dials the
combination and turns the handle to the right to open the lock, or to the left
to reset any dialed digits if he made a typo.  If the proper combination has
not been dialed yet, the shaft will not turn to the right.  Setting a
combination shall be described later.  Some of the linear-style locks are
actually made by Unican, but have the Simplex box inside.  For these, a
clockwise twist serves as both open and reset.  There is a detent plate and a
screwy lever system; if the lock is not open yet, the lever cannot turn to the
*box*'s right.  The detent slips, allows the levers to shift the other way, and
the box arm is then turned to the left.  If the detent does not slip, it's
open, and the plate locks to the latch shaft and pulls it back.

     Each of the five tumblers has six possible positions.  Each button does
nothing but push its corresponding tumbler from the 0 position to the 1
position.  Therefore, each button can only be used once, since once the tumbler
has moved, the button has no further effect.  The trick comes when *subsequent*
buttons are pushed.  Each button press not only shoves its tumbler from 0 to 1,
it also advances any "enabled" tumblers one more step.  When a tumbler is
enabled, its corresponding gear has engaged the common bar and pushed it around
one position, so the next button press will do this again, thus taking
previously enabled tumblers around one more notch.  This way, the further-in
tumbler positions can be reached.  It can be seen that there are undialable
combinations; for instance, only *one* tumbler can reach position 5 for a valid
combination [Positions labeled 0 thru 5, totalling six].  If one sits down and
figures out possible places for the tumblers to go, many combinations are
eliminated right away, so the number of possibilities is *not* 6^5 as one might
expect.  Two-at-once pushes are also valid, and are *not* the same as pushing
the given two in some other order.  Pushing two [or three or ...] at once
simply enables two tumblers at once and shoves them to position 1 at the same
time.  [This of course leaves fewer buttons unused to push them in farther!] The
tumblers themselves are small round chunks of metal, with gear teeth around the
top half and a notch cut into the bottom edge.  When all these notches line up
with the locking bar, the lock is open.  The tumblers are mounted on a vertical
shaft so they can spin, with the locking bar fingers resting against the bottom
of each one.  The locking bar is prevented from rising if any notch is turned
away from it.  Juxtaposed to the tumblers is another shaft containing idler
gears, which in turn talk to the common bar in the back.  The intermediate
shaft slides up and down and makes combination changes possible.  Note: The
buttons actually talk to the idler gears and not the tumblers themselves.  This
is necessary since during a combo change, the tumblers cannot move because the
locking bar teeth are sitting in the notches.
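
     The tumbler arithmetic above can be checked mechanically.  The Python
below is an added example, not part of the original text and not anything
published by Simplex; the function names are made up for illustration and it
models full button pushes only.  It maps a press sequence to tumbler positions
and counts how many of the 6^5 position vectors can actually be dialed, which
is the number that matters when judging how much protection the lock offers.

```python
from itertools import combinations, product

BUTTONS = (1, 2, 3, 4, 5)          # numbered top to bottom, as in the text


def tumbler_positions(presses):
    """Return the five tumbler positions reached by a press sequence.

    `presses` is a list of groups; the text's (13),4,2 is written
    [(1, 3), (4,), (2,)].  Hypothetical helper for this example only.
    """
    pos = dict.fromkeys(BUTTONS, 0)
    for group in presses:
        if not group or len(set(group)) != len(group):
            raise ValueError(f"bad press group: {group!r}")
        for b in group:
            if b not in pos:
                raise ValueError(f"no such button: {b!r}")
            if pos[b]:
                raise ValueError(f"button {b} was already pressed")
        # Every press advances the tumblers that are already enabled ...
        for b in BUTTONS:
            if pos[b]:
                pos[b] += 1
        # ... and moves the newly pressed ones from position 0 to 1.
        for b in group:
            pos[b] = 1
    return tuple(pos[b] for b in BUTTONS)


def is_dialable(positions):
    """True if some press sequence produces this vector of positions.

    The nonzero positions in use must be exactly 1..m with no gaps: each
    press group lands on its own level, and a level cannot be skipped.
    """
    if len(positions) != len(BUTTONS):
        return False
    if any(p not in range(6) for p in positions):
        return False
    used = {p for p in positions if p}
    return used == set(range(1, len(used) + 1))


def press_sequences(remaining=BUTTONS):
    """Yield every press sequence, including the empty one."""
    yield []
    for size in range(1, len(remaining) + 1):
        for group in combinations(remaining, size):
            rest = tuple(b for b in remaining if b not in group)
            for tail in press_sequences(rest):
                yield [group, *tail]


def keyspace():
    """Count dialable settings two independent ways and cross-check them."""
    by_presses = {tumbler_positions(seq) for seq in press_sequences()}
    by_positions = {v for v in product(range(6), repeat=5) if is_dialable(v)}
    if by_presses != by_positions:
        raise AssertionError("press model and position model disagree")
    return len(by_positions)


if __name__ == "__main__":
    print("1,2,3     ->", tumbler_positions([(1,), (2,), (3,)]))
    print("(13),4,2  ->", tumbler_positions([(1, 3), (4,), (2,)]))
    print("dialable settings:", keyspace(), "of", 6 ** 5)
```

     Run as written it reports 1082 dialable settings out of 7776, counting
the setting in which no button is pressed at all.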

[Editor's note:  Simplex locks are set at the factory with a default code of
(2-4), 3.  This is often not even changed.]

Combination change, other random facts

     Once you know the current combination, you might want to change it.
Instructions for doing this undoubtedly come with the lock; but it's real easy.
There is a screw in the top with a hex hole; remove this from the lock body.
Dial the proper combination, but don't move the handle.  Press straight down
through the hole with a small screwdriver, until you feel something go "thunk"
downward.  The lock is now in change mode.  Reset the tumblers [leftward
twist], enter your new combination, twist the handle as though opening the
lock, and your change is now in effect.  Re-insert the screw.  This does the
following: The thing you hit with the screwdriver pushes the tumblers down onto
the locking bar [which is why the proper combination must be entered], and
disengages them from their idler gears.  Button presses turn the *idler*
*gears* around, and then the opening action shoves the tumblers back up to mesh
with these gears in their new positions.  A subsequent reset mixes the tumblers
up again to follow the new combination.  This description is admittedly
somewhat inadequate; the right thing to do is take one of the locks apart and
see for one's self what exactly happens inside.

     The Unican model has a disk-locked screw on the rear side.  Removing this
reveals a round piece with a flat side.  Twist this clockwise to enable change
mode as in the above.  This lock, of course, would be a little more secure
against random people changing the combination for fun since you ostensibly
need a key to get at it.  Keep in mind that "reset" on these is done by turning
the knob all the way *clockwise* instead.  There is a linkage that ensures that
the shaft inside goes counterclockwise for the time that change mode is
enabled.

     It is amusing to hear local locksmiths call the Simplex internals a
"computer".  It would seem that none of them have taken one apart to see what
is really inside; the box is painted black as far as they are concerned and
non-openable.  Obtaining one is the unquestionably best way to learn what's in
there.  Unfortunately they cost on the order of $120, a price which clearly
takes advantage of the public's ignorance.  These locks are *not* pick-proof
after all, and anyone who maintains that they are is defrauding the customer.
There are a variety of ways to increase the picking difficulty, to be discussed
elsewhere.  Your best bet is to borrow one from somewhere for an evening and
spend the time learning its innards.

Determining an unknown combination

     Contrary to what the marketing reps would have you believe, the locks can
be opened fairly quickly without knowing the set combination and without
damaging the lock.  Through a blend of a soft touch, a little hard logic, and
an implicit understanding of how the locking mechanism works, they generally
yield within five minutes or so.  [There are *always* exceptions...]

     This method requires that one does not think in terms of a sequence of
button presses.  One must think in terms of tumbler positions, and simply use
the buttons to place tumblers where desired.  For practical description
purposes, it will be assumed that the buttons connect right to the tumblers,
rather than the idler gears that they really do.  The idler gears are a
necessary part only during combination changes.  Unless you are doing a change,
considering it this way is pretty close to the facts.  Remember that a 0
position means the button was never pushed, and 5 is enabled and shifted as far
as possible.

     Turning the thumb handle to the right [clockwise] raises the locking bar
against the tumblers.  Since the lock is never machined perfectly, one or more
tumblers will have more pressure on it than other ones, and this shows up as
friction against it when it is turned via the button.  This friction is felt in
the short distance between fully-extended and the detent on the button [the
first 2 or 3 mm of travel].  Some will travel easily to the detent, and others
will resist efforts to push them in.  Suppose you are twisting the handle, and
tumbler 1 has lots of pressure on it [you can feel this when you try to push
button 1 in].  When you back off the tension on the handle a little bit, the
button can be pushed in against the resistance.  The fact that the button has
resistance at position 0 tells you that tumbler 1's proper position is *not* 0,
or there would be no pressure if the notch was there!  Upon pushing button 1
in, you find that no pressure has appeared at any other button.  This
eliminates position 1 for tumbler 1, also.  Now, how do you get tumbler 1 to
different positions so you can test for pressure against other ones?  Push
subsequent buttons.  Push any other button, and tumbler 1 advances to position
2.  Ignore what the other tumblers are doing for the moment.  Now, perhaps
another button has some resistance now.  This means that tumbler 1 is either at
the right position, or getting close.  Basically you are using other tumblers
to find out things about the one in question.  [Keep in mind that the first one
with friction won't *always* be tumbler 1!  Any tumbler[s] could have the first
pressure on them.] Continuing, push another "don't care" button.  A "don't
care" button is one that is not the one you're trying to evaluate, and not the
one that recently showed some friction.  What you want to do is advance tumbler
1 again without disturbing anything else.  Did the pressure against your test
tumbler get stronger, or disappear?  If it got stronger, that points to an even
higher probability that tumbler 1 is supposed to be at 3, rather than 2.  If
the pressure vanished or became less, 1 has gone too far, and you were safer
with it at position 2.  Let's assume that the pressure against your test
tumbler increased slightly when tumbler 1 was at 2, increased even more when
tumbler 1 was at 3 and vanished when you pushed it onward to 4.  Reset the
lock.  You now know the proper position of tumbler 1 [that is, whatever tumbler
first had pressure on it].  You've already drastically reduced the number of
possible combinations, but you aren't finished yet.

     You can now eliminate positions for the next one or two tumblers the same
way -- but to set things up so you can feel the pressure against these, you
must ensure that your newly-known tumbler [1 in this case] is in its proper
position.  It is useful to make a little chart of the tumbler positions, and
indicate the probabilities of correct positions.

                Positions

             0  1  2  3  4  5
             ----------------
        1 :  L  L  +  T  L  |   <-- Indicates that tumbler 1 is not
                                0, not 1, maybe 2, more likely 3.
Tumbler 2 :  |  |  |  |  |  |
number
        3 :  |  |  |  |  |  |

        4 :  L  |  |  |  |  |   <-- Indicates that tumbler 4 is not 0.

        5 :  |  |  |  |  |  |

     This chart is simply a bunch of little vertical lines that you have drawn
in a 5x6 matrix; the topmost row corresponds to button 1 and the lowest to 5.
Mark the probabilities as little hash marks at the appropriate height.  The
leftmost bar indicates position 0, rightmost 5; a high mark on the left side
indicates that the tumbler is 0, or is never used.  The relative heights of
your tick marks indicate the likelihood of the notch on the respective tumbler
being there.  If you don't know about a position, don't mark it yet.  This
chart serves as a useful mnemonic while learning this trick; as you gain
experience you probably won't need it anymore if you can remember tumbler
positions.

     A tumbler at the 0 position is already lined up before any buttons are
pressed.  This will feel like a lot of loose play with a little bit of pressure
at the end of the travel, just before the enable detent.  Be aware of this;
often enough the first button with pressure can be a 0, and if you aren't
watching for 0 positions you can easily assume it's a don't care, push it, and
screw your chances of feeling others.  Make sure your "don't care" test buttons
aren't supposed to be at 0 either.  It's a good idea to run through and try to
find all the zeros first thing.

     Let us continue from the above.  You have found that tumbler 1 is most
likely to be at position 3, with a slim chance of position 2.  This is marked
in the above chart.  The reason this can happen is that the tops of the locking
bar teeth are slightly rounded.  When the tumbler is one away from its opening
position, the locking bar can actually rise higher, since the notch is halfway
over it already.  So don't assume that the first increase in pressure on other
buttons is the right position for the one you're finding out about.  Let's
assume that the next pressure showed up on button 4.  You can feel this when
tumbler 1 is at position 3; to get tumbler 1 out there, let's say you used the
sequence 1,2,3.  2 and 3 were your "don't care" buttons used only to push 1
around.  Therefore now, tumbler 1 is at position 3, 2 is at 2, and 3 is at 1.
5 and 4 are at 0, and can therefore be felt for pressure.

     The next step is to find the proper position for the next button with
pressure against its tumbler.  Many times you'll get more than one that exhibit
pressure at the same time.  Figure out which button has more pressure on it now
with your first tumbler in the right position.  In this example, only 4
applies.  You now want to advance tumbler 4 to different places, *while*
keeping 1 at its proper place.  1 must always advance to 3 to free the locking
bar enough to press on other tumblers.  To place tumbler 1 at position 3 and 4
at position 1, you would do something like 1,2,4 and check 3 and 5.  To place
tumbler 1 at position 3 and 4 at 2, you would do something like 1,4,2.  To
place 1 at 3 and 4 at 3, you have to press 1 and 4 at the same time, and then
advance that mess by two positions.  If you use 2 and 3 for this, the notation
is (14),2,3, which means 1-with-4, then 2, then 3.  You can also do 4,1,2,5 to
put 4 at 4 and check 3.  If all these tests fail, that is, no pressure appears
at any other button, you can start assuming that 4 is supposed to be way out
there at position 5.  For the example, let's say you did 1,4,2 and pressure
showed up on button 3.  To double-check this, you did (14),2,5, and the
pressure on 3 went away.  So tumbler 4 must have gone too far that time.  Place
a fairly high tick mark on the chart at tumbler 4, position 2 to indicate the
probability.

     Note: A better way to do that last test, to avoid ambiguity, is to do
1,(42),5 and check 3, then do (14),2,5 and check 3.  This ensures that the only
change you have made is to move tumbler 4 from 2 to 3 and avoids the possibility
of movement of tumbler 2 giving bogus results.  Through the entire process, you
want to try to change one thing at a time at every point.  Sometimes a test
setup of this sort won't tell you anything and you have to try
another one [in this case, perhaps 1,(45),2 and then (14),5,2 while checking 3.
This has simply swapped the positions of 2 and 5 during your testing].

     You now know two tumbler positions, with a high degree of confidence, and
have further reduced the possible combinations.  From here, you could mix
tumblers 2,3 and 5 into the sequence with various permutations, as long as you
place 1 and 4 correctly every time.  This would still take some time and brain
work ...  let's try to find out something about some other buttons.  Place 1
and 4 where they're supposed to go ...  the sequence 1,4,2 will do it, and see
what's up with the other buttons.  1,4,3 will leave 2 and 5 available.  You
find eventually that 2 and 3 have the next bit of pressure distributed between
them [and are nonzero], and 5 feels like a 0, as described above.  To confirm
this, advance 5 along with some other button and check 3.  Bingo: There is no
pressure on 2 when 5 is enabled [and you have not changed anything else besides
5's position], so you can firmly decide that 5 is 0 after all.  So leave it
there.  [You did this by advancing 1 to 3 and 4 to 2, as usual, so you can feel
2's pressure in the first place.]

     By now you should know the proper positions of three of the tumblers, and
have eliminated any other zeros by feeling their initial pressure.  Now, since
2 and 3 have the next pressure on them, try and find out more about them.  You
know they aren't zero; suppose we try 1?  To do this you must get one of them
to 1, 1 to 3 as usual, 4 to 2, and leave 5 alone.  How?  Use hitherto unknown
buttons as dummies to position the tumblers right.  For instance, the sequence
1,4,3 will do what you want here; you then check pressure on 2.  Or 1,4,2 and
check 3.  Here you may notice that the pressure on the leftover is a *little*
stronger than before, but not enough to make any sure judgement.  Well, now you
want to advance an unknown to position 2 - but you suddenly notice that if you
do [by doing something like 1,(42),3] there are no free buttons left to test
for pressure!  'Tis time to try possibilities.  Your only unknowns are 2 and 3
now.  You must now advance 1 and 4 to their proper positions, leaving 5 alone,
while sprinkling the unknowns around in the sequence in different permutations.
Use your chart to remember where the known tumblers must go.  Sometimes you get
two possibilities for a tumbler; you must work this into the permutations also.
In this particular example, you know that either 2 or 3 [or both!] must be the
last button[s] pressed, since *something* has to get pressed after 4 to advance
4 to position 2.  An obvious thing to try is putting both the unknowns at
position 1 by doing 1,4,(23).  Try the handle to see if it's open.  No?  Okay,
now leave one of the unknowns down at 1 and mix the other one around.  For
instance, for 2 at 1 and 3 at 2, you do 1,(34),2 -- nope.  Advance 3 one more;
(13),4,2 *click* -- huh??  Oh, hey, it's *open*!!

Well, when you are quite through dancing around the room, you should know that
your further possibilities here ran as follows:

        3,1,4,2    ; to end the permutations with 2 at 1
        1,(24),3   ; and permutations involving 3 at 1.
        (12),4,3
        2,1,4,3

     One may see how things like 2,1,(34),x are eliminated by the fact that 1
must get to 3, and 5 must stay still.  Since only 4 buttons could be used, no
tumbler can get to position 5 in this particular combination.  Note also that
the farther *in* a tumbler has to go, the earlier its button was pressed.

     If all this seems confusing at first, go over it carefully and try to
visualize what is happening inside the box and how you can feel that through
the buttons.  It is not very likely that you can set up your lock exactly as
the example, since they are all slightly different.  Substitute your first-
pressure button for the 1 in this example.  You may even have one that exhibits
pressure against two or more tumblers initially.  Just apply the
differential-pressure idea the same way to find their most likely positions.
The example is just that, to demonstrate how the method works.  To really
understand it, you'll have to set your lock up with some kind of combination,
and apply the method to opening it while watching the works.  Do this a few
times until you understand what's going on in there, and then you'll be able to
do it with the lock assembled, and then in your sleep, and then by just waving
your hands and mumbling....

     A 5-press combination makes life a little tougher, in that you lose
versatility in your freedom of test positions, especially if your first-
pressure tumbler is at position 5.  Here you can use the "almost" feature to
your advantage, and advance the errant tumbler to one before its proper spot,
and hope to see increased pressure on other tumblers.  When a tumbler is one
away from right, the locking bar tab is hanging a large section of itself into
the tumbler notch, and the tab's top is slightly rounded.  So it can rise a
little higher than before.  If you twist the handle fairly hard, you can
distort the locking bar slightly and make it rise higher [but don't twist it
hard enough to break away the safety clutch in the shaft!] The chances of
someone setting this sort of combination without prior knowledge about the
*specific* lock are almost nonexistent.

     As if that wasn't enough, the next thing to deal with is the so-called
"high-security" combinations involving half-pushes of buttons.  The long
initial travel of the tumbler permits this.  If you look at your open mechanism
and slowly push in a button, you'll see that the tumbler actually travels *two*
positions before landing in the detent, and further motion is over one position
per press.  There is no inherently higher security in this kind of combination;
it's just a trick used against the average person who wouldn't think of holding
a button down while twisting the latch release.  It's quite possible to defeat
these also.  When you are testing for pressure against a tumbler set at
"one-half", you'll feel a kind of "drop-off" in which there is pressure
initially, and then it disappears just before the detent.  Before testing
further buttons, you'll have to "half-enable" the appropriate "one-half"
tumblers so the locking bar can rise past them.  Set your lock up with a couple
of combinations of this type and see how it works.  Note that you must hold
down the "half" buttons just before the detent click while setting or opening.
This makes an effective 7 positions for each tumbler, but in a standard [no
"halfs"] setup, it's effectively 6.  This is Simplex's "high-security" trick
that they normally only tell their high-dollar military customers about.  After
working the lock over for a while, it's intuitively obvious.

     The Unican type has no direct pressure direction of twist; if you turn too
far to the right you only reset the tumblers.  What you must do is hold the
knob against the detent release just tight enough to press the locking bar
against the tumblers inside the box but not hard enough to slip the detent.
There is a fairly large torque margin to work with, so this is not difficult to
do.  Unicans do not twist to the left at all, so ignore that direction and work
clockwise only.

Possible fixes

     The obvious improvements to make are to cut notches of some kind
into the locking bar teeth and the tumblers, so that the pressure can't be as
easily felt.  Another way might be to have a slip joint on the locking bar that
would release before a certain amount of pressure was developed against it, and
thus never let the tumblers have enough pressure against them to feel.  The
future may see an improved design from Simplex, but the likelihood does not
seem high.  They did not seem interested in addressing the "problem".


Automotive Protection Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     There are several types of locking devices found on cars today:  standard
window locks, exterior locks, ignition locks, and the famous third-party "club"
type steering wheel locks.

     Wing or vent windows have several types of locking devices.  The most
common is simply a lever that turns to prevent the window from opening.
Another type of wing window lock has a lever latch equipped with a plunger at
the pivot of the latch.  The plunger deadlocks the latch against rotation,
unless the plunger is first pushed in and held until the initial stage of
rotation has been accomplished.  Naturally, these are a bit more secure.

     The most popular auto locks for the exterior and ignition are a derivative
of the wafer tumbler locks called the "side-bar wafer lock." Side-bar wafer
locks offer more protection than either the wafer tumbler or pin tumbler (of
course they cost more.) When all of the tumblers have aligned to their breaking
points, a spring-loaded bar falls into place, allowing the cylinder to turn.
Ford auto locks are an exception, as they have pin tumbler locks.

Club Type Locks

     One of the "club" type auto locks is an extensible bar that has opposing
hooks that nominally wedge between spokes on the steering wheel.  The bar
itself is notched at 1" intervals or so.  The key on these is rather
impressive; it's a brass tube with at least three sets of chamfers drilled into
their sides.

Defeating Club Type Locks

     The weak part of these locks is not the keyway; it's the extensible bar.
The notches provide built-in weak spots.  The lock can be forced in about three
seconds.  Do as follows (it helps to be relatively strong):

1) Put on weightlifting gloves.

2) slide driver's seat all the way back.

3) tilt driver's seat all the way down.

4) tilt steering wheel all the way down.

5) put your feet on ends of "club" (past the rim of the steering wheel)

6) grasp center of the notched extension bar.  Don't interlace fingers,
   just grab with your dominant hand and then grab over that hand in the other
   direction with the other hand.

7) Take a deep breath

8) While smoothly exhaling, hold on tight with your hands and straighten
   your legs.  (classic leg press -- even Joe Average can exert twice his body
   weight in this mode.)

9) "Club" will conveniently bend into a horseshoe or shatter at a convenient
   notch, depending on the mood of the guy running the tempering furnace.
   This is why you wear weightlifting gloves while doing this trick- it keeps
   the steel fragments from cutting you.

     There is another "club" that has a collar that wraps around a segment of
the steering wheel; these cost more, are much less common, and the above
technique does not work for them.  However, you can hacksaw the wheel in one
place and "spring" the wheel enough to allow the collar to pop off the wheel.
Bend the wheel back, add some tinted epoxy, and you're clean.

Auto Alarms

     More and more, people are using auto alarms to try to protect their
vehicles.  Unfortunately, if somebody wants to steal your car, they will.  No
amount of protection will prevent this.  The strategy behind an auto alarm is
to make your car more of a pain to steal than somebody else's.  Here are the
basics of car alarms.

The Brain

     The main alarm unit, sometimes called the "brain", is mounted in the most
secure place that can be found, up inside the dashboard for instance.  The
installers basically take the whole dash apart, install the alarm, and then put
the whole dash back together around it.  Some places install the brain under a
seat or even up under the carpet on the passenger side ("so they can adjust it
easier").  This is incredibly stupid.

Starter Kill

     Basically, when the alarm is armed, the starter is electronically
disconnected so the car cannot be started or even hot wired.  Most alarms have
this as a standard feature.

Valet switches

     This is a toggle switch that can be set to keep the alarm from going off
if the owner has to leave it with a valet or for car repairs.  Most of the
systems have this feature.

Passive vs Active Arming

     With passive arming, the alarm becomes armed after a given time period
after the last car door has closed.  To disarm, you can either get into the
car and place the key in the ignition within a certain time period or press a
button on a remote transmitter to disarm the alarm.

     With active arming, you have to press a button on a transmitter to arm the
alarm.  To disarm, you press the transmitter button again.

Arming and Disarming beeps

     Most alarms give you an audible alert when the alarm is armed or disarmed.
This serves two purposes.  One is to let you know the alarm is working and on
the job.  The other is to let others know the car has an alarm.

Motion Sensors

     Some alarms like the UNGO box and others have a motion sensor.  In the
UNGO Box's case, it is a tube filled with mercury surrounded by a wire coil.
When the car moves, the mercury moves within the tube causing current to flow
in the coil.  This is what sets the alarm off.  Others have some type of spring
with a weight on it so when the car moves, the weight bobbles back and forth
and makes contact with the casing causing the circuit to be completed.  The
former method has a patent, the latter has no patent because it is worthless.
If you have ever heard a parking lot full of alarms going off at an airport or
a parking deck, it is because of this type of sensor.  These are prone to false
alarms from passing trucks, thunder, airplanes, etc.

     The UNGO Box's sensor is highly adjustable, however, if you adjust it to
eliminate all false alarms, then you have basically disabled its usefulness for
triggering real alarms.

Shock Sensor

     This is what comes standard on most alarms.  It basically senses motion
like a motion sensor but scans a very short period of time.  You can rock the
car and push up and down on it and the shock sensor will not go off.  If you
kick a tire or hit the window or door with your fist, the alarm goes off.

Glass Breakage Sensor

     What this is supposed to do is pick up on the particular high frequencies
of glass being broken or cut and to trigger the alarm.  It is basically a
microphone placed somewhere inside the car.

Field Motion Sensor (Perimeter Guard)

     Basically this is the type of sensor which sets up some type of field
around the car and inside the car to detect masses coming close to the car.  It
is a must for convertible owners.  These aren't as common as most other types
because of the extremely high cost.  There are many cheap ones available to add
to any alarm, but they have nothing but problems with them (i.e.  false
alarms).  Some Alpine systems are designed especially for this type of sensor
and have a price tag to match.

     They are basically useless on hard top cars.  Some cheap units are set off
by anything.  There is a car parked right outside of my classroom which is
always being set off by falling rain and passers by.  Very annoying.  There are
other fancy alarms which have a pre-recorded message like "Please step away
from the car ...".  These are really stupid and a waste of money.  I heard of a
new BMW being tortured by a group of kids throwing rocks at it just to hear the
little voice go off.

Current sensor

     This basically monitors the current drain on the battery.  If it changes,
i.e.  a door is opened causing a light to come on, the alarm is triggered.
This is how many cheap alarms are triggered.  They just monitor the current.
The doors and trunk are all protected because they have lights which will come
on when opened.

     The problem is, most newer cars have a fan inside the engine compartment
which comes on even after the car is turned off.  The resulting drain on the
battery will trigger a current sensor.

Seat pressure sensor

     If someone sits in the seat, the alarm is triggered.  Not very practical
unless on a convertible.  By the time the thief is in your seat, your car or
your stereo is history anyway.

Backup Battery

     This is an emergency backup battery for the car alarm.  It charges off of
the car alternator just like the car's battery.  If the car's battery goes dead
or if the power cables are cut, the battery can still run the alarm and the
siren.  The alarm will remain armed.

     With cheaper alarms and/or poor installations, some systems might end up
wired into the car in a haphazard way.  Most alarms flash the car's parking
lights when activated.  All a thief has to do is short out a parking light, set
your alarm off and whammo, your car and the alarm go dead.  Thief gets in,
replaces the right fuses and off he goes.

Automatic Door locks/Unlocks

     Another neat feature is automatic door locking.  This is an option on most
alarms.  It uses what they call an "output" from the alarm which can be
programmed to do various things.  Most installers set this up so that when the
alarm is armed, all doors lock and when the alarm is disarmed, all doors
unlock.

Pagers
     
     A pager (sometimes called Autopage) is used to page the owner's beeper
when the car alarm goes off.  This way they can run to the parking lot and
chase a potential car thief away or catch the person who just rammed into their
car before they speed away.  Pagers may also use up an "output" on the alarm
unit.  Some hook on to the siren and are triggered off of the vibration when
the alarm goes off.

Transmitters

     These of course are used to remotely turn the alarm on and off.  It seems
that with cheaper and/or older alarms, it is possible to transmit all of the
codes in rapid fire sequence to a car alarm.  Eventually, you will hit upon the
right code combination to disarm the alarm.  The average alarm has around 2 to
the 29th codes which is not very many.  Newer (and probably more expensive)
alarms can sense this and lock out any further attempts for a given time
period.



The Marlock System
~~~~~~~~~~~~~~~~~~
     The Marlock System uses a key consisting of a piece of metal with holes
bored in it, and then covered up with strips of IR-invisible plastic.  Thus,
you can't see anything in the plastic, but IR in the keyhole reader can see
thru just fine.  It decodes this, sends it to a controller interface box, which
sends it to a controller PC, which says "cool or uncool", and if cool, then the
interface box sends power to the strike on the door, and turns the LED on the
reader green.

     Each area that is to be accessed via Marlock must have some sort of reader
device.  This can be either a "keyhole" in the knob, a plate on the wall with
the keyhole in it, or whatever.  The reader is hooked up to a controller
interface box.  This box is locked with a really poor lock (like you'd have on
your diskette box) and is located close to the area being secured, often in the
ceiling.  The controller interface box simply provides power for the reader,
the little LED over the top of the reader, and the electric strike locking the
door.  The whole thing is controlled by an IBM PC with a reader keyhole mounted
on the front of the PC which runs to an interface card inside the PC.

     To program a key into the system, one simply inserts it into the keyhole
on the front of the PC, and then tells the program when and where this key can
work.  This is stored in its database, and recalled by the reader as needed.
Also the PC keeps logs of when and where a key was used -- whether or not it
worked!  There are audit trails all over the place.

     If the power goes out, then whether or not the door opens is dependent
upon the strike which was installed.  It can be either fail-safe (i.e.  no
power -- open!) or fail-secure (i.e.  no power -- lock!).  However, for fire
safety code requirements, companies often install it on the side of the door
which allows entry to a restricted area -- not exit.

     Some of the Marlock cylinders have a small brass spot in the middle of the
LED.  This is an emergency override.  One would insert a Marlock key, and use a
9V battery between the key and the pin to provide a signal to the interface
controller to pop the strike.  This may not still be the case however.

Defeating the Marlock System

     Since there's an electric strike all you have to do is provide power to
the strike so it'll release.  This is usually 12-24 volts DC, and is easily
obtained from some lantern batteries.  The activation wires for the strike
usually run down inside the door jamb from the controller interface box.  And
if you have access to the controller interface box, then just pick the lock on
the front of it.  The heavier wires are for the electric strike (the thin wires
are from the reader).  Then just apply power to the thing -- use jumper wires
to get the power from the controller interface box...


VingCards
~~~~~~~~~
     These cards are used primarily by hotels, and are quite unique.  The lock
is a matrix of 32 pins which have two possible positions each [sort of like a
vax...].  Two of these are special and aren't really used in the keying.  The
remaining 30 are constructed out of standard pin and driver parts, except that
all the drivers are the same length and all the pins are the same length.  The
pin-driver combinations sit pointing upward [the springs are underneath] in a
sort of matrix about 1.5 inches on a side.  Above each pin-driver combination
sits a steel ball.  The entire matrix is enclosed in a *plastic* assembly, part
of which can slide "forward" [i.e.  away from the user].  Some of you may be
familiar with the keys: white plastic cards about 3 inches long with a bunch of
holes in one end.  Pushing this into the slot until it "clicks" forward opens
the locking mechanism.

     The lock combination is set by inserting a similar card, only half as
long, into the *back* of the lock.  This card is the same thickness as the
opening card and has part of the hole matrix cut out.  A juxtaposition of this
combination card from the back and the key card from the front closes the
matrix: i.e.  if you overlay the combination and key cards in their opening
configuration, there are no open holes left, *exclusively*: i.e.  where there
is a hole on the combination card there is solid on the key card, and vice
versa.  Thus the complement of the proper key card is the combination card.
This is enforced by the placement of the ballbearings and pins in relation to
the sliders and top plate, so a workaround like a card with all holes cut out
or a solid card does not open the thing.

     The combination card slides in between the conical pin ends and the steel
ballbearings [and is thus harder to push in than the key card].  The key card
comes in over the balls, and its thickness pushes the balls under its solid
regions downward.  So each pin assembly is pushed down, when the lock is open,
the same amount, be it by the key card hitting the ballbearing or the
combination card wedging the actual pin downward.  Clarification: Let us define
a "1" pin as a hole in the opening card.  Thus a "0" pin sits under a solid
portion of the opening card and a hole in the combination card.  A 0 pin opens
as follows: Since the combination card lets the pin rise up against the steel
ball, the keycard pushes the ball [and its pin] down to the bottom of the
keycard slot.  This brings that pin to its shear line.  Simple.  Here's the
magic -- a 1 pin opens in the following fashion: Since the combination card is
solid there, the steel ball is sitting directly on the combination card, and
the pin underneath is *already* at its shear line.  If a solid keycard portion
arrives over this ball, the ball is pushed down against the combination card
and *pushes the entire area of the combination card down under it*, lousing up
not only that pin's shear line but probably a few around it.  Although a clever
mechanism, this depends on the elasticity of the combination card to work.
Note that as the key card is inserted and removed, the combination card will be
flexed up and down randomly until the keycard comes to rest at its opening
position.  [Correction to above: each pin really has *three* possible
positions.  Hmm.]

     All this happens within the confines of the sliding *plastic* frame; this
part carries the two cards, the balls, and the top halves of the pins.  The
stationary part underneath this contains the drivers and springs.  A metal
plate bolts down on top of the sliding piece, leaving a gap just big enough for
the key card.  If the screws holding this plate were to become loose, the plate
would rise up, the key card would sit too high up, and the lock would not open.
All the positioning is done by the thickness of the keys while they rest
against the surfaces of their slots.  Therefore a piece of thin cardboard will
not serve as a duplicate key.  We found that two pieces of plastic "do not
disturb" sign, cut identically and used together, were thick enough to position
things correctly and open the lock.

A rough top view:                  Pin mechanism:

      Back            _ = top plate     Front                       Back
  o   o   o   o    <> = balls           ________________________________
    o   o   o       H = keycard HHHHHHHHHHHHH<>HHHHHHHHHH<>HHHHHH ##  QQ
  o   o   o   o     O = comb. card -->  QQ OOOOOOOO<>OOOOOOOOOOOOOOOOOOOOOO
    o   o   o       # = slider          QQ#  []    []    []       ##  QQ
  @   o   o   @    [] = pins            QQ###[]####[]####[]#################
    o   o   o      || = driver/         QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
  o   o   o   o         spring asm      QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
    o   o   o       Q = stationary      QQQQQ||QQQQ||QQQQ||QQQQQQQQQQQQQ
  o   o   o   o         housing         QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
     Front

     It is hoped that the diagram on the right, with its three example pins,
will show sufficiently that if two holes coincide the pin will rise too far,
and if two solid places coincide, the entire combination card would be pushed
down by the ballbearings.  There is sufficient space underneath the combination
card for it to sag down and foul the shear line; it is normally held upward by
the pins' spring tension against the underside.  This diagram may be misleading
if it is not understood that the balls are actually larger than shown; i.e.
the height of approximately three cards stacked up equals the diameter of the
ballbearing.  There is a thin layer of slider plastic between the keycard and
the combination card, which separates them and retains the ballbearings.

     The @'s in the top view are the two magic pins.  These prevent the lock
from working at all unless a combination card is inserted.  They are a bit
thicker than the other pins and do not have ballbearing parts.  The slider
above the combination card slot here is solid, so these pins have nothing to do
with the keycard.  They simply hold the lock shut if no combination card is
installed, regardless of what is done with a keycard.  Therefore if one were to
make a combination card that only pushed down these pins, a solid keycard would
work.  And if one inserts a solid combination card, the lock is already open
before you insert anything.  [This is a useful hack that will allow anyone to
open the door with just about any tool, in case you are crashing lots of people
in a room, don't have enough keys, and don't feel like making more.  Naturally
your security is compromised, but only those who know what's going on will be
able to get in.]

     The slider has a bracket bolted on to it, which reaches down toward the
doorknob and pushes a moveable sleeve with a square hole through it.  This
joins two sections of a three-section split shaft together, which allows the
outside knob to retract the bolt.  The inside knob is "hardwired" to the bolt
action and always opens the door.  The extra split in the shaft is so that with
the card in place, the lock will still behave like a regular split-shaft
knobset [and disable opening if the deadbolt is shot].

     There is a hinged plastic door on the back [inside] of the lock, which is
held shut with a screwdriver tab inside a slot.  This is where the combination
card goes, although this door exposes enough to see the entire slider mechanism
[except for its inner works; the entire back must be taken off to get the
slider out].

     Now, the security evaluation: I see no clear way to "pick" it.  The rear
pins are hard to get at without touching the frontmost ones.  However, this
lock would be *very* easy to defeat, in the following fashion: A thin tool
about the thickness of a keycard and about .2 inch wide can cover one column of
ballbearings.  If this tool is slowly slid straight into the slot along each
column in turn, the resistance encountered as it contacts each ball indicates
whether there is a hole or not underneath it in the combination card.  The
combination card presses upward against the ball more strongly than the pin's
spring does, so this would allow one to map the combination card and then
construct the keycard complement.  This process wouldn't take very long.  I
therefore recommend that these locks be considered less than high-security.
Furthermore, come to think of it, a small hole drilled in the front plate
[which I doubt is hardened] would make it easy to frob the slider or split
shaft.


Electronic Hotel Card Locks
~~~~~~~~~~~~~~~~~~~~~~~~~~~
     These are wonderful little microcomputer projects masquerading as door
locks.  Inside there's a processor running a program, with I/O leads going to
things like the magnetic strip reader, or the infrared LEDs, and the solenoid,
and the lights on the outside.  They are powered entirely by a battery pack,
and the circuitry is designed such that it draws almost nil power while idle.
The cards are usually magnetic-strip or infrared.  The former uses an oxide
strip like a bank card, while the infrared card has a lot of holes punched in
it.  Since IR light passes through most kinds of paper, there is usually a thin
layer of aluminum inside these cards.  The nice thing about these systems is
that the cards are generally expendable; the guest doesn't have to return them
or worry about lost-key charges, the hotel can make them in quantity on the
fly, and the combination changes for each new guest in a given room.  The hotel
therefore doesn't need a fulltime key shop, just a large supply of blank cards.
Duplication isn't a problem either since the keys are invalidated so quickly.

     The controlling program basically reads your card, validates the number it
contains against some memory, and optionally pulls a solenoid inside the lock
mechanism allowing you to enter.  The neat thing about them is that card
changes are done automatically and unknowingly by the new incoming guest.  The
processor generates new card numbers using a pseudorandom sequence, so it is
able to know the current valid combination, and the *next* one.  A newly
registered guest is given the *new* card, and when the lock sees that card
instead of the current [i.e.  old guest's] card, it chucks the current
combination, moves the next one into the current one, and generates the new
next.  In addition there is a housekeeping combination that is common to all
the locks on what's usually a floor, or other management-defined unit.

     There is no wire or radio connection to the hotel desk.  The desk and the
lock are kept in sync by the assumption that the lock won't ever see the "next"
card until a new guest shows up.  However if you go to the desk and claim to
have lost your card, the new one they give you is often the "next" card
instead.  If you never use it and continue using your old card, the guest after
you will have the wrong "next".  In cases like this when the hotel's computer
and the lock get out of sync, the management has to go up and reset the lock.
This is probably done with a magic card that the lock always knows about [like
in ROM], and tells it something akin to "use this next card I'm going to insert
as the current combination".  The pseudorandom sequence simply resumes from
there and everything's fixed.  If the lock loses power for some reason, its
current memory will be lost but the magic "reset" card will work.
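
     The current/next scheme and the lost-card desync described above, as an
added Python model that is not from the original text or from any lock vendor.
The LCG generator, the 32-bit codes, the seed and the RESET_CARD marker are all
assumptions made up for the demonstration.

```python
"""Constructed model of the current/next card scheme; not any vendor's code."""

RESET_CARD = "reset"   # assumed: a distinct card type the lock always knows


def next_code(code: int) -> int:
    """Stand-in pseudorandom step (a full-period 32-bit LCG, assumed here)."""
    return (1664525 * code + 1013904223) % 2**32


class Lock:
    def __init__(self, seed: int):
        self.current, self.next = seed, next_code(seed)
        self.awaiting_reset = False

    def present(self, card) -> str:
        if card == RESET_CARD:
            self.awaiting_reset = True
            return "reset armed"
        if self.awaiting_reset:
            # "Use this next card as the current combination", then resume.
            self.current, self.next = card, next_code(card)
            self.awaiting_reset = False
            return "resynced"
        if card == self.current:
            return "open"
        if card == self.next:
            # New guest's card seen: drop the old combination and roll forward.
            self.current, self.next = self.next, next_code(self.next)
            return "open (rolled)"
        return "denied"


class Desk:
    """Front desk: no link to the lock, it steps the same sequence per card."""

    def __init__(self, seed: int):
        self.last_issued = seed

    def issue_card(self) -> int:
        self.last_issued = next_code(self.last_issued)
        return self.last_issued


def run_scenario():
    seed = 0x1234ABCD                  # constructed shared starting value
    lock, desk = Lock(seed), Desk(seed)
    log = []
    card_a = desk.issue_card()
    log.append(("guest A, first use", lock.present(card_a)))
    spare = desk.issue_card()          # A reports a lost card, gets the "next"
    log.append(("guest A, old card again", lock.present(card_a)))
    card_b = desk.issue_card()         # desk is now one step ahead of the lock
    log.append(("guest B arrives", lock.present(card_b)))
    log.append(("staff: reset card", lock.present(RESET_CARD)))
    log.append(("staff: B's card", lock.present(card_b)))
    log.append(("guest B", lock.present(card_b)))
    log.append(("guest A, old card", lock.present(card_a)))
    log.append(("unused spare", lock.present(spare)))
    return log


if __name__ == "__main__":
    for step, result in run_scenario():
        print(f"{step:24} -> {result}")
```

Guest B's refusal is the only sign of the desync in this model: the desk has no
way to learn that the spare card was never used.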

     Rumor has it that these locks always have a back-door means of defeating
them, in case the logic fails.  Needless to say, a given manufacturer's method
is highly proprietary information.  In theory the security of these things is
very high against a "random guess" card since there are usually many bits
involved in the combination, and of course there is no mechanical lock to be
manipulated or picked.  The robustness of the locking hardware itself sometimes
leaves something to be desired, but of course a lock designed for a hotel door
probably isn't the kind of thing you'd mount on your house.


Security Alarm Systems
~~~~~~~~~~~~~~~~~~~~~~
     Security alarm systems are becoming more and more common in the home and
small business.  They will become more and more popular in coming years as
their prices continue to fall.  There are basically two types of systems, the
open circuit and closed circuit system.

The Open Circuit System

     An open circuit system is composed of magnetic detectors or contacts that
are "normally closed."  That means that their contacts are separated when the
door or window is in the normally closed position.  When the door or window is
opened, the contacts are released, causing them to close.  This allows current
to flow through the wires, and the alarm sounds.  All the contacts and
detectors are wired in parallel.  This means that current flows ONLY when any
contact or detector switch makes contact.  Let me illustrate:


             switch is open                     switch is closed

 wire   
   ----#############1#############     ----#############1#############
                                           #############2#############---          
                      
       #############2#############----     
               ##########          wire        
       ==========================          
       |         MAGNET         |           (Magnet has been removed)
       ==========================          


                       A Normally Closed Switch Assembly


 
     In the first figure, the "normally closed" switch assembly, which would be
mounted above the door, is held open as the lower portion (#2) is pulled to the
magnet which would be mounted on top of the door.  The magnet has an attractive
force greater than the force of a spring which normally holds the two parts of
the switch closed.  In this position, no current flows through the switch.  In
the second figure, the door would be open, and thus the magnet not aligned
under the switch.  Both halves of the switch have been returned to their
"normal" position, closed, by the spring.

     The obvious disadvantage of an open circuit system is that it becomes
inoperative if a transmission wire is cut, a contact or terminal wire becomes
loose, or some similar condition.  For this reason, circuit wiring for this
type is often concealed.  The vulnerability of the system is minimized by a
test switch or key position which sends current through the main circuit wiring
and reveals any line breaks.  This test lights a small warning lamp on the main
panel, bypassing the main alarm.  This will only test the integrity of the
circuit, not individual detectors.

     When the open circuit system is engaged, an alarm will occur immediately
if any doors or windows have been left open.  Of course the alarm will also
sound anytime a door is used while the alarm is in operation.  Many times a
bypass switch will be placed next to frequently used access ways.  This can be
dangerous because someone can break a door or window pane, activate the bypass
switch, and have free access to the entrance.


The Closed Circuit System

     In a closed circuit security system, low amperage current continuously
flows from the power source, throughout the detector switches, to the
supervising relay (a type of switch) in the control panel.  The detector
switches are of the normally open type.  This is the opposite of the normally
closed type.  The magnet holds the normally open switch assembly together, so
current flows through the switch.  When the magnet is removed, the switch
springs open, and current ceases to flow throughout the circuit.  The
supervising relay monitors the current in the circuit, and should it be
interrupted (by a door opening and causing a detector switch to open), it will
activate the alarm buzzer, telephone dialer, siren, or whatever.
     
     Note that in the closed circuit system, any attempt to cut the wires would
have the same effect as opening a detector switch.  The current would be
interrupted and the alarm would sound.  This makes the closed circuit a much
more secure system than the open circuit type.
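
     The difference between the two wiring schemes under a line fault, as an
added Python model that is not from the original text.  It assumes the
detectors hang off one wire run in a fixed order, so a break "before" detector
k disconnects detector k and everything past it; the function names and the
three-detector zone are made up for the demonstration.

```python
"""Constructed comparison of open-circuit and closed-circuit alarm wiring."""
from itertools import product


def open_circuit_alarm(opened, cut_before=None):
    """Parallel wiring: the alarm sounds when current flows, i.e. when a
    detector still connected to the panel closes its contacts."""
    reachable = len(opened) if cut_before is None else cut_before
    return any(opened[:reachable])


def closed_circuit_alarm(opened, cut_before=None):
    """Series loop: the supervising relay alarms when current stops, whether
    a detector opened or the line itself was broken."""
    current_flows = cut_before is None and not any(opened)
    return not current_flows


def line_test(cut_before=None):
    """Panel test switch: finds a break in the main wiring only.  It says
    nothing about whether an individual detector still works."""
    return cut_before is not None


def compare(n_detectors=3):
    """Try every door state against every fault position and count the
    intrusions that raise no alarm and the alarms caused by a fault alone."""
    tally = {
        "open": {"missed_intrusion": 0, "fault_only_alarm": 0},
        "closed": {"missed_intrusion": 0, "fault_only_alarm": 0},
    }
    systems = {"open": open_circuit_alarm, "closed": closed_circuit_alarm}
    faults = [None] + list(range(n_detectors))
    states = product([False, True], repeat=n_detectors)
    for opened, cut in product(states, faults):
        intrusion = any(opened)            # True = some door/window was opened
        for name, alarm_fn in systems.items():
            alarm = alarm_fn(opened, cut)
            if intrusion and not alarm:
                tally[name]["missed_intrusion"] += 1
            if alarm and not intrusion:
                tally[name]["fault_only_alarm"] += 1
    return tally


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:6} circuit: {counts}")
```

Across the 32 combinations the open circuit misses 11 intrusions and never
alarms on a fault, while the closed circuit misses none and alarms on all 3
fault-only cases, which is the false alarm tendency noted below.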

     The closed circuit system requires more sophisticated equipment and the
circuit installation must be precisely wired.  Closed systems are also prone to
more frequent false alarms.


Security Alarm System Power Sources

     The current for most systems comes from battery, transformer, or a
recharging pack.  The recharging pack is a complete power supply providing 6-12
volts of power.  This is enough to run several separate alarm circuits and even
a six volt telephone dialer.  It is usually equipped with nicad backup
batteries in case of power failure.


Magnetic Detectors

     I used the "Magnetic Detector" when explaining the closed and open circuit
types of security systems.  These are by far the most common type of detectors
used.  As discussed before, they are a two part assembly consisting of a magnet
and a switch.  Both are encased in a weatherproof plastic case.


Tamper Switch or Plunger Contact

     Another popular type of detector is the tamper switch.  It may be used on
windows, alarm boxes, or control panels.  It consists of a switch assembly with
a spring loaded "plunger" protruding from one end.  It is available in both the
normally open and normally closed configurations.


All-Purpose (Bullet) Detector

     This is a beveled button used primarily on doors or double-hung windows.
The button is installed in the hinged side of the door frame, recessed into the
frame.  When the door is closed, the button is depressed.  When opened, it of
course pops out.


Floor Mats

     Pressure sensitive mats wired with open or closed circuits to make or
break contact when stepped upon are used as backup to perimeter security
systems such as rear entrance doors.  They can be placed under regular
carpeting or loose rugs.


Door and Window Traps

     These are basically "trip-wires" and aren't used too often.  They do work
well in areas where conventional detectors would not work, and are
substantially cheaper than infrared.  They can be placed in either a horizontal
or vertical configuration.  For open circuit systems, an insulated plug is
placed between the contacts of the detector.  When it is tripped, the plug is
pulled out, causing the detector's switch to close.  For a closed circuit
system, one end of the trip wire is attached to one end of the switch, and the
other end of the trip wire to the other half of the switch.  This way current
still flows in the circuit.  When the wire is tripped, the circuit breaks.


Photoelectric Systems

     Photoelectric systems transmit invisible pulse modulated beams from
projector/transmitter to receiver.  Interruption of the beam sets off the
alarm.  Although the system is designed primarily for interior use, military
systems have been developed for use on the exterior, even in dense fog.


Emergency Panic Button

     This permits an alarm to be activated by use of a pushbutton located near
a front door, in a bedroom, or hidden under a counter.  In a business, such a
button could be used as a "holdup" button, silently summoning the police or
activating the normal store alarm system.


Automatic Telephone Dialer

     This is a device that will automatically call the appropriate telephone
number and relay a prerecorded message.  These devices are often used to
contact the police, private security, or store officials.  Of course, the
system is at risk if the exterior phone wires are accessible.  For this reason
the phone wiring will be either encased in a steel sheath or wired for alarm.


