This isn’t one of those telephone spamming machines that call you during dinner time or while you’re sleeping. This is robotic safe cracking. Two curious MIT students with a mysterious safe and a bit of free time built a laptop-controlled robotic fixture that opened a “manipulation proof”, high security safe in just a few hours.
Kyle Vogt’s epic battle with a high security safe began about a year ago when a friend of his, Grant Jordan, managed to get his hands on an old safe with an unknown or long-forgotten combination. It could have been filled with cool stuff like gold coins, ancient relics, or even mummified body parts. Of course, they had to get it open or they would have died of curiosity.
Fortunately, Grant had been tinkering with locks for several years and had become quite knowledgeable about the subject, but had never tried to open something this difficult. They did a bit of research and discovered that, according to the books, they were pretty much out of luck. Grant’s safe was fitted with a Sargent and Greenleaf 8400 lock. This lock is a “manipulation proof” group 1 lock.
The S&G 8400 is one of the most advanced mechanical locks ever built. It was used by the government to lock up classified documents for nearly 30 years. It cannot be manipulated by any traditional attacks used on group 2 locks, such as the techniques described in the paper “Safecracking for the computer scientist”. This paper is a great read if you have some time, but I’ll be showing you the real way computer scientists crack safes…
It is worth noting that the standard lock for classified documents has since been upgraded to an even more advanced electronic lock, so our machine is not a national security threat. I’m going to be describing their process under the assumption that the lock really is “manipulation-proof” and that the only way to open the safe is to try every possible combination.
Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination “forbidden zones”, they reduced the number of possible combinations by about an order of magnitude. Again, read the paper mentioned above for details. Grant implemented their algorithm in Java and was able to test it well before they started constructing the dialer.
They used a custom stepper motor to rotate the dialer head. The dialer head transmits torque to the dial via a piece of heavy duty surgical tubing. The stepper motor they chose has more than enough resolution to implement their algorithm, but it’s not quite as fast as it could be. Stepper motors have an extremely high “holding torque”, which is ideal in this situation since the dial must be held in place while the butterfly knob is being turned.
The head also contains an RC servo motor with a machined knob to mesh with the butterfly knob. This setup enables independent rotation of both the dial and butterfly knob. The stepper motor shaft is also connected to a high resolution optical encoder for position feedback. The encoder is mainly used to detect when the safe is successfully opened. The torque required to open the safe when the correct combination is entered is much higher than the maximum torque of the stepper motor, so the encoder is programmed to report when the position error exceeds a certain threshold. Basically, the stepper motor stalls and the encoder flips out if the safe actually opens.
Instead of buying off the shelf motion controllers and hacking these together to build a complete system, Kyle opted for an all-in-one controller. He built an Atmel microcontroller based control board to connect Grant’s laptop to the stepper motor, RC servo, optical encoder, limit switches, and an optional LCD screen. The control board connects to a laptop via USB and talks to a computer just like a serial port. Kyle wrote the microprocessor firmware in C and used an in-circuit programmer to download code to the chip. There are about two thousand lines of code in the firmware, and that does not include any of the actual dialing algorithms. After two rounds of PCBs and about a dozen firmware revisions, they had a fully functional dialer.
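To make the two software ideas above concrete (the combination-space reduction from the tolerance and forbidden-zone paragraph, and the encoder-based stall detection from the dialer-head paragraph), here is an added Python model. It is not Grant’s Java dialing code or Kyle’s C firmware. Every lock parameter in it (100-position dial, ±1 tolerance, a forbidden zone on the last wheel, the stall threshold, and the “unknown” combination used in the simulation) is an assumption chosen for illustration, not a measured S&G 8400 value, so the combination count it prints is only as good as those assumptions.

```python
"""Added example, not the project's own Java dialing code or C firmware: a
software model of shrinking the combination space and of detecting the open
via a stalled stepper. Every lock parameter is an assumption for
illustration, not a measured S&G 8400 value."""
from itertools import product
from typing import Callable, Iterator, List, Optional, Tuple

DIAL_POSITIONS = 100           # assumed: 0..99 dial, three wheels
TOLERANCE = 1                  # assumed: a gate is still hit when dialed +/-1 off
FORBIDDEN_LAST = range(0, 20)  # assumed forbidden zone on the last wheel
STALL_THRESHOLD = 5            # assumed: encoder counts of lag that count as a stall

Combo = Tuple[int, int, int]


def dial_distance(a: int, b: int, n: int = DIAL_POSITIONS) -> int:
    """Shortest distance between two dial positions, allowing wrap past 0."""
    d = abs(a - b) % n
    return min(d, n - d)


def candidate_positions(n: int, tol: int) -> List[int]:
    """Mechanical tolerance: if the lock accepts a gate dialed +/-tol off,
    dialing every (2*tol+1)-th mark still lands within tol of every gate, so
    one wheel needs about n/(2*tol+1) trials instead of n."""
    return list(range(0, n, 2 * tol + 1))


def covers_all_gates(positions: List[int], n: int, tol: int) -> bool:
    """Sanity check that no gate escapes the coarse grid (catches a bad n/tol)."""
    return all(any(dial_distance(g, p, n) <= tol for p in positions) for g in range(n))


def combinations(n: int, tol: int, forbidden_last) -> Iterator[Combo]:
    """Reduced search space: coarse grid on every wheel, forbidden zone
    removed from the last wheel."""
    grid = candidate_positions(n, tol)
    last = [p for p in grid if p not in forbidden_last]
    return product(grid, grid, last)


def search_size(n: int, tol: int, forbidden_last) -> int:
    """Number of trials the reduced space requires (naive space is n**3)."""
    return sum(1 for _ in combinations(n, tol, forbidden_last))


def stalled(commanded: int, measured: int, threshold: int = STALL_THRESHOLD) -> bool:
    """Open detection as the article describes it: the bolt needs more torque
    than the stepper has, so on the right combination the commanded position
    runs away from the encoder reading."""
    return abs(commanded - measured) > threshold


def make_simulated_encoder(true_combo: Combo, n: int, tol: int) -> Callable[[Combo, int], int]:
    """Constructed stand-in for the lock plus optical encoder. The shaft
    follows the command unless the dialed combination is within tolerance of
    the real one, in which case the bolt blocks the motor and the reading
    stays at 0."""
    def encoder(dialed: Combo, commanded: int) -> int:
        opens = all(dial_distance(d, t, n) <= tol for d, t in zip(dialed, true_combo))
        return 0 if opens else commanded
    return encoder


def run_autodialer(n: int, tol: int, forbidden_last,
                   encoder: Callable[[Combo, int], int],
                   open_stroke: int = 20) -> Tuple[Optional[Combo], int]:
    """Dial each candidate, then drive the stepper through the opening stroke
    while watching the encoder; return (combination found, cycles tried)."""
    cycles = 0
    for combo in combinations(n, tol, forbidden_last):
        cycles += 1
        for commanded in range(open_stroke + 1):
            if stalled(commanded, encoder(combo, commanded)):
                return combo, cycles
    return None, cycles


if __name__ == "__main__":
    grid = candidate_positions(DIAL_POSITIONS, TOLERANCE)
    assert covers_all_gates(grid, DIAL_POSITIONS, TOLERANCE)
    print("naive space:", DIAL_POSITIONS ** 3,
          "reduced space:", search_size(DIAL_POSITIONS, TOLERANCE, FORBIDDEN_LAST))
    true_combo = (41, 70, 88)  # constructed "unknown" combination for the simulation
    enc = make_simulated_encoder(true_combo, DIAL_POSITIONS, TOLERANCE)
    print("found", *run_autodialer(DIAL_POSITIONS, TOLERANCE, FORBIDDEN_LAST, enc))
```

The point of `covers_all_gates` is the check a practitioner wants before trusting a coarse grid: a step that is too wide for the lock’s real tolerance silently skips the correct combination, and the dialer then runs to the end of the space and reports nothing. The simulation also shows why the reported combination need not equal the lock’s true one: the dialer only ever lands within the tolerance band.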
The Autodialer successfully detected the correct combination after running for about 21,000 cycles. Kyle and I are both sorry to report that there were no gold coins, ancient relics, or mummified body parts inside the safe. 😛
© 2011, hackshark.com. All rights reserved.