Behind the Hack: How I Discovered the 8-Try Master Combo Lock Exploit

In my last guide, I showed how you could crack the combination of any Master Lock combination padlock in 8 tries or less using my online calculator. Now, as promised, I'll show how I devised the attack, which builds on the well-known technique that reduces the 64,000 possible combinations of a Master Lock down to just 100. Here, I'll be drilling open a Master combo lock to show how the insides work.

Using a Dremel, I removed the vast majority of the lock's backplate so that you could actually see what's going on inside when turning the dial. Inside, there's a collar that keeps the shackle from coming out when the lock is opened.

There is also a lever (which falls into the disk indentations when the combination is entered), a latch (which the shackle pulls up, and which controls the lever), and a return spring (the bar that pushes the lever/latch back into place after opening or closing the shackle).

Also, there are three combination disks, one for each number of the combination. The first two sit on the shaft attached to the backplate, with a spring between the first disk and the backplate and small plastic spacers between the disks. The third is connected to the dial itself.

Each combination disk has a tooth on each side. When the dial is rotated a couple of times, these teeth all engage and turn all of the disks together. This is where you enter the first number of the combination, so that disk 1's recess lines up with the lever.

Next, you enter the second number turning the opposite way. The tooth on disk 3 catches disk 2 and moves disk 2's recess into place without moving disk 1. Once the second number is set, turning back the other way sets disk 3's recess in place with the final number.

However, not all teeth on the combination disks are actually used. The tooth on disk 1 facing the backplate is not needed, and is where the vulnerability comes in.

As you'll remember from my last guide, you first had to find a resistant location: pull up on the shackle, turn the dial, and feel for resistance. What is happening is that the unneeded tooth on disk 1 is lightly hitting the shackle collar, which also gets pulled up as you hold the shackle up.

In this example, our resistance location is at 8.5.

To find out how far that resistant number is from the real first number, we simply measure from the recess in the disk to the spot where it should sit under the lever.

To translate that into dial positions, we find the circumference of the disk by measuring its diameter and multiplying by pi (3.14), then divide the circumference by the number of digits on the dial (40) to get the distance between adjacent digits. Dividing the measured offset by that spacing tells us how many digits the recess has to move to sit under the lever.

For the third number, we take advantage of the notches around the edge of disk 3, which catch the lever when you pull up on the shackle with a lot of force. While pulling up, you look for the locked positions to plug into my online calculator. This is what makes my attack much simpler than the other well-known one, which makes you find all of the locked positions to see which has the biggest gap.

Here, you only need to find the first two whole-number locked positions and work out the rest mathematically. If the first two whole numbers are 3 and 10, add 10 to each repeatedly, wrapping past 40 back to 0, so the possibilities are 3, 13, 23, 33 and 10, 20, 30, 0.

Now, using the two locked positions found on disk 3 (ex. 3 and 10), we simply input them into my online calculator, along with the resistant location found on disk 1 (ex. 8.5), to get the first number of the combination (ex. 14) and two possible numbers for the third (ex. 10, 30).

This works because of the congruence between the three numbers of the combination. The first and third numbers are congruent modulo 4: divide each by 4 and the remainders are the same. So we find the two possible third numbers by checking which of the locked-position candidates fall in the list of numbers sharing the first number's remainder (for 14, that's 2, 6, 10, 14, 18, 22, 26, 30, 34, 38); here that leaves 10 and 30.

To see which of the two third numbers is right, pull up on the shackle and compare the two to see which has the bigger gap; that one is the correct number. In this case, it's 30.

The second number is congruent modulo 4 to the third number plus 2, i.e. its remainder is offset by 2 from the third number's. With 30 as the third number, that gives 10 possible second numbers: 0, 4, 8, 12, 16, 20, 24, 28, 32, 36.

But we can reduce that to 8 because of the way the lock is built. The tooth on disk 2 cannot sit too close to the tooth on disk 3, which keeps the second and third numbers from being too close to each other, so we can rule out any possible second number within 2 of the third. So 28 and 32 are out in our example.

That leaves 0, 4, 8, 12, 16, 20, 24, and 36 as candidates for the second number. From here, we should be able to open the lock with one of the 8 possible combinations 14 - [0, 4, 8, 12, 16, 20, 24, or 36] - 30.
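The reduction above, carried through as an added worked example. This is Python written for this page, not the online calculator's code. The only value not taken straight from the text is the offset between the disk-1 resistance location and the first number: the page derives it by measuring the disk, and its worked example maps 8.5 to 14, so an offset of 5.5 dial positions is assumed here and labelled as such in the code.

```python
# Worked model of the 8-try reduction described above.  Added example written
# for this page; it is NOT the online calculator's code.  The one value that is
# not taken straight from the text is RESIST_OFFSET (see below).

DIAL = 40  # positions on the dial, 0..39

# The page derives this offset by measuring disk 1 (recess-to-lever distance
# divided by the per-digit spacing).  Its worked example maps a resistance
# location of 8.5 to a first number of 14, so 5.5 positions is ASSUMED here.
RESIST_OFFSET = 5.5


def dial_distance(a, b):
    """Shortest distance between two dial positions, wrapping past 39 to 0."""
    d = abs(a - b) % DIAL
    return min(d, DIAL - d)


def first_number(resist):
    """First number: the disk-1 resistance location shifted by the measured
    offset, rounded half-up to a whole dial position (8.5 -> 14)."""
    return int(resist + RESIST_OFFSET + 0.5) % DIAL


def third_candidates(first, lock1, lock2):
    """Third number: extend each whole-number locked position by +10 around the
    dial, then keep only those congruent to the first number mod 4."""
    extended = {(lock + 10 * k) % DIAL for lock in (lock1, lock2) for k in range(4)}
    return sorted(n for n in extended if n % 4 == first % 4)


def second_candidates(third):
    """Second number: congruent to (third + 2) mod 4, minus anything within two
    positions of the third, since the disk-2 and disk-3 teeth cannot sit that close."""
    return [n for n in range(DIAL)
            if n % 4 == (third + 2) % 4 and dial_distance(n, third) > 2]


def combos(resist, lock1, lock2, third=None):
    """All combinations left to try.  Pass `third` once the gap test has picked
    it (8 tries); leave it None to keep both possible thirds (16 tries)."""
    first = first_number(resist)
    thirds = third_candidates(first, lock1, lock2)
    if not thirds:
        raise ValueError("no locked position is congruent to the first number mod 4; "
                         "re-check the resistance location and locked positions")
    if third is not None:
        if third not in thirds:
            raise ValueError(f"{third} is not one of the candidate thirds {thirds}")
        thirds = [third]
    return [(first, s, t) for t in thirds for s in second_candidates(t)]


if __name__ == "__main__":
    # Inputs from the page's worked example: resistance 8.5, locked positions
    # 3 and 10, and the gap test picking 30 over 10 as the third number.
    print("first number:", first_number(8.5))
    print("third candidates:", third_candidates(first_number(8.5), 3, 10))
    for first, second, third in combos(8.5, 3, 10, third=30):
        print(f"{first} - {second} - {third}")
```

Running it with the page's inputs lists the same eight combinations as the text (14 - 0 - 30 through 14 - 36 - 30). Leaving `third` unset before doing the gap test doubles the list to 16, which is still a short enough run to try by hand if the gap is hard to feel.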

Be sure to subscribe to my Applied Hacking newsletter below to keep up on future hacks. Soon, I'll be showing off my motorized, 3D printed Arduino-based device that can crack combo locks in under 30 seconds.

3 Comments

The "tooth that is not used" actually is used. It's meant to be hit by the shackle collar when opened to relock the lock. As the shackle is fully opened the collar hits that tooth and spins it. Without that the lock would remain in the open setting unless the dial was spun. :) Excellent exploit find by the way!

Interesting point RRIS CENTAUR, but I didn't see that tooth get hit by the shackle collar when he pulled the shackle at 6:15 after demonstrating the opening process. That may be because his was all loose and broken apart, however.

If they wanted to fix this exploit/vulnerability, they wouldn't have to necessarily make a separate disc, but instead put a groove in the shackle collar so it doesn't ever hit that tooth.

Who knows though, I mean the engineer(s) may have secretly done this on purpose as a backdoor in. Sinister? Maybe. Evil genius? Definitely.

Anyways, great job Samy. You're awesome.

Edit: Something I discovered as a kid (and just thought about again), is that after the correct unlock sequence you can push in/down & hold on the number dial when pulling the shackle up and pushing it back down and it does not re-lock. But yea, normally at least one of those teeth is getting hit during the shackle release or reinsert so it can re-lock.

Double Edit: Did some isolation testing and the re-locking feature happens when you put the shackle back in (not when pulling up). Could be something else other than the shackle collar that is hitting a tooth on one of the discs. Haven't opened the back of one yet (for this purpose) to see what exactly happens though.

Triple Edit: Definitely not the shackle collar, as I can swivel the shackle to the outside of the lock and move it up and down freely several times, then push in & hold on the number dial, re-insert the shackle into the lock, pull up on the shackle (while still pressing in on the dial) and it is still unlocked.

Samy is my hero
