Blog Series Introduction
So I obtained a solid fire safe for free. Nice! The only problem was that the safe was locked shut and the dial combination unknown. How I came to obtain this safe and why it was locked in the first place can be read in an earlier blog of mine.
This blog series will describe both how a safe lock works (with a focus on my particular type of safe, which uses a so-called direct entry fence lock) and how to open such a safe through a structured process called manipulation. The lock mechanism of a safe is a very interesting topic, and understanding its inner workings is essential to successfully discovering the combination number. You kind of have to “see” in your mind how the different components of the lock mechanism move when the safe controls are manipulated.
I am highly indebted to the excellent sources of information available on the Internet regarding manipulation (I will expand on the exact meaning of this term further on in this blog series) and the inner workings of safes. I myself am just an interested amateur, but expert-grade safe manipulation is an art form performed by a few very dedicated specialists. I use their information extensively in this blog and, among other sources, I highly recommend consulting the following information:
- The National Locksmith Guide to Manipulation by Robert Gene Sieveking.
Although this book was written in the 50’s it is still deemed one of the most authoritative sources of information on the inner workings of combination safes.
- Safecracking for the computer scientist by Matt Blaze from the Department of Computer and Information Science – University of Pennsylvania.
- The video playlist of Michael Maynard on Group 2 safe locks.
Blog series overview
IT security is an area of great interest to me, and opening a safe without initially knowing the combination code can also be seen as hacking the security controls of the safe. The successive phases normally followed in (ethical) hacking can also be used as a general approach to discovering a safe’s combination code. I will follow that approach in this blog series.
As such, the blog series Opening a Direct Entry Fence Fire Safe by Manipulation will consist of the following chapters:
Part 1 | Blog Series Introduction
This is the current blog, which describes the motivating reasons to start this series. It describes the structure of the blog series and the steps and approach followed during my process of opening the safe. This blog also provides a relevant literature overview.
Part 2 | Understanding Safe Controls
This blog will explain how to open a safe when the number combination is known. This procedure is called dialing the combination. After this introduction, the safe lock mechanism is described and the number combination is dialed again, but now the state of the lock is explained at every step of the dialing process so as to get a thorough understanding of the inner workings of the lock.
Part 3 | Passive Reconnaissance
Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your reconnaissance is being performed through an intermediary).
Part 4 | Active Reconnaissance and Scanning
In the previous blog, passive reconnaissance was performed and vital information about the safe was obtained. Now this information will be confirmed by manipulating the lock.
Part 5 | Manipulation Explained
In this blog the theory behind safe manipulation will be explained. Manipulation is the process of opening a locked safe without damaging the safe in any way. With manipulation, the normal controls of the safe are used to gather information about the inner state of the lock. This state information will then be processed and displayed in such a way that it is possible to discover the combination code of the safe. This method does not require many tools, and most of them can be built quite easily.
Part 6 | Measuring Setup
In this blog the measuring setup will be described, as well as the tools to extract meaning from the measurements in order to open the safe.
Part 7 | Gaining Access
In this blog we will finally try to gain physical access to the safe by practicing the theory of manipulation as discussed in a previous blog. The measuring setup will be described, along with the tools to extract meaning from the measurements in order to open the safe.
The last phases of ethical hacking, Maintaining Access and Covering Tracks, are not relevant to this blog series. Maintaining access is quite easily done, because once the number combination is known we have gained root access to the safe and it can be opened using this combination any time we like. Also, covering tracks is not necessary because (1) the safe is mine and (2) we will be using a surreptitious attack which will not damage the safe. Instead we will be opening the safe using the normal safe controls, like a legitimate user would open the safe.
I hope you like this series. Please proceed to Part 2 – Understanding Safe Controls to embark on the journey of opening a closed fire safe.