Understanding Safe Controls
This is part two of a seven blogs series in my quest to open my locked shut fire safe of which the dial combination was unknown. How I got to obtain this safe and why it was locked in the first place, can be read in an earlier blog of mine.
In my previous blog in this current series, Part 1 – Blog Series Description, my motivation behind the blog series was given. In that blog I also outline the structural approach – which is usually followed in (ethical) hacking – to open the safe.
This current blog will first describe how in general to open a safe when the number combination is known. This is called dialing the combination. After this introduction the internals of the safe lock mechanism is described and the number combination will be dialed again but now the state of the lock is inspected at every step of the dialing process so as to get a thorough understanding of the inner workings of the lock.
Dialing open a safe
Below is a picture of my safe, just to establish what kind of safe we are talking about here.
The safe uses a combination lock and a key lock (which will be discussed later). Let’s focus on the combination lock first because that is the most important control to understand here.
A specific sequence of numbers needs to be dialed before the safe will unlock. Each number needs to be lined up with the opening index sequentially in a specific order. This opening index is located in the dial ring.
A safe combination code usually consists of three numbers, ranging from 0 to 100. This could for example be the number sequence “52, 35, 23”. The numbers need to be dialed in the exact given order.
A combination dial can be turned left or right and depending on the type of lock this can make a difference. The direction of rotation is often denoted by putting “L” or “R” in front of the combination number, for example “L52 – R35 – L23”.
- “L” means turning the dial counterclockwise (ccw) / approaching the opening index from the right / “dial to the left”.
- “R” means turning the dial clockwise (cw) / approaching the opening index from the left / “dial to the right”.
To open a safe with the combination “L52 – R35 – L23” the following sequence of actions has to be performed:
- Turn left until the first number (52) is at the opening index for the fourth (or more) time.
- Turn right until the second number (35) is at the opening index for the third time.
- Turn left until the third number (23) is at the opening index for the second time.
- Turn right until the lock opens (this will be within one rotation).
The video below shows how this works to open a safe by dialing the combination.
Now let’s understand what is actually happening when the dial is being turned.
Understanding the mechanism
Figure 3 shows a schematic overview of a general safe combination lock. The number dial is on the left side of the picture. The wheel pack on the right is inside the safe door.
In general a safe combination lock consists of four wheels stacked behind each other. One of these wheels is a special wheel and is called the drive wheel or drive cam (usually it is the wheel furthest away from the outside dial). This drive cam is directly connected and fixed to the dial via the spindle which runs through the safe door. The other three wheels are the combination wheels. These wheels are not fixed to the spindle but, using clockwise and counterclockwise rotation of the dial, can be positioned independently of each other, the cam drive and the dial. Each of these wheels has a so called gate which in the picture below is the gap at the top of the picture.
On each side of a wheel a pin is attached which is perpendicular to the surface of the wheel and which moves around with the wheel. These pins are located at the same radial distance from the center of each wheel. So when turning the wheel around, eventually a pin will meet the pin on the adjacent wheel within one revolution. This will make the adjacent wheel also starting to turn. When the dial has been turned four times in one direction all wheels will have picked each other up (the pins are stacked) and then turn in concert.
See Figure 3: only wheel #2 and #3 have a pin on each side. The cam drive and drive #1 only have one pin (on the side where the adjacent wheel is). This is because the drive cam is being directly rotated by turning the dial and wheel #1 has no adjacent wheel that it needs to pick up.
When the correct safe combination has been dialed the gates of all wheels are lined up exactly. This is what it means to dial the correct safe combination. At that moment the fence can fit in the gap created by the lined-up gates. It is exactly in this configuration only that the bolt can be retracted which keeps the door closed.
If even one of the wheels is not in the correct position that gate is not lined up with the other gates preventing the fence to enter the gates because the fence will rest on the circumference of the incorrectly positioned wheel.
For the most common types of wheel packs Figure 5 shows a visual representation of a wheel pack that is positioned in the correct configuration such that the gates all line up. When de dial is turned for the last time the the cam gate will approach the lever and enter it. At that time further turning of the dial will retract the bolt of the lock resulting in an opened safe.
Figure 6 shows the lever and fence isolated from the wheel pack.
Let’s not get ahead of ourselves here but as we will establish in the next blog my own safe works in a slightly different way because it does not have a drive cam and does not have a lever that can enter a drive gate. My safe just has four wheels and if the gates line up a fence can be made to enter the gap by turning the safe key. This fence is connected to the bolt which closes the door. This bolt therefore retracts and the door can be opened.
Example and explanation
Now, what actually is happening when for example combination “L52 – R35 – L23” is the correct safe combination and this combination is being dialed?
Assume a random position of the wheels. Now open the safe as follows:
- Turn the dial left until the first number (52) is at the opening index for the fourth time.
Start turning the dial left (ccw). When turning the dial, at first only the drive cam will turn. Within one revolution however, the drive cam will pick up wheel #3 (revolution 1). Wheel # 3 will start to turn also and will pick up wheel #2 within the next revolution (revolution 2). Wheel #2 will start to turn also and will pick up wheel #1 within the next revolution (revolution 3). Now all wheels are turning and the opening index must be positioned on “52” within the next revolution (revolution 4). Wheel #1 is now positioned at “52”.
- Turn the dial right until the second number (35) is at the opening index for the third time.
Now start turning the dial the other way (to the right / cw). When turning the dial at first only the drive cam will turn. Within one revolution (revolution 1) however the drive cam will pick up wheel #3. Wheel #3 will start to turn also and will pick up wheel #2 within the next revolution (revolution 2). Wheel #2 will start to turn also. Keep turning the dial until position “35” is reached (revolution 3). Now stop turning. Wheel #2 is now positioned at “35” (and wheel #1 is still positioned at “52” because rotation of the dial was stopped before wheel #1 started to rotate).
- Turn the dial left until the third number (23) is at the opening index for the second time.
Now start turning the dial the other way again (to the left / ccw). When turning the dial at first only the drive cam will turn. Within one revolution (revolution 1) however the drive cam will pick up wheel #3. Wheel # 3 will start to turn also. Keep turning the dial until position “23” is reached (revolution 2). Now stop turning. Wheel #3 is now positioned at “23” (wheel #2 is still positioned at “35” and wheel #1 is still positioned at “52” because rotation of the dial was stopped before wheel #2 started to rotate).
- Turn the dial right until the lock opens (this will be within one rotation).
Now start turning the dial the other way (to the right / cw). When turning the dial only the drive cam will turn. Within one revolution (revolution 1) the lever nose will drop in the cam gate and the fence will lower in the lined up gates of the wheels. Turn until the lock opens.
Visualizing this process is key in successfully manipulating a safe and these concepts are best explained when you see this actually happening. The video below might help in making the inner workings of a safe combination lock more comprehensible.
Fixed drive pins and fly pins
Drilling a little deeper on the subject of drive pins is necessary because this will become important later on with regards to finding the dial combination of my safe.
Usually the inner wheels (#2 and #3, see Figure 3) have a fixed pin on one side and a movable pin, a fly pin, on the other side. This movable fly is designed to rotate within a fixed range before moving the wheel. This allows the opening combination number to be dialed either clockwise or counterclockwise.
There are also safes (usually the cheaper ones) which have wheels without a fly. These wheels are fitted with fixed pins only. For these kinds of safes the opening combination code will be different depending on the direction the dial is being turned when dialing the combination code for that specific wheel. The opening combination codes must be dialed strictly in the prescribed directions.
Take for example combination code “L52 – R35 – L23”. On a safe using wheels with a fly the safe can also be opened using combination code “R52 – L35 – R23”. Using “R52 – L35 – R23” on a safe with fixed drive pins will be unsuccessful.
Let’s have a look at the effect of fixed drive pins on the positioning of the wheels when the direction of rotation is reversed. See Figure 7 below.
Wheel D is the drive cam which is connected directly to the dial via the spindle. When the dial is turned, drive D will also turn in the same direction. The other wheels are the combination wheels. Let’s assume all wheels are fitted with fixed drive pins.
Also assume that the starting position of each wheel is random. And suppose our goal is to navigate wheel #1 to position A (because this is for example the unlock position of this particular wheel).
Starting from this initial configuration the dial is been turned right (cw). First the drive cam D turns, in less than one revolution it picks up wheel #3 which picks up wheel #2 which eventually picks up wheel #1. At that time the pins are in a “stacked” configuration and all wheels are turning at the same time when the dial is being turned. The dial is now turned right until wheel #1 is at position A. Assume the opening index is now aligned with “5” on the dial. This end position is depicted in the figure in the top half of Figure 7.
Now we are going to navigate wheel #1 in position A (the wheel’s opening position) by turning the dial the other way around until we reach the configuration as show in the lower half of Figure 7.
From the ending position depicted in the top half of Figure 7 now turn the dial to the left (ccw). Assume the width of a pin is 6 units. In 6 units less than a full rotation (the width of the fixed pin) it will pick up the pin of wheel #3. When that happens the dial will be 6 units before position “5” which will be position “99”.
Keep turning until wheel #3 picks up wheel #2. Because of the width of the drive pin this will again be in 6 units less than a full rotation which will result in the dial being at position “93” (= 99 – 6).
Again keep turning and than stop when the pin of wheel #2 is positioned just against the pin of wheel #1. Now the dial is at position “87” (= 93 – 6). Wheel #1 is still positioned in position A (the opening position for this wheel) but the dial is now at a different number.
Safe combinations for safes with fixed drive pins therefore require a strict dialing pattern (for example L-R-L) to unlock a safe.
The National Locksmith Guide to Manipulation dedicates a whole chapter to fixed drive pin locks. If you want to read more on fixed pins this a highly recommend source.
Now that we have a general idea of the workings of a safe lock let’s get to know the safe I obtained better by examining it and consulting publicly available information sources. Part 3 – Passive Reconnaissance of this blog series will describe this reconnaissance phase.