@ninp0
Last active April 4, 2022 22:30

Safe Manipulation Steps

Pro-Tip: Go buy an "SAIC" instead. See the Defcon 14 presentation "Safecracking Without a Trace" for more information.

*SECTION 1 - Discover the left contact point (i.e. LCP) and right contact point (i.e. RCP) to reveal the space between them, also known as the drop-in contact area (i.e. DICA):

  1. Rotate the dial at least four times counter-clockwise (i.e. CCW) to pick up all the wheels, also known as the wheel pack (i.e. WP).
  2. Continue turning CCW slowly until the nose of the lever drops into the left side of the drive cam gate slightly. This is the LCP.
  3. Continue rotating the dial slowly CCW.
  4. The next indication will be the nose of the lever striking the right side of the drive cam gate. This is the RCP.
  5. The space between the LCP and RCP is now known; this space is the DICA.

*SECTION 2 - Determine the exact number of wheels in the WP:

  1. Rotate the dial at least four times CCW to pick up the WP.
  2. Since the DICA is known, continue to move the WP CCW and park the WP at a far away number (i.e. FAN) from the DICA.
  3. Turn the dial clockwise (i.e. CW). As you pass the FAN, the drive pin will come into contact with the fly of the first wheel. That's one wheel.
  4. Continue rotating CW. Every time you pass the FAN, another wheel should be picked up. That's wheel two.
  5. Continue this process until no more wheels are picked up at FAN. Most safes have three or four, however, some will have six, seven, eight or more.

*SECTION 3 - Charting of data on the manipulation graph (i.e. MG) via combination dial interaction:

  1. Populate the LCP and RCP values within the MG.
  2. Populate the whole number values nearest to the values of LCP and RCP.
  3. Rotate the dial at least four times CW to pick up the WP.
  4. Continue CW until the dial comes to 100 (or 0 on some safes) (i.e. MAX) in order to park the WP in that location.
  5. Rotate the dial CCW to the DICA and take the LCP and RCP readings (i.e. Refer to SECTION 1).
  6. From a graphing perspective, if we assume the current LCP is 48 1/8, this is annotated on the MG by placing a dot on the value 48 1/8 within the left manipulation graph section (i.e. LMGS) on the MAX line (located at the bottom of the LMGS).
  7. From a graphing perspective, if we assume the current RCP is 56 1/4, this is annotated on the MG by placing a dot on the value 56 1/4 within the right manipulation graph section (i.e. RMGS) on the MAX line (located at the bottom of the RMGS).
  8. It's important that LMGS and RMGS are placed vertically next to each other within the MG and are considered a mirror of one another.
  9. The MG lines in LMGS and RMGS go in increments of three, so the next reading occurs at MAX - 3 = Next Line (i.e. NL) (e.g. 100 - 3 = 97).
  10. Rotate the dial right back to MAX to pick up the WP, then park the wheels at NL.
  11. Rotate the dial left to the DICA and take the LCP and RCP readings (i.e. Refer to SECTION 1).
  12. Populate NL values on the MG with the LCP value in the LMGS and the RCP value in the RMGS.
  13. Repeat this process until LCP and RCP values have been recorded for all NL in the LMGS and RMGS of the MG.
  14. Once LCP and RCP values have been populated for the final NL (i.e. NL == MIN) (e.g. NL == 1), the MG is complete.
  15. The lines on which the LMGS and RMGS values approach each other most closely should be equal in number to the wheels discovered in SECTION 2, and they indicate the general areas containing the combination of the safe.

*SECTION 4 - Populate an Amplified Manipulation Graph (i.e. AMG):

  1. An AMG should be completed for each of the respective numbers identified in SECTION 3.14.
  2. On the AMG of the first number, the readings are taken every half number instead of every three numbers as in SECTION 3.9, and the increment lines are adjusted to read 1/8 measurements instead of 1/4.
  3. The rest of this process is done in the same manner as SECTION 3.
  4. An AMG is done only for the respective numbers identified in 3.14. Doing so should reveal the actual combination.

*SECTION 5 - Recover Combination via AMG number exhaustion:

  1. Since the order of the combination revealed is still unknown (e.g. let's say AMG analysis revealed 91, 64, 16), all sequences of 91, 64, 16 will need to be attempted to derive the true combination.
  2. Given the example provided in SECTION 4.5 the sequences to try until successful combination discovery would be:
     • 91, 64, 16
     • 64, 16, 91
     • 16, 91, 64
     • 64, 91, 16
     • 16, 64, 91
     • 91, 16, 64
  3. If none of the combination attempts above work, you may need to offset each combination number by 1 on each side and follow the steps in SECTION 5.2 with the updated numbers - for example:
     • 91 >> try 90 and 92
     • 64 >> try 63 and 65
     • 16 >> try 15 and 17