By Kyle Vogt


This 500lb safe was cracked.
Contents
  • Auto-what?
  • Inspiration
  • The Lock
  • The Problem
  • Beating the Perfect Lock
  • Electronics
  • What was Inside?
  • Future

    Auto-what?

    I'm not referring to those telephone spamming machines that call you during dinner time or while you're sleeping. This is robotic safe cracking. Two curious MIT students with a mysterious safe and a bit of free time built a laptop-controlled robotic fixture that opened a "manipulation proof", high security safe in just a few hours.

    Inspiration

    My epic battle with a high security safe began about a year ago when a friend of mine, Grant Jordan, managed to get his hands on an old safe - with an unknown or long forgotten combination. It could have been filled with cool stuff like gold coins, ancient relics, or even mummified body parts. Of course, we had to get it open or we would have died of curiosity.

    Fortunately, Grant had been tinkering with locks for several years and had become quite knowledgeable about the subject, but had never tried to open something this difficult. We did a bit of research and discovered that, according to the books, we were pretty much out of luck. Grant's safe was fitted with a Sargent and Greenleaf 8400 lock. This lock is a "manipulation proof" group 1 lock.

    The Lock
    Safe with S&G 8400 lock.

    The S&G 8400 is one of the most advanced mechanical locks ever built. It was used by the government to lock up classified documents for nearly 30 years. It cannot be manipulated by any traditional attacks used on group 2 locks, such as the techniques described in the paper "Safecracking for the computer scientist". This paper is a great read if you have some time, but I'll be showing you the real way computer scientists crack safes...

    It is worth noting that the standard lock for classified documents has since been upgraded to an even more advanced electronic lock, so our machine is not a national security threat. I'm going to be describing our process under the assumption that the lock really is "manipulation-proof" and that the only way to open the safe is to try every possible combination.

    The Problem

    It's pretty easy, right? Just stick a stepper motor on the dial and have it 'brute force' every combination. No. The dial has 100 numbers and each combination is 3 numbers long. That's 100^3 = 1,000,000 possible combinations. Even if such a machine could try a combination once per second (which would be pretty hard in itself), it would take as long as two weeks to crack the safe.

    To complicate things even more, this particular lock has a special "butterfly knob" in the center of the dial that needs to be rotated before and after trying each combination. The mechanism to dial the safe has to rotate the dial and the tiny butterfly knob within the dial. The final issue is detecting a successful combination. There must be some way for the machine to know that it has dialed the correct combination and that the safe has been opened.

    Beating the Perfect Lock

    Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude. Again, read the paper mentioned above for details. Grant implemented our algorithm in Java and was able to test it far before we started constructing the dialer.
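
    To put numbers on the gap between a lock's nominal and effective keyspace, here is an added example (not Grant's Java code, and not part of the original article). The tolerance and forbidden-zone values are assumed inputs for illustration, not measurements of the S&G 8400, and all function names are hypothetical.

```python
"""Added example: nominal vs. effective keyspace of a mechanical dial lock."""
from dataclasses import dataclass
from math import ceil, log2


@dataclass
class Keyspace:
    combinations: int
    bits: float             # log2(combinations)
    worst_case_days: float  # time to exhaust the space


def grid(marks: int, tol: int) -> list[int]:
    """Dial settings to try so every true number lies within +/-tol of one."""
    step = 2 * tol + 1  # marks covered by a single try
    return [(tol + k * step) % marks for k in range(ceil(marks / step))]


def covers(marks: int, tol: int) -> bool:
    """Check that the grid reaches every mark on the circular dial."""
    def dist(a: int, b: int) -> int:
        d = abs(a - b) % marks
        return min(d, marks - d)
    g = grid(marks, tol)
    return all(any(dist(v, p) <= tol for p in g) for v in range(marks))


def keyspace(marks=100, wheels=3, tol=0, forbidden_last=0,
             secs_per_try=1.0) -> Keyspace:
    """tol and forbidden_last are ASSUMED inputs, not S&G 8400 data."""
    step = 2 * tol + 1
    per_wheel = len(grid(marks, tol))
    # The last number can never sit inside the forbidden arc, so skip it.
    last = ceil((marks - forbidden_last) / step)
    n = per_wheel ** (wheels - 1) * last
    return Keyspace(n, log2(n), n * secs_per_try / 86400)


if __name__ == "__main__":
    # Constructed scenarios: exact dialing, +/-1 tolerance, plus a 20-mark zone.
    for tol, forbidden in [(0, 0), (1, 0), (1, 20)]:
        ks = keyspace(tol=tol, forbidden_last=forbidden)
        print(f"tol=+/-{tol} forbidden={forbidden}: "
              f"{ks.combinations:>9,} tries, {ks.bits:.1f} bits, "
              f"{ks.worst_case_days:.2f} days at 1 try/s")
```

    The point for anyone rating a lock: the resistance to exhaustive search is set by the effective count, which falls with the cube of the per-wheel tolerance, not by the 1,000,000 printed on the spec sheet.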

    Dial head and stepper.

    We used a custom stepper motor to rotate the dialer head. The dialer head transmits torque to the dial via a piece of heavy duty surgical tubing. The stepper motor we chose has more than enough resolution to implement our algorithm, but it's not quite as fast as it could be. Stepper motors have an extremely high "holding torque", which is ideal in this situation since the dial must be held in place while the butterfly knob is being turned.

    The head also contains an RC servo motor with a machined knob to mesh with the butterfly knob. This setup enables independent rotation of both the dial and butterfly knob. The stepper motor shaft is also connected to a high resolution optical encoder for position feedback. The encoder is mainly used to detect when the safe is successfully opened. The torque required to open the safe when the correct combination is entered is much higher than the maximum torque of the stepper motor, so the encoder is programmed to report when the position error exceeds a certain threshold. Basically, the stepper motor stalls and the encoder flips out if the safe actually opens.

    Electronics
    First PCB revision.

    Instead of buying off-the-shelf motion controllers and hacking these together to build a complete system, I opted for an all-in-one controller. I built an Atmel microcontroller based control board to connect Grant's laptop to the stepper motor, RC servo, optical encoder, limit switches, and an optional LCD screen. The control board connects to a laptop via USB and talks to a computer just like a serial port. I wrote the microprocessor firmware in C and used an in-circuit programmer to download code to the chip. There are about two thousand lines of code in the firmware, and that does not include any of the actual dialing algorithms. After two rounds of PCBs and about a dozen firmware revisions, we had a fully functional dialer.

    What was Inside?

    The Autodialer successfully detected the correct combination after running for about 21,000 cycles. I'm sorry to report that there were no gold coins, ancient relics, or mummified body parts inside the safe.

    Future

    A faster and more intelligent version of this safe cracker will be finished sometime around January of 2007. I'm still a full time student at MIT, so these things take time. If you are a registered safe technician, a fan of interesting robots, or a lock enthusiast and you want to know more about our machine, please just let us know.

