368 lines
23 KiB
Plaintext
368 lines
23 KiB
Plaintext
Simplex 5-button combination locks:
|
|
*Hobbit*'s in-depth evaluation
|
|
|
|
This deals with the Simplex or Unican 5-button all-mechanical combination
|
|
locks. They are usually used in a variety of secure but high-traffic
|
|
applications, and come in a number of flavors: dead bolt, slam latch, lock
|
|
switches for alarms, buttons in a circle or a vertical line, etc. The
|
|
internal locking works are the same across all of these. Herein will be
|
|
described the mechanical workings and a method of defeating the lock that
|
|
falls out by logical inference and observations from playing with it.
|
|
|
|
The internals
|
|
|
|
Caveat: If this seems unclear at first, it is because the absolutely best way
|
|
to understand the inner mysteries is to take a Simplex lock apart and study
|
|
it. It is highly recommended that the reader obtain and disassemble one of
|
|
the units while studying this; otherwise the following may be confusing. The
|
|
locking mechanism box is swaged together at each end, but it is trivial to
|
|
open up without destroying it. To set a lock up for study, remove the back,
|
|
leaving the front plate held on by its Jesus clip. Put a spare thumb turn
|
|
down over the shaft so you have something to grab. Take care not to lose the
|
|
button connecting pins; they drop out.
|
|
|
|
In the round configuration, the buttons talk via bent bars in the faceplate to
|
|
the same vertical column as the straight ones. Thus all buttons henceforth
|
|
shall be referred to as if they were in a straight vertical row, numbered 1 to
|
|
5 reading downward. The actual locking mechanism inside is a small metal box,
|
|
about 3 inches high and .75 x .75 inch across the base. It contains five
|
|
tumblers, one corresponding to each button, a common shift bar, and a couple
|
|
of cams to handle reset and unlocking. The user dials the combination and
|
|
turns the handle to the right to open the lock, or to the left to reset any
|
|
dialed digits if he made a typo. If the proper combination has not been
|
|
dialed yet, the shaft will not turn to the right. Setting a combination shall
|
|
be described later. Some of the linear-style locks are actually made by
|
|
Unican, but have the Simplex box inside. For these, a clockwise twist serves
|
|
as both open and reset. There is a detent plate and a screwy lever system; if
|
|
the lock is not open yet, the lever cannot turn to the *box*'s right. The
|
|
detent slips, allows the levers to shift the other way, and the box arm is
|
|
then turned to the left. If the detent does not slip, it's open, and the
|
|
plate locks to the latch shaft and pulls it back.
|
|
|
|
Each of the five tumblers has six possible positions. Each button does
|
|
nothing but push its corresponding tumbler from the 0 position to the 1
|
|
position. Therefore, each button can only be used once, since once the
|
|
tumbler has moved, the button has no further effect. The trick comes when
|
|
*subsequent* buttons are pushed. Each button press not only shoves its
|
|
tumbler from 0 to 1, it also advances any "enabled" tumblers one more step.
|
|
When a tumbler is enabled, its corresponding gear has engaged the common bar
|
|
and pushed it around one position, so the next button press will do this
|
|
again, thus taking previously enabled tumblers around one more notch. This
|
|
way, the further-in tumbler positions can be reached. It can be seen that
|
|
there are undialable combinations; for instance, only *one* tumbler can reach
|
|
position 5 for a valid combination [Positions labeled 0 thru 5, totalling
|
|
six]. If one sits down and figures out possible places for the tumblers to
|
|
go, many combinations are eliminated right away, so the number of
|
|
possibilities is *not* 6^5 as one might expect. Two-at-once pushes are also
|
|
valid, and are *not* the same as pushing the given two in some other order.
|
|
Pushing two [or three or ...] at once simply enables two tumblers at once and
|
|
shoves them to position 1 at the same time. [This of course leaves less
|
|
buttons unused to push them in farther!] The tumblers themselves are small
|
|
round chunks of metal, with gear teeth around the top half and a notch cut
|
|
into the bottom edge. When all these notches line up with the locking bar,
|
|
the lock is open. The tumblers are mounted on a vertical shaft so they can
|
|
spin, with the locking bar fingers resting against the bottom of each one.
|
|
The locking bar is prevented from rising if any notch is turned away from it.
|
|
Juxtaposed to the tumblers is another shaft containing idler gears, which in
|
|
turn talk to the common bar in the back. The intermediate shaft slides up and
|
|
down and makes combination changes possible. Note: The buttons actually talk
|
|
to the idler gears and not the tumblers themselves. This is necessary since
|
|
during a combo change, the tumblers cannot move because the locking bar teeth
|
|
are sitting in the notches.
|
|
|
|
Combination change, other random facts
|
|
|
|
Once you know the current combination, you might want to change it.
|
|
Instructions for doing this undoubtedly come with the lock; but it's real
|
|
easy. There is a screw in the top with a hex hole; remove this from the lock
|
|
body. Dial the proper combination, but don't move the handle. Press straight
|
|
down through the hole with a small screwdriver, until you feel something go
|
|
"thunk" downward. The lock is now in change mode. Reset the tumblers
|
|
[leftward twist], enter your new combination, twist the handle as though
|
|
opening the lock, and your change is now in effect. Re-insert the screw.
|
|
This does the following: The thing you hit with the screwdriver pushes the
|
|
tumblers down onto the locking bar [which is why the proper combination must
|
|
be entered], and disengages them from their idler gears. Button presses turn
|
|
the *idler* *gears* around, and then the opening action shoves the tumblers
|
|
back up to mesh with these gears in their new positions. A subsequent reset
|
|
mixes the tumblers up again to follow the new combination. This description
|
|
is admittedly somewhat inadequate; the right thing to do is take one of the
|
|
locks apart and see for one's self what exactly happens inside.
|
|
|
|
The Unican model has a disk-locked screw on the rear side. Removing this
|
|
reveals a round piece with a flat side. Twist this clockwise to enable change
|
|
mode as in the above. This lock, of course, would be a little more secure
|
|
against random people changing the combination for fun since you ostensibly
|
|
need a key to get at it. Keep in mind that "reset" on these is done by
|
|
turning the knob all the way *clockwise* instead. There is a linkage that
|
|
ensures that the shaft inside goes counterclockwise for the time that change
|
|
mode is enabled.
|
|
|
|
It is amusing to hear local locksmiths call the Simplex internals a
|
|
"computer". It would seem that none of them have taken one apart to
|
|
see what is really inside; the box is painted black as far as they are
|
|
concerned and non-openable. Obtaining one is the unquestionably best way to
|
|
learn what's in there. Unfortunately they cost on the order of $120, a price
|
|
which clearly takes advantage of the public's ignorance. These locks are
|
|
*not* pick-proof after all, and anyone who maintains that they are is
|
|
defrauding the customer. There are a variety of ways to increase the picking
|
|
difficulty, to be discussed elsewhere. Your best bet is to borrow one from
|
|
somewhere for an evening and spend the time learning its innards.
|
|
|
|
Determining an unknown combination
|
|
|
|
Contrary to what the marketing reps would have you believe, the locks can be
|
|
opened fairly quickly without knowing the set combination and without damaging
|
|
the lock. Through a blend of a soft touch, a little hard logic, and an
|
|
implicit understanding of how the locking mechanism works, they generally
|
|
yield within five minutes or so. [There are *always* exceptions...]
|
|
|
|
This method requires that one does not think in terms of a sequence of button
|
|
presses. One must think in terms of tumbler positions, and simply use the
|
|
buttons to place tumblers where desired. For practical description purposes,
|
|
it will be assumed that the buttons connect right to the tumblers, rather than
|
|
the idler gears that they really do. The idler gears are a necessary part
|
|
only during combination changes. Unless you are doing a change, considering
|
|
it this way is pretty close to the facts. Remember that a 0 position means
|
|
the button was never pushed, and 5 is enabled and shifted as far as possible.
|
|
|
|
Turning the thumb handle to the right [clockwise] raises the locking bar
|
|
against the tumblers. Since the lock is never machined perfectly, one or more
|
|
tumblers will have more pressure on it than other ones, and this shows up as
|
|
friction against it when it is turned via the button. This friction is felt
|
|
in the short distance between fully-extended and the detent on the button [the
|
|
first 2 or 3 mm of travel]. Some will travel easily to the detent, and others
|
|
will resist efforts to push them in. Suppose you are twisting the handle, and
|
|
tumbler 1 has lots of pressure on it [you can feel this when you try to push
|
|
button 1 in]. When you back off the tension on the handle a little bit, the
|
|
button can be pushed in against the resistance. The fact that the button has
|
|
resistance at position 0 tells you that tumbler 1's proper position is *not*
|
|
0, or there would be no pressure if the notch was there! Upon pushing button
|
|
1 in, you find that no pressure has appeared at any other button. This
|
|
eliminates position 1 for tumbler 1, also. Now, how do you get tumbler 1 to
|
|
different positions so you can test for pressure against other ones? Push
|
|
subsequent buttons. Push any other button, and tumbler 1 advances to position
|
|
2. Ignore what the other tumblers are doing for the moment. Now, perhaps
|
|
another button has some resistance now. This means that tumbler 1 is either
|
|
at the right position, or getting close. Basically you are using other
|
|
tumblers to find out things about the one in question. [Keep in mind that the
|
|
first one with friction won't *always* be tumbler 1! Any tumbler[s] could
|
|
have the first pressure on them.] Continuing, push another "don't care"
|
|
button. A "don't care" button is one that is not the one you're trying to
|
|
evaluate, and not the one that recently showed some friction. What you want
|
|
to do is advance tumbler 1 again without disturbing anything else. Did the
|
|
pressure against your test tumbler get stronger, or disappear? If it got
|
|
stronger, that points to an even higher probability that tumbler 1 is supposed
|
|
to be at 3, rather than 2. If the pressure vanished or became less, 1 has
|
|
gone too far, and you were safer with it at position 2. Let's assume that the
|
|
pressure against your test tumbler increased slightly when tumbler 1 was at 2,
|
|
increased even more when tumbler 1 was at 3 and vanished when you pushed it
|
|
onward to 4. Reset the lock. You now know the proper position of tumbler 1
|
|
[that is, whatever tumbler first had pressure on it]. You've already
|
|
drastically reduced the number of possible combinations, but you aren't
|
|
finished yet.
|
|
|
|
You can now eliminate positions for the next one or two tumblers the same way
|
|
-- but to set things up so you can feel the pressure against these, you must
|
|
ensure that your newly-known tumbler [1 in this case] is in its proper
|
|
position. It is useful to make a little chart of the tumbler positions, and
|
|
indicate the probabilities of correct positions.
|
|
|
|
Positions
|
|
0 1 2 3 4 5
|
|
----------------
|
|
1 : L L + T L | <-- Indicates that tumbler 1 is not
|
|
0, not 1, maybe 2, more likely 3.
|
|
Tumbler 2 : | | | | | |
|
|
number
|
|
3 : | | | | | |
|
|
|
|
4 : L | | | | | <-- Indicates that tumbler 4 is not 0.
|
|
|
|
5 : | | | | | |
|
|
|
|
This chart is simply a bunch of little vertical lines that you have drawn in a
|
|
5x6 matrix; the topmost row corresponds to button 1 and the lowest to 5. Mark
|
|
the probabilities as little hash marks at the appropriate height. The leftmost
|
|
bar indicates position 0, rightmost 5; a high mark on the left side indicates
|
|
that that tumbler is 0, or is never used. The relative heights of your tick
|
|
marks indicate the likelihood of the notch on the respective tumbler being
|
|
there. If you don't know about a position, don't mark it yet. This chart
|
|
serves as a useful mnemonic while learning this trick; as you gain experience
|
|
you probably won't need it anymore if you can remember tumbler positions.
|
|
|
|
A tumbler at the 0 position is already lined up before any buttons are pressed.
|
|
This will feel like a lot of loose play with a little bit of pressure at the
|
|
end of the travel, just before the enable detent. Be aware of this; often
|
|
enough the first button with pressure can be a 0, and if you aren't watching
|
|
for 0 positions you can easily assume it's a don't care, push it, and screw
|
|
your chances of feeling others. Make sure your "don't care" test buttons
|
|
aren't supposed to be at 0 either. It's a good idea to run through and try
|
|
to find all the zeros first thing.
|
|
|
|
Let us continue from the above. You have found that tumbler 1 is most likely
|
|
to bet at position 3, with a slim chance of position 2. This is marked in the
|
|
above chart. The reason this can happen is that the tops of the locking bar
|
|
teeth are slightly rounded. When the tumbler is one away from its opening
|
|
position, the locking bar can actually rise higher, since the notch is halfway
|
|
over it already. So don't assume that the first increase in pressure on other
|
|
buttons is the right position for the one you're finding out about. Let's
|
|
assume that the next pressure showed up on button 4. You can feel this when
|
|
tumbler 1 is at position 3; to get tumbler 1 out there, let's say you used the
|
|
sequence 1,2,3. 2 and 3 were your "don't care" buttons used only to push 1
|
|
around. Therefore now, tumbler 1 is at position 3, 2 is at 2, and 3 is at 1.
|
|
5 and 4 are at 0, and can therefore be felt for pressure.
|
|
|
|
The next step is to find the proper position for the next button with pressure
|
|
against its tumbler. Many times you'll get more than one that exhibit
|
|
pressure at the same time. Figure out which button has more pressure on it
|
|
now with your first tumbler in the right position. In this example, only 4
|
|
applies. You now want to advance tumbler 4 to different places, *while*
|
|
keeping 1 at its proper place. 1 must always advance to 3 to free the locking
|
|
bar enough to press on other tumblers. To place tumbler 1 at position 3 and 4
|
|
at position 1, you would do something like 1,2,4 and check 3 and 5. To place
|
|
tumbler 1 at position 3 and 4 at 2, you would do something like 1,4,2. To
|
|
place 1 at 3 and 4 at 3, you have to press 1 and 4 at the same time, and then
|
|
advance that mess by two positions. If you use 2 and 3 for this, the notation
|
|
is (14),2,3, which means 1-with-4, then 2, then 3. You can also do 4,1,2,5 to
|
|
put 4 at 4 and check 3. If all these tests fail, that is, no pressure
|
|
appears at any other button, you can start assuming that 4 is supposed to be
|
|
way out there at position 5. For the example, let's say you did 1,4,2 and
|
|
pressure showed up on button 3. To double-check this, you did (14),2,5, and
|
|
the pressure on 3 went away. So tumbler 4 must have gone too far that time.
|
|
Place a fairly high tick mark on the chart at tumbler 4, position 2 to
|
|
indicate the probability.
|
|
|
|
Note: A better way to do that last test, to avoid ambiguity, is to do 1,(42),5
|
|
and check 3, then do (14),2,5 and check 3. This ensures that the only change
|
|
you have made is to move tumbler 4 from 2 to 3 an avoids the possibility of
|
|
movement of tumbler 2 giving bogus results. Through the entire process, you
|
|
want to try to change one thing at a time at every point. Sometimes one of
|
|
this sort of possible test setup won't tell you anything and you have to try
|
|
another one [in this case, perhaps 1,(45),2 and then (14),5,2 while checking 3.
|
|
This has simply swapped the positions of 2 and 5 during your testing].
|
|
|
|
You now know two tumbler positions, with a high degree of confidence, and have
|
|
further reduced the possible combinations. From here, you could mix tumblers
|
|
2,3 and 5 into the sequence with various permutations, as long as you place 1
|
|
and 4 correctly every time. This would still take some time and brain work
|
|
... let's try to find out something about some other buttons. Place 1 and 4
|
|
where they're supposed to go ... the sequence 1,4,2 will do it, and see what's
|
|
up with the other buttons. 1,4,3 will leave 2 and 5 available. You find
|
|
eventually that 2 and 3 have the next bit of pressure distributed between them
|
|
[and are nonzero], and 5 feels like a 0, as described above. To confirm this,
|
|
advance 5 along with some other button and check 3. Bingo: There is no
|
|
pressure on 2 when 5 is enabled [and you have not changed anything else
|
|
besides 5's position], so you can firmly decide that 5 is 0 after all. So
|
|
leave it there. [You did this by advancing 1 to 3 and 4 to 2, as usual, so
|
|
you can feel 2's pressure in the first place.]
|
|
|
|
By now you should know the proper positions of three of the tumblers, and have
|
|
eliminated any other zeros by feeling their initial pressure. Now, since 2
|
|
and 3 have the next pressure on them, try and find out more about them. You
|
|
know they aren't zero; suppose we try 1? To do this you must get one of them
|
|
to 1, 1 to 3 as usual, 4 to 2, and leave 5 alone. How? Use hitherto unknown
|
|
buttons as dummies to position the tumblers right. For instance, the sequence
|
|
1,4,3 will do what you want here; you then check pressure on 2. Or 1,4,2 and
|
|
check 3. Here you may notice that the pressure on the leftover is a *little*
|
|
stronger than before, but not enough to make any sure judgement. Well, now
|
|
you want to advance an unknown to position 2 - but you suddenly notice that if
|
|
you do [by doing something like 1,(42),3] there are no free buttons left to
|
|
test for pressure! 'Tis time to try possibilities. Your only unknowns are 2
|
|
and 3 now. You must now advance 1 and 4 to their proper positions, leaving 5
|
|
alone, while sprinkling the unknowns around in the sequence in different
|
|
permutations. Use your chart to remember where the known tumblers must go.
|
|
Sometimes you get two possibilities for a tumbler; you must work this into the
|
|
permutations also. In this particular example, you know that either 2 or 3
|
|
[or both!] must be the last button[s] pressed, since *something* has to get
|
|
pressed after 4 to advance 4 to position 2. An obvious thing to try is
|
|
putting both the unknowns at position 1 by doing 1,4,(23). Try the handle to
|
|
see if it's open. No? Okay, now leave one of the unknowns down at 1 and mix
|
|
the other one around. For instance, for 2 at 1 and 3 at 2, you do 1,(34),2
|
|
-- nope. Advance 3 one more; (13),4,2 *click* -- huh?? Oh, hey, it's *open*!!
|
|
|
|
Well, when you are quite through dancing around the room, you should know
|
|
that your further possibilities here ran as follows:
|
|
|
|
3,1,4,2 ; to end the permutations with 2 at 1
|
|
1,(24),3 ; and permutations involving 3 at 1.
|
|
(12),4,3
|
|
2,1,4,3
|
|
|
|
One may see how things like 2,1,(34),x are eliminated by the fact that 1
|
|
must get to 3, and 5 must stay still. Since only 4 buttons could be used, no
|
|
tumbler can get to position 5 in this particular combination. Note also that
|
|
the farther *in* a tumbler has to go, the earlier its button was pressed.
|
|
|
|
If all this seems confusing at first, go over it carefully and try to
|
|
visualize what is happening inside the box and how you can feel that through
|
|
the buttons. It is not very likely that you can set up your lock exactly as
|
|
the example, since they are all slightly different. Substitute your first-
|
|
pressure button for the 1 in this example. You may even have one that
|
|
exhibits pressure against two or more tumblers initially. Just apply the
|
|
differential-pressure idea the same way to find their most likely positions.
|
|
The example is just that, to demonstrate how the method works. To really
|
|
understand it, you'll have to set your lock up with some kind of combination,
|
|
and apply the method to opening it while watching the works. Do this a few
|
|
times until you understand what's going on in there, and then you'll be able
|
|
to do it with the lock assembled, and then in your sleep, and then by just
|
|
waving your hands and mumbling....
|
|
|
|
A 5-press combination makes life a little tougher, in that you lose
|
|
versatility in your freedom of test positions, especially if your first-
|
|
pressure tumbler is at position 5. Here you can use the "almost" feature to
|
|
your advantage, and advance the errant tumbler to one before its proper spot,
|
|
and hope to see increased pressure on other tumblers. When a tumbler is one
|
|
away from right, the locking bar tab is hanging a large section of itself into
|
|
the tumbler notch, and the tab's top is slightly rounded. So it can rise a
|
|
little higher than before. If you twist the handle fairly hard, you can
|
|
distort the locking bar slightly and make it rise higher [but don't twist it
|
|
hard enough to break away the safety clutch in the shaft!] The chances of
|
|
someone setting this sort of combination without prior knowledge about the
|
|
*specific* lock are almost nonexistent.
|
|
|
|
As if that wasn't enough, the next thing to deal with is the so-called
|
|
"high-security" combinations involving half-pushes of buttons. The long
|
|
initial travel of the tumbler permits this. If you look at your open
|
|
mechanism and slowly push in a button, you'll see that the tumbler actually
|
|
travels *two* positions before landing in the detent, and further motion is
|
|
over one position per press. There is no inherently higher security in this
|
|
kind of combination; it's just a trick used against the average person who
|
|
wouldn't think of holding a button down while twisting the latch release.
|
|
It's quite possible to defeat these also. When you are testing for pressure
|
|
against a tumbler set at "one-half", you'll feel a kind of "drop-off" in which
|
|
there is pressure initially, and then it disappears just before the detent.
|
|
Before testing further buttons, you'll have to "half-enable" the appropriate
|
|
"one-half" tumblers so the locking bar can rise past them. Set your lock up
|
|
with a couple of combinations of this type and see how it works. Note that
|
|
you must hold down the "half" buttons just before the detent click while
|
|
setting or opening. This makes an effective 7 positions for each tumbler, but
|
|
in a standard [no "halfs"] setup, it's effectively 6. This is Simplex's
|
|
"high-security" trick that they normally only tell their high-dollar military
|
|
customers about. After working the lock over for a while, it's intuitively
|
|
obvious.
|
|
|
|
The Unican type has no direct pressure direction of twist; if you turn too
|
|
far to the right you only reset the tumblers. What you must do is hold the
|
|
knob against the detent release just tight enough to press the locking bar
|
|
against the tumblers inside the box but not hard enough to slip the detent.
|
|
There is a fairly large torque margin to work with, so this is not difficult
|
|
to do. Unicans do not twist to the left at all, so ignore that direction and
|
|
work clockwise only.
|
|
|
|
Possible fixes
|
|
|
|
The obvious things improvements to make are to cut notches of some kind into
|
|
the locking bar teeth and the tumblers, so that the pressure can't be as
|
|
easily felt. Another way might be to have a slip joint on the locking bar
|
|
that would release before a certain amount of pressure was developed against
|
|
it, and thus never let the tumblers have enough pressure against them to feel.
|
|
The future may see an improved design from Simplex, but the likelihood does
|
|
not seem high. They did not seem interested in addressing the "problem".
|
|
|
|
[Method independently discovered 8410, revised and cleaned up 861020
|
|
by *Hobbit*, for informational purposes only. This information was also
|
|
forwarded to the engineering staff at Simplex Security Systems.]
|
|
|
|
_H*
|