Introduction: Cracking Single Dial Combination Locks
*DISCLAIMER* Yah, whatever. I just googled to see if all these disclaimers are legally necessary, couldn't find a definitive answer, and ultimately decided against it. Be smart... whatever that means.
There are several instructables out on how to figure out the combo to a master lock, but not all of them explain the techniques clearly, and there are heaps more awesome tricks you can use to crack them faster. I'll also go in depth into understanding why these techniques work and understanding it on a holistic level. Most of what I've learned about Master Locks is from the site Masterunlcoked.com. Check their site for more tips and such.
You might have to read several of the steps again a few times before you've figured it out. Trust me, if you take the time to really understand it all, it'll be worth it.
NOTE: In the future, I will be adding some videos, as well as a 3D model of a master lock, which is really useful for understanding how they work. Just give me some time.
Update READ! (please)
There is a brand of combination locks called Zephyr. A high school in my area buys them by the bulk for their lockers. I was experimenting with several of them, and realized that they all only had 1 sticking point (read step 5 if you don't know what that means). I tested 12 locks, and they all had only one sticking point. I only had time to unlock one of them, and that lone sticking point was the last digit. The combination followed the same rules as Master Locks do, but I only know that for sure about one Zephyr lock. If you have a Zephyr combination lock, try it out and Inbox me with the results or post them in the comments. I want to find out if this is a universal exploit.
Step 1: Dialing the Combination
If you have a Master Lock you probably already know how to dial in the combination, but I'll include how anyways.
All combinations are 3 digits, 2-26-4 for example. They are also always all even or odd numbers, and I'll get more into that later.
Step 1: Spin the dial clockwise several times. You only need to spin it around 3 full revolutions, but it doesn't hurt if you spin it more.
Step 2: Keep spinning the dial clockwise until you reach the first number, 2 in this example.
Step 3: Stop at 2, and spin the dial one full revolution COUNTERclockwise, until you pass the first number. Keep spinning the dial in the same direction until you reach the 2nd number, 26.
Step 4: Reverse direction and spin the dial clockwise until you reach the last number, then pull up on the shackle.
et voilà! You're done! Go celebrate and then keep reading. Don't worry, I'll wait until you're done.
Step 2: Understanding the Lock
You don't need to understand how this lock works in order to crack it, but I'll think less of you as a person if you skip this section. Understanding the mysterious inner workings of a combination lock will make the method for cracking them make more sense, and you will have a better sense of what is going on inside the case while you are manipulating it.
As you know, there are three numbers in the combination. Inside the lock there are 3 cams, and each cam relates to one number of the combination. A cam is really just a small wheel. All 3 of these cams have a hole in their center and they are attached to a small shaft, which extends out of the lock casing and is fixed to the numbered dial which you turn. An important fact to note is that only one of these cams is fixed to the shaft, which means when you spin the dial on front, the last cam will spin because it is fixed to the shaft, but the two other cams will not rotate, they stay in place and the shaft rotates freely. Also important, every cam has a little notch on its outer edge. Whenever you pull up on the shackle of the lock, there is a lever in the lock that wants to move, but is stopped because of the 3 cams. However, when all 3 notches on the cams are lined up underneath the lever, the lock will open when you pull up on it.
So that's how the lock opens, but I haven't explained how putting in the correct combination lines up all three notches underneath the lever. As I've explained it so far, you can only move one cam with the dial. Don't worry, there's more! The 3 cams are on the shaft with a small amount of space between them. If you looked at the space between the 3rd and 2nd cam, you would see a bump/protrusion on each cam, I'll just call them stubs. The stub on the 3rd cam sticks out just enough to run into the stub on the 2nd cam. So if you spin the dial, spinning the 3rd cam, eventually it will bump into the stub on the 2nd cam and begin turning the second cam as well. As long as you keep spinning in the same direction, both the 3rd and 2nd cam will keep spinning. But if you turn the dial in the opposite direction the 2nd cam will stop spinning, because the stub on the 3rd cam is no longer contacting the stub on the 2nd cam. You need to spin the dial one full rotation in the opposite direction before the 2nd cam will spin again. So now you can spin the 3rd and 2nd cam, we still need to move the first. The same sort of stubs are between the 2nd and 1st cam. So from the beginning, you spin the dial which directly spins the 3rd cam. When the 3rd cam stub hits the 2nd cam stub, the 2nd cam starts spinning. When the other 2nd cam stub hits the 1st cam stub, the 1st cam starts spinning.
Now you have all the cams are moving, and its time to start inputting the combination. Remember how you needed to spin the lock clockwise a few times before you put in the first number? That's so you have all the cams moving. After getting them all moving, you stop at the first number, which lines the 1st cam notch up with the lever. Now you spin the dial in the opposite direction one full revolution. The 1st and 2nd cam are left where they are, and the 3rd cam spins with the dial until it runs into the 2nd cam again, but this time from the other direction. Now you can move the 3rd and 2nd cam without disturbing the 1st cam, which is already where it needs to be. You keep spinning the dial until you reach the 2nd number, and the 2nd cam notch will be at the lever. Next you just spin the dial in the other direction until you reach the last number in your combination. Only the 3rd cam will move and when it lines up with the lever, all the notches will be lined up and you can pull the shackle.
Wow, did that make sense? I sure hope so, because it was a mouthful. Take a deep breath, digest that info and keep on reading.
Step 3: So How Many Combination Are There?
As some of you math people might want to point out, Master Locks aren't actually combination locks. They are permutation locks. Combination and permutation are mathematical terms that refer to whether or not order makes a set of numbers unique. If you were looking for the number of 3 digit combinations using 1,2, and 3. In a combination, you can rearrange the numbers and it is still considered the same combination.1-2-3, 3-2-1, 2-3-1 are all the same combination, so if this really was a combination lock, you could put the numbers in in any order. In a permutation, changing the order makes it a entirely unique set. So 1-2-3 is different from 3-1-2, and only one will open the lock. Despite all that math I will still call Master Locks combination locks, otherwise normal people will yell at me.
Okay, nerd rant over.
So how many possible permutations could a Master Lock have? Well, first we should look at how many there should be mathematically. The dial has 40 digits on it and you need 3 digits to make the permutation. So using some simple math there should be 64,000 possible permutations (40*40*40). If it took you 10 seconds to try a combination, it would take you 7 and a half days with no breaks to try all those combinations. So if there should be 64,000 combinations, why is it that if you look at the packaging of a Master Lock, it will say, "Over 1500 combinations!" What? That's not even REMOTELY close to 64,000, what gives? Mechanical tolerances are what give.
Master Locks are relatively small and aren't machined too exactly. For instance, you can't have the combination be the same 3 digits, because those stubs on the sides of the cams would run into each other when trying to get back to the same number. Also, the notches on the cams that match up with the lever don't fit into each other exactly. If they fit precisely, you would need to be incredibly careful when dialing the combination and it would take more care than anyone has time for. The notches are a good deal bigger than the lever, so if you're one number off, the lock will still open. These and several other factors greatly reduce the number of possible combinations that Master Lock can claim are the only combinations that open the lock.
The first digit could be any of the 40 digits on the dial, but once you know one digit there are certain rules that link all the digits in the combination together. So let's get down and look at those rules.
Step 4: Combinations Rules
2-6-10-14-18-22-26-30-34-38 Block 1
0-4-8-12-16-20-24-28-32-36 Block 2
3-7-11-15-19-23-27-31-35-39 Block 3
1-5-9-13-17-21-25-29-33-37 Block 4
Ah, numbers!!!!. Run! Okay, I'll explain what those blocks of numbers are above. Here's how it works, to get a combination, you pick a block, pick a number from the first line, one from the 2nd line, and one from the 3rd, and that's a unique possible combination. What that means is that any one digit in the combination could be any of the 40 on the dial, but once you know one digit, there are not 40 possible digits for each of the other digits. There are only 10 possibilities for each. That probably didn't make too much sense, so I'll take you through an example.
Let's say that for some reason you know the last digit to the combo(19); find that number in the last column of one of the blocks. In this case we are looking at block 4. Now, you have 10 possible 1st digits, and those are the numbers in the first line of block 4. The 10 possible numbers for the 2nd digit are in line two. That means that if the last digit is 19, there are only 100 (10*10) possible combinations that end in 19 (actually, there are only 64, but I'll get into that later). If you know that the 1st digit of one combination is 12, you look at block 1 and you can see the 10 possible numbers for the 2nd digit and the 10 possible numbers for the 3rd digit.
Make any more sense? The basic idea is that if you know one digit to the combination, there are only 100 combinations that your lock could have. Now if you put in a combination every 10 seconds, it takes 16 minutes or so to try all the combinations. Half the time you will get the combination in 8 minutes. That's way better than a week! Plus, there are several methods to put in combinations faster and cut down on time. Sure. If you were a spy and needed to break into a box that had a Master Lock on it, 16 minutes might be too long to go undetected, but if you just want to open one of them, that's awesome time.
"Wait just one lock crackin' second," you might theoretically ask. "That's great if you know one of the digits, but how are you supposed to do it if you don't know any digits?" Just calm down, I'm going to get to that in the next step. All things come to those who wait. Except... wait, nope, definitely not. I was thinking of buses.
I know this is a lot, but bear with me. If you understand the rules that govern the possible combinations then eventually you can work out the combo to a lock without having the write anything down. SO, moving on.
If you look at the blocks of numbers up top, you'll notice a few things. First, in any particular block all the numbers will be either all odd, or all even. So if one digit in the combination is odd, all will be odd, and vice versa. Another thing you might notice is that in every line of numbers 4 is added to each number to get the next number. You get these belts like 0-4-8-12... and so on. These belts are always 10 numbers long, they progress by 4, and they can only start at 0,1,2, or 3.
There are only 4 different belts of 10 that you can have.
I'm going to name these belts, Belt 0, Belt 1, Belt 2, and Belt 3. Creative, I know.
Looking back to the blocks at the top of the page you can see that every block starts and ends with the same belt. Block 1 starts and ends with Belt 0. In between there is Belt 2, and Belt 2 is just Belt 0, but everything is shifted over by 2.
Block 3 starts and ends with Belt 2. In between there is Belt 0, which is Belt 2 shifted over by 2.
Are you starting to see the pattern? Here, I'll show how you would use this knowledge to write down all the combinations if you found out the last digit, and you will learn a method to figure out the last digit.
SO you find out that the last digit is 8. You want to know what belt you are using for your 1st digit and what belt you are using for your 2nd digit. You know that the 1st digit belt is the same as the 3rd digit belt, so you find the belt that contains 8. That happens to be Belt 0. You know that the belt for the 2nd digit is the first belt but shifted over by two, which in this case is Belt 2. To recap everything, you know the 3rd digit is 8, the 1st digit is is one of the numbers in Belt 0, and the 2nd digit is in Belt 2.
If you are writing on paper while you solve the lock, I would write down Belt 0 and 2 like this...
Then go through them all, 0-2-8, 0-6-8, 0-10-8... and so on.
If none of that made sense, it's okay. You can still open Master Locks; I'll just be incredibly disappointed in you and never really love you.
Step 5: Getting 'dem Digits... the Last One in Particular
So everything I've talked about so far is pretty useless unless you know one digit of the combination. Which just so happens to be a piece of cake! You can figure out the last digit of pretty much all Master Locks through a mechanical manipulation process.
Remember back to the explanation of how the lock works? Remember that latch/lever that presses against the cams when ever you lift on the shackle, and only opens when all the cam notches are lined up? Time to exploit that guy. If the lock had been perfectly machined, when you lift the shackle the latch would press evenly on all three cams. Luckily for us, all the cams are slightly different sizes, the 3rd cam being the largest. So if you lift the shackle and spin the dial, the latch will apply pressure to the cam, and eventually get stuck in the notch! Or, at least, that's how it would work on old Master Locks. You just needed to lift, spin, and when the dial got stuck it meant you had found the last number.
Unfortunately for us, Master Lock wised up to that trick and all Master Locks now a days have an extra security feature to make our lives hard. Or safer, depending on how you look at it. They added 11 shallow notches spaced around the edges of the 3rd cam. This makes your job a bit harder, but still doable. If all the 11 fake notches were just like the real notch you would not be able to tell the difference between them, but then all 12 notches would open the lock. That's unacceptable, so Master Lock made the 11 fake notches much shallower than the real notch, that way they won't open the lock, but you will get stuck on them if you lift the shackle and spin. When you get caught in one of these fake notches (now referred to as sticking points) you will be able to move the dial back and forth a small amount, usually the range of movement is 1 number or so. Each sticking point has a beginning and end, often in between numbers of the dial. One sticking point might look like 21.25-22.25. To get out of a sticking point, you just need to release pressure on the shackle, turn a bit, and then you'll be ready to look for the next sticking point.
So now, if you lift the shackle and twist, you will find 12 sticking points and be able to write down what numbers those sticking points start and end. One of them is the real last digit and 11 of them are fake. Your job is to figure out which is the real one.
Go find a lock, and right down all the sticking points. When the dial is stuck in between numbers, just guesstimate .25, .5, .75 something like that. You don't have to be exact, just consistent.
Done? Perfect, below are the sticking points for a lock I had laying around. I'll only write the end of the sticking point.
Again, it looks like a bunch of numbers, but there is a pattern hiding. This is also where I think a lot of other tutorial on this technique fall flat. Often, you will be told that 5 of these sticking points will have a whole number in the middle of their sticking point, 4 will end in the same number, one is the odd one out, and that's your last digit. While that is often true, it's not the whole truth.
But first, the patterns. Every lock will have 4 sets of 3 sticking points. A set is 3 consecutive sticking points. You notice the first 3 are 0, 3.2, 6.5. That's the first set. The next three numbers are 10, 13.1, 16.5. That's the second set. The second set is the first set +10. Same for sticking points 7-9 and 10-12. Most sticking points in the same group (ie, 0, 10, 20, 30.1, one sticking point from each set) are exactly 10 numbers apart. The abnormalities are what we are looking for. Looking at the "0" group, they are all pretty much the same, and 30.1 has slightly more give than the others in its group. In the "3" group (3.2, 13.1, 23.8, 33.25) all 4 numbers are a little bit different, but 23.8 stands out among all of them. In the "6" group (6.5, 16.5, 26.6, 36.75) the last one, 36.75 is the most different from all of them. So your contenders for the last digit are 30, 23, and 36. Because the sticking point at 23 was the most different from the other sticking points in its group, that means that 23 is going to be your 3rd digit.
YEEESSSSSSSSSSSSS!!!! You've done it! You've defeated the man! You've conquered those simpletons' sense of security and you're ready to take the world by storm! Well, you still have to try all the 100 combinations. Maybe try taking the world by drizzle instead.
To recap, the 3rd digit will most likely be the sticking point that is most different from the others in its group. Sometimes you will have two numbers that you think might be the 3rd digit, and you just need to make your best guess and try one. If that wasn't it, try the other one. You'll get there.
Oh! I almost forgot! I told you that there are 64 possible combinations once you get the last number, not 100. There are some rules for figuring it out in your head, but I haven't memorized them, so you get this handy dandy calculator in an Excel file. THIS is not mine, it was made by some of the wonderful people at Masterunlocked.com. That should cut down on your solving time.
Step 6: More Tricks If the Lock Is Open
The techniques below aren't useful for opening a lock, but they are useful for finding the combination to a lock that's already open. There are 3 situations I can imagine this being useful. First is if you have a lock laying around that's open and you want to be able to use it. Second is if you find an Master Lock that should be locking something but is open, you can quickly get the combination, re-lock it and use that info later. Third is you could use a shim to open the lock, then these methods to get the combo, and use that info later. It's also just pretty cool to know.
Onto the content. Getting the 1st digit is ridiculously easy. Push the shackle into the lock only a tiny bit. You can probably feel the point where if you push more the lock will lock. Don't lock the shackle, just push it into the hole. Start spinning the dial counter-clockwise. At some point, the shackle will begin to push up from its hole. Note whichever number that happens on. The 1st digit should be 10 numbers to the right on the dial. This is an incredibly consistent rule and is very useful. Normally, I've found that as soon as you can see a gap between the shackle and the hole, that's when you stop and add 10.
Boom! You got the first number in a few seconds. Now you can use a super cool sounding technique called optical decoding. Believe me, if someone asks you what you're doing with that lock and you tell them you are optically decoding the combination, they will forever remember you as a bad@#!*% . Here's how it works: You'll need a flashlight for this, so go find one. When the shackle is open and you shine the light into the hole, you can just make out the first two disk. Start spinning the dial clockwise a few times to pick up all the cams. You should just barely be able to see the notches on the cams when you are spinning them. Stop spinning when the 1st cam notch is in sight. Look at what number you have, normally it will be 10 off from the 1st digit, which you found out earlier. Note how far off you are from the first digit, and spin the dial a full turn in the opposite direction, and keep spinning until the 2nd cam notch is lined up with the 1st cam notch inside the Master Lock. Look at what number you have, and adjust by whatever number you were off by when you lined up the 1st notch. That's all there is to it! In under 2 minutes you just got the 1st and 2nd digit and you already know how to find the last one. As you can see, getting the combination off of an open lock is ridiculously easy.
Step 7: Final Words and Parting Advice
Most people don't spin the dial after they re-lock their lock, which means very frequently the last number will still be under the red arrow. It also isn't to hard to see what number people are stopping at when they put in the combo. Use this to your advantage.
Man, you made it all the way through! I'm proud of you. If you understand all the previous step you now have a pretty intricate understanding of how master locks work and how to crack them. I covered a bunch of stuff, but I really encourage you to spend some time exploring masterunlocked.com. There is tons of awesome information hidden their and whoever made it sure put a lot of effort into it. You could learn a ton more there, things like reverse combinations, methods for faster dialing, etc. Reverse combination? What?! What does that even mean? Do some research and find out.
Now before anyone mentions this in the comments, yes, you could just use a shim to open a lock instead of taking the time to crack it. If you don't know what a padlock shim is, Google it. You can buy them cheap or make crappy ones out of soda cans. If all you wanted to do was open the lock, you'd probably just want to use a shim. But if you want the combination, or really just want to feel awesome having cracked a lock by yourself, that's where these skill come in handy.
If you've reached this point by skipping some of the steps concerning how the lock works, I really recommend that you give those pages a second look. Sure, you could learn how to find the last digit and just use the spreadsheet and you'll be cracking locks in no time, but you will be so much more satisfied if you understand it all. The only reason anyone figured out these techniques were because there was someone who understood how these locks worked and he figured out how to exploit their weaknesses. Who knows? Maybe that could be you one day.
And there's no reason to stop at master locks. You can learn how to pick key locks, crack safes, defeat fingerprint scanners. When you enter into the field of lock picking/cracking, you realize that security is mostly an illusion and locks are meant to keep honest people honest. And maybe you'll learn how to bypass some ridiculously complex disk tumbler lock for no other reason than because it's pretty awesome. So keep at it, whatever "it" happens to be, and send me a picture if "it" happens to be awesome.
3 People Made This Project!
We have a be nice policy.
Please be positive and constructive.