.:: Keypicking :: Anything And Everything For Locksmiths, Hobbyist Lock Pickers, Locksport, Lock Picking, lockpicks, cutaways and Security. Simply The Best Lockpicking Forum Around!

I have been working on this idea for a while and this weekend I had the opportunity to try it out. Unfortunately I got so engrossed with what I was doing I did not take pictures of the breadboarded circuit, O-scpe images, and the attempt made this morning with a lock mounted on a safe (the last was at the request of the safe owner).

The idea was to get information from the S&G 8560 via sound. When we engage the actuator we can hear the lever spring vibrate and a brief strike of the fence striking the wheel pack. The fence hitting the wheel pack is at a higher pitch (frequency) than the lever spring. The idea was to build an amplifier with a low pass filter ahead of the amplifying circuit to isolate the fence strike. The hope was to have a clean enough signal to set up triggering on the O-Scope to measure the various values of the fence striking the wheel pack as we manipulate around the dial.

The concept works to a degree. The fence strikes are isolated enough that they were detectable, but the values on the O-scope where slight (I'm using and analogue scope) and hard to distinguish a good variance.

This morning (UTC-6) I took the circuit to our local locksmith and we looked at it on a demo lock he set up, and then we took the circuit to a safe he had in the back that had an 8560 on it. Nothing. Safe wall was too thick. Our local locksmith also has a background in electronics and after a good discussion we concluded that there might be something there, but the device would need to be much more sensitive and be able to produce cleaner signals.

I was not going for the best with this circuit as it was simply meant to see if this was a road worth going down. Our local locksmith mentioned that the 8500 series is much easier to manipulate via "feel", but did not elaborate beyond that. He also mentioned that unless a customer insisted he would use destructive means to enter a safe with an 8500 series lock on it.

I believe at this point I will explore the "Feel" method of manipulation and see if I can figure out anything there, but I do know that there has been enough talk about using an audio device to extract information from the 8500 series that this exercise may prove useful to someone else working on these locks.

If you get info on manipulation of an 8500 series lock via feel, please let me know.

Gordon

You and me both. It's going to be a while before the "feel" method is figured out (at least by not attending a class).

There are different views on manipulating a 8500 series lock. There is the hobbyist's view, the spy's view and the locksmith's view. A hobbyist and a spy have the "no damage" policy. A locksmith has the "get the job done" policy. Drilling out the pin in the dial is within the "get the job done" policy, but not the "no damage" policy and I think with a freely usable dial there is a chance to feel when the lever nose hits the cam and when not.

The circuit is pretty crude, but there might be something there if someone wanted to pursue the audio method further. The exercise I believe was/ is worth it and it is a great lock to explore.

Hi,
a low noise pre-amplifier might boost the signal and allow it to work on a mounted lock.

Also before fully designing the circuit, you could try to record the actual signal and look at it in a software like audacity - that way you can see both the waveforms and the corresponding spectrum. This would allow you to isolate the interesting parts of the signal and also would be easier to change/tweak than a filter made from analog components...

And maybe taking the idea a bit further - using a notebook instead of the scope would give you all the benefits of DSP in probably much smaller footprint (depending on the scope size; had an old transistor Tesla, roughly a 50kg beast ).
Kind regards,
Michal

Another idea that was floated my way by this was to possibly graph the timing of the fence movement. I was able to see the fence striking the wheel pack and the case. The users suggestion was that there might be enough of a time differential in the fence travel that could be useful.

If it looks like you got a signal, good job. I tried something similar but the results were completely non-reproducible. Every time the lever came down the captured signal on the o-scope looked completely different. My thought was this was a loud crashing sound that just echoed all over uncontrollably. It could be that lower gain would have given better results. The lock was mounted on a display stand, with the back panel off (so I could easily position the wheels with my fingers).

What sort of microphone were you using? Piezo? I was using a SPU0410LR5H-QB, which can hear up to 80kHz, although maybe that's not needed. My idea was to measure the time from when the lever falls off the ledge until it hits the wheel pack. If there is a gate, it should drop a bit lower, and hit a bit later. Without knowing how fast the lever flies at that point it's hard to estimate what sort of time difference to expect. Probably less than a millisecond. The other possibility would be that it just sounds different if one or two gates are lined up.

But like I said, it seemed to me the signal was complete garbage. That's me. I don't mean to discourage you at all because there are probably 999 ways to set it up that don't work. Just needs to be 1 that does work.

@entropy - are you the guy with the luxuriant beard that I spoke to at Ozseccon last year about this exact attack on the 8500?

If so, I couldn't remember your name but wondered if you had seen this thread.

Best wishes, Michael.

@MHM Nope. PM sent.

Some quick tips for the circuitry: use a proper audio-op-amp with dual voltage, as audio signals are dual sided in nature. Also, do not use just a single op-amp to get the gain you want, otherwise you run into problems with gain bandwidth product. Like for example, if you want a gain of 1000, use three op-amps with 10x gain on each and put them in series to get the 1000x.

And if you manage to get the filtering (high-pass) done correctly, you are able to get a digital signal out from the noise and microcontrollers have wonderful luxury of measuring time in microseconds

A low-noise tip: smaller resistor values create less noise. I don't know if you'll be cranking gain up enough for it to matter, but 10k ohms is a bit high. If you can get the inputs to the first stage amplifier to use 100 or 1k resistors, it'll be lower noise. Of course gain will also be limited by environmental acoustic noise (unless you want to turn off the ventilation, hold your breath, stand perfectly still...)

An issue you may have with high gain is that driving the speakers uses a lot of power. This will cause fluctuations on the power rails and if you have a poor circuit design that can cause oscillations. So if you get oscillations and have trouble debugging them, that's one possible suspect to keep in mind. You could have a separate battery for the speaker driver. That's not ultimately needed if you design it correctly, but it's a hack you can use when experimenting.

BTW, your schematic doesn't make any sense. I think something got messed up when you were drawing it or exporting to image. The battery is backwards. And everything to the left of the "variable capacitor" block just hooks straight to battery with no signal getting through. Both sides of R2 connect directly to battery. I think some extra lines or wires got thrown onto the page somehow.

Filtering the audio.

Any suggestions what frequencies or ranges to look at OR more specifically what can be filtered out.

I would like to make it easy and automate it with software or is that beyond ability of current software?

What do I use as a search string so I can learn basics and ask a more intelligent question?

@pickmonger2:

Frequency ranges to look at: I don't think anyone has any suggestion because nobody knows what the hell we're doing. Whatever works.

Frequency filtering in the electronics is easier than in software. Just hook up some resistors and capacitors (RC filter). This also has the advantage of avoiding clipping. That is to say, if you were going to filter in software, but there is some frequency where the signal is really loud, it can go beyond the input range of the ADC (analog to digital converter) and everything is now all messed up before it even gets to the software. Clipping is like routing a guitar through a distortion pedal. The definitive intro to electronics book is The Art of Electronics by Horowitz and Hill. Or just look online for tutorials about op-amps and RC filters.

For software filtering the search term is "digital filter". Don't get scared by the math you'll see when searching for that. It's not that hard, and there are libraries already available for this. But by far the hardest part of such a venture would be getting the analog signal into the microcontroller and back out in real time (assuming your ear is the final destination for this signal). If you're trying to get the signal onto the computer, that's not really any special feat. Just learn microcontrollers in general (even Arduino language running on one of the newer/bigger chips). I don't want to minimize the effort that will take, but once you've picked up the basics then something like transferring the signal to the computer is nothing special. On the computer you can do digital filtering in python real easy.

Personally, I use a Saleae logic analyzer (saleae.com) for signal acquisition. Not the Chinese clones on ebay, because those are digital only whereas the real ones also do analog. I strongly endorse this product. But it'll sure cost you. So not recommended if you're just messing around.

But again, I must stress, this is all assuming the microphone can pick up a usable signal in the first place.

I agree with @entoypy. I find it easier to filter in the circuit than in software. I was using a variable capacitor to adjust the filter to give me the cleanest signal going into the O-Scope. If I were pursuing this farther I would use dual op-amps and re-do the circuit to maximize its performance. I still think there would need to be something to very the cut-off of the filter. I am working with an 8560 on a MBA stand. if this was a mounted lock or a 8550 then the frequency would be different based on the material, and safe thickness.

This was a crude start to see if the idea was plausible. Talking with a local safe technician, he mentioned that it would be difficult to get that clean audio through thick safe containers. So well this may work on a test stand I'm not sure how valid a method it is for industry (that's not my intention, but...). To make the audio pick up sensitive enough to work in the field I imagine that we would have to use a good microphone and design the circuit to in a way that we can keep a tight control on the amount of gain we would be asking of the op-amps.