
Re: MCS Pick??

Posted: Sat Mar 25, 2017 5:07 pm
by droshi
I've made some significant and exciting progress since my last update. On my generation 1 lock (with ball bearings) I've had an idea on how to pick it, and confirmed over the last several days it working with multiple successful "SPP" attacks with 4 rotors in place. These rotors are master-keyed with 1, 2, 3 and 3 gates respectively. I've ordered some material that will hopefully allow me to pick all 8 rotors in place, in a few weeks should be able to have that confirmed.

Another problem that I realized was this may only work on a gen 1 lock, so I've ordered a brand new gen 2 lock that I will hopefully confirm it can work as well. If it is only working on gen 1 locks, likely that I will publicly release the technique.

Either way I'll be taking a pick and gut video as I've realized it's not taking me as long to pick this as I had expected. With my current lock, picking half has taken on the shortest 4 minutes and longest about 10 minutes.

For fun, though it's obviously not indicative of a successful pick, here's the photo I took excited my technique worked with 2 rotors picked (as mentioned I'm up to 4 so far):
Image

Also for comparison and fun, I've been able to rake open my lock with a different tool with 4 rotors in place (as short as 1 minute and as high as 15m), but not with 8. I believe it could be possible, it's just a crapshoot on how long it would take, also keep in mind my lock is master-keyed, so this kind of attack may only be practical on locks you know to be master keyed.

Re: MCS Pick??

Posted: Sat Mar 25, 2017 9:04 pm
by droshi
4 Rotor Pick video:
https://youtu.be/0aNvEL5p1fw

Enjoy!

Re: MCS Pick??

Posted: Sun Mar 26, 2017 9:24 am
by Patrick Star
Wow...

How do you read/sense the state of the rotors? Or rather whether or not the disc on top of them is in a gate.
Are you feeling the movement of the sidebar or something?

Re: MCS Pick??

Posted: Sun Mar 26, 2017 3:45 pm
by droshi
Patrick Star wrote: Wow...

How do you read/sense the state of the rotors? Or rather whether or not the disc on top of them is in a gate.
Are you feeling the movement of the sidebar or something?


Thanks, well that's where the magic is for now, it's still a work in progress so will have more details to come later. But quickly I can say that I do have a method to positively tell which rotor is binding and needs picking, which is picked and which isn't yet.

This is all a SPP where I'm picking each rotor one at a time, as you can see I have to fully relieve tension to manipulate a rotor, a little like a Medeco in that it's hard to get them to move under tension at all. The other problem is that once tension is applied, relieving tension slightly on the core doesn't always relieve any tension on the sidebar due to the sidebar spring; it's nearly a full ON/OFF of tension required.

The pick itself for the moment isn't too special and needs some magnetic shielding that I'm ordering to allow picking all 8 rotors. Once that comes in I'll make a full pick video.

Re: MCS Pick??

Posted: Sun Mar 26, 2017 5:02 pm
by MartinHewitt
I am not familiar with the MCS other than it's the "unpickable magnetic lock". From the look of the key there seems to be additional traditional security. Correct? If so, are you already able to pick that part or would you look at this after you manage the full eight rotors?

Thanks for showing your progress. It is like a thriller.

Re: MCS Pick??

Posted: Sun Mar 26, 2017 10:27 pm
by droshi
MartinHewitt wrote: I am not familiar with the MCS other than it's the "unpickable magnetic lock". From the look of the key there seems to be additional traditional security. Correct? If so, are you already able to pick that part or would you look at this after you manage the full eight rotors?

Thanks for showing your progress. It is like a thriller.

On my gen lock there are 12 passive ball bearings for key control only and don't affect picking. Then 1 active ball bearing, it's a 1 pin lock to set it, then the super deep false set. Newer locks have a slider system, but as I understand it's only slightly more of a hassle.

Essentially picking the 8 rotors will be everything here. Stay tuned!

Re: MCS Pick??

Posted: Mon Mar 27, 2017 4:49 am
by Patrick Star
And you are sure this will work on the other generation of MCS's? They have a different rotor design than the one in your video.
Depends on what you're actually "reading", I suppose...
(Though I should admit I have only seen either generation on photos...)

Re: MCS Pick??

Posted: Mon Mar 27, 2017 6:23 am
by oldlock
I'm curious on how you can detect true gates that are mounted on rotating magnets? How does the tentative feedback / feel process work with a magnetic field as part of the process?

You mention the lock is master keyed - have you tried on any non-master keyed rotors?

Re: MCS Pick??

Posted: Mon Mar 27, 2017 8:45 am
by mercurial
oldlock wrote: I'm curious on how you can detect true gates that are mounted on rotating magnets? How does the tentative feedback / feel process work with a magnetic field as part of the process?

You mention the lock is master keyed - have you tried on any non-master keyed rotors?


To be clear from the outset, I haven't ever tried picking an Evva MCS, but I do own one & feel that I have a good understanding for how it works.

Assuming that the rotors bind one at a time, or at least don't bind all at once when tension is applied (& the ball bearing removed/manipulated), a binding rotor should be detectable by the fact that its magnet's poles will repel or attract the magnet in the tip of a pick moving fore and aft. A rotor that isn't binding would tend to mate its unlike pole with the nearest pole on the pick tip & rotate as the pick moves fore & aft. A binding rotor can't move & should produce both attractive & repulsive forces as the pick tip moves fore & aft.

Detecting a binding rotor vs a correctly set rotor that has had the sidebar tooth enter its gate may be impossible by hand - both would feel like a fixed rotor.

A rotor that is not bound & is free to rotate, shouldn't produce much feedback via the pick being moved fore and aft - as pick movement can spin it around.

A rotor that is binding cannot move, so its magnet will interfere with fore and aft movement of a magnet-tipped pick, by repelling or attracting the pole closest to the rotor.

Once a binding rotor is found, it may just (but I doubt it) be possible to detect when it has been set correctly through the tension tool, as it would turn very slightly further. If that isn't the case, it should be detectable by virtue of the fact that a previously non-binding rotor is now binding & therefore producing feedback when probed by the pick.

For the simplest case, with 4 rotors installed, tension is applied & the binding rotor located. Tension is removed & the binding rotor manipulated & tension reapplied. If no other rotors are binding, then the rotor being manipulated isn't set. If another rotor is now binding, the first rotor to bind has been set correctly. Now the new binding rotor is manipulated until another binds.

This may be an oversimplification, but it seems plausible if the rotors tend to bind one by one.

There is one non-master keyed rotor in the partially populated lock he picks in the YouTube video.

...Mark

Re: MCS Pick??

Posted: Mon Mar 27, 2017 9:32 am
by droshi
Patrick Star wrote: And you are sure this will work on the other generation of MCS's? They have a different rotor design than the one in your video.
Depends on what you're actually "reading", I suppose...
(Though I should admit I have only seen either generation on photos...)


I'm pretty sure, but not certain as I mentioned. I'm purchasing a brand new MCS to verify and will have both gen 1 and gen 2 picking videos with all 8 rotors...well that's the plan! So as of yet, I'm not there yet.

oldlock wrote: I'm curious on how you can detect true gates that are mounted on rotating magnets? How does the tentative feedback / feel process work with a magnetic field as part of the process?

You mention the lock is master keyed - have you tried on any non-master keyed rotors?


As mentioned, I haven't wanted to release the full method yet, and again will be trying it out on a new lock. The new lock shouldn't have any master keyed rotors, but I'll open it up to verify. I'm getting one of the padlocks from Security Snobs.

If everything goes according to plan, anyone is welcome to send me their lock in a padlock body, without a key and I can open it for you. I'm a little ways off from offering that service, but I think it should prove the method works.

As to what I'll end up doing with it, I'm not certain yet. I'd like to offer tools and technique available so that professionals and hobbyists will have access to it. I'll have to see how this will look, so for now I can't promise anything.

Another note, one guy on Reddit suggested that I insert the key and show the rotors moving once the lock is apart. Any other procedure suggestions to dispel reasonable doubt the lock was tampered with are welcome. My first video was just a preliminary and not meant to be conclusive.

Re: MCS Pick??

Posted: Mon Mar 27, 2017 10:39 am
by Patrick Star
They should add a second sidebar that engages and holds the rotors in place before the actual "gate testing" sidebar.
Medeco has a patent for this but I'm sure EVVA can claim invalidity due to prior art as it's not a new technique :)

Re: MCS Pick??

Posted: Mon Mar 27, 2017 4:29 pm
by huxleypig
Some wonderful additions to this thread! I have not added anything for the last two years but my work with the MCS did not stop with my last entry! Like I have been saying for ages now, I can assure everyone that the MCS is NOT impervious. It is still publicly unpicked but so are a few other locks too. I am now of the opinion that there is not a lock on the planet that can't be opened surreptitiously.

Droshi has done some great work here, I think he is on the right track.

Re: MCS Pick??

Posted: Mon Mar 27, 2017 5:03 pm
by droshi
I have gotten in my material unexpectedly early. Today I launched into a full pick on the other side of my Euro cylinder. After a while, I got the cylinder "jammed" and wouldn't reset or open. Then I decided to put together the other side, but without ball bearings or pins. Got a full 8 rotor pick. After playing again with the original fully pinned side, I tried several different picks on the passive ball bearings figuring it must be those, and got it open! Anyway, the passive ball bearings that I wasn't expecting much seem to be the last barrier on the Gen 1 locks. I assume with the slider version once they are set it wouldn't be any issue.

Hopefully I'll get some quiet time this evening when the house isn't so loud to get a full pick and gut completed.

Stay tuned, will post up the video once it's up.

Re: MCS Pick??

Posted: Mon Mar 27, 2017 9:53 pm
by droshi
https://www.youtube.com/watch?v=Yg5PA_A-7YI

Open at 9:24

Enjoy!

Can't figure out how to embed it, anyone help me out?

Re: MCS Pick??

Posted: Mon Mar 27, 2017 11:16 pm
by huxleypig
The coolest video for a long time!!

And just to add a little spice to the mix, here's a Gen 2 picked. Damned Droshi beat me to the video. I lost my sidebar for hours :-(

Image