How to Crack a Safe's Combination ‎with a Robotic Auto Dialer - Part 2

2023-02-06 | By Zach Hipps

License: See Original Project Adafruit Feather

My brother-in-law, Levy, has a safe and he doesn’t remember the combination. He ‎called and asked me to see if it was possible to build a robot that could crack the safe ‎combination, so of course I told him I would give it a shot. If you haven’t read part 1 of ‎this build series I would suggest starting there.

project_1 ‎

The way I’m approaching this problem is to try something, fail, and iterate as quickly as ‎possible. I’m not trying to build the perfect solution right from the start. This is a ‎prototype that will be refined as I progress toward the goal of opening Levy’s safe. I ‎hope to publish my CAD files, code, and other design documentation as open source. I ‎would love for this project to grow beyond my abilities and skills.‎

At this point, I have a stepper motor with a motor driver attached to it. The motor driver ‎can detect the load on the motor shaft which can be monitored for motor stalls. I’m ‎using a PD57-2-1076 stepper motor with a 24V power supply. To send step and ‎direction signals and control the motor driver, I’m using an Adafruit Feather Huzzah ‎ESP8266 Wi-Fi microcontroller. Why did I choose a microcontroller with Wi-Fi? ‎Because I would like to have a web or mobile app interface for this device. I would like ‎to monitor the progress of the safe cracking session from my phone and have the ‎correct combination sent to my phone when it’s done. The ESP8266 has a 128x32 ‎OLED display which can display a lot of useful information, but screen real estate is ‎limited, and using that to configure the device and change settings could be a little ‎difficult. I also looked at professional safe auto-dialers and designed an adjustable ‎chuck that attaches to the motor shaft. I 3D printed flexible “fingers” for the chuck jaws ‎to grab onto the safe dial. The chuck can be adjusted, and various flexible fingers can ‎be attached to accommodate safe dials with diameters that vary from around 1.5” to 4”. ‎Right now, I can hold this crude assembly up to a safe by hand and have the motor ‎spin the dial. I bought a cheap “practice” safe to test my prototype. I know the ‎combination to this new safe, so I hardcoded the combination into my microcontroller ‎and held up the auto dialer to a mixed-up combination dial. The motor was able to turn ‎the dial with a pretty good balance of precision and speed and aligned all three gates. ‎With the gates all aligned, I opened the safe latch by hand. The results are pretty ‎promising, and it gives me the confidence to keep moving in this direction.‎

frame_2

I have a 3D model of a simple frame structure that will hold the motor to the door of the ‎safe. It consists of two aluminum plates held about 4 inches apart with aluminum ‎tubes. The tubes have threads tapped into the ends and the whole assembly is ‎fastened together with ¼-20 countersunk screws. I used a laser cutting service to cut ‎the two plates from ¼” aluminum and had them countersink the holes where the ‎screws go. Finally, they gave it a nice matte black anodized finish. I cut the aluminum ‎tubes to the right length and tapped the ends with a ¼-20 thread. Next, I mounted the ‎stepper motor to the upper plate using some M5 screws and nuts and fastened the two ‎plates together. The plan was to embed some neodymium magnets into the base plate. ‎I even designed some 15mm holes around the base plate for this purpose. I hoped they ‎would be strong enough to hold the whole device to the metal door of the safe. I ‎stacked several 15mm diameter magnets into each of the eight holes and it was pretty ‎clear right away that these would not be strong enough to hold the assembly to the ‎door. I need to come up with a better solution. The quick and dirty way is to just get a ‎huge magnet and use that as some extra holding power. I 3D printed a little mounting ‎bracket for the new magnet and that did the trick. I don’t like how this looks, so I’ll be ‎revisiting this problem in the future. ‎

mount_3

The next problem on the docket is the microcontroller. As I said earlier, I chose a ‎feather huzzah ESP8266 with a small OLED display next to it. This would work fine, ‎but I was already maxing out the number of GPIO pins on that board, and the screen ‎was a bit too small to read from a distance. I found this new ESP32-S2 TFT Feather ‎board, and since it also uses the feather board footprint, it was a drop-in replacement ‎for the ESP8266. It has a much larger 240x135 pixel color TFT display built right onto ‎the same PCB as the ESP32 chip. It has more GPIO pins and native USB built in. ‎Overall, I think this is a much better choice for this project in the long run. I used a ‎featherwing board that breaks out every pin to a screw terminal block which is very ‎handy when prototyping. I can move things around without worrying about soldering ‎the connections. I also added a rotary encoder with a push button for navigating and ‎selecting items in the controller menu I plan to write. At this point, I am ready to set the ‎device onto the safe and write a bunch of code to solve the combination. ‎

code_4

The only problem with the “practice safe” I bought is that it doesn’t allow the user to ‎change the combination. I think it would be much better to have a safe combination ‎that could be changed and updated as I test my code, so I found a replacement dial ‎mechanism that does just that. I designed a mock-up safe door with the proper ‎threaded holes for this new dial. Again, I used a laser cutting service to cut the pieces ‎out of ¼” steel plate and had them drill and tap the holes for me. I mounted the new dial ‎onto the mock-up door and changed the combination to a new one. This mock-up safe ‎door makes it easy to see the inner workings of the dial wheels and see when the ‎gates are aligned.‎

dial_5

These safe combinations usually have 3 numbers with 100 possible numbers to ‎choose from. That means that there are potentially 100*100*100 or 1 million possible ‎combinations. I’m trying to make my auto dialer spin the dial and test each combination ‎as quickly as possible, so for argument’s sake let’s pretend that I can try one ‎combination per second. That would mean to try all combinations it would take 1 ‎million seconds or 11.57 days! So, statistically, it would take me about half that time to ‎find the right combination and stop trying any further combinations.‎

dial_6

This is longer than I want, so there are a few things I can do to make this task much ‎easier. First, on cheap safes the disk for the third number is divided up into 12 indented ‎segments. 11 of those indentations are “false gates” that, I think, are meant to trick a ‎would-be safecracker. The result is that it narrows down the possibilities significantly of ‎a brute force attack which is great for me! Instead of the third number having 100 ‎possibilities I now only have to try 12, so now the total number is 100*100*12 which is ‎only 120,000 combinations to try (1.4 days)! This is a great start, but let’s see if there is ‎anything else I can do to keep reducing that total number. I’ve read that the indents of ‎the 11 false gates are slightly different from the indent of the actual correct third gate. ‎This is something I can feel by turning the handle at one of the false gates and seeing ‎how many degrees I can turn the dial. If I spend a few minutes and test all 12 indents ‎I’m hoping that one of them will let me turn the dial just slightly more (or slightly less), ‎while the other 11 will be the same. This will tell me exactly what the third number is, ‎reducing the total number of combinations to 100*100*1 which equals 10,000. ‎Furthermore, the dial tolerance isn’t perfect which means I don’t have to land perfectly ‎on the correct number for the latch to slide into the gate. Depending on the quality of ‎manufacturing and design tolerance I could be off by a half number above and below ‎the correct number and still be able to open the latch. This again reduces the total ‎number to 50*50*1 which equals 2,500 total combinations which would only take about ‎‎20 minutes on average to find the right one. This is a 99.75% reduction in the total ‎number of combinations I need to try, and I haven’t even put the device on the safe yet! ‎Yeah science! I’m also told that certain manufacturers suggest not using certain ‎numbers for the last digit due to the spacing and interference of the gate pins so I ‎could reduce this down even further if I wanted to get manufacturer specific, but this is ‎good enough for me. I suppose it wouldn’t be that hard to add “profiles” of make and ‎model numbers to a user interface if I wanted to take advantage of these further quirks.‎

It’s time. I’m ready to attach my auto dialer to the mock-up door safe and try to crack my ‎first safe combination. Unfortunately, this mock-up door safe doesn’t have the “false ‎gate” exploit like the cheap safe so I’ll have to try more combinations. I set the dial to its ‎starting point of zero and press the button to start the safe cracking session. The auto ‎dialer makes quick work of testing all the various combinations and after several ‎minutes finds the right combination! Success! I use the change key to set a random ‎combination and run it again just to make sure it wasn’t a fluke. Now that I’ve got a ‎prototype working, it’s time to bring this device over to my brother-in-law’s house and ‎see if I can get his locked safe open! That will be part 3 (and hopefully the concluding ‎part) of this build series.‎

Recommended Reading