There’s nothing nefarious here, nor is the information contained herein particularly helpful to thieves or the dishonest. A thief would just cut the dang thing open and be done with it.
So I bought a fire safe to protect some documents that I wanted protected in the unlikely event of a house fire. When I got the safe, I promptly emailed myself the manufacturer’s code, set up an easily remembered user code, and stored the manual with the manufacturer’s code in a “safe place.”
Fast forward two years. I need to get to one of the documents in the safe. I can’t seem to remember the user code. No problem, I say, I’ll just look up the manufacturer’s code in my email. So, what keywords did I use to make it searchable? Apparently not safe, combo, password, combination, or any combination or related word thereof. Ok, no problem, I’ll just go get my manual from… umm, nope, not in my drawer with user manuals, nor in my filing system. WTF. The combos are both lost for good.
So I start considering my options. I could send a notarized letter to the safe company, but where’s the fun in that? I could open it destructively, but I didn’t really want to do that either. The lock is an electronic combination with a five digit password, so brute forcing seems plausible, but there’s a two minute lockout on 3 wrong combinations, taking the brute force time to 140 days. That won’t work. Unless…
I open up the battery compartment, enter three wrong combos, it goes into lockout mode, I remove the battery for a couple seconds and put it back. Yep, it “forgot” it was in lockout mode, and I can now enter 3 more passwords. Only 99,994 more to go. I estimate the safe could be opened in less than 6 days using brute force. I’m not in a real hurry for the documents, don’t want to break the safe, and love the challenge of getting my safecracking on, so I commit to cracking this sucker via brute force.
At first I considered a mechanical dialer that would punch the buttons for me, but the mechanics of doing that with acceptable speed seemed somewhat difficult – not an afternoon’s kind of project.
However, by cutting away a couple globs of hot glue with a blade, i could access the keypad contacts directly. Conveniently, there are access holes for connecting wires to the contact array. So I started sketching up where I need jumper wires and placing them.
Then it was a simple matter of using some relay boards I had laying around to start dialing the keypad using an arduino I also had laying around. I used a couple of photosensors to read the LED status indicators so that I could know if the combo failed or succeeded. Finally, I used an additional relay to power cycle the keypad after 3 failed combinations to defeat the lockout feature.
With a little programming work, I had an automated dialer that should (!) stop when the correct combination was found. By logging each attempt on a laptop and writing a couple of little helper scripts, I had hourly status updates being delivered via email. It was a bit of a programmer’s nightmare in that I could not test the code directly for success, and didn’t have the exact details of what the success scenario looked like, for example, how long until the green LED would light, how brightly it would light, or if it would be solid or flashing. Some youtubing failed to turn up these details as well. So I did my best to make it robust to these details and prayed.