 Welcome to Save Cracking for Everyone. A little bit about myself. Who am I? My name is Jared Diger. I'm a locksport enthusiast, gamer, rock climber, game developer, and I've been picking locks and cracking saves for about a decade now. So this talk is going to cover how Group 2 safe locks work and mechanical combination safe locks are divided into two groups. There's Group 2s, which is your basic safe lock. No anti-manipulation features in them, also the most common type. And then there's Group 1s, which are more complicated and include various different measures to keep people from figuring out the combination. Now, whether you buy a $500 safe or a $5,000 safe, if it comes with a mechanical safe lock, it will most likely be a Group 2 safe lock. Very rarely are there Group 1 safe locks that come by default on a safe. Usually you have to pay hundreds of dollars extra for the lock, even more to get it installed, and this is not very common at all. So I'll be covering these Group 2 safe locks in this talk. I'll cover the flaws in this design and how to exploit them, along with specific techniques that is used to crack the combination. And at the end, I'll cover some slight differences between various Group 2 safe locks, since not all manufacturers create them the same way. First thing is knowing the parts of the lock. So this is the back of the lock with the back cover removed, and you can see that there is a silver lever here. Now, the end of this lever has a protrusion, and this protrusion is called the nose. This nose is resting on a brass wheel. The brass wheel is called a drive cam. And this drive cam, you can see, has a cutout in it. This space, this empty space in the drive cam is called the contact area. You can see where the cutout starts on either end, and those are the contact points. So the cutout is the contact area, and each end of the cutout where it starts is the contact points. And this drive cam is controlled directly by the dial. So there's a metal rod you can see in the middle, and that connects it directly to the dial. It's locked in place with this key. So whenever you turn the dial, the drive cam moves at the same time with the dial. Behind the drive cam, you can see a larger silver wheel. There's three of these wheels generally in each lock. Sometimes there could be four, but most oftentimes it's three. Now this wheel that we see here is called wheel three. It's the third wheel. It's closest to the drive cam, and when you're in front of the lock, it would be furthest away from you. And the other two wheels are behind it. Now each of these wheels are exactly the same. There is a cutout in each of these wheels called a gate. Now these gates are part of when you dial the combination. The gates all line up, and there is a metal bar behind this lever, and it lines up all of these gates under the metal bar when you dial the correct combination. So that when you turn the dial and the drive cam, so the contact area is under the nose, everything can fall down and fit nice and easily. So here you would just continue turning the dial, and that would pull in this lever, and that retracts a bolt. The lever is attached to the bolt, and that pulls it in so that you can turn the handle and open the safe. The handle of a safe just pulls in the outermost bolts around the edge of the door so that you can open it, but the lock itself only locks the handle. So that's basically how safes operate is a locking mechanism locks the handle, and the handle is what pulls in the bolts from the outer edge of the door. Now to demonstrate that, I have a lock here, and if we look at the back, you can see the drive cam. Whenever I spin the dial, the drive cam moves with the dial. So if I were to dial in the combination, that would involve putting the gate of the first wheel under the fence, and then I would put the gate of the second wheel under the fence as well. I messed that up, but I will just fix it. And then I put the gate of the third wheel under the fence. I simply turn the drive cam so everything can fall in, and then that will retract this bolt when I continue turning. Now the way that it works is each of these wheels has a protrusion on one side, and that fits into a groove of the next wheel. Now this protrusion will ride in this groove as the wheel spins until it hits this metal piece of the next wheel, at which point this next wheel will start to spin along with the previous wheel. And this wheel also has a protrusion which rides in a groove of the wheel next to it. And then after a whole rotation, it will hit this metal bit, and then the next wheel will start to spin along with the rest of the wheels, essentially picking up each wheel after each rotation. So the drive cam has that sort of protrusion as well. So right now everything is spinning together, but if I were to spin the other way, you can see it is only the drive cam spinning. Until I make one full rotation, and then this third wheel, the wheel closest to the drive cam, starts spinning with it. So the third wheel gets picked up first, and then after another full rotation, you can see that the second wheel starts to get picked up as well, and it is spinning along with it. After another rotation, then this first wheel gets picked up as well. And the wheels are named this way because the first wheel corresponds to the first number in the combination. Since it is the last, you get picked up, then it is set first. So then you can freely mess about with the other two wheels without upsetting the position of that first one. So the third wheel gets picked up first, corresponding to the third number in the combination, then the second wheel, and then the first wheel. Now the standard opening procedure for a lock is to spin four times with left rotation to the first number, which means you pass the first number three times, and you stop on the fourth. Then you reverse directions because if you were to keep going, it would mess up the position of the first wheel. So you reverse directions, spin three times with the right rotation, so now we are turning clockwise to the second number, and then you do that three times. So you pass the second number twice, stop on the third time, and then twice with counterclockwise rotation. So we're reversing rotation again to the final number. We pass it once, and then we stop on the second time. Then we turn right until the bolt is retracted. Now the reason for this is because you have to spin three times to ensure all the wheels are picked up. You don't know the state of this wheel pack when you approach the lock. So it could be someone spun it to the right all the way before you approached it. So you want to make sure you spin one full rotation. We'll pick up that third wheel, two full rotations, picks up the second wheel, and then three full rotations ensures that that first wheel gets picked up. So we just pass the first number in the combination three times. So now we have to go to it and stop on the fourth time. We reverse directions because otherwise it would mess up the position of that first wheel. So we do one full rotation, pick up the third wheel, two full rotations. Now we pick up the second wheel, and so we pass the second number twice, and we stop on the third time. And I overshot it again. Reverse directions, one full rotation picks up the third wheel, and then we stop on the second time. And then we can turn right until everything drops in and the bolt retracts. Here's a really bad drawing. I missed the label of this. This is wheel two in the middle. So the dial will turn the drive cam until this protrusion picks up wheel three. And then after rotating for some time, wheel three will pick up wheel two, and then wheel two after rotating will pick up wheel one, and so then they'll all start spinning together. There's a lot of vulnerabilities in this design. So you can see here when none of the numbers are dialed in correctly, and then we turn the drive cam, we turn the dial so that the contact area is under the nose that allows the fence to drop down onto the wheel pack, essentially testing it for the crack combination. But the thing is these wheels, they're not perfectly circular, and they're not the same size as each other. Some will be bigger, some will be smaller, and some will have bumps and dips, and that's because of manufacturing tolerances. It's basically impossible to get rid of these imperfections. What this means is since one of these wheels is bigger, the fence is not going to be resting on all of the wheels at the same time. You can see here between wheel three and wheel three and the fence, there's actually a bit of space, it's not touching. Wheel two here you can see is larger than wheel three and wheel one. This fence is only touching wheel two. Now we can also see that this contact area where the contact points are on either end, it is sloped to go down, and that means there is less wiggle room, so to speak, between the sides of the contact area the further down you go. So let's assume that wheel two, let's pretend that the wheel two combination is dialed, that the gate for wheel two is now under this fence. Well, what happened? Well, this fence would not rest on wheel two anymore. It would drop down ever so slightly and rest on wheel three. That means this nose would be lower in the contact area, and there's less wiggle room between the contact points. The really cool thing about this is you can feel this on the dial. So if I were to reset this, you can see that the nose drops into the contact area, when it's over the contact area, and that allows the fence to rest on to the wheel pack. So if the largest wheel has the gate under the fence, this nose is lower. And so this wiggle room, you can feel this bit of resistance. You can feel each contact point from the dial. That wiggle room would be less, would be less. So the contact points, about 96 for the left one, we name it from viewing the dial, or from the dial. So the more sloped side here on the left in this view is the right contact point, because from the front of the safe that's the right. Oops. So this left contact point is about 96, and the right contact point is about 3. But if perhaps two of the wheels were dialed with the gate under the fence, we might feel this at 98 and 2. Thus the closer contact points, less wiggle room. So that is a major vulnerability, and the main thing we use in order to determine the combination. So we can know through this when one of the gates, when the gate of the largest wheel is under the fence, simply because there will be less wiggle room between the contact points. So the first step is finding a number in the combination with this information that we now have. So what we do is we have to take a series of test combinations, every two or two and a half numbers. The tolerances of these locks sometimes allow you to go every two and a half, but generally it is safer just to go every two numbers. And there are two contact points that are left and the right, but as shown earlier the right contact point is more sloped. So there will be a greater change in the amount of wiggle room from the right contact point. The left will move in a little bit, but not as much as the right. So we really only need to know what the right contact point is at any given time. And you can graph this as well. So if I get my graph paper right here, you can see this is a basic layout of a graph. So along the top we have 0 to 100. And then here I put the closest whole number to the left contact point, one above and one below. Same thing with the right contact point, one above and one below. And as I mentioned, you don't really need the left contact point, but it is good supporting evidence if the right contact point is not really giving clear readings, which we will cover later. So you can graph both of the contact points like this. So first thing is you want to turn the dial left three times to pick up all the wheels and then stop on the first reading so we can say we're going to try 0. Now the reason we spin left and we pick up all the wheels with left rotation is because the combination is found or is dialed with left, right, and then left rotation. So left to the first number, right to the second, and then left to the third. So if we find a number, it's kind of random. We don't really know which wheel is going to be at first, right? We just know one of the wheels is larger than the rest and we want to figure out when that wheel has a gate under the fence. So it's just statistics that it's going to be more likely the first and the third rather than the second. Also because of the way the locks are designed, wheel three would generally be larger or will be the wheel that makes contact with the fence first. So that's more evidence to start with more reason to start with left rotation first. So what we do is we spin the dial, pick up all the wheels with left rotation and then we stop our first test combination. So in this case that would be 0, 0, 0. So we stop at 0. And then what we do is we want to reverse directions because if we were to keep going that would mess up the position of the wheels. So we reverse directions until we get within the contact area. So remember our contact points are 96 and 3. So we want to spin left until we're within that. We don't want to pass 0 because remember after one full rotation we pick up the third wheel. So we just want to go between 0 and 3 and then you just spin. I accidentally passed it but we'll ignore that for now. You want to gently spin the dial left until you hit the contact point and you don't want to ride up on it. You don't want the nose to ride up onto the drive cam. You just want to go lightly and stop when you feel that bit of resistance. And then you can record that. So on the graph at 0 down to 3 let's say we feel it at 2 and 7 eighths. Then you can mark that from here 2 and 7 eighths for 0. So that can be about here. And that is also really important is you want to be able to differentiate between 1 eighth of an increment. And that's really hard to show on camera here for this because it's not really precise and also the resolution of the camera. But you want to be able to look at the dial and know whether it is showing like a 2 and 7 eighths or a 3 or a 35 and 1 eighths or a 35 and 2 eighths. And you want to be able to accurately record that because what we're looking for is a change of a 1 quarter increment. So we want to make sure that our measurements are taken with a precision of 1 eighth of an increment just to be safe. So we're going to pretend that we did this for the entire, I guess all the numbers of the safe. So if I were just to fill it in just with some random points and I'm just putting a generic reading here. And as stated earlier you can record the left contact point here as well. It's just that it's not going to be as much of a variation. So here essentially what we're doing is we are taking the overall shape of all the wheels of the wheel pack and we're just laying it out in a line. So this were to be cut into a strip of paper and put into a circle. This is what the wheel pack would look like on a very fine scale because remember they're not perfectly circular. So on a very fine scale there's a lot of bumps and ridges and whatnot. Now if you remember I'll show the picture again of the close up. When the gate of the largest wheel is under the fence that causes a drop. There's less wiggle room. That right contact point moves in so it gets lower. The left contact point would get higher. So that's essentially what we're looking for on the graph. We're looking for where the right contact point drops down for maybe a number or two and then goes back up. Because the gate would be under the fence and then you would go past it and it would not be under the fence anymore. So it would drop down and go up. So essentially you want to look for the shape of a gate in this reading. Now you can see there's a drop here but it goes on for a little while before going up. So that's probably not it. That'd be really wide for a gate. But here you can see it drops down for a quarter of an increment for two readings and then drops back up. The thing about these safes is you don't have to be precise in dialing. That is also why we go every two number. You go from zero to and then four, every line here on this graph. So if the combination is 16, 28, 40, you can dial 17 or maybe 18, 28, 40 and it would still open. So you want to look for the shape of the gate in the graph. And that will tell you one of the middle of that gate will tell you one of the numbers in the combination. Now we're going to assume that the number we found is 40. So at this point we know that the largest wheel in the lock has a combination of 40 associated with it. But we don't know which wheel yet. We just know that one of the wheels in the lock is larger than the others. And the point at which the contact area goes closer together and then further apart centers around 40. So we do something called the high load test. We put 10 numbers lower on the first wheel and then we put the other two wheels on the correct number. So we found we're pretending we found 40 as the correct number. So we will throw the first wheel off by 10, 10 numbers lower. Now we found 40 with left rotation. So whenever we put one of the wheels on 40, it always has to be with left rotation. So the first number, we will use right rotation to 30. We pick up the wheels, all the wheels, so four rotations to 30 with the right rotation. And then we spin left three times to 40. So that would put the second and third wheel on 40. And we will measure the contact area here. And here it is important to take both left and right contact points. And then what you want to do is figure out the space between them. So if it is at 96 and three, that is a seven number difference. So we would write down seven and we would record that down. And then we do the same with the second wheel. We put the first number on the correct number. So left to 40, left four times to 40. And then go right three times to 30. Putting the second wheel, throwing it off by 10 lower to the wrong number. And then left to 40 on the third wheel. Record the space between the contact points, how many numbers there are, and then write that down. Now we do that again for the third wheel. We left the rotation four times to 40. And write twice to 30. That ensures that only one number is off. The other two wheels are on the correct number. And then you can repeat with 50 as well instead of 30. So that would be the high test. Now the test combination with the widest contact area is the one that 40 belongs to. So for instance, we did three test combinations here for this low test. If for this last sequence that we dialed 40, 40, 30. If that has the contact area with the most space between it. Now, normally before we were looking for a closer contact points, but here we're looking for furthest apart. The reason for that is because we have the correct number on the wheel, on two of the wheels and the wrong one on one of the wheels. So if the wrong one is on, let's say here, let's say the third wheel has 40. So if we're intentionally putting on the wrong number, it's going to be a wider contact point. But seeing these two, it's got the correct number. So it'll be closer. This allows us to figure out which wheel that 40 belongs to simply by putting the correct number on each wheel twice and then having it off on one of these. So if this wheel, if the wheel three has 30 and it's wider here than the other two tests, then we can successfully conclude that 40 belongs to the third wheel, the third number in the combination. And then you can repeat with 50 just to really be sure that your readings are correct. So we're going to assume that 40 here is the third number in the combination. And then check your rotation. Any time you dial to a correct number, you want to make sure you always use the correct rotation. Now, we found one of the numbers in the combination and we know it's the third wheel. So in order to find the other numbers, we essentially just repeat the same step with this new information added in. So we run the other two wheels through every two increments, but we have the third wheel on 40 whenever we read the contact point. So the way that this is done is we know that the third wheel, right? The first one that gets picked up, that means we have to set it last. That is with left rotation to 40. So what we want to do is we want to pick up all the wheels with right rotation now. And then we'll say let's start at zero and then we spin left for one rotation. So that picks up just the third wheel and we stop on 40. So now we have left rotation on 40. Now going to zero isn't going to affect any of the wheels now. Remember, because we have to pick up the third wheel in order to affect the rest. So we can safely move around here without fear of disturbing the other wheels. So we can read the contact point again, going from inside the contact area. We can read the right contact point and then graph it. So we just do this graph and at the top we can maybe just write wheel three left 40. Just so we know that we're doing this graph with wheel three on 40 with left rotation. And then what you can do now is you turn right until you reach 40. Now that picks up the third wheel. Go to zero where the other two wheels are resting together. And that picks up wheels two and wheels one at the same time. Because remember we had everything pick up together. We only messed up wheel three in order to put it on 40 by itself. You can turn two numbers over. Spin left again one full rotation to 40. Go to the contact area and report it down again. And we just go do that the whole way around. So here we can repeat the same high low exercise. So we're going to pretend we found a drop in the graph and then a rise back up at centered around 80. So we found 80 with right rotation now. So what we're going to do here is a low test. So we're going to start with here wheel two and we're going to throw it off by 10 on to 70. So wheel one we put on the correct number 80 with right rotation. So that means we spin right picking up all the wheels stopping on 80. Then we spin left picking up wheels three and two. So we go three times to 70. And then here here's where it gets interesting. We need to go to 40 now with left rotation because we found 40 as the correct number with left rotation for wheel three. But if we were to continue past 70 left into 40 it would mess up wheel two. So there's actually a clever way to fix this. So we spin right picking up all the wheels and then we stop on 80 which is what we found to be one of the other numbers. We can spin left one rotation picking up wheel three. Another rotation picking up wheel two and we want to put wheel two with left rotation on 70. So that is 10 lower. And then we want to go to 40 now for the third wheel. But if we were to keep going it would mess up wheel two on 70. So what we do is we can reverse directions here pick up wheel three from 70 go to 40. But remember this is this is not the correct rotation we're turning right we need to be turning left. So we just go past it let's say to 30 and then we can go left picking up at 30 setting wheel three on 40. At which point we take our contact point readings for our high low test. And then again you would write down the number of increments you know the space between each of the contact points. And then do that with the first wheel we throw the first wheel off by 10 so we go left to 70 for the first wheel picking up all the wheels. And then right three times to 80 in the left to 40. So we write down the numbers again we look at what is the widest contact area. And that will give us where our second number lies like which wheel it belongs to. And usually locks will read this way will read third wheel first and then the second wheel and then the first. But sometimes it can go other ways but following this method it doesn't really matter which we will read first. As long as you know how to dial in these numbers then you can still do it just fine no matter which we will read first. And then here we have two of the numbers in combination so let's pretend that 80 belongs to wheel two. So it's a question mark for wheel one we know 80 is right rotation to wheel two and then 40 is left rotation to wheel three. And the last wheel you can graph it but generally uses brute force that you would just try to 80 40 or 080 40 to 80 40 for 80 40 until it opens. When you're starting out it is actually a good idea to graph that last wheel as well just in case you messed up on the first two and you did not find the correct number. It is useful to have that extra information. Now there's different group two locks. The one I am using here that I have shown is what is called a Sergeant Ingrid Leaf and SNG 6730. There's two major variations of 6730 and 6741. They operate the same way work the same. You cannot tell by looking at it which one it is. It's just that the 6730 has slightly tighter manufacturing tolerances which is why I recommend going every two increments on your graph rather than every two and a half. But if you know you have a 6741 if it is labeled a 6741 then you can get away with going every two and a half increments because those tolerances in the manufacturing are not as tight and you will be able to find the correct number by going every two and a half increments. Now another popular brand is Lagarde the Lagarde 3330. They have slightly oval wheels. The reason for that is because of the way that inside the wheels work there's a certain mechanism that allows you to change the combination and that puts pressure on the wheels in certain ways and that just makes it slightly more oval shaped. Which means the wheels can essentially mask the gates on other wheels. Maybe none of the wheels are bigger than the others but they can be aligned that when they're all picked up and they're all moving together. The oval shape covers essentially becomes the biggest part of the wheel pack in that location and that gate is never going to allow the fence to drop lower because one of the other wheels will be larger in that area. And so it can be rather difficult to work with a Lagarde 3330. So I do not recommend starting out with that. There is also a dimole which is a lock with a drive cam where instead of having one side that's more slanted it will be a U shape, more uniform U shape. And so in the case of a dimole group 2 you want to take both contact points into account since there will be less variation. You want to take both into account and look at the left going up and the right contact point going down. Now some final tips is you want to be really precise in dialing. You want to not just read it in one eighth of an increment but you want to dial to one eighth of an increment. You want to make sure you're not accidentally dialing 16 and one eighth or 16 and one fourth because you're going every two increments. So maybe the combination is 15. You don't want to go 16 and one eighths and have it not open but maybe on 16 you can detect it. You can detect that it's the correct number but not 16 and one eighths. Make sure you're reading the dial from the same angle each time. So if you're looking at the safe lock you want to make sure you are reading from the same angle. Let's say you're reading it from this angle this time. You don't want to look at it like this as that will change where you think that contact point is. So you want to make sure you're really consistent especially also with the amount of force that you use. You want to make sure it's the lightest possible and you want to make sure it is the same each time. So you want to be really consistent in everything you do. You can also try it with a known combination. You can, let's say you know the combination is 20, 40, 60. Well you can test at 20, 40 and 60. You don't have to graph the entirety of the dial. So just to be able to detect how the contact point feels when one of the gates is under the fence and how it feels when it's not, you can graph from let's say 10 to 30 and then like you know 10 above and 10 below each of the numbers 20, 40 and 60 so that you can tell how the graph is supposed to look and that is a very, very useful practice to do. You can also remove the back cover of the lock so that you know exactly what's happening and you can really correlate what you're feeling with what is happening inside the lock. And then if all this fails, you can buy my book. Well, not really. I put it online for free. So it is on Amazon but I don't recommend it unless you really want a hard copy. There's a PDF I have uploaded at this link down here and you can download it and basically just do whatever you want with it. I don't care. Now on YouTube, I have a video series that follows a book. It's similar to this talk but it's a lot more in depth. So it covers different sections that I have covered here in this talk but with much greater detail and I also cover additional more advanced techniques in order to figure out the combination faster and with greater precision. There's online forums such as this link at the bottom here, it points to keeppicking.com and they are very welcoming to newcomers as long as you are able to show that you are not trying to use this knowledge for criminal activities and you are interested in this as a hobby. People are very welcoming. eBay, you can buy locks on eBay. I highly recommend SNG 6730 or 6741. You can also just search up SNG 6700 series and just practice. I mean practice is the best way to learn. I mean you can read and watch all the content on safecracking and understand everything that's happening but you cannot develop the touch for feeling the contact point. You don't develop the sight for reading the contact point unless you actually practice. And I also just remember I forgot to mention this picture here. So in order to read the contact points and dial it more accurately you can take a piece of paper or maybe a needle or anything and tape it onto the dial and the dial ring just to be able to more precisely pinpoint. What is on the dial? And that is the end of this presentation.