I happened to lose the five-digit code for a SentrySafe (model KSW0510) that we had bought. Looking up the company’s website let me know that I could get the factory default combination from them again with a notarized form proving that I am who I say I am as well as $30. I knew of a couple of other things on which I could spend that $30, and I knew that the safe’s electronics were likely rather simple, so I opted to take the funner way out and use my programming and electronics prowess to crack the combination myself. This post outlines in good detail how I cracked the combination using a brute-force combination cracker I programmed in Python that interfaced with the safe using a Raspberry Pi. If you’re not very tech-savvy and just want to see the safe cracker in action, click here to skip ahead to the video of the finished product.
What better tool to help me crack a safe than the Raspberry Pi? My favorite part about the Raspberry Pi, aside from the facts that it’s cheap and has a small form factor, is that it can interface software with just about anything in the physical world– even an electronic safe– with relative ease. I suggest that if you don’t know what a Raspberry Pi is (or the Arduino, another common tool used to hack hardware), that you look it up.
Preliminaries: Is it Possible?
First things first. I had to know if what I intended to do was actually possible, so I opened up the safe’s keypad and checked (some of the safes apparently come with a screw to keep the keypad in place; mine just twists out of its socket). What do you know! The PCB inside was designed to be hacked– or, at the very least, to be worked on electronically at the factory. It includes vias (AKA “holes”) into which wires can be inserted. Certain holes making contact with other certain holes cause the safe’s PCB to “think” one of the buttons is pressed (that’s all the buttons do, anyway– complete a circuit that operates the board).
To the left I’ve included an image of the SentrySafe PCB with an overlay of what each via is (click the image for the full resolution).
It can be somewhat confusing at first to try to understand how the PCB operates, but using the schematic provided to the left and the chart below will make quick work of it. To start, we have to understand the principle of how it operates. I’ve labeled the different vias as sources and destinations. A destination via must connect with its specified source via in order to complete a certain circuit; once the circuit is made, the PCB registers it as a button pushed and enters it as one of the digits of the code. On this PCB, the setup for digits 1, 2, and 3 all use the same destination via but each a different source via. The rest of the digits have their own destination vias. See the chart to the right.
Now on to the exciting stuff. I knew I needed to use the Raspberry Pi to push all these buttons, as it were, but it can’t do it by itself. The Raspberry Pi’s GPIO pins aren’t capable of taking electricity from an input pin and putting it through an output pin, sort of like a switch. Instead, something is needed to take signals from the Pi and flip a switch when the Pi says so. This is a perfect job for a relay switch! Or rather fifteen relay switches. The relays will be turned on and off in order by the Pi to complete the appropriate circuits on the PCB to push the buttons. I purchased the cheapest sets of relay switches that I could find, and they’ve worked really swell and have made a great addition to my arsenal of electronics on hand. I wish I had done something like this sooner.
Additionally, to make things more organized, I purchased a solderless breadboard, a GPIO ribbon cable and breadboard adapter for the Pi, a bunch of jumper wires, a bunch of LEDs (for status indicators and testing the circuits as I go), and a bunch of 300k resistors (so the Pi’s 3v/5v outputs don’t fry the LEDs). If you want to get a GPIO ribbon cable for the Pi, make sure you get one adequate for your Pi. The Rasperry Pi B+ (what I recommend) has 40 pins and is compatible with the old 40-pin PATA hard drive ribbon cables while the Raspberry Pi model B only has 26 GPIO pins.
Working in Python: The Program
The program is simple enough– in fact, it’s the first real set of coding I’ve done in Python. If you’ve ever done any kind of object oriented programming before, Python is pretty easy to pick up. I won’t go into intense technical detail here as I am including the script for you to analyze, use, and alter below.
All it does is set up the GPIO pins for input and output and then go into an infinite loop of generating a random five digit number, checking against a text database to make sure that number hasn’t already been tried, isolating the combination into five individual digits, turning certain GPIO pins representing those digits on and then off in order, and then checking an input pin to see if the safe has responded with a signal declaring that the correct combination has been tried.
After three attempts, the safe gets angry and won’t let you enter another code for two minutes. When you’re inputting tens of thousands of codes, that adds up to quite a bit of time. So I also set the safe’s PCB to be powered by one of the Pi’s 5-volt pins, and the Pi turns the power off to the PCB for five seconds after three tries. This effectively resets the PCB, and you no longer have to wait the full two minutes before you can attempt another combination.
When the program senses that the safe has signaled that a correct combination has been entered, it ends the loop, prints the combination on screen, and emails it to a predetermined email address.
Note the variables near the beginning of the script– you will need to fill these in with your desired information– this includes the email address to which you’d like to send the code, the SMTP server you’ll be using to send the email, and the start and end combinations denoting the range of combinations you wish to try.
I tried to get the time the script waits to punch the next number in the combination or to reboot to PCB as small as possible so as to speed up the cracking process. I didn’t try that hard, though, so it’s possible it could go faster– by increments of a tenth or two of a second, which, after ten thousand attempts, adds up to a lot of saved time!
Update: This code used to not be capable of attempting combinations starting with a zero. However, with a nudge from commenter Larry Sellens, I was able to add that feature to the code. The lined-out paragraph below is no longer applicable.
Important note 1: This program is not capable of attempting combinations that start with a zero, meaning that if you use this to crack an electronic safe whose combination is five digits, you’ll be missing out on the first 10,000 combinations (00000 through 09999). This is due to the nature of the random number generator– it generates numbers, but not numbers prepended with any amount of zeros. I knew the first digit of my safe’s combination, so I only needed to parse through 10,000 possible combinations, and it didn’t start with zero. Thus this capability was not programmed. However, it shouldn’t be too difficult to program a bit to prepend zeros onto a randomly generated 4-digit number, and 3-digit, and so forth until you cover the 00000 set of combinations.
Important note 2: If you don’t know the first digit of your combination like I did, you will potentially have to parse through 100,000 possible combinations (you’ll likely hit it before that many, but it’s possible it could be the very last one you try!). The database file utilized in this program causes the script to slow down significantly after parsing maybe 6,000 to 7,000 combinations. This is because the script has to check to see if the current combination the random number generator supplied has already been attempted. When the database file gets fairly large, the Pi’s meagre 700Mhz processor has a harder time parsing through it, and thus it can take some time, parsing the database dozens of times, before the script finds an unattempted combination. If you have more than ten thousand possible combinations to work on, I would recommend dumping the local database file to store the attempted combinations and instead implement a MySQL database. MySQL (and other types of databases) are much faster for software to search through than a static local text file. I would recommend installing the database on another machine if you have one– a personal desktop or laptop would be fine if you don’t have your own server. That way the Pi won’t have to use its meagre 700Mhz processor to run MySQL, and the cracking will go even faster. MySQL won’t be too hard to implement in Python– simple instructions for programming MySQL into Python exist here. MySQL downloads available here.
Side note: I chose to randomly generate the combinations instead of sequentially trying each one from zero to a hundred thousand because I figured I had fair chances of randomly hitting the combination before I would hit it sequentially. At the same time, in theory the random number generator could generate every one of the 99,999 incorrect combinations over and over again and never generate the one correct one, keeping your Pi in an infinite loop of testing combinations. While that’s very unlikely, I say it because the potential of hitting the right combination in a short period of time is the same as the potential of hitting the correct combination in a very long period of time. If you cut out the entire section that randomly generates a number and checks it against the database and replace it with a sequential number generator, you’ll shave off all the time your Pi would take generating that number and checking it against the database. You’re also guaranteed a specific period of time before your Pi hits the right combination.
The code, a blank database file, and the images in this post are available for viewing and download at this Bitbucket repository.
Making the Connections: Final Steps
Now that I knew what was possible and created the program, I needed to connect everything together. It took quite a mess of wires and some reconfiguring and reprogramming as I worked out kinks in my system, but eventually it got all set up. I’ve outlined how the Pi “speaks” to the relay switches earlier, as well as how the relay switches complete the circuits on the safe’s PCB and punch in the combinations. This is something that’s pretty basic if you understand basic electronics, but it’ll probably take a little while to set up– you have to use your brain to remember which wire goes where and where it came from. Below I have provided a table showing my configuration as it relates to the GPIO setup in the software. Unless you change the GPIO settings in the software, I’d follow this pretty exactly as it’s proven to work (the BCM GPIO setup remains the same between the Raspberry Pi Model B Revision 2 and Raspberry Pi Model B+– if you have a Pi Model B Revision 1, you will have to adjust the code to fit the correct GPIO numbering).
To understand the chart, you must understand its logic, in order of columns from left to right: it tells you which GPIO pin number to use (according to the BCM numbering), to which physical pin that correlates, which of the two relay boards we’re using, which relay switch on that board is being controlled, from which electronic source the relay is taking electric signals, to which electronic destination the switch is sending electric signals, and a brief description of what this completed circuit is supposed to do.
Also note that the Safe Source Pools are each PCB source’s signal taken as an input and connected to each destination’s relay in a sort of “pool”. For example, you need to take a wire from Safe Source 1 into a breadboard (the easiest way to make this pool). In the other holes on the same breadboard terminal strip into which Safe Source 1’s wire is inserted, insert the wires going to the relays 1, 4, and 7 on the first relay board. When the Pi electronically punches the digit 1, for example, it will turn on relay 8, opening the circuit from Safe Source 1 to the Safe Source 1 Pool, as well as relay 1, completing the circuit between Safe Source 1 Pool and Safe Dest. 1,2,3– this will complete the circuit on the PCB, and the PCB will punch the digit 1.
Important note 3: The Pi must power the safe’s PCB from one of its 5v pins; that circuit goes through one of the relay switches, and the circuit is turned off briefly after three combination attempts so as to reset the PCB and circumvent waiting two minutes before entering the next combination. The reason it has to be the Pi and not an external source is the circuits are set up all sharing the same ground; this is necessary unless you want to vastly alter the design. Though the Pi only has a certain amount of amperage and voltage it can deliver, it is enough to power the safe PCB as long as your USB power adapter can deliver it. If the USB power adapter cannot deliver enough amperage (two amps is probably enough, just to be safe), then the PCB will start to have errors (five beeps with the red LED flashing) even though the first couple of combinations your Pi enters may work normally. None of my power adapters seemed to have enough amperage, so I simply plugged my Pi into a USB port on my desktop computer. The Pi can also power the two relay boards if you have enough amperage, though you can also power them from another 5v source.
Important note 4: Relay switches often have two outputs, meaning you can switch one circuit on while at the same time switching another circuit off. For these purposes, we need to make sure to always use the output that is turned on when the relay is activated, not the output that is constantly on when the relay is inactive. My relay boards had symbols printed on them signifying what each terminal was– input power, output while activated, and output while inactive. You’ll need to figure out your relay boards’ system.
This chart assumes you are using two identical relay boards with eight relays on each.
|GPIO No.||Pin No.||Relay Board||Controls Relay Number||Completes Circuit From||Completes Circuit To||Description|
|2||3||1||1||Safe Source 1 Pool||Safe Dest. 1,2,3||Digit 1|
|3||5||1||2||Safe Source 2 Pool||Safe Dest. 1,2,3||Digit 2|
|4||7||1||3||Safe Source 3 Pool||Safe Dest. 1,2,3||Digit 3|
|14||8||1||4||Safe Source 1 Pool||Safe Dest. 4||Digit 4|
|15||10||1||5||Safe Source 2 Pool||Safe Dest. 5||Digit 5|
|18||12||1||6||Safe Source 3 Pool||Safe Dest. 6||Digit 6|
|17||11||1||7||Safe Source 1 Pool||Safe Dest. 7||Digit 7|
|27||13||1||8||Safe Source 2 Pool||Safe Dest. 8||Digit 8|
|22||15||2||1||Safe Source 3 Pool||Safe Dest. 9||Digit 9|
|23||16||2||2||Safe Source 2 Pool||Safe Dest. 0||Digit 0|
|24||18||2||8||Safe Source 1||Safe Source 1 Pool||Safe Source 1 Connection|
|10||19||2||7||Safe Source 2||Safe Source 2 Pool||Safe Source 2 Connection|
|9||21||2||6||Safe Source 3||Safe Source 3 Pool||Safe Source 3 Connection|
|8||24||2||5||5v pin from Pi||Safe Power Connector (remove battery cartridge)||Safe Power On/Off Switch|
One last circuit that you need to make that doesn’t fit in the logic of this chart is the circuit that will tell your Pi when the correct combination has been completed. It must be taken from the negative side of the resistor that’s connected to the green LED. What resistor connected to the LED, you ask?
That one. If you turn the PCB over to the back, you’ll see the rear of the green LED near the top left side of the PCB. Immediately to the LED’s right you’ll see a small resistor labeled “R1”. You need to clamp a wire to the negative side of the resistor (at least I think it’s the negative side just the way it’s situated by the LED)– I used a medium-sized paper clamp to keep the wire touching that side of the resistor. Make sure the wire is only touching that side of the resistor. Also make sure the clamp doesn’t touch any other metal bits on the board or it will short it. Also, there are two holes on the PCB used for mounting it within the plastic enclosure on the safe; I threaded the wire from the LED’s resistor through these to keep it more secure so the paper clamp won’t lose its grip.
Take the wire from the resistor and have it control relay number four on relay board two. Now whenever the the green LED is turned on (such as during a number being punched or when the correct combination has been entered), the relay will turn on. When the green LED turns off, the relay will turn off. Now take a wire from one of the 3v pins on the Pi, put it through a 300k resistor, and connect it to one of the terminals on that relay. Take a wire from the other terminal and connect it to GPIO pin 7 (physical pin 24).
Pin 7 in the Python program is set up to “watch” for voltage for a brief moment after the Pi attempts an entire combination. If the combination was successful, the green LED will be lit during this period, which will activate relay number four, which will complete a circuit to Pin 7; when the Pi “sees” the completed circuit, the program prints the combination on the screen and sends an email specifying that the combination has been found as well as what that combination is. If the combination was not successful, the green LED will not be lit, which will keep relay number four inactive, and Pin 7 won’t have any voltage to it; the Pi “sees” nothing, and the program continues trying combinations.
After doing all of this (not quite in the same order– I had to figure out a lot of it by trial and error, and I played with many yellow LEDs to make sure my circuits were correct), everything was finally ready. I set the Pi to punch in combinations overnight. I had to throw a few towels and a chunk of packing foam over the PCB to keep the beeping from us in the next room over.
I woke up the next morning, entered the room excitedly to only hear more beeping. Dejected, I took a shower. Upon exiting the shower, I noticed how quiet the house was. After about fourteen hours, the safe had been open. I had received the email with the code, attempted it on the safe, and had the safe open at last– all thanks to a Raspberry Pi, some Python coding, and some wires and relays.
Since I knew the first digit of my code, my Pi had to parse only 10,000 combinations. If you have to parse 100,000 combinations, the cracking process will likely take longer– potentially a week or more (~14 hours * 10 = ~140-160 hours), though it’s still possible it could get it on the first try (not at all likely, though). You could definitely streamline the process by testing the timing between punching the numbers and reducing it by a few hundred milliseconds here and there; just don’t go too fast or the safe will start throwing errors.
Now if I ever find myself with 14 to 160 hours alone with someone else’s Target-grade cheap safe, I can crack the code and steal their social security information. Excellent.
The code, a blank database file, and the images in this post are available for viewing and download at this Bitbucket repository.
Need help? Express it in the comments.
I’ve included a video of the cracking in process. Enjoy it below.
(You’ll notice that when a digit is punched in both the green and the yellow LEDs light up, and you’ll also notice that the yellow instead of the red LED lights up when an incorrect combination is entered. My only guess is that the PCB is slightly undervolted, and for some reason this causes the yellow LED to behave this way: the PCB uses four 1.5 volt batteries, which equals six volts; the Pi can only supply five volts.)