Date:	Tue, 14 Feb 89 06:06:00 EST
From:	gwyn@smoke.brl.mil
Subject: Re: Friction is your friend

> This rather simple idea appears to be out of reach of most locksmiths,
> though, who seem to unquestioningly believe the manufacturer's party line...

Now, be nice.  Most genuine professional locksmiths are well aware of
how to attack all kinds of locks.  The first step, when feasible, is to
gain a thorough understanding of the principles of operation of the lock.
Generally from there, along with some experience of picking techniques in
general, it is fairly obvious how to attack the lock.

For some reason "Cipher" (Simplex) locks are considered secure where I
work.  It's fun to manipulate them open, and it doesn't generally take
more than a couple of minutes once you know how.

[Moderator add-on: My impression was always that Cipher locks [electronic,
five bidirectional rocker switches in a big klunky box] were different from
Simplex locks [all mechanical, five buttons in a column or a circle].  Is
there some name crossover or am I confused?  _H*]

Date:	Sat, 18 Feb 89 15:54:00 EST
From:	gwyn@smoke.brl.mil
Subject: Re: Simplex locks

-Yes, but that is because most owners give a simple three digit code for
-their lock, and there are only 125 simple three digit codes.

You miss the whole point.  These locks can be MANIPULATED open,
not GUESSED, in very short order.  This is not dependent on use
of one-digit members of the combination.

-Any mathematicians out there want to compute the number of possible
-combinations?

As usual, even though this can be done, it is not relevant to security
(although it can produce a lower bound for the level of security provided).

Date:	Sun, 5 Mar 89 00:14:00 EST
From:	ron@ron.rutgers.edu
Subject: Re: Friction is your friend

Hobbit is right.  Cipher locks are as he described.  Five rocker switches
run to a box usually above and inside the door.  You can program a 4 digit
sequence in them by these little patchcords inside the box.  Simplex locks
are purely mechanical which are programmed by opening them, putting in the
old combination, pushing a plunger, entering the new combination, and then
clearing it.

BRL never had any Cipher locks that I knew about, only Simplex.  The Simplex
weren't really regarded as any more secure than the plain old Sargent key
locks, key distribution was easier.  Generally they were used for things like
printout rooms and labs where they were used by a large class of people.
The secure facilities were actually deadbolted and alarmed when not attended.
Even when we used Cipher locks in the SCIF's at other jobs, they were used
only when the room was attended inside anyhow.  At night we turned on the
alarm and spun the big ol' S&G lock on the door.

What was amazing to me is the number of people who never bother to change
the Simplex locks from the 2-4, 3 combo they all get shipped with.

-Ron

Date:	Wed, 8 Mar 89 10:00:00 EST
From:	ron@ron.rutgers.edu
Subject: Re: Simplex locks

In addition, SIMPLEX had a line in some of their sales literature
to the effect that "10,000 possible combinations makes guessing
the right one a million to one."  We should send their marketing
department to Prob 101.

-Ron

Date:	Wed, 8 Mar 89 10:02:00 EST
From:	nichols@cbnewsc.att.com
Subject: Re: Simplex locks

Some time ago I computed 1152 (as I recall) as the number of possible
combinations -- not exactly what is implied by the "thousands of
possible combinations" claimed by the Simplex folks (recently I saw
some blurb that claimed "more than 2000" combinations).

Incidentally, if (through psychoanalysis of the user) you suspect a
"complex" combination involving 3 buttons simultaneously, your guessing
job is greatly reduced.  There are only 10 such 3-button sets, each with
only 2 other buttons to consider.

There IS a way to generate some additional combinations, although it
violates the instructions of the manufacturer to "remove your fingers
from the buttons before turning the knob," risking damage to the lock if
you're not careful when opening it.  At the end of the sequence, an
otherwise unused button can be pressed lightly, just to the point of
increased resistance, and HELD THERE as the knob is turned.  Such a
combination is distinct both from pressing the button all the way and
from not pressing the button at all.  The basic principles for
setting/changing such combinations still apply: set the combination
using the same actions you're going to use to open the lock; to change
the combination, press the present combination and, while holding the
final button(s) activate the "change" slide.

It is possible to detect such combinations through manipulation and
determine the buttons involved, but such combinations would confound
the unaware.

It never ceases to amaze me the way these very useful locks are
mis-applied (largely due to mis-information supplied by the
manufacturer).  The locks are primarily suited (at least in my mind) to
preventing casual entry to a restricted area, provided that the location
of the lock is such that anyone attempting manipulation would be
immediately observed and challenged.

	-*-		-*-		-*-

Now that I have located the papers with my old calculations, I find that
the actual number of combinations for a Simplex lock is 1082 (even worse
than the 1152 I remembered).

Just for kicks, I calculated the effect of the "trick" I mentioned
(lightly pressing some of the unused buttons and holding them while
turning the knob).  There are a total of 2163 combinations if you allow
this.  Perhaps this is what the manufacturer had in mind when claiming
"greater than 2000" combinations, but the operating instructions
expressly forbid doing this.

What puzzles me is why the lock wasn't made with 6 buttons instead of 5.
The number of combinations then rises to over a million (without
"tricks") and security against manipulation is also improved, at least
for combinations that use all the buttons.

[Moderator add-on: The above-mentioned "trick" is Simplex's "high-security-
mode", which in theory they only point out to their high-muckymuck military
customers.  Years ago at a locksmith show I had one of the Simplex reps set
"some random combo" on one of their demos to see if I could open it; he used
one of these and I couldn't get it open at the time, although I rolled out of
bed with the answer the next morning...    _H*]

Date:	Fri, 17 Mar 89 00:33:00 EST
From:	Root Boy Jim <rbj@nav.icst.nbs.gov>
Subject: Friction is your friend

As far as those "Cipher" lox (five bidirectional rocker switches) go, my
favorite technique is to take a piece of chalk and rub it over all the
ribs on the switches. When you come back a few days later, all the buttons
used for the combination have been wiped clean. That leaves you only
24 (4*3*2*1) instead of 5040 (10*9*8*7).

	Catman Rshd <rbj@nav.icst.nbs.gov>
	Author of "The Daemonic Versions"

Date:	Fri, 17 Mar 89 00:39:00 EST
From:	deh@eng.umd.edu
Subject: Re: Simplex locks

The number of combinations can be cut down quite a bit by spraying 
or dusting the button tops with an organic dye (or whatever) that 
will display pretty colors when illuminated with UV light. I always
preferred a couple of strange organic dyes used in dye lasers, but
they are expensive, and a lot of common household things work just
as well (the proof is left as an exercise for the reader). For a
portable UV light source, you can get fancy, but I like the little
EPROM eraser lights. Small, portable, and intense. A battery powered
device would be better of course if 120VAC is not available in the
target area. 

In any case, the buttons without powder left on them are the 
ones that you want to play with. This works great in elevators
that have button code systems in them for after hours use. The 
MIT Media Lab is a good example of such a facility (I wonder if
they still glow over there?). 

Doug

Date:	Mon, 27 Mar 89 20:25:00 EST
From:	att!iexist!nichols@research.att.com
Subject: Re: Simplex locks

WRT using fluorescent dye to determine used vs. unused buttons, I
suspect that a solution of ordinary laundry detergent would be the most
readily available.  The brighteners glow brilliant white under UV.

For Simplex locks, however, who needs it!?  It only takes 1 to 2 minutes
of manipulation to identify used and unused buttons, with no apparatus,
power source, or even ambient light required.  In the (uncommon) event
that all the buttons were used, there are 541 combinations to try.  If
less, the math is definitely on your side.

                   #buttons       #comb
                   5 of 5         541
                   4 of 4         75
                   3 of 3         13

					Bob Nichols
					nichols@iexist.att.com

Date:	Thu, 13 Apr 89 10:02:00 EDT
From:	meister@gaak.lcs.mit.edu
Subject: Re: Simplex locks

It gets even better than that. If dealing with a location that is accessed
VERY infrequently, (such as some of the vaults at MITRE), do the following:

coat each button of a, say, 12 button pad with a different organic dye, each
fluorescent at a different wavelength spread equally along the visible
spectrum.  Now, assume the combo has a large (say 8) digits in it. The person
types in the combo. Some time later, you come back with a wide-range UV source,
and a decent spectroscope. (like the ones that you saw in jr high physics, only
with a GOOD grating.) Look at each button. One of them will give you EIGHT spec
lines.  one of them will give you SEVEN. Etc. Inverting gives you the
combination.

If two buttons have the same number of lines, it could only happen by having
one of them be used more than once in the combo. Using the relative strengths
of the spec lines will give you hints as to which one it was. Sometimes it
requires a second application designed to figure out a specific question,
(eg "is '4' before or after '8'").  Have fun. The dyes used for dye lasers
are not that expensive, given the minimal amounts you need to use here.
The main problem is that most of them are not transparent to visible light.

Have fun.

                               -meister

Date:	Fri, 21 Apr 89 04:58:00 EDT
From:	"W. K. (Bill) Gorman" <34AEJ7D@CMUVM.BITNET>
Subject: Re: Dusting Simplex locks

>The strange organic dyes used in many dye lasers ARE VERY TOXIC!!  I
>wouldn't recommend sprinkling them around, you could kill someone.

Very dramatic! However, the same effect can be obtained by using the UV
fluorescent liquids/powders available through suppliers of
stuff used for kiddies science fair projects.

Date:	Wed, 3 May 89 13:51:00 EDT
From:	deh@eng.umd.edu
Subject: Re: Dusting Simplex locks

I agree that you should use whatever you can get your
hands on for illumination of code buttons; I mentioned 
laser dyes because I happened to have a lot of them around at
the time that I first tried this, and it worked very well.

Most of the dyes that I have used are pretty common, pretty cheap,
and to the best of my knowledge none of the ones that I have used
have been toxic....

One consideration in choosing the dye to use (for buttons, not for 
lasers) is what it looks like in regular light, since you don't 
want people seeing it on the buttons. Another consideration is the
method of application. One reason the laser dyes worked so well
was the fact that they were dissolved in solvents, usually alcohol
but also ether sometimes. In a spritzer bottle, these can be sprayed
on the target area where they will dry quickly, leaving a very fine
and uniform distribution of the dye material which is very likely
to escape detection. DO make sure that the solvent doesn't melt
the materials that the buttons, etc. are made of though.....

Doug

Simplex 5-button combination locks:
		  *Hobbit*'s in-depth evaluation

This deals with the Simplex or Unican 5-button all-mechanical combination
locks.  They are usually used in a variety of secure but high-traffic
applications, and come in a number of flavors:  dead bolt, slam latch, lock
switches for alarms, buttons in a circle or a vertical line, etc.  The
internal locking works are the same across all of these.  Herein will be
described the mechanical workings and a method of defeating the lock that
falls out by logical inference and observations from playing with it.

	The internals

Caveat: If this seems unclear at first, it is because the absolutely best way
to understand the inner mysteries is to take a Simplex lock apart and study
it.  It is highly recommended that the reader obtain and disassemble one of
the units while studying this; otherwise the following may be confusing.  The
locking mechanism box is swaged together at each end, but it is trivial to
open up without destroying it.  To set a lock up for study, remove the back,
leaving the front plate held on by its Jesus clip.  Put a spare thumb turn
down over the shaft so you have something to grab.  Take care not to lose the
button connecting pins; they drop out.

In the round configuration, the buttons talk via bent bars in the faceplate to
the same vertical column as the straight ones.  Thus all buttons henceforth
shall be referred to as if they were in a straight vertical row, numbered 1 to
5 reading downward.  The actual locking mechanism inside is a small metal box,
about 3 inches high and .75 x .75 inch across the base.  It contains five
tumblers, one corresponding to each button, a common shift bar, and a couple
of cams to handle reset and unlocking.  The user dials the combination and
turns the handle to the right to open the lock, or to the left to reset any
dialed digits if he made a typo.  If the proper combination has not been
dialed yet, the shaft will not turn to the right.  Setting a combination shall
be described later.  Some of the linear-style locks are actually made by
Unican, but have the Simplex box inside.  For these, a clockwise twist serves
as both open and reset.  There is a detent plate and a screwy lever system; if
the lock is not open yet, the lever cannot turn to the *box*'s right.  The
detent slips, allows the levers to shift the other way, and the box arm is
then turned to the left.  If the detent does not slip, it's open, and the
plate locks to the latch shaft and pulls it back.

Each of the five tumblers has six possible positions.  Each button does
nothing but push its corresponding tumbler from the 0 position to the 1
position.  Therefore, each button can only be used once, since once the
tumbler has moved, the button has no further effect.  The trick comes when
*subsequent* buttons are pushed.  Each button press not only shoves its
tumbler from 0 to 1, it also advances any "enabled" tumblers one more step.
When a tumbler is enabled, its corresponding gear has engaged the common bar
and pushed it around one position, so the next button press will do this
again, thus taking previously enabled tumblers around one more notch.  This
way, the further-in tumbler positions can be reached.  It can be seen that
there are undialable combinations; for instance, only *one* tumbler can reach
position 5 for a valid combination [Positions labeled 0 thru 5, totalling
six].  If one sits down and figures out possible places for the tumblers to
go, many combinations are eliminated right away, so the number of
possibilities is *not* 6^5 as one might expect.  Two-at-once pushes are also
valid, and are *not* the same as pushing the given two in some other order.
Pushing two [or three or ...] at once simply enables two tumblers at once and
shoves them to position 1 at the same time.  [This of course leaves less
buttons unused to push them in farther!]  The tumblers themselves are small
round chunks of metal, with gear teeth around the top half and a notch cut
into the bottom edge.  When all these notches line up with the locking bar,
the lock is open.  The tumblers are mounted on a vertical shaft so they can
spin, with the locking bar fingers resting against the bottom of each one.
The locking bar is prevented from rising if any notch is turned away from it.
Juxtaposed to the tumblers is another shaft containing idler gears, which in
turn talk to the common bar in the back.  The intermediate shaft slides up and
down and makes combination changes possible.  Note: The buttons actually talk
to the idler gears and not the tumblers themselves.  This is necessary since
during a combo change, the tumblers cannot move because the locking bar teeth
are sitting in the notches.
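
The counts quoted in the thread above (1082 combinations; 541, 75 and 13 for a
known set of 5, 4 or 3 buttons; 2163 with a held final push) and the remark
here that the possibilities are *not* 6^5 all follow from the tumbler rule just
described.  The following is an added example, not code from the posts or from
*Hobbit*; it assumes each button is used at most once, that a simultaneous push
is one group, and that the "held" variant is a single non-empty group of unused
buttons held after the full presses.  All function names are made up for the
illustration.

```python
"""Keyspace model of the 5-button lock described above (added example)."""
from itertools import combinations

N_BUTTONS = 5  # buttons are numbered 1..5 reading downward, as in the text


def ordered_groupings(buttons):
    """Yield every way to press all of `buttons` exactly once, as an ordered
    sequence of groups; a group of two or more is a simultaneous push."""
    buttons = tuple(buttons)
    if not buttons:
        yield ()
        return
    for size in range(1, len(buttons) + 1):
        for first in combinations(buttons, size):
            rest = tuple(b for b in buttons if b not in first)
            for tail in ordered_groupings(rest):
                yield (first,) + tail


def all_combinations(n=N_BUTTONS):
    """Yield every dialable combination, including the empty one."""
    for k in range(n + 1):
        for used in combinations(range(1, n + 1), k):
            yield from ordered_groupings(used)


def tumbler_positions(sequence, n=N_BUTTONS):
    """Apply the rule from the text: a press moves its own tumbler from 0 to 1
    and advances every already-enabled tumbler by one position."""
    pos = [0] * (n + 1)  # index 0 is unused so that pos[b] is button b
    for group in sequence:
        if any(pos[b] for b in group):
            raise ValueError("a button has no further effect once pushed")
        for b in range(1, n + 1):
            if pos[b]:
                pos[b] += 1
        for b in group:
            pos[b] = 1
    return tuple(pos[1:])


def keyspace_report(n=N_BUTTONS):
    """Count the real keyspace and compare it with the naive estimate."""
    combos = list(all_combinations(n))
    vectors = {tumbler_positions(c, n) for c in combos}
    by_used = {}
    for c in combos:
        used = sum(len(g) for g in c)
        by_used[used] = by_used.get(used, 0) + 1
    # Assumed model of the held final push: after the full presses, any
    # non-empty set of still-unused buttons is held, i.e. 2**unused - 1 ways.
    held = sum(2 ** (n - sum(len(g) for g in c)) - 1 for c in combos)
    return {
        "combinations": len(combos),
        "distinct_tumbler_settings": len(vectors),
        "naive_estimate": (n + 1) ** n,  # six positions per tumbler
        "max_tumblers_at_last_position": max(v.count(n) for v in vectors),
        "by_buttons_used": by_used,
        "with_held_final_push": len(combos) + held,
    }


if __name__ == "__main__":
    # Two sequences taken from the worked example later in this write-up.
    print(tumbler_positions(((1,), (2,), (3,))))
    print(tumbler_positions(((1, 3), (4,), (2,))))
    for key, value in keyspace_report().items():
        print(f"{key}: {value}")
```

Every press sequence maps to a different tumbler setting, so the two counts in
the report agree, and both are far below the naive six-positions-per-tumbler
figure and the numbers in the sales literature.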

	Combination change, other random facts

Once you know the current combination, you might want to change it.
Instructions for doing this undoubtedly come with the lock; but it's real
easy.  There is a screw in the top with a hex hole; remove this from the lock
body.  Dial the proper combination, but don't move the handle.  Press straight
down through the hole with a small screwdriver, until you feel something go
"thunk" downward.  The lock is now in change mode.   Reset the tumblers
[leftward twist], enter your new combination, twist the handle as though
opening the lock, and your change is now in effect.  Re-insert the screw.
This does the following:  The thing you hit with the screwdriver pushes the
tumblers down onto the locking bar [which is why the proper combination must
be entered], and disengages them from their idler gears.  Button presses turn
the *idler* *gears* around, and then the opening action shoves the tumblers
back up to mesh with these gears in their new positions.  A subsequent reset
mixes the tumblers up again to follow the new combination.  This description
is admittedly somewhat inadequate; the right thing to do is take one of the
locks apart and see for one's self what exactly happens inside.

The Unican model has a disk-locked screw on the rear side.  Removing this
reveals a round piece with a flat side.  Twist this clockwise to enable change
mode as in the above.  This lock, of course, would be a little more secure
against random people changing the combination for fun since you ostensibly
need a key to get at it.  Keep in mind that "reset" on these is done by
turning the knob all the way *clockwise* instead.  There is a linkage that
ensures that the shaft inside goes counterclockwise for the time that change
mode is enabled.

It is amusing to hear local locksmiths call the Simplex internals a 
"computer".  It would seem that none of them have taken one apart to
see what is really inside; the box is painted black as far as they are
concerned and non-openable.  Obtaining one is the unquestionably best way to
learn what's in there.  Unfortunately they cost on the order of $120, a price
which clearly takes advantage of the public's ignorance.  These locks are
*not* pick-proof after all, and anyone who maintains that they are is
defrauding the customer.  There are a variety of ways to increase the picking
difficulty, to be discussed elsewhere.  Your best bet is to borrow one from
somewhere for an evening and spend the time learning its innards.

	Determining an unknown combination

Contrary to what the marketing reps would have you believe, the locks can be
opened fairly quickly without knowing the set combination and without damaging
the lock.  Through a blend of a soft touch, a little hard logic, and an
implicit understanding of how the locking mechanism works, they generally
yield within five minutes or so.  [There are *always* exceptions...]

This method requires that one does not think in terms of a sequence of button
presses.  One must think in terms of tumbler positions, and simply use the
buttons to place tumblers where desired.  For practical description purposes,
it will be assumed that the buttons connect right to the tumblers, rather than
the idler gears that they really do.  The idler gears are a necessary part
only during combination changes.  Unless you are doing a change, considering
it this way is pretty close to the facts.  Remember that a 0 position means
the button was never pushed, and 5 is enabled and shifted as far as possible.

Turning the thumb handle to the right [clockwise] raises the locking bar
against the tumblers.  Since the lock is never machined perfectly, one or more
tumblers will have more pressure on it than other ones, and this shows up as
friction against it when it is turned via the button.  This friction is felt
in the short distance between fully-extended and the detent on the button [the
first 2 or 3 mm of travel].  Some will travel easily to the detent, and others
will resist efforts to push them in.  Suppose you are twisting the handle, and
tumbler 1 has lots of pressure on it [you can feel this when you try to push
button 1 in].  When you back off the tension on the handle a little bit, the
button can be pushed in against the resistance.  The fact that the button has
resistance at position 0 tells you that tumbler 1's proper position is *not*
0, or there would be no pressure if the notch was there!  Upon pushing button
1 in, you find that no pressure has appeared at any other button.  This
eliminates position 1 for tumbler 1, also.  Now, how do you get tumbler 1 to
different positions so you can test for pressure against other ones?  Push
subsequent buttons.  Push any other button, and tumbler 1 advances to position
2.  Ignore what the other tumblers are doing for the moment.  Now, perhaps
another button has some resistance now.  This means that tumbler 1 is either
at the right position, or getting close.  Basically you are using other
tumblers to find out things about the one in question.  [Keep in mind that the
first one with friction won't *always* be tumbler 1!  Any tumbler[s] could
have the first pressure on them.]  Continuing, push another "don't care"
button.  A "don't care" button is one that is not the one you're trying to
evaluate, and not the one that recently showed some friction.  What you want
to do is advance tumbler 1 again without disturbing anything else.  Did the
pressure against your test tumbler get stronger, or disappear?  If it got
stronger, that points to an even higher probability that tumbler 1 is supposed
to be at 3, rather than 2.  If the pressure vanished or became less, 1 has
gone too far, and you were safer with it at position 2.  Let's assume that the
pressure against your test tumbler increased slightly when tumbler 1 was at 2,
increased even more when tumbler 1 was at 3 and vanished when you pushed it
onward to 4.  Reset the lock.  You now know the proper position of tumbler 1
[that is, whatever tumbler first had pressure on it].  You've already
drastically reduced the number of possible combinations, but you aren't
finished yet.

You can now eliminate positions for the next one or two tumblers the same way
 -- but to set things up so you can feel the pressure against these, you must
ensure that your newly-known tumbler [1 in this case] is in its proper
position.  It is useful to make a little chart of the tumbler positions, and
indicate the probabilities of correct positions.

		   Positions
		0  1  2  3  4  5
		----------------
	   1 :	L  L  +  T  L  |	<-- Indicates that tumbler 1 is not
					    0, not 1, maybe 2, more likely 3.
Tumbler    2 :  |  |  |  |  |  |
number
	   3 :  |  |  |  |  |  |

	   4 :  L  |  |  |  |  |	<-- Indicates that tumbler 4 is not 0.

	   5 :  |  |  |  |  |  |

This chart is simply a bunch of little vertical lines that you have drawn in a
5x6 matrix; the topmost row corresponds to button 1 and the lowest to 5.  Mark
the probabilities as little hash marks at the appropriate height.  The leftmost
bar indicates position 0, rightmost 5; a high mark on the left side indicates
that that tumbler is 0, or is never used.  The relative heights of your tick
marks indicate the likelihood of the notch on the respective tumbler being
there.  If you don't know about a position, don't mark it yet.  This chart
serves as a useful mnemonic while learning this trick; as you gain experience
you probably won't need it anymore if you can remember tumbler positions.

A tumbler at the 0 position is already lined up before any buttons are pressed.
This will feel like a lot of loose play with a little bit of pressure at the
end of the travel, just before the enable detent.  Be aware of this; often
enough the first button with pressure can be a 0, and if you aren't watching
for 0 positions you can easily assume it's a don't care, push it, and screw
your chances of feeling others.  Make sure your "don't care" test buttons
aren't supposed to be at 0 either.  It's a good idea to run through and try
to find all the zeros first thing.

Let us continue from the above.  You have found that tumbler 1 is most likely
to be at position 3, with a slim chance of position 2.  This is marked in the
above chart.  The reason this can happen is that the tops of the locking bar
teeth are slightly rounded.  When the tumbler is one away from its opening
position, the locking bar can actually rise higher, since the notch is halfway
over it already.  So don't assume that the first increase in pressure on other
buttons is the right position for the one you're finding out about.  Let's
assume that the next pressure showed up on button 4.  You can feel this when
tumbler 1 is at position 3; to get tumbler 1 out there, let's say you used the
sequence 1,2,3.  2 and 3 were your "don't care" buttons used only to push 1
around.  Therefore now, tumbler 1 is at position 3, 2 is at 2, and 3 is at 1.
5 and 4 are at 0, and can therefore be felt for pressure.

The next step is to find the proper position for the next button with pressure
against its tumbler.  Many times you'll get more than one that exhibit
pressure at the same time.  Figure out which button has more pressure on it
now with your first tumbler in the right position.  In this example, only 4
applies.   You now want to advance tumbler 4 to different places, *while*
keeping 1 at its proper place.  1 must always advance to 3 to free the locking
bar enough to press on other tumblers.  To place tumbler 1 at position 3 and 4
at position 1, you would do something like 1,2,4 and check 3 and 5.  To place
tumbler 1 at position 3 and 4 at 2, you would do something like 1,4,2.  To
place 1 at 3 and 4 at 3, you have to press 1 and 4 at the same time, and then
advance that mess by two positions.  If you use 2 and 3 for this, the notation
is (14),2,3, which means 1-with-4, then 2, then 3.  You can also do 4,1,2,5 to
put 4 at 4  and check 3.  If all these tests fail, that is, no pressure
appears at any other button, you can start assuming that 4 is supposed to be
way out there at position 5.  For the example, let's say you did 1,4,2 and
pressure showed up on button 3.  To double-check this, you did (14),2,5, and
the pressure on 3 went away.  So tumbler 4 must have gone too far that time.
Place a fairly high tick mark on the chart at tumbler 4, position 2 to
indicate the probability.

Note: A better way to do that last test, to avoid ambiguity, is to do 1,(42),5
and check 3, then do (14),2,5 and check 3.  This ensures that the only change
you have made is to move tumbler 4 from 2 to 3 and avoids the possibility of
movement of tumbler 2 giving bogus results.  Through the entire process, you
want to try to change one thing at a time at every point.  Sometimes one of
this sort of possible test setup won't tell you anything and you have to try
another one [in this case, perhaps 1,(45),2 and then (14),5,2 while checking 3.
This has simply swapped the positions of 2 and 5 during your testing].

You now know two tumbler positions, with a high degree of confidence, and have
further reduced the possible combinations.  From here, you could mix tumblers
2,3 and 5 into the sequence with various permutations, as long as you place 1
and 4 correctly every time.  This would still take some time and brain work
... let's try to find out something about some other buttons.  Place 1 and 4
where they're supposed to go ... the sequence 1,4,2 will do it, and see what's
up with the other buttons.  1,4,3 will leave 2 and 5 available.  You find
eventually that 2 and 3 have the next bit of pressure distributed between them
[and are nonzero], and 5 feels like a 0, as described above.  To confirm this,
advance 5 along with some other button and check 3.  Bingo: There is no
pressure on 2 when 5 is enabled [and you have not changed anything else
besides 5's position], so you can firmly decide that 5 is 0 after all.  So
leave it there.  [You did this by advancing 1 to 3 and 4 to 2, as usual, so
you can feel 2's pressure in the first place.]

By now you should know the proper positions of three of the tumblers, and have
eliminated any other zeros by feeling their initial pressure.  Now, since 2
and 3 have the next pressure on them, try and find out more about them.  You
know they aren't zero; suppose we try 1?  To do this you must get one of them
to 1, 1 to 3 as usual, 4 to 2, and leave 5 alone.  How?  Use hitherto unknown
buttons as dummies to position the tumblers right.  For instance, the sequence
1,4,3 will do what you want here; you then check pressure on 2.  Or 1,4,2 and
check 3.  Here you may notice that the pressure on the leftover is a *little*
stronger than before, but not enough to make any sure judgement.  Well, now
you want to advance an unknown to position 2 - but you suddenly notice that if
you do [by doing something like 1,(42),3] there are no free buttons left to
test for pressure!  'Tis time to try possibilities.  Your only unknowns are 2
and 3 now.  You must now advance 1 and 4 to their proper positions, leaving 5
alone, while sprinkling the unknowns around in the sequence in different
permutations.  Use your chart to remember where the known tumblers must go.
Sometimes you get two possibilities for a tumbler; you must work this into the
permutations also.  In this particular example, you know that either  2 or 3
[or both!] must be the last button[s] pressed, since *something* has to get
pressed after 4 to advance 4 to position 2.  An obvious thing to try is
putting both the unknowns at position 1 by doing 1,4,(23).  Try the handle to
see if it's open.  No?  Okay, now leave one of the unknowns down at 1 and mix
the other one around.  For instance, for 2 at 1 and 3 at 2, you do 1,(34),2
-- nope.  Advance 3 one more; (13),4,2 *click* -- huh?? Oh, hey, it's *open*!!

Well, when you are quite through dancing around the room, you should know
that your further possibilities here ran as follows:

	3,1,4,2		; to end the permutations with 2 at 1
	1,(24),3	; and permutations involving 3 at 1.
	(12),4,3
	2,1,4,3

One may see how things like 2,1,(34),x  are eliminated by the fact that  1
must get to 3, and 5 must stay still.  Since only 4 buttons could be used, no
tumbler can get to position 5 in this particular combination.  Note also that
the farther *in* a tumbler has to go, the earlier its button was pressed.

If all this seems confusing at first, go over it carefully and try to
visualize what is happening inside the box and how you can feel that through
the buttons.  It is not very likely that you can set up your lock exactly as
the  example, since they are all slightly different.  Substitute your first-
pressure button for the 1 in this example.  You may even have one that
exhibits pressure against two or more tumblers initially.  Just apply the
differential-pressure idea the same way to find their most likely positions.
The example is just that, to demonstrate how the method works.  To really
understand it, you'll have to set your lock up with some kind of combination,
and apply the method to opening it while watching the works.  Do this a few
times until you understand what's going on in there, and then you'll be able
to do it with the lock assembled, and then in your sleep, and then by just
waving your hands and mumbling....

A 5-press combination makes life a little tougher, in that you lose
versatility in your freedom of test positions, especially if your first-
pressure tumbler is at position 5.  Here you can use the "almost" feature to
your advantage, and advance the errant tumbler to one before its proper spot,
and hope to see increased pressure on other tumblers.  When a tumbler is one
away from right, the locking bar tab is hanging a large section of itself into
the tumbler notch, and the tab's top is slightly rounded.  So it can rise a
little higher than before.  If you twist the handle fairly hard, you can
distort the locking bar slightly and make it rise higher [but don't twist it
hard enough to break away the safety clutch in the shaft!] The chances of
someone setting this sort of combination without prior knowledge about the
*specific* lock are almost nonexistent.

As if that wasn't enough, the next thing to deal with is the so-called
"high-security" combinations involving half-pushes of buttons.  The long
initial travel of the tumbler permits this.  If you look at your open
mechanism and slowly push in a button, you'll see that the tumbler actually
travels *two* positions before landing in the detent, and further motion is
over one position per press.  There is no inherently higher security in this
kind of combination; it's just a trick used against the average person who
wouldn't think of holding a button down while twisting the latch release.
It's quite possible to defeat these also.  When you are testing for pressure
against a tumbler set at "one-half", you'll feel a kind of "drop-off" in which
there is pressure initially, and then it disappears just before the detent.
Before testing further buttons, you'll have to "half-enable" the appropriate
"one-half" tumblers so the locking bar can rise past them.  Set your lock up
with a couple of combinations of this type and see how it works.  Note that
you must hold down the "half" buttons just before the detent click while
setting or opening.  This makes an effective 7 positions for each tumbler, but
in a standard [no "halfs"] setup, it's effectively 6.  This is Simplex's
"high-security" trick that they normally only tell their high-dollar military
customers about.  After working the lock over for a while, it's intuitively
obvious.

The Unican type has no direct pressure direction of twist; if you turn too
far to the right you only reset the tumblers.  What you must do is hold the
knob against the detent release just tight enough to press the locking bar
against the tumblers inside the box but not hard enough to slip the detent.
There is a fairly large torque margin to work with, so this is not difficult
to do.  Unicans do not twist to the left at all, so ignore that direction and
work clockwise only.

	Possible fixes

The obvious improvements to make are to cut notches of some kind into
the locking bar teeth and the tumblers, so that the pressure can't be as
easily felt.  Another way might be to have a slip joint on the locking bar
that would release before a certain amount of pressure was developed against
it, and thus never let the tumblers have enough pressure against them to feel.
The future may see an improved design from Simplex, but the likelihood does
not seem high.  They did not seem interested in addressing the "problem".

[Method independently discovered 8410, revised and cleaned up 861020
by *Hobbit*, for informational purposes only.  This information was also
forwarded to the engineering staff at Simplex Security Systems.]

_H*
