Efficiently Cracking Keypads
So for a change, this will be the first useful post on my site. This post is mainly about how to crack, efficiently, those annoying little electronic door locks controlled by simple keypads. They are usually used in low-security areas, commonly storing maintenance material or other random junk (or maybe even gold). They look something like this.
Not always shiny, and not always 5 keys in a circular pattern; they come in various shapes and sizes, usually black and silver, with the keys all lined up.
DISCLAIMER: This information is for educational purposes only, and you are held responsible for everything you do legally or illegally.
Jump to Method section below if you don’t want to read the boring part.
Consisting of 4-16 keys. As I said earlier, I mean sessionless because these devices don't have key-entry sessions; in other words, with these locks you can keep hammering keys very randomly and fast for hours and the lock will eventually unlock (but "random" means a long period of time). With locks that have sessions, you start pounding random keys and after 5 (or some fixed number of) keys are pressed it simply says access denied, waits a couple more seconds before starting another session, and you need to re-enter the whole code. A sessionless lock simply takes the last 5 or so keys pressed and checks them against the stored unlock code. If they match, the door unlocks; if not, it waits for another key, checks again, and this process repeats.
The old way to bypass these locks has been to use a couple of small solenoid-driven devices (they move a pin) which act like your finger pressing the button below them, which you mount in front of the keypad's keys, and which automatically press every possible combination: 1111 1112 1113 … 5131 5132 5133 until 5555. This works, but takes some time. Building one is extremely simple, using a binary counter along with a few flip-flops so that all the keys aren't pounded at the same time but one key at a time, attaching each switch to each bit value through a transistor or a relay, and letting the device pound away. I am not going to explain how to make one here (although I pretty much just did), but I will explain the idea or logic behind the order in which the keys are pressed that I found makes this process much faster. I am sure this has been found and done many times by other people, but I decided to share it here since I don't recall seeing it anywhere else.
Method
Usually the cracker (automated or manual; the example uses 5 keys and 4-key combinations) goes in the order 1111 1112 1113 1114 1115 1121 … 1534 1535 1545 and so on. It takes time, but this way it's certain, since it goes through every possible combination. You can, however, make this process a little faster. I will start with an example, for the combination set [5121 - 5135].
512151225123512451315132513351345135
Although this looks like the key presses for [5121 - 5135], this key-press set also includes the combinations
1215,1225,1235,1245,1315,1325,
1335,1345,1512,1513,2151,2251,
2351,2451,2512,2513,3151,3251,
3351,3451,3512,3513,4513
This is much more than the 10 original combinations from the [5121 - 5135] set that were intended: you get 33 total combinations. That is a 230% increase in efficiency for that range, but it is sure to change with larger sets of numbers. Using this method you can cut down on the total number of key presses without sacrificing the completeness of going through all possible combinations, which ultimately means less time to crack it, and time always matters. To the lock it looks like this:
key pressed : lock's interpretation
5 1 2 1 : lock takes 5121 as input, checks against stored unlock code
5 : lock takes 1215 as input, checks against stored unlock code
1 : lock takes 2151 as input, checks against stored unlock code
…
It's like overlapping multiple combinations on top of each other. I will post results later if I get around to making a small application to output such key sets with the most combinations yet the fewest key presses, but if you are up for it, go ahead and make one and share it. All comments and feedback are welcome. Enjoy.
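To make the difference between the two lock designs concrete, here is an added Python model (not from the original post) of the sliding-window check a sessionless lock performs, beside a lock that clears its key buffer after every 4 keys, both run over the post's own 36-key stream; the function names and the block-per-session model are my assumptions.

```python
from collections import Counter

CODE_LEN = 4  # the post's example uses 4-key codes on a 5-key pad

# The 36-key stream from the post (its own example for the range [5121 - 5135]).
PAGE_STREAM = "512151225123512451315132513351345135"


def sessionless_attempts(stream, code_len=CODE_LEN):
    """Sessionless lock: after every key press it compares the last code_len
    keys with the stored code, so every window of the stream is one attempt."""
    return [stream[i:i + code_len] for i in range(len(stream) - code_len + 1)]


def session_attempts(stream, code_len=CODE_LEN):
    """Lock with sessions (assumed model): keys are consumed in fixed blocks of
    code_len and the buffer is cleared after each block, so overlapping windows
    are never evaluated. A trailing partial block is discarded (session timeout)."""
    return [stream[i:i + code_len]
            for i in range(0, len(stream) - code_len + 1, code_len)]


def coverage(attempts):
    """How many attempts the lock really evaluated, how many distinct codes that
    covered, and which codes were tested more than once (wasted presses)."""
    counts = Counter(attempts)
    return {
        "attempts": len(attempts),
        "distinct": len(counts),
        "repeated": sorted(code for code, n in counts.items() if n > 1),
    }


def compare(stream, code_len=CODE_LEN):
    """Coverage of the same key stream under both lock designs."""
    return {
        "sessionless": coverage(sessionless_attempts(stream, code_len)),
        "sessioned": coverage(session_attempts(stream, code_len)),
    }


if __name__ == "__main__":
    for design, result in compare(PAGE_STREAM).items():
        print(f"{design:11s} {len(PAGE_STREAM)} key presses -> "
              f"{result['attempts']} attempts, {result['distinct']} distinct codes, "
              f"repeated: {result['repeated'] or 'none'}")
```

On the post's stream the sessionless model evaluates 33 windows, of which 32 are distinct (4513 is tested twice, once after 2451 and once after 3451), while the sessioned model evaluates only the 9 blocks that were actually typed. Clearing the buffer per session, plus the lockout delay after a failed block, is what removes the overlap advantage on the lock side.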
edit: made it more readable, and fixed some mistakes
Also, forgive my limited knowledge of the terms I used, which may or may not be correct; this isn't the area I mainly specialize in.