Thursday, April 5, 2012

The Kensington Microsaver

I recently had the wonderful opportunity to play with a Kensington Microsaver Lock.

I remember a few years back these guys took a real heavy media beating over their locks being able to be opened with just some rolled up cardboard.

The locks are SLIGHTLY better now. Still security theatre, but better than they were.

These things cost about $40. Heavily overpriced in my opinion. Especially since I was able to open it (although mildly destructively) in just a few minutes.

The lock only turns 1/4 turn; a quarter turn open, a quarter turn back closed.

I initially lost all self control and just went at it with a South Ord 7 pin tubular lock pick. I didn't get to see the key and really didn't pay any attention to a slightly odd, recessed cut at the top of the lock.

I managed to get it to turn 1/8 then it stopped suddenly. I just assumed that one of the pins had moved one of the picks out of the correct depth. So I pulled out the pick and reset. While I was resetting it, I noticed something at the bottom of the recessed cut, it looked a lot like a pin.

I grabbed a probe and pushed it a bit, sure enough it moved and it was sticking up into the cylinder preventing the plug from turning. At this point I cursed myself for not taking the time to look at the lock and actually think about what I was doing.

I tried a few different things to push the pin down and turn the cylinder at the same time, no luck.

Then I thought, well if I can't press it down, maybe I can get it out. With that thought I grabbed a pair of needle nose pliers and tapped the lock body with the rubber handle a few times. After about 3-5 light taps the pin popped out. I grabbed the tubular pick again and turned the lock the rest of the way open. Another pin popped up into the recessed cut, tapped it a couple times and that pin popped out.

After removing both the driver pins (the pins that were popping into the recessed cut) I closed the lock back up but the set pins dropped down into the gap left by removing the driver pins (surprise surprise), thus rendering the lock inoperable.

So you use your tubular pick to pick the lock and move it 1/8 turn, tighten down the pick to keep the pin depth, remove the pick, tap it a few times till the driver pin falls out, re-insert the pick, move it another 1/8 turn, lock is open. Total time, probably less than 1 minute. You only need to remove the 1 driver pin as by the time you encounter the 2nd pin you already have the ability to remove the lock from whatever device it's supposed to be protecting.

Here's a picture of the driver pin that pops up and out.

Here's a picture of the lock body itself

And here's a picture of the face of the lock, it turns clockwise and the red arrows point to the two pins locations that I popped the driver pins out of. Right at the top you can see the recessed cut that the driver pins pop into to stop it from turning.

I finished tearing the lock apart this weekend.

First, let's get a better picture of the lock on here.

This is the end that gets inserted into the device that you're trying to lock down; notice the 2 posts. On the laptop I checked (Dell Latitude E6420) there was enough room to move the lock around to be able to get a Dremel or saw blade in there and cut the posts; this would allow you to remove the lock easily. I think you could get away with just cutting off one post. Still not easier than using some tin snips on the cable. But if you needed to remove and put back the device several times without arousing suspicion this would work.

Alright, so after removing the rubber bumper and the little orange ring we see that a snap ring is the next obstacle.

After more than a little swearing and just about skewering myself with a screw driver a few times I managed to get it off. This allows the harness that holds the cable to the lock body to be removed. The part outlined in red is the harness.

Here's the harness removed

And the two parts that make up the harness

Now we can turn our attention back to the lock body, I had to drill out 2 brass plugs on opposite sides to get the shroud off the lock.

Drilled out

Now we have the naked lock. Notice the key-way at the front of the lock (left side); that is where the extended bit on the key goes to prevent the driver pins from popping up and stopping the lock from turning.

Here are two exploded views: the shroud (far left), driver and set pins and housing (middle), and posts (right).

This is the driver and set pin housings separated.

The 5th driver pin clockwise (red circle) is different than the rest of the pins, I'm not sure if this was a manufacturing mistake or intentional. If intentional I have no idea what purpose it would serve.

Closeups of the driver pin in question:

The set pins are not unique or different in any way that I could find.

Here's a picture of the key. Notice the extended knob on the top of the key. You can easily remove that knob with a pair of pliers. I assume you could drop that into the lock prior to inserting the tubular pick and bypass the driver pins from jumping up into the cylinder.

That's it.

Next lock post will be about a master lock that I absolutely CANNOT get opened.

1 comment:

  1. Encountered exactly this scenario and essentially ended up with a blown lock once I removed the driver pins. With your pictures, now I don't have to do all the disassembly myself :) That said, I'm curious to try the "key nub" technique to bypass the drivers you suggested. Nicely written up!

