Kwikset repinning question...

[geonap]

You need to have the ball bearings at the shear line. Think of them as pins that are captured and removed. The rotation is absolutely critical to removal. The ball bearings fall into those holes in the plug, and are removed from the pin stack upon rotation. I suggest drawing a picture of the bottom pin, ball bearing, top pin and spring in relation to the shear line when both keys are used.

The concept can be a bit tricky, but the drawings will help.

I'll give that a shot... I was pretty sure the rotation was key. This lcylinder did not have the bearings inside of it, but I imagine they use the same cylinder for multiple locks (even if they don't use the bearings in the specific design).

[Chucklz]

Yes they do. Now all you need is to find someone with bearings they are willing to share. I unfortunately do not have any.

[WDPaladin]

Agreed with Chucklz, with Qwiksets there is a small silver tab across the top of the cylinder. Use a tension wrench (or something similar if you dont want to mark up your wrench) and just pry it off from the side SLOWLY so as to not lose the springs. I ran into the same thing at first and I thought "there has to be an easier way!" and then noticed the silver tab- saved me a great deal of time compared to having to remove the plug.

WDPaladin

[geonap]

Agreed with Chucklz, with Qwiksets there is a small silver tab across the top of the cylinder. Use a tension wrench (or something similar if you dont want to mark up your wrench) and just pry it off from the side SLOWLY so as to not lose the springs. I ran into the same thing at first and I thought "there has to be an easier way!" and then noticed the silver tab- saved me a great deal of time compared to having to remove the plug.

WDPaladin

I just wish I would have figured this out "before" I destroyed most of the springs... lol... now I have to wait for my repinning kit, which should get here tomorrow or the next day. Extra springs are good!

[WDPaladin]

No problem, glad I could help. GL with the repinning

WDPaladin

[yegg57]

The system that Kwikset (and other manufacturers) uses is called "lost ball" or "dropped ball" keying.

In the case of Kwikset the balls are .046" in diameter which equates to a #2 master pin. Each step in the Kwikset system is .023".

In factory keyed locks there is not one, but three "protecto-key" balls in the operative chamber.

When the "construction key" is used in the lock the "protecto-key" balls reside below the shear line in the plug.

When the end-user's key is used the "protecto-key" balls are pushed above the shear line into the "bible" of the cylinder. When the plug is rotated the balls are pushed down by the springs into the smaller dimples machined into the plug.

Since the balls are no longer in the "pin stack" the construction key is effectively locked out.

This does leave a problem for the new home owner as the cylinder is still MASTER KEYED.

One master pin in one chamber will let two keys operate the lock.
One master pin in each of five chambers will let 32 different keys operate the lock.
2*2*2*2*2 =32 OR 2 to the 5th power (2^5) = 32.

Any skilled locksmith or any relatively informed amateur that knows the cuts of the builder or construction key can fabricate a set of 5 keys that one of which will definately open any/all of the locks that are construction keyed. I have fabricated such a set and amaze / STUN customers on an ongoing basis.

I hope that this clarifies some of the misconceptions that I have read on this subject.

I hope that y'all find my first post to this forum helpful and informative.

Thanks and have a GREAT DAY!
Charley

[Raccoon]

This has been a very informative thread for me. I have never heard of a "construction key" or the use of captured ball bearings to retire old keys when a new key has been put into use.

I also have to commend geonap for having reverse engineered this lock on his own. Most of us learn how pin stacks operate from diagrams, such as presented in the MIT Guide to Lock Picking, and not from hands-on disassembling of a lock. This is a great example of intuitive troubleshooting.

There are still a few points I'm confused on:

1. Why bother spending more money on designing/implementing such a lock with a short-term purpose, when it would probably be cheaper to have the locks re-keyed when the owner moves in? A construction key may be used for only 3 months, while the owner's change key may enjoy 30 years of use.

2. How did geonap's lock NOT have any ball bearings in it? If there were no bearings in the capture holes, how did the driver top-pins sneak by without getting captured and stopping the plug from rotating ever again?

3. yegg57's first post on this forum mentions a lot of new language I've never heard before. I was hoping someone might explain what technology and terminology is standard or company branded. "protecto-key", "bible", "lost ball", "dropped ball", etc.

4. To yegg57, could you explain why there would only be 3 bearings in this type of lock, as opposed to the 5 as pictured in geonap's lock? I figure any number of pin stacks can contain a bearing, with the remainder unused bearings ready-placed into the "bible", thus keeping the key random... but definitely 5 bearings are needed total. And why do you say the cylinder is still master keyed? What would allow the construction worker to figure out how to duplicate the owner's change key from his own construction key, if he doesn't know how many pin stacks contained a bearing?

[Raccoon]

Btw, yegg57, welcome to the forum! That was a great first post, and thus my reason for pointing it out.

You should add yourself to the member maps so we can include you in any Southwest activities that may arrise. (Need more southwesterners so we can outnumber the midwest )

PS. I'm still confused how you managed to make 5 keys which open EVERY construction-keyed Kwikset lock.

[yegg57]

The 3 balls would be in 1 pin chamber. They are so small 0.046" that you could probably fit 4 or 5 in one chamber, but I guess that the Kwikset engineers determined that 3 would do the job.

Unfortunately for y'all, ethically I don't think that I should put my entire concept including the "how to" into public domain.

I am sure y'all understand that if just anyone can access this forum that would include burglars, rapists, etc.

The balls would be in addition to the master pins which I have found to be in all 5 chambers.

Thus with one master pin in each chamber creating 2 shear lines in each chamber (2*2*2*2*2=32) for 32 potential keys opening the lock with the addition of the balls in ONE chamber the number of potential keys operating the lock would increase to 64 until the balls drop, unused, into the dimples milled into the keys.

re: short use / cost contianment - That might seem to be the case, but consider the builder has many carpenters, plumbers, electricians, etc. that carry ONE consruction key for hundreds or thousands of houses. Once Suzi Homemaker uses her key once, it locks out the construction key. Unfortunately for her, it does not eliminate the 5 master pins, one in each chamber of her lock thus permitting me or others to make up a 5 key set that can open virtually all of the houses that these locks are used on.

I don't know anything about member maps, but I am in Phoenix.

Thanks and have a GREAT DAY!
Charley

[Raccoon]

Ah, ok. I wasn't considering these locks as part of a master system so that contractors need only 1 key to access every house on the site.

This IS bad security, especially in Kwikset locks which aren't designed for large-scale mastering systems, and I wholly agree with you. The n^m odds of picking a lock with multiple shear lines is widely recognized, which is why it's important to use quality locks, preferably with restricted blanks, and at very least include security pins in such systems.

I'm still confused with the use of multiple ball bearings in such a lock, though. Would each cylinder be custom drilled with the necessary number of capture holes-- so that a pin stack containing 3 balls would have 3 parallel holes that captures each of the bearings as the plug spins around with the owner's change key? Or are the balls somehow extracted from the pin stack within the key's biting, and when the key is removed from the lock the bearings fall to the floor?

These forums are accessible to the public, but I hardly feel that revealing the security flaws in poorly designed mastering systems is going to cause wide-spread panic. Addressing these issues is the best way to prevent contractors from using these systems in the first place. None of us condone security through obscurity here.

[illusion]

None of us condone security through obscurity here.

That would depend - I have no trouble regarding picking since it is a skill, and could be argued as much a hobby as hobby gun shooting. Both can be used for ill, but both can be used ethicaly. At destructive, and super fast bypass I personaly draw the line, but everybody has their own stand on this.

[Raccoon]

At destructive, and super fast bypass I personaly draw the line, but everybody has their own stand on this.

But we frequently discuss the uses of burglary tools and how to harden a door or lock against them. Are you sure we draw a line here?

But then again, this is simply how a combination of pins and balls can weaken a lock and permit generic keys to open them. I'd think bumpkeys would be more sinister.

[yegg57]

First, about the balls - the balls are SO SMALL.... 0.046" if you put in a bottom pin and drop 3 of these balls in on top of it there is room for 1-2 more for them to sit SIDE TO SIDE laying on top of the bottom pin. It is NOT like

bottom pin - master pin - master pin- master pin- master pin- top pin
(which could be used in a MAISON situation)

where each master pin would increase the height of the pin stack.

This would be bottom pin - <3 balls = 1 master pin> - master pin - top pin.

if you put in a bottom pin and drop 3 of these balls in on top of it you would see that all 3 are directly contacting the bottom pin and that there is room for at least one more within the diameter of the hole in the plug. These are VERY VERY TINY balls - so tiny that all three will drop into one dimple in the plug and leave room for more. Perhaps when I go to the shop tomorrow I'll take a picture or two and post pictures...

Each Kwikset plug is pre-drilled from the factory with 5 dimples that are a smaller diameter than the pins so the top pins or master pins won't fall into the dimples.



RACCOON WROTE: The n^m odds of picking a lock with multiple shear lines is widely recognized, which is why it's important to use quality locks, preferably with restricted blanks, and at very least include security pins in such systems.

MY REPLY: Quality locks is definately the FIRST issue. Kwikset locks, made from cast pot metal, have much lower tolerences than many other manufacturers' locks which are constructed from machined extruded brass. The Machined brass cylinders usually have much tighter tolerences, depending on manufacturer. "restricted" blanks is another issue. The keyblank used in a lock has little or no impact on the ability to pick the lock, only whether or not the customer (or crook) can have the key easily duplicated which is another issue all together.
The SECOND issue would be "ordinary security" VS. "high security" So called "restricted" keyways in "ordinary security" locks can be relatively easily picked and keys can be fabricated to pass the so-called restricted keyways. On the other hand, HIGH SECURITY locks implement a number of systems, frequently utilizing a "side bar" that (a) thwarts picking attempts, (b) has patent protected keyways, and (c) has hardened steel pins and inserts strategically placed within the cylinder to protect the lock against drilling attacks.



RACCOON WROTE: These forums are accessible to the public, but I hardly feel that revealing the security flaws in poorly designed mastering systems is going to cause wide-spread panic. Addressing these issues is the best way to prevent contractors from using these systems in the first place. None of us condone security through obscurity here.

MY REPLY: I am, by definition, revealing the security flaws. That does NOT mean that I am willing to provide chapter and verse as to my (perhaps patentable?) methods of deducing and creating the so-called "BUILDER MASTER KEY SET" to the general public so that any crook who might happen to be reading this forum would have step-by-step directions as to how to make these keys. If anyone is THAT interested in what I have described there are sufficient resources available to the general public that someone, sufficiently clever, can recreate what I have done without such instructions. I am not being mean or harsh here, its just that I have my limitations. When asked the other day "How would you open that safe?" I replied "I'd probably just drill it." My worker, without consulting anyone else, decided to drill through the center of the dial all the way down through the lock essentially making it impossible to open the safe by traditional methods without much more significant damage. I would tell people here "I'd just drill it." but I would NOT say drill X.X" from center of the spindle at #Z. SORRY - MY ETHICAL LIMITS - TAKE IT OR LEAVE IT BUT IF I RECEIVE SIGNIFICANT CRITICISM I CAN CEASE POSTING HERE.

Terminology:

1. BIBLE - most often used describing knob lock cylinders - the portion of the cylinder that houses the top pins and springs. It is part of the HOUSING that the PLUG lives in.

2. PROTECTO-KEYED - This is a term that was trademarked sometime in the 1960's that is another way of saying "CONSTRUCTION KEYED". The protecto-keyed system utilizes the "DROPPED BALL" or "LOST BALL" concept.

3. DROPPED BALL or LOST BALL - this is a system where the lock manufacturer has included small balls into the pin stack. When the construction key is used the balls are retained in the plug. I.E. The construction key is cut sufficiently deep that the bottom pin and the balls are both in the plug. The USER's (home-owner's) key is cut higher than the construction key forcing the balls to be pushed up into the bible. When the USER's key is turned the pressure of the springs pushing on the pin stack forces the balls out of the bible into the dimple milled into the plug, thus removing them from the pin stack and locking out the construction key

4. PLUG - the portion of the lock that the key goes into that rotates within the housing.

5. MAISON - The cylinder is pinned in such a fashion that many user keys can operate the cylinder. This would be useful in a situation where you have an apartment building or office complex where each tenant would have a unique key to their individual unit but all of the unique keys would need to open the perimeter doors.

I hope this answers some questions and/or clears up any misconceptions.

Anyone having other questions can e-mail me directly at:
charley AT LocksmithCharley DOT com

Thanks and have a GREAT DAY!
Charley

[yegg57]

Yes, Hobbyists can fabricate picks and play with them and use them on their own locks at home.

If a hobbyist is stopped by police and found with lock picking tools, bolt cutters, pry bars, hammers, etc. ad. nausuem, they can be CRIMINALLY CHARGED with possession of burglary tools.

In my professional opinion (and I could be wrong) lock picking consists primarilly of LUCK.

Having said all this, in my "professional experience" the most desirable form of entry for burglary is NOT lock picking or fabrication of keys but the entry is USUALLY accomplished by the kicking in of the door, preferably a BACK door out of view of the public.

[Raccoon]

Sorry, I didn't mean to be critical of your ethical code regarding the HOWS of your magic keys. I just wanted to know the basic principal so I could understand what you're talking about. Up until now, I didn't understand what you meant by multiple ball bearings either. You did a fine job explaining that better.

I still don't believe it's possible for a keyring of 5 strategically guessed keys to open 1000+ locks of this kind-- but don't interpret this as a challenge to reveal your secrets-- just that it doesn't make sense to me, even with a solid understanding of how master systems work.

And I'll explain. As every lock is getting rid of X unknown number of bearing stacks, it's essentially getting rid of any number of master pins. Right there you have 2^5 combinations to work with. Granted, this is still pretty weak because the bearing depth to the next sheer line is predictable, and whether that sheer line belongs to the master key or the change key is unimportant. But I don't see this working with any less than 32 tryout keys.

Thanks for this new information though. Pictures would be wonderful, as well as lock make/model.