Action Packed Interview With a Master Auto-Locksmith
- Tricks of the Trade
- Bypassing Secrets
- Car Locks Explained
- Newest Lishi Developments Exposed
- The Future of Auto Lock Picking
Most lock pickers don't go anywhere near picking auto-locks (car locks) since they tend to spend their time on the never ending, and endlessly frustrating selection of pin-cylinders.
But recently Lishi, who have traditionally made tools for auto-locksmiths have been releasing picks for domestic locks such as Schlage and Kwikset, which use much the same techniques and style of tool they use for auto-locks.
YouTube Lock Picker LockPickingLawyer demonstrating the LISHI HU92 2 in 1 lock pick on a practice lock. The guides on the outside of the lock pick mean you're essentially picking the lock using information provided outside the lock.
Inevitably, the YouTube lock picking celebrities have been getting their grubby mitts on these picks and interest from the locksport community has gone crazy, with a large proportion even venturing into auto-lock picking.
So, what a perfect time to speak to my friend Jack who is a professional auto-lock picker and can open car locks with the Lishi picks in under a minute, and he's now doing the same with the Lishi domestic picks. This is a long interview, but trust me, there's lots of information that will inform your lock picking whatever locks your picking and there's a few bombshells in there, including the mind-blowing finale, which will really get your nogging jogging and consider the future of security in a different way.
So, grab a cup of tea or coffee, sit back and enjoy, I know you're going to be fascinated and learn from this incredible interview....
For ease of reading, everything Jack says is in Bold, and everything I say is not. Without any more delay, let's get into this. Enjoy!
Hello Jack, thank you for joining me today. So let's just get into this. How did you get into auto lock picking?
Part of my job involved getting into cars. I spent a few years using the old techniques, the company gave us some wedges, a selection of rods, and a window wind-down tool, which looks kind of like a Slim-Jim, but has like a two inch hole in it and you wedge the door open slightly and use it to wind down the window.
An Inflatable Air Wedge holding the door open allowing the locksmith to insert a reach rod and open the door manipulating the door handle from inside the car.
The business end of the window-winding tool complete with piece of string to pull the rod over the window winder.
With that selection of tools did you have a high success rate getting into cars?
At first it wasn't so bad, but as cars improved so did the security, more and more were either full or partial electric, or fully electric windows all round, they also came with deadlocks.....
Jack, can you explain what a deadlock is?
A deadlock is when you lock the car it disables the interior handles, so even if you were sitting inside the car, there is no way for you to get out of that car. Well, you can smash a window, but apart from that it makes wedges and rods almost obsolete.
So I'm assuming that pretty much left you a bit lost when it came to non destructive entry?
Well, with some cars we... er... procured information on the electronics, so you could still use a long rod, get through, pull the bonnet catch, and that would get you under the bonnet. In most vehicles then, the electronics are under the bonnet and you could locate certain relays, for instance you could power up a certain relay and that would turn on the ignition. Now that wouldn't take the deadlocks off, but you can go back to your wedges and rods and just press the window button. Because you've powered up that certain relay, the ignition is on, so the window would wind down and you can let yourself into the car.
Typical vehicle electronic relay system, inside knowledge of which could open the central locking and turn on the ignition - meaning you could then open the doors.
Where would that information come from? How did people find out you could do things like that?
That filtered down through the company I worked for, trade secret kind of stuff, but guys out in the field who were master technicians at some point in the companies, manufacturers like VW and Ford, since they used to work for those companies, they knew how this stuff worked, they designed it in some cases.
So was this information 'leaked' so to speak? I'm not sure car manufacturers would be too happy with that kind of information getting out on the street.
Well the company I worked for then has accounts with all those manufacturers anyway, so they do give us a little bit information to make our job easier as it also makes the customers experience of owning that brand better, rather than being stuck in a motorway services after a twelve hour drive with the family, the locksmith has some useful information to work with, and the 'brand experience' is better, than being stuck there for hours and hours.
I'm blown away! This is what I love about lock picking, the ingenious ways you can get around a multitude of security features, whether it's a Medeco Biaxial pin cylinder which they threw the book of picking prevention measures at, or an auto-lock, having to pop the bonnet, power up an electric relay to turn on the ignition, then use a rod and wedge set to open the window. I used to dream about these things as a child!
The Medeco Biaxial lock, one of the most secure pin-cylinders in America. And yet if you read Marc Tobias' excellent book 'Open in Thirty Seconds' there's even many ways into that, if you know what you're doing.
Some of these things were found by, what shall we call them 'the criminal element', who came up with a lot of tricks and techniques - the Slim-Jim came from criminals - which would travel like gossip and make its way to professional auto locksmiths. And these days of course, such information is leaked online and anyone who knows where to look can find it. One such bypass that's been around for years and years, was when Volkswagen put electronic oil level sensors in the sump, back in the 1990s, someone worked out that if you powered up a specific wire on that, you'd turn the ignition on.
What exactly do you mean 'Powered up', just attach it to a battery?
Yes, you'd just get a battery, use a power probe or something like that. So you'd use a separate power source like a battery, you'd connect the earth to the chassis of the vehicle, and then you'd use your fresh twelve volt power source, put a feed to one of the wires - there's five or six to choose from and if you get it wrong you'll damage the car - but, if you get it right, it will allow you to use a wedge, put a rod through and use the electric window switch.
Wolkswagen oil sump sensor, amazing how someone worked out you could power up the ignition with that!
So, what you're doing is finding loopholes and then the manufacturer closes that loophole and so you look for another one. A bit of cat and mouse.
Yeah, I mean when manufacturers build cars, they don't expect people to go to such extreme lengths to get into them, much like with your pin cylinder lock picking. A good example is the early Ford Transit vans, the ones with the tibbe locks, I'm talking early 2000s, the tibbe pick was very rare then, but someone found that if you undone the three screws on the wing-mirror, there's three 8mm bolts on the outside, you could get to the wiring loom for the central locking system. You then power up a wire, and it would open all the central locking for the doors. When Ford found that out, that this information was out there, as a quick fix they fitted snap bolts, so when they tightened them up, the heads snapped off. They then changed all the wires to the same colour, so unless you had a wiring diagram you wouldn't know which was which. Then when the Transit Customs came out they changed a lot of it about. Thankfully.
It's bad enough installing a tibbe lock in the first place, I think it's a terrible lock, an unimpressive piece of security equipment. But then to have these additional bypass tricks is just negligent.
Well actually, believe it or not, when the tibbe lock came out, it was actually quite revolutionary, it was ahead of the game. The tibbe came out in the mid 80s, it was fitted to the Ford Sierra, which was what, 1988, 1989? Whereas all your other cars were using very basic wafer locks, some cars were even using pin cylinder locks. Going back to the '60s...
Actually, I remember my dad had a Morris 1000 van, and that had a key that looked like a Yale 1A, and was probably a pin cylinder.
A lot of cars had those, and very basic wafer locks, and wafer rakes have been around since wafer locks, it's just a rake. Auto-locksmiths made their own rakes, just with a variety of key-like shapes.
A Wafer Rake set, a very basic and simple to use set of tools that would get you into most vehicles which used equally simple wafer locks.
it really annoys me. I've been in the lock picking game for decades now and I can't believe the quality of locks. People buy these things to secure their homes, their cars, some mother buys a padlock to secure her child's bike, and she trusts them, she assumes it will work, and yet as lock pickers we know most of them are not fit for purpose. A noob can rake most padlocks in about an hour of learning. So I guess my question is, were the car companies responding in decent time, or were they - or are they - happy to sell vehicles with sub-standard security?
Well going back to like the 1950s and 1960s you could pop the bonnet just by putting your hand under the bonnet and pulling a handle. They used to have those little vent windows too, which you could pop open with a butter knife, slip your hand through and you were in. There were no immobilizers, nothing like that, there was no trim, so it was pretty simple, and you're in. The pull the ignition wires out, that's your hotwiring, and there was no steering locks, it was really quite easy to get into those old vehicles.
The almost laughably ridiculous vent window on an older vehicle.
In fairness there's a cultural element too, I doubt there were anywhere near the amount of cars being stolen in the 1960s as there are today. So really, there wasn't the need for all that added security.
Considering the amount of cars on the roads then, there's the simple fact that not so many would be stolen. And as cars got faster their role in organized crime rose, because the get-away vehicle became a thing. No one's going to rob a bank and try and get away in a car with a top speed of 40MPH. But as they got more powerful, fast cars were in demand from thieves. A classic example is the Sierra Cosworth, all the thieves wanted them in the late 80s as they could outrun the police they were so fast. Things got so bad insurance could be 30K a year. And to even get that you had to fit an immobilizer, Ford didn't even give you one, and they had the tibbe locks....
Ford Sierra Cosworth, you probably last saw one in about 1987 going about 90MPH with a police car somewhere behind it. It had a tibbe lock! Seems mad now, and I'm sure in future, new generations of lock pickers will laugh at the locks installed in cars today.
Hang on, the Sierra Cosworth had a tibbe lock?
Oh yes, pretty much every Ford made from 88-89 onwards, they were all tibbe locks. Now I know that seems absurd now, but in those days, all criminal elements had rakes, and basic pick sets, but there were quicker ways in, you could bend the door and pull the handle with a bit of bent wire. But they soon started fitting deadlocks, and the tibbe was a disc detainer lock, which had been around for years. But what they'd do is put the tension on random discs for added security.
Can you explain that?
So you've got six discs in your standard tibbe lock, each one has four cuts. And so one disc would be your tensioner disc. So they could come with either one, two, or three tensioner discs in the lock.
But doesn't the tibbe now just have the one tensioning disc? Or do you go through them all to find it?
You put your tibbe pick in, turn it all the way to the unlocked position. and the tension arms that don't move at all, that's your tensioning disc. So you can have up to three. But then you've only got three discs to pick, so out of a six disc lock, you've now only got three discs to pick, and that was to make the lock more reliable, because as we know they're made of chocolate. So they used them as their deadlock. But when the tibbe pick came out it screwed them, because without that, the tibbe lock needed loads of training, loads of practice and knowledge. But the tibbe pick changed all that. So in a way Ford were chasing their tail, because they then made it with really heavy tension, with one tensioning disc. So when you put your pick in and picked it, when you went to pick it, it broke the pick. So, weirdly, when I did lock-outs on Transits, I would prefer to get in the old-fashioned way, rather than break my pick and have half the pick in the lock, and have to buy yet another tibbe pick at like forty quid a go, or whatever.
So when was the big revolution, when we get to the 'laser' locks, or the 'inner groove locks'?
They started to arrive on the scene around 1995-1996?
And can you tell me why they're called 'laser' locks, or 'laser' keys?
Just marketing, I think. I've never seen a laser cut a key! And there's definitely no laser in the lock!
What about 'inner groove' is that just marketing?
I think that does make a bit more sense. When you look at your key it's a flat piece of rectangular metal and it has a squiggly groove in it, an 'inner groove' you could say. Your wafers have a little protrusion which match that squiggly line and that's your locks biting essentially. So that squiggly groove is moving your wafers up and down. So, as you put your key in, you've got a protrusion on one wafer, and the wafer next to it has a protrusion on the other side, and when the keys all the way in, it moves all the wafers to the correct position, the lock opens, because there's nothing in the way to prevent or obstruct - just like a pin in a pin cylinder - to stop the core from turning and the lock opening.
A 'laser' or 'inner groove' key. No laser, but definitely an inner groove.
So what did you do then? Were you coming unstuck a bit as an auto-lock picker? How did this affect your job?
I was still doing it the old-fashioned way, wedges and rods, and powering up electronics.
So during that time, mid 90s, an auto locksmith is going to a job with rods, wedges, wafer rakes, jigglers, and electronics diagrams.
Pretty much, yes, and sometimes a few personal tricks up their sleeves.
Can I ask you, I know plenty of domestic locksmiths who've gone to a job, it's pissing down with rain, the family is standing there shivering their teeth loose and the locksmith can't get in. Have you ever gone to an auto lock job and not been able to get in?
Oh yes. You can have all the tools in the world, but for instance the HU66 and the HU64 are classics for it. The wafers seize up. It's quite ironic that they have become more secure because the lock has failed. Sometimes I've sat there for a good forty minutes with a can of WD40 slowly trying to work the wafer loose. Sometimes they're that far gone, there's no way you can pick that lock - whatever tool or tricks you have. A lot of the time the car has a flat battery, and the mechanical key doesn't work, the customer has got the key in their hand. But because they haven't used it in like ten years, the lock has just seized up, grit, salt water, whatever. But they haven't put that key in the lock, like never, they've used remote central locking. Lack of use, basically, so you can't move the wafers, so it's just a flat battery, which is a problem.
So ironically, the jobs you struggle with are where the lock has failed, or seized, rather than the manufacturers security?
Exactly that. If the lock's broken it's broken. So it's a case of drilling the lock at the side of the road, not nice. I won't drill a lock unless I absolutely have to, such as when there's kids in the car, or medication that's required. Otherwise we'll stick it on the back of a truck and take it to the dealer and let them deal with it.
Have any customers ever got angry with you?
Ha ha, not really no, I mean the company I work for now don't actually offer a lock picking service, it's more of a courtesy or goodwill gesture.
That courtesy or goodwill gesture is the difference between you driving home or having this happen while you wait for car to come along and drive you home.
So it's like you're there and you say, "I can see if I can sort this out here for you, but if not we'll put your vehicle on the back of a pick-up and drive you home" and then let them sort it out with their dealer?
Yes, I mean we don't even get picks supplied, we buy our own lock picks. But if we can't get in and I don't want to drill, we just smash a window. We have this industrial grade cling film called 'Crashwrap' which we adhere to the window, smash the window with a center punch or something, and then you can just roll up the Crashwrap which has all the broken glass stuck to it. Then I put more Crashwrap over the missing window and the customer can drive the car home, get a window specialist to replace the window and their dealer to replace the broken lock.
Crashwrap (AKA Collision Wrap) on a vehicle window after smashed window has been removed.
Right, let's get down to the good stuff, the real reason I wanted to talk to you, because I saw you pick about five car locks in about three minutes. You're a bit of a master Lishi picker. When did the Lishi picks arrive and change your whole auto lock picking game?
The first time I came across anything resembling the Lishi picks, I was told by a friend about this new auto pick. The company I worked for were so impressed they bought a few at trade price and dished a few out. I wasn't on the receiving end, but I went and bought my own. They were actually called 'Blind' picks, not the 2 in 1 Lishi's we know today.
The Lishi 'Blind' pick, the precursor to the Lishi 2 in 1. The tensioner has a fold out part with holes that match up with the wafers in the lock, allowing you to put the pick in and pick the wafers.
They were a long tensioner, a blade to put in the lock with holes that matched up with the wafers, and a pick that went through a slot in the tensioner and into the blade, so you sought out the holes and you could then pick the wafers as you were nicely lined up with them. So I started off with those, bought a few cheap locks off eBay and got practicing. There was some weird things though, like the passenger doors opened almost immediately, and the driver door was a real pain. But if there was no passenger lock, you'd pick the driver lock into the locked position and then use a plug-spinner to flip it over and boom! It was open. There was also the inner groove rakes, which were quite the game changer too, well, certainly for the HU66 VAG lock.
The Classic HU66 VAG rake, incredibly effective on the huge range of vehicles that used the HU66 lock.
So you played about with the Blind picks, the HU66 Classic rake, and the like and then the now legendary Lishi 2 in 1 pick came out, where you could both pick and decode the lock. How did you get into those?
I just went and bought a couple and they weren't cheap. I mean they're not pocket money now but I think they were asking 200 quid a piece back then.
Exactly. So I stayed with the Blind picks for a couple of years, but they wouldn't open every lock, for some reason they couldn't deal with high cuts, which is a problem when you're dealing with eight or more wafers, since one or two of those will almost always have high cuts. Now I'd heard that the company had a few of the 2 in 1 Lishi's, and I was stuck on a job, so I called my boss and asked if I could give them a go. And it was amazing, such a well designed tool. So after that I bought a couple, and I had a couple of practice locks, stuck them in the vice, put in the Lishi and had a feel about, got to know how the pick works, what the feedback is like, how much tension you need, what a binding wafer feels like etc., and, well, if you've mastered one or two 2 in 1 Lishi picks, you've mastered them all.
The Lishi 2 in 1 - named as such since it will both pick and decode the lock. This pick was an absolute gamechanger for auto lock picking, and things haven't been the same since. The lock is picked using information seen and felt outside the lock. An incredible piece of design and invention.
Amazing, and you really have mastered them, I was blown away at the speed and efficiency of watching you pick those locks. But what I don't understand is how you've learned all the tricky little details, like some of the things I've seen you do, leaving certain wafers for later, going through them in different orders and things like that. How did you pick up all those little nuances the different details between the different locks, and there's nearly a hundred Lishi picks aren't there?
Yes, there's a lot of them. But it's the same as picking a pin tumbler, you look for the binder and pick it. And also with a Lishi you'll occasionally find a security wafer, like a spool pin in a pin cylinder. And when you pick that one, three other wafers that you'd already set, will pop back down into place. So when that keeps happening with a certain number wafer, it binds, then sets, but then sets again, then three already picked wafers unset - basically something weird is going on, and even if you do it really delicately, so other wafers don't drop down, the lock still doesn't open. So after a few tries you think, I'm just going to leave that wafer alone, and you pick all the rest and the lock opens. It's a security wafer, to cause you problems. So next time you encounter that lock you keep an eye out for it, but sometimes they don't have them, it's like a....surprise!
Ha ha! Keeping you on your toes.
Yes! You don't see one for months and then six months later you recognise that feel, you recognise it's a security wafer, it sets once, twice, three times, and so you just ignore it, and the lock opens without you even picking it.
But Jack, I've had customers write to me several times and they just can't get the hang of Lishi picks. I mean don't get me wrong I get loads more telling me they're blown away, but some people just can't seem to get the hang of them.
Oh, I've had a colleague right there with me and I'm telling them exactly what to do, and how to do it and they can't manage it, it took one bloke an hour, I fell asleep twice, ha. But it's the same as pin cylinder picking, rather than going at it like a delicate operation, they're all ham-fisted, too much tension, like they can turn the lock open, and they want to force the wafers rather than pick them, it's a tiny piece of metal, a wafer, and the picking tip is tiny. Just be patient and and less aggressive. Like all picking it's usually lack of patience, too heavy-handed, and they want to know it all too soon.
Yes, lack of patience is the bane of new lock pickers, and lack of patience leads to frustration, and frustration leads to heavy-handedness, and all that together leads to the lock not opening, and that's terrible for morale, especially for noobs.
I think when I show them me using a Lishi, I should slow down, I'm giving them a false sense of ease. I mean picking with Lishi 2 in 1 picks is simple, and half the time people make it harder just because they won't relax and because they don't realise a lock picking tool is only the tool, it allows you to use your knowledge and skills on a lock, it won't just open the lock because you want it to.
Tell me about it. We have five customer service agents and daily they'll all get a couple of messages saying words to the effect of (in various states of rage) "I bought this pick and it doesn't work". I often picture them putting it in the lock and just waiting. But we ease them back to reality and it's a nice feeling when they write back a week later with an emoji-filled message about how chuffed they are that they've picked a couple of padlocks.
Yes, I've got friends who just don't have the character for lock picking and have given up completely. I guess it's not for everyone. But like anything, practice, patience, and staying focused will get you there. The best tip I can give is to take breaks. Don't sit there for hours trying and failing to pick a lock, walk away and do something else, then a couple of hours later you can come back refreshed, not frustrated and all tensed up and try again.
Right, I want to talk about what the lock manufacturers have been doing in response to the Lishi explosion. I mean Lishi are now making domestic picks, for the likes of American locks such as Schlage and Kwikset. Same principle, the picks look the same and they're the talk on all the lock picking forums. But I want to stick to the auto picks, because you were telling me a couple of weeks ago about what the HU66 people, the VAG group have done to try to combat the Lishi picks. For people who aren't familiar with Lishi picks and auto locks, the VAG HU66 has really suffered since it's used on such a wide range of vehicles.
Yes, the HU66 is used on Volkswagen, Audi, Skoda, Seat, Porsche, Lamborghini, and Bugatti. That's a lot of cars that one Lishi pick can open with relative ease. Yes, they have really taken the brunt. But you know, most of those cars, are very expensive cars, and are stolen to order. You could have a hundred thousand pound car, and it will be stolen and be in Romania in twenty four hours. You know, you've got something like an Audi RS6 and someone can open it with a forty quid tool, they really stepped up their game. So they designed three different locks, for the HU66 VAG group.
Audi RS6 door lock, which Jack can open in less than a minute with a Lishi 2 in1 pick and then go and make a new key having decoded it with the same tool.
So, this is the latest update to auto locks, this is the most recent attempt to make using the Lishi 2 in 1 problematic? Because, just to summarize, the Lishi HU66 would get you in all those expensive cars in minutes, and you're telling me they've installed three different locks into the VAG group. Why do I feel I am not going to be impressed?
Ha! So they've bought out three new locks, the HU162(8), which is an eight wafer cut, which is almost identical to the original HU66, just eight standard wafers, different keyway, so the HU66 won't pick it, but after that it's much the same from a picking point of view.
The brand new Lishi HU162(10). The VAG group corner cutting added security hardly lasted.
Then there's the HU162(9) which has six normal wafers and three side cuts, similar to the sidebar on a pin cylinder I suppose, like three little pins on the side, then the HU162(10) is the same set up, but it has six wafers, and four of the side cuts.
The Lishi HU162(10) with the four numbered sections and picking lever to deal with the side pins.
But you can already buy the Lishi HU162(8), HU162(9), and HU162(10). So couldn't you just take those three to those jobs?
Yes, but it does require more skill, and all four picks - because it also depends on the year of the car. Some cars can sit in a storage yard for years, so although it might be a 'new' car, it might have an older lock. I believe the Volkswagen Transporter has only just this year, 2021 started using the HU162(8).
Jack, why would a hundred thousand pound car have such a bad lock?
Well, in fairness the owners of such cars aren't going to have them parked at the airport for six months. They'll be in a high security garage.
It still makes my blood boil that the lock markets get away with this kind of thing. Domestic security, and as you've shown, vehicle security. Why don't they design some decent locks!
As usual it comes down to cost I'd say. Think about the numbers of cars they're making, and they want to replace the locks in all of those vehicles, which might mean changing the housing too, add to that the R&D, it could run into some very big numbers, and they know the general public are ignorant about security. They think they can't get into it without the key, or the central locking button, so no one can. So like with these new HU162, they are cheap, cheaper, and cheapest. so you can go from Skoda, to Seat, to Audi.
Jack, as a auto lock picker, is there anything they could do to prevent or problematize the Lishi attack?
I believe Honda have put a magnet in their new lock, much like some pin cylinders. And you have to pick it twice. But the real problem now, since everything went electronic, thieves have the technology to scan your key from outside of your house, duplicate the information and they don't even need to pick the lock. The detect the frequency of your key by walking near your house. That information is stored. They then walk near your vehicle, and detect other information from the lock, which then opens the door, they push the start button which starts the engine, removes the steering lock and they're off. Once they've done that they drive away. Once they're safely in a warehouse somewhere, they can plug a diagnostic computer into the OBD port, and make themselves a new key. So, actually, having an old fashioned key, you've got to pick the door lock, then the ignition barrel, and then plug something into the OBD port to cut a new key.
The Kind of equipment Jack is referring to that are being used to transmit key and lock information to open keyless vehicles. Watch video at the end of the interview to see exactly how this works.
Wow. Just wow! That's shocking. It's funny isn't it, well, funny is the wrong word. But it's almost like the technology has gone too far for so-called convenience and made the vehicles vulnerable to a very easy attack. I think if I drove a car, I'd put something like a Mul-t-lock Integrator lock in it.
Mul-T-Lock Integrator, the kind of lock being installed in work vans due to the terrible security such vehicles are sold with.
Yes! That would be better! If you look at work vans now, they're having Mul-T-Locks and the like installed as standard.
Jack, it's been a real pleasure talking to you, loads to think about, and I'm sure our readers will thoroughly enjoy everything you've shared with us. Best wishes.
Take care, Chris.
I'd like to thank Jack for taking part in this interview and sharing information and knowledge he's gained through a long career. We spoke for over an hour although I did edit some parts for flow and clarity.
Watch this video to see how thieves use transmitting technology to get information from both the key in the house and the lock on the car, to open it, start it, and drive it away.