Electronic lock decoders

A lot of people asked my opinion about the “Electronic Key Impressioner” that has been in the news lately. The device is not for sale yet and the only thing people have seen so far is a computer model of a device. Technical details are not out yet (as far as I know). This being a news item triggered a lot of people who are now curious if a device like this could really work, and if so, what is the technique behind it.

The automatic key impressioner reminded me on something I saw at a trade-show a couple of years ago. At the stand was a person with a some sort of ‘lock probe’ that could electronically read out the combination on some car locks. This lock probe was connected to a laptop, and after inserting the lock probe in and out of the lock a couple of times, the code of the lock was on the display of the laptop.

lock probe

Curious on how this technique worked, I spend some time talking with the developer of the system. As we all know, most car locks are wafer locks. These wafers all have the same outer dimensions and the only thing that differentiates (for example) a ‘cut one’ from a ‘cut four’ is the position of the hole in the wafer. To make it a little more clear for people who are not into locks, I took wafers one, two, three and four from a car lock and stacked them on top of each other. You can clearly see a ‘stairway’ pattern if you stack them in incrementing order.

stacked car lock wafers

The lock probe I saw at the show used electric current to determine the position of the opening in the wafer. The idea is to put some low voltage on the body of the lock and ‘look for it’ with the contacts in the isolated tip of the lock probe. A high cut wafer will only make contact with the higher contact points in the tip, while a low cut wafer will give a reading on more contact points as the tip slides trough it. And there were a number of different probes for various lock models (variations in the spacing and position of the contact points on the tip of the key). The theory behind this may all look easy and straight forward, but it took them quite some effort to write a decent piece of software to convert the data into a key-code. The developer told me errors could be introduced if users insert the probe too quickly, and sometimes locks ‘in the field’ were so dirty/greased up that contact with the wafers was not reliable.


lock probe

Of course I can only guess, but I imagine the “Electronic Key Impressioner” works on the same principle. I can’t wait to see the device in real life and be able to test it under some real world conditions. As I can imagine there is a range of wafer locks this technique does not work on. And I wonder if it can compete with some of the more sophisticated mechanical car lock decoders that are out on the market for many years now …

10 Responses to “Electronic lock decoders”

  1. jos weyers says:

    When I saw the mock-up, I thought it looked like a Blackbag update ! 😉

  2. Cybergibbons says:

    Really interesting post. It must be quite a fine line with the slope of the front of the PCB – imagine if you had a very low wafer followed by a very high one and then another low one (although the height difference is constrained somewhat by design) – it would be hard for the sensor to pick this up without the slope being very steep.

    Another question – how many cars actually have a single sided wafer locks? I’m guessing with careful processing and inserting the sensor in both directions it could just about deal with this. But even then, at least in the UK, double sided wafer locks are really not very common.

  3. Wolf says:

    The place that the device is contacting the wafers is not where the key would make contact. In these locks (sidewinder locks) the key makes contact with the little step on the side of the wafer. Is it supposed to be used like this , or is this just to show how it works ?

  4. Barry says:

    Cybergibbons: If I remember correct, the demo was given on a double sided lock. The tool was inserted both on the top and the bottom, but I can’t be 100% sure.

    Wolf: Good observation 🙂 And you are right, the wafers are from a sidewinder lock and are originally touched by the key on the side of the wafer. I only had these wafers available when shooting the images and used them as a proof of concept. On the wafers the lockprobe is used on, the measurement is done like in the images.

  5. Cybergibbons says:

    In case anyone is interested, here is the patent of the LockProbe device mentioned above:
    http://www.google.com/patents/about?id=FJUJAAAAEBAJ&dq=decode+wafer+lock

    It seems to be quite a solid patent and would probably cover devices operating using a fundamentally similar principle. I wonder if “The Impressioner” will infringe on the patent or use an altogether different concept?

    All the other patents seem to be quite fanciful in concept and of limited utility.

  6. elphreaker says:

    Nice concept mate, anyhow, I can understand how you decode a single wafer but I dont manage to see how you would decode a lever that isn’t totally exposed…

  7. mercurial says:

    elphreaker,

    As the tool enters the lock, the tip comes into contact with the first wafer, which makes contact with the tip of the key, giving an indication of height, as you understand.

    Then, as the probe is pushed further into the lock, the first wafer has been lifted up the sloping ‘reading surface’ of the probe, onto the blade of the probe key. The tip of the probe now encounters and ‘reads’ the next wafer – this second wafer is ‘exposed’ since the first wafer has been lifted out of the way.

    As already stated above, if the lock has wafers at the top and bottom, the probe would then be inserted ‘upside down’ to read the wafers on the other side of the keyway.

  8. elphreaker says:

    Thanks mercurial, now its pretty obvious 😉 , but the only inconvenient would be the spacing in between the waffers.

  9. mercurial says:

    elphreaker – you’re welcome. At first glance I had similar thoughts, but then visualised the probe moving into the lock and grasped the concept.

    Spacing shouldn’t be inconvenient – even if the wafers are very close together.

    If the spacing between wafers is close enough, for example with a very high first wafer, and a very low second wafer, the probe’s tip might already be touching the second wafer when it makes first contact with the first wafer. This means when wafers are very closely spaced, a wafer deeper in the lock may make contact with the probe’s tip before the probe’s tip has made contact with the wafer in front of it.

    This is where the computer software employed must be pulling its weight :

    In this case, the software should be able to ‘notice’ that the contact made by the second wafer moves up tip of the probe as the probe is inserted further into the lock, and starts interacting with the next wafers. It should thus be able to determine the order of the wafers the probe is reading, even in instances where the probe does not touch the wafers in sequence.

    I hope I explained that with some degree of clarity.

    After writing that, it just occurred to me that these spacing issues are much simpler if you just read the signal from the probe as you WITHRDAW the probe from the lock, rather than when inserting it!! (of course there is no harm looking at both signals).

  10. elphreaker says:

    Hehe, its pretty clear, I thought it would be easier if you pulled out instead of inserting it, anyhow you could get some doble lectures.