
openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC

[image: CAN bus traffic on a RAV4 Prime; see footnote 1]

Toyota's Sword in Rock situation (that has been pulled out quite a bit by Willem and Greg!)

[embedded live vote-count value; see footnote 2]

The comma.ai Discord isn't really a good place to store answers or guidance to questions about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot. Discord's search is terrible, and the content inside of it isn't accessible to search engines. This is an attempt to document some of the discussion and information about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot in a more accessible way.

Tip

This document is a bit long, so you may want to give the URL of this document to your 🤖 AI assistant of choice and ask it questions about the contents. DeepWiki is a good choice for querying with citations and references. Note that DeepWiki may lag behind the latest copy of the document by a week.

Ask DeepWiki about openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC: https://deepwiki.com/optskug/docs

You are encouraged to share deepwiki conversations links in Discord if you aren't sure it is interpreting this document correctly.

Of course, other AI assistants such as ChatGPT, Claude, or Gemini can also be used once you pass them the URL of this repository: https://github.com/optskug/docs




Background

tl;dr: Toyota started to use cryptographic signatures to block openpilot (and other hacks). Some smart people in the industry hacked the signatures for some cars, but not all cars. Nobody is known to be working on the issue at the moment.

openpilot, in order to control the lateral axis (that is, steering), needs to be able to man-in-the-middle the steering control messages used by the lane keep assist system. It blocks the original steering control messages and replaces them with its own. Lateral-control messages originally come from the forward-facing camera, which is also known as the "Forward Recognition Camera" or "Object Recognition Camera" in Toyota vehicles. The camera is responsible for lane keep assist in Toyota vehicles.

Some newer Toyotas have a STEERING_LKA-ish message (and more) that now carries an "authentication code" appended to the end. The algorithm and security system behind this "authentication code" is partly known for certain vehicles, but it requires a key that is unique to each vehicle to be extracted or smuggled out of the vehicle (https://icanhack.nl/blog/secoc-key-extraction/). Not all vehicles can have their keys extracted with what is currently known. Without the key for each vehicle, third parties like comma and users cannot control the vehicle; vehicles that have had their keys smuggled out are currently working with openpilot.
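Footnote 1 describes the visible symptom of this change: the trailing "checksum" bytes of the lane-keep message became very high in entropy. The following Python script is an added example, not code from this README, openpilot or opendbc, showing how to make that observation measurable over a frame capture. It pools the trailing field of many frames, estimates its Shannon entropy, and first tries to reproduce the field with cheap checksum candidates (a keyed tag cannot be reproduced from the payload alone). All inputs are constructed: the frame generators, DUMMY_KEY, the 6-bit counter and the stand-in tag (truncated SHA-256 over key || payload || freshness) are illustrative and are not Toyota's or openpilot's algorithm.

```python
"""Classify the trailing field of a CAN message: plain checksum or MAC-like tag?

Added example; this is not code from the optskug/docs README, openpilot or
opendbc. The frame generators, DUMMY_KEY and the stand-in tag (truncated
SHA-256 over key || payload || freshness) are constructed for illustration
and are not Toyota's or openpilot's algorithm.
"""
import functools
import hashlib
import math
from collections import Counter

PAYLOAD_LEN = 4                                          # bytes before the trailing field
DUMMY_KEY = b"constructed-dummy-key-not-a-vehicle-key"   # placeholder, never a real key

# Cheap checksum candidates worth trying before assuming a MAC.
CHECKSUM_CANDIDATES = {
    "sum8": lambda p: bytes([sum(p) & 0xFF]),
    "xor8": lambda p: bytes([functools.reduce(lambda a, b: a ^ b, p, 0)]),
}


def shannon_entropy_bits(data):
    """Shannon entropy of a byte string in bits per byte (maximum 8.0)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def trailing_field_entropy(frames, payload_len=PAYLOAD_LEN):
    """Entropy of everything after the payload, pooled over all frames."""
    pooled = b"".join(f[payload_len:] for f in frames)
    return shannon_entropy_bits(pooled)


def reproducible_by(frames, payload_len=PAYLOAD_LEN):
    """Name of the first candidate that reproduces the trailing field of every
    frame, or None. A keyed tag is not reproducible from the payload alone."""
    for name, fn in CHECKSUM_CANDIDATES.items():
        if all(fn(f[:payload_len]) == f[payload_len:] for f in frames):
            return name
    return None


def classify(frames, payload_len=PAYLOAD_LEN, entropy_threshold=7.0):
    """Return (verdict, entropy_bits_per_byte, matching_candidate)."""
    candidate = reproducible_by(frames, payload_len)
    entropy = trailing_field_entropy(frames, payload_len)
    if candidate is not None:
        return "checksum", entropy, candidate
    if entropy >= entropy_threshold:
        return "mac-like", entropy, None
    return "unknown", entropy, None


# --- constructed sample traffic ------------------------------------------

def constructed_payload(i):
    """4-byte payload: a constant steering request plus a 6-bit rolling counter,
    the way a steady-state periodic control message looks on the bus."""
    return bytes([0x00, 0x64, 0x00, i % 64])


def frames_with_checksum(n):
    """Frames whose trailing field is an 8-bit additive checksum of the payload."""
    return [constructed_payload(i) + CHECKSUM_CANDIDATES["sum8"](constructed_payload(i))
            for i in range(n)]


def frames_with_mac(n, tag_len=4):
    """Frames whose trailing field is a truncated keyed digest. A monotonically
    increasing freshness value is mixed in, as SecOC-style schemes do, so the
    tag changes even when the payload repeats."""
    out = []
    for i in range(n):
        p = constructed_payload(i)
        freshness = i.to_bytes(4, "big")
        tag = hashlib.sha256(DUMMY_KEY + p + freshness).digest()[:tag_len]
        out.append(p + tag)
    return out


if __name__ == "__main__":
    for label, frames in (("checksum", frames_with_checksum(512)),
                          ("mac", frames_with_mac(512))):
        verdict, h, cand = classify(frames)
        print(f"{label:8s}: {h:.2f} bits/byte, candidate={cand} -> {verdict}")
```

With the constructed 6-bit counter the checksum byte can take only 64 values, so its pooled entropy tops out at 6.0 bits/byte, while the keyed tag sits close to 8. That ceiling is a property of the covered data, not of the checksum, so on a message whose payload is itself high-entropy the entropy test alone is inconclusive; the reproducibility check is the more decisive signal, and it is also where a real analysis would add the vehicle's actual checksum definitions from the DBC.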

At the moment, nobody is known to be working on the issue beyond what was done by Willem and Greg. Newer vehicles other than the ones on this list are not known to be working with the existing exploits discovered and built by them to dump their keys.

There has been some primordial research on firmware modification to disable the security system, but it is not known if this is possible or not.

Unresolved Mysteries

The following is not comprehensive.

  • The exact details of how Toyota's tools communicate with the vehicle and with Toyota's servers, and how the key is updated across multiple ECUs, are still not fully known or experimented with. A high-level overview of the process is known, but not the exact details.
    • Could a simulated, extraneous "blank" vulnerable ECU be tacked onto the communication with Toyota to extract the key?
    • There's something with Master ECUs and Slave ECUs here.
  • The 2023 US-made ICE Corolla (VIN starts with 5) is a TSS 3.0 vehicle that does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. No one has come by to show what TSS3 without TSK looks like; one person did, but they don't have much time, and that's it. Just one person, how weird.
  • What might a firmware mod approach look like? Is it possible to flash a custom firmware that disables SecOC?

Cars

🟢 Successfully running openpilot

These cars can run openpilot but are not listed on https://comma.ai/vehicles#toyota or CARS.md because comma.ai (the company) understandably doesn't want to own the security key hacking process.

If it is on https://comma.ai/vehicles#toyota, then it's not in question and is supported by comma.ai for openpilot.

Follow the Setup Guide below and you'll have it working.

  • 2021-2023 RAV4 Prime/PHEV
    • All Trims supported
    • Toyota Harness A
    • Early 2024 MY situation like Early 2024 MY Sienna unknown.
    • The compatibility status of the RAV4 Hybrid or RAV4 ICE is not relevant to the Prime/PHEV. They're different vehicles.
    • Sunnypilot Discord Channel: #dev-toyota-security (requires joining the Sunnypilot Discord)
  • 2021-2023 Sienna Hybrid (USDM), 2021-2022 Sienna Hybrid (PRC)
  • 2020-2022 Yaris Hybrid (EUDM/JDM/MXDM)
    • All Trims supported
    • Toyota Harness A
    • Dataflash dump hack works as the key is not in the same address as RAV4 Prime in program memory
    • Brute force efforts to find key location successful on both European and Japanese Yaris Hybrid. European user eventually gave up full installation due to unrelated C3 malfunction.
    • I-CAN-hack/secoc#4 - brute force dataflash dump approach
    • First Continental Radar + Camera setup going and thus first radar controlled ACC vehicle done with. This does not mean longitudinal is controlled by openpilot though.
      • Experimental work in disabling the radar has shown this is not enough to let openpilot control longitudinal.
    • Not sold in the USA, but is in Australia, Japan, and Europe
    • Only one guy using it in Japan, unfortunately. Help double the population!
      • Another vehicle, not a daily driver, but an academic study specimen, has their key dumped in France.
      • ggajoch has dumped their key in Poland and is using it.
  • 2021 GR Yaris (EUDM/JDM/MXDM)
    • All Trims supported
    • Toyota Harness A
    • Memory dump hack works but the key is not in the same address as RAV4 Prime.
    • Same hardware as Hybrid Yaris with Continental Radar + Camera
    • Manual Transmission
    • One user in Poland at the moment. lx93.
    • WIP

Notes

  • These vehicles have TSS 2.0.
  • These vehicles do not use the HSM.
  • These all seem to share the commonality of a version 1 bootloader [3]? on the EPS
  • Longitudinal

🟡 May be possible to hack but hasn't been tried

If you have one of these cars, please stop by the comma Discord's #toyota-security channel - we need more information from people like you.

  • 2023 US-made Corolla (VIN starts with 5)
    • Uses TSS 3.0 but does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows. This is still of great interest to the Toyota Security Key / SecOC efforts as it may provide better insight into the TSS 3.0 system without the key complication.
    • Note that this is not the same as the 2023 TMC/JP-made Corolla or the 2024+ Corolla. It happens to be applicable to a single year of US-made Corolla.
  • 2021+ Yaris Cross Hybrid (EUDM/JDM/MXDM)
    • Brute force script may work (all guessing), but probably not on 2024+ models. Nobody has tried with earlier models.
  • 2022+ GR Yaris (EUDM/JDM/MXDM)
    • Unknown

🔴 Not hacked and can't run openpilot

Car hackers, we need your help with these.

  • 2022+ Aygo X (EUDM) [4]
  • 2023+ Aygo X (Euro tech info Lookup)
  • 2023+ bz4x [4] (Probably the same for sister rebranded Subaru Solterra)
  • 2025+ Camry [4]
  • 2023 TMC/JP-made Corolla [4]
  • 2022+ Corolla Cross (USDM, not applicable to Thailand or Brazil) [4]
  • 2023 Corolla Cross Hybrid
    • TSS 2.0
    • Known to be not working.
    • Memory can be dumped but the key is not in visible memory.
    • Mentioned in Willem's blog post.
  • 2024+ Corolla/Corolla Hybrid, all origins.
  • 2023+ Crown
  • 2024+ Grand Highlander ICE and Hybrid [4], 2024 Crown Kluger ICE and Hybrid (PRC, elsewhere?)
  • 2024 Highlander ICE and Hybrid
    • TSS 2.0
    • Known to be not working.
    • Memory can be dumped but the key is not in visible memory.
    • 02 bootloader [3]
  • 2025+ Highlander ICE and Hybrid [4]
  • 2024+ Mirai [4]
  • 2023+ Prius and Prius Prime/PHEV [4]
  • 2024+ RAV4 Prime/PHEV
    • TSS 2.0
    • Key at least not at the same location as other RAV4 Prime
    • Brute force efforts to find key location TBD
    • At least code is executed. Unknown what might have changed.
    • New 02 bootloader [3] seen
  • 2024+ RAV4 in Europe (techinfo)
  • 2023+ Sequoia (Speculated from being a Tundra with an SUV body)
  • 2023+ Sienna (PRC)
  • 2024+ Sienna
    • TSS 2.0
    • Key at least not at the same location as other RAV4 Prime
    • Brute force efforts to find key location TBD
    • At least code is executed. Unknown what might have changed.
    • New 02 bootloader [3] seen
  • 2024+ Tacoma [4]
  • 2022+ Tundra (Confirmed in commaai/openpilot#27869 (comment))
    • TSS 2.0
    • No known bootloader [3] exploit execution
    • User ThisGuy has an extra rack on the bench. Sent to Willem for further analysis. Uses HSM, possible firmware mod approach to disable SecOC in planning. See July 2025 update below.
    • 04 bootloader [3]
  • 2021+ Venza
    • Key at least not at the same location as the RAV4 Prime
    • Brute force efforts to find key location TBD
    • Has a 02 bootloader [3] though, from two 2021 samples.
  • 2024+ Lexus GX [4]
  • 2022+ Lexus LX, NX [4]
  • 2023+ Lexus LS [4]
  • 2023+ Lexus RX, RZ [4]
  • 2024+ Lexus TX [4]

🔵 Vehicles not in comma's supported vehicles list

The following vehicles aren't in comma's supported vehicles list but are known to not have SecOC/TSK.

They may not have been added due to:

  • Bugs in the automated process of adding vehicles to the supported vehicle list such as in the case of the 2025 Lexus ES.
  • No one has tried it!
  • Sometimes no one has tried that specific year and sent in evidential data that comma will accept to put it on the list. This sometimes results in weird year gaps on comma's list even if other years in the same generation/facelift are supported.
  • No development has been done on it.

However, they are confirmed on Toyota Techinfo to not have SecOC/TSK.

With the exception of the 2023 US-made Corolla, these vehicles are not TSK vehicles and might just be a fingerprint away from being supported by openpilot.

  • 2023 US-made (VIN starts with 5) Corolla Sedan
    • TSS 3.0
    • No ECU Security Key or SecOC steps when replacing the forward camera.
    • It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows.
    • Likely requires a C3X, as it probably uses CAN-FD.
    • Probably not a fingerprint away.
  • 2021 Lexus RC
    • TSS2
    • No TSK
  • 2022, 2024-2025 Lexus RC
    • TSS2.5
    • No TSK
    • No one has tried
  • 2020 Lexus IS
    • TSS+
    • No one has tried
  • 2021 Lexus IS
    • TSS2.5
    • No one has tried
  • 2025 Lexus ES Non-Hybrid
    • Seems to have issues being auto-added to comma's supported vehicle list for some reason.

Unknown

If your car is not listed above, then there has been no documented information or attempts. Please talk to us at the comma Discord's #toyota-security channel.


Setup Guide

Key Extraction

Your car has a security key that Toyota doesn't want you to have.
Follow this guide to run a hardware exploit to extract the key.

Step 1. Install TSK Manager

At home, sitting next to your router, turn on C3X with your phone charger. Ignore the low voltage warning.

Choose Custom Software and enter the URL optskug/tskm

If you have C3 (predecessor to C3X), enter https://smiskol.com/fork/optskug/tskm-c3

Unplug the power to turn off the device.

Troubleshooting
  1. A normal phone or laptop charger works fine. If not, USB A-to-C cables work well, and USB PD (Power Delivery) sometimes doesn't work.
  2. Sometimes the installer won't proceed or gets stuck around 10% and restarts. Instead of Custom Software, install comma openpilot, uninstall it through the Settings menu, and then try again.
  3. The installation takes about 2 minutes, or ~20 minutes if an OS update is needed. OS update downloads a ton of stuff so don't be too far away from the router.
  4. Prefetching may fail if you're in China. The extraction will still work, but you'll have to install commaai/nightly-dev manually instead of using TSK Manager.
  5. In some cases the installation gets stuck in "registering device" screen. If this happens, unplug the device to power off, plug it back in, and then tap-tap-tap on the screen as it boots to reset the device. Afterward, install optskug/tskm

Step 2. Install the hardware

Go to your car and connect everything including Comma Power (OBD2 connector + long cable).

Official Setup Guide: https://comma.ai/setup/comma-3x

Turn the car on and off - C3X should remain powered on.

Troubleshooting
  1. The car harness sends a 12V signal instead of the usual 5V. Do not plug in anything other than C3X.
  2. For connecting C3X to the harness, always use the right-angled OBD-C cable that came with the C3X. comma.ai sells it if you need more: https://comma.ai/shop/obd-c-cable. If you must buy your own, USB-C 3.1 Gen 2 is required.
  3. You can remove Comma Power later but connect it for now.

Step 3. Put the car into Not Ready To Drive mode

Slowly press the POWER button twice WITHOUT pressing the brake pedal.

Caution

The 12V battery will die in 10 minutes. Turn off the A/C and never stay in this mode for more than 5 minutes at a time. After 5 minutes, start the engine and leave it running for 5 minutes before trying again.

The 12V battery is not your hybrid driving battery. It doesn't matter that your car is charged to 100%.

THIS IS IMPORTANT! Many people have had to jump the car, so I'm telling you. Please listen. Do not stay in this mode for more than 5 minutes.

Troubleshooting
  1. Some cars refer to Not Ready To Drive mode as IGNITION ON mode while others refer to it as POWER ON mode. Regardless of what your car calls it, get on the mode that says Not Ready To Drive.
  2. The first press turns on ACCESSORY mode. The second press activates Not Ready To Drive mode.
  3. Some cars don't have ACCESSORY mode. Doesn't matter - get on the mode that says Not Ready To Drive.

Step 4. Run the exploit using TSK Manager

Note

Your car is going to freak out - it will beep and flash all kinds of errors.

Relax. The exploit is safe to run and can't break your car even if you yank the cable.

Turn off the car, wait one minute, and turn it back on. Everything will be back to normal.

Run TSK Extractor.

Congratulations, you have the key now!

Warning

It's theoretically possible for someone to remotely hack your car with the key under very specific circumstances. You don't need to protect the key like it's your bank password, but still don't post it on Discord.

Sometimes TSK Extractor can't talk to the car. Try again.

Troubleshooting
  1. Once extracted, the key is installed in /cache/params/SecOCKey and /data/params/d/SecOCKey files.

  2. In rare cases, TSK Extractor may hit an unexpected error.

    The exploit is proven to work but TSK Extractor GUI is new. Send @calvinspark a photo and then try again.

  3. Run TSK Extractor within 30 seconds of putting the car in Not Ready To Drive mode. If the car stays on that mode for a long time the extractor no longer works.

  4. Normally the extraction succeeds on the first try or after the first car restart. If you tried the extractor 3 times for each of 3 car restarts (=9 times) and it still doesn't work, there might be a hardware problem and/or you're doing something wrong. Stop and talk to us in #toyota-security.

Step 5. Install commaai/nightly-dev

Start your car's engine.

Go to the Reboot Menu and Install commaai/nightly-dev.

commaai/nightly-dev is the only branch from comma.ai with TSK support (C3X only).

If you have C3, install sunnypilot/staging-tici. There are no branches from comma.ai with C3+TSK support, so SunnyPilot is your best option. If you have no idea what this means, come talk to us in comma Discord at #toyota-security channel.

Troubleshooting
  1. commaai/nightly-dev is the newest and possibly unstable branch from comma.ai with TSK support.
  2. Frustratingly, there isn't a release branch from comma.ai with TSK support.
  3. Openpilot won't be able to drive your car if you install a branch without TSK support. See Forks for more information.

Step 6. Calibrate & Validate

C3X should show the 15mph calibration screen.

If you're able to calibrate and use openpilot to use the steering wheel (aka "lat support"), it's working!

commaai/nightly-dev can't use the gas and brake pedals (aka "long support") on TSK vehicles. The pull request for longitudinal support has been merged into opendbc, but openpilot has not yet updated its copy of the repository to include it. Experimental mode is also not supported because experimental mode requires long support.

Troubleshooting
  1. If you get an LKAS error, either the key was not installed or you're running a fork/branch without TSK support.
  2. If C3x says Car unrecognized or Dashcam mode for unsupported car, you need to do Fingerprinting. However, this shouldn't happen anymore. If it does, please talk to us in #toyota-security.
  3. The key will change if you get a new bumper because the bumper has distance sensors that use the security key. Instead of applying the existing key to the bumper, they replace the key on all parts of the car. The same goes for many other parts with SecOC components. Even if you never get into an accident, the key can still change if a Toyota service technician presses a wrong button.

Step 7. Clean up

Put the covers back on, and you're done. Congratulations!

Comma Power (OBD2 connector + long cable) is optional. It's not necessary for using C3X, but keeping it allows C3X to stay powered on when you turn off the car.

Comma Power

Pros:
  • Keeps C3X powered on when the car is off (see above).

Cons:
  • Auto-updates may break.
  • Some have experienced 12V battery drain.
  • More cables to manage.

I (@calvinspark) don't use it because I hate even a remote possibility of a 12V battery issue.

If you decide not to use it, bring C3X into your home to get updates. Note that an auto-update to v0.10.0 broke C3 users, so check Discord for compatibility issues before a major version update.

Step 8. What's next?

Keep using commaai/nightly-dev

  • If there is a hardware problem, you need to be on a branch from comma.ai to get support from the comma.ai company.

  • If there is a software problem, you need to be on a branch from comma.ai to get support on comma.ai's Discord. There is a channel for #custom-forks, but it's easier to get support in other channels.

  • commaai/nightly-dev updates every day but you don't need to update every day. We hope that comma.ai provides a stable release branch with TSK support, but until then, commaai/nightly-dev is the only official branch with TSK support.

  • If everything's working as expected for a week or two, you're done - just keep using it. If you want to tinker more, check out Forks.

Tell us how it went

Did everything go smoothly? Was something not clear? Did you get into a state that's not described in the doc?

Please let us know! We've put in lots of effort into this doc, so even a simple "It worked out well" comment is appreciated.

We're in comma Discord in #toyota-security channel.

Key Installation

You shouldn't need to do this

Modern openpilot and its forks have an auto-key-install process that runs on every car start.

This means that uninstalling openpilot or resetting comma no longer uninstalls the security key.

🎉🎉🎉 Gone are the days of key installation. From now on, just install openpilot and go drive, just like non-TSK users! 🎉🎉🎉

When to do this

You may need to still reinstall the key if

  1. your C3 died and you got a new C3X,
  2. the key was never installed in /cache/params/SecOCKey because you did it the old SSH way and never ran TSK Manager / TSK Keyboard,
  3. the installed key in /cache/params/SecOCKey was deleted, or
  4. you're using an old fork without the auto-key-installer.

Follow this guide to reinstall the key.

Method 1. Use the built-in TSK Manager/TSK Keyboard

Some forks/branches have TSK Manager or TSK Keyboard under Settings.

⚙ > Device > TSK Manager/TSK Keyboard

If it's there, use it to type in your key and install, and then reboot.

Method 2. SSH and install the key to /cache/params/SecOCKey and /data/params/d/SecOCKey files

Redo Step 4B-4. Install the security key & Reboot.

Method 3. Uninstall openpilot, install the key using TSK Manager, and install openpilot

Follow Step 1. Install TSK Manager to install TSK Manager via the URL optskug/tskm

No need to go to the car. Run TSK Keyboard. Use it to type in your key and install.

Advanced Topic: Run the exploit using SSH manually

This is how to extract the key manually. Most people can skip this.


Forks

Caution

Using forks presents a real danger. Do your research!

Begin your research in comma.ai Discord's #custom-forks.
Please do not ask about forks outside of that channel.

Legend: Lat = lateral support; MADS = AOL / MADS / keep-lat-on-after-brakes; Long = longitudinal support.

Install URL: commaai/nightly-dev
  Lat: Yes from upstream
  MADS: No
  Long: No

  • Not a fork but an alternate branch from comma.ai with TSK support.
  • Install this if you need support from the comma.ai company. They won't talk to you if you're on a fork.
  • Pre-compiled, so quick to install.
  • It has the most up-to-date changes, which is cool, but it could get unstable.

Install URL: alexandresato/personal3 (a.k.a. SatoPilot)
  Lat: Yes from upstream
  MADS: Yes from community (MADS from Spektor56)
  Long: Yes from community (from chrispypatt)

  • First fork to get long!
  • Very quick stop-and-go response
  • alexandresato/extract_secoc_key_btn includes a TSK key extract button and is rebased with personal3 often.

Install URL: sunnypilot/release-tizi (a.k.a. sunnypilot; links: sunnypilot Discourse Forum, sunnypilot Discord)
  Lat: Yes from upstream
  MADS: Yes from community (MADS original author)
  Long: Yes from community (from chrispypatt)

  • Stable release-tizi of sunnypilot is extensively tested by the secoc community.
  • Model switcher to easily switch between various AI models
  • NNLC: Big steering improvements for '21-23 RAV4 Prime and Sienna
  • sunnypilot complies with comma.ai's safety rules as accurately as possible.
  • ‼️ If your device is C3 install sunnypilot/staging-tici instead. TICI hardware support at sunnypilot is slightly older than release but similarly capable at the moment.

Install URL: frogpilot.download (a.k.a. FrogPilot; link: FrogPilot Discord)
  Lat: Yes from upstream
  MADS: Yes from community (AOL original author)
  Long: Yes from community (from chrispypatt)

  • Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover and then install again.
  • ‼️ DO NOT RUN FROGPILOT DEEP STORAGE DELETE. It deletes your security key, and you have to run TSK Manager again. Run it only when you're selling the device.

If you are installing a fork not included in the list above, find the fork author and ask the following.

  1. Does it meet the safety standards from comma? Using a fork that doesn't meet the safety standards will get you banned from comma.ai servers.
  2. Is it for the latest C3X? A fork for an older device may brick your C3X.
  3. Does it support SecOC/TSK?
  4. Does it contain banned code? Using a fork with banned code may get you banned from comma.ai servers.
  5. Is there anything to watch out for?

If you can't find the author, don't install the fork!


Discords of Note

Most if not all Discord links are to the comma.ai Discord accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:

The activities, actions, and discussions on non-comma.ai Discords are not, or may not be, supported by or affiliated with comma.ai (this may even apply to the comma.ai Discord too). In the case of MoreTorque, comma.ai is strongly opposed to that community/Discord. That said, the ECU Security Key issue affects everyone, and relevant events and information may be found there as well.


Bounty Statuses

πŸ—³οΈ comma.ai Vote for Toyota Security

In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; otherwise, a refund happens and all the money is returned. The current status of that was shown by an embedded live value: Latest Comma Vote Count for Toyota Security ($100 ea.) [2].

Vote counts were reported every week or similar and are recorded in this spreadsheet by the community: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0

The result of this vote, even though it has not met its target cost, is a pull request was produced for the RAV4 Prime to be supported in openpilot. It was eventually merged in.

In January, the vote page was taken down. Below is a snapshot.

[image: snapshot of the comma.ai vote page]

The last known vote count from community observations [2]: 115/500 votes.

In addition to their vote system, comma also has/had specific bounties up:

👥 Communities Bounty

The overall community bounty has been canceled for numerous reasons:

https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/comment/l6vjf9e/

Original Sheet: https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0

Specific Community Bounties

In its place are more specific community bounties:

Pictures of TSK'd and non-TSK'd Camera ECUs

FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Camera of a Corolla or Corolla Hatchback.

2021 Rav4 Prime:

[image: 2021 RAV4 Prime camera ECU]

Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274

2020 Corolla/Corolla Hatchback:

[image: IMG_20200831_164627]

A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA

Current History

Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.

Discord links may be linking to the middle of the conversation. Scroll up and down for context.

Many of these Discord links are to the #toyota-security channel in the comma.ai Discord. For a list of other relevant Discord servers, please see the Discords of Note section.

Background

For Toyota openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses as the Supra, a BMW badged as a Toyota, does not count.

Previously seen TSS2 vehicles have had an architecture where both lateral and longitudinal control come from the front-facing camera. openpilot was able to intercept and control both lateral and longitudinal at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps into the vehicle's CAN were needed to control or block messages for this capability.

The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.

Timeline

2013

August 2020

matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4:

October 2020

November 2020

December 2020

January 2021

February 2021

March 2021

April 2021

May 2021

June 2021

July 2021

August 2021

September 2021

October 2021

November 2021

December 2021

January 2022

February 2022

March 2022

April 2022

May 2022

June 2022

July 2022

August 2022

September 2022

October 2022

  • gsmdev posts about their experience with RE'ing Toyota ECUs
    • I have experience with Toyota reverse engineering and CUW files.
    • On fresh firmwares Toyota has fully changed the algorithm. On firmwares with SeedKey; Nonce. They use AES CBC for encryption and AES CMAC for the final check. Inside the PC software they convert SeedKey to a 128-bit array. This seed is used to encrypt the firmware. AES_ECB(BL_KEY, SeedKey, SessionKey) - take BL_KEY (0x10 bytes) from the bootloader region inside the firmware and encrypt via AES_ECB with this key and input data SeedKey. The output from AES will be SessionKey, and this SessionKey is used to encrypt data with AES_CBC.
    • About NONCE - it is used in the final stage after writing the firmware. It is the AES-CMAC of the whole firmware update. After checking the AES-CMAC the bootloader writes a signature inside the firmware region marking it as correct. If this is not done, the firmware will never run after reboot; the module will always be in bootloader mode.
    • About compression, I have never seen a CUW with compression before. If someone has read the full flash from a module with support for compressed update, I can help with reversing. I can also help with reversing other parts.
  • Remote starters with no key do exist on Toyota Security vehicles.
  • (RP Discord) In which a crew of people work through RE'ing some firmware on an EPS for their VWs.

November 2022

December 2022

January 2023

February 2023

March 2023

April 2023

May 2023

June 2023

July 2023

August 2023

September 2023

October 2023

November 2023

December 2023

January 2024

February 2024

March 2024

April 2024

May 2024

June 2024

July 2024

August 2024

September 2024

October 2024

November 2024

December 2024

January 2025

February 2025

March 2025

April 2025

May 2025

June 2025

July 2025

August 2025

September 2025

October 2025


Footnotes

  1. This is an image of the CAN BUS traffic on a RAV4 Prime. The "checksum" for the Lane Keep Assist messages is now very high in entropy, indicative of some sort of signing or encryption being used.

  2. As a shameless plug, do you like those real-time updating embedded values from the Google Spreadsheet up there for the bounty and vote tracker? I made cellshield.info for that and other non-security key related uses. Check it out and let me know outside of this discussion if you have any comments!

  3. gregjhogan stated that the first byte of a UDS firmware version is not a bootloader version. https://discord.com/channels/469524606043160576/905950538816978974/1273746993394487376

    The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned.

  4. Speculated from TechInfo lookup. TechInfo lookup is looking at Toyota's Techinfo site (payment required, minimum ~$25) and seeing if replacing the "Object recognition camera" / "Forward recognition camera" requires an ECU Security Key update. https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228

About

πŸ” Documentation/News/History/Guide on openpilot with Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC
