🔐 Documentation/News/History/Guide on openpilot with Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC

optskug/docs


openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC

[image: CAN bus traffic on a RAV4 Prime; see footnote 1]

Toyota's Sword in Rock situation (that has been pulled out quite a bit by Willem and Greg!)

[embedded live vote/bounty tracker values; see footnote 2]


Background

tl;dr: Toyota started using cryptographic signatures to block openpilot (and other hacks). Some smart people in the industry hacked the signatures for some cars, but not all cars.

openpilot, in order to control the steering (lateral control), needs to be able to man-in-the-middle the steering control messages used by the lane keep assist system: it blocks the original steering control messages and replaces them with its own. Those messages come from the forward-facing camera, known as the "Forward Recognition Camera" or "Object Recognition Camera" in Toyota vehicles, which is responsible for lane keep assist.

Some newer Toyotas append an "authentication code" to the STEERING_LKA-like message and to others. The algorithm and security system behind this "authentication code" is somewhat known for certain vehicles, but it requires a key that is unique to each vehicle to be extracted (or smuggled out) from the vehicle (https://icanhack.nl/blog/secoc-key-extraction/). Not all vehicles can have their keys extracted with what is currently known. Without the key or knowledge of the system, third parties like comma and users cannot control the vehicle; vehicles that have had their keys extracted are currently working with openpilot.
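To make concrete what that appended "authentication code" does and why the per-vehicle key matters, here is an added illustration of a generic AUTOSAR-style SecOC check on a CAN frame. This is example code written for this guide; it is not Toyota's actual scheme and not code from openpilot or the I-CAN-hack secoc repository. It assumes a 1-byte freshness counter, a 4-byte truncated MAC, a 16-bit data id of 0x0A10, a 16-frame acceptance window and a constructed demo key, and it uses HMAC-SHA256 in place of the AES-CMAC that SecOC specifies. The receiver side rejects a replayed frame, a frame whose payload was changed under an otherwise valid MAC, and a frame built with the wrong key, which is exactly why a third party cannot substitute its own steering command without the key.

```python
import hashlib
import hmac

# All values below are constructed for this example, not Toyota's.
DEMO_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # 16-byte demo key
DATA_ID = 0x0A10      # assumed SecOC data id for the steering message
MAC_BYTES = 4         # assumed length of the truncated MAC carried in the frame
WINDOW = 16           # assumed acceptance window for the freshness counter


def compute_mac(key, data_id, payload, counter):
    """MAC over (data_id || payload || freshness), truncated to MAC_BYTES.
    HMAC-SHA256 stands in for the AES-CMAC real SecOC uses (assumption)."""
    msg = data_id.to_bytes(2, "big") + payload + bytes([counter])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_BYTES]


def build_frame(key, payload, counter):
    """Sender side: payload || 1-byte freshness counter || truncated MAC."""
    if not 0 <= counter < 256:
        raise ValueError("counter must fit in one byte")
    return payload + bytes([counter]) + compute_mac(key, DATA_ID, payload, counter)


def split_frame(frame):
    """Receiver side layout parsing: returns (payload, counter, mac)."""
    if len(frame) < 1 + MAC_BYTES + 1:
        raise ValueError("frame too short to carry a counter and a MAC")
    return frame[:-(1 + MAC_BYTES)], frame[-(1 + MAC_BYTES)], frame[-MAC_BYTES:]


class Verifier:
    """Receiver that checks the MAC and tracks the last accepted counter."""

    def __init__(self, key):
        self.key = key
        self.last_counter = None

    def verify(self, frame):
        payload, counter, mac = split_frame(frame)
        expected = compute_mac(self.key, DATA_ID, payload, counter)
        if not hmac.compare_digest(mac, expected):
            return False                  # tampered payload, forged MAC or wrong key
        if self.last_counter is not None:
            step = (counter - self.last_counter) % 256
            if not 1 <= step <= WINDOW:
                return False              # replayed or stale counter
        self.last_counter = counter
        return True


def demo():
    """Run the constructed scenario and return each verdict."""
    torque_cmd = bytes([0x00, 0x10, 0x00])    # constructed 3-byte steering payload
    v = Verifier(DEMO_KEY)
    genuine = build_frame(DEMO_KEY, torque_cmd, 5)
    results = {"genuine": v.verify(genuine)}
    results["replay"] = v.verify(genuine)      # same frame again
    tampered = bytearray(build_frame(DEMO_KEY, torque_cmd, 6))
    tampered[1] ^= 0x40                         # flip a payload bit, keep the MAC
    results["tampered"] = v.verify(bytes(tampered))
    wrong_key = bytes.fromhex("ffffffffffffffffffffffffffffffff")
    results["wrong_key"] = v.verify(build_frame(wrong_key, torque_cmd, 6))
    results["next_genuine"] = v.verify(build_frame(DEMO_KEY, torque_cmd, 6))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} accepted={ok}")
```

The counter is covered by the MAC, so an attacker cannot simply bump it; and the receiver keeps state, so even a perfectly valid captured frame is rejected the second time. Real SecOC additionally truncates the freshness value on the wire and reconstructs it from receiver state, which this example leaves out for clarity.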


Cars

🟢 Successfully running openpilot

These cars can run openpilot but are not listed on https://comma.ai/vehicles or CARS.md because comma.ai (the company) understandably doesn't want to own the security key hacking process. Follow the Setup Guide below and you'll have it working.

  • 2021-2023 RAV4 Prime
    • Upstreamed into openpilot's master branch.
  • 2021-2023 Sienna Hybrid
    • Upstreamed into openpilot's master branch.
  • 2020-2022 Yaris Hybrid (EUDM/JDM/MXDM)
    • Memory dump hack works but the key is not in the same address as RAV4 Prime.
    • Brute force efforts to find key location successful on both European and Japanese Yaris Hybrid. European user eventually gave up full installation due to unrelated C3 malfunction.
    • openpilot working on a heavily hacked-up branch
    • First Continental radar + camera setup going, and thus the first radar-controlled ACC vehicle done. This does not mean longitudinal is controlled by openpilot though.
    • Not sold in the USA, but is in Australia, Japan, and Europe
    • Only one guy using it in Japan, unfortunately. Help double the population!

Notes

  • These vehicles have TSS 2.0.
  • These vehicles do not use the HSM.
  • These all seem to share the commonality of a version 1 bootloader [3]? on the EPS
  • Longitudinal

🟡 May be possible to hack but hasn't been tried

If you have one of these cars, please stop by the comma Discord's #toyota-security channel - we need more information from people like you.

  • 2023 US-made Corolla (VIN starts with 5)
    • Uses TSS 3.0 but does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. It's unknown whether it has TSK and, if so, in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows.
  • 2021+ Yaris Cross Hybrid (EUDM/JDM/MXDM)
    • Brute force script may work.
  • 2021+ GR Yaris (EUDM/JDM/MXDM)
    • TSS 2.0
    • Brute force script may work.
    • Seems externally similar to Yaris Hybrid?
    • Would be the first manual transmission.

🔴 Not hacked and can't run openpilot

Car hackers, we need your help with these.

  • 2022+ Aygo X (EUDM) [4]
  • 2023+ Aygo X (Euro tech info Lookup)
  • 2023+ bz4x [4] (Probably the same for sister rebranded Subaru Solterra)
  • 2025+ Camry [4]
  • 2023 TMC/JP-made Corolla [4]
  • 2022+ Corolla Cross (USDM, not applicable to Thailand or Brazil) [4]
  • 2023 Corolla Cross Hybrid
    • TSS 2.0
    • Known to be not working.
    • Memory can be dumped but the key is not in visible memory.
    • Mentioned in Willem's blog post.
  • 2024+ Corolla, All origins.
  • 2023+ Crown
  • 2024+ Grand Highlander ICE and Hybrid [4]
  • 2024 Highlander ICE and Hybrid
    • TSS 2.0
    • Known to be not working.
    • Memory can be dumped but the key is not in visible memory.
    • 02 bootloader [3]
  • 2025+ Highlander ICE and Hybrid [4]
  • 2024+ Mirai [4]
  • 2023+ Prius and Prius Prime [4]
  • 2024+ RAV4 Prime
    • TSS 2.0
    • Key at least not at the same location as other RAV4 Prime
    • Brute force efforts to find key location TBD
    • At least code is executed. Unknown what might have changed.
    • New 02 bootloader [3] seen
  • 2024+ RAV4 in Europe (techinfo)
  • 2023+ Sequoia (Speculated from being a Tundra with an SUV Body)
  • 2024+ Sienna
    • TSS 2.0
    • Key at least not at the same location as other RAV4 Prime
    • Brute force efforts to find key location TBD
    • At least code is executed. Unknown what might have changed.
    • New 02 bootloader [3] seen
  • 2024+ Tacoma [4]
  • 2022+ Tundra (Confirmed in commaai/openpilot#27869 (comment))
    • TSS 2.0
    • No known bootloader [3] exploit execution
    • User ThisGuy has an extra rack on the bench. No known progress.
    • 04 bootloader [3]
  • 2021+ Venza
    • Key at least not at the same location as the RAV4 Prime
    • Brute force efforts to find key location TBD
    • Has a 02 bootloader [3] though, from one sample. Strange for this vintage? Maybe another should try.
  • 2024+ Lexus GX [4]
  • 2022+ Lexus LS, LX, NX [4]
  • 2023+ Lexus RX, RZ [4]
  • 2024+ Lexus TX [4]

Unknown

If your car is not listed above, then there has been no documented information or attempts. Please talk to us at the comma Discord's #toyota-security channel.


Setup Guide

Note

The key will change if you get a new bumper, because the bumper has distance sensors that use the security key. Instead of applying the existing key to the new bumper, they replace the key on all parts of the car. The same goes for many other parts with SecOC components.

If you never get into an accident, then the key will never change, unless a Toyota service technician presses a wrong button.

Key Extraction

Your car has a security key that Toyota doesn't want you to have.
Follow this guide to run a hardware exploit to extract the key.

Step 1. Upgrade AGNOS by installing commaai/master-ci

AGNOS is the operating system used in C3X. The latest one is needed to run TSK Manager.

1-1. At home, turn on C3X with your phone charger. Ignore the low voltage warning. USB A-to-C cables work well, and USB PD (Power Delivery) sometimes doesn't work. If all fails, you can do this in your car.

1-2. Connect C3X to your Wi-Fi network.

1-3. Don't choose Install openpilot. Instead, choose Custom Software with URL commaai/master-ci

The installation takes 10~20 minutes with one or two restarts. This is longer than usual because commaai/master-ci is not precompiled.

If you're doing this in your car, keep the engine running to keep the 12V battery alive.

1-4. Scroll and accept the EULA, and go through the training.

Step 2. Install the hardware

2-1. Go to your car.

2-2. Connect the harness to your car by following the official Setup Guide: https://comma.ai/setup/comma-3x

2-3. Connect Comma Power (OBD2 connector + long cable) to make sure C3X stays powered on while turning the car on and off. You can remove it later but connect it for now.

2-4. Connect the right-angled OBD-C cable to the harness.

Warning

  • The car harness sends a 12V signal instead of the usual 5V. Do not plug in anything other than C3X.
  • For connecting C3X to the harness, always use the right-angled OBD-C cable that came with the C3X.
  • comma.ai sells it if you need more: https://comma.ai/shop/obd-c-cable
  • If you must buy your own, USB-C 3.1 Gen 2 is required.

2-5. Connect the OBD-C cable to C3X to see that it powers on. Turn the car on and off - C3X should remain powered on.

Step 3. Put the car into Not Ready To Drive mode

Some cars refer to Not Ready To Drive mode as IGNITION ON mode while others refer to it as POWER ON mode. Regardless of what your car calls it, get on the mode that says Not Ready To Drive.

Slowly press the POWER button twice WITHOUT pressing the brake pedal.

  • The first press turns on ACCESSORY mode.
  • The second press activates Not Ready To Drive mode.

Step 4A. Run the exploit using TSK Manager

Note

This is the recommended method. See Step 4B for an alternate method.

4A-1. Uninstall openpilot (AGNOS will remain upgraded).

⚙️ > Software > Uninstall openpilot > UNINSTALL > Uninstall > Confirm > Confirm

4A-2. Connect C3X to Wi-Fi and install Custom Software with URL optskug/tskm to download TSK Manager.

It will stay at 92% and then 100% for a few minutes as it installs.

4A-3. Run TSK Extractor. The car may beep and flash LKAS & Power Steering errors.

Tip

Relax. The exploit is safe to run and can't break your car even if you yank the cable.

If you want to quit, turn off the car, unplug C3X, and turn the car back on. Everything will be back to normal.

When you see the output, always scroll to the bottom to see the result and what to do next.

4A-3-1. In case of a known error, it'll tell you to retry.

4A-3-2. In case of an unknown error, it will tell you to send @calvinspark a photo.

The exploit is proven to work but TSK Extractor GUI is new. Send @calvinspark a photo and then try again.

4A-3-3. If you tried the extractor 3 times for each of 3 car restarts (=9 times) and it still doesn't work, stop and talk to us in #toyota-security.

4A-3-4. If it was successful, it'll tell you to take a photo.

This 32-digit hexadecimal number is your key (second redacted line).

SecOC Key (KEY_4) 0123456789abcdef0123456789abcdef

Congratulations, you have the key now!

As a bonus, the key was installed in /cache/params/SecOCKey file, and also written in /data/params/d/SecOCKey file for legacy support.

Warning

It's theoretically possible for someone to remotely hack your car with the key under very specific circumstances. You don't need to protect the key like it's your bank password, but still don't post it on Discord.

4A-4. Exit TSK Extractor and exit TSK Manager. C3X will reboot.

4A-5. Either come back home or start the engine so that your 12V battery doesn't die.

4A-6. Don't choose Install openpilot. Instead, choose Custom Software with URL commaai/master-ci

Caution

commaai/master-ci is the only branch from comma.ai that supports TSK vehicles.

If you install a branch without TSK support, openpilot won't be able to drive your car.

Step 4B. Run the exploit using SSH manually

Note

Even if you already extracted the key using TSK Manager, setting up SSH access will help you later with the key installation for legacy forks/branches. It's not hard to do, so follow along.

If you want to do just the bare minimum and come back to this later, then skip over to Step 5.

Step 4B-1. SSH into the device

4B-1-1. Set up SSH.

Do this: https://github.com/commaai/openpilot/wiki/SSH#before-you-start

And then do one of these:

4B-1-2. SSH into the device.

ssh comma@"your Comma IP"

Step 4B-2. Extract the security key

4B-2-1. Navigate to openpilot directory.

cd /data/openpilot

4B-2-2. Clone Willem's secoc Git repository.

git clone https://github.com/I-CAN-hack/secoc

4B-2-3. Navigate to secoc directory.

cd /data/openpilot/secoc

4B-2-4. Kill openpilot process.

pkill -f openpilot

C3X will display a splash screen with Comma logo.

4B-2-5. Run the key extraction script.

./extract_keys.py

Tip

If you restarted C3X, be sure to run pkill -f openpilot on each C3X restart before running ./extract_keys.py.

If you see something like this, the key extraction was successful.

comma@comma-71b93b83:/data/openpilot/secoc$ ./extract_keys.py
INFO: connecting to panda 2c0004004450383632311333
Getting application versions...
 - APPLICATION_SOFTWARE_IDENTIFICATION (application) b'\x018965B4509100\x00\x00\x00\x00'
 - APPLICATION_SOFTWARE_IDENTIFICATION (bootloader)  b'\x01!!!!!!!!!!!!!!!!'

Security Access...
 - SEED: 36552fe27172c99222eec3a9b9bd1f28
 - KEY: b7b55ba16369bba912b7aa4c06e6c35e
 - Key OK!

Preparing to upload payload...
 - Write data by identifier 0x201 00000000000000000000000000000000
 - Write data by identifier 0x202 00000000000000000000000000000000

Upload payload...
 - Request download
 - Transfer data 0
 - Transfer data 1
 - Transfer data 2
 - Transfer data 3

Verify payload...
 - Routine control 0x10f0 OK!

Trigger payload...

Dumping keys...
100%|████████████████████████| 448/448 [00:00<00:00, 14293.36it/s]

ECU_MASTER_KEY    82667ef509b9f07a134aaf89d4973c68
SecOC Key (KEY_4) 0123456789abcdef0123456789abcdef

SecOC key written to param successfully!
comma@comma-71b93b83:/data/openpilot/secoc$

This 32-digit hexadecimal number is your key.

SecOC Key (KEY_4) 0123456789abcdef0123456789abcdef

Archive and don't lose the key so that you don't need to extract it again. Perhaps email it to yourself.

Warning

It's theoretically possible for someone to remotely hack your car with the key under very specific circumstances. You don't need to protect the key like it's your bank password, but still don't post it on Discord.

Step 4B-3. Debugging

4B-3-1. If you see any of these error messages

  • panda.python.uds.MessageTimeoutError: timeout waiting for response
  • panda.python.uds.InvalidServiceIdError: invalid response service id: 0x50 or similar
  • Can't read application software identification. Please cycle ignition.

Turn off the car, put it back into Not Ready to Drive mode, and then try again.

Be sure to kill openpilot process if you restarted C3X.

4B-3-2. Unexpected application version!

  • Open the script for editing.

    nano -l /data/openpilot/secoc/extract_keys.py
  • Comment out lines 78 and 93 by adding a # at the beginning of each line.

    if app_version not in APPLICATION_VERSIONS:
        print("Unexpected application version!", app_version)
    #    exit(1)
    if bl_version != APPLICATION_VERSIONS[app_version]:
        print("Unexpected bootloader version!", bl_version)
    #    exit(1)
  • Save and exit the editor (Ctrl+X, then Y, then Enter).

  • Kill openpilot process and run the script again.

    pkill -f openpilot
    
    ./extract_keys.py

4B-3-3. Still doesn't work?

Turn off the car, unplug everything, plug them back in, and try again.

Step 4B-4. Install the security key & Reboot

4B-4-1. Install the key in /cache/params/SecOCKey.

Make the installation directory.

sudo mkdir -p /cache/params || true

Give it the correct permissions.

sudo chown comma:comma /cache/params

Install the key.

echo -n "your key here" > /cache/params/SecOCKey

For example,

echo -n "0123456789abcdef0123456789abcdef" > /cache/params/SecOCKey

4B-4-2. Also write it in /data/params/d/SecOCKey for legacy support.

echo -n "your key here" > /data/params/d/SecOCKey

4B-4-3. Reboot the device.

sudo reboot
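The guide writes the key with echo -n, i.e. without a trailing newline, and a pasted key with a stray newline, a 0x prefix or a missing digit is an easy mistake to make that is hard to notice later. The following helper is an added example written for this guide (it is not openpilot code): it validates the pasted key, writes it to both of the files named above and reads both back to confirm they hold the same 32 hex digits and nothing else. The root parameter and the demo() function exist only so it can be tried in a scratch directory; on the device it would run as the comma user with root="/" after the chown step above.

```python
import os
import re
import tempfile

# Exactly 32 hex digits (16 bytes); use fullmatch so a trailing newline fails.
KEY_RE = re.compile(r"[0-9a-fA-F]{32}")
# The two files this guide writes the key to (relative to root).
KEY_FILES = ("cache/params/SecOCKey", "data/params/d/SecOCKey")


def normalize_key(raw):
    """Clean up a pasted key: drop whitespace (including spaces between bytes)
    and an optional 0x prefix, then require 32 hex digits. Case is kept as given."""
    key = "".join(raw.split())
    if key[:2].lower() == "0x":
        key = key[2:]
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"expected 32 hex digits, got {len(key)} characters")
    return key


def is_valid_key(raw):
    """Boolean wrapper around normalize_key for quick checks."""
    try:
        normalize_key(raw)
        return True
    except ValueError:
        return False


def install_key(raw, root="/"):
    """Write the validated key to both files without a trailing newline
    (the equivalent of the guide's echo -n). Returns the paths written."""
    key = normalize_key(raw)
    written = []
    for rel in KEY_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        tmp = path + ".tmp"
        with open(tmp, "w", encoding="ascii") as f:
            f.write(key)              # no newline on purpose
        os.replace(tmp, path)         # atomic swap: never leaves a half-written file
        written.append(path)
    return written


def read_back(root="/"):
    """Read both files and return the key only if both hold the same valid
    key with no stray bytes; otherwise return None."""
    keys = set()
    for rel in KEY_FILES:
        with open(os.path.join(root, rel), "r", encoding="ascii") as f:
            content = f.read()
        if not KEY_RE.fullmatch(content):   # catches trailing newlines too
            return None
        keys.add(content)
    return keys.pop() if len(keys) == 1 else None


def demo():
    """Try the install in a scratch directory with a constructed key."""
    root = tempfile.mkdtemp()
    paths = install_key(" 0123456789abcdef0123456789ABCDEF\n", root=root)
    return {"paths": len(paths), "readback": read_back(root)}


if __name__ == "__main__":
    print(demo())
```

read_back is the check worth keeping: if it returns None after a manual echo, one of the two files has a newline, a typo or a different key, which is the usual reason a "working" key still leaves the car in dashcam mode.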

Step 5. Fingerprinting (if the car is not recognized)

Note

If C3X reboots into the 15mph calibration screen, skip to Step 6. If it says something like Car unrecognized or Dashcam mode for unsupported car, continue on Step 5.

5-1. Follow the fingerprinting guide to get the ECU codes: https://github.com/commaai/openpilot/wiki/Fingerprinting

5-2. Add the ECU codes to fingerprints.py.

  • Open the file for editing.

    nano /data/openpilot/selfdrive/car/toyota/fingerprints.py
  • Scroll down to the CAR.TOYOTA_RAV4_PRIME section.

  • Add your corresponding ECU codes:

    },
    CAR.TOYOTA_RAV4_PRIME: {
    (Ecu.engine, 0x700, None): [
      b'\x01896634AJ7000\x00\x00\x00\x00',
      b'\x018966342S7000\x00\x00\x00\x00',
    ],
    (Ecu.abs, 0x7b0, None): [
      b'\x01F15264284100\x00\x00\x00\x00',
      b'\x01F15264228300\x00\x00\x00\x00',
    ],
    (Ecu.eps, 0x7a1, None): [
      b'\x018965B4233100\x00\x00\x00\x00',
      b'\x018965B4209000\x00\x00\x00\x00',
    ],
    (Ecu.fwdRadar, 0x750, 0xf): [
      b'\x018821F6201300\x00\x00\x00\x00',
      b'\x018821F3301400\x00\x00\x00\x00',
    ],
    (Ecu.fwdCamera, 0x750, 0x6d): [
      b'\x028646F4210100\x00\x00\x00\x008646G3305000\x00\x00\x00\x00',
      b'\x028646F4205200\x00\x00\x00\x008646G4202000\x00\x00\x00\x00',
    ],
  • Save and exit the editor (Ctrl+X, then Y, then Enter).

5-3. Optionally disable updates, because an update will delete the manually added fingerprints.

  • If your fingerprints were upstreamed, then the next update will contain your fingerprints, so don't disable.
  • If your fingerprints were not upstreamed, disable.
    echo -n "1" > /data/params/d/DisableUpdates
  • If you're using FrogPilot, disabling updates with the echo command causes an update error. Use the settings menu to disable instead.

5-4. Reboot the device.

sudo reboot

Step 6. Calibrate & Clean up

If you're able to calibrate and then have openpilot control the steering wheel (aka "lat support"), you can clean up the cables and put the covers back on.

At this time, commaai/master-ci branch can't use the gas and brake pedals (aka "long support") on TSK vehicles. Monitor these PRs for long support progress (commaai/opendbc#1385 & commaai/panda#2061). Experimental mode is also not supported.

Comma Power (OBD2 connector + long cable) is optional. It's not necessary for using C3X, but keeping it allows C3X to stay powered on when you turn off the car, which allows you to upload logs and SSH in more easily. If you do this, you'll be in the training set and your specific driving will improve faster than others.

Key Installation

You shouldn't need to do this

Modern openpilot and its forks have an auto-key-install process that runs on every car start.

This means that uninstalling openpilot or resetting comma no longer uninstalls the security key.

🎉🎉🎉 Gone are the days of key installation. From now on, just install openpilot and go drive, just like non-TSK users! 🎉🎉🎉

When to do this

You may need to still reinstall the key if

  1. the key was never installed in /cache/params/SecOCKey because you did it the old SSH way and never ran TSK Manager / TSK Keyboard,
  2. the installed key in /cache/params/SecOCKey was deleted, or
  3. you're using an old fork without the auto-key-installer.

Follow this guide to reinstall the key.

Method 1. Use the built-in TSK Manager/TSK Keyboard

Some forks/branches have TSK Manager or TSK Keyboard under Settings.

⚙ > Device > TSK Manager/TSK Keyboard

If it's there, use it to type in your key and install, and then reboot.

Method 2. SSH and install the key to /cache/params/SecOCKey and /data/params/d/SecOCKey files

Redo Step 4B-4. Install the security key & Reboot.

Method 3. Uninstall openpilot, install the key using TSK Manager, and install openpilot

Redo Step 4A. Run the exploit using TSK Manager.

When you get to Step 4A-3, don't run TSK Extractor but instead run TSK Keyboard. Use it to type in your key and install.

Continue to Step 4A-4 and then finish with 4A-5.


Forks

Which Fork Should I Use?

Caution

If you have to ask, you're not ready for forks. Using forks presents a real danger, so do your research and understand what fork you are installing and what it does.

Some forks will brick your C3X.
Most forks are not made for C3X because C3X is less than a year old.

Some forks contain banned code.
Using it will get you banned by the comma.ai company.

Some forks have nudgeless-lane-change.
Simply clicking the turn signal will move your car to the next lane.
Without any checks.
Yes, it will drive into the car next to you.

Some forks play a blood-curdling goat scream at max volume randomly.

Begin your research in Discord #custom-forks

Please do not ask about forks outside of that channel.

If you're new, please start with commaai/master-ci and use it for two weeks. This is the latest official version with only lateral support. This will give you a good baseline to compare the other forks to.

Then familiarize yourself with the communities through Discord for each fork you are looking to install.

If you acknowledge the warning above and are still looking to try a fork that supports TSK, the following are available to install at your own risk. Keep in mind that these are community maintained and may not stay up to date:

Legend:
  Lat: Lateral support
  MADS: AOL / MADS / keep-lat-on-after-brakes
  Long: Longitudinal support

alexandresato/personal3 (a.k.a. SatoPilot)
  Lat: Yes from upstream
  MADS: Yes from community (MADS from Spektor56)
  Long: Yes from community (from chrispypatt)
  Notes:
  • First fork to get long!
  • Very quick stop-and-go response
  • alexandresato/extract_secoc_key_btn includes a TSK key extract button and is rebased on personal3 often.

sunnypilot/master-new (a.k.a. SunnyPilot) - SunnyPilot discord
  Lat: Yes from upstream
  MADS: Yes from community (MADS original author)
  Long: No
  Notes:
  • Model switcher to easily switch between various models

chrispypatt/sunnypilot (fork of SunnyPilot) - SunnyPilot discord
  Lat: Yes from upstream
  MADS: Yes from community (MADS from SP)
  Long: Yes from community (original author)
  Notes - same as sunnypilot/master-new plus:
  • Includes a TSK keyboard with key caching
  • commaai/master and most forks based on it have unstable experimental mode due to the latest model. The model switcher in SP allows you to use old models with stable experimental mode.
  • Maintained as best effort. This may not always be up to date with the latest SunnyPilot. Contact @Chrispypatt for requests to rebase his fork with SunnyPilot's rewrite.

optskug/SiennaFP (fork of FrogPilot) - FrogPilot discord
  Lat: Yes from community (from anrum)
  MADS: Yes from community (AOL from FP)
  Long: No
  Notes:
  • anrum's old fork of FP and first fork to support TSK lateral!
  • Includes a TSK keyboard with key caching
  • Includes auto key installer
  • Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover, and then install again.

Warning

optskug/SiennaFP is the only FrogPilot fork/branch with TSK support. Do not install the latest FP unless FrogGoesMoo confirmed that it supports TSK vehicles.

If you are installing a fork not included in the list above, find the fork author and ask the following. If you can't find the author, don't install the fork.

  1. if it's for C3X
  2. if it supports TSK
  3. if it contains banned code
  4. if there's anything to watch out for

Bounty Statuses

🗳️ comma.ai Vote for Toyota Security

In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; otherwise, all the money is refunded. The current status was shown by an embedded value: Latest Comma Vote Count for Toyota Security ($100 ea.) [2].

Vote counts were reported every week or similar and are recorded in this spreadsheet by the community: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0

The result of this vote, even though it has not met its target, is that a pull request was produced for the RAV4 Prime to be supported in openpilot. It was eventually merged in.

In January, the vote page was taken down. Below is a snapshot.

[image: snapshot of the comma.ai vote page]

The last known vote count from community observations: [embedded value; see footnote 2]

In addition to their vote system, comma also has/had specific bounties up:

👥 Communities Bounty

The overall community bounty has been canceled for numerous reasons:

https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/comment/l6vjf9e/

Original Sheet: https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0

In its place are more specific community bounties:

Pictures of TSK'd and non-TSK'd Camera ECUs

FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Camera of a Corolla or Corolla Hatchback.

2021 Rav4 Prime:

[image: 2021 Rav4 Prime camera ECU]

Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274

2020 Corolla/Corolla Hatchback:

[image: IMG_20200831_164627]

A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA

Current History

Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.

Discord links may be linking to the middle of the conversation. Scroll up and down for context.

Many of these Discord links are to a pre-hidden channel named #toyota-security in the comma.ai Discord. Accessing #toyota-security on comma.ai Discord requires completing the simple prompt in #join-development. Otherwise, it is inaccessible. More often than not, the Discord links are to #toyota-security in the comma.ai Discord, so please complete the prompt.

Most if not all Discord links are to the comma.ai Discord accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:

The activities, actions, and discussions on non-comma.ai Discords are not (or may not be) supported by or affiliated with comma.ai (this may even apply to the comma.ai Discord too). In the case of MoreTorque, comma.ai is strongly opposed to that community/Discord. That said, the ECU Security Key issue affects all, and relevant events and information may be there as well.

Background

For Toyota openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses, as the Supra, a BMW badged as a Toyota, does not count.

Previously seen TSS2 vehicles have had an architecture where both lateral and longitudinal control come from the front-facing camera. openpilot was able to intercept and control both lateral and longitudinal at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps into the CAN bus of the vehicle were needed to control or block messages for this capability.

The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.

Timeline

2013

August 2020

matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4:

October 2020

November 2020

December 2020

January 2021

February 2021

March 2021

April 2021

May 2021

June 2021

July 2021

August 2021

September 2021

October 2021

November 2021

December 2021

January 2022

February 2022

March 2022

April 2022

May 2022

June 2022

July 2022

August 2022

September 2022

October 2022

November 2022

December 2022

January 2023

February 2023

March 2023

April 2023

May 2023

June 2023

July 2023

August 2023

September 2023

October 2023

November 2023

December 2023

January 2024

February 2024

March 2024

  • Major Update from former comma staffer Willem Melching:

    • New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021+ RAV4 Prime. https://icanhack.nl/blog/secoc-key-extraction/

      Research started all the way in 2022, but took many evenings of reverse engineering to get code execution.

      PoC: https://github.com/I-CAN-hack/secoc

      • Extracted the firmware from an ECU, using Fault Injection to bypass the locked debug port.
      • Reverse engineered the application code, to understand how SecOC was implemented and find the location of the keys in RAM.
      • Reverse engineered the bootloader, to understand how the update procedure works and how we can upload and run shellcode.
      • We built a shellcode that extracts the keys from RAM and sends them out over CAN, then reboots the device.
    • It is a long read, but it is exactly why this is such a hard problem and there are some serious hurdles to overcome when it comes to extracting the keys.
    • Some incomplete excerpts of other information:
      • There is a way to extract the SecOC key from the RAV4 Prime without disassembly.
      • During the construction of the payload, a secret key must have been extracted from the firmware in order to upload code to the EPS, run it, and extract the key. This isn't correct secure design, but it lets third parties like comma.ai and I-CAN-hack extract the key by uploading temporary code to the EPS.
      • By not using the "Hardware Security Module" in the firmware, the key can be extracted from memory. Newer cars may use the HSM, which hides the key from memory, and getting the key out from those is an unsolved problem. What are the newer cars is unclear, but the 2023 Corolla Cross they looked at was using the HSM.
    • Some people are looking to get the key from their Rav4 Prime
  • Discord Followups on comma.ai Discord:

  • Willem: "Grab your SecOC key and share a route in #toyota-security and I'll finish the car port for the RAV4 Prime!"

  • There is some discussion on whether it is possible to intercept the key during a re-keying process. (#general)

  • hdoublearp on Discord was able to retrieve their SECOC key with Willem's script.

  • hdoublearp report on his collaboration with Willem

    • "There is some progress on the port, thanks to Willem, lateral is working. Still some missing safety features, but the initial issues with the Prime's new PCM messages are sorted out. Willem had to make some changes to account for gearing difference in the Prime compared to other models. I've sent my latest feedback and test scenarios to him, and will continue working with him on it."

    • hdoublearp posts a video. It is a video of an assisted lane change on a RAV4 Prime, a feature that does not exist on TSS2 but does in openpilot.

      [video: 2619375277588803360.mov]
  • There is still work to figure out some of the new messages.

  • A second RAV4 Prime by @chrispypatt seems to have come online from Willem's work.

April 2024

May 2024

June 2024

July 2024

August 2024

September 2024

October 2024

November 2024

December 2024

January 2025


Footnotes

  1. This is an image of the CAN bus traffic on a RAV4 Prime. The "checksum" for the Lane Keep Assist messages is now very high in entropy, indicative of some sort of signing or encryption being used.

  2. As a shameless plug, do you like those real-time updating embedded values from the Google Spreadsheet up there for the bounty and vote tracker? I made cellshield.info for that and other non-security-key-related uses. Check it out and let me know outside of this discussion if you have any comments!

  3. gregjhogan stated that the first byte of a UDS firmware version is not a bootloader version. https://discord.com/channels/469524606043160576/905950538816978974/1273746993394487376

     The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned.

  4. Speculated from TechInfo lookup. TechInfo lookup is looking at Toyota's Techinfo site (payment required, minimum ~$25) and seeing if replacing the "Object recognition camera" / "Forward recognition camera" requires an ECU Security Key update. https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228
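Putting footnote 3 together with the fingerprinting step (Step 5-2): the first byte of each entry in fingerprints.py is the application count, and each application version that follows is a fixed-width field padded with NUL bytes. The following added example, written for this guide (openpilot has its own fingerprinting code, which this does not reproduce), splits a raw UDS APPLICATION_SOFTWARE_IDENTIFICATION value into its per-application version strings and reports which ECU responses are not in a fingerprint. The RAV4 Prime EPS and camera entries are copied from the fingerprints.py snippet in Step 5-2; the EPS response is constructed. The tuple keys stand in for openpilot's Ecu enum (an assumption), and the equal-width split assumes all fields in one response have the same length, which holds for every value shown in this guide.

```python
def split_fw_versions(raw):
    """Split a raw UDS APPLICATION_SOFTWARE_IDENTIFICATION value into fields.

    Per footnote 3, the first byte is the number of applications reported by
    the ECU, not a version or bootloader number. Assumption for this example:
    the remaining bytes are equal-width fields, one per application.
    """
    if not raw:
        raise ValueError("empty identification value")
    count, body = raw[0], raw[1:]
    if count == 0 or len(body) % count != 0:
        raise ValueError(f"cannot split {len(body)} bytes into {count} applications")
    width = len(body) // count
    return [body[i * width:(i + 1) * width] for i in range(count)]


def fw_version_strings(raw):
    """Human-readable versions: strip the NUL padding and decode as ASCII."""
    return [field.rstrip(b"\x00").decode("ascii", errors="replace")
            for field in split_fw_versions(raw)]


# Subset of the RAV4 Prime fingerprint copied from the guide's fingerprints.py
# snippet. Keys are (ecu name, request address, sub-address); the names stand
# in for openpilot's Ecu enum.
RAV4_PRIME_FINGERPRINT = {
    ("eps", 0x7a1, None): [
        b'\x018965B4233100\x00\x00\x00\x00',
        b'\x018965B4209000\x00\x00\x00\x00',
    ],
    ("fwdCamera", 0x750, 0x6d): [
        b'\x028646F4210100\x00\x00\x00\x008646G3305000\x00\x00\x00\x00',
        b'\x028646F4205200\x00\x00\x00\x008646G4202000\x00\x00\x00\x00',
    ],
}

# Constructed query result: the camera matches, the EPS reports a version
# that is not in the fingerprint yet (the "Car unrecognized" case of Step 5).
CONSTRUCTED_RESPONSES = {
    ("eps", 0x7a1, None): b'\x018965B4509100\x00\x00\x00\x00',
    ("fwdCamera", 0x750, 0x6d): b'\x028646F4210100\x00\x00\x00\x008646G3305000\x00\x00\x00\x00',
}


def unmatched_ecus(fingerprint, responses):
    """One line per ECU whose response is missing or not listed in the fingerprint.
    An empty list means every ECU in the fingerprint matched."""
    problems = []
    for ecu, known in fingerprint.items():
        got = responses.get(ecu)
        if got is None:
            problems.append(f"{ecu[0]}: no response")
        elif got not in known:
            problems.append(f"{ecu[0]}: {'/'.join(fw_version_strings(got))} not in fingerprint")
    return problems


if __name__ == "__main__":
    for ecu, raw in CONSTRUCTED_RESPONSES.items():
        print(ecu[0], fw_version_strings(raw))
    for line in unmatched_ecus(RAV4_PRIME_FINGERPRINT, CONSTRUCTED_RESPONSES):
        print("mismatch ->", line)
```

The lines that unmatched_ecus reports are the byte strings you would add under the matching ECU in fingerprints.py; comparing whole byte strings, as openpilot's fingerprint lists do, is deliberate, since two applications on one ECU form a single entry.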
