Skip to content
/ docs Public
forked from optskug/docs

Documentation/News/History on openpilot with Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY

0 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

sthompson-celerity/docs

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
archive
archive
 
 
README.md
README.md
 
 

Repository files navigation

openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY

1

Toyota's Sword in Rock situation (that has been pulled out quite a bit by Willem and Greg!)

Background

There is a STEERING_LKA-ish message and more in some new Toyotas that currently has an "authentication code" scheme appended to the end. The algorithm and security system for this "authentication code" is somewhat known for certain vehicles but requires a key that is unique to each vehicle to be extracted or smuggled out of the vehicle. Not all vehicles are able to have their keys extracted with what is currently known.

List of vehicles with Toyota ECU Security Key

Known vehicles with Toyota ECU Security Key on the Forward Recognition Camera of which OP doesn't currently support right now:

  • 2021-2023 RAV4 Prime
    • Known as RAV4 PHEV in non-North American markets
  • 2024 RAV4 Prime
  • 2021+ Venza
  • 2021+ Sienna
  • (EUDM/JDM/MXDM) 2021+ Yaris GR
  • (USDM) 2022+ Corolla Cross (Speculated from TechInfo lookup)
    • Not applicable to Thailand or Brazil.
  • (EUDM/JDM/MXDM) 2021+ Yaris Cross Hybrid
  • (EUDM/JDM/MXDM) 2020+ Yaris Hybrid
  • 2022+ Lexus NX (Speculated from TechInfo lookup)
  • 2022+ Tundra (Confirmed in commaai/openpilot#27869 (comment) )
  • (EUDM) 2022+ Aygo X (Speculated from Toyota Tech EU lookup)
  • 2022+ Lexus LS (Speculated from TechInfo lookup)
  • 2022+ Lexus LX (Speculated from TechInfo lookup)
  • 2023+ Sequoia (Speculated from Being a Tundra With a SUV Body)
  • 2023+ bz4x (Speculated from TechInfo lookup, also probably the same for sister rebranded Subaru Solterra)
  • 2023+ TMC/JP-made Corolla (Speculated from TechInfo lookup)
    • It is also unknown what form, if any amount of TSK there is on US-made 2023 Corollas. Maybe they just don't do the pairing thing but hardcode a key. No one knows.
  • 2024+ Toyota Corolla, All origins.
  • 2023+ Prius and Prius Prime (Speculated from TechInfo lookup)
  • 2023+ Lexus RX (Speculated from TechInfo lookup)
  • 2023+ Aygo X (Euro tech info Lookup).
  • 2023+ Lexus ES (From anecdote in RP Discord's #toyota) Disputed, TechInfo has no signals of TSK, probably safe to say no TSK
  • 2023+ Toyota Crown
  • 2023+ Lexus RZ (Speculated from TechInfo lookup)
  • 2024+ Grand Highlander ICE and Hybrid (Speculated from TechInfo lookup)
  • 2024+ Highlander ICE and Hybrid (Speculated from TechInfo lookup)
  • 2024+ Lexus TX (Speculated from TechInfo lookup)
  • 2024+ Lexus GX (Speculated from TechInfo lookup)
  • 2024+ Tacoma (Speculated from TechInfo lookup)
  • 2024+ Mirai (Speculated from TechInfo lookup)
  • 2024+ Camry (Speculated from TechInfo lookup)
  • And so on.... as any refreshes or new models after 2024 will have ECU Security Key so this list will more or less be just a list of all new Toyotas after 2024.

TechInfo lookup is looking at Toyota's Techinfo site (payment required, minimum ~$25) and seeing if replacing the "Object recognition camera" / "Forward recognition camera" requires an ECU Security Key update. https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228

Setup Guide

For vehicles that do work, here's a very rough guide. Please send in pull requests to fix or amend it.

Based off of share-and-enjoy's and Rez's guide on Discord and previously on the openpilot wiki before it was disabled.

The instructions can and will change and are volatile. Please report and discuss any issues in the #toyota-security channel on the comma.ai Discord. The invite to that discord is at https://discord.comma.ai. Once joined, make sure to answer any prompts you see in the Discord to gain full access. Once that is answered, this link will work to get you to #toyota-security: https://discord.com/channels/469524606043160576/905950538816978974

INSTRUCTIONS STATUS: WIP 🚧

  1. Start off with the installation guide here:

    https://comma.ai/setup/comma-3x

  2. Then once you get your Comma powered up, you'll connect it to your Wi-Fi network.

  3. Install "Custom Software:

    • When it asks you to enter a URL for "Custom Software", first try: https://installer.comma.ai/pd0wm/rav4-prime
    • If you installation hangs and then restarts, try: https://smiskol.com/fork/pd0wm/rav4-prime

  4. Get SSH setup on the device:

  5. Download Willem's secoc GitHub folder:

    • SSH back into your Comma device: 
      ssh comma@"your Comma IP" enter comma for the login
    • Clone the repository: 
      git clone https://github.com/I-CAN-hack/secoc

  6. Kill openpilot:

    • Enter the following command: 
      pkill -f openpilot
    • The Comma should display just the splash screen with the Comma logo.

  7. Put the car into "Ignition on" mode but with "Not Ready to Drive":

    • Slow press the "Power" button twice WITHOUT pressing the brake pedal.
    • PXL_20240718_234619671 MP

  8. Run the extract_keys.py script:

    • Navigate to the secoc directory: 
      cd secoc
    • Run the script: 
      ./extract_keys.py

  9. Edit the script if you get an "Unexpected application version!" error:

    • Open the script for editing: 
      nano -l /data/openpilot/secoc/extract_keys.py
    • Comment out lines 75-77 and 90-92 by adding a # at the beginning of each line: 
      # if app_version not in APPLICATION_VERSIONS:
#    print("Unexpected application version!", app_version)
#    exit(1)
#
# if bl_version != APPLICATION_VERSIONS[app_version]:
#    print("Unexpected bootloader version!", bl_version)
#    exit(1)
    • Save and exit the editor (Ctrl+X, then Y, then Enter).
    • Run the script again: 
      ./extract_keys.py

  10. Manually add the key to params (if needed):

    • Use the following command to manually change the keys: 
      echo -n "your key here" > /data/params/d/SecOCKey

  11. Fingerprinting (if the car is not recognized):

    • Follow the guide on fingerprinting: https://github.com/commaai/openpilot/wiki/Fingerprinting
    • Locate the necessary ECU codes.
    • Add the ECU codes to fingerprints.py: 
      nano /data/openpilot/selfdrive/car/toyota/fingerprints.py
    • Scroll down to the CAR.TOYOTA_RAV4_PRIME section and enter your corresponding ECU codes: 
      },
CAR.TOYOTA_RAV4_PRIME: {
  (Ecu.engine, 0x700, None): [
    b'\x01896634AJ7000\x00\x00\x00\x00',
    b'\x018966342S7000\x00\x00\x00\x00',
  ],
  (Ecu.abs, 0x7b0, None): [
    b'\x01F15264284100\x00\x00\x00\x00',
    b'\x01F15264228300\x00\x00\x00\x00',
  ],
  (Ecu.eps, 0x7a1, None): [
    b'\x018965B4233100\x00\x00\x00\x00',
    b'\x018965B4209000\x00\x00\x00\x00',
  ],
  (Ecu.fwdRadar, 0x750, 0xf): [
    b'\x018821F6201300\x00\x00\x00\x00',
    b'\x018821F3301400\x00\x00\x00\x00',
  ],
  (Ecu.fwdCamera, 0x750, 0x6d): [
    b'\x028646F4210100\x00\x00\x00\x008646G3305000\x00\x00\x00\x00',
    b'\x028646F4205200\x00\x00\x00\x008646G4202000\x00\x00\x00\x00',
  ],

  12. Disable updates

    echo -en "1" > /data/params/d/DisableUpdates

  13. Reboot the device:

    • Enter the reboot command: 
      sudo reboot

  14. Now, you should be ready to go!!!

Support Status Overview

Some vehicles have been attempted to be hacked and some have been successfully hacked and some not.

The status of the vehicles are as follows:

  • Vehicles and Possible Groupings

    • Wave Early Security Key

      • These vehicles do not use the HSM.

      • These all seem to share the commonality of a version 1 bootloader on the EPS

      • Longitudinal

        • A little fragmented. People are making change to their own code. While latitude is clearly controlled, the state of longitudinal is all over the place.
        • Resume command spams still works from existing implementation so stop and go without touching is active if openpilot is active.
        • openpilot can't control gas or brake; no traffic lights or experimental mode. The CAN bus command to control this is currently unknown, but sought.

      • Vehicles

        • 🇹 🇸 🇸 2️⃣ 2021 RAV4 Prime 🟢
          • 2021-2023: Known to be working
          • Flagship vehicle for ECU Security Key efforts
          • Focus of Willem's Pull Request
            • Additional fingerprints added in anrum's frogpilot port.
        • 🇹 🇸 🇸 2️⃣ 2021 Sienna 🟢🟡
          • 2021-2022: Known to be working
          • Key surprisingly at the same location as the RAV4 Prime
          • Community currently hacking it in as a RAV4 Prime. Should really be formally put it in as a Sienna. WIP.
            • tranlocquy's fork of anrum's Frogpilot port has this separated out and fingerprints added for 2021 at least.
        • 🇹 🇸 🇸 2️⃣ 2020-2022 Yaris Hybrid 🟢🟡🟡
          • Key at least not at the same location as the RAV4 Prime
          • Brute force efforts to find key location successful on both Euro and Japanese
          • openpilot working working with heavy hacked out branch
          • First Continental Radar + Camera setup going and thus first radar controlled ACC vehicle done with. This does not mean longitudinal is controlled by openpilot though.
          • Not sold in the USA, but is in Australia, Japan, and Europe

    • Wave HSM?

      • These vehicles don't seem to have a valid key in the memory returned after the exploit payload is run.
      • 🇹 🇸 🇸 3️⃣ 2023 Corolla Cross Hybrid 🔴
        • 2023: Known to be not working. Key not in visible memory. Mentioned in Willem's blog post.
      • 🇹 🇸 🇸 2️⃣ 2024 Toyota Highlander 🔴
        • 2024: Known to be not working. Key not in visible memory.
        • 02 bootloader

    • Wave with newer bootloader? (It's not a bootloader version?)

      • These vehicles don't seem to respond to the current exploit to run arbitrary code to do things like dump memory
      • 🇹 🇸 🇸 2️⃣ 2022 Tundra 🔴
        • No known bootloader exploit execution
        • User ThisGuy has an extra rack on the bench. No known progress.
        • 04 bootloader
      • 🇹 🇸 🇸 2️⃣ 2021 Venza 🟡?🔴?
        • Key at least not at the same location as the RAV4 Prime
        • Brute force efforts to find key location TBD
        • Has a 02 bootloader though from one sample. Strange for this vintage? Maybe another should try.
      • 🇹 🇸 🇸 2️⃣ 2024 Rav4 Prime 🟡?🔴?
        • Key at least not at the same location as other RAV4 Prime
        • Brute force efforts to find key location TBD
        • At least code is executed. Unknown what might have changed.
        • New 02 bootloader seen

    • Notable Unknown

      • 🇹 🇸 🇸 3️⃣ 2023+ Corolla, JP and US origins.
        • While users have come by here and there, none have produced usable engineering info or experiences of note.
        • No one has tried getting things to work on a 2023 US-made Corolla that doesn't appear to have TSK.
      • 🇹 🇸 🇸 2️⃣ 2023+ GR Yaris
        • Seems externally similar to Yaris Hybrid?

Note: 🟢 = Working, 🟡 = WIP, 🔴 = Not Working and sometimes a mix.

Note 2: If it's not listed above, then there has been no documented information or attempts.

It is also unknown what is the status of the approach where we pretend to be an ECU to get the keys in a re-keying situation. This might be an approach that might work for unsupported vehicles. Theoretically anybody could dump the firmware now with the exploit to dump firmware and try to reverse engineer this but no one other than the original researchers have done this.

  • History and such can be found below. The most recent history is at the bottom. If you need to catch up, start from where you left off. Feel free to ask questions in Discord.

Bounty Statuses

🗳️ comma.ai Vote for Toyota Security

In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; Otherwise, a refund will happen and all the money is returned. The current status of that is: Latest Comma Vote Count for Toyota Security ($100 ea.) .

Vote counts are reported every week or similar and are recorded in this spreadsheet by the community: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0

The result of this vote, even though it has not met its milestone, is a pull request was produced for the RAV4 Prime to be supported in openpilot. It is currently developed on-and-off.

comma.ai's Vote for Toyota Security system store/page is located at: https://comma.ai/shop/products/vote

image

Please visit the page and observe what it says for official information.

In addition to their vote system, comma also has specific bounties up:

👥 Communities Bounty

The overall community bounty has been canceled for numerous reasons:

https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/comment/l6vjf9e/

Original Sheet: https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0

In its place are more specific community bounties:

Pictures of TSK'd and non-TSK'd Camera ECUs

FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Camera of a Corolla or Corolla Hatchback.

2021 Rav4 Prime:

image

Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274

2020 Corolla/Corolla Hatchback:

IMG_20200831_164627

A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA

Current History

Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.

Discord links may be linking to the middle of the conversation. Scroll up and down for context.

Many of these Discord links are to a pre-hidden channel named #toyota-security in the comma.ai Discord. Accessing #toyota-security on comma.ai Discord requires completing the simple prompt in #join-development. Otherwise, it is inaccessible. More often than not, the Discord links are to #toyota-security in the comma.ai Discord, so please complete the prompt.

Most if not all Discord links are to the comma.ai Discord accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:

  • Retropilot (RP): https://discord.gg/GzWegVa . This Discord can also be located in the Discord's Public Server Explore/Discover (🧭 icon on left sidebar) as well.
  • Sunnyharbin's Openpilot Server (SP): https://discord.gg/TCTvFTKrAV . This Discord can also be located in the Discord's Public Server Explore/Discover (🧭 icon on left sidebar) as well. In case it's not clear, this is Sunnypilot's home Discord.
  • Openpilot Enthusiasts (Formerly "Openpilot community") (OPC): Ask or look in RP Discord. This Discord can also be located in the Discord's Public Server Explore/Discover (🧭 icon on left sidebar) as well.
  • MoreTorque (MT): Ask or look in OPC or RP Discord
  • Frogpilot (FP): https://github.com/FrogAi/FrogPilot?tab=readme-ov-file#discord

The activities, actions, and discussions on non-comma.ai Discords are/may not supported by or affiliated with comma.ai (this may even apply even to the comma.ai Discord too). In the case of MoreTorque, comma.ai is strongly opposed to that community/Discord. That said, the ECU Security Key issues affects all and relevant events and information may be there as well.

Background

For Toyota Openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses as the Supra, a BMW badged as a Toyota, does not count.

Previously seen TSS2 vehicles have had an architecture where both latitude and longitudinal are both controlled by the front-facing camera. Openpilot was able to intercept and control latitude and longitudinal all at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps in the CAN of the vehicle were needed to control or block messages for this capability.

The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.

Timeline

2013

August 2020

matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4 :

October 2020

November 2020

December 2020

January 2021

February 2021

March 2021

April 2021

May 2021

June 2021

July 2021

August 2021

September 2021

October 2021

November 2021

December 2021

January 2022

February 2022

March 2022

April 2022

May 2022

June 2022

July 2022

August 2022

September 2022

October 2022

November 2022

December 2022

January 2023

February 2023

March 2023

April 2023

May 2023

June 2023

July 2023

August 2023

September 2023

October 2023

November 2023

December 2023

January 2024

February 2024

March 2024

  • Major Update from former comma staffer Willem Melching:

    • New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021+ RAV4 Prime. https://icanhack.nl/blog/secoc-key-extraction/

      Research started all the way in 2022, but took many evenings of reverse engineering to get code execution.

      PoC: https://github.com/I-CAN-hack/secoc

      • Extracted the firmware from an ECU, using Fault Injection to bypass the locked debug port.
      • Reverse engineered the application code, to understand how SecOC was implemented and find the location of the keys in RAM.
      • Reverse engineered the bootloader, to understand how the update procedure works and how we can upload and run shellcode.
      • We built a shellcode that extracts the keys from RAM and sends them out over CAN, then reboots the device.
    • It is a long read, but it is exactly why this is such a hard problem and there are some serious hurdles to overcome when it comes to extracting the keys.
    • An incomplete exerpts of some other information:
      • There is a way to extract the SecOC key from the RAV4 Prime without disassembly.
      • During the construction of the payload, a secret key must have been extracted from the firmware in order to upload code to the EPS, run it, and extract the key. This isn't correct secure design but it lets third parties like comma.ai and I-CAN-hack to extract the key by uploading temporary code to the EPS to extract the key.
      • By not using the "Hardware Security Module" in the firmware, the key can be extracted from memory. Newer cars may use the HSM, which hides the key from memory, and getting the key out from those is an unsolved problem. What are the newer cars is unclear, but the 2023 Corolla Cross they looked at was using the HSM.
    • Some people are looking to get the key from their Rav4 Prime

  • Discord Followups on comma.ai Discord:

  • Willem: "Grab your SecOC key and share a route in #⁠toyota-security and I'll finish the car port for the RAV4 Prime!"

  • There is some discussion on whether it is possible to intercept the key during a re-keying process. (#general)

  • hdoublearp on Discord was able to retrieve their SECOC key with Willem's script.

  • hdoublearp report on his collaboration with Willem

    • "There is some progress on the port, thanks to Willem, lateral is working. Still some missing safety features, but the initial issues with the Prime’s new PCM messages are sorted out. Willem had to make some changes to account for gearing difference in the Prime compared to other models. I’ve sent my latest feedback and test scenarios to him, and will continue working with him on it.

    • hdoublearp posts a video. It is a video of an assisted lane change on a RAV4 Prime, a feature that does not exist on TSS2 but does in openpilot.

      2619375277588803360.mov

  • There is still work to figure out some of the new messages.

  • A second RAV4 Prime by @chrispypatt seems to have come online from Willem's work.

April 2024

May 2024

June 2024

July 2024

August 2024

Footnotes

  1. This is an image of the CAN BUS traffic on a Rav4 Prime. The "checksum" for the Lane Keep Assist messages are now very high in entropy, indicative of some sort of signing or encryption being used.

About

Documentation/News/History on openpilot with Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published