openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC

¹

Toyota's Sword in Rock situation (that has been pulled out quite a bit by Willem and Greg!)

²

The comma.ai Discord isn't really a good place to store answers or guidance to questions about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot. Discord's search is terrible, and the content inside of it isn't accessible to search engines. This is an attempt to document some of the discussion and information about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot in a more accessible way.

This document is a bit long, you may want to put its contents into your 🤖 AI assistant of choice, such as ChatGPT, Claude, Gemini, and so on to ask it questions about the contents of this document.

---

Table of Contents

• openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC
  • Background
  • Cars
    • 🟢 Successfully running openpilot
      • Notes
    • 🟡 May be possible to hack but hasn't been tried
    • 🔴 Not hacked and can't run openpilot
    • 🔵 Vehicles not in comma's supported vehicles list
    • Unknown
• Setup Guide
  • Key Extraction
  • Key Installation
  • Advanced Topic: Run the exploit using SSH manually
  • Forks
• Current History

---

Background

tl;dr: Toyota started to use cryptographical signatures to block openpilot (and other hacks). Some smart people in the industry hacked the signatures for some cars, but not all cars. Nobody is known to be working on the issue at the moment.

openpilot, in order to control the latitude (aka. steering), needs to be able to man-in-the-middle the steering control messages used by the lane keep assist system. It blocks the original steering control messages and replaces them with its own. Latitude-controlling messages originally come from the forward-facing camera, which is also known as the "Forward Recognition Camera" or "Object Recognition Camera" in Toyota vehicles. The camera is responsible for the lane keep assist in Toyota vehicles.

There is a STEERING_LKA-ish message and more in some new Toyotas that currently has an "authentication code" scheme appended to the end. The algorithm and security system for this "authentication code" is somewhat known for certain vehicles but requires a key that is unique to each vehicle to be extracted or smuggled out of the vehicle (https://icanhack.nl/blog/secoc-key-extraction/). Not all vehicles are able to have their keys extracted with what is currently known. Without the key for each vehicle, third parties like comma and users cannot control the vehicle. While vehicles that have had their keys smuggled out are currently working with openpilot.

At the moment, nobody is known to be working on the issue beyond what was done by Willem and Greg. Newer vehicles other than the ones on this list are not known to be working with the existing exploits discovered and built by them to dump their keys.

There has been some primordial research on firmware modification to disable the security system, but it is not known if this is possible or not.

Unresolved Mysteries

The following is not comprehensive.

• The exact details of how the process of how Toyota's tools communicate with the vehicle and their servers, and how the key is updated for multiple ECUs is still not fully known or experimented with. A high level overview of the process is known, but not the exact details.
  • Could a simulation of an extraneous "blank" vulnerable ECU into the system be tacked onto the communication with Toyota to extract the key?
  • There's something with Master ECUs and Slave ECUs here.
• The 2023 US made ICE Corolla (VIN starts with 5) is a TSS 3.0 vehicle that does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. No one has come by to show what TSS3 without TSK looks like. One person has come by but they don't have that much time and ... that's it? Just one person, how weird.
• What might a firmware mod approach look like? Is it possible to flash a custom firmware that disables SecOC?

---

Cars

🟢 Successfully running openpilot

These cars can run openpilot but are not listed on https://comma.ai/vehicles#toyota or CARS.md because comma.ai (the company) understandably doesn't want to own the security key hacking process.

If it is on https://comma.ai/vehicles#toyota, then it's not in question and is supported by comma.ai for openpilot.

Follow the Setup Guide below and you'll have it working.

• 2021-2023 RAV4 Prime/PHEV
  • All Trims supported
  • Toyota Harness A
  • Early 2024 MY situation like Early 2024 MY Sienna unknown.
  • The compatibility status of the RAV4 Hybrid is not relevant to the Prime/PHEV. They're different vehicles.
• 2021-2023 Sienna Hybrid (USDM), 2021-2022 Sienna Hybrid (PRC)
  • All Trims supported
  • Toyota Harness A
  • Not applicable to 2023+ Sienna (PRC)
  • Early 2024 MY (Built in 09/23 to 11/23 according to sticker) might work? Currently too few data points to determine cutoff https://discord.com/channels/469524606043160576/905950538816978974/1350659380592513142
    • Check driver door jam to get month and year. It's Month/Year
      • 
    • Working
      • USDM
        • Gako - 10/23
      • PRC
        • aivordin's acquaintance - 03/22
    • Not Working
      • USDM
        • samueljsg - 12/23
        • grb5 - 09/24
      • PRC
        • hl.elias_44035 - 12/22
        • aivordin's acquaintance 2 - 08/23
        • sadmenmen - 04/24
• 2020-2022 Yaris Hybrid (EUDM/JDM/MXDM)
  • All Trims supported
  • Toyota Harness A
  • Dataflash dump hack works as the key is not in the same address as RAV4 Prime in program memory
  • Brute force efforts to find key location successful on both European and Japanese Yaris Hybrid. European user eventually gave up full installation due to unrelated C3 malfunction.
  • I-CAN-hack/secoc#4 - brute force dataflash dump approach
  • First Continental Radar + Camera setup going and thus first radar controlled ACC vehicle done with. This does not mean longitudinal is controlled by openpilot though.
    • Experimental work in disabling the radar has shown this does is not enough to let openpilot control longitudinal.
  • Not sold in the USA, but is in Australia, Japan, and Europe
  • Only one guy using it in Japan, unfortunately. Help double the population!
    • Another vehicle, not a daily driver, but an academic study specimen, has their key dumped in France.
    • ggajoch has dumped their key in Poland and is using it.
• 2021 GR Yaris (EUDM/JDM/MXDM)
  • All Trims supported
  • Toyota Harness A
  • Memory dump hack works but the key is not in the same address as RAV4 Prime.
  • Same hardware as Hybrid Yaris with Continental Radar + Camera
  • Manual Transmission
  • One user in Poland at the moment. lx93.
  • WIP

Notes

• These vehicles have TSS 2.0.
• These vehicles do not use the HSM.
• These all seem to share the commonality of a version 1 bootloader³ ? on the EPS
• Longitudinal
  • Some people seem to have it going. It is a work in progress in getting it upstreamed to comma's codebase.
  • Some Forks have it as an option.
  • Resume command spams still works from existing implementation so stop and go without touching is active if openpilot is active.

🟡 May be possible to hack but hasn't been tried

If you have one of these cars, please stop by the comma Discord's #toyota-security channel - we need more information from people like you.

• 2023 US-made Corolla (VIN starts with 5)
  • Uses TSS 3.0 but does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows. This is still of great interest to the Toyota Security Key / SecOC efforts as it may provide better insight into the TSS 3.0 system without the key complication.
  • Note that this is not the same as the 2023 TMC/JP-made Corolla or the 2024+ Corolla. It happens to be applicable to a single year of US-made Corolla.
• 2021+ Yaris Cross Hybrid (EUDM/JDM/MXDM)
  • Brute force script may work (all guessing), but probably not on 2024+ models. Nobody has tried with earlier models.
• 2022+ GR Yaris (EUDM/JDM/MXDM)
  • Unknown

🔴 Not hacked and can't run openpilot

Car hackers, we need your help with these.

• 2022+ Aygo X (EUDM)⁴
• 2023+ Aygo X (Euro tech info Lookup)
• 2023+ bz4x⁴ (Probably the same for sister rebranded Subaru Solterra)
• 2025+ Camry⁴
• 2023 TMC/JP-made Corolla⁴
• 2022+ Corolla Cross (USDM, not applicable to Thailand or Brazil)⁴
• 2023 Corolla Cross Hybrid
  • TSS 2.0
  • Known to be not working.
  • Memory can be dumped but the key is not in visible memory.
  • Mentioned in Willem's blog post.
• 2024+ Corolla/ Corolla Hybrid, All origins.
• 2023+ Crown
• 2024+ Grand Highlander ICE and Hybrid⁴, 2024 Crown Kluger ICE and Hybrid (PRC, elsewhere?)
• 2024 Highlander ICE and Hybrid,
  • TSS 2.0
  • Known to be not working.
  • Memory can be dumped but the key is not in visible memory.
  • 02 bootloader³
• 2025+ Highlander ICE and Hybrid⁴
• 2024+ Mirai⁴
• 2023+ Prius and Prius Prime/PHEV⁴
• 2024+ RAV4 Prime/PHEV
  • TSS 2.0
  • Key at least not at the same location as other RAV4 Prime
  • Brute force efforts to find key location TBD
  • At least code is executed. Unknown what might have changed.
  • New 02 bootloader³ seen
• 2024+ RAV4 in Europe (techinfo)
• 2023+ Sequoia (Speculated from being a Tundra with an SUV Body)
• 2023+ Sienna (PRC)
• 2024+ Sienna
  • TSS 2.0
  • Key at least not at the same location as other RAV4 Prime
  • Brute force efforts to find key location TBD
  • At least code is executed. Unknown what might have changed.
  • New 02 bootloader³ seen
• 2024+ Tacoma⁴
• 2022+ Tundra (Confirmed in commaai/openpilot#27869 (comment))
  • TSS 2.0
  • No known bootloader³ exploit execution
  • User ThisGuy has an extra rack on the bench. Sent to Willem for further analysis. Uses HSM, possible firmware mod approach to disable SecOC in planning. See July 2025 update below.
  • 04 bootloader³
• 2021+ Venza
  • Key at least not at the same location as the RAV4 Prime
  • Brute force efforts to find key location TBD
  • Has a 02 bootloader³ though from two 2021 samples.
• 2024+ Lexus GX⁴
• 2022+ Lexus LX, NX⁴
• 2023+ Lexus LS⁴
• 2023+ Lexus RX, RZ⁴
• 2024+ Lexus TX⁴

🔵 Vehicles not in comma's supported vehicles list

The following vehicles aren't in comma's supported vehicles list but are known to not have SecOC/TSK.

They may not have been added due to:

• Bugs in the automated process of adding vehicles to the supported vehicle list such as in the case of the 2025 Lexus ES.
• No one has tried it!
• Sometimes no one has tried that specific year and sent in evidential data that comma will accept to put it on the list. This sometimes results in weird year gaps on comma's list even if its other years in the same generation/facelift are supported.
• No development has been done on it.

However, they are confirmed on Toyota Techinfo to not have SecOC/TSK.

With the exception of the 2023 US-made Corolla, these vehicles are not TSK vehicles and might just be a fingerprint away from being supported by openpilot.

• 2023 US-made (VIN starts with 5) Corolla Sedan
  • TSS 3.0
  • No ECU Security Key or SecOC steps when replacing the forward camera.
  • It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows.
  • Likely requires a C3X as it's probably that it uses CAN-FD.
  • Probably not a fingerprint print away.
• 2021 Lexus RC
  • TSS2
  • No TSK
• 2022, 2024-2025 Lexus RC
  • TSS2.5
  • No TSK
  • No one has tried
• 2020 Lexus IS
  • TSS+
  • No one has tried
• 2021 Lexus IS
  • TSS2.5
  • No one has tried
• 2025 Lexus ES Non-Hybrid
  • Seems to have issues being auto-added to comma's supported vehicle list for some reason.

Unknown

If your car is not listed above, then there has been no documented information or attempts. Please talk to us at the comma Discord's #toyota-security channel.

---

Setup Guide

• Key Extraction if you don't know the key.
• Key Installation if you know the key.

Key Extraction

Your car has a security key that Toyota doesn't want you to have.
Follow this guide to run a hardware exploit to extract the key.

Step 1. Install TSK Manager

At home, sitting next to your router, turn on C3X with your phone charger. Ignore the low voltage warning.

Choose Custom Software and enter the URL optskug/tskm

Unplug the power to turn off the device.

Troubleshooting

1. A normal phone or laptop charger works fine. If not, USB A-to-C cables work well, and USB PD (Power Delivery) sometimes doesn't work.
2. Sometimes the installer won't proceed or gets stuck around 10% and restarts. Instead of Custom Software, install comma openpilot, uninstall it through the Settings menu, and then try again.
3. The installation takes about 2 minutes, or ~20 minutes if an OS update is needed. OS update downloads a ton of stuff so don't be too far away from the router.
4. Prefetching may fail if you're in China. The extraction will still work, but you'll have to install commaai/nightly-dev manually instead of using TSK Manager.
5. In some cases the installation gets stuck in "registering device" screen. If this happens, unplug the device to power off, plug it back in, and then tap-tap-tap on the screen as it boots to reset the device. Afterward, install optskug/tskm

Step 2. Install the hardware

Go to your car and connect everything including Comma Power (OBD2 connector + long cable).

Official Setup Guide: https://comma.ai/setup/comma-3x

Turn the car on and off - C3X should remain powered on.

Troubleshooting

1. The car harness sends a 12V signal instead of the usual 5V. Do not plug in anything other than C3X.
2. For connecting C3X to the harness, always use the right-angled OBD-C cable that came with the C3X. comma.ai sells it if you need more: https://comma.ai/shop/obd-c-cable. If you must buy your own, USB-C 3.1 Gen 2 is required.
3. You can remove Comma Power later but connect it for now.

Step 3. Put the car into Not Ready To Drive mode

Slowly press the POWER button twice WITHOUT pressing the brake pedal.

Caution

The 12V battery will die in 10 minutes. Turn off the A/C and never stay on this mode for more than 5 minutes at a time. After 5 minutes, start the engine and leave it running for 5 minutes before trying again.

The 12V battery is not your hybrid driving battery. It doesn't matter that your car is charged to 100%.

THIS IS IMPORTANT! Many people had to jump the car, so I'm telling you. Please listen. Do not stay on this mode for more than 5 minutes.

Troubleshooting

1. Some cars refer to Not Ready To Drive mode as IGNITION ON mode while others refer to it as POWER ON mode. Regardless of what your car calls it, get on the mode that says Not Ready To Drive.
2. The first press turns on ACCESSORY mode. The second press activates Not Ready To Drive mode.
3. Some cars don't have ACCESSORY mode. Doesn't matter - get on the mode that says Not Ready To Drive.

Step 4. Run the exploit using TSK Manager

Note

Your car is going to freak out - it will beep and flash all kinds of errors.

Relax. The exploit is safe to run and can't break your car even if you yank the cable.

Turn off the car, wait one minute, and turn it back on. Everything will be back to normal.

Run TSK Extractor.

Congratulations, you have the key now!

Warning

It's theoretically possible for someone to remotely hack your car with the key under very specific circumstances. You don't need to protect the key like it's your bank password, but still don't post it on Discord.

Sometimes TSK Extractor can't talk to the car. Try again.

Troubleshooting

1. Once extracted, the key is installed in /cache/params/SecOCKey and /data/params/d/SecOCKey files.

2. In rare cases, TSK Extractor may hit an unexpected error.

   

   The exploit is proven to work but TSK Extractor GUI is new. Send @calvinspark a photo and then try again.

3. Run TSK Extractor within 30 seconds of putting the car in Not Ready To Drive mode. If the car stays on that mode for a long time the extractor no longer works.

4. Normally the extraction succeeds on the first try or after the first car restart. If you tried the extractor 3 times for 3 car restarts (=9 times) and still doesn't work, there might be a hardware problem and/or you're doing something wrong. Stop and talk to us in #toyota-security.

Step 5. Install commaai/nightly-dev

Warning

Wherever commaai/nightly-dev is seen, C3 users should instead use Sunnypilot's sunnypilot/staging-c3-new wherever they see commaai/nightly-dev. comma dropped support for the C3 in their codebase. This guide will be getting some updates to reflect this change and an issue has been made to track that.. C3X users should continue with commaai/nightly-dev.

Start your car's engine.

Go to the Reboot Menu and Install commaai/nightly-dev.

commaai/nightly-dev is the only branch from comma.ai with TSK support.

Troubleshooting

1. commaai/nightly-dev is the newest and possibly unstable branch from comma.ai with TSK support.
2. Frustratingly, there isn't a release branch from comma.ai with TSK support.
3. Openpilot won't be able to drive your car if you install a branch without TSK support. See Forks for more information.

Step 6. Calibrate & Clean up

C3X should show the 15mph calibration screen.

If you're able to calibrate and use openpilot to use the steering wheel (aka "lat support"), you can clean up the cables and put the covers back on.

You're done! Congratulations!

• commaai/nightly-dev can't use the gas and brake pedals (aka "long support") on TSK vehicles. Monitor this PR (commaai/opendbc#1385) for long support progress. Experimental mode is also not supported because experimental mode requires long support.

• Comma Power (OBD2 connector + long cable) is optional. It's not necessary for using C3X, but keeping it allows C3X to stay powered on when you turn off the car, which allows you to upload logs and SSH in more easily. If you do this, you'll be in the training set and your specific driving will improve faster than others.

Troubleshooting

1. If you get an LKAS error, either the key was not installed or you're running a fork/branch without TSK support.
2. If C3x says Car unrecognized or Dashcam mode for unsupported car, you need to do Fingerprinting. However, this shouldn't happen anymore. If it does, please talk to us in #toyota-security.
3. The key will change if you get a new bumper because the bumper has distance sensors that use the security key. Instead of applying the existing key to the bumper, they replace the key on all parts of the car. The same goes for many other parts with SecOC components. Even if you never get into an accident, the key can still change if a Toyota service technician presses a wrong button.

Step 7. What's next?

Keep using commaai/nightly-dev

• If there is a hardware problem, you need to be on a branch from comma.ai to get support from the comma.ai company.

• If there is a software problem, you need to be on a branch from comma.ai to get support on comma.ai's Discord. There is a channel for #custom-forks, but it's easier to get support in other channels.

• commaai/nightly-dev updates every day but you don't need to update every day. We hope that comma.ai provides a stable release branch with TSK support, but until then, commaai/nightly-dev is the only official branch with TSK support.

• If everything's working as expected for a week or two, you're done - just keep using it. If you want to tinker more, check out Forks.

Tell us how it went

Did everything go smoothly? Was something not clear? Did you get into a state that's not described in the doc?

Please let us know! We've put in lots of effort into this doc, so even a simple "It worked out well" comment is appreciated.

We're in comma Discord in #toyota-security channel.

Key Installation

You shouldn't need to do this

Modern openpilot and its forks have an auto-key-install process that runs on every car start.

This means that uninstalling openpilot or resetting comma no longer uninstalls the security key.

🎉🎉🎉 Gone are the days of key installation. From now on, just install openpilot and go drive, just like non-TSK users! 🎉🎉🎉

When to do this

You may need to still reinstall the key if

1. your C3 died and you got a new C3X,
2. the key was never installed in /cache/params/SecOCKey because you did it the old SSH way and never ran TSK Manager / TSK Keyboard,
3. the installed key in /cache/params/SecOCKey was deleted, or
4. you're using an old fork without the auto-key-installer.

Follow this guide to reinstall the key.

Method 1. Use the built-in TSK Manager/TSK Keyboard

Some forks/branches have TSK Manager or TSK Keyboard under Settings.

⚙ > Device > TSK Manager/TSK Keyboard

If it's there, use it to type in your key and install, and then reboot.

Method 2. SSH and install the key to /cache/params/SecOCKey and /data/params/d/SecOCKey files

Redo Step 4B-4. Install the security key & Reboot.

Method 3. Uninstall openpilot, install the key using TSK Manager, and install openpilot

Follow Step 1. Install TSK Manager to install TSK Manager via the URL optskug/tskm

No need to go to the car. Run TSK Keyboard. Use it to type in your key and install.

Advanced Topic: Run the exploit using SSH manually

This is how to extract the key manually. Most people can skip this.

---

Forks

Forks may offer additional functionality or changes that comma openpilot may not offer or are unwilling to offer.

You can totally have a good time with comma openpilot without using a fork too. You can also have a better time or a worse time with forks!

Which Fork Should I Use?

Caution

Using forks present a real danger so do your research and understand what fork you are installing and what it does. Do not go down this path without research!

Some forks will brick your C3X.
Some forks may not be made for the current C3X.
comma may make changes to newly produced C3Xs that necessitate always running the newest comma openpilot and forks might brick them.

Some forks contain banned code.
Using it will get you banned from using any comma.ai cloud resource or debugging.
They will not restore access.

Some forks have nudgeless-lane-change.
Simply clicking the turn signal will move your car to the next lane.
Without any checks.
Yes, it will drive into the car next to you.

Some forks play a blood-curdling goat scream at max volume randomly. 🐐

comma will not answer to support you if you're running forks until you restore back to comma openpilot.

Begin your research in comma.ai Discord's #custom-forks. Please do not ask about forks outside of that channel.

For all forks, you should read their README documentation as well.

If you're new, please start with comma openpilot with commaai/nightly-dev and use it for two weeks. This is the same as the latest official version with only lateral support (with TSK support enabled). This will give you a good baseline to compare the other forks to and sort out any issues with the underlying hardware. Additionally, comma will only do/take bug or hardware support with comma openpilot which is critical for this period. The bathtub curve of hardware reliability is very real.

Then familiarize yourself with the communities through Discord for each fork you are looking to install. While the comma Discord may not offer any support for forks outside of basic support in their #custom-forks channel, a fork's Discord communities may or may not offer support for their fork's issues. Do not skip getting familiar with comma openpilot as you should have a basic understanding first.

If you acknowledge the warning above and are still looking to try a fork that supports SecOC/TSK, the following are available to install at your own risk. Keep in mind that this page is community maintained and may not stay up to date so please send in changes/fixes, or notices of any inaccuracies:

Fork	Lat: Lateral support MADS: AOL / MADS / keep-lat-on-after-brakes Long: Longitudinal support
alexandresato/personal3 (a.k.a SatoPilot)	Lat: Yes from upstream MADS: Yes from community (MADS from Spektor56) Long: Yes from community (from chrispypatt) First fork to get long! Very quick stop-and-go response alexandresato/extract_secoc_key_btn includes a TSK key extract button and is rebased with personal3 often.
commaai/nightly-dev	Lat: Yes from upstream MADS: No Long: No Not a fork but an alternate branch from comma.ai with TSK support. Install this if you need support from comma.ai company. They won't talk to you if you're on a fork. Pre-compiled, so quick to install. It has the most up-to-date changes, which is cool, but it could get unstable.
sunnypilot/staging-c3-new (a.k.a sunnypilot) sunnypilot discord	Lat: Yes from upstream MADS: Yes from community (MADS original author) Long: Yes from community (from chrispypatt) Pre-built version of `sunnypilot/master-new` Model switcher to easily switch between various models NNLC: Big steering improvements for '21-23 RAV4 Prime and Sienna Ships the same latest improvements as nightly-dev (with the same risk of breaking on rare occasions).
chrispypatt/frogpilot-r4p (fork of FrogPilot) FrogPilot discord	Lat: Yes from upstream MADS: Yes from community (AOL from FP) Long: Yes from community (original author) chrispypatt's fork with TSK long support. Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover and then install again. ‼️ DO NOT RUN FROGPILOT DEEP STORAGE DELETE. It deletes your security key, and you have to run TSK Manager again. Run it only when you're selling the device.
optskug/SiennaFP (fork of FrogPilot) FrogPilot discord	Lat: Yes from community (from anrum) MADS: Yes from community (AOL from FP) Long: No anrum's old fork of FP and first fork to support TSK lateral! Includes a TSK keyboard with key caching Includes auto key installer Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover and then install again.

If you are installing a fork not included in the list above, find the fork author and ask the following. If you can't find the author, don't install the fork!

1. Is it for the latest C3X?
2. Does it supports SecOC/TSK?
3. Does it contain banned code?
4. Is there anything to watch out for?

---

Bounty Statuses

🗳️ comma.ai Vote for Toyota Security

In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; Otherwise, a refund will happen and all the money is returned. The current status of that was: ² .

Vote counts were reported every week or similar and are recorded in this spreadsheet by the community: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0

The result of this vote, even though it has not met its target cost, is a pull request was produced for the RAV4 Prime to be supported in openpilot. It was eventually merged in.

In January, the vote page was taken down. Below is a snapshot.

The last known vote count from community observations:

²

In addition to their vote system, comma also has/had specific bounties up:

• "$5k if someone cracks it and upstreams RAV4 prime support -geohot (link currently broken)
  • Currently locked to Willem for Willem's PR for the RAV4 Prime to merge in completely: commaai/openpilot#32661 (comment)
  • Likely paid out.
• We're announcing a bounty for the 2023 Corolla, 2023 Corolla Hybrid, and 2023 Prius. $500 for a working port merged.

👥 Communities Bounty

The overall community bounty has been canceled for numerous reasons:

https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/comment/l6vjf9e/

Original Sheet: https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0

Specific Community Bounties

In its place are more specific community bounties:

• Tundra Interest Group
  • "I’ll put up 2k for Tundra alone" - bgill66
    • Scrubbed / User had bumped to $5k but there was no interest. https://discord.com/channels/469524606043160576/905950538816978974/1259282479257485383
• heitikender for RX 2023
  • 1000 2000EUR 3000EUR
  • "I can buy techinfo access and whatever else is needed. Have pics of connectors."
  • Konik.ai Discord link: https://discord.com/channels/1110987393990922322/1355531073353678950/1355531309333614782
  • Raised to 2000 EUR
    • https://discord.com/channels/469524606043160576/1310778132478955540/1367854050103529524
  • Raised to 3000 EUR
    • https://discord.com/channels/469524606043160576/905950538816978974/1368164880489775185
• ecman. for some Lexus RX
  • 1000 USD
  • https://discord.com/channels/469524606043160576/905950538816978974/1374020440711762042

Pictures of TSK'd and non-TSK'd Camera ECUs

FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Camera of a Corolla or Corolla Hatchback.

2021 Rav4 Prime:

Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274

2020 Corolla/Corolla Hatchback:

A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA

Current History

Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.

Discord links may be linking to the middle of the conversation. Scroll up and down for context.

Many of these Discord links are to a pre-hidden channel named #toyota-security in the comma.ai Discord. Accessing #toyota-security on comma.ai Discord requires completing the simple prompt in #join-development. Otherwise, it is inaccessible. More often than not, the Discord links are to #toyota-security in the comma.ai Discord, so please complete the prompt.

Most if not all Discord links are to the comma.ai Discord accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:

• Retropilot (RP): https://discord.gg/GzWegVa.
• Sunnypilot's Openpilot Server (SP): https://discord.gg/TCTvFTKrAV.
• Openpilot Enthusiasts (Formerly "Openpilot community") (OPC): https://discord.gg/rRB7eDKccy
• MoreTorque (MT): https://discord.gg/439DM9KJ4r
• Frogpilot (FP): https://github.com/FrogAi/FrogPilot?tab=readme-ov-file#discord
• Konik.ai (KA): Discord Link on https://konik.ai/
• Car Hacking Village (CHV): https://www.carhackingvillage.com/

The activities, actions, and discussions on non-comma.ai Discords are/may not supported by or affiliated with comma.ai (this may even apply even to the comma.ai Discord too). In the case of MoreTorque, comma.ai is strongly opposed to that community/Discord. That said, the ECU Security Key issues affects all and relevant events and information may be there as well.

Background

For Toyota openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses as the Supra, a BMW badged as a Toyota, does not count.

Previously seen TSS2 vehicles have had an architecture where both latitude and longitudinal are both controlled by the front-facing camera. openpilot was able to intercept and control latitude and longitudinal all at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps in the CAN of the vehicle were needed to control or block messages for this capability.

The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.

Timeline

2013

• IOActive experiments with injecting packets to steer a Prius in a widely disseminated and seminal security assessment. Their research around this time also led to them being able to remotely inject through the radio with a FCA vehicle and cause it to steer. In an unwise move, they demonstrated this in the middle of a busy highway. Anyways, not great.
  • This is way in the past, but it's important to note that even large slow dinosaurs or turtles move and it's been a few years.

August 2020

matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4 :

• The STEERING_LKA CAN message is now 8 bytes in size. Existing TSS2 vehicles had a 5 byte STEERING_LKA CAN message.
  • There is a 4 byte authentication code on the CAN message instead of the simple 1 byte checksum of past Toyotas.
• @nelsonjchen implemented and tried many checksum algorithms to try and create an identical STEERING_LKA message to what was seen in Cabana. None of them worked.
• @nelsonjchen asked around on many Discords and other well-known users for help. No one was able to help.
• @nelsonjchen notices that the "checksum" is the not the same for messages with the same data. It doesn't seem like a checksum. Maybe some other state is kept somewhere?
• The authentication code messages change between ignitions.
• The messages are different between vehicles.
• The same inputs result in different "checksum"/authentication code outputs.
• @nelsonjchen notices that Toyota filed a patent about message authentication on the CAN bus.
• matty#8553 eventually returned the Comma 2 within the trial period.

October 2020

• geohot offers to take a look at a RAV4 Prime in-person if someone makes the drive to San Diego
• aka#2674 starts trying to look at the issue on their own RAV4 Prime. aka#2674 is able to capture some traffic of some sort from Toyota's Techstream diagnostic tool of both the CAN bus kind and the server traffic.

November 2020

• aka#2674 bought another RAV4 Prime camera ($800!) to take a look at and to see how the reprogramming works.
• aka#2674 moved to San Diego area

December 2020

• James-T1 takes a look at ECU Security in Toyota's TechInfo site. The Sienna and Venza are discovered to be additionally affected vehicles.
• Support for the Camry with TSS 2.5 was added around this time. It did not have ECU Security Key. TSS versioning does not appear to be correlated with ECU Security Key presence.

January 2021

• @nelsonjchen makes the bounty spreadsheet in Discord inspired by the recent success of the Honda 10th Gen Accord Bounty.

February 2021

• Willem Melching of comma.ai took a deeper interest and posted on Discord. He is waiting for parts from affected vehicles to show up on part or junkyard sites for bench analysis.
• The NHTSA had posted a PDF from Toyota about ECU Security Key and how to reconnect an ECU replacement such as a camera and so on using ECU Security Key to a vehicle. In summary, Techstream users must connect to the Techstream backend for keys.

March 2021

• TheReaper#0283 posts about looking at the issue as part of his day job. TheReaper#0283's day job appears to be reverse engineering and creating an alternative Yaris GR ECU for racing purposes. A diagram and hint that the ECU Security Key implementation is likely an AUTOSAR implementation is provided along with some guidance as to the architecture of the implementation.
  • 
  • The relevant AUTOSAR documentation the diagram was pulled from is here: https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_SecureOnboardCommunication.pdf
• @nelsonjchen and many others in the #toyota-lexus community decide to create an additional Firmware Dump milestone bounty as it is generally something that appears to be required. We simply do not know the exact details of the authentication system such that even if we capture the key programming commands, we do not know how to use the values.
  • Also known as SecOC.

April 2021

• Mutley#1114 takes an interest in the issue. Mutley#1114 is able to record a CAN log and observe that Toyota Techstream writes a local XML file to the disk with part of the keys before contacting the backend.
• Daniel Farley#9948 brings in a Yaris GR from New Zealand. It has ECU Security Key. Possible offer of some parts from another rally converted Yaris GR for reverse engineering.

May 2021

• ayau#2654 and MD1000#7505 work together to take a look at MD1000#7505's 2021 Sienna. It definitely has ECU Security Key.
• geohot, CEO of comma.ai, adds $5000 to the ECU Security Key bounty with some important clean-room stipulations. The bounty at this point is now about $8000 with $3000 from the non-comma.ai portion of the community.

June 2021

• ayau#2654 discovers a video about an alternative ECU for the Yaris GR. It discusses that the camera doesn't work in this setup. @nelsonjchen suspects it's TheReaper#0283 in the video.

July 2021

• wocsor#0313 takes an interest in the issue and @nelsonjchen briefs him on the situation and current public observations. wocsor#0313 puts out an open offer to affected owners in the ATL area to spend some time to make some observations with his hardware but unfortunately, no one on the spreadsheet is from around the ATL area.
  • We'll message him if and when someone in ATL does appear. Of course, if you have an affected vehicle and are in ATL, please get in contact with us!

August 2021

• Comma 3 is released at comma Con.

  • At the Comma Team Group Chat, Erich, a prominent Toyota community contributor and community Discord moderator, asked about ECU Security Key:

    • Adeeb: I think we'll just look into it a bit and just kind of understand what the scope of the issue was and we just decided this isn't affecting too many cars yet that's not where we're choosing. We've aggressively chosen in the last year or so to not spend time on specific cars

      We've spent almost all of our time doing things that improve everybody's experience with openpilot. Now the comma three's out, maybe we can get back to doing stuff that helps some subset of the users but we've we've really been pushing on the experience that every user sees

      Hotz: I'm counting on the community for that one of you out there we put five thousand dollars of commas hard-earned money up.

• @nelsonjchen writes this timeline: https://github.com/commaai/openpilot/discussions/19932#discussioncomment-1123629

• Tatsuya#9505 discovers an article from a reputable japanese technical publication discussing the use of AES and CMAC to secure ECUs by Toyota in response to attacks as seen on the Prius in 2013. (Archived Link)

• Achilles308#2230 brings up PASTA, a security testbed that was produced by Toyota and a discussion happens over it.

• cferra#1932 points out that the radar module is the same. Some discussion happens on if the radar communication may be authenticated and/or has modes to be in authentication mode.

• Mutley#1114, a leading hunter, elaborates on their attempts and believes that a firmware dump of an involved ECU such as the EPS is the only way to really determine what is going on. Mutley#1114 tried spoofing firmware versions. Unfortunately, Toyota only distributes firmware if there's another public firmware and no firmware is available to download from Toyota. This appeared to still be the case as of August 2021.

• deagle50#5014 asks how a firmware dump might be done. crazysim#7797 gives the best answer he could but he isn't a hunter.

September 2021

• @nelsonjchen asks if aka#2674 may be willing to take pictures of the insides of their spare Rav4 Prime front camera for comparison to a non-ECU Security camera as the exteriors look the same. No immediate response so far.
• EpiJunkie#1220 looked up TechInfo and confirms that the North American Corolla Cross has ECU Security Key
  • In contrast, the Thailand Corolla Cross posts from tape#7233 posted in January 2021 do not mention ECU Security Key and AFAIK, tape#7233's Thai Corolla Cross is working.
• EpiJunkie#1220 lists parts in a Rav4 Prime that are covered underneath ECU Security Key. Theoretically, dumping the firmware for some of these parts would help shed light on how the system works. Bolded are parts involved with OP latitude.
  • ECM
  • Hybrid vehicle control ECU
  • Forward recognition camera
  • No. 2 skid control ECU (brake actuator assembly)
  • Rack and pinion power steering gear assembly
  • Clearance warning ECU assembly
  • Steering sensor
  • Central gateway ECU (network gateway ECU)
  • Combination meter assembly
  • Airbag sensor assembly
• "toyota encryption is a small segment right now. when it comes to corolla or prius we will prioritize" - geohot
• After a small bit of confusion with some jank in Cabana, belm0#9067 determines that the CH-R Hybrid doesn't have ECU Security Key. However, the 2021 Yaris Cross Hybrid does.
• (OPC Discord) kumar#2021 mentions having dumped the Prius EPS firmware with the aid of a local friend in PHX. If the friend were to go for it, @nelsonjchen would have tried to arrange for a affected vehicle to travel to PHX. Unfortunately, the friend declined to help with dumping EPS Firmware from an ECU Security Key vehicle.

October 2021

• EpiJunkie#1220 lists the steps to get first-hand information on if a model has ECU Security Key on the forward recognition camera from TechInfo.
• Regarding offers by comma to take a look at owners of ECU Security Key vehicles in the SoCal area:
  • "it’s been a while, but I believe all the people interested in coming down [to San Diego] weren’t comfortable with something experimental" - adeeb
  • Rez (∩｀-´)⊃━☆ﾟ.*･｡ﾟ#2896 replied interest with some times in SD but no replies were received from comma.
• eggs#7709 looks up the "yaris 2020 hybrid euro model" and it requires an ECU Security Key update when replacing the camera. It is believed that this also applies to the Australian model.
• Ale Sato Brazil SP#5717 tries out OP on a Brazilian Corolla Cross and it works. That model from that region does not have ECU Security Key.
• (OPC Discord) kumar#2021 sees a rather curious message on his head unit. There's an update to improve the Pre-Collision system on his TSS2 Prius?! In TSS2, the camera is very important to PCS. Up to this point, there has not been evidence of a camera update ever happening. If this does involve a camera update, maybe the firmware from the camera can be intercepted. Maybe this issue might affect firmware from an ECU Security Key vehicle as well. Very curious.
  • 
  • (Comma.ai Discord) X-Post to comma.ai Discord. Mutley#1114 acknowledges this curiosity.
• Added @nelsonjchen's firmware dump milestone criteria

November 2021

• geohot creates a #toyota-security channel on Discord and makes a rough plan sketch to try to help the community (this channel is under the Development section of Discord, checkout #join-development if you don't see it):
  1. list all the ECUs that have the security
  2. find out what chips are in those ECUs. ideally we find a dumpable one without any hw security features
  3. dump the firmware!
  4. understand the algorithm/keys doing the encryption. at this point, openpilot will work if it's rekeyed.
  5. if possible, break the crypto. at this point, openpilot will just work
• the comma team does have logs of the pairing process and is able to see some xml stuff with some unknown values labeled M1, M2, M3, and so on
• Somebody on RP Discord claims a friend of theirs has used their OP hardware to crack the system with OP working on their 2021 Venza. They wish to stay anonymous/low at this time. They are not interested in releasing their work but could be interested in releasing it for the bounty amounts to be paid to a charity.
  • "Alright, here is what I understood from our convo. He said the ecu key is really important at lest the way he is doing. Without that ecu cannot community at all so op has no chance of working obviously. So he overwrite the original key with the new key that he generated in online portal. While the key is being sent to the car he does mitm to grab the handshake and duplicate and use that every time he wants to use op(he said something about hash being encrypted not sure what that was all about) . He also said he using using two panda and arduino. Asked him if he is interested in handing over his progress to comma so they can improve and make it better but he said no for now."
  • Added as "Mysterious Stranger" in bounty/interested user spreadsheet.

December 2021

• Somebody cross posts from RP Discord to comma.ai Discord what the RP Discord user and his mysterious friend claims. Lots of doubt as to veracity as other than the small explanation above, previously known info and not much new info or proof of working was shared.
• The RP Discord user with the mysterious friend leaves all OP communities due to harassment.
• MBrownies#7412 orders a 2021 Sienna ECM ECU to try and dump. Seems to have some history in the past of some electronics repair knowledge
  • Pictures
• @nelsonjchen borrowing jokes#4106's TechInfo account sees that the 2022 Toyota Tundra has ECU Security Key on the Forward Recognition Camera
• @nelsonjchen had a talk with wocsor. wocsor has since moved to Colorado. wocsor is still open for taking a look at a ECU Security Key Toyota especially on a weekend. Please hit us up if you're in Colorado.
• MBrownies#7412 starts an attempt to dump the firmware from a 2021 Sienna ECM ECU in #toyota-security.
• MBrownies#7412 says there may be a firmware update for the 2021 Sienna ECM that may be interceptable. IceyJ#0001, the son of a 2021 Sienna owner, appears to be interested in intercepting the firmware with MBrownies#7412's assistance.
• (RP Discord) eRock970#1675 mentions they go through Colorado in their Rav4 Prime to wocsor. wocsor's MITM idea was debunked but he's still game to try something.

January 2022

• Willem Melching from comma.ai posts a 4 part blog post about his own adventures in hacking a VW golf ECU including dumping and reverse engineering it on his own time.
• IceyJ#0001 is planning to work with MBrownies#7412 on dumping something next month. IceyJ#0001 was delayed a bit by sickness and other issues.
• #toyota-security discusses dumping the flash as seen on the LKAS forward camera
• The Rav4 Hybrid 2022 doesn't work out of the box with fingerprinting. At first glance it looks like the radar changed and security key wasn't added.
• (MT Discord) ryleymcc#4808 creates a #toyota channel in MT Discord and posts a request with offer of help/partnership to skilled hardware developers to develop a Toyota Torque Interceptor. When asked if this was a possible alternative to CAN MITM on Security Key Toyotas and referencing this discussion, ryleymcc#4808 claims it would circumvent all the Security Key issues.
  • NOTE: comma.ai strongly disapproves of ryleymcc#4808's work and operations, citing serious safety concerns.
  • This approach would likely not fulfill much of the bounty as it is currently specified as it is unlikely to make it into a release branch.

February 2022

• The Continental Radar on the 2022 Rav4 may indicate a return to Continental for Radars and Cameras. It's possible that some of these ECU Security Key vehicles have Continental Setups and not Denso setups. Further research might need to be done.
• VagueAscent#4842 posts pictures of the internals of a Denso Toyota Security Key Camera. It looks the same as a non-Toyota Security Key camera. This may mean the learnings from practicing dumping of a much cheaper and plentiful non-Security Key Camera may be helpful.
• wocsor#0313 says he heard the Dragonpilot people have cracked ECU Security Key. However, it'll require more hardware and Dragonpilot will be keeping their implentations closed-source.
  • Discussion in #toyota-security. Rumor is two pandas and an arduino.
• zorrobyte#5330 discovers that the Rav4 Prime has the same steering rack as the Rav4 Hybrid. This may mean that the authentication is implemented at the gateway. zorrobyte#5330 suspects the rumored dragonpilot approach may be taking advantage of this and bypassing the gateway.
• MBrownies#7412 says IceyJ#0001, who was going to help try to capture a relevant firmware dump together, has gone MIA.
• wocsor#0313 says that a rack replacement on a Rav4 Prime requires re-keying anyway so maybe the communication here is authenticated anyway. Nevermind.
• IceyJ#0001 returns. He's just been busy with life. Time may be found next weekend.
• zorrobyte#5330 mentions that the key may be able to be force written. This probably means capture without having to swap cameras or something.
• Mutley#1114 re-appears. Will post all info they gathered like key updating, xml, and so on. Asks IceyJ#0001 and MBrownies#7412 to do some logging. Asks if there are FW updates.
• An update is available for "back over protection" and it may be worth capturing.
• Massive Updates on 2022-02-02. Lots of progress all on one day.
• zorrobyte#5330 work on LTA for existing TSS2 vehicles merited a look again at LTA as used on the Rav4 Prime. It doesn't look like it's secured with ECU Security Key! There's no crazy high-entropy checksum. How interesting. This may be a pathway to getting working Latitude or Steering. No work was done for long though.
• In parallel, Mutley#1114 discovered and was able to download the CUW file for a camera update of the 2022 Tundra as the Tundra currently has a recall for the camera due to some issue with the camera causing the parking brake to come on. Unfortunately, the CUW file appears to be obfuscated, at least the binary part. De-obfuscation may still be needed to discover how the signing is done though among other interesting reverse-engineered information. The CUW firmware update for the camera itself is about 34MB.
• Unfortunately, it looks like the obfuscation also applies to the firmware when intercepted over the CAN as well. The camera firmware even though it may be downloaded, may be a dead end.
• MBrownies#7412 doesn't think the LTA command that checks out is at 0x191 on the Prime though.
• @nelsonjchen meets up with matty#8553 to try some stuff. They were not able to disable enough checks in OP to the point that LTA steering mode was attempted. Maybe they'll meet up again. Stock long passthrough appears to work though if we wanted. That means we can probably just focus on lateral and not worry too much about long for now.

March 2022

• aka#2674 reappears again with an offer to Willem of Comma.ai if he visits San Diego sometime to look at his Rav4 Prime.
• share-and-enjoy#7186 confirms that the 2022 Rav4 Prime still has a Denso camera. Note that is not to say a Continental Camera may not have Security Key but a security key version of a Continental Camera was seen on a New Zealand Yaris GR.
• @nelsonjchen is too busy with work to try the LTA thing and doesn't believe Toyota would leave a gaping hole like that open.

April 2022

• "new project ... Rav4 prime EPS" - Greg J Hogan of comma.ai who is experienced with firmware analysis
• "Still alive after surgery :)" - Greg J Hogan of comma.ai takes apart an EPS.
• "[ryleymcc#4808] would ship a free TI to anyone who can use it to work around this ECU security [key] problem."
  • note: it looks like comma deleted this post, see above's "NOTE: comma.ai strongly disapproves of ryleymcc#4808's work and operations, citing serious safety concerns."
• (RP Discord) wocsor#0313 notes that the MCU on the Rav4 Prime EPS Greg posted appears to be off the shelf and purchasable on DigiKey. However, there may be on-chip security that may need to be defeated and he was unable to locate a datasheet for it so far.
• Huge news. TheReaper#0283 has dumped a Yaris Engine ECU as part of their tuning effort.. @nelsonjchen reached out to a few technical fellows on the spreadsheet. If you're a technical fellow, and are interested, please reach out.

May 2022

• No progress on looking at the Yaris Engine ECU.
• geohot has mentioned that if a Lexus with the system were bought for comma.ai, it would be cracked or given back to the community if it isn't cracked in 12 weeks.

June 2022

• The 2023 Corolla has been announced with TSS 3.0 support which may also include adding security key. This may or may not add security key to the Corolla. This might be visible in TechInfo later this summer as 2023 Corollas arrive.
• (RP Discord) The Toyota Sienna Auto-MAAS self driving platform has ECU Security Key on the front camera as well. Of course, no one is going to run OP on that but it's funny to know. It also appears to have a Continental Camera and Radar for PCS.
• The bz4x (and likely its sister the Subaru Solterra) are looked up to have ECU Security Key as well
• geohot produces/announces "Vote for Toyota Security", a more direct way to vote for comma to do Toyota Security. 500 votes of $100 each. Once it reaches the goal and if comma can't accomplish the crack, the money will be refunded.
  • https://www.reddit.com/r/Comma_ai/comments/v8v4jf/vote_for_toyota_security_comma_shop/
  • https://comma.ai/shop/products/vote
  • 
• Le_potato#1107 tries their hand at looking at the key stuff after some success cracking VW checksums. Seems to be somewhat in tune with car hacking and some of the firmware dumps out there. Le_potato#1107 Looking for a firmware dump file.
• Le_potato#1107 has shared the other half of the Yaris GR ECU out there. If you're a technical fellow, and are interested, please reach out.

July 2022

• Comma Vote reaches 42 votes, also known as the answer to life, the universe, and everything.
• Erich#4634 discovers that bulk votes are discounted. Comma/Geohot are amused and replies they will honor the unintentional bulk vote discount.
  • 
• The bulk vote party spreadsheet is launched for bulk votes contingent on some criteria: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=1958149470
  • A new counter/badge is produced along-side as well
  • ²
• geohot: Bulk votes can be bought in blocks of 10.
• CARS.md, an intermediate source file behind https://comma.ai/vehicles or the vehicle compatibility list on comma's site, is updated with a list of Toyota Security Key vehicles. It has not been pushed to comma's site yet as of July 27, but eventually will.
• Toyota posts a video about TSS 3.0. The video description mentions "23 Corolla, 23 Corolla Hatch, 23 Corolla Cross, 23 GR Corolla, 23 Crown, 23 bZ4X". The bZ4X and the Corolla Cross are known released vehicles with Security Key. The others are unknown and as of July 27, 2022, not on TechInfo yet for confirmation.
• Some discussion about how the system works along with a description from AUTOSAR about how a system would work

August 2022

• Thinkpad4by3#7568 has a great explanation of why TSK is not encryption.
• stevenkoh08#8535 in Singapore asks about the 2022 Toyota Noah. It is likely TSS3 and wonders how to check. stevenkoh08#8535 was a Toyota tech in the past. Looking up repair manuals in a non-NA, non-EU vehicle seems to be a bit of a pain and info might be JP only.
• "no one knows! 😦. without any real teardown of the architecture or setup, there's no telling what a TSK OP setup would need to look like."
• The 2023 Camry Hybrid with TSS2.5 does not appear to have Toyota Security Key. Still unknown for 2023 Corolla with TSS3 though.
• "as soon as we hit 500, we'll buy a rav4 prime thinking it'll actually be pretty easy to crack, apparently some of the ECU tuning people already have" "if the base model corolla has toyota security, we'll buy one" " - geohot . a note is also dropped by adeeb about the popularity of the Corolla Cross
• "oh fine. if we get 300 votes by the end of next week, we'll buy a corolla cross." - geohot
  • Probably unrealistic by next week, but just noting this here.

September 2022

• u/Raskinulas posts on the /r/comma_ai subreddit about wanting to support a T/LSS3 vehicle with a Torque Interceptor. Replies are doubts about u/Raskinulas's capabilities but u/Raskinulas claims to have resources and is referred to the torque-interceptor channel in Discord.
• "we will buy a toyota security car when either: a) we get the 500 votes b) security comes to the corolla, prius, or RAV4 " -geohot
• "there's only one way they are refunded: if we hit vote target and can't crack it. btw i'd bet against toyota security coming to the 3 cheap cars, the chips to do it are expensive and rare" -geohot
• The 2023 Corolla is now on Techinfo. No one has seen behind the paywall yet. 🔒 or 🔓 ? 😓
• The 2023 TMC-made/Japan-made Corollas appears to have Security Key. However the TMMMS/US-made ones do not.
• Examples of pre refresh Corollas show Corolla ICE/gas-only sedans of any trim may be made in the US. Some gas-only sedans, hatchback, and hybrids are made in JP.
• gregjhogan praises Ghidra for something related to "security access seed/key functions!" Unknown if this is specifically related to Toyota or another manufacturer. What is known though? Comma is tackling "security access seed/key functions!".

October 2022

• Remote starters with no key do exist on Toyota Security vehicles.
• (RP Discord) In which a crew of people work through RE'ing some firmware on an EPS for their VWs.

November 2022

• Willem Melching formerly of comma posts a picture with "Will it Glitch?" with what appears to be a RAV4 Prime EPS board with many probes on Twitter.
  • Rav4 Prime EPS board previously seen on Greg Hogan's Twitter
• "Yes! Turns out the Renesas RH850/P1M-E is vulnerable to a similar attack as the RX65... ", cont.
  • Cite: https://www.collshade.fr/articles/reneshack/rx_glitch_article.html
  • It appears a firmware dump of a relevant Toyota Security Key ECU has been accomplished. It does not meet my criteria for a firmware dump milestone yet as instructions for reproduction are not all present, but the dump does seem to have been accomplished.
• Willem Melching posts a writeup of how to and what to do to get the firmware dumped.
  • This meets all my criteria for the firmware dump milestone and I am working on collecting and closing the bounty.
• Greg Hogan posts a screenshot of Ghidra presumably looking at the Rav4 Prime EPS Firmware with some already work done and named functions/fields.
• Sent out "Toyota Security Key Firmware Dump Bounty Gathering Letter"
• The new SecOC/Security Key LTA message is discovered to be at 0x131.
• "SecOC message parsing, MAC truncated to 28 bits looks like AUTOSAR SecOC profile 3 (JASPAR)"
• /u/imgeohot (geohot, presumably?) "Literally the only "locked out" car is a small minority of Toyota's. We offered votes for sale, but we didn't sell many. It's not a OMG they are locked out, it's why would we care it's like 5 obscure cars. Will solve when it comes to Corolla or Prius.". (not sure if geohot knows or acknowledges TSK has arrived to Japanese-made Corollas yet.)
• vybhavab#6727 puts down the $20 to look up a batch of cars for 2023. The "Toyota Sequoia" is only offered in Hybrid and it has TSK.

December 2022

• "The SecOC implementation is purely software based and the keys are sitting in RAM. Just need to find a convenient way to get them out." - Melching
  • This is in contrast to geohot claiming that the implementation requires rare chips. All to say, to quote geohot too, if you want to know the truth, you have to hack on it.
• Geohot asked about producing a Flexray Harness: Yea, same as Toyota Security, but harder. If a major car platform switches to flexray that’s probably the only way we’ll do it, but afaik flexray is dying. we support CAN-FD
• adeeb: "23 corolla has secoc?"

January 2023

• "So is looking in there now and unfortunately the procedure for mounting the front camera includes a step 5 that instructs you to update the ecu security key 😒 [for Toyota Aygo X]"
• A comma_ai Twitter Space occured where Comma's Greg talked about TSK for ~10 minutes. Unfortunately, there are no recordings but some recollections.
  • "i think greg said reflashing the ecu to disable security might happen first less desirable and clean"
  • "i asked if secured corolla/prius would mean comma would take action before the vote quota was met. george didn't seem to care too much and that the votes mattered more."
  • "oh, greg mentioned the eps they bought didnt look like it was ever installed in a car lol"
• $480 of the FW Dumping Bounty sent to Willem Melching. Unfortunately, this was less than half of the promised bounty for a firmware dump.. Ko-Fi Link
• "Replace your EPS with one that has never been in a car and the key used for SecOC MAC generation will be 0x11111111111111111111111111111111 openpilot could work as long as you don't re-key, but stock system will not 🤣" -gregjhogan
• 2023 Prius (Standard) has Security Key
• Someone(s) volunteers to try to replace their EPS with a out of the box un-unkey'd EPS to get OP going. Of course, talk is cheap on Twitter and no one can blame that someone if they backout due to cold feet but if it's serious.....
  • The message counterpart for that offer on Discord seems to not be there now.
• The 2023 Corolla Hybrid sold in Brazil still seems to be using Denso and does not have Security Key

February 2023

• salem#4009: Sienna 2021, geohot: "i hear this"
• 2023 Lexus RX Has Security Key
• 2022+ Lexus LX Has Security Key

March 2023

• Shane from comma announces a $500 bounty for the 2023 Corolla, 2023 Corolla Hybrid, and 2023 Prius. $500 for a working port merged.
• A discussion about security key with comma comes up
  • comma believes there are many supportable cars still
  • comma understanding, Rav4 ICE/Hybrid LTA but no TSK, Corolla may be like Rav4 (no ack of JP-made corollas having TSK), Prius: secOC
• The 2023 Lexus ES has security key from looking at the CAN traffic (Retropilot Discord)
• zorrobyte thinks that it's possible to intercept the camera and control things like Ford. It's very late, I doubt he remembers the Toyota architecture and may be projecting. (OP Community Discord)
• An "emergency start" tool is being sold that organized theft rings can use to hijack and steal Toyota Smart Key system cars such as a Rav4 with just prying access to the headlights. ECU Security Key is described as a recommended response to this.
  • Posted in #toyota-security here https://discord.com/channels/469524606043160576/905950538816978974/1092978466720325672
  • Posted in #toyota on RP Discord: https://discord.com/channels/660951518014341124/744908622013661204/1092883580365062297
  • A discussion on Hacker news (some curmudgeon, but interesting nevertheless): https://news.ycombinator.com/item?id=35452963#35458481
• kylekulhanek#2725 offers up their new 2023 JP-built Corolla Hybrid for testing if it has ECU Security Key or not. However, it seems Toyota has changed the connectors. This one has 16 "pins" (not all populated), compared to the older 12 "pin" connector.
  • 
• Hamoud#4585 range-tested the shop and discovered comma actually set a quantity of 500 . trick is, do 1000 quantity for vote, and just subtract the max quantity from 500.
• oremaxis#0107 notes the connector is noted to be physically identical to the harness plug used for Subaru vehicles. oremaxis#0107 physically tests it, but does not start up the (JP?) "Prius MXWH65-AHXHB" (roughly equivalent to a non-PHEV Prius w/e AWD in USDM) since the pinout is different with a Mr. One Subaru harness.
  • 
• A 2023 Tundra was hooked up to a C2 and confirmed to have TSK/SecOC.

April 2023

• @nelsonjchen asks u/LordKing64, a reddit user who produces spreadsheets for those looking to hunt down extremely desirable Toyotas to run a scrape against the ICE 2023 Toyota Corolla to see what percentage of ICE corollas are Japanese-made, which get locked up with TSK.
  • It's a snapshot, assuming that it is generalizable for the ICE Corolla through the rest of the model year.
  • https://docs.google.com/spreadsheets/d/15FaeZggrsoSizcqARb-eJXpbLFqoYUVtk6s_qFFwSXk/edit#gid=0
  • About 1% of ICE Toyotas in the US are produced in Japan across all trims.
  • Note: To date, no one has attempted to port OP to the 2023 ICE US-made Corolla.
• More scrapes from /u/LordKing64 produces this spreadsheet of 2023 Corolla origins. . About a quarter of Corollas (not including GR, have TSK on them).
  • 
• Oof, even more 2023 ICE JP Corollas
  • 

May 2023

• The 2023 US Corolla does have a different connector.
• Saeed Almansoori#9530 says "Congratulations comma.ai, 4 new cars will be included in OpenPilot toyota LC300 2023 toyota sequoia 2023 toyota tundra 2023 Lexus LX600 2023". A baffling comment is made in #toyota-lexus channel. Three of these vehicles are known to have TSK in the US market.

June 2023

• Comma staffer vanillagorilla is looking to build a B harness for Toyota that some newer Toyotas such as the Prius or Corolla may have. Looking for a tester.
  • GH Issue: commaai/openpilot#28402
• circulartofu bought a EPS ECU for an RX to try and dump it for more torque. While this isn't for TSK, this is someone else trying to dump an EPS.

July 2023

• "When Geo was hosting the VC last week I brought up the fact that the new Prius has TSK and he wasn't aware of that, so maybe they'll look into getting a 2023/2024 Prius and start taking a crack at it. Cause Alex [alexm (on Discord)] even said they need a new Prius anyways since their old one is worn out." (SP)
• The Grand Highlander and Grand Highlander Hybrid appear to have Toyota Security Key. Thanks to rap_rep_291 on Discord.
• Users in #toyota-security discuss getting keys from dealerships. The aura is that dealership techs know less than us and it's just an annoying thing to do afterwards.

August 2023

• comma.ai has its periodic social and product convention "comma_con" to announce new products, meet and greet contributors and users, and talk about the future.

  • comma ai | Shipping github.com/commaai/openpilot | Adeeb Shihadeh | COMMA_CON talks | CPO

    [23:49.760 --> 23:52.360]  \[Audience Question\] Which car brands are the easiest to support
    [23:52.360 --> 23:53.360]  and the hardest to support?
    [23:53.360 --> 23:55.600]  \<cut\>
    [23:55.600 --> 23:56.760]  \<cut\>
    [23:59.760 --> 24:03.360]  Adeeb: So easiest to support, this is really changing now, actually.
    [24:03.360 --> 24:06.360]  The software platforms and the cars, at least for the ADAS,
    [24:06.360 --> 24:09.360]  were pretty stable for about like three, four years.
    [24:09.360 --> 24:10.760]  And we did a lot of this initial work
    [24:10.760 --> 24:12.360]  maybe three, four years ago.
    [24:12.360 --> 24:13.760]  And now we're in this cycle where
    [24:13.760 --> 24:15.360]  Honda, Toyota, Honda, Toyota, Honda,
    [24:15.360 --> 24:18.160]  we're in this cycle where Honda, Toyota, Honda, a lot of them
    [24:18.160 --> 24:21.080]  are changing their platforms right at the same time.
    [24:21.080 --> 24:23.720]  So that's the hard part right now,
    [24:23.720 --> 24:25.600]  is we're getting this influx that
    [24:25.600 --> 24:27.960]  are all different right now.
    [24:27.960 --> 24:31.400]  The hardest ones now are the ones that implement the Autosar
    [24:31.400 --> 24:33.160]  secure onboard communication.
    [24:33.160 --> 24:34.560]  We haven't spent much time on it,
    [24:34.560 --> 24:36.320]  but that'll be a little bit of a project.
    [24:36.320 --> 24:39.600]  It just adds more overhead to porting a car.
    

  • Jason Young, a prominent not-comma.ai openpilot community contributor, discusses SecOC as a bad thing to see when attempting to port OP to a new vehicle.

• The Toyota B Harness seen in the 2023 Corolla and the 2023 Prius go on sale in comma's shop after a tester was located.
• rap_rep_291 on Discord discovers that Vector's (A popular CAN Bus Analyzer and debugging tool) tooling may have SecOC "OEM Security Addons" "free of charge" for some OEMs. Toyota is not mentioned specifically though. Vector stuff is $20k though.
• The Lexus UX 2023 2023 are looked up to not have Security Key.
• oremaxis is trying to hook up the Japanese 2023 Prius with the current comma B Harness. There are missing connections and some issues with the harness relays.
• .malachor reports that Toyota is moving to GTS+ away from TechInfo and that there's some sort of capture or key stuff possibly going on with the newer platform as well.
• Toyota B Harness updated with more wires needed/as seen on Prius 2023

September 2023

• celeryferrari on discord dumps a bunch of PDFs of the ECU replacement for the forward camera for Lexuses. Notably, the 2024 Lexus ES doesn't have replace ECU Security Key as a procedure
  • Question follow up to original ES reporter stupefacient on Retropilot

October 2023

• geohot
  • "until the votes are bought [for tsk], i don't care about it"
  • "i care so little about tsk until the votes are sold
• A lexus tuning scene user comes on and asks about the status. No news, but some interest from adjacent fields.
• Apparently there was a firmware update / recall for cameras Corolla and Corolla HV, Corolla Hatchback, Corolla Cross, BZ4X
  • https://static.nhtsa.gov/odi/tsbs/2023/MC-10242520-9999.pdf

November 2023

• Range Check Trick to check vote count no longer works
• A small discussion on that mentions 2023 Toyotas such as a bz4x and 2023 Sienna known to have TSK can have their immobilizers changed by a non-Toyota tool. (OPC Discord)
  • A later discussion comma Discord establishes this as not as big a deal. Adding a key with a key already present is easy.
• Range trick to check votes works again.
• VineTimeLive#2651 paid $25 and looked up a bunch of models after Toyota's paywall. Summary below.
  • Highlander 2024, even though it still has TSS 2.5, got TSK . Not unexpected for it being rather oddly the most change prone.
  • The 2024 Rav4 still does not have TSK.
  • 2024 Lexus TX, has TSK, not big surprise
  • There is no longer a differentiation between JP and US 2024 Corollas for TSK. All 2024 corollas have TSK.
  • The 2023 ES and 2024 ES does not have TSK, contrary to what others may have reported.
• A small discussion on differences between Toyota Dealership and independent shop access re: TSK and Techstream
  • "The local branches don't have the data. Any dealer that wants to swap a secured ECU for repairs has to login through Techstream to get the one specific key for the ECU he is installing at that time. Third party shops have to do the same but they don't even get Techstream Global access. They get case-by-case access if Toyota approves it. (E.g. parts number matching and so forth)"
• A post with a sample of an exchange between Techstream and Toyota servers.
• "interesting how european ecu security key can do offline key writing"

December 2023

• jakethesnake420420 on Discord believes they see a pattern in the checksum?
• this guy's adventure is interesting abeit unfulfilled, to try to RE and hack their tundra instrument cluster
  • https://www.reddit.com/r/embedded/comments/ystc0l/automotive_mcu_instrument_cluster_firmware/ and check user's posts.

January 2024

• Added more vehicles:
  • 2024+ Lexus TX (Speculated from TechInfo lookup)
  • 2024+ Lexus GX (Speculated from TechInfo lookup)
  • 2024+ Tacoma (Speculated from TechInfo lookup)
  • 2024+ Mirai (Speculated from TechInfo lookup)
• Q: I’ll tell my friends, can we spend marketing budget on new Toyota/lexus ecu cracking? :kekw: geohot: no, buy votes
  • https://discord.com/channels/469524606043160576/954493346250887168/1197701819686715462
• Willem: "We got code execution in the bootloader over CAN! Still a few issues to work out though, the main application stops working after a few seconds now. EPS part # is 89650-42370, whole steering rack is 44250-42310. 2021+ Rav4 Prime."
  • Greg: Can anyone help find a Rav4 prime power steering motor from a wrecked vehicle? Some promising things have been found! I want one that was in a car so it has real keys, and something that we have no fear of bricking or physically destroying.
  • Greg: FYI, this means a way to dump the keys over CAN has been found
• geohot asks: What's the most popular car with Toyota security?
  • After looking at Toyota's year end sales reports, @nelsonjchen replies with "the Tundra/Sequoia"
  • Source Spreadsheet: https://docs.google.com/spreadsheets/d/1CWUmOk4rFPWVNqDoz02tPQxp6SLbJsedYQ1fjv6oXAI/edit#gid=0
• A draft pull request to support the 2021 RAV4 Prime is made. It is very early and has shortcomings.
  • It does not have code to dump the keys. Willem is worried it could brick the EPS and it is undertested
  • It does have the the code to calculate new Message Authentication Codes (MACs) for the SecOC messages.
  • Notably, if merged, comma is currently not yet comfortable adding it to the supported cars list.

February 2024

• "I’m working on blog post. Will post that together with the script. (UPDATE: Blog post in March 1)

  The risk is not super high, but it’s very inconvenient if the rack needs to be replaced. In the meantime I’ve tested it on a second rack pulled from a crashed vehicle, and it worked fine." - Willem

  • https://discord.com/channels/469524606043160576/905950538816978974/1205056507973214208

• Comma staffer Shane mentions that comma has determined the Corolla radar to be CAN-FD. While not TSK related, there is info that comma has discovered and not released yet.

  • https://discord.com/channels/469524606043160576/1194100053879558225/1205747241718124544

March 2024

• Major Update from former comma staffer Willem Melching:

  • New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021+ RAV4 Prime. https://icanhack.nl/blog/secoc-key-extraction/

    Research started all the way in 2022, but took many evenings of reverse engineering to get code execution.

    PoC: https://github.com/I-CAN-hack/secoc

  • • Extracted the firmware from an ECU, using Fault Injection to bypass the locked debug port.
    • Reverse engineered the application code, to understand how SecOC was implemented and find the location of the keys in RAM.
    • Reverse engineered the bootloader, to understand how the update procedure works and how we can upload and run shellcode.
    • We built a shellcode that extracts the keys from RAM and sends them out over CAN, then reboots the device.

  • It is a long read, but it is exactly why this is such a hard problem and there are some serious hurdles to overcome when it comes to extracting the keys.
  • An incomplete exerpts of some other information:
    • There is a way to extract the SecOC key from the RAV4 Prime without disassembly.
    • During the construction of the payload, a secret key must have been extracted from the firmware in order to upload code to the EPS, run it, and extract the key. This isn't correct secure design but it lets third parties like comma.ai and I-CAN-hack to extract the key by uploading temporary code to the EPS to extract the key.
    • By not using the "Hardware Security Module" in the firmware, the key can be extracted from memory. Newer cars may use the HSM, which hides the key from memory, and getting the key out from those is an unsolved problem. What are the newer cars is unclear, but the 2023 Corolla Cross they looked at was using the HSM.
  • Some people are looking to get the key from their Rav4 Prime

• Discord Followups on comma.ai Discord:

• Willem: "Grab your SecOC key and share a route in #⁠toyota-security and I'll finish the car port for the RAV4 Prime!"

• There is some discussion on whether it is possible to intercept the key during a re-keying process. (#general)

• hdoublearp on Discord was able to retrieve their SECOC key with Willem's script.

• hdoublearp report on his collaboration with Willem

  • "There is some progress on the port, thanks to Willem, lateral is working. Still some missing safety features, but the initial issues with the Prime’s new PCM messages are sorted out. Willem had to make some changes to account for gearing difference in the Prime compared to other models. I’ve sent my latest feedback and test scenarios to him, and will continue working with him on it.

  • hdoublearp posts a video. It is a video of an assisted lane change on a RAV4 Prime, a feature that does not exist on TSS2 but does in openpilot.

    2619375277588803360.mov

• There is still work to figure out some of the new messages.

• A second RAV4 Prime by @chrispypatt seems to have come online from Willem's work.

April 2024

• Spawahh tries to get the tools working on their bz4x. Things are complicated by CAN-FD and other issues. WIP
• etc6849 tries to run the key extraction script on their Tundra from their C2, but is stopped by the firmware check in the script. Still a hello world! There is some apprehension about bricking, possibly.
• tranlocquy bravely comments out past the firmware check on the SecOC key extraction script and the EPS on their 2021 Sienna survives. And purportedly some sort of key is extracted. After putting in their Sienna's firmware and masquerading as a RAV4 Prime, it appears to work!

  • tranlocquy posts a video of openpilot working on the Sienna.

    IMG_1898.mov

  • Willem: "No way! Didn't expect it to be this easy with the offsets/keys in RAM being in the same place. Checked out the route and dump you sent me, and looks legit!"

• chaechullee with tranlocquy's guidance manages to dump their keys and get it going on their 2022 Sienna.
• As of this time, longitudinal support is still not present.
• Tundra will be attempted soon
• A 4th Sienna key extraction is in progress.
• Siennas apparently have unsecured longitudinal and it "just works"?!
• bgill66 tries to dump the key on the Tundra; no success and christmas lights. A restart of the truck clears up the warnings. Some sort of v4 bootloader was encounted.
• yipstar tries to dump keys on their 2024 toyota highlander, but is unsuccessful; that said, it does seem to execute code.
  • Unfortunately, it does not appear the key is inside the "dataflash" and might be inside the HSM
• willem: "Hopefully ThisGuy can get the bench setup working [for the tundra eps rack]!"
• Longitudinal might actually still be secured on the Sienna. Resume spam might still work, but longitudinal controlled completely by OP isn't

May 2024

• Full longitudinal support for the Rav4 Prime (and probably Sienna) is blocked by a lack of understanding of the gas/brake/acc messages. @nelsonjchen suggests the community get good on how to reverse engineer can bus messages. Worry about the signing later.
• More 2023 Rav4 Primes are known to be working, but there may be some issues with some understandings of the messages.
• dpan9738 tries to dump their key from a 2022 Corolla Cross but is unsuccessful. Checksum verification error... . Unknown if HSM is in 2022 Corolla Cross.
• ThisGuy has successfully wired up their C3 to the new and spare Tundra steering rack on their workbench with Willem's help and guidance. While the keys still aren't able to be dumped, there is connectivity and some response.
• ianik66 tries the script on the 2021 Venza after commenting out some checks but an invalid key is returned. Some proposals are done for a memory-dump search that, while unsuccessful on the Tundra, might be successful on the Venza in locating the changes in memory location for the key. Other suggestions are made to improve this search as well.)
• chrispypatt and tranlocquy have started a thread to look for the ACC_CONTROL equivalent CAN bus message in their Sienna and Rav4 Prime.
  • This is required for "Full longitudinal support" or openpilot actually being able to control gas and brake beyond only spamming auto-resume for automatic stop and go for stuff like slowdowns, experimental mode, or traffic lights.
• Existing key dumping script did not work on 2024 Rav4 Prime. nandrews283 is now trying the brute force method and seeing if it would work. A new bootloader is seen and results have not. Unclear comments from willem.
• Greg and Willem recently spoke at a hardware security conference in Santa Clara, CA about their efforts. A recording is currently not available.

June 2024

• The full support for TSK community bounty is canceled in favor of more focused bounties
• $5k bounty is confirmed to be locked to Willem with the RAV4 Prime
• @nelsonjchen helps GON0822 try to dump the key off their 2022 Yaris Hybrid in Japan. GON0822's English isn't great and it's quite a struggle but GON0822 is preservering. Unfortunately, the key is not located at the same memory address as the RAV4/Sienna. Plans are made for a possible brute force trial though more Western users have not had much success.
• @nelsonjchen misremembers the Venza. Apparently it was bootloader version 2 unlike the RAV4 Prime and Sienna which came out in the same model year. GON0822's Yaris is actually the first bootloader v1 to fail to dump the key.
• According to thehui, the 2024 Sienna fails with the same error as the 2024 RAV4 Prime
• The key from GON0822's 2022 Yaris Hybrid is extracted with a brute-force method. However, dropping in the key into the rav4 prime branch doesn't work for unknown reasons with a forced fingerprint.
• Fixing the key and using a firmware replaced branch doesn't work on GON0822's Yaris Hybrid. Request for assistance
• AleSato comes with with a bunch of suggestions and working latitude is now working on GON0822's Yaris Hybrid! It is the first radar controlled vehicle to work. C3 Gon　Yaris-enc.webm
• Update from Willem on RAV4 Prime port upstreaming: "Regarding the Rav4 prime port, I've been quite busy lately."
• (Longitudinal Support on SecOC/TSK vehicles) Regarding the ACC message, if I remember correctly it's split up into the existing message and 0x177. They moved the actual acceleration command to 0x177 which has a SecOC MAC.

July 2024

• bravo_char has a nice discussion with Willem about SecOC ECUs and that the "Clearance Warning" assembly might be a non-complex ECU to attack for getting the key out. bravo_char is interested in attacking the Tundra Sonar Module as it is only $80 on eBay. Also, Willem says he got a Yaris GR radar, but it is BGA mounted so dumping it was never attempted.
• anrum, a 2023 Rav4 Prime user, announces a porting effort of support to Frogpilot
  • https://github.com/FrogAi/FrogPilot?tab=readme-ov-file#discord
  • https://discord.com/channels/1137853399715549214/1137905508217540699/1264113031365787700 (Frogpilot Discord)
• Willem & Greg's talk on SecOC is posted. "Hardwear.io USA 2024 : My Car, My Keys: Obtaining CAN Bus SecOC Signing Keys - Willem & Greg"
• A discussion with Willem on why intercepting the key from a key updating process may be infeasible.
• anrum announces a successful port of the changes necessary for the 2021-2023 rav4 prime and 2021 sienna to frogpilot
  • Frogpilot Discord link version
• tranlocguy attempts separating out the sienna hybrid properly in a fork of anrum's frogpilot
• A small request to some 2022 Sienna owners to send and post firmware versions
• Some thoughts on part swapping very similar vehicles to rekey a vulnerable part instead, probably just wishful thinking
• European/Italian 2020 Yaris Hybrid's Key successfully dumped. Unfortunately, the C3X was buggy and needs to be returned. If it wasn't though, it might have worked...

August 2024

• A suggestion is made again to try to make a unified patch in a repo for TSK users.
• Willem, Greg, and Robbe wins the DEFCON Car Hacking Village CTF and with it, a Model 3. (X, formerly known as Twitter)
  • "We did it again!!! We got 1st place in the #defcon32 @CarHackVillage CTF. This year we won a Tesla Model 3, and the whole team has their own Black Badge now 😎. @gregjhogan @robbederks"
• META: GitHub discussions have been shuttered in favor of all discussion going on at Discord. . Please link users to https://github.com/optskug/docs/ for the latest news/history from here on out. Unfortunately, there's no way to make old GitHub links redirect so this is the best that can be done. The old link, for reference is: https://github.com/commaai/openpilot/discussions/19932
• gregjhogan clarifies what the first byte of a UDS firmware version is. It's not a bootloader version?
  • "The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned."

September 2024

• 2023 Sienna confirmed to work
• there is some rough renewed interest in fork support such as frogpilot/sunnypilot
• A small debate in openpilot Enthusiasts about the comma vote system (OPC). Would we have gotten this far without it?
• Willem shows up in #toyota-security
  • Asks about TSS3 Toyota Corolla without TSK like the ones made in the USA in 2023. "If somebody makes that port work, I’ll see if I can spend some time on the HSM EPSes. It’s definitely possible to get lateral only on those by just nuking the SecOC checks on the power steering"
  • "If somebody wants to finish the rav4 prime port, feel free to take my code and reopen the PR"
  • "Probably best to start with the panda safety code. It’s all working now, but comma wanted it cleaned up with some config structs like the Chrysler code"
  • "I’m too busy with other projects to work on car ports"
  • "Happy to provide feedback"
• Renewed interest from newer driving models being available re-raises the question of merging in support for TSK vehicles into Frogpilot. anrum, the original first porter to Frogpilot reappears. Since the original port, there has sporadic been semi-one-off Sienna and Rav4 fingerprints but nothing unified or upstreamed and numerous disparent HEADs. (FP Discord)
• Work continues on the Frogpilot TSK support upstreaming.

• comma Discord Sept 25 Developer Meeting notes
  • Jason Young (jyoung8607), a prominent non-comma.ai openpilot contributor and VW openpilot saint, is wanting to work on moving forward Willem's RAV4 Prime work to be rebased atop current comma openpilot with Willem's guidance (pd0wm) while he is visiting comma.ai's office in San Diego on vacation.
  • Approved goal by Adeeb is to have release comma openpilot be able to work with the RAV4 Prime if the key is provided by the user.
  • SecOC Key extraction is outside of the scope of this work though and will not be included. In other words, plug-and-play is not to be expected. The are open to seeing if/any UI or workflow might come from the community on this.
• Jason opens a new draft pull request superceding Willem's pull request: commaai/openpilot#33654
• Produced a user group list of working vehicles and users on Jason's request: https://docs.google.com/spreadsheets/d/1sprUteWtCVH6nQ6JfsmX0liIJ58H4nAVWxtAdorfW4c/edit?gid=0#gid=0
• A mainland China/PRC user with a PRC-built 2022 Sienna comes into the Frogpilot Discord. They are able to extract the key but for whatever reason, can't write "Params". Will followup with prescribed reset. User really only speaks Mandarin so the Frogpilot Discord Frogbot's thread auto-translation bot is used. (FP Discord)
  • Note: They are also using a Mr. One C3 clone since comma doesn't appear to ship to China from their POV for whatever reason. This complicates debugging and upstreaming to comma's branch is impossible for their vehicle.
  • Got it working with Mr One's C3 Clone! (FP Discord)
• Jason has a test branch out for users to try on a new openpilot base. Users may need to reinstall their key. He is looking for reports of successes and failures.
  • "Ready for testers! I have a test branch for you (not the one in the PR) that forces the fingerprint to RAV4 Prime. This means it should work even if you have a Sienna, or a RAV4 Prime with a different fingerprint."
  • gon0822 asks about Yaris Hybrid support. Yaris has a Continental Radar. Jason answers they might finish support for that as well this week.

October 2024

• share-and-enjoy mentions that Stop and Go is working on their hacked branch off of an old Willem's branch in April 2024. This is baffling as it is not supposed to be working. ACC/Automatic Cruise Control messages are supposed to be signed! HOW?

  • Effort is spent to try to preserve and archive share-and-enjoy's very special and self-hacked copy as the git commit reported up to comma does not appear to have prerequsite or necessary changes.
  • share-and-enjoy shares their dirty changes and some shocking/amazing discoveries are made
    • "The only thing I can think of, it's possible you were extremely lucky with openpilotLongitudinalControl and managed to filter the old message which still has [Stop and Go] relevant control bits, and transparent passthrough the new SecOC message with the actual acceleration command."
    • "LOL that's exactly what you managed to do" "You accidentally made partial long control work "
    • The changes are not slated to be merged in but they are at least documented for future follow up work.
    • "Just FYI, yes incode was running the same SnG hack as me from tranlocquy. tranlocquy told me how to do it, and actually did it for incode."
    • "Now, it does NOT stop at red lights or stop signs, but DOES auto-resume from stop with a lead car."

• (Longitudinal Support) Jason posts a PR to document the ACC command to the opendbc repo for SecOC/TSK vehicles. "Toyota: DBC message for SecOC longitudinal control #1337"

• Jason restates the current merge goals and milestones, quoted below:

  1. It won't be in dashcam mode, if there's a correctly saved SecOC key, it'll just work
  2. It will require a non-release branch, just like alpha openpilot longitudinal
  3. It won't appear in comma.ai/vehicles or CARS.md
  4. comma will not ship the key retrieval mechanism, you're on your own for that

• Jason asks for a couple of test route data for automated safety as a prerequisite of getting comma panda (Vehicle Interface) changes relating to safety merged in.

  • GON0822 volunteers and we capture some with Frogpilot's AI Translation bot doing translation duties (FP Discord)
  • "For the stock routes, I've got what I need now"

• The first of the RAV4 Prime support PRs is merged into the car support repository.

  • This was done on the first part of a live stream. There was cake. https://youtube.com/live/ayiIi5hxE38?feature=share
  • commaai/openpilot#33654

• While the RAV4 Prime fingerprint changes are being merged in, the Sienna Fingerprints are not. Another call for Sienna owners to provide their fingerprints.

• Sienna fingerprints / support are merged into opendbc, an openpilot dependency. Will naturally get into openpilot's master branch sooner than later.

• A small discussion about what happens to the code to support this in OP's release configuration. It won't work except on development branches such as master-ci/master and fails cleanly with a clear error.

• Some discussion about producing a key-dumping tool that can be run with the Custom Software input for dumping the key.

• The MY2025 ES300H is one of the few (only so far?) 2025 Lexus vehicles without SecOC/TSK apparently.

• Alexandre N. Sato, Brazil-SP adds to his own personal fork functionality to dump a SecOC key on a compatible vehicle assuming the vehicle is in the correct state. He does not have a SecOC vehicle and its functionality is purely speculative.

  • Confirmed working.

• Longitudinal control is brought up again. "all you people who say you can spell Python and Linux, go add a second copy of the ACC message packer and (for testing) an unconditional transmit allow in Panda for address 0x183 (decimal 387), high chance it'll Just Work" - Jason

• chrispypatt takes on that offer and gives it a try on their 2021 RAV4 Prime. They are able to successfully block the message but generating longitudinal ACC messages isn't working yet.

• chrispypatt gets longitudinal control working on their 2021 RAV4 Prime.

  Ok so I changed the ACC_CONTROL_2’s ACCEL_CMD to match the ACC_CONTROL’s scaling in the dbc. I just manually edited it for now rather than figuring out how the generation works. I can throw my changes up to my fork tonight.

  The good news is it worked 🎉🎉🎉! OP was clearly controlling long. It just doesn’t seem to be fully working. It seemed something was not quite right but I don’t have any experience with OP long so let me know if it is expected when on city streets. Acceleration seemed to not always work, even with no lead car, my rav would not always accelerate up to my set point. Many times I would have to accelerate manually up to the desired speed but then OP would be good about decelerating down for lead cars and stopping at stop lights.

  I also noticed at clear and green light stop lights and when cars were a whole block in front of me OP would decelerate.

  If I came to a complete stop I always had to hit the gas to get going again. Also rolling up to a red light there was some creep where the car would not come to a complete stop until many times I was in the cross walk.

  You can see some of these issues in the attached videos.

• chrispypatt: "The biggest benefit I have seen is coming up on freeway traffic and cars stopped at stoplights deceleration is smooth. With TSS2 it would always wait till last minute and then just slam on the breaks"

• calvinspark had his Sienna repaired after his wife sideswipes it and the key apparently changed. He was able re-dump it though.

  • Willem: Every time a rekey operation is done the key changes. I think there is a sonar/parking sensor that has SecOC because it can press the brake when you’re backing up into something.

November 2024

• domsz06 and calvinspark are attempting to dump the key from a 2024 Prius. It's not expected to work but they want to try the memory brute force script.
  • They are running into issues even getting the firmware versions.
  • Willem - I think the key extract is timing out because of the car being CAN-FD. You need to change a line in the the panda FW to force it back into regular CAN mode for diagnostic communications. See the Bz4x Thread.
    • Bz4X thread: https://discord.com/channels/469524606043160576/1226559486160801823
• alesatobrazilsp and gon0822 determine that the Yaris Hybrid in Japan uses the same acceleration command seen in other Toyotas by looking in Cabana for the CAN BUS data. (FP Discord)
• "disable radar worked in the conti radar of the japanese Yaris (RADAR_ACC car)"
  • NOTE: This was not enough to let openpilot control ACC on the Yaris
• posts pictures of the camera internals for the 2024 Tacoma
• Jason - "Definitely technically possible to back port the work to openpilot 0.8.13.1" (last version of openpilot that supports the comma two and comma two class of devices.)
• Re: openpilot long on R4P and Sienna- Jason: "I don't remember and I'm not in a position to refresh myself right now" "But I haven’t had the time to get back to it to resolve the mutations issue or put more thought into the refactor" [of secOC Long]. The secOC Long support is getting a bit stale.
• por_por.t helps determine on a trip that the EU 2024 RAV4 Hybrid has TSK from looking at the EU equivalent of TechInfo

December 2024

• Users are still working on porting openpilot long, at least to Frogpilot or their own forks/branches for now, in lieu of working tests.
• dstaley determines that the 2025 US RAV4, unlike the EU 2024 RAV4 Hybrid, does not have TSK from looking at TechInfo
• Ale and GON0822 continue work on Yaris Latitude upstreaming (FP Discord)
  • commaai/opendbc#1578
• shiver32 confirms that the 2024-2025 Model Year IS 500 does not have ECU Security Key. A lot of interested IS users come on and don't do things but shiver32 pulled through.
• calvinspark is trying to make a GUI dumping and restoration tool for the key.

January 2025

• calvinspark is talking with sunnypilot developers about his GUI dumping and restoration tool along with integration opportunies and concern. As the sunnypilot fork is one that continuously and properly keeps up with comma's codebase much more frequently than frogpilot, sunnypilot has inherited compatibility and with that, some focus on making the UX for TSK/SecOC users is of great interest. (SP Discord)
• sunnyharbin makes a dedicated channel for the quirks and features needed for sunnypilot support of TSK/SecOC Toyotas (SP Discord)
• satireshepherd was looking for the DBC for a 2024 Corolla or similar. They are the first not ex-comma or comma staff but a community member to have looked at the CANFD traffic on a 2024 Corolla. They are using a comma adapter, but on a Raspberry Pi and CAN-FD shield. Unfortunately, they are the first so there's no precedent and just first mover problems ahead but just noting this here for the log.
• calvinspark creates optskug/tskm, a pre-installation GUI extraction/restoration tool for the SecOC key. He is campaigning to have it in various forks and comma openpilot.
  • The guide is updated to use this manager
• The keyboard integration suggestion for SecOC into comma openpilot is rejected.
• After some discussion, the /cache is identified as a place to store the key. It is looking good that comma openpilot may accept the process of restoring the key from this location as a proposal. While a "third-party" non-comma key extractor must still be run, this is a major good QOL change.
  • The pull request for this change was accepted
• crispypatt is continuing to develop longitudinal support and just recently rebased and worked on safety. (SP Discord)
• calvinspark notices the shop page for comma votes has been taken down. There has been no statement from comma. Perhaps the inclusion of the Sienna and RAV4 Prime qualified?
• satireshepherd is able to dump the memory on their 2024 Corolla's EPS.
• A discussion breaks out about the status of OP longitudinal control and radar parsing on TSK vehicles.
• .lx93: "I just bought a 2021 GR Yaris and am interested in getting my c3 to work with it. i see https://github.com/optskug/docs?tab=readme-ov-file#-may-be-possible-to-hack-but-hasnt-been-tried its possible but no one has done it yet. i will report back once i get my toyota harness to mess around"
• Satire_Shepherd: "A quick update so you guys know I havent given up, I couldnt find an eps on its own but I did find a 2023 Japan Corolla steering column that also goes back to the 2019 corolla, I just wanted something with secoc but not too new, I'm hoping to have some progress soon. If I have some good progress ill see if I can register to the comma hack 5 since I live in the San Diego area."
  • There is some confusion that a SecOC vehicle (2023-2024 Corolla) shares the same EPS part number as a non-SecOC vehicle (2019-2022 Corolla). A theory is brought up that SecOC security only goes up to the "multiplexer" and that traffic after it may be unsecured. This is a theory and no direct observations have been made yet.
• A third GR Yaris shows up in the Discord and some discussion is had about dumping happening from the dataflash vs the RAM.
• Yaris Pull request was reverted as easily it had went in due to test route lacking
  • "I will open a new PR. We need the same route with the same curves at the same speed to improve lateral control by torque to be at least equal to PID." - Ale

February 2025

• "why don't you just wrap the installer? why does the fork even need to know about TSK extraction?". An idea or proposal is made for the community to wrap an installer with an extractor that extracts the key first and then automatically continues installation of a compatible openpilot version for TSK/SecOC.

• "I think the sweet spot branch for upstream TSK users is nightly-dev". A better branch of comma openpilot for initial install is discussed.

  • This change was eventually merged into the guide. #28

• 2401_penitenttangent: "A couple of bZ4X/Soltera owners are looking at replicating Willem's work on an EPS from a bZ4X. The payloads Willem provided work for code execution, but the brute force script was not able to find a key in the RAM dump. They are hoping that by reverse engineering the full firmware we may gain a better understanding of how/where the key is stored.

  We also determined that the pinout for the Toyota B harness is incorrect for our cars. The CAN busses are flipped so the relay ends up on bus 1 instead of bus 0/2. Once the busses are flipped we are able to see the different ECUs and interact with the EPS ECU. I have a feeling the same may be true for all of the TSS3.0 vehicles."

  • https://discord.com/channels/469524606043160576/905950538816978974/1338908891148193903

• martinolium shows up with a 2023 US Corolla, a specific year and model with TSS3 and with no (?) TSK. Does not have a device, but some discussion is conducted on some preparations.

• martinolium: I'll be back here if I get a raise in the next 4 months

• mehrab.shakil comes on and asks for help with a Yaris Cross Hybrid but never responded.

• lx93 proceeds with getting an A harness for Yaris GR port(FP Discord)

March 2025

• Satopilot removed on request from author from listing due to support load.

• gako_41825 reports that they were able to get a key dump on an early 2024 Canadian-spec 2024 Sienna. This is in contrast to earlier failures on other 2024 Siennas.

• warren.2: "I copied TOYOTA_RAV4_TSS2_2022.json to TOYOTA_RAV4_PRIME.json then committed it to a local git branch. Now Developer menu NNLC says Exact match. Subjectively lat is smoother now. I think that means it's working." (SP Discord)

  • The NNLC stuff works for the RAV4 Prime EPS where available. It is similar to the 2020-2021 RAV4 except for the whole security key thing.

• Sunnypilot declares it is open to accepting chrispypatt's longitudinal control work in advance of the pull request being merged or accepted upstream in comma openpilot/opendbc.

• "checking with @Woosa 's 💸 on request. the 2022 and 2023 mirai do not have ⁠toyota-security and the 2024+ still do.

• Some more precise information is recorded for the possible working early MY2024 workings

• 2023 Lexus RC is confirmed to not have TSK. A small discussion results in a section on TSK-less but not in comma's supported vehicle list being added to this document.

• heitikender posts 1000 EUR bounty for 2023 RX on Konik.ai Discord (KA)

• warren.2 - " https://www.renesas.com/en/products/microcontrollers-microprocessors/rh850-automotive-mcus/rh850p1m-e-high-end-automotive-microcontrollers-electronic-power-steering-systems#documents https://www.renesas.com/en/document/eln/end-life-notice-saf-b-24-0011?r=1054236 Add to notes ... the Renesas RH850/P1M-E is the same across both working and not-working cars. The non-working cars still have working payload execution so there is some hope of figuring something out. But see the End of Life document. That gives us a clue as to when the cut-off will be when models move away from this part to something totally unknown."

April 2025

• Yaris support re-merged in from Ale working with GON0822
• "Thanks to @GON0822, "Toyota Security Keyed" vehicles have been confirmed to work in FrogPilot!" - frogsgomoo (FP)
  • This includes the Yaris Hybrid in Japan which at the moment, upstream comma openpilot had removed support for.
• ir0nbyte is able to dump a key from a donated lemon French 2019 Yaris Hybrid MX. It is for academic purposes and not for personal or daily use. This is the 3rd Yaris Hybrid whose key has been dumped.
• Gako, who earlier was able to dump the key from their early 2024 Sienna, is unable to use the dumped key with OP after dumping it with two different methods. There's some weird CAN Bus error that needs to be looked into.
  • Error was due to frogpilot implementation issues currently being cleared up. (FP)
• .lx93 comes back with their GR Yaris attempt. (FP)
  • Able to dump the SecOC key with the dataflash method just like a Yaris Hybrid. Sienna and RAV4 Prime dump does not work.
  • FrogPilot with the vehicle set to the Yaris does not work. Lots of GEAR_PACKET_HYBRID errors which makes sense since this is a ICE 6MT.
  • WIP
• .lx93 is able to get their GR Yaris working. As it is a manual transmission, some changes had to be made and there's some desire and requests for comments of upstreaming. (FP Discord)
  • Some followup in #toyota-security
• SecOC long merged into Sunnypilot
  • This means you will have longitudinal control in master-new and staging-c3-new.
  • reverted soon after: sunnypilot/opendbc#125
  • and unreverted soon after again!
• drumstyx. tries their hand at tackling the Toyota Crown with B harness. Has some issues getting FW version, advised to talk to Bz4x/Solterra people. "aha, good to note. Don't suppose there's anyone working on the Crown...as far as I can tell, this would be the first recorded effort at a crown"
• jamalbrown - "Hey all, does anyone have any CAN recordings of firmware updates for Toyota Instrument Clusters? Specifically 2018+ Models with RH850s are what I'm looking for the most.", "I've followed this and have successfully reversed the majority of the firmware update procedure. I'm now just having trouble with getting code execution for my uploaded code to change the language." (CHV)
  • Ooh, someone else is also dumping the firmware from Toyota ECUs?

May 2025

• heitikender's Lexus RX 2023 bounty raised to 2000 EUR
  • Later raised to 3000 EUR
• heitikender and PenitentTangent are able to get the current exploit for code execution on the 2023 RX but no key is dumped
• RAV4 Prime News: TOYOTA_RAV4_PRIME.json NNLC model gen 1 merged into sunnypilot
  • sunnypilot/sunnypilot#850
• 1000 USD added to Lexus RX 2023 bounty
• geohot comments on CAN BUS encryption/validation in general
  • "Our mission is to solve self driving cars. Aka design software capable of driving a car better than a human. There's plenty of cars that are controllable enough for what we are doing. We don't really care about the encrypted ones. If they all get encrypted, we'll just buy used cars and so can you."
  • "The truth about the whole encryption thing is that it's not even on our priority list, and every time I see more FUD about it I push it even lower."

June 2025

• More comments from geohot
  • "Our mission is solving self driving cars, improving the models and the software. That's where we are focusing the full resources of the team, we just don't care that much about encryption. To comma the AI and driving quality is the interesting problem, the security isn't. Buy a different car, or break the encryption yourself (you have all the tools)."
• hl.elias_44035 is unable to get their Sienna in the PRC working. It was made in December 2022 and is likely a 2023 model.
• Some PRC users discuss some services that offer to re-key. Unfortunately, it still seems that getting a key is not possible, even with some insider Chinese Toyota (FAW) knowledge.
• More NNLC improvements land in SP for RAV4 Prime users.
  • "For these finely tuned NNLC models for Toyota we recommend TR7 model. For reasons we don't understand it seems to be vastly superior than any other model at keeping centered in lane and steering with precision. Nothing else comes close." (SP Discord)
• SoLstun (6duda9) has a 2023 US-made Corolla with a VIN that starts with 5 and may be up for a car port attempt. Unfortunately, they are also busy in July but may be able to assist later.
• geohot: "Remember, our goal is solving self driving cars, not anything else. It's important to stay focused on the mission. Solving Toyota security will not help with the mission, but we strongly encourage the community to solve it."

July 2025

• The 2021 Venza is confirmed to still be using the HSM or updated firmware.
• willem: "Quick update from my side. @ThisGuy sent me a 2022 Tundra EPS to look at. It has a weird redundant architecture with 2x RH850 on the PCB, and the exploit didn't work out of the box. After modifying my scripts a bit I was able to get my exploit to run. Unfortunately it's using the HSM."
  • "But during this process I found that there is a TSB for the 2022 Tundra EPS (T-SB-0069-22). This means you can download a .cuw file (T-0035-22.cuw) containing the firmware."
  • "The most interesting part of this is actually the flash driver that's uploaded before flashing. Having this file will help tremendously if we want to go the route of flashing custom firmware that disables SecOC."
  • "could this easily open the door to other cars? or is it pretty tundra specific from what we know" - spanconstant5
    • "This flash driver should be applicable to all cars"
• calvinspark notices that the Chinese August 2023 PRC Sienna which doesn't work for dumping has an 0x01 app identifier and a 0x02 bootloader identifier.

August 2025

• Apparently the Combonation Meter Assembly or the Instrument cluster on a Corolla Hatchback (All JP Made) isn't covered under security key?
  • Nevermind, it is. Without it, TSS3 won't work.
• ryleymcc, creator of the Mazda Torque Interceptor, discusses a bit about the Toyota Torque Interceptor (MT)
  • The connector for Toyota's EPS was found but unfortunately it is "protected". A 3D printed replacement is needed.
  • The method used on the Mazda Torque Interceptors is non-appliable to Toyota as it is non-linear. Ripping the firmware may be needed to create a lookup table to "linearize" it.
  • "its not too hard to dump it"
• ggajoch works in #dev-toyota-security for their Yaris's Long issues (SP)
• Someone on reddit is documenting meter assembly swapping on Rav4s and there is a private swap of meters for the Rav4 Prime. They cannot share it as "it contains my credentials".
• C3 support is removed from comma's codebase, this means the guide is temporarily unavailable for C3 users.

---

Footnotes

1. This is an image of the CAN BUS traffic on a RAV4 Prime. The "checksum" for the Lane Keep Assist messages are now very high in entropy, indicative of some sort of signing or encryption being used. ↩

2. As a shameless plug, do you like those real-time updating embedded values from the Google Spreadsheet up there for the bounty and vote tracker? I made cellshield.info for that and other non-security key related uses. Check it out and let me know outside of this discussion if you have any comments! ↩ ↩² ↩³ ↩⁴

3. gregjhogan stated that the first byte of a UDS firmware version is not a bootloader version. https://discord.com/channels/469524606043160576/905950538816978974/1273746993394487376

   The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned.

   ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷

4. Speculated from TechInfo lookup. TechInfo lookup is looking at Toyota's Techinfo site (payment required, minimum ~$25) and seeing if replacing the "Object recognition camera" / "Forward recognition camera" requires an ECU Security Key update. https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228 ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷ ↩⁸ ↩⁹ ↩¹⁰ ↩¹¹ ↩¹² ↩¹³ ↩¹⁴ ↩¹⁵