openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY 🔑 / SecOC (e.g. RAV4 Prime/PHEV, 2021+ Sienna, 2021+ Venza, 2020+ Yaris, 2022+ NX, 2022+ Tundra, 2023+ Sequoia, NA Corolla Cross, bZ4X, Solterra, 2023+ JP-made (?) Corollas, ALL 2024+ Corollas, RX 2023+, LX 2022+, Grand Highlander, 2024+ Tacoma, etc.) #19932
-
Edit: History moved to OP so thread gets bumped with every history note update.
-
What I've observed about ECU Security Key

I'm not great at reverse-engineering, but this is what I've seen.

Dec 2023 note: web Cabana has since been removed; you'll need to use desktop Qt Cabana now.

You can get here by going to Comma Connect, clicking on a drive, uploading all log files, and selecting "View in Cabana" after the files are uploaded. Once in Cabana, click
-
🚨 It is data authentication, and encryption isn't used to hide the data. We can see the messages used for lateral control! We just can't make new ones.

"You've got a message you want to send to Bob. In the old cars, Bob didn't know who was sending him letters to his inbox, so he would blindly read anything you sent him. Now Bob is getting suspicious of people that aren't his co-workers sending him messages. He gives all his coworkers a red stamp with a roll of numbers on it. Every time a coworker sends a message, they change the stamp to a new code position, then stamp the envelope with the code. Bob knows what the next code should be. We are trying to send Bob messages without the special stamp, so Bob knows to ignore our letters."
--- Thinkpad4by3#7568 on Discord https://discord.com/channels/469524606043160576/905950538816978974/1012390757832855553

nelson note: this isn't the best analogy, but it gets across the point that the message is readable, but we can't notarize it.
-
FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Key camera of a Corolla or Corolla Hatchback.

2021 Rav4 Prime: Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274

2020 Corolla/Corolla Hatchback: A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA

Looks the same.
-
The criteria have been met. Please get in contact with me if you haven't, to pool the bounty.

Criteria for Firmware Dump milestone

These are my criteria; others may have different criteria. If the goal is claimed to be met and also meets my criteria, I, @nelsonjchen, will try to convince the other bounty offerers for the firmware dump milestone to align their criteria with mine and fulfill their pledge.
A good example of "Enough instructions" and "Videos/Pictures" would be these blog posts regarding hacking/dumping a VW Golf Power Steering ECU: https://blog.willemmelching.nl/carhacking/2022/01/02/vw-part1/
Reverse engineering the security system is not needed. Please don't openly share the copyrighted firmware. The amount of sharing under the second criterion should be just enough, within fair use, to show that the firmware dump has been accomplished and that it can be reproduced. Also, if the system is cracked without the firmware dump, consider this firmware dump milestone met too.
-
Buy a vote for $100 if you want the Comma Team to crack Toyota security!
-
Hello everyone, regarding the Toyota security topic: they've implemented a MAC (Message Authentication Code) from AUTOSAR. If you have any questions, please feel free to contact me directly.
-
Willing to test out commands on a Tundra 2023 i-Force Max. I don't own any comma hardware, but I have a Mini-VCI cable as well as the dealer software that allows changing settings per vehicle (on top of the ELM327 and an MCP2515). Don't know if this would help, but I'd like to contribute to get this rolling in any way possible 👍
-
Toyota's Sword in Rock situation
🗳️ comma.ai's "Vote for Toyota Security"
👥 Known Bounties
📃 Background/Wiki with a list of affected vehicles:
Link to the Wiki Page: https://github.com/commaai/openpilot/wiki/Toyota-Lexus#2021-toyota-ecu-security-key-support-new-steering_lka--more
Status Overview
Attempts have been made to hack some vehicles; some have been successfully hacked and some have not.
The status of the vehicles is as follows:
2021 RAV4 Prime 🟢 (TSS2)
2021 Sienna 🟢🟡 (TSS2)
2021 Venza 🟡?🔴? (TSS2)
2024 RAV4 Prime 🟡?🔴? (TSS2)
2023 Corolla Cross Hybrid 🔴 (TSS3)
2024 Toyota Highlander 🔴 (TSS2)
2022 Tundra 🔴 (TSS2)
Note: 🟢 = Working, 🟡 = WIP, 🔴 = Not Working, and sometimes a mix.
It is also unknown what the status is of the approach where we pretend to be an ECU to get the keys in a re-keying situation. This might be an approach that works for unsupported vehicles. Theoretically anybody could dump the firmware now with the exploit to dump firmware and try to reverse engineer this, but no one other than the original researchers has done this.
There are currently two running types of initiatives for tackling the issue: 🗳️ comma vote and 👥 community bounty.
🗳️ comma.ai Vote for Toyota Security
Greg Hogan of comma.ai was disassembling and looking at the RAV4 Prime EPS as of April 2022, but also had other reverse-engineering projects on his docket, such as the Hyundai IONIQ 5 / Kia EV6 rear radars. https://twitter.com/gregjhogan/status/1512171907608576013
In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; otherwise, a refund will happen and all the money is returned. The current status of that is:
In September 2022, geohot announced that if Security comes to the Corolla, Prius, or RAV4, they'll purchase the vehicle and begin a formal attempt at it. TSK has since come to JP-made Corollas and the 2023 Prius; there has been no comment, but there has been some light action in that comma has produced new harnesses to connect to these. For 2024, all Corollas have TSK, but still no comment.
It is suspected that the 2023 Corollas made in Japan have Security Key and the 2023 US-made Corollas do not. Corollas made in Japan may be exported to the US, and many examples of J-prefixed VINs of 2023 Corollas in the US can be found online. There has been no comment on this speculation from looking up TechInfo. However, comma has produced a new harness for the connector found in these vehicles, but as yet there has been no port of openpilot to either the US or JP version. In late 2023, looking up TechInfo seemed to indicate that 2024+ JP and US Corollas have harmonized on Security Key; they both have "Update ECU Security Key" in their repair instructions.
In November 2022, Willem Melching, who used to be "Head of Openpilot" at comma.ai (LinkedIn says they aren't at comma.ai anymore), appeared to be looking at the Rav4 Prime EPS ECU that Greg Hogan had performed surgery on and attempting to dump its firmware. The dump was successful and the procedure to do so was well documented. It is unknown what the current relationship between Melching and comma.ai is, but presumably, having comma.ai's RAV4 Prime EPS is a sign of a positive partnership and relationship. Later, Hogan posted a screenshot from a disassembled Rav4 Prime EPS firmware.
2 years later, in January 2024, they appeared to be able to execute code on the EPS and extract keys and were looking for test subject parts.
Soon after, a pull request was produced for the RAV4 Prime to be supported in openpilot. It is currently in a very early stage.
comma.ai's Vote for Toyota Security system store/page is located at: https://comma.ai/shop/products/vote
Please visit the page and observe what it says for more information.
Vote counts are reported every week or similar and are recorded in this spreadsheet by the community:
https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0
Bulk votes in blocks of 10+ get a 15% discount. A sheet was launched to organize and create bulk vote parties and their contingencies who may want to do a bulk vote that's even larger. The minimum for an entry on this sheet is 10 votes.
https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=1958149470
👥 Community Bounty
Substantial progress was made by Willem Melching, who used to be "Head of Openpilot" at comma.ai (LinkedIn says they aren't at comma.ai anymore).
In November 2022, Melching appeared to be looking at the Rav4 Prime EPS ECU that Greg Hogan had performed surgery on and attempting to dump its firmware. The dump was successful and the procedure to perform the dump was well documented. As this met all the milestones of the firmware dump bounty with the requisite documentation, efforts are underway to collect on this part of the bounty.
Further bounties may be made for the community (non-comma and non-Melching) to repeat the feat, as more ECUs would likely need to be dumped. Reproducibility and decentralization are extremely important and should not be siloed. The work beyond this on understanding and supporting ECU SECURITY KEY vehicles is still in progress; however, as no one has reproduced the dump Melching performed, progress is inherently limited and might suffer the same malaise that FlexRay has, with no progress from the community.
Additionally, with only ~39% of the first firmware bounty collected and the rest absconded, it is a bit unknown what the future of the full bounty might be. Will still record entries though.
Community Bounty/Tracker Spreadsheet on Google Sheets:
https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0
Even if you're not contributing to the bounty, having an entry in the spreadsheet with a rough location and your model would be extremely helpful. It helps show demand, and a possible local hunter may desire some local helpers or vehicles to compare to.
The bounty was split into two very important milestones identified so far: Firmware Dump and Total Openpilot support. As the firmware dump milestone was achieved, there may be more milestones for other ECUs that may need to be dumped to retrieve their keys.
The milestone for the firmware dump, which was completed, is here:
#19932 (comment)
Total openpilot support's milestone is support making it into a "release" branch of openpilot.
Individual bounties may have other or more criteria such as being able to run on the Comma Two and so on.
This conversation is about anything and all related to ECU Security Key used in Toyotas starting from the 2021 model year.
Current History
Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.
Discord links may be linking to the middle of the conversation. Scroll up and down for context.
Many of these Discord links are to a pre-hidden channel named #toyota-security in the comma.ai Discord. Accessing #toyota-security on the comma.ai Discord requires completing the simple prompt in #join-development. Otherwise, it is inaccessible. More often than not, the Discord links are to #toyota-security in the comma.ai Discord, so please complete the prompt.
Most if not all Discord links are to the comma.ai Discord, accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:
The activities, actions, and discussions on non-comma.ai Discords are not, or may not be, supported by or affiliated with comma.ai (this may even apply to the comma.ai Discord too). In the case of MT, comma.ai is strongly opposed to that Discord. That said, the ECU Security Key issue affects all, and relevant events and information may be there as well.
Background
For Toyota Openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses, as the Supra, a BMW badged as a Toyota, does not count.
Previously seen TSS2 vehicles have had an architecture where both lateral and longitudinal control are handled by the front-facing camera. Openpilot was able to intercept and control lateral and longitudinal all at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps into the CAN of the vehicle were needed to control or block messages for this capability.
The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.
Timeline
2013
August 2020
matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4:
The STEERING_LKA CAN message is now 8 bytes in size. Existing TSS2 vehicles had a 5-byte STEERING_LKA CAN message.
STEERING_LKA message to what was seen in Cabana. None of them worked.
October 2020
November 2020
December 2020
January 2021
February 2021
March 2021
April 2021
May 2021
June 2021
July 2021
August 2021
Comma 3 is released at Comma Con.
Adeeb: I think we'll just look into it a bit and just kind of understand what the scope of the issue was and we just decided this isn't affecting too many cars yet that's not where we're choosing. We've aggressively chosen in the last year or so to not spend time on specific cars
We've spent almost all of our time doing things that improve everybody's experience with openpilot.
Now the comma three's out, maybe we can get back to doing stuff that helps some subset of the users but we've we've really been pushing on the experience that every user sees
Hotz: I'm counting on the community for that one, one of you out there. We put five thousand dollars of comma's hard-earned money up.
@nelsonjchen writes this timeline: openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY 🔑 / SecOC (e.g. RAV4 Prime/PHEV, 2021+ Sienna, 2021+ Venza, 2020+ Yaris, 2022+ NX, 2022+ Tundra, 2023+ Sequoia, NA Corolla Cross, bZ4X, Solterra, 2023+ JP-made (?) Corollas, ALL 2024+ Corollas, RX 2023+, LX 2022+, Grand Highlander, 2024+ Tacoma, etc.) #19932 (comment)
Tatsuya#9505 discovers an article from a reputable Japanese technical publication discussing the use of AES and CMAC to secure ECUs by Toyota in response to attacks as seen on the Prius in 2013. (Archived Link)
Achilles308#2230 brings up PASTA, a security testbed that was produced by Toyota and a discussion happens over it.
cferra#1932 points out that the radar module is the same. Some discussion happens on if the radar communication may be authenticated and/or has modes to be in authentication mode.
Mutley#1114, a leading hunter, elaborates on their attempts and believes that a firmware dump of an involved ECU such as the EPS is the only way to really determine what is going on. Mutley#1114 tried spoofing firmware versions. Unfortunately, Toyota only distributes firmware if there's another public firmware and no firmware is available to download from Toyota. This appeared to still be the case as of August 2021.
deagle50#5014 asks how a firmware dump might be done. crazysim#7797 gives the best answer he could but he isn't a hunter.
September 2021
mentions having dumped the Prius EPS firmware with the aid of a local friend in PHX. If the friend were to go for it, @nelsonjchen would have tried to arrange for an affected vehicle to travel to PHX. Unfortunately, the friend declined to help with dumping EPS firmware from an ECU Security Key vehicle.
October 2021
replied interest with some times in SD but no replies were received from comma.
November 2021
#toyota-security channel on Discord and makes a rough plan sketch to try to help the community (this channel is under the Development section of Discord; check out #join-development if you don't see it):
December 2021
January 2022
February 2022
and MBrownies#7412 to do some logging. Asks if there are FW updates.
March 2022
April 2022
May 2022
June 2022
July 2022
CARS.md, an intermediate source file behind https://comma.ai/vehicles (the vehicle compatibility list on comma's site), is updated with a list of Toyota Security Key vehicles. It has not been pushed to comma's site yet as of July 27, but eventually will be.
August 2022
"thinking it'll actually be pretty easy to crack, apparently some of the ECU tuning people already have" / "if the base model corolla has toyota security, we'll buy one" - geohot. A note is also dropped by adeeb about the popularity of the Corolla Cross.
September 2022
"btw i'd bet against toyota security coming to the 3 cheap cars, the chips to do it are expensive and rare" - geohot
October 2022
November 2022
0x131.
December 2022
January 2023
February 2023
March 2023
trick is, do 1000 quantity for vote, and just subtract the max quantity from 500.
April 2023
May 2023
June 2023
July 2023
August 2023
comma ai | Shipping github.com/commaai/openpilot | Adeeb Shihadeh | COMMA_CON talks | CPO
[23:49.760 --> 23:52.360] [Audience Question] Which car brands are the easiest to support
[23:52.360 --> 23:53.360] and the hardest to support?
[23:53.360 --> 23:55.600] <cut>
[23:55.600 --> 23:56.760] <cut>
[23:59.760 --> 24:03.360] Adeeb: So easiest to support, this is really changing now, actually.
[24:03.360 --> 24:06.360] The software platforms and the cars, at least for the ADAS,
[24:06.360 --> 24:09.360] were pretty stable for about like three, four years.
[24:09.360 --> 24:10.760] And we did a lot of this initial work
[24:10.760 --> 24:12.360] maybe three, four years ago.
[24:12.360 --> 24:13.760] And now we're in this cycle where
[24:13.760 --> 24:15.360] Honda, Toyota, Honda, Toyota, Honda,
[24:15.360 --> 24:18.160] we're in this cycle where Honda, Toyota, Honda, a lot of them
[24:18.160 --> 24:21.080] are changing their platforms right at the same time.
[24:21.080 --> 24:23.720] So that's the hard part right now,
[24:23.720 --> 24:25.600] is we're getting this influx that
[24:25.600 --> 24:27.960] are all different right now.
[24:27.960 --> 24:31.400] The hardest ones now are the ones that implement the Autosar
[24:31.400 --> 24:33.160] secure onboard communication.
[24:33.160 --> 24:34.560] We haven't spent much time on it,
[24:34.560 --> 24:36.320] but that'll be a little bit of a project.
[24:36.320 --> 24:39.600] It just adds more overhead to porting a car.
Jason Young (a major non-comma.ai openpilot contributor) discusses SecOC as a bad thing to see when attempting to port OP to a new vehicle.
September 2023
October 2023
November 2023
December 2023
January 2024
February 2024
"I’m working on blog post. Will post that together with the script. (UPDATE: Blog post in March 1)
The risk is not super high, but it’s very inconvenient if the rack needs to be replaced. In the meantime I’ve tested it on a second rack pulled from a crashed vehicle, and it worked fine." - Willem
Comma staffer Shane mentions that comma has determined the Corolla radar to be CAN-FD. While not TSK related, there is info that comma has discovered and not released yet.
March 2024
Major Update from former comma staffer Willem Melching:
Discord Followups on comma.ai Discord:
Willem: "Grab your SecOC key and share a route in #toyota-security and I'll finish the car port for the RAV4 Prime!"
There is some discussion on whether it is possible to intercept the key during a re-keying process. (#general)
hdoublearp on Discord was able to retrieve their SECOC key with Willem's script.
hdoublearp reports on his collaboration with Willem:
"There is some progress on the port, thanks to Willem, lateral is working. Still some missing safety features, but the initial issues with the Prime’s new PCM messages are sorted out. Willem had to make some changes to account for gearing difference in the Prime compared to other models. I’ve sent my latest feedback and test scenarios to him, and will continue working with him on it."
hdoublearp posts a video. It is a video of an assisted lane change on a RAV4 Prime, a feature that does not exist on TSS2 but does in openpilot.
There is still work to figure out some of the new messages.
A second RAV4 Prime by @chrispypatt seems to have come online from Willem's work.
April 2024
tranlocquy posts a video of openpilot working on the Sienna.
Willem: "No way! Didn't expect it to be this easy with the offsets/keys in RAM being in the same place. Checked out the route and dump you sent me, and looks legit!"
May 2024
ACC_CONTROL equivalent CAN bus message in their Sienna and Rav4 Prime.
June 2024
Footnotes
This is an image of the CAN bus traffic on a Rav4 Prime. The "checksum" for the Lane Keep Assist messages is now very high in entropy, indicative of some sort of signing or encryption being used.
As a shameless plug, do you like those real-time updating embedded values from the Google Spreadsheet up there for the bounty and vote tracker? I made cellshield.info for that and other non-security-key-related uses. Check it out and let me know outside of this discussion if you have any comments!