├── .gitignore
├── README.md
├── archive
    ├── auth_not_enc.md
    ├── can_bus.md
    ├── dump_milestone.md
    ├── rav4_prime_replace_rack.md
    └── sienna_replace_rack.md
└── img
    ├── v2.nrtd1.jpg
    ├── v2.nrtd2.jpg
    ├── v2.settings-keyboard.jpg
    ├── v3.calibrate.jpg
    ├── v3.ext-known.jpg
    ├── v3.ext-success.jpg
    ├── v3.ext-unknown.jpg
    ├── v3.tsk-keyboard.jpg
    ├── v3.tsk-manager.home.jpg
    ├── v3.tsk-manager.incar.jpg
    ├── v4.install.1.jpg
    ├── v4.install.2.jpg
    └── v4.reboot.jpg


/.gitignore:
--------------------------------------------------------------------------------
1 | /.idea/
2 | .DS_Store
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
   1 | # openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC
   2 | 
   3 | ![](https://user-images.githubusercontent.com/5363/91650158-ed5f5880-ea30-11ea-9b07-6e3dca7f8f83.gif)[^1]
   4 | 
   5 | [*Toyota's Sword in Rock situation*](https://store.steampowered.com/app/1865370/The_one_who_pulls_out_the_sword_will_be_crowned_king/) (that has been pulled out [quite a bit by Willem and Greg](https://icanhack.nl/blog/secoc-key-extraction/)!)
   6 | 
   7 | [![](https://shields.io/endpoint?url=https%3A%2F%2Fcellshield.info%2Fgs%3FspreadSheetId%3D1sprUteWtCVH6nQ6JfsmX0liIJ58H4nAVWxtAdorfW4c%26cellRange%3DA1)](https://docs.google.com/spreadsheets/d/1sprUteWtCVH6nQ6JfsmX0liIJ58H4nAVWxtAdorfW4c/edit#gid=0&range=A1)[^2]
   8 | 
   9 | ---
  10 | 
  11 | ## Table of Contents
  12 | 
  13 | * [openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC](#openpilotetc-on-toyotalexussubaru-with-tskecu-security-keysecoc)
  14 |    * [Background](#background)
  15 |    * [Cars](#cars)
  16 |       * [🟢 Successfully running openpilot](#-successfully-running-openpilot)
  17 |          * [Notes](#notes)
  18 |       * [🟡 May be possible to hack but hasn't been tried](#-may-be-possible-to-hack-but-hasnt-been-tried)
  19 |       * [🔴 Not hacked and can't run openpilot](#-not-hacked-and-cant-run-openpilot)
  20 |       * [🔵 Vehicles not in comma's supported vehicles list](#-vehicles-not-in-commas-supported-vehicles-list)
  21 |       * [Unknown](#unknown)
  22 | * [Setup Guide](#setup-guide)
  23 |    * [Key Extraction](#key-extraction)
  24 |    * [Key Installation](#key-installation)
  25 |    * [Advanced Topic: Run the exploit using SSH manually](#advanced-topic-run-the-exploit-using-ssh-manually)
  26 |    * [Forks](#forks)
  27 | * [Current History](#current-history)
  28 | 
  29 | ---
  30 | 
  31 | ## Background
  32 | 
  33 | tl;dr: Toyota started to use cryptographical signatures to block openpilot (and other hacks). Some smart people in the industry hacked the signatures for _some_ cars, but not all cars.
  34 | 
  35 | openpilot, in order to control the steering or latitude, needs to be able to man-in-the-middle the steering control messages used by the lane keep assist system. It blocks the original steering control messages and replaces them with its own. Messages originally come from the forward-facing camera, which is also known as the "Forward Recognition Camera" or "Object Recognition Camera" in Toyota vehicles. The camera is responsible for the lane keep assist in Toyota vehicles.
  36 | 
  37 | There is a `STEERING_LKA`-ish message and more in some new Toyotas that currently has an "authentication code" scheme appended to the end. The algorithm and security system for this "authentication code" is somewhat known for certain vehicles but requires a key that is unique to each vehicle to be extracted or smuggled out of the vehicle (https://icanhack.nl/blog/secoc-key-extraction/). Not all vehicles are able to have their keys extracted with what is currently known. Without the key or knowledge of the system, third parties like comma and users cannot control the vehicle. While vehicles that have had their keys smuggled out are currently working with openpilot.
  38 | 
  39 | ### Unresolved Mysteries
  40 | 
  41 | The following is not comprehensive.
  42 | 
  43 | * The exact details of how the process of how Toyota's tools communicate with the vehicle and their servers, and how the key is updated for multiple ECUs is still not fully known or experimented with. A high level overview of the process is known, but not the exact details.
  44 |   * Could a simulation of an extraneous "blank" vulnerable ECU into the system be tacked onto the communication with Toyota to extract the key?
  45 |   * There's something with Master ECUs and Slave ECUs here.
  46 | * The 2023 US made ICE Corolla (VIN starts with `5`) is a TSS 3.0 vehicle that does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. No one has come by to show what TSS3 without TSK looks like. It's not a rare vehicle so it's quite unknown why no one has come by yet.
  47 | 
  48 | ---
  49 | 
  50 | ## Cars
  51 | 
  52 | ### 🟢 Successfully running openpilot
  53 | 
  54 | These cars can run openpilot but are not listed on https://comma.ai/vehicles or [CARS.md](https://github.com/commaai/openpilot/blob/master/docs/CARS.md) because comma.ai (the company) understandably doesn't want to own the security key hacking process. Follow the [Setup Guide](#setup-guide) below and you'll have it working.
  55 | 
  56 | * 2021-2023 RAV4 Prime
  57 |   * All Trims supported
  58 |   * Toyota Harness A
  59 |   * Early 2024 MY situation like Early 2024 MY Sienna unknown.
  60 |   * The compatibility status of the RAV4 Hybrid is not relevant to the Prime/PHEV. They're different vehicles.
  61 | * 2021-2023 Sienna Hybrid
  62 |   * All Trims supported
  63 |   * Toyota Harness A
  64 |   * Not applicable to 2023+ Sienna (PRC)
  65 |   * Early 2024 MY might work? Currently too few data points to determine cutoff
  66 |     https://discord.com/channels/469524606043160576/905950538816978974/1350659380592513142
  67 |     * Check driver door jam to get month and year. It's Month/Year
  68 |       * ![20250316_201239](https://github.com/user-attachments/assets/1ebd4643-5774-409f-9c15-0e170864b480)
  69 |     * Working
  70 |       * Gako - 10/23
  71 |     * Not Working
  72 |       * samueljsg - 12/23
  73 |       * [sadmenmen (Sienna made in PRC)](https://discord.com/channels/469524606043160576/905950538816978974/1362613104206151932) - 04/24
  74 |       * grb5 - 09/24
  75 | * 2020-2022 Yaris Hybrid (EUDM/JDM/MXDM)
  76 |   * All Trims supported
  77 |   * Toyota Harness A
  78 |   * Dataflash dump hack works as the key is not in the same address as RAV4 Prime in program memory
  79 |   * Brute force efforts to find key location successful on both European and Japanese Yaris Hybrid. European user eventually gave up full installation due to unrelated C3 malfunction.
  80 |   * https://github.com/I-CAN-hack/secoc/pull/4 - brute force dataflash dump approach
  81 |   * First Continental Radar + Camera setup going and thus first radar controlled ACC vehicle done with. This does not mean longitudinal is controlled by openpilot though.
  82 |     * Experimental work in disabling the radar has shown this does is not enough to let openpilot control longitudinal.
  83 |   * Not sold in the USA, but is in Australia, Japan, and Europe
  84 |   * Only one guy using it in Japan, unfortunately. Help double the population!
  85 |     * Another vehicle, not a daily driver, but an academic study specimen, has their key dumped in France.
  86 | * 2021 GR Yaris (EUDM/JDM/MXDM)
  87 |   * All Trims supported
  88 |   * Toyota Harness A
  89 |   * Memory dump hack works but the key is not in the same address as RAV4 Prime.
  90 |   * Same hardware as Hybrid Yaris with Continental Radar + Camera
  91 |   * Manual Transmission
  92 |   * One user in Poland at the moment. lx93.
  93 |   * WIP
  94 | 
  95 | #### Notes
  96 | 
  97 | * These vehicles have TSS 2.0.
  98 | * These vehicles do not use the HSM.
  99 | * These all seem to share the commonality of a ~~version 1 bootloader~~[^4] ? on the EPS
 100 | * Longitudinal
 101 |   * Some people seem to have it going. It is a [work in progress in getting it upstreamed to comma's codebase](https://github.com/commaai/opendbc/pull/1385).
 102 |   * Resume command spams still works from existing implementation so stop and go without touching is active if openpilot is active.
 103 | 
 104 | ### 🟡 May be possible to hack but hasn't been tried
 105 | 
 106 | If you have one of these cars, please stop by the [comma Discord](https://discord.comma.ai)'s #toyota-security channel - we need more information from people like you.
 107 | 
 108 | * 2023 US-made Corolla (VIN starts with `5`)
 109 |   * Uses TSS 3.0 but does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows. This is still of great interest to the Toyota Security Key / SecOC efforts as it may provide better insight into the TSS 3.0 system without the key complication.
 110 |   * Note that this is not the same as the 2023 TMC/JP-made Corolla or the 2024+ Corolla. It happens to be applicable to a single year of US-made Corolla.
 111 | * 2021+ Yaris Cross Hybrid (EUDM/JDM/MXDM)
 112 |   * Brute force script may work.
 113 | * 2022+ GR Yaris (EUDM/JDM/MXDM)
 114 |   * Unknown
 115 | 
 116 | ### 🔴 Not hacked and can't run openpilot
 117 | 
 118 | Car hackers, we need your help with these.
 119 | 
 120 | * 2022+ Aygo X (EUDM)[^3]
 121 | * 2023+ Aygo X (Euro tech info Lookup)
 122 | * 2023+ bz4x[^3] (Probably the same for sister rebranded Subaru Solterra)
 123 | * 2025+ Camry[^3]
 124 | * 2023 TMC/JP-made Corolla[^3]
 125 | * 2022+ Corolla Cross (USDM, not applicable to Thailand or Brazil)[^3]
 126 | * 2023 Corolla Cross Hybrid
 127 |   * TSS 2.0
 128 |   * Known to be not working.
 129 |   * Memory can be dumped but the key is not in visible memory.
 130 |   * Mentioned in Willem's blog post.
 131 | * 2024+ Corolla, All origins.
 132 | * 2023+ Crown
 133 | * 2024+ Grand Highlander ICE and Hybrid[^3]
 134 | * 2024 Highlander ICE and Hybrid
 135 |   * TSS 2.0
 136 |   * Known to be not working.
 137 |   * Memory can be dumped but the key is not in visible memory.
 138 |   * 02 ~~bootloader~~[^4]
 139 | * 2025+ Highlander ICE and Hybrid[^3]
 140 | * 2024+ Mirai[^3]
 141 | * 2023+ Prius and Prius Prime/PHEV[^3]
 142 | * 2024+ RAV4 Prime/PHEV
 143 |   * TSS 2.0
 144 |   * Key at least not at the same location as other RAV4 Prime
 145 |   * Brute force efforts to find key location TBD
 146 |   * At least code is executed. Unknown what might have changed.
 147 |   * New 02 ~~bootloader~~[^4] seen
 148 | * 2024+ RAV4 in Europe (techinfo)
 149 | * 2023+ Sequoia (Speculated from being a Tundra with an SUV Body)
 150 | * 2023+ Sienna (PRC)
 151 | * 2024+ Sienna
 152 |   * TSS 2.0
 153 |   * Key at least not at the same location as other RAV4 Prime
 154 |   * Brute force efforts to find key location TBD
 155 |   * At least code is executed. Unknown what might have changed.
 156 |   * New 02 ~~bootloader~~[^4] seen
 157 | * 2024+ Tacoma[^3]
 158 | * 2022+ Tundra (Confirmed in https://github.com/commaai/openpilot/issues/27869#issuecomment-1504046497)
 159 |   * TSS 2.0
 160 |   * No known ~~bootloader~~[^4] exploit execution
 161 |   * User ThisGuy has an extra rack on the bench. No known progress.
 162 |   * 04 ~~bootloader~~[^4]
 163 | * 2021+ Venza
 164 |   * Key at least not at the same location as the RAV4 Prime
 165 |   * Brute force efforts to find key location TBD
 166 |   * Has a 02 ~~bootloader~~[^4] though from one sample. Strange for this vintage? Maybe another should try.
 167 | * 2024+ Lexus GX[^3]
 168 | * 2022+ Lexus LS, LX, NX[^3]
 169 | * 2023+ Lexus RX, RZ[^3]
 170 | * 2024+ Lexus TX[^3]
 171 | 
 172 | ### 🔵 Vehicles not in comma's supported vehicles list
 173 | 
 174 | The following vehicles aren't in comma's supported vehicles list but are known to not have SecOC/TSK.
 175 | 
 176 | They may not have been added due to:
 177 | 
 178 | * Bugs in the automated process of adding vehicles to the supported vehicle list such as in the case of the 2025 Lexus ES.
 179 | * No one has tried it!
 180 | * Sometimes no one has tried that specific *year* and sent in evidential data that comma will accept to put it on the list. This sometimes results in weird year gaps on comma's list even if its other years in the same generation/facelift are supported.
 181 | * No development has been done on it.
 182 | 
 183 | However, they are confirmed on Toyota Techinfo to not have SecOC/TSK.
 184 | 
 185 | With the exception of the 2023 US-made Corolla, these vehicles are not TSK vehicles and might just be a fingerprint away from being supported by openpilot.
 186 | 
 187 | * 2023 US-made (VIN starts with `5`) Corolla Sedan
 188 |   * TSS 3.0
 189 |   * No ECU Security Key or SecOC steps when replacing the forward camera.
 190 |   * It's unknown whether it has TSK, and if yes in what form. Maybe they just don't do the pairing thing but hardcode a key. No one knows.
 191 |   * Likely requires a C3X as it's probably that it uses CAN-FD.
 192 |   * Probably not a fingerprint print away.
 193 | * 2021 Lexus RC
 194 |   * TSS2
 195 |   * No TSK
 196 | * 2022, 2024-2025 Lexus RC
 197 |   * TSS2.5
 198 |   * No TSK
 199 |   * No one has tried
 200 | * 2020 Lexus IS
 201 |   * TSS+
 202 |   * No one has tried
 203 | * 2021 Lexus IS
 204 |   * TSS2.5
 205 |   * No one has tried
 206 | * 2025 Lexus ES Non-Hybrid
 207 |   * Seems to have issues being auto-added to comma's supported vehicle list for some reason.
 208 | 
 209 | ### Unknown
 210 | 
 211 | If your car is not listed above, then there has been no documented information or attempts. Please talk to us at the [comma Discord](https://discord.comma.ai)'s #toyota-security channel.
 212 | 
 213 | ---
 214 | 
 215 | # Setup Guide
 216 | 
 217 | * [Key Extraction](#key-extraction) if you don't know the key.
 218 | * [Key Installation](#key-installation) if you know the key.
 219 | 
 220 | ## Key Extraction
 221 | 
 222 | Your car has a security key that Toyota doesn't want you to have. \
 223 | Follow this guide to run a [hardware exploit](https://icanhack.nl/blog/secoc-key-extraction/) to extract the key.
 224 | 
 225 | ### Step 1. Install `TSK Manager`
 226 | 
 227 | At home, sitting next to your router, turn on C3X with your phone charger. Ignore the low voltage warning.
 228 | 
 229 | Choose `Custom Software` and enter the URL `optskug/tskm`
 230 | 
 231 | ![](img/v4.install.1.jpg)
 232 | 
 233 | ![](img/v4.install.2.jpg)
 234 | 
 235 | ![](img/v3.tsk-manager.home.jpg)
 236 | 
 237 | Unplug the power to turn off the device.
 238 | 
 239 | <details><summary>Troubleshooting</summary>
 240 | 
 241 | 1. A normal phone or laptop charger works fine. If not, USB A-to-C cables work well, and USB PD (Power Delivery) sometimes doesn't work.
 242 | 2. The installation takes about 2 minutes, or ~20 minutes if an OS update is needed. OS update downloads a ton of stuff so don't be too far away from the router.
 243 | 3. Prefetching may fail if you're in China. The extraction will still work, but you'll have to install `commaai/nightly-dev` manually instead of using TSK Manager.
 244 | 4. In some cases the installation gets stuck in "registering device" screen. If this happens, unplug the device to power off, plug it back in, and then tap-tap-tap on the screen as it boots to reset the device. Afterward, install `optskug/tskm`
 245 | </details>
 246 | 
 247 | ### Step 2. Install the hardware
 248 | 
 249 | Go to your car and connect everything including Comma Power (OBD2 connector + long cable).
 250 | 
 251 | Official Setup Guide: https://comma.ai/setup/comma-3x
 252 | 
 253 | Turn the car on and off - C3X should remain powered on.
 254 | 
 255 | ![](img/v3.tsk-manager.incar.jpg)
 256 | 
 257 | <details><summary>Troubleshooting</summary>
 258 | 
 259 | 1. The car harness sends a 12V signal instead of the usual 5V. Do not plug in anything other than C3X.
 260 | 2. For connecting C3X to the harness, always use the right-angled OBD-C cable that came with the C3X. comma.ai sells it if you need more: https://comma.ai/shop/obd-c-cable. If you must buy your own, USB-C 3.1 Gen 2 is required.
 261 | 3. You can remove Comma Power later but connect it for now.
 262 | </details>
 263 | 
 264 | ### Step 3. Put the car into `Not Ready To Drive` mode
 265 | 
 266 | Slowly press the `POWER` button twice WITHOUT pressing the brake pedal.
 267 | 
 268 | ![](img/v2.nrtd1.jpg) ![](img/v2.nrtd2.jpg)
 269 | 
 270 | > [!CAUTION]
 271 | > The 12V battery will die in 10 minutes. Turn off the A/C and never stay on this mode for more than 5 minutes at a time. After 5 minutes, start the engine and leave it running for 5 minutes before trying again.
 272 | >
 273 | > The 12V battery is not your hybrid driving battery. It doesn't matter that your car is charged to 100%.
 274 | >
 275 | > THIS IS IMPORTANT! Many people had to jump the car, so I'm telling you. Please listen. Do not stay on this mode for more than 5 minutes.
 276 | 
 277 | <details><summary>Troubleshooting</summary>
 278 | 
 279 | 1. Some cars refer to `Not Ready To Drive` mode as `IGNITION ON` mode while others refer to it as `POWER ON` mode. Regardless of what your car calls it, get on the mode that says `Not Ready To Drive`.
 280 | 2. The first press turns on `ACCESSORY` mode. The second press activates `Not Ready To Drive` mode.
 281 | 3. Some cars don't have `ACCESSORY` mode. Doesn't matter - get on the mode that says `Not Ready To Drive`.
 282 | </details>
 283 | 
 284 | ### Step 4. Run the exploit using `TSK Manager`
 285 | 
 286 | > [!NOTE]
 287 | > Your car is going to freak out - it will beep and flash all kinds of errors.
 288 | >
 289 | > Relax. The exploit is safe to run and can't break your car even if you yank the cable.
 290 | >
 291 | > Turn off the car, wait one minute, and turn it back on. Everything will be back to normal.
 292 | 
 293 | Run `TSK Extractor`.
 294 | 
 295 | ![](img/v3.ext-success.jpg)
 296 | 
 297 | Congratulations, you have the key now!
 298 | 
 299 | > [!WARNING]
 300 | > It's theoretically possible for someone to remotely hack your car with the key under very specific circumstances. You don't need to protect the key like it's your bank password, but still don't post it on Discord.
 301 | 
 302 | Sometimes `TSK Extractor` can't talk to the car. Try again.
 303 | 
 304 | ![](img/v3.ext-known.jpg)
 305 | 
 306 | <details><summary>Troubleshooting</summary>
 307 | 
 308 | 1. Once extracted, the key is installed in `/cache/params/SecOCKey` and `/data/params/d/SecOCKey` files.
 309 | 2. In rare cases, `TSK Extractor` may hit an unexpected error.
 310 | ![](img/v3.ext-unknown.jpg)  
 311 |   The exploit is proven to work but `TSK Extractor` GUI is new. Send @calvinspark a photo and then try again.
 312 | 3. Run `TSK Extractor` within 30 seconds of putting the car in `Not Ready To Drive` mode. If the car stays on that mode for a long time the extractor no longer works.
 313 | 4. Normally the extraction succeeds on the first try or after the first car restart. If you tried the extractor 3 times for 3 car restarts (=9 times) and still doesn't work, there might be a hardware problem and/or you're doing something wrong. Stop and talk to us in #toyota-security.
 314 | </details>
 315 | 
 316 | ### Step 5. Install `commaai/nightly-dev`
 317 | 
 318 | Start your car's engine.
 319 | 
 320 | Go to the `Reboot Menu` and `Install commaai/nightly-dev`.
 321 | 
 322 | `commaai/nightly-dev` is the only branch from comma.ai with TSK support.
 323 | 
 324 | ![](img/v4.reboot.jpg)
 325 | 
 326 | <details><summary>Troubleshooting</summary>
 327 | 
 328 | 1. `commaai/nightly-dev` is the newest and possibly unstable branch from comma.ai with TSK support.
 329 | 2. Frustratingly, there isn't a release branch from comma.ai with TSK support.
 330 | 3. Openpilot won't be able to drive your car if you install a branch without TSK support. See [Forks](#forks) for more information.
 331 | </details>
 332 | 
 333 | ### Step 6. Calibrate & Clean up
 334 | 
 335 | C3X should show to the 15mph calibration screen.
 336 | 
 337 | ![](img/v3.calibrate.jpg)
 338 | 
 339 | If you're able to calibrate and use openpilot to use the steering wheel (aka "lat support"), you can clean up the cables and put the covers back on.
 340 | 
 341 | You're done! Congratulations!
 342 | 
 343 | * `commaai/nightly-dev` can't use the gas and brake pedals (aka "long support") on TSK vehicles. Monitor this PR (https://github.com/commaai/opendbc/pull/1385) for long support progress. Experimental mode is also not supported because experimental mode requires long support.
 344 | 
 345 | 
 346 | * Comma Power (OBD2 connector + long cable) is optional. It's not necessary for using C3X, but keeping it allows C3X to stay powered on when you turn off the car, which allows you to upload logs and SSH in more easily. [If you do this, you'll be in the training set and your specific driving will improve faster than others.](https://discord.com/channels/469524606043160576/954493346250887168/1328801037578145802)
 347 | 
 348 | <details><summary>Troubleshooting</summary>
 349 | 
 350 | 1. If you get an `LKAS` error, either the key was not installed or you're running a fork/branch without TSK support.
 351 | 2. If C3x says `Car unrecognized` or `Dashcam mode for unsupported car`, you need to do [Fingerprinting](https://github.com/optskug/docs/blob/19c61098eac496ded2fb1cacb732be6671c38c69/README.md#step-5-fingerprinting-if-the-car-is-not-recognized). However, this shouldn't happen anymore. If it does, please talk to us in #toyota-security.
 352 | 3. The key will change if you get a new bumper because the bumper has distance sensors that use the security key. Instead of applying the existing key to the bumper, they replace the key on all parts of the car. The same goes for many other parts with SecOC components. Even if you never get into an accident, the key can still change if a Toyota service technician presses a wrong button.
 353 | </details>
 354 | 
 355 | ### Step 7. What's next?
 356 | 
 357 | #### Keep using `commaai/nightly-dev`
 358 | 
 359 | * If there is a hardware problem, you need to be on a branch from comma.ai to get support from the comma.ai company.
 360 | 
 361 | * If there is a software problem, you need to be on a branch from comma.ai to get support on comma.ai's Discord. There is a channel for #custom-forks, but it's easier to get support in other channels.
 362 | 
 363 | * `commaai/nightly-dev` updates every day but you don't need to update every day. We hope that comma.ai provides a stable release branch with TSK support, but until then, `commaai/nightly-dev` is the only official branch with TSK support.
 364 | 
 365 | * If everything's working as expected for a week or two, you're done - just keep using it. If you want to tinker more, check out [Forks](#forks).
 366 | 
 367 | #### Tell us how it went
 368 | 
 369 | Did everything go smoothly? Was something not clear? Did you get into a state that's not described in the doc?
 370 | 
 371 | Please let us know! We've put in lots of effort into this doc, so even a simple "It worked out well" comment is appreciated.
 372 | 
 373 | We're in [comma Discord](https://discord.comma.ai) in #toyota-security channel.
 374 | 
 375 | ## Key Installation
 376 | 
 377 | ### You shouldn't need to do this
 378 | 
 379 | Modern openpilot and its forks have an [auto-key-install process](https://github.com/commaai/openpilot/pull/34401/files) that runs on every car start.
 380 | 
 381 | This means that **uninstalling openpilot or resetting comma no longer uninstalls the security key.**
 382 | 
 383 | **🎉🎉🎉 Gone are the days of key installation. From now on, just install openpilot and go drive, just like non-TSK users! 🎉🎉🎉**
 384 | 
 385 | ### When to do this
 386 | 
 387 | You may need to still reinstall the key if
 388 | 1. your C3 died and you got a new C3X,
 389 | 2. the key was never installed in `/cache/params/SecOCKey` because you did it the old SSH way and never ran `TSK Manager` / `TSK Keyboard`,
 390 | 3. the installed key in `/cache/params/SecOCKey` was deleted, or
 391 | 4. you're using an old fork without the auto-key-installer.
 392 | 
 393 | Follow this guide to reinstall the key.
 394 | 
 395 | ### Method 1. Use the built-in `TSK Manager`/`TSK Keyboard`
 396 | 
 397 | Some forks/branches have `TSK Manager` or `TSK Keyboard` under Settings.
 398 | 
 399 | ⚙ > `Device` > `TSK Manager`/`TSK Keyboard`
 400 | 
 401 | ![](img/v2.settings-keyboard.jpg)
 402 | 
 403 | If it's there, use it to type in your key and install, and then reboot.
 404 | 
 405 | ### Method 2. SSH and install the key to `/cache/params/SecOCKey` and `/data/params/d/SecOCKey` files
 406 | 
 407 | Redo [Step 4B-4. Install the security key & Reboot](https://github.com/optskug/docs/blob/19c61098eac496ded2fb1cacb732be6671c38c69/README.md#step-4b-4-install-the-security-key--reboot).
 408 | 
 409 | ### Method 3. Uninstall openpilot, install the key using `TSK Manager`, and install openpilot
 410 | 
 411 | Follow [Step 1. Install TSK Manager](#step-1-install-tsk-manager) to install `TSK Manager` via the URL `optskug/tskm`
 412 | 
 413 | No need to go to the car. Run `TSK Keyboard`. Use it to type in your key and install.
 414 | 
 415 | ![](img/v3.tsk-keyboard.jpg)
 416 | 
 417 | ## Advanced Topic: Run the exploit using SSH manually
 418 | 
 419 | This is how to [extract the key manually](https://github.com/optskug/docs/blob/19c61098eac496ded2fb1cacb732be6671c38c69/README.md#step-4b-run-the-exploit-using-ssh-manually). Most people can skip this.
 420 | 
 421 | 
 422 | 
 423 | ---
 424 | ## Forks
 425 | 
 426 | Forks may offer additional functionality or changes that comma openpilot may not offer or are unwilling to offer.
 427 | 
 428 | You can totally have a good time with comma openpilot without using a fork too. You can also have a better time or a worse time with forks!
 429 | 
 430 | ### Which Fork Should I Use?
 431 | 
 432 | > [!CAUTION]
 433 | > Using forks present a real danger so do your research and understand what fork you are installing and what it does. Do not go down this path without research!
 434 | >
 435 | > Some forks will brick your C3X. \
 436 | > Some forks may not be made for the current C3X. \
 437 | > comma may make changes to newly produced C3Xs that necessitate always running the newest comma openpilot and forks might brick them.
 438 | >
 439 | > Some forks contain banned code. \
 440 | > Using it will get you banned from using any comma.ai cloud resource or debugging. \
 441 | > They will not restore access.
 442 | >
 443 | > Some forks have nudgeless-lane-change. \
 444 | > Simply clicking the turn signal will move your car to the next lane. \
 445 | > Without any checks. \
 446 | > Yes, it will drive into the car next to you.
 447 | >
 448 | > Some forks play a blood-curdling goat scream at max volume randomly. 🐐
 449 | >
 450 | > comma will not answer to support you if you're running forks until you restore back to comma openpilot.
 451 | 
 452 | Begin your research in [comma.ai Discord's #custom-forks](https://discord.com/channels/469524606043160576/538741329799413760). Please do not ask about forks outside of that channel.
 453 | 
 454 | For all forks, you should read their README documentation as well.
 455 | 
 456 | If you're new, please start with comma openpilot with `commaai/nightly-dev` and use it for two weeks. This is the same as the latest official version with only lateral support (with TSK support enabled). This will give you a good baseline to compare the other forks to and sort out any issues with the underlying hardware. Additionally, comma will only do/take bug or hardware support with comma openpilot which is critical for this period. The [bathtub curve of hardware reliability](https://en.wikipedia.org/wiki/Bathtub_curve) is very real.
 457 | 
 458 | Then familiarize yourself with the communities through Discord for each fork you are looking to install. While the comma Discord may not offer any support for forks outside of basic support in their #custom-forks channel, a fork's Discord communities may or may not offer support for their fork's issues. Do not skip getting familiar with comma openpilot as you should have a basic understanding first.
 459 | 
 460 | If you acknowledge the warning above and are still looking to try a fork that supports SecOC/TSK, the following are available to install at your own risk. Keep in mind that this page is community maintained and may not stay up to date so please send in changes/fixes, or notices of any inaccuracies:
 461 | 
 462 | <table>
 463 |     <tr>
 464 |         <td><strong>Fork</strong></td>
 465 |         <td>
 466 |           <strong>Lat:</strong> Lateral support
 467 |           <br>
 468 |           <strong>MADS:</strong> AOL / MADS / keep-lat-on-after-brakes
 469 |           <br>
 470 |           <strong>Long:</strong> Longitudinal support
 471 |         </td>
 472 |     </tr>
 473 |     <tr>
 474 |       <td><code>alexandresato/personal3</code>  <br/>
 475 |         (a.k.a SatoPilot)
 476 |       </td>
 477 |       <td>
 478 |         <strong>Lat:</strong> Yes from upstream <br/>
 479 |         <strong>MADS:</strong> Yes from community (MADS from Spektor56) <br/>
 480 |         <strong>Long:</strong> Yes from community (from chrispypatt) <br/> <br/>
 481 |         <ul>
 482 |           <li>First fork to get long!</li>
 483 |           <li>Very quick stop-and-go response</li>
 484 |           <li><code>alexandresato/extract_secoc_key_btn</code> includes a TSK key extract button and is rebased with <code>personal3</code> often.</li>
 485 |         </ul>
 486 |       </td>
 487 |     </tr>
 488 |     <tr>
 489 |       <td><code>commaai/nightly-dev</code></td>
 490 |       <td>
 491 |         <strong>Lat:</strong> Yes from upstream <br/>
 492 |         <strong>MADS:</strong> No <br/>
 493 |         <strong>Long:</strong> No <br/> <br/>
 494 |         <ul>
 495 |           <li>Not a fork but an alternate branch from comma.ai with TSK support.</li>
 496 |           <li>Install this if you need support from comma.ai company. They won't talk to you if you're on a fork.</li>
 497 |           <li>Pre-compiled, so quick to install.</li>
 498 |           <li>It has the most up-to-date changes, which is cool, but it could get unstable.</li>
 499 |         </ul>
 500 |       </td>
 501 |     </tr>
 502 |     <tr>
 503 |       <td>
 504 |         <code>sunnypilot/staging-c3-new</code> <br/>
 505 |         (a.k.a sunnypilot) <br/>
 506 |         <a href="https://discord.gg/sunnypilot">sunnypilot discord</a>
 507 |       </td>
 508 |       <td>
 509 |         <strong>Lat:</strong> Yes from upstream <br/>
 510 |         <strong>MADS:</strong> Yes from community (MADS original author) <br/>
 511 |         <strong>Long:</strong> Yes from community (from chrispypatt) <br/> <br/>
 512 |         <ul>
 513 |           <li>Pre-built version of `sunnypilot/master-new`</li>
 514 |           <li>Model switcher to easily switch between various models</li>
 515 |           <li>NNLC: Big steering improvements for '21-23 RAV4 Prime and Sienna</li>
 516 |           <li>Ships the same latest improvements as nightly-dev (with the same risk of breaking on rare occasions).</li>
 517 |         </ul>
 518 |       </td>
 519 |     </tr>
 520 |     <tr>
 521 |       <td>
 522 |         <code>chrispypatt/frogpilot-r4p</code> <br/>
 523 |         (fork of FrogPilot) <br/>
 524 |         <a href="https://discord.com/invite/frogpilot">FrogPilot discord</a>
 525 |       </td>
 526 |       <td>
 527 |         <strong>Lat:</strong> Yes from upstream <br/>
 528 |         <strong>MADS:</strong> Yes from community (AOL from FP) <br/>
 529 |         <strong>Long:</strong> Yes from community (original author) <br/> <br/>
 530 |         <ul>
 531 |           <li>chrispypatt's fork with TSK long support.</li>
 532 |           <li>Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover and then install again.</li>
 533 |           <li>‼️ DO NOT RUN FROGPILOT DEEP STORAGE DELETE. It deletes your security key, and you have to run TSK Manager again. Run it only when you're selling the device.</li>
 534 |         </ul>
 535 |       </td>
 536 |     </tr>
 537 |     <tr>
 538 |       <td>
 539 |         <code>optskug/SiennaFP</code> <br/>
 540 |         (fork of FrogPilot) <br/>
 541 |         <a href="https://discord.com/invite/frogpilot">FrogPilot discord</a>
 542 |       </td>
 543 |       <td>
 544 |         <strong>Lat:</strong> Yes from community (from anrum) <br/>
 545 |         <strong>MADS:</strong> Yes from community (AOL from FP) <br/>
 546 |         <strong>Long:</strong> No <br/> <br/>
 547 |         <ul>
 548 |           <li>anrum's old fork of FP and first fork to support TSK lateral!</li>
 549 |           <li>Includes a TSK keyboard with key caching</li>
 550 |           <li>Includes auto key installer</li>
 551 |           <li>Uses an old AGNOS version. When downgrading, OP may get stuck in a registration loop. In this case, tap-tap-tap on the boot logo and reset the device to recover and then install again.</li>
 552 |         </ul>
 553 |       </td>
 554 |     </tr>
 555 | </table>
 556 | 
 557 | If you are installing a fork not included in the list above, find the fork author and ask the following. If you can't find the author, don't install the fork!
 558 | 
 559 | 1. Is it for the latest C3X?
 560 | 2. Does it supports SecOC/TSK?
 561 | 3. Does it contain banned code?
 562 | 4. Is there anything to watch out for?
 563 | 
 564 | ---
 565 | 
 566 | ## Bounty Statuses
 567 | 
 568 | ### 🗳️ comma.ai Vote for Toyota Security
 569 | 
 570 | In June 2022, comma.ai created a paid vote/crowdfund for making openpilot support Toyota Security. Once they get 500 votes at $100 a vote, they have 6 months to figure it out and open source a solution; Otherwise, a refund will happen and all the money is returned. The current status of that was: [![Latest Comma Vote Count for Toyota Security ($100 ea.)](https://shields.io/endpoint?url=https%3A%2F%2Fcellshield.info%2Fgs%3FspreadSheetId%3D1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM%26cellRange%3DB1&label=Latest%20Comma%20Vote%20Count%20for%20Toyota%20Security%20(%24100%20ea.))](https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0&range=B1)[^2] .
 571 | 
 572 | Vote counts were reported every week or similar and are recorded in this spreadsheet by the community:
 573 | https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0
 574 | 
 575 | The result of this vote, even though it has not met its target cost, is [a pull request was produced for the RAV4 Prime to be supported in openpilot](https://github.com/commaai/openpilot/pull/31179). It was eventually merged in.
 576 | 
 577 | In January, the vote page was taken down. Below is a snapshot.
 578 | 
 579 | ![image](https://github.com/user-attachments/assets/fa1b25b5-f8c5-4f03-b5a7-c80912d17b8f)
 580 | 
 581 | The last known vote count from community observations:
 582 | 
 583 | [![](https://shields.io/endpoint?url=https%3A%2F%2Fcellshield.info%2Fgs%3FspreadSheetId%3D1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM%26cellRange%3DBulkVoteCount)](https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0&range=BulkVoteCount)[^2]
 584 | 
 585 | In addition to their vote system, comma also has/had specific bounties up:
 586 | 
 587 | * ["$5k if someone cracks it and upstreams RAV4 prime support -geohot (link currently broken)](https://discord.com/channels/469524606043160576/524328425415245827/839289683489062952)
 588 |   * Currently locked to Willem for Willem's PR for the RAV4 Prime to merge in completely: https://github.com/commaai/openpilot/pull/32661#issuecomment-2156220468
 589 |   * Likely paid out.
 590 | * [We're announcing a bounty for the 2023 Corolla, 2023 Corolla Hybrid, and 2023 Prius. $500 for a working port merged.](https://discord.com/channels/469524606043160576/954493346250887168/1082390596544639086)
 591 | 
 592 | ### 👥 Communities Bounty
 593 | 
 594 | The overall community bounty has been canceled for numerous reasons:
 595 | 
 596 | https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/comment/l6vjf9e/
 597 | 
 598 | Original Sheet: https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0
 599 | 
 600 | #### Specific Community Bounties
 601 | 
 602 | In its place are more specific community bounties:
 603 | 
 604 | * Tundra Interest Group
 605 |   * [~~"I’ll put up 2k for Tundra alone" - bgill66~~](https://discord.com/channels/469524606043160576/905950538816978974/1243275998745722911)
 606 |     * Scrubbed / User had bumped to $5k but there was no interest. https://discord.com/channels/469524606043160576/905950538816978974/1259282479257485383
 607 | * heitikender for RX 2023
 608 |   * ~~1000~~ ~~2000EUR~~ 3000EUR
 609 |   * "I can buy techinfo access and whatever else is needed. Have pics of connectors."
 610 |   * Konik.ai Discord link: https://discord.com/channels/1110987393990922322/1355531073353678950/1355531309333614782
 611 |   * Raised to 2000 EUR
 612 |     * https://discord.com/channels/469524606043160576/1310778132478955540/1367854050103529524
 613 |   * Raised to 3000 EUR
 614 |     * https://discord.com/channels/469524606043160576/905950538816978974/1368164880489775185
 615 | * ecman. for some Lexus RX
 616 |   * 1000 USD
 617 |   * https://discord.com/channels/469524606043160576/905950538816978974/1374020440711762042
 618 | ## Pictures of TSK'd and non-TSK'd Camera ECUs
 619 | 
 620 | FWIW the outside of the ECU Security Key camera of a Rav4 Prime looks the same as a non-ECU Security Camera of a Corolla or Corolla Hatchback.
 621 | 
 622 | 2021 Rav4 Prime:
 623 | 
 624 | ![image](https://user-images.githubusercontent.com/5363/132140741-662d7c6c-f15d-4e25-a480-233ee11467a7.png)
 625 | 
 626 | Security Key'd Denso innards: https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274
 627 | 
 628 | 2020 Corolla/Corolla Hatchback:
 629 | 
 630 | ![IMG_20200831_164627](https://user-images.githubusercontent.com/5363/132140777-a9a9153d-622f-4640-b338-89871c24a706.jpg)
 631 | 
 632 | A photo teardown of the 2020 Corolla camera (NON ECU SECURITY KEY) innards: https://photos.app.goo.gl/qsBaMFT6PSEs7BFXA
 633 | 
 634 | # Current History
 635 | 
 636 | Here's a brief to get anybody going into this ECU Security Key issue up to speed. I'll keep updating this with links to the relevant Discord messages and other stuff as I find them.
 637 | 
 638 | Discord links may be linking to the middle of the conversation. Scroll up and down for context.
 639 | 
 640 | Many of these Discord links are to a pre-hidden channel named `#toyota-security` in the  comma.ai Discord. Accessing `#toyota-security` on comma.ai Discord requires completing the simple prompt in `#join-development`. Otherwise, it is inaccessible. More often than not, the Discord links are to `#toyota-security` in the comma.ai Discord, so please complete the prompt.
 641 | 
 642 | Most if not all Discord links are to the comma.ai Discord accessible with an invite from https://discord.comma.ai unless otherwise noted. These other Discords include:
 643 | 
 644 | * Retropilot (RP): https://discord.gg/GzWegVa.
 645 | * Sunnypilot's Openpilot Server (SP): https://discord.gg/TCTvFTKrAV.
 646 | * Openpilot Enthusiasts (Formerly "Openpilot community") (OPC): https://discord.gg/rRB7eDKccy
 647 | * MoreTorque (MT): https://discord.gg/439DM9KJ4r
 648 | * Frogpilot (FP): https://github.com/FrogAi/FrogPilot?tab=readme-ov-file#discord
 649 | * Konik.ai (KA): Discord Link on https://konik.ai/
 650 | * Car Hacking Village (CHV): https://www.carhackingvillage.com/
 651 | 
 652 | The activities, actions, and discussions on non-comma.ai Discords are/may not supported by or affiliated with comma.ai (this may even apply even to the comma.ai Discord too). In the case of MoreTorque, comma.ai is strongly opposed to that community/Discord. That said, the ECU Security Key issues affects all and relevant events and information may be there as well.
 653 | 
 654 | 
 655 | ## Background
 656 | 
 657 | For Toyota openpilot enthusiasts, the community was very excited for the RAV4 Prime, a high performance Toyota that was going to have "Toyota Safety Sense 2" (TSS2), other awesome Toyota traits such as reliability, utility, and economy, and, new for a Toyota SUV, speed. It is the fastest accelerating real Toyota excluding Lexuses as the Supra, a BMW badged as a Toyota, does not count.
 658 | 
 659 | Previously seen TSS2 vehicles have had an architecture where both latitude and longitudinal are both controlled by the front-facing camera. openpilot was able to intercept and control latitude and longitudinal all at the front-facing camera of TSS2 vehicles, promising full openpilot capabilities. No other taps in the CAN of the vehicle were needed to control or block messages for this capability.
 660 | 
 661 | The typical process for adding a new TSS2 vehicle is simply creating a fingerprint with reference to the closest similar vehicle and trying it out.
 662 | 
 663 | ## Timeline
 664 | 
 665 | ### 2013
 666 | 
 667 | * [IOActive experiments with injecting packets to steer a Prius in a widely disseminated and seminal security assessment. Their research around this time also led to them being able to **remotely** inject through the radio with a FCA vehicle and cause it to steer. In an unwise move, they demonstrated this in the middle of a busy highway. Anyways, not great.](https://www.youtube.com/watch?v=qX0rRRUdOKU)
 668 |   * This is way in the past, but it's important to note that even large slow dinosaurs or turtles _move_ and it's been a few years.
 669 | 
 670 | ### August 2020
 671 | 
 672 | matty#8553 came on Discord as the first user with a RAV4 Prime and a new Comma 2. crazysim#7797 / @nelsonjchen offered to get the RAV4 Prime supported. [Some worrying observations were immediately made in a GitHub issue after validating that the hardware was sound and working on another non-Prime TSS2 RAV4 ](https://github.com/commaai/openpilot/issues/2103):
 673 | 
 674 | * The `STEERING_LKA` CAN message is now 8 bytes in size. Existing TSS2 vehicles had a 5 byte `STEERING_LKA` CAN message.
 675 |   * There is a 4 byte authentication code on the CAN message instead of the simple 1 byte checksum of past Toyotas.
 676 | * [@nelsonjchen implemented and tried many checksum algorithms to try and create an identical `STEERING_LKA` message to what was seen in Cabana](https://github.com/nelsonjchen/toyota_checksum_2020_scratch/blob/8422bd3b4b7770391e940d31202b8129fdebcb02/src/lib.rs#L97-L108). None of them worked.
 677 | * @nelsonjchen asked around on many Discords and other well-known users for help. No one was able to help.
 678 | * @nelsonjchen notices that the "checksum" is the not the same for messages with the same data. It doesn't seem like a checksum. Maybe some other state is kept somewhere?
 679 | * The authentication code messages change between ignitions.
 680 | * The messages are different between vehicles.
 681 | * The same inputs result in different "checksum"/authentication code outputs.
 682 | * [@nelsonjchen notices that Toyota filed a patent about message authentication on the CAN bus.](https://discord.com/channels/469524606043160576/524327905937850394/749576060110241824)
 683 | * [matty#8553 eventually returned the Comma 2 within the trial period.](https://discord.com/channels/469524606043160576/524327905937850394/793525907763363901)
 684 | 
 685 | ### October 2020
 686 | 
 687 | * [geohot offers to take a look at a RAV4 Prime in-person if someone makes the drive to San Diego](https://www.youtube.com/watch?v=JQxAGhhflDc&t=37m23s)
 688 | * [aka#2674 starts trying to look at the issue on their own RAV4 Prime. aka#2674 is able to capture some traffic of some sort from Toyota's Techstream diagnostic tool of both the CAN bus kind and the server traffic.](https://discord.com/channels/469524606043160576/524327905937850394/763998197507948564)
 689 | 
 690 | ### November 2020
 691 | 
 692 | * [aka#2674 bought another RAV4 Prime camera ($800!) to take a look at and to see how the reprogramming works.](https://discord.com/channels/469524606043160576/524327905937850394/772718083798335521)
 693 | * aka#2674 moved to San Diego area
 694 | 
 695 | ### December 2020
 696 | 
 697 | * [James-T1 takes a look at ECU Security in Toyota's TechInfo site. The Sienna and Venza are discovered to be additionally affected vehicles.](https://discord.com/channels/469524606043160576/524327905937850394/793229962869604382)
 698 | * Support for the Camry with TSS 2.5 was added around this time. It did not have ECU Security Key. TSS versioning does not appear to be correlated with ECU Security Key presence.
 699 | 
 700 | ### January 2021
 701 | 
 702 | * [@nelsonjchen makes the bounty spreadsheet in Discord inspired by the recent success of the Honda 10th Gen Accord Bounty.](https://discord.com/channels/469524606043160576/524327905937850394/803436044028215316)
 703 | 
 704 | ### February 2021
 705 | 
 706 | * [Willem Melching of comma.ai took a deeper interest and posted on Discord](https://discord.com/channels/469524606043160576/524327905937850394/808639016266235975). He is waiting for parts from  affected vehicles to show up on part or junkyard sites for bench analysis.
 707 | * [The NHTSA had posted a PDF from Toyota about ECU Security Key and how to reconnect an ECU replacement such as a camera and so on using ECU Security Key to a vehicle. In summary, Techstream users must connect to the Techstream backend for keys.](https://static.nhtsa.gov/odi/tsbs/2020/MC-10184541-9999.pdf)
 708 | 
 709 | ### March 2021
 710 | 
 711 | * [TheReaper#0283 posts about looking at the issue as part of his day job. TheReaper#0283's day job appears to be reverse engineering and creating an alternative Yaris GR ECU for racing purposes. A diagram and hint that the ECU Security Key implementation is likely an AUTOSAR implementation is provided along with some guidance as to the architecture of the implementation.](https://discord.com/channels/469524606043160576/524327905937850394/826016337142480906)
 712 |   * ![autosar diagram](https://media.discordapp.net/attachments/524327905937850394/826016334873624586/unknown.png)
 713 |   * The relevant AUTOSAR documentation the diagram was pulled from is here: https://www.autosar.org/fileadmin/user_upload/standards/classic/4-3/AUTOSAR_SWS_SecureOnboardCommunication.pdf
 714 | * [@nelsonjchen and many others in the #toyota-lexus community decide to create an additional Firmware Dump milestone bounty as it is generally something that appears to be required. We simply do not know the exact details of the authentication system such that even if we capture the key programming commands, we do not know how to use the values.](https://discord.com/channels/469524606043160576/524327905937850394/826013930493050891)
 715 |   * Also known as SecOC.
 716 | 
 717 | ### April 2021
 718 | 
 719 | * [Mutley#1114 takes an interest in the issue. Mutley#1114 is able to record a CAN log and observe that Toyota Techstream writes a local XML file to the disk with part of the keys before contacting the backend.](https://discord.com/channels/469524606043160576/524327905937850394/834765270840770561)
 720 | * [Daniel Farley#9948 brings in a Yaris GR from New Zealand. It has ECU Security Key. Possible offer of some parts from another rally converted Yaris GR for reverse engineering.](https://discord.com/channels/469524606043160576/524327905937850394/834576493325713408)
 721 | 
 722 | ### May 2021
 723 | 
 724 | * [ayau#2654 and MD1000#7505 work together to take a look at MD1000#7505's 2021 Sienna. It definitely has ECU Security Key.](https://discord.com/channels/469524606043160576/524327905937850394/842903140030611466)
 725 | * [geohot, CEO of comma.ai, adds $5000 to the ECU Security Key bounty with some important clean-room stipulations.](https://discord.com/channels/469524606043160576/524328425415245827/847528122793590784) The [bounty](https://docs.google.com/spreadsheets/d/1MKS78_utvbAe74Xv7zszgEnn6JrtBgpgYlVOfoIvLEw/edit#gid=0) at this point is now about $8000 with $3000 from the non-comma.ai portion of the community.
 726 | 
 727 | ### June 2021
 728 | 
 729 | * [ayau#2654 discovers a video about an alternative ECU for the Yaris GR. It discusses that the camera doesn't work in this setup. @nelsonjchen suspects it's TheReaper#0283 in the video.](https://discord.com/channels/469524606043160576/524327905937850394/850804871127891968)
 730 | 
 731 | ### July 2021
 732 | 
 733 | * [wocsor#0313 takes an interest in the issue and @nelsonjchen briefs him on the situation and current public observations. wocsor#0313 puts out an open offer to affected owners in the ATL area to spend some time to make some observations with his hardware but unfortunately, no one on the spreadsheet is from around the ATL area.](https://discord.com/channels/469524606043160576/524327905937850394/870149096894255144)
 734 |   * We'll message him if and when someone in ATL does appear. Of course, if you have an affected vehicle and are in ATL, please get in contact with us!
 735 | 
 736 | ### August 2021
 737 | 
 738 | * Comma 3 is released at comma Con.
 739 |   * [At the Comma Team Group Chat, Erich, a prominent Toyota community contributor and community Discord moderator, asked about ECU Security Key:](https://youtu.be/qTaPD0l_8PM?t=23390)
 740 |     * Adeeb: I think we'll just look into it a bit and just kind of understand what the scope of the issue was and we just decided this isn't affecting too many cars yet that's not where we're choosing. We've aggressively chosen in the last year or so to not spend time on specific cars
 741 | 
 742 |        We've spent almost all of our time doing things that improve everybody's experience with openpilot.
 743 |        Now the comma three's out, maybe we can get back to doing stuff that helps some subset of the users but we've we've really been pushing on the experience that every user sees
 744 | 
 745 |        Hotz: I'm counting on the community for that one of you out there we put five thousand dollars of commas hard-earned money up.
 746 | 
 747 | * @nelsonjchen writes this timeline: https://github.com/commaai/openpilot/discussions/19932#discussioncomment-1123629
 748 | 
 749 | * [Tatsuya#9505 discovers an article from a reputable japanese technical publication discussing the use of AES and CMAC to secure ECUs by Toyota in response to attacks as seen on the Prius in 2013. (Archived Link)](https://web.archive.org/web/20210805040317/https://xtech.nikkei.com/atcl/nxt/column/18/00001/00161/)
 750 | 
 751 | * [Achilles308#2230 brings up PASTA, a security testbed that was produced by Toyota and a discussion happens over it.](https://discord.com/channels/469524606043160576/524327905937850394/872673279733800990)
 752 | 
 753 | * [cferra#1932 points out that the radar module is the same. Some discussion happens on if the radar communication may be authenticated and/or has modes to be in authentication mode. ](https://discord.com/channels/469524606043160576/524327905937850394/872750852358688778)
 754 | 
 755 | * [Mutley#1114, a leading hunter, elaborates on their attempts and believes that a firmware dump of an involved ECU such as the EPS is the only way to really determine what is going on. Mutley#1114 tried spoofing firmware versions. Unfortunately, Toyota only distributes firmware if there's another public firmware and no firmware is available to download from Toyota. This appeared to still be the case as of August 2021.](https://discord.com/channels/469524606043160576/524327905937850394/873993271574143056)
 756 | 
 757 | * [deagle50#5014 asks how a firmware dump might be done. crazysim#7797 gives the best answer he could but he isn't a hunter.](https://discord.com/channels/469524606043160576/524327905937850394/881940297108578344)
 758 | 
 759 | ### September 2021
 760 | 
 761 | * [@nelsonjchen asks if aka#2674 may be willing to take pictures of the insides of their spare Rav4 Prime front camera for comparison to a non-ECU Security camera as the exteriors look the same. No immediate response so far.](https://discord.com/channels/469524606043160576/524327905937850394/883632739784478731)
 762 | * [EpiJunkie#1220 looked up TechInfo and confirms that the North American Corolla Cross has ECU Security Key](https://discord.com/channels/469524606043160576/524327905937850394/886733789353635871)
 763 |   * [In contrast, the Thailand Corolla Cross posts from tape#7233 posted in January 2021 do not mention ECU Security Key and AFAIK, tape#7233's Thai Corolla Cross is working.](https://discord.com/channels/469524606043160576/524327905937850394/804016804175282267)
 764 | * [EpiJunkie#1220 lists parts in a Rav4 Prime that are covered underneath ECU Security Key. Theoretically, dumping the firmware for some of these parts would help shed light on how the system works. **Bolded** are parts involved with OP latitude.](https://discord.com/channels/469524606043160576/524327905937850394/887755778012880926)
 765 |   - ECM
 766 |   - Hybrid vehicle control ECU
 767 |   - **Forward recognition camera**
 768 |   - No. 2 skid control ECU (brake actuator assembly)
 769 |   - **Rack and pinion power steering gear assembly**
 770 |   - Clearance warning ECU assembly
 771 |   - Steering sensor
 772 |   - Central gateway ECU (network gateway ECU)
 773 |   - Combination meter assembly
 774 |   - Airbag sensor assembly
 775 | * ["toyota encryption is a small segment right now. when it comes to corolla or prius we will prioritize" - geohot](https://discord.com/channels/469524606043160576/524328425415245827/889659628655345684)
 776 | * [After a small bit of confusion with some jank in Cabana, belm0#9067 determines that the CH-R Hybrid doesn't have ECU Security Key. However, the 2021 Yaris Cross Hybrid does.](https://discord.com/channels/469524606043160576/524327905937850394/892723021066944512)
 777 | * [(OPC Discord) kumar#2021
 778 |  mentions having dumped the Prius EPS firmware with the aid of a local friend in PHX. If the friend were to go for it, @nelsonjchen would have tried to arrange for a affected vehicle to travel to PHX. Unfortunately, the friend declined to help with dumping EPS Firmware from an ECU Security Key vehicle.](https://discord.com/channels/771493367246094347/771495215570747403/888052591504789584)
 779 | 
 780 | ### October 2021
 781 | 
 782 | * [EpiJunkie#1220 lists the steps to get first-hand information on if a model has ECU Security Key on the forward recognition camera from TechInfo.](https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228)
 783 | * Regarding offers by comma to take a look at owners of ECU Security Key vehicles in the SoCal area:
 784 |   * ["it’s been a while, but I believe all the people interested in coming down [to San Diego] weren’t comfortable with something experimental" - adeeb](https://discord.com/channels/469524606043160576/524327905937850394/896842676278800434)
 785 |   * [Rez (∩｀-´)⊃━☆ﾟ.*･｡ﾟ#2896
 786 |  replied interest with some times in SD but no replies were received from comma. ](https://discord.com/channels/469524606043160576/524327905937850394/900899681272496178)
 787 | * [eggs#7709 looks up the "yaris 2020 hybrid euro model" and it requires an ECU Security Key update when replacing the camera. It is believed that this also applies to the Australian model.](https://discord.com/channels/469524606043160576/524327905937850394/896984387344801843)
 788 | * [Ale Sato Brazil SP#5717 tries out OP on a Brazilian Corolla Cross and it works. That model from that region does not have ECU Security Key.](https://discord.com/channels/469524606043160576/524327905937850394/897182609371717652)
 789 | * [(OPC Discord) kumar#2021 sees a rather curious message on his head unit. There's an update to improve the Pre-Collision system on his TSS2 Prius?! In TSS2, the camera is very important to PCS. Up to this point, there has not been evidence of a camera update ever happening. If this does involve a camera update, maybe the firmware from the camera can be intercepted. Maybe this issue might affect firmware from an ECU Security Key vehicle as well. Very curious. ](https://discord.com/channels/771493367246094347/771495215570747403/900570141417426965)
 790 |   *  ![IMG_0112](https://user-images.githubusercontent.com/5363/138372057-debf2192-e846-4e94-9c2f-ede854c09014.png)
 791 |   *  [(Comma.ai Discord) X-Post to comma.ai Discord. Mutley#1114 acknowledges this curiosity. ](https://discord.com/channels/469524606043160576/524327905937850394/900834516166389813)
 792 | * [Added @nelsonjchen's firmware dump milestone criteria](https://github.com/commaai/openpilot/discussions/19932#discussioncomment-1554882)
 793 | 
 794 | ### November 2021
 795 | 
 796 | * [geohot creates a `#toyota-security `channel on Discord and makes a rough plan sketch to try to help the community (this channel is under the Development section of Discord, checkout `#join-development` if you don't see it):](https://discord.com/channels/469524606043160576/905950538816978974/905950733558513674)
 797 |   1. list all the ECUs that have the security
 798 |   2. find out what chips are in those ECUs. ideally we find a dumpable one without any hw security features
 799 |   3. dump the firmware!
 800 |   4. understand the algorithm/keys doing the encryption. at this point, openpilot will work if it's rekeyed.
 801 |   5. if possible, break the crypto. at this point, openpilot will just work
 802 | * [the comma team does have logs of the pairing process and is able to see some xml stuff with some unknown values labeled M1, M2, M3, and so on](https://canary.discord.com/channels/469524606043160576/905950538816978974/906082176305610812)
 803 | * Somebody on RP Discord claims a friend of theirs has used their OP hardware to crack the system with OP working on their 2021 Venza. They wish to stay anonymous/low at this time. They are not interested in releasing their work but could be interested in releasing it for the bounty amounts to be paid to a charity.
 804 |   * "Alright, here is what I understood from our convo. He said the ecu key is really important at lest the way he is doing. Without that ecu cannot community at all so op has no chance of working obviously. So he overwrite the original key with the new key that he generated in online portal. While the key is being sent to the car he does mitm to grab the handshake and duplicate and use that every time he wants to use op(he said something about hash being encrypted not sure what that was all about) . He also said he using using two panda and arduino. Asked him if he is interested in handing over his progress to comma so they can improve and make it better but he said no for now."
 805 |   * Added as "Mysterious Stranger" in bounty/interested user spreadsheet.
 806 | 
 807 | ### December 2021
 808 | 
 809 | * [Somebody cross posts from RP Discord to comma.ai Discord what the RP Discord user and his mysterious friend claims. Lots of doubt as to veracity as other than the small explanation above, previously known info and not much new info or proof of working was shared. ](https://discord.com/channels/469524606043160576/905950538816978974/915068210481618944)
 810 | * The RP Discord user with the mysterious friend  leaves all OP communities due to harassment.
 811 | * [MBrownies#7412 orders a 2021 Sienna ECM ECU to try and dump. Seems to have some history in the past of some electronics repair knowledge](https://discord.com/channels/469524606043160576/905950538816978974/915643239141363732)
 812 |   * [Pictures](https://discord.com/channels/469524606043160576/905950538816978974/920412000234917908)
 813 | * [@nelsonjchen borrowing jokes#4106's TechInfo account sees that the 2022 Toyota Tundra has ECU Security Key on the Forward Recognition Camera](https://discord.com/channels/469524606043160576/524327905937850394/916155760352837692)
 814 | * [@nelsonjchen had a talk with wocsor. wocsor has since moved to Colorado. wocsor is still open for taking a look at a ECU Security Key Toyota especially on a weekend. Please hit us up if you're in Colorado.](https://canary.discord.com/channels/469524606043160576/524327905937850394/916901731282079764)
 815 | * [MBrownies#7412 starts an attempt to dump the firmware from a 2021 Sienna ECM ECU in #toyota-security.](https://discord.com/channels/469524606043160576/905950538816978974/918688294081003520)
 816 | * [MBrownies#7412 says there may be a firmware update for the 2021 Sienna ECM that may be interceptable. IceyJ#0001, the son of a 2021 Sienna owner, appears to be interested in intercepting the firmware with MBrownies#7412's assistance.](https://discord.com/channels/469524606043160576/905950538816978974/918768906183798844)
 817 | * [(RP Discord) eRock970#1675 mentions they go through Colorado in their Rav4 Prime to wocsor. wocsor's MITM idea was debunked but he's still game to try something.](https://discord.com/channels/660951518014341124/801610171641364500/922592221067345921)
 818 | 
 819 | ### January 2022
 820 | 
 821 | * [Willem Melching from comma.ai posts a 4 part blog post about his own adventures in hacking a VW golf ECU including dumping and reverse engineering it on his own time.](https://blog.willemmelching.nl/carhacking/2022/01/02/vw-part1/)
 822 | * [IceyJ#0001 is planning to work with MBrownies#7412 on dumping something next month. IceyJ#0001 was delayed a bit by sickness and other issues.](https://discord.com/channels/469524606043160576/905950538816978974/932763692762800218)
 823 | * [#toyota-security discusses dumping the flash as seen on the LKAS forward camera](https://discord.com/channels/469524606043160576/905950538816978974/932839231406088252)
 824 | * [The Rav4 Hybrid 2022 doesn't work out of the box with fingerprinting. At first glance it looks like the radar changed and security key wasn't added.](https://discord.com/channels/469524606043160576/934541955818467379/936126765137555527)
 825 | * [(MT Discord) ryleymcc#4808 creates a #toyota channel in MT Discord and posts a request with offer of help/partnership to skilled hardware developers to develop a Toyota Torque Interceptor. When asked if this was a possible alternative to CAN MITM on Security Key Toyotas and referencing this discussion, ryleymcc#4808 claims it would circumvent all the Security Key issues.](https://discord.com/channels/839295599928934430/936051750639665172/936099944518025217)
 826 |   * NOTE: comma.ai strongly disapproves of ryleymcc#4808's work and operations, citing serious safety concerns.
 827 |   * This approach would likely not fulfill much of the bounty as it is currently specified as it is unlikely to make it into a release branch.
 828 | 
 829 | ### February 2022
 830 | 
 831 | * [The Continental Radar on the 2022 Rav4 may indicate a return to Continental for Radars and Cameras. It's possible that some of these ECU Security Key vehicles have Continental Setups and not Denso setups. Further research might need to be done. ](https://discord.com/channels/469524606043160576/934541955818467379/937772568822317076)
 832 | * [VagueAscent#4842 posts pictures of the internals of a Denso Toyota Security Key Camera. It looks the same as a non-Toyota Security Key camera. This may mean the learnings from practicing dumping of a much cheaper and plentiful non-Security Key Camera may be helpful. ](https://discord.com/channels/469524606043160576/905950538816978974/939203494152372274)
 833 | * [wocsor#0313 says he heard the Dragonpilot people have cracked ECU Security Key. However, it'll require more hardware and Dragonpilot will be keeping their implentations closed-source.](https://youtu.be/OXlEKoCRmwk?t=1360)
 834 |   * [Discussion in #toyota-security. Rumor is two pandas and an arduino.](https://canary.discord.com/channels/469524606043160576/905950538816978974/939331758124593193)
 835 | * [zorrobyte#5330 discovers that the Rav4 Prime has the same steering rack as the Rav4 Hybrid. This may mean that the authentication is implemented at the gateway. zorrobyte#5330 suspects the rumored dragonpilot approach may be taking advantage of this and bypassing the gateway.](https://discord.com/channels/469524606043160576/905950538816978974/939392177144999967)
 836 | * [MBrownies#7412 says IceyJ#0001, who was going to help try to capture a relevant firmware dump together, has gone MIA.](https://discord.com/channels/469524606043160576/905950538816978974/942146323908550687)
 837 | * [wocsor#0313 says that a rack replacement on a Rav4 Prime requires re-keying anyway so maybe the communication here is authenticated anyway. Nevermind.](https://discord.com/channels/469524606043160576/905950538816978974/943268332436590602)
 838 | * [IceyJ#0001 returns. He's just been busy with life. Time may be found next weekend.](https://discord.com/channels/469524606043160576/905950538816978974/943733084552044625)
 839 | * [zorrobyte#5330 mentions that the key may be able to be force written. This probably means capture without having to swap cameras or something.](https://discord.com/channels/469524606043160576/905950538816978974/943519475129520128)
 840 | * [Mutley#1114 re-appears. Will post all info they gathered like key updating, xml, and so on. Asks IceyJ#0001
 841 |  and MBrownies#7412 to do some logging. Asks if there are FW updates. ](https://discord.com/channels/469524606043160576/905950538816978974/944004532491395082)
 842 | * [An update is available for "back over protection" and it may be worth capturing.](https://discord.com/channels/469524606043160576/905950538816978974/944015246828371998)
 843 | * Massive Updates on 2022-02-02. Lots of progress all on one day.
 844 | * [zorrobyte#5330 work on LTA for existing TSS2 vehicles merited a look again at LTA as used on the Rav4 Prime. It doesn't look like it's secured with ECU Security Key! There's no crazy high-entropy checksum. How interesting. This may be a pathway to getting working Latitude or Steering. No work was done for long though.](https://discord.com/channels/469524606043160576/905950538816978974/945800149819621416)
 845 | * [In parallel, Mutley#1114 discovered and was able to download the CUW file for a camera update of the 2022 Tundra as the Tundra currently has a recall for the camera due to some issue with the camera causing the parking brake to come on. Unfortunately, the CUW file appears to be obfuscated, at least the binary part. De-obfuscation may still be needed to discover how the signing is done though among other interesting reverse-engineered information. The CUW firmware update for the camera itself is about 34MB.](https://discord.com/channels/469524606043160576/905950538816978974/945892489074712596)
 846 | * [Unfortunately, it looks like the obfuscation also applies to the firmware when intercepted over the CAN as well. The camera firmware even though it may be downloaded, may be a dead end.](https://discord.com/channels/469524606043160576/905950538816978974/946165610226790441)
 847 | * [MBrownies#7412 doesn't think the LTA command that checks out is at 0x191 on the Prime though. ](https://discord.com/channels/469524606043160576/905950538816978974/947239543839539250)
 848 | * [@nelsonjchen meets up with matty#8553 to try some stuff. They were not able to disable enough checks in OP to the point that LTA steering mode was attempted. Maybe they'll meet up again. Stock long passthrough appears to work though if we wanted. That means we can probably just focus on lateral and not worry too much about long for now.](https://discord.com/channels/469524606043160576/905950538816978974/947324116275453983)
 849 | 
 850 | ### March 2022
 851 | 
 852 | * [aka#2674 reappears again with an offer to Willem of Comma.ai if he visits San Diego sometime to look at his Rav4 Prime.](https://discord.com/channels/469524606043160576/905950538816978974/958039139884859432)
 853 | * [share-and-enjoy#7186 confirms that the 2022 Rav4 Prime still has a Denso camera. Note that is not to say a Continental Camera may not have Security Key but a security key version of a Continental Camera was seen on a New Zealand Yaris GR.](https://discord.com/channels/469524606043160576/905950538816978974/958121480401588284)
 854 | * [@nelsonjchen is too busy with work to try the LTA thing and doesn't believe Toyota would leave a gaping hole like that open.](https://discord.com/channels/469524606043160576/905950538816978974/958192169900978266)
 855 | 
 856 | ### April 2022
 857 | 
 858 | * "[new project ... Rav4 prime EPS](https://twitter.com/gregjhogan/status/1511038040101195779/photo/1)" - Greg J Hogan of comma.ai who is experienced with firmware analysis
 859 | * ["Still alive after surgery :)"](https://twitter.com/gregjhogan/status/1512171907608576013) - Greg J Hogan of comma.ai takes apart an EPS.
 860 | * ["[ryleymcc#4808] would ship a free TI to anyone who can use it to work around this ECU security [key] problem."](https://github.com/commaai/openpilot/discussions/19932#discussioncomment-2577462)
 861 |   * note: it looks like comma deleted this post, see above's "NOTE: comma.ai strongly disapproves of ryleymcc#4808's work and operations, citing serious safety concerns."
 862 | * [(RP Discord) wocsor#0313 notes that the MCU on the Rav4 Prime EPS Greg posted appears to be off the shelf and purchasable on DigiKey. However, there may be on-chip security that may need to be defeated and he was unable to locate a datasheet for it so far.](https://discord.com/channels/660951518014341124/744908622013661204/964894619831795805)
 863 | * Huge news. [TheReaper#0283 has dumped a Yaris Engine ECU as part of their tuning effort.](https://discord.com/channels/469524606043160576/905950538816978974/966235887417573447). @nelsonjchen reached out to a few technical fellows on the spreadsheet. If you're a technical fellow, and are interested, please reach out.
 864 | 
 865 | ### May 2022
 866 | 
 867 | * No progress on looking at the Yaris Engine ECU.
 868 | * [geohot has mentioned that if a Lexus with the system were bought for comma.ai, it would be cracked or given back to the community if it isn't cracked in 12 weeks.](https://discord.com/channels/469524606043160576/954493346250887168/973743822787993640)
 869 | 
 870 | ### June 2022
 871 | 
 872 | * [The 2023 Corolla has been announced with TSS 3.0 support which may also include adding security key. This may or may not add security key to the Corolla. This might be visible in TechInfo later this summer as 2023 Corollas arrive.](https://pressroom.toyota.com/toyota-boosts-2023-corolla-with-four-new-hybrid-models-awd-new-multimedia-and-safety-tech-and-freshened-styling/)
 873 | * [(RP Discord) The Toyota Sienna Auto-MAAS self driving platform has ECU Security Key on the front camera as well. Of course, no one is going to run OP on that but it's funny to know. It also appears to have a Continental Camera and Radar for PCS.](https://discord.com/channels/660951518014341124/744908622013661204/982781901276340314)
 874 | * [The bz4x (and likely its sister the Subaru Solterra) are looked up to have ECU Security Key as well](https://discord.com/channels/469524606043160576/524327905937850394/982801080893198387)
 875 | * [geohot produces/announces "Vote for Toyota Security", a more direct way to vote for comma to do Toyota Security. 500 votes of $100 each. Once it reaches the goal and if comma can't accomplish the crack, the money will be refunded.](https://discord.com/channels/469524606043160576/524572601826410498/984592766757658635)
 876 |   * https://www.reddit.com/r/Comma_ai/comments/v8v4jf/vote_for_toyota_security_comma_shop/
 877 |   * https://comma.ai/shop/products/vote
 878 |   * ![image](https://user-images.githubusercontent.com/5363/173100637-34fc20a3-c3fe-435c-931b-e1830ae5a00e.png)
 879 | * [Le_potato#1107 tries their hand at looking at the key stuff after some success cracking VW checksums. Seems to be somewhat in tune with car hacking and some of the firmware dumps out there. Le_potato#1107 Looking for a firmware dump file.](https://discord.com/channels/469524606043160576/905950538816978974/989654788230742016)
 880 | * Le_potato#1107 has shared the other half of the Yaris GR ECU out there. If you're a technical fellow, and are interested, please reach out.
 881 | 
 882 | ### July 2022
 883 | 
 884 | * [Comma Vote reaches 42 votes, also known as the answer to life, the universe, and everything.](https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0)
 885 | * [Erich#4634 discovers that bulk votes are discounted. Comma/Geohot are amused and replies they will honor the unintentional bulk vote discount. ](https://discord.com/channels/469524606043160576/905950538816978974/997269767742308432)
 886 |   * ![unknown](https://user-images.githubusercontent.com/5363/179237984-50137dd3-030e-4085-a396-5e2383348b41.png)
 887 | * The bulk vote party spreadsheet is launched for bulk votes contingent on some criteria: https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=1958149470
 888 |   * A new counter/badge is produced along-side as well
 889 |   * [![](https://shields.io/endpoint?url=https%3A%2F%2Fcellshield.info%2Fgs%3FspreadSheetId%3D1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM%26cellRange%3DBulkVoteCount)](https://docs.google.com/spreadsheets/d/1GOeN2ph9JLvOlwStZso988YPT-lILl7yZqFW8UPCFZM/edit#gid=0&range=BulkVoteCount)[^2]
 890 | * [geohot: Bulk votes can be bought in blocks of 10.](https://discord.com/channels/469524606043160576/905950538816978974/998719121644601394)
 891 | * [`CARS.md`](https://github.com/commaai/openpilot/blob/a009723513329921aafa6902ce320c3cc537729b/docs/CARS.md#toyota-security), an intermediate source file behind https://comma.ai/vehicles or the vehicle compatibility list on comma's site, is updated with a list of Toyota Security Key vehicles. It has not been pushed to comma's site yet as of July 27, but eventually will.
 892 | * Toyota posts a [video](https://www.youtube.com/watch?v=8pNwnX6hpE8) about TSS 3.0. The video description mentions "23 Corolla, 23 Corolla Hatch, 23 Corolla Cross, 23 GR Corolla, 23 Crown, 23 bZ4X". The bZ4X and the Corolla Cross are known released vehicles with Security Key. The others are unknown and as of July 27, 2022, not on TechInfo yet for confirmation.
 893 | * [Some discussion about how the system works along with a description from AUTOSAR about how a system would work](https://discord.com/channels/469524606043160576/905950538816978974/1002125130035642418)
 894 | 
 895 | ### August 2022
 896 | 
 897 | * [Thinkpad4by3#7568 has a great explanation of why TSK is not encryption.](https://discord.com/channels/469524606043160576/905950538816978974/1012390757832855553)
 898 | * [stevenkoh08#8535 in Singapore asks about the 2022 Toyota Noah. It is likely TSS3 and wonders how to check. stevenkoh08#8535 was a Toyota tech in the past. Looking up repair manuals in a non-NA, non-EU vehicle seems to be a bit of a pain and info might be JP only.](https://discord.com/channels/469524606043160576/524327905937850394/1012963545564069888)
 899 | * ["no one knows! 😦. without any real teardown of the architecture or setup, there's no telling what a TSK OP setup would need to look like."](https://discord.com/channels/469524606043160576/524327905937850394/1013241055434518619)
 900 | * [The 2023 Camry Hybrid with TSS2.5 does not appear to have Toyota Security Key. Still unknown for 2023 Corolla with TSS3 though.](https://discord.com/channels/469524606043160576/905950538816978974/1013928544319066173)
 901 | * ["as soon as we hit 500, we'll buy a rav4 prime
 902 | thinking it'll actually be pretty easy to crack, apparently some of the ECU tuning people already have" "if the base model corolla has toyota security, we'll buy one"
 903 | " - geohot . a note is also dropped by adeeb about the popularity of the Corolla Cross](https://discord.com/channels/469524606043160576/905950538816978974/1014944026484547706)
 904 | * ["oh fine. if we get 300 votes by the end of next week, we'll buy a corolla cross." - geohot](https://discord.com/channels/469524606043160576/905950538816978974/1014962017645371542)
 905 |   * Probably unrealistic by next week, but just noting this here.
 906 | 
 907 | ### September 2022
 908 | 
 909 | * [u/Raskinulas posts on the /r/comma_ai subreddit about wanting to support a T/LSS3 vehicle with a Torque Interceptor. Replies are doubts about u/Raskinulas's capabilities but u/Raskinulas claims to have resources and is referred to the torque-interceptor channel in Discord.](https://www.reddit.com/r/Comma_ai/comments/x3926l/does_stock_emergency_evasive_steering_assist_work/)
 910 | * ["we will buy a toyota security car when either: a) we get the 500 votes b) security comes to the corolla, prius, or RAV4 " -geohot](https://discord.com/channels/469524606043160576/954493346250887168/1017201649284022334)
 911 | * ["there's only one way they are refunded: if we hit vote target and can't crack it.
 912 | btw i'd bet against toyota security coming to the 3 cheap cars, the chips to do it are expensive and rare" -geohot](https://discord.com/channels/469524606043160576/954493346250887168/1017207178081337414)
 913 | * [The 2023 Corolla is now on Techinfo. No one has seen behind the paywall yet. 🔒 or 🔓 ? 😓 ](https://discord.com/channels/469524606043160576/905950538816978974/1020428115194941470)
 914 | * [The 2023 TMC-made/Japan-made Corollas appears to have Security Key. However the TMMMS/US-made ones do not.](https://discord.com/channels/469524606043160576/905950538816978974/1020529259191738479)
 915 | * [Examples of pre refresh Corollas show Corolla ICE/gas-only sedans of any trim may be made in the US. Some gas-only sedans, hatchback, and hybrids are made in JP.](https://discord.com/channels/469524606043160576/905950538816978974/1020874972803125268)
 916 | * [gregjhogan praises Ghidra for something related to "security access seed/key functions!" Unknown if this is specifically related to Toyota or another manufacturer. What is known though? Comma is tackling "security access seed/key functions!".](https://twitter.com/gregjhogan/status/1571628060310646784?s=20&t=wFK5M5B4RMpEO2hqEJ_LKw)
 917 | 
 918 | ### October 2022
 919 | 
 920 | * [Remote starters with no key do exist on Toyota Security vehicles.](https://discord.com/channels/469524606043160576/905950538816978974/1029816408491692112)
 921 | * [(RP Discord) In which a crew of people work through RE'ing some firmware on an EPS for their VWs.](https://discord.com/channels/660951518014341124/1026931406590447617/1034646246125735987)
 922 | 
 923 | ### November 2022
 924 | 
 925 | * [Willem Melching formerly of comma posts a picture with "Will it Glitch?" with what appears to be a RAV4 Prime EPS board with many probes on Twitter.](https://twitter.com/PD0WM/status/1588553011638374401)
 926 |   * [Rav4 Prime EPS board previously seen on Greg Hogan's Twitter](https://twitter.com/gregjhogan/status/1512171907608576013?s=20&t=4UVu_pAgsyNq2wRkg-gh0Q)
 927 | * ["Yes! Turns out the Renesas RH850/P1M-E is vulnerable to a similar attack as the RX65... ", cont.](https://twitter.com/PD0WM/status/1588981771974373376)
 928 |   * Cite: https://www.collshade.fr/articles/reneshack/rx_glitch_article.html
 929 |   * It appears a firmware dump of a relevant Toyota Security Key ECU has been accomplished. It does not meet my criteria for a firmware dump milestone yet as instructions for reproduction are not all present, but the dump does seem to have been accomplished.
 930 | * [Willem Melching posts a writeup of how to and what to do to get the firmware dumped.](https://blog.willemmelching.nl/carhacking/2022/11/08/rh850-glitch/)
 931 |   * This meets all my criteria for the firmware dump milestone and I am working on collecting and closing the bounty.
 932 | * [Greg Hogan posts a screenshot of Ghidra presumably looking at the Rav4 Prime EPS Firmware with some already work done and named functions/fields.](https://twitter.com/gregjhogan/status/1590423198705016832)
 933 | * [Sent out "Toyota Security Key Firmware Dump Bounty Gathering Letter"](https://docs.google.com/document/d/15n3A66MxJENAEJtEfhZT34KHWkgmA8-_fM9-FI5jjB8/edit)
 934 | * [The new SecOC/Security Key LTA message is discovered to be at `0x131`.](https://discord.com/channels/469524606043160576/905950538816978974/1043144835147767818)
 935 | * ["SecOC message parsing, MAC truncated to 28 bits looks like AUTOSAR SecOC profile 3 (JASPAR)"](https://twitter.com/gregjhogan/status/1594607138004815872)
 936 | * [/u/imgeohot (geohot, presumably?) "Literally the only "locked out" car is a small minority of Toyota's. We offered votes for sale, but we didn't sell many. It's not a OMG they are locked out, it's why would we care it's like 5 obscure cars. Will solve when it comes to Corolla or Prius.". (not sure if geohot knows or acknowledges TSK has arrived to Japanese-made Corollas yet.) ](https://www.reddit.com/r/Comma_ai/comments/z262yk/comment/ixfb4t3/?utm_source=share&utm_medium=web2x&context=3)
 937 | * [vybhavab#6727 puts down the $20 to look up a batch of cars for 2023. The "Toyota Sequoia" is only offered in Hybrid and it has TSK. ](https://discord.com/channels/469524606043160576/1041146821705207818/1046649221467611186)
 938 | 
 939 | ### December 2022
 940 | * ["The SecOC implementation is purely software based and the keys are sitting in RAM. Just need to find a convenient way to get them out." - Melching](https://twitter.com/PD0WM/status/1599776675423666176)
 941 |   * [This is in contrast to geohot claiming that the implementation requires rare chips. All to say, to quote geohot too, if you want to know the truth, you have to hack on it.](https://discord.com/channels/469524606043160576/954493346250887168/1017207178081337414)
 942 | * [Geohot asked about producing a Flexray Harness: **Yea, same as Toyota Security, but harder**. If a major car platform switches to flexray that’s probably the only way we’ll do it, but afaik flexray is dying. we support CAN-FD](https://twitter.com/realGeorgeHotz/status/1608638713067892736)
 943 | * [adeeb: "23 corolla has secoc?"](https://discord.com/channels/469524606043160576/954493346250887168/1060285053273391164)
 944 | 
 945 | ### January 2023
 946 | 
 947 | * ["So is looking in there now and unfortunately the procedure for mounting the front camera includes a step 5 that instructs you to update the ecu security key 😒 [for Toyota Aygo X]"](https://discord.com/channels/469524606043160576/524327905937850394/1060727691344629790)
 948 | * [A comma_ai Twitter Space occured](https://tweetdeck.twitter.com/i/spaces/1gqGvyBPQkaKB/peek) where Comma's Greg talked about TSK for ~10 minutes. Unfortunately, there are no recordings but some [recollections](https://discord.com/channels/469524606043160576/905950538816978974/1060769430864400415).
 949 |   * "i think greg said reflashing the ecu to disable security might happen first less desirable and clean"
 950 |   * "i asked if secured corolla/prius would mean comma would take action before the vote quota was met. george didn't seem to care too much and that the votes mattered more."
 951 |   * "oh, greg mentioned the eps they bought didnt look like it was ever installed in a car lol"
 952 | * [$480 of the FW Dumping Bounty sent to Willem Melching. Unfortunately, this was less than half of the promised bounty for a firmware dump.](https://discord.com/channels/469524606043160576/905950538816978974/1061400929531863110). [Ko-Fi Link](https://ko-fi.com/home/coffeeshop?txid=e84e7aa3-f643-4f75-a83e-81331aeba142&mode=public&img=ogiboughtsomeone)
 953 | * ["Replace your EPS with one that has never been in a car and the key used for SecOC MAC generation will be 0x11111111111111111111111111111111 openpilot could work as long as you don't re-key, but stock system will not 🤣" -gregjhogan](https://twitter.com/gregjhogan/status/1613011165189410816)
 954 | * [2023 Prius (Standard) has Security Key](https://discord.com/channels/469524606043160576/905950538816978974/1062756940524040202)
 955 | * [Someone(s) volunteers to try to replace their EPS with a out of the box un-unkey'd EPS to get OP going. Of course, talk is cheap on Twitter and no one can blame that someone if they backout due to cold feet but if it's serious.....](https://twitter.com/sheldonroth22/status/1613032236386848769?s=20&t=rKv-kcR_tb5Vod_5X7pR4w)
 956 |   * The message counterpart for that offer on Discord seems to not be there now.
 957 | * [The 2023 Corolla Hybrid sold in Brazil still seems to be using Denso and does not have Security Key](https://github.com/commaai/openpilot/pull/26943)
 958 | 
 959 | ### February 2023
 960 | 
 961 | * [ salem#4009: Sienna 2021, geohot: "i hear this" ](https://discord.com/channels/469524606043160576/954493346250887168/1079946460466008095)
 962 | * [2023 Lexus RX Has Security Key](https://discord.com/channels/469524606043160576/524327905937850394/1080298999954800682)
 963 | * [2022+ Lexus LX Has Security Key](https://discord.com/channels/469524606043160576/524327905937850394/1080929136429781032)
 964 | 
 965 | ### March 2023
 966 | 
 967 | * [Shane from comma announces a $500 bounty for the 2023 Corolla, 2023 Corolla Hybrid, and 2023 Prius. $500 for a working port merged.](https://discord.com/channels/469524606043160576/954493346250887168/1082390596544639086)
 968 | * [A discussion about security key with comma comes up](https://discord.com/channels/469524606043160576/954493346250887168/1085045409396826112)
 969 |   * [comma believes there are many supportable cars still](https://discord.com/channels/469524606043160576/954493346250887168/1084934027326275694)
 970 |   * [comma understanding, Rav4 ICE/Hybrid LTA but no TSK, Corolla may be like Rav4 (no ack of JP-made corollas having TSK), Prius: secOC](https://discord.com/channels/469524606043160576/954493346250887168/1084949761683095713)
 971 | * [The 2023 Lexus ES has security key from looking at the CAN traffic (Retropilot Discord)](https://discord.com/channels/660951518014341124/744908622013661204/1090685795230290013)
 972 | * [zorrobyte thinks that it's possible to intercept the camera and control things like Ford. It's very late, I doubt he remembers the Toyota architecture and may be projecting. (OP Community Discord)](https://discord.com/channels/771493367246094347/771493367779295304/1092702824313409536)
 973 | * [An "emergency start" tool is being sold that organized theft rings can use to hijack and steal Toyota Smart Key system cars such as a Rav4 with just prying access to the headlights. ECU Security Key is described as a recommended response to this.](https://kentindell.github.io/2023/04/03/can-injection/ )
 974 |   * Posted in #toyota-security here https://discord.com/channels/469524606043160576/905950538816978974/1092978466720325672
 975 |   * Posted in #toyota on RP Discord: https://discord.com/channels/660951518014341124/744908622013661204/1092883580365062297
 976 |   * A discussion on Hacker news (some curmudgeon, but interesting nevertheless): https://news.ycombinator.com/item?id=35452963#35458481
 977 | * [kylekulhanek#2725 offers up their new 2023 JP-built Corolla Hybrid for testing if it has ECU Security Key or not. However, it seems Toyota has changed the connectors. This one has 16 "pins" (not all populated), compared to the older 12 "pin" connector.](https://discord.com/channels/469524606043160576/524327905937850394/1093327458050244676)
 978 |   * ![image](https://user-images.githubusercontent.com/5363/230242077-d103e98c-8aea-4523-a3a5-1b98070f1978.png)
 979 | * [Hamoud#4585 range-tested the shop and discovered comma actually set a quantity of 500 .
 980 | trick is, do 1000 quantity for vote, and just subtract the max quantity from 500.](https://discord.com/channels/469524606043160576/905950538816978974/1094047733951770674)
 981 | * [oremaxis#0107 notes the connector is noted to be physically identical to the harness plug used for Subaru vehicles. oremaxis#0107 physically tests it, but does not start up the (JP?) "Prius MXWH65-AHXHB" (roughly equivalent to a non-PHEV Prius w/e AWD in USDM)  since the pinout is different with a Mr. One Subaru harness. ](https://discord.com/channels/469524606043160576/905950538816978974/1094577635784413286)
 982 |   * ![image6](https://user-images.githubusercontent.com/5363/230780056-f050bf8b-aafa-41eb-9e8f-ee3e5f540895.png)
 983 | * [A 2023 Tundra was hooked up to a C2 and confirmed to have TSK/SecOC.](https://github.com/commaai/openpilot/issues/27869#issuecomment-1504046497)
 984 | 
 985 | ### April 2023
 986 | 
 987 | * [@nelsonjchen asks u/LordKing64, a reddit user who produces spreadsheets for those looking to hunt down extremely desirable Toyotas to run a scrape against the ICE 2023 Toyota Corolla to see what percentage of ICE corollas are Japanese-made, which get locked up with TSK.](https://discord.com/channels/469524606043160576/905950538816978974/1097790378528215101)
 988 |   * It's a snapshot, assuming that it is generalizable for the ICE Corolla through the rest of the model year.
 989 |   * https://docs.google.com/spreadsheets/d/15FaeZggrsoSizcqARb-eJXpbLFqoYUVtk6s_qFFwSXk/edit#gid=0
 990 |   * About 1% of ICE Toyotas in the US are produced in Japan across all trims.
 991 |   * Note: To date, no one has attempted to port OP to the 2023 ICE US-made Corolla.
 992 | * More scrapes from /u/LordKing64 produces this [spreadsheet of 2023 Corolla origins. ](https://docs.google.com/spreadsheets/d/10cUUi29vIGUmBLC3ZhPRP8AfEHiaxwB9hinsNmb36CE/edit#gid=0). About a quarter of Corollas (not including GR, have TSK on them).
 993 |   * ![image](https://user-images.githubusercontent.com/5363/234712559-59527772-a60d-4e20-b382-348bf0a3b4d8.png)
 994 | * Oof, even more 2023 ICE JP Corollas
 995 |   * ![US_2023_Corolla_Toyota_Security_Key_Distribution_from_a_sample_scrape_suspected_we_still_need_a_harness_to_confirm _1](https://user-images.githubusercontent.com/5363/235087019-008b3b4e-592e-40bf-82e7-eeca205da908.png)
 996 | 
 997 | ### May 2023
 998 | 
 999 | * [The 2023 US Corolla does have a different connector.](https://discord.com/channels/469524606043160576/524327905937850394/1103425854727524362)
1000 | * [Saeed Almansoori#9530 says "Congratulations comma.ai, 4 new cars will be included in OpenPilot toyota LC300 2023 toyota sequoia 2023 toyota tundra 2023 Lexus LX600 2023". A baffling comment is made in #toyota-lexus channel. Three of these vehicles are known to have TSK in the US market.](https://discord.com/channels/469524606043160576/524327905937850394/1107239972261601332)
1001 | 
1002 | ### June 2023
1003 | 
1004 | * [Comma staffer vanillagorilla is looking to build a B harness for Toyota that some newer Toyotas such as the Prius or Corolla may have. Looking for a tester.](https://discord.com/channels/469524606043160576/524327905937850394/1115093142962704424)
1005 |   * GH Issue: https://github.com/commaai/openpilot/issues/28402
1006 | * [circulartofu bought a EPS ECU for an RX to try and dump it for more torque. While this isn't for TSK, this is someone else trying to dump an EPS.](https://discord.com/channels/469524606043160576/664566220086837273/1119155823055220777)
1007 | 
1008 | ### July 2023
1009 | 
1010 | * ["When Geo was hosting the VC last week I brought up the fact that the new Prius has TSK and he wasn't aware of that, so maybe they'll look into getting a 2023/2024 Prius and start taking a crack at it. Cause Alex \[alexm (on Discord)\] even said they need a new Prius anyways since their old one is worn out." (SP) ](https://discord.com/channels/880416502577266699/881763752943435807/1133560878722191421)
1011 | * [The Grand Highlander and Grand Highlander Hybrid appear to have Toyota Security Key. Thanks to rap_rep_291 on Discord.](
1012 | https://discord.com/channels/469524606043160576/905950538816978974/1134950311719600279)
1013 | * [Users in #toyota-security discuss getting keys from dealerships. The aura is that dealership techs know less than us and it's just an annoying thing to do afterwards.](https://discord.com/channels/469524606043160576/905950538816978974/1135581504316129290)
1014 | 
1015 | ### August 2023
1016 | 
1017 | * comma.ai has its periodic social and product convention "[comma_con](https://web.archive.org/web/20230807020817/https://commacon.splashthat.com/)" to announce new products, meet and greet contributors and users, and talk about the future.
1018 |   * [comma ai | Shipping github.com/commaai/openpilot | Adeeb Shihadeh | COMMA_CON talks | CPO](https://youtu.be/18CjH41VXn4?t=1444)
1019 | 
1020 |     ```
1021 |     [23:49.760 --> 23:52.360]  \[Audience Question\] Which car brands are the easiest to support
1022 |     [23:52.360 --> 23:53.360]  and the hardest to support?
1023 |     [23:53.360 --> 23:55.600]  \<cut\>
1024 |     [23:55.600 --> 23:56.760]  \<cut\>
1025 |     [23:59.760 --> 24:03.360]  Adeeb: So easiest to support, this is really changing now, actually.
1026 |     [24:03.360 --> 24:06.360]  The software platforms and the cars, at least for the ADAS,
1027 |     [24:06.360 --> 24:09.360]  were pretty stable for about like three, four years.
1028 |     [24:09.360 --> 24:10.760]  And we did a lot of this initial work
1029 |     [24:10.760 --> 24:12.360]  maybe three, four years ago.
1030 |     [24:12.360 --> 24:13.760]  And now we're in this cycle where
1031 |     [24:13.760 --> 24:15.360]  Honda, Toyota, Honda, Toyota, Honda,
1032 |     [24:15.360 --> 24:18.160]  we're in this cycle where Honda, Toyota, Honda, a lot of them
1033 |     [24:18.160 --> 24:21.080]  are changing their platforms right at the same time.
1034 |     [24:21.080 --> 24:23.720]  So that's the hard part right now,
1035 |     [24:23.720 --> 24:25.600]  is we're getting this influx that
1036 |     [24:25.600 --> 24:27.960]  are all different right now.
1037 |     [24:27.960 --> 24:31.400]  The hardest ones now are the ones that implement the Autosar
1038 |     [24:31.400 --> 24:33.160]  secure onboard communication.
1039 |     [24:33.160 --> 24:34.560]  We haven't spent much time on it,
1040 |     [24:34.560 --> 24:36.320]  but that'll be a little bit of a project.
1041 |     [24:36.320 --> 24:39.600]  It just adds more overhead to porting a car.
1042 |     ```
1043 |   * [Jason Young, a prominent not-comma.ai openpilot community contributor, discusses SecOC as a **bad** thing to see when attempting to port OP to a new vehicle.](https://youtu.be/KcfzEHB6ms4?t=221)
1044 | * [The Toyota B Harness seen in the 2023 Corolla and the 2023 Prius go on sale in comma's shop after a tester was located.](https://github.com/commaai/openpilot/issues/28402)
1045 | * [rap_rep_291 on Discord discovers that Vector's (A popular CAN Bus Analyzer and debugging tool) tooling may have SecOC "OEM Security Addons" "free of charge" for some OEMs. Toyota is not mentioned specifically though. Vector stuff is $20k though.](https://discord.com/channels/469524606043160576/905950538816978974/1137507914525970615)
1046 | * [The Lexus UX 2023 2023 are looked up to not have Security Key.](https://discord.com/channels/469524606043160576/524327905937850394/1141095773346472019)
1047 | * [oremaxis is trying to hook up the Japanese 2023 Prius with the current comma B Harness. There are missing connections and some issues with the harness relays.](https://discord.com/channels/469524606043160576/905950538816978974/1144175305787981834)
1048 | * [.malachor reports that Toyota is moving to GTS+ away from TechInfo and that there's _some_ sort of capture or key stuff possibly going on with the newer platform as well.](https://discord.com/channels/469524606043160576/905950538816978974/1145575288076521543)
1049 | * [Toyota B Harness updated with more wires needed/as seen on Prius 2023](https://discord.com/channels/469524606043160576/905950538816978974/1145880152560115782)
1050 | 
1051 | ### September 2023
1052 | 
1053 | * [ celeryferrari on discord dumps a bunch of PDFs of the ECU replacement for the forward camera for Lexuses. Notably, the 2024 Lexus ES doesn't have replace ECU Security Key as a procedure](https://discord.com/channels/469524606043160576/1155185322473300010)
1054 |   * [Question follow up to original ES reporter stupefacient on Retropilot](https://discord.com/channels/660951518014341124/744908622013661204/1155212167927320616)
1055 | 
1056 | ### October 2023
1057 | 
1058 | * geohot
1059 |   * ["until the votes are bought [for tsk], i don't care about it"](https://discord.com/channels/469524606043160576/819046761287909446/1161370683553624157)
1060 |   * ["i care so little about tsk until the votes are sold](https://discord.com/channels/469524606043160576/905950538816978974/1161375506579595284)
1061 | * [A lexus tuning scene user comes on and asks about the status. No news, but some interest from adjacent fields.](https://discord.com/channels/469524606043160576/524327905937850394/1165408803987132436)
1062 | * [Apparently there was a firmware update / recall for cameras Corolla and Corolla HV, Corolla Hatchback, Corolla Cross, BZ4X](https://discord.com/channels/469524606043160576/905950538816978974/1170097413172756544)
1063 |   * https://static.nhtsa.gov/odi/tsbs/2023/MC-10242520-9999.pdf
1064 | 
1065 | ### November 2023
1066 | 
1067 | * [Range Check Trick to check vote count no longer works](https://discord.com/channels/469524606043160576/905950538816978974/1172535775330578523)
1068 | * [A small discussion on that mentions 2023 Toyotas such as a bz4x and 2023 Sienna known to have TSK can have their immobilizers changed by a non-Toyota tool. (OPC Discord)](https://discord.com/channels/771493367246094347/771493367779295304/1173483333934645339)
1069 |   * [A later discussion comma Discord establishes this as not as big a deal. Adding a key with a key already present is easy.](https://discord.com/channels/469524606043160576/905950538816978974/1178817755760304230)
1070 | * Range trick to check votes works again.
1071 | * [VineTimeLive#2651 paid $25 and looked up a bunch of models after Toyota's paywall. Summary below.](https://discord.com/channels/469524606043160576/524327905937850394/1176372862840479825)
1072 |   * Highlander 2024, even though it still has TSS 2.5, got TSK . Not unexpected for it being rather oddly the most change prone.
1073 |   * The 2024 Rav4 still does not have TSK.
1074 |   * 2024 Lexus TX, has TSK, not big surprise
1075 |   * There is no longer a differentiation between JP and US 2024 Corollas for TSK.  *All* 2024 corollas have TSK.
1076 |   * The 2023 ES and 2024 ES does not have TSK, contrary to what others may have reported.
1077 | * [A small discussion on differences between Toyota Dealership and independent shop access re: TSK and Techstream](https://discord.com/channels/469524606043160576/905950538816978974/1177567834688196638)
1078 |   * "The local branches don't have the data. Any dealer that wants to swap  a secured ECU for repairs has to login through Techstream to get the one specific key for the ECU he is installing at that time. Third party shops have to do the same but they don't even get Techstream Global access. They get case-by-case access if Toyota approves it. (E.g. parts number matching and so forth)"
1079 | * [A post with a sample of an exchange between Techstream and Toyota servers.](https://discord.com/channels/469524606043160576/905950538816978974/1178220020086616156)
1080 | * ["interesting how european ecu security key can do offline key writing"](https://discord.com/channels/469524606043160576/905950538816978974/1178723776146448444)
1081 | 
1082 | ### December 2023
1083 | 
1084 | * [jakethesnake420420 on Discord believes they see a pattern in the checksum?](https://discord.com/channels/469524606043160576/905950538816978974/1180247525156987000)
1085 | * [this guy's adventure is interesting abeit unfulfilled, to try to RE and hack their tundra instrument cluster](https://discord.com/channels/469524606043160576/905950538816978974/1184889844149780591)
1086 |   * https://www.reddit.com/r/embedded/comments/ystc0l/automotive_mcu_instrument_cluster_firmware/ and check user's posts.
1087 | 
1088 | ### January 2024
1089 | 
1090 | * Added more vehicles:
1091 |   * 2024+ Lexus TX (Speculated from TechInfo lookup)
1092 |   * 2024+ Lexus GX (Speculated from TechInfo lookup)
1093 |   * 2024+ Tacoma (Speculated from TechInfo lookup)
1094 |   * 2024+ Mirai (Speculated from TechInfo lookup)
1095 | * Q: I’ll tell my friends, can we spend marketing budget on new Toyota/lexus ecu cracking? :kekw: geohot: no, buy votes
1096 |    * https://discord.com/channels/469524606043160576/954493346250887168/1197701819686715462
1097 | * [Willem: "We got code execution in the bootloader over CAN! Still a few issues to work out though, the main application stops working after a few seconds now. EPS part # is 89650-42370, whole steering rack is 44250-42310. 2021+ Rav4 Prime." ](https://twitter.com/PD0WM/status/1750253508530483699)
1098 |   * [Greg: Can anyone help find a Rav4 prime power steering motor from a wrecked vehicle? Some promising things have been found!  I want one that was in a car so it has real keys, and something that we have no fear of bricking or physically destroying.](https://twitter.com/gregjhogan/status/1750214610328969552)
1099 |   * [Greg: FYI, this means a way to dump the keys over CAN has been found](https://discord.com/channels/469524606043160576/905950538816978974/1200071382210465872)
1100 | * [geohot asks: What's the most popular car with Toyota security?](https://discord.com/channels/469524606043160576/954493346250887168/1200226940276195338)
1101 |   * [After looking at Toyota's year end sales reports, @nelsonjchen replies with "the Tundra/Sequoia"](https://discord.com/channels/469524606043160576/954493346250887168/1200296188092616714)
1102 |   * Source Spreadsheet: https://docs.google.com/spreadsheets/d/1CWUmOk4rFPWVNqDoz02tPQxp6SLbJsedYQ1fjv6oXAI/edit#gid=0
1103 | * [**A draft pull request to support the 2021 RAV4 Prime is made. It is very early and has shortcomings.**](https://github.com/commaai/openpilot/pull/31179)
1104 |   * [It does not have code to dump the keys. Willem is worried it could brick the EPS and it is undertested](https://discord.com/channels/469524606043160576/905950538816978974/1200180041028489306)
1105 |   * [It does have the the code to calculate new Message Authentication Codes (MACs) for the SecOC messages.](https://github.com/commaai/openpilot/pull/31179/files#diff-8d263c776436c5ff7ccd6f4f3a0918a5d7fb4167c1c6054013883c5723ee295dR9-R36)
1106 |   * [Notably, if merged, comma is currently not yet comfortable adding it to the supported cars list.](https://github.com/commaai/openpilot/pull/31179#issuecomment-1912575990)
1107 | 
1108 | ### February 2024
1109 | 
1110 | * "I’m working on blog post. Will post that together with the script.   (UPDATE: Blog post in March 1)
1111 | 
1112 |    The risk is not super high, but it’s very inconvenient if the rack needs to be replaced. In the meantime I’ve tested it on a second rack pulled from a crashed vehicle, and it worked fine." - Willem
1113 |    * https://discord.com/channels/469524606043160576/905950538816978974/1205056507973214208
1114 | * Comma staffer Shane mentions that comma has determined the Corolla radar to be CAN-FD. While not TSK related, there is info that comma has discovered and not released yet.
1115 |   * https://discord.com/channels/469524606043160576/1194100053879558225/1205747241718124544
1116 | 
1117 | 
1118 | ### March 2024
1119 | 
1120 | * [Major Update from former comma staffer Willem Melching]():
1121 |   * > New blog post is out! Extracting the SecOC keys used for securing the CAN Bus on the 2021+ RAV4 Prime. https://icanhack.nl/blog/secoc-key-extraction/
1122 |     >
1123 |     > Research started all the way in 2022, but took many evenings of reverse engineering to get code execution.
1124 |     >
1125 |     > PoC: https://github.com/I-CAN-hack/secoc
1126 |   * > * Extracted the firmware from an ECU, using Fault Injection to bypass the locked debug port.
1127 |     > * Reverse engineered the application code, to understand how SecOC was
1128 |         implemented and find the location of the keys in RAM.
1129 |     > * Reverse engineered the bootloader, to understand how the update procedure  works and how we can upload and run shellcode.
1130 |     > * We built a shellcode that extracts the keys from RAM and sends them out over CAN, then reboots the device.
1131 |   * It is a long read, but it is exactly why this is such a hard problem and there are some serious hurdles to overcome when it comes to extracting the keys.
1132 |   * An incomplete exerpts of some other information:
1133 |     * There is a way to extract the SecOC key from the RAV4 Prime without disassembly.
1134 |     * During the construction of the payload, a secret key must have been extracted from the firmware in order to upload code to the EPS, run it, and extract the key. This isn't correct secure design but it lets third parties like comma.ai and I-CAN-hack to extract the key by uploading temporary code to the EPS to extract the key.
1135 |     * By not using the "Hardware Security Module" in the firmware, the key can be extracted from memory. Newer cars may use the HSM, which hides the key from memory, and getting the key out from those is an unsolved problem. *What* are the newer cars is unclear, but the 2023 Corolla Cross they looked at was using the HSM.
1136 |   * Some people are looking to get the key from their Rav4 Prime
1137 | * Discord Followups on comma.ai Discord:
1138 | * [Willem: "Grab your SecOC key and share a route in #⁠toyota-security and I'll finish the car port for the RAV4 Prime!"](https://discord.com/channels/469524606043160576/954493346250887168/1213580915972776016)
1139 | * [There is some discussion on whether it is possible to intercept the key during a re-keying process. (#general)](https://discord.com/channels/469524606043160576/954493346250887168/1213583124894842941)
1140 | * [hdoublearp on Discord was able to retrieve their SECOC key with Willem's script.](https://discord.com/channels/469524606043160576/905950538816978974/1215389425291235348)
1141 | * [hdoublearp report on his collaboration with Willem](https://discord.com/channels/469524606043160576/905950538816978974/1219399908659036261)
1142 |   * "There is some progress on the port, thanks to Willem, lateral is working. Still some missing safety features, but the initial issues with the Prime’s new PCM messages are sorted out. Willem had to make some changes to account for gearing difference in the Prime compared to other models. I’ve sent my latest feedback and test scenarios to him, and will continue working with him on it.
1143 |   * hdoublearp posts a video. It is a video of an assisted lane change on a RAV4 Prime, a feature that does not exist on TSS2 but does in openpilot.
1144 | 
1145 |     https://github.com/commaai/openpilot/assets/5363/757c916d-ac08-4384-80b2-0de48664ecd1
1146 | 
1147 | * There is still work to figure out some of the new messages.
1148 | * [A second RAV4 Prime by @chrispypatt seems to have come online from Willem's work.](https://discord.com/channels/469524606043160576/905950538816978974/1223761559629856929)
1149 | 
1150 | ### April 2024
1151 | 
1152 | * [Spawahh tries to get the tools working on their bz4x. Things are complicated by CAN-FD and other issues. WIP](https://discord.com/channels/469524606043160576/1226559486160801823/1227094607784054864)
1153 | * [etc6849 tries to run the key extraction script on their Tundra **from their C2**, but is stopped by the firmware check in the script. Still a hello world! There is some apprehension about bricking, possibly.](https://discord.com/channels/469524606043160576/905950538816978974/1227751587720728647)
1154 | * [tranlocquy **bravely** comments out past the firmware check on the SecOC key extraction script and the EPS on their 2021 Sienna survives. And purportedly some sort of key is extracted. After putting in their Sienna's firmware and masquerading as a RAV4 Prime, it appears to work!](https://discord.com/channels/469524606043160576/905950538816978974/1228862172696936552)
1155 |   * tranlocquy posts a video of openpilot working on the Sienna.
1156 | 
1157 |     https://github.com/commaai/openpilot/assets/5363/53d73339-38be-4e96-aa1e-46f87206025d
1158 |   * Willem: ["No way! Didn't expect it to be this easy with the offsets/keys in RAM being in the same place. Checked out the route and dump you sent me, and looks legit!"](https://discord.com/channels/469524606043160576/905950538816978974/1229156739530756186)
1159 | * [chaechullee with tranlocquy's guidance manages to dump their keys and get it going on their 2022 Sienna.](https://discord.com/channels/469524606043160576/905950538816978974/1230018621791801445)
1160 | * As of this time, longitudinal support is still not present.
1161 | * [Tundra will be attempted soon](https://discord.com/channels/469524606043160576/905950538816978974/1230932381876228156)
1162 | * [A 4th Sienna key extraction is in progress.](https://discord.com/channels/469524606043160576/905950538816978974/1231193993757327390)
1163 | * [Siennas apparently have unsecured longitudinal and it "just works"?!](https://discord.com/channels/469524606043160576/905950538816978974/1232531416730828810)
1164 | * [bgill66 tries to dump the key on the Tundra; no success and christmas lights. A restart of the truck clears up the warnings. Some sort of v4 bootloader was encounted.](https://discord.com/channels/469524606043160576/905950538816978974/1233207683482521690)
1165 | * [yipstar tries to dump keys on their 2024 toyota highlander, but is unsuccessful; that said, it does seem to execute code.](https://discord.com/channels/469524606043160576/1234274531691069502/1234294969129238599)
1166 |   * [Unfortunately, it does not appear the key is inside the "dataflash" and might be inside the HSM](https://discord.com/channels/469524606043160576/1234274531691069502/1234772431344762933)
1167 | * [willem: "Hopefully ThisGuy can get the bench setup working [for the tundra eps rack]!"](
1168 | https://discord.com/channels/469524606043160576/905950538816978974/1234383264467124227)
1169 | * [Longitudinal might actually still be secured on the Sienna. Resume spam might still work, but longitudinal controlled completely by OP isn't](https://discord.com/channels/469524606043160576/905950538816978974/1235791266294530160)
1170 | 
1171 | ### May 2024
1172 | 
1173 | * [Full longitudinal support for the Rav4 Prime (and probably Sienna) is blocked by a lack of understanding of the gas/brake/acc messages. @nelsonjchen suggests the community get good on how to reverse engineer can bus messages. Worry about the signing later.](https://discord.com/channels/469524606043160576/905950538816978974/1237827694175981578)
1174 | * [More 2023 Rav4 Primes are known to be working, but there may be some issues with some understandings of the messages.](https://discord.com/channels/469524606043160576/905950538816978974/1238293711918600244)
1175 | * [dpan9738 tries to dump their key from a 2022 Corolla Cross but is unsuccessful. Checksum verification error... . Unknown if HSM is in 2022 Corolla Cross.](https://discord.com/channels/469524606043160576/905950538816978974/1239059445682667561)
1176 | * [ThisGuy has successfully wired up their C3 to the new and spare Tundra steering rack on their workbench with Willem's help and guidance. While the keys still aren't able to be dumped, there is connectivity and some response.](https://discord.com/channels/469524606043160576/1238938922084597831/1238997445573218364)
1177 | * [ianik66 tries the script on the 2021 Venza after commenting out some checks but an invalid key is returned. Some proposals are done for a memory-dump search that, while unsuccessful on the Tundra, might be successful on the Venza in locating the changes in memory location for the key. Other suggestions are made to improve this search as well.](https://discord.com/channels/469524606043160576/905950538816978974/1240410992282959992))
1178 | * [chrispypatt and tranlocquy have started a thread to look for the `ACC_CONTROL` equivalent CAN bus message in their Sienna and Rav4 Prime.](https://discord.com/channels/469524606043160576/1241808888282480730/1241809056100782141)
1179 |   * This is required for "Full longitudinal support" or openpilot actually being able to control gas and brake beyond only spamming auto-resume for automatic stop and go for stuff like slowdowns, experimental mode, or traffic lights.
1180 | * [Existing key dumping script did not work on 2024 Rav4 Prime. nandrews283 is now trying the brute force method and seeing if it would work. A new bootloader is seen and results have not. Unclear comments from willem.](https://discord.com/channels/469524606043160576/905950538816978974/1245899042395783248)
1181 | * [Greg and Willem recently spoke at a hardware security conference in Santa Clara, CA about their efforts. A recording is currently not available.](https://hardwear.io/usa-2024/speakers/willem-and-greg.php)
1182 | 
1183 | ### June 2024
1184 | 
1185 | * [The full support for TSK community bounty is canceled in favor of more focused bounties](https://www.reddit.com/r/Comma_ai/comments/1d5r7xr/state_of_toyota_security_key_secoc_and_community/)
1186 | * [$5k bounty is confirmed to be locked to Willem with the RAV4 Prime](https://github.com/commaai/openpilot/pull/32661#issuecomment-2156220468)
1187 | * [@nelsonjchen helps GON0822 try to dump the key off their 2022 Yaris Hybrid in Japan. GON0822's English isn't great and it's quite a struggle but GON0822 is preservering. Unfortunately, the key is not located at the same memory address as the RAV4/Sienna. Plans are made for a possible brute force trial though more Western users have not had much success.](https://discord.com/channels/469524606043160576/905950538816978974/1251451250331877426)
1188 | * [@nelsonjchen misremembers the Venza. Apparently it was bootloader version 2 unlike the RAV4 Prime and Sienna which came out in the same model year. GON0822's Yaris is actually the first bootloader v1 to fail to dump the key.](https://discord.com/channels/469524606043160576/905950538816978974/1252441668372664350)
1189 | * [According to thehui, the 2024 Sienna fails with the same error as the 2024 RAV4 Prime](https://discord.com/channels/469524606043160576/905950538816978974/1249192050096738315)
1190 | * [The key from GON0822's 2022 Yaris Hybrid is extracted with a brute-force method. However, dropping in the key into the rav4 prime branch doesn't work for unknown reasons with a forced fingerprint.](https://discord.com/channels/469524606043160576/1234274531691069502/1254322986970779660)
1191 | * [Fixing the key and using a firmware replaced branch doesn't work on GON0822's Yaris Hybrid. Request for assistance](https://discord.com/channels/469524606043160576/905950538816978974/1256508887146958848)
1192 | * [AleSato comes with with a bunch of suggestions and working latitude is now working on GON0822's Yaris Hybrid! It is the first radar controlled vehicle to work.](https://discord.com/channels/469524606043160576/905950538816978974/1256873861979574396)
1193 |    [C3 Gon　Yaris-enc.webm](https://github.com/commaai/openpilot/assets/5363/fb611502-0ecb-4555-ac5a-4ac442511d53)
1194 | * [Update from Willem on RAV4 Prime port upstreaming: "Regarding the Rav4 prime port, I've been quite busy lately."](https://discord.com/channels/469524606043160576/905950538816978974/1256568186568970263)
1195 | * [(Longitudinal Support on SecOC/TSK vehicles) Regarding the ACC message, if I remember correctly it's split up into the existing message and 0x177. They moved the actual acceleration command to 0x177 which has a SecOC MAC.](https://discord.com/channels/469524606043160576/905950538816978974/1256569386781904896)
1196 | 
1197 | ### July 2024
1198 | 
1199 | - [bravo_char has a nice discussion with Willem about SecOC ECUs and that the "Clearance Warning" assembly might be a non-complex ECU to attack for getting the key out. bravo_char is interested in attacking the Tundra Sonar Module as it is only $80 on eBay. Also, Willem says he got a Yaris GR radar, but it is BGA mounted so dumping it was never attempted. ](https://discord.com/channels/469524606043160576/905950538816978974/1263121042885443624)
1200 | - [anrum, a 2023 Rav4 Prime user, announces a porting effort of support to Frogpilot](https://discord.com/channels/469524606043160576/905950538816978974/1264322468160733335)
1201 |   - https://github.com/FrogAi/FrogPilot?tab=readme-ov-file#discord
1202 |   - https://discord.com/channels/1137853399715549214/1137905508217540699/1264113031365787700 (Frogpilot Discord)
1203 | - [Willem & Greg's talk on SecOC is posted. "Hardwear.io USA 2024 : My Car, My Keys: Obtaining CAN Bus SecOC Signing Keys - Willem & Greg"](https://www.youtube.com/watch?v=8958gH3KD3Y)
1204 | - [A discussion with Willem on why intercepting the key from a key updating process may be infeasible.](https://discord.com/channels/469524606043160576/905950538816978974/1265284524401754195)
1205 | - [anrum announces a successful port of the changes necessary for the 2021-2023 rav4 prime and 2021 sienna to frogpilot](https://discord.com/channels/469524606043160576/905950538816978974/1266255824263708694)
1206 |   - [Frogpilot Discord link version](https://discord.com/channels/1137853399715549214/1137905508217540699/1266255306921480202)
1207 | - [tranlocguy attempts separating out the sienna hybrid properly in a fork of anrum's frogpilot](https://discord.com/channels/469524606043160576/905950538816978974/1266663937978400809)
1208 | - [A small request to some 2022 Sienna owners to send and post firmware versions](https://discord.com/channels/469524606043160576/905950538816978974/1267338201769705503)
1209 | - [Some thoughts on part swapping very similar vehicles to rekey a vulnerable part instead, probably just wishful thinking](https://discord.com/channels/469524606043160576/905950538816978974/1267699386218053723)
1210 | - [European/Italian 2020 Yaris Hybrid's Key successfully dumped. Unfortunately, the C3X was buggy and needs to be returned. If it wasn't though, it might have worked...](https://discord.com/channels/469524606043160576/905950538816978974/1268704646365581372)
1211 | 
1212 | ### August 2024
1213 | 
1214 | - [A suggestion is made again to try to make a unified patch in a repo for TSK users.](https://discord.com/channels/469524606043160576/905950538816978974/1270120634139283577)
1215 | - [Willem, Greg, and Robbe wins the DEFCON Car Hacking Village CTF and with it, a Model 3. (X, formerly known as Twitter)](https://x.com/pd0wm/status/1823030161207349639)
1216 |   - `"We did it again!!! We got 1st place in the #defcon32 @CarHackVillage CTF. This year we won a Tesla Model 3, and the whole team has their own Black Badge now 😎. @gregjhogan @robbederks"`
1217 | - **META**: [GitHub discussions have been shuttered in favor of all discussion going on at Discord. ](https://discord.com/channels/469524606043160576/954493346250887168/1272595007060054048). Please link users to https://github.com/optskug/docs/ for the latest news/history from here on out. Unfortunately, there's no way to make old GitHub links redirect so this is the best that can be done. The old link, for reference is: https://github.com/commaai/openpilot/discussions/19932
1218 | - [gregjhogan clarifies what the first byte of a UDS firmware version is.](https://discord.com/channels/469524606043160576/905950538816978974/1273746993394487376) It's not a bootloader version?
1219 |   - "The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned."
1220 | 
1221 | ### September 2024
1222 | 
1223 | - [2023 Sienna confirmed to work](https://discord.com/channels/469524606043160576/905950538816978974/1281348878570094748)
1224 | - [there is some rough renewed interest in fork support such as frogpilot/sunnypilot]([https://discord.com/channels/1137853399715549214/1137905508217540699/1282936146526994534](https://discord.com/channels/469524606043160576/905950538816978974/1283091024406908938))
1225 | - [A small debate in openpilot Enthusiasts about the comma vote system (OPC). Would we have gotten this far without it?](https://discord.com/channels/771493367246094347/771493367779295304/1283867906937192459)
1226 | - [Willem shows up in #toyota-security](https://discord.com/channels/469524606043160576/905950538816978974/1283870093067161721)
1227 |   - Asks about TSS3 Toyota Corolla without TSK like the ones made in the USA in 2023. "If somebody makes that port work, I’ll see if I can spend some time on the HSM EPSes. It’s definitely possible to get lateral only on those by just nuking the SecOC checks on the power steering"
1228 |   - "If somebody wants to finish the rav4 prime port, feel free to take my code and reopen the PR"
1229 |   - "Probably best to start with the panda safety code. It’s all working now, but comma wanted it cleaned up with some config structs like the Chrysler code"
1230 |   - "I’m too busy with other projects to work on car ports"
1231 |   - "Happy to provide feedback"
1232 | -  [Renewed interest from newer driving models being available re-raises the question of merging in support for TSK vehicles into Frogpilot. anrum, the original first porter to Frogpilot reappears. Since the original port, there has sporadic been semi-one-off Sienna and Rav4 fingerprints but nothing unified or upstreamed and numerous disparent HEADs. (FP Discord)]()
1233 | -  [Work continues on the Frogpilot TSK support upstreaming.](https://discord.com/channels/1137853399715549214/1137905508217540699/1287467639559422023)
1234 | * comma Discord Sept 25 Developer Meeting notes
1235 |   * Jason Young (jyoung8607), a prominent non-comma.ai openpilot contributor and VW openpilot saint, is wanting to work on moving forward Willem's RAV4 Prime work to be rebased atop current comma openpilot with Willem's guidance (pd0wm) while he is visiting comma.ai's office in San Diego on vacation.
1236 |   * Approved goal by Adeeb is to have release comma openpilot be able to work with the RAV4 Prime *if* the key is provided by the user.
1237 |   * SecOC Key extraction is outside of the scope of this work though and will not be included. In other words, plug-and-play is not to be expected. The are open to seeing if/any UI or workflow might come from the community on this.
1238 | * Jason opens a new draft pull request superceding Willem's pull request: https://github.com/commaai/openpilot/pull/33654
1239 | * Produced a user group list of working vehicles and users on Jason's request: https://docs.google.com/spreadsheets/d/1sprUteWtCVH6nQ6JfsmX0liIJ58H4nAVWxtAdorfW4c/edit?gid=0#gid=0
1240 | * [A mainland China/PRC user with a PRC-built 2022 Sienna comes into the Frogpilot Discord. They are able to extract the key but for whatever reason, can't write "Params". Will followup with prescribed reset. User really only speaks Mandarin so the Frogpilot Discord Frogbot's thread auto-translation bot is used. (FP Discord)](https://discord.com/channels/1137853399715549214/1289252533654650952/1289401084640493641)
1241 |   * Note: They are also using a Mr. One C3 clone since comma doesn't appear to ship to China from their POV for whatever reason. This complicates debugging and upstreaming to comma's branch is impossible for their vehicle.
1242 |   * [Got it working with Mr One's C3 Clone! (FP Discord)](https://discord.com/channels/1137853399715549214/1289252533654650952/1289678233633165343)
1243 | * [Jason has a test branch out for users to try on a new openpilot base. Users may need to reinstall their key. He is looking for reports of successes and failures.](https://discord.com/channels/469524606043160576/905950538816978974/1290439760267186270)
1244 |   * "Ready for testers! I have a test branch for you (not the one in the PR) that forces the fingerprint to RAV4 Prime. This means it should work even if you have a Sienna, or a RAV4 Prime with a different fingerprint."
1245 |   * [gon0822 asks about Yaris Hybrid support. Yaris has a Continental Radar. Jason answers they might finish support for that as well this week.](https://discord.com/channels/469524606043160576/905950538816978974/1290457046910763073)
1246 | 
1247 | 
1248 | ### October 2024
1249 | 
1250 | * [share-and-enjoy mentions that Stop and Go is working on their hacked branch off of an old Willem's branch in April 2024. This is baffling as it is not supposed to be working. ACC/Automatic Cruise Control messages are supposed to be signed! HOW?](https://discord.com/channels/469524606043160576/905950538816978974/1291044591138766919)
1251 |   * Effort is spent to try to preserve and archive share-and-enjoy's very special and self-hacked copy as the git commit reported up to comma does not appear to have prerequsite or necessary changes.
1252 |   * [share-and-enjoy shares their dirty changes and some shocking/amazing discoveries are made](https://discord.com/channels/469524606043160576/905950538816978974/1291457526004453498)
1253 |     * "The only thing I can think of, it's possible you were extremely lucky with `openpilotLongitudinalControl` and managed to filter the old message which still has [Stop and Go] relevant control bits, and transparent passthrough the new SecOC message with the actual acceleration command."
1254 |     * ["LOL that's exactly what you managed to do" "You accidentally made partial long control work "](https://discord.com/channels/469524606043160576/905950538816978974/1291459549794140182)
1255 |     * [The changes are not slated to be merged in but they are at least documented for future follow up work.](https://discord.com/channels/469524606043160576/905950538816978974/1291466235082571877)
1256 |     * "Just FYI, yes incode was running the same SnG hack as me from tranlocquy. tranlocquy told me how to do it, and actually did it for incode."
1257 |     * **"Now, it does NOT stop at red lights or stop signs, but DOES auto-resume from stop with a lead car."**
1258 | * [(Longitudinal Support) Jason posts a PR to document the ACC command to the opendbc repo for SecOC/TSK vehicles. "Toyota: DBC message for SecOC longitudinal control #1337"](https://github.com/commaai/opendbc/pull/1337)
1259 | * [Jason restates the current merge goals and milestones, quoted below:](https://discord.com/channels/469524606043160576/905950538816978974/1291077896269467668)
1260 |   1. It won't be in dashcam mode, if there's a correctly saved SecOC key, it'll just work
1261 |   2. It will require a non-release branch, just like alpha openpilot longitudinal
1262 |   3. It won't appear in comma.ai/vehicles or CARS.md
1263 |   4. comma will not ship the key retrieval mechanism, you're on your own for that
1264 | * [Jason asks for a couple of test route data for automated safety as a prerequisite of getting comma panda (Vehicle Interface) changes relating to safety merged in.](https://discord.com/channels/469524606043160576/905950538816978974/1291215107547861105)
1265 |   * [GON0822 volunteers and we capture some with Frogpilot's AI Translation bot doing translation duties (FP Discord)](https://discord.com/channels/1137853399715549214/1291217403157413980)
1266 |   * ["For the stock routes, I've got what I need now"](https://discord.com/channels/469524606043160576/905950538816978974/1291456815527231581)
1267 | * The first of the RAV4 Prime support PRs is merged into the car support repository.
1268 |   * This was done on the first part of a live stream. There was cake. https://youtube.com/live/ayiIi5hxE38?feature=share
1269 |   * https://github.com/commaai/openpilot/pull/33654
1270 | * [While the RAV4 Prime fingerprint changes are being merged in, the Sienna Fingerprints are *not*. Another call for Sienna owners to provide their fingerprints.](https://discord.com/channels/469524606043160576/905950538816978974/1292480897441857536)
1271 | * [Sienna fingerprints / support are merged into opendbc, an openpilot dependency. Will naturally get into openpilot's master branch sooner than later.](https://discord.com/channels/469524606043160576/905950538816978974/1292898908460023901)
1272 | * [A small discussion about what happens to the code to support this in OP's release configuration. It won't work except on development branches such as master-ci/master and fails cleanly with a clear error.](https://discord.com/channels/469524606043160576/905950538816978974/1293017524270534656)
1273 | * [Some discussion about producing a key-dumping tool that can be run with the Custom Software input for dumping the key.](https://discord.com/channels/469524606043160576/905950538816978974/1293088853359460383)
1274 | * [The MY2025 ES300H is one of the few (only so far?) 2025 Lexus vehicles without SecOC/TSK apparently.](https://discord.com/channels/469524606043160576/524327905937850394/1294352198482001972)
1275 | * [Alexandre N. Sato, Brazil-SP adds to his own personal fork functionality to dump a SecOC key on a compatible vehicle assuming the vehicle is in the correct state. He does not have a SecOC vehicle and its functionality is purely speculative.](https://discord.com/channels/469524606043160576/905950538816978974/1295082300337553419)
1276 |   * [Confirmed working.](https://discord.com/channels/469524606043160576/905950538816978974/1330354854782308363)
1277 | * [Longitudinal control is brought up again. "all you people who say you can spell Python and Linux, go add a second copy of the ACC message packer and (for testing) an unconditional transmit allow in Panda for address 0x183 (decimal 387), high chance it'll Just Work" - Jason](https://discord.com/channels/469524606043160576/905950538816978974/1295793229228408923)
1278 | * [chrispypatt takes on that offer and gives it a try on their 2021 RAV4 Prime. They are able to successfully block the message but generating longitudinal ACC messages isn't working yet.](https://discord.com/channels/469524606043160576/905950538816978974/1296311472095494195)
1279 | * [chrispypatt gets longitudinal control working on their 2021 RAV4 Prime.](https://discord.com/channels/469524606043160576/905950538816978974/1296469627911667713)
1280 | 
1281 |   >  Ok so I changed the ACC_CONTROL_2’s ACCEL_CMD to match the ACC_CONTROL’s scaling in the dbc. I just manually edited it for now rather than figuring out how the generation works. I can throw my changes up to my fork tonight.
1282 |   >
1283 |   >  The good news is it worked 🎉🎉🎉! OP was clearly controlling long. It just doesn’t seem to be fully working. It seemed something was not quite right but I don’t have any experience with OP long so let me know if it is expected when on city streets. Acceleration seemed to not always work, even with no lead car, my rav would not always accelerate up to my set point. Many times I would have to accelerate manually up to the desired speed but then OP would be good about decelerating down for lead cars and stopping at stop lights.
1284 |   >
1285 |   >  I also noticed at clear and green light stop lights and when cars were a whole block in front of me OP would decelerate.
1286 |   >
1287 |   >  If I came to a complete stop I always had to hit the gas to get going again. Also rolling up to a red light there was some creep where the car would not come to a complete stop until many times I was in the cross walk.
1288 |   >
1289 |   >You can see some of these issues in the attached videos.
1290 | * [chrispypatt: "The biggest benefit I have seen is coming up on freeway traffic and cars stopped at stoplights deceleration is smooth. With TSS2 it would always wait till last minute and then just slam on the breaks"](https://discord.com/channels/469524606043160576/905950538816978974/1297571813970284627)
1291 | * [calvinspark had his Sienna repaired after his wife sideswipes it and the key apparently changed. He was able re-dump it though.](https://discord.com/channels/469524606043160576/524592892627517450/1299143839059021925)
1292 |   * [Willem: Every time a rekey operation is done the key changes. I think there is a sonar/parking sensor that has SecOC because it can press the brake when you’re backing up into something.](https://discord.com/channels/469524606043160576/524592892627517450/1299187790860517448)
1293 | 
1294 | ### November 2024
1295 | 
1296 | * [domsz06 and calvinspark are attempting to dump the key from a 2024 Prius. It's not expected to work but they want to try the memory brute force script.](https://discord.com/channels/469524606043160576/905950538816978974/1302185205251182663)
1297 |   * [They are running into issues even getting the firmware versions.](https://discord.com/channels/469524606043160576/905950538816978974/1307983214970667018)
1298 |   * [Willem - I think the key extract is timing out because of the car being CAN-FD. You need to change a line in the the panda FW to force it back into regular CAN mode for diagnostic communications. See the Bz4x Thread.](https://discord.com/channels/469524606043160576/905950538816978974/1308103144525267016)
1299 |     * Bz4X thread: https://discord.com/channels/469524606043160576/1226559486160801823
1300 | * [alesatobrazilsp and gon0822 determine that the Yaris Hybrid in Japan uses the same acceleration command seen in other Toyotas by looking in Cabana for the CAN BUS data. (FP Discord)](https://discord.com/channels/1137853399715549214/1291217403157413980/1302269836017008694)
1301 | * ["disable radar worked in the conti radar of the japanese Yaris (RADAR_ACC car)"](https://discord.com/channels/469524606043160576/524327905937850394/1305662760381714492)
1302 |   * [NOTE: This was not enough to let openpilot control ACC on the Yaris](https://discord.com/channels/469524606043160576/524327905937850394/1328186598344626178)
1303 | * [posts pictures of the camera internals for the 2024 Tacoma](https://discord.com/channels/469524606043160576/905950538816978974/1303932394776301589)
1304 | * [Jason - "Definitely technically possible to back port the work to openpilot 0.8.13.1" (last version of openpilot that supports the comma two and comma two class of devices.)](https://discord.com/channels/469524606043160576/905950538816978974/1304818543920939070)
1305 | * [Re: openpilot long on R4P and Sienna- Jason: "I don't remember and I'm not in a position to refresh myself right now" "But I haven’t had the time to get back to it to resolve the mutations issue or put more thought into the refactor" [of secOC Long]. The secOC Long support is getting a bit stale. ](https://discord.com/channels/469524606043160576/905950538816978974/1309380353261174847)
1306 | * [por_por.t helps determine on a trip that the EU 2024 RAV4 Hybrid has TSK from looking at the EU equivalent of TechInfo](https://discord.com/channels/469524606043160576/524327905937850394/1311431355564822630)
1307 | 
1308 | ### December 2024
1309 | 
1310 | * [Users are still working on porting openpilot long, at least to Frogpilot or their own forks/branches for now, in lieu of working tests.](https://discord.com/channels/469524606043160576/905950538816978974/1313523364975083621)
1311 | * [dstaley determines that the 2025 US RAV4, unlike the EU 2024 RAV4 Hybrid, does not have TSK from looking at TechInfo](https://discord.com/channels/469524606043160576/524327905937850394/1314137491711856680)
1312 | * [Ale and GON0822 continue work on Yaris Latitude upstreaming (FP Discord)](https://discord.com/channels/1137853399715549214/1291217403157413980/1316946374205505638)
1313 |   * https://github.com/commaai/opendbc/pull/1578
1314 | * [shiver32 confirms that the 2024-2025 Model Year IS 500 does not have ECU Security Key. A lot of interested IS users come on and don't do things but shiver32 pulled through.](https://discord.com/channels/469524606043160576/524327905937850394/1318361110558281728)
1315 | * [calvinspark is trying to make a GUI dumping and restoration tool for the key.](https://discord.com/channels/469524606043160576/905950538816978974/1321643758600851506)
1316 | 
1317 | ### January 2025
1318 | 
1319 | * [calvinspark is talking with sunnypilot developers about his GUI dumping and restoration tool along with integration opportunies and concern. As the sunnypilot fork is one that continuously and properly keeps up with comma's codebase much more frequently than frogpilot, sunnypilot has inherited compatibility and with that, some focus on making the UX for TSK/SecOC users is of great interest. (SP Discord)](https://discord.com/channels/880416502577266699/1326432461298860042)
1320 | * [sunnyharbin makes a dedicated channel for the quirks and features needed for sunnypilot support of TSK/SecOC Toyotas (SP Discord)](https://discord.com/channels/880416502577266699/1326834259096371211)
1321 | * [satireshepherd was looking for the DBC for a 2024 Corolla or similar. They are the first not ex-comma or comma staff but a community member to have looked at the CANFD traffic on a 2024 Corolla. They are using a comma adapter, but on a Raspberry Pi and CAN-FD shield. Unfortunately, they are the first so there's no precedent and just first mover problems ahead but just noting this here for the log.](https://discord.com/channels/469524606043160576/905950538816978974/1328554540534071306)
1322 | * [calvinspark creates `optskug/tskm`, a pre-installation GUI extraction/restoration tool for the SecOC key. He is campaigning to have it in various forks and comma openpilot.](https://discord.com/channels/469524606043160576/905950538816978974/1328979290267717673)
1323 |   * [The guide is updated to use this manager](https://discord.com/channels/469524606043160576/905950538816978974/1329505463351382056)
1324 | * [The keyboard integration suggestion for SecOC into comma openpilot is rejected.](https://github.com/commaai/openpilot/issues/34392)
1325 | * [After some discussion, the `/cache` is identified as a place to store the key. It is looking good that comma openpilot may accept the process of restoring the key from this location as a proposal. While a "third-party" non-comma key extractor must still be run, this is a major good QOL change.](https://discord.com/channels/469524606043160576/524594418628558878/1329867134721065011)
1326 |   * [The pull request for this change was accepted](https://github.com/commaai/openpilot/pull/34401)
1327 | * [crispypatt is continuing to develop longitudinal support and just recently rebased and worked on safety. (SP Discord)](https://discord.com/channels/880416502577266699/1326834259096371211/1329893800658731160)
1328 | * [calvinspark notices the shop page for comma votes has been taken down. There has been no statement from comma. Perhaps the inclusion of the Sienna and RAV4 Prime qualified?](https://discord.com/channels/469524606043160576/905950538816978974/1330048270407434300)
1329 | * [satireshepherd is able to dump the memory on their 2024 Corolla's EPS.](https://discord.com/channels/469524606043160576/905950538816978974/1330440541703241789)
1330 | * [A discussion breaks out about the status of OP longitudinal control and radar parsing on TSK vehicles.](https://discord.com/channels/469524606043160576/1331823208424542330)
1331 | * [.lx93: "I just bought a 2021 GR Yaris and am interested in getting my c3 to work with it. i see https://github.com/optskug/docs?tab=readme-ov-file#-may-be-possible-to-hack-but-hasnt-been-tried its possible but no one has done it yet. i will report back once i get my toyota harness to mess around"](https://discord.com/channels/469524606043160576/905950538816978974/1332610193443520522)
1332 | * [Satire_Shepherd: "A quick update so you guys know I havent given up, I couldnt find an eps on its own but I did find a 2023 Japan Corolla steering column that also goes back to the 2019 corolla, I just wanted something with secoc but not too new, I'm hoping to have some progress soon. If I have some good progress ill see if I can register to the comma hack 5 since I live in the San Diego area."](https://discord.com/channels/469524606043160576/905950538816978974/1334700988539469894)
1333 |   * There is some confusion that a SecOC vehicle (2023-2024 Corolla) shares the same **EPS** part number as a non-SecOC vehicle (2019-2022 Corolla). A theory is brought up that SecOC security only goes up to the "multiplexer" and that traffic after it may be unsecured. This is a theory and no direct observations have been made yet.
1334 | * [A third GR Yaris shows up in the Discord and some discussion is had about dumping happening from the dataflash vs the RAM.](https://discord.com/channels/469524606043160576/905950538816978974/1335710649702940835)
1335 | * [Yaris Pull request was reverted as easily it had went in due to test route lacking](https://github.com/commaai/opendbc/pull/1653)
1336 |   * ["I will open a new PR. We need the same route with the same curves at the same speed to improve lateral control by torque to be at least equal to PID." - Ale](https://discord.com/channels/1137853399715549214/1291217403157413980/1333110387960447070)
1337 | 
1338 | ### February 2025
1339 | 
1340 | * ["why don't you just wrap the installer? why does the fork even need to know about TSK extraction?". An idea or proposal is made for the community to wrap an installer with an extractor that extracts the key first and then automatically continues installation of a compatible openpilot version for TSK/SecOC.](https://discord.com/channels/469524606043160576/954493346250887168/1336842625373962301)
1341 | * ["I think the sweet spot branch for upstream TSK users is `nightly-dev`". A better branch of comma openpilot for initial install is discussed.](https://discord.com/channels/469524606043160576/905950538816978974/1336748446295654410)
1342 |   * This change was eventually merged into the guide. https://github.com/optskug/docs/pull/28
1343 | * 2401_penitenttangent: "A couple of bZ4X/Soltera owners are looking at replicating Willem's work on an EPS from a bZ4X. The payloads Willem provided work for code execution, but the brute force script was not able to find a key in the RAM dump. They are hoping that by reverse engineering the full firmware we may gain a better understanding of how/where the key is stored.
1344 | 
1345 |   We also determined that the pinout for the Toyota B harness is incorrect for our cars. The CAN busses are flipped so the relay ends up on bus 1 instead of bus 0/2. Once the busses are flipped we are able to see the different ECUs and interact with the EPS ECU. I have a feeling the same may be true for all of the TSS3.0 vehicles."
1346 |   * https://discord.com/channels/469524606043160576/905950538816978974/1338908891148193903
1347 | * [martinolium shows up with a 2023 US Corolla, a specific year and model with TSS3 and with no (?) TSK. Does not have a device, but some discussion is conducted on some preparations.](https://discord.com/channels/469524606043160576/905950538816978974/1340558302945214516)
1348 | * [martinolium: I'll be back here if I get a raise in the next 4 months](https://discord.com/channels/469524606043160576/905950538816978974/1340874369378811934)
1349 | * [mehrab.shakil comes on and asks for help with a Yaris Cross Hybrid but never responded.](https://discord.com/channels/469524606043160576/905950538816978974/1345161761548013609)
1350 | * [lx93 proceeds with getting an A harness for Yaris GR port(FP Discord)](https://discord.com/channels/1137853399715549214/1291217403157413980/1342905714213130322)
1351 | 
1352 | ### March 2025
1353 | 
1354 | * [Satopilot removed on request from author from listing due to support load.](https://discord.com/channels/469524606043160576/905950538816978974/1350253438210019359)
1355 | * [gako_41825 reports that they were able to get a key dump on an early 2024 Canadian-spec 2024 Sienna. This is in contrast to earlier failures on other 2024 Siennas.](https://discord.com/channels/469524606043160576/905950538816978974/1350659380592513142)
1356 | * [warren.2: "I copied TOYOTA_RAV4_TSS2_2022.json to TOYOTA_RAV4_PRIME.json then committed it to a local git branch. Now Developer menu NNLC says Exact match. Subjectively lat is smoother now. I think that means it's working."  (SP Discord)](https://discord.com/channels/880416502577266699/1118704399850680522/1351567921414934661)
1357 |   * The NNLC stuff works for the RAV4 Prime EPS where available. It is similar to the 2020-2021 RAV4 except for the whole security key thing.
1358 | * [Sunnypilot declares it is open to accepting chrispypatt's longitudinal control work in advance of the pull request being merged or accepted upstream in comma openpilot/opendbc.](https://discord.com/channels/469524606043160576/905950538816978974/1352300164143911024)
1359 | 
1360 | * ["checking with @Woosa 's 💸 on request. the 2022 and 2023 mirai do not have ⁠toyota-security and the 2024+ still do.](https://discord.com/channels/469524606043160576/905950538816978974/1352472975944974427)
1361 | * [Some more precise information is recorded for the possible working early MY2024 workings](https://discord.com/channels/469524606043160576/905950538816978974/1352687298885713940)
1362 | * [2023 Lexus RC is confirmed to not have TSK. A small discussion results in a section on TSK-less but not in comma's supported vehicle list being added to this document.](https://discord.com/channels/469524606043160576/905950538816978974/1355162109620785163)
1363 | * [heitikender posts 1000 EUR bounty for 2023 RX on Konik.ai Discord (KA)](https://discord.com/channels/1110987393990922322/1355531073353678950/1355531073353678950)
1364 | * warren.2 - " https://www.renesas.com/en/products/microcontrollers-microprocessors/rh850-automotive-mcus/rh850p1m-e-high-end-automotive-microcontrollers-electronic-power-steering-systems#documents https://www.renesas.com/en/document/eln/end-life-notice-saf-b-24-0011?r=1054236 Add to notes ... the Renesas RH850/P1M-E is the same across both working and not-working cars. [The non-working cars still have working payload execution so there is some hope of figuring something out. But see the End of Life document. That gives us a clue as to when the cut-off will be when models move away from this part to something totally unknown.](https://discord.com/channels/469524606043160576/905950538816978974/1356487039025021032)"
1365 | 
1366 | ### April 2025
1367 | 
1368 | * [Yaris support re-merged in from Ale working with GON0822](https://github.com/commaai/opendbc/pull/1668)
1369 | * ["Thanks to @GON0822, "Toyota Security Keyed" vehicles have been confirmed to work in FrogPilot!" - frogsgomoo
1370 |  (FP)](https://discord.com/channels/1137853399715549214/1137905508217540699/1359246607069220926)
1371 |   * This includes the Yaris Hybrid in Japan which at the moment, upstream comma openpilot had removed support for.
1372 | * [ir0nbyte is able to dump a key from a donated lemon French 2019 Yaris Hybrid MX. It is for academic purposes and not for personal or daily use. This is the 3rd Yaris Hybrid whose key has been dumped.](https://discord.com/channels/469524606043160576/905950538816978974/1359481937449975990)
1373 | * [Gako, who earlier was able to dump the key from their early 2024 Sienna, is unable to use the dumped key with OP after dumping it with two different methods. There's some weird CAN Bus error that needs to be looked into.](https://discord.com/channels/469524606043160576/905950538816978974/1359696972877135974)
1374 |   * [Error was due to frogpilot implementation issues currently being cleared up. (FP)](https://discord.com/channels/1137853399715549214/1137905508217540699/1359768523408408697)
1375 | * [.lx93 comes back with their GR Yaris attempt. (FP)](https://discord.com/channels/1137853399715549214/1291217403157413980/1360462532418212042)
1376 |   * Able to dump the SecOC key with the dataflash method just like a Yaris Hybrid. Sienna and RAV4 Prime dump does not work.
1377 |   * FrogPilot with the vehicle set to the Yaris does not work. Lots of `GEAR_PACKET_HYBRID` errors which makes sense since this is a ICE 6MT.
1378 |   * WIP
1379 | * [.lx93 is able to get their GR Yaris working. As it is a manual transmission, some changes had to be made and there's some desire and requests for comments of upstreaming. (FP Discord)](https://discord.com/channels/1137853399715549214/1291217403157413980/1360861569495466044)
1380 |   * [Some followup in #toyota-security](https://discord.com/channels/469524606043160576/905950538816978974/1361021966244646992)
1381 | * [SecOC long merged into Sunnypilot](https://github.com/sunnypilot/opendbc/pull/93)
1382 |   * [This means you will have longitudinal control in `master-new` and `staging-c3-new`.](https://discord.com/channels/469524606043160576/905950538816978974/1361435824960311448)
1383 |   * reverted soon after: https://github.com/sunnypilot/opendbc/pull/125
1384 |   * and unreverted soon after again!
1385 | * [drumstyx. tries their hand at tackling the Toyota Crown with B harness. Has some issues getting FW version, advised to talk to Bz4x/Solterra people. "aha, good to note. Don't suppose there's anyone working on the Crown...as far as I can tell, this would be the first recorded effort at a crown"](https://discord.com/channels/469524606043160576/905950538816978974/1361689361556443177)
1386 | * [jamalbrown - "Hey all, does anyone have any CAN recordings of firmware updates for Toyota Instrument Clusters? Specifically 2018+ Models with RH850s are what I'm looking for the most.", "I've followed this and have successfully reversed the majority of the firmware update procedure. I'm now just having trouble with getting code execution for my uploaded code to change the language." (CHV)](https://discord.com/channels/717022042313982033/717022042313982036/1363514703632142356)
1387 |   * Ooh, someone else is also dumping the firmware from Toyota ECUs?
1388 | 
1389 | ### May 2025
1390 | 
1391 | * [heitikender's Lexus RX 2023 bounty raised to 2000 EUR](https://discord.com/channels/469524606043160576/1310778132478955540/1367854050103529524)
1392 |   * [Later raised to 3000 EUR](https://discord.com/channels/469524606043160576/905950538816978974/1368164880489775185)
1393 | * [heitikender and PenitentTangent are able to get the current exploit for code execution on the 2023 RX but no key is dumped](https://discord.com/channels/469524606043160576/905950538816978974/1367923937723289742)
1394 | * [RAV4 Prime News: TOYOTA_RAV4_PRIME.json NNLC model gen 1 merged into sunnypilot](https://discord.com/channels/469524606043160576/905950538816978974/1369157071865647125)
1395 |   * https://github.com/sunnypilot/sunnypilot/pull/850
1396 | * [1000 USD added to Lexus RX 2023 bounty](https://discord.com/channels/469524606043160576/1310778132478955540/1369157071865647125)
1397 | * [geohot comments on CAN BUS encryption/validation in general](https://www.reddit.com/r/Comma_ai/comments/1kpuvbx/comment/mt26nzn/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)
1398 |   * "Our mission is to solve self driving cars. Aka design software capable of driving a car better than a human. There's plenty of cars that are controllable enough for what we are doing. We don't really care about the encrypted ones. If they all get encrypted, we'll just buy used cars and so can you."
1399 |   * "The truth about the whole encryption thing is that it's not even on our priority list, and every time I see more FUD about it I push it even lower."
1400 | 
1401 | ### June 2025
1402 | 
1403 | * [More comments from geohot](https://www.reddit.com/r/Comma_ai/comments/1l271c2/comment/mvsoj94/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)
1404 |   * "Our mission is solving self driving cars, improving the models and the software. That's where we are focusing the full resources of the team, we just don't care that much about encryption. To comma the AI and driving quality is the interesting problem, the security isn't. Buy a different car, or break the encryption yourself (you have all the tools)."
1405 | * [hl.elias_44035 is unable to get their Sienna in the PRC working. It was made in December 2022 and is likely a 2023 model.](https://discord.com/channels/469524606043160576/905950538816978974/1379612874942709780)
1406 | 
1407 | ---
1408 | 
1409 | [^1]: This is an image of the CAN BUS traffic on a RAV4 Prime. The "checksum" for the Lane Keep Assist messages are now very high in entropy, indicative of some sort of signing or encryption being used.
1410 | 
1411 | [^2]: As a shameless plug, do you like those real-time updating embedded values from the Google Spreadsheet up there for the bounty and vote tracker? I made [cellshield.info](https://cellshield.info) for that and other non-security key related uses. Check it out and let me know outside of this discussion if you have any comments!
1412 | 
1413 | [^3]: Speculated from TechInfo lookup. TechInfo lookup is looking at Toyota's Techinfo site (payment required, minimum ~$25) and seeing if replacing the "Object recognition camera" / "Forward recognition camera" requires an ECU Security Key update. https://discord.com/channels/469524606043160576/524327905937850394/894262224552624228
1414 | 
1415 | [^4]: gregjhogan stated that the first byte of a UDS firmware version is not a bootloader version. https://discord.com/channels/469524606043160576/905950538816978974/1273746993394487376
1416 |     > The first byte returned when reading the firmware versions using UDS read data by id isn't part of the version number, it is how many applications are running on the ECU (for example if it has two cores, there may be a separate application running on each core) and it tells you how many you can extract from the rest of the data returned.
1417 | 


--------------------------------------------------------------------------------
/archive/auth_not_enc.md:
--------------------------------------------------------------------------------
 1 | # 🚨 It is data authentication, and encryption *isn't* used to hide the data. We can see the messages used to control latitude! We just can't make new ones.
 2 | 
 3 | ---
 4 | You've got a message you want to send to Bob. In the old cars, Bob didn't know who was sending him letters to his inbox, so he would blindly read anything you sent him.  Now Bob is getting suspicious of people that aren't his co-workers to be sending him messages. He gives all his coworkers a red stamp with a roll of numbers on it. Every time a coworker sends a message, they change the stamp to a new code position, then stamp the envelope with the code. Bob knows what the next code should be. We are trying to send Bob messages without the special stamp, so Bob knows to ignore our letters.
 5 | If we go through bobs inbox, we know he's getting the same letters. He also knows we're sending the same letters, but as long as that envelope isn't stamped, you can't get anywhere.
 6 | 
 7 | --- Thinkpad4by3#7568 on Discord
 8 | 
 9 | https://discord.com/channels/469524606043160576/905950538816978974/1012390757832855553
10 | 
11 | nelson note: this isn't the best analogy, but it gets across the point that the message is readable, but we can't notarize it. 


--------------------------------------------------------------------------------
/archive/can_bus.md:
--------------------------------------------------------------------------------
 1 | # What I've observed about ECU Security Key
 2 | 
 3 | I'm not great at reverse-engineering, but this is what *I've* seen.
 4 | 
 5 | **dec 2023 note**: web cabana has since been removed. you'll need to use desktop qt cabana now.
 6 | 
 7 | You can get here by going to Comma Connect, clicking on a drive, uploading all log files, and selecting "View in Cabana" after the files are uploaded:
 8 | 
 9 | <img width="471" alt="image" src="https://user-images.githubusercontent.com/5363/206864999-05da8720-a724-4316-a9b0-c0fab534935d.png">
10 | 
11 | Once in Cabana, click `Load DBC` and select `toyota_nodsu_pt_generated.dbc`. Filter the messages for `STEERING_LKA`. Click on one of the STEERING_LKA messages and change the message size to 8. If you see extremely high-entropy and random bytes on the last 4 bytes, then the vehicle likely has Toyota Security Key.
12 | 
13 | -----
14 | 
15 | ![](https://user-images.githubusercontent.com/5363/91650158-ed5f5880-ea30-11ea-9b07-6e3dca7f8f83.gif)
16 | 
17 | * Bus 128 is like what OP would love to be sending. That is the old Toyota checksum scheme. It's a rather low FPS GIF with a rather low period but imagine the checksum being obviously steadily increasing due to the counter part of the message also steadily increasing but everything else pinned to `0x00`.
18 | * Bus 2 is what we're seeing and that's from the camera right? The last four bytes are super high entropy looking.
19 | * Bus 0: 🤷‍♂️, but I am also not sure if it matters.
20 | 
21 | -----
22 | 
23 | * No existing checksum algorithms were working.
24 | * There is a 4 byte authentication code on the CAN message instead of the simple 1 byte checksum of past Toyotas.
25 | * The same inputs result in different "checksum"/authentication code outputs.
26 | * The messages are different between ignitions.
27 | * The messages are different between vehicles.
28 | 


--------------------------------------------------------------------------------
/archive/dump_milestone.md:
--------------------------------------------------------------------------------
 1 | The criteria has been met. Please get in contact with me if you haven't to pool the bounty.
 2 | ---
 3 | ### Criteria for Firmware Dump milestone
 4 | 
 5 | These are my criteria; others may have different criteria. If the goal is claimed to be met and also meets my criteria, I, @nelsonjchen, will try to convince the other bounty offers for the firmware dump milestone to align their criteria with mine and fulfill their pledge.
 6 | 
 7 | 1. Enough instructions to be reproduced by someone else
 8 | 2. Video/Pictures of loading the dump into a disassembler and showing that it loads and showing some strings in the dump that are obviously from a relevant Toyota ECU Security'd ECU and coherently disassembled machine instructions.
 9 | 3. The firmware must be from a Toyota ECU that has ECU Security Key.
10 | 
11 | A good example of "Enough instructions" and "Videos/Pictures" would be these blog posts regarding hacking/dumping a VW Golf Power Steering ECU: https://blog.willemmelching.nl/carhacking/2022/01/02/vw-part1/
12 | 
13 | Reverse engineering the security system is not needed. Please don't openly share the copyrighted firmware. The amount of sharing with the second criteria should be just enough with fair use to show that the firmware dump has been accomplished and that it can be reproduced.
14 | 
15 | Also, if the system is cracked without the firmware dump, consider this firmware dump milestone met too.
16 | 
17 | ---
18 | 
19 | The criteria appears to have been met.
20 | 
21 | https://blog.willemmelching.nl/carhacking/2022/11/08/rh850-glitch/
22 | 
23 | I'm going to start to try to collect and gather the bounty.


--------------------------------------------------------------------------------
/archive/rav4_prime_replace_rack.md:
--------------------------------------------------------------------------------
1 | Probably too much, just here for the record.
2 | 
3 | ![techinfo toyota com_t3Portal_document_rm_RM36E0U_xhtml_RM100000001P2DN html_sisuffix=ff locale=en siid=1742577679283](https://github.com/user-attachments/assets/1c5d521d-b5ff-45ce-b4e5-d66b752f7125)
4 | 


--------------------------------------------------------------------------------
/archive/sienna_replace_rack.md:
--------------------------------------------------------------------------------
1 | Probably too much for most people, but if one is wondering...
2 | 
3 | ![techinfo toyota com_t3Portal_document_rm_RM36H0U_xhtml_RM100000001PD9G html_sisuffix=ff locale=en siid=1742577343404](https://github.com/user-attachments/assets/6ad95bb5-97d7-4444-b0da-c4133275f83e)
4 | 


--------------------------------------------------------------------------------
/img/v2.nrtd1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v2.nrtd1.jpg


--------------------------------------------------------------------------------
/img/v2.nrtd2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v2.nrtd2.jpg


--------------------------------------------------------------------------------
/img/v2.settings-keyboard.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v2.settings-keyboard.jpg


--------------------------------------------------------------------------------
/img/v3.calibrate.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.calibrate.jpg


--------------------------------------------------------------------------------
/img/v3.ext-known.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.ext-known.jpg


--------------------------------------------------------------------------------
/img/v3.ext-success.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.ext-success.jpg


--------------------------------------------------------------------------------
/img/v3.ext-unknown.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.ext-unknown.jpg


--------------------------------------------------------------------------------
/img/v3.tsk-keyboard.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.tsk-keyboard.jpg


--------------------------------------------------------------------------------
/img/v3.tsk-manager.home.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.tsk-manager.home.jpg


--------------------------------------------------------------------------------
/img/v3.tsk-manager.incar.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v3.tsk-manager.incar.jpg


--------------------------------------------------------------------------------
/img/v4.install.1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v4.install.1.jpg


--------------------------------------------------------------------------------
/img/v4.install.2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v4.install.2.jpg


--------------------------------------------------------------------------------
/img/v4.reboot.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/optskug/docs/3b94738e78c77383fce622f9010798d6852b2172/img/v4.reboot.jpg


--------------------------------------------------------------------------------