
Docs

🔐 Documentation/News/History/Guide on openpilot with Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC


openpilot/etc. on Toyota/Lexus/Subaru with TSK/ECU SECURITY KEY/SecOC

Toyota's Sword in Rock situation (that has been pulled out quite a bit by Willem and Greg!)

The comma.ai Discord isn't really a good place to store answers or guidance to questions about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot. Discord's search is terrible, and the content inside of it isn't accessible to search engines. This is an attempt to document some of the discussion and information about the situation with Toyota's TSK/ECU Security Key/SecOC and openpilot in a more accessible way.

[!TIP] This document is a bit long, so you may want to put its URL into your 🤖 AI assistant of choice and ask it questions about the contents. Ask DeepWiki is a good choice for querying with citations and references. Note that DeepWiki may lag behind the latest copy of the document by a week.

https://deepwiki.com/optskug/docs

You are encouraged to share DeepWiki conversation links in Discord if you aren't sure it is interpreting this document correctly or if you have follow-up questions that it can't handle.

Of course, other AI assistants such as ChatGPT, Claude, or Gemini can also be used once you pass them the URL of this repository: https://github.com/optskug/docs


Background

tl;dr: Toyota started to use cryptographic signatures to block openpilot (and other hacks). Some smart people in the industry hacked the signatures for some cars, but not all cars. Nobody is known to be working on the issue at the moment.

To control steering (lateral control), openpilot needs to be able to man-in-the-middle the steering control messages used by the lane keep assist system. It blocks the original steering control messages and replaces them with its own. The lateral control messages originally come from the forward-facing camera, known in Toyota vehicles as the "Forward Recognition Camera" or "Object Recognition Camera", which is responsible for lane keep assist.

Some new Toyotas have a STEERING_LKA-ish message, and more, that now carry an "authentication code" appended to the end. The algorithm and security system behind this "authentication code" is somewhat known for certain vehicles, but it requires a key that is unique to each vehicle, which has to be extracted or smuggled out of the vehicle (https://icanhack.nl/blog/secoc-key-extraction/). With what is currently known, not all vehicles can have their keys extracted. Without the key for a given vehicle, third parties like comma and users cannot control that vehicle. Vehicles that have had their keys smuggled out are currently working with openpilot.
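Why the per-vehicle key matters, from the receiving ECU's side, as an added sketch that is not code from this repository, openpilot or Toyota: HMAC-SHA-256 stands in for the vehicle's real MAC algorithm, and the frame layout, tag length, counter handling, message ID and keys are all assumptions made up for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # truncated tag length in bytes (assumed for this sketch)

def make_tag(key: bytes, msg_id: int, payload: bytes, counter: int) -> bytes:
    """Truncated MAC over message ID, freshness counter and payload."""
    data = struct.pack(">HI", msg_id, counter) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def build_frame(key: bytes, msg_id: int, payload: bytes, counter: int) -> bytes:
    """Sender side: payload || low counter byte || truncated tag."""
    return payload + bytes([counter & 0xFF]) + make_tag(key, msg_id, payload, counter)

class Receiver:
    """Receiving ECU: holds the per-vehicle key and the last accepted counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, msg_id: int, frame: bytes) -> bool:
        payload, ctr_low, tag = frame[:-MAC_LEN - 1], frame[-MAC_LEN - 1], frame[-MAC_LEN:]
        # Rebuild the full counter: smallest value above last_counter with these low bits.
        counter = (self.last_counter & ~0xFF) | ctr_low
        if counter <= self.last_counter:
            counter += 0x100
        expected = make_tag(self.key, msg_id, payload, counter)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key, altered payload, or stale counter
        self.last_counter = counter
        return True

def demo() -> dict:
    vehicle_key = bytes(range(16))            # constructed per-vehicle key
    ecu = Receiver(vehicle_key)
    msg_id, payload = 0x123, b"\x01\x02\x03"  # constructed ID and payload
    good = build_frame(vehicle_key, msg_id, payload, 1)
    tampered = bytes([good[0] ^ 0xFF]) + good[1:]
    return {
        "tampered": ecu.accept(msg_id, tampered),
        # A sender that does not hold this vehicle's key (constructed all-zero key).
        "wrong_key": ecu.accept(msg_id, build_frame(bytes(16), msg_id, payload, 1)),
        "genuine": ecu.accept(msg_id, good),
        "replayed": ecu.accept(msg_id, good),
        "next": ecu.accept(msg_id, build_frame(vehicle_key, msg_id, payload, 2)),
    }
```

Only frames tagged with the receiver's own key and a fresh counter are accepted, which is why a replacement steering message is rejected on these vehicles unless its sender holds that vehicle's key.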

At the moment, nobody is known to be working on the issue beyond what was done by Willem and Greg. Newer vehicles other than the ones on this list are not known to be working with the existing exploits discovered and built by them to dump their keys.

There has been some early research on firmware modification to disable the security system, but it is not known whether this is possible. There have been no updates since July 2025.

[!NOTE] Toyota is not alone in implementing encrypted CAN bus systems to block ADAS additions. For example, Ford has been rolling out their Trusted Realtime Operating Network (TRON) on CANFD vehicles starting with the 2023 Superduty. You can check the Confirmed TRON Status List on Blue Pilot for more details on affected Ford vehicles that are likewise currently incompatible with openpilot.

Unresolved Mysteries

The following is not comprehensive.

  • The exact details of how Toyota's tools communicate with the vehicle and their servers, and of how the key is updated for multiple ECUs, are still not fully known or experimented with. A high-level overview of the process is known, but not the exact details.
    • Could a simulated extraneous "blank" vulnerable ECU be tacked onto the communication with Toyota to extract the key?
    • There's something with Master ECUs and Slave ECUs here.
  • The 2023 US made ICE Corolla (VIN starts with 5) is a TSS 3.0 vehicle that does not appear to have ECU Security Key or SecOC steps when replacing the forward camera. No one has come by to show what TSS3 without TSK looks like. One person has come by but they don't have that much time and ... that's it? Just one person, how weird.
  • What might a firmware mod approach look like? Is it possible to flash a custom firmware that disables SecOC?

Cars

🟢 Successfully running openpilot

These cars can run openpilot but are not listed on https://comma.ai/vehicles#toyota or CARS.md because comma.ai (the company) understandably doesn't want to own the security key hacking process.

If it is on https://comma.ai/vehicles#toyota, then it's not in question and is supported by comma.ai for openpilot. At the moment, all harnesses for pre-existing and non-TSK/SecOC supported Toyota vehicles are Toyota Harness A and can be used with TSK/SecOC supported vehicles.

Follow the Setup Guide below and you'll have it working.

  • 2021-2023 RAV4 Prime/PHEV aka. Plug-in Hybrid
    • All Trims supported
    • For non-Prime/PHEV RAV4s (e.g. various ICE trims, Hybrid trims, etc.) in the US, please refer to comma's supported vehicle list
    • Toyota Harness A
    • Early 2024 MY situation like Early 2024 MY Sienna unknown.
    • The compatibility status of the RAV4 Hybrid or RAV4 ICE is not relevant to the Prime/PHEV. They're different vehicles.
  • 2021-2023 Sienna Hybrid (US-made), 2021-2022 Sienna Hybrid (Mainland China-made)
    • All Trims supported
    • VINs starting with 5 are US-made. VINs starting with L are Mainland China-made. We are not aware of Siennas made in any other regions.
    • Toyota Harness A
    • Not applicable to 2023+ Sienna (Mainland China-made)
    • Early 2024 MY (Built in 09/23 to 11/23 according to sticker) might work? Currently too few data points to determine cutoff https://discord.com/channels/469524606043160576/905950538816978974/1350659380592513142
  • 2020-2022 Yaris Hybrid (EUDM/JDM/MXDM)
    • All Trims supported
    • Toyota Harness A
    • Dataflash dump hack works as the key is not in the same address as RAV4 Prime in program memory
    • Brute force efforts to find key location successful on both European and Japanese Yaris Hybrid. European user eventually gave up full installation due to unrelated C3 malfunction.
    • https://github.com/I-CAN-hack/secoc/pull/4 - brute force dataflash dump approach
    • First Continental Radar + Camera setup to get going, and thus the first radar-controlled ACC vehicle done. This does not mean longitudinal is controlled by openpilot, though.
      • Experimental work in disabling the radar has shown this is not enough to let openpilot control longitudinal.
    • Not sold in the USA, but is in Australia, Japan, and Europe
    • Only one guy using it in Japan and one guy in Poland, unfortunately. Help increase the population!
  • 2021 GR Yaris (EUDM