Login

u/omarela

▲ 4 r/Comma_ai

It's unlikely comma.ai will "crack" Toyota TSS 3.0+ encryption at scale, and they've effectively deprioritized modern Toyotas. The problem isn't a single encryption cipher to break — it's a hardware-backed security architecture (HSM-protected keys) that makes per-vehicle extraction economically and technically infeasible for a consumer hardware company.
What's Actually Happening (The Technical Reality)
SecOC Is Not "Encryption" — It's Message Authentication
Toyota's implementation uses AUTOSAR SecOC (Secure Onboard Communication), which appends a Message Authentication Code (MAC) to CAN bus messages. This isn't encrypted data you can decrypt — it's a cryptographic signature that proves the message came from an authorized ECU. Without the per-vehicle AES key, comma's devices can listen but can't send valid control commands.
The 2020-2021 Exploit Window Has Closed
Security researchers Willem Melching (former head of openpilot at comma.ai) and Greg Hogan successfully extracted keys from early SecOC vehicles like the 2021 RAV4 Prime by:

  1. Using voltage fault injection to bypass the locked debug port on the power steering ECU
  2. Reverse-engineering the bootloader to upload shellcode
  3. Extracting keys from RAM (since these early ECUs did AES in software, not hardware)
    The critical finding from their research: By 2022+, Toyota began phasing in Hardware Security Modules (HSMs) within the microcontrollers. The keys are no longer in RAM — they're locked in silicon that won't export them, even with code execution.
    What This Means for Newer Vehicles
    From Melching's own analysis on a 2023 Corolla Cross (which still had a vulnerable bootloader):
    • They could still achieve code execution
    • The ECU had started using the HSM for AES operations
    • Keys could not be extracted from memory
    • In theory, you could turn the ECU into a "signing oracle" (keeping it connected and asking it to sign messages), but this isn't practical for a consumer product
    The optskug community documentation (the definitive tracking resource) confirms: "Nobody is known to be working on the issue at the moment."
    ----
    The Vehicles Affected
    Working (key extraction possible):
    • 2021 RAV4 Prime, 2021-2023 Sienna (US-made), 2020-2022 Yaris, 2021 GR Yaris, 2021 Venza
    Not hacked and unlikely to be:
    • 2023+ Lexus RX, RZ, LS, ES
    • 2024+ Grand Highlander, Tacoma, GX, TX
    • 2023+ Prius/Prius Prime
    • 2024+ RAV4 (new generation)
    • 2022+ Tundra, 2023+ Sequoia
    • 2023+ bZ4X/Solterra
    Looking at comma.ai's official vehicle list, their newest "favorite" Toyotas are the 2021-22 Prius and 2020-23 Highlander — models that predate or sit at the edge of the SecOC transition.
    Why Comma.ai Likely Won't Solve This
  4. It's Not Their Business Model
    Comma.ai sells consumer hardware that "just works" when you plug it in. The SecOC workaround for early Toyotas required:
    • Physical removal of the power steering ECU
    • Bench-top voltage fault injection equipment
    • Firmware dumping and reverse engineering
    • Per-vehicle key extraction
    This is boutique hardware security research, not a scalable consumer product.
  5. Cat-and-Mouse Dynamics Favor Toyota
    Even if researchers found a new bypass on 2023-2024 vehicles, Toyota can:
    • Patch bootloaders via over-the-air updates
    • Rotate to newer HSM implementations
    • Close the vulnerability window
    comma.ai would need to maintain an active hardware security research lab just to chase Toyota's updates.
  6. They've Already Moved On
    Comma.ai's recent development focus has shifted to:
    • Tesla (Model 3/Y with HW3/HW4)
    • Rivian (R1T/R1S)
    • Ford (F-150, Explorer, Bronco)
    • Hyundai/Kia ( Ioniq 5, EV6, Palisade)
    These brands either don't use SecOC or have architectures more amenable to comma's integration approach. Their "favorite cars" list now prominently features Hyundai and Ford over Toyota.
  7. The Key Talent Has Left
    Willem Melching — who led the original SecOC research while at comma.ai — has since left the company and pursues this research independently. His blog post on the topic explicitly frames it as an owner's rights/access issue, not a comma.ai commercial initiative.
    ----
    What Could Happen (But Is Unlikely)
    Scenario Likelihood Explanation
    New bootloader vulnerability found Low-medium Toyota has patched known bypass vectors
    HSM key extraction via side-channel Very low Requires advanced semiconductor analysis per chip revision
    Firmware modification to disable SecOC Unknown Research stalled in 2025; risks safety system integrity
    Comma.ai partners with Toyota Very low Toyota has no incentive to support aftermarket ADAS competitors
    CAN FD/ethernet architecture change Possible long-term Newer vehicle networks may offer different attack surfaces
    Bottom Line
    If you own a TSS 3.0+ Toyota (2023+ models), don't hold your breath for comma.ai support. The security architecture has fundamentally shifted from "software verification with key in memory" to "hardware-backed signing that can't be extracted."
    Comma.ai is a machine learning and consumer hardware company, not a hardware security research firm. The research that did crack early SecOC vehicles came from individual security researchers with specialized equipment, not from comma.ai's product engineering team. Those researchers have moved on, and comma.ai's commercial priorities have shifted to brands with more open architectures.
    Your best bet for modern driver assistance in a newer Toyota is Toyota's own TSS 3.0 system — which, by most accounts, has improved significantly and now offers competent lane centering and adaptive cruise. It's not openpilot, but it's no longer the uncompetitive system that made comma.ai essential for Toyota owners in the first place.
reddit.com
u/omarela — 9 days ago