
breaking into a prius

Discussion in 'Gen 2 Prius Main Forum' started by starla30, Jan 16, 2005.

  1. rmm20 (New Member; joined Aug 19, 2004)

    There is no such thing as a plain fob. Every fob has to be electronically
    mated to its specific Prius. My fob will not work in your Prius...

    The exorbitant cost of the fob is for this electronics plus a lot of
    dealer markup. A fob without battery works in the dash
    because the Prius provides power to it when it is plugged in.

    Robert
     
  2. DanMan32 (Senior Member; joined Aug 27, 2004; Tampa Bay, FL)

    If you mean an electrical connection is made through the plastic to the electronics inside, then no, that is not the case.
    A coil sends a signal that energizes the transponder in the fob, and the fob echoes back with the transponder ID. Much like RFID on cereal boxes at Walmart, or the badge system they have here where I work.
    I don't think enough energy is sent to the fob for it to be able to perform rolling code. Would be quite secure if it could.
     
  3. rmm20 (New Member; joined Aug 19, 2004)

    I viewed it like my electric toothbrush sitting on its base... The fob sends something better
    than a fixed number, because it has been programmed to match the car. Otherwise
    any fob would work. Anyone got a fob I can borrow?

    Robert
     
  4. DanMan32 (Senior Member; joined Aug 27, 2004; Tampa Bay, FL)

    Ah no, not if each fob sends a long unique 40-bit number. The ECU would then have to know what that number would be. The fob would send that same number it always sent, 2000 times ago, but your significant other's fob would send a different number than yours, but still the same one it sent 2000 times ago.

    Only if someone probed the output of the keyslot would we know.
     
  5. rmm20 (New Member; joined Aug 19, 2004)

    I think my understanding of the process was incorrect...

    I thought to get an additional fob, you gave the dealer your current
    fob and he made the new one match it.

    A better description would be that the dealer registers the new fob with
    the ECU built into the Prius, using your existing fob for authorization.

    In that case, it could be like a badge reader.

    Still not sure how rolling codes play into it past using it to open doors.

    Robert
     
  6. KTPhil (Active Member; joined Jan 14, 2005)

    "There is no such thing as a plain fob."

    There are two kinds of fobs, one with the silver logo and one without. The owner's manual makes this distinction. I am not sure, but I believe one will work the SE/SS and the other must be inserted into the slot. I expect both need to be programmed, but one should be cheaper than the other.
     
  7. DanMan32 (Senior Member; joined Aug 27, 2004; Tampa Bay, FL)

    Yes, one supports SKS, other doesn't. There are 3 codes, one for SKS, one for immobilizer, one for wireless remote.
    It is now speculated that SKS and immobilizer codes are fixed but randomly assigned to each fob. The ECU is programmed to accept that code, but to authorize the learning of these new codes, a fob with a known code must be used.

    Now with the wireless remote, it too must be learned and a known fob needs to be used to authorize the learning. What is learned is the code this new fob and the ECU will match to start the rolling code sequence.
     
  8. bookrats (New Member; joined Mar 12, 2004; Seattle, WA)

    Apologies in advance -- I may be missing something obvious (I probably am), but from what I've read in other PriusChat threads on the subject, it was my understanding that the ECU in the car had storage for 4 separate codes -- i.e., 4 separate fobs.

    I was under the impression that was part of the reason a new Prius fob was so expensive -- the dealer had to go into the ECU and program the ECU for the new fob. (And as you point out, Dan, using an existing, working fob to authorize the change.)

    The best detailed explanation of how secure remote entry technology works for cars (among other things) is a topic over at
    howthingswork.com on remote entry security.
    ----
    And Dan -- you've really made a lightbulb appear over my head. If the fob can start the car without batteries in it (i.e., inserting the "dead" fob into the keyslot/fobslot) -- how does it have enough power to calculate the next rolling code? Man, I really missed that one.

    The only explanation I could come up with: if you're using the fob when inserted in the fob slot of the Prii, it always performs a resynchronize operation (see the howthingswork.com article) in this situation. I.e., why use a rolling code operation if the code isn't going to be transmitted over RF? And for SKS systems, the rolling system is used.

    That way, the process for authenticating the fob for the immobilizer would be the same for SKS and non-SKS systems. However, it means not only adding RF hardware to SKS systems, but also rolling codes algorithms to the fobs and ECU as well -- which is extra cost to Toyota.

    (Or alternatively, the fob is resynchronized when the fob battery is dead, for either SKS or non-SKS systems.)

    I know there *is* significant extra hardware/software FOR SKS (i.e., you can't add it aftermarket); I just don't know if Toyota felt there was enough justification to add extra encryption software.

    I believed that the Prius used rolling codes for the ECU, based on several articles on the web about the Prius. (See the aforementioned Prius thread.) However, I certainly don't know for sure -- incorrect information is often recycled on the internet ad infinitum.
    ----
    Speaking for myself, the only place I really would like to have a rolling code system in the Prius is the engine immobilizer. Anyone who wants to break into my car can -- by shattering the window. It's their inability to drive it away that appeals to me.
     
  9. daniel (Cat Lovers Against the Bomb; joined Feb 25, 2004; Spokane, WA; vehicle: 2004 Prius)

    I have no knowledge of this other than what I've read here. My understanding is that when a fob is inserted in the slot it receives power from the car. It doesn't take much power to operate a circuit designed for low-power, as the fob obviously is, since normally it can operate for years on one itsy-bitsy battery.

    Dan, on what do you base the speculation that the engine immobilizer does not use a rolling code? Why would it not use a rolling code? Doesn't a fixed code make it one whole heck of a lot easier to steal a car?
     
  10. prius04 (New Member; joined Aug 26, 2004; NorthEast USA)

    A toothbrush charger was mentioned above. My electric toothbrush sits in a holder and everything is plastic. There are no metal connections whatsoever. Yet my toothbrush has never run out of power.

    Thus, an awful lot of electrical energy can be sent thru the air, or thru the plastic in this case.

    So surely if the FOB has no battery, and you stick it into the dash, the car can easily send it enough juice for the FOB to generate and send a new rolling code.

    If it can charge a toothbrush thru plastic then it can power a FOB thru plastic. The energy required would be minuscule compared to an electric toothbrush.
     
  11. KTPhil (Active Member; joined Jan 14, 2005)

    Not sure about the fob's workings, but a side note that the toothbrush is charged through the plastic by induction, same as the GM EV was charged through the paddle stuck in the hood-- dry, no metal-- safe for the high current required.
     
  12. hdrygas (New Member; joined May 22, 2004; Olympia, WA; vehicle: 2004 Prius)

    I have a question. Several have said you can wrap an extra fob in heavy-duty aluminum foil and leave it in the car and it will not be recognized because the signal would not go through the foil. I would think that you would have to use a ferrous metal to block the signal? People who know more about radio transmission leap in here. I did study for a Ham License many many years ago but never made it because my dyslexia fouled me up on the code test. I did learn a bunch about radio. Is my memory faulty or am I not understanding the principles correctly?
     
  13. gshepherd (New Member; joined Apr 15, 2004; Everett, WA)

    As my day job is in industrial auto-ID (read: bar codes, RFID, etc), I have learned a thing or two about RFID lately (especially hype versus reality). It is certainly possible to have a dynamic code such as challenge-response with RFID technology, such as that likely used in the non SKS portion of the Prius key fob. The RFID chip can collect enough power using a capacitor and a diode to power up just long enough to do calculations. The chip can then transmit its answer back to the scanner by effectively changing the impedance of its receiving antenna. The scanner picks this up by listening to the minute reflections of its transmitted signal. There are different types of passive RFID using varying frequencies and having varying capabilities and range. The passive chip in the Prius keyfob doesn't need much range at all.

    Active RFID requires a battery, like the SKS key fob. This can actively receive, store, and transmit more information over longer distances than the cheaper non-powered RFID. Since the fob already requires a battery for the non-RFID remote lock/unlock/panic functions, active RFID makes sense for SKS. So that the car can still be started with a dead battery in the fob, passive RFID makes sense for the in-dash ignition slot function and of course the backup metal key so you can unlock the door.

    Note the recent findings at Johns Hopkins regarding the popular TI RFID chip used in keys and gas-pass cards:

    RFID Chips in Car Keys and Gas Pump Pay Tags Carry Security Risks

    Of course, as far as what specific technologies (active and passive RFID, rolling code remote lock/unlock, etc) the Prius fobs actually use is all speculation on our part at this point. It would be interesting to know if the passive RFID portion of the fob (in-dash ignition slot) uses the TI chip mentioned in the article.

    --
    Geoff Shepherd
    '04 Tideland Pearl BC + XM
    '00 Honda Insight Citrus Yellow Metallic
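    The difference between a transponder that merely echoes a fixed ID (the "cereal box RFID" model described in post 2) and the challenge-response scheme Geoff describes above comes down to whether the tag's answer depends on something the reader chose freshly. The Python below is an added illustration, not Toyota's, TI's or any poster's code: the keyed hash, the 64-bit nonce and 8-byte truncation are constructed choices, and `ReplayTransponder` simply stands in for a recording of one earlier exchange played back unchanged, which is enough to show why the fixed-ID reader accepts it and the challenge-response reader does not.

```python
import hashlib
import hmac
import secrets


class FixedIdTransponder:
    """Tag that answers every interrogation with the same ID, whatever was sent."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, challenge: bytes) -> bytes:
        return self.tag_id  # the challenge is ignored entirely


class ChallengeResponseTransponder:
    """Tag holding a secret key; answers with a keyed hash of the reader's challenge.
    (HMAC-SHA256 truncated to 8 bytes is a constructed stand-in for a real tag cipher.)"""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()[:8]


class ReplayTransponder:
    """Models a recording of one earlier exchange, played back unchanged."""

    def __init__(self, recorded_response: bytes):
        self.recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self.recorded


class FixedIdReader:
    """Reader that accepts any enrolled ID. Anything that can repeat the ID passes."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def authenticate(self, tag) -> bool:
        return tag.respond(b"") in self.enrolled


class ChallengeResponseReader:
    """Reader that sends a fresh random nonce per interrogation and checks the keyed answer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_challenge = None  # kept only so record_exchange() can show the capture

    def authenticate(self, tag) -> bool:
        nonce = secrets.token_bytes(8)  # never reused, so an old answer is useless
        self.last_challenge = nonce
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, tag.respond(nonce))


def record_exchange(reader: ChallengeResponseReader, tag) -> tuple:
    """Return the (challenge, response) pair of one genuine interrogation."""
    reader.authenticate(tag)
    challenge = reader.last_challenge
    return challenge, tag.respond(challenge)


if __name__ == "__main__":
    key = b"constructed demo key"
    reader = ChallengeResponseReader(key)
    genuine = ChallengeResponseTransponder(key)
    print("genuine tag:", reader.authenticate(genuine))            # True
    _, captured = record_exchange(reader, genuine)
    print("replayed capture:", reader.authenticate(ReplayTransponder(captured)))  # False
```

    Note that the challenge-response tag needs only enough harvested energy to compute one keyed hash and answer, and no non-volatile state at all; that is what makes it a natural fit for the battery-less in-slot case Geoff describes.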
     
  14. jayman (Senior Member; joined Oct 21, 2004; Winnipeg Manitoba; vehicle: 2004 Prius)

    Geoff:

    I don't think you need the FOB circuit powered all the time just to keep synch with the rolling code. You can use flash memory in the register to keep the current hash value, so the next time the circuit is powered it will look for the next expected hash value, actually the next 256 hash values.

    Only if the hash value exceeds 256 increments from the last known value will you have to resynchronize the hash tables. That's the biggest PITA with hashing: how do you combine security with convenience??

    I had posted some detailed technical material on how the hash algorithm works, but the recent PriusChat crash wiped it out. Anybody interested in seeing this again?? No??

    That Johns Hopkins hack was very clever, wasn't it? As they stated a few times "obscurity is not security." I'm hopeful we have several years before we have to worry about this hack.
     
  15. youngsirchuck (New Member; joined Oct 20, 2004; Lake in the Hills, IL)

    It doesn't have to be ferrous, just a conductor. It doesn't even have to be solid as long as the holes are less than 1/4 of the wavelength you want to block, if I remember correctly.
     
  16. DaveinOlyWA (3rd Time was Solariffic!!; joined Apr 13, 2004; South Puget Sound, WA; vehicle: 2013 Nissan LEAF, Persona)

    wow what a truck!!

    Starla you definitely deserve points for this!!
     
  17. DanMan32 (Senior Member; joined Aug 27, 2004; Tampa Bay, FL)

    Mostly speculation/educated guess. I would doubt that a stored brief energy pulse would be enough for the fob to retrieve the code from flash, transmit the code, calculate the next value, then store it in flash. The transmit alone, even over an inch of space, would take quite a bit of energy.
    SKS could be rolling code, I just haven't seen any documentation positively saying it is. Only Wireless Remote Door Lock is positively designated as rolling code in NCF.
     
  18. andyprius (Senior Member; joined Feb 21, 2005; Sacramento, California; vehicle: 2012 Prius Plug-in, Plug-in Base)

    Good question about a plain FOB, what is so unique about this totally enclosed piece of plastic. There are no seeable external connections?
     
  19. DanMan32 (Senior Member; joined Aug 27, 2004; Tampa Bay, FL)

    There's one for the battery. It communicates by various radio waves. Even with the battery dead, when the fob is in the slot, the car can power it briefly through inductance, much like today's rechargeable electric toothbrushes, entry badge systems, and keys with sealed chips in them that other cars often now use.
     
  20. jayman (Senior Member; joined Oct 21, 2004; Winnipeg Manitoba; vehicle: 2004 Prius)

    You don't need a huge amount of power to operate the encoder. Flash is easily applied to remember the encrypted hash until next use. There are many USB security dongles and security card systems that operate on very low power levels.

    If it wasn't a rolling code, Johns Hopkins would not have needed to go through all that nasty math to break the hash algorithm. All you would need to do is record the fob broadcast and play it back. If it was really that easy with the Prius, we'd hear of them disappearing left and right.

    That's why garage door opener companies really had no choice but to introduce some sort of rolling code system. It was just too easy to break into a house: record the opener broadcast, wait for the car to disappear, play it back, enter the house.
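    The rolling-code receiver jayman sketches in post 14 (counter kept in flash, a look-ahead window of 256 values, a resynchronize step beyond that) and the record-and-play-back problem he returns to here can be put in a few dozen lines. The Python below is an added worked example and not Toyota's, KeeLoq's or any poster's code: the keyed hash of a counter, the 256-value window, the two-press resynchronisation and the 65536-value resync search are all constructed parameters chosen for illustration. It shows the three outcomes a defender cares about: a fresh press is accepted, a code that was already used (a recording) is rejected as a replay, and a fob pressed many times out of range falls outside the window and needs two consecutive presses to resynchronize.

```python
import hashlib
import hmac

# Hypothetical parameters for this demonstration (not Toyota's or any vendor's values).
WINDOW = 256           # how far ahead of the last accepted counter the receiver looks
RESYNC_WINDOW = 65536  # how far the two-press resynchronisation is willing to search


def rolling_code(key: bytes, counter: int) -> bytes:
    """Value transmitted for a given counter: a keyed hash of the counter,
    truncated to 64 bits. A constructed stand-in for the fob's real algorithm."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    """Transmitter. `counter` is the state a real fob would keep in flash between presses."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Vehicle side. Shares the key and remembers the last counter it accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, code: bytes) -> str:
        """Classify one received code as 'accepted', 'replay' or 'out_of_window'."""
        # Only counters strictly ahead of the last accepted one are valid.
        for n in range(self.last_counter + 1, self.last_counter + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self.key, n), code):
                self.last_counter = n  # persist in flash on a real ECU
                return "accepted"
        # A code matching an already-consumed counter is a recorded transmission.
        for n in range(max(1, self.last_counter - WINDOW), self.last_counter + 1):
            if hmac.compare_digest(rolling_code(self.key, n), code):
                return "replay"
        return "out_of_window"

    def resync(self, first: bytes, second: bytes) -> bool:
        """Two consecutive presses let the receiver catch up with a fob that was
        pressed many times out of range. Requiring two adjacent counters means a
        single stray recording is not enough to move the receiver's state."""
        for n in range(self.last_counter + 1, self.last_counter + RESYNC_WINDOW + 1):
            if (hmac.compare_digest(rolling_code(self.key, n), first)
                    and hmac.compare_digest(rolling_code(self.key, n + 1), second)):
                self.last_counter = n + 1
                return True
        return False


if __name__ == "__main__":
    key = b"constructed demo key"
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    print(car.accept(first))   # accepted
    print(car.accept(first))   # replay: the same transmission played back
    for _ in range(300):       # presses out of range of the car
        fob.press()
    a, b = fob.press(), fob.press()
    print(car.accept(a))       # out_of_window
    print(car.resync(a, b))    # True: receiver caught up using two consecutive codes
    print(car.accept(fob.press()))  # accepted
```

    The window is the convenience/security trade-off jayman mentions: a larger window tolerates more missed presses before a resync is needed, but each extra value is one more code the receiver would accept from a recording made after the last accepted press.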