cryptographic process of key "reprogramming"

Discussion in 'Gen 2 Prius Technical Discussion' started by obscenefrogtour, Jul 23, 2017.

  1. obscenefrogtour

    obscenefrogtour New Member

    Jul 23, 2017
    2008 Prius
    Three Touring

    First, thanks to all for this awesome forum. I've already learned a lot from you all!

    Can someone link me to a deep technical guide to how the keys work?

    Specifically, I want to understand how the key is authorized to do certain actions to the car. Other than the mechanical key that's cut to a literal private key, there appears to be 3 functions:

    1. Wireless Remote (ie: the unlock, lock, & panic buttons on the fob)
    2. SKS = Smart Key System
    3. Starting the car, which works even when SKS is disabled or the battery is dead

    First question: What is the technology that allows authorization of a given key to preform each of the above actions? Is there a different private key & tech for each of the above actions? At this point I think it's an RFID chip for both [2] & [3], and [1] is a different tech all-together. Is that assumption accurate?

    I'm mostly concerned with the cryptographic tech with regard to the security risks of purchasing a used car and/or a new/used key fob. Ideally, after purchasing a used Prius, one would want to:

    1. securely wipe all previous private keys on all the key fobs
    2. securely wipe the list of all authorized keys from the car's storage
    3. generate new cryptographic key pairs on each of the key fobs
    4. whitelist all the new keys on the car's storage

    Second Question: Is it possible to do any or all of the above steps?

  2. ChapmanF

    ChapmanF Senior Member

    Mar 30, 2008
    Indiana, USA
    2010 Prius

    (2) and (4) are easy, just plug into the car with Techstream and follow the corresponding menu options.

    (1) and (3) assume more than I know about the internal workings of the fobs themselves. But a fob you have wiped from the car using (2) isn't going to let anyone mess with the car anyway.

    There is definitely some amount of state kept in the fob itself, seen in the fact that a fob once whitelisted to one car cannot be added to another car (without being 'revirginized' first, which is a service you can find on eBay for around twenty bucks).

    Elektroingenieur likes this.
  3. Elektroingenieur

    Elektroingenieur Senior Member

    Jan 8, 2017
    2016 Prius
    Three Touring
    For the official perspective, I’d start with Smart Key System: Course T973B Handbook, the 160-page student manual for Toyota’s technical training course. You can also refer to Quick Training Guide QT613A, “Smart Key Component Registration,” and to the New Car Features and Repair Manual books for each model and year. These publications are all available by subscription to
    The terms you’re using (“key pairs,” “private key”) suggest that you’re assuming a public-key cryptosystem is used; this is not necessarily so, though Toyota’s publications understandably do not discuss cryptographic algorithms, key lengths, or other implementation details unlikely to be useful to service technicians.

    From the open literature, it appears that challenge-response or rolling code systems, relying on shared secrets between the car and key, are typical. I believe some recent Toyota cars use keys with the DST80 system from Texas Instruments, implemented in ICs such as the TMS37145 and TMS37126, about which TI doesn’t have much to say in public, but for which aftermarket cloning devices seem to be available.
    Practically speaking, if you’ve bought a used Prius, the most basic security measure for the Smart Key system is to have a dealer (or someone else with a Toyota Techstream diagnostic system) check how many keys are registered in the car, and make sure you have that many working keys. If there are registered keys that you don’t have, Techstream can erase (de-register) them, as @ChapmanF notes, so they will no longer work with the car, even if the keys themselves still have the car’s vehicle ID programmed in their memories.

    For more protection—against cloned keys, for example—you could buy as many new keys (having new key ID values, not known to the previous owner) as you need, erase (de-register) all of the old keys, and register the new ones. You could also install a new lock cylinder and replace the mechanical key blades.

    I suppose you could go further, by changing the vehicle ID using the Smart Code Reset function or by physically replacing the ID Code Box, Certification ECU, or both, but I’m not sure these steps would add enough security to justify their cost or the risk of causing other problems, especially since they would not be addressing any of the fundamental weaknesses in the system, such as its vulnerability to RF relay attacks.
    RobH likes this.