Does your smart key open other Prius?

my smart key won't open my wife's Prius, nor will her smart key open mine.

 

If you play with the math and assume a purely theoretical random distribution, what you described is almost impossible.

The Prius uses a 40 bit proprietary algorithm: 2 raised to the 40th power is over 1 trillion or 1.0995 trillion to be precise. However, to maintain synchronization with the encoder, the decoder uses an algorithm that also anticipates the next 256 value or 2 to the 8th power.

You no longer have a "pure" randomly distributed situation to deal with.
Since up to 4 keys can be programmed into the system, this changes the math a bit too.

If you want to know the probability of a *random* code unlocking the car, you would have to calculate the following:

probability = (2 to 8th) (4)
[align=center]2 to 40th

= 1
2 to 30th

= 1
1.074 x 10 to 9th

or - rounded off - around a 1 in a billion chance that a "random" code another fob will unlock your Prius. Anything is possible, though probably he just forgot to lock it.

If not, you have to hunt that person down and get them to pick out some lottery numbers for you.

I suppose the next question that will come up is the hacking issue. I think we already covered that, or was that thread lost when PriusChat got hacked a month ago?

 

Geez the math is hard enough for the typical novice reader to understand, when it looks like s*** too it makes it worse. Anybody want to play with formatting, please feel free to do so. :roll:

 

<div class='quotetop'>QUOTE(CraigCSJ\";p=\"74283)</div>

The important thing is: How far away from his own car was your tennis buddy when the other couple touched the handle? The Prius probably thought that it was the owner who was 1) approaching it, 2) his hand touching its handle.

If your tennis buddy was far away (more than 15 - 20 feet) when this happened, then we have an issue indeed.

 

I remeber somthing years ago along these lines with regular car keys. There it was mentioned that the manufacturers try to ship cars with matching keys to different areas. But then regular keys have a much smaller number of possible keys.

 

But the regular car key issue is real.

Years ago I was staying at one of the fancy hotels in Monterey, CA (business trip) that had valet parking. One night I called down for my rental car and when I got there they handed me the keys. Since my wife was with, I went to open her door, but the key wouldn't unlock it. Odd, I thought, but I went over to the driver siade and hit the unlock button. Got in started up and drove to dinner, where we locked the car using the lock button.

About an hour or so later, I went out to the car and tried to unlock it. It wouldn't unlock. Not the passenger's side, nor the driver's side. It was then I noticed the rental tag on the keys said "Red Sable," while I had rented a white Taurus.

So, I called back to the hotel, asked for the valet stand and explained my problem. The guy on the end said hold on a minute, and I hear him shout out "I found the keys! I found the keys!" The valet manager gets on the phone, finds out where we are, and rushes right over. While there he explains that they've ripped apart the valet area looking for some other guy's keys for the last hour. They even went so far as to search his room. Apparently, he couldn't start his car with my keys and probably missed out on dinner.

The following day I noticed that when the valets handed over the keys, they all had nametags on them and the valet would look at it carefully and would clearly state,"Your car Mr/Mrs. So-and-so."


Thanks,
Shawn

 

<div class='quotetop'>QUOTE(jayman\";p=\"74390)</div>

Having had some Tech Math while in college , I can see what you are trying to show us :roll: . But somebody that is not to math oriented would look at that and say, " Wth is all this!"

In my opinion, the Smart Prius would be like using the remote door lock fob for your 80's GM. I don't remember any of those unlocking someone elses car. Just to many combinations like jayman figured out for us. :wink:

 

I try on every one I come across, so far, no success. I'm biding my time. I use the remote and not the SKS as it's been pointed out mathamatically it's almost impossible. If I ever get one to unlock, I'm driving it over to the lotto sales kiosk. I will take it back though.

 

No matter how good the math is, it is still possible that Toyota just accidentally (or stupidly) produced multiple transpoders with the same key instead of choosing random codes for each one.

I'm not completely up on the rolling code algorithm, but the above discussion seems to imply that any of the next 256 codes would be valid. If both cars are relatively new then then it's quite feasible that the number of times car A was unlocked is within 256 of the number of times car B was unlocked, so it seems possible and even realistic that this could happen if (and only if) Toyota produced identical transponders.

This shouldn't be true, but often things that shouldn't be true are true. In my company there are only four different key masters for the desk locks. And perhaps even more annoyingly, there are only four key masters for the gym lockers. I've had the experience of accidentally putting my gym locker key into the adjacent locker and having it open up with someone else's wallet inside. And my company is one that takes great pride in its security prowess.

Still I believe it's more likely your friend was mistaken and that the car was already unlocked, but the math doesn't rule out human error on Toyota's part.

 

I have the SKS but as yet have not run into this "problem". I agree that if this happened the car probably just sensed its own transponder nearby and it was a fluke.

I have had the metal key opens multiple cars thing happen. We had a Ford Pinto when I was a kid (a 1971) and a Mercury Monarch (1980) and the two keys were interchangable. The first time we discovered this was of course by accident by opening the right car with the wrong key.

I have seen this phenomenon mostly in Fords.

You can bet that I will now be pulling on every Prius door I come too just to see what will happen. Actually, come to think of it, you don't have to touch to door, if the car "recognizes" you it will light up inside sort of like it is saying "Hi!".

Take care,

Tisza

 

Thats somthing fishy....
Most of PC memeber know I rent a garage in Japan and I park next to Crown Majest, Lexus LS, and Toyota Crown Athlete everyday. Which are flagship sedan for Toyota fleet and all of them has SKS, so does my Prius. I never have problem yet
My recent habit is when ever lock my Prius by SKS, I pull outside rear door handle to make sure its locked :idea:

 

One other thing to think about, when considering 'possiblilities' is that the codes are not truly random, but psudo-random. After all, both the car and the fob have to agree, within 256 iterations, what the codes are. Therefore, there is a good possiblility that the range of codes is much smaller, but still quite large compared to mechanical keys.
Also, Jayman divided the probablility by 4 for each fob slot. Actually it is 5 for SKS, but most of us only have 2 of those populated.

I'll be putting this on another thread, but I made 2 discoveries yesterday, in studying SKS to try and come up with an auto lock when no fob is present.

The osclillators at the 3 doors and interior have only one purpose; to wake up the fob and ask it to transmit its code. It is the wireless remote receiver that receives the code that the fob transmitted. The oscillators are weak, in that they only work up to about 3 feet, but we all know the fob goes much further. Also, the oscillators only send their requests when events dictate to check: handle touched, hatch latch pressed (actually, the oscillators do broadcast often but only when doors are locked), power button pushed, and when the car is not off and door is open to see if you are taking the fob away.
Since the fob is not polled when the doors are unlocked, there is no way to tell if the fob has left the detection area of the car. I have to see if the dome lights come on when I approach the car in my garage, where I usually leave it unlocked.


I also discovered that the SKS ECU does have a reset function, where with a scanner, you can reset the SKS to clear all fobs and accept a new one. The scanner gets a seed from the ECU, the tech enters that in Toyota's website, Toyota returns a passkey, and the passkey is entered into the scanner. Now I don't know if that would also reset the transponder ECU that handles the immobilizer.

 

I tried to get into 5 Prii at the dealer and failed. This dealer in Manassas VA has em on the lot.

 

My SKS does not work on my wife's or vice versa. Your friend probably forgot to lock it. Especially since the couple could not drive away in the car. If the car will not start then the doors would not have opened if locked properly, unless he put his keys under his seat.

 

<div class='quotetop'>QUOTE(DanMan32\";p=\"74541)</div>

The dome light on my car comes on but you have to be close and it takes a few seconds to happen. I think you have to be in the range of the oscillators before it happens. Nice touch though.

 

If that's true, that the doors don't have to be locked for the car to sense the fob, then it may be possible to make an auto-lock on abandon.

 

<div class='quotetop'>QUOTE(DanMan32\";p=\"74541)</div>

Dan:

That's why I said "and assume a purely theoretical random distribution ..." and "If you want to know the probability of a *random* code unlocking the car" which as we should all know, is "theoretical." In the real world a PRNG is used, the robustness of which depends on how you set up seed values and hashing.

Since the car makers depend on a proprietary algorithm or "security through obscurity" we will never know how the PRNG is actually calculated. Thus we'll never know how truly robust - or not so robust - the hash actually is. Since they "cheat" by using a 40 bit value, and they also need to know the next 256 values, my guess would be "not so robust."

<div class='quotetop'>QUOTE(DanMan32\";p=\"74541)</div>

The overall probability doesn't change enough, it's still very close to 1 in a billion. Again assuming a "perfect" random distribution. I tried to keep this as simple as I could, but a lot of clarity has been left out.

A "pure" random number can never be proven, only disproven. So you have to accept that at best you will have a "pseudo" random distribution. Thus the PRNG algorithm:

http://www.embedded.com//showArticle.jhtml...icleID=20900500

I don't know how to enter special symbols like Sigma into this editor, so please go to the above URL and scroll down to "Figure 2" which describes how to calculate a Lag k value from the Y values. Figure 3 will show you how to calculate the x squared distribution.

Remember, so far the math is *easy* there is no calculus or integrals.

Here is a resultant "reasonably" secure hash that is fairly easy to follow:

static unsigned int xorTable[64] = {0x7be9c1bd...0x088aa102};
static unsigned int r = 31468; // your seed
static unsigned int q = 0, n = 0;
unsigned int i;
unsigned char Y;
// begin critical section
for(i=0;i<32;i++)
{
q = (r + xorTable[choice & 0x3f]) ^ n*xorTable[n++ & 0x3f];
if (q==r)
{
r+=xorTable[choice & 0x1f] ^ choice; continue;
}
else
{
r = q;
break;
}
}
n++;
Y = r >> 24;
// end critical section
return(Y)

I hope everybody quickly noticed the static integer that was the fixed value of 31,468. Try some other values and your resultant Y's will be remarkably different in value *and* distribution!

If you do something like inverse congruential number generation, you perform the math tests and discover that if the seed values differ just by 1, you can go from a reasonably "secure" hash where a value isn't repeated for 100 million iterations to hash output where there is a *lot* of autocorrelation.

This is where the math gets tricky ...

You have to perform *extensive* statistical diagnostics (ANOVA, F&T, Chi Square, Weibull, etc etc) on *all* the PRNG outputs to determine if you have a "robust" and reasonably "secure" hash at your disposal.

And you have to factor in one additional complexity: since it's possible for the fob to transmit and not receive a reply from the car, the fob encoder will get out of synchronization with the decoder in the car. The "expected" results won't match up and your fob no longer works.

That's why not only does that proprietary hash have to know the *next* expected hash, it also has to know the next 256 "expected" hash outputs. So that implies a certain level of autocorrelation that, more importantly, allows for more "unexpected" same values. This also allows for hacking once the Johns Hopkins University hack becomes common knowledge.

Look, does anybody want me to go into more detail wrt the programming or the math? I had to make a lot of assumptions here, I don't mind PM'ing with more detail. Rick, our RHCE? Rick, our MDT??

 

<div class='quotetop'>QUOTE(Widdletink\";p=\"74498)</div>

Tisza:

For a long time only 10 key permutations existed, so all you needed was a master dupe set. Open the door, start her up, drive off with no sign of forcible entry.

Same as the lock to your home, there are a set and limited number of permutations. I'm sure you've been to Home Depot, go look at their entry locks. If you want all the locks in your home "keyed alike" instead of paying a locksmith just get the locks with the same code.

You'd be surprised how weak the "security" in our everyday lives really is. I suppose it's best not to think about it ... it's not like you can do anything about it.