2023 Rav4 CAN

Rav4s are being stolen through CAN injection, and I wanted to understand how this is being done.

Project Image
I wanted to be like Remy from Ratatouille and be the one pulling the strings, but on my Rav4.

What's happening

I was able to decode and understand the Rav4's CAN messages to the point where I could unlock my doors via CAN injection. This is a ~50-hour project. I will not be posting key parts of this project, as I would not like to be responsible for any Rav4s being stolen, including my own.

Finding the Right Wires

I started with the Toyota wiring diagrams to locate the seat climate control connectors, power feeds, and the mysterious control line that changes with the ventilated seat levels.

Image: Smart Key ECU wiring diagram.
Image: Smart Key ECU's connector part numbers.
Image: Smart Key ECU's important pins for this project.
Image: Pin number for each connector on the Smart Key ECU.
Image: LIN bus is on G54's pin 13.
Image: CAN pinout from the wiring diagram.

Baud Rates

I hooked up my Saleae logic analyser to the CAN and LIN buses and took readings. The CAN bus runs at 500 kbit/s and the LIN bus runs at 9,600 baud.

Image: Saleae reading.

Data Analysis

I started with CAN only, since I have a device that can read and log CAN traffic. I captured several recordings of locking and unlocking the car and noted which message IDs and payloads changed or stayed the same within a single recording, which changed or stayed the same across multiple recordings of the same action (unlock vs unlock), and which changed or stayed the same between unlock and lock recordings. Here were the most interesting finds.
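One way to do this three-way comparison mechanically, as an added example that is not the write-up's own tooling: the recordings below are constructed in the log format used on this page, and the function reports byte positions that settle on one value after every unlock, a different value after every lock, and drops positions that vary within one action (counters, checksums).

```python
"""Differential analysis of CAN recordings: find (ID, byte) positions that are
stable across every recording of one action but differ between two actions.
Added example; the recordings below are constructed, not real captures."""

def parse_recording(text):
    """Parse lines like '000638 11 80 1F 00 AA 00 00 00' into (id, bytes)."""
    frames = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        frames.append((int(parts[0], 16), bytes(int(b, 16) for b in parts[1:])))
    return frames

def final_state(frames):
    """Last payload seen per ID, i.e. the bus state after the action completed."""
    state = {}
    for can_id, data in frames:
        state[can_id] = data
    return state

def diff_actions(recs_a, recs_b):
    """Return {(id, byte_index): (value_a, value_b)} for byte positions that are
    constant within each action's recordings but differ between the actions."""
    states_a = [final_state(parse_recording(r)) for r in recs_a]
    states_b = [final_state(parse_recording(r)) for r in recs_b]
    common_ids = set.intersection(*(set(s) for s in states_a + states_b))
    hits = {}
    for can_id in sorted(common_ids):
        for i in range(min(len(s[can_id]) for s in states_a + states_b)):
            va = {s[can_id][i] for s in states_a}   # values seen after action A
            vb = {s[can_id][i] for s in states_b}   # values seen after action B
            if len(va) == 1 and len(vb) == 1 and va != vb:
                hits[(can_id, i)] = (va.pop(), vb.pop())
    return hits

# Constructed sample: three unlock and three lock recordings. 0x4A5 byte 7 and
# the 0x63B counter change every capture, so they must not show up as hits.
UNLOCK_RECS = [
    "0004A5 00 00 00 00 F8 00 00 3A\n000638 11 80 1F 00 AA 00 00 00\n00063B 00 00 00 00 00 00 01 2C",
    "0004A5 00 00 00 00 F8 00 00 91\n000638 11 80 1F 00 AA 00 00 00\n00063B 00 00 00 00 00 00 02 08",
    "0004A5 00 00 00 00 F8 00 00 C4\n000638 11 80 1F 00 AA 00 00 00\n00063B 00 00 00 00 00 00 00 7B",
]
LOCK_RECS = [
    "0004A5 00 00 00 00 00 00 00 5E\n000638 11 80 00 00 AA 00 00 00\n00063B 00 00 00 00 00 00 03 10",
    "0004A5 00 00 00 00 00 00 00 07\n000638 11 80 00 00 AA 00 00 00\n00063B 00 00 00 00 00 00 03 99",
    "0004A5 00 00 00 00 00 00 00 E2\n000638 11 80 00 00 AA 00 00 00\n00063B 00 00 00 00 00 00 04 41",
]
```

On the sample, `diff_actions(UNLOCK_RECS, LOCK_RECS)` reports only 0x4A5 Data 4 (0xF8 vs 0x00) and 0x638 Data 2 (0x1F vs 0x00), matching the findings listed later on this page.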

Image: Probed the CAN lines off the Smart Key ECU with Saleae probes, then ran the lines back to my MPVI2+ to read the CAN data.
Image: Comparison between 3 unlock vs 3 lock recordings.
Image: A closer look at one specific, interesting message.

Data Playback

I read online that Rav4s were easy to attack because the signals never changed. I went on to read that they were so easy to hack that all you needed to do was play back your recording. Turns out you can't trust people on the internet. Rav4s are resilient to a direct playback of an unlock signal.
I started breaking down the data in the messages and finding specific lines that did specific things. I found a message that flashes the hazard lights. I then found a message that, when combined with the unlock button on the key fob, would make the car try to double or triple unlock the doors. This was exciting! I had found the unlock code on the CAN bus; I just needed to figure out how to authenticate it.

Video: Running the 'Flash Hazards' command.
Video: *Sound On* - I found one specific message that, when played while unlocking the car with the key fob, would make it try to unlock the doors more than once.

This made it pretty clear that what I had read online was not true. The doors are not linked directly to the CAN lines, which is GOOD. This means no bare door-unlock command is sent out to the doors; the request has to be authenticated by the BCM, which is much more involved in the Rav4's data traffic.

Image: Someone else's online diagram of the Rav4's CAN connections.
Image: What I found to be true. The door locks all talk directly to the BCM.

Data Analysis Round 2

I thought it might be easier to learn more about what the CAN IDs mean and what the different messages do, in order to single out which messages are important for my use case and which are not.

Flash Hazards

Example: Flash one time - "000623 19 80 00 00 00 00 00 20"
Example: Flash two times - "000623 19 80 00 00 00 00 00 40"
ID - 0x623
Data 0 - 0x19
Data 1 - 0x80 when sending the message
Data 2 - Sometimes 0x80, sometimes 0x00
Data 3-6 - 0x00
Data 7 - 0x20 for one flash, 0x40 for two flashes

Something with lock/unlock

ID - 0x626
Data 0 - 0x1C
Data 1 - 0x80 during a real unlock/lock event (not on subsequent presses where no actual locking/unlocking takes place), else 0x00
Data 2 - 0x33 after unlock, gets reset on next wakeup?
Data 3 - 0x30 after unlock, gets reset on next wakeup?
Data 5 - 0x08
All others are 0x00

Something with lock/unlock

ID - 0x4A5
Data 4 - 0xF8 after unlocked (sometimes 0x08, then turns to 0xF8), 0x00 after locked (same for handle lock/unlock)
Data 7 - Constantly changing

Something with lock/unlock

ID - 0x375
Data 0 - 0x00 after starting/stopping the car, 0x26 after unlock, 0x00 after lock
Data 1 - 0x00 after starting/stopping the car, 0x50 after lock, 0x4C after driver door handle lock, 0x00 after unlock
Data 2-7 - 0x00

Something with lock/unlock

ID - 0x621
Data 0 - 0x11
Data 1 - 0x80 during the message, else 0x00
Data 2 - 0x21 during lock from remote, 0x31 from driver door lock on the handle, 0xA1 during unlock from remote, 0xB1 from driver door unlock on the handle, else 0x00
Data 3-7 - 0x00

Something with lock/unlock

ID - 0x631

Something with lock/unlock

ID - 0x638

Something with lock/unlock

ID - 0x639

Some kind of counter; it only counts up and seems to get reset on start

ID - 0x63B
Data is the counter?

Something with thermostat

ID - 0x590
Data 5 - 0x01 when the requested air is much colder
Data 6 - Fan speed

Front Passenger Seatbelt Status

ID - 0x610
Data 1 - Occupancy sensor?
Data 7 - Unbuckled vs buckled flag?

Blinkers

Normal, idle - 000614 29 00 62 30 00 01 72 5C
ID - 0x614
Data 0 - 0x29
Data 1 - 0x80 to initiate, 0x00 otherwise
Data 2 - 0x62
Data 3 - 0x30 idle, 0x10 for left, 0x20 for right, 0x38 for hazards

Doors & Driver Seatbelt

ID - 0x620
Data 0 - Same
Data 1 - 0x00 when nothing happens, 0x80 when a door open/close event or a driver seatbelt event (click/unclick) happens
Data 4 - (unknown)
Data 5 - 0x00 when all doors are closed, non-zero when a door is currently open
Data 7 - Nibble 1 (seat belt): 0x5 when disconnected
Data 7 - Nibble 2 (moon roof): 0xA when closed

Window Status & Door Lock Status - message comes every second

ID - 0x638
Data 0 - Same
Data 1 - 0x80 when reporting status, 0x00 when an event happens (window opening, window closing)
Data 2 - Door lock status - 0x00 when doors locked, 0x1F when all doors unlocked (0b11111; the bits go driver door, front passenger, rear passenger, rear driver, and I assume the last bit is the hatch)
Data 4 - Window open/closed status - 0xAA when all closed, 0xFF when all halfway open, 0x55 when all open

Driver Seat Memory Position

ID - 0x63A
Data 0 - Same
Data 1 - 0x80 when starting or finished

Headlights Status

ID - 0x699
Data 0 - 0x9D
Data 1 - 0x80 when something changes, else 0x00
Data 2 - 0x62 for on, 0x62 for on with fog lights on, 0x40 for driving lights, 0x00 for lights off

Driver Seat Moving

ID - 0x6A0
Data 1 - 0x80 at start and finish of movement
Data 5 - 0x0F when idle, 0x02 when something in the seat is moving

Unlock Message from Door Handle

Example: 000621 11 80 83 00 00 00 00 00
ID - 0x621
Data 0 - Same (0x11)
Data 1 - 0x00 no change, 0x80 during a change
Data 2 - 0x00 no change, 0x83 (unlock), 0x03 (lock)

Second Counter

ID - 0x675
Data - Number of seconds



Skip Some Steps...IT UNLOCKS!

After lots and lots of data analysis and many data recordings, none of which I will be posting, I was able to send the CAN unlock signal. The message is encoded, so a record-and-replay attack will NOT work. I am using a custom-built CAN module that initiates the attack, then reads the appropriate messages from the CAN lines and sends back the correct sequence of messages required for the unlock. I will not share it, as I do not want my 2023 Rav4 stolen.
Here is a video of the unlock working!

Video: Here is me unlocking my 2023 Rav4's doors via CAN injection. You can hear the doors unlock as soon as I unplug and re-plug my CAN module.