Toyota Prius Forum banner
1 - 20 of 22 Posts

·
Registered
Joined
·
28 Posts
Discussion Starter · #1 ·
Isn't there some way to update the Prius internal software via firmware on a CD or DVD (with Navi)? I have heard that to update the Navi maps, you need a DVD update of something. Is this true with the firmware, and how can this be done? I am interested in how this all works...very fascinating :)
 

·
Registered
Joined
·
344 Posts
toyota did release a firmware update for the 04 and early 05 priuses, and one previous to that for the early 04s (i think) the newer one is SSC 50P and the older one is SSC 40D, both recall issues.

they require a toyota scantool to load the software, and the software is loaded onto the scantool from toyota's internal network.

it's no child's play. takes quite a while for the new version to load, they actually have to use a battery tender for the 12v battery.

not all ECUs are updatable. the NAV system can be updated with a CD, but i don't know of any other software updates for the prius.
 

·
Registered
Joined
·
28 Posts
Discussion Starter · #3 ·
1) How big is this file?

2) Is it encrypted when it comes over the Toyota network or is it encrypted on this scantool device?

Cool stuff!!! I don't see why it would take so long to update the software, unless it begins an entire diagnostic sequence to verify the loaded code. Hrmmm.. My hex editing dreams are seeming to be killed. Wish I could get that software somehow :-(

3) How much is this scantool device?

There must be some I/O port. However, I assume it is using proprietary protocls because they think it is safer to protect from modification. I bet the security, if any, is weak should I be able to access the data -- it might be easy to change. Wondering...
 

·
Registered
Joined
·
344 Posts
they update using the OBDII connector, i believe.

i'm not sure how TIS works, i've only seen it a couple times. but i know they send all updates and such over this system. i don't think it's really the same thing as a computer file that you're thinking of.

scantool? ooh, maybe $10k. very very expensive. my husband is the first person in the history of the service department to ever take one home (for a bad, intermittent diagnostic issue) and he was told that if anything happened to it, he would be fired no questions asked despite being one of their "rising stars."

i don't think they're taking chances with any of this programming stuff. it does not seem accesible to play with, as you seem to be intending to do. you could do some serious damage, as this stuff controls the usage of the HV battery, engine timing, etc, etc, etc.
 

·
Registered
Joined
·
28 Posts
Discussion Starter · #5 ·
I'm more interested in finding enable/disable procedures somewhere in the code/firmware.

1) I really want to enable the FM radio RDS MSG function while driving.

2) And in addition to that, would like to know how to keep the BACKUP CAMERA on while driving! I figured if I could capture that API call "TURN_BACKUP_CAM_ON" or something, I could patch the software to call this function using a modified button combination -- say "INFO + DISPLAY". It would be a cool hack...
 

·
Registered
Joined
·
344 Posts
hmm. don't think you'll be able to play around with that, sad to say :(

if you can dig around in the diagnostic menu you may find something, someone found the nav lockout workaround on the 05s that way... i think. i don't have nav or any of that stuff so i don't pay attention to that.
 

·
Premium Member
Joined
·
888 Posts
khermans,

Please read my thread in your other post regarding wanting to "reprogram" the vehicle. That will answer your desires regarding backup beep and seatbelt beep. I'll say it here also, search the site, instructions on how you defeat them using a series of button presses and powerup procedures is all over the place.

I'm shooting from the hip here. Simply put, this vehicle requires 2 things for any kind of software update. A THHT (Toyota Hand Held Tester), which is then loaded with any software updates that Toyota may produce for the vehicle. Those software updates do indeed come down from TIS. And that of course leads to the second thing it needs, a properly trained Toyota Master tech and a connection to TIS for Toyota written updates.

From what I can tell, the onboard systems do not have any ability to handle upload, download of software or data on their own. An ODB II compliant device, specifically a THHT, is necessary to start those operations on the vehicle. And further from that point, I'm inclined to believe that onboard software cannot be downloaded into the THHT or any other device. In other words, softare has a one way trip, from the THHT to the computer's nonvolital storage. The tester cannot download the current software to itself. I'm also inclined to believe that as part of the upload process for any software updates, the software on the THHT goes through some kind of "transformation" between the hand held device and the vehicle. This could be nothing more than some kind of deencryption or decompression. Either way, in the case of SSC 50p, I'm pretty sure the software residing on the THHT for upload to a vehicle that needs the update will be in a different format once it is onboard the vehicle. Toyota wouldn't leave the software in a state where it could be harvested from a THHT, reverse engineered or modified.

The best you are going to be able to do is enjoy devices such as Scan Gauge which is a read only ODB II device that many here really like for moitoring coolant temperatures, rpm and other operating conditions of the vehicle. I'm going to get one this spring. Plus, it can be used on any ODB II vehicle you wish to read the codes and operating conditions from.

This car is not user programmable. Just as the label says on many products, "No user serviceable parts inside."
 

·
Registered
Joined
·
211 Posts
Sorry to be pollyannish, but I'd say any messing with the Prius computer beyond factory options is a really bad idea. Even cautious bit flipping in an unfamiliar environment could have unintended consequences. Especially with a jury rigged setup, which sounds like the only possible option becasue Toyota has a propriatary controller.

Hypothetically, if someone messed with their car computer and it went out of control and killed sombody, I think it would qualify as manslaughter. Even a distracting mod might qualify if the accident was borderline negligence. Just saying... bad idea.
 

·
Registered
Joined
·
7,161 Posts
Galaxee, don't confuse drivetrain reprogramming with AVC reprogramming. Those TSBs/ SSCs are reprogramming the ECM/HV ECU, not the NAV or MFD.

If you recall, updating the combination meter for the fuel guage problem required a replacement, not an onboard firmware update. Which by the way, that is on a separate LAN called the BEAN (Body Electronics Area Network).

The NAV can get a firmware update through the DVD. Not sure about the MFD though. The file on the DVD that is actual code is LOADING.KWI.
 

·
Registered
Joined
·
2,285 Posts
I also expect there are checksums in most of the files, and changing a few bits would probably end up disabling the car for a "bad S/W load" type of error at startup.
 

·
Registered
Joined
·
28 Posts
Discussion Starter · #11 ·
KTPhil said:
I also expect there are checksums in most of the files, and changing a few bits would probably end up disabling the car for a "bad S/W load" type of error at startup.
There's always ways around that. Do you guys know what CPU that update file is going to be run on inside the car? I could probably fire up IDA Pro and reverse it a little if it is supported. Otherwise, I'd have to patch the CRC checks, if any, manually by guessing some stuff about the binary. Actually, if IDA supports this CPU, it wouldn't be hard to reverse if it is not protected. It seems like it is not well masked/encrypted, since the textual data is unaltered in the binary. This is a good sign that it could be easily reversible :)
 

·
Registered
Joined
·
344 Posts
DanMan32 said:
Galaxee, don't confuse drivetrain reprogramming with AVC reprogramming. Those TSBs/ SSCs are reprogramming the ECM/HV ECU, not the NAV or MFD.

If you recall, updating the combination meter for the fuel guage problem required a replacement, not an onboard firmware update. Which by the way, that is on a separate LAN called the BEAN (Body Electronics Area Network).

The NAV can get a firmware update through the DVD. Not sure about the MFD though. The file on the DVD that is actual code is LOADING.KWI.
he said firmware update and the first thing i thought of was the recall updates. eflier on priuschat has played around with the mfd programming quite a bit in his work with the can-view and says it may not be possible to do much with it. this was in response to a post by iggy1iggy asking about reprogramming the mfd.

i'm flying solo this week, DH is down in jax for some more training classes till saturday, but i just thought i'd just share whatever i could recall...
 

·
Registered
Joined
·
128 Posts
I'll offer a little insight. Not the full needs, but part.

The code downloaded into the car is hex. To access the code, you must get it from Toyota (in this case). The code access is well protected to prevent hacking. If you could get the code, you would need to decompile it. Thus you need the processor type and preferably the language used for development. Then you would need access to the program comments to be able to understand what the over 100,000 lines of code are doing. You don't get the comments with the code. If you could figure out some of the code and modify it without the comments, then you would need to know the correct encryption keys used to verify the software is indeed whole and accurate, a step above checksums and other file checks made to ensure accuracy and legitimacy. Then you would need to have access to the programmer. This is a proprietary special tool from Toyota (in this case). Let's assume you get that. So you load your software into the scan tool, and attempt to program. If the encryption keys, programming allowance keys, etc. are not correct the program will not load. If it does not load, it might (depends on the programming sequence) have cleared the existing program and you now have a dead ECU.

We have been working on software security for vehicles for more than two decades. While impossible is not necessarily true, there is significant effort made to prevent modification to critical software. Imagine if someone could reprogram your air bags not to deply, of the brake system to release pressure upon a brake apply. The software sets are large, complex, and secured. I doubt you could get access to one, but if you could, the size and complexity is such that reverse engineering is out of the question. Attempts at it were successful to a small degree two decades ago when the software was simple and small. I have not heard of any success during the last 10 years. Most computers now communicate information to other computers for active use. One mistake in a data value can corrupt several computers in the vehicle.

Some companies have gained access to some engine calibrations. This allows modification of spark and fuel curves, among others, but not to the core program. Of course if you burn a hole in a piston, it is your problem.
 

·
Registered
Joined
·
2,285 Posts
Anyone know if Toyota software meets DO-178B requirements? Safety in software is one advantage of using a system that meets this certification. It's probably overkill for a car, but perhaps Toyota is using it. Or maybe IEC 61508?
 

·
Registered
Joined
·
7,161 Posts
Actually, by law, Toyota has to provide the updates that comply with the J2534 interface, which is generic. They can charge for the service.

See https://techinfo.toyota.com/public/main ... flash.html

Now the code itself may be secured so that editing would be futile. After all, all that is require is to allow a generic 'file' transfer. It doesn't mean that the contents of the file are encrypted at Toyota, and decrypted by the ECUs for install once they receive it.
 

·
Registered
Joined
·
128 Posts
DanMan32 said:
Actually, by law, Toyota has to provide the updates that comply with the J2534 interface, which is generic. They can charge for the service.

See https://techinfo.toyota.com/public/main ... flash.html

Now the code itself may be secured so that editing would be futile. After all, all that is require is to allow a generic 'file' transfer. It doesn't mean that the contents of the file are encrypted at Toyota, and decrypted by the ECUs for install once they receive it.
This requirement is for OBD-II compliance. In this area, the requirement is to be able to access the trouble codes for service. After much debate during the early 90's and with Ford, GM, Toyota, etc. all using different protocols to access their codes thus requiring several different scan tools which were also deemed proprietary and restricted to dealers, the OBD-II agreement allows a common architecture to access a minimum amount of information. Dealer tools often include much more diagnostic capability and more data than the generic tools provide. Messages were established that contain specific data in specific byte locations, thus making the basic message content generic. The access method is simply a message sent by the tool requesting a specific message response. If formatted correctly, the vehicle device responds with the data packet requested. This is a read-only capability. If codes are requested to be cleared, this message is sent to the vehicle device, which then clears the codes using its own internal code to accomplish this.
 

·
Registered
Joined
·
7,161 Posts
If you even look at the URL, it is to FLASH the car, not just to get the code.

Might I suggest you click on the link and see what you get. There ARE tools to update the programming of cars.
 

·
Registered
Joined
·
128 Posts
I understand that. Different issue. Generic tools cannot FLASH cars. The ability to change the program code is complex and proprietary, and as I wrote elsewhere, highly complex to prevent unauthorized changes.
 

·
Registered
Joined
·
7,161 Posts
Yes they can and no you don't. Click on the link and you will see. I am not speaking of DTCs here, where you get a scanguage or something like that to read the errors. I am talking about devices that let you update the firmware on your vehicle, using the manufacturer's firmware update.

A generic tool doesn't have to compile code, only transfer it. An FTP protocol (or HTTP for that matter) can transfer a file, even if the file is encrypted. It is up to the creator of the file, and the one to use the tranferred file to encrypt/decrypt for proper use. A clerk could FTP it without knowing the contents.

I would agree that Toyota would have to provide the file (or files) that is being flashed into the car, but a generic flash tool could be used (and as per the link has been standardized) to transfer the toyota provided flash file into the ECU. Then if security is placed on the data, such as encryption, authentication, and/or checksum, the ECU could verify the file's signature, and decrypt the file.

Would it be easier or safer to use the genuine Toyota tool? Most likely. Is it absolutely necessary? Not at all. Heck, the THHT is a generic tool with Toyota provided software anyway.
 

·
Premium Member
Joined
·
2,815 Posts
khermans said:
Isn't there some way to update the Prius internal software via firmware on a CD or DVD (with Navi)? I have heard that to update the Navi maps, you need a DVD update of something. Is this true with the firmware, and how can this be done? I am interested in how this all works...very fascinating :)
Depends- what type of Prius do you have? What are you trying to update?

If you have a NHW10 or NHW11, the only way to update an ECU is to replace the ECU.

If you have a NHW20, you can visit your dealer, and if there is such an update (service campaign) it'll be uploaded via the Toyota Hand-Held Tester (THHT) (which was downloaded from the dealer's technical data site) through the OBDII port onto the required ECU. Expect a few hours for that to finish... But I don't think that all of the ECUs can be flash-programmed in this fashion yet.

If all you want to do is to update the maps/POI data for your navigation system, then you have to purchase an updated data navigation DVD from your dealer. I think that the newer DVDs will also have some navigation ECU reprogramming (for better routing algorithms, for example, as seen in the LSC 40J for the early 2004s).
 
1 - 20 of 22 Posts
This is an older thread, you may not receive a response, and could be reviving an old thread. Please consider creating a new thread.
Top