Toyota Unintended Acceleration and the Big Bowl of "spaghetti" Code(2013)

Postedabout 1 month agoActive25 days ago

SoKamil

2 points

1 comments

safetyresearch.netTech Discussionstory

informativenegative

Debate

60/100

Automotive SoftwareSoftware SafetyCode Quality

Key topics

Automotive Software

Software Safety

Code Quality

Discussion Activity

Very active discussion

First comment

10m

Peak period

0-12h

Avg / period

Key moments

01Story posted
Dec 7, 2025 at 7:31 PM EST
about 1 month ago
Step 01
02First comment
Dec 7, 2025 at 7:41 PM EST
10m after posting
Step 02
03Peak activity
43 comments in 0-12h
Hottest window of the conversation
Step 03
04Latest activity
Dec 12, 2025 at 9:36 PM EST
25 days ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 55 comments

supahfly_remix

30 days ago

1 reply

Does anyone know where one could obtain the firmware for this? It might be interesting to reverse engineer.

altairprime

30 days ago

1 reply

It’s available in various archives of the Toyota TechStream pre-2024 editions, in some sort of weird encrypted file format that can be trivially decrypted; I haven’t tried myself but the ECU I work with isn’t encrypted in-vehicle. I’ve spent five or six years in Ghidra with various hybrid Subaru-Toyota ECUs from 2013-2020 and I wonder what kind of source control practices result in the massive function spaghetti that must have produced in this SH-2A code; I can see where Toyota bolted their direct injection runloop into Subaru’s. So, yeah, if you’re curious, the firmware’s out there, if you’ve got a few years to spare and an absolutely ridiculous amount of patience (and a solid grasp of CAN bus messaging protocols, which you’ll need to identify code blocks and variables and such!)

“The Car Hacker’s Handbook” may be of interest as a first step review, but honestly I just dove in with Ghidra and just .. didn’t ever stop. YMMV :)

supahfly_remix

30 days ago

1 reply

lol, thanks for the reply. Yes, I was thinking of looking at it, but your comment dissuaded me. Out of curiosity, did you try running ECU code through an LLM and asking questions of it, and, if so, how did that work out?

altairprime

29 days ago

[delayed]

stackghost

30 days ago

1 reply

Safety Research Systems, the author of TFA, is a for-profit company whose income is based on lawsuits.

Make of that what you will.

throwaway81523

30 days ago

Philip Koopman was an expert witness against Toyota (which is a bit questionable to me) and he has some stuff on his website about the case too.

https://betterembsw.blogspot.com/search/label/Toyota%20UA

LanceH

30 days ago

2 replies

Ah yes, where Toyota was found guilty of not being a US company.

The only thing they did in the recall was the same floor mat anchor as so many other cases.

"NASA engineers found no electronic flaws in Toyota vehicles capable of producing the large throttle openings required to create dangerous high-speed unintended acceleration incidents. The two mechanical safety defects identified by NHTSA more than a year ago – “sticking” accelerator pedals and a design flaw that enabled accelerator pedals to become trapped by floor mats – remain the only known causes for these kinds of unsafe unintended acceleration incidents. Toyota has recalled nearly 8 million vehicles in the United States for these two defects." -- transportation.gov

Cosmic rays and other wild theories over the simple theory of driver error. Even with a stuck throttle, the brakes will still stop a car (not to mention shifting into neutral still works).

Denatonium

30 days ago

4 replies

Not to mention that in an emergency, you can always turn the key to kill the engine, and then put it back into pre-igntion (to unlock the steering column). You won't have power-assisted braking or power-steering, but with a bit of adrenaline-fueled strength, it is definitely preferable to being in a car that is stuck accelerating.

helterskelter

30 days ago

1 reply

Key?

chneu

30 days ago

Long press the start/stop button.

laweijfmvo

30 days ago

1 reply

shift into neutral

ehnto

30 days ago

It was a 2005 model, so it should have been possible. However the article isn't super clear on where exactly the software is running, and the transmission controller and engine control unit can be interlinked in various ways. Especially more modern vehicles, it would be entirely possible to write code that disallowed shifting if it was an automatic. We have no idea just how poorly orchestrated this system was and what features were affected.

I don't know enough about 2005 Camry's though, so I wouldn't speculate much further than that.

PhotonHunter

30 days ago

1 reply

The service brakes of anything short of a supercar are sufficient to stop a car at WOT.

joecool1029

30 days ago

1 reply

Well, they didn’t here, also: https://en.wikipedia.org/wiki/Brake_fade

jjav

30 days ago

Brakes will always overpower the engine unless the braking system is severly damaged. This is simple physics. Cars decelerate far faster than they accelerate, which is to say, the brakes can generate far more horsepower than the engine can.

(Apparently the Rimac Nevera, with about 2000hp, can accelerate faster than it brakes. So that one might be the only exception. So unless you're driving a 2000hp car, the brakes will always overpower the engine, that is not debatable.)

Brake fade is irrelevant here. Brakes fade when overheated beyond their operating range, either due to fluid boiling and/or the pads overheating. This is nearly impossible to achieve in street driving, but can be experienced on the race track. None of the claimed acceleration accidents involved extreme repeated braking prior to the incident.

mmooss

30 days ago

1 reply

That's a lot of thought and action in a unexpected and very fast-moving situation. I don't think that's a realistic expectation, except perhaps for trained personnel like airplane pilots.

LanceH

29 days ago

Stomp on brakes is pretty basic, and all that was ever needed for overpowering a prius's engine/motor.

This "scandal" was never about mechanical failures. It was almost certainly about driver error and mass hysteria.

As for Toyota settling, had this been Ford or Chevy, the government wouldn't have had the appetite to go after them for what was always a non-issue. It was just less expensive for Toyota to fix floor mats and pay a billion to put it all behind them.

SV_BubbleTime

30 days ago

5 replies

Ok, but their engine controller was found to have 12,000 global variables and no one could ever say conclusively that the pedal issue was real or not.

The issue was not that no one found the flaw, it’s that no one could prove it wasn’t there.

behringer

30 days ago

1 reply

Over 9000!!??

jiggawatts

30 days ago

1 reply

Common in some real time systems with minimal or no usage of the stack.

behringer

29 days ago

1 reply

Yes. In fact I would trust such a system far more since a more procedural approach to the system would be much, much easier to spot bugs.

SV_BubbleTime

29 days ago

My man. As someone who works on Autosar controllers, your trust is extremely misplaced.

majormajor

30 days ago

1 reply

>The issue was not that no one found the flaw, it’s that no one could prove it wasn’t there.

Are cars since then required to have formally verified codebases, or is "no one could prove [there are no bugs]" still true?

---

Trying to evaluate what happened based on observation of events alone and stats, in absence of a formal proof of issue or non-issue... the cars didn't just disappear overnight so if there was such an issue... where did it go?

LanceH

29 days ago

1 reply

That software was never fixed. Those cars were still on the road after the "scandal". The problem went away somehow.

SV_BubbleTime

29 days ago

1 reply

This isn’t true.

Toyota issued multiple engine controller updates. All mfgs do, all the time.

There are no changelogs.

It would also matter what their typical car lifecycle is, it could have been just before refresh so only effected a couple years.

It could have also been bad floor mats.

We’ll never know - but the point is, that their code was so bad you COULD never know.

LanceH

29 days ago

They also never caught the clowns in the forest stealing children, nor the satanic groups sacrificing babies in the 80's.

cwmoore

30 days ago

But brakes bro

McGlockenshire

30 days ago

> no one could ever say conclusively that the pedal issue was real or not

You should ask a mechanic's opinion.

Gibbon1

30 days ago

I'm suspicious that a lot of those 12,000 are constants. Just based on how I think those guys operate.

You and I would change a constant and recompile. They will just splat location 0x239A

fnord77

30 days ago

1 reply

> Other egregious deviations from standard practice were the number of global variables in the system. (A variable is a location in memory that has a number in it. A global variable is any piece of software anywhere in the system can get to that number and read it or write it.) The academic standard is zero. Toyota had more than 10,000 global variables.

jdlshore

30 days ago

2 replies

My understanding is that global variables are more common in embedded systems because it provides memory determinism.

monegator

30 days ago

nah, by looking ad other people's firmware it's because most of my embedded colleagues are goats stuck in pre-ANSI C. You can always declare a "global" static, so it's not on the stack or heap, and access that via functions.

Nothing wrong with source-file-level statics, you're bound to use them

Glawen

30 days ago

Yep that's the standard in embedded on bare metal without memory allocation. There is a mechanism in place to synchronise data during interrupts, so it's not really direct write. Usually also coupled with a two complement variable or similar to make sure memory is not corrupted for safety critical data.

PhotonHunter

30 days ago

1 reply

Was there ever a recall of the ECU, and if not, why did the UA events go away? Were UA events more common at higher elevations, where there would be more cosmic ray activity?

This story is like Baba Yaga, it comes out from the shadows to scare people every now and then, but Barr’s theory has the interesting property that the ECU would be cleared by the error and so there could never be evidence of the event as he postulated.

1970-01-01

29 days ago

There was an ECU update but not a recall. There's thousands of these old ECUs driving cars that are still on the road. Yet somehow they never misbehaved after the mass hysteria and legal circus was over and forgotten. Hmm.

userbinator

30 days ago

2 replies

I still believe that the actual cause was tin whiskers, but all the RoHS lobbying buried the evidence.

http://nepp.nasa.gov/whisker/reference/tech_papers/2011-NASA...

Aeglaecia

30 days ago

1 reply

im sure that any reasonably charismatic software engineer could scare the shit out of a judge/jury based on code analysis ... perusing the linked nasa document, recurrence odds of this particular failure mode do seem significantly greater than the odds of a cosmic bit flip ...

thebruce87m

30 days ago

1 reply

> Studies by IBM in the 1990s suggest that computers typically experience about one cosmic-ray-induced error per 256 megabytes of RAM per month.

https://www.scientificamerican.com/article/solar-storms-fast...

Just to give perspective on the bit flip probability. ECC ftw!

nsoqm

30 days ago

5 replies

Is this was true, wouldn’t any modern computer would be crashing several times a month? And please don’t tell me “oh but it is”, because it is not.

ashirviskas

30 days ago

1 reply

Most of the RAM may not be critical enough to crash the whole system. Just some random app you have open or a browser tab. So even if it is true, most bit flips should not crash a system.

nsoqm

30 days ago

1 reply

Yes, I know that. So why aren’t my applications or tabs crashing at least once a day?

ashirviskas

25 days ago

No clue, but you can most likely simulate this for a process on linux. Actually, I might just try that and see what happens.

crote

30 days ago

How many of those errors vould result in a full system crash, though? And how many of them are just going to cause silent and mostly-harmless data corruption?

After all, was the error in the first line a typo on my side, or a single-bit upset?

A while ago some researchers registered off-by-one-bit domain name typos, which due to physical key positioning were unlikely to be the result of genuine mistyping. I can't find a reference right now, but I recall them getting quite a lot of queries!

SoKamilAuthor

30 days ago

Write a Bit Flip simulator and report your observations ;)

userbinator

28 days ago

It's not true.

I have left memtest86+ running on a few dozen GB of memory for several days during burn-in testing, definitely more than enough to pass the "once per 256MB per month" threshold, and did not encounter any errors.

scraptor

29 days ago

Servers with ECC generally report zero recoverable memory errors until the chip starts failing, at which point there are increasingly many. Therefore the average server experiences zero cosmic ray related memory errors during its lifetime, despite having many times more memory than 256MB.

Aloha

30 days ago

2 replies

I'm a very large believer that aggressive RoHS regulations have created more intractable problems than they have solved.

ta20240528

30 days ago

1 reply

Sure, let's let them put lead back in paint.

Aloha

29 days ago

There is a large gap between "maybe trying to take lead out of solder causes more issues that it solves" and "lead paint is good"

brettermeier

30 days ago

Stupid

pengaru

30 days ago

2 replies

"supply voltage to the electronic control system was purposely lowered and perturbed to simulate bad alternator and/or battery system. The result from the manipulation of supply voltage was rather astonishing. The control systems seemed to work even with the perturbed supply voltage but not correctly. As a matter of fact, it seemed to cause the sudden unintended acceleration repeatedly. The supply voltage to the ECU can be disturbed by minor mishap in the alternator output function and possibly by the overload of ever increasing use of electric devices in the vehicle by the driver. In any case, the current study showed the reproduction of the sudden unintended acceleration when the supply voltage changes abruptly by sudden drop of the alternator output voltage or by overload of the electric devices."

https://www.sciencedirect.com/science/article/abs/pii/S03790...

Glawen

30 days ago

So they drop the voltage to mimic an engine cranking, and they are surprised that the ECU behaves like it is cranking. When engine cranks, voltage drops below minimum voltage required by ECU to keep SW running (SW resets). To counter these, ECUs keep outputs to the max. Normally I would expect an electrical loop with the crank signal though.

M95D

30 days ago

Couldn't read the article, only the summary, but it sounds like glitching by the description. I expect the ECU lowers 12V to 5V or 3.3V by using a buck converter which includes a filter capacitor. To glitch the CPU, the 12V would need to drop well below 5V to have any effect. I don't see how this could happen. If the battery is weak enough to drop below 9V under any conditions other than a short, that car won't even start. My suspicion is that they glitched the ECU power supply directly, not the 12V input - the summary doesn't say.

My conclusion is that it's mosty (scientific) clickbait.

gnabgib

about 1 month ago

Popular in 2015:

(96 points, 106 comments) https://news.ycombinator.com/item?id=10437117

(152 points, 145 comments) https://news.ycombinator.com/item?id=9643204

qchris

30 days ago

Related to [1]; this topic was discussed earlier today (perhaps inspiring this submission?) in a HN thread on C++ coding standards for the F-35 JSF (search "spaghetti").

[1] https://news.ycombinator.com/item?id=46183657

View full discussion on Hacker News

ID: 46186950Type: storyLast synced: 12/8/2025, 12:50:14 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN