Protocol Basics (ISO 14229)#

  • Originated from KWP2000 (ISO 14230)

  • Application layer protocol

  • Transported by ISOTP (DoCAN) or TCP (DoIP or HSFZ)

  • Use-Cases:

    • Configuration of ECUs

    • Execution of test routines

    • Software-updates

    • Information retrieval

    • Reading of DTCs

  • Manufacturers rather change configuration then firmware: Same firmware on different markets and types of cars with different config

  • Test routines: Actuators, Breaks, Run Engine, Clear Memory, etc.

  • Vehicle acts as server

  • Computer / Tester can be treated as client

  • Communication is driven by the client

  • Communication is request / response driven

  • First byte is always the service identifier

  • Range of request service identifiers: 0x10 - 0x3e and 0x80 - 0xbf

  • Range of positive response service identifiers: 0x50 - 0x7e and 0xc0 - 0xff, RequestServiceId | 0x40 == PositiveResponseServiceId

  • Negative response service identifier: 0x7f

  • Official request service identifier ranges as defined in ISO14229 are smaller, but sometimes OEMs use unspecified identifiers for custom services

  • On some services bit 7 (MSB) of byte 2 has a special meaning: suppressPosRspMsgIndicationBit

  • On broadcasts, the positive response is often suppressed to save bandwidth

  • A negative response with response code requestCorrectlyReceived-ResponsePending (0x78) delays a positive response. If this negative response is received, a positive response will follow.

Interesting Services#

  • 0x10 DiagnosticSessionControl: Allows to change sessions. ProgrammingSession is often the bootloader. Some OEMs have proprietary sessions.

  • 0x11 ECUReset: Critical, if this is possible while driving

  • 0x22 ReadDataByIdentifier: Identifiers are OEM specific. If they are known, useful information can be gathered

  • 0x23 ReadMemoryByAddress: Bingo! … if supported.

  • 0x27 SecurityAccess: Necessary to access protected functions. Modern ECUs have different levels.

  • 0x28 CommunicationControl: Critical, if this is accessible while driving. Allows you to silent an ECU.

  • 0x2E WriteDataByIdentifier: If you know what your are doing, this service might be very useful. Identifiers are OEM specific and usually kept secret.

  • 0x2F InputOutputControlByIdentifier: Allows to overwrite input signals or to control actuators.

  • 0x31 RoutineControl: Used for arbitrary functions from OEMs. Can be safety critical actions, security access related functions, or necessary functions during software updates.

  • 0x34 RequestDownload: Initiates a software update.

  • 0x36 TransferData: Transports the software update data.

  • 0x3E TesterPresent: Important. Needs to be send periodically (\(t < 5s\)), to keep ECU in a certain session / security access level.

Communication Examples#


Fig. 57 UDS ReadDataByIdentifier communication examples. Request with positive response, request with negative response, and request with delayed positive response.#


Fig. 58 UDS TesterPresent communication examples with suppressPosRspMsgIndicationBit.#