Unified Diagnostic Services (UDS) is a diagnostic communication protocol used by electronic control units (ECUs) in automotive electronics. [1] UDS is defined by ISO 14229 and evolved from from ISO 14230 (KWP2000), which is now largely obsolete. UDS specifies functionality at the session, presentation, and application layers (layers 5–7) of the OSI model. Because of this, it can operate on different physical and data link layers such as CAN (ISO 11898), LIN (ISO 17987), Ethernet (ISO 13400), FlexRay (ISO 17458), and K-Line (ISO 14230). In practice, UDS is most commonly used over CAN via Diagnostic over CAN (DoCAN), defined in ISO 15765.
The term “Unified” refers to the fact that UDS is an international standard rather than a manufacturer-specific protocol. Today, nearly all Tier 1 suppliers implement UDS in ECUs developed for automotive original equipment manufacturers (OEMs). UDS is also integrated into larger software architectures, including AUTOSAR.
Modern vehicles have a diagnostic interface for on-board diagnostics, which makes it possible to connect a computer (client) or diagnostics tool, which is referred to as tester, to the communication system of the vehicle. Thus, UDS requests can be sent to the controllers which provide responses (this may be positive or negative). This makes it possible to interrogate the fault memory of the individual control units, to update them with new firmware, have low-level interaction with their hardware (e.g. to turn a specific output on or off), or to make use of special functions (referred to as routines) to attempt to understand the environment and operating conditions of an ECU to be able to diagnose faulty or otherwise undesirable behavior.
SID (Service Identifier) [2]
| Function group | Request Service Identifier (SID) | Response Service Identifier (RSID) | Service name | Description |
|---|---|---|---|---|
| Diagnostic and Communications Management | 0x10 | 0x50 | DiagnosticSessionControl [3] | DiagnosticSessionControl service is used to change diagnostic sessions in the server(s). In each diagnostic session a different set of diagnostic services (and/or functionalities) is enabled in the server. Server shall always be in exactly one diagnostic session. |
| 0x11 | 0x51 | ECUReset [4] | ECUReset service is used by the client to request that the server perform a reset. The server, after receiving this request, performs the specified type of reset (either before or after transmitting the positive response). | |
| 0x27 | 0x67 | SecurityAccess [5] | SecurityAccess service allows the client to unlock functions/services with restricted access. Unlocking sequence:
| |
| 0x28 | 0x68 | CommunicationControl [6] | CommunicationControl service allows the client to switch on/off the transmission and/or the reception of certain messages on the server(s). | |
| 0x29 | 0x69 | Authentication [7] | Authentication service provides a mechanism for the client to prove its identity, allowing access to data and/or diagnostic services that have restricted access due to security, emissions, or safety requirements. | |
| 0x3E | 0x7E | TesterPresent [8] | If no communication is exchanged with the client for a long time, the control unit automatically exits the current session and returns to the "Default Session" back, and might go to sleep mode. Therefore, there is an extra service which purpose is to signal to the device that the client is still present. | |
| 0x85 | 0xC5 | ControlDTCSettings [9] | Enables, disables, or otherwise controls the transmission of DTC's. This is helpful when maintenance or modification work is being performed on a vehicle to avoid anomalous or annoying behavior, like beeping on an instrument cluster or safety systems activating in response to an external DTC. Like most UDS settings, this does not typically persist after a reboot.
| |
| 0x86 | 0xC6 | ResponseOnEvent [10] | ||
| 0x87 | 0xC7 | LinkControl [11] | The Service Link Control is used to set the baud rate of the diagnostic access. It is usually implemented only at the central gateway. | |
| Data Transmission | 0x22 | 0x62 | ReadDataByIdentifier [12] | ReadDataByIdentifier service allows the client to request data record values from the server identifier by one or more DataIdentifiers (DIDs). |
| 0x23 | 0x63 | ReadMemoryByAddress [13] | ReadMemoryByAddress service allows the client to request server’s memory data stored under provided memory address. | |
| 0x24 | 0x64 | ReadScalingDataByIdentifier [14] | ReadScalingDataByIdentifier service allows the client to request the scaling information associated with a Data Identifier (DID). Scaling data provides information required to correctly interpret the actual data value, such as:
| |
| 0x2A | 0x6A | ReadDataByPeriodicIdentifier [15] | ReadDataByPeriodicIdentifier service allows the client to request periodic transmission of data record values from the server. Each periodic data record is identified by Periodic DID (the second byte of a DID with a fixed first byte 0xF2). | |
| 0x2C | 0x6C | DynamicallyDefineDataIdentifier [16] | This service offers the possibility of a fix for a device specified Data Identifier (DID) pool to configure another Data Identifier. This is usually a combination of parts of different DIDs or simply a concatenation of complete DIDs. The requested data may be configured or grouped in the following manner:
| |
| 0x2E | 0x6E | WriteDataByIdentifier [17] | With the same Data Identifier (DID), values can also be changed. In addition to the identifier, the new value is sent along. | |
| 0x3D | 0x7D | WriteMemoryByAddress [18] | The “Write Memory By Address” service allows the external diagnostic tool to write information into the ECU at one or more contiguous memory locations. | |
| Stored Data Transmission | 0x14 | 0x54 | ClearDiagnosticInformation [19] | ClearDiagnosticInformation service is used by the client to clear Diagnostic Trouble Codes (DTCs) and related data stored in one or more server memories. |
| 0x19 | 0x59 | ReadDTCInformation [20] | ReadDTCInformation service allows the client to request current Diagnostic Trouble Code (DTC) information from one or more servers within the vehicle. | |
| Input / Output Control | 0x2F | 0x6F | InputOutputControlByIdentifier [21] | This service allows an external system intervention on internal / external signals via the diagnostic interface. By specifying a so-called option bytes additional conditions for a request can be specified, the following values are specified: ReturnControlToECU: The device must get back controls of the mentioned signals. ResetToDefault: The tester prompts to reset signals to the system wide default value. Freeze Current State: The device shall freeze the current signal value. ShortTermAdjustment: The device shall use the provided value for the signal |
| Remote Activation of Routine | 0x31 | 0x71 | RoutineControl [22] | Control routine services of all kinds can be performed. There are three different message types:
The start and stop message parameters can be specified. This makes it possible to implement every possible project-specific service. |
| Upload / Download | 0x34 | 0x74 | RequestDownload [23] | Downloading new software or other data into the control unit is introduced using the "Request Download". Here, the location and size of the data is specified. In turn, the tester specifies how large the data packets can be. |
| 0x35 | 0x75 | RequestUpload [24] | The service "request upload" is almost identical to the service "Request Download". With this service, the software from the control unit is transferred to the tester. The location and size must be specified. Again, the size of the data blocks are specified by the tester. | |
| 0x36 | 0x76 | TransferData [25] | For the actual transmission of data, the service "Transfer Data" is used. This service is used for both uploading and downloading data. The transfer direction is notified in advance by the service "Request Download" or "Upload Request". This service should try to send packets at maximum length, as specified in previous services. The background protocol ISO-TP has a limit of 4095 bytes. If the data set is larger than the maximum, the "Transfer Data" service must be used several times in succession until all data has arrived. | |
| 0x37 | 0x77 | RequestTransferExit [26] | A data transmission can be 'completed' when using the "Transfer Exit" service. This service is used for comparison between the control unit and the tester. When it is running, a control unit can answer negatively on this request to stop a data transfer request. This will be used when the amount of data (set in "Request Download" or "Upload Request") has not been transferred. | |
| 0x38 | 0x78 | RequestFileTransfer [27] | This service is used to initiate a file download from the client to the server or upload from the server to the client. Additionally information about the file system are available by this service. | |
| Security | 0x84 | 0xC4 | SecuredDataTransmission [28] |
There are two types of diagnostic messages transmitted using UDS protocol:
Request messages are transmitted by a Client towards one or more Servers. [29]
Service Identifier (SID) is the first byte in each request message. [30]
Response messages are transmitted by Servers to a Client. [31]
The first byte in the response message is usually Response Service Identifier (RSID) value (with the exception of following responses to ReadDataByPeriodicIdentifier service). [32] [15]
If a server responds with a positive response message, it means that the server received the corresponding request message and executed actions requested by a client. [33]
Format of each positive response message is specific for the diagnostic service it relates to.
If a server responds with a negative response message, it means that (for some reason) the server could not execute actions requested by a client. [34]
| Byte | Value | Description |
|---|---|---|
| #1 | 0x7F | Negative Response SID |
| #2 | SID | SID value from request message |
| #3 | NRC | reason for the rejection |
Negative Response Codes (NRC in short) carry the information for request message rejection. [35]
| Value | Name |
|---|---|
| 0x10 | generalReject |
| 0x11 | serviceNotSupported |
| 0x12 | SubFunctionNotSupported |
| 0x13 | incorrectMessageLengthOrInvalidFormat |
| 0x14 | responseTooLong |
| 0x21 | busyRepeatRequest |
| 0x22 | conditionsNotCorrect |
| 0x24 | requestSequenceError |
| 0x25 | noResponseFromSubnetComponent |
| 0x26 | FailurePreventsExecutionOfRequestedAction |
| 0x31 | requestOutOfRange |
| 0x33 | securityAccessDenied |
| 0x34 | authenticationRequired |
| 0x35 | invalidKey |
| 0x36 | exceedNumberOfAttempts |
| 0x37 | requiredTimeDelayNotExpired |
| 0x38 | secureDataTransmissionRequired |
| 0x39 | secureDataTransmissionNotAllowed |
| 0x3A | secureDataVerificationFailed |
| 0x50 | Certificate verification failed, Invalid Time Period |
| 0x51 | Certificate verification failed, Invalid Signature |
| 0x52 | Certificate verification failed, Invalid Chain of Trust |
| 0x53 | Certificate verification failed, Invalid Type |
| 0x54 | Certificate verification failed, Invalid Format |
| 0x55 | Certificate verification failed, Invalid Content |
| 0x56 | Certificate verification failed, Invalid Scope |
| 0x57 | Certificate verification failed, Invalid Certificate (revoked) |
| 0x58 | Ownership verification failed |
| 0x59 | Challenge calculation failed |
| 0x5A | Setting Access Rights failed |
| 0x5B | Session key creation/derivation failed |
| 0x5C | Configuration data usage failed |
| 0x5D | DeAuthentication failed |
| 0x70 | uploadDownloadNotAccepted |
| 0x71 | transferDataSuspended |
| 0x72 | generalProgrammingFailure |
| 0x73 | wrongBlockSequenceCounter |
| 0x78 | requestCorrectlyReceived-ResponsePending |
| 0x7E | SubFunctionNotSupportedInActiveSession |
| 0x7F | serviceNotSupportedInActiveSession |
| 0x81 | rpmTooHigh |
| 0x82 | rpmTooLow |
| 0x83 | engineIsRunning |
| 0x84 | engineIsNotRunning |
| 0x85 | engineRunTimeTooLow |
| 0x86 | temperatureTooHigh |
| 0x87 | temperatureTooLow |
| 0x88 | vehicleSpeedTooHigh |
| 0x89 | vehicleSpeedTooLow |
| 0x8A | throttle/PedalTooHigh |
| 0x8B | throttle/PedalTooLow |
| 0x8C | transmissionRangeNotInNeutral |
| 0x8D | transmissionRangeNotInGear |
| 0x8F | brakeSwitch(es)NotClosed (Brake Pedal not pressed or not applied) |
| 0x90 | shifterLeverNotInPark |
| 0x91 | torqueConverterClutchLocked |
| 0x92 | voltageTooHigh |
| 0x93 | voltageTooLow |
| 0x94 | ResourceTemporarilyNotAvailable |