1. Introduction

This page details the UDS reprogramming sequence as implemented in OpenECU. Both mandatory and optional services will be detailed. The purpose of this page is not to fully explain these services since this is done in ISO14229. Instead, the purpose of this page is to describe the OpenECU implementation where the ISO14229 standard leaves room for manufacturer specific customization.

2. ISO15765 Configuration

ISO15765 CAN identifiers can be configured using the piso_Configuration block (Simulink API) or the iso-diagnostics compound statement in the C-API file (C-API).If the FEPS feature exists on the ECU, then default ISO15765 CAN identifiers will be used when negative FEPS is applied. See your ECU’s technical specification for details regarding FEPS.

Default ISO15765 identifiers:

3. Mandatory Services

3.1 Service $10 – DiagnosticSessionControl

The diagnostic tool must request sub-function 03 (extended diagnostic session) prior to requesting sub-function 02 (programming session). After requesting a programming session, the ECU will send a negative response / response pending message prior to jumping to the bootloader. The positive response will be sent after the bootloader is running.

3.2 Service $31 – RoutineControl, memory erase

Service $31 must be used to request flash memory erase. This is done with the following format:

Routine Control Option Record:

A negative response / response pending message will be sent followed by the positive response once the memory has been erased. Note: Only physical addressing is supported during reprogramming.

3.3 Service $34 – RequestDownload

Service $34 is used to set up a programming data transfer from the diagnostic tool to the ECU, and is formatted as follows:

Address and length format identifier: 0xNM, where N is the most significant nibble, and M is the least significant nibble. N is the number of bytes in the memorySize parameter. M is the number of bytes in the memoryAddress parameter

Note: Only physical addressing is supported during reprogramming.

3.4 Service $36 – TransferData

Service $36 contains the data that is described in the service $34 RequestDownload message. Service $36 immediately follows service $34, or immediately follows another service $36 message in the same transfer sequence.

Format is as described in ISO14229.

Note: Only physical addressing is supported during reprogramming.

3.5 Service $37 – RequestTransferExit

The diagnostic tool must send a service $37 Transfer Exit message prior to sending a new service $34 Request Download message.

OpenECU expects no transferRequestParameterRecord bytes. Therefore, this service should only consist of the service identifier.

The positive response will include a two-byte CRC in the transferResponseParameterRecord. This CRC is the CRC of the received data.

Note: Only physical addressing is supported during reprogramming.

4. Optional Supported Services This section describes optional services that may be used as part of a reprogramming sequence.

4.1 Service $3E – TesterPresent

The tester present service may be send at any time (except in the middle of a transport protocol sequence) in order to prevent the timeout of the current diagnostic session. The format is as described in ISO14229.

4.2 Service $22 – ReadDataByIdentifier

This service may be used to retrieve data

(DIDs) from the ECU. The format is as described in ISO14229.

4.3 Service $31 – RoutineControl, check programming conditions

Service $31 may be used to check programming conditions prior to beginning the reprogramming sequence. This is done with the following format:

  1. Service ID: $31
  2. Sub-function: 0x01 – startRoutine
  3. Routine ID: 0x0203
  4. Routine Control Option Record: None

Providing there are no conditions that would warrant a negative response code (as described in ISO14229), the OpenECU platform will emit a positive response. If programming conditions are such that programming is allowed, then the response will consist of the positive response ID along with the routine identifier. If the application is inhibiting reprogramming, then the positive response will contain one extra byte, which will be set to 0x06 (control active).

4.4 Service $27 – SecurityAccess

Service $27 may be used to unlock security for reprogramming. This service is only required if the OpenECU application configures UDS security to be required for reprogramming. Further information can be found in the OpenECU user guides. The format is as described in ISO14229 and the OpenECU user guides.

4.5 Service $31 – RoutineControl, check memory

Service $31 may be used after service $27 (TransferExit) to check if the resulting memory image is correct. As part of service $27 (TransferExit), a 2 byte CRC is calculated on the data received in the last transfer sequence. This routine computes the CRC of the memory just programmed to determine if it matches the CRC of the received data.

Providing there are no conditions that would warrant a negative response code (as described in ISO14229), the OpenECU platform will emit a positive response. If CRC of the memory image matches the CRC of the data received in the last transfer, then the routineInfo parameter will be 0x00. If the CRCs do not match, then the routineInfo parameter will be 0x01. Note: Only physical addressing is supported during reprogramming.

4.6 Service $85 – ControlDTCSetting

Service $85 may be used to enable or disable setting DTCs. This is typically used to disable DTCs during reprogramming. The format is as described in ISO14229, with subfunctions 0x01 (on) and 0x02 (off) as the only supported subfunctions. The optional DTCSettingControlOptionRecord is not supported by OpenECU and will result in a negative response if it is included.

4.7 Service $28 – CommunicationControl

Service $28 may be used to disable non-essential CAN communication during reprogramming events. The format is as described in ISO14229 with the following conditions:

4.8 Service $11 – ECUReset

Service $11 may be used after the reprogramming sequence to reset the ECU, therefore starting the newly programmed application. The format is as described in ISO14229.

Note: Only physical addressing is supported during reprogramming.

5. Example Reprogramming Sequence

The following shows a successful reprogramming sequence using all the mandatory services as well as some optional services. Data for 2 memory regions loaded:

1: start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4

2: start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96

Starting transport protocol with request id = 0x7e0, response id = 0x7e8

Step: tester present ping 1 (quick comms check)

Sending tester present ping 1 1

0:49:20.060 Tool> 7E0: 3e 00

10:49:20.068 ECU> 7E8: 7e 00

Test ping 1 reply received as expected, comms established

Step: Diagnostic Session Control (extended session)

10:49:20.409 Tool> 7E0: 10 03

10:49:20.419 ECU> 7E8: 50 03 00 32 13 88

Response OK (P2Can/P2*Can numbers ignored)

Step: Routine (check programming conditions) 1

0:49:20.846 Tool> 7E0: 31 01 02 03

10:49:20.860 ECU> 7E8: 71 01 02 03

Response OK

Step: ControlDTCSetting (off) 1

0:49:21.168 Tool> 7E0: 85 02

10:49:21.178 ECU> 7E8: c5 02

Response OK

Step: CommunicationControl (disable non-diagnostic)

10:49:21.499 Tool> 7E0: 28 01 01

10:49:21.508 ECU> 7E8: 68 01

Response OK

Step: Diagnostic Session Control (programming session)

10:49:21.828 Tool> 7E0: 10 02

10:49:21.838 ECU> 7E8: 7f 10 78

10:49:21.936 ECU> 7E8: 50 02 00 32 13 88

(Ignored response pending 'negative' response)

Response OK (P2Can/P2*Can numbers ignored)

Stage: actual programming

Step: WriteData (fingerprint)

10:49:22.485 Tool> 7E0: 2e f1 5a 13 05 0f 12 34 56 78 13 05 0f 12 34 56 78 13 05 0f 12 34 56 78

10:49:22.494 ECU> 7E8: 6e f1 5a

Response OK

Step: Routine (erase memory) for 2 regions

Erasing region 0 : start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4

10:49:22.818 Tool> 7E0: 31 01 ff 00 44 01 00 00 00 00 00 14 a4

10:49:22.822 ECU> 7E8: 7f 31 78

(Ignored response pending 'negative' response)

10:49:23.803 ECU> 7E8: 71 01 ff 00 00

Valid response received

Erasing region 1 : start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96 1

0:49:24.018 Tool> 7E0: 31 01 ff 00 44 01 04 00 00 00 02 eb 96

10:49:24.022 ECU> 7E8: 7f 31 78

(Ignored response pending 'negative' response)

10:49:25.066 ECU> 7E8: 71 01 ff 00 00

Valid response received

All memory regions erased

Step: RequestDownload for 2 regions

RequestDownload for region 0 : start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4

10:49:25.332 Tool> 7E0: 34 00 44 01 00 00 00 00 00 14 a4

10:49:25.336 ECU> 7E8: 74 20 04 00

Response OK, proceeding to TransferData for all blocks in region

Note: using ECU allowed payload size of 1022 bytes per block. Option to log TransferData messages (of which a large number is normal) is turned off.

Will show first TransferData message only as an example. Logging option can be turned on during transfer if desired.

Downloading block: start = 0x01000000, bytes = 0x000003fe

10:49:25.665 Tool> 7E0: 36 01 0f e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 f9 00 00 06 f8 00 00 01 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

10:49:25.961 ECU> 7E8: 76 01

Response OK

As explained above, further TD messages for this region will not be shown unless the option to log them is turned on during transfer. See address indicator for progress. All blocks transferred

Step: sending RequestTransferExit

10:49:28.828 Tool> 7E0: 37

10:49:28.830 ECU> 7E8: 77 04 94

Response OK

RequestDownload for region 1 : start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96

10:49:29.398 Tool> 7E0: 34 00 44 01 04 00 00 00 02 eb 96

10:49:29.402 ECU> 7E8: 74 20 04 00

Response OK, proceeding to TransferData for all blocks in region

Note: using ECU allowed payload size of 1022 bytes per block.

Option to log TransferData messages (of which a large number is normal) is turned off.

Will show first TransferData message only as an example. Logging option can be turned on during transfer if desired.

Downloading block: start = 0x01040000, bytes = 0x000003fe

10:49:29.701 Tool> 7E0: 36 01 78 01 eb 86 00 00 00 00 00 00 00 00 00 00 00 00 78 02 d2 c6 00 00 00 00 00 00 00 00 00 00 00 00 78 02 d3 70 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 32 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 46 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 12 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 26 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 16 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 06 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea f6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea d4 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea c4 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea c6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea b6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea a6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

10:49:29.998 ECU> 7E8: 76 01

Response OK

As explained above,

further TD messages for this region will not be shown unless the option to log them is turned on during transfer.

See address indicator for progress.

All blocks transferred

Step: sending RequestTransferExit

10:51:12.403 Tool> 7E0: 37

10:51:12.437 ECU> 7E8: 77 55 d1

Response OK

All regions transferred

Step: Routine (check memory)

10:51:12.855 Tool> 7E0: 31 01 02 02

10:51:12.889 ECU> 7E8: 71 01 02 02 00

Response OK

Step: Routine (check reprogramming dependencies)

10:51:13.171 Tool> 7E0: 31 01 ff 01

10:51:13.172 ECU> 7E8: 71 01 ff 01 00

Response OK

Step: ECUReset (hardReset)

10:51:13.607 Tool> 7E0: 11 01

10:51:13.608 ECU> 7E8: 51 01

Response OK

Finished programming sequence

6. UDS Settings Although the application may implement a specialized diagnostics design that may require tweaks to these settings, for typical OpenECU use:

"Flash" tab: Send extended session command should be CHECKED

Send reprogramming session command should be CHECKED

Perform SecurityAccess exchange will depend on whether security is desired

Download secondary bootloader should be UNCHECKED

Activate SBL routine command should be UNCHECKED ECU timeout should be 5000 ms

Custom TransferData max size should be CHECKED (typical size is 64)

Reset ECU command should be CHECKED

"EraseMemory" tab:

Start routine command basis should be 31 01 FF 00

Insert UDS addressAndLengthFormatIdentifier byte should be CHECKED

Number of address bytes should be 4

Number of length bytes should be 4

Numeric address, length range should be selected.

"PRELIMINARY PAGE"

      Copyright © 2016 Pi Innovo, All rights reserved