== 1. Introduction == This page details the UDS reprogramming sequence as implemented in OpenECU. Both mandatory and optional services will be detailed. The purpose of this document is not to fully explain these services since this is done in ISO14229. Instead, the purpose of this document is to describe the OpenECU implementation where the ISO14229 standard leaves room for manufacturer specific customization. == 2. ISO15765 Configuration == ISO15765 CAN identifiers can be configured using the piso_Configuration block (Simulink API) or the iso-diagnostics compound statement in the C-API file (C-API).If the FEPS feature exists on the ECU, then default ISO15765 CAN identifiers will be used when negative FEPS is applied. See your ECU’s technical specification for details regarding FEPS. Default ISO15765 identifiers: • Functional request ID: 0x7DF • Physical request ID: 0x7E0 • Physical response ID: 0x7E8 == 3. Mandatory Services == 3.1 Service $10 – DiagnosticSessionControl The diagnostic tool must request sub-function 03 (extended diagnostic session) prior to requesting sub-function 02 (programming session). After requesting a programming session, the ECU will send a negative response / response pending message prior to jumping to the bootloader. The positive response will be sent after the bootloader is running. 3.2 Service $31 – RoutineControl, memory erase Service $31 must be used to request flash memory erase. This is done with the following format: • Service ID: $31 • Sub-function: 0x01 – startRoutine • Routine ID: 0xFF00 Routine Control Option Record: • byte 0: Format identifier, bits 0-3: address size, bits 4-7: length size. Typically 0x44 (four byte length size, four byte address size). For the remainder of this description, this byte will be represented by 0xNM, where N is the most significant nibble, and M is the least significant nibble). • bytes 1 – N: address to erase • bytes (N+1) – M: length (number of bytes) to erase After requesting a flash memory erase via service $31, a negative response / response pending message will be sent followed by the positive response once the memory has been erased. Note: Only physical addressing is supported during reprogramming. 3.3 Service $34 – RequestDownload Service $34 is used to set up a programming data transfer from the diagnostic tool to the ECU, and is formatted as follows: • Service ID: $34 • Data format identifier: 0x00 – no compression or encryption Address and length format identifier: 0xNM, where N is the most significant nibble, and M is the least significant nibble. N is the number of bytes in the memorySize parameter. M is the number of bytes in the memoryAddress parameter • memoryAddress: Address to write the data being transferred • memorySize: Number of bytes to write • Response: as described in ISO14229 Note: Only physical addressing is supported during reprogramming. 3.4 Service $36 – TransferData Service $36 contains the data that is describe d in the service $34 RequestDownload message. Service $36 immediately follows service $34, or immediately follows another service $36 message in the same transfer sequence. Format is as described in ISO14229. Note: Only physical addressing is supported during reprogramming. 3.5 Service $37 – RequestTransferExit The diagnostic tool must send a service $37 Transfer Exit message prior to sending a new service $34 Request Download message. OpenECU expects no transferRequestParameterRecord bytes. Therefore, this service should only consist of the service identifier. The positive response will include a two-byte CRC in the transferResponseParameterRecord. This CRC is the CRC of the received data. Note: Only physical addressing is supported during reprogramming. == 4. Optional Supported Services == This section describes optional services that may be used as part of a reprogramming sequence. 4.1 Service $3E – TesterPresent The tester present service may be send at any time (except in the middle of a transport protocol sequence) in order to prevent the timeout of the current diagnostic session. The format is as described in ISO14229. 4.2 Service $22 – ReadDataByIdentifier This service may be used to retrieve data (DIDs) from the ECU. The format is as described in ISO14229. 4.3 Service $31 – RoutineControl, check programming conditions Service $31 may be used to check programming conditions prior to beginning the reprogramming sequence. This is done with the following format: 1. Service ID: $31 2. Sub-function: 0x01 – startRoutine 3. Routine ID: 0x0203 4. Routine Control Option Record: None Providing there are no conditions that would warrant a negative response code (as described in ISO14229), the OpenECU platform will emit a positive response. If programming conditions are such that programming is allowed, then the response will consist of the positive response ID along with the routine identifier. If the application is inhibiting reprogramming, then the positive response will contain one extra byte, which will be set to 0x06 (control active). 4.4 Service $27 – SecurityAccess Service $27 may be used to unlock security for reprogramming. This service is only required if the OpenECU application configures UDS security to be required for reprogramming. Further information can be found in the OpenECU user guides. The format is as described in ISO14229 and the OpenECU user guides. 4.5 Service $31 – RoutineControl, check memory Service $31 may be used after service $27 (TransferExit) to check if the resulting memory image is correct. As part of service $27 (TransferExit), a 2 byte CRC is calculated on the data received in the last transfer sequence. This routine computes the CRC of the memory just programmed to determine if it matches the CRC of the received data. • Service ID: $31 • Sub-function: 0x01 – startRoutine • Routine ID: 0x0202 • Routine Control Option Record: None Providing there are no conditions that would warrant a negative response code (as described in ISO14229), the OpenECU platform will emit a positive response. If CRC of the memory image matches the CRC of the data received in the last transfer, then the routineInfo parameter will be 0x00. If the CRCs do not match, then the routineInfo parameter will be 0x01. Note: Only physical addressing is supported during reprogramming. 4.6 Service $85 – ControlDTCSetting Service $85 may be used to enable or disable setting DTCs. This is typically used to disable DTCs during reprogramming. The format is as described in ISO14229, with subfunctions 0x01 (on) and 0x02 (off) as the only supported subfunctions. The optional DTCSettingControlOptionRecord is not supported by OpenECU and will result in a negative response if it is included. 4.7 Service $28 – CommunicationControl Service $28 may be used to disable non-essential CAN communication during reprogramming events. The format is as described in ISO14229 with the following conditions: • OpenECU does not support nodeIdentification number. Inclusion of this parameter will result in a negative response. • OpenECU supports subfunctions 0x00 through 0x03. • OpenECU supports the following message types (bits 0 – 1 of communicationType): • 0x1: normalCommunicationMessages • 0x2: networkManagementCommunicationMessages • 0x3: networkManagementCommunicationMessages and normalCommunicationMessages • OpenECU supports the following subnets (bits 4 – 7 of communicationType): 0x0, 0x1, 0x2, 0x3, and 0xF 4.8 Service $11 – ECUReset Service $11 may be used after the reprogramming sequence to reset the ECU, therefore starting the newly programmed application. The format is as described in ISO14229. Note: Only physical addressing is supported during reprogramming. == 5. Example Reprogramming Sequence == The following shows a successful reprogramming sequence using all the mandatory services as well as some optional services. Data for 2 memory regions loaded: 1: start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4 2: start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96 Starting transport protocol with request id = 0x7e0, response id = 0x7e8 Step: tester present ping 1 (quick comms check) Sending tester present ping 1 1 0:49:20.060 Tool> 7E0: 3e 00 10:49:20.068 ECU> 7E8: 7e 00 Test ping 1 reply received as expected, comms established Step: Diagnostic Session Control (extended session) 10:49:20.409 Tool> 7E0: 10 03 10:49:20.419 ECU> 7E8: 50 03 00 32 13 88 Response OK (P2Can/P2*Can numbers ignored) Step: Routine (check programming conditions) 1 0:49:20.846 Tool> 7E0: 31 01 02 03 10:49:20.860 ECU> 7E8: 71 01 02 03 Response OK Step: ControlDTCSetting (off) 1 0:49:21.168 Tool> 7E0: 85 02 10:49:21.178 ECU> 7E8: c5 02 Response OK Step: CommunicationControl (disable non-diagnostic) 10:49:21.499 Tool> 7E0: 28 01 01 10:49:21.508 ECU> 7E8: 68 01 Response OK Step: Diagnostic Session Control (programming session) 10:49:21.828 Tool> 7E0: 10 02 10:49:21.838 ECU> 7E8: 7f 10 78 10:49:21.936 ECU> 7E8: 50 02 00 32 13 88 (Ignored response pending 'negative' response) Response OK (P2Can/P2*Can numbers ignored) Stage: actual programming Step: WriteData (fingerprint) 10:49:22.485 Tool> 7E0: 2e f1 5a 13 05 0f 12 34 56 78 13 05 0f 12 34 56 78 13 05 0f 12 34 56 78 10:49:22.494 ECU> 7E8: 6e f1 5a Response OK Step: Routine (erase memory) for 2 regions Erasing region 0 : start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4 10:49:22.818 Tool> 7E0: 31 01 ff 00 44 01 00 00 00 00 00 14 a4 10:49:22.822 ECU> 7E8: 7f 31 78 (Ignored response pending 'negative' response) 10:49:23.803 ECU> 7E8: 71 01 ff 00 00 Valid response received Erasing region 1 : start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96 1 0:49:24.018 Tool> 7E0: 31 01 ff 00 44 01 04 00 00 00 02 eb 96 10:49:24.022 ECU> 7E8: 7f 31 78 (Ignored response pending 'negative' response) 10:49:25.066 ECU> 7E8: 71 01 ff 00 00 Valid response received All memory regions erased Step: RequestDownload for 2 regions RequestDownload for region 0 : start = 0x01000000, end = 0x010014a3, bytes = 0x000014a4 10:49:25.332 Tool> 7E0: 34 00 44 01 00 00 00 00 00 14 a4 10:49:25.336 ECU> 7E8: 74 20 04 00 Response OK, proceeding to TransferData for all blocks in region Note: using ECU allowed payload size of 1022 bytes per block. Option to log TransferData messages (of which a large number is normal) is turned off. Will show first TransferData message only as an example. Logging option can be turned on during transfer if desired. Downloading block: start = 0x01000000, bytes = 0x000003fe 10:49:25.665 Tool> 7E0: 36 01 0f e5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 f9 00 00 06 f8 00 00 01 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10:49:25.961 ECU> 7E8: 76 01 Response OK As explained above, further TD messages for this region will not be shown unless the option to log them is turned on during transfer. See address indicator for progress. All blocks transferred Step: sending RequestTransferExit 10:49:28.828 Tool> 7E0: 37 10:49:28.830 ECU> 7E8: 77 04 94 Response OK RequestDownload for region 1 : start = 0x01040000, end = 0x0106eb95, bytes = 0x0002eb96 10:49:29.398 Tool> 7E0: 34 00 44 01 04 00 00 00 02 eb 96 10:49:29.402 ECU> 7E8: 74 20 04 00 Response OK, proceeding to TransferData for all blocks in region Note: using ECU allowed payload size of 1022 bytes per block. Option to log TransferData messages (of which a large number is normal) is turned off. Will show first TransferData message only as an example. Logging option can be turned on during transfer if desired. Downloading block: start = 0x01040000, bytes = 0x000003fe 10:49:29.701 Tool> 7E0: 36 01 78 01 eb 86 00 00 00 00 00 00 00 00 00 00 00 00 78 02 d2 c6 00 00 00 00 00 00 00 00 00 00 00 00 78 02 d3 70 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 32 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 46 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 12 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 26 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 16 00 00 00 00 00 00 00 00 00 00 00 00 78 01 eb 06 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea f6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea d4 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea c4 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea c6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea b6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea a6 00 00 00 00 00 00 00 00 00 00 00 00 78 01 ea 96 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10:49:29.998 ECU> 7E8: 76 01 Response OK As explained above, further TD messages for this region will not be shown unless the option to log them is turned on during transfer. See address indicator for progress. All blocks transferred Step: sending RequestTransferExit 10:51:12.403 Tool> 7E0: 37 10:51:12.437 ECU> 7E8: 77 55 d1 Response OK All regions transferred Step: Routine (check memory) 10:51:12.855 Tool> 7E0: 31 01 02 02 10:51:12.889 ECU> 7E8: 71 01 02 02 00 Response OK Step: Routine (check reprogramming dependencies) 10:51:13.171 Tool> 7E0: 31 01 ff 01 10:51:13.172 ECU> 7E8: 71 01 ff 01 00 Response OK Step: ECUReset (hardReset) 10:51:13.607 Tool> 7E0: 11 01 10:51:13.608 ECU> 7E8: 51 01 Response OK Finished programming sequence == 6. UDS Settings == Although the application may implement a specialized diagnostics design that may require tweaks to these settings, for typical OpenECU use: "Flash" tab: Send extended session command should be CHECKED Send reprogramming session command should be CHECKED Perform SecurityAccess exchange will depend on whether security is desired Download secondary bootloader should be UNCHECKED Activate SBL routine command should be UNCHECKED ECU timeout should be 5000 ms Custom TransferData max size should be CHECKED (typical size is 64) Reset ECU command should be CHECKED "EraseMemory" tab: Start routine command basis should be 31 01 FF 00 Insert UDS addressAndLengthFormatIdentifier byte should be CHECKED Number of address bytes should be 4 Number of length bytes should be 4 Numeric address, length range should be selected. "PRELIMINARY PAGE"