Configure whether sensitive services are available and related SecurityAccess settings.
EXT_DIAG (Extended diagnostics library). (See Section 2.3, “Licensed Features”.)
Certain UDS/KWP2000 services can be restricted to protect your ECU from having unauthorised changes or having its contents read out over the diagnostic link.
The relevant services can either be completely disallowed, or allowed only if the required seed-key security exchange has been passed successfully. (The options are detailed below.)
Even if flash reprogramming via UDS is allowed, you may wish to disable this facility if run-time circumstances are not appropriate (e.g. vehicle moving or engine running). The 'inhibit_reprogramming' inport allows you to control whether reprogramming is permitted at run time.
If enabled, the platform will attempt to use a C code function that implements your own custom security algorithm, whenever it receives the SecurityAccess ($27) service request from the tool. The security algorithm is also used in programming mode (i.e. by the boot loader) so that access to the ECU can be controlled even if the application has been erased, for subsequent programming attempts.
See Notes section at the end of this block help for more detail on how to implement the security function.
Value type: | Boolean | ||
Calibratable: | No |
Used to control whether UDS protocol flash reprogramming of the application code and/or calibration is allowed at all, and if so what SecurityAccess must be achieved first (if any). The options are:
Allowed without security: programming is always allowed, and no SecurityAccess exchange is required first.
Allowed if any security level attained: programming is only allowed if a SecurityAccess seed-key exchange has been passed successfully, but it does not matter which security level (LEV_SAT_RSD in the UDS standard) was negotiated.
Allowed if specified security level(s) attained: programming is only allowed if a SecurityAccess seed-key exchange has been passed successfully, and the security level (LEV_SAT_RSD in the UDS standard) was negotiated is one specified in the list (next parameter down).
Never allowed: programming is never permitted via UDS, regardless of SecurityAccess exchanges.
Value type: | List | ||
Calibratable: | No |
Security level(s) [for flash reprogramming]
This parameter only becomes visible if Allowed if specified security level(s) attained is selected above. Specify one or more values of the seed-key security level (LEV_SAT_RSD in the UDS standard) at which flash programming should be permitted. The levels must be odd values as used in the requestSeed request. (The corresponding level in the sendKey message is an even number equal to LEV_SAT_RSD + 1.)
Range: [1, 125] (odd numbers only)
Value type: | Integer (scalar or vector) | ||
Calibratable: | No |
This is very similar to the parameter which selects the allowed access for UDS flash reprogramming, but this time controls access to ECU memory via the ReadMemoryByAddress service ($23). See above for options.
Value type: | List | ||
Calibratable: | No |
Security level(s) [for ReadMemoryByAddress]
This is just like the corresponding parameter for flash reprogramming described in detail above, but this time relevant to ReadMemoryByAddress.
Value type: | Integer (scalar or vector) | ||
Calibratable: | No |
Whether ReadMemoryByAddress is allowed (ever) in a Default diagnosticSession.
Value type: | Boolean | ||
Calibratable: | No |
Whether ReadMemoryByAddress is allowed (ever) in an Extended diagnosticSession.
Value type: | Boolean | ||
Calibratable: | No |
Whether ReadMemoryByAddress is allowed (ever) in a Programming diagnosticSession.
Value type: | Boolean | ||
Calibratable: | No |
You must implement your own security function to use seed-key security; it is not supplied by Pi Innovo, because it will be specific and confidential to you. The function must be written such that it does not depend on any statically allocated variables and does not call any functions, including functions inserted by the compiler for math utilities for example. This is to ensure that it is fully relocatable, which is required for it to run as part of the boot loader in reprogramming mode, as well as in normal application mode.
To add your function to the build, place the C file alongside the model, and then instruct RTW to include it in the build by using the Custom Code... Include list of additional:... Source files option, alongside other model configuration and build options in the Code Generation/Real-Time Workshop section (the exact menu item depends on MATLAB version).
Alternatively, you can compile your C code to make an object (.o) file and specify it in the Libraries option nearby. This is useful if you wish to be cautious with confidentiality by avoiding application-builders needing to have the C source code available.
If the auto-coder settings are switched, e.g. from Simulink Coder to Embedded Coder, this setting will need to be reconfigured.
The function name for the security algorithm and the second empty function that marks the end of it are fixed. If they are missing, a linker error will be reported. A complete example block of code is presented below, in which the "secret" algorithm is to reverse the order of the two seed bytes to form the correct key:
#include "openecu.h" /***************************************************************************** * Purpose: Called by the library when UDS/KW2000 diagnostic security access * is required. * Returns: Return code to send to tool on error, otherwise zero if OK. * Notes: Code is copied to nonvolatile memory and must be relocatable. It * must not call any functions (including compiler arithmetic * utilities). ***************************************************************************** */ U8 psc_diag_security_callback ( const U8* pdgf_request_message, /* The received unpacked request message */ U16 pdgf_request_message_len, /* Total byte length of request message */ U8* pdgf_seed_buffer, /* Place seed here, or access it when computing correct key */ U8* pdgf_seed_len, /* Specify your seed length (in bytes) here (max 8 bytes) */ U32 pdgf_random /* Pseudorandom number you may use to generate seed */ ) { if (pdgf_request_message_len < 2) { return 0x13; /* invalid length */ } switch (pdgf_request_message[1]) { case 0x03: /* a requestSeed value we choose to support */ /* Set up the seed bytes, here using the provided random number */ pdgf_seed_buffer[0] = (U8) pdgf_random & 0xff; pdgf_seed_buffer[1] = (U8) (pdgf_random >> 8); *pdgf_seed_len = 2; return 0; break; case 0x04: /* corresponding sendKey value */ if ((pdgf_request_message_len == 4) && (pdgf_request_message[2] == pdgf_seed_buffer[1]) && (pdgf_request_message[3] == pdgf_seed_buffer[0]) ) { /* security passed -- bytes reversed! */ return 0; } else { return 0x35; /* invalid key */ } break; default: return 0x12; /* unsupported parameters */ break; } } /***************************************************************************** * Purpose: Marks the end of the security function above. * Returns: None. * Notes: Must be placed immediately after the security function. The * platform uses this to calculate the size of the security function * when relocating it to non-volatile memory for use in * reprogramming mode. ***************************************************************************** */ void psc_diag_security_end ( void ) { }