
Software Documentation Page 6-1

Y281 S365_KWP_V14 EDC7 Keyword Protocol 2000 Version 1.4

6 Multi Level Security Access

6.1 securityAccess (27h)


To prevent unauthorized access, EDC7 supports multi level seed & key security access. Since the
diagnostic modes are assigned to different access levels, it is compulsory to perform the securityAccess
service before starting a diagnostic session (except for defaultMode-StandardDiagnosticMode).
The seed & key procedure is started by sending the first securityAccess request service with an odd
accessMode identifier (AM_) to the ECU. This parameter indicates the step in progress for this
service (odd = requesting seed, even = sending key) and the level of security the tester wants to access.
The ECU answers with the first securityAccess positive response service (67h) including the seed (SEED_),
a four (4) byte random number. The seed consists of zeros ("00h 00h") if the requested diagnostic mode is
already unlocked. This enables the tester to check whether a certain diagnostic mode is still locked or not.
First Request:

Byte  Request block #1                               Hex Value                     Mnemonic
#1    securityAccess Request#1 Service Identifier    27                            SA#1
#2    accessMode = (refer to table below)            xx=[03, 07, 09, 0B, 0D, ...]  AM_RS...

Byte  Positive response block #1                              Hex Value                     Mnemonic
#1    securityAccess Positive Response#1 Service Identifier   67                            SA#1PR
#2    accessMode = (refer to table below)                     xx=[03, 07, 09, 0B, 0D, ...]  AM_RS...
#3    Seed#1 (Upper High Byte)                                xx                            SEED
#4    Seed#2 (Upper Low Byte)                                 xx
#5    Seed#3 (High Byte)
#6    Seed#4 (Low Byte)

Byte  Negative response block #1                        Hex Value  Mnemonic
#1    negative Response Service Identifier              7F         NR
#2    securityAccess Request#1 Service Identifier       27         SA#1
#3    responseCode = [                                  xx=[       RC_...
        generalReject (seed not generateable),            10,
        subFunctionNotSupported-invalidFormat             12]
        (accessMode not odd or not supported) ]

Note that after ECU power-on or reset and after two unsuccessful attempts of the tester to log in (tester has
sent the wrong keys), a ten (10) second time delay is required before seed & key may be started (again).
The supported access levels are shown in the following table:

accessMode (AM_) first request / positive response

© Robert Bosch GmbH (Germany) reserves all rights even in the event of industrial rights. We reserve all rights of disposal such as copying and passing to third parties.

DS-NF/ESN2 15-JAN-2004 Multi Level Security Access



Hex  Description                                                            Mnemonic
03   requestSeed for diagnosticMode "EngineManufacturerFactory              AM_RSEMF
     ECUAdjustmentMode" (87h) and "EngineManufacturerFactory
     EOLProgrammingMode" (83h)
05   reserved for system supplier                                           AM_RSSYS
07   requestSeed for diagnosticMode "ECUProgrammingMode" (85h)              AM_RSPRO
09   requestSeed for diagnosticMode "ECUDevelopmentMode" (86h) and          AM_RSDEV
     "Development EOLProgrammingMode" (83h)
0B   requestSeed for diagnosticMode "VehicleManufacturerServiceMode" (89h)  AM_RSVMS
0D   requestSeed for diagnosticMode "VehicleManufacturerFactoryMode" (83h)  AM_RSVMF

If access has not yet been granted, both tester and ECU now calculate the key from the seed based on a
certain algorithm (formula). The algorithm used by this software version is described in a separate
document and supplied to the customer.

Second Request:

Byte  Request block #2                       Hex Value                     Mnemonic
#1    securityAccess Request#2 Service Id    27                            SA#2
#2    accessMode = (refer to table below)    xx=[04, 08, 0A, 0C, 0E, ...]  AM_SK...
#3    key#1 (High Byte)                      xx                            KEY
#4    key#2 (Low Byte)                       xx

Byte  Positive response block #2                         Hex Value                     Mnemonic
#1    securityAccess Positive Response#2 Service Id      67                            SA#2PR
#2    accessMode = (refer to table below)                xx=[04, 08, 0A, 0C, 0E, ...]  AM_SK...
#3    SecurityAccessStatus = [securityAccessAllowed]     34                            SAA

Byte  Negative response block #2                          Hex Value  Mnemonic
#1    negative Response Service Id                        7F         NR
#2    securityAccess Request#2 Service Id                 27         SA#2
#3    responseCode = [                                    xx=[       RC_...
        subFunctionNotSupported-invalidFormat               12,
        (accessMode not corresponding to first request),
        invalidKey,                                         35,
        exceedNumberOfAttempts,                             36,
        requiredTimeDelayNotExpired ]                       37]

The parameter accessMode (AM_) is now an even number one greater than accessMode in the first
request. The key (key_) is the result of the computation, a four (4) byte number as well.

accessMode (AM_) second request / positive response



Hex  Description                                                            Mnemonic
04   requestSeed for diagnosticMode "EngineManufacturerFactory              AM_RSEMF
     ECUAdjustmentMode" (87h) and "EngineManufacturerFactory
     EOLProgrammingMode" (83h)
06   reserved for system supplier                                           AM_RSSYS
08   requestSeed for diagnosticMode "ECUProgrammingMode" (85h)              AM_RSPRO
0A   requestSeed for diagnosticMode "ECUDevelopmentMode" (86h) and          AM_RSDEV
     "Development EOLProgrammingMode" (83h)
0C   requestSeed for diagnosticMode "VehicleManufacturerServiceMode" (89h)  AM_RSVMS
0E   requestSeed for diagnosticMode "VehicleManufacturerFactoryMode" (83h)  AM_RSVMF

The ECU compares the two keys and, if the keys do match, unlocks the requested diagnostic session to the
tester. The parameter securityAccessStatus (SAS_) may be used to receive the status of the ECU security
system.


Tester                                          ECU

                                                10s since ECU power-on
1. securityAccess request seed   ---------->    generate random number (seed)
                                 <-- seed ---   1. securityAccess pos. response
evaluate key = f(seed)                          evaluate key = f(seed)
2. securityAccess send key       --- key -->    compare keys, unlock diagn. mode
access o.k.!                     <----------    2. securityAccess pos. response
start Diagnostic Session

Message flow of seed & key
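
The exchange described in this section, modelled from the ECU side as an added example (it is not code from the original document or from the ECU software). Assumptions: `toy_key` is a constructed placeholder because the real algorithm is not on this page, the key is taken as four bytes as the prose states, a seed request during the delay is answered with 10h, and the first wrong key gives 35h while the second gives 36h.

```python
import hmac
import os

SEED_MODES = {0x03, 0x07, 0x09, 0x0B, 0x0D}  # odd accessMode values listed in the table
DELAY_S = 10.0  # wait after power-on/reset and after two wrong keys

def toy_key(seed: bytes) -> bytes:  # constructed stand-in for f(seed), no real algorithm
    return bytes(b ^ 0xA5 for b in seed)

def neg(code: int) -> bytes:
    return bytes([0x7F, 0x27, code])  # negative response to service 27h

class EcuModel:
    def __init__(self, now: float = 0.0, rng=os.urandom):
        self.locked_until = now + DELAY_S  # power-on delay
        self.unlocked = set()              # odd modes whose level is already open
        self.pending, self.failures, self.rng = None, 0, rng  # pending = (mode, seed)

    def handle(self, req: bytes, now: float) -> bytes:
        if len(req) < 2 or req[0] != 0x27:
            return neg(0x12)
        mode = req[1]
        if mode % 2:  # odd accessMode: requestSeed
            if mode not in SEED_MODES:
                return neg(0x12)  # subFunctionNotSupported-invalidFormat
            if now < self.locked_until:
                return neg(0x10)  # assumption: generalReject while the delay runs
            if mode in self.unlocked:
                return bytes([0x67, mode, 0, 0, 0, 0])  # zero seed: already unlocked
            seed = self.rng(4)
            while not any(seed):  # a random all-zero seed would read as "unlocked"
                seed = self.rng(4)
            self.pending = (mode, seed)
            return bytes([0x67, mode]) + seed
        if now < self.locked_until:  # even accessMode: sendKey
            return neg(0x37)  # requiredTimeDelayNotExpired
        if self.pending is None or mode != self.pending[0] + 1 or len(req) != 6:
            return neg(0x12)  # key does not correspond to the first request
        seed_mode, seed = self.pending
        self.pending = None  # every seed is single use
        if hmac.compare_digest(req[2:], toy_key(seed)):  # constant-time compare
            self.failures = 0
            self.unlocked.add(seed_mode)
            return bytes([0x67, mode, 0x34])  # securityAccessAllowed
        self.failures += 1
        if self.failures < 2:
            return neg(0x35)  # invalidKey
        self.failures, self.locked_until = 0, now + DELAY_S
        return neg(0x36)  # exceedNumberOfAttempts, delay restarts
```

Passing `now` explicitly keeps the ten second delay testable without sleeping; a fixed `rng` makes the seed reproducible in tests.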
