Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract — The diagnostic tester is presented here to read out controllers can also save such critical data into external
the contents of external EEPROM of an EMS ECU. The tester EEPROM as a different strategy, if supported. To read/write
and the EMS ECU are built with Unified Diagnostic Service the data with external EEPROM, the controller normally uses
(UDS) on Controller Area Network (CAN) as per ISO 14229-1 Serial Peripheral Interface (SPI).
and ISO 15765-3. When the tester requests the UDS on CAN bus,
the ECU invokes the respective routines. The micro-controller of
ECU uses Serial Peripheral Interface (SPI) protocol to read out C. Controller Area Network (CAN)
the contents of EEPROM. The ECU stores the contents read The Controller Area Network (CAN) is a serial
from external EEPROM into a buffer and that will be communication protocol which efficiently supports distributed
transmitted on CAN bus as response to the tester request. real time control with a very high level of security. Its domain
of application ranges from high speed networks to low cost
In this paper, the work flow and the algorithms are provided multiplex wiring. In automotive electronics, engine control
as, how the tester requests the UDS commands on CAN bus and units, sensors, etc. are connected using CAN with bitrates up to
how the EMS ECU interprets this command to get the contents of
1 Mbit/sec. At the same time it is cost effective to build into
EEPROM for the tester, as per ISO 14229-1 and ISO 15765-3.
vehicle body electronics, e.g. lamp clusters, electric windows
Index Terms — ISO 14229-1, ISO 15765-3, EEPROM, EMS, etc. to replace the wiring harness otherwise required.[3]
ECU, UDS, CAN, SPI.
D. Communication between Diagnostic Tester and ECU
I. INTRODUCTION Both the ECU and the tester should communicate with each
other on CAN bus. The ECU should support the below ISO
A. Diagnostic Tester
standards.
The diagnostic testers are used to exchange the diagnostic
ISO 14229-1:2013(E) - Road vehicles – Unified
data with Electronic Control Units (ECUs). The testers which
Diagnostic Services (UDS) – Part 1: Specification and
are available in the markets and the testers which are internally
requirements.
developed by the OEMs are mainly used for different
This standard contains a detailed specification of diagnostic
applications as mentioned below.
services and their parameters.
• Reading/writing the data from/to flash memory of
ISO 15765-3:2004 - Road vehicles – Diagnostic on
controllers,
Controller Area Network (CAN) – Part 3: Implementation
• Re-programming of ECUs,
of Unified Diagnostic Services (UDS on CAN).
• To read the Diagnostic Trouble Codes (DTCs) from
This standard specifies the adaptation of UDS on CAN.
the ECUs,
• During vehicle end of line for actuators test, and so
on. II. ISO 14229-1:20013(E) - ROAD VEHICLES – UNIFIED
DIAGNOSTIC SERVICES (UDS) PART 1: SPECIFICATION AND
B. ECU with External EEPROM REQUIREMENTS
The micro-controller of ECU can save the critical data A. ReadMemoryByAddress (23 hex) UDS Service Details
into their internal FLASH memory before it gets powered-off
The ReadMemoryByAddress (23 hex) service allows the
and retain the same data when it boots up next time. The
client to request memory data from the server via a provided
169
A.3. Negative Response Message requested action will not be taken because
The Negative Response Message Definition of the length of the received request message
ReadMemoryByAddress (23 hex) service is given in Table 5. does not match the prescribed length for the
specified service or because the format of the
A_Data Parameter name Con Hex Mnemoni parameters does not match the prescribed
byte ven value c format for the specified service.
tio 31 requestOutOfRange ROO
#1 Negative Response M 7F SIDRSI R
Service ID DNRQ This response code indicates that the
#2 ReadMemoryByAddres M 23 RMBA requested action will not be taken because
s Request Service ID the server has detected that the request
#3 responseCode M XX NRC_ message contains a parameter which attempts
M (Mandatory) - The parameter has to be present. to substitute a value beyond its range of
Table 5. Negative Response Message Definition [1] authority (e.g. attempting to substitute a data
byte of 111 when the data is only defined to
The NRC_ (Negative Response Code) are listed in the Table 7. 100), or which attempts to access a
dataIdentifier/routineIdentifer that is not
A.4. Positive Response supported or not supported in active session.
The circumstances under which Positive Response This response code shall be implemented for
would occur for 0x23 service are documented in Table 6. all services which allow the client to read
Hex Response Code Mnemonic data, write data or adjust functions by data in
Value the server.
00 positiveResponse PR 78 requestCorrectlyReceived- RCR
ResponsePending RP
This response code shall not be used
in negative response message. This This response code indicates that the request
positiveResponse parameter value is message was received correctly, and that all
reserved for server-internal parameters in the request message were
implementation. valid, but the action to be performed is not
Table 6. Positive Response Code [1] yet completed and the server is not yet ready
to receive another request. As soon as the
A.5. Negative Response Code (NRC_) requested service has been completed, the
The following negative response codes are server shall send a positive response message
implemented for 0x23 service. The circumstances under which or negative response message with a
each response code would occur are documented in Table 7. response code different from this.
Hex Response Code Mne
Value mon The negative response message with this
ic response code may be repeated by the server
11 serviceNotSupported SNS until the requested service is completed and
the final response message is sent. This
This response code indicates that the response code might impact the application
requested action will not be taken because layer timing parameter values. The detailed
the server does not support the requested specification shall be included in the data-
service. link-specific implementation document.
The server shall send this response code in This response code shall only be used in a
case the client has sent a request message negative response message if the server will
with a service identifier which is either not be able to receive further request
unknown or not supported by the server. messages from the client while completing
Therefore, this negative response code is not the requested diagnostic service.
shown in the list of negative response codes
to be supported for a diagnostic service When this response code is used, the server
because this negative response code is not shall always send a final response (positive
applicable for supported services. or negative) independently of the
13 incorrectMessageLengthOrInvalidFormat IML suppressPosRspMsgIndicationBit value.
OIF
This response code indicates that the A typical example of where this response
170
code may be used is when the client has sent
a request message which includes data to be
programmed or erased in flash memory of III. APPLICATION OF ISO 14229-1 AND ISO 15765-3 FOR
the server. If the programming/erasing EEPROM OF EMS ECU
routine (usually executed out of RAM) is not
A. Block Diagram of the Work
able to support serial communication while
writing to the flash memory, the server shall The schematic representation for the implementation of the
send a negative response message with this work is as given below.
response code.
171
Message Client -> Server Send NRC 0x7F
Direction: ELSE(1)
Message Request IF(2) (Service is not supported in active
Type: SecurityLevel)
A_Data Description (all values are in Byte THEN(2)
byte hexadecimal) value
Send NRC 0x33
(hex)
#1 ReadMemoryByAddress request SID 23
ELSE(2)
#2 addressAndLengthFormatIdentifier 24 IF(3) (Service is configured to support
#3 memoryAddress [ byte#1 ] (MSB) 00 sub-function)
#4 memoryAddress [ byte#2 ] 00 THEN(3)
#5 memoryAddress [ byte#3 ] 00 IF(4) (Service request length <
#6 memoryAddress [ byte#4 ] 00 2)
#7 memorySize [ byte#1 ] (MSB) 03 THEN(4)
#8 memorySize [ byte#2 ] FF Send NRC 0x13
Table 8. Tester request message to read EEPROM contents ELSE(4)
Call 0x23 Service
B.3. EMS ECU Configurations Algorithm
ENDIF(4)
The following configurations were done in the EMS ECU ENDIF(3)
project. ENDIF(2)
• 0x23 service was configured in Default Diagnostic ENDIF(1)
Session, without Security Access.
• 0x7E0 CAN message ID was configured for the Tester
Request message as a physical addressing receive C. 0x23 Service Algorithm
message.
• 0x7E8 CAN message ID was configured for the Tester
Initialization:
Response message as a physical addressing transmit 0x78_Response_Active = 0
message. Maximum_Buffer_Size = 4096
E2P_Read_Completed = 0
IV. IMPLEMENTATION OF ALGORITHM AS PER ISO 14229-1 TO
IF[1] (0x78_Response_Active == 1)
READ THE EEPROM CONTENTS OF EMS ECU
THEN[1]
IF[2a] (E2P_Read_Completed == 1)
A. Behaviour of EMS ECU for the Tester Request THEN[2a]
Depending on the client request, the service scheduler of Copy data from SPI buffer to UDS buffer
the EMS ECU called the UDS service interpreter. The UDS Send Positive Response with UDS buffer data
service interpreter checks certain general conditions which 0x78_Response_Active = 0
were common for all the configured services. Once these ELSE[2a]
general conditions were met, the corresponding UDS service // SPI is busy in EEPROM Read operation
Send NRC 0x78
called.
ENDIF[2a]
B. UDS Interpreter Algorithm ELSE[1] // 0x78_Response_Active = 0
IF[2b] (Request Length == 8 bytes)
The algorithm of UDS interpreter is given below. THEN[2b]
IF[3] (Requested size < Maximum_Buffer_Size)
IF[1] (Requested Service ID not supported) THEN[3]
THEN[1] IF[4] (Requested memoryAddress ==
Send NRC 0x11 0x00000000)
ELSE[1] THEN[4]
Call Service_Request_Normal_Handling // Tester has requested to read
EEPROM memory location
ENDIF[1] Call E2P_Read_Routine
0x78_Response_Active = 1
Send NRC 0x78
Service_Request_Normal_Handling ELSE[4]
// Tester has requested to read
other memory location
IF[1](Service is not supported in active Send NRC 0x31
diagnosticSessionType) ENDIF[4]
THEN(1) ELSE[3]
172
Send NRC 0x31 In the above report, CAN Frame 1 is called as First Frame
ENDIF[3] and CAN Frame 3 is called as First Consecutive Frame. These
ELSE[2b] CAN frames are transmitted by diagnostic tester on 0x7E0
Send NRC 0x13 CAN ID and they contain the tester request message (square-
ENDIF[2b]
ENDIF[1]
blocked data), which can be compared with the data mentioned
in the Table 8. CAN Frame 2 contains Flow Control parameters
which is transmitted by ECU.
E2P_Read_Routine
When the EMS ECU receives 0x7E0 CAN ID on CAN bus,
Pass the tester requested data to SPI driver-> start it interprets that it’s a tester request and calls the respective
address, size, READ operation. UDS algorithms. The Positive Response Message from EMS
Start reading the data from the given memory location ECU is transmitted on 0x7E8 CAN ID (bold highlighted data
using SPI driver. in oval blocks) from CAN Frame 8 onwards (other than CAN
Once the SPI completes the read operation, set Frame 9). This can be compared with the data mentioned in the
E2P_Read_Completed = 1 Table 3. The bold highlighted data in oval blocks, after the first
0x63 (RMBAPR), is the contents of EEPROM. CAN Frame 9
contains Flow Control parameters which is transmitted by the
V. RESULTS tester.
The result of EEPROM contents read from UDS was
observed using CANalyzer tool. A small part of report from CAN frames 4 to 7 are transmitted by EMS ECU to tester
CANalyzer log (*.asc) file is provided below. during the time when the controller of the ECU is busy with
EEPROM read operation.
date Fri Mar 7 08:08:36 am 2014
base hex timestamps absolute
internal events logged VI. CONCLUSION
// version 7.6.0
Begin Triggerblock Fri Mar 7 08:08:36 am 2014 The above paper discusses and proposes the usage of
0.000000 Start of measurement standard UDS protocol listed in ISO 14229-1 used for
0.001323 CAN 1 Status:chip status error active diagnostic communication. The author also presents a holistic
1.019953 1 Statistic: D 586 R 0 XD 0 XR 0 E 0 O 0 B 14.51%
2.019953 1 Statistic: D 586 R 0 XD 0 XR 0 E 0 O 0 B 14.51%
view of how this protocol can be implemented in embedded
4.995468 1 7E0 Rx d 8 10 08 23 24 00 00 00 00 Length = 238000 software application. An attempt is also made to validate the
BitCount = 123 -> CAN Frame 1 data transmitted from EMS ECU with respect to standard
4.995724 1 7E8 Rx d 8 30 FF 00 55 55 55 55 55 Length = 228000 driver.
BitCount = 118 -> CAN Frame 2
5.006094 1 7E0 Rx d 8 21 03 FF 00 00 00 00 00 Length = 242000
BitCount = 125 -> CAN Frame 3
5.303306 1 7E8 Rx d 8 03 7F 23 78 55 55 55 55 Length = 222000 ACKNOWLEDGMENT
BitCount = 115 -> CAN Frame 4 We thank the management of Continental Automotive
5.313299 1 7E8 Rx d 8 03 7F 23 78 55 55 55 55 Length = 222000
BitCount = 115 -> CAN Frame 5 Components (India) Pvt. Ltd. for the encouragement. The
5.323309 1 7E8 Rx d 8 03 7F 23 78 55 55 55 55 Length = 222000 authors would like to especially thank Mr. Girish Ramaswamy,
BitCount = 115 -> CAN Frame 6 General Manager of Continental Technical Centre India. We
5.333301 1 7E8 Rx d 8 03 7F 23 78 55 55 55 55 Length = 222000 would also like to thank Dr. Vivek Venkobarao for motivating
BitCount = 115 -> CAN Frame 7
5.343523 1 7E8 Rx d 8 14 00 63 B0 4E 00 00 B0 Length = 234000 and supporting us.
BitCount = 121 -> CAN Frame 8
5.354852 1 7E0 Rx d 8 30 00 00 00 00 00 00 00 Length = 244000
BitCount = 126 -> CAN Frame 9 REFERENCES
5.358242 1 7E8 Rx d 8 21 4E 00 00 01 00 00 00 Length = 238000
BitCount = 123 -> CAN Frame 10 [1] ISO 14229-1:2013(E) - Road vehicles – Unified Diagnostic
5.358501 1 7E8 Rx d 8 22 01 00 00 00 B0 4E 00 Length = 240000 Services (UDS) – Part 1: Specification and requirements.
BitCount = 124 -> CAN Frame 11 [2] ISO 15765-3:2004 - Road vehicles – Diagnostic on Controller
5.358753 1 7E8 Rx d 8 23 00 B0 4E 00 00 01 00 Length = 234000 Area Network (CAN) – Part 3: Implementation of Unified
BitCount = 121 -> CAN Frame 12
Diagnostic Services (UDS on CAN).
End TriggerBlock
[3] BOSCH CAN Specification 2.0
173