Guardians of the Road — Part 3: Unified Diagnostic Services

sundaeGAN
5 min read, Mar 10, 2024


Image from: https://gtamag.com/en/gta-online/garages/details/bennys-original-motor-works/2

What is Unified Diagnostic Services?

Unified Diagnostic Services (UDS, specified in ISO 14229) is the request/response protocol a diagnostic tester uses to talk to an ECU: read identification data, read and clear trouble codes, reset the ECU, unlock protected functions, and so on. On a CAN bus, UDS messages are carried by the ISO-TP transport protocol, also known as ISO 15765-2.

What is the ISO-TP?

ISO-TP is the standard transport protocol for sending messages larger than one frame over the CAN bus. A classic CAN frame carries at most 8 data bytes; ISO-TP chains frames together so that a single message can be up to 4095 bytes long (newer revisions of the standard add an escape encoding for even longer messages, but 4095 is what most ECUs and tools implement). Its most common use is diagnostics: UDS requests and responses, and before that KWP2000 (ISO 14230, the older diagnostic protocol that UDS replaced) when it was run over CAN. Be careful when you use ISO-TP to push large amounts of data onto a live bus: a multi-frame transfer puts frames back to back, and with a separation time of zero it can easily flood the bus and delay the normal vehicle traffic.

How can I perform Diagnostic tests with ISO-TP?

There are four types of ISO-TP frames: Single Frame, First Frame, Consecutive Frame, and Flow Control. You need to know what each one looks like before you can talk to an ECU.

Standard ISO-TP Packet

PCI stands for ‘Protocol Control Information’. It is the first byte of every frame (the first two bytes of a First Frame). The high nibble (bits 4..7) says what type of frame it is, and the low nibble (bits 0..3) carries the data length in a Single Frame, the upper part of the length in a First Frame, the sequence number in a Consecutive Frame, or the flow status in a Flow Control frame.

And PDU stands for ‘Protocol Data Unit’. In the figure these are the bytes that follow the PCI, which are the message data itself.

Single

A Single Frame has 0x0 in the high nibble of the PCI and the data length (1 to 7) in the low nibble, so its first byte reads 0x01..0x07. 0x0 means the whole message fits in this one frame and nothing follows it. For example, 03 22 F1 90 is a Single Frame carrying the three bytes 22 F1 90.

First

A First Frame has 0x1 in the high nibble and needs one more PCI byte to express the data length: the low nibble of the first byte and the whole second byte together form a 12-bit length, which is why a message can be up to 4095 bytes. It is used whenever the message is too large for a Single Frame, and the remaining six bytes of the frame carry the beginning of the data. So a First Frame starts with 0x10..0x1F followed by the low byte of the length; for example 10 14 announces a 20-byte message.

Consecutive

As the name suggests, a Consecutive Frame carries the rest of a message after the First Frame. It has 0x2 in the high nibble and a 4-bit Sequence Number in the low nibble, starting at 1 and wrapping from 15 back to 0 (so the first byte reads 21, 22, ..., 2F, 20, 21, ...). The receiver uses the sequence number to notice a lost or duplicated frame; without it, a missing frame would go unnoticed and the message would be reassembled incorrectly.

Flow Control

A Flow Control frame has 0x3 in the high nibble; the low nibble is the Flow Status, the second byte is the Block Size, and the third byte is the Separation Time (STmin). It travels in the opposite direction from the data: the receiver sends it back after a First Frame (and after each block of Consecutive Frames), and this is how it controls the flow of the transfer.

Flow Status

  • ‘0’ indicates ‘Continue to Send’ (CTS).
  • ‘1’ indicates ‘Wait’ (the sender must hold off and wait for another Flow Control).
  • ‘2’ indicates ‘Overflow/Abort’ (the receiver cannot buffer a message that long; the sender aborts).

Block Size

  • This byte tells the sender how many Consecutive Frames it may send before it has to wait for another Flow Control. A value of 0 means ‘send the rest of the message without waiting’.

Separation Time

  • This byte sets the minimum gap the sender must leave between Consecutive Frames: 0x00..0x7F means 0..127 milliseconds, 0xF1..0xF9 means 100..900 microseconds, and the remaining values are reserved (a sender that receives one is supposed to fall back to the maximum, 127 ms).

Okay, those are all four ISO-TP frame types. To actually request a diagnostic service with them, you also need the UDS ‘Service Identifiers’, which are the first byte of the ISO-TP payload.

Service Identifiers

The Service Identifier (SID) is a one-byte code at the start of every UDS request that says which service the tester is asking for. Some common ones:

0x10: Diagnostic Session Control
0x11: ECU Reset
0x19: Read DTC Information (diagnostic trouble codes)
0x22: Read Data by Identifier
0x23: Read Memory by Address
0x27: Security Access (seed/key unlock of protected services)
0x3E: Tester Present (keeps a non-default session alive)

Service Identifiers: Subfunctions

Most services take a sub-function byte right after the SID that selects exactly what to do. In the case of “0x11: ECU Reset”, the sub-functions are listed at the link below: 0x01 is hardReset, 0x02 is keyOffOnReset, and 0x03 is softReset. You pick the one you want and send it like this:

https://piembsystech.com/ecu-reset-service-identifier-0x11-uds-protocol/

For example, “7E0#021101” is a Single Frame of length 2 carrying SID 0x11 with sub-function 0x01, i.e. it makes the ECU perform a ‘Hard Reset’.

Response Packet

Once our ISO-TP request reaches an ECU, the ECU sends a response message back to us on its own arbitration ID.

If we send ‘7E0#013E’ on the CAN bus (0x7E0 is the conventional physical request ID of the first diagnostic ECU in the OBD-II range: 0x7E0..0x7E7 are requests, 0x7E8..0x7EF the matching responses, and 0x7DF is the functional broadcast ID that every ECU listens on),

the response will be ‘7E8#017E’: the arbitration ID is the request ID plus 0x8, and a positive response repeats the request SID plus 0x40 (0x3E + 0x40 = 0x7E). Two caveats a conforming ECU will remind you of: Tester Present takes a sub-function byte (0x00), so the strictly correct exchange is ‘7E0#023E00’ answered by ‘7E8#027E00’; and when an ECU rejects a request it does not answer with SID + 0x40 at all but with a negative response, 0x7F followed by the request SID and a Negative Response Code (for example ‘7E8#037F2231’, requestOutOfRange, for an unknown data identifier).

Now let’s send some ISO-TP packets on the CAN Bus.

https://ctf.blockharbor.io/challenges#Simulation%20VIN-15

I will solve one CTF challenge that asks for the ‘Vehicle Identification Number’ (VIN) of the simulated car. The VIN can be read with a single ISO-TP request.

We can see the virtual CAN network interface is up now.

Pass the bytes “22 f1 90” to the isotpsend command. As I mentioned, 0x22 is the ‘Read Data by Identifier’ service, which reads a value selected by a two-byte Data Identifier (DID). As you can see below, “f1 90” is the DID for the VIN.

https://piembsystech.com/data-identifiers-did-of-uds-protocol-iso-14229/#:~:text=server/vehicleIdentification%20options.-,0xF190,-VIN%20Data%20Identifier

So on the bus the request is the Single Frame “7E0#0322f190”: length 3, SID 0x22, DID F190. A positive response starts with 62 F1 90 and is followed by the 17-byte VIN, which no longer fits in one CAN frame, so the ECU answers with a First Frame and Consecutive Frames and the tester has to reassemble them (isotprecv does that for you).

You can see all DIDs in this link: https://piembsystech.com/data-identifiers-did-of-uds-protocol-iso-14229/#:~:text=server/vehicleIdentification%20options.-,0xF190,-VIN%20Data%20Identifier

To read the response, use the isotprecv command on the response ID.

Then the VIN appears as hex bytes.

We need to convert those bytes into ASCII text (for example with xxd -r -p) to get the flag.

And... we solved it.

A real-world VIN looks like ‘1HGCM82633A123456’: 17 characters, with the manufacturer in the first three, vehicle attributes and (in North America) a check digit in the next six, and model year, plant, and serial number in the last eight. You can decode one at this website: https://driving-tests.org/vin-decoder/

The result will appear like below.

Thank you ;)
