F1F2ANNEX I BREQUIREMENTS FOR CONSTRUCTION, TESTING, INSTALLATION AND INSPECTION
5.MANAGEMENT SERVICES
The services available are detailed in the following table:
Service name | Description |
|---|---|
StartDiagnosticSession | The client requests to start a diagnostic session with a VU |
SecurityAccess | The client requests access to functions restricted to authorised users |
5.1.StartDiagnosticSession service
5.1.1.Message description
[CPR_025] The service StartDiagnosticSession is used to enable different diagnostic sessions in the server. A diagnostic session enables a specific set of services according to Table 17. A session can enable vehicle manufacturer specific services which are not part of this document. Implementation rules shall conform to the following requirements:
there shall be always exactly one diagnostic session active in the VU,
the VU shall always start the StandardDiagnosticSession when powered up. If no other diagnostic session is started, then the StandardDiagnosticSession shall be running as long as the VU is powered,
if a diagnostic session which is already running has been requested by the tester, then the VU shall send a positive response message,
whenever the tester requests a new diagnostic session, the VU shall first send a StartDiagnosticSession positive response message before the new session becomes active in the VU. If the VU is not able to start the requested new diagnostic session, then it shall respond with a StartDiagnosticSession negative response message, and the current session shall continue.
[CPR_026] The diagnostic session shall only be started if communication has been established between the client and the VU.
[CPR_027] The timing parameters defined in Table 4 shall be active after a successful StartDiagnosticSession with the diagnosticSession parameter set to ‘StandardDiagnosticSession’ in the request message if another diagnostic session was previously active.
5.1.2.Message format
[CPR_028] The message formats for the StartDiagnosticSession primitives are detailed in the following tables:
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | EE | TGT |
#3 | Source address byte | tt | SRC |
#4 | Additional length byte | 02 | LEN |
#5 | StartDiagnosticSession request service Id | 10 | STDS |
#6 | diagnosticSession = (one value from Table 17) | xx | DS_ … |
#7 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 02 | LEN |
#5 | StartDiagnosticSession Positive Response Service Id | 50 | STDSPR |
#6 | DiagnosticSession = (same value as in byte #6 Table 14) | xx | DS_ … |
#7 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 03 | LEN |
#5 | Negative response service Id | 7F | NR |
#6 | StartDiagnosticSession request service Id | 10 | STDS |
#7 | ResponseCode = (subFunctionNotSupported44 incorrectMessageLength45 | 12 13 | RC_SFNS RC_IML |
conditionsNotCorrect46) | 22 | RC_CNC | |
#8 | Checksum | 00-FF | CS |
The value inserted in byte #6 of the request message is not supported, i.e. not in Table 17. | |||
The length of the message is wrong. | |||
The criteria for the request StartDiagnosticSession are not met. | |||
5.1.3.Parameter definition
[CPR_029] The parameter diagnosticSession (DS_) is used by the StartDiagnosticSession service to select the specific behaviour of the server(s). The following diagnostic sessions are specified in this document:
Hex | Description | Mnemonic |
|---|---|---|
81 | StandardDiagnosticSession This diagnostic session enables all services specified in Table 1 column 4 ‘SD’. These services allow reading of data from a server (VU). This diagnostic Session is active after the initialisation has been successfully completed between client (tester) and server (VU). This diagnostic session may be overwritten by other diagnostic sessions specified in this section. | SD |
85 | ECUProgrammingSession This diagnostic session enables all services specified in Table 1 column 6 ‘ECUPS’. These services support the memory programming of a server (VU) This diagnostic session may be overwritten by other diagnostic sessions specified in this section. | ECUPS |
87 | ECUAdjustmentSession This diagnostic session enables all services specified in Table 1 column 5 ‘ECUAS’. These services support the input/output control of a server (VU). This diagnostic session may be overwritten by other diagnostic sessions specified in this section. | ECUAS |
5.2.SecurityAccess service
Writing of calibration data or access to the calibration input/output line is not possible unless the VU is in CALIBRATION mode. In addition to insertion of a valid workshop card into the VU, it is necessary to enter the appropriate PIN into the VU before access to the CALIBRATION mode is granted.
The SecurityAccess service provides a means to enter the PIN and to indicate to the tester whether or not the VU is in CALIBRATION mode.
It is acceptable that the PIN may be entered through alternative methods.
5.2.1.Message description
The SecurityAccess service consists of a SecurityAccess ‘requestSeed’ message, eventually followed by a SecurityAccess ‘sendKey’ message. The SecurityAccess service must be carried out after the StartDiagnosticSession service.
[CPR_033] The tester shall use the SecurityAccess "requestSeed" message to check if the vehicle unit is ready to accept a PIN.
[CPR_034] If the vehicle unit is already in CALIBRATION mode, it shall answer the request by sending a ‘seed’ of 0x0000 using the service SecurityAccess Positive Response.
[CPR_035] If the vehicle unit is ready to accept a PIN for verification by a workshop card, it shall answer the request by sending a ‘seed’ greater than 0x0000 using the service SecurityAccess positive response.
[CPR_036] If the vehicle unit is not ready to accept a PIN from the tester, either because the workshop card inserted is not valid, or because no workshop card has been inserted, or because the vehicle unit expects the PIN from another method, it shall answer the request with a negative response with a response code set to conditionsNotCorrectOrRequestSequenceError.
[CPR_037] The tester shall then, eventually, use the SecurityAccess ‘sendKey’ message to forward a PIN to the Vehicle Unit. To allow time for the card authentication process to take place, the VU shall use the negative response code requestCorrectlyReceived-ResponsePending to extend the time to respond. However, the maximum time to respond shall not exceed five minutes. As soon as the requested service has been completed, the VU shall send a positive response message or negative response message with a response code different from this one. The negative response code requestCorrectlyReceived-ResponsePending may be repeated by the VU until the requested service is completed and the final response message is sent.
[CPR_038] The vehicle unit shall answer to this request using the service SecurityAccess Positive Response only when in CALIBRATION mode.
[CPR_039] In the following cases, the vehicle unit shall answer to this request with a Negative Response with a response code set to:
subFunctionNot supported: invalid format for the subfunction parameter (accessType),
conditionsNotCorrectOrRequestSequenceError: vehicle unit not ready to accept a PIN entry,
invalidKey: PIN not valid and number of PIN checks attempts not exceeded,
exceededNumberOfAttempts: PIN not valid and number of PIN checks attempts exceeded,
generalReject: Correct PIN but mutual authentication with workshop card failed.
5.2.2.Message format — SecurityAccess — requestSeed
[CPR_040] The message formats for the SecurityAccess ‘requestSeed’ primitives are detailed in the following tables:
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | EE | TGT |
#3 | Source address byte | tt | SRC |
#4 | Additional length byte | 02 | LEN |
#5 | SecurityAccess request service Id | 27 | SA |
#6 | accessType — requestSeed | 7D | AT_RSD |
#7 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 04 | LEN |
#5 | SecurityAccess positive response service Id | 67 | SAPR |
#6 | accessType — requestSeed | 7D | AT_RSD |
#7 | Seed High | 00-FF | SEEDH |
#8 | Seed Low | 00-FF | SEEDL |
#9 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 03 | LEN |
#5 | negativeResponse Service Id | 7F | NR |
#6 | SecurityAccess request service Id | 27 | SA |
#7 | responseCode = (conditionsNotCorrectOrRequestSequenceError incorrectMessageLength) | 22 13 | RC_CNC RC_IML |
#8 | Checksum | 00-FF | CS |
5.2.3.Message format — SecurityAccess — sendKey
[CPR_041] The message formats for the SecurityAccess ‘sendKey’ primitives are detailed in the following tables:
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | EE | TGT |
#3 | Source address byte | tt | SRC |
#4 | Additional length byte | m+2 | LEN |
#5 | SecurityAccess Request Service Id | 27 | SA |
#6 | accessType — sendKey | 7E | AT_SK |
#7 to #m+6 | Key #1 (High) | xx | KEY |
… | … | ||
Key #m (low, m must be a minimum of 4, and a maximum of 8) | xx | ||
#m+7 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 02 | LEN |
#5 | SecurityAccess positive response service Id | 67 | SAPR |
#6 | accessType — sendKey | 7E | AT_SK |
#7 | Checksum | 00-FF | CS |
Byte # | Parameter Name | Hex value | Mnemonic |
|---|---|---|---|
#1 | Format byte — physical addressing | 80 | FMT |
#2 | Target address byte | tt | TGT |
#3 | Source address byte | EE | SRC |
#4 | Additional length byte | 03 | LEN |
#5 | NegativeResponse Service Id | 7F | NR |
#6 | SecurityAccess request service Id | 27 | SA |
#7 | ResponseCode = (generalReject subFunctionNotSupported | 10 12 | RC_GR RC_SFNS |
incorrectMessageLength | 13 | RC_IML | |
conditionsNotCorrectOrRequestSequenceError | 22 | RC_CNC | |
invalidKey | 35 | RC_IK | |
exceededNumberOfAttempts | 36 | RC_ENA | |
requestCorrectlyReceived-ResponsePending) | 78 | RC_RCR_RP | |
#8 | Checksum | 00-FF | CS |
Inserted by Council Regulation (EC) No 2135/98 of 24 September 1998 amending Regulation (EEC) No 3821/85 on recording equipment in road transport and Directive 88/599/EEC concerning the application of Regulations (EEC) No 3820/85 and (EEC) No 3821/85.