1

As I understand it, if the security key returned by the tester (client) is correct, the ECU will respond with a positive UDS response. After this the tester will be granted security access at the requested security level.

My question is: what's the purpose of the security level if the tester will always be granted security access at the requested security level?

Torsten Knodt
bouqbouq

2 Answers

4

Security Access works using a shared secret between ECU and authorized tester (secret algorithm/private key). The purpose is to restrict access to certain services/subfunctions, e.g. by unauthorized testers/tools (3rd party) or by users lacking certain access rights.

To request Security Access, the tester will first send a command to request a random seed from the ECU (i.e. 0x27 01). If the ECU allows this in its current state, it may respond with a positive response including the seed (i.e. 0x67 01 AA BB CC DD). Then the tester application needs to take this seed (0xAA BB CC DD) and apply a secret key generation algorithm to it (i.e. a cryptographic function using a private key only known to ECU and authorized tester) - once the key is calculated it needs to be sent back to the ECU (i.e. 0x27 02 66 77 88 99). The ECU can reply to this with a positive response (i.e. 0x67 02) or a Negative Response Code (i.e. 0x7F 0x27 0x35).

That means a tester will not always be granted security access at the requested security level. It is possible for the ECU to deny the access - common reasons are:

  • transition to this security access level is not possible from the current session/security level (i.e. NRC 0x7F serviceNotSupportedInActiveSession, NRC 0x22 conditionsNotCorrect, NRC 0x31 requestOutOfRange...)
  • the key sent by the tester does not match the key which the ECU expects (NRC 0x35 invalidKey)
  • the tester tried too many times with the wrong key (NRC 0x36 exceededNumberOfAttempts)
  • the ECU is currently not allowing unlocking of security access due to too many wrong attempts before - the tester needs to wait for a certain timeout first (NRC 0x37 requiredTimeDelayNotExpired)
Constantin
1

UDS is not an AUTOSAR-only concept; it was defined long ago as ISO 14229.

There can be more than one Security Level. Usually, they are also a bit bound to the Diagnostic Sessions. Each Session can have a separate Security Level, with different Seed/Key and/or SecurityAlgorithms:

  • ProgrammingSession -> SecurityLevel 1
  • ExtendedSession -> SecurityLevel 3
  • SupplierSpecific/User Session -> SecurityLevel 5
  • ...

As already stated, the client has to request the seed and calculate a key, and the ECU does the same. The client then sends the key, which the ECU will compare against its own calculated expected key. If it does not match, there will be a negative response, and the security level will not be reached. If the session times out or if the session is changed, the Security Level is set back to the Locked state. Services can be configured regarding availability and execution by assignment to certain Sessions and SecurityLevels.

kesselhaus