Mode 23 – Read Memory

According to some of my notes, Euro 5 diesel models, or cars that support Extended/Enhanced OBD-II in general, might support mode/service 23 for dumping ROM or RAM blocks:

The format is similar to, or the same as, the ReadMemoryByAddress (23 hex) service specified in the UDS (Unified Diagnostic Services, ISO 14229) protocol:

"23 <Format> <Address[]> <Length[]>"

Several $23 formats can be supported; on Euro 5 diesel:

  1. "23 14 A1 A2 A3 A4 L1"
  2. "23 24 A1 A2 A3 A4 L1 L2"

As you can guess, a format byte of e.g. 0x14 means:

  • 4 address bytes → uint32 big endian, encoded in low nibble of format byte
  • 1 length byte → uint8, encoded in high nibble of format

Restrictions

Stock firmware usually restricts the available address ranges, allowing only partial dumps. ROM calibration data and RAM regions might work. With knowledge of how to reflash and reverse-engineer the logic, such restrictions can be patched and therefore eliminated.

Errors

Depends on the actual implementation; (early) Euro 5 diesel ROM logic:

  • 0 < length ≤ 0x400 (dec 1024) bytes otherwise NRC 31
  • other formats or request message lengths yield NRC 13

NRC (hex)   Description
13          Incorrect message length or invalid format
31          Request out of range

Example

Euro 5 diesel (1.5 MiB ROM, SH7059 chip) example – dump beginning at ROM calibration data:

Start address = 0xC0000
Length (per request) = 0x40 = 64 bytes

"23 14 00 0C 00 00 40"
Positive response: "63 <XX XX XX ... total 64 payload bytes ... XX XX>"

"23 14 00 0C 00 40 40"

"23 14 00 0C 00 80 40"

"23 14 00 0C 00 C0 40"

"23 14 00 0C 01 00 40"

Anyone able to confirm that these mode 23 commands and formats are working?

Personal experience on many different control units: maximizing the length per request yields max transfer speed; however, the application algorithm must be able to handle NRC codes and react properly.
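
The message framing described in this post, as an added example that is not code from the original post: it encodes the "23 <Format> <Address[]> <Length[]>" request, decodes replies, and turns NRCs into exceptions so the calling logic can react to them. The negative-response framing "7F 23 <NRC>" is the standard UDS form and is an assumption here (the post does not show it); the function names and the sample responses are constructed.

```python
# Added example: encoder/decoder for service 0x23 messages as described in the post.
# Assumption: negative responses use the standard UDS framing "7F 23 <NRC>".
NRC_TEXT = {0x13: "incorrect message length or invalid format",
            0x31: "request out of range",
            0x33: "security access denied"}

class NegativeResponse(Exception):
    def __init__(self, nrc):
        super().__init__(f"NRC {nrc:02X}: {NRC_TEXT.get(nrc, 'unlisted')}")
        self.nrc = nrc

def build_request(address, length, addr_bytes=4, len_bytes=1):
    """Format byte: high nibble = length-field size, low nibble = address size."""
    if not (1 <= addr_bytes <= 15 and 1 <= len_bytes <= 15):
        raise ValueError("field sizes must fit in one nibble each")
    fmt = (len_bytes << 4) | addr_bytes
    # to_bytes raises OverflowError if a value does not fit its field
    return (bytes([0x23, fmt]) + address.to_bytes(addr_bytes, "big")
            + length.to_bytes(len_bytes, "big"))

def parse_response(resp, expected_len):
    """Return the payload of a positive response (0x63) or raise."""
    if len(resp) >= 3 and resp[0] == 0x7F and resp[1] == 0x23:
        raise NegativeResponse(resp[2])
    if not resp or resp[0] != 0x63:
        raise ValueError("not a response to service 23")
    payload = bytes(resp[1:])
    if len(payload) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, got {len(payload)}")
    return payload

def block_requests(start, total, chunk=0x40):
    """Requests covering [start, start+total); 2 length bytes once a block exceeds 0xFF."""
    out = []
    for off in range(0, total, chunk):
        n = min(chunk, total - off)
        out.append(build_request(start + off, n, 4, 1 if n <= 0xFF else 2))
    return out

if __name__ == "__main__":
    for req in block_requests(0xC0000, 0x140):
        print(req.hex(" ").upper())
    ok = bytes([0x63]) + bytes(64)                   # constructed positive response
    print(len(parse_response(ok, 64)), "payload bytes")
    try:
        parse_response(bytes.fromhex("7F2331"), 64)  # constructed negative response
    except NegativeResponse as e:
        print(e)
```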


3 responses to “Mode 23 – Read Memory”

  1. EURO5 GEN2 Diesel ECU needs a security access to read flash memory addresses, so negative response NRC 33 answer of a Mode23 flash address request.
    RAM memory addresses work with UDS Mode23 reading.

    • AFAIK Euro 4 allowed dumping of calibration area region using SSM2 via K-Line without any security access.

      NRC 33 (securityAccessDenied/securityAccessRequested) makes sense.
      Currently not sure about Euro 5 as it has been a while since worked on Subaru Diesel ROMs…
      Perhaps try addresses ≥ 0xC0000 (≥ 768 KiB) as this is where calibration area starts for ROMs like 2010/2011 Forester Turbo Diesel 2.0 CID JP4A130A ROMID 7744D87207. ScoobyRom shows table data starting at around 0xC3000.

      As often, most of the RAM might be available, enough for logging RAM data, however there might be censored regions where you get either error responses or fake (const) bytes.

      • All different areas tried. Even Flashcounter cannot be read without security access.
        EURO5 differs in some cases to EURO4 with having some access challenge 😦
