Mode 23 – Read Memory

According to some of my notes, Euro 5 diesel models, or cars that support Extended/Enhanced OBD-II in general, might support mode/service 23 for dumping ROM or RAM blocks:

Format is similar or same as ReadMemoryByAddress (23 hex) service specified UDS (Unified Diagnostic Services, ISO 14229) protocol:

"23 <Format> <Address[]> <Length[]>"

Several $23 formats can be supported, Euro 5 diesel:

  1. "23 14 A1 A2 A3 A4 L1"
  2. "23 24 A1 A2 A3 A4 L1 L2"

As you can guess, format byte e.g. 0x14 means:

  • 4 address bytes → uint32 big endian, encoded in low nibble of format byte
  • 1 length byte → uint8, encoded in high nibble of format

Restrictions

Stock firmware usually restrict available address ranges, allowing only partial dumps. ROM calibration data and RAM regions might work. Knowing how to reflash and reverse-engineer the logic, such restrictions can be patched and therefore eliminated.

Errors

Depends on actual implementation, (early) Euro 5 diesel ROM logic:

  • 0 < length ≤ 0x400 (dec 1024) bytes otherwise NRC 31
  • other formats or request message lengths yield NRC 13
NRC (hex) Description
13 Incorrect message length or invalid format
31 Request out of range

Example

Euro 5 diesel (1.5 MiB ROM, SH7059 chip) example – dump beginning at ROM calibration data:

Start address = 0xC0000
Length (per request) = 0x40 = 64 bytes

"23 14 00 0C 00 00 40"
Positive response: "63 <XX XX XX ... total 64 payload bytes ... XX XX>"

"23 14 00 0C 00 40 40"

"23 14 00 0C 00 80 40"

"23 14 00 0C 00 C0 40"

"23 14 00 0C 01 00 40"

Anyone able to confirm that these mode 23 commands and formats are working?

Personal experience on many different control units: Maximizing length per request yields max transfer speed, however application algorithm must be able to handle NRC codes and react properly.

ParsePID

Just published my new little C# project:

ParsePID is a console application to analyse Extended/Enhanced OBD-II mode 22 capabilities, specifically for Subaru diesel and petrol control units supporting this protocol.

Go to http://github.com/SubaruDieselCrew/ParsePID/

  • README document includes demo output, currently for a diesel and petrol model.
  • The project uses published definitions from page Extended OBD-II, saved as CSV (delimiter: tab) format.
  • There is no need to compile the code for yourself if you haven’t got own data.

As always, do not hesitate to provide feedback…

ScoobyRom v0.8.0 Released

New in v0.8.0:
  • Navigation bar visualisation.
  • Additional columns (conversion: Multiplier & Offset or NaN if not used; Axes locations: XPos, YPos)
  • Select all/none
  • RomRaider definitions export: choose whether to export all/selected/annotated tables.
  • Roughly 3 times faster when scanning whole ROM.
  • Lots of misc improvements in code at least…

Go to homepage: ScoobyRom Software
Post software specific feedback there, please!
Also, if you find this software useful consider to “like” above page as minimum feedback and motivation for future work!

Definitions Download for Extended OBD-II

Uploaded first draft of definitions file for diagnostics protocol Extended/Enhanced OBD-II. Should be easy to work with, can export to CSV etc. Everyone is welcome to use the data as long as it is mentioned where it came from.
Also added a few more PIDs in the meantime.
Go to page: Extended OBD-II

ScoobyRom v0.7.1 Released

New in v0.7.1:
  • Dynamically adjust icon size (Ctrl-+, Ctrl--, Ctrl-0)
  • Edit -> Copy Table: Can paste values into existing RomRaider table, spreadsheet (LibreOffice Calc, Microsoft Excel), text editor etc.
  • Miscellaneous improvements as always.
  • Also tested on Windows 10, no changes were necessary.

Go to page: ScoobyRom Software
Enjoy and provide software specific feedback there, please!

ScoobyRom v0.7.0 Released

Go to page: ScoobyRom Software

Enjoy and provide software specific feedback there, please!

Protocols page Extended OBD-II

Added 3 more DPF related PIDs on page Extended OBD-II:

114A Pressure Difference between DPF Inlet and Outlet
1155 Estimated Distance to Oil Change
1156 Running Distance since last DPF Regeneration

Will add some more over time…
Apparently newer petrol models now also use this protocol (exclusively apart OBD-II, no SSM2 anymore ?). Might add petrol specific PIDs in the future.
Also, apps like Torque have been confirmed working with this.
Anyone able to provide any data, testing new or known PIDs, screenshots of software including SSM etc. or spot any issues, please get in touch!