Some services are boring.. like really, really, really, boring.. but others can make the car move gauges or make the car’s warning lights light up. Here is a bit more about these types of services.
Stop Normal Communications (GMLAN and Others):
This service is fun because you can make the Normal Communications (the ECU to ECU communications that occurs normally on the network) stop. Why would such a service exist, mostly to clear the bus for large amounts of data such as when a controller is going to be reflashed over the CAN Bus. On GMLAN this service is 0x28. It does not require any sub-function so an example of this might be: 0x7E0 01 28 00 00 00 00 00 00. This will command the engine controller to stop sending normal communications. Of course you don’t ever want to do this while the car is being driven, but it’s pretty fun to see what happens when you do it!
You will see the Engine Controllers Normal messages virtually disappear. I say virtually because not all messages will go away, some that are mission critical will stay, but a lot of them will not.
This service can also be useful if you want to simulate the messages the ECU would send without removing the power to the controller or cutting the CAN Bus itself.
This service requires that you continually send a Tester Present (0x3E) message periodically (2 seconds is good) in order to maintain this. If you want to return the communications send a Return to Normal message (0x20): 0x7E0 01 20 00 00 00 00 00 00. This will restore communications. Or simply stop sending the Tester Present message and it will automatically restore communications after 3 seconds. Oh what fun you’ll have.
Input/Output Control (ISO 14229 – UDS):
This is pretty much the coolest services ever made. I/O Control is exactly as it sounds, you can command Outputs on the Module to do your bidding. Of course software control will limit your bidding to a safe and secure bidding, but it’s still cool.
I/O Control (Service 0x2F) requires 3 parameters: a DID (Data ID), Control Record, and Control Mask. The DID is a two byte ID for the output (or input) you want to modify. Control Record is what you want the output to do (On/Off, Up/Down, etc.). Control Mask is a bitwise mask of one or more parameters that will be modified. An Example of a I/O Control is something like this: 0x7E0 06 2F 11 22 07 01 00 00 00. Where 0x1122 is the DID, 0x07 is the Control Record, and 0x0100 is the mask. This is not a real function, but you could potentially iterate through all possibilities and wait for the controller to give you a positive response. It would take a while, but it’d be interesting to see what happened…. Right!?
It’s likely that you will get a negative response from the controller 0x7E8 03 7F 2F 13 00 00 00 00, where 0x13 is the Negative Response Code (NRC).
Here are a few possible NRCs you may receive:
• 0x13 – Incorrect Message Length or Invalid Format.
• 0x22 – Condition Not Correct.
• 0x31 – Request Out of Range.
• 0x33 – Security Access Denied.
• 0x80-0xFF – OEM Specific.
Good luck……. .. have fun ..