Skip to Content
UDS Simulator 2.0 Released
DocsLearnUDS Protocol Fundamentals

Protocol Fundamentals

Module 2 of 5 · 2 lessons · ~27 min · ← Back to Learning Hub

Lesson 1: UDS Message Structure

Every UDS message follows a simple, predictable structure. Understanding this structure is the foundation of all UDS work.

Basic Request Format

[SID] [Sub-Function] [Data Bytes...]

Components

1. SID (Service Identifier) — 1 byte

  • Identifies which diagnostic service to execute
  • Range: 0x00–0xFF
  • Examples: 0x10 (Session Control), 0x22 (Read Data), 0x27 (Security Access)

2. Sub-Function — 1 byte (service-dependent)

  • Service-specific parameter
  • The high bit (bit 7) can be set to suppress the positive response
  • Example: For SID 0x10, sub-function 0x03 = Extended Diagnostic Session

3. Data Bytes — variable length

  • Additional parameters specific to the service
  • Can be 0 bytes (e.g., SID 0x3E Tester Present) up to many bytes (e.g., firmware blocks)

Response Formats

Positive Response:

(SID + 0x40) [Response Data...]

The ECU always echoes the SID + 0x40 in byte 0 of a positive response.

Negative Response:

0x7F [Requested SID] [NRC]

Negative responses are always 3 bytes: 0x7F, the original SID, and the NRC (Negative Response Code).

Frame Examples

OperationRequestResponse
Enter Extended Session10 0350 03 00 32 01 F4
Read VIN22 F1 9062 F1 90 57 56 57... (17 VIN bytes)
Request Security Seed27 0167 01 12 34 56 78
Tester Present3E 007E 00
Error: wrong length10 (incomplete)7F 10 13

Multiple DID Read (SID 0x22)

SID 0x22 allows reading multiple Data Identifiers in a single request:

Request:  22 F1 90 F1 8C
          ↑  ↑─────┘ ↑─────┘
         SID  DID 1   DID 2

Response: 62 F1 90 [VIN 17 bytes] F1 8C [serial number bytes]

Suppress Positive Response

Setting bit 7 of the sub-function byte tells the ECU not to send a positive response (useful for reducing bus load):

3E 80   → Tester Present with suppressed positive response (0x00 | 0x80)

The ECU processes the request but sends nothing if it succeeds. It will still send a negative response if the request fails.

Negative Response Codes (NRCs)

NRCNameMeaning
0x10generalRejectRequest rejected for unspecified reason
0x11serviceNotSupportedSID not implemented in this ECU
0x12subFunctionNotSupportedSub-function not valid
0x13incorrectMessageLengthOrInvalidFormatWrong byte count
0x22conditionsNotCorrectPrerequisites not met (wrong session, etc.)
0x24requestSequenceErrorOut-of-order operation
0x31requestOutOfRangeParameter outside valid range
0x33securityAccessDeniedSecurity not unlocked
0x35invalidKeyWrong security key
0x36exceededNumberOfAttemptsToo many failed security attempts
0x37requiredTimeDelayNotExpiredMust wait before retrying
0x78requestCorrectlyReceivedResponsePendingECU needs more time — not an error
0x7EsubFunctionNotSupportedInActiveSessionValid sub-function, wrong session
0x7FserviceNotSupportedInActiveSessionValid service, wrong session

Key Takeaways

  • UDS messages follow SID + sub-function + data bytes structure
  • Positive responses add 0x40 to the request SID
  • Negative responses always start with 0x7F followed by SID and NRC
  • NRC 0x78 (Response Pending) is informational, not an error
  • Bit 7 of sub-function suppresses the positive response

Lesson 2: Timing Parameters

UDS defines precise timing parameters that govern how quickly the ECU must respond and how long a diagnostic session can remain idle.

P2 — Standard Response Time

Definition: Maximum time from the end of a client request to the start of the ECU’s response.

  • Default: 50 ms (0x0032)
  • Reported in: Session Control (0x10) positive response, bytes 2–3
  • Purpose: Ensures timely response for normal synchronous operations

If the ECU cannot respond within P2, it must send NRC 0x78 (Response Pending) to extend the window.

P2* — Enhanced Response Time

Definition: Extended response window granted after the ECU sends NRC 0x78.

  • Default: 5000 ms — encoded at 10 ms resolution (0x01F4 = 500 units × 10 ms)
  • Reported in: Session Control positive response, bytes 4–5
  • Purpose: Allows time for long operations: flash erasure, memory programming, complex routines
  • Usage: The ECU may send multiple NRC 0x78 responses, each one resetting the P2* clock

S3 — Session Timeout

Definition: Maximum idle time before the ECU automatically returns to the Default Diagnostic Session.

  • Typical: 5000 ms (5 seconds)
  • Reset by: Any valid UDS request (including Tester Present 0x3E)
  • Purpose: Safety mechanism — ensures the ECU returns to a safe state if the tester disconnects or crashes

Timing in Practice

Normal request flow:

Client → Request (10 03)
       ← Response (50 03 00 32 01 F4)  [within P2 = 50 ms]

Long operation (flash erase):

Client → Request (31 01 FF 00)
       ← NRC 0x78 (7F 31 78)           [within P2]
       ← NRC 0x78 (7F 31 78)           [within P2*]
       ← Response (71 01 FF 00)        [within P2*]

Session timeout:

Client → Request (10 03)   ← Enter Extended Session
         [5 seconds of silence]
ECU    → Returns to Default Session automatically
Client → Next request      ← Fails with NRC 0x7F (not in extended session)

Reading Timing from the Session Response

When you send 10 03 (Enter Extended Session), the ECU response includes its timing parameters:

50 03 00 32 01 F4
↑  ↑  ↑──┘ ↑──┘
|  |   P2   P2*
|  Session type echo
Response SID (0x10 + 0x40)
  • 00 32 → P2 = 50 ms (50 decimal)
  • 01 F4 → P2* = 500 units × 10 ms = 5000 ms

Maintaining Sessions with Tester Present

To prevent S3 timeout during long user interactions or delays, send Tester Present periodically:

3E 00  → Standard Tester Present (expect positive response 7E 00)
3E 80  → Suppressed Tester Present (no response, reduces bus load)

Best practice: send Tester Present every 2–3 seconds when in a non-default session.

Key Takeaways

  • P2 (50 ms) is the standard response window for most operations
  • P2* (5000 ms) is the extended window triggered by NRC 0x78
  • P2* is encoded at 10 ms resolution in the session response
  • S3 (5000 ms) is the session idle timeout — send Tester Present to keep sessions alive
  • These values are ECU-specific and reported in the SID 0x10 response

Next Steps

Continue to Core UDS Services for detailed coverage of Session Control, Security Access, and DTC reading.

Core UDS ServicesIntroduction to UDS