
Service Interaction Protocol

Security Access

0x27
Protocol Identifier
Enables unlocking of protected ECU features via a challenge-response (Seed & Key) mechanism.
A Service Identifier (SID) is a single-byte value (0x00–0xFF) in position 0 of every UDS request frame. It specifies which diagnostic operation the client wants the ECU to execute. The positive response echoes the SID with 0x40 added (bit 6 set), so a 0x27 request is answered with 0x67.

CHALLENGE_TYPE

SEED_KEY
Dynamic 4-byte seed generation ensures protection against replay attacks.

SECURITY_TIERS

LEVELS_1-5
Scalable security model where higher levels unlock more critical ECU functions (e.g. Flashing).

ANTI_BRUTE

TIMEOUT
Hard-coded delays and attempt limits prevent rapid automated hacking attempts.

Overview

ISO 14229-1

“The client uses this service to unlock and access secured functions and data on the server by passing a security challenge.”

Many critical UDS services (like Write Data (0x2E), Routine Control (0x31), and Download (0x34)) are restricted until a specific security level is unlocked.

Default Behavior

At system startup or after a diagnostic session transition (e.g., from Extended to Default), the ECU security status resets to Locked. Access to restricted services requires a successful challenge-response exchange using service 0x27. A seed of 0x0000… from the ECU indicates the requested security level is already unlocked.

Protocol Anatomy (Request Seed L1)

[Interactive frame view: REQUEST_TX 0x27 SECURITY ACCESS, RESPONSE_RX 0x27 RESPONSE]

Security Levels

Security levels are defined by Sub-Functions. An odd Sub-Function number is used to Request a Seed, and the following even number is used to Send the Key.

Visualizing the tiered security structure and the services they unlock.

| Level | Seed SF | Key SF | Typical Purpose |
|---|---|---|---|
| Level 1 | 0x01 | 0x02 | Standard Access (Config, Clearing History) |
| Level 3 | 0x03 | 0x04 | Programming / Flashing (Requires Prog. Session) |
| Level 5 | 0x05 | 0x06 | Supplier / Engineering Access |
| OEM Specific | 0x61... | 0x62... | Custom OEM-defined security tiers |

Seed & Key Logic

Workflow: Challenge-Response Sequence (4 steps, Tester and ECU)

Step 1: Request Seed
  • Request (Tester to ECU): 27 01 (Request Seed for Level 1)
  • Response (ECU to Tester): 67 01 4A 2B 9C 1D (Seed = 0x4A2B9C1D)

Step 2: Send Key
  • Request (Tester to ECU): 27 02 [Calculated Key] (Tester sends key derived from seed)
  • Response (ECU to Tester): 67 02 (Security Access Granted)

Timers & Lockouts

Anti-Brute Force Protection
  • Attempt Counter: Typically allows 3 consecutive failed attempts.
  • Delay Timer: After 3 failures, the ECU enters a Time Penalty state (e.g., 10 seconds).
  • NRC 0x36: Returned when attempts are exceeded.
  • NRC 0x37: Returned if you try again before the timer expires.
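
The seed/key exchange and the lockout rules above, as an added ECU-side example (not code from the UDS Simulator project). The class name `SecurityAccess`, the truncated-HMAC key derivation, and the counter restarting after the penalty are assumptions; NRCs 0x12, 0x13, 0x24 and 0x35 are ISO 14229-1 codes that this section does not list.

```python
import hashlib, hmac, os, time

SID, POS, NEG = 0x27, 0x67, 0x7F            # request SID, SID + 0x40, negative response
NRC_SUBFUNC, NRC_LENGTH, NRC_SEQUENCE = 0x12, 0x13, 0x24
NRC_INVALID_KEY, NRC_ATTEMPTS, NRC_DELAY = 0x35, 0x36, 0x37
MAX_ATTEMPTS, PENALTY_S = 3, 10.0           # the page's example values

class SecurityAccess:
    """ECU-side handler for Level 1 (seed SF 0x01, key SF 0x02)."""

    def __init__(self, secret, clock=time.monotonic, rng=os.urandom):
        self.secret, self.clock, self.rng = secret, clock, rng
        self.unlocked, self.seed, self.fails, self.locked_until = False, None, 0, 0.0

    def expected_key(self, seed):
        # Assumption: truncated HMAC-SHA256 stands in for the OEM key algorithm.
        return hmac.new(self.secret, seed, hashlib.sha256).digest()[:4]

    def handle(self, req):
        if len(req) < 2 or req[0] != SID:
            return self._neg(NRC_LENGTH)
        sf = req[1]
        if sf not in (0x01, 0x02):
            return self._neg(NRC_SUBFUNC)
        if len(req) != (2 if sf == 0x01 else 6):
            return self._neg(NRC_LENGTH)
        if self.clock() < self.locked_until:
            return self._neg(NRC_DELAY)      # penalty timer still running
        if sf == 0x01:                       # Request Seed
            if self.unlocked:
                return bytes([POS, sf, 0, 0, 0, 0])   # zero seed: already unlocked
            self.seed = self.rng(4)
            while not any(self.seed):        # zero is reserved for "unlocked"
                self.seed = self.rng(4)
            return bytes([POS, sf]) + self.seed
        if self.seed is None:                # Send Key with no pending seed
            return self._neg(NRC_SEQUENCE)
        seed, self.seed = self.seed, None    # each seed is single use
        if hmac.compare_digest(req[2:], self.expected_key(seed)):
            self.unlocked, self.fails = True, 0
            return bytes([POS, sf])
        self.fails += 1
        if self.fails < MAX_ATTEMPTS:
            return self._neg(NRC_INVALID_KEY)
        # Assumption: the counter restarts once the penalty is served.
        self.fails, self.locked_until = 0, self.clock() + PENALTY_S
        return self._neg(NRC_ATTEMPTS)

    def _neg(self, nrc):
        return bytes([NEG, SID, nrc])
```

Injecting `clock` and `rng` lets a test bench replay the page's seed 4A 2B 9C 1D and step through the 10-second penalty without waiting.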

Negative Response Codes

Threat level: 1 Critical, 5 High, 3 Medium (9 NRCs total). Reference: ISO 14229, Annex A.