Introduction

This part of the knowledge base discusses a variety of diagnostic protocols. First, ISO-TP is explained — a protocol layer to send payloads larger than 8 bytes over CAN. ISO-TP is used as a transport layer in many diagnostic protocols. While ISO-TP is the most common transport layer, VW TP2.0 is also used in some Volkswagen vehicles and is explained as well.

Then OBD (On-Board Diagnostics) is discussed — the first standardized diagnostic protocol, intended for emissions-related testing. OBD evolved into OBD-II, which is still in use today. UDS is the most common enhanced diagnostic protocol in modern cars, allowing functionality such as reading live values, running routines, unlocking security levels, and reflashing ECUs. It can also be used over networks other than CAN.

Finally, CCP (CAN Calibration Protocol) and XCP (Universal Measurement and Calibration Protocol) are introduced. These are lower-level debugging interfaces meant for use during final calibration or testing of an ECU. In practice, however, they are sometimes left enabled or can be enabled by an attacker. Both can be used to extract firmware or read RAM, which helps with reverse engineering or exploit development.

Schematic representation of how diagnostic requests are transported using ISO-TP over CAN.
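
The transport shown in the schematic, as an added example that is not part of the original page: ISO-TP segmentation and reassembly of a diagnostic payload on classic 8-byte CAN frames with normal addressing. The function names, the padding byte and the sample payloads are assumptions; the Flow Control frame the receiver sends after a First Frame is left out.

```python
# Added illustration: ISO-TP (ISO 15765-2) framing on classic CAN,
# normal addressing, 8-byte frames. All sample payloads are constructed.

PAD = 0xCC  # padding byte; assumed value, implementations differ


def segment(payload: bytes) -> list[bytes]:
    """Split a diagnostic payload into ISO-TP CAN frame data fields."""
    n = len(payload)
    if not 1 <= n <= 0xFFF:
        raise ValueError("this sketch handles 1..4095 bytes only")
    if n <= 7:  # Single Frame: PCI byte 0x0N, N = payload length
        return [(bytes([n]) + payload).ljust(8, bytes([PAD]))]
    # First Frame: PCI 0x1L LL (12-bit length) followed by 6 data bytes
    frames = [bytes([0x10 | (n >> 8), n & 0xFF]) + payload[:6]]
    seq = 1
    for off in range(6, n, 7):  # Consecutive Frames: PCI 0x2S, S wraps 0..15
        chunk = payload[off:off + 7]
        frames.append((bytes([0x20 | seq]) + chunk).ljust(8, bytes([PAD])))
        seq = (seq + 1) & 0xF
    return frames


def reassemble(frames: list[bytes]) -> bytes:
    """Rebuild the payload, rejecting malformed or out-of-order frames."""
    first = frames[0]
    kind = first[0] >> 4
    if kind == 0:  # Single Frame
        n = first[0] & 0xF
        if not 1 <= n <= 7 or len(frames) != 1:
            raise ValueError("bad single frame")
        return first[1:1 + n]
    if kind != 1:
        raise ValueError("message must start with a Single or First Frame")
    n = ((first[0] & 0xF) << 8) | first[1]
    if n < 8:
        raise ValueError("first frame length too small")
    data, seq = bytearray(first[2:8]), 1
    for f in frames[1:]:
        if f[0] != (0x20 | seq):  # also catches non-CF frames mid-message
            raise ValueError("unexpected sequence number")
        data += f[1:8]
        seq = (seq + 1) & 0xF
    if len(data) < n:
        raise ValueError("message truncated")
    return bytes(data[:n])  # drop padding from the last frame
```

A 3-byte UDS request fits in one Single Frame, while a 20-byte response needs one First Frame and two Consecutive Frames.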