Skip to Content
UDS Simulator 2.0 Released

Docs baseline actions

Copy this page URLEdit page
Docs0x22 Read Data By Identifier

Service Interaction Protocol

Read Data By Identifier

0x22
Protocol Identifier
The standard service for requesting data values from the ECU using 16-bit Data Identifiers (DIDs).

Overview

ISO 14229-1

“The client uses this service to request data record values from the server by one or more data identifiers.”

Unlike services with Sub-Functions (like 0x10 or 0x19), this service relies entirely on Data Identifiers (DIDs) to define the data content. A DID is a 2-byte (16-bit) identifier representing a specific piece of ECU data: VIN, sensor values, calibration parameters, fault codes, or configuration data.

Key Characteristics

  • Multiple DIDs: Request 1–N identifiers in single message
  • No Sub-Functions: Service behavior driven by DID content
  • DID Echo: ECU repeats requested DIDs in response
  • Session-Dependent: Access varies by diagnostic session
  • Security-Protected: Some DIDs require unlock (SID 0x27)
  • Condition-Aware: NRC 0x22 when vehicle conditions unmet

Common Use Cases

  • Vehicle ID: Read VIN, serial numbers, versions
  • Live Data: Monitor sensors (temp, RPM, speed)
  • Diagnostics: Collect fault codes and DTC info
  • Calibration: Read/verify tuning parameters
  • Status Check: Programming state, system health
  • Compliance: Verify ECU configuration compliance

Message Structure

SID 0x22 frames are compact: one service byte followed by one or more 2-byte DID pairs. The positive response echoes each DID header before its data. Click any byte field below to inspect its role.

Message Frame
DID
Vehicle ID Number (VIN)
REQUEST BYTES

Tap any byte to inspect its field definition.

Request (0x22)

22DID1_HiDID1_Lo[DID2…]

Requests can contain multiple 2-byte DIDs.

Response (0x62)

62DID1_HiDID1_LoDATA…DID2…

DIDs are echoed back before their respective data.

Data Identifier (DID) Ranges & Categories

DIDs are organized into ISO 14229-defined ranges. Search and filter the catalog below, then click any entry for session, security, and data-size details.

DID Explorer22 identifiers
22 DIDs

Multi-DID request: SID 0x22 supports multiple DIDs per frame — 22 F1 90 F1 8C F1 89 reads VIN + Serial + SW Version at once.

Note: 0xF200–0xF2FF (Periodic) is for SID 0x2A (Read Data By Periodic Identifier) only. SID 0x22 should NOT be used with periodic DIDs.

Session & Security Requirements

DID access is gated by both session type and security level. Use the filter buttons to explore which DID categories are reachable from each session, then click any row for the full requirement note.

Session & Security Matrix
DID CategoryDEFAULTEXTENDEDPROGRAMMING
Vehicle ID
0xF190–0xF19F
Open
Open
Open
i
ECU ID / Versions
0xF180–0xF18F, 0xF1A0–0xF1EF
Open
Open
Open
i
Active Session DID
0xF186
Open
Open
Open
i
OBD / Emissions
0xF400–0xF4FF
Open
Open
Denied
i
Live Sensor Data
0x0100–0x0FFF (typical)
Denied
Session
Denied
i
Manufacturer Calibration
0x1000–0xEFFF (OEM)
Denied
Secured
Secured
i
Programming Status
0xF0xx, 0xF1F0–0xF1FF
Denied
Denied
Session
i
Immobilizer / Security Keys
0xFXXX (OEM)
Denied
Denied
Secured
i

Security Unlock Flow: To access secured DIDs, first unlock using SID 0x27 (Security Access). Request seed → calculate key using proprietary algorithm → send key. Security auto-locks on session change or timeout (~5 seconds).

Service Dependencies

SID 0x22 depends on several other services to work correctly. Click any service card to see why it matters, what happens if skipped, and example hex sequences.

Service Interaction Map
SID
0x22
ReadDataByIdentifier

Lookup Logic

A single request can contain multiple DIDs. The ECU processes each identifier, fetches the data from the internal mapping engine, and concatenates the results in the response.

UDS DID Mapping and Retrieval Engine
Click to Enlarge

How the ECU resolves 16-bit identifiers to internal memory locations.

Example 1: Read VIN (0xF190)
tx_packet

Request

22 F1 90

> Get Vehicle Identification Number

rx_packet

Response

62 F1 90 31 42 41...

> Returns '1BA...' (ASCII Encoded)

Example 2: Multiple Identifiers
tx_packet

Request

22 12 34 56 78

> Read DID 0x1234 AND 0x5678

rx_packet

Response

62 12 34 [Data1] 56 78 [Data2]

> DIDs are interleaved with their data

Timing Parameters

The UDS protocol defines timing windows for request/response. Understanding these ensures reliable communication.

P2 Timer

Default response timeout

50 ms

Maximum time ECU has to begin sending response after receiving request. Can be adjusted via SID 0x83 (AccessTimingParameter).

P2* Timer

Extended timeout (Response Pending)

5000 ms

Used when ECU sends NRC 0x78 to indicate it needs more time. ECU will send final response within P2* after NRC 0x78.

Response Pending Flow (NRC 0x78)

3 steps
Tester
ECU

Negative Response Codes

The ECU returns a negative response (0x7F) when SID 0x22 cannot be processed. The third byte indicates the specific error (NRC).

EXCEPTION_MATRIX_V3

Diagnostic_Context

Request length is not (1 + 2N) bytes where N = number of DIDs. Missing high/low byte of DID, or empty request.

Technical_Significance & Trigger

This negative response indicates a failure in processing the Read Data By Identifier request. Ensure all pre-conditions and active sessions match the requirements defined by ISO 14229.

Execution_Trace
Tester → ECU
22 F1
ECU → Tester
NRC 0x13
Note →
Missing low byte of DID 0xF1xx
Quick NRC Reference
0x13 → Check message format (1 + N×2 bytes)
0x14 → Request fewer DIDs per message
0x22 → Check vehicle conditions (speed, gear, voltage)
0x31 → Verify DID exists in ODX/CDD
0x33 → Unlock security (SID 0x27)
0x7F → Switch session (SID 0x10)
0x78 → Wait P2* timeout, don’t retry

Complete Workflow Examples

Step through real-world diagnostic workflows showing how SID 0x22 interacts with session control, security access, and TesterPresent. Select a workflow and press Run.

Workflow Simulator

Read VIN and ECU identification from DEFAULT session — no session change or security required.

Press "Run Simulation" to step through the message exchange.

Best Practices & Troubleshooting

Implementation guidance organized by concern area. Each practice includes context, timing notes, related NRCs, and code examples. The troubleshooting table maps common failure symptoms to root causes and fixes.

Best Practices

Click any category to explore implementation details, when to apply each practice, and related error codes.

Troubleshooting
SymptomNRCRoot CauseFix
No response from ECUECU not powered, wrong CAN address, or wrong transport layer (ISO 15765 vs. ISO 14230)Verify physical layer first; confirm target address in ODX; check bit-rate
7F 22 13 received0x13Request byte count is not 1 + N×2 — DID truncated in last pairEnsure each DID contributes exactly 2 bytes; check for off-by-one in loop
7F 22 31 received0x31DID not present in ECU DID table — often a wrong ECU variant or typoCross-reference ODX/CDD for exact DID address; use 0xF186 to confirm ECU identity first
7F 22 7E received0x7EDID requires EXTENDED or PROGRAMMING session but tool is in DEFAULTSend SID 0x10 0x03 (EXTENDED) or 0x10 0x02 (PROGRAMMING) before retrying
7F 22 33 received0x33DID is security-locked; correct session is active but SID 0x27 has not been completedExecute full SID 0x27 seed/key exchange at required security level before retry

ISO 14229-1 Reference

Standard: ISO 14229-1:2020

Section: 9.2 - ReadDataByIdentifier (0x22) service

Related Sections:

• Section 6.2: Data Identifier Definition

• Section 8.2: Diagnostic Session Control (SID 0x10)

• Section 8.6: Security Access (SID 0x27)

• Annex A: Data Identifier Ranges

• Annex C: Negative Response Code Definitions

0x19 Read DTC Information0x23 Read Memory By Address