Service Interaction Protocol

Read Memory By Address

0x23

Protocol Identifier

Allows a diagnostic tester to read raw memory content from an ECU at a specific memory address.

Overview

ISO 14229-1

“The ReadMemoryByAddress service is used by the client to request memory data from the server at a specified address with a specified length.”

Use Cases

Reading calibration data
Extracting fault memory buffers
Verifying firmware code integrity
Development and debugging

Dependencies

Extended Session (0x03) usually required
Security Access (0x27) for protected regions
ALFID must match ECU memory architecture

When to Use SID 0x23 vs. Alternatives

Select Your Use Case

Recommended Services for "Verify firmware integrity"

Full Comparison

Attribute	0x23	0x22	0x34
Read Type	📦 Raw	📋 Structured	📦 Raw
Complexity	🔴 high	🟢 low	🔴 high
Default Session	✗ No	✓ Yes	✗ No
Max Read Size	~4KB	~512B	∞ (chunked)

📊 Decision Guide

Use 0x23 (Read Memory): When you know the exact memory address (from data sheet or debugger) and need raw bytes. Best for firmware verification, calibration extraction, and low-level debugging.

Use 0x22 (Read DID): When you want structured data (VIN, ECU ID, sensor values) without knowing memory layout. Best for production diagnostics and when memory addresses are unknown.

Use 0x34 (Download): For bulk firmware transfers. More efficient than repeated 0x23 reads; handles fragmentation automatically.

ALFID Encoding

The Address and Length Format Identifier (ALFID) is a critical byte that specifies how many bytes the ECU should expect for the address and size parameters.

Click to Enlarge

The ALFID byte is split into two nibbles for Length (Bits 7-4) and Address (Bits 3-0).

ALFID	Address Length	Size Length	Architecture
0x11	1 Byte	1 Byte	Small 8-bit MCUs
0x22	2 Bytes	2 Bytes	16-bit addressing
0x44	4 Bytes	4 Bytes	Typical 32-bit systems
0x24	4 Bytes	2 Bytes	32-bit addr, 64KB max read

Message Format

Request Structure

Byte	Field	Value	Description
0	SID	0x23	Read Memory By Address
1	ALFID	0xNN	Specifies format of next fields
2-N	Address	Variable	Memory address to read
N+1-M	Size	Variable	Number of bytes to read

Response Structure

Byte	Field	Value	Description
0	Response SID	0x63	Positive Response
1-N	Data Record	Variable	Requested memory content

Interactive Message Constructor

Build a valid request message by selecting ALFID and entering memory address and size. See the hex output update in real time.

ALFID Quick-Picker

Memory Address (Hex)

Byte Count (Hex)

Message Frame

SID

ALFID

Addr[0]

Addr[1]

Addr[2]

Addr[3]

Size[0]

Size[1]

Size[2]

Size[3]

Complete Message Hex

23 44 00 10 00 00 00 00 00 10

Total: 10 bytes (1 SID + 1 ALFID + 4 addr + 4 size)

✓ Valid request structure. ALFID match confirmed.

Request Examples

32-bit Standard Read

tx_packet

Request

23 44 00 10 20 30 00 00 00 10

> Read 16 bytes (0x10) from 0x00102030

rx_packet

Response

63 AA BB CC DD EE FF 11 22 33 44 55 66 77 88 99 00

> Memory Data returned

Short Address Format

tx_packet

Request

23 22 10 00 00 04

> ALFID 0x22: 2-byte addr, 2-byte size

rx_packet

Response

63 12 34 56 78

> 4 bytes returned

Session State Requirements

SID 0x23 is only available in specific diagnostic sessions. Default session rejects all memory read attempts.

Session Type	SID 0x23 Allowed?	Security Available?	Typical Use Case
Default (0x01)	✗ No	✗ No	Post-reset state; no memory access
Extended (0x03)	✓ Yes	✓ Yes	Standard diagnostics; most reads here
Programming (0x02)	✓ Yes	✓ Yes (Level 0-3)	Firmware/calibration programming

⏱️ Session Timeout Behavior

Timeout Duration: Typically 5000ms (5 seconds) after last diagnostic request
Auto-Reversion: Session automatically reverts to Default (0x01) on timeout
Timer Reset: Any valid request (including 0x3E Tester Present) resets the timeout
Long Operations: Use SID 0x3E (Tester Present) every 2-3 seconds to keep session alive

Interactive Session Simulator

Switch between sessions and watch the 5-second timeout countdown. See why NRC 0x22 occurs when session times out.

Diagnostic Session Type

💡 How This Works

1. Switch Sessions: Click Extended (0x03) to enter diagnostics mode where SID 0x23 is allowed.
2. Timer Starts: A 5-second countdown begins. Any valid request resets it.
3. Send Requests: Use "Send Request" to simulate sending a request and reset the timer.
4. Watch Timeout: If you wait 5 seconds without a request, session reverts to Default automatically.

✗ SID 0x23 blocked in Default session. Switch to Extended (0x03) first, or you will get NRC 0x22.

Security Behavior & Memory Protection

Protected memory regions require Security Access (SID 0x27) before reads are allowed. Security state is hierarchical—unlock Level 1 to access Level 0 & 1 regions.

Security Level Requirements by Region

Memory Region	Security Level	Unlock Command	Access Requirements
Public Calibration	Level 0	None	Extended Session only
Flash Code (OEM)	Level 1	SID 0x27 0x01/0x02	Extended Session + Unlock
OEM Calibration	Level 1	SID 0x27 0x01/0x02	Extended Session + Unlock
Security Keys	Level 2	SID 0x27 0x03/0x04	Programming Session + Unlock
Bootloader	Level 3	SID 0x27 0x05/0x06	Programming Session + Unlock

🔐 Security Timeout & Expiration

Timeout: Security access expires after 5000ms if no request received
Session Change: Changing sessions (SID 0x10) clears all security unlocks
ECU Reset: Any reset returns security to locked state (🔒)
Multi-Level Security: Each level must be individually unlocked; Level 2 does not auto-unlock Level 1

Interactive Seed-Key Exchange

Perform the seed-key exchange for each security level. Request a seed, calculate the key, and submit it within the 5-second window.

Security Level to Unlock

Seed-Key Exchange Flow

Step 1: Request Seed[27 01]

Click to start seed request

🔐 Security Levels Overview

Level 1: OEM Flash & Calibration (subfuncs: 0x01/0x02)

Level 2: Security Keys & Certificates (subfuncs: 0x03/0x04)

Level 3: Bootloader & Core (subfuncs: 0x05/0x06)

💡 Each level must be explicitly unlocked. Level 3 unlock does NOT automatically unlock Level 1–2.

Service Dependencies & Relationships

SID 0x23 integrates with other services to enable complete memory diagnostics. Understanding these relationships is key to building robust workflows.

SID	Service	Relationship	Purpose
0x10	Diagnostic Session Control	REQUIRED	Switch to Extended (0x03) or Programming (0x02) session first
0x27	Security Access	CONDITIONAL	Unlock protected memory regions via seed-key exchange
0x3E	Tester Present	SUPPORTING	Send periodically (every 2-3s) to prevent session timeout during long operations
0x3D	Write Memory By Address	COMPLEMENTARY	Read-Modify-Write workflows; opposite operation of 0x23
0x22	Read Data By Identifier	ALTERNATIVE	Structured read by DID; use when memory layout unknown
0x34	Request Download	ALTERNATIVE	Bulk download for large firmware; more efficient for huge transfers

📊 Typical Call Sequence

1. [10 03] ← Enter Extended Session

2. [27 01] [27 02] ← Optional: Unlock security if needed

3. [23 44 …] ← Read memory

4. [3E 80] (loop) ← Optional: Keep-alive every 2-3s for long ops

Complete Workflow Examples

Real-world scenarios showing proper session and security handling. Click through each scenario step-by-step to understand the complete flow.

Workflow Scenarios

Goal

Extract 256 bytes of public calibration from 0x00100000

Precondition

ECU in Default Session

Message Sequence (0 / 4)

💡 How to Use

Select a scenario to see how requests and responses flow
Click Play to step through the workflow at your pace
Read the notes for each message to understand timing and state changes
Try all three scenarios to learn: public reads, security unlocks, and timeout handling

Timing Parameters

Understanding ECU Response Timing:

P2 (standard response): 50ms — normal request/response cycle
P2* (enhanced response): 5000ms — for slow operations (memory reads from flash)
Session timeout: 5000ms — reset on any valid request or keep-alive (0x3E)
Security timeout: 5000ms — from seed request to key submission
Maximum single read: 4095 bytes (depends on ECU buffer size)

Interactive Timing Diagram

Watch a 4KB read operation unfold in real time (or 4x/8x speed). See where keep-alive messages are needed and how timeout is prevented.

Speed:

0.0s / 6.0s

Request-Response Timing

0.0s[10 03] Enter Extended

⏱️ Timing Rules

P2 (Standard Response): 50ms — used for quick services (session control, identification)

P2* (Enhanced Response): 5000ms — used for slow operations (memory reads, large transfers)

Tester Present (0x3E): Send every 2–3s during long operations to prevent S3 timeout

S3 Timeout: 5000ms — session automatically reverts to Default if no request received

What's Happening in This Diagram

This scenario shows reading 4KB of data. The operation would take ~1 second if uninterrupted. However, S3 timeout fires after 5 seconds of inactivity. The diagram shows:

Session entered at 0.2s (starts 5s timeout counter)
Read request sent at 1.0s (resets timeout)
Keep-alive sent at 2.0s and 4.0s (keeps session alive)
Read completes at 5.2s (before timeout at 5.2s mark)
Without keep-alives, timeout would fire at 5.2s and revert session

Negative Response Codes

EXCEPTION_MATRIX_V3

Diagnostic_Context

The request message length does not match the ALFID specification, or ALFID nibbles are invalid (must be 1-15).

Technical_Significance & Trigger

This negative response indicates a failure in processing the Read Memory By Address request. Ensure all pre-conditions and active sessions match the requirements defined by ISO 14229.

Execution_Trace

Tester → ECU

Read (23 44 00 10 20 00 00 10) — Only 3 addr bytes but ALFID says 4

ECU → Tester

NRC 0x13 — Length mismatch

Troubleshooting Common Issues

NRC Decoder Tool

Paste a negative response hex (e.g., “7F 23 22”) to decode the NRC and see root cause analysis with step-by-step fixes.

Paste NRC Response Hex

Format: "7F 23 XX" where XX is the NRC code. Spaces optional.

Enter a negative response hex to diagnose the root cause.

❌ Intermittent NRC 0x22 (Conditions Not Correct)

Root Causes to Check:

Session Timeout: No request sent for 5+ seconds → session reverts to Default (0x01).
💡 Fix: Send [3E 80] (Tester Present) every 2-3 seconds
Voltage Issue: ECU power supply unstable.
💡 Fix: Stabilize power supply to ECU
ECU Busy: ECU performing other critical operation.
💡 Fix: Wait 100-500ms and retry

❌ NRC 0x31 on What Looks Like Valid Address

Root Causes to Check:

Region Boundary Crossing: Read spans two memory regions (Flash → Calibration).
💡 Fix: Keep read within single region; split into two reads at boundary
Integer Overflow: Address + Size wraps around (e.g., 0xFFFFFFF0 + 0x20).
💡 Fix: Reduce size or use lower address
Vendor Memory Map: ECU has custom reserved regions not in standard layout.
💡 Fix: Consult ECU memory map documentation

❌ NRC 0x33 Persists After Security Unlock

Root Causes to Check:

Security Timeout Expired: Too much time between seed request and key submission (5s limit).
💡 Fix: Speed up key calculation or request new seed
Wrong Security Level: Memory needs Level 2, but only Level 1 is unlocked.
💡 Fix: Perform [27 03] [27 04] for Level 2 unlock
Session Changed: [10 xx] was called after security unlock → cleared all locks.
💡 Fix: Don’t change sessions; if needed, re-unlock after change

Address Validation Rules

Before reading memory, the ECU validates the address range against the memory map. Understanding these rules prevents NRC 0x31 errors.

Validation Check	Condition	Failure Response
Size is valid	Size must be > 0	NRC 0x31
No overflow	Address + Size must not wrap around	NRC 0x31
Region found	Address must fall in a readable memory region	NRC 0x31
Single region	Address range must not span multiple regions	NRC 0x31
Region readable	Memory region must have read permission	NRC 0x31

Interactive Address Validator

Enter a start address and byte count to test if the read is valid. Watch the memory map visualize your requested range and check for boundary violations.

Start Address (Hex)

= 1048576 decimal

Byte Count (Hex)

= 256 decimal

Memory Map (4 MB View)

Reserved0x00000000 — 0x00000FFF

Public

Flash Code0x00001000 — 0x000FFFFF

Sec Lvl 1

Calibration0x00100000 — 0x001FFFFF

Public

Reserved0x00200000 — 0x002FFFFF

Public

RAM0x00300000 — 0x003FFFFF

Public

✓

Valid read range. No security unlock required.

Memory Regions in This Simulator

Reserved: None (read fails)

Flash Code: Read

Calibration: Read (public)

Reserved: None

RAM: Read (public)

💡 Try These

ECU Memory Map Explorer

Different ECU architectures have different memory layouts. Use this explorer to understand the memory map of various ECU types and where SID 0x23 can and cannot read.

ECU Architecture

Memory Layout (8-bit MCU)

Flash Program

0x00008000 – 0x0000FFFF

32.0 KB

EEPROM

0x00004000 – 0x0000407F

0.1 KB

RAM

0x00000000 – 0x00001FFF

8.0 KB

Visual Layout

Flash Program0.03 MB

Flash Program

EEPROM0.00 MB

EEPROM

RAM0.01 MB

RAM

Legend

Secure (Level 1+)

Public/Open

Working Memory

Bootloader/Core

💡 Tips

Click a region to see its address range and security requirements
Use ALFID 0x11 for SID 0x23 requests on this architecture
Each region shown requires different security levels; check before reading
Real ECUs may have different memory maps; always verify with the data sheet