
Service Interaction Protocol

Security Access

Protocol Identifier: 0x27

Enables unlocking of protected ECU features via a challenge-response (Seed & Key) mechanism.

Overview

ISO 14229-1

“The client uses this service to unlock and access secured functions and data on the server by passing a security challenge.”

Many critical UDS services (like Write Data (0x2E), Routine Control (0x31), and Download (0x34)) are restricted until a specific security level is unlocked.

Sub-Functions & Security Levels

Security levels are defined by Sub-Functions. Odd numbers are used to Request Seeds, while the following even number is used to Send Keys. Use the explorer below to understand the available levels and their sub-function byte encoding.

SID 0x27 SubFunction Explorer

Standard levels use odd/even pairing (0x01/0x02 for Level 1, 0x03/0x04 for Level 2, etc.).

Selected Level Details
Description: Level 1: OEM Flash & Calibration
Seed SubFunction: 0x01
Key SubFunction: 0x02

💡 Odd subfunctions (0x01, 0x03, 0x05) request seeds. Even subfunctions (0x02, 0x04, 0x06) submit keys. OEM levels follow the same pattern with higher values (0x05/0x06, 0x07/0x08, 0x09/0x0A).

📋 ISO 14229-1 Reference

SID 0x27 (SecurityAccess) uses subfunctions to request seeds and submit keys. The odd/even pairing is fundamental: odd subfunctions always request a seed, even subfunctions always submit a key for the corresponding level.

Seed & Key Logic

The two-stage challenge-response process for unlocking security.

Step 1: Request Seed

Request: 27 01
> Request Seed for Level 1

Response: 67 01 4A 2B 9C 1D
> Seed = 0x4A2B9C1D

Step 2: Send Key

Request: 27 02 [Calculated Key]
> Tester sends key derived from seed

Response: 67 02
> Security Access Granted

Message Formats

Security Access messages follow a strict byte-level structure. Use the explorer below to understand the exact format of seed requests, key submissions, and responses.

Request Seed (Odd Sub-Function): 0x27 0x01

Session & Security Requirements

Security Access (0x27) is only available in specific diagnostic sessions. Changing sessions automatically resets all security levels to LOCKED.

0x01 Default: No Access
0x03 Extended: L1 Available
0x02 Programming: L1–L3 Available

⚠️ Critical Rule

Changing the diagnostic session automatically resets ALL security levels to LOCKED. You must re-unlock after any session change.

Live Simulation

Try the full seed-key exchange mechanism interactively. Select a security level, request a seed, compute the key, and see how the ECU validates your response.


Security State Machine

The security subsystem transitions through four discrete states: LOCKED → SEED_REQUESTED → UNLOCKED, with a LOCKED_OUT state for brute-force protection. Try the interactive simulator below to explore all state transitions.

LOCKED: No access. Security level locked.
SEED REQUESTED: 5-second window to send valid key.
UNLOCKED: Access granted. 5s inactivity timeout (S3).
LOCKED OUT: 3+ failed attempts. Power cycle or wait 10min.

Timers & Lockout Protection

Security Access uses three independent timers to prevent brute-force attacks and manage session state. Explore the interactive simulators below to understand how they work.

Seed Timeout (5.0s): Triggered by "Request Seed", reset by successful key submit
S3 Session Timeout (5.0s): Triggered by entering Extended Session, reset by TesterPresent
Delay Timer (10.0s): Triggered by invalid key attempt, blocks new seed requests
⚡ Timer Interactions:
• Seed timeout (5s) starts on "Request Seed", stops when key is sent
• S3 timeout (5s) manages extended session inactivity
• Delay timer (10s) enforces rate limiting after wrong key
ℹ️ Lockout Rules:
• First wrong key (Attempt 1) → NRC 0x35, 10s delay
• Second wrong key (Attempt 2) → NRC 0x35, 10s delay
• Third wrong key (Attempt 3) → NRC 0x36, ECU LOCKED OUT
• Locked-out ECU requires power cycle or ~10min timeout
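
An ECU-side implementation of the state machine, timers and lockout rules above, as an added example that is not the simulator's own code. The HMAC-based `expected_key`, the `SECRET` value and all class and function names are assumptions (the page defines no key algorithm); NRCs 0x24 and 0x37 and the all-zero seed for an already unlocked level come from ISO 14229-1, not from this page. Only Level 1 is modelled and the caller supplies the clock.

```python
import hashlib
import hmac
import secrets

SEED_TIMEOUT_S, DELAY_S, LOCKOUT_S, MAX_ATTEMPTS = 5.0, 10.0, 600.0, 3  # from the page
SECRET = b"constructed-demo-secret"  # assumption: the page defines no key algorithm

def expected_key(seed: bytes) -> bytes:
    # Placeholder derivation (truncated HMAC-SHA256), not any OEM's algorithm.
    return hmac.new(SECRET, seed, hashlib.sha256).digest()[:4]

def neg(nrc: int) -> bytes:
    return bytes([0x7F, 0x27, nrc])

class SecurityAccess:
    """Level 1 only (0x01/0x02). The caller passes the current time in seconds."""

    def __init__(self):
        self.state, self.seed, self.seed_at = "LOCKED", b"", 0.0
        self.attempts, self.blocked_until = 0, 0.0

    def on_session_change(self):
        self.state, self.seed = "LOCKED", b""  # any session change relocks

    def handle(self, req: bytes, now: float) -> bytes:
        if len(req) < 2 or req[1] not in (0x01, 0x02):
            return neg(0x12)  # sub-function not supported
        if now < self.blocked_until:
            return neg(0x37)  # requiredTimeDelayNotExpired: delay or lockout running
        if self.state == "LOCKED_OUT":  # lockout period has elapsed
            self.state, self.attempts = "LOCKED", 0
        if req[1] == 0x01:
            if self.state == "UNLOCKED":
                return bytes([0x67, 0x01, 0, 0, 0, 0])  # zero seed: already unlocked
            self.state, self.seed, self.seed_at = "SEED_REQUESTED", secrets.token_bytes(4), now
            return bytes([0x67, 0x01]) + self.seed
        if self.state != "SEED_REQUESTED" or now - self.seed_at > SEED_TIMEOUT_S:
            self.state = "LOCKED" if self.state == "SEED_REQUESTED" else self.state
            return neg(0x24)  # requestSequenceError: no live seed for this key
        seed, self.seed = self.seed, b""  # a seed is single-use
        if hmac.compare_digest(req[2:], expected_key(seed)):
            self.state, self.attempts = "UNLOCKED", 0
            return bytes([0x67, 0x02])
        self.attempts += 1
        locked_out = self.attempts >= MAX_ATTEMPTS
        self.state = "LOCKED_OUT" if locked_out else "LOCKED"
        self.blocked_until = now + (LOCKOUT_S if locked_out else DELAY_S)
        return neg(0x36 if locked_out else 0x35)
```

Because the seed is random and consumed on the first key submission, a recorded key cannot be replayed against a later seed.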

Timing Constraints

Security Access respects the standard UDS timing parameters. Responses must arrive within specific windows.

Parameter | Typical Value | Usage
P2 | 50 ms | Seed/Key response deadline (response before 50ms)
P2* | 500 ms | Extended response window (if NRC 0x78 sent)
S3 | 5 seconds | Session timeout (inactivity resets to Default)
Seed Timeout | 5 seconds | Time to send key after receiving seed
Delay Timer | 10 seconds | Lockout after invalid key attempt
Lockout Period | ~10 min | Time before counter resets (varies by ECU)

NRC 0x78 (Response Pending): If processing takes longer than P2, the ECU sends 0x7F 0x27 0x78 to signal continued processing. The client should wait up to P2* for the actual response.

Protected Services Overview

Many critical UDS services require Security Access to be unlocked first. Here are the most common ones:

0x2E WriteDataByIdentifier

Write protected configuration DIDs (Security Level 1-3)

Protected DIDs: 0xF18C (ECU Serial), 0xF190 (VIN), 0xF198 (Supplier ID)

0x31 RoutineControl

Execute protected routines (Security Level 1-3)

Protected Routines: 0xFF00 (Erase Memory), 0xFF01 (Check Dependencies), 0x0203 (Check Preconditions)

0x34 RequestDownload

Initiate software flash/download (Security Level 2-3)

Requires: Programming Session (0x02) + Security Level 2+

0x35 RequestUpload

Extract calibration data or logs (Security Level 2-3)

Sensitive operation requiring elevated security

0x14 ClearDiagnosticInformation

Clear DTCs (Diagnostic Trouble Codes) - Security Level 1

Requires: Extended Session (0x03) + Security Level 1

0x85 ControlDTCSetting

Disable/Enable DTC storage during testing - Security Level 1

Prevents false DTCs during development

Negative Response Codes

NRC 0x12

Diagnostic context: Requested a security level that does not exist.

Technical significance and trigger: This negative response indicates a failure in processing the Security Access request. Ensure all pre-conditions and active sessions match the requirements defined by ISO 14229.

Execution trace:
Tester → ECU: 27 09
ECU → Tester: NRC 0x12
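
A decoder for the request, positive-response and negative-response formats shown on this page, with a summary over a captured exchange, as an added example that is not part of the simulator. The function names and the trace are constructed (only `27 01`, `67 01 4A 2B 9C 1D`, `67 02` and `27 09` are the page's own frames); the NRC names and the masking of sub-function bit 7 follow ISO 14229-1.

```python
NRC = {0x12: "subFunctionNotSupported", 0x35: "invalidKey",
       0x36: "exceededNumberOfAttempts", 0x78: "responsePending"}


def decode(frame: str) -> dict:
    """Decode one SID 0x27 request or response given as a hex string."""
    b = bytes.fromhex(frame)
    if len(b) >= 3 and b[0] == 0x7F and b[1] == 0x27:
        return {"kind": "negative", "nrc": b[2], "name": NRC.get(b[2], "unknown")}
    if len(b) < 2 or b[0] not in (0x27, 0x67):
        raise ValueError(f"not a SecurityAccess frame: {frame!r}")
    sub = b[1] & 0x7F  # bit 7 is the suppress-positive-response flag
    level = (sub + 1) // 2  # 0x01/0x02 -> level 1, 0x03/0x04 -> level 2, ...
    if b[0] == 0x27:  # request from the tester
        kind = "request_seed" if sub % 2 else "send_key"
    else:  # 0x67 = 0x27 + 0x40, positive response from the ECU
        kind = "seed" if sub % 2 else "key_accepted"
    return {"kind": kind, "level": level, "data": b[2:].hex().upper()}


def audit(trace: list[str]) -> dict:
    """Summarise a captured exchange: unlocked levels, failed keys, lockout."""
    out = {"unlocked": set(), "invalid_keys": 0, "locked_out": False}
    for frame in trace:
        msg = decode(frame)
        if msg["kind"] == "key_accepted":
            out["unlocked"].add(msg["level"])
        elif msg["kind"] == "negative" and msg["nrc"] in (0x35, 0x36):
            out["invalid_keys"] += 1
            out["locked_out"] = out["locked_out"] or msg["nrc"] == 0x36
    return out


# Constructed trace: unsupported level, one wrong key, then the page's Level 1 unlock.
TRACE = ["27 09", "7F 27 12",
         "27 01", "67 01 0A 0B 0C 0D", "27 02 00 00 00 00", "7F 27 35",
         "27 01", "67 01 4A 2B 9C 1D", "27 02 11 22 33 44", "67 02"]

if __name__ == "__main__":
    for f in TRACE:
        print(f, "->", decode(f))
    print(audit(TRACE))
```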

Practical Workflow Patterns

Security Access workflows vary by use case. Use the interactive explorer below to walk through three real-world scenarios: standard L1 unlock, L3 flash programming, and error recovery.

Workflow Sequence

Unlock Level 1 security to write DIDs or clear DTCs
