
Service Interaction Protocol

Write Memory By Address

Protocol Identifier: 0x3D

Writes specific data bytes directly to absolute memory addresses (RAM, EEPROM, Flash), without the upload/download transfer sequence.

Warning: Low-level write. 0x3D writes raw bytes to an absolute address in a single request: powerful and dangerous. The simulator gates it behind session, region, and (per-region) security checks. For firmware-sized payloads use the transfer chain (0x34 → 0x36 → 0x37) instead.

0x3D WriteMemoryByAddress (low-level write)

Request

  3D       SID
  ALFID    addr/size format
  addr…    memoryAddress
  size…    memorySize
  data…    data to write

Positive Response

  7D       Response SID
  ALFID    echoed
  addr…    memoryAddress echoed

Use it for small, direct writes — calibration values, config, patches. For firmware-sized payloads use the transfer chain (0x34 → 0x36 → 0x37) instead.

Service ID: 0x3D
Positive Response: 0x7D
Role: Direct write to a memory address
Required session: EXTENDED or PROGRAMMING
Security: Per-region, only if the region needs it
Response echoes: ALFID + address (not the data, not the size)
No transfer sequence: One request writes the bytes (cf. 0x34/0x36)
ISO ref: ISO 14229-1:2020 §10 (Data transmission)

Overview

ISO 14229-1

“The client uses WriteMemoryByAddress to write information into the server at one or more contiguous memory addresses.”

✅ Good fit

  • Calibration values in RAM
  • Configuration parameters (small)
  • Temporary patches

❌ Use something else

  • Firmware images → 0x34/0x36/0x37
  • Named/structured data → 0x2E (DID)
  • Protected / read-only regions

Write in Context

Step through a clean RAM write (with a 0x23 read-back), and the four ways the ECU refuses: security (0x33), protected (0x22), read-only (0x31), and wrong session (0x7F).


Goal: Write 4 bytes to a RAM scratch region and verify with 0x23.

Session: EXTENDED
Security: not required
Outcome: 4 bytes written & verified

Build a Write

Set the ALFID, address, size, and ECU state. The builder assembles the request and shows the simulator’s exact response — a 0x7D acknowledgement or the precise NRC.


addressAndLengthFormatId = 0x44

Data is auto-filled to 4 byte(s) so the frame length is always valid.

Assembled request (14 bytes)

3D 44 20 00 00 00 00 00 00 04 11 22 33 44
Accepted (positive)

Write applied to RAM (scratch). The response echoes ALFID + the address bytes (not the size or data).

ECU response

7D 44 20 00 00 00

Memory Map

Each region resolves to a different result: writable → 0x7D, protected → 0x22, secured-and-locked → 0x33, not-writable → 0x31. (Regions are ECU-configured; these are illustrative.)

* secured region → 0x33 only while locked; after a 0x27 unlock it writes (0x7D). Gaps between regions return 0x31.

RAM (scratch): writable → 0x7D
Range: 0x20000000 - 0x20008000
Size · Type: 32 KB · RAM
Writable: yes
Protected: no
Security level
0x3D here: 7D …

Message Format

Inspect each byte of the request, the 0x7D response, and a negative response.

The whole write is one request.

3D (SID): WriteMemoryByAddress service identifier.


ALFID: high nibble = memorySize length, low nibble = memoryAddress length (e.g. 0x44 = 4-byte size + 4-byte address). The positive response echoes ALFID + address only — not the size or the data.

Session & Security

Requirement | Value | If not met
Session | EXTENDED (0x03) or PROGRAMMING (0x02) | NRC 0x7F (checked first)
Region | Must be writable and not protected | not writable → 0x31 · protected → 0x22
Security | Per-region, only if the region needs it | NRC 0x33 (region requires a level & locked)
Bounds | address + size within one region | NRC 0x31 (out of range / crosses boundary)

Per-region security: unlike the transfer services, 0x3D only demands a 0x27 unlock when the target region defines a security level. A plain writable RAM region accepts the write with no unlock at all.

Service Dependencies

0x3D writes; 0x23 reads it back.

Services: 0x3D, 0x10, 0x27, 0x23, 0x2E, 0x34, 0x3E

0x23 ReadMemoryByAddress (Verify)
Typical request: 23 …

The read counterpart — read the same address back to confirm the write landed.

Negative Response Codes

Note the split: a protected region returns 0x22, while a non-writable / out-of-range one returns 0x31.

NRCs: 0x7F, 0x13, 0x31, 0x22, 0x33

Order in which the simulator checks errors: session → length/ALFID → range/region → protected → security. (0x72 is an internal-error fallback.)
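The gating described in Session & Security and the check order above, as an added example (not the simulator's own code). It only decides accept or refuse and does not store the data. Assumptions: every region except the RAM (scratch) range is constructed, the names `Region`, `REGIONS`, `build_3d` and `handle_3d` are hypothetical, and a malformed length or ALFID is mapped to NRC 0x13.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT, PROGRAMMING, EXTENDED = 0x01, 0x02, 0x03      # diagnostic session ids

@dataclass
class Region:
    start: int
    end: int                       # exclusive
    writable: bool = True
    protected: bool = False
    level: Optional[int] = None    # 0x27 level required; None = no unlock needed

REGIONS = [                                            # illustrative memory map
    Region(0x20000000, 0x20008000),                    # RAM (scratch), range from the page
    Region(0x08000000, 0x08010000, protected=True),    # constructed
    Region(0x08100000, 0x08101000, level=0x01),        # constructed
    Region(0x1FFF0000, 0x1FFF1000, writable=False),    # constructed
]

def nrc(code: int) -> bytes:
    return bytes([0x7F, 0x3D, code])                   # negative response: 7F + SID + NRC

def build_3d(addr: int, data: bytes) -> bytes:
    """Client side: ALFID 0x44 = 4-byte size (high nibble) + 4-byte address (low)."""
    return bytes([0x3D, 0x44]) + addr.to_bytes(4, "big") + len(data).to_bytes(4, "big") + data

def handle_3d(req: bytes, session: int, unlocked=frozenset()) -> bytes:
    if session not in (EXTENDED, PROGRAMMING):
        return nrc(0x7F)                               # session is checked first
    if len(req) < 2:
        return nrc(0x13)
    size_len, addr_len = req[1] >> 4, req[1] & 0x0F    # ALFID nibbles
    hdr = 2 + addr_len + size_len
    if not size_len or not addr_len or len(req) < hdr:
        return nrc(0x13)                               # assumption: bad ALFID/length -> 0x13
    addr = int.from_bytes(req[2:2 + addr_len], "big")
    size = int.from_bytes(req[2 + addr_len:hdr], "big")
    if size == 0 or len(req) - hdr != size:
        return nrc(0x13)                               # data length must equal memorySize
    # The whole span must sit inside one region; gaps and boundary crossings fail.
    region = next((r for r in REGIONS if r.start <= addr and addr + size <= r.end), None)
    if region is None or not region.writable:
        return nrc(0x31)
    if region.protected:
        return nrc(0x22)
    if region.level is not None and region.level not in unlocked:
        return nrc(0x33)                               # secured region, still locked
    return bytes([0x7D]) + req[1:2 + addr_len]         # echo ALFID + address only
```
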


ISO 14229-1 References

Standard: ISO 14229-1:2020 — WriteMemoryByAddress sits in the Data-transmission functional unit (§10), alongside its read counterpart ReadMemoryByAddress (0x23). Related: §0x27 SecurityAccess, §0x10 DiagnosticSessionControl.

Key points

  • Request: 3D + ALFID + memoryAddress + memorySize + data
  • addressAndLengthFormatIdentifier: high nibble = memorySize length, low nibble = memoryAddress length
  • Positive response 7D echoes ALFID + address (this simulator does not echo size or data)
  • Allowed in EXTENDED or PROGRAMMING; emits NRC 0x7F, 0x13, 0x31, 0x22, 0x33 (and 0x72 on an internal failure)
  • A protected region returns 0x22; a non-writable / out-of-range one returns 0x31