NefMoto

Technical => Flashing and Chipping => Topic started by: jamesconway on December 20, 2018, 06:36:34 PM



Title: Connect through OBD, send/receive CAN messages, where does it all fall apart?
Post by: jamesconway on December 20, 2018, 06:36:34 PM
I saw a $200 J2534 MyGenius tool recently and I got inspired. It claims it can read + write from the latest and greatest Mercedes ECUs (Bosch MED17.7.5)

http://www.dimsport.it/en/my-genius/

Pretty much everything else online I see contradicts that. From $5k master/slave setups, buying an hour of time for access through Mercedes, etc.

Where does it fall apart in terms of simplicity:

1. Connect PINs to CAN high/low in OBD-II port
2. Send/receive CAN messages following UDS

I've read about Seed/Key algorithms and I get how without the dump of the ECU firmware it'd be near impossible to brute force these days. What other modern protection methods are at play? I've heard about 1024-bit keys for BMW. TPROT, etc. When are all of those encountered through the process?

Is it just... start a UDS diagnostic session, request a seed, send back a key, and you can read/write to whatever region of memory you want? No, right? So, is it different for every manufacturer?


Title: Re: Connect through OBD, send/receive CAN messages, where does it all fall apart?
Post by: jamesconway on December 20, 2018, 06:40:31 PM
I'm obviously a noob but I'm a software engineer and I've done a bit of research trying to piece what is out there together.

I get that for some cars, this is a wide open field day. It takes little to no effort to tune an older car, etc.

I get that manufacturers are adding more and more levels of protection these days. I just don't understand where they fit into the flow/stack.

Is it possible to read an ECU over CAN through OBD-II ports for every single car these days? If not, why? What's different? Is it that some cars don't implement/speak UDS? Is it that some cars don't support CAN over OBD-II? Where do pins other than the CAN pins (like KLine) come into play?

Where does ECU password protection sit? What is TPROT and where does that sit in the flow of CAN -> UDS -> data? Is it an extension of CAN?


Title: Re: Connect through OBD, send/receive CAN messages, where does it all fall apart?
Post by: nyet on December 20, 2018, 06:50:19 PM
There is VERY little openly available information about this, every manufacturer does it differently, and every model year they do something different...


Title: Re: Connect through OBD, send/receive CAN messages, where does it all fall apart?
Post by: jamesconway on December 20, 2018, 06:57:10 PM
What is the general gist? Am I on the right track that it's UDS over CAN/K-line through the OBD-II port? Are there layers above UDS that are manufacturer specific? If you try to perform a diagnostic session then read the ECU... what happens? Do they just, close down the access/not allow it?


Title: Re: Connect through OBD, send/receive CAN messages, where does it all fall apart?
Post by: jcsbanks on December 21, 2018, 02:27:27 AM
Compressed version for sw engineer and talking OBD access: UDS on CAN is ubiquitous on late models, but there are some others like KWP on CAN and TP2.0 on some earlier MED17. Reading with UDS commands is often not implemented or has restricted address ranges and session permissions protected by seed/key challenges. When you can write, you often have private/public key based signature checks of a hash of the flashed segments before the ECU will run them.