you will for sure i believe you need like a power cube or some crap. i almost bought that module till i saw that. :-p Flex works for me.

Bench read and write ecu full contents without having to open the ecu. For example EDC16u31 is BDM normally and requires to be open well with service mode no need to open the ecu

Without getting into the software vulnerabilities:

Overall Bosch Service Mode / TSW is similar to the Continental TSW which I have documented, except it uses KWP2000 instead of a custom command-set over ISO-TP. It's kind of odd, it's almost like the two vendors received the same loose specification and then decided to use it in two dramatically different ways.

The break-in process is two PWM/square-wave signals applied to the so-called "S1 and S2" pins. This tells the ECU to boot into a command shell using KWP2000 over serial. On many CAN ECUs the serial runs through the CAN transceiver before it gets to the external pins, so you need to wire a UART into a CAN transceiver (yes, this works!) to use it.

http://nefariousmotorsports.com/forum/index.php?action=printpage;topic=18870.0

So in terms of hardware, yes, you don't just need two voltages on S1 and S2, you need specific frequencies. And you also need test hardware which can do KWP2000 over a CAN transceiver basically. With PCM this is why you need Scanmatik.

I am going to correct you here, as you have the layers mixed up.

KWP2000 is the service layer. It can run over any transport protocol. For example ISO-TP, TP1.6, TP2.0 or K-Line.

What you mean here not KWP2000 over CAN, you probably mean K-Line over CAN
As KWP2000 over ISO-TP or TP1.6/TP2.0 is a completely normal thing.

Usually 14230-3 is referred to as KWP2000, the service layer.
Because KWP2000 service layer can also run over other transports.

Hence yes, in this case it is better to say ISO 9141 over CAN, as it is super confusing otherwise.