Home Learning Paths ECU Lab Assessments Interview Preparation Arena Pricing Log In Sign Up
Back to Flash Bootloader Development
Learning Paths Flash Bootloader Development Module 2
MODULE 2 - UDS Reprogramming Services

RequestDownload & TransferData

67 min read
7 sections
Chapter 3 of 6

RequestDownload (SID 0x34)

Crequest_download.c
/* UDS 0x34: RequestDownload — negotiates download parameters */
/* Request: 0x34 + dataFormatIdentifier + addressAndLengthFormatIdentifier + memoryAddress + memorySize */
/* Response: 0x74 + lengthFormatIdentifier + maxBlockLength */

#include 
#include "Flash_If.h"

typedef struct {
    uint32_t address;     /* target flash address */
    uint32_t length;      /* total bytes to download */
    uint8_t  compression; /* dataFormatIdentifier high nibble */
    uint8_t  encryption;  /* dataFormatIdentifier low nibble */
    boolean  active;      /* download session is open */
    uint32_t bytes_received; /* running count */
    uint8_t  next_block;  /* expected next block sequence counter */
} DownloadSession_t;

static DownloadSession_t g_download;

Std_ReturnType RD_RequestDownload(const uint8_t *req, uint16_t req_len,
                                   uint8_t *resp, uint16_t *resp_len)
{
    /* Parse dataFormatIdentifier (byte 1): compression + encryption */
    uint8_t dfi = req[1];
    uint8_t compression = (dfi >> 4u) & 0x0Fu;  /* 0=none; 1=zlib */
    uint8_t encryption  =  dfi & 0x0Fu;           /* 0=none; 1=AES-128 */

    /* Parse addressAndLengthFormatIdentifier (byte 2) */
    uint8_t alfi = req[2];
    uint8_t addr_len = (alfi >> 4u) & 0x0Fu;   /* number of address bytes (e.g., 4) */
    uint8_t size_len =  alfi & 0x0Fu;            /* number of size bytes (e.g., 4) */

    if (addr_len != 4u || size_len != 4u) {
        resp[0]=0x7Fu; resp[1]=0x34u; resp[2]=0x31u;  /* NRC 0x31: requestOutOfRange */
        *resp_len = 3u; return E_NOT_OK;
    }

    /* Extract memory address (4 bytes big-endian) */
    uint32_t address = ((uint32_t)req[3]<<24)|((uint32_t)req[4]<<16)
                      |((uint32_t)req[5]<<8)| (uint32_t)req[6];
    uint32_t length  = ((uint32_t)req[7]<<24)|((uint32_t)req[8]<<16)
                      |((uint32_t)req[9]<<8)| (uint32_t)req[10];

    /* Validate address range is in programmable region */
    if (!Flash_IsAddressValid(address, length)) {
        resp[0]=0x7Fu; resp[1]=0x34u; resp[2]=0x31u;
        *resp_len = 3u; return E_NOT_OK;
    }

    /* Open download session */
    g_download.address       = address;
    g_download.length        = length;
    g_download.compression   = compression;
    g_download.encryption    = encryption;
    g_download.active        = TRUE;
    g_download.bytes_received= 0u;
    g_download.next_block    = 0x01u;

    /* Response: 0x74 + maxBlockLength (4 bytes: 0x04 + 3-byte value) */
    uint32_t max_block = 0x400u;  /* 1 kB per block; adjust for RAM buffer size */
    resp[0] = 0x74u;
    resp[1] = 0x40u;  /* lengthFormatIdentifier: 4-byte maxBlockLength */
    resp[2] = (uint8_t)((max_block >> 16u) & 0xFFu);
    resp[3] = (uint8_t)((max_block >>  8u) & 0xFFu);
    resp[4] = (uint8_t)( max_block         & 0xFFu);
    *resp_len = 5u;
    return E_OK;
}

TransferData (SID 0x36)

Ctransfer_data.c
/* UDS 0x36: TransferData — sends one block of firmware data */
/* Request: 0x36 + blockSequenceCounter(1) + data[maxBlockLen-2] */
/* Response: 0x76 + blockSequenceCounter(1) */

#include "Flash_If.h"

Std_ReturnType TD_TransferData(const uint8_t *req, uint16_t req_len,
                                uint8_t *resp, uint16_t *resp_len)
{
    if (!g_download.active) {
        resp[0]=0x7Fu; resp[1]=0x36u; resp[2]=0x24u;  /* 0x24: requestSequenceError */
        *resp_len = 3u; return E_NOT_OK;
    }

    uint8_t block_seq = req[1];   /* block sequence counter: 0x01–0xFF, then wraps to 0x00 */

    /* Verify sequence counter */
    if (block_seq != g_download.next_block) {
        resp[0]=0x7Fu; resp[1]=0x36u; resp[2]=0x73u;  /* 0x73: wrongBlockSequenceCounter */
        *resp_len = 3u; return E_NOT_OK;
    }

    const uint8_t *data     = &req[2];
    uint16_t       data_len = req_len - 2u;

    /* Bounds check: ensure we don't write past declared length */
    if (g_download.bytes_received + data_len > g_download.length) {
        resp[0]=0x7Fu; resp[1]=0x36u; resp[2]=0x31u;
        *resp_len = 3u; return E_NOT_OK;
    }

    /* Write data to flash */
    uint32_t write_addr = g_download.address + g_download.bytes_received;
    Std_ReturnType ret  = Flash_WriteData(write_addr, data, data_len);
    if (ret != E_OK) {
        resp[0]=0x7Fu; resp[1]=0x36u; resp[2]=0x72u;  /* 0x72: uploadDownloadNotAccepted */
        *resp_len = 3u; return E_NOT_OK;
    }

    g_download.bytes_received += data_len;
    g_download.next_block = (block_seq == 0xFFu) ? 0x00u : (block_seq + 1u);  /* wrap */

    resp[0] = 0x76u;
    resp[1] = block_seq;
    *resp_len = 2u;
    return E_OK;
}

Block Size Optimisation

FactorImpact on maxBlockLengthTypical Value
RAM buffer sizemaxBlockLength ≤ RAM buffer — keep 20% margin1024–4096 bytes
CAN TP (ISO 15765-2)Max 4095 bytes per PDU; overhead: SID + seq = 2 bytes → data = 4093 bytes max1024–4093 bytes
DoIP (TCP)Effectively unlimited; limited by ECU RAM buffer4096–65535 bytes
Flash page sizeBlock should be multiple of flash write page for efficiency512, 1024, 4096 bytes
Transfer speedLarger block = fewer RTTs = higher effective throughput4096 bytes recommended for DoIP

Summary

The block sequence counter (0x01–0xFF, wrapping to 0x00) is the detection mechanism for out-of-order or duplicated TransferData requests — the ECU rejects any block with the wrong sequence counter with NRC 0x73 (wrongBlockSequenceCounter). The maxBlockLength returned by RequestDownload must account for the 2-byte overhead (SID + sequence counter) that is not part of the data payload, so the effective data per block is maxBlockLength - 2. For DoIP-based programming at 100 Mbit/s, a 4096-byte block size gives ~98 Mbit/s effective throughput; for CAN at 500 kbit/s, a 1024-byte block with optimised timing gives ~400 kbit/s effective throughput.

🔬 Deep Dive — Core Concepts Expanded

This section builds on the foundational concepts covered above with additional technical depth, edge cases, and configuration nuances that separate competent engineers from experts. When working on production ECU projects, the details covered here are the ones most commonly responsible for integration delays and late-phase defects.

Key principles to reinforce:

  • Configuration over coding: In AUTOSAR and automotive middleware environments, correctness is largely determined by ARXML configuration, not application code. A correctly implemented algorithm can produce wrong results due to a single misconfigured parameter.
  • Traceability as a first-class concern: Every configuration decision should be traceable to a requirement, safety goal, or architecture decision. Undocumented configuration choices are a common source of regression defects when ECUs are updated.
  • Cross-module dependencies: In tightly integrated automotive software stacks, changing one module's configuration often requires corresponding updates in dependent modules. Always perform a dependency impact analysis before submitting configuration changes.

🏭 How This Topic Appears in Production Projects

  • Project integration phase: The concepts covered in this lesson are most commonly encountered during ECU integration testing — when multiple software components from different teams are combined for the first time. Issues that were invisible in unit tests frequently surface at this stage.
  • Supplier/OEM interface: This is a topic that frequently appears in technical discussions between Tier-1 ECU suppliers and OEM system integrators. Engineers who can speak fluently about these details earn credibility and are often brought into critical design review meetings.
  • Automotive tool ecosystem: Vector CANoe/CANalyzer, dSPACE tools, and ETAS INCA are the standard tools used to validate and measure the correct behaviour of the systems described in this lesson. Familiarity with these tools alongside the conceptual knowledge dramatically accelerates debugging in real projects.

⚠️ Common Mistakes and How to Avoid Them

  1. Assuming default configuration is correct: Automotive software tools ship with default configurations that are designed to compile and link, not to meet project-specific requirements. Every configuration parameter needs to be consciously set. 'It compiled' is not the same as 'it is correctly configured'.
  2. Skipping documentation of configuration rationale: In a 3-year ECU project with team turnover, undocumented configuration choices become tribal knowledge that disappears when engineers leave. Document why a parameter is set to a specific value, not just what it is set to.
  3. Testing only the happy path: Automotive ECUs must behave correctly under fault conditions, voltage variations, and communication errors. Always test the error handling paths as rigorously as the nominal operation. Many production escapes originate in untested error branches.
  4. Version mismatches between teams: In a multi-team project, the BSW team, SWC team, and system integration team may use different versions of the same ARXML file. Version management of all ARXML files in a shared repository is mandatory, not optional.

📊 Industry Note

Engineers who master both the theoretical concepts and the practical toolchain skills covered in this course are among the most sought-after professionals in the automotive software industry. The combination of AUTOSAR standards knowledge, safety engineering understanding, and hands-on configuration experience commands premium salaries at OEMs and Tier-1 suppliers globally.

← PreviousSecurityAccess: Seed-Key ExchangeNext →RoutineControl: Erase, Verify & Checksum