Am I correct with the assumption that different diagnostic sessions and SecurityAccess/Authentication are decoupled concepts in UDS? I.e. you can secure any service behind a seed/key or PKI challenge, even the ones in the default session, making them inaccessible for somebody not authorized?
I'm referring to ISO14229-1:2020
Why I came across this: The standard defines NRC 0x33 (securityAccessDenied) as a supported NRC for the ECUReset service (0x11). However, ECUReset is available in the default session. If my above assumption were not correct, this wouldn't make sense.
BUT ReadDtcInformation (0x19) is also available in the default session, but for this service the standard does not define NRC 0x33. However, according to Annex A.1 the manufacturer may implement NRC 0x33 as an additional NRC.
If my assumption was correct, would that mean that any service that was originally available in the default session would only be available in a non-default session if it were secured? Or can I get the security access, switch back to the standard session and access the service I want?
In my opinion the standard is not very clear on that, or at least misleading (also at other parts of the standard)
Thanks for your help!
Read the standard, however it is not clear; asked Google, did not find an answer.
As far as I would interpret the standard, you're right. Since you can change sessions without authorization, an ECU might as well send you an NRC in the default session if you're attempting an operation you don't have authorization for.
Note that it's uncommon, but as far as I understand it, not forbidden.
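To make the session/security decoupling discussed above concrete, here is a small simulated UDS server written for this thread (it is example code, not text from ISO 14229-1 and not any real ECU). It assumes a hypothetical per-service policy table in which ECUReset (0x11) is offered in the default session but sits behind SecurityAccess, ReadDTCInformation (0x19) is offered without an unlock, and SecurityAccess (0x27) itself is only offered in extendedSession; it further assumes that a transition back to defaultSession relocks security, uses a toy XOR seed-to-key function in place of a real algorithm, and returns one constructed DTC record. Under those assumptions it shows NRC 0x33 being returned in the default session, the unlock sequence via 0x10 0x03 and 0x27, and what happens to the unlock when you go back to 0x10 0x01.

```python
"""Toy model of a UDS (ISO 14229-1) server in which the active diagnostic session
and the SecurityAccess lock are independent gates. Example added to this thread;
not the standard's text and not the behaviour of any particular ECU."""
import os
from typing import Callable, List

DEFAULT_SESSION, EXTENDED_SESSION = 0x01, 0x03

# Negative response codes (ISO 14229-1 Table A.1)
NRC_SERVICE_NOT_SUPPORTED = 0x11
NRC_SUBFUNCTION_NOT_SUPPORTED = 0x12
NRC_INVALID_LENGTH = 0x13
NRC_REQUEST_SEQUENCE_ERROR = 0x24
NRC_SECURITY_ACCESS_DENIED = 0x33
NRC_INVALID_KEY = 0x35
NRC_SERVICE_NOT_SUPPORTED_IN_SESSION = 0x7F

SID_SESSION_CONTROL, SID_ECU_RESET, SID_READ_DTC, SID_SECURITY_ACCESS = 0x10, 0x11, 0x19, 0x27

# Hypothetical ECU policy (an assumption of this example, not a rule of the standard):
# sessions in which a service is offered, and whether it needs a SecurityAccess unlock.
# The two columns are independent: ECUReset is reachable in defaultSession yet locked.
POLICY = {
    SID_SESSION_CONTROL: ({DEFAULT_SESSION, EXTENDED_SESSION}, False),
    SID_ECU_RESET:       ({DEFAULT_SESSION, EXTENDED_SESSION}, True),
    SID_READ_DTC:        ({DEFAULT_SESSION, EXTENDED_SESSION}, False),
    SID_SECURITY_ACCESS: ({EXTENDED_SESSION}, False),  # 0x27 not offered in defaultSession
}

def toy_key(seed: bytes) -> bytes:
    """Placeholder seed->key transform; real ECUs use a secret algorithm or PKI."""
    return bytes(b ^ 0x5A for b in seed)

class Ecu:
    def __init__(self, seed_source: Callable[[int], bytes] = os.urandom):
        self.seed_source = seed_source
        self.reset()

    def reset(self) -> None:
        """Power-on state: defaultSession, security locked, no seed outstanding."""
        self.session, self.unlocked, self.pending_seed = DEFAULT_SESSION, False, None

    @staticmethod
    def _nrc(sid: int, code: int) -> bytes:
        return bytes([0x7F, sid, code])

    def handle(self, req: bytes) -> bytes:
        """Generic server checks, in roughly the order the standard lists them."""
        if not req:
            return self._nrc(0x00, NRC_INVALID_LENGTH)
        sid = req[0]
        if sid not in POLICY:
            return self._nrc(sid, NRC_SERVICE_NOT_SUPPORTED)
        sessions, needs_unlock = POLICY[sid]
        if self.session not in sessions:
            return self._nrc(sid, NRC_SERVICE_NOT_SUPPORTED_IN_SESSION)
        if len(req) < 2:
            return self._nrc(sid, NRC_INVALID_LENGTH)
        if needs_unlock and not self.unlocked:
            return self._nrc(sid, NRC_SECURITY_ACCESS_DENIED)  # NRC 0x33, even in defaultSession
        return getattr(self, f"_svc_{sid:02x}")(req)

    def _svc_10(self, req: bytes) -> bytes:  # DiagnosticSessionControl
        sub = req[1] & 0x7F
        if sub not in (DEFAULT_SESSION, EXTENDED_SESSION):
            return self._nrc(SID_SESSION_CONTROL, NRC_SUBFUNCTION_NOT_SUPPORTED)
        if sub == DEFAULT_SESSION:
            self.unlocked = False  # assumption: returning to defaultSession relocks security
        self.session, self.pending_seed = sub, None
        return bytes([0x50, sub, 0x00, 0x32, 0x01, 0xF4])  # P2 / P2* server timing bytes

    def _svc_27(self, req: bytes) -> bytes:  # SecurityAccess level 1: 0x01 seed, 0x02 key
        sub = req[1]
        if sub == 0x01:
            if self.unlocked:
                return bytes([0x67, 0x01, 0x00, 0x00])  # already unlocked: zero seed
            self.pending_seed = self.seed_source(2)
            return bytes([0x67, 0x01]) + self.pending_seed
        if sub == 0x02:
            if self.pending_seed is None:
                return self._nrc(SID_SECURITY_ACCESS, NRC_REQUEST_SEQUENCE_ERROR)
            ok = req[2:] == toy_key(self.pending_seed)
            self.pending_seed, self.unlocked = None, ok
            return bytes([0x67, 0x02]) if ok else self._nrc(SID_SECURITY_ACCESS, NRC_INVALID_KEY)
        return self._nrc(SID_SECURITY_ACCESS, NRC_SUBFUNCTION_NOT_SUPPORTED)

    def _svc_11(self, req: bytes) -> bytes:  # ECUReset, 0x01 hardReset
        if req[1] != 0x01:
            return self._nrc(SID_ECU_RESET, NRC_SUBFUNCTION_NOT_SUPPORTED)
        self.reset()  # the ECU comes back up in defaultSession, locked
        return bytes([0x51, 0x01])

    def _svc_19(self, req: bytes) -> bytes:  # ReadDTCInformation, 0x02 reportDTCByStatusMask
        if req[1] != 0x02 or len(req) != 3:
            return self._nrc(SID_READ_DTC, NRC_SUBFUNCTION_NOT_SUPPORTED)
        # constructed sample: availability mask 0xFF, one DTC 0x123456 with status 0x2F
        return bytes([0x59, 0x02, 0xFF, 0x12, 0x34, 0x56, 0x2F])

def unlock(ecu: Ecu) -> bool:
    """Client side of the seed/key handshake; only succeeds in a non-default session."""
    rsp = ecu.handle(bytes([SID_SECURITY_ACCESS, 0x01]))
    if rsp[0] != 0x67:
        return False
    return ecu.handle(bytes([SID_SECURITY_ACCESS, 0x02]) + toy_key(rsp[2:]))[0] == 0x67

def walkthrough(ecu: Ecu) -> List[str]:
    """The sequence from the thread, as hex responses: locked service in defaultSession,
    unlock via extendedSession, return to defaultSession, then unlock again and reset."""
    tx = lambda *b: ecu.handle(bytes(b)).hex()
    return [
        tx(SID_ECU_RESET, 0x01),              # 7f1133: securityAccessDenied in defaultSession
        tx(SID_READ_DTC, 0x02, 0xFF),         # 5902ff...: DTCs readable without an unlock
        tx(SID_SECURITY_ACCESS, 0x01),        # 7f277f: 0x27 not supported in active session
        tx(SID_SESSION_CONTROL, EXTENDED_SESSION),
        str(unlock(ecu)),                     # True
        tx(SID_SESSION_CONTROL, DEFAULT_SESSION),
        tx(SID_ECU_RESET, 0x01),              # 7f1133 again: the return to default relocked
        tx(SID_SESSION_CONTROL, EXTENDED_SESSION),
        str(unlock(ecu)),
        tx(SID_ECU_RESET, 0x01),              # 5101: reset accepted; ECU reboots locked
    ]

if __name__ == "__main__":
    for line in walkthrough(Ecu()):
        print(line)
```

Whether the second 0x11 in the walkthrough is denied depends entirely on the relock assumption in `_svc_10`; an ECU that kept the unlock across a transition to defaultSession would answer `5101` there. That policy choice, like the NRC ordering in `handle`, is something to verify against the ECU's own documentation rather than infer from the standard's NRC tables.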