JP2016094032A - On-vehicle control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an on-vehicle control device not performing unintended data provision to a diagnostic system.SOLUTION: In an ECU20, a session controlling unit 205 performs session initialization processing for initializing a session state on the basis of the session state and a communication history held by a communication history holding part 207.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an in-vehicle control device that is mounted on a vehicle and performs data communication with a plurality of diagnostic devices.

  As an in-vehicle control device that is mounted on a vehicle and performs data communication with a plurality of diagnostic devices, the one described in Patent Document 1 below is given as an example. The in-vehicle control device (ECU 1 to m in the same document) described in Patent Document 1 below receives a request message transmitted from a diagnostic device (tools 1 to n in the same document) connected to a network outside the vehicle. , Via the gateway device (DoIP 101 in the same document). When a request message is transmitted from a plurality of diagnostic devices to one in-vehicle control device, the gateway device controls transmission of the request message to the in-vehicle control device so that operation interference does not occur.

JP 2013-123998 A

  In the above-described conventional technology, the gateway device is provided. However, in order to simplify the entire system, there may be a situation where the gateway device must be omitted. Therefore, the present inventors have studied the case where access is made from a plurality of diagnostic devices to the in-vehicle control device without providing a gateway device.

  An in-vehicle control device that performs data communication such as diagnostic communication with a diagnostic device performs session management in order to provide certain restrictions on the exchange of diagnostic data, for example. This session management is for determining whether or not data communication is permitted between the diagnostic device and the in-vehicle control device. The session management includes not only the literal session state but also the security state. Is.

  In the initial state, the session state is a default session, and the security state is a locked state. When this transitions to another state, data communication between the diagnostic device and the in-vehicle control device becomes possible. For example, when a session request message is transmitted from the first diagnostic device, the in-vehicle control device changes the session state from the default session to a non-default session (referred to as session # 1), and indicates that the session state has been changed. Send a response message.

  Thereafter, when a security request message is further transmitted from the first diagnostic device, the in-vehicle control device changes the security state from the security lock to the security unlocked state (level # 1 is released), and the security state is changed. Send response message.

  When the session state becomes session # 1 and the security state becomes level # 1 release, when a diagnostic data acquisition request message is transmitted from the diagnostic device, the in-vehicle control device transmits diagnostic data as a response message. The in-vehicle diagnostic device maintains the session state and the security state by enabling the session timer within a predetermined time after transmitting the response message regardless of the content. When a predetermined time elapses, the session timer is invalidated, the session state is set as the default session, and the security state is returned to the security lock state.

  At this timing, when a second diagnostic device different from the first diagnostic device does not transmit a session request message, but transmits a diagnostic data acquisition request message that requires cancellation of session # 1 and security level # 1. Because the session state and security state conditions are not satisfied, the request can be rejected. On the other hand, if a diagnostic data acquisition request message is transmitted from the second diagnostic device within a predetermined time after the response message is transmitted to the first diagnostic device, the session state becomes session # 1, and the security state is level. Since # 1 remains released, diagnostic data is provided to the second diagnostic apparatus.

  This invention is made | formed in view of such a subject, The objective is to provide the vehicle-mounted control apparatus which does not perform unintended data provision with respect to a diagnostic apparatus.

  In order to solve the above-described problem, an in-vehicle control device according to the present invention is an in-vehicle control device that is mounted on a vehicle and performs data communication with a plurality of diagnostic devices. A session holding unit (210, 210a, 210n, 211, 211a, 211n) that holds a session state that specifies whether communication is permitted, and a communication history that is a history of data communication with the plurality of diagnostic devices A communication history holding unit (207) for holding data, and a session control unit (205) for controlling whether or not data communication is possible for each of the plurality of diagnostic apparatuses. The session control unit initializes the session state held by the session holding unit based on the communication history held by the communication history holding unit and the session state held by the session holding unit. Execute session initialization processing.

  In the present invention, since the session state is initialized based on the communication history and the session state, the diagnosis device reflects the history of data communication with the plurality of diagnosis devices and the approval / disapproval of data communication with the plurality of diagnosis devices. In a scene where data communication should not be allowed unconditionally, the session state can be accurately initialized.

  ADVANTAGE OF THE INVENTION According to this invention, the vehicle-mounted control apparatus which does not perform unintended data provision with respect to a diagnostic apparatus can be provided.

It is a block diagram which shows the structure of the vehicle-mounted control system containing ECU which is 1st Embodiment of this invention. It is a block diagram which shows the functional structure of ECU which is 1st Embodiment of this invention. 3 is a flowchart for explaining the operation of the ECU shown in FIG. 3 is a flowchart for illustrating session timer processing of an ECU shown in FIG. 2. 3 is a flowchart for explaining session initialization processing of the ECU shown in FIG. 2. It is a flowchart for demonstrating the diagnosis message priority determination process shown in FIG. FIG. 3 is a sequence diagram for explaining the operation of the ECU shown in FIG. 2. FIG. 3 is a sequence diagram for explaining the operation of the ECU shown in FIG. 2. It is a block diagram which shows the structure of the vehicle-mounted control system containing ECU which is 2nd Embodiment of this invention. FIG. 10 is a sequence diagram for explaining the operation of the ECU shown in FIG. 9.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In order to facilitate the understanding of the description, the same constituent elements in the drawings will be denoted by the same reference numerals as much as possible, and redundant description will be omitted.

  A configuration of an in-vehicle control system in which an ECU (in-vehicle control device) according to the first embodiment of the present invention is used will be described with reference to FIG. The in-vehicle control system 10 includes an ECU 20, an ECU 21, a relay device 22, a diagnostic device 23, a bus 24, and a connector 25. The ECU 20, the ECU 21, the relay device 22, and the diagnostic device 23 are each connected to a bus 24, and are configured to be capable of data communication with each other via the bus 24.

  The ECU 20 and the ECU 21 are both vehicle-mounted control devices, and each independently performs another control operation. The diagnostic device 23 is a diagnostic device provided in the in-vehicle control system 10, and performs fault diagnosis in the vehicle by performing so-called diagnostic communication with the ECU 20 and the ECU 21.

  The relay device 22 is a gateway device, and is a device for performing data communication with the diagnostic device 30 provided on the external network. The relay device 22 performs protocol conversion between the in-vehicle control system 10 and the diagnostic device 30 to transmit and receive data. The connector 25 is a connector for connecting the diagnostic device 40 to the bus 24.

  By setting it as the structure mentioned above, the vehicle-mounted control system 10 is comprised so that data communication is possible between several diagnostic apparatus 23,30,40 and ECU20,21.

  Next, the ECU 20 and the ECU 21 that are vehicle-mounted control devices will be described with reference to FIG. As shown in FIG. 2, the ECU 20 includes a communication protocol processing unit 201, a communication processing unit 202, a reception processing unit 203, a priority determination unit 204, a session control unit 205, a session timer measurement unit 206, a communication A history holding unit 207, a communication state holding unit 208, a diagnostic service unit 209, a security state holding unit 210 (session holding unit), a session state holding unit 211 (session holding unit), and a response processing unit 212. I have.

  The communication protocol processing unit 201 is a part that exchanges data with the bus 24. The communication protocol processing unit 201 performs protocol processing based on information such as routing information and protocol information, outputs data received from the bus 24 to the communication processing unit 202, and outputs data output from the communication processing unit 202 to the bus 24. Send it out.

  The communication processing unit 202 includes diagnostic messages (session request message, session response message, security access (SEED request) message, security access (SEED response) message, security access (KEY request) message, security access (security release) relating to diagnostic processing. Message, diagnostic data request message, diagnostic data response message). The communication processing unit 202 composes a diagnostic message from the protocol data received from the communication protocol processing unit 201 and outputs the diagnostic message to the reception processing unit 203. The communication processing unit 202 decomposes the diagnostic message received from the response processing unit 212 into protocol data, and To 201.

  The reception processing unit 203 is a diagnostic message relating to diagnostic processing, and is a part that processes the received diagnostic messages (session request message, security access (SEED request) message, security access (KEY request) message, diagnostic data request message). is there. The reception processing unit 203 outputs the received diagnostic message to the priority determination unit 204 and the session control unit 205. The reception processing unit 203 exchanges information with the communication history holding unit 207 and the communication state holding unit 208.

  The priority determination unit 204 is a part that determines and processes the priority of the received diagnostic message. Details of the processing of the priority determination unit 204 will be described later. The priority determination unit 204 outputs the priority determination result of the received diagnostic message to the session control unit 205.

  The session control unit 205 is a part that controls the availability of communication of diagnostic messages (data communication availability) to the diagnostic device 23, the diagnostic device 30, and the diagnostic device 40. When the session control unit 205 receives the diagnosis message from the reception processing unit 203, the session control unit 205 outputs information for stopping the session timer to the session timer measurement unit 206. The session control unit 205 exchanges information with the communication history holding unit 207, the security state holding unit 210, and the session state holding unit 211, and performs processing such as updating or initializing the session state as necessary.

  The session control unit 205 outputs the received diagnostic message (session request message, security access (SEED request) message, security access (KEY request) message, diagnostic data request message)) and session state to the diagnostic service unit 209. Details of the processing of the session control unit 205 will be described later.

  The diagnostic service unit 209 reads out diagnostic data 209a as necessary based on the diagnosis message and session state output from the session control unit 205, and outputs them to the response processing unit 212.

  The response processing unit 212 is a diagnostic message relating to diagnostic processing, and is a part that processes diagnostic messages to be transmitted (session response message, security access (SEED response) message, security access (security release) message, diagnostic data response message). is there. The response processing unit 212 outputs a diagnosis message to be transmitted to the communication processing unit 202, and starts a session timer as necessary.

  Next, information processing of each part of the ECU 20 will be described with reference to FIG. When the program is started, in step S001, whether or not the session control unit 205 has received a diagnosis message (session request message, security access (SEED request) message, security access (KEY request) message, diagnostic data request message). Judging. If a diagnosis message has not been received, the process proceeds to step S002. If a diagnosis message has been received, the process proceeds to step S003. In step S002, after the elapse of a predetermined time, the process returns to step S001.

  In step S003, an instruction signal is output from session control unit 205 to session timer measurement unit 206 so as to stop the session timer. In this embodiment, the session timer is set to 5 seconds. If the session timer stop process is not performed within 5 seconds after the session timer is started by satisfying a predetermined condition, the session initialization process is executed. Is configured to do.

  Here, the session timer process will be described with reference to FIG. In step S301, the session control unit 205 determines whether or not the measurement by the session timer measurement unit 206 exceeds a predetermined time (5 seconds) and the session timer has timed out. If the session timer has not timed out, the session timer process ends.

  If the session timer has timed out, the session control unit 205 clears the communication history held by the communication history holding unit 207 (step S302). In step S303 following step S302, session initialization processing is executed.

  Next, the session initialization process will be described with reference to FIG. As shown in FIG. 4, in step S201, the session state held in the session state holding unit 211 is initialized (for example, a default session). In step S202 following step S201, the security state held in the security state holding unit 210 is initialized (for example, security lock). The session control unit 205 outputs an instruction signal to the session state storage unit 211 and the security state storage unit 210.

  Returning to FIG. 3, the description will be continued. In step S004 following step S003, the session control unit 205 determines whether diagnosis communication is in progress. In order to describe the determination of whether or not the diagnosis communication is in progress, reference is made to FIGS. 7 and 8. FIG.

  7 and 8 show a first diagnostic device (NodeID # 01 corresponding to the diagnostic device 23 in the in-vehicle control system 10 shown in FIG. 1) and a second diagnostic device (in the in-vehicle control system 10 shown in FIG. It is the sequence figure which showed one pattern of the data communication with Node20 corresponding to the diagnostic apparatus 30 and ECU20. Corresponding to these data communications, the session status, security status, and communication history with the diagnostic device are shown.

  7 and 8 are sequence diagrams showing data communication between the first diagnostic device and the second diagnostic device and the ECU 20 as described above, but show examples in which the timing of diagnostic communication is different. FIG. 7 shows a case where a diagnostic data request message is transmitted from the second diagnostic apparatus before the session timer times out after the diagnosis communication of the first diagnostic apparatus is completed. FIG. 8 shows a case where a session request message is transmitted from the second diagnostic apparatus before the diagnosis communication of the first diagnostic apparatus is completed and while the ECU 20 is performing the process of providing diagnostic data. .

  In step S001 described above, whether or not a diagnostic message (session request message, security access (SEED request) message, security access (KEY request) message, diagnostic data request message) as shown in FIGS. 7 and 8 has been received. Judging. Therefore, in the example shown in FIGS. 7 and 8, the determination in step S001 is “Yes”.

  In step S004, it is determined whether or not the ECU 20 is in a state between the time when the diagnostic message is received and the time when the diagnostic response message is transmitted. For example, in the state shown in FIG. 7, the diagnosis data request message is transmitted from the second diagnostic device to the ECU 20 after the diagnostic data response message is transmitted from the ECU 20 to the first diagnostic device. It becomes.

  On the other hand, in the state shown in FIG. 8, for example, the session request message is transmitted from the second diagnostic apparatus to the ECU 20 before the diagnostic data response message is transmitted from the ECU 20 to the first diagnostic apparatus. It becomes. If it is determined that the diagnosis communication is being performed, the process proceeds to step S005. If it is determined that the diagnosis communication is not being performed, the process proceeds to step S006.

  In step S005, the priority determination unit 204 determines whether the priority of the received diagnostic message is high. The diagnosis message priority determination will be described with reference to FIG.

  In step S401, the priority determination unit 204 compares the priorities of both based on the NodeID of the diagnostic device in communication and the NodeID of the diagnostic device that has transmitted the received diagnostic message. If the priority of the NodeID of the diagnostic apparatus that has transmitted the received diagnostic message is set high, the priority determination unit 204 proceeds to the processing of Step S403, and the priority of the NodeID of the diagnostic apparatus that has transmitted the received diagnostic message is low. If set, the process proceeds to step S405, and if both the priorities are the same, the process proceeds to step S402.

  In step S402, the priority determination unit 204 compares the SID (Service Identifier: ID indicating the diagnostic service) of the diagnostic message received from the diagnostic apparatus in communication with the SID of the received diagnostic message, and each message is regulated. Determine whether you have a SID or a non-legal SID. If it has a regulation SID, it is determined that the diagnostic message has a high priority based on the regulation.

  If the priority determination unit 204 receives a diagnostic message having a legal SID while receiving a diagnostic message having a non-regular SID, the priority determination unit 204 proceeds to the process of step S403. If a diagnostic message having a non-regulatory SID is received during reception of a diagnostic message having a legal SID, the priority determination unit 204 proceeds to the process of step S405. When receiving a diagnostic message having a legal SID while receiving a diagnostic message having a legal SID, and when receiving a diagnostic message having a non-regular SID while receiving a diagnostic message having a non-regular SID In step 204, the process proceeds to step S404.

  In step S404, since the priority difference between the two in step S401 and step S402 was not given, the priority determination unit 204 performs a process of assigning a priority according to the determination criterion when a diagnosis message having the same priority is received. Do. For example, if the configuration is such that the diagnostic device received first is prioritized, the priority determination unit 204 determines that the priority of the diagnostic message received first is high, and proceeds to the process of step S405. . On the other hand, if the configuration is such that the diagnostic device received later is prioritized, the priority determination unit 204 determines that the priority of the diagnostic message received later is high, and proceeds to the processing of step S403.

  In step S403, the priority determination unit 204 determines that the priority of the received diagnosis message is high, outputs the determination result to the session control unit 205, ends the diagnosis message priority determination processing, and performs the step of FIG. The process proceeds to S009. In step S405, the priority determination unit 204 determines that the priority of the received diagnostic message is low, outputs the determination result to the session control unit 205, ends the diagnostic message priority determination processing, and performs the step of FIG. The process proceeds to S009.

  In step S009, based on the result of the diagnostic message priority determination process, the session control unit 205 determines whether the priority of the diagnostic message received is high. If the priority of the received diagnostic message is high, the process proceeds to step S011, and if the priority of the received diagnostic message is low, the process proceeds to step S010. In the example of the sequence diagram illustrated in FIG. 8, the priority of the second diagnostic apparatus that has transmitted the diagnosis message later is high, and therefore the determination result in step S <b> 009 is “Yes”.

  In step S010, since the priority of the received diagnostic message is low, the session control unit 205 discards the diagnostic message without performing the processing in this processing flow.

  In step S011, the session control unit 205 performs execution diagnostic device switching processing. This is a process of ending the diagnostic service process being executed, and the session control unit 205 outputs an instruction signal to the diagnostic service unit 209 so as to end the diagnostic service process. In step S012 following step S011, the session state holding unit 211 and the security state holding unit 210 perform session initialization processing (see the above description with reference to FIG. 5).

  In the example of the sequence diagram shown in FIG. 8, the determination result in step S009 is “Yes”, and the processes in steps S011 and S012 are executed. As a result, processing based on diagnostic messages (session request message, security access (SEED request) message, security access (KEY request) message, diagnostic data request message) transmitted from the second diagnostic device is executed.

  Returning to FIG. 3, the description will be continued. If it is determined in step S004 that the session control unit 205 does not perform diagnostic communication, the process proceeds to step S006, and it is determined whether there is a communication history. More specifically, the session control unit 205 determines whether or not the communication history holding unit 207 has a diagnostic device holding the communication history.

  If the communication history holding unit 207 does not hold the communication history of any diagnostic device, the session control unit 205 does not perform diagnostic communication (the determination result of step S004), but does not have any other diagnostic device in communication. Judge. If the communication history holding unit 207 does not hold the communication history of any diagnostic device, the process proceeds to step S013. If the communication history holding unit 207 holds the communication history of any diagnostic device, the process proceeds to step S007. Proceed to processing. In the example of the sequence diagram shown in FIG. 7, the determination result in step S006 is “Yes”.

  In step S007, the session control unit 205 compares the NodeID of the received diagnostic message (NodeID of the diagnostic device that is the transmission source) with the NodeID of the diagnostic message that is in the communication history (NodeID of the diagnostic device that is the transmission source). , It is determined whether or not they are the same NodeID. If the NodeIDs are the same, the session control unit 205 determines that a diagnosis message has been continuously transmitted from the same diagnostic device.

  The session control unit 205 compares the NodeID of the received diagnostic message with the NodeID of the diagnostic message in the communication history. . In the example of the sequence diagram shown in FIG. 7, the determination result in step S007 is “No”.

  In step S008, the session control unit 205 performs the session initialization process already described with reference to FIG. 4, and proceeds to the process of step S013. In the example of the sequence diagram shown in FIG. 7, since the process of step S008 is performed and the session state and the security state are initialized, the diagnosis data request message from the second diagnosis apparatus not accompanied by the session request is denied. A response message is sent.

  In step S013, the communication history holding unit 207 stores the Node ID of the diagnostic apparatus that has actually received the diagnosis message. For example, when a diagnosis message is received from the diagnosis device 23 whose NodeID is # 1, if the diagnosis message from the diagnosis device 30 whose NodeID is # 2 is processed by the processing from Step S001 to Step S009, The communication history holding unit 207 performs processing for rewriting the Node ID of the communication history from # 1 to # 2.

  In step S014, the diagnosis service unit 209 executes a diagnosis service. As an example, the diagnostic service unit 209 acquires suitable diagnostic data from the diagnostic data 209a and prepares for transmission to the diagnostic device. In step S015 following step S014, the response processing unit 212 transmits diagnostic data as a response diagnostic message (diagnostic data response message). The information that the response processing unit 212 has transmitted a response diagnostic message is transmitted to the session timer measurement unit 206, and the session timer measurement unit 206 starts counting the session timer if the session timer measurement is necessary ( Step S016).

  In the first embodiment described above, one session state holding unit 211 and one security state holding unit 210 are provided, the session state and the security state to be held are each single, and linked to the transmission / reception of a diagnostic message, The target diagnostic message can be sent and received. However, if a plurality of session states and security states can be held according to the number of diagnostic devices, accurate transmission and reception of target diagnostic messages (not providing diagnostic messages to unintended diagnostic devices) can be realized. .

  FIG. 9 is a block configuration diagram showing a functional configuration of the ECU 20A of the second embodiment. As shown in FIG. 9, session state holding units 211a to 211n and security state holding units 210a to 210n are provided according to the number of target diagnostic apparatuses.

  Thus, by providing a plurality of session state holding units 211a to 211n and security state holding units 210a to 210n, as shown in FIG. 10, the session state and security state optimized for each diagnostic apparatus are held. The ECU 20A can receive the diagnosis data acquisition request from the diagnosis device 23, which is the first diagnosis device, or can also transmit the diagnosis data acquisition request from the diagnosis device 30, which is the second diagnosis device. Also, it is possible to take a response corresponding to each session state and security state.

20, 20A: ECU (on-vehicle control device)
204: Priority determination unit 205: Session control unit 207: Communication history holding unit 208: Communication state holding unit 210, 210a, 210n: Session state holding unit (session holding unit)
211, 211a, 211n: security state holding unit (session holding unit)

Claims (5)

An in-vehicle control device that is mounted on a vehicle and performs data communication with a plurality of diagnostic devices,
A session holding unit (210, 210a, 210n, 211, 211a, 211n) that holds a session state that specifies whether data communication with the plurality of diagnostic devices is permitted;
A communication history holding unit (207) that holds a communication history that is a history of data communication with the plurality of diagnostic devices;
A session control unit (205) for controlling the availability of data communication for each of the plurality of diagnostic devices,
The session control unit
Based on the communication history held by the communication history holding unit and the session state held by the session holding unit, a session initialization process for initializing the session state held by the session holding unit is executed. A vehicle-mounted control device characterized by: The session control unit
The session initialization process is executed when the first diagnostic device specified by the communication history held by the communication history holding unit is different from the second diagnostic device that has requested the data communication. The in-vehicle control device according to claim 1. A communication state holding unit (208) for holding a communication state indicating whether or not the data communication is performed with the plurality of diagnostic devices;
The session control unit
The in-vehicle control device according to claim 2, wherein the session initialization process is executed when a communication state held by the communication state holding unit is not in communication. A priority determination unit (204) for determining a priority of the data communication request transmitted from the plurality of diagnostic apparatuses;
The session control unit
The session initialization process is performed according to the priority determined by the priority determination unit when the communication state held by the communication state holding unit is in communication. In-vehicle control device.   The in-vehicle control according to any one of claims 1 to 4, wherein the session holding unit (210a, 210n, 211a, 211n) holds the session state for each of the plurality of diagnostic devices. apparatus.

Images