JP2017097851A - Relaying apparatus and method and program for relaying - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce cost of an electronic controller and a time for updating data stored in the electronic controller.SOLUTION: The relaying apparatus according to an embodiment is for updating current data in an electronic controller to new data. The relaying apparatus includes: a request sending unit; a response receiving unit; and a data sending unit. The request sending unit sends, to a providing device, an acquisition request, which includes a device identifier for identifying the electronic controller, a data identifier for identifying current data, and version specifying information for specifying the version of the current data. The response receiving unit receives new data from the providing device in response to the acquisition request. The data sending unit receives the new data from the providing device and sends the new data to the electronic controller to cause the current data stored in the electronic controller to be updated to the new data. The data sending unit sends the current data to the electronic controller to cause the electronic controller to restore the current data if the updating processing has failed.SELECTED DRAWING: Figure 7

Description

  Embodiments described herein relate generally to a relay device, a relay method, and a program.

  The vehicle includes an electronic control unit (ECU) for controlling, for example, an engine. The electronic control unit executes firmware and controls the engine and the like. In recent years, vehicles that can be connected to a network have also been proposed. An electronic control device provided in such a vehicle can download data and update firmware via a network. Such electronic control device can update the firmware without returning the vehicle to the factory or the like when the vulnerability of the firmware is found.

  By the way, when the firmware update fails, the electronic control device has to download the current firmware and write it in the memory. For this reason, the electronic control unit must access the server again when the firmware update fails, and the period from the start of the update to the state where it can be executed again becomes longer. It was.

  In order to solve such a problem, the electronic control apparatus may include two buffers that temporarily store data. In updating the firmware, the electronic control device having such a configuration holds the current firmware in one buffer and downloads the new firmware using the other buffer. When the firmware update fails, the electronic control device writes the current firmware stored in the one buffer back to the memory. However, the electronic control device having such a configuration has to be provided with two buffers, which increases the cost. Further, when the vehicle includes a plurality of electronic control devices, each of the electronic control devices must include two buffers, which increases the overall cost of the vehicle.

International Publication No. 2011/055447 JP 2006-268554 A

  The problem to be solved by the present invention is to reduce the cost of the electronic control device and shorten the update time of data stored in the electronic control device.

  The relay device according to the embodiment is a device for updating current data stored in the electronic control device to new data. The relay device includes a request transmission unit, a response reception unit, and a data transmission unit. The request transmitting unit transmits an acquisition request including a device identifier for identifying the electronic control device, a data identifier for identifying the current data, and version specifying information capable of specifying a version of the current data to a providing device. To do. The response receiving unit receives the new data from the providing device in response to the acquisition request. The data transmitting unit transmits the new data received from the providing device to the electronic control device, causes the current data stored in the electronic control device to be updated to the new data, and an update process fails. Then, the current data is transmitted to the electronic control unit to cause the electronic control unit to restore the current data.

The figure which shows the network system which concerns on embodiment. The block diagram of a relay apparatus. The figure which shows management data. The figure which shows key information. The figure which shows acquisition information. The figure which shows status information. The block diagram of a provision apparatus and a relay apparatus. Acquisition processing flowchart. FIG. 6 is a flow chart for judging validity of received current FW data. FIG. 5 is a flow chart for judging validity of received new FW data. The block diagram of a relay apparatus and an electronic control apparatus. The update process flow figure by a relay apparatus. FIG. 5 is a flow chart for judging validity of written new FW data. FIG. 6 is a flow chart for judging the validity of the written current FW data. The block diagram of the provision apparatus and relay apparatus which concern on a 1st modification. The figure which shows the newest version information. The acquisition process flowchart which concerns on a 1st modification. The block diagram of the relay apparatus and electronic control apparatus which concern on a 2nd modification. The update process flowchart which concerns on a 2nd modification. The block diagram of the relay apparatus and electronic control apparatus which concern on a 3rd modification. The figure which shows the status information which concerns on a 3rd modification. The update process flow figure concerning a 3rd modification. The figure which shows another example of a 2nd update process flow. The block diagram of the relay apparatus which concerns on a 4th modification. The figure which shows the current firmware information. The block diagram of the provision apparatus and relay apparatus which concern on a 4th modification. The acquisition process flowchart which concerns on a 4th modification. The block diagram of the relay apparatus and electronic control apparatus which concern on a 4th modification. The update process flow figure concerning a 4th modification. The block diagram of the provision apparatus and relay apparatus which concern on a 5th modification. The block diagram of the relay apparatus which concerns on a 6th modification. The figure which shows system information. The block diagram of the provision apparatus and relay apparatus which concern on a 6th modification. The acquisition process flowchart which concerns on a 6th modification. The block diagram of the relay apparatus and electronic control apparatus which concern on a 6th modification. The update process flow figure concerning a 6th modification. The rollback process flowchart which concerns on a 6th modification. The figure which shows the network system which concerns on a 7th modification. The block diagram of the relay apparatus and memory | storage device which concern on a 7th modification. The figure which shows the hardware constitutions of information processing apparatus.

  Hereinafter, the network system 10 according to the embodiment will be described in detail with reference to the drawings. The network system 10 aims to reduce the cost of the electronic control unit (ECU) and shorten the update time of data stored in the electronic control unit.

  FIG. 1 is a diagram illustrating a network system 10 according to the embodiment. The network system 10 includes a providing device 20 and a control target system 22.

  The providing device 20 is an information processing device such as a server. The providing device 20 is connected to the control target system 22 via an external network such as the Internet.

  The control target system 22 includes at least one electronic control device 24 and a relay device 26. In the present embodiment, the control target system 22 is a vehicle. The control target system 22 is not limited to a vehicle, and may be, for example, a robot system, an airplane, or a home network system.

  Each electronic control unit 24 controls the target device. The target device is a device provided in the control target system 22. In the present embodiment, the target device is, for example, a vehicle system such as an engine, an energy system device such as a fuel supply device, a body system device such as a window or a door, or an entertainment system such as an audio device. Device.

  The electronic control device 24 is connected to a processing unit such as a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), a storage unit such as a nonvolatile storage device, and a target device as hardware. Interface unit, a communication unit for communicating with the relay device 26, and the like.

  The storage unit of the electronic control device 24 stores firmware. Firmware is a program executed by a processing unit such as a CPU or data read by a processing unit such as a CPU. The electronic control device 24 controls the target device in cooperation with firmware and hardware. The electronic control device 24 may store one firmware or a plurality of firmware.

  Further, the electronic control unit 24 updates the firmware. The electronic control unit 24 stores the actual version data of the firmware that is newer than the currently stored version when it is provided by a firmware developer (developer, development group, provider, etc.). The firmware entity data is updated to the new version of the entity data. For example, the electronic control unit 24 deletes the currently stored firmware entity data and newly stores a new version of the entity data, or stores the new version of the entity data in the currently stored firmware entity data storage area. Update by overwriting data. The electronic control unit 24 executes the update process when receiving the actual data of the new firmware and the update instruction from the outside.

  In this embodiment, the stored firmware entity data is referred to as “current FW data”. Also, entity data of a newer version than the stored firmware entity data is referred to as “new FW data”.

  The relay device 26 is a device for updating current FW data stored in each electronic control device 24 to new FW data. The relay device 26 is an information processing device having a hardware configuration similar to that of a computer or the like. The relay device 26 is connected to the providing device 20 via an external network. In the present embodiment, since the control target system 22 is a vehicle, the relay device 26 is connected to an external network by wireless communication.

  The relay device 26 is connected to each electronic control device 24 via an internal network. The external network and the internal network are connected via the relay device 26, but are not directly connected.

  FIG. 2 is a diagram illustrating a functional configuration of the relay device 26. The relay device 26 includes an acquisition unit 30, an update unit 32, a management data storage unit 34, a shared key storage unit 36, a temporary storage unit 38, and a state storage unit 40.

  The acquisition unit 30 receives current FW data, new FW data, and the like from the providing device 20. The update unit 32 transmits the new FW data received from the providing device 20 to the electronic control device 24, and causes the electronic control device 24 to update the current FW data to the new FW data. In addition, when the update process for updating the current FW data to the new FW data fails, the update unit 32 transmits the current FW data received from the providing device 20 to the electronic control device 24, and sends the current FW data to the electronic control device 24. Restore data.

  The management data storage unit 34 stores management data related to current FW data stored in each electronic control unit 24. The shared key storage unit 36 stores key information including shared key data for verifying whether the current FW data and the new FW data are valid. The shared key data is shared with the firmware developer and kept secret from a third party. The temporary storage unit 38 stores acquisition information including the current FW data and new FW data received by the acquisition unit 30. The state storage unit 40 stores state information indicating the state of the electronic control device 24.

  FIG. 3 is a diagram showing the contents of the management data stored in the management data storage unit 34. The management data storage unit 34 stores management data shown in FIG. 3 for each firmware stored in each electronic control unit 24 included in the control target system 22.

  The management data includes an ECU ID, a FWID, a MAC (Message Authentication Code) value of the current FW, a version number of the current FW, a domain of the ECU, a developer ID of the current FW, update timing information, and FW acquisition status information.

  The ECU ID is an identifier of the electronic control device 24 that stores the firmware. The FWID is an identifier of the firmware. The MAC value of the current FW is the MAC value of the current FW data written in the electronic control unit 24.

  Here, the MAC value is data for verifying that the data has not been tampered with. The MAC value is calculated and verified using target data and key data. The same key data is used for generating and verifying the MAC value. For example, it is assumed that the sender and the receiver hold the same key data. This key data is kept secret from a third party. In this case, the sender calculates the MAC value from the target data and the key data held by the sender. Then, the sender transmits the target data and the MAC value to the receiver. The receiver calculates the MAC value from the received transmission data and the key data held by the receiver. Then, the receiver compares the calculated MAC value with the MAC value received from the sender. In the case of a match, the receiver can determine that the received target data has been generated by the sender (that is, is valid).

  The version number of the current FW represents the version of the current FW data written in the electronic control unit 24. The version number may be a numerical value or a character that increases each time the version of the firmware entity data is updated.

  The ECU domain represents a function of the target device. For example, the ECU domain indicates whether the target device is an exercise device, an energy device, a body device, or an entertainment device.

  The current FW developer ID is information for identifying the developer of the current FW data. The shared key data is assigned for each developer ID.

  The update timing information indicates the timing at which the firmware can be updated. For example, the update timing information can be updated during driving of the vehicle, whether the vehicle can be updated while braking, whether the vehicle can be updated while idling, and Indicates whether or not the vehicle engine can be updated while the vehicle is stopped.

  The FW acquisition status information indicates the acquisition status of new FW data by the relay device 26. For example, the FW acquisition status information indicates any of a status of doing nothing, a status of inquiring the providing apparatus 20, a status of receiving data, or a status of verification.

  FIG. 4 is a diagram showing the contents of the key information stored in the shared key storage unit 36. The shared key storage unit 36 stores the key information shown in FIG. 4 for each firmware developer.

  The key information includes a developer ID and shared key data. The developer ID is information for identifying a firmware developer. The shared key data is data used for calculating the MAC value.

  The developer ID may be different for each firmware version. For example, the developer ID of the current FW data and the developer ID of the new FW data may be different or the same. When the developer ID of the current FW data is different from the developer ID of the new FW data, the corresponding shared key data is different.

  FIG. 5 is a diagram illustrating the contents of the acquired information stored in the temporary storage unit 38. The temporary storage unit 38 stores the acquisition information illustrated in FIG. 5 every time it is determined that the current FW data and the new FW data received from the providing device 20 are valid.

  The acquisition information includes ECUID, FWID, current FW data, new FW data, new FW MAC value, new FW version number, new FW developer ID, acquisition error count, and update error count.

  The ECU ID is an identifier of the electronic control device 24 to be updated. The FWID is an identifier of the firmware to be updated.

  The current FW data and the new FW data are firmware actual data received from the providing device 20. The current FW data is data that should be the same as the current FW data currently written in the electronic control unit 24.

  The MAC value of the new FW is the MAC value of the new FW data received from the providing device 20. The MAC value of the new FW is generated, for example, by the developer of the new FW data. The new FW version number represents the version of the new FW data. The new FW developer ID is information for identifying the developer of the new FW data.

  The number of acquisition errors represents the number of times it is determined that the current FW data or new FW data received from the providing device 20 is not valid. The number of update errors represents the number of times when it is determined that the new FW data written in the electronic control unit 24 is not valid.

  FIG. 6 is a diagram illustrating the contents of the state information stored in the state storage unit 40. The state storage unit 40 stores state information illustrated in FIG. 6 for each electronic control device 24.

  The state information includes an ECU ID, an ECU domain, and ECU state information. The ECU ID is an identifier of the electronic control device 24. The domain of the ECU represents a function of the target device controlled by the electronic control device 24.

  The ECU state information indicates the current state of the electronic control unit 24. For example, the ECU status information is one of a normal operation status, an update waiting status, a data update target reception status, a data write status, a verification status, or a data validation status. Indicates.

  FIG. 7 is a diagram illustrating functional configurations of the providing device 20 and the relay device 26. The providing apparatus 20 includes a provision information storage unit 50, a request reception unit 54, a specification unit 56, and a response transmission unit 58. The acquisition unit 30 of the relay device 26 includes a request transmission unit 52, a response reception unit 60, a first verification value generation unit 62, a first verification unit 64, and a status update unit 66.

  The provided information storage unit 50 stores information to be provided to the relay device 26. The provided information storage unit 50 stores, for each firmware, the ECU ID, FWID, the actual data of each version, the MAC value of the actual data of each version, the version number of each version, and the developer ID of each version. The developer ID may be common for each version.

  The request transmission unit 52 transmits an acquisition request to the providing device 20 for each firmware stored in each electronic control device 24 included in the control target system 22. For example, the request transmission unit 52 transmits an acquisition request at a predetermined timing for each firmware (for example, periodically).

  The request transmitting unit 52 includes an acquisition request including an ECU ID (device identifier) for identifying the electronic control device 24, a FWID (data identifier) for identifying the current FW data, and version specifying information capable of specifying the version of the current FW data. Is transmitted to the providing device 20. The request transmission unit 52 reads management data regarding the firmware from the management data storage unit 34 and generates an acquisition request.

  The version specifying information is a MAC value of the current FW data (a verification value for verifying the current FW data stored in the electronic control unit 24). The version specifying information may be the version number of the current FW data instead of the MAC value.

  The request receiving unit 54 receives an acquisition request from the relay device 26. The identification unit 56 reads information related to the firmware corresponding to the ECU ID and the FWID included in the acquisition request from the provision information storage unit 50. Based on the read information, the specifying unit 56 determines whether or not entity data of a version newer than the version specified by the version specifying information is provided by the developer. That is, the specifying unit 56 determines whether or not there is actual data (new FW data) of a version newer than the version of the current FW data stored in the electronic control unit 24 for the firmware specified by the acquisition request. to decide.

  The response transmission unit 58 transmits response information corresponding to the received acquisition request to the relay device 26. When there is no new FW data, the response transmission unit 58 transmits response information including the ECU ID, the FWID, and the update flag. When new FW data is present, the response transmission unit 58 includes a response including ECU ID, FWID, update flag, current FW data, new FW data, new FW MAC value, new FW version number, and new FW developer ID. Send information.

  The ECU ID and FWID included in the response information are the same as the ECU ID and FWID included in the acquisition request. The update flag is a flag indicating whether or not there is a newer version of FW data (new FW data) than the version specified by the version specifying information. In the present embodiment, the update flag has a value other than 0 when new FW data does not exist and a value other than 0 when new FW data exists. When the developer ID is common for each version, the response transmission unit 58 may not transmit the developer ID.

  The response receiving unit 60 receives response information corresponding to the acquisition request from the providing device 20. When the new FW data does not exist, the response receiving unit 60 receives response information including the ECU ID, the FWID, and the update flag. When the new FW data exists, the response receiving unit 60 responds including the ECU ID, FWID, update flag, current FW data, new FW data, new FW MAC value, new FW version number, and new FW developer ID. Receive information.

  The first verification value generation unit 62 calculates a MAC value (second verification value) for the current FW data received from the providing device 20. Specifically, the first verification value generation unit 62 reads the shared key data corresponding to the developer ID of the current FW from the shared key storage unit 36. The first verification value generation unit 62 calculates a MAC value from the read shared key data and the current FW data received from the providing device 20.

  Further, the first verification value generation unit 62 calculates a MAC value (fourth verification value) for the new FW data received from the providing device 20. Specifically, the first verification value generation unit 62 reads the shared key data corresponding to the developer ID of the new FW from the shared key storage unit 36. The first verification value generation unit 62 calculates a MAC value from the read shared key data and the new FW data received from the providing device 20.

  The first verification unit 64 determines whether the current FW data received from the providing apparatus 20 is valid. Specifically, the first verification unit 64 is configured to verify the first verification value for verifying the current FW data stored in the electronic control device 24 and the first FW data received from the providing device 20. If the two verification values match, it is determined that the current FW data received from the providing device 20 is valid.

  Here, the first verification value is the MAC value of the current FW stored in the management data storage unit 34. The second verification value is the MAC value of the current FW data calculated by the first verification value generation unit 62. That is, the first verification unit 64 verifies whether or not the current FW data received from the providing device 20 is the same as the current FW data stored in the electronic control device 24.

  Further, the first verification unit 64 determines whether the new FW data received from the providing device 20 is valid. Specifically, the first verification unit 64 matches the third verification value received from the providing device 20 with the fourth verification value calculated from the shared key data and the new FW data received from the providing device 20. In this case, it is determined that the new FW data received from the providing device 20 is valid.

  Here, the third verification value is the MAC value of the new FW data (MAC value of the new FW) received from the providing apparatus 20 in response to the acquisition request. The fourth verification value is the MAC value of the new FW data calculated by the first verification value generation unit 62. That is, the first verification unit 64 verifies whether the developer of the new FW data received from the providing device 20 holds the same shared key data as that of the relay device 26.

  If either the current FW data or the new FW data received from the providing device 20 is not valid, the first verification unit 64 causes the request transmission unit 52 to transmit an acquisition request again. The first verification unit 64 stops transmission of the acquisition request if any of the current FW data and the new FW data is not valid even if the same acquisition request is transmitted a certain number of times.

  The first verification unit 64 stores the information received by the response reception unit 60 in the temporary storage unit 38 on condition that the current FW data and new FW data received from the providing device 20 are valid. Specifically, the first verification unit 64 receives the ECU ID, FWID, current FW data, new FW data, new FW MAC value, new FW version number, and new FW developer ID received from the providing device 20. And stored in the temporary storage unit 38. When the developer ID is common for each version, the first verification unit 64 may not store the developer ID of the new FW in the temporary storage unit 38. The first verification unit 64 may also store in the temporary storage unit 38 the number of times that either the current FW data or the new FW data is determined to be invalid (the number of errors).

  The status update unit 66 writes the FW acquisition status information in the management data storage unit 34 for each firmware.

  With the above configuration, the relay device 26 can receive the current FW data and the new FW data from the providing device 20. Further, the relay device 26 can determine whether the received current FW data and new FW data are valid. Then, the relay device 26 can store the current FW data and the new FW data in the temporary storage unit 38 on condition that the received current FW data and new FW data are valid.

  FIG. 8 is a diagram illustrating an acquisition processing flow by the relay device 26. The acquisition unit 30 executes the acquisition process illustrated in FIG.

  First, in step S <b> 11, the acquisition unit 30 transmits an acquisition request to the providing apparatus 20 at a predetermined timing for any firmware. In this case, the acquisition unit 30 transmits an acquisition request including the ECU ID, the FWID, and the version specifying information (the MAC value of the current FW or the version number of the current FW) to the providing device 20.

  The providing device 20 transmits response information about the corresponding firmware to the relay device 26 in response to the acquisition request. Specifically, when there is no corresponding new FW data, providing device 20 transmits response information including an ECU ID, an FWID, and an update flag whose value is 0. When the new FW data exists, the providing device 20 updates the ECU ID, the FWID, the update flag whose value is not 0, the current FW data, the new FW data, the new FW MAC value, the new FW version number, and the new FW Response information including the developer ID is transmitted.

  Subsequently, in step S12, the acquisition unit 30 receives the response information. Subsequently, in step S <b> 13, the acquisition unit 30 determines whether or not the update flag included in the response information is a value other than 0. When the update flag is 0 (No in S13), the acquisition unit 30 ends this flow. If the update flag is a value other than 0 (Yes in S13), the process proceeds to step S14.

  In step S14, the acquisition unit 30 determines whether the received current FW data is valid. The process of step S14 will be described in more detail with reference to the flow of FIG. If the acquisition unit 30 is valid (Yes in S14), the process proceeds to step S15. If the acquisition unit 30 is not valid (No in S14), the process proceeds to step S17.

  In step S15, the acquisition unit 30 determines whether or not the received new FW data is valid. The process of step S15 will be described in more detail with reference to the flow of FIG. If the acquisition unit 30 is valid (Yes in S15), the process proceeds to step S16. If the acquisition unit 30 is not valid (No in S15), the process proceeds to step S17.

  In step S16, the acquisition unit 30 temporarily stores the ECU ID, FWID, current FW data, new FW data, new FW MAC value, new FW version number, and new FW developer ID received from the providing device 20. Write to 38. When step S16 ends, the acquisition unit 30 ends this flow. In this case, the acquisition unit 30 can receive valid current FW data or new FW data.

  In step S <b> 17, the acquisition unit 30 determines whether the number of times that either the current FW data or the new FW data is not valid (the number of errors) is equal to or greater than a certain number even if the same acquisition request is transmitted. To do. When the number of errors is less than the predetermined number (No in S17), the acquisition unit 30 returns the process to Step S11. As a result, even when the acquisition unit 30 cannot receive valid data due to a communication error or the like, the acquisition unit 30 can receive the valid data at the next opportunity.

  When the number of errors is equal to or greater than the predetermined number (Yes in S17), the acquisition unit 30 ends this flow.

  FIG. 9 is a diagram illustrating a flow for determining the validity of the current FW data received from the providing device 20. In step S14, the acquisition unit 30 executes the process illustrated in FIG.

  First, the acquisition unit 30 reads the MAC value (first verification value) of the current FW stored in the management data storage unit 34 (S21). Subsequently, the acquisition unit 30 reads the developer ID of the current FW from the management data storage unit 34 (S22). Subsequently, the acquisition unit 30 reads the shared key data corresponding to the developer ID of the current FW from the shared key storage unit 36 (S23). Subsequently, the acquiring unit 30 acquires the current FW data received from the providing device 20 (S24). Subsequently, the acquisition unit 30 calculates a MAC value (second verification value) from the read shared key data and the current FW data received from the providing device 20 (S25).

  Subsequently, the acquiring unit 30 determines whether or not the first verification value and the second verification value match (S26). If the first verification value and the second verification value match (Yes in S26), the acquisition unit 30 determines that the current FW data received from the providing device 20 is valid (S27) and ends the process. If the first verification value and the second verification value do not match (No in S26), the acquisition unit 30 determines that the current FW data received from the providing device 20 is not valid (S28) and ends the process.

  FIG. 10 is a diagram illustrating a flow for determining the validity of the new FW data received from the providing apparatus 20. In step S15, the acquisition unit 30 executes the process illustrated in FIG.

  First, the acquisition unit 30 acquires the MAC value (third verification value) of the new FW received from the providing device 20 (S31). Subsequently, the acquisition unit 30 acquires the developer ID of the new FW received from the providing device 20 (S32). Subsequently, the acquisition unit 30 reads the shared key data corresponding to the developer ID of the new FW from the shared key storage unit 36 (S33). Subsequently, the acquisition unit 30 acquires new FW data received from the providing device 20 (S34). Subsequently, the acquisition unit 30 calculates a MAC value (fourth verification value) from the read shared key data and the new FW data received from the providing device 20 (S35).

  Subsequently, the acquisition unit 30 determines whether or not the third verification value and the fourth verification value match (S36). If the third verification value matches the fourth verification value (Yes in S36), the acquisition unit 30 determines that the new FW data received from the providing device 20 is valid (S37) and ends the process. If the third verification value does not match the fourth verification value (No in S36), the acquisition unit 30 determines that the new FW data received from the providing device 20 is not valid (S38) and ends the process.

  FIG. 11 is a diagram illustrating functional configurations of the relay device 26 and the electronic control device 24. The electronic control unit 24 includes a data storage unit 70, a control unit 72, a status transmission unit 74, a start reception unit 82, a data reception unit 86, a writing unit 88, a first key storage unit 90, 2 includes a verification value generation unit 92, a verification value transmission unit 94, and an end reception unit 104. The update unit 32 of the relay device 26 includes a state reception unit 76, a start detection unit 78, a start transmission unit 80, a data transmission unit 84, a verification value reception unit 96, a second verification unit 98, and a determination unit 100. And a notification unit 102.

  The data storage unit 70 stores firmware entity data (current FW data). The control unit 72 controls the target device based on the current FW data stored in the data storage unit 70.

  The state transmission unit 74 detects the state of the electronic control device 24. For example, the state transmission unit 74 may be any of a normal operation state, an update waiting state, a reception target data reception state, a writing state, a verification state, or a data validation state. Is detected. The state transmission unit 74 transmits ECU state information indicating the detected state to the relay device 26.

  The state receiving unit 76 receives ECU state information from the electronic control unit 24. The state receiving unit 76 causes the state storage unit 40 to store the received ECU state information.

  The start detection unit 78 determines whether it is possible to update the firmware for which valid new FW data and current FW data have been verified from the providing device 20 and the new FW data has not yet been written to the electronic control device 24. For example, the start detection unit 78 determines that the control target system 22 is updatable when the state of the control target system 22 matches the update timing information stored in the management data storage unit 34 and the ECU state information indicates normal operation. . The start detection unit 78 gives a start instruction to the start transmission unit 80 and the data transmission unit 84 when the update is possible.

  When the start transmission unit 80 receives the start instruction, the start transmission unit 80 transmits information indicating the start of update to the electronic control device 24 to be updated. As a result, the electronic control device 24 to be updated can prepare for receiving data. In addition, the start transmission unit 80 transmits information indicating that the electronic control device 24 to be updated starts firmware update to the other electronic control device 24. Thus, the other electronic control unit 24 can limit the operation or warn the user so that no malfunction occurs during the update period.

  The start receiving unit 82 receives information indicating update start from the relay device 26. The start receiving unit 82 restricts the operation of the control unit 72 when receiving information indicating update start. Thereby, the start receiving part 82 can control so that the malfunction of an operation | movement does not arise in an object apparatus during an update period.

  When the data transmission unit 84 receives the start instruction from the start detection unit 78, the data transmission unit 84 transmits the new FW data received from the providing device 20 to the electronic control device 24, and updates the current FW data stored in the electronic control device 24. Update to FW data. Specifically, the data transmission unit 84 transmits new FW data stored in the temporary storage unit 38 to the electronic control device 24 and transmits an update instruction.

  The temporary storage unit 38 stores new FW data determined to be valid. Therefore, the data transmission unit 84 can transmit the new FW data determined to be valid to the electronic control unit 24. Further, since the data transmission unit 84 transmits new FW data when receiving a start instruction from the start detection unit 78, when the target device to be controlled by the electronic control unit 24 is in a predetermined state, the new data is transmitted. FW data can be transmitted.

  The data receiving unit 86 receives new FW data and an update instruction from the relay device 26. When receiving the update instruction, the writing unit 88 updates the current FW data stored in the data storage unit 70 to the new FW data received from the relay device 26. For example, the writing unit 88 overwrites the area where the current FW data is stored in the data storage unit 70 with the new FW data, or deletes the current FW data stored in the data storage unit 70 to store the data storage unit New FW data is written in a predetermined area of 70.

  The first key storage unit 90 stores key data used to verify the data written in the data storage unit 70. In the present embodiment, the first key storage unit 90 stores shared key data corresponding to the developer ID of the current FW and shared key data corresponding to the developer ID of the new FW. If the developer ID of the current FW and the developer ID of the new FW are the same, the first key storage unit 90 stores one shared key data.

  The first key storage unit 90 may store key data different from the shared key data shared by the relay device 26 and the providing device 20. In this case, the first key storage unit 90 shares this key data with the relay device 26 and keeps it secret from a third party. The update unit 32 includes a storage unit that stores the key data and a verification value generation unit that generates a MAC value from the key data. Further, this key data may be periodically updated, or may be newly generated every time the relay device 26 and the electronic control device 24 carry out concealment communication.

  The second verification value generation unit 92 calculates a MAC value (fifth verification value) for verifying the new FW data written in the data storage unit 70 in the update process. Specifically, the second verification value generation unit 92 reads the shared key data corresponding to the developer ID of the new FW from the first key storage unit 90. Then, the second verification value generation unit 92 calculates the MAC value from the read shared key data and the new FW data written in the data storage unit 70 in the update process.

  The verification value transmission unit 94 transmits the MAC value for verifying the new FW data written in the data storage unit 70 in the update process to the relay device 26. The verification value receiving unit 96 receives a MAC value for verifying the new FW data written in the data storage unit 70 in the update process from the electronic control unit 24.

  The second verification unit 98 verifies whether the new FW data written in the electronic control device 24 in the update process is valid. Specifically, the second verification unit 98 verifies the fifth verification value for verifying the new FW data written in the electronic control unit 24 in the update process and the new FW data transmitted to the electronic control unit 24. In the case where the sixth verification value for doing so does not match, it is determined that the new FW data written in the electronic control unit 24 by the update process is not valid.

  Here, the fifth verification value is a MAC value calculated by the second verification value generation unit 92 for the new FW data written in the data storage unit 70. The sixth verification value is a MAC value of new FW data received from the providing device 20. That is, the second verification unit 98 verifies whether the new FW data received from the providing device 20 has been written in the electronic control device 24 without being tampered.

  When the second verification unit 98 determines that the new FW data written in the electronic control unit 24 is valid in the update process, the second verification unit 98 notifies the determination unit 100 and the notification unit 102.

  When receiving the notification that the new FW data written in the electronic control unit 24 is valid in the update process, the determination unit 100 reads the information stored in the temporary storage unit 38 and the management data storage unit 34. Remember me. Specifically, the determining unit 100 reads the MAC value of the new FW, the version number of the new FW, and the developer ID of the new FW from the temporary storage unit 38, and includes the current FW included in the management data for the same firmware. The MAC value, the version number of the current FW, and the developer ID of the current FW are written in the management data storage unit 34. Thereby, the relay apparatus 26 can update the management data stored in the management data storage unit 34. The determination unit 100 may delete the information stored in the temporary storage unit 38 after storing the necessary information in the management data storage unit 34.

  When the notification unit 102 receives a notification from the second verification unit 98 that the new FW data is valid, it notifies the other electronic control unit 24 and the update target electronic control unit 24 that the firmware has been updated. Send information to indicate. As a result, the other electronic control unit 24 can cancel the restriction of the operation or cancel the warning for the user.

  The end reception unit 104 receives information indicating that the firmware update has been completed from the relay device 26. When the end reception unit 104 receives information indicating that the update has been completed, the end reception unit 104 releases the restriction on the operation by the control unit 72. Thereby, the control part 72 can control an object apparatus based on new FW data.

  On the other hand, when the second verification unit 98 determines that the new FW data written in the electronic control unit 24 is not valid in the update process, the second verification unit 98 notifies the data transmission unit 84 that the update process has failed.

  When the update process fails, the data transmission unit 84 transmits the current FW data received from the providing device 20 to the electronic control device 24, and causes the electronic control device 24 to restore the current FW data. Specifically, the data transmission unit 84 transmits the current FW data stored in the temporary storage unit 38 to the electronic control device 24 and transmits a restoration instruction. The temporary storage unit 38 stores current FW data determined to be valid. Therefore, the data transmission unit 84 can transmit the current FW data determined to be valid to the electronic control unit 24.

  The data receiving unit 86 receives the current FW data and the restoration instruction from the relay device 26. When receiving the restoration instruction, the writing unit 88 restores the current FW data stored in the data storage unit 70. For example, the writing unit 88 overwrites the received current FW data in the area where the current FW data was originally stored in the data storage unit 70. The writing unit 88 may write the current FW data after deleting the new FW data written in the update process.

  The second verification value generation unit 92 calculates a MAC value (seventh verification value) for verifying the current FW data written in the data storage unit 70 in the restoration process. Specifically, the second verification value generation unit 92 reads the shared key data corresponding to the developer ID of the current FW stored in the first key storage unit 90 from the first key storage unit 90. Then, the second verification value generation unit 92 calculates a MAC value from the read shared key data and the current FW data written in the data storage unit 70 in the restoration process.

  The verification value transmission unit 94 transmits the MAC value for verifying the current FW data written in the data storage unit 70 in the restoration process to the relay device 26. The verification value receiving unit 96 receives a MAC value for verifying the current FW data written in the data storage unit 70 in the restoration process from the electronic control unit 24.

  The second verification unit 98 verifies whether the current FW data written in the electronic control unit 24 in the restoration process is valid. Specifically, the second verification unit 98 verifies the seventh verification value for verifying the current FW data written in the electronic control unit 24 in the restoration process, and the current FW data transmitted to the electronic control unit 24. In the case where the eighth verification value for matching does not match, it is determined that the current FW data written in the electronic control unit 24 by the restoration process is not valid.

  Here, the seventh verification value is a MAC value for the current FW data written in the data storage unit 70 calculated by the second verification value generation unit 92. The eighth verification value is the MAC value of the current FW data stored in the management data storage unit 34. In other words, the second verification unit 98 verifies whether the same data as the current FW data originally stored in the management data storage unit 34 has been written in the electronic control unit 24.

  The second verification unit 98 notifies the notification unit 102 when it is determined that the current FW data written in the electronic control unit 24 is valid in the restoration process. When the notification unit 102 receives a notification from the second verification unit 98 that the current FW data is valid, the notification unit 102 notifies the other electronic control device 24 and the update target electronic control device 24 that the processing has been completed. Send. As a result, the other electronic control unit 24 can cancel the restriction of the operation or cancel the warning for the user.

  The end receiving unit 104 receives information indicating that the processing is completed from the relay device 26. When the end reception unit 104 receives information indicating that the processing is completed, the end reception unit 104 releases the restriction on the operation by the control unit 72. Accordingly, the control unit 72 can control the target device based on the current FW data.

  If the second verification unit 98 determines that the current FW data written in the electronic control unit 24 is not valid in the restoration process, the second verification unit 98 notifies the data transmission unit 84 that the restoration process has failed. When the restoration process fails, the data transmission unit 84 transmits the current FW data received from the providing device 20 to the electronic control device 24 again, and causes the electronic control device 24 to restore the current FW data. Accordingly, the second verification unit 98 can cause the electronic control device 24 to repeatedly execute the restoration process.

  However, if the number of times that the current FW data written to the electronic control unit 24 in the restoration process is not valid (the number of errors) becomes equal to or greater than a certain number, the second verification unit 98 End retransmission. Further, the second verification unit 98 may store the number of times that the current FW data is determined to be invalid (number of errors) in the temporary storage unit 38.

  Then, the second verification unit 98 notifies the notification unit 102 that valid data has not been written in the electronic control unit 24. When the notification unit 102 receives a notification from the second verification unit 98 that valid data has not been written, the valid data has been written to the other electronic control device 24 and the electronic control device 24 to be updated. Send information indicating that there is no. As a result, the other electronic control device 24 can limit operations related to the electronic control device 24 to be updated, and can give a warning to the user.

  When the notification unit 102 receives a notification indicating that valid data is not written, the notification unit 102 transmits information indicating that valid data is not written to the electronic control device 24 to be updated. When the end reception unit 104 receives information indicating that valid data is not written, the end reception unit 104 limits the operation of the control unit 72. Thereby, the control part 72 can prohibit control of the object apparatus based on invalid data.

  With the above configuration, the relay device 26 can update the current FW data stored in the electronic control device 24 to the new FW data received from the providing device 20. Further, when the new FW data written in the electronic control device 24 in the update process is not valid, the relay device 26 uses the current FW data received from the providing device 20 to store the current FW stored in the electronic control device 24. Data can be restored.

  FIG. 12 is a diagram showing an update processing flow by the relay device 26. The update unit 32 executes the update process shown in FIG.

  First, in step S <b> 41, the update unit 32 reads update timing information regarding the firmware to be updated from the management data storage unit 34. Subsequently, in step S <b> 42, the update unit 32 reads ECU state information regarding the electronic control device 24 to be updated from the state storage unit 40.

  Subsequently, in step S43, the update unit 32 determines whether or not to start the update process. Specifically, the update unit 32 determines that the update is possible when the state of the control target system 22 matches the update timing information and the ECU state information indicates that the normal operation is being performed. If the update unit 32 is not updatable (No in S43), the process proceeds to step S44 and waits for a predetermined time, and then repeats the process from step S42 again. If updating is possible (Yes in S43), the updating unit 32 advances the process to Step S45.

  In step S <b> 45, the update unit 32 transmits information indicating update start to the update-target electronic control device 24. Subsequently, in step S <b> 46, the update unit 32 transmits information indicating the start of firmware update in the update target electronic control device 24 to the other electronic control device 24.

  Subsequently, in step S47, the updating unit 32 transmits the new FW data received from the providing device 20 to the electronic control device 24, and updates the current FW data stored in the electronic control device 24 to the new FW data. . Specifically, the update unit 32 transmits the new FW data determined to be valid stored in the temporary storage unit 38 to the electronic control device 24 together with the update instruction.

  Here, when receiving the new FW data and the update instruction from the relay device 26, the electronic control device 24 to be updated updates the stored current FW data to the new FW data received from the relay device 26. Subsequently, the electronic control unit 24 calculates a MAC value (fifth verification value) for verifying the new FW data written in the data storage unit 70 in the update process.

  Subsequently, in step S48, the updating unit 32 receives a MAC value (fifth verification value) for verifying the written new FW data from the electronic control device 24 to be updated.

  Subsequently, in step S49, the update unit 32 verifies whether or not the new FW data written in the electronic control device 24 in the update process is valid. The process of step S49 will be described in more detail with reference to the flow of FIG. If it is valid (Yes in S49), the updating unit 32 advances the process to Step S50, and if not valid (No in S49), advances the process to Step S52.

  In step S <b> 50, the update unit 32 reads information stored in the temporary storage unit 38 and transfers the information to the management data storage unit 34. Specifically, the update unit 32 reads the MAC value of the new FW, the version number of the new FW, and the developer ID of the new FW from the temporary storage unit 38, and the MAC value of the current FW, the version number of the current FW, and the current FW It is stored in the management data storage unit 34 as the FW developer ID.

  Subsequently, in step S <b> 51, the update unit 32 transmits an end notification indicating completion of firmware update in the update target electronic control device 24 to the update target electronic control device 24 and the other electronic control devices 24. And the update part 32 complete | finishes an update process about this firmware.

  On the other hand, in step S52, the updating unit 32 transmits the current FW data received from the providing device 20 to the electronic control device 24, and causes the electronic control device 24 to restore the current FW data. Specifically, the update unit 32 transmits the current FW data determined to be valid stored in the temporary storage unit 38 to the electronic control unit 24 together with a restoration instruction.

  Here, when receiving the current FW data and the restoration instruction from the relay device 26, the electronic control device 24 to be updated stores the current FW data received from the relay device 26. Specifically, the electronic control unit 24 deletes the new FW data written in the update process, and writes the received current FW data in the area where the current FW data was originally stored in the data storage unit 70. Then, the electronic control unit 24 calculates a MAC value (seventh verification value) for verifying the current FW data written in the data storage unit 70 in the restoration process.

  Subsequently, in step S53, the updating unit 32 receives a MAC value (seventh verification value) for verifying the written current FW data from the electronic control device 24 to be updated.

  Subsequently, in step S54, the updating unit 32 verifies whether or not the current FW data written in the electronic control unit 24 in the restoration process is valid. The process of step S54 will be described in more detail with reference to the flow of FIG. If it is valid (Yes in S54), the update unit 32 advances the process to step S51, transmits an end notification, and ends the update process for this firmware. If the update unit 32 is not valid (No in S54), the process proceeds to step S55.

  In step S55, the updating unit 32 determines whether or not the number of times that the current FW data written in the electronic control unit 24 in the restoration process is invalid (number of errors) is equal to or greater than a certain number. If the number of errors is less than the predetermined number (No in S55), the updating unit 32 returns the process to step S52 and repeats the process from the transmission of the current FW data. If the number of errors is equal to or greater than a certain number (Yes in S55), the process proceeds to step S56.

  In step S <b> 56, the update unit 32 transmits a failure notification indicating that valid data has not been written in the update-target electronic control device 24 to the update-target electronic control device 24 and other electronic control devices 24. And the update part 32 complete | finishes an update process about this firmware.

  FIG. 13 is a diagram showing a flow for determining the validity of the new FW data written in the electronic control unit 24 in the update process. In step S49, the update unit 32 executes the process shown in FIG.

  First, the update unit 32 acquires a fifth verification value for verifying the new FW data written in the electronic control unit 24 in the update process (S61). The fifth verification value is a MAC value for the new FW data written in the electronic control device 24 calculated by the electronic control device 24. Subsequently, the update unit 32 reads the MAC value (sixth verification value) of the new FW from the temporary storage unit 38 (S62).

  Subsequently, the updating unit 32 determines whether or not the fifth verification value and the sixth verification value match (S63). If the fifth verification value and the sixth verification value match (Yes in S63), the updating unit 32 determines that the new FW data written in the electronic control device 24 is valid (S64) and ends the process. If the fifth verification value and the sixth verification value do not match (No in S63), the updating unit 32 determines that the new FW data written in the electronic control device 24 is not valid (S65) and ends the process.

  FIG. 14 is a diagram showing a flow for determining the validity of the current FW data written in the electronic control unit 24 in the restoration process. In step S54, the update unit 32 executes the process illustrated in FIG.

  First, the update unit 32 acquires a seventh verification value for verifying the current FW data written in the electronic control unit 24 in the restoration process (S71). The seventh verification value is a MAC value for the current FW data written in the electronic control unit 24 calculated by the electronic control unit 24. Subsequently, the update unit 32 reads the MAC value (eighth verification value) of the current FW from the management data storage unit 34 (S72).

  Subsequently, the updating unit 32 determines whether or not the seventh verification value matches the eighth verification value (S73). If the seventh verification value matches the eighth verification value (Yes in S73), the updating unit 32 determines that the current FW data written in the electronic control device 24 is valid (S74), and ends the process. If the seventh verification value and the eighth verification value do not match (No in S73), the updating unit 32 determines that the current FW data written in the electronic control device 24 is not valid (S75) and ends the process.

  As described above, the network system 10 according to the present embodiment may not include a separate buffer for updating data in the electronic control device 24. Thereby, according to the network system 10 which concerns on this embodiment, the cost of the electronic control apparatus 24 can be made small.

  In the network system 10 according to the present embodiment, the relay device 26 receives both the current FW data and the new FW data from the providing device 20 in advance. Then, when the update from the current FW data to the new FW data for the electronic control device 24 fails, the relay device 26 transmits the current FW data received in advance to the electronic control device 24 and sends it to the electronic control device 24. The current FW data is restored. Thereby, according to the network system 10 which concerns on this embodiment, when the update process fails, it is not necessary to access the provision apparatus 20, Therefore The whole update time can be shortened.

(First modification)
FIG. 15 is a diagram illustrating a functional configuration of the providing device 20 and the relay device 26 according to the first modification. FIG. 16 is a diagram showing the latest version information.

  In the description of the first modification, blocks having substantially the same functions and configurations as the blocks described with reference to FIGS. 1 to 14 are denoted by the same reference numerals and description thereof is omitted except for differences. To do. The same applies to the second and subsequent modifications.

  The providing device 20 according to the first modification further includes a version transmission unit 122. The acquisition unit 30 of the relay device 26 according to the first modification further includes a version reception unit 124 and a version determination unit 126.

  The version transmission unit 122 transmits the latest version information indicating the version of new FW data that can be transmitted from the providing apparatus 20 to the relay apparatus 26 for each firmware. As shown in FIG. 16, the latest version information includes ECUID, FWID, and MAC value. The MAC value is the MAC value of the latest FW data. The version transmission unit 122 may transmit a list including the latest version information about a plurality of firmware. The version transmission unit 122 transmits the latest version information at regular intervals, for example.

  The version receiving unit 124 receives the latest version information indicating the version of new FW data that can be transmitted from the providing apparatus 20. Based on the received latest version information, the version determination unit 126 determines whether the version of the new FW data that can be transmitted from the providing device 20 is newer than the version of the current FW data stored in the electronic control device 24.

  The request transmission unit 52 receives a notification from the version determination unit 126 when the version of the new FW data that can be transmitted from the providing device 20 is newer than the version of the current FW data stored in the electronic control unit 24. Then, the request transmission unit 52 makes an acquisition request for the firmware on the condition that the version of the new FW data that can be transmitted from the providing device 20 is newer than the version of the current FW data stored in the electronic control device 24. To the providing device 20.

  FIG. 17 is a diagram illustrating an acquisition processing flow by the relay device 26 according to the first modification. In the first modification, the acquisition unit 30 executes the acquisition process illustrated in FIG.

  First, in step S <b> 81, the acquisition unit 30 receives the latest version information from the providing device 20. Subsequently, in step S <b> 82, the acquisition unit 30 determines whether management data in which the ECU ID and the FWID match the latest version information is stored in the management data storage unit 34. If there is no matching management data (No in S82), the acquisition unit 30 ends this flow. If there is matching management data (Yes in S82), the acquisition unit 30 advances the process to Step S83.

  In step S83, the acquisition unit 30 compares the MAC value included in the latest version information with the MAC value of the current FW included in the management data having the same ECU ID and FWID. When the MAC values match (Yes in S83), the acquisition unit 30 assumes that the version of the current FW data stored in the electronic control device 24 is the same as the latest version that can be transmitted from the providing device 20. This flow ends. If they do not match (No in S83), the acquisition unit 30 determines that the version of the new FW data that can be transmitted from the providing device 20 is newer than the version of the current FW data stored in the electronic control device 24, The process proceeds to step S84.

  In step S84, the acquisition unit 30 transmits an acquisition request to the providing device 20 for the firmware specified by the ECU ID and the FWID included in the latest version information. When receiving the acquisition request from the relay device 26, the providing device 20 transmits response information to the relay device 26 as in the case of FIG.

  Subsequently, in step S <b> 85, the acquisition unit 30 receives response information from the providing device 20. Thereafter, the acquisition unit 30 executes processing similar to the processing from step S14 to step S17 in FIG. However, in step S17, when the number of errors is less than the predetermined number (No in S17), the acquisition unit 30 returns the process to step S84.

  The relay device 26 according to the first modified example issues an acquisition request when the version of new FW data that can be transmitted from the providing device 20 is newer than the version of the current FW data stored in the electronic control device 24. Can be sent. Therefore, according to the relay apparatus 26, an acquisition request can be transmitted efficiently.

(Second modification)
FIG. 18 is a diagram illustrating a functional configuration of the relay device 26 and the electronic control device 24 according to the second modification. The electronic control device 24 according to the second modification can execute verification of whether or not the stored data is valid. Therefore, in the second modified example, the electronic control unit 24 executes verification of the new FW data and the current FW data written in the electronic control unit 24.

  The electronic control device 24 according to the second modification has a configuration that further includes a third verification unit 142 and a result transmission unit 144 and does not include the verification value transmission unit 94, as compared with the configuration illustrated in FIG. . Further, the updating unit 32 of the relay device 26 according to the second modification further includes a result receiving unit 146, and a verification value receiving unit 96 and a second verification unit 98, as compared with the configuration illustrated in FIG. It is a configuration that does not.

  In the second modification, when the data transmission unit 84 receives a start instruction from the start detection unit 78, the data transmission unit 84 verifies the new FW data received from the providing device 20 and the new FW data received from the providing device 20. 6 The verification value is transmitted to the electronic control unit 24 together with the update instruction. The sixth verification value is the MAC value of the new FW data received from the providing device 20. As a result, the data transmission unit 84 can cause the electronic control device 24 to update the current FW data to the new FW data, and can verify the validity of the new FW data written to the electronic control device 24.

  The third verification unit 142 verifies whether the new FW data written in the electronic control device 24 in the update process is valid. Specifically, the third verification unit 142 verifies the fifth verification value for verifying the new FW data written in the electronic control device 24 in the update process and the new FW data received from the relay device 26. If the new verification value does not match the new verification value, it is determined that the new FW data written in the electronic control unit 24 by the update process is not valid.

  Here, the fifth verification value is a MAC value calculated by the second verification value generation unit 92 for the new FW data written in the data storage unit 70. The sixth verification value is the MAC value of the new FW data received from the relay device 26.

  The result transmission unit 144 transmits the result of whether or not the new FW data written in the electronic control device 24 in the update process is valid to the relay device 26. The result receiving unit 146 receives a result from the electronic control unit 24 as to whether the new FW data written in the electronic control unit 24 in the update process is valid.

  When the result reception unit 146 receives a result indicating that the new FW data written in the electronic control unit 24 is valid in the update process, the result reception unit 146 notifies the determination unit 100 and the notification unit 102 of the result. When the confirmation unit 100 receives a notification from the result reception unit 146 that the written new FW data is valid, the determination unit 100 reads the information stored in the temporary storage unit 38 and stores it in the management data storage unit 34. Let When the notification unit 102 receives a notification from the result reception unit 146 that the written new FW data is valid, the other electronic control device 24 and the update target electronic control device 24 are notified of the update target electronic control. Information indicating that the firmware update in the device 24 has been completed is transmitted.

  On the other hand, when the result receiving unit 146 receives a result indicating that the new FW data written in the electronic control unit 24 in the update process is not valid, the result receiving unit 146 notifies the data transmitting unit 84 that the update process has failed. To do.

  When the update process fails, the data transmission unit 84 transmits the current FW data received from the providing device 20 and the eighth verification value for verifying the current FW data to the electronic control device 24 together with the restoration instruction. The eighth verification value is the MAC value of the current FW data stored in the management data storage unit 34. As a result, the data transmission unit 84 can cause the electronic control unit 24 to restore the current FW data and can verify the validity of the current FW data written in the electronic control unit 24.

  The third verification unit 142 verifies whether the current FW data written in the electronic control unit 24 in the restoration process is valid. Specifically, the third verification unit 142 verifies the seventh verification value for verifying the current FW data written in the electronic control device 24 in the restoration process and the current FW data received from the relay device 26. When the current verification data does not match the eighth verification value, it is determined that the current FW data written in the electronic control unit 24 by the restoration process is not valid.

  Here, the seventh verification value is the MAC value in the current FW data written in the data storage unit 70 calculated by the second verification value generation unit 92. The eighth verification value is the MAC value of the current FW data received from the relay device 26.

  The result transmission unit 144 transmits the result of whether or not the current FW data written in the electronic control device 24 in the restoration process is valid to the relay device 26. The result receiving unit 146 receives from the electronic control unit 24 the result of whether or not the current FW data written in the electronic control unit 24 in the restoration process is valid.

  When the result receiving unit 146 receives a result indicating that the current FW data written in the electronic control unit 24 is valid in the restoration process, the result receiving unit 146 notifies the notification unit 102 of the result. When the notification unit 102 receives a notification from the result reception unit 146 that the written current FW data is valid, the other electronic control device 24 and the electronic control device 24 to be restored receive the electronic control to be updated. Information indicating that the processing in the device 24 is completed is transmitted.

  In addition, when the result receiving unit 146 receives a result indicating that the current FW data written in the electronic control unit 24 in the restoration process is not valid, the result receiving unit 146 notifies the data transmission unit 84 that the restoration process has failed. .

  When the restoration process fails, the data transmission unit 84 repeats the process of sending the current FW data and the eighth verification value to the electronic control unit 24 together with the restoration instruction. As a result, the data transmission unit 84 can cause the electronic control device 24 to repeatedly execute the restoration process.

  However, the result receiving unit 146 is a data transmitting unit when the number of times (error count) of receiving the result indicating that the current FW data written in the electronic control unit 24 in the restoration process is not valid is equal to or greater than a certain number. The transmission of the current FW data by 84 is terminated. Then, the result reception unit 146 notifies the notification unit 102 that valid data is not written in the electronic control device 24. When the notification unit 102 receives a notification from the result reception unit 146 indicating that valid data has not been written, the notification unit 102 notifies the other electronic control device 24 and the update target electronic control device 24 of the update target electronic control device 24. Information indicating that no legitimate data has been written to is transmitted.

  FIG. 19 is a diagram illustrating an update processing flow by the relay device 26 according to the second modification. In the second modification, the update unit 32 executes the update process illustrated in FIG.

  First, the updating unit 32 executes the same processing as in steps S41 to S46 in FIG. When step S46 ends, the updating unit 32 advances the process to step S91.

  In step S91, the updating unit 32 transmits the new FW data received from the providing device 20 and the MAC value (sixth verification value) of the new FW data received from the providing device 20 to the electronic control device 24 together with an update instruction. To do. Subsequently, in step S <b> 92, the updating unit 32 receives from the electronic control device 24 the result of whether or not the written new FW data is valid.

  Subsequently, in step S93, the update unit 32 determines whether or not the new FW data written in the electronic control device 24 in the update process is valid. If it is valid (Yes in S93), the updating unit 32 advances the process to Step S50, and if not valid (No in S93), advances the process to Step S94.

  In step S50 and step S51, the update unit 32 performs the same process as in FIG. When step S51 ends, the update unit 32 ends the update process for this firmware.

  In step S94, the updating unit 32 transmits the current FW data received from the providing device 20 and the MAC value (eighth verification value) of the current FW data to the electronic control device 24 together with a restoration instruction. Subsequently, in step S95, the update unit 32 receives a verification result from the electronic control unit 24 as to whether or not the current FW data written in the restoration process is valid.

  Subsequently, in step S96, the updating unit 32 determines whether or not the current FW data written in the electronic control unit 24 in the restoration process is valid. If the update unit 32 is valid (Yes in S96), the process proceeds to step S51. If not valid (No in S96), the update unit 32 proceeds to step S97.

  In step S97, the update unit 32 determines whether or not the number of errors in the restoration process is equal to or greater than a certain number. If the number of errors is less than the predetermined number (No in S97), the updating unit 32 returns the process to step S94 and repeats the process from the transmission of the current FW data. If the number of errors is equal to or greater than a certain number (Yes in S97), the process proceeds to step S56.

  In step S56, the update unit 32 performs the same process as in FIG. When step S56 ends, the update unit 32 ends the update process for this firmware.

  The relay device 26 according to the second modification can cause the electronic control device 24 to verify the validity of the data written in the electronic control device 24.

(Third Modification)
FIG. 20 is a diagram illustrating a functional configuration of the relay device 26 and the electronic control device 24 according to the third modification. FIG. 21 is a diagram illustrating the content of information stored in the state storage unit 40 according to the third modification.

  The relay device 26 according to the third modification can switch whether the electronic control device 24 verifies the validity of the data written in the electronic control device 24 or the relay device 26. In the third modification, the electronic control unit 24 has the configuration shown in FIG. 11 or the configuration shown in FIG. When the electronic control device 24 has the configuration shown in FIG. 11, the relay device 26 verifies the validity of the data written in the electronic control device 24. When the electronic control unit 24 has the configuration shown in FIG. 18, the electronic control unit 24 verifies the validity of the data written in the electronic control unit 24.

  The updating unit 32 of the relay device 26 according to the third modification further includes a result receiving unit 146 and a switching unit 152 in addition to the configuration shown in FIG. The result receiving unit 146 has the same function as the configuration illustrated in FIG.

  In the third modification, the state storage unit 40 further stores verification subject information as shown in FIG. The verification subject information indicates whether the relay device 26 or the electronic control device 24 performs verification of whether the data written in the electronic control device 24 is valid.

  The switching unit 152 reads verification subject information about the electronic control device 24 to be updated from the state storage unit 40. The switching unit 152 switches whether the verification is executed by the relay device 26 or the electronic control device 24 based on the read verification subject information.

  When the verification is performed by the relay device 26, the switching unit 152 enables the functions of the verification value receiving unit 96 and the second verification unit 98 and stops the function of the result receiving unit 146. When the verification is executed by the electronic control unit 24, the switching unit 152 stops the functions of the verification value receiving unit 96 and the second verification unit 98 and enables the function of the result receiving unit 146.

  FIG. 22 is a diagram illustrating an update processing flow by the relay device 26 according to the third modification. In the third modification, the update unit 32 executes the update process shown in FIG.

  First, the updating unit 32 executes the same processing as in steps S41 to S46 in FIG. When step S46 ends, the updating unit 32 advances the process to step S111.

  In step S <b> 111, the update unit 32 reads verification subject information regarding the electronic control device 24 to be updated from the state storage unit 40. Subsequently, in step S <b> 112, the updating unit 32 determines whether to perform verification by the relay device 26 or the electronic control device 24 based on the read verification subject information.

  When the update unit 32 causes the relay device 26 to execute verification (Yes in S112), the update unit 32 advances the processing to the first update flow in Step S113. When the verification is executed by the electronic control device 24 (No in S112), the update unit 32 advances the process to the second update flow in Step S114.

  The first update flow in step S113 is the same as the process flow after step S47 shown in FIG. Further, the second update flow in step S114 is the same as the process flow after step S91 shown in FIG.

  By executing the above processing, the updating unit 32 can cause the relay device 26 or the electronic control device 24 to verify the data written in the electronic control device 24.

  FIG. 23 is a diagram illustrating another example of the second update processing flow. When updating the stored data, the electronic control unit 24 may have a buffer for temporarily storing data received from the outside. The electronic control device 24 having such a configuration can temporarily store the new FW data received from the relay device 26 in the buffer, and verify the validity of the new FW data in the state stored in the buffer.

  If the electronic control unit 24 determines that the new FW data stored in the buffer is valid, the electronic control unit 24 transfers the new FW data from the buffer to the data storage unit 70. Thereby, the electronic control unit 24 can update the stored current FW data to new FW data.

  On the other hand, when it is determined that the new FW data stored in the buffer is not valid, the electronic control unit 24 deletes the new FW data stored in the buffer without transferring it to the data storage unit 70. In this case, the electronic control unit 24 does not need to write the current FW data again because the current FW data remains in the data storage unit 70.

  Therefore, when the electronic control unit 24 has such a buffer, the updating unit 32 may execute the process illustrated in FIG. 23 in the second update flow in step S114.

  First, in step S121, the update unit 32 updates the new FW data received from the providing apparatus 20 and the MAC value (sixth verification value) of the new FW data received from the providing apparatus 20 together with an update instruction. Send to. Subsequently, in step S122, the update unit 32 receives a verification result as to whether or not the new FW data is valid from the electronic control device 24.

  Subsequently, in step S123, the update unit 32 determines whether or not the new FW data transmitted to the electronic control device 24 is valid. If the update unit 32 is valid (Yes in S123), the process proceeds to step S124. If not valid (No in S123), the update unit 32 proceeds to step S125.

  In step S <b> 124, the update unit 32 reads the information stored in the temporary storage unit 38 and transfers it to the management data storage unit 34. Specifically, the update unit 32 reads the MAC value of the new FW, the version number of the new FW, and the developer ID of the new FW from the temporary storage unit 38, and the MAC value of the current FW, the version number of the current FW and the current FW It is stored in the management data storage unit 34 as the FW developer ID. After completing step S124, the updating unit 32 advances the process to step S125.

  In step S <b> 125, the update unit 32 transmits an end notification indicating that the update target electronic control device 24 has completed the firmware update to the update target electronic control device 24 and the other electronic control devices 24. In this case, if the transmitted new FW data is valid, the electronic control unit 24 operates based on the new FW data. If the transmitted new FW data is not valid, the electronic control unit 24 operates based on the current FW data. And the update part 32 complete | finishes an update process about this firmware.

(Fourth modification)
FIG. 24 is a diagram illustrating a functional configuration of the relay device 26 according to the fourth modification. The fourth modification is a configuration obtained by modifying the network system 10 described with reference to FIGS. 1 to 14, but may be applied to the first modification, the second modification, and the third modification.

  The relay device 26 further includes a current FW data storage unit 201 (current data storage unit). The current FW data storage unit 201 stores current FW data stored in each electronic control unit 24 provided in the controlled system 22.

  The acquisition unit 30 receives new FW data from the providing device 20. When receiving the new FW data from the providing device 20, the acquiring unit 30 determines whether the received new FW data is valid. The update unit 32 transmits the valid new FW data received from the providing device 20 to the electronic control device 24, and causes the electronic control device 24 to update the current FW data to the new FW data. When the update process for updating the current FW data to the new FW data is successful, the update unit 32 transfers the new FW data transmitted to the electronic control unit 24 to the current FW data storage unit 201 and stores it as the current FW data. .

  In addition, when receiving the new FW data from the providing device 20, the acquiring unit 30 also determines whether or not the current FW data stored in the current FW data storage unit 201 is valid. When the update process fails, the updating unit 32 transmits the current FW data that is valid stored in the current FW data storage unit 201 to the electronic control unit 24, and causes the electronic control unit 24 to restore the current FW data. .

  In addition, when it is determined that the current FW data stored in the current FW data storage unit 201 is not valid, the acquisition unit 30 receives the current FW data from the providing device 20. When receiving the current FW data from the providing device 20, the acquiring unit 30 determines whether the received current FW data is valid. The update unit 32 transmits the received valid current FW data to the electronic control unit 24 when the current FW data stored in the current FW data storage unit 201 is not valid and the update process fails. Then, the electronic control unit 24 restores the current FW data. Then, when the restoration process is successful, the update unit 32 transfers the current FW data transmitted to the electronic control device 24 to the current FW data storage unit 201 for storage.

  FIG. 25 is a diagram showing the contents of the current firmware information stored in the current FW data storage unit 201. The current FW data storage unit 201 stores current firmware information shown in FIG. 25 for each firmware stored in each electronic control unit 24.

  The current firmware information includes ECUID, FWID, and current FW data. The ECU ID is an identifier of the electronic control device 24. The FWID is an identifier of the firmware.

  The current FW data is the actual data of the firmware. That is, the current FW data is firmware entity data that should be currently written in the electronic control unit 24.

  FIG. 26 is a diagram illustrating a functional configuration of the providing device 20 and the relay device 26 according to the fourth modification.

  The request transmission unit 52 transmits an acquisition request including a request identifier, ECU ID, FWID, and version specifying information to the providing device 20. The request identifier is information for identifying an acquisition request for requesting transmission of new FW data or an acquisition request for requesting transmission of current FW data.

  The request transmission unit 52 transmits an acquisition request for requesting transmission of new FW data to the providing device 20 at a predetermined update timing (for example, periodically) for each firmware. Further, when it is determined that the current FW data stored in the current FW data storage unit 201 is not valid in the firmware update, the request transmission unit 52 issues an acquisition request for requesting transmission of the current FW data of the firmware. To the providing device 20.

  When the identification unit 56 receives an acquisition request for new FW data, there is a version of the actual data (new FW data) of the firmware that is newer than the version of the current FW data stored in the electronic control unit 24. Determine whether or not.

  The response transmission unit 58 transmits response information including an ECU ID, an FWID, and an update flag when a new FW data acquisition request is received and there is no new FW data. The response transmission unit 58 receives the new FW data acquisition request and when the new FW data exists, the ECU ID, the FWID, the update flag, the new FW data, and the new FW MAC value (third verification value) The response information including the version number of the new FW and the developer ID of the new FW is transmitted. The update flag has a value of 0 when no new FW data exists and a value other than 0 when new FW data exists.

  When the response transmission unit 58 receives the acquisition request for the current FW data, the ECU ID, the FWID, the update flag, the current FW data, the MAC value (the ninth verification value) of the current FW, the version number of the current FW, and the current FW Response information including the developer ID is sent. The update flag has a value other than 0.

  The response receiving unit 60 receives response information including an ECU ID, an FWID, and an update flag when a new FW data acquisition request is transmitted and there is no new FW data. When the response receiving unit 60 transmits a request for acquiring new FW data and there is new FW data, the ECU ID, FWID, update flag, new FW data, and new FW MAC value (third verification value) The response information including the version number of the new FW and the developer ID of the new FW is received. When the response receiving unit 60 transmits an acquisition request for the current FW data, the ECU ID, the FWID, the update flag, the current FW data, the MAC value (the ninth verification value) of the current FW, the version number of the current FW, and the current FW The response information including the developer ID is received.

  When the first verification value generation unit 62 transmits an acquisition request for new FW data, the first verification value generation unit 62 calculates a MAC value (fourth verification value) for the new FW data received from the providing device 20. When a new FW data acquisition request is transmitted, the first verification value generation unit 62 calculates a MAC value (tenth verification value) for the current FW data stored in the current FW data storage unit 201. Specifically, the first verification value generation unit 62 reads the shared key data corresponding to the developer ID of the current FW from the shared key storage unit 36. The first verification value generation unit 62 calculates a MAC value from the read shared key data and the current FW data stored in the current FW data storage unit 201.

  Further, when the first verification value generation unit 62 transmits an acquisition request for current FW data, the first verification value generation unit 62 calculates a MAC value (an eleventh verification value) for the current FW data received from the providing device 20. Specifically, the first verification value generation unit 62 reads the shared key data corresponding to the developer ID of the current FW from the shared key storage unit 36. The first verification value generation unit 62 calculates a MAC value from the read shared key data and the current FW data received from the providing device 20.

  The first verification unit 64 determines whether the new FW data received from the providing device 20 is valid. Specifically, the first verification unit 64 matches the third verification value received from the providing device 20 with the fourth verification value calculated from the shared key data and the new FW data received from the providing device 20. In this case, it is determined that the new FW data received from the providing device 20 is valid. Thereby, the first verification unit 64 can verify whether the developer of the new FW data received from the providing device 20 holds the same shared key data as the relay device 26.

  In addition, when the new FW data received from the providing device 20 is not valid, the first verification unit 64 may cause the request transmission unit 52 to transmit a new FW data acquisition request again. If the new FW data is not valid even if the same acquisition request is transmitted a certain number of times, the first verification unit 64 stops transmitting the acquisition request.

  Further, when the acquisition request for new FW data is transmitted, the first verification unit 64 determines whether or not the current FW data stored in the current FW data storage unit 201 is valid. Specifically, the first verification unit 64 verifies the first verification value for verifying the current FW data stored in the electronic control unit 24 and the current FW data stored in the current FW data storage unit 201. If the tenth verification value for matching the current FW data, the current FW data stored in the current FW data storage unit 201 is determined to be valid.

  Here, the first verification value is the MAC value of the current FW stored in the management data storage unit 34. The tenth verification value is a MAC value for the current FW data stored in the current FW data storage unit 201 calculated by the first verification value generation unit 62. That is, the first verification unit 64 verifies whether or not the current FW data stored in the current FW data storage unit 201 is the same as the current FW data stored in the electronic control unit 24.

  If the current FW data stored in the current FW data storage unit 201 is not valid, the first verification unit 64 causes the request transmission unit 52 to transmit an acquisition request for the current FW data.

  When the current FW data acquisition request is transmitted, the first verification unit 64 determines whether or not the current FW data received from the providing device 20 is valid. Specifically, the first verification unit 64 matches the ninth verification value received from the providing device 20 with the eleventh verification value calculated from the shared key data and the current FW data received from the providing device 20. In this case, it is determined that the current FW data received from the providing device 20 is valid.

  Here, the ninth verification value is the MAC value (the MAC value of the current FW) of the current FW data received from the providing device 20 in response to the acquisition request for the current FW data. The eleventh verification value is the MAC value of the current FW data calculated by the first verification value generation unit 62. That is, the first verification unit 64 verifies whether the developer of the current FW data received from the providing device 20 holds the same shared key data as that of the relay device 26.

  In addition, when the current FW data received from the providing device 20 is not valid, the first verification unit 64 may cause the request transmission unit 52 to transmit an acquisition request for the current FW data again. The first verification unit 64 stops transmitting the acquisition request if the current FW data is not valid even if the same acquisition request is transmitted a certain number of times.

  The first verification unit 64 confirms that the new FW data received from the providing device 20 and the current FW data stored in the current FW data storage unit 201 (or the current FW data received from the providing device 20) are valid. As a condition, the information received by the response receiving unit 60 is stored in the temporary storage unit 38. Specifically, the first verification unit 64 temporarily stores the ECU ID, FWID, new FW data, new FW MAC value, new FW version number, and new FW developer ID received from the providing device 20. 38. Further, the first verification unit 64 causes the temporary storage unit 38 to store the current FW data stored in the current FW data storage unit 201 (or the current FW data received from the providing device 20).

  With the above configuration, the relay device 26 can receive new FW data from the providing device 20. Further, the relay device 26 can determine whether or not the current FW data stored in the current FW data storage unit 201 is valid. Further, when the current FW data stored in the current FW data storage unit 201 is not valid, the relay device 26 can receive the current FW data from the providing device 20. The relay device 26 can determine whether or not the received current FW data is valid. The relay device 26 can store the new FW data and the current FW data in the temporary storage unit 38 on condition that the new FW data and the current FW data are valid.

  Note that the request transmission unit 52 may transmit an acquisition request for requesting transmission of the current FW data to the providing apparatus 20 regardless of the firmware update timing (for example, periodically). Thereby, the acquisition unit 30 can acquire valid current FW data in advance and store it in the current FW data storage unit 201. In this case, the update flag included in the response information is 0.

  In this case, the first verification unit 64 also checks whether the MAC value of the current FW included in the response information received from the providing device 20 matches the MAC value of the current FW stored in the management data storage unit 34. It may be determined whether or not. If they do not match, the shared key data used to generate the MAC value of the current FW may have been updated. Therefore, if they do not match, the first verification unit 64 notifies the user or the like that the MAC values do not match. Thereby, the 1st verification part 64 can prompt the update of shared key data.

  FIG. 27 is a diagram illustrating an acquisition processing flow by the relay device 26 according to the fourth modification. The acquisition unit 30 according to this modification executes the acquisition process shown in FIG.

  First, in step S <b> 201, the acquisition unit 30 transmits a new FW data acquisition request to the providing apparatus 20 at a predetermined timing for any firmware.

  The providing device 20 transmits response information about the corresponding firmware to the relay device 26 in response to the acquisition request for new FW data. Specifically, when there is no corresponding new FW data, providing device 20 transmits response information including an ECU ID, an FWID, and an update flag whose value is 0. When the new FW data exists, the providing device 20 sets the ECU ID, the FWID, the update flag whose value is other than 0, the new FW data, the new FW MAC value, the new FW version number, and the new FW developer ID. Send response information including.

  Subsequently, in step S202, the acquisition unit 30 receives response information. Subsequently, in step S203, the acquisition unit 30 determines whether or not the update flag included in the response information is a value other than zero. When the update flag is 0 (No in S203), the acquisition unit 30 ends this flow. If the update flag is a value other than 0 (Yes in S203), the process proceeds to step S204.

  In step S204, the acquisition unit 30 determines whether the received new FW data is valid. If the acquisition unit 30 is valid (Yes in S204), the process proceeds to step S206. If the acquisition unit 30 is not valid (No in S204), the process proceeds to step S205.

  In step S205, the acquisition unit 30 determines whether or not the number of times that the new FW data is not valid (number of errors) is equal to or greater than a certain number. When the number of errors is less than the predetermined number (No in S205), the acquisition unit 30 returns the process to step S201. When the number of errors is equal to or greater than the predetermined number (Yes in S205), the acquisition unit 30 ends this flow.

  In step S206, the acquisition unit 30 determines whether the current FW data stored in the current FW data storage unit 201 is valid. If the acquisition unit 30 is valid (Yes in S206), the process proceeds to step S211. If the acquisition unit 30 is not valid (No in S206), the process proceeds to step S207.

  In step S207, the acquisition unit 30 transmits an acquisition request for the current FW data to the providing apparatus 20 for the same firmware. The providing device 20 transmits response information about the corresponding firmware to the relay device 26 in response to the acquisition request for the current FW data. Specifically, the providing device 20 responds including an ECU ID, an FWID, an update flag whose value is other than 0, the current FW data, the MAC value of the current FW, the version number of the current FW, and the developer ID of the current FW. Send.

  Subsequently, in step S208, the acquisition unit 30 receives the response information. In step S209, the acquisition unit 30 determines whether the received current FW data is valid. If the acquisition unit 30 is valid (Yes in S209), the process proceeds to step S211. If the acquisition unit 30 is not valid (No in S209), the process proceeds to step S210.

  In step S210, the acquisition unit 30 determines whether or not the number of times that the current FW data is invalid (number of errors) is equal to or greater than a certain number. When the number of errors is less than the predetermined number (No in S210), the acquisition unit 30 returns the process to step S207. When the number of errors is equal to or greater than the predetermined number (Yes in S210), the acquisition unit 30 ends this flow.

  In step S211, the acquisition unit 30 writes the ECU ID, FWID, new FW data, the new FW MAC value, the new FW version number, and the new FW developer ID received from the providing device 20 in the temporary storage unit 38. Further, the acquisition unit 30 writes the current FW data stored in the current FW data storage unit 201 or the current FW data received from the providing device 20 in the temporary storage unit 38.

  When step S211 is completed, the acquisition unit 30 ends this flow. In this case, the acquisition unit 30 can receive valid current FW data or new FW data.

  FIG. 28 is a diagram illustrating a functional configuration of the relay device 26 and the electronic control device 24 according to the fourth modification.

  When the confirmation unit 100 receives a notification that the new FW data written in the electronic control unit 24 is valid in the update process, the confirmation unit 100 reads the new FW data stored in the temporary storage unit 38. Then, the determination unit 100 transfers the read new FW data to the current FW data storage unit 201 and writes the new FW data in the current FW data storage unit 201. That is, when the update process is successful, the determination unit 100 writes the new FW data transmitted to the electronic control device 24 in the current FW data storage unit 201 as the current FW data.

  If the second verification unit 98 determines that the new FW data written in the electronic control unit 24 is not valid in the update process, the second verification unit 98 notifies the data transmission unit 84 that the update process has failed. When the update process fails, the data transmission unit 84 transmits the current FW data stored in the temporary storage unit 38 to the electronic control device 24 to cause the electronic control device 24 to restore the current FW data. That is, the data transmission unit 84 transmits valid current FW data stored in the current FW data storage unit 201 to the electronic control device 24, and causes the electronic control device 24 to restore the current FW data. If the current FW data stored in the current FW data storage unit 201 is not valid, the data transmission unit 84 transmits the current FW data received from the providing device 20 to the electronic control unit 24. The electronic control unit 24 restores the current FW data.

  Further, when receiving the notification that the current FW data written in the electronic control unit 24 is valid in the restoration process, the determination unit 100 reads the current FW data stored in the temporary storage unit 38. Then, the determination unit 100 transfers the read current FW data to the current FW data storage unit 201 and writes the current FW data in the current FW data storage unit 201. That is, when the restoration process is successful, the determination unit 100 writes the current FW data transmitted to the electronic control device 24 in the current FW data storage unit 201.

  The relay device 26 according to this modification example can update the current FW data stored in the electronic control device 24 to new FW data. In addition, when the new FW data written in the electronic control unit 24 in the update process is not valid, the relay device 26 uses the valid current FW data stored in the current FW data storage unit 201 to update the electronic control unit. The current FW data stored in 24 can be restored. Further, even when the current FW data stored in the current FW data storage unit 201 is not valid, the relay device 26 is stored in the electronic control device 24 by the valid current FW data received from the providing device 20. The current FW data can be restored.

  FIG. 29 is a diagram illustrating an update process flow by the relay device 26 according to the fourth modification. The update unit 32 according to this modification executes the update process shown in FIG.

  The update unit 32 according to this modification is different from the flow illustrated in FIG. 12 in that the processes of S221 and S222 are further executed.

  The update part 32 advances a process to S221 after step S50. In S221, the update unit 32 reads the new FW data stored in the temporary storage unit 38, and writes the read new FW data in the current FW data storage unit 201 as the current FW data. After completing S221, the update unit 32 advances the process to S51.

  If the update unit 32 determines in S54 that the current FW data written in the electronic control unit 24 in the restoration process is valid (Yes in S54), the process proceeds to step S222. In S <b> 222, the update unit 32 reads the current FW data stored in the temporary storage unit 38 and writes the read current FW data in the current FW data storage unit 201. After completing S222, the update unit 32 advances the process to S51.

  As described above, the relay device 26 according to the fourth modification stores the current FW data written in the electronic control device 24 in the current FW data storage unit 201, and the update process to the new FW data has failed. In this case, the restoration process can be performed using the current FW data stored in the current FW data storage unit 201. Thereby, according to the relay apparatus 26 which concerns on a 4th modification, the communication amount with the provision apparatus 20 can be reduced. Further, in the network system 10 according to the fourth modified example, since the relay device 26 stores the current FW data, each electronic control device 24 may not include a memory for backing up the firmware. Therefore, according to the network system 10 according to the fourth modification, the cost can be reduced.

  Note that when the new FW data written is not valid, the update unit 32 executes a restoration process for writing the current FW data into the electronic control unit 24. However, the update unit 32 may fail the restoration process more than a certain number of times. The current FW data storage unit 201 stores firmware for analyzing a situation where the restoration process has failed, firmware for operating the electronic control unit 24 with minimum functions, or firmware having both functions. May be. The update unit 32 may transmit such firmware to the electronic control device 24 and store the firmware in the electronic control device 24 when the restoration process has failed a certain number of times.

  Further, the electronic control unit 24 may store a program for updating the firmware separately from the firmware in, for example, a ROM area storing a boot loader or the like. Then, the electronic control unit 24 may execute update processing and restoration processing by executing this program. As a result, when the electronic control unit 24 is restarted due to a power shutdown or the like during the update process, or when the overwritten firmware is abnormal, there is a possibility that a problem occurs in the program for updating the firmware. Can be reduced.

  When the relay device 26 notifies the providing device 20 or the like of the firmware update result or the like, the relay device 26 may add a MAC value calculated using a key shared by the electronic control device 24 and the providing device 20. Thereby, the providing device 20 can safely acquire the update result of each electronic control device 24.

(5th modification)
FIG. 30 is a diagram illustrating a functional configuration of the providing device 20 and the relay device 26 according to the fifth modification. The fifth modification is a configuration obtained by further modifying the fourth modification. However, the network system 10, the first modification, the second modification, and the third modification described with reference to FIGS. 1 to 14 are used. May be applied.

  The relay device 26 further includes a new FW data generation unit 211 (new data generation unit).

  The provided information storage unit 50 further stores difference data for each version of firmware. The difference data is data obtained by subtracting the previous version of the entity data from the version of the entity data.

  The response transmission unit 58 transmits response information including differential data of the new FW instead of the new FW data when the new FW data acquisition request is received and the new FW data exists. That is, when the response reception unit 60 transmits a request for acquiring new FW data and there is new FW data, the ECU ID, the FWID, the update flag, the difference data of the new FW, the MAC value of the new FW, Response information including the version number of the FW and the developer ID of the new FW is received.

  The new FW data generation unit 211 generates new FW data when a new FW data acquisition request is transmitted and there is new FW data. Specifically, the new FW data generation unit 211 generates new FW data based on the difference data included in the response information and the current FW data stored in the current FW data storage unit 201.

  When the first verification value generation unit 62 transmits an acquisition request for new FW data, the first verification value generation unit 62 calculates a MAC value (fourth verification value) for the new FW data generated by the new FW data generation unit 211.

  The first verification unit 64 determines whether the new FW data generated based on the difference data received from the providing device 20 is valid. Specifically, the first verification unit 64 includes the third verification value received from the providing device 20, the fourth verification value calculated from the shared key data and the new FW data generated by the new FW data generation unit 211. Are matched, it is determined that the new FW data generated based on the difference data received from the providing device 20 is valid.

  The first verification unit 64 is a response reception unit provided that the new FW data generated based on the difference data received from the providing device 20 and the current FW data stored in the current FW data storage unit 201 are valid. Information received by 60 is stored in the temporary storage unit 38.

  As described above, the relay device 26 according to the present modification receives difference data from the providing device 20 instead of the new FW data. Thereby, the relay apparatus 26 can reduce the amount of data received from the providing apparatus 20.

(Sixth Modification)
FIG. 31 is a diagram illustrating a functional configuration of the relay device 26 according to the sixth modification. The sixth modification has a configuration obtained by further modifying the fourth modification. However, the network system 10 described with reference to FIGS. 1 to 14, the first modification, the second modification, and the third modification. And it may be applied to the fifth modification.

  The relay device 26 according to the sixth modified example updates the firmware of the plurality of electronic control devices 24 included in the control target system 22 in a coordinated manner. The relay device 26 further includes a system information storage unit 221. The system information storage unit 221 stores system information.

  The acquisition unit 30 receives new FW data or the like for at least one electronic control device 24 to be updated among the plurality of electronic control devices 24 included in the control target system 22 from the providing device 20. The update unit 32 transmits each new FW data received from the providing device 20 to the corresponding electronic control device 24, and causes the corresponding electronic control device 24 to update the current FW data to the new FW data.

  Further, when the update process fails in any one of the electronic control devices 24, the update unit 32 transmits the current FW data to all the electronic control devices 24 that are the update targets, and each of the electronic control devices 24. To restore the current FW data.

  FIG. 32 is a diagram showing the contents of the system information stored in the system information storage unit 221. The system information storage unit 221 stores the system information shown in FIG.

  The system information includes a system identifier and system version information. The system identifier is information for identifying a set of a plurality of electronic control devices 24 included in the control target system 22. If the control target system 22 is a vehicle, it may be information for identifying the type of the vehicle. For example, the providing device 20 can specify a plurality of electronic control devices 24 included in the control target system 22 based on the system identifier.

  The system version information represents the version of the system list. The system version information may be a numerical value or a character that increases each time the system list is updated.

  The system list represents a set of versions of the current FW data stored in each of the plurality of electronic control devices 24 included in the control target system 22. For example, the system list may be a list including a set of ECU ID, FWID, and version number of FW data.

  FIG. 33 is a diagram illustrating a functional configuration of the providing device 20 and the relay device 26 according to the sixth modification. The provided information storage unit 50 stores a system list for each version.

  For example, even if the firmware version of one electronic control device 24 among a plurality of electronic control devices 24 included in the control target system 22 is updated, the other electronic control device 24 is stable unless the firmware is updated. May not work. The system list represents a set of firmware versions that are guaranteed not to perform such an unstable operation. The version of the system list is updated as appropriate. The system list is assigned a version number for each version.

  The request transmission unit 52 transmits a collective acquisition request to the providing apparatus 20 instead of the acquisition request for new FW data at a predetermined update timing (for example, periodically). The collective acquisition request includes the system identifier and system version information stored in the system information storage unit 221.

  When receiving the batch acquisition request from the provision information storage unit 50, the specifying unit 56 determines whether a system list of a version newer than the version specified by the system version information included in the batch acquisition request is provided. When a system list of a new version is provided, the specifying unit 56 specifies at least one firmware to be updated whose version is to be updated. Specifically, in the new version system list, the specifying unit 56 specifies the firmware whose version has been updated from the system list of the current version.

  When there is no new version of the system list, the response transmitter 58 transmits response information including a system identifier and an update flag. When a new version of the system list exists, the response transmission unit 58 transmits response information including an update flag and new FW data for each of the identified firmware to be updated. The update flag has a value of 0 when a new version of the system list does not exist and a value other than 0 when a new version of the system list exists.

  When there is no new version of the system list, the response receiving unit 60 receives response information including a system identifier and an update flag. When there is a new version of the system list, the response receiving unit 60 receives response information including an update flag and new FW data for each of the identified firmware to be updated.

  The first verification value generation unit 62 calculates the MAC value (fourth verification value) of the new FW data for each firmware to be updated. Further, the first verification value generation unit 62 calculates the MAC value (tenth verification value) of the current FW data stored in the current FW data storage unit 201 for each of the firmware to be updated.

  The first verification unit 64 determines whether or not the new FW data received from the providing device 20 is valid for each firmware to be updated. The first verification unit 64 determines whether the current FW data stored in the current FW data storage unit 201 is valid for each firmware to be updated.

  The first verification unit 64 responds to each update target firmware on the condition that the new FW data received from the providing device 20 and the current FW data stored in the current FW data storage unit 201 are valid. Information received by the receiving unit 60 is stored in the temporary storage unit 38. Specifically, for each firmware to be updated, the first verification unit 64 receives the ECU ID, FWID, new FW data, new FW MAC value, new FW version number, and new FW version received from the providing device 20. The developer ID is stored in the temporary storage unit 38. Further, the first verification unit 64 causes the temporary storage unit 38 to store the current FW data stored in the current FW data storage unit 201 for each firmware to be updated.

  With the above configuration, the relay device 26 can receive new FW data from the providing device 20 for each piece of firmware to be updated. Further, the relay device 26 collectively determines whether the received new FW data and the current FW data stored in the current FW data storage unit 201 are valid for each of the firmware to be updated. be able to.

  The first verification unit 64 may cause the request transmission unit 52 to transmit an acquisition request for the new FW data when any of the new FW data received from the providing device 20 is not valid. If the new FW data is not valid even if the same acquisition request is transmitted a certain number of times, the first verification unit 64 ends the acquisition process for all the firmware to be updated.

  In addition, when the current FW data stored in the current FW data storage unit 201 is not valid, the first verification unit 64 may cause the request transmission unit 52 to transmit an acquisition request for the current FW data. Then, if the current FW data is not valid even if the same acquisition request is transmitted a fixed number of times, the first verification unit 64 ends the acquisition process for all firmware to be updated.

  FIG. 34 is a diagram illustrating an acquisition processing flow by the relay device 26 according to the sixth modification. The acquisition unit 30 according to this modification executes the acquisition process shown in FIG.

  First, in step S231, the acquisition unit 30 transmits a batch acquisition request to the providing apparatus 20 at a predetermined timing.

  The providing device 20 transmits corresponding response information to the relay device 26 in response to the collective acquisition request. If the new version of the system list is not provided, the providing apparatus 20 transmits response information including an update flag having a value of 0. Further, when a new version of the system list is provided, the providing apparatus 20 sends response information including an update flag whose value is other than 0 and new FW data for each firmware to be updated. Send.

  Subsequently, in step S232, the acquisition unit 30 receives response information. Subsequently, in step S233, the acquisition unit 30 determines whether or not the update flag included in the response information is a value other than zero. When the update flag is 0 (No in S233), the acquisition unit 30 ends this flow. If the update flag is a value other than 0 (Yes in S233), the process proceeds to step S234.

  In S234, the acquisition unit 30 identifies one of the update target firmware as the verification target firmware. Subsequently, in step S235, the acquisition unit 30 determines whether the new FW data is valid for the firmware to be verified. If the acquisition unit 30 is valid (Yes in S235), the process proceeds to step S236. If the acquisition unit 30 is not valid (No in S235), the flow ends.

  In step S236, the acquisition unit 30 determines whether or not the current FW data stored in the current FW data storage unit 201 is valid for the firmware to be verified. If the acquisition unit 30 is valid (Yes in S236), the process proceeds to step S237. If the acquisition unit 30 is not valid (No in S236), the flow ends.

  In step S237, the acquisition unit 30 writes new FW data and the like received from the providing device 20 in the temporary storage unit 38 for the firmware to be verified. Further, the acquisition unit 30 writes the current FW data stored in the current FW data storage unit 201 into the temporary storage unit 38 for the firmware to be verified.

  Subsequently, in step S238, the acquisition unit 30 determines whether or not all firmware to be updated has been verified. If not all have been verified yet (No in S238), the acquisition unit 30 returns the process to S234, specifies another firmware as the verification target, and continues the process. When all are verified (Yes in S238), the acquisition unit 30 ends this flow.

  FIG. 35 is a diagram illustrating a functional configuration of the relay device 26 and the electronic control device 24 according to the sixth modification.

  The start detection unit 78 determines whether or not each electronic control unit 24 that stores the firmware to be updated can be updated. The start detection unit 78 gives a start instruction to the start transmission unit 80 and the data transmission unit 84 when all of the electronic control devices 24 that store the firmware to be updated can be updated.

  When the start transmission unit 80 receives the start instruction, the start transmission unit 80 transmits information indicating the start of update to each electronic control unit 24 that stores the firmware to be updated.

  When the data transmission unit 84 receives the start instruction from the start detection unit 78, the data transmission unit 84 transmits the corresponding new FW data received from the providing device 20 to each electronic control device 24 that stores the firmware to be updated, to the electronic control device 24. Then, the current FW data stored in the electronic control unit 24 is updated to new FW data.

  The verification value receiving unit 96 receives a MAC value for verifying the new FW data written in the data storage unit 70 in the update process from each electronic control unit 24 that stores the firmware to be updated.

  The second verification unit 98 verifies whether or not the new FW data written in the electronic control unit 24 in the update process is valid for each firmware to be updated. When the second verification unit 98 determines that the new FW data written in the electronic control device 24 in the update process is valid for each firmware to be updated, the second verification unit 98 notifies the determination unit 100 and the notification unit 102.

  When the confirmation unit 100 receives notification that the new FW data written in the electronic control unit 24 is valid in the update process for each of the firmware to be updated, the determination unit 100 displays the information stored in the temporary storage unit 38. The data is read and stored in the management data storage unit 34.

  When the notification unit 102 receives notification from the second verification unit 98 that the new FW data is valid for all the firmware to be updated, the notification unit 102 sends the notification to the other electronic control device 24 and the electronic control device 24 to be updated. Information indicating that the firmware update has been completed is transmitted.

  On the other hand, when the second verification unit 98 determines that the new FW data written in any one of the electronic control devices 24 is not valid, the second verification unit 98 notifies the data transmission unit 84 that the update process has failed.

  When the update process fails, the data transmission unit 84 transmits the corresponding current FW data to the electronic control device 24 for each firmware to be updated, and causes the electronic control device 24 to restore the current FW data. Specifically, the data transmission unit 84 transmits the current FW data stored in the temporary storage unit 38 to the electronic control unit 24 and the restoration instruction for each firmware to be updated. Note that the data transmission unit 84 may not perform the restoration process for the electronic control device 24 that has not yet been transmitted to the new FW data and has not started updating.

  The verification value receiving unit 96 receives a MAC value for verifying the current FW data written in the data storage unit 70 in the restoration process from the electronic control unit 24 for each of the firmware to be restored.

  The second verification unit 98 verifies whether the current FW data written in the electronic control unit 24 in the restoration process is valid for each restoration target firmware. When the second verification unit 98 determines that the current FW data written in the electronic control device 24 in the restoration process is valid for each restoration target firmware, the second verification unit 98 notifies the notification unit 102 of the firmware. When the notification unit 102 receives notification from the second verification unit 98 that the current FW data is valid for all of the firmware to be restored, the notification unit 102 notifies the other electronic control device 24 and the electronic control device 24 to be updated to Information indicating that the process has been completed is transmitted.

  If the second verification unit 98 determines that the current FW data written in the electronic control device 24 in the restoration process is not valid for any of the firmware to be restored, the valid data is written in the electronic control device 24. The notification unit 102 is notified that the information has not been received. When the notification unit 102 receives a notification from the second verification unit 98 that valid data has not been written, the valid data has been written to the other electronic control device 24 and the electronic control device 24 to be updated. Send information indicating that there is no.

  When the confirmation unit 100 receives notification that the new FW data written in the electronic control unit 24 is valid in the update process for each of the firmware to be updated, the confirmation unit 100 stores the new FW stored in the temporary storage unit 38. Data is transferred to the current FW data storage unit 201 and written to the current FW data storage unit 201. Further, when receiving a notification that the current FW data written in the electronic control unit 24 is valid in the restoration process, the determination unit 100 stores the current FW data stored in the temporary storage unit 38 into the current FW data storage. The data is transferred to the unit 201 and written to the current FW data storage unit 201.

  FIG. 36 is a diagram illustrating an update processing flow by the relay device 26 according to the sixth modification. The update unit 32 executes the update process shown in FIG.

  First, in step S <b> 241, the update unit 32 reads update timing information from the management data storage unit 34 for each piece of firmware to be updated. Subsequently, in step S <b> 242, the update unit 32 reads out ECU state information for each electronic control unit 24 that stores firmware to be updated from the state storage unit 40.

  Subsequently, in step S243, the updating unit 32 determines whether or not all the electronic control devices 24 storing the firmware to be updated can be updated based on the read ECU state information and the like. If the update unit 32 is not updatable (No in S243), the process proceeds to step S244 and waits for a predetermined time, and then repeats the process from step S242. If updating is possible (Yes in S243), the updating unit 32 advances the process to Step S245.

  In step S245, the update unit 32 transmits information indicating update start to each electronic control unit 24 that stores the firmware to be updated. Subsequently, in step S <b> 246, the update unit 32 transmits information indicating the start of firmware update in the update target electronic control device 24 to the other electronic control device 24.

  Subsequently, in step S247, the update unit 32 specifies one firmware among the at least one firmware to be updated as the firmware to be written.

  Subsequently, in step S248, the update unit 32 transmits the new FW data received from the providing device 20 to the electronic control device 24 for the firmware to be written, and the current FW data stored in the electronic control device 24 is transmitted. Update to new FW data.

  Subsequently, in step S249, the updating unit 32 receives a MAC value for verifying the written new FW data from the electronic control device 24 to be updated.

  Subsequently, in step S250, the update unit 32 verifies whether the new FW data written in the electronic control unit 24 in the update process is valid for the firmware to be written. If it is not valid (No in S250), the updating unit 32 advances the process to S251 and executes a rollback process. Note that the rollback processing in S251 will be further described with reference to FIG.

  If it is valid (Yes in S250), the updating unit 32 advances the process to S252. In step S252, the update unit 32 reads the MAC value of the new FW, the version number of the new FW, and the developer ID of the new FW stored in the temporary storage unit 38, and the current FW developer ID. The management data storage unit 34 stores the MAC value, the version number of the current FW, and the developer ID of the current FW.

  Subsequently, in S253, the update unit 32 reads the new FW data for the firmware to be written, which is stored in the temporary storage unit 38, and sets the read new FW data as the current FW data as the current FW data storage unit. Write to 201. After completing S253, the update unit 32 advances the process to S254.

  Subsequently, in step S254, the update unit 32 determines whether or not new FW data has been written for all firmware to be updated. If all have not yet been written (No in S254), the updating unit 32 returns the process to S247, specifies other firmware as a write target, and continues the process. When all are written (Yes in S254), the updating unit 32 ends this flow.

  FIG. 37 is a diagram showing a rollback processing flow by the relay device 26 according to the sixth modification. The update unit 32 executes the rollback process shown in FIG. 37 in S251 shown in FIG.

  First, in step S <b> 261, the update unit 32 specifies one of the firmware to be updated as the firmware to be restored. Note that the update unit 32 may exclude firmware that has not been transmitted to the new FW data and has not started to be updated.

  Subsequently, in step S262, the update unit 32 transmits the current FW data stored in the temporary storage unit 38 to the electronic control device 24 for the firmware to be restored, and causes the electronic control device 24 to restore the current FW data. .

  Subsequently, in step S263, the updating unit 32 receives a MAC value for verifying the written current FW data from the electronic control device 24 to be restored.

  Subsequently, in step S264, the updating unit 32 verifies whether or not the current FW data written in the electronic control unit 24 in the restoration process is valid. If the update unit 32 is not valid (No in S264), the process proceeds to step S265. If the update unit 32 is valid (Yes in S264), the process proceeds to step S266.

  In step S <b> 265, the updating unit 32 transmits a failure notification indicating that valid data is not written in the electronic control device 24 to be restored to the electronic control device 24 to be restored and the other electronic control device 24. When step S265 ends, the update unit 32 advances the process to step S268.

  In step S266, the update unit 32 reads the MAC value of the current FW, the version number of the current FW, and the developer ID of the current FW stored in the temporary storage unit 38, and the management data storage unit 34 is stored.

  Subsequently, in step S267, the update unit 32 reads the current FW data for the firmware to be written, which is stored in the temporary storage unit 38, and writes the read current FW data in the current FW data storage unit 201. . The update part 32 advances a process to S268, after finishing step S267.

  Subsequently, in step S268, the update unit 32 determines whether or not the current FW data has been written for all the firmware to be updated. If not all has been written yet (No in S268), the updating unit 32 returns the process to S261, specifies another firmware as a restoration target, and continues the process. When all are written (Yes in S268), the updating unit 32 ends this flow.

  Such a relay device 26 according to this modification can update firmware of a plurality of electronic control devices 24 in a coordinated manner. Thereby, the relay device 26 can update the firmware of the plurality of electronic control devices 24 so as to be a combination of versions that operate stably. The configuration according to the sixth modification may be applied to the network system 10 described with reference to FIGS. 1 to 14.

(Seventh Modification)
FIG. 38 is a diagram illustrating a network system 10 according to a seventh modification. The seventh modification is a configuration obtained by further modifying the fourth modification, but may be applied to the fifth modification and the sixth modification.

  The control target system 22 further includes a storage device 251 outside the relay device 26. The storage device 251 may be connected to the relay device 26 via an internal network, or may be connected to the relay device 26 via a network different from the internal network. The relay device 26 can write information in the storage device 251. The relay device 26 can read information stored in the storage device 251.

  FIG. 39 is a diagram illustrating a functional configuration of the relay device 26 and the storage device 251 according to the seventh modification. The relay device 26 further includes a first communication unit 261. The storage device 251 includes a second communication unit 262 and a current FW data storage unit 201.

  The first communication unit 261 and the second communication unit 262 transmit / receive information to / from each other. The current FW data storage unit 201 is accessed from the acquisition unit 30 and the update unit 32 of the relay device 26 via the first communication unit 261 and the second communication unit 262. The acquisition unit 30 and the update unit 32 write and read current FW data to and from the external storage device 251.

  Further, the confirmation unit 100 of the update unit 32 receives a notification (update result notification) from the electronic control device 24 that the written new FW data or current FW data is valid. The determination unit 100 may transmit the update result notification and the new FW data (or current FW data) transmitted from the electronic control device 24 to the external storage device 251 for storage. Thereby, the control target system 22 can guarantee that the current FW data stored in the external storage device 251 is written in the electronic control device 24.

  Such a control target system 22 detects that the current FW data stored in the current FW data storage unit 201 is illegally rewritten or fails even when the program of the relay device 26 fails, for example. It can be avoided. Further, the relay device 26 and the storage device 251 may verify the current FW data to be transmitted and received by calculating the MAC value of the current FW data using the shared key. Thereby, the controlled system 22 can prevent unauthorized rewriting of the current FW data stored in the storage device 251.

  Further, the control target system 22 may include a storage device 251 for each electronic control device 24. Further, the control target system 22 may cause the relay device 26 and the storage device 251 to hold a shared key for each electronic control device 24. Thereby, the controlled system 22 can more strongly prevent unauthorized rewriting of the current FW data.

  Further, the relay device 26 may generate a MAC value of information obtained by adding a hash value of new FW data (or current FW data) written in the electronic control device 24 to the update result notification. Then, the relay device 26 transmits the generated MAC value, the update result notification, and the new FW data (or the current FW data) to the storage device 251. In this case, the second communication unit 262 of the storage device 251 generates a hash value of the received new FW data (or current FW data), generates a MAC value of information obtained by adding the hash value to the update result notification, Compare. As a result, the second communication unit 262 indicates that the malware has entered the relay device 26 that the received new FW data (or current FW data) is certainly stored in the electronic control device 24. Can be guaranteed even under difficult circumstances.

  Note that the relay device 26 and the storage device 251 may exchange update result notifications using a challenge response method using a random number generated by the storage device 251. Thereby, the relay device 26 and the storage device 251 can prevent an attack using an update result notification that has been effective in the past, and improve security. The relay device 26 and the storage device 251 may prevent an attack using an update result notification that has been effective in the past by a method using a public key instead of a challenge response method.

  FIG. 40 is a diagram illustrating an example of a hardware configuration of the information processing apparatus 300 according to the embodiment. The relay device 26 described above can be realized by an information processing device 300 as shown in FIG. 40, for example.

  The information processing apparatus 300 has the same configuration as a normal computer. That is, the information processing apparatus 300 includes a CPU 302, a ROM 304, a RAM 306, a storage device 308, an external communication device 310, and an internal communication device 312. CPU 302, ROM 304, RAM 306, storage device 308, external communication device 310, and internal communication device 312 are connected by a bus. The CPU 302, the ROM 304, and the RAM 306 may be configured as one chip, and the storage device 308, the external communication device 310, and the internal communication device 312 may be connected by a bus.

  The CPU 302 expands and executes the program stored in the storage device 308 in the RAM 306, and controls each unit to perform input / output and process data. The ROM 304 stores a start program for reading an OS startup program from the storage device 308 to the RAM 306. The RAM 306 stores data as a work area for the CPU 302.

  The storage device 308 is, for example, a hard disk drive or a flash memory. The storage device 308 stores an operating system, application programs, and data. These programs are files in an installable or executable format, and are recorded and distributed on a computer-readable recording medium. The program may be distributed by downloading from a server.

  The external communication device 310 is an interface device for connecting to an external network. The internal communication device 312 is an interface device for connecting to an internal network.

  The program executed by the information processing apparatus 300 according to the present embodiment is an installable format or executable format file, and is a computer-readable recording such as a CD-ROM, a flexible disk (FD), a CD-R, and a DVD. Provided by being recorded on a medium.

  The program executed by the information processing apparatus 300 according to the present embodiment may be configured to be stored by being stored on a computer connected to a network such as the Internet and downloaded via the network. The program executed by the information processing apparatus 300 according to the present embodiment may be configured to be provided or distributed via a network such as the Internet. Further, the program of the present embodiment may be configured to be provided by being incorporated in advance in the ROM 304 or the like.

  A program for causing the information processing device 300 to function as the relay device 26 includes an acquisition module (including a request transmission module, a response reception module, a first verification value generation module, a first verification module, a status update module, and the like), and an update module (Status reception module, start detection module, start transmission module, data transmission module, verification value reception module, second verification module, confirmation module, notification module, etc.). In the information processing apparatus 300, as actual hardware, the processor (CPU 302) reads a program from a storage medium (such as the storage device 308) and executes the program so that the above-described units are loaded on the main storage device (RAM 306). 30 (including a request transmission unit 52, a response reception unit 60, a first verification value generation unit 62, a first verification unit 64, a status update unit 66, etc.) and an update unit 32 (a status reception unit 76, a start detection unit 78, A start transmission unit 80, a data transmission unit 84, a verification value reception unit 96, a second verification unit 98, a determination unit 100, a notification unit 102, and the like) are generated on the main storage device.

  Although several embodiments and modifications of the present invention have been described, these embodiments and modifications are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

DESCRIPTION OF SYMBOLS 10 Network system 20 Provision apparatus 22 Control object system 24 Electronic control apparatus 26 Relay apparatus 30 Acquisition part 32 Update part 34 Management data storage part 36 Shared key storage part 38 Temporary storage part 40 Status storage part 50 Provision information storage part 52 Request transmission part 54 request reception unit 56 identification unit 58 response transmission unit 60 response reception unit 62 first verification value generation unit 64 first verification unit 66 status update unit 70 data storage unit 72 control unit 74 status transmission unit 76 status reception unit 78 start detection unit 80 Start transmission unit 82 Start reception unit 84 Data transmission unit 86 Data reception unit 88 Writing unit 90 First key storage unit 92 Second verification value generation unit 94 Verification value transmission unit 96 Verification value reception unit 98 Second verification unit 100 Confirmation Unit 102 notification unit 104 end reception unit 122 version transmission unit 124 version reception unit 126 version determination unit 142 third inspection Part 144 result transmission unit 146 result receiving unit 152 switching unit 201 the current FW data storage unit 211 the new FW data generation unit 221 system information storage unit 251 stores device 261 first communication portion 262 the second communication unit

Claims (20)

A relay device for updating current data stored in an electronic control device to new data,
A request transmitting unit that transmits an acquisition request including a device identifier for identifying the electronic control device, a data identifier for identifying the current data, and version specifying information capable of specifying a version of the current data to a providing device;
In response to the acquisition request, a response receiving unit that receives the new data from the providing device;
When the new data received from the providing device is transmitted to the electronic control device and the current data stored in the electronic control device is updated to the new data. A data transmission unit for transmitting to the electronic control unit and causing the electronic control unit to restore the current data;
A relay device comprising: The response receiving unit receives the new data and the current data from the providing device in response to the acquisition request,
The relay according to claim 1, wherein, when the update process fails, the data transmission unit transmits the current data received from the providing device to the electronic control device and causes the electronic control device to restore the current data. apparatus. A first verification unit for determining whether the current data and the new data received from the providing device are valid;
The relay device according to claim 2, wherein the data transmission unit transmits the current data and the new data determined to be valid to the electronic control device. The first verification unit includes a first verification value for verifying the current data stored in the electronic control device and a second verification value for verifying the current data received from the providing device. The relay device according to claim 3, wherein, when they match, it is determined that the current data received from the providing device is valid. The response receiving unit further receives a third verification value for verifying the new data from the providing device,
The first verification unit receives the third verification value received from the providing apparatus when the fourth verification value calculated by the shared key data and the new data received from the providing apparatus matches. The relay apparatus according to claim 3, wherein the new data is determined to be valid. A second verification unit that verifies whether the new data written to the electronic control unit by the update process is valid;
The data transmission unit transmits the current data received from the providing device to the electronic control device to the electronic control device when the new data written to the electronic control device in the update process is not valid. The relay device according to claim 3, wherein the current data is restored. The second verification unit includes a fifth verification value for verifying the new data written in the electronic control unit in the update process, and a second value for verifying the new data transmitted to the electronic control unit. 7. The relay device according to claim 6, wherein when the verification value does not match, it is determined that the new data written to the electronic control device by the update process is not valid. The second verification unit further determines whether or not the current data written in the electronic control device in the restoration process is valid,
The relay device further includes a notification unit that notifies the outside that the data written to the electronic control device is not valid when the current data written to the electronic control device is not valid. The relay device described in 1. The second verification unit includes a seventh verification value for verifying the current data written in the electronic control device in the restoration process, and a second value for verifying the current data transmitted to the electronic control device. 9. The relay device according to claim 8, wherein when the verification value does not match, the current data written in the electronic control device is determined not to be valid. The data transmitting unit transmits the new data received from the providing device and a sixth verification value for verifying the new data to the electronic control device and stores the current data stored in the electronic control device. Update to the new data,
The relay device further includes a result receiving unit that receives a result from the electronic control device whether or not the new data written to the electronic control device in the update process is valid,
The data transmission unit verifies the current data and the current data received from the providing device when receiving a result indicating that the new data written to the electronic control device is not valid in the update process. The relay device according to any one of claims 3 to 5, wherein an eighth verification value to be transmitted is transmitted to the electronic control device to cause the electronic control device to restore the current data. A version receiving unit that receives information representing a version of the new data that can be transmitted from the providing device;
A version determination unit that determines whether the version of the new data that can be transmitted from the providing device is newer than the version of the current data stored in the electronic control device;
Further comprising
The request transmission unit transmits the acquisition request to the providing apparatus on the condition that the version of the new data that can be transmitted from the providing apparatus is newer than the version of the current data stored in the electronic control apparatus. The relay device according to any one of claims 1 to 10. A state storage unit that stores verification entity information indicating whether the relay device or the electronic control device executes verification of whether the new data written to the electronic control device is valid;
A switching unit for switching whether to execute the verification by the relay device or the electronic control device based on the verification subject information;
The relay device according to claim 1, further comprising: A current data storage unit for storing the current data;
If the update process is successful, a confirmation unit that writes the new data transmitted to the electronic control device as the current data in the current data storage unit;
Further comprising
The request transmission unit transmits the acquisition request for requesting transmission of the new data to the providing device,
The response receiving unit receives the new data from the providing device in response to the acquisition request for requesting transmission of the new data,
The data transmission unit, when the update process fails, transmits the current data stored in the current data storage unit to the electronic control unit, and causes the electronic control unit to restore the current data. The relay device described in 1. A first verification unit that determines whether the new data received from the providing device and the current data stored in the current data storage unit are valid;
The relay device according to claim 13, wherein the data transmission unit transmits the current data and the new data that are valid to the electronic control device. The request transmission unit, when it is determined that the current data stored in the current data storage unit is not valid, transmits the acquisition request for requesting transmission of the current data to the providing device,
The response receiving unit receives the current data from the providing device in response to the acquisition request for requesting transmission of the current data;
The relay according to claim 14, wherein, when the update process fails, the data transmission unit transmits the current data received from the providing device to the electronic control device and causes the electronic control device to restore the current data. apparatus. Based on the difference data obtained by removing the current data from the new data, and the current data stored in the current data storage unit, further comprising a new data generation unit that generates the new data,
The response receiving unit receives the difference data from the providing device in response to the acquisition request for requesting transmission of the new data,
The new data generation unit generates the new data based on the difference data received from the providing device and the current data stored in the current data storage unit, and the data transmission unit generates the new data generation The relay device according to any one of claims 13 to 15, wherein the new data generated by a unit is transmitted to the electronic control device to update the current data stored in the electronic control device to the new data. . The request transmission unit includes a system identifier that identifies a set of a plurality of electronic control devices, and a system list version that represents a set of versions of the current data stored in each of the plurality of electronic control devices. Sending the acquisition request including version information to the providing device;
The response receiving unit receives the new data for each of the at least one electronic control device to be updated that needs to be updated to the new data in response to the acquisition request,
The data transmitter is
Transmitting each new data received from the providing device to the corresponding electronic control device, and updating the current data stored in the corresponding electronic control device to the new data;
When the update process fails in any of the electronic control devices, the corresponding current data is transmitted to the electronic control device in which the update process has failed and each of the electronic control devices in which the update process has succeeded. The relay apparatus according to claim 1, wherein the current data is restored. When the update process is successful, the new data transmitted to the electronic control device further comprises a determination unit that writes the current data as a current data in a current data storage unit provided outside,
The request transmission unit transmits the acquisition request for requesting transmission of the new data to the providing device,
The response receiving unit receives the new data from the providing device in response to the acquisition request for requesting transmission of the new data,
The data transmission unit, when the update process fails, transmits the current data stored in the current data storage unit to the electronic control unit, and causes the electronic control unit to restore the current data. The relay device described in 1. A relay method executed by a relay device for updating current data stored in an electronic control device to new data,
An acquisition request including a device identifier for identifying the electronic control device, a data identifier for identifying the current data, and version specifying information capable of specifying the version of the current data is transmitted to the providing device,
In response to the acquisition request, the new data is received from the providing device,
When the new data received from the providing device is transmitted to the electronic control device and the current data stored in the electronic control device is updated to the new data. A relay method for transmitting to an electronic control unit and causing the electronic control unit to restore the current data. A program for causing an information processing device to function as a relay device for updating current data stored in an electronic control device to new data,
The information processing apparatus;
A request transmitting unit that transmits an acquisition request including a device identifier for identifying the electronic control device, a data identifier for identifying the current data, and version specifying information capable of specifying a version of the current data to a providing device;
In response to the acquisition request, a response receiving unit that receives the new data from the providing device;
When the new data received from the providing device is transmitted to the electronic control device and the current data stored in the electronic control device is updated to the new data. A data transmission unit for transmitting to the electronic control unit and causing the electronic control unit to restore the current data;
Program to make it function.

Images