JP6408450B2 - Electronic control unit for automobile - Google Patents

Description

  The present invention relates to an automotive electronic control device including a nonvolatile memory capable of electrically rewriting data.

  The electronic control device for automobile is equipped with a nonvolatile memory capable of electrically rewriting data. When rewriting data in the nonvolatile memory, as described in Japanese Patent Application Laid-Open No. 2014-16890 (Patent Document 1), a writing tool for transferring update data is connected to the electronic control device. Then, the writing tool transfers the update data to the electronic control device, and the electronic control device writes the update data in the nonvolatile memory.

JP 2014-16890 A

  Incidentally, a boot loader program for loading and starting an operating system is written in the nonvolatile memory of the electronic control unit. When the data in the nonvolatile memory is rewritten, the update data is written in the nonvolatile memory after the erasure area is erased. During rewriting of the boot loader program, for example, if the electronic control device is reset due to a power failure or communication failure after erasing the nonvolatile memory, the boot loader program does not exist in the nonvolatile memory. For this reason, even if the power is turned on or reset, the electronic control unit cannot load the operating system. For example, the electronic control unit is used unless the electronic control unit is disassembled and the boot loader program is not written in the nonvolatile memory. It becomes impossible. Note that the boot loader program needs to be rewritten, for example, to eliminate the problem and rewrite the entire storage area of the nonvolatile memory.

  SUMMARY OF THE INVENTION An object of the present invention is to provide an automotive electronic control device in which a boot loader program can be written with a writing tool.

An electronic control device for an automobile includes a nonvolatile memory that can electrically rewrite data, and performs control according to a first mode in which data in the nonvolatile memory is rewritten by an external instruction and an application program stored in the nonvolatile memory. It is possible to switch between the second mode for controlling the target device. The automotive electronic control device has no rewrite program used in the first mode, a first program that operates when a start program for starting the operating system in the second mode exists, and no start program. A second program that includes a subset of the operating system that sometimes runs can be selected.

  According to the present invention, a boot loader program can be written by a writing tool.

It is a schematic diagram which shows an example of a data rewriting system. It is an internal structure figure which shows an example of an electronic controller. It is explanatory drawing which shows an example of the memory map of flash ROM (Read Only Memory). It is an internal structure figure which shows an example of the rewriting tool. It is a flowchart which shows an example of the process which an electronic controller performs. It is a subroutine which shows an example of a data rewriting process. It is explanatory drawing which shows an example of a memory map when a boot loader program does not exist in flash ROM.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 shows an example of a data rewriting system for rewriting data of an electronic control unit (ECU) mounted on an automobile.

  The ECU 100 to be rewritten can be attached to and detached from a rewriting tool 300 in which an operator performs data rewriting work on the ECU 100 via a network cable 200 such as CAN (Controller Area Network), serial communication, FlexRay (registered trademark), or the like. Connected. Note that the ECU 100 and the rewriting tool 300 are not limited to wired connection using the network cable 200 but may be connected by wireless connection using a wireless transceiver.

  The ECU 100 is an electronic device that controls various devices mounted on an automobile, for example, a fuel injection valve, a transmission, an electric brake system, an ABS (Antilock Brake System), a variable valve timing mechanism, a variable compression ratio mechanism, and the like. Built-in microcomputer. Specifically, as shown in FIG. 2, the ECU 100 includes a processor 110 such as a CPU (Central Processing Unit), a communication circuit 120 for connecting to a network, a flash ROM 130 as an example of a nonvolatile memory, A RAM (Random Access Memory) 140 that is an example of a volatile memory, and a bus 150 that connects the processor 110, the communication circuit 120, the flash ROM 130, and the RAM 140 to each other are included. Here, the communication circuit 120 includes a connector (not shown) that detachably connects the network cable 200. The flash ROM 130 can rewrite data by electrically erasing and writing data.

  As shown in FIG. 3, the flash ROM 130 stores a boot loader program, a rewrite program, a fail safe boot loader program, an operating system, application programs 1 to n for controlling various devices, and the like. Here, the boot loader program, the rewrite program, and the fail safe boot loader program are examples of the start program, the first program, and the second program, respectively.

  The boot loader program loads the operating system into the RAM 140 and starts it. The rewriting program rewrites data in the flash ROM 130 except for the storage area in which the fail-safe boot loader program is stored in response to an instruction from the rewriting tool 300 under the operation of the operating system. The fail-safe boot loader program includes a storage area in which the fail-safe boot loader program is stored in response to an instruction from the rewriting tool 300 in a state where the operating system is not operating, that is, a state where the boot loader program does not exist. The data in the ROM 130 is rewritten. The boot loader program, the rewrite program, the fail safe boot loader program, the operating system, and the application programs 1 to n can be identified by, for example, an identifier embedded in data, a table that manages the memory map of the flash ROM 130, or the like.

  Here, the fail-safe boot loader program is configured to realize a communication function between the ECU 100 and the rewriting tool 300, a data rewriting function of the flash ROM 130, and a data verification function of the flash ROM 130 even when the operating system is not operating. ing. Thus, the failsafe boot loader program includes a subset of the operating system.

  The ECU 100 selectively activates a boot loader program or a fail safe boot loader program according to the memory map state of the flash ROM 130 when power is turned on or reset. This selective activation can be realized, for example, using a boot sector.

  The rewriting tool 300 is an electronic device in which an operator performs data rewriting work of the ECU 100, and is composed of a computer such as a personal computer, for example. Specifically, as shown in FIG. 4, the rewriting tool 300 includes a processor 310 such as a CPU, a communication circuit 320 for connecting to a network, a storage 330 such as a hard disk device and an SSD (Solid State Drive), And an input / output device 340 serving as an interface to the worker. Here, the communication circuit 320 includes a connector (not shown) that removably connects the network cable 200. The input / output device 340 includes a display such as an LCD (Liquid Crystal Display), a keyboard, and a pointing device such as a mouse. The storage 330 may be, for example, a NAS (Network Attached Storage) connected to a network (not shown), a server storage, or the like.

  The storage 330 stores update data for rewriting the flash ROM 130 of the ECU 100. The update data includes, for example, a boot loader program, an application program for controlling various devices mounted on the automobile, constants used in the application program, control parameters such as a map (table), and the like. The update data can further include a rewrite program, a fail safe boot loader program, and an operating system.

  The ECU 100 is configured to be able to switch between a first mode in which data in the flash ROM 130 is rewritten in accordance with an instruction from the rewriting tool 300 and a second mode in which the control target device is controlled in accordance with an application program stored in the flash ROM 130. Has been. As the data rewrite program used in the first mode, a rewrite program that operates when the boot loader program in the second mode exists and a fail safe boot loader program that operates even when the boot loader program does not exist can be selected. It is. Further, when the boot loader program does not operate even when the power is turned on or reset, the ECU 100 automatically shifts to a rewrite process by the fail safe boot loader program.

  FIG. 5 shows an example of processing executed by the processor 110 of the ECU 100 when the ECU 100 is powered on or reset. When rewriting the data in the flash ROM 130 of the ECU 100, the operator connects the rewriting tool 300 to the ECU 100 and turns on the power to the ECU 100.

  In step 1 (abbreviated as “S1” in the figure, the same applies hereinafter), the processor 110 of the ECU 100 searches for the boot sector of the flash ROM 130 and, for example, whether or not the identifier of the boot loader program is stored therein. To determine whether there is a boot loader program. If the processor 110 of the ECU 100 determines that there is a boot loader program in the flash ROM 130, the process proceeds to step 2 (Yes). On the other hand, if the processor 110 of the ECU 100 determines that there is no boot loader program in the flash ROM 130, the process proceeds to step 8 (No). Whether or not there is a boot loader program in the flash ROM 130 can be determined by using, for example, a function provided in the ECU 100 for searching and booting boot sectors in a specified order.

  In step 2, the processor 110 of the ECU 100 loads the boot loader program in the flash ROM 130 into the RAM 140 and starts it. When the boot loader program is activated, the processor 110 of the ECU 100 can load the operating system of the flash ROM 130 into the RAM 140 and activate it to prepare for starting the application program. Note that the boot loader program can be activated by, for example, a function provided in the ECU 100 for searching and booting boot sectors in a specified order.

  In step 3, the processor 110 of the ECU 100 searches the storage area of the flash ROM 130 and determines whether there is an application program, for example, based on whether the identifier of the application program is stored there. If the processor 110 of the ECU 100 determines that there is an application program in the flash ROM 130, the process proceeds to step 4 (Yes). On the other hand, if the processor 110 of the ECU 100 determines that there is no application program in the flash ROM 130, the process proceeds to step 7 (No).

  In step 4, the processor 110 of the ECU 100 loads the application program of the flash ROM 130 into the RAM 140 and starts it. When there are a plurality of application programs in the flash ROM 130, the processor 110 of the ECU 100 sequentially activates each application program in, for example, a preset activation order.

  In step 5, the processor 110 of the ECU 100 electronically converts various devices such as a fuel injection valve, a transmission, an electric brake system, an ABS, a variable valve timing mechanism, and a variable compression ratio mechanism in accordance with each application program started in step 4. Control.

  In step 6, the processor 110 of the ECU 100 determines whether or not there is a data rewrite request from the rewrite tool 300. If the processor 110 of the ECU 100 determines that there is a data rewrite request, the process proceeds to step 7 (Yes). On the other hand, if the processor 110 of the ECU 100 determines that there is no data rewrite request, the process returns to step 5 (No). When the rewriting tool 300 is not connected to the ECU 100, a data rewriting request is not transmitted from the rewriting tool 300 to the ECU 100, and therefore normal processing for electronically controlling various devices is executed.

  In step 7, the processor 110 of the ECU 100 loads the flash ROM 130 rewrite program into the RAM 140 and starts it. Then, the processor 110 of the ECU 100 advances the process to step 9.

  In step 8, the processor 110 of the ECU 100 loads the fail safe boot loader program in the flash ROM 130 into the RAM 140 and activates it using, for example, a function to search and activate the boot sectors in the specified order. That is, since the boot loader program does not exist in the flash ROM 130, the processor 110 of the ECU 100 starts the fail safe boot loader program including a subset of the operation system, and uses the function to store various data including the boot loader program in the flash ROM 130. Make it writable. Then, the processor 110 of the ECU 100 advances the process to step 9.

  In step 9, the processor 110 of the ECU 100 cooperates with the rewrite tool 300 to execute a data rewrite processing subroutine by the rewrite program activated in step 7 or the fail safe boot loader program activated in step 8. Details of the data rewriting process will be described later.

  In step 10, the processor 110 of the ECU 100 determines whether or not to end the process through whether or not at least one of the following four conditions is satisfied. If the processor 110 of the ECU 100 determines that at least one of the four conditions is satisfied, the process is terminated (Yes). On the other hand, if the processor 110 of the ECU 100 determines that none of the four conditions is satisfied, the process returns to step 9 (No).

First condition: data writing to the flash ROM 130 is completed, or signature modification of the rewrite tool 300 is second condition: session timeout (however, when rewriting the entire storage area of the flash ROM 130, timeout is not performed)
Third condition: ECU 100 receives a reset command (however, it is valid only when the entire storage area of flash ROM 130 is rewritten, and is normally a negative response)
Fourth condition: communication failure such as flash ROM 130 erasing or writing error, communication interruption (valid only when rewriting the entire storage area or boot sector)

  FIG. 6 shows an example of a subroutine for data rewriting processing that is executed in cooperation by the processor 110 of the ECU 100 and the processor 310 of the rewriting tool 300.

  In step 21, the processor 310 of the rewriting tool 300 uses the input / output device 340 to cause the user to select a rewriting target. That is, the processor 310 of the rewriting tool 300 displays, for example, a screen for causing the input / output device 340 to select a rewriting target, and selects at least one rewriting target from the screen.

  In step 22, the processor 310 of the rewriting tool 300 sequentially selects one rewriting object from at least one rewriting object selected in step 21. For example, the processor 310 of the rewriting tool 300 selects the rewriting object selected first in the first process, and sequentially selects the rewriting object according to the selected order in the second and subsequent processes.

  In step 23, the processor 310 of the rewrite tool 300 designates the rewrite target address selected in step 22, for example, to erase the storage area storing the rewrite target in the flash ROM 130 of the ECU 100 to the ECU 100. Request.

  In step 31, in response to the erasure request from the rewrite tool 300, the processor 110 of the ECU 100 erases the storage area, for example, by writing predetermined data to a designated address of the flash ROM 130.

  In step 32, the processor 110 of the ECU 100 notifies the rewriting tool 300 that the erasure of the storage area of the designated address in the flash ROM 130 has been completed. Note that such notification is performed in order to synchronize between the ECU 100 and the rewriting tool 300 (the same applies hereinafter).

  In step 24, the processor 310 of the rewriting tool 300 reads the update data to be rewritten from the storage 330 in response to the notification from the ECU 100 and transmits it to the ECU 100. The update data may be divided and transmitted for each predetermined size.

In step 33, the processor 110 of the ECU 100 writes the update data received from the rewriting tool 300 into the flash ROM 130.
In step 34, the processor 110 of the ECU 100 notifies the rewriting tool 300 that the data writing to the flash ROM 130 has been completed.

  In step 25, the processor 310 of the rewriting tool 300 determines whether or not all rewriting objects have been processed. If the processor 310 of the rewriting tool 300 determines that all the rewriting objects have been processed, the processing ends (Yes). On the other hand, if the processor 310 of the rewriting tool 300 determines that not all rewriting objects have been processed, the process returns to step 22 (No).

  According to such processing, if the boot loader program is written in the flash ROM 130 of the ECU 100, the processor 110 of the ECU 100 loads the boot loader program into the RAM 140 and starts it, thereby operating the operating system. If an application program is written in the flash ROM 130, the processor 110 of the ECU 100 electronically controls various devices mounted on the automobile by loading the application program into the RAM 140 and starting the application program.

  If the application program is not written in the flash ROM 130, the ECU 100 cannot electronically control various devices. Therefore, the processor 110 of the ECU 100 starts the rewriting program so that the application program can be written in the flash ROM 130. In addition, when the processor 110 of the ECU 100 electronically controls various devices, if there is a data rewrite request from the rewrite tool 300 connected to the ECU 100, the processor 110 of the ECU 100 rewrites to respond to the request of the rewrite tool 300. Start the program.

  Then, the processor 110 of the ECU 100 rewrites the data in the flash ROM 130 in response to an instruction from the rewriting tool 300. At this time, since the rewrite program is configured so that the fail safe loader program cannot be rewritten, for example, when all data in the flash ROM 130 is rewritten, even if a power failure or a communication failure occurs, the rewrite program fails from the flash ROM 130. The loss of the safe boot loader program can be suppressed.

  On the other hand, as shown in FIG. 7, when the boot loader program is not written in the flash ROM 130, the processor 110 of the ECU 100 cannot operate the operating system. For this reason, the processor 110 of the ECU 100 activates a fail-safe boot loader program including a subset of the operating system and uses the function to write at least the boot loader program into the flash ROM 130.

  Therefore, when the boot loader program in the flash ROM 130 is rewritten in the ECU 100, for example, even if the boot loader program is deleted due to a power failure or a communication failure and the boot loader program is deleted, the ECU 100 does not disassemble the ECU 100 and responds to the instruction of the rewriting tool 300. Thus, the boot loader program can be written by the fail safe boot loader program.

  Here, since the fail-safe boot loader program of the flash ROM 130 may contain, for example, a bug, it can also be rewritten. In this case, the fail-safe boot loader program cannot be rewritten by the rewriting program under the operation of the operating system. However, since the fail safe boot loader program can rewrite the entire storage area of the flash ROM 130, the fail safe boot loader program can be rewritten. Here, since the fail safe boot loader program is loaded from the flash ROM 130 to the RAM 140 and started, no problem occurs even if the fail safe boot loader program in the flash ROM 130 is rewritten.

100 Electronic control device 110 Processor 130 Flash ROM (nonvolatile memory)

Claims (3)

A non-volatile memory capable of electrically rewriting data is provided, and a control target device is controlled in accordance with a first mode in which data in the non-volatile memory is rewritten by an external instruction and an application program stored in the non-volatile memory In the automotive electronic control device capable of switching between the second mode,
The rewrite program used in the first mode operates when the start program for starting the operating system in the second mode exists and when the start program does not exist , A second program including a subset of the operating system is selectable;
An electronic control device for an automobile. If the first program does not operate even when the power is turned on or reset, the process proceeds to a rewrite process by the second program.
The automotive electronic control device according to claim 1. The first program cannot rewrite the second program.
The automobile electronic control device according to claim 1 or 2, wherein