WO2018127393A1 - Control system for a motor vehicle, with a central control device and multiple further control devices - Google Patents


Publication number
WO2018127393A1
Authority
WO
WIPO (PCT)
Prior art keywords
control device
further control
control devices
central control
control system
Application number
PCT/EP2017/083273
Other languages
French (fr)
Inventor
Desoky Abdelqawy
Karim Gomaa
Ahmed Darwish
Hussein Hesham
Ruba Noureldin
Original Assignee
Connaught Electronics Ltd.
Application filed by Connaught Electronics Ltd.
Publication of WO2018127393A1

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00 Registering or indicating the working of vehicles
    • G07C5/008 Registering or indicating the working of vehicles communicating information to a remotely located station
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4416 Network booting; Remote initial program loading [RIPL]
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00 Registering or indicating the working of vehicles
    • G07C5/08 Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0841 Registering performance data
    • G07C5/085 Registering performance data using electronic data carriers
    • G07C5/0866 Registering performance data using electronic data carriers the electronic data carrier being a digital video recorder in combination with video camera

Definitions

  • Control system for a motor vehicle with a central control device and multiple further control devices
  • the invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, wherein the further control devices are designed for executing a function application that is loaded in the corresponding control device respectively.
  • the invention further relates to a method for operating such a control system.
  • Such a control device typically has a nonvolatile or permanent memory, for example a flash memory, in which software which is coordinated with or matched to the functionality of the control device is stored, for example as a so-called function application.
  • This software may also be referred to as firmware.
  • the control device also has a computing unit.
  • the size of the nonvolatile permanent memory is typically matched very closely to the software that is provided for the particular control device.
  • the control device may also have a volatile (working) memory, for example a random access memory (RAM), for running the particular software or function application.
  • the software is permanently stored or saved in the nonvolatile memory, and generally cannot be readily updated or modified. Updating and modifying the function application is possible here only in a maintenance or service center via a special bootstrap loader or boot loader update mechanism, or via a wireless update mechanism (over-the-air update) which is implemented in the bootstrap loader of each control device and which must be synchronized with same. Accordingly, in a modern motor vehicle, which typically has approximately one hundred control devices, updating the function application, and thus a particular control device, involves considerable effort.
  • DE 103 48 362 B4 describes an integrated vehicle control system having a plurality of electronic control devices which are connected via at least one communication line in order to communicate with one another for controlling particular functions of a vehicle, whereby one of the electronic control devices acts as a master control device in order to transmit operating instructions to other electronic control devices.
  • A method is known from EP 2 477 421 A1 in which data may be transmitted via a wireless network to a motor vehicle that is moving, for example during driving operation.
  • the object of the invention is to provide a simplified control system for a motor vehicle, having multiple control devices and which may be operated and updated more efficiently.
  • the invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, preferably a plurality of further control devices, wherein the further control devices are designed for executing one or more function applications that are each loaded into or onto the respective control device.
  • the function application may also be referred to as a function application program.
  • the particular function applications for the further control devices are stored in the central control device, and during a start operation, i.e., a start-up or booting of the control device, the further control devices are designed to load the corresponding or appropriate function application, which is associated with the particular control device, from the central control device and subsequently activate or execute it.
  • the appropriate function application may be loaded from the central control device into a particular local volatile memory, for example a random access memory, of the respective further control device.
  • the central control device may thus be regarded as a shared data center for the further control devices.
  • the function applications which are generally stored as firmware in a local nonvolatile memory of the particular further control devices in the state of the art, are centrally stored in the data center.
  • the invention therefore relates to a central control device which is connected to the further control devices of the control system, preferably to all further control devices of the motor vehicle.
  • the central control device may include all firmware of the further control devices. During start-up, each further control device is able to contact the central control device and retrieve the necessary firmware data.
  • the size of a nonvolatile permanent memory in each further control device may thus be reduced, or a local nonvolatile memory may be dispensed with altogether.
  • This nonvolatile memory is responsible for approximately 70 percent of the memory costs for each control device.
  • the function applications are centrally stored, they may also be centrally managed, for example updated and distributed. When the function application is updated, it is also not necessary, as heretofore, to take file size into consideration, since the memory in the central control device may be flexibly associated with the particular function application. The file size or the size of the updated function application may thus exceed that of the function application to be updated.
  • a function application which grows in size from, for example, 500 kilobytes to 1 megabyte during an update may still be used in the control system.
  • memory redundancy may also be incorporated for critical function applications particularly easily, with little additional effort. Problems that may be caused by a faulty memory, for example, may thus be avoided or reduced.
  • the further control devices reload the appropriate function application from the central control device for each start operation, it may thus be ensured at a central location that each further control device of the control system always executes the most current and correct function application. This also allows updating to take place during operation of the control system, since during the update operation, only the central control device, not the further control devices in which the function applications to be updated are active during operation, is accessed.
  • the function application for the further control devices is stored in a nonvolatile, i.e., persistent, memory of the central control device, for example a flash memory, which, in contrast to a random access memory, is suitable for permanently storing information, and thus, a function application.
  • the further control devices do not have a nonvolatile memory that is suitable for storing the particular function application.
  • the memory of the central control device is thus the only nonvolatile memory of the control system that is suitable for storing the function applications.
  • the function application in the central control device is stored in a memory having a file system, so that for the further control devices, the function application may in each case be stored in a variable file size.
  • Using a file system has the advantage that fragmentation of the data, for example, as in an update process, in which a certain function application in its updated version requires more memory space than in the version to be updated, may be managed and therefore is not a problem.
  • By use of a file system, internal as well as external fragmentation problems may be addressed and thus avoided.
  • the memory in the central control device may thus be managed in a particularly efficient manner. Flexible and dynamically adaptable memory management is thus achieved, which is advantageous in particular for an update process.
  • an encryption process and/or a signing process are/is implemented for at least one of the particular function applications, in particular all function applications.
  • Use of a file system for the function applications in the central control device is particularly advantageous here.
  • each further control device is capable of executing only specific function applications, so that in addition, reliability of the particular control device is increased and the susceptibility to error of the control system is reduced.
  • the function application of the particular further control device is thus automatically validated prior to being executed.
  • the further control devices have a standardized, i.e., an identical or structurally identical, bootstrap loader or boot loader for loading the particular function application from the central control device.
  • the bootstrap loader may have, for example independently of the control device, i.e., independently of hardware, multiple different connection options for further components that are coupled to the particular control device.
  • the function applications are stored as a respective binary file for the further control device.
  • the central control device and the further control devices are coupled to one another via a data connection having a transmission rate of at least 100 megabits, in particular at least 1 gigabit.
  • the central control device has an update interface, in particular a wireless update interface, i.e., an update interface for wireless transmission of data, via which the function applications stored in the control device may be updated, i.e., overwritten.
  • the update interface may be or include a standardized data interface.
  • the function applications are updatable via the wireless update interface by means of a mobile wireless connection and/or a wireless local area network (WLAN) connection and/or a Bluetooth connection.
  • the update interface may have a corresponding wireless module, for example a mobile wireless module and/or a WLAN module and/or a Bluetooth module, and/or the like.
  • the invention further relates to a motor vehicle having a single control system or multiple control systems according to one or more of the described embodiments.
  • the single control system may include, for example, all control devices of the motor vehicle. This has the advantage that all control devices of the motor vehicle may be updated via a single update interface.
  • control systems may in each case be part of so-called domains of control devices, i.e., control devices of one functional group, for example an engine control domain or a driver assistance domain.
  • the function applications stored in the central control device are updatable when the motor vehicle is being used as intended, i.e., in an operating mode that is different from a service mode, in particular during driving operation.
  • the function applications may be updated at any time. Since during use of the motor vehicle as intended, the corresponding function applications are already locally stored and executed in the further control devices, for example in a volatile memory, an update operation may meanwhile take place in the central control device without jeopardizing the functioning of the further control devices. Since the central control device is already in operation during use of the motor vehicle as intended, the update operation may also be started with little effort. In addition, it is not necessary to activate a particular operating mode of the motor vehicle in order to update the function programs, so that the update operation may be started automatically when the motor vehicle is started up, and no disadvantages, for example due to limited availability, result here for a user of the motor vehicle. The updated function applications are thus also always automatically in the most current version.
  • the invention further relates to a method for operating a control system for a motor vehicle, wherein the control system has a central control device and at least two further control devices that are designed for executing a function application which in each case is loaded in the respective further control device, the further control device in question.
  • the method has multiple method steps. One method step is storing a particular function application for the further control devices in question in the central control device. A further method step is automatically loading the particular function application from the central control device into the particular further control device during a start operation, a so-called booting or boot, of the particular further control device, by this specific further control device.
  • the method also comprises activating the particular function application in the further control device in question.
  • the single fig. shows a motor vehicle having one exemplary embodiment of a control system with multiple control devices.
  • the motor vehicle 1 shown in the fig. includes a control system 2 having a central control device 3 and at least two, in the present case a plurality of, further control devices 4a, 4b, 4c.
  • the further control devices 4a through 4c are designed for executing a function application 5a, 5b, 5c, respectively, which in each case is loaded into the corresponding control device 4a through 4c.
  • the further control devices 4a through 4c are coupled to the central control device 3 via a bus 6 of the motor vehicle 1, for example via an Ethernet.
  • the first further control device 4a is coupled to a camera 10, and is used here with the function application 5a to operate this camera, for example for a driver assistance functionality of the motor vehicle 1.
  • the second further control device 4b in the present case is coupled to a driving motor 11 of the motor vehicle 1, and with the second function application 4b is used here for engine control.
  • a so-called domain for example the driver assistance domain or the engine control domain
  • multiple further control devices may also be provided, each of which takes over different functionalities within the field of application in question.
  • the particular function applications 5a through 5c for the further control devices 4a through 4c are now centrally stored in the central control device 3.
  • the further control devices 4a through 4c are appropriately designed for loading the appropriate function application 5a through 5c from the central control device 3 and subsequently activating it during a start-up or boot operation.
  • the first further control device 4a loads the first function application 5a
  • the second further control device 4b loads the function application 5b
  • the third further control device 4c loads the corresponding function application 5c, and so forth.
  • the central control device 3 is equipped with a file system here, so that the corresponding function applications 5a through 5c, which in the present case are stored as binary files, may be efficiently stored, even when they have different sizes or their sizes change. Dynamic and flexible updating of the function applications 5a through 5c is thus made possible.
  • a communication protocol is provided in the control system, and thus in the central control device 3 and the further control devices 4a through 4c, which offers the storing of the function applications 5a through 5c as a service within the control system, i.e., "data storage as service," in which the function applications 5a through 5c may be requested and transmitted, in the present case as binary files.
  • an update service, a signing or verification service, and an encryption service are also implemented in the central control device 3.
  • the central control device 3 has a wireless update interface 7 in the present case, via which update data and thus updated function applications may be retrieved from a computing device 9, for example a server, external to the vehicle by means of a wireless data connection 8, in the present case for example a mobile wireless connection.
  • Simple updating of the further control devices 4a through 4c or of the corresponding function applications 5a through 5c is thus possible via the central control device 3. Due to the file system that is used in the central control device 3, varying sizes of the particular function applications 5a through 5c may also be processed without problems.
  • a verification service is also implemented in the central control device 3, so that, for example via the known encryption or signing algorithms with public and private keys, the further control devices 4a through 4c may identify the particular loaded function application 5a through 5c as originating from the central control device 3 and not being manipulated, and may thus execute them without a security risk.
  • appropriate encryption is also provided here, so that the particular further control device 4a through 4c is able to decrypt and thus execute in each case only its own function application 5a through 5c which is intended for it.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to a control system (2) for a motor vehicle (1), having a central control device (3) and at least two further control devices (4a-4c), wherein the further control devices (4a-4c) are designed for executing a function application (5a-5c) that is loaded in each case in the corresponding control device (4a-4c), the particular function applications (5a-5c) for the further control devices (4a-4c) are stored in the central control device (3), and during a start operation, the further control devices (4a-4c) are designed to load the appropriate function application (5a-5c) from the central control device (3) and subsequently activate it, in order to provide a simplified control system (2) for a motor vehicle (1), having multiple control devices (4a-4c) and which may be operated and updated more efficiently.

Description

Control system for a motor vehicle, with a central control device and multiple further control devices
The invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, wherein the further control devices are designed for executing a function application that is loaded in the corresponding control device respectively. The invention further relates to a method for operating such a control system.
Presently, the architecture or topology of electronic devices in automotive manufacturing is based on a close connection between hardware components, for example control devices, and particular software. Such a control device typically has a nonvolatile or permanent memory, for example a flash memory, in which software which is coordinated with or matched to the functionality of the control device is stored, for example as a so-called function application. This software may also be referred to as firmware. For running the software, the control device also has a computing unit. For cost reasons, the size of the nonvolatile permanent memory is typically matched very closely to the software that is provided for the particular control device. In addition, the control device may also have a volatile (working) memory, for example a random access memory (RAM), for running the particular software or function application.
The software is permanently stored or saved in the nonvolatile memory, and generally cannot be readily updated or modified. Updating and modifying the function application is possible here only in a maintenance or service center via a special bootstrap loader or boot loader update mechanism, or via a wireless update mechanism (over-the-air update) which is implemented in the bootstrap loader of each control device and which must be synchronized with same. Accordingly, in a modern motor vehicle, which typically has approximately one hundred control devices, updating the function application, and thus a particular control device, involves considerable effort.
In this regard, DE 103 48 362 B4 describes an integrated vehicle control system having a plurality of electronic control devices which are connected via at least one communication line in order to communicate with one another for controlling particular functions of a vehicle, whereby one of the electronic control devices acts as a master control device in order to transmit operating instructions to other electronic control devices.
A method is known from EP 2 477 421 A1 in which data may be transmitted via a wireless network to a motor vehicle that is moving, for example during driving operation.
The object of the invention is to provide a simplified control system for a motor vehicle, having multiple control devices and which may be operated and updated more efficiently.
This object is achieved by the subject matter of the independent patent claims. Advantageous embodiments are apparent from the dependent patent claims, the description, and the figures.
The invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, preferably a plurality of further control devices, wherein the further control devices are designed for executing one or more function applications that are each loaded into or onto the respective control device. The function application may also be referred to as a function application program. The particular function applications for the further control devices are stored in the central control device, and during a start operation, i.e., a start-up or booting of the control device, the further control devices are designed to load the corresponding or appropriate function application, which is associated with the particular control device, from the central control device and subsequently activate or execute it. The appropriate function application may be loaded from the central control device into a particular local volatile memory, for example a random access memory, of the respective further control device. The central control device may thus be regarded as a shared data center for the further control devices. The function applications, which are generally stored as firmware in a local nonvolatile memory of the particular further control devices in the state of the art, are centrally stored in the data center. The invention therefore relates to a central control device which is connected to the further control devices of the control system, preferably to all further control devices of the motor vehicle. The central control device may include all firmware of the further control devices. During start-up, each further control device is able to contact the central control device and retrieve the necessary firmware data.
This has the advantage that the software, i.e., the function applications, of the further control devices and storage thereof are decoupled from the hardware of the particular further control devices. The size of a nonvolatile permanent memory in each further control device may thus be reduced, or a local nonvolatile memory may be dispensed with altogether. This nonvolatile memory is responsible for approximately 70 percent of the memory costs for each control device. Since the function applications are centrally stored, they may also be centrally managed, for example updated and distributed. When the function application is updated, it is also not necessary, as heretofore, to take file size into consideration, since the memory in the central control device may be flexibly associated with the particular function application. The file size or the size of the updated function application may thus exceed that of the function application to be updated. Thus, for example, a function application which grows in size from, for example, 500 kilobytes to 1 megabyte during an update, may still be used in the control system. In this way, memory redundancy may also be incorporated for critical function applications particularly easily, with little additional effort. Problems that may be caused by a faulty memory, for example, may thus be avoided or reduced. Since the further control devices reload the appropriate function application from the central control device for each start operation, it may thus be ensured at a central location that each further control device of the control system always executes the most current and correct function application. This also allows updating to take place during operation of the control system, since during the update operation, only the central control device, not the further control devices in which the function applications to be updated are active during operation, is accessed.
In one advantageous embodiment, it is provided that the function application for the further control devices is stored in a nonvolatile, i.e., persistent, memory of the central control device, for example a flash memory, which, in contrast to a random access memory, is suitable for permanently storing information, and thus, a function application. The further control devices do not have a nonvolatile memory that is suitable for storing the particular function application. In particular, the memory of the central control device is thus the only nonvolatile memory of the control system that is suitable for storing the function applications.
This has the advantage that the further control devices may be implemented in a particularly robust manner and with little effort, with few components and at low cost.
In another advantageous embodiment, it is provided that the function application in the central control device is stored in a memory having a file system, so that for the further control devices, the function application may in each case be stored in a variable file size.
Using a file system has the advantage that fragmentation of the data, for example, as in an update process, in which a certain function application in its updated version requires more memory space than in the version to be updated, may be managed and therefore is not a problem. By use of a file system, internal as well as external fragmentation problems may be addressed and thus avoided. The memory in the central control device may thus be managed in a particularly efficient manner. Flexible and dynamically adaptable memory management is thus achieved, which is advantageous in particular for an update process.
In another advantageous embodiment, it is provided that in the central control device and in the further control devices an encryption process and/or a signing process are/is implemented for at least one of the particular function applications, in particular all function applications. Use of a file system for the function applications in the central control device is particularly advantageous here.
This has the advantage that the function applications may be protected from unauthorized access or manipulation, in particular by means of a single security certification operation for the entire control system, instead of a security certification operation for each individual control device. It may thus be provided that each further control device is capable of executing only specific function applications, so that in addition, reliability of the particular control device is increased and the susceptibility to error of the control system is reduced. The function application of the particular further control device is thus automatically validated prior to being executed.
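The validation step described above can be sketched as follows; this is an added example, not code from the patent. The device IDs `4a`/`4b`, all class and function names, the package layout (nonce, ciphertext, tag) and the per-device symmetric keys are assumptions, and HMAC-SHA256 stands in for both the signing and the encryption algorithm so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


class ValidationError(Exception):
    """Raised by the boot loader when a package must not be activated."""


def subkey(device_key, label):
    # Derive separate encryption and authentication keys from one device key.
    return hmac.new(device_key, label, hashlib.sha256).digest()


def keystream_xor(enc_key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    # A production boot loader would use a vetted AEAD such as AES-GCM.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + struct.pack(">I", offset // 32),
                       hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def auth_tag(mac_key, device_id, nonce, ciphertext):
    # The tag covers the target device ID, so a package cannot be re-addressed.
    ident = device_id.encode()
    msg = struct.pack(">H", len(ident)) + ident + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


class CentralControlDevice:
    """Holds every function application; a dict stands in for the file system."""

    def __init__(self, device_keys):
        self.keys = dict(device_keys)
        self.files = {}

    def store(self, device_id, image):
        # An update simply replaces the file; the new image may be larger.
        self.files[device_id] = bytes(image)

    def serve(self, device_id):
        key, nonce = self.keys[device_id], os.urandom(NONCE_LEN)
        ct = keystream_xor(subkey(key, b"enc"), nonce, self.files[device_id])
        return nonce + ct + auth_tag(subkey(key, b"mac"), device_id, nonce, ct)


def boot_load(device_id, device_key, package):
    """Boot loader of a further control device: verify first, then decrypt to RAM."""
    if len(package) < NONCE_LEN + TAG_LEN:
        raise ValidationError("package too short")
    nonce = package[:NONCE_LEN]
    ct, tag = package[NONCE_LEN:-TAG_LEN], package[-TAG_LEN:]
    expected = auth_tag(subkey(device_key, b"mac"), device_id, nonce, ct)
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValidationError("authentication failed; image not activated")
    return keystream_xor(subkey(device_key, b"enc"), nonce, ct)


def rejected(device_id, key, package):
    try:
        boot_load(device_id, key, package)
    except ValidationError:
        return True
    return False


def demo():
    keys = {"4a": os.urandom(32), "4b": os.urandom(32)}   # constructed keys
    central = CentralControlDevice(keys)
    v1 = b"CAMERA-APP v1;" * 40                           # constructed images
    v2 = b"CAMERA-APP v2 with more features;" * 40
    central.store("4a", v1)
    central.store("4b", b"ENGINE-APP v1;" * 40)
    package = central.serve("4a")
    tampered = bytearray(package)
    tampered[NONCE_LEN] ^= 0x01                           # flip one ciphertext bit
    central.store("4a", v2)                               # update while 4a runs v1
    return {
        "own_image_loaded": boot_load("4a", keys["4a"], package) == v1,
        "foreign_device_rejected": rejected("4b", keys["4b"], package),
        "tampered_rejected": rejected("4a", keys["4a"], bytes(tampered)),
        "larger_update_loaded":
            boot_load("4a", keys["4a"], central.serve("4a")) == v2,
    }


if __name__ == "__main__":
    print(demo())
```

The tag in this sketch binds an image to its device but not to a version, so the check alone does not distinguish a current package from an older one that was valid earlier.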
In another advantageous embodiment, it is provided that the further control devices have a standardized, i.e., an identical or structurally identical, bootstrap loader or boot loader for loading the particular function application from the central control device. The bootstrap loader may have, for example independently of the control device, i.e., independently of hardware, multiple different connection options for further components that are coupled to the particular control device.
This has the advantage that the development of the control system is simplified, and at the same time reliability is increased with a minimal number of errors.
In another advantageous embodiment, it is provided that the function applications are stored as a respective binary file for the further control device.
This has the advantage that the further control devices require no, or only minimal, software for interpreting the particular function applications, so that memory requirements there are minimized.
In another advantageous embodiment, it is provided that the central control device and the further control devices are coupled to one another via a data connection having a transmission rate of at least 100 megabits, in particular at least 1 gigabit.
This has the advantage that during start-up of the control system, which includes starting or start-up of the further control devices, the further control devices are ready for use particularly quickly, since data are often transmitted between the central control device and the further control devices during start-up.
In another advantageous embodiment, it is provided that the central control device has an update interface, in particular a wireless update interface, i.e., an update interface for wireless transmission of data, via which the function applications stored in the control device may be updated, i.e., overwritten. The update interface may be or include a standardized data interface.
This has the advantage that the particular function applications may be easily updated without individually modifying in each case a bootstrap loader of the further control devices in question for the particular update process. Instead, in each case one or more of the further control devices of the control system are updated for the entire control system via a single update interface. Thus, for the update process itself, only the central control device is involved.
It may advantageously be provided that the function applications are updatable via the wireless update interface by means of a mobile wireless connection and/or a wireless local area network (WLAN) connection and/or a Bluetooth connection. For this purpose, the update interface may have a corresponding wireless module, for example a mobile wireless module and/or a WLAN module and/or a Bluetooth module, and/or the like.
This has the advantage that the function applications may be updated in numerous different situations, and thus, also outside a service mode. Thus, for example, a control system of a motor vehicle which is in operation and moving along a route according to its intended use may be updated.
The invention further relates to a motor vehicle having a single control system or multiple control systems according to one or more of the described embodiments. The single control system may include, for example, all control devices of the motor vehicle. This has the advantage that all control devices of the motor vehicle may be updated via a single update interface.
In an alternative variant with multiple control systems, these control systems may in each case be part of so-called domains of control devices, i.e., control devices of one functional group, for example an engine control domain or a driver assistance domain. This has the advantage that the described progressive architecture for the control system may be implemented step by step in a motor vehicle, and does not have to be realized in a single development step.
In one particularly advantageous embodiment, it is provided that the function applications stored in the central control device are updatable when the motor vehicle is being used as intended, i.e., in an operating mode that is different from a service mode, in particular during driving operation.
This has the advantage that the function applications may be updated at any time. Since during use of the motor vehicle as intended, the corresponding function applications are already locally stored and executed in the further control devices, for example in a volatile memory, an update operation may meanwhile take place in the central control device without jeopardizing the functioning of the further control devices. Since the central control device is already in operation during use of the motor vehicle as intended, the update operation may also be started with little effort. In addition, it is not necessary to activate a particular operating mode of the motor vehicle in order to update the function programs, so that the update operation may be started automatically when the motor vehicle is started up, and no disadvantages, for example due to limited availability, result here for a user of the motor vehicle. The updated function applications are thus also always automatically in the most current version.
The invention further relates to a method for operating a control system for a motor vehicle, wherein the control system has a central control device and at least two further control devices that are designed for executing a function application which in each case is loaded in the respective further control device. The method has multiple method steps. One method step is storing a particular function application for the further control devices in question in the central control device. A further method step is automatically loading the particular function application from the central control device into the particular further control device during a start operation, a so-called booting or boot, of the particular further control device, by this specific further control device. Lastly, the method also comprises activating the particular function application in the further control device in question.
Advantages and advantageous embodiments of the method correspond here to advantages and advantageous embodiments of the control system.
The features and feature combinations mentioned above in the description as well as the features and feature combinations mentioned below in the description of figures and/or shown in the figures alone are usable not only in the respectively specified combination, but also in other combinations without departing from the scope of the invention. Thus, implementations are also to be considered as encompassed and disclosed by the invention, which are not explicitly shown in the figures and explained, but arise from and can be generated by separated feature combinations from the explained implementations. Implementations and feature combinations are also to be considered as disclosed, which thus do not have all of the features of an originally formulated independent claim. Moreover, implementations and feature combinations are to be considered as disclosed, in particular by the implementations set out above, which extend beyond or deviate from the feature combinations set out in the relations of the claims.
Exemplary embodiments of the invention are explained in greater detail below with reference to one schematic drawing. The single figure shows a motor vehicle having one exemplary embodiment of a control system with multiple control devices.
The motor vehicle 1 shown in the figure includes a control system 2 having a central control device 3 and at least two, in the present case a plurality of, further control devices 4a, 4b, 4c. The further control devices 4a through 4c are designed for executing a function application 5a, 5b, 5c, respectively, which in each case is loaded into the corresponding control device 4a through 4c. In the present case, the further control devices 4a through 4c are coupled to the central control device 3 via a bus 6 of the motor vehicle 1, for example via an Ethernet. In the present case, the first further control device 4a is coupled to a camera 10, and is used here with the function application 5a to operate this camera, for example for a driver assistance functionality of the motor vehicle 1. The second further control device 4b in the present case is coupled to a driving motor 11 of the motor vehicle 1, and with the second function application 5b is used here for engine control. Within a field of application, a so-called domain, for example the driver assistance domain or the engine control domain, multiple further control devices may also be provided, each of which takes over different functionalities within the field of application in question.
The particular function applications 5a through 5c for the further control devices 4a through 4c are now centrally stored in the central control device 3. The further control devices 4a through 4c are appropriately designed for loading the appropriate function application 5a through 5c from the central control device 3 and subsequently activating it during a start-up or boot operation. Thus, during start-up the first further control device 4a loads the first function application 5a, the second further control device 4b loads the function application 5b, the third further control device 4c loads the corresponding function application 5c, and so forth.
The central control device 3 is equipped with a file system here, so that the corresponding function applications 5a through 5c, which in the present case are stored as binary files, may be efficiently stored, even when they have different sizes or their sizes change. Dynamic and flexible updating of the function applications 5a through 5c is thus made possible. In addition, in the present case a communication protocol is provided in the control system, and thus in the central control device 3 and the further control devices 4a through 4c, which offers the storing of the function applications 5a through 5c as a service within the control system, i.e., "data storage as service," in which the function applications 5a through 5c may be requested and transmitted, in the present case as binary files.
Furthermore, in the present case an update service, a signing or verification service, and an encryption service are also implemented in the central control device 3. For the update service, the central control device 3 has a wireless update interface 7 in the present case, via which update data and thus updated function applications may be retrieved from a computing device 9, for example a server, external to the vehicle by means of a wireless data connection 8, in the present case for example a mobile wireless connection. Simple updating of the further control devices 4a through 4c or of the corresponding function applications 5a through 5c is thus possible via the central control device 3. Due to the file system that is used in the central control device 3, varying sizes of the particular function applications 5a through 5c may also be processed without problems.
In addition, in the present case a verification service is also implemented in the central control device 3, so that, for example via the known encryption or signing algorithms with public and private keys, the further control devices 4a through 4c may identify the particular loaded function application 5a through 5c as originating from the central control device 3 and not being manipulated, and may thus execute them without a security risk. To further increase the security, appropriate encryption is also provided here, so that the particular further control device 4a through 4c is able to decrypt and thus execute in each case only its own function application 5a through 5c which is intended for it.
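The verify-then-decrypt start operation described above can be sketched as follows. This is an added illustration, not code from the patent or the applicant: a Lamport one-time signature over a single manifest stands in for the unspecified public/private key algorithm, a SHA-256 counter keystream stands in for a real cipher, and the manifest format, device keys and sample binaries are assumptions constructed for the example.

```python
import hashlib, hmac, json, os

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature: stand-in for the unspecified public/private key algorithm.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all([hmac.compare_digest(H(s), pk[i][b])
                for i, (s, b) in enumerate(zip(sig, bits(msg)))])

# SHA-256 counter keystream: stand-in for a real authenticated cipher.
def xor_stream(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = H(key + nonce + off.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(data[off:off + 32], pad))
    return bytes(out)

class CentralDevice:
    """Holds one encrypted binary per further control device plus one signed manifest."""
    def __init__(self, images, device_keys):
        sk, self.public_key = keygen()
        self.store, digests = {}, {}
        for dev, image in images.items():
            nonce = os.urandom(16)
            self.store[dev] = nonce + xor_stream(device_keys[dev], nonce, image)
            digests[dev] = H(self.store[dev]).hex()
        # Assumed manifest format: JSON map of device id -> digest of its encrypted binary.
        self.manifest = json.dumps(digests, sort_keys=True).encode()
        self.signature = sign(sk, self.manifest)  # one signature, so the key is used once

class BootError(Exception):
    pass

def boot(dev, device_key, pinned_pk, manifest, signature, blob):
    """Bootstrap loader: verify the manifest, match the image, only then decrypt."""
    if not verify(pinned_pk, manifest, signature):
        raise BootError("manifest signature invalid")
    want = json.loads(manifest).get(dev)
    if want is None or not hmac.compare_digest(want, H(blob).hex()):
        raise BootError("image is not the one signed for this device")
    return xor_stream(device_key, blob[:16], blob[16:])

def demo():
    keys = {d: os.urandom(32) for d in ("4a", "4b")}                   # constructed keys
    images = {"4a": b"camera-app-5a" * 5, "4b": b"engine-app-5b" * 5}  # constructed binaries
    c = CentralDevice(images, keys)
    def attempt(dev, manifest, blob):
        try:
            return boot(dev, keys[dev], c.public_key, manifest, c.signature, blob)
        except BootError as e:
            return "REJECTED: " + str(e)
    flipped = bytearray(c.store["4a"])
    flipped[20] ^= 1  # single bit changed in the stored binary
    return {
        "genuine": attempt("4a", c.manifest, c.store["4a"]),
        "tampered_image": attempt("4a", c.manifest, bytes(flipped)),
        "wrong_device_image": attempt("4a", c.manifest, c.store["4b"]),
        "edited_manifest": attempt("4a", c.manifest.replace(b'"4a"', b'"4x"'), c.store["4a"]),
        "images": images,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Because one signature covers the manifest for all further control devices, the loader in each device only needs the pinned public key of the central control device and its own decryption key.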

Claims

Patent Claims
1. A control system (2) for a motor vehicle (1), having a central control device (3) and at least two further control devices (4a-4c), wherein the further control devices (4a-4c) are designed for executing a function application (5a-5c) that is loaded into the corresponding control device (4a-4c) each,
characterized in that
the respective function applications (5a-5c) for the further control devices (4a-4c) are stored in the central control device (3), and during a start operation, the further control devices (4a-4c) are designed to load the corresponding function application (5a-5c) from the central control device (3) and subsequently activate it.
2. The control system (2) according to Claim 1,
characterized in that
the function applications (5a-5c) for the further control devices (4a-4c) are stored in a nonvolatile memory of the central control device (3), and the further control devices (4a-4c) do not have a nonvolatile memory that is suitable for storing the particular function application (5a-5c).
3. The control system (2) according to one of the preceding claims,
characterized in that
the function applications (5a-5c) are stored in the central control device (3) in a memory having a file system, so that for the further control devices (4a-4c), the function application (5a-5c) may in each case be stored in a variable file size.
4. The control system (2) according to one of the preceding claims,
characterized in that
in the central control device (3) and in the further control devices (4a-4c), an encryption process and/or a signing process are/is implemented for at least one of the particular function applications (5a-5c), in particular all function applications (5a-5c).
5. The control system (2) according to one of the preceding claims,
characterized in that
the further control devices (4a-4c) have a standardized bootstrap loader for loading the particular function application (5a-5c) from the central control device (3).
6. The control system (2) according to one of the preceding claims,
characterized in that
the function applications (5a-5c) are stored as binary files.
7. The control system (2) according to one of the preceding claims,
characterized in that
the central control device (3) and the further control devices (4a-4c) are coupled to one another via a data connection having a transmission rate of at least 100 Mbits, in particular at least 1 GBit.
8. The control system (2) according to one of the preceding claims,
characterized in that
the central control device (3) has an in particular wireless update interface (7) via which the function applications (5a-5c) stored in the central control device (3) are updatable.
9. The control system (2) according to Claim 8,
characterized in that
the function applications (5a-5c) are updatable via the wireless update interface (7) by means of a mobile wireless connection and/or a wireless local area network connection and/or a Bluetooth connection.
10. A motor vehicle (1) having a single control system (2) or multiple control systems (2) according to one of the preceding claims.
11. The motor vehicle (1) according to Claim 10, having a control system (2) according to Claim 8,
characterized in that
the function applications (5a-5c) stored in the central control device (3) are updatable when the motor vehicle (1) is being used as intended, in particular during driving operation of the motor vehicle (1).
12. A method for operating a control system (2) for a motor vehicle (1), wherein the control system (2) has a central control device (3) and at least two further control devices (4a-4c) which are designed for executing a function application (5a-5c) that in each case is loaded in the corresponding further control device (4a-4c), comprising the method steps:
- storing the particular function application (5a-5c) for the further control devices (4a-4c) in the central control device (3);
- automatically loading the particular function application (5a-5c) from the central control device (3) into the particular further control device (4a-4c) during a start operation of the further control device (4a-4c), by the further control device (4a-4c);
- activating the particular function application (5a-5c) in the further control device (4a-4c) in question.
PCT/EP2017/083273 2017-01-04 2017-12-18 Control system for a motor vehicle, with a central control device and multiple further control devices WO2018127393A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017100116.6 2017-01-04
DE102017100116.6A DE102017100116A1 (en) 2017-01-04 2017-01-04 Control system for a motor vehicle having a central control unit and a plurality of further control units

Publications (1)

Publication Number Publication Date
WO2018127393A1 true WO2018127393A1 (en) 2018-07-12

Family

ID=61054312

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2017/083273 WO2018127393A1 (en) 2017-01-04 2017-12-18 Control system for a motor vehicle, with a central control device and multiple further control devices

Country Status (2)

Country Link
DE (1) DE102017100116A1 (en)
WO (1) WO2018127393A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2595509A (en) * 2020-05-29 2021-12-01 Continental Automotive Gmbh Computer secure boot method and system

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102022128183B3 (en) 2022-10-25 2023-12-07 Audi Aktiengesellschaft Method for starting a data processing device, data processing device and motor vehicle

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020016652A1 (en) * 2000-05-31 2002-02-07 Hans Heckmann System for controlling/regulating the operational sequences in a motor vehicle and a method for starting such a system
US20060041338A1 (en) * 2004-07-24 2006-02-23 Markus Fislage System and method for controlling or regulating the operational sequences in a vehicle
EP2477421A1 (en) 2011-01-14 2012-07-18 Cisco Technology, Inc. System and method for packet distribution in a vehicular network environment
DE10348362B4 (en) 2002-10-18 2014-10-09 Denso Corporation Integrated vehicle control system

Also Published As

Publication number Publication date
DE102017100116A1 (en) 2018-07-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17835827

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17835827

Country of ref document: EP

Kind code of ref document: A1