CN111480141A - Method and device for updating software of a motor vehicle control device - Google Patents


Info

Publication number: CN111480141A
Authority: CN (China)
Prior art keywords: vehicle control, control device, motor vehicle, updating, code
Legal status: Pending
Application number: CN201880082909.2A
Other languages: Chinese (zh)
Inventors: D.克里普纳, A.海尔, M.斯普劳
Current assignee: Robert Bosch GmbH
Original assignee: Robert Bosch GmbH

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING (parent of all entries below)
    • G06F8/00 Arrangements for software engineering > G06F8/60 Software deployment > G06F8/65 Updates
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2105 Dual mode as a secondary aspect
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2107 File encryption

Abstract

The method for updating the software of at least one vehicle control device (4, 6, 8) installed in a vehicle (2) comprises the following steps: (A) transmitting a preparation command, in particular a command for stopping the motor vehicle (2), from the updating device (12a, 12b) to the motor vehicle control device (4, 6, 8); (B) transmitting an acknowledgement message by the motor vehicle control device (4, 6, 8); (C) transmitting the new software from the updating device (12a, 12b) to the vehicle control device (4, 6, 8); (D) querying the characteristic values of one or more vehicle control devices (4, 6, 8) built into the vehicle (2); (E) calculating an activation code from the queried feature values; (F) using the calculated activation code for subsequent communication with a motor vehicle control device (4, 6, 8) in which the vehicle function has been blocked; and (G) the command for re-establishing the driving readiness of the motor vehicle (2) is only executed by the motor vehicle control device (4, 6, 8) after the motor vehicle control device (4, 6, 8) has checked directly or indirectly that a correct activation code is present.

Description

Method and device for updating software of a motor vehicle control device
Technical Field
The invention relates to a method and a device for updating the software of at least one motor vehicle control device installed in a motor vehicle.
Background
Updating the software of motor vehicle control units is subject to conflicting demands: on the one hand, the control units must satisfy safety requirements ("safety goals") up to ASIL-D (ISO 26262); on the other hand, diagnostic testers or other external devices are used to update their software, and these may contain complex programs and pre-existing software, so that compliance with the ASIL safety goals is difficult to demonstrate when those goals are affected.
However, the use of such components is permissible if freedom from interference in the sense of ISO 26262-1:2011, § 1.49 (Rückwirkungsfreiheit) has been demonstrated.
In a simple case, end-to-end protection is therefore used: the ASIL-compliant target control unit tests itself after the update and only activates if the result shows that the software update did not proceed incorrectly.
In modern motor vehicles, a plurality of vehicle control devices generally act closely together: the engine control device may have a function of limiting the maximum speed, for example. For this purpose, the engine control device obtains information about the vehicle speed from the ESP control device.
Additionally, the gear currently being shifted to is queried by the gearbox control device so that the engine control device can perform a plausibility check of the vehicle speed based on the shifted gear and the engine speed.
However, the "simple" self-check of the updated vehicle control device described above cannot reliably detect incompatible configurations of the overall system that result from the update.
Disclosure of Invention
The object of the invention is therefore to provide a method and a device for the secure updating of the software of at least one vehicle control device installed in a motor vehicle. In particular, the aim is to ensure that the overall configuration of all vehicle control units installed in a motor vehicle is compatible and safe to operate after a software update.
According to one embodiment of the invention, a method for updating software of at least one vehicle control device installed in a motor vehicle comprises at least the following steps:
(A) transmitting a preparation command, in particular a command for blocking at least one function of the motor vehicle, from the updating device to at least one motor vehicle control device;
(B) transmitting a confirmation message confirming the execution of the preparation command from the motor vehicle control device to the updating device;
(C) transmitting the new software from the updating device to at least the vehicle control device and installing the new software on the at least one vehicle control device;
(D) querying one or more vehicle control devices built into the vehicle for characteristic values, in particular software version numbers, associated with the software;
(E) calculating an activation code from the queried feature values;
(F) using the activation code, the updating device communicates with a vehicle control device that has blocked at least one vehicle function, the communication being designed such that the vehicle control device reliably detects if the updating device does not hold the correct activation code;
(G) the command for reactivating the at least one blocked function of the motor vehicle is only executed by the motor vehicle control device after it has checked and confirmed directly or indirectly that a correct activation code is present.
According to one embodiment of the invention, an updating device for updating software of a motor vehicle control device installed in a motor vehicle comprises: a storage device configured to store software to be updated; a transmitting device, which is designed to transmit a preparation command, in particular a command for blocking the motor vehicle, to the motor vehicle control unit; and a receiving device, which is designed to receive a confirmation message that confirms the execution of the received preparation command by the motor vehicle control unit.
The transmission device is designed to transmit the software to be updated to the vehicle control unit. The receiving device is designed to receive characteristic values of one or more vehicle control devices, in particular the current software version number, which are associated with the software. The updating device has a computing means configured to compute the activation code from the received characteristic value; and the transmitting device is designed to communicate with at least one other vehicle control unit using the activation code.
The motor vehicle control device is configured according to an embodiment of the invention to cooperate with the updating device in order to carry out the method according to an embodiment of the invention. To this end, the motor vehicle control device comprises in particular: a receiving device, which is designed to receive a preparation command, in particular a command for stopping the motor vehicle, from the updating device; and a transmitting device, which is designed to transmit a confirmation message that confirms the execution of the received preparation command by the motor vehicle control unit. The transmitting means are designed to transmit characteristic values associated with the software, in particular the current software version number, to the updating device. The receiving means is configured to communicate with the update device. The vehicle control device also has a comparison and authorization device which is designed to validate the received message and to reestablish the driving readiness of the vehicle only after the validation has been successfully completed.
In this case, not all functions need to be present in all vehicle control devices. In particular, the transmission device of the motor vehicle control unit, which processes the instructions for blocking, does not necessarily have to be designed to transmit software-related characteristic values, in particular the current software version number, to the updating device. This function only has to be present in the motor vehicle control device to be updated.
The function for blocking the motor vehicle and the comparison and authorization device need only be implemented in a motor vehicle control unit in the vehicle.
The activation code is not held on the updating device but is calculated from feedback from the surroundings (other vehicle control devices, the backend, driver interaction, hotline support, etc.).
The decision on reactivating the vehicle functions is thus transferred from the updating device to the other vehicle control devices: the updating device calculates an activation code from the feedback of the other vehicle control devices and uses this code, in particular, to reactivate the vehicle functions. The correct code is not known to the updating device in advance, so no (potentially erroneous) decision can be made in the updating device.
The activation code is calculated by the updating device, in particular on the basis of data queried from the updated (reprogrammed) vehicle control device.
If at least one of the vehicle control devices has not been successfully updated and/or is not in the expected state, the at least one vehicle control device provides different data, on the basis of which the updating device calculates a different activation code, which subsequently leads to a rejection when an attempt is made to reactivate the vehicle function.
The basic idea of the invention is that the activation code is not compared with a reference value by the updating device. In such a scheme the comparison could be skipped due to an error, or its result could be interpreted incorrectly, so that the updating device would have an effect on the vehicle function.
The updating device may retain the result of the one-way function of the activation code and check in advance before steps (F) and (G) whether the reestablishment of the blocked vehicle function will succeed. In particular, hash functions such as MD4, MD5, SHA1 or SHA256 may be used for this purpose.
In step (F), the activation code can be sent, in particular directly as a value, to the device that has blocked the vehicle function. This value can be, inter alia, the service ID ("SID") or used as a parameter within the framework of UDS communication (ISO 14229: 2013). The activation code must then be validated on the device, for example by comparison with a reference code or by checking whether the result of the one-way function corresponds to a reference value.
As one-way functions, it is possible in particular to use MD4, MD5, SHA1 or the product of two (prime) numbers.
The activation code may, in particular, be implemented according to UDS Security Access (see ISO 14229-1:2013, § 9.4, service 0x27) or according to ASAM XCP MCD-1 "UNLOCK".
Alternatively, the activation code may be used in step (F) to decrypt a program containing the algorithms and instructions required for communication. The encryption does not have to provide cryptographic security; it is sufficient that the updating device cannot obtain the unencrypted program without knowing the activation code. AES256 is an example of a cryptographically secure encryption algorithm, while DES or RC4 are examples of algorithms that do not provide cryptographic security. Algorithms without cryptographic security generally require less computing time, which may be necessary depending on the application.
Encryption has inter alia the following advantages: any complex algorithm can be used to reactivate the vehicle function without modification, and nevertheless, by encryption, it is ensured that no part of the algorithm can be triggered in the absence of the activation code. In particular, this makes it possible to communicate with each vehicle control unit.
The check performed in step (G) may be implemented as a simple comparison with a reference code: the updating device transmits the calculated activation code to a motor vehicle control device, which compares the activation code with a reference code.
However, a one-way function may also be used. In that case the comparing unit likewise knows only the result of this function: the motor vehicle control device calculates the result of the one-way function with the activation code as one or more input variables. If the result matches the reference value, the activation code is correct.
Both described methods are direct checks: the activation code is transmitted to the vehicle control unit and checked there.
The check can also be implemented within the framework of existing authentication mechanisms, in particular UDS Security Access or XCP UNLOCK. In the motor vehicle control device, authentication is carried out according to the prior art, but (unlike the prior art) the algorithms required on the updating device are stored such that they can only be used if the correct activation code is present.
In a further variant for indirect testing, a program (instructions, algorithms) is stored encrypted, which is executed by the updating device for communication with the vehicle control unit. The activation code is used as a decryption key, and the updating device only accesses the required instructions through decryption. If the motor vehicle control device receives the correct command or a command with the correct parameters from the updating device, it is indirectly verified that the updating device already has the correct activation code.
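As an added illustration (not code from the patent), the following Python simulation runs steps (A) to (G) with three constructed control units and shows the direct check with a one-way function described above: the blocking unit holds only the one-way image of the correct activation code, the updating device derives the code from the queried software versions, and a unit left un-updated yields a different code that the blocking unit rejects. The unit names, version strings and the `reference_for` provisioning step are assumptions.

```python
import hashlib


def one_way(*parts: str) -> str:
    """One-way function over the joined parts; SHA-256 is one of the
    functions the description names for this purpose."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class ControlUnit:
    """A vehicle control unit whose software version is its characteristic value."""

    def __init__(self, name: str, version: str) -> None:
        self.name = name
        self.version = version
        self.blocked = False

    def prepare(self) -> str:
        # Steps (A)/(B): execute the preparation command and acknowledge it.
        self.blocked = True
        return f"ACK:{self.name}:blocked"

    def install(self, version: str) -> None:
        # Step (C): the new software changes the unit's characteristic value.
        self.version = version

    def characteristic_value(self) -> str:
        # Step (D): answer the updating device's query.
        return f"{self.name}={self.version}"


class BlockingUnit(ControlUnit):
    """The unit that blocked the function and alone decides on reactivation.
    It stores only the one-way image of the correct activation code (a
    reference value for the expected target configuration), never the code."""

    def __init__(self, name: str, version: str, reference_value: str) -> None:
        super().__init__(name, version)
        self.reference_value = reference_value

    def reactivate(self, activation_code: str) -> bool:
        # Step (G): compare the one-way image of the presented code with the
        # reference; a wrong code leaves the function blocked.
        if one_way(activation_code) != self.reference_value:
            return False
        self.blocked = False
        return True


def compute_activation_code(units) -> str:
    # Step (E): derive the code from every queried characteristic value, so a
    # unit left in an unexpected state produces a different code.
    values = sorted(u.characteristic_value() for u in units)
    return one_way("activation", *values)


def reference_for(target_versions: dict) -> str:
    # Constructed: the one-way image of the code that the intended final
    # configuration yields; provisioned to the blocking unit with the update.
    values = sorted(f"{n}={v}" for n, v in target_versions.items())
    return one_way(one_way("activation", *values))


def run_update(engine_version: str, gearbox_update_ok: bool) -> dict:
    """Runs steps (A)-(G) on three constructed units; the gearbox flag
    simulates a second unit that was or was not successfully updated."""
    target = {"engine": "2.0", "esp": "1.3", "gearbox": "2.0"}
    reference = reference_for(target)
    engine = BlockingUnit("engine", "1.0", reference)
    esp = ControlUnit("esp", "1.3")
    gearbox = ControlUnit("gearbox", "1.9")
    units = [engine, esp, gearbox]

    ack = engine.prepare()                       # (A), (B)
    engine.install(engine_version)               # (C)
    if gearbox_update_ok:
        gearbox.install("2.0")
    code = compute_activation_code(units)        # (D), (E)
    # The updating device may hold the one-way image to predict whether (G)
    # will succeed; it still cannot reconstruct the correct code from it.
    precheck = one_way(code) == reference
    reactivated = engine.reactivate(code)        # (F), (G)
    return {"ack": ack, "precheck": precheck,
            "reactivated": reactivated, "still_blocked": engine.blocked}


if __name__ == "__main__":
    print(run_update("2.0", True))    # success: function reactivated
    print(run_update("2.0", False))   # gearbox not updated: stays blocked
```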
In one embodiment, the key (hereinafter "key B") is transmitted by the vehicle control unit upon successful blocking of the vehicle function.
Key B is required if, in addition to preventing erroneous reactivation of the vehicle function, it must also prove impossible to initiate reprogramming incorrectly (point (C) in the disclosure of the invention).
In one embodiment, key B is calculated from a key A, which has previously been transmitted from the updating device to the vehicle control device.
The use of the key A, which has been transmitted beforehand from the updating device to the vehicle control device, has the advantage that key B is no longer constant. Thus, an old confirmation message stored by mistake is unlikely to result in an impermissible start of reprogramming.
In addition, the at least one vehicle control device mentioned in step (A) can store the key A for a long period of time and in this way reliably recognise and reject old keys. The key may also be digitally signed so that the updating device cannot falsely block vehicle functions.
It is also possible for key A to be sent either before or after the instruction for blocking the at least one vehicle function. Key B may also be sent after the message on successful blocking.
It is also possible for the vehicle control device to always calculate key B from key A and to add the blocking state to this calculation when the vehicle function is blocked. This has the advantage that both states can be reliably incorporated, for example, into the activation code. In this context, "reliable" means that errors in the updating device always lead to a different code (activation code, unlocking code, start code, "code n"), and these errors can then be noticed by the vehicle control device.
In this case, only the blocking state needs to be added to key B, in an arbitrary form. In particular, the motor vehicle control unit can respond to queries for key B with fault reports in the normal state and only answer these queries if at least one vehicle function is blocked. Alternatively, the algorithm for calculating key B may be designed such that the blocked vehicle function enters key B as a parameter.
In order to avoid incorrect programming, a code (the start code) can be calculated by the updating device from the data (characteristic values) queried from the vehicle control device, in particular from key B. This start code may then be used in step (C). This has the advantage that the SW update process cannot be started without blocking the vehicle function beforehand.
The start code is used in the same way as the activation code: in particular, the command for executing the SW update can be decrypted by means of the start code, the new SW to be installed can be decrypted by means of the start code, the start code can be passed as a parameter or command to the motor vehicle control device, and/or the start code can be used for authentication.
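The following Python model, added here and not part of the patent, works through the key A / key B / start code mechanism of this section: key B is only handed out in the blocked state, a re-sent (old) key A is recognised and rejected, and reprogramming without the correct start code is refused. The HMAC derivation of key B, the per-unit secret and the version strings are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional


def one_way(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class ControlUnit:
    """Control unit that hands out key B only while a vehicle function is
    blocked and refuses reprogramming without the matching start code.
    SECRET is a constructed per-unit secret (protected memory on a real unit)."""

    SECRET = b"constructed-ecu-secret"

    def __init__(self, version: str) -> None:
        self.version = version
        self.blocked = False
        self.current_key_a: Optional[str] = None
        self.seen_keys_a: set = set()      # long-term memory of used keys A
        self.installed: Optional[str] = None

    def block(self, key_a: str) -> bool:
        # Preparation command carrying key A; a previously seen key A is an
        # old message and is rejected.
        if key_a in self.seen_keys_a:
            return False
        self.seen_keys_a.add(key_a)
        self.current_key_a = key_a
        self.blocked = True
        return True

    def key_b(self) -> Optional[str]:
        # Key B = f(key A, blocked state). In the normal state the query is
        # answered with a fault report, modelled here as None.
        if not self.blocked:
            return None
        msg = f"{self.current_key_a}|blocked".encode()
        return hmac.new(self.SECRET, msg, hashlib.sha256).hexdigest()

    def _expected_start_code(self) -> str:
        # The unit recomputes the start code from its own key B and version.
        return one_way("start", self.key_b() or "", self.version)

    def program(self, start_code: str, new_version: str) -> bool:
        # Step (C) is carried out only in the blocked state with the right code.
        if not self.blocked or start_code != self._expected_start_code():
            return False
        self.installed = new_version
        return True

    def unblock(self) -> None:
        self.blocked = False


class UpdatingDevice:
    """Holds no reference value: it derives the start code from whatever the
    control unit reports and cannot tell by itself whether it is correct."""

    def fresh_key_a(self) -> str:
        return os.urandom(8).hex()

    def start_code(self, key_b: Optional[str], version: str) -> str:
        return one_way("start", key_b or "", version)


def update_with_blocking(ecu: ControlUnit, dev: UpdatingDevice) -> bool:
    key_a = dev.fresh_key_a()
    if not ecu.block(key_a):
        return False
    code = dev.start_code(ecu.key_b(), ecu.version)   # key B queried in step (D)
    return ecu.program(code, "2.0")


def update_without_blocking(ecu: ControlUnit, dev: UpdatingDevice) -> bool:
    # Error case: the device skips the preparation command, so no key B is
    # available, the derived start code is wrong and programming is refused.
    code = dev.start_code(ecu.key_b(), ecu.version)
    return ecu.program(code, "2.0")


def replay_old_key_a(ecu: ControlUnit, old_key_a: str) -> bool:
    # Error case: a stored old key A is re-sent; the unit recognises it.
    return ecu.block(old_key_a)


if __name__ == "__main__":
    ecu, dev = ControlUnit("1.0"), UpdatingDevice()
    print("without blocking:", update_without_blocking(ecu, dev))   # False
    print("with blocking:", update_with_blocking(ecu, dev))         # True
    print("replayed key A:", replay_old_key_a(ecu, ecu.current_key_a))  # False
```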
In another embodiment, the method comprises: the software of a plurality of vehicle control devices is updated. In this case, an SW update for the (n + 1) th motor vehicle control unit is carried out using a code ("code n"), which is calculated in particular from the feedback of the (n) th motor vehicle control unit, the software of which has been updated. Since the code containing the data of the nth motor vehicle control device is present only when the motor vehicle control device has been successfully updated and when the code is used for updating the (n + 1) th motor vehicle control device, it is ensured that the motor vehicle control devices can only be updated in a predetermined sequence.
After the software of all the vehicle control devices to be updated has been updated, the characteristic values and/or the memory contents of all the updated vehicle control devices can be checked once more in order to verify the final configuration. This step is not strictly necessary, since the last vehicle control device is only updated if all the other vehicle control devices have been successfully updated beforehand. It may nevertheless be advantageous to conduct the dialogue with all the vehicle control units again, for example so that the same software module can always be used for this step. In particular, dialogues with vehicle control units that have not been updated are also possible.
For the use of this code, the same scheme can be used as for the start code and the activation code: in particular, commands can be decrypted with these codes, the codes can be sent as parameters or commands to the vehicle control unit, and/or they can be used for authentication.
The transmission between the updating device and the at least one vehicle control device can also be effected via a gateway connected therebetween. In one aspect, the gateway may be configured to filter disallowed messages; alternatively, the gateway may connect the wireless interface with the wired interface.
Impermissible messages may be, for example, messages that contain the engine rotational speed or the vehicle speed: such messages may only be transmitted by the responsible vehicle control device. The gateway can thus prevent the updating device from interfering with the vehicle functions. To determine whether a message is permissible, the gateway may analyse, among other things, the CAN message identifier, the source or destination IP address (e.g. according to IPv6, RFC 2460), the source or destination port (e.g. according to TCP, RFC 793), and/or the direction from which the gateway received the message. It may also be impermissible for the updating device to send too many messages, since the resulting bus load may lead to disturbances in the vehicle functions.
In one embodiment, the gateway must be unlocked by the updating device before the gateway transmits data between the updating device and the at least one vehicle control device. In particular, the gateway may be configured such that the gateway does not forward messages required for reprogramming, such as UDS Programming sessions (ISO 14229-1:2013, § 9.2.2.2), when operating normally. For unlocking, a code ("gateway unlocking code") can be used which is not initially present on the diagnostic test device, but which is calculated, in particular, on the basis of communication with the at least one vehicle control device. In particular, the key B mentioned before can be added to the gateway unlock code. The gateway unlock code may be the same as the start code. But it is also possible: the two codes are different. In particular, the feedback of the gateway may also incorporate a start code.
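As an added example (not the patent's own design), the following Python gateway model applies the filtering rules of this section to constructed CAN identifiers: identifiers owned by a control unit are dropped when they arrive from the updating device, the updating device's message rate is capped, and a UDS programming-session request (service 0x10, sub-function 0x02) is forwarded only after the gateway has been unlocked with a code derived from key B. The identifier values, the rate limit and the derivation of the unlock code are assumptions.

```python
import hashlib
from collections import deque
from typing import Tuple

UDS_DIAGNOSTIC_SESSION_CONTROL = 0x10
UDS_PROGRAMMING_SESSION = 0x02      # sub-function of service 0x10 (ISO 14229-1)

# Constructed CAN identifiers: IDs that only the responsible unit may send.
OWNED_IDS = {0x0C0: "engine", 0x1A0: "esp"}    # engine speed, vehicle speed
UPDATER_REQUEST_ID = 0x7E0                     # the only ID the updater may use


def one_way(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def gateway_unlock_code(key_b: str) -> str:
    # The unlock code is not stored on the updating device; it is derived from
    # the control unit's feedback (key B), as the description allows.
    return one_way("gateway-unlock", key_b)


class Gateway:
    """Forwards messages between the updating device ('updater' side) and the
    vehicle bus (named control units) and drops impermissible ones."""

    def __init__(self, unlock_reference: str, max_msgs: int = 5,
                 window_ms: int = 100) -> None:
        self.unlock_reference = unlock_reference   # one-way image of the code
        self.unlocked = False
        self.max_msgs = max_msgs
        self.window_ms = window_ms
        self.recent: deque = deque()               # updater message timestamps

    def unlock(self, code: str) -> bool:
        self.unlocked = one_way(code) == self.unlock_reference
        return self.unlocked

    def forward(self, source: str, can_id: int, data: bytes,
                t_ms: int) -> Tuple[bool, str]:
        """Returns (forwarded, reason). Direction, identifier, content and
        message rate are evaluated, as the description lists."""
        if source == "updater":
            if can_id in OWNED_IDS:
                return False, f"id 0x{can_id:03X} reserved for {OWNED_IDS[can_id]}"
            if can_id != UPDATER_REQUEST_ID:
                return False, "id not permitted from updating device"
            is_programming_request = (
                len(data) >= 2
                and data[0] == UDS_DIAGNOSTIC_SESSION_CONTROL
                and (data[1] & 0x7F) == UDS_PROGRAMMING_SESSION)
            if is_programming_request and not self.unlocked:
                return False, "programming session requires gateway unlock"
            # Bus-load limit: at most max_msgs updater messages per window.
            while self.recent and t_ms - self.recent[0] >= self.window_ms:
                self.recent.popleft()
            if len(self.recent) >= self.max_msgs:
                return False, "bus load limit exceeded"
            self.recent.append(t_ms)
            return True, "forwarded"
        # Vehicle side: an owned ID is only accepted from its owner.
        if can_id in OWNED_IDS and OWNED_IDS[can_id] != source:
            return False, f"id 0x{can_id:03X} not from {OWNED_IDS[can_id]}"
        return True, "forwarded"


if __name__ == "__main__":
    key_b = "constructed-key-b"
    gw = Gateway(one_way(gateway_unlock_code(key_b)))
    print(gw.forward("updater", 0x0C0, b"\x12\x34", 0))           # dropped
    print(gw.forward("updater", 0x7E0, bytes([0x10, 0x02]), 0))   # needs unlock
    print(gw.unlock(gateway_unlock_code(key_b)))                  # True
    print(gw.forward("updater", 0x7E0, bytes([0x10, 0x02]), 0))   # forwarded
```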
In one embodiment, the step of transmitting the calculated activation code to the vehicle control unit also comprises transmitting key A and/or key B, and the step of validating comprises evaluating all values (activation code and/or key A and/or key B). Mixed forms are also possible: for example, the activation code is used for decryption and key A is transmitted. Transmitting key A and/or key B may be advantageous if key A and/or key B cannot or should not be stored on the motor vehicle control device that has blocked at least one vehicle function.
In one embodiment, blocking the motor vehicle comprises activating an anti-theft lock and/or disabling the starter and/or the fuel pump. In this way, the motor vehicle can be reliably immobilised.
In one embodiment, the method comprises: these codes (activation code, unlocking code, start code, "code n") are additionally calculated as a function of the contents of at least one section of the memory of the motor vehicle control unit. In this way, it is also possible to better check whether the software update was successful, since errors which lead to different memory contents can be reliably identified.
To confirm a successful update, additional protection may be used; such protection may include, for example:
- writing data and reading it back;
- reading data not only by "ReadMemoryByAddress" but also by "ReadDataByIdentifier" (ISO 14229: 2013);
- reading not only the (flash) memory of the respective vehicle control device but additionally querying a calculation result of the respective vehicle control device.
It is also possible to query the same data several times in order to protect against disturbed bus messages.
In one embodiment, the query for feature values comprises: one or more characteristic values of the vehicle control device are queried, which cooperate during operation with the vehicle control device whose software has been updated. In this way it is ensured that: all vehicle control devices which cooperate with one another during operation are equipped with compatible software versions, so that they can cooperate without problems.
In one embodiment, the communication between the updating device and the vehicle control device takes place encrypted. As a result, unauthorized modification at the motor vehicle control device is prevented or at least made significantly more difficult.
In one embodiment, the query for feature values comprises querying data from at least one external backend system, for example a server of the manufacturer of the vehicle or of the motor vehicle control device. This makes it easier to exclude unauthorised manipulation and enables complete documentation of the changes made, in particular of the final or target state of the motor vehicle control unit.
In a further embodiment, two procedures for re-establishing the driving readiness of the motor vehicle by the motor vehicle control device are provided on the updating device: a first procedure, which requires an activation code that can be calculated in the event of a successful update, and a second procedure, which requires an activation code calculated from backend and/or hotline feedback and which then activates the emergency operation of the vehicle. This has the advantage that, on the one hand, accidental activation of emergency operation is not possible and, on the other hand, the vehicle does not become entirely unusable if the update fails.
In one embodiment, the method comprises: the user input (driver interaction), the vehicle chassis number and/or the vehicle identification code are additionally included in the calculation of the activation code. In this way it is ensured that: the vehicle is reactivated only if the user has confirmed that the software update and/or the newly loaded software is compatible with the corresponding vehicle (model).
In one embodiment, the interface for transmitting data between the updating device and the vehicle control device is designed as a wired interface. The wired interface enables reliable data transmission and can be implemented cost-effectively. The wired interface can be designed as a standardized interface, in particular as an OBD/OBD2 interface.
Alternatively, the interface can be designed as a wireless interface. The wireless interface enables particularly convenient data transmission, since no cables have to be laid and connected, and can be established in particular as a WLAN or Bluetooth® connection.
Alternatively, the known concept of communicating with a watchdog module can be used for the communication between the updating device and the motor vehicle control device. The vehicle control unit can, for example, take note of the minimum and maximum permitted times and reject messages arriving outside said times. The updating device can also use the wrong code in a targeted manner and then incorporate a negative response code of the respective vehicle control device into the other code.
The updating device can be a dedicated vehicle control device, but it can also be a software module in a vehicle control device. The updating device may also be designed, for example, as a virtual machine on an existing vehicle control unit. The virtual machine has the advantage that a small, ISO 26262-compliant hypervisor can enforce the boundary conditions. For example, the virtual machine may contain no writable non-volatile memory, and the hypervisor erases the volatile memory at the end of the update or when the update is interrupted. This prevents old acknowledgement messages, old key values or activation codes from leading to impermissible repetitions.
The invention is based on the recognition that updating the software of a motor vehicle control unit or of a complex of motor vehicle control units is a variant of the "mobile agent" / "hostile host" configuration:
the "mobile agent" is the program for updating the software;
the "hostile host" is the updating device on which the program for updating the software runs.
The updating device may be a real "hostile host", for example when an end customer's smartphone, tablet PC or laptop is used as the updating device.
For the implementation, algorithms known from the literature as "mobile cryptography" can therefore be used in order to achieve the demonstrable freedom from interference. These include in particular "environmental key generation", and "homomorphic encryption" is also used.
Hereinafter, embodiments of the present invention are described with reference to the accompanying drawings.
Drawings
Fig. 1a shows a motor vehicle with a plurality of motor vehicle control devices and an external updating device.
Fig. 1b shows a motor vehicle with a plurality of motor vehicle control devices and interior updating devices.
Fig. 2 shows an enlarged schematic view of an external updating device.
Fig. 3 shows an enlarged schematic view of an internal updating device.
Fig. 4 shows an enlarged schematic illustration of a motor vehicle control device.
Fig. 5 shows a schematic representation of a flowchart of a method for updating software of at least one vehicle control device installed in a motor vehicle according to an exemplary embodiment of the present invention.
Detailed Description
Fig. 1a shows a motor vehicle 2 having a plurality of motor vehicle control devices 4, 6, 8, at least one of which is supplied ("updated") with new software by means of an external updating device 12a.
Fig. 1b shows a motor vehicle 2 having a plurality of motor vehicle control devices 4, 6, 8, at least one of which is supplied ("updated") with new software by means of an internal updating device 12b.
Fig. 2 shows an enlarged schematic view of the external updating device 12a. The external updating device 12a may be, for example, a correspondingly equipped automotive diagnostic tester or a user's smartphone/tablet PC/laptop on which appropriate software ("App") is installed.
Fig. 3 shows an enlarged schematic view of the internal updating device 12b. The internal updating device 12b can be a vehicle control device 4, 6, 8 built into the vehicle 2 for this purpose or a module in an existing vehicle control device 4, 6, 8. The internal updating device 12b can also be a software module in the motor vehicle control device 4, 6, 8. The internal updating device can in particular be designed as a virtual machine on an existing motor vehicle control device 4, 6, 8. The virtual machine has the advantage that a small, ISO 26262-compliant hypervisor 38 can enforce the boundary conditions.
Fig. 4 shows an enlarged schematic illustration of the motor vehicle control device 4.
The updating devices 12a, 12b each have a transmitter 17 and a receiver 18, which are connected via a wireless or wired data connection 10 to a transmitter 30 and a receiver 28 of at least one of the vehicle control devices 4, 6, 8.
The wired data connection 10 can be established, for example, via a standardized interface 16 present in the motor vehicle 2, in particular an OBD/OBD2 interface 16. The wireless data connection 10 can be established, for example, via a WLAN or Bluetooth® connection.
The transmission between the updating device 12a, 12b and the at least one vehicle control device 4, 6, 8 can also take place via a gateway 34 connected therebetween. In one aspect, the gateway 34 may be configured to filter disallowed messages; alternatively, the gateway 34 may connect a wireless interface with a wired interface.
The vehicle control devices 4, 6, 8 can exchange data with one another via a data line 18, in particular a data bus 18, or wirelessly.
The sequence of a method according to one exemplary embodiment of the present invention for updating the software of at least one of the vehicle control units 4, 6, 8 installed in the motor vehicle 2 is schematically illustrated in fig. 5.
In a first step 110, the updating device 12a, 12b receives the task of updating the software of at least one of the motor vehicle control devices 4, 6, 8 via the input means 14 or via an interface 15 provided on the updating device 12a, 12b, in particular a mobile radio, WLAN, Bluetooth or USB interface 15.
The new software to be transmitted to the at least one vehicle control device 4, 6, 8 is either stored in the memory device 13 of the updating device 12a, 12b or transmitted to the updating device 12a, 12b via an interface 15, for example from a USB memory device ("USB stick", "flash drive"), and if necessary (temporarily) stored in the memory device 13.
Optionally, the software may be present in encrypted form, so that it must be decrypted before it can be used. In particular, in this case the updating device 12a, 12b need not (itself) know the key required for decrypting the software.
The updating device 12a, 12b then sends (in step 120) a command to at least one of the vehicle control devices 4, 6, 8 in order to stop or block the vehicle 2 for the duration of the software update. The command can comprise, for example, activating the immobilizer 20 of the motor vehicle 2 and/or blocking the starter 22 and/or the fuel pump 24 of the motor vehicle 2.
In this context, "blocking" the motor vehicle 2 can also mean placing it in an "emergency operating state" in which, for example, only limited engine power is available, and/or activating a warning signal indicating that certain functions of the motor vehicle 2, such as ABS or ESP, are not available.
It is also possible to prevent operation of the motor vehicle 2 completely at first and to place it in the emergency operating state only after a predefined time period has expired, so that, for example, if the software update cannot be completed successfully, the motor vehicle 2 can still be driven to a (different) workshop.
Activating the "emergency operating state" can require a user input by which the user confirms that he is aware that the motor vehicle 2 is in a restricted emergency operating state in which not all functions are available. The motor vehicle 2 is not activated in the emergency operating state until the user has confirmed this.
Optionally, a key ("key A") can be transmitted to the relevant motor vehicle control device 4, 6, 8 together with the command for blocking the motor vehicle 2.
Once the vehicle control device 4, 6, 8 has executed the command for blocking the vehicle 2, it sends a confirmation message to the updating device 12a, 12b in step 130 confirming that the command has been executed.
The vehicle control device 4, 6, 8 can likewise issue a key B, which has been calculated in the vehicle control device 4, 6, 8, to the updating device 12a, 12b. If key A has already been transmitted to the vehicle control device 4, 6, 8 beforehand (in step 120), key B can in particular be calculated from key A.
The algorithm for calculating key B, or at least the parameters that enter into the calculation, are known to the updating device 12a, 12b but not to the vehicle control device 4, 6, 8.
The motor vehicle control device 4, 6, 8 can be designed such that key B is transmitted only when at least one vehicle function has been blocked; if the function has not been blocked, a fault report is sent instead. Alternatively, providing key B can be an always active function, with "is the vehicle blocked" being a parameter that enters into the calculation of this key.
The computing device 26 present in the updating device 12a, 12b calculates the code from the data (characteristic values) queried from the motor vehicle control device 4, 6, 8 (step 130). The computing device 26 can be implemented in hardware or software. In particular, key B can also enter into the calculation.
The query for data (characteristic values) can also include a query to at least one external backend system 40, for example a server of the manufacturer of the motor vehicle 2 or of the motor vehicle control devices 4, 6, 8, in order to exclude unauthorized manipulation and to allow complete documentation of the changes made, in particular of the final or target state of the motor vehicle control devices 4, 6, 8.
If the new software is stored in encrypted form on the updating device 12a, 12b, this code can be used, among other things, to decrypt the software (step 140). The encryption of the software need not necessarily be cryptographically secure; if it is not, the decryption step still enforces the sequence of the update but does not by itself protect the software against disclosure or tampering.
Alternatively, this code can also enter into an algorithm for UDS SecurityAccess (ISO 14229:2013, section 9.4, service 0x27) or for the ASAM XCP MCD-1 "UNLOCK" command.
After the software stored, optionally encrypted, has been decrypted, it is transmitted in step 150 via the data connection 10 to at least one of the vehicle control devices 4, 6, 8 and installed on the at least one vehicle control device 4, 6, 8.
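The exchange of steps 120 to 150 as a runnable two-party model, added here as an example; it is not code from the patent or from Bosch. The patent fixes no algorithms, so the following are assumptions: key B is HMAC-SHA256 over key A and the ECU's blocked state under a secret ECU_SECRET that the ECU shares with the manufacturer; key A is chosen by the manufacturer and shipped with the package, so the package can be pre-encrypted for the code the updating device will compute; the package is protected by an HMAC-SHA256 keystream plus tag, a standard-library stand-in for an AEAD such as AES-GCM; all keys, nonces, versions and firmware bytes are constructed demo data.

```python
import hashlib
import hmac

ECU_SECRET = b"demo-ecu-secret"          # constructed; in a real ECU held in an HSM, shared with the manufacturer
KEY_A = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key A, shipped with the package
NONCE = b"demo-nonce-16byt"              # constructed; a real deployment uses a fresh random nonce per package
FIRMWARE = b"engine ECU firmware 1.1 (constructed demo payload)"
CURRENT_VERSION = b"1.0"                 # version the package expects to find on the ECU


def derive(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; used for key B, for the code and for the keystream."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC; the same call encrypts and decrypts."""
    stream = b"".join(derive(key, b"ks", nonce, i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(code: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Manufacturer side: encrypt-then-MAC the package under the code."""
    ct = keystream_xor(code, nonce, plaintext)
    return nonce + ct + derive(code, b"tag", nonce, ct)


def unseal(code: bytes, blob: bytes) -> bytes:
    """Updating device side: the tag check fails for any code other than the right one."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(derive(code, b"tag", nonce, ct), tag):
        raise ValueError("package cannot be decrypted with this code")
    return keystream_xor(code, nonce, ct)


class Ecu:
    """Vehicle control device 4, 6, 8 with immobilizer 20 and starter 22."""

    def __init__(self, version: bytes):
        self.version = version
        self.immobilizer_on = False
        self.starter_enabled = True

    def prepare(self, command: str, key_a: bytes) -> dict:
        """Steps 120/130: execute the preparation command, confirm it and return key B.
        Key B is always returned, but 'is the vehicle blocked' is a parameter of it."""
        if command == "BLOCK":
            self.immobilizer_on, self.starter_enabled = True, False
        blocked = self.immobilizer_on and not self.starter_enabled
        key_b = derive(ECU_SECRET, key_a, b"blocked" if blocked else b"free")
        return {"blocked": blocked, "key_b": key_b, "version": self.version}


def manufacturer_package() -> bytes:
    """Backend 40 pre-encrypts the package for the expected state: key A, blocked vehicle, version 1.0."""
    expected_key_b = derive(ECU_SECRET, KEY_A, b"blocked")
    code = derive(expected_key_b, CURRENT_VERSION)
    return seal(code, NONCE, FIRMWARE)


def update_attempt(ecu: Ecu, command: str, package: bytes):
    """Updating device 12a, 12b: send the command with key A, compute the code from key B and
    the queried version (computing device 26), then try to decrypt. Returns plaintext or None."""
    reply = ecu.prepare(command, KEY_A)
    code = derive(reply["key_b"], reply["version"])
    try:
        return unseal(code, package)
    except ValueError:
        return None
```

`update_attempt(Ecu(b"1.0"), "BLOCK", manufacturer_package())` yields the firmware. The same call with a command that does not block the vehicle, or against an ECU at version 0.9, yields None, because key B and hence the code differ and the tag check fails. In a real ECU the blocked state should be read back from the actuators (immobilizer, starter relay) rather than from a flag set by the command handler, otherwise a compromised handler could claim a block it never performed.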
The software can also comprise a plurality of software packages, each of which is in particular provided for updating a respective one of the vehicle control devices 4, 6, 8. In particular, the sequence in which these software packages are to be loaded onto the different vehicle control devices 4, 6, 8 can be specified.
In this case, the vehicle control device 4, 6, 8 on which a software package has been successfully installed can provide a key value, which is in turn used by the computing device 26 to calculate a new code. The new code is then used, among other things, to decrypt and install the next software package.
Since the new code only exists once the previous software package has been successfully installed on the vehicle control device 4, 6, 8 assigned to it, this ensures that the software of the vehicle control devices 4, 6, 8 can only be updated in the predetermined sequence.
It is also possible for the n-th software package to deactivate certain functions of the motor vehicle 2, such as the fuel injection system, in order to bring the motor vehicle 2 into a safe state, and for a subsequent m-th software package (m > n), decrypted and installed later, to reactivate the deactivated functions once the software update has been carried out successfully.
After the software update has been completed, i.e. after all software packages have been successfully loaded onto the associated motor vehicle control devices 4, 6, 8, the computing device 26 can be used again to calculate the activation code from the data (characteristic values) queried from the motor vehicle control devices 4, 6, 8 (step 160).
Depending on the application, it is possible to query the data of all vehicle control devices 4, 6, 8 or only those vehicle control devices 4, 6, 8 whose software has been updated. In order to ensure correct cooperation of all the vehicle control devices 4, 6, 8 in the motor vehicle 2, it is possible in particular to query the data of those vehicle control devices 4, 6, 8 which cooperate with the updated vehicle control device 4, 6, 8.
The queried data may include, for example, the version number of the software currently installed on the respective motor vehicle control device 4, 6, 8 and/or the content of at least one defined partial region of the respective motor vehicle control device 4, 6, 8 or the entire memory 7.
Additionally, the queried data can also comprise a user input entered via an input device 5 provided at/in the motor vehicle 2. This ensures that the motor vehicle 2 is only activated after the software update has been confirmed by a user input at the motor vehicle 2 itself. Instead of a simple yes/no, the user input can also be the transcription of a displayed challenge ("Captcha"). This has the advantage that the entered string enters into the calculation of the activation code and therefore cannot be skipped.
In particular, provision can be made for emergency operation to be activated only after the user has confirmed that he is aware of the "emergency operation" of the motor vehicle 2, in which not all functions of the motor vehicle 2 are available, and of the restrictions associated with it.
In addition or alternatively, the queried data can also contain the vehicle chassis number and/or the vehicle identification number or other parameters that unambiguously identify the motor vehicle 2 or its vehicle type. Features of the vehicle configuration, such as the engine variant (motorization), the number of driven axles and other equipment features, can also enter into the calculation of the activation code.
Since the data of an unsuitable motor vehicle 2 do not lead to the correct activation code, this ensures that the motor vehicle 2 is only reactivated if software suitable for this particular motor vehicle 2 has been installed.
The activation code calculated in this way is used by the updating device 12a, 12b to communicate with at least one of the vehicle control devices 4, 6, 8 (step 170); optionally, the previously calculated key A or B can additionally be transmitted.
In step 180, the comparison and authorization device 32 of the at least one vehicle control device 4, 6, 8 that has received the activation code validates the received message using a predefined reference algorithm stored in the respective vehicle control device 4, 6, 8 and reactivates the vehicle 2 only if the activation code is validated positively (step 200), for example by unlocking the immobilizer 20 and/or enabling the starter 22 or the fuel pump 24.
If the activation code is not validated positively using the algorithm stored in the respective vehicle control device 4, 6, 8, the vehicle 2 is not reactivated. Instead, a fault report is output (step 210).
The comparison and authorization device 32 can be implemented in hardware or software.
In order to prevent, or at least hinder, unauthorized manipulation, the communication between the updating device 12a, 12b and the vehicle control device 4, 6, 8 can be cryptographically secured, i.e. encrypted and/or signed.
Alternatively, the known concept of communication with a "watchdog" module can be used for the communication between the updating device 12a, 12b and the motor vehicle control device 4, 6, 8. The vehicle control device 4, 6, 8 can, for example, note minimum and maximum permissible times and reject activation codes that arrive outside these times. The updating device 12a, 12b can also deliberately send a wrong activation code and then incorporate the negative response code of the respective vehicle control device 4, 6, 8 into the further procedure.
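The sequenced multi-package update of steps 150 to 210 as one runnable model: the ordering guarantee between packages, the activation code over the characteristic values, the vehicle identification number and the user input, and the watchdog-style time window. This is an added example, not code from the patent. Assumptions, since the patent names no algorithm: codes are HMAC-SHA256 over the queried characteristic values under a programming secret PROG_SECRET known to the updating device and to the backend 40 but not to the ECUs, which matches the remark above that the control device does not know the calculation; each ECU holds only a SHA-256 reference of the code it must see, shipped by the backend together with the packages, and compares the one-way image of the received code against it, in the manner of claim 12; the VIN, versions, firmware bytes, time window and user input are constructed.

```python
import hashlib
import hmac

PROG_SECRET = b"demo-programming-secret"   # constructed; updating device and backend 40 only, never the ECUs
VIN = b"WVWZZZ1JZXW000001"                  # constructed vehicle identification number
T_MIN, T_MAX = 1.0, 30.0                    # constructed: permissible seconds before an activation code may arrive


def derive(key: bytes, *parts: bytes) -> bytes:
    """A code is HMAC-SHA256 over length-prefixed parts (assumed construction)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def reference(code: bytes) -> bytes:
    """One-way image of a code; an ECU stores this, never the code itself."""
    return hashlib.sha256(code).digest()


def values_for(name: str, version: str, memory: bytes) -> list:
    """Characteristic values: ECU identity, version number, hash of the defined memory region."""
    return [name.encode(), version.encode(), hashlib.sha256(memory).digest()]


class Ecu:
    """Vehicle control device 4, 6, 8 with comparison and authorization device 32."""

    def __init__(self, name: str, version: str, memory: bytes):
        self.name, self.version, self.memory = name, version, memory
        self.driving_ready = False                 # blocked for the duration of the update

    def characteristic_values(self) -> list:
        return values_for(self.name, self.version, self.memory)

    def reprogram(self, start_code: bytes, start_ref: bytes, version: str, memory: bytes) -> bool:
        """Install the package only if the start code matches the shipped reference (claim 5)."""
        if not hmac.compare_digest(reference(start_code), start_ref):
            return False                           # fault report; software unchanged
        self.version, self.memory = version, memory
        return True

    def activate(self, activation_code: bytes, activation_ref: bytes, elapsed: float) -> str:
        """Steps 180 to 210: time window first, then the reference check, then reactivation."""
        if not T_MIN <= elapsed <= T_MAX:
            return "fault: code outside permissible time window"
        if not hmac.compare_digest(reference(activation_code), activation_ref):
            return "fault: activation code not validated"
        self.driving_ready = True                  # immobilizer released, starter and fuel pump enabled
        return "reactivated"


def build_manifest(ecus: list, packages: list, user_input: bytes) -> tuple:
    """Backend 40: references for each start code and for the activation code, computed from the
    characteristic values each ECU is expected to report after its own package is installed."""
    expected = [values_for(e.name, v, m) for e, (v, m) in zip(ecus, packages)]
    start_refs, prev = [], [b"vehicle blocked"]    # the first code follows the blocking confirmation
    for vals in expected:
        start_refs.append(reference(derive(PROG_SECRET, b"start", *prev)))  # code n+1 from state of ECU n
        prev = vals
    flat = [x for vals in expected for x in vals]
    activation_ref = reference(derive(PROG_SECRET, b"activate", VIN, user_input, *flat))
    return start_refs, activation_ref


class UpdatingDevice:
    """Updating device 12a, 12b: computing device 26 works only from values it queries live."""

    def __init__(self, vin: bytes):
        self.vin = vin                             # queried from the vehicle; wrong vehicle, wrong code

    def start_code(self, previous) -> bytes:
        prev = [b"vehicle blocked"] if previous is None else previous.characteristic_values()
        return derive(PROG_SECRET, b"start", *prev)

    def activation_code(self, ecus: list, user_input: bytes) -> bytes:
        flat = [x for e in ecus for x in e.characteristic_values()]
        return derive(PROG_SECRET, b"activate", self.vin, user_input, *flat)


def run_update(ecus: list, packages: list, order, start_refs: list, device: UpdatingDevice) -> list:
    """Attempt the packages in the given order; one bool per attempt."""
    results = []
    for i in order:
        previous = ecus[i - 1] if i > 0 else None
        results.append(ecus[i].reprogram(device.start_code(previous), start_refs[i], *packages[i]))
    return results


def demo(order=(0, 1), vin: bytes = VIN, elapsed: float = 5.0) -> tuple:
    """Constructed two-ECU vehicle; returns (install results, verdict of the gating ECU)."""
    ecus = [Ecu("engine", "1.0", b"engine fw 1.0"), Ecu("gearbox", "2.3", b"gearbox fw 2.3")]
    packages = [("1.1", b"engine fw 1.1"), ("2.4", b"gearbox fw 2.4")]
    user_input = b"CONFIRMED"                      # yes/no confirmation entered at input device 5
    start_refs, activation_ref = build_manifest(ecus, packages, user_input)
    device = UpdatingDevice(vin)
    installed = run_update(ecus, packages, order, start_refs, device)
    return installed, ecus[0].activate(device.activation_code(ecus, user_input), activation_ref, elapsed)
```

`demo()` installs both packages and reactivates the vehicle. `demo(order=(1, 0))` shows the ordering guarantee: the gearbox package is rejected because the code for it is derived from the engine ECU's values after its update, which the engine ECU does not yet report; with the gearbox still on old software the activation code is wrong as well. `demo(vin=b"WRONGVIN")` installs cleanly but fails activation, the case the text describes for an unsuitable vehicle, and `demo(elapsed=60.0)` is refused by the time window before the code is even compared.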

Claims (15)

1. Method for updating the software of at least one motor vehicle control device (4, 6, 8) installed in a motor vehicle (2), wherein the method comprises:
(A) transmitting a preparation command, in particular a command for stopping the motor vehicle (2), from the updating device (12 a, 12 b) to at least one motor vehicle control device (4, 6, 8);
(B) transmitting a confirmation message confirming the implementation of the preparation instruction from the at least one vehicle control device (4, 6, 8) to the updating device (12 a, 12 b);
(C) transmitting new software from the updating device (12 a, 12 b) to the at least one vehicle control device (4, 6, 8) and installing the new software on the at least one vehicle control device (4, 6, 8);
(D) querying at least one motor vehicle control device (4, 6, 8) for characteristic values, in particular software version numbers, associated with the software;
(E) calculating an activation code from at least one queried characteristic value;
(F) using the activation code in subsequent communication with at least one motor vehicle control device (4, 6, 8);
(G) a command, in particular a command for restoring the driving readiness of the vehicle (2), is implemented by the at least one vehicle control device (4, 6, 8) only when the vehicle control device (4, 6, 8) has checked the activation code directly or indirectly and has determined that a valid activation code is present.
2. The method according to claim 1, wherein in step (F) the activation code is transmitted by the updating device (12 a, 12 b) to the at least one vehicle control device (4, 6, 8) and validated by the vehicle control device according to a predefined algorithm; and/or wherein the activation code is used in step (F) in order to decrypt at least one instruction or algorithm with the activation code, the instruction or algorithm being used for communication with the at least one motor vehicle control device (4, 6, 8); and/or wherein in step (F) the activation code is used for authenticating the updating device (12 a, 12 b) with respect to the at least one vehicle control device (4, 6, 8).
3. The method according to one of the preceding claims, wherein the method comprises: before step (C), a key is transmitted from the at least one vehicle control device (4, 6, 8) to the updating device (12 a, 12 b) and in step (C) a start code is used, which has been calculated from at least the key.
4. The method according to claim 1 or 2, wherein the method comprises: before step (C), a key is transmitted from the updating device (12 a, 12 b) to the at least one vehicle control device (4, 6, 8), and wherein the vehicle control device with which communication takes place transmits a message, depending in particular on the key, back to the updating device (12 a, 12 b), and wherein the updating device (12 a, 12 b) uses in step (C) an activation code that has been calculated at least from the message.
5. The method according to claim 3 or 4, wherein in step (C) the start code is transmitted by the updating device (12 a, 12 b) to the at least one vehicle control device (4, 6, 8) and is validated by the vehicle control device according to a predefined algorithm; and/or wherein the start code is used in step (C) to decrypt at least one instruction or algorithm with the start code, the instruction or algorithm being used for communication with the at least one vehicle control device (4, 6, 8); and/or wherein in step (C) the activation code is used for authenticating the updating device (12 a, 12 b) with respect to the at least one vehicle control device (4, 6, 8).
6. The method according to one of claims 1 to 5, wherein the method comprises: in a step (C), the data are transmitted from the updating device (12 a, 12 b) to the motor vehicle control device (4, 6, 8) via a gateway (34), wherein the gateway (34) performs, in particular, a message check and forwards only the messages that are allowed.
7. Method according to claim 6, wherein the updating device (12 a, 12 b) has to unlock the gateway (34) for at least one message, and wherein for this purpose a gateway code is used, which has been calculated at least from messages sent by the motor vehicle control device (4, 6, 8).
8. The method of claim 7, wherein a gateway unlock code is transmitted from the update device (12 a, 12 b) to the gateway (34) and validated by the gateway (34) according to a predefined algorithm; and/or wherein the gateway unlocking code is used to decrypt at least one instruction or algorithm used to unlock the gateway (34) with the gateway unlocking code; and/or wherein the gateway unlock code is used to authenticate the update device (12 a, 12 b) with respect to the gateway (34).
9. Method according to one of the preceding claims, wherein the method comprises updating the software of a plurality of motor vehicle control devices (4, 6, 8), wherein a code is used for communication with the (n + 1) th motor vehicle control device (4, 6, 8), which code has been calculated from the characteristic values of at least the n-th motor vehicle control device (4, 6, 8) whose software has been updated.
10. The method according to one of the preceding claims, wherein the query for characteristic values of one or more motor vehicle control devices (4, 6, 8) comprises: one or more characteristic values of one or more vehicle control devices (4, 6, 8) are queried, which cooperate with at least one vehicle control device (4, 6, 8) whose software has been updated.
11. The method according to one of the preceding claims, wherein the method comprises: -calculating one of said codes as a function of the content of at least one partial area of a memory (7) of said motor vehicle control device (4, 6, 8); and/or wherein the method comprises: calculating one of the codes from a user input, a vehicle chassis number and/or a vehicle identification code; and/or wherein the method comprises: data about the software update is sent to an external background and the feedback of the background is used for the calculation of the code.
12. Method according to one of the preceding claims, wherein a check is carried out in which a vehicle control device (4, 6, 8), in particular a vehicle control device (4, 6, 8) that has blocked at least one driving function and/or a vehicle control device (4, 6, 8) that is to be reprogrammed and/or a vehicle control device (4, 6, 8) acting as gateway (34), compares the received message, in particular one containing instructions and/or parameters, with a stored reference value; and/or wherein a check is carried out in which the motor vehicle control device (4, 6, 8) uses the received information as a parameter of at least one one-way function and compares the result with a stored reference value; and/or wherein the check consists in the successful completion of an authentication.
13. Updating device (12 a, 12 b) for updating software of at least one vehicle control device (4, 6, 8) installed in a vehicle (2), wherein the updating device (12 a, 12 b) has:
a storage device (13) configured to store software to be updated;
a transmitting device (17) which is designed to transmit a preparation command, in particular a command for blocking the motor vehicle (2), to the motor vehicle control device (4, 6, 8);
a receiving device (19) which is designed to receive a confirmation message that confirms the execution of the received preparation instruction by the motor vehicle control unit (4, 6, 8);
wherein the transmitting device (17) is designed to transmit the software to be updated to the motor vehicle control unit (4, 6, 8);
wherein the receiving device (19) is designed to receive at least one characteristic value, in particular a software version number, of one or more vehicle control devices (4, 6, 8);
wherein the updating device (12 a, 12 b) has a computing device (26) which is designed to compute a code, in particular an activation code and/or a code for starting a programming and/or a code for unlocking a gateway, as a function of the received characteristic value; and is
Wherein the transmitting device (17) is designed in such a way that the code is required for communication with the motor vehicle control unit (4, 6, 8).
14. Motor vehicle control device for a motor vehicle (2), comprising at least one hypervisor (38) and an updating device (12 b) according to claim 13, wherein the hypervisor (38) at least partially deletes and/or resets, in particular, the storage device (13) and/or the receiving device (19) and/or the transmitting device (17) and/or the computing device (26) of the updating device (12 b), depending on whether the update was successful or unsuccessful.
15. Motor vehicle control device (4, 6, 8) for a motor vehicle (2), which is designed to cooperate with an updating device (12 a, 12 b) and with further motor vehicle control devices (4, 6, 8), wherein the motor vehicle control device (4, 6, 8) comprises:
a receiving device (28) which is designed to receive a preparation command, in particular a command for stopping the motor vehicle (2), from an updating device (12 a, 12 b);
a transmitting device (30) which is designed to transmit an acknowledgement message which acknowledges the execution of the received preparation instruction by the motor vehicle control unit (4, 6, 8);
wherein the transmitting device (30) is designed to transmit a key to the updating device (12 a, 12 b), in particular a key that depends on a previous communication with the updating device (12 a, 12 b), and wherein the key depends in particular on whether a vehicle function has been blocked;
wherein the receiving device (28) is designed to forward the message received from the updating device (12 a, 12 b) to a comparison and authorization device (32), which is designed to validate the message according to a predefined algorithm and to reconstruct the driving readiness of the motor vehicle (2) only if the validation is positive.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE102017218872.3A DE102017218872A1 (en) 2017-10-23 2017-10-23 Method and device for updating software of a motor vehicle control unit
DE102017218872.3 2017-10-23
PCT/EP2018/078830 WO2019081395A1 (en) 2017-10-23 2018-10-22 Method and device for updating software of a motor vehicle control unit

Publications (1)

Publication Number Publication Date
CN111480141A true CN111480141A (en) 2020-07-31

Family

ID=64049104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201880082909.2A Pending CN111480141A (en) 2017-10-23 2018-10-22 Method and device for updating software of a motor vehicle control device

Country Status (3)

Country Link
CN (1) CN111480141A (en)
DE (1) DE102017218872A1 (en)
WO (1) WO2019081395A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018218736A1 (en) 2018-11-01 2020-05-07 Continental Automotive Gmbh Device for configuring and validating an intervention in a real-time Ethernet data network
DE102019131087A1 (en) * 2019-11-18 2021-05-20 Audi Ag Software installation in vehicle control units
CN113162959B (en) * 2020-01-23 2023-06-30 华为技术有限公司 Upgrading method and device of vehicle-mounted equipment
DE102020116715A1 (en) * 2020-06-25 2021-12-30 Bayerische Motoren Werke Aktiengesellschaft Method for determining a driving clearance after a software update of a set of control units of a vehicle, computer-readable medium, system and vehicle
CN112506536B (en) * 2020-11-12 2023-05-30 东风汽车集团有限公司 Method, device, equipment and medium for updating vehicle-mounted controller software
JP7452452B2 (en) 2021-02-02 2024-03-19 トヨタ自動車株式会社 OTA master, software update control method and update control program, vehicle equipped with OTA master
DE102021125672A1 (en) * 2021-10-04 2023-04-06 Bayerische Motoren Werke Aktiengesellschaft Processor system for a vehicle and method for monitoring a process state after a remote software update
CN114244828B (en) * 2021-11-30 2023-02-24 三一汽车起重机械有限公司 Data transmission method and vehicle-mounted dynamic data management system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010054920A1 (en) * 2008-11-11 2010-05-20 Continental Automotive Gmbh Apparatus for controlling a vehicle function and method for updating a control device
CN101930629A (en) * 2010-06-09 2010-12-29 金龙联合汽车工业(苏州)有限公司 Remote updating system and method of vehicle information collecting device
CN103593208A (en) * 2012-08-16 2014-02-19 福特全球技术公司 Methods and apparatus for vehicle computing system software updates
CN106484457A (en) * 2015-08-25 2017-03-08 福特全球技术公司 Multistage safe vehicle software updates
CN106533655A (en) * 2016-10-27 2017-03-22 江苏大学 Method for secure communication of ECUs (Electronic control unit) in a vehicle network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110377310B (en) * 2014-11-12 2023-04-07 松下电器(美国)知识产权公司 Update management method, update management device, and computer-readable recording medium

Also Published As

Publication number Publication date
DE102017218872A1 (en) 2019-04-25
WO2019081395A1 (en) 2019-05-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination