CN113495736A - Vehicle-mounted electronic module updating method and vehicle-mounted electronic module - Google Patents

Vehicle-mounted electronic module updating method and vehicle-mounted electronic module Download PDF

Info

Publication number
CN113495736A
CN113495736A CN202010250074.6A CN202010250074A CN113495736A CN 113495736 A CN113495736 A CN 113495736A CN 202010250074 A CN202010250074 A CN 202010250074A CN 113495736 A CN113495736 A CN 113495736A
Authority
CN
China
Prior art keywords
update
updating
data
operating system
vehicle
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010250074.6A
Other languages
Chinese (zh)
Inventor
孔雪博
孙旺
顾晓莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SAIC General Motors Corp Ltd
Pan Asia Technical Automotive Center Co Ltd
Original Assignee
SAIC General Motors Corp Ltd
Pan Asia Technical Automotive Center Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SAIC General Motors Corp Ltd, Pan Asia Technical Automotive Center Co Ltd filed Critical SAIC General Motors Corp Ltd
Priority to CN202010250074.6A priority Critical patent/CN113495736A/en
Publication of CN113495736A publication Critical patent/CN113495736A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The application relates to a vehicle-mounted electronic module updating method, which comprises the following steps: receiving an updating instruction and updating data; determining an updating type according to the updating instruction; and executing corresponding updating operation by using the updating data according to the updating type.

Description

Vehicle-mounted electronic module updating method and vehicle-mounted electronic module
Technical Field
The invention relates to the technical field of vehicle electronics, in particular to a vehicle-mounted electronic module updating method and a vehicle-mounted electronic module.
Background
With the development of automobile electronic technology, automobile electrification, networking and intellectualization, the number of vehicle-mounted electronic control units (or electronic control modules, ECUs) is increasing, and thus the functions are gradually enhanced and the mechanisms are increasingly complex. In order to meet the requirements of vehicle-mounted software on a multi-process file management system and the like, Linux operating systems are applied to more and more non-entertainment system ECUs to replace real-time operating systems. The conventional technique of refreshing (also referred to as updating in the context of the present invention) a real-time operating system is to complete the deletion and downloading of the whole application or the target in the boot mode phase of the system through a transmitted instruction by a tool. When the application is updated in the offline refreshing mode, the operating system and the application are bound in the same file, and even if the application is slightly changed, the whole file needs to be deleted and refreshed, so that the updating efficiency is low, and the updating process is complicated.
Although the vehicle-mounted software resources are managed in a file form by using the Linux operating system in some cases, certain memory areas can be conveniently controlled, so that multi-level flash of the file system can be realized. However, the updating function of the U-Boot as a Boot loader of a conventional Linux system cannot ensure the authenticity and integrity of downloaded software, and cannot meet the security requirement of a vehicle-mounted network. The end-to-end communication mode of the vehicle-mounted system is not integrated in the U-Boot, so that the requirements of application or calibration updating of an automobile production line and an after-sales tool chain are not met.
Disclosure of Invention
The invention provides an updating mechanism of a vehicle-mounted ECU (electronic control unit), so that the vehicle-mounted electronic module updating method and the vehicle-mounted electronic module can efficiently and reliably update the ECU module. Specifically, the method comprises the following steps:
according to an aspect of the invention, an updating method for a vehicle-mounted electronic module is provided, which comprises the following steps: receiving an updating instruction and updating data; determining an updating type according to the updating instruction; and executing corresponding updating operation by using the updating data according to the updating type.
Optionally, in some embodiments of the present invention, if it is determined that the update type is an operating system update, the update operation includes the following steps: restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and updating the operating system using the update data under the minimal system.
Optionally, in some embodiments of the invention, the method further comprises: and verifying the signature of the updating data under the minimum system, and updating the operating system if the verification is passed.
Optionally, in some embodiments of the present invention, if the update type is an application update or a calibration update, the update operation includes the following steps: storing the update data to a designated storage area; and calling an operating system to execute data flashing according to the updated data.
Optionally, in some embodiments of the invention, the method further comprises: and verifying the authenticity of the updating data, and performing data flashing if the updating data passes the verification.
According to another aspect of the present invention, there is provided an in-vehicle electronic module including: a receiving unit configured to receive an update instruction and update data; a judging unit configured to determine an update type according to the update instruction; and an updating unit configured to perform a corresponding updating operation using the update data according to the update type.
Optionally, in some embodiments of the present invention, if the determining unit determines that the update type is an os update, the updating unit performs an update operation that: restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and updating the operating system using the update data under the minimal system.
Optionally, in some embodiments of the present invention, the updating unit is further configured to: and verifying the signature of the updating data under the minimum system, and updating the operating system if the verification is passed.
Optionally, in some embodiments of the present invention, if the determining unit determines that the update type is an application update or a calibration update, the updating unit performs an update operation that: storing the update data to a designated storage area; and calling an operating system to execute data flashing according to the updated data.
Optionally, in some embodiments of the present invention, the updating unit is further configured to: and verifying the authenticity of the updating data, and performing data flashing if the updating data passes the verification.
Drawings
The above and other objects and advantages of the present invention will become more apparent from the following detailed description when taken in conjunction with the accompanying drawings, in which like or similar elements are designated by like reference numerals.
FIG. 1 illustrates an in-vehicle electronic module according to one embodiment of the present invention.
FIG. 2 illustrates an in-vehicle electronic module according to one embodiment of the present invention.
FIG. 3 illustrates an in-vehicle electronic module update method according to one embodiment of the invention.
FIG. 4 illustrates an in-vehicle electronic module according to one embodiment of the present invention.
Detailed Description
Since the real-time operating system cannot meet the functional requirements of some ECUs, and the update of the general Linux file cannot be directly applied to the vehicle-mounted terminal, a secure update (or referred to as refresh) scheme is proposed herein, which securely updates the Linux operating system itself or the application and the like through the vehicle-mounted communication interface, as described in detail below.
According to one aspect of the invention, an in-vehicle electronic module updating method is provided. As shown in fig. 3, the method for updating the vehicle-mounted electronic module includes the following steps: receiving an update instruction and update data (abbreviated as "reception" in the drawing) in step S31; determining the update type according to the update instruction in step S32 (abbreviated as "determination" in the figure); and in step S33, corresponding update operation (abbreviated as "update" in the figure) is performed using the update data according to the update type.
The update instruction and the update data are received in step S31 of the update method of the present invention. Generally, an ECU serving as a node to be updated may receive an update command (or called query or request) from an update tool (e.g., a vehicle production line tool or an after-market tool). The ECU to be updated may or may not return corresponding data to the update tool according to its own condition. If the ECU accepts the update instruction, it may return a response to the update tool that it is willing to receive the update data. If the ECU does not accept the update command (e.g., certain communication protocol services do not meet the ECU system requirements), the ECU may send an error code and exit the ECU's update process (not enter the download process and thus not receive the update data). In addition, if the update tool does not receive the response from the ECU due to other reasons, the update tool may exit the update flow at this time. The update tool may send the update data to the ECU after the ECU indicates acceptance of the update request. Specifically, for example, the ECU may receive a download instruction transmitted by the update tool, and thereafter the ECU may initiate a download operation and receive update data.
The update type is determined according to the update instruction in step S32 of the update method of the present invention. As noted above, updates to the ECU may be of multiple levels (or referred to as types, modes, etc.), i.e., updates to the ECU require consideration of the update type. In some examples of the invention, the update type may be determined based on certain parameters in the update instructions, e.g., the update tool may inform via the update instructions which type of update needs to be performed. In other examples of the invention it may be determined which type of update is to be performed in dependence on parameters in the update data. Of course, the type of update may also be determined in combination with both. For example, the update may be exited when the two declared update types are inconsistent, or the later received update type may be the priority. Additional data may also be sent to indicate the type of update in other examples of the invention.
In step S33 of the update method of the present invention, a corresponding update operation is performed using the update data according to the update type. In this step, the ECU may perform the update operation according to the update type determined above and the update data for the update operation. It should be noted that, the ECU has previously specified the update modes of different update types, and the update operation can be realized by flushing the update data in the corresponding update modes. Here, the present invention does not limit the specific form of the update type, but common update types include system level updates (e.g., Linux kernel updates, file system updates, etc.), application updates, calibration updates, and the like.
In some embodiments of the present invention, if it is determined that the update type is an operating system update, the update operation includes the steps of: restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and updating the operating system with the update data under the minimal system.
FIG. 1 illustrates an in-vehicle electronic module according to one embodiment of the present invention. As shown, the ECU 10 includes a U-Boot 101, a minimal system 102, a Linux kernel 103, a file system 104, and a data update area 105. Wherein, the U-Boot 101 is used as a program which is firstly accessed by system Boot and is used for booting the Linux minimum system 102, and other updating functions in the system are forbidden. The minimum system 102 is additionally constructed, and functions of a communication protocol, a security key algorithm, a Flash driver and the like are mainly integrated in the minimum system. The minimum system 102 has a main function of completing operations such as system file deletion, update, and check, and after exiting the update process, the updated ECU node will enter the Linux system. The Linux kernel 103 is a Linux operating system core. The Linux kernel 103 starts the file system 104 where the application program is located, and starts the corresponding application process. In addition, the application program for updating needs to be downloaded to a specific memory area, that is, the data update area 105. In addition, the ECU 10 may further include a data storage area (not shown in the drawings) for storing shared data required during the start-up of the ECU 10 and during the running of the program.
With reference to the example shown in fig. 1, if the update to the ECU 10 belongs to a system level update, the system directly configures the start parameter and performs a restart, after which the minimum system 102 continues to receive information from the update tool, erases the corresponding Partition area, downloads the file system content to the data update area 105, and then updates the operating system according to the downloaded content.
In some embodiments of the invention, the method further comprises: and verifying the signature of the updated data under the minimum system, and updating the operating system if the verification is passed. Continuing with the above example, after the downloading of the file system content to the designated area is completed, the Linux minimum system verifies the file signature of the downloaded file by using the integrated key algorithm, ensures the authenticity and integrity of the downloaded file, and feeds back the final result to the update tool. As shown in fig. 2, the minimal system 102 may specifically include a digital signature unit 201, a diagnostic communication unit 202, and a file management unit 203. In some examples of the invention, the digital signature unit 201 may verify the file signature of the downloaded file through an integrated key algorithm. If the Linux system fails, the process will stay in the minimum system all the time.
In some embodiments of the present invention, if the update type is an application update or a calibration update, the update operation includes the following steps: storing the update data in a designated storage area; and calling the operating system to perform data flashing according to the updated data. If the software is the application layer software and the calibration update, a downloading process in the Linux file system can be used for receiving a downloading instruction sent by an updating tool and downloading the updating package to a specified storage area. Specifically, in the case of application layer software or calibration update, the downloading process in the Linux file system may receive a downloading instruction sent by the update tool, download the update package to a specified storage area (e.g., the data update area 105), and further call the Linux operating system to perform the flushing of the file.
In some embodiments of the invention, the method further comprises: and verifying the authenticity of the updated data, and performing data flashing if the updated data passes the verification. Continuing with the previous example, after downloading is completed, the downloading process can be used to verify the authenticity of the file, the updating process can be triggered after verification is successful, the updating process can call the Linux system to call and execute the flashing of the completed file, and the final result is fed back to the updating tool.
According to another aspect of the invention, an in-vehicle electronic module is provided. As shown in fig. 4, the in-vehicle electronic module 40 includes a receiving unit 401, a determining unit 402, and an updating unit 403, and data interaction may be performed between the units as needed.
Wherein the receiving unit 401 is configured to receive update instructions and update data. Generally, the in-vehicle electronic module 40 serving as a node to be updated can receive an update instruction (or called query or request) from an update tool (e.g., a vehicle production line tool and an after-sales tool) through the receiving unit 401. The vehicle-mounted electronic module 40 to be updated may or may not return corresponding data to the update tool according to its own condition. If the in-vehicle electronic module 40 accepts the update instruction, a response may be returned to the update tool that it is willing to receive the update data. If the vehicle-mounted electronic module 40 does not accept the update command (e.g., some communication protocol services do not meet the system requirements of the vehicle-mounted electronic module 40), the vehicle-mounted electronic module 40 may send an error code and exit the update process of the vehicle-mounted electronic module 40 (not enter the download process, and thus not receive the update data). In addition, if the update tool does not receive the response from the in-vehicle electronic module 40 due to other reasons, the update tool may exit the update process. After the in-vehicle electronic module 40 indicates acceptance of the update request, the update tool may send update data to the in-vehicle electronic module 40. Specifically, for example, the in-vehicle electronic module 40 may receive a download instruction sent by the update tool, and then the in-vehicle electronic module 40 may initiate a download operation and receive update data. It is noted that in some examples of the invention, the receiving unit 401 may take on the data transmission role of the in-vehicle electronic module 40.
The judging unit 402 is configured to determine the update type according to the update instruction. As mentioned above, the update of the in-vehicle electronic module 40 may be of various levels (or called types, modes, etc.), that is, the update of the in-vehicle electronic module 40 needs to take into account the update type. In some examples of the invention, the determination unit 402 may determine the update type according to certain parameters in the update instruction, for example, the update tool may inform which type of update needs to be performed through the update instruction. In other examples of the invention the decision unit 402 may determine which type of update to perform based on parameters in the update data. Of course, the determining unit 402 may also determine the type of update by combining the two. For example, the update may be exited when the two declared update types are inconsistent, or the later received update type may be the priority. In other examples of the invention the update tool may also send additional data to indicate the type of update.
The updating unit 403 is configured to perform a corresponding updating operation using the update data according to the update type. At this time, the updating unit 403 may perform the updating operation according to the update type determined above and the update data for the updating operation. It should be noted that, the vehicle-mounted electronic module 40 has been previously assigned with update modes of different update types, and the update operation can be implemented by writing update data in the corresponding update modes. Here, the present invention does not limit the specific form of the update type, but common update types include system level updates (e.g., Linux kernel updates, file system updates, etc.), application updates, calibration updates, and the like.
In some embodiments of the present invention, if the determining unit determines that the update type is the os update, the updating unit performs an update operation including: restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and updating the operating system with the update data under the minimal system. If the update of the vehicle-mounted electronic module 40 belongs to system level update, the system can directly configure the starting parameters and restart, after the restart, the minimum system can continuously receive information from the updating tool, erase the corresponding Partition area, download the file system content to the data updating area, and then update the operating system according to the downloaded content.
In some embodiments of the invention, the update unit is further configured to: and verifying the signature of the updated data under the minimum system, and updating the operating system if the verification is passed. Continuing with the above example, after the downloading of the file system content to the designated area is completed, the Linux minimum system verifies the file signature of the downloaded file by using the integrated key algorithm, ensures the authenticity and integrity of the downloaded file, and feeds back the final result to the update tool. If the Linux system fails, the process will stay in the minimum system all the time.
In some embodiments of the present invention, if the determining unit determines that the update type is an application update or a calibration update, the updating unit performs an update operation of: storing the update data in a designated storage area; and calling the operating system to perform data flashing according to the updated data. If the software is the application layer software and the calibration update, a downloading process in the Linux file system can be used for receiving a downloading instruction sent by an updating tool and downloading the updating package to a specified storage area. Specifically, if the file is an application layer software or a calibration update, the downloading process in the Linux file system may receive a downloading instruction sent by the update tool, download the update package to a specified storage area, and further call the Linux operating system to perform the flash of the file.
In some embodiments of the invention, the update unit is further configured to: and verifying the authenticity of the updated data, and performing data flashing if the updated data passes the verification. Continuing with the previous example, after downloading is completed, the downloading process can be used to verify the authenticity of the file, the updating process can be triggered after verification is successful, the updating process can call the Linux system to call and execute the flashing of the completed file, and the final result is fed back to the updating tool.
In the safe refresh mechanism in the Linux environment of the present invention, some examples provide a plurality of different update modes for the vehicle-mounted terminal, including a full system refresh and an APP/CAL update, and the requirements for refresh under different conditions are satisfied in one mechanism. In addition, some examples of the invention construct a Linux minimum system to complete operations such as verification/deletion/upgrade of files, so that the overall security of the system is improved, and the requirements of a trust chain of vehicle-mounted network security are met. Finally, some examples of the present invention implement the functionality of updating a Linux file system from a vehicle-mounted communication interface by building a Linux minimum system, meeting the automotive toolchain update requirements.
Although the above examples mainly illustrate the vehicle-mounted electronic module updating method and the vehicle-mounted electronic module of the present invention, and only some of the embodiments of the present invention are described, it should be understood by those skilled in the art that the present invention can be implemented in many other forms without departing from the spirit and scope of the present invention. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and various modifications and substitutions may be made therein without departing from the spirit and scope of the present invention as defined by the appended claims.

Claims (10)

1. A vehicle-mounted electronic module updating method is characterized by comprising the following steps:
receiving an updating instruction and updating data;
determining an updating type according to the updating instruction; and
and executing corresponding updating operation by using the updating data according to the updating type.
2. The method of claim 1, wherein if the update type is determined to be an operating system update, the update operation comprises:
restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and
and updating the operating system by using the updating data under the minimum system.
3. The method of claim 2, further comprising: and verifying the signature of the updating data under the minimum system, and updating the operating system if the verification is passed.
4. The method of claim 1, wherein if the update type is an application update or a calibration update, the update operation comprises the steps of:
storing the update data to a designated storage area; and
and calling an operating system to execute data flashing according to the updated data.
5. The method of claim 4, further comprising: and verifying the authenticity of the updating data, and performing data flashing if the updating data passes the verification.
6. An in-vehicle electronic module, the module comprising:
a receiving unit configured to receive an update instruction and update data;
a judging unit configured to determine an update type according to the update instruction; and
an updating unit configured to perform a corresponding updating operation using the update data according to the update type.
7. The module according to claim 6, wherein if the determining unit determines that the update type is os update, the updating unit performs an update operation that is:
restarting an operating system and guiding the operating system to enter a minimum system through U-Boot; and
and updating the operating system by using the updating data under the minimum system.
8. The module of claim 7, wherein the update unit is further configured to: and verifying the signature of the updating data under the minimum system, and updating the operating system if the verification is passed.
9. The module according to claim 6, wherein if the determining unit determines that the update type is an application update or a calibration update, the updating unit performs an update operation of:
storing the update data to a designated storage area; and
and calling an operating system to execute data flashing according to the updated data.
10. The module of claim 9, wherein the update unit is further configured to: and verifying the authenticity of the updating data, and performing data flashing if the updating data passes the verification.
CN202010250074.6A 2020-04-01 2020-04-01 Vehicle-mounted electronic module updating method and vehicle-mounted electronic module Pending CN113495736A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010250074.6A CN113495736A (en) 2020-04-01 2020-04-01 Vehicle-mounted electronic module updating method and vehicle-mounted electronic module

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010250074.6A CN113495736A (en) 2020-04-01 2020-04-01 Vehicle-mounted electronic module updating method and vehicle-mounted electronic module

Publications (1)

Publication Number Publication Date
CN113495736A true CN113495736A (en) 2021-10-12

Family

ID=77993956

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010250074.6A Pending CN113495736A (en) 2020-04-01 2020-04-01 Vehicle-mounted electronic module updating method and vehicle-mounted electronic module

Country Status (1)

Country Link
CN (1) CN113495736A (en)

Similar Documents

Publication Publication Date Title
US10042635B2 (en) Method for wireless remote updating vehicle software
US9841965B2 (en) Centralized system for software updating vehicle components
US10162625B2 (en) Vehicle control storage methods and systems
US20160371075A1 (en) Method for software updating of vehicle components
US20160364230A1 (en) Telematics control unit comprising a differential update package
US20160364232A1 (en) Method for ota updating vehicle electronic control unit
CN102135922B (en) The method for refreshing of application program and system
CN110008690B (en) Authority management method, device, equipment and medium for terminal application
CN111796848A (en) Bootloader software updating method and device, embedded controller and storage medium
CN110825403A (en) Method and system for flashing ECU (electronic control Unit) of automobile
US20240069906A1 (en) Server, software update system, distribution method, and non-transitory storage medium
CN115061713A (en) Method and device for upgrading electronic equipment
CN114895947A (en) Software upgrading method, device, equipment and storage medium of vehicle-mounted controller
CN113495736A (en) Vehicle-mounted electronic module updating method and vehicle-mounted electronic module
CN114840241A (en) Data processing method and related equipment
US11947824B2 (en) Electronic control unit, method, and program
US20220391194A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle
CN115982710A (en) OTA (over the air) security upgrading method based on Ethernet
CN114675864A (en) Control method, control device and system for reprogramming and upgrading of dual-partition ECU
CN113276788A (en) Vehicle-mounted application upgrading method and device, vehicle-mounted terminal and storage medium
CN113454608A (en) Update method for updating a motor vehicle computer to add additional functionality thereto
CN113935011A (en) Method for executing a secure boot sequence of a control device
CN117295055A (en) OTA upgrading system and upgrading method
US11954480B2 (en) Center, OTA master, system, method, non-transitory storage medium, and vehicle
US20220405083A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination