CN114895950A - Self-updating method and system for program and guide layer - Google Patents
Self-updating method and system for program and guide layer Download PDFInfo
- Publication number
- CN114895950A CN114895950A CN202210461294.2A CN202210461294A CN114895950A CN 114895950 A CN114895950 A CN 114895950A CN 202210461294 A CN202210461294 A CN 202210461294A CN 114895950 A CN114895950 A CN 114895950A
- Authority
- CN
- China
- Prior art keywords
- program
- layer
- bootstrap
- boot
- function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
- G06F8/656—Updates while running
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3668—Software testing
Abstract
The invention provides a self-updating method and a self-updating system for a program and a guide layer, wherein the self-updating method comprises the following steps: the system comprises three layers of software, a first bootstrap program, a second bootstrap program and a functional program. The three are independent of each other, and the storage addresses are not overlapped. The first guide program comprises a master area and a slave area, the two guide functions are the same, and the storage areas are not overlapped. The burner writes the first layer of boot program in a flashing mode, the first boot main area runs after the burner is powered on, the slave area is ignored when the burner is normal, and the master area program jumps to the slave area when the burner fails. The can box writes a second layer bootstrap program by the first bootstrap program; the can box writes the functional program through a second bootstrap program; during off-line testing, the upper computer software is not refreshed by a second bootstrap program can, and the off-line testing and client bootstrap synthetic program is refreshed by the first bootstrap software can and the upper computer software; and the client provides second guiding flash upper computer software, and the second guiding flash off-line test program and the app synthesis program are used. And if the off-line test program is qualified, the bootstrap program deletes the off-line test program.
Description
Technical Field
The invention relates to the technical field of automobile electronic controllers, in particular to a self-updating method and a self-updating system for a program and a guide layer.
Background
The current market for electronic automobile controllers still uses a single-layer guiding layer.
In the method, a supplier provides hardware of an electric control unit, a whole vehicle factory (namely a client) only provides a binary executable file of a guide layer as a default write-in program of a main control chip when the electric control unit leaves a factory, and does not provide an upper computer software cooperation mode matched with the guide program, the supplier needs to perform offline test before the hardware electric control unit leaves the factory, the off-line test can only be performed by a programming program provided by a chip company at a debugging port to control a programmer (needing to open a shell or additionally connecting a debugging port wire harness), and after the test is completed and the hardware is confirmed to be free of problems, the client guide binary file is secondly written by the programmer and delivered to the client. The process is tedious and time-consuming.
Even if an electric control unit supplier has upper computer flash software of a client single-layer bootstrap program, the current common flow is 1. a programming program provided by a chip company for a debugging port controls a programming device (needing to open a shell or additionally connecting a debugging port wire harness) to flash the client single-layer bootstrap program, and 2. the upper computer can flash software of the single-layer bootstrap program to carry out off-line test program and carry out hardware test; 3. after the hardware test is passed, the off-line test program is firstly erased by using an upper computer can box of the client single-layer bootstrap program, and then functional layer software of the client is written.
Secondly, when the single-layer bootstrap program is used, the whole car factory wants to upgrade the single-layer bootstrap program after taking the electric control unit hardware brushed with the single-layer bootstrap program or only needs to open the shell by the programming device to update the program after the single-layer bootstrap layer is damaged in the using process. The shell removing operation is troublesome, the air tightness and the water resistance are damaged, an external debugging port can be used for outputting a wire harness without opening the shell, and the risk that a program is changed by mistake and is interfered is increased.
In patent document with publication number CN111475179A, a software online writing method, device, electronic control unit and upper computer are disclosed, which relate to the technical field of automobiles, and the method comprises: when the currently running program is a first boot loader, if a second boot loader sent by an upper computer is received, the second boot loader is written to a non-refreshable area; and running the second boot loader and sending an instruction for representing the completion of the second boot loader flashing to the upper computer. Although this patent uses a two-tier bootstrap method, when the first tier bootstrap has no redundant backup, it must be flushed when it is damaged. The first layer of bootstrap program is a foundation with a three-layer program structure, and the function of the electric control unit cannot normally run after the electric control unit is damaged.
Therefore, a new technical solution needs to be proposed.
Disclosure of Invention
In view of the defects in the prior art, the present invention aims to provide a method and a system for self-updating a program and a boot layer.
According to the program and the method for self-updating the guide layer provided by the invention, the method comprises the following steps:
step S1: the main control unit places the three layers of software in three mutually independent non-overlapping areas;
step S2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that the steps of programming the upper layer program are completely the same, the running state products are also completely the same, and only the jump addresses are different and the check sums are different;
step S3: if the first layer of bootstrap function is normal, the can box is used for writing the second layer of bootstrap program or the composite program of the second layer of bootstrap program and the offline test program through the first layer of bootstrap program;
step S4: if the second layer of guiding function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline testing program through the second layer of guiding program;
step S5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; the second layer of bootstrap program checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forcibly reset;
step S6: when the main control unit leaves a factory for testing, the app written by the bootstrap program comprises an off-line test program and an app program; after the offline test program is executed for a fixed number of times, the bootstrap program automatically deletes the offline test program, and then the app written by the bootstrap program only contains the app program;
step S7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
Preferably, the three layers of software in step S1 are three independent functions, the bootstrap program receives a valid write-over request when the electronic control unit is powered on and the functional program is running, jumps to the bootstrap program update program to run, and executes after confirming that the state of the functional program is normal when the write-over or update is completed or there is no update requirement.
Preferably, the step S3 updates the second-layer boot program after detecting that the first-layer boot program is valid for the flash request, otherwise, after confirming that the second-layer boot program is normal, jumps to the second-layer boot program, and if not, leaves the first-layer boot program until the power is off.
Preferably, the second-layer bootstrap program detects the requirement of effective refreshing function program, if yes, the function program is updated, otherwise, after checking the function program to be normal, the function program is jumped to, otherwise, the second-layer bootstrap program is remained until the power is off.
The invention also provides a program and guide layer self-updating system, which comprises the following modules:
module M1: the main control unit places the three layers of software in three mutually independent non-overlapping areas;
module M2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that modules of the upper layer program are completely the same, running state products are also completely the same, and only the jump addresses are different and the checksums are different;
module M3: if the first layer of guide function is normal, the can box is used for writing the second layer of guide program or the synthesis program of the second layer of guide program and the offline test program through the first layer of guide program;
module M4: if the second layer of guiding function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline testing program through the second layer of guiding program;
module M5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; the second layer of bootstrap program checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forcibly reset;
module M6: when the main control unit leaves a factory for testing, the app written by the bootstrap program comprises an off-line test program and an app program; after the offline test program is executed for a fixed number of times, the bootstrap program automatically deletes the offline test program, and then the app written by the bootstrap program only contains the app program;
module M7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
Preferably, the three layers of software in the module M1 are three independent functions, the bootstrap program receives a valid write-through request when the electronic control unit is powered on and the functional program is running, the bootstrap program is run when the bootstrap program is updated, and the bootstrap program is executed after the status of the functional program is determined to be normal when the write-through or update is completed or no update is required.
Preferably, the module M3 updates the second-layer boot program after detecting that the first-layer boot program is valid for the flash request, otherwise, after confirming that the second-layer boot program is normal, jumps to the second-layer boot program, and if not, stays in the first-layer boot program until the power is off.
Preferably, the second-layer bootstrap program detects the requirement of effective refreshing function program, if yes, the function program is updated, otherwise, after checking the function program to be normal, the function program is jumped to, otherwise, the second-layer bootstrap program is remained until the power is off.
Compared with the prior art, the invention has the following beneficial effects:
1. even if the upper computer matched with the bootstrap program given by the client is not available, the programming device does not need to be used for brushing the off-line detection program when the programming device leaves the factory, and after the completion (twice in total for the second time), the programming device (which needs to be opened or is additionally connected with a debugging port wire harness) is used for erasing the test program and programming back the single-layer (second-layer) bootstrap program given by the client; using a plurality of layers of bootstrap programs, when the hardware quality of the electric control unit is detected to be qualified or not by an off-line after leaving a factory, firstly, using a burner to write a first layer of bootstrap program, and then using a can box to write an off-line test program and a client bootstrap program synthesis software through the first layer of bootstrap program; after the offline test program performs hardware detection for a fixed number of times and is qualified, the layer self-erasing test program is guided, so that the operation steps are simplified, and errors are not easy to occur;
2. in the practical use process of the invention, the second layer does not need to be opened after the guide of the second layer is damaged (for example, the second guide layer is adjacent to the function program, and the guide of the second layer is changed by mistake if the function program overflows), and the two communication wiring harnesses of the canH canL externally connected with the connector of the electric control unit can be used for re-brushing the guide of the second layer from the guide of the first layer, so that the invention is safer and more reliable;
3. in the practical use process of the invention, the first layer of guide main area is damaged and can be switched to another backup, thereby reducing the risk that the first layer of guide program cannot be used once being damaged and needs to be burned by a burner when the shell is opened;
4. the functional program for guiding program flashing comprises two parts, namely an off-line test program and a functional program, wherein the off-line test program can automatically delete the off-line test program after hardware detection is qualified after the off-line test program executes hardware detection for a fixed number of times; only the APP is reserved, and the off-line testing process is simplified.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments with reference to the following drawings:
FIG. 1 is a schematic diagram of communication interfaces of a self-contained bootstrap program of all electronic devices using a main control chip through the main control chip;
FIG. 2 is a schematic view of a communication interface of the electronic control unit of the automobile through a user-written bootstrap program;
FIG. 3 is a diagram illustrating an example of a relationship between three layers of program storage addresses of an electronic control unit of the battery management system;
FIG. 4 is a flow chart of the operation of the power-up to power-down procedure of the electrical control unit including the two-layer boot procedure according to the present invention.
Detailed Description
The present invention will be described in detail with reference to specific examples. The following examples will aid those skilled in the art in further understanding the present invention, but are not intended to limit the invention in any manner. It should be noted that it would be obvious to those skilled in the art that various changes and modifications can be made without departing from the spirit of the invention. All falling within the scope of the present invention.
Example 1
The invention provides a program and a self-updating method of a guide layer, wherein the self-updating program comprises two parts, and the updating method comprises the following steps:
step S1: the main control unit places the three layers of software in three mutually independent non-overlapping areas; the three layers of software have three independent functions, the bootstrap program receives effective flashing requests when the electric control unit is powered on and the functional program runs, the bootstrap program runs when the bootstrap program updates the program, and the bootstrap program is executed after the state of the functional program is determined to be normal when the flashing or updating is completed or no updating requirement exists. The whole program storage space of the electric control unit is divided into three independent and non-overlapping blocks, and the first layer bootstrap program, the second layer bootstrap program and the product function program are respectively stored in three different addresses. And finishing the upper computer software, and controlling the electric control unit to update the program of the electric control unit by matching with the program of the guide layer of the electric control unit. The programs are all placed in a non-volatile program memory flash. Such a memory will not lose stored content after power is lost. Storing three layers of software in a designated program storage address, modifying a file for distributing the three layers of software to generate an executable file storage address, and respectively placing the three layers of software in three different areas, wherein for example, the size of a flash is 1000 bytes, the sizes of the three layers of software are 300 bytes, 200 bytes and 400 bytes respectively, so that 1-300 bytes can be placed in a first layer of boot, 1000 bytes are placed in a second layer of boot, and 760 bytes are placed in a function program. The three mutually independent non-overlapping areas ensure that three layers of software can run independently without mutual influence, and if the three layers of software are overlapped, the program content written into the program memory firstly can be covered by the program content written later.
Step S2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that the steps of programming the upper layer program are completely the same, the running state products are also completely the same, and only the jump addresses are different and the check sums are different. A program updating guide program which can support can communication is written in an empty electronic control unit ECU in a flashing mode; the support of can communication means that the upper computer of the matched bootstrap program can interact through can communication. The readable program memory of the main control chip of the single chip microcomputer of the electric control unit is empty when being bought back, and only asynchronous serial port communication (UART expressed by English) and the like and matched upper computer flash software flash programs provided by a single chip microcomputer supplier are supported by an internal solidified read-only bootstrap program. USB communication connects one end of the burner to PC, namely personal computer, the other end of the burner is connected to the debugging port on the hardware circuit board of the electronic control unit by DuPont wire, the DuPont wire uses the programming software on the PC to write the guiding layer 1 program to the electronic control unit through communication such as asynchronous serial port, JTAG port, etc., the main control unit MCU in the programming software is provided by the chip company for MCU updating program, erasing program and debugging program, the supplier of the electronic control unit is the manufacturer of the design and manufacture and chip mounting of the hardware circuit board of the ECU electronic control unit, and the chip company is the supplier of the main control unit chip MCU which is used on the circuit board of the electronic control unit and has similar brain function. And the bootstrap program supporting can communication is flushed by the read-only bootstrap program carried by the chip. The first layer bootstrap program is a universal unified bootstrap program for all the electronic control units in a company, and no matter who a client is, whether the bootstrap program required by the client is consistent (such as brushing CAN ID, brushing protocol and specific steps) or not CAN be brushed (the supplier of the unified electronic control unit) first layer bootstrap. The second tier boot is typically the client's boot. The method can also be a bootstrap program similar to a first-layer bootstrap program when no client exists, and only the storage address of the generated executable file is different from that of the first layer, and the jump address is also different; therefore, the first-layer bootstrap program can be uniformly written when the electronic control unit is offline, different bootstrap programs of different customers do not need to be distinguished, and the method is simple, reliable and not easy to make mistakes. When the second layer guide is damaged, if the first layer guide is not available, the shell can be detached and the shell can be rewritten through the serial port URAT or the parallel port, so that the operation is complicated and the air tightness is damaged. With the first tier boot, the second tier boot program CAN be re-flashed directly through its CAN communication. The first layer of boot backup is used, because of the three layers of software, the first layer of boot program is the basis, if the first layer of boot program is damaged, the first layer of boot program can only be written by an open shell method, and the backup improves the reliability of one layer of boot, namely the reliability of the whole software system. The programming software is provided by a chip company and comprises two types, wherein one type is software specially used for programming a program, and the other type can be the programming software and a debugging program.
Step S3: and if the first layer boot function is normal, the can box is used for writing the second layer boot program or the composite program of the second layer boot program and the offline test program through the first layer boot program. And updating the second layer bootstrap program after detecting that the first layer bootstrap program effectively refreshes the request, otherwise, jumping to the second layer bootstrap program after confirming that the second layer bootstrap program is normal, and remaining in the first layer bootstrap program until power failure if the second layer bootstrap program is abnormal. And the second-layer bootstrap program detects the requirement of effectively refreshing the functional program, if so, the functional program is updated, otherwise, after the functional program is checked to be normal, the functional program is jumped to, and if not, the second-layer bootstrap program is remained until the power is off. The USB communication connects one end of the CAN box to the PC, the other end of the CAN box uses CANH/CANL communication line to connect the electric control unit, CANH/CANL uses the CAN communication, the programming software (not provided by MCU supplier) on the PC which is made by MCU user self-research and other modes to write the guiding layer 2 program or product function program to the electric control unit, and the electric control unit is provided by supplier. The upper computer can select to flash or update the second layer bootstrap program according to the purpose of a user, when the hardware is just produced and the second layer bootstrap program does not exist, the flash is selected, when the second layer bootstrap program is flashed by the update finger, and a bug is found to exist in the second layer bootstrap program, the bootstrap layer 2 program and the product function program can be completely flashed at the same time, so that the operation steps are more efficiently saved. The can box is a communication switching box with one end connected with a usb interface and a computer and the other end connected with an electronic local area network communication interface of the automobile.
Step S4: and if the second-layer boot function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline test program through the second-layer boot program. After the electric control unit is powered on, jumping to a first layer bootstrap program initial address through the interrupt vector table and executing, detecting that the first layer bootstrap program is normal, and then ignoring the first layer bootstrap program backup area bootstrap program, wherein the detection method is various, for example, reading the content of the flash to calculate whether crc is consistent with the flash, otherwise, jumping to the first layer backup bootstrap program. The first layer of the boot program can effectively prevent the problem that only one part needs to be burned by the burner after the shell is damaged, and the risk is reduced. The upper computer sends a brushing request to the battery management main control unit through the can box, the main control unit guides a program to reply whether the program is allowed or not, the upper computer sends the functions of products to be brushed to the battery management main control unit through the can box, and the main control unit is placed in a corresponding program storage area after all the functions are received and checked correctly.
Step S5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; and the second layer of bootstrap program checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forced to reset. And updating the second layer of bootstrap program after detecting the effective flashing request, otherwise, jumping to the second layer of bootstrap program after confirming that the second layer of bootstrap program is normal, triggering and resetting the software to restore the normal state if checking that the first layer of backup area and the main area program are abnormal, executing the first layer of bootstrap program to judge that the effectiveness is invalid and resetting the software if the first layer of backup area and the main area program are abnormal all the time, and repeatedly executing the steps until the power failure occurs. And the second-layer bootstrap program detects the requirement of effectively refreshing the functional program, if so, the functional program is updated, otherwise, after the functional program is checked to be normal, the functional program is jumped to, and otherwise, the abnormal functional program is left in the second-layer bootstrap program until the power is off. The main body that the normal state will perform is the normal function of the product. The normal function of the product is executed by jumping to the functional program of the battery management electronic control unit. But each power-up must begin with the execution of the lower two layers of refresh boot procedures. The first layer guide judges whether the second layer guide needs to be updated, if the condition for updating the second layer guide needs to be confirmed, the PC is informed to send a new second layer guide through can communication after the condition is met, the electronic control unit receives and judges whether the received new second layer guide program is correct and then writes the new second layer guide program into the program storage unit, and whether the checksum calculated by the data part downloaded by the accurate and error-free can communication is consistent with the checksum data obtained by downloading is judged. And after the storage is successful, reading the check sum of the second-layer bootstrap program, jumping into the second-layer bootstrap program without errors, and then updating the functional program by using the same implementation as that of the first-layer bootstrap program. If the first layer of guidance or the second layer of guidance judges the non-brush writing request, if the second layer of guidance or the product function program needs to be updated or brushed for the first time, the client operates the upper computer brushing program to send a message to the electric control unit through the can box, and if the data of the second layer of guidance or the function program is normal, the client directly jumps to the second layer of guidance or the function program. When the upper computer writes the second layer of the electric control unit to guide or function programs, the second layer of the electric control unit guides or function programs indicate a flag bit respectively, can information is sent to the electric control unit, the electric control unit changes the writing flag bit value from invalid to valid after receiving and confirming that the writing flag bit value is legal, the electric control unit stores the writing flag bit value in the nonvolatile memory, the variable value of which is not lost even if the power is lost, the electric control unit is prevented from suddenly powering down in the process of updating the programs, then jumps to the first layer of the guide programs to start execution, and the valid flag bit is changed to invalid after the writing is successful. The first layer bootstrap program checks itself, for example, the checksum of the first layer program exists in the EEPROM as a reference, if the checksum calculated by the power-on operation at this time is the same as that stored in the EEPROM, the result is normal, otherwise, the result is abnormal.
Step S6: when the main control unit leaves a factory for testing, the app which is written by the bootstrap program comprises an offline test program and an app program, the fixed times can be calibrated for N times after the offline test program is executed for the fixed times, the offline test program can be automatically deleted by the bootstrap program, and then the app which is written by the bootstrap program only comprises the app program.
Step S7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
According to the invention, the upper computer can box of the single-layer bootstrap program is used for writing the offline test and the synthetic software of the functional layer software, and the can box is only written once, so that the previous steps are simplified; after the off-line test program is executed (written in advance) for a plurality of times to complete factory inspection, the off-line test program is automatically erased by the bootstrap program. Thus, the operation steps are simplified, and errors are not easy to occur.
Example 2
The present embodiment is different from embodiment 1 in that: the embodiment is applicable to two or more layers of bootstrap programs, at least two layers of bootstrap programs. can communication may be replaced by other communication means, such as SPI, UART, local area network, internet, and the like. The addresses of the three layers of software are independent of each other, have no overlapping and are not in sequence. After the electric control unit is powered on, the electric control unit jumps to the initial address of the first layer of bootstrap program through the interrupt vector table, and the method can also be realized through a configuration method given by other chips.
The invention also provides a program and guide layer self-updating system, which comprises the following modules:
module M1: the main control unit places the three layers of software in three mutually independent non-overlapping areas; the three layers of software have three independent functions, the bootstrap program receives effective flashing requests when the electric control unit is powered on and the functional program runs, the bootstrap program runs when the bootstrap program updates the program, and the bootstrap program is executed after the state of the functional program is determined to be normal when the flashing or updating is completed or no updating requirement exists.
Module M2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that modules of the upper layer program are completely the same, running state products are also completely the same, and only the jump addresses are different and the checksums are different.
Module M3: if the first layer of bootstrap function is normal, the can box is used for writing the second layer of bootstrap program or the composite program of the second layer of bootstrap program and the offline test program through the first layer of bootstrap program; and updating the second layer bootstrap program after detecting that the first layer bootstrap program effectively refreshes the request, otherwise, jumping to the second layer bootstrap program after confirming that the second layer bootstrap program is normal, and remaining in the first layer bootstrap program until power failure if the second layer bootstrap program is abnormal. And the second-layer bootstrap program detects the requirement of effectively refreshing the functional program, if so, the functional program is updated, otherwise, after the functional program is checked to be normal, the functional program is jumped to, and if not, the second-layer bootstrap program is remained until the power is off.
Module M4: and if the second-layer boot function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline test program through the second-layer boot program.
Module M5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; and the second layer of bootstrap program checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forcibly reset.
Module M6: when the main control unit leaves a factory for testing, the app written by the bootstrap program comprises an off-line test program and an app program; after the offline test program is executed for a fixed number of times, the bootstrap program automatically deletes the offline test program, and then the app written by the bootstrap program only contains an app program.
Module M7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
The main area and the slave area of the first layer of guide can also be mutually backed up, when one of the main area and the slave area has an error, the error partition is erased through the other normal partition, the normal program is rewritten, and the error partition is recovered, so that compared with the case that an error occurs by using a single first layer of guide scheme, the case is not required to be dismounted, and the reliability is also improved.
The invention does not need to open the shell and operate the writer PC machine flash software twice, and respectively brushes the off-line test and the client bootstrap program, only the binary file combined by the two softwares once is brushed (the two binary files are put in two non-overlapping independent continuous areas of the flash and are combined into one binary file), and after the off-line test program is executed (written in advance) for a plurality of times to complete the factory detection, the off-line test program is automatically erased by the bootstrap program. Thus, the operation steps are simplified, and errors are not easy to occur.
Those skilled in the art will appreciate that, in addition to implementing the system and its various devices, modules, units provided by the present invention as pure computer readable program code, the system and its various devices, modules, units provided by the present invention can be fully implemented by logically programming method steps in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore, the system and various devices, modules and units thereof provided by the invention can be regarded as a hardware component, and the devices, modules and units included in the system for realizing various functions can also be regarded as structures in the hardware component; means, modules, units for performing the various functions may also be regarded as structures within both software modules and hardware components for performing the method.
The foregoing description of specific embodiments of the present invention has been presented. It is to be understood that the present invention is not limited to the specific embodiments described above, and that various changes or modifications may be made by one skilled in the art within the scope of the appended claims without departing from the spirit of the invention. The embodiments and features of the embodiments of the present application may be combined with each other arbitrarily without conflict.
Claims (8)
1. A method for program and boot layer self-update, the method comprising the steps of:
step S1: the main control unit places the three layers of software in three mutually independent non-overlapping areas;
step S2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that the steps of programming the upper layer program are completely the same, the running state products are also completely the same, and only the jump addresses are different and the check sums are different;
step S3: if the first layer of bootstrap function is normal, the can box is used for writing the second layer of bootstrap program or the composite program of the second layer of bootstrap program and the offline test program through the first layer of bootstrap program;
step S4: if the second layer of guiding function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline testing program through the second layer of guiding program;
step S5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; the second layer of bootstrap program checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forcibly reset;
step S6: when the main control unit leaves a factory for testing, the app which is written by the bootstrap program comprises an off-line test program and an app program; after the offline test program is executed for a fixed number of times, the bootstrap program automatically deletes the offline test program, and then the app written by the bootstrap program only contains the app program;
step S7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
2. The program and boot layer self-updating method according to claim 1, wherein the three-layer software in step S1 is three independent functions, the boot program receives a valid write-through request when the electronic control unit is powered on and the function program is running, jumps to the boot program update program to run, and executes after confirming that the state of the function program is normal when the write-through or update is completed or there is no update requirement.
3. The program and boot layer self-updating method of claim 1, wherein the step S3 updates the second layer boot program after detecting that the first layer boot program is valid for the flash request, otherwise, after confirming that the second layer boot program is normal, jumps to the second layer boot program, and leaves the first layer boot program until power is off.
4. The program and boot layer self-update method of claim 3, wherein the second layer boot program detects a valid refresh function program requirement, updates the function program if it is valid, jumps to the function program after checking the function program is normal, otherwise leaves the second layer boot program until power is removed.
5. A program and boot layer self-update system, comprising:
module M1: the main control unit places the three layers of software in three mutually independent non-overlapping areas;
module M2: the method comprises the steps that a first-layer bootstrap program is written by a burner, the first-layer bootstrap program comprises a first-layer bootstrap program and a second-layer bootstrap program which have the same bootstrap function, and the first-layer bootstrap program and the second-layer bootstrap program are stored in two non-coincident addresses; the same boot function means that modules of the upper layer program are completely the same, running state products are also completely the same, and only the jump addresses are different and the checksums are different;
module M3: if the first layer of bootstrap function is normal, the can box is used for writing the second layer of bootstrap program or the composite program of the second layer of bootstrap program and the offline test program through the first layer of bootstrap program;
module M4: if the second layer of guiding function is normal, the can box is used for writing the functional program or the combined program of the functional program and the offline testing program through the second layer of guiding program;
module M5: the electronic control unit firstly runs the first layer of bootstrap program after being electrified, detects the checksum of the first layer of bootstrap program, ignores the second layer of bootstrap program after being normal, and otherwise jumps to the second layer of bootstrap program; if the first layer bootstrap program has a program refreshing or updating request, stopping at the first layer bootstrap program, erasing the second layer bootstrap program and the functional program, and updating the second layer bootstrap program after the erasing is finished; the first layer bootstrap program II checks whether the checksum is normal or not, and if the checksum is abnormal, the software is forced to reset;
module M6: when the main control unit leaves a factory for testing, the app written by the bootstrap program comprises an off-line test program and an app program; after the offline test program is executed for a fixed number of times, the bootstrap program automatically deletes the offline test program, and then the app written by the bootstrap program only contains the app program;
module M7: in the normal function program operation process, for example, under the working condition of allowing the program to be updated, the program updating request of the upper computer is received, the writing request mark is recorded in the nonvolatile memory, and then the program which requests the updating is directly jumped to the first layer bootstrap program or the second layer bootstrap program.
6. The program and boot layer self-updating system of claim 5, wherein the three layers of software in the module M1 are three independent functions, the boot program receives a valid write-through request when the electronic control unit is powered on and the function program is running, jumps to the boot program updating program to run, and executes after confirming that the state of the function program is normal when the write-through or update is completed or there is no update requirement.
7. The program and boot layer self-updating system of claim 5, wherein the module M3 updates the second layer boot program after detecting that the first layer boot program is valid for the flush request, otherwise, jumps to the second layer boot program after confirming that the second layer boot program is normal, and stays in the first layer boot program until power down if not normal.
8. The program and boot layer self-update system of claim 7, wherein the second layer boot program detects a valid refresh function program requirement, updates the function program if it is available, jumps to the function program if it is checked to be normal, and otherwise leaves the second layer boot program until power is removed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210461294.2A CN114895950A (en) | 2022-04-28 | 2022-04-28 | Self-updating method and system for program and guide layer |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210461294.2A CN114895950A (en) | 2022-04-28 | 2022-04-28 | Self-updating method and system for program and guide layer |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114895950A true CN114895950A (en) | 2022-08-12 |
Family
ID=82720627
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210461294.2A Pending CN114895950A (en) | 2022-04-28 | 2022-04-28 | Self-updating method and system for program and guide layer |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114895950A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI819957B (en) * | 2023-02-02 | 2023-10-21 | 新唐科技股份有限公司 | Method and apparatus for self-checking states on power on initial and electrical device using the same |
-
2022
- 2022-04-28 CN CN202210461294.2A patent/CN114895950A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| TWI819957B (en) * | 2023-02-02 | 2023-10-21 | 新唐科技股份有限公司 | Method and apparatus for self-checking states on power on initial and electrical device using the same |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101650662B (en) | Memory device of embedded system and staring method and upgrading of firmware | |
| CN104025047B (en) | Information processor, information processing method and computer program | |
| US20080033609A1 (en) | Automotive diagnostic and tuning system | |
| JP2990181B1 (en) | Flash memory, microcomputer having flash memory, and method of storing program in flash memory | |
| CN111240720A (en) | Boot program upgrading method and device and storage medium | |
| CN109189445A (en) | A kind of method of internet of things equipment program upgrading | |
| US5933595A (en) | Computer apparatus having electrically rewritable nonvolatile memory, and nonvolatile semiconductor memory | |
| CN110809755A (en) | Electronic control system | |
| CN101620542B (en) | Compatible updating method of ultrasonic imaging equipment software data | |
| CN111651174A (en) | Method and system for remotely upgrading MCU (microprogrammed control Unit) program | |
| CN108874582A (en) | A kind of system recovery method, device and terminal | |
| US20070250254A1 (en) | On-vehicle control apparatus | |
| CN108920168B (en) | Bootloader method supporting simultaneous upgrading of multiple similar ECUs and having function of preventing program mismatching | |
| CN108108193A (en) | A kind of easy-to-use firmware upgrade method of safety and system | |
| CN114895950A (en) | Self-updating method and system for program and guide layer | |
| CN115718610A (en) | Reliable method for updating application program of single chip microcomputer | |
| US7934050B2 (en) | Microcomputer for flash memory rewriting | |
| JP3093541B2 (en) | Terminal device and online system for managing version numbers of programs and data | |
| CN111796839B (en) | Controller program management method and device | |
| CN114741091A (en) | Firmware loading method and device, electronic equipment and computer readable storage medium | |
| WO2019064644A1 (en) | Electronic control device and control program verification method | |
| CN113703816B (en) | Server device and method for avoiding firmware from being unable to be updated again | |
| TWI726477B (en) | Server device and method for avoiding firmware cannot be updated again to programmable logic device thereof | |
| CN112114749B (en) | BBU software interface decoupling system and method | |
| CN113553085B (en) | Method, device, equipment and storage medium for online upgrading of embedded operating system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |