DE102017218872A1 - Method and device for updating software of a motor vehicle control unit - Google Patents

Abstract

A method for updating the software of at least one vehicle control unit (4, 6, 8) installed in a motor vehicle (2) comprises the steps of: (A) transmitting a preparatory command, in particular a command to block the motor vehicle (2), from one Updating device (12a, 12b) to the vehicle control unit (4, 6, 8); (B) transmitting an acknowledgment message by the vehicle control unit (4, 6, 8); (C) transmitting new software from the updating device (12a, 12b) to the vehicle control unit (4, 6, 8); (D) querying a characteristic value of one or more vehicle control units (4, 6, 8) which are installed in the motor vehicle (2); (E) calculating an activation code from the requested characteristic values; (F) using the calculated activation code for subsequent communication with the vehicle control unit (4, 6, 8) that has disabled the vehicle function; and (G) executing a command for restoring the travel readiness of the motor vehicle (2) by the vehicle control unit (4, 6, 8) only after the vehicle control unit (4, 6, 8) has directly or indirectly checked that the correct one Activation code is present.

Description

The invention relates to a method and a device for updating the software of at least one motor vehicle control unit installed in a motor vehicle.

State of the art

The updating of software of vehicle control units is in a field of tension, since the motor vehicle control units on the one hand have to implement safety requirements ("Safety Goals") up to ASIL-D (ISO 26262), on the other hand for updating the software of the vehicle ECUs or other external devices that contain complex programs and much existing software and therefore can not easily meet the requirements that are imposed when ASIL security objectives are affected.

Since a faulty update of the software of the vehicle control units can lead to a breach of safety goals up to ASIL D, the use of such components is not readily permitted. However, the use of such components is permitted if the absence of feedback has been demonstrated within the meaning of ISO 26262-1: 2011, §1.49.

In a simple case, end-to-end protection is used: the ASIL-compliant target ECU checks itself after an update and only releases when it finds that the software update was done without error. Consequently, there is no feedback for the updating device.

In a modern motor vehicle, several vehicle control units usually interact closely: an engine control unit may e.g. have the function to limit the maximum speed. For this purpose, the engine control unit receives information about the vehicle speed from an ESP control unit.

In addition, the currently engaged gear is interrogated by a transmission control unit, so that the engine control unit can perform a plausibility check of the vehicle speed on the basis of the engaged gear and the engine speed.

However, the above-described "simple" self-plausibility of an updated automotive control unit can not reliably detect an incompatible configuration of the entire system created by the update.

Disclosure of the invention:

It is therefore an object of the invention to provide a method and a device for safely updating the software of at least one motor vehicle control unit installed in a motor vehicle. In particular, it is an object to ensure that the overall system configuration of all vehicle control units installed in the motor vehicle is in a mutually compatible and reliable state after updating the software.

1. (A) Übertragen eines Befehls, insbesondere eines Befehls zum Blockieren wenigstens einer Funktion des Kraftfahrzeugs, von einer Aktualisierungsvorrichtung an das wenigstens eine Kfz-Steuergerät;
2. (B) Übertragen einer Bestätigungsnachricht, welche die Ausführung des vorbereitenden Befehls bestätigt, von dem Kfz-Steuergerät an die Aktualisierungsvorrichtung;
3. (C) Übertragen neuer Software von der Aktualisierungsvorrichtung an das wenigstens Kfz-Steuergerät und Installierten der neuen Software auf dem wenigstens einen Kfz-Steuergerät;
4. (D) Abfragen eines von der Software abhängigen Kennwertes, insbesondere der Software-Versionsnummer, eines oder mehrerer Kfz-Steuergeräte, die in dem Kraftfahrzeug verbaut sind;
5. (E) Berechnen eines Aktivierungscodes aus den abgefragten Kennwerten;
6. (F) Kommunizieren der Aktualisierungsvorrichtung mit wenigstens dem Kfz-Steuergerät, das wenigstens eine Funktion des Kraftfahrzeugs blockiert hat, unter Verwendung dieses Aktivierungscodes, wobei die Kommunikation so aufgebaut ist, dass das Kfz-Steuergerät sicher erkennt, wenn die Aktualisierungsvorrichtung nicht über den richtigen Aktivierungscode verfügt;
7. (G) Ausführen eines Befehls zum Reaktivieren der wenigstens einen blockierten Funktion des Kraftfahrzeugs durch das Kfz-Steuergerät nur, nachdem das Kfz-Steuergerät direkt oder indirekt geprüft und bestätigt hat, dass der richtige Aktivierungscode vorliegt.

According to one exemplary embodiment of the invention, a method of updating the software of at least one motor vehicle control device installed in a motor vehicle comprises at least the following steps:

1. (A) transmitting an instruction, in particular a command for blocking at least one function of the motor vehicle, from an updating device to the at least one motor vehicle control unit;
2. (B) transmitting an acknowledgment message confirming the execution of the preparatory command from the vehicle control unit to the updating device;
3. (C) transferring new software from the updating device to the at least vehicle controller and installing the new software on the at least one vehicle controller;
4. (D) querying a software dependent characteristic value, in particular the software version number of one or more vehicle control units, which are installed in the motor vehicle;
5. (E) calculating an activation code from the requested characteristic values;
6. (F) communicating the update device with at least the vehicle control unit that has blocked at least one function of the motor vehicle using this activation code, wherein the communication is configured such that the vehicle control unit securely detects if the updating device does not have the correct activation code features;
7. (G) executing a command to reactivate the at least one blocked function of the motor vehicle by the vehicle control unit only after the vehicle control unit has directly or indirectly checked and confirmed that the correct activation code is present.

An updating device for updating the software of a motor vehicle control unit installed in a motor vehicle, according to an embodiment of the invention, has a storage device which is used to store the vehicle to be updated Software is formed, a transmitting device, which is adapted to transmit a preparatory command, in particular a command to block the motor vehicle, to the vehicle control unit; and a receiving device configured to receive an acknowledgment message confirming the execution of a received preparatory command by the vehicle control unit.

The transmitting device is designed to transmit the software to be updated to the vehicle control unit. The receiving device is designed to receive a parameter dependent on the software, in particular a current software version number, of one or more motor vehicle control units. The updating device has a calculating device which is designed to calculate an activation code from the received characteristic values; and the transmitting device is configured to communicate with at least one other vehicle control unit using this activation code.

A vehicle control unit according to an embodiment of the invention is configured to cooperate with an updating device to carry out a method according to an embodiment of the invention. In particular, the vehicle control unit comprises a receiving device, which is designed to receive a preparatory command, in particular a command to block the motor vehicle, by an updating device, and a transmitting device, which is designed to transmit an acknowledgment message indicating the execution of a received preparatory command confirmed by the vehicle control unit. The transmitting device is designed to transmit a parameter dependent on the software, in particular a current software version number, to the updating device. The receiving device is configured to communicate with the updating device. The vehicle control unit further comprises a comparison and release device, which is designed to validate the received messages and to restore the driving readiness of the motor vehicle only if this validation has been completed successfully.

Not all functions have to be present in all vehicle control units. In particular, the transmitting device of the vehicle control unit that processes the command for blocking need not necessarily be configured to transmit a software-dependent characteristic value, in particular a current software version number, to the updating device. This feature only needs to be present in the car control unit to be updated.

The function for blocking the motor vehicle, as well as the comparison and release device must be formed only in a vehicle control unit in the vehicle.

The activation code is not kept on the update device, but it is calculated from the feedback from the environment (other car control devices, backend, driver interaction, support hotline, etc.).

The decision to reactivate the vehicle function is transferred from the update device to another vehicle control unit. The update device calculates the activation code from the feedback of the other vehicle control units and uses the code, in particular for reactivating the vehicle function. The code is not known to the updater, so there are no (potential miss) decisions that can be made in the updater.

The activation code is in particular calculated by the updating device from data queried by the updated (reprogrammed) vehicle control units.

If at least one of the vehicle controllers has not been successfully updated and / or is not in the expected state, it provides different data from which the updater calculates a different activation code, which subsequently results in a refusal when attempting to reactivate the vehicle function.

It is a basic idea of the invention that the activation code is not compared by the updating device with a reference value. In such an approach, the comparison could be skipped by an error or the result of the comparison misinterpreted. Consequently, there is a feedback from the updating device on vehicle functions.

The updating device may maintain the result of a one-way function of the activation code and pre-check before step (F) and (G) whether the restoration of the blocked vehicle function will be successful. In particular, hash functions such as MD4, MD5, SHA1 or SHA256 could be used for this purpose.

The activation code can be sent in step (F), in particular directly as a value to the device that has blocked the vehicle function. The value can, in particular, represent a service ID ("SID") or be used as a parameter in the context of a UDS communication (ISO 14229: 2013). On this device, the activation code must then be validated, for example by comparison with a reference code, or by checking whether the result of a one-way function corresponds to a reference value.

In particular, MD4, MD5, SHA1 or the multiplication of two (prime) numbers could be used as one-way functions.

Alternatively, the activation code in step (F) may enter the algorithm for authentication of the updating device with respect to the at least one vehicle control unit. This authentication could be done in particular according to UDS security access (see ISO 14229-1: 2013, §9.4 - service 0x27) or according to ASAM XCP MCD-1 "UNLOCK".

Alternatively, the activation code in step (F) may be used to decrypt a program containing the algorithms and instructions required for communication. The encryption does not have to provide any cryptographic security, it is sufficient if it is impossible for the updating device to get to the unencrypted program without knowledge of the activation code. AES256 is an example of a cryptographically secure encryption algorithm, DES or RC4 are examples of algorithms that do not provide cryptographic security. Algorithms without cryptographic security require i.d.R. less computing time, depending on the application, this may be necessary.

In particular, encryption has the advantage that an arbitrarily complex algorithm for reactivating the vehicle function can be used without changes, and nevertheless it is ensured by the encryption that no part of this algorithm can be triggered without the presence of the activation code. In particular, this can be communicated with each vehicle control unit.

The test carried out in step (G) may be implemented as a simple comparison with a reference code: the updating device sends the calculated activation code to the vehicle control unit, which compares the activation code with a reference code.

However, one-way functions can also be used. If a one-way function is used, also the comparison device only the result of the function is known: The car control unit calculates the result of the one-way function with the activation code as input (s). If the result matches the reference value, the activation code is correct.

The two methods described are direct tests: The activation code is sent to the vehicle control unit and checked by the vehicle control unit.

The recognition can also take place in the context of existing authentications, in particular UDS Security Access or XCP UNLOCK: In the vehicle control unit an authentication according to the prior art is implemented, but in the updating device - in contrast to the prior art - the necessary algorithms stored so that they are usable only when the correct activation code is present. This variant has the advantage that no change to the vehicle control unit is required. This is an example of an indirect check: The activation code is not sent, but without the value the authentication would fail.

In another approach to indirect testing, the program (instructions, algorithms) executed by the updating device for communication with the vehicle controller is stored in encrypted form. The activation code is used as the password for the decryption, only through the decryption the update device has access to the required commands. When the vehicle controller receives the correct commands, or commands with the correct parameters, from the updater, it is indirectly demonstrated that the updater has the correct activation code.

In one embodiment, a key (hereinafter "key B") is sent by the vehicle control unit upon successful blocking of the vehicle function.

A key B is required if, in addition to preventing a false reactivation of the vehicle function, it must also be proved that no erroneous start of the reprogramming is possible (item (C) in the disclosure of the invention).

In one embodiment, the key B is calculated from a key A, which has been previously transferred from the updating device to the vehicle control unit.

The use of a key A, which has been previously transmitted from the updating device to the vehicle control unit, has the advantage that the key B is no longer constant. Consequently, an erroneously stored old acknowledgment message can not lead to an inadmissible start of the reprogramming.

In addition, the addressed in step (A) at least one vehicle control unit to store the key A long term and thus recognize and reject old keys safely. The keys may also be digitally signed so that the update device can not falsely block the vehicle function.

It is also possible that the key A is sent either before or after the command to block the at least one vehicle function. Key B can also be sent after the successful blocking message.

It is also possible that the car control unit always calculates keys B from keys A - and that this calculation is received when a vehicle function is blocked. This has the advantage that both states are safe, e.g. into the activation code. "Safe" in this context means that faults in the updater always result in a different code (Activation Code, Activation Code, Start Code, "Code n"), and these faults can then be noticed by the vehicle controllers.

It is only necessary here that the blocking status is received in some form in the key B. In particular, the vehicle control unit in the normal state can respond to requests for a key B with an error message and answer these requests only if at least one vehicle function is blocked. Alternatively, the algorithm for calculating key B may be constructed such that the blocked vehicle function enters the key B as a parameter.

In order to avoid an erroneous start of the programming, a start code can be calculated by the updating device from data (characteristic values) which are requested by the motor vehicle control units, in particular from the key B. This start code can then be used in step C. This has the advantage that the SW update process can not be started without a previous blocking of the vehicle function.

The start code is used in the same way as the activation code: In particular, it can be used to decrypt commands for the execution of the software update; the start code can be used to decrypt the new software to be installed. The start code can be used as a parameter or command to a vehicle manufacturer. Control unit are shipped, and / or it can be used for authentication.

In another embodiment, the method includes updating the software of multiple vehicle controllers. In this case, a code ("code n"), which was calculated in particular from feedback of an nth vehicle control unit whose software has been updated, used to perform the SW update for an n + 1-th car control unit , Since the code that contains data of the nth car controller is present only when this car control unit has been successfully updated and this code is used for the update of the n + 1sten car control unit, it is ensured that the vehicle control units can only be updated in the given order.

After updating the software of all vehicle ECUs to be updated, once again the characteristics and / or memory contents of all updated vehicle ECUs can be checked to verify the final configuration. This step is formally not necessary because the update of the last vehicle control unit only takes place if all vehicle control units have been previously successfully updated. However, it may be advantageous to still re-address all car control units, for example to always be able to use the same software module for this step. In particular, vehicle control unit can be addressed, which have not been updated.

The same approaches as for the start code and the activation code can be used for the use of these codes: In particular, commands can be decrypted with them, they can be sent as parameters or commands to a vehicle control unit, and / or they can be used for authentication ,

The transmission between the updating device and at least one vehicle control unit can also take place via an intermediary gateway. On the one hand, this gateway can be designed to filter impermissible messages, on the other hand, the gateway can connect a wireless interface to a wired interface.

Illegal messages could be, for example, messages that contain speed information from the engine or a driving speed: This information may only be sent by the responsible vehicle control units. The gateway can thus prevent the update device from disturbing vehicle functions. For the decision as to whether a message is admissible, the gateway may in particular have a CAN message identifier, a source or a destination IP address (eg according to IPV6, RFC2460), and / or a source or a destination port (eg after TCP, RFC793), and / or evaluate the direction from which the gateway received the message. It may also be inadmissible if too many messages are sent by the updating device, as the result following bus load could lead to a malfunction of vehicle functions.

In one embodiment, the gateway must be enabled by the updating device before transferring data between the updating device and at least one vehicle control unit. In particular, the gateway may be designed so that it does not forward messages that are required for reprogramming during normal operation, such as, for example, the UDS programming session (ISO 14229-1: 2013, §9.2.2.2). For the activation of a code ("Gatway unlock code") can be used, which is initially not present on the diagnostic tester, but is calculated in particular from the communication with at least one vehicle control unit. In particular, the aforementioned key B may enter the gateway unlock code. The Gatwway unlock code can be the same as the startup code. But it is also possible that both codes are different. In particular, the start code can also receive feedback from the gateway.

In one embodiment, the step of transmitting the calculated activation code to the vehicle control unit also includes transmitting the keys A and / or B, and the step of validating comprises evaluating all values (activation code, and / or key A, and / or Key B). Mixed forms are also possible: for example, the activation code could be used for decryption and the key A is transmitted. The transmission of key A and / or B could be advantageous if these keys on the vehicle control unit that has blocked at least one vehicle function, can not be stored / should.

In one embodiment, blocking the motor vehicle includes activating an immobilizer and / or blocking a starter and / or a fuel pump. In this way, the motor vehicle can be reliably blocked.

In one embodiment, the method additionally comprises calculating the codes (activation code, activation code, start code, "code n") from the content of at least partial areas of a memory of a motor vehicle control unit. In this way, the success of the software update can be checked even better, since errors that lead to different memory contents, can be reliably detected.

• - die Daten vorwärts zu schreiben und rückwärts zurückzulesen;
• - die Daten sowohl über „ReadMemoryByAddress“ als auch über „ReadDataByIdentifier“ zu lesen (ISO 14229:2013);
• - nicht nur den (Flash-)Speicher des jeweiligen Kfz-Steuergerätes auszulesen, sondern zusätzlich auch Rechenergebnisse des jeweiligen Kfz-Steuergerätes abzufragen.

Additional validations may be used to confirm a successful upgrade; these may include, for example:

• - write the data forward and read it backwards;
• - read the data both through "ReadMemoryByAddress" and via "ReadDataByIdentifier" (ISO 14229: 2013);
• - Not only read the (flash) memory of each vehicle control unit, but also also query results of the respective car control unit.

It is also possible to query the same data multiple times, so as to achieve protection against disturbed bus messages.

In one embodiment, the interrogation of the characteristic value comprises interrogating the characteristic values of one or more motor vehicle control units which, during operation, interact with the vehicle control unit whose software has been updated. This ensures that all car control units that interact with each other in operation are equipped with compatible software versions so that they can cooperate easily.

In one embodiment, the communication between the updating device and the vehicle control unit is encrypted. As a result, unauthorized changes to the vehicle control units is prevented or at least considerably more difficult.

In one embodiment, polling characteristics comprises polling data in at least one external back-end system, e.g. a server of the manufacturer of the vehicle or the vehicle control unit. This makes it easier to exclude unauthorized manipulations and allows a complete documentation of the changes made, in particular the final or target state of the vehicle control units.

In a further embodiment, two processes for restoring the driving readiness of the motor vehicle by the vehicle control unit are provided on the updating device: a first sequence which requires an activation code which can be calculated in the event of a successful update.

In addition, a second sequence is provided, for which an activation code is required, which is calculated from the backend and / or hotline feedback, which then activates an emergency operation of the vehicle. This has the advantage that on the one hand accidental activation of the emergency operation is impossible, and on the other hand, it is avoided that the vehicle is no longer usable if the update has failed.

In one embodiment, the method further includes user input (driver interaction), a chassis number, and / or a vehicle identification number in the calculation of the activation code. In this way it can be ensured that the motor vehicle is only reactivated when the user has confirmed the update of the software and / or the newly installed software with the respective motor vehicle (type) is compatible.

In one embodiment, the interface for transmitting the data between the updating device and the vehicle control unit is designed as a wired interface. A wired interface enables reliable data transmission and is inexpensive to implement. The wired interface can be designed as a standardized interface, in particular as an OBD / OBD2 interface.

In one embodiment, the interface for transmitting the data between the updating device and the vehicle control unit is designed as a wireless interface. A wireless interface allows a particularly convenient data transmission, since no cables need to be laid and connected. The wireless interface can in particular be produced as a WLAN or Bluetooth® connection.

Optionally, known communication concepts with watchdog devices may be used for communication between the updating device and the vehicle controllers. For example, the car control units can observe minimum and maximum allowable times and reject messages arriving outside these times. The updating device can also selectively use incorrect codes and then incorporate the negative response code of the respective vehicle control unit in another code.

The update device may be a separate vehicle control unit, but it may also be a software module in a vehicle control unit. For example, it could also be designed as a virtual machine on an existing vehicle control unit. The advantage of a virtual machine is that a small, ISO 26262 compliant hypervisor can enforce boundary conditions. For example, the virtual machine might not contain writeable non-volatile memory, and the hypervisor clears the volatile memory at the end or at the abort of the update. This prevents old acknowledgment messages or old key-values or activation codes from leading to invalid retries.

• - Der „Mobile Agent“ sind die Programme zur Aktualisierung der Software
• - Der „Hostile Host“ ist die Aktualisierungsvorrichtung, auf der die Programme zur Aktualisierung der Software ablaufen.

The invention is based on the recognition that the updating of the software ("in order") of a motor vehicle control unit or of a vehicle control unit network is a variant of a "mobile agent" / "hostile host" configuration:

• - The "Mobile Agent" are the programs for updating the software
• - The "hostile host" is the updating device on which the programs for updating the software run.

The updating device may be a true "hostile hosts", e.g. B. when a smartphone, tablet PC or laptop of an end user is used as an updating device.

For the implementation can therefore be used on the known from the literature algorithms of the so-called. "Mobile Cryptography" to achieve a proven freedom from retroactivity. This includes in particular the "Environmental Key Generation", as well as the use of "Homomorphic Encryption".

An embodiment of the invention will be described below with reference to the accompanying drawings.

list of figures

• 1a shows a motor vehicle with several vehicle control units and an external updating device.
• 1b shows a motor vehicle with several vehicle control units and an internal updating device.
• 2 shows an enlarged schematic view of an external updating device.
• 3 shows an enlarged schematic view of an internal updating device.
• 4 shows an enlarged schematic view of a vehicle control unit.
• 5 shows a schematic diagram of the flow of a method for updating the software at least one installed in a motor vehicle vehicle control unit according to an embodiment of the invention.

figure description

1a shows a motor vehicle 2 with several car control units 4 . 6 . 8th of which at least one using an external updating device 12a supplied with new software ("updated").

1b shows a motor vehicle 2 with several car control units 4 . 6 . 8th of which at least one using an internal updating device 12b supplied with new software ("updated").

2 shows an enlarged schematic view of an external updating device 12a , The external updating device 12a can z. B. a suitably equipped car diagnostic tester or a smartphone / tablet PC / laptop of a user, on which a suitable software ("App") is installed.

3 shows an enlarged schematic view of an internal updating device 12b , The internal updating device 12b can a for this in the vehicle 2 built-in vehicle control unit 4 . 6 . 8th be, or a module in an existing car control unit 4 . 6 . 8th , The internal updating device 12b can also be a software module in a car control unit 4 . 6 . 8th his. In particular, it can be used as a virtual machine on an existing car control unit 4 . 6 . 8th be educated. The advantage of a virtual machine is that it has a small, ISO 26262 compliant hypervisor 38 Can force boundary conditions.

4 shows an enlarged schematic view of a vehicle control unit 4 ,

The updating device 12a . 12b each has a transmitting device 17 and a receiving device 19 on, over a wireless or wired data connection 10 with a transmitting device 30 and a receiving device 28 at least one of the vehicle control units 4 . 6 . 8th are connected.

A wired data connection 10 can for example via a motor vehicle 2 existing standardized interface 16 , in particular an OBD / OBD2 interface 16 getting produced. A wireless data connection 10 can be made for example by a Wi-Fi or Bluetooth® connection.

The transmission between the updating device 12a . 12b and at least one vehicle control unit 4 . 6 . 8th can also have an intermediary gateway 34 respectively. This gateway 34 On the one hand, it can be configured to filter invalid messages, on the other hand, the gateway can 34 connect a wireless interface to a wired interface.

The car control units 4 . 6 . 8th can communicate with each other via data lines 18 , in particular a data bus 18 , or wirelessly exchange data.

The sequence of a method for updating the software of at least one of the motor vehicle 2 installed vehicle control units 4 . 6 . 8th according to an embodiment of the invention is shown schematically in the 5 shown.

In a first step 110 gets the update device 12a . 12b about one at the update device 12a . 12b trained input device 14 or an interface 15 , in particular a mobile radio, WLAN, Bluetooth® or USB interface 15 , an order to update the software of at least one of the vehicle control units 4 . 6 . 8th ,

The new software attached to the at least one car control unit 4 . 6 . 8th is to be transferred is either in a storage device 13 the updating device 12a . 12b stored or is over the interface 15 , z. From a USB storage device ("USB stick", "flash drive") to the updater 12a . 12b transmitted and possibly (temporarily) in the storage device 13 saved.

The software may optionally be in encrypted form, so it must first be decrypted before it can be used. In particular, in this case, the updating device 12a . 12b the key required to decrypt the software is not (yet) known.

The updating device 12a . 12b then send (in step 120 ) command to at least one of the vehicle control units 4 . 6 . 8th to the motor vehicle 2 shut down or block for the duration of the software update. The command may include, for example, an immobilizer 20 of the motor vehicle 2 to activate and / or a starter 22 or a fuel pump 24 of the motor vehicle 2 to block.

"Blocking" the motor vehicle 2 may in this context also mean the motor vehicle 2 in an "emergency mode" in which, for example, only a limited engine power is available, and / or to activate a warning light that indicates that some functions of the motor vehicle 2 , such as As ABS or ESP, are not available.

There is also the possibility that the operation of the motor vehicle 2 is initially completely blocked, and the motor vehicle 2 is set after the lapse of a predetermined period of time in an emergency operating state, which makes it possible, for example, the motor vehicle 2 to drive to a (other) workshop, eg. For example, if the software update failed to complete successfully.

The activation of the "emergency mode" may include a user input by which the user confirms that he is aware that the motor vehicle 2 is in a restricted emergency mode in which not all functions are available. The car 2 is activated only in emergency mode after the user has confirmed to have taken note of this.

Together with the command to block the motor vehicle 2 Optionally, a key ("key A") to the relevant car control unit 4 . 6 . 8th be transmitted.

Once the car control unit 4 . 6 . 8th the command to block the motor vehicle 2 has executed, send it in step 130 an acknowledgment message confirming that the command has been executed, to the updating device 12a . 12b ,

The car control unit 4 . 6 . 8th can also have a key B to the updating device 12a . 12b ship in the car control unit 4 . 6 . 8th was calculated. Was previously (in step 120 ) a key A to the vehicle control unit 4 . 6 . 8th can transfer, the key B in particular be calculated from this key A.

The algorithm for calculating the key B , or at least parameters that are included in the calculation, is the vehicle control unit 4 . 6 . 8th but not the updater 12a . 12b known.

The car control unit 4 . 6 . 8th can be designed so that key B is sent only if the at least one vehicle function has been blocked. If the function is not blocked, an error message will be sent. Alternatively, the provision of a key B is an always active function, and "Is the vehicle blocked?" is a parameter that enters into the calculation of the key.

A calculation device 26 that in the updating device 12a . 12b is present, calculated from data (characteristics) provided by the vehicle control units 4 . 6 . 8th be queried, a code (step 130 ). The calculation device 26 can be realized in hardware or software. In particular, the key B can also be included in this calculation.

Querying the data (characteristic values) can also query the data in at least one external backend system 40 , eg a server of the manufacturer of the motor vehicle 2 or the car control units 4 . 6 . 8th include to exclude unauthorized manipulation and a complete documentation of the changes made, in particular the final or target state of the vehicle control units 4 . 6 . 8th to enable.

If the new software on the updater 12a . 12b stored in encrypted form, this code can be used in particular to decrypt the software (step 140 ) be used. The encryption of the software does not have to provide cryptographic security.

Alternatively, it is also possible that this code is included in the algorithm for UDS Secure Access (ISO 14229: 2013, §9.4 - service 0x27) or for ASAM XCP MCD-1 "UNLOCK".

After the possibly encrypted stored software has been decrypted, the software in step 150 over the data connection 10 on at least one of the vehicle control units 4 . 6 . 8th transmitted and on the at least one vehicle control unit 4 . 6 . 8th Installed.

The software may also include several software packages, in particular each software package for updating each one of the vehicle control units 4 . 6 . 8th is provided. In particular, an order can be specified in which the software packages to the various vehicle control units 4 . 6 . 8th are aufzuspielen.

In this case, a car control unit 4 . 6 . 8th whose software has been successfully installed, provide a key value. This key value is in turn from the calculation device 26 used to calculate a new code. This new code is then used in particular for decrypting and updating the next software package.

Because the new code is only present if the previous software package succeeds on its car control unit 4 . 6 . 8th has been installed, this way ensures that the software of the car control units 4 . 6 . 8th can only be updated in the given order.

It is also possible that an nth software package certain functions of the motor vehicle 2 , such as B. the injection system deactivated to the motor vehicle 2 and a subsequent m-th software package (m> n), which is later decrypted and installed, re-enables the disabled function after the software update has been successfully completed.

After the software update has been completed, ie after all software packages successfully on the associated car control units 4 . 6 . 8th can be played, the calculation device 26 be reused to get out of data (characteristics) provided by the car control units 4 . 6 . 8th request an activation code (step 160 ) to calculate.

In this case, depending on the application data all vehicle control units 4 . 6 . 8th or only data of those vehicle control units 4 . 6 . 8th be queried whose software has been updated. To ensure proper interaction of all car control units 4 . 6 . 8th in the motor vehicle 2 In particular, data of those car control devices can ensure 4 . 6 . 8th be queried with the updated car control units 4 . 6 . 8th interact.

The queried data can, for example, version numbers of the current on the respective car control unit 4 . 6 . 8th installed software and / or the content of at least one defined subarea or an entire memory 7 of the respective vehicle control unit 4 . 6 . 8th include.

In addition, the queried data can also be input to a user via an on / in the motor vehicle 2 provided input device 5 is input. This makes it possible to ensure that the motor vehicle 2 is activated only after the software update by a user input on the motor vehicle 2 itself has been confirmed. The user input can be a simple Yes / No as well as the copying of a release code ("Captcha"). This has the advantage that this code can enter into the calculation of the activation code and thus can not be skipped.

In particular, it may be provided that an "emergency operation" of the motor vehicle 2 in which not all functions of the motor vehicle 2 is activated only after the user has confirmed that he has noted the existence of an emergency operation and the associated restrictions.

Additionally or alternatively, the queried data may also include a vehicle identification number and / or a vehicle identification number or a different size that the motor vehicle 2 or the vehicle type of the motor vehicle 2 clearly identified. Also features of the vehicle configuration, such as engine size, number of driven axles and other features, may be included in the calculation of the activation code.

Because the data of an inappropriate motor vehicle 2 can not lead to the calculation of the correct activation code, can be ensured in this way that the motor vehicle 2 is only activated again when only software has been installed, which is for the respective motor vehicle 2 suitable is.

The activation code calculated in this way is provided by the updating device 10 for communication with the at least one of the vehicle control units 4 . 6 . 8th used (step 170 ), optionally additionally the previously calculated key A or B can be transmitted.

A comparison and release device 32 the at least one vehicle control unit 4 . 6 . 8th that has received the activation code, validated in step 180 the received messages, with a in the respective car control unit 4 . 6 . 8th stored predetermined reference algorithm and reactivated the motor vehicle 2 (Step 200 ), eg by unlocking the immobilizer 20 and / or activating the starter 22 or the fuel pump 24 , (only) in the case of a positive validation of the received activation code.

Will the activation code with the in the respective car control unit 4 . 6 . 8th stored algorithm is not positively validated, the motor vehicle 2 not reactivated. Instead, an error message is issued (step 210 ).

The comparison and release device 32 can be realized in hardware or software.

In order to prevent or at least complicate unauthorized manipulations, communication between the updating device 10 and the car control units 4 . 6 . 8th be cryptographically secured, that is encrypted and / or signed done.

Optionally, for communication between the updating device 12a . 12b and the car control units 4 . 6 . 8th Known concepts of communication with "watchdog" blocks are used. The car control units 4 . 6 . 8th For example, you can keep track of minimum and maximum allowable times and reject activation codes that arrive outside of these times. The updating device 12a . 12b can also selectively send wrong activation codes and then the negative response code of the respective vehicle control unit 4 . 6 . 8th to flow into the wide process.

Claims (15)

A method of updating software of at least one vehicle control unit (4, 6, 8) installed in a motor vehicle (2), the method comprising: (A) transmitting a preparatory command, in particular a command to block the Motor vehicle (2), of an updating device (12a, 12b) to at least one vehicle control unit (4, 6, 8); (B) transmitting to the updating device (12a, 12b) an acknowledgment message confirming the execution of the preparatory command from the at least one vehicle control unit (4, 6, 8); (C) transferring new software from the updating device (12a, 12b) to the at least one vehicle control unit (4, 6, 8) and installing the new software on the at least one vehicle control unit (4, 6, 8); (D) querying a parameter dependent on the software, in particular the software version number, of at least one motor vehicle control unit (4, 6, 8); (E) calculating an activation code from the at least one requested characteristic value; (F) using this activation code in the subsequent communication with at least one vehicle control unit (4, 6, 8); (G) executing a command, in particular a command for restoring the driving readiness of the motor vehicle (2), by the at least one motor vehicle control unit (4, 6, 8), only if the motor vehicle control unit (4, 6, 8) checked the activation code directly or indirectly and determined that there was a valid activation code. Method according to Claim 1 wherein in step (F) the activation code is transmitted from the updating device (12a, 12b) to the at least one vehicle control unit (4, 6, 8) and validated by this vehicle control unit according to a predefined algorithm; and / or wherein in step (F) the activation code is used to decrypt at least one command or algorithm used for communication with the at least one vehicle control unit (4, 6, 8) with this activation code; and / or wherein in step (F) the activation code is used for authentication of the updating device (12a, 12b) to the at least one motor vehicle control unit (4, 6, 8). Method according to one of the preceding claims, wherein the method comprises, prior to step (C) to transmit a key from the at least one vehicle control unit (4, 6, 8) to the updating device (12a, 12b) and in step (C) Use start code calculated from at least this key. Method according to Claim 1 or 2 wherein the method comprises, prior to step (C), sending a key from the updating device (12a, 12b) to the at least one motor vehicle control unit (4, 6, 8), and wherein the addressed motor vehicle control unit is dependent in particular on this key Message to the updating device (12a, 12b) and wherein the updating device (12a, 12b) uses in step (C) a start code calculated from at least this message. Method according to Claim 3 or 4 in step (C), wherein the start code is transmitted from the updating device (12a, 12b) to the at least one vehicle control unit (4, 6, 8) and is validated by this vehicle control unit according to a predefined algorithm; and / or wherein in step (C) the start code is used to decrypt at least one command or algorithm used for communication with the at least one vehicle controller (4, 6, 8) with that start code; and / or wherein in step (C) the start code is used for authentication of the updating device (12a, 12b) to the at least one motor vehicle control unit (4, 6, 8). Method according to one of Claims 1 to 5 wherein the method comprises, in step (C), transferring the data via a gateway (34) from the updating device (12a, 12b) to the motor vehicle control unit (4, 6, 8), the gateway (34) in particular Checks the messages and forwards only allowed messages. Method according to Claim 6 in that the updating device (12a, 12b) must enable the gateway (34) for at least one message, and for this purpose a gateway code is used which calculates at least one message sent by a motor vehicle control unit (4, 6, 8) has been. Method according to Claim 7 wherein the gateway unlock code is transmitted from the updating device (12a, 12b) to the gateway (34) and validated by that gateway (34) according to a predefined algorithm; and / or wherein the gateway unlock code is used to decrypt at least one command or algorithm used to enable the gateway (34) with that gateway unlock code; and / or wherein the gateway unlock code is used to authenticate the updating device (12a, 12b) to the gateway (34). Method according to one of the preceding claims, wherein the method comprises updating the software of a plurality of motor vehicle control units (4, 6, 8), wherein a code consisting of characteristic values of at least the nth vehicle control unit (4, 6, 8), whose software has been updated, is used for communication with the n + 1-th car control unit (4, 6, 8). Method according to one of the preceding claims, wherein the interrogation of the characteristic value of one or more motor vehicle control units (4, 6, 8) comprises the / the characteristic value (s) of one or more vehicle Control units (4, 6, 8) query, which cooperate with the at least one vehicle control unit (4, 6, 8) whose software has been updated. Method according to one of the preceding claims, wherein the method comprises calculating one of the codes from the content of at least a portion of a memory (7) of the motor vehicle control unit (4, 6, 8); and / or wherein the method comprises calculating one of the codes from a user input, a chassis number, and / or a vehicle identification number; and / or wherein the method comprises sending data about the software update to an external backend and using the feedback from the backend to calculate a code. Method according to one of the preceding claims, wherein the test takes place in which the vehicle control unit (4, 6, 8), in particular the vehicle control unit (4, 6, 8) that has blocked at least one driving function and / or Vehicle control unit (4, 6, 8) that is to be reprogrammed and / or the vehicle control unit (4, 6, 8) that acts as a gateway (34), received messages that contain particular commands and / or parameters, compares with stored reference values; and / or wherein the check is made in which the vehicle control unit (4, 6, 8) uses the received messages as parameters for at least one one-way function and compares the results with stored reference values, and / or wherein the check is successful Authentication takes place. Updating device (12a, 12b) for updating the software of at least one motor vehicle control unit (4, 6, 8) installed in a motor vehicle (2), the updating device (12a, 12b) comprising: a storage device (13) adapted to store the software to be updated; a transmitting device (17) adapted to transmit a preparatory command, in particular a command to block the motor vehicle (2), to the motor vehicle control unit (4, 6, 8); a receiving device (19) adapted to receive an acknowledgment message confirming the execution of the received preparatory command by the vehicle control unit (4, 6, 8); wherein the transmitting device (17) is adapted to transmit the software to be updated to the vehicle control unit (4, 6, 8); wherein the receiving device (19) is adapted to receive at least one characteristic value, in particular the software version number, of one or more motor vehicle control units (4, 6, 8); wherein the updating device (12a, 12b) has a calculation device (26) which is designed to calculate a code, in particular an activation code and / or a code for starting the programming and / or a code for activating a gateway, from the received characteristic values ; and wherein the transmission device (17) is designed such that this code is required for communication with the vehicle control unit (4, 6, 8). A motor vehicle control unit (2) comprising at least one hypervisor (38) and an updating device (12b) Claim 13 wherein the hypervisor (38) after a successful or unsuccessful update, in particular the storage device (13) and / or the receiving device (19) and / or the transmitting device (17) and / or the calculation device (26) of the updating device (12b) at least partially clears and / or resets. Vehicle control unit (4, 6, 8) for a motor vehicle (2), which is designed to interact with an updating device (12a, 12b) and other motor vehicle control units (4, 6, 8), wherein the motor vehicle control unit (4 , 6, 8) comprises: a receiving device (28) adapted to receive a preparatory command, in particular a command to block the motor vehicle (2), from an updating device (12a, 12b); a transmitting device (30) adapted to transmit an acknowledgment message confirming the execution of a received preparatory command by the vehicle control unit (4, 6, 8); wherein the sending device (30) is adapted to transmit a conclusion, in particular a key dependent on the previous communication between the updating device (12a, 12b), to the updating device (12a, 12b), the key in particular depending on whether the vehicle function was blocked; wherein the receiving device (28) is adapted to forward messages received by the updating device (12a, 12b) to a comparison and release device (32), which is designed to validate the messages according to a predetermined algorithm and to control the driving readiness of the motor vehicle (2). restore only on positive validation.

Images