EP4118548A1 - Method and device for updating software comprising physical addresses to the memory of an on-board computer of a vehicle - Google Patents


Info

Publication number
EP4118548A1
Authority
EP
European Patent Office
Prior art keywords
software
update
computer
zone
memory
Prior art date
Legal status
Pending
Application number
EP21707766.8A
Other languages
German (de)
English (en)
French (fr)
Inventor
Pierre SCHMIDT
Francois Rochette
Thierry Lopez
Emmanuel GEORGES
Current Assignee
Stellantis Auto SAS
Original Assignee
PSA Automobiles SA
Priority date
Filing date
Publication date
Application filed by PSA Automobiles SA
Publication of EP4118548A1
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F21/575 Secure boot
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0813 Configuration setting characterised by the conditions triggering a change of settings
    • H04L41/082 Configuration setting characterised by the conditions triggering a change of settings, the condition being updates or upgrades of network functionality
    • H04L41/085 Retrieval of network configuration; Tracking network configuration history
    • H04L41/0859 Retrieval of network configuration; Tracking network configuration history by keeping history of different configuration generations or by rolling back to previous configuration versions
    • H04L41/0863 Retrieval of network configuration; Tracking network configuration history by rolling back to previous configuration versions
    • H04L41/0866 Checking the configuration
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Definitions

  • the invention relates to the software update of one or more computers of a motor vehicle carried out remotely from a diagnostic tool, also called an OTA (Over The Air) update.
  • an OTA update can save a lot of time compared to an organized recall of vehicles in the garage of the authorized or independent network.
  • This type of problem can arise for example in the case where the destination computer tries to write a value on a corrupted memory cell for example, or in the case of a transmission error due for example to an electromagnetic field, or of still other cases.
  • Such a problem is generally detected by the recipient computer (for example by means of a Cyclic Redundancy Check, CRC, in the event of an erroneous reception). In this case, information is sent to the master computer to request execution of the rollback process.
  • document US20190057214 discloses an update control device which comprises a first communication unit, a second communication unit, and a control unit.
  • the first communication unit is configured to receive patch data for each software block and first authentication data for each software authentication block in a terminal updated, block by block, using the patch data.
  • the control unit is configured to request the terminal to roll back, for restoration, from a first block to an (M-1)th block using the patch data upon receipt of an update result indicating a failure in the authentication of an Mth block (M > 1).
  • An object of the present invention is to provide a solution for quickly resetting to a previous state a software update of a computer of a vehicle in particular when an update has been identified as corrupt.
  • the invention relates in particular to a method of installing a software update of an on-board computer of a vehicle, comprising a memory comprising a first zone (Z1), a second zone (Z2), a current software, generated during a first preliminary compilation, being stored in the first zone (Z1), said current software comprising physical addresses, determined during the first preliminary compilation, designating parts of said first zone (Z1), and a pointer indicating to the computer which instructions to execute, said pointer indicating the first memory area (Z1), characterized in that it comprises steps of:
  • the invention has the advantage of operating with computers having advanced microcontrollers. Indeed, the invention does not require the microcontroller responsible for memory management to have an address translation mechanism.
  • the advantage of the invention, when an integrity test of the received data fails, is to allow the installation procedure to be interrupted without delay and to continue using the current software, which is not modified in the first memory zone.
  • a rollback step (for example, following a malfunction observed by a user), can easily be implemented by modifying the pointer again to return to the software still present in the first memory area.
  • the invention therefore saves time but also provides enhanced security insofar as it eliminates the additional risks of data corruption inevitably linked to the successive software block generation operations of the rollback phase in the state-of-the-art solution.
  • the method for updating software of a computer further comprises a step of sending a request controlling a check of the integrity of the updated software in the second zone, the request commanding activation of the updated software being sent only if the integrity is verified.
  • the method for updating software of a computer further comprises a step of returning to a state preceding the update, said return to a previous state comprising a modification of the pointer so that it indicates the first memory area.
  • the method for updating the software of a computer further comprises, following detection of an error, a step of sending a request ordering the stopping of the installation of the update.
  • stopping the installation of the update involves sending a message to the driver to inform him of the stopping of the installation.
  • the invention also relates to a computer program product comprising instructions adapted for the execution of the steps of the method according to the invention, when the computer program is executed by at least one processor.
  • the invention also relates to a device for updating computer software, said device comprising a memory associated with at least one processor configured to implement the steps of the method according to the invention.
  • the invention also relates to a vehicle characterized in that it comprises a device for updating computer software according to the invention.
  • FIG. 1 schematically illustrates a system, according to a particular embodiment of the present invention
  • FIG. 2 schematically illustrates a computer, according to a particular embodiment of the present invention
  • FIG. 3 schematically illustrates an updating method, according to a particular embodiment of the present invention.
  • FIG. 4 illustrates an example of the successive states of the memories of a computer during an update.
  • the system comprises a vehicle 101 connected to a remote update server 102.
  • the vehicle 101 comprises a plurality of computers ECU1, ECU2, ECU3 including an on-board communication unit which communicates with the server 102, via a wireless connection.
  • the connection or wireless link is a connection by radio waves (3G, 4G, etc.).
  • the computers ECU1, ECU2, ECU3 communicate with each other via a data bus 104 (for example of the CAN type).
  • the off-board server 102 is for example a generic computer comprising at least one memory and one processor.
  • the vehicle 101 and the off-board server 102 communicate via a wide area network 105 such as a fixed communication network 103 (or WAN for "Wide Area Network"), for example the Internet, to which the vehicle is connected by a wireless link (3G, 4G, etc.).
  • the ECU1 computer, also called the update management computer (or FOTA master, for Firmware Over-The-Air), which allows the updating of the ECU2 and ECU3 computers, has for this purpose mechanisms capable of transferring the received data files, in the frames expected by the recipient ECU2, ECU3 computers, so that they can install their software.
  • the computer playing the role of FOTA master in a vehicle may or may not be the same computer as the one which has wireless communication functions.
  • An operator, via a terminal 107, can perform the checks and transmit remote instructions to the vehicle 101. These instructions are transmitted to the vehicle 101 by radio, which can be 4G, WIFI or any other current or future wireless communication technology.
  • the ECU1, ECU2, ECU3 computers can also be updated in a garage.
  • Updating software in a garage responds to a specific procedure (case 1 in figure 1) during which the operator becomes responsible for the vehicle entrusted to him.
  • he places the vehicle in a "safe and secure" environment before launching this operation from a tool 106 connected to a dedicated outlet 108 of the vehicle 101.
  • he performs certain checks in order to ensure its proper functioning.
  • the technician will take the necessary measures to correct the anomaly (new test, change of part, etc.) before returning the vehicle to the client.
  • the garage owner is therefore an important link in the safety chain, but is also in charge of ensuring the quality of the operation carried out.
  • the FOTA master communicates with said target computer via the communication network available in the vehicle (for example CAN, Ethernet or other).
  • the FOTA master uses a dedicated communication protocol, such as, for example, the UDS protocol (standard ISO 14229), commonly used to perform diagnosis or to download the software of the on-board computers of motor vehicles.
  • the computer 200 comprises a microcontroller provided with a Flash memory 201.
  • the flash memory 201 comprises a first zone Z1, also called execution zone, used to execute the downloaded software, of a size at least equal to a given size N,
  • a second zone Z2 also called backup zone, of a size at least equal to the given size N, used as a backup memory allowing to revert to the previous version of the software in the event of a problem during installation,
  • the size of the flash memory 201 is therefore at least twice the given size N.
  • Z2 can be a memory module separate from the first zone Z1 or form part of the same memory module as a zone contiguous to the first zone Z1.
  • the principle of selecting the memory area of the software to be executed is achieved by programming, at a particular address commonly called the Reset Vector pointer, generally located at the start of the Flash memory (address 00000h), an instruction whose execution causes a jump to the memory zone Z1 or Z2 corresponding to the execution zone. Start-up therefore always takes place in the memory area which contains the reset vector. The rest of the execution takes place from the correct memory zone because the addresses from which the microcontroller reads the instructions to be executed are bound either to zone Z1 or to zone Z2, the values of these addresses having been produced when the software was compiled.
  • the computer to be updated 200 or target computer, has software (version N) in its first memory area Z1.
  • the FOTA master, before updating the target computer, places the computer 200 in a state dedicated to programming (in which the functional software is deactivated) using a reprogramming session entry request.
  • the target computer 200 accepts to execute this request only if the safety conditions are met (eg: vehicle stationary, traction chain deactivated, etc.)
  • the FOTA master communicates directly with the boot software of the target computer 200.
  • the computer boot software can perform various operations (write, copy, integrity check) on one of the two memories available (ME execution memory or MS backup memory).
  • Figure 3 describes a succession of actions to be performed by the FOTA master to install new software in the target computer 200.
  • the target computer 200 is in a first state 501, called the initial state, in which: the first zone Z1 contains the current software (version N).
  • in a first step 311, the FOTA master downloads the updated software, compiled to be installed in the second memory area.
  • the compilation has the effect of including in the image constituting the update to be installed, the memory addresses which differ depending on whether the software is intended to run from the first or from the second bank.
  • the translation of the addresses is therefore carried out not dynamically (in other words during the execution of the software by the microcontroller), but at the time of creation (compilation) of the software.
  • the software compiled for the second memory area includes addresses between 10000h and 1FFFFh.
  • the software compiled for the first zone includes addresses between 0000h and 0FFFFh.
  • the FOTA master sends a request to ask the target computer 200 to erase the second zone Z2.
  • the FOTA master then sends 312 to the target computer the update and orders its writing in the second zone Z2.
  • the FOTA master then sends 313 a request to ask the target computer to check the integrity of the data copied into the second zone Z2.
  • This check can be carried out using a Cyclic Redundancy Check (CRC) or any other method known in the state of the art (for example: calculation, using a hash function, of a hash of the data content and comparison of the result with a reference value transmitted beforehand by the FOTA master). If the memory is made up of several data blocks, each block has its own integrity control mechanism (based on the same method or on different methods).
  • the target computer 200 is in a second state 502, in which: the first zone Z1 comprises the current software (version N) and the second zone Z2 contains the updated software (version N + 1 ).
  • the FOTA master then orders the activation 314 of the updated software (version N + 1).
  • the FOTA master interrupts the installation 315 without activating the software of the second zone Z2. Use of the vehicle then remains possible by continuing to run the software contained in the first zone Z1. An error message is then displayed indicating the failure of the installation to the customer who must then drop off his vehicle in a garage.
  • a return to the previous version (version N) is possible by performing a rollback.
  • the latter consists, in the case of the double-bank memory, of a simple reactivation of the execution of the software still present in the first zone (Z1). No copying is necessary; the rollback operation here consists in reassigning the execution pointer to the first zone (Z1), so that each time the computer is powered on (vehicle start) the software executed is that of the first zone (Z1).
  • the activation step 314, or the execution of a possible rollback is carried out by simply reassigning the execution address to the memory zone containing the new software (activation) or that containing the old version used.
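The sequence 311 to 315 above, modelled as an added example (not code from the patent or from the assignee): two Flash zones at the stated address ranges, an image that carries the zone it was linked for and a reference CRC, and activation or rollback done only by rewriting the reset-vector pointer. The `image_t` container, the CRC-32 choice and the `run_scenario` payload are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the patent's double-bank Flash: zone Z1 spans
 * 0000h..0FFFFh, zone Z2 spans 10000h..1FFFFh, and the reset vector at
 * 00000h selects which zone the microcontroller boots into. */
#define BANK_SIZE  0x10000u
#define Z1_BASE    0x00000u
#define Z2_BASE    0x10000u
#define ERASED     0xFFu

typedef struct {
    uint8_t  data[2u * BANK_SIZE];
    uint32_t reset_vector;      /* zone the boot jump points at */
} flash_t;

/* Update as delivered by the FOTA master (hypothetical container). */
typedef struct {
    const uint8_t *payload;
    size_t         len;
    uint32_t       link_base;   /* zone the image was compiled for */
    uint32_t       ref_crc;     /* reference value sent beforehand */
} image_t;

/* CRC-32 (IEEE reflected polynomial), bitwise so no table is needed. */
uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Steps 311-312: erase the backup zone and write the update into it.
 * Because addresses are fixed at compile time, an image linked for the
 * other zone is refused rather than written. */
bool write_update(flash_t *f, uint32_t zone, const image_t *img) {
    if (zone != Z1_BASE && zone != Z2_BASE) return false;
    if (img->link_base != zone || img->len > BANK_SIZE) return false;
    memset(f->data + zone, ERASED, BANK_SIZE);
    memcpy(f->data + zone, img->payload, img->len);
    return true;
}

/* Step 313: integrity check of the written zone against the reference. */
bool verify_zone(const flash_t *f, uint32_t zone, size_t len, uint32_t ref) {
    return crc32(f->data + zone, len) == ref;
}

/* Step 314 and rollback: activation is only a pointer reassignment;
 * nothing is copied between zones. */
void activate_zone(flash_t *f, uint32_t zone) { f->reset_vector = zone; }

/* Whole FOTA-master sequence; returns the zone that is active afterwards.
 * A failed check (step 315) leaves the current software in place. */
uint32_t install_update(flash_t *f, const image_t *img) {
    uint32_t target = (f->reset_vector == Z1_BASE) ? Z2_BASE : Z1_BASE;
    if (!write_update(f, target, img)) return f->reset_vector;
    if (!verify_zone(f, target, img->len, img->ref_crc)) return f->reset_vector;
    activate_zone(f, target);
    return f->reset_vector;
}

/* Constructed scenarios: version N runs from Z1, version N+1 arrives
 * compiled for Z2. corrupt_byte simulates a transmission error after the
 * reference CRC was computed; wrong_bank simulates an image linked for Z1. */
static flash_t g_flash;
static uint8_t g_payload[32];

uint32_t run_scenario(bool corrupt_byte, bool wrong_bank, bool then_rollback) {
    memset(g_flash.data, ERASED, sizeof g_flash.data);
    g_flash.reset_vector = Z1_BASE;                 /* version N active */
    for (size_t i = 0; i < sizeof g_payload; i++) g_payload[i] = (uint8_t)(0xA0 + i);
    image_t img = { g_payload, sizeof g_payload,
                    wrong_bank ? Z1_BASE : Z2_BASE,
                    crc32(g_payload, sizeof g_payload) };
    if (corrupt_byte) g_payload[7] ^= 0x01;        /* bit error in transit */
    uint32_t active = install_update(&g_flash, &img);
    if (then_rollback) { activate_zone(&g_flash, Z1_BASE); active = g_flash.reset_vector; }
    return active;
}
```

A corrupted or wrongly linked image never becomes active, and rollback after a successful activation touches only the pointer, exactly the property the integrity-check and rollback steps rely on.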

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)
EP21707766.8A 2020-03-10 2021-02-02 Method and device for updating software comprising physical addresses to the memory of an on-board computer of a vehicle Pending EP4118548A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR2002378A FR3108191B1 (fr) 2020-03-10 2020-03-10 Method and device for updating software comprising physical addresses to the memory of an on-board computer of a vehicle
PCT/FR2021/050190 WO2021181015A1 (fr) 2020-03-10 2021-02-02 Method and device for updating software comprising physical addresses to the memory of an on-board computer of a vehicle

Publications (1)

Publication Number Publication Date
EP4118548A1 true EP4118548A1 (fr) 2023-01-18

Family

ID=72088200

Family Applications (1)

Application Number Title Priority Date Filing Date
EP21707766.8A Pending EP4118548A1 (fr) 2020-03-10 2021-02-02 Method and device for updating software comprising physical addresses to the memory of an on-board computer of a vehicle

Country Status (4)

Country Link
EP (1) EP4118548A1
CN (1) CN115280280A
FR (1) FR3108191B1
WO (1) WO2021181015A1

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114003629A (zh) * 2021-10-29 2022-02-01 深圳壹账通智能科技有限公司 An efficient precompiled cache data management method, apparatus, device and medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1209813A (en) 1968-02-22 1970-10-21 Agfa Gevaert Nv Improved photographic silver halide material
FR2719924B1 (fr) 1994-05-11 1996-08-14 Peugeot Method for unlocking the access of a file download tool to a computer
US6141683A (en) * 1998-01-30 2000-10-31 Lucent Technologies, Inc. Method for remotely and reliably updating of the software on a computer with provision for roll back
US10496469B2 (en) * 2017-07-25 2019-12-03 Aurora Labs Ltd. Orchestrator reporting of probability of downtime from machine learning process
JP2019036238A (ja) 2017-08-21 2019-03-07 株式会社東芝 Update control device, terminal, update control method and program
US20190095187A1 (en) * 2017-09-28 2019-03-28 Trillium Incorporated Incremental updates in static libraries

Also Published As

Publication number Publication date
FR3108191A1 (fr) 2021-09-17
FR3108191B1 (fr) 2023-05-19
CN115280280A (zh) 2022-11-01
WO2021181015A1 (fr) 2021-09-16

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: UNKNOWN

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220803

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
RAP3 Party data changed (applicant data changed or rights of an application transferred)

Owner name: STELLANTIS AUTO SAS