JP2006281883A - Vehicular electronic control device, and vehicle service center - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a vehicular electronic control device capable of performing the mutual authentication with a plurality of electronic control devices equipped in one vehicle, and constantly updating an authentication code and an electronic control device forming a monitor, and a vehicle service center to monitor and manage the vehicular electronic control device. <P>SOLUTION: Vehicular control devices (10, 20, 30) to control a vehicle are equipped with authentication control means (11b, 21b, 31b) to perform the mutual authentication with other electronic control devices (10, 20, 30) connected via a communication means (61), and an anti-theft control means to perform the anti-theft countermeasures according to the result of authentication. The authentication code to be used for the authentication and/or the authentication relationship to other electronic control devices are updated at the predetermined timing. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an electronic control device for a vehicle and a vehicle service center, and more specifically, an electronic control device for a vehicle (hereinafter referred to as an ECU) and a vehicle service center capable of preventing the electronic control device of a vehicle from being stolen and unauthorized exchange. About.

  As one of the vehicle theft prevention measures, an immobilizer (theft prevention function) ECU is used that allows the engine to be started only when the verification of a specific authentication code matches. However, when such an immobilizer ECU itself is replaced, the anti-theft function is lost.

  In addition, there is a problem of causing early deterioration of the emission, environmental pollution, etc. when the EFI ECU is replaced by the user for the purpose of enhancing the acceleration performance of the electronic fuel injection (EFI) ECU provided with the speed limiting function or the vehicle. Has occurred.

  In order to prevent theft of the vehicle and the unauthorized exchange of the ECU that controls various functions of the vehicle described above, an authentication code is stored in the ECU and the unauthorized exchange of the ECU is monitored by checking the authentication code. A method has been proposed. For example, in Patent Document 1 below, code verification is performed between a monitored ECU such as an immobilizer ECU and a monitored ECU, and if the verification is not established, there is a possibility that the monitored ECU has been illegally replaced or removed. There is disclosed a vehicle antitheft device that determines that there is a bus failure and disables normal operation by causing a bus failure.

  Further, in Patent Document 2 below, the authentication code stored in the memory of the vehicle component is checked against the authentication code stored in the memory of the in-vehicle control device, and the vehicle component is provided on condition that these authentication codes match. A theft monitoring system for a vehicle component that permits basic functional operation of the vehicle is disclosed.

However, in the case of the anti-theft device disclosed in Patent Document 1 or the anti-theft system disclosed in Patent Document 2, the authentication code used for verification is stored in the monitoring ECU as a fixed ID. Since the relationship between the monitored device and the monitoring ECU is also fixed, when the authentication code is specified and embedded in the unauthorized exchange ECU by a person who intends to be stolen or illegally exchanged, or when the monitoring ECU itself is removed , There was a problem that the theft and unauthorized exchange prevention function would be lost.
JP 2003-212093 A JP 2003-196755 A

Means for solving the problems and their effects

  The present invention has been made in view of the above-described problems, and can perform mutual authentication with a plurality of electronic control devices installed in the same vehicle, and always provides an authentication code and an electronic control device serving as a monitor. It is an object of the present invention to provide a vehicle electronic control device that can be updated and a vehicle service center that monitors and manages the vehicle electronic control device.

  In order to achieve the above object, a vehicle electronic control device (1) according to the present invention is a vehicle electronic control device for controlling a vehicle, and is mutually authenticated with another electronic control device connected via communication means. Authentication control means for performing authentication and security control means for executing a security measure in accordance with the authentication result, and the authentication relationship used for the authentication and / or the authentication relationship with the other electronic control device is at a predetermined timing. It is characterized by being updated by.

  According to the above-described vehicle electronic control device (1), the authentication control means for performing mutual authentication with another electronic control device connected via the communication means, and the security control means for executing a security measure according to the authentication result. Therefore, there is no need to provide a dedicated authentication device, mutual authentication can be performed between electronic control devices mounted on the same vehicle, and an authentication code used for the authentication and / or the other electronic control. Since the authentication relationship with the device is updated at a predetermined timing, it is difficult to identify authentication information from the outside, and avoiding crime prevention failures when a dedicated authentication device is removed or a fixed authentication code is specified It is possible to reliably prevent theft of the vehicle or unauthorized exchange of the electronic control device of the vehicle.

Further, in the vehicle electronic control device (2) according to the present invention, in the vehicle electronic control device (1), an authentication code used for the authentication and / or an authentication relationship with the other electronic control device is updated. , It is performed every time authentication is performed.
According to the vehicle electronic control device (2), the authentication code used for the authentication and / or the authentication relationship with the other electronic control device is updated every time authentication is performed. Or it can prevent reliably that the said authentication relationship is specified.

  In the vehicle electronic control device (3) according to the present invention, in the vehicle electronic control device (1) or (2), the authentication control means authenticates itself from the other electronic control devices. Select a monitoring destination, acquire and store the authentication code of the monitoring destination in advance, and acquire the authentication code of the monitoring destination again from the monitoring destination during authentication, while updating and storing its own authentication code In addition, the self-authentication code is transmitted in advance to a monitor who selects the self as a monitoring destination, and the self-authentication code is transmitted to the monitor again at the time of authentication.

  According to the vehicle electronic control device (3) described above, the authentication control means selects a monitoring destination to be authenticated by the other electronic control device, and acquires an authentication code of the monitoring destination in advance. The authentication code of the monitoring destination is obtained again from the monitoring destination at the time of authentication, and the self-authentication code is updated and stored, and the monitoring person who has selected himself as the monitoring destination is notified of the self An authentication code is transmitted in advance, and the authentication code of the monitoring destination acquired in advance is collated with the authentication code of the monitoring destination acquired at the time of authentication in order to transmit the self-authentication code to the monitor again at the time of authentication. While the monitoring destination can be authenticated, the monitoring person can verify the self-authentication code transmitted in advance by collating the self-authentication code transmitted in advance with the self-authentication code transmitted during authentication. It is.

  In the vehicle electronic control device (4) according to the present invention, in the vehicle electronic control device (1) or (2), the authentication control means updates its own authentication code, and the other electronic control is performed. The self-authentication code is transmitted in advance to the supervisor who authenticates the self selected from the apparatus, and the self-authentication code is re-sent to the supervisor at the time of authentication, while the self is selected as the supervisor The authentication code of the monitoring destination received from the monitoring destination is stored in advance, and the authentication code of the monitoring destination is received again from the monitoring destination at the time of authentication.

  According to the above-described vehicle electronic control device (4), the authentication control means updates its own authentication code to the supervisor who authenticates the self selected from the other electronic control devices. An authentication code is transmitted in advance, and the authentication code of the monitoring destination received from the monitoring destination selected as the monitoring person is stored in advance while the authentication code of the self is transmitted to the monitoring person again at the time of authentication. In order to re-receive the authentication code of the monitoring destination from the monitoring destination at the time of authentication, the monitor is caused to collate the self-authentication code transmitted in advance with the self-authentication code transmitted at the time of authentication. While the user is authenticated by the monitoring person, the monitoring destination can be authenticated by comparing the monitoring destination authentication code received in advance with the monitoring destination authentication code acquired at the time of authentication.

  In the vehicle electronic control device (5) according to the present invention, in the vehicle electronic control device (1) or (2), the authentication control means has its own authentication code and a monitoring destination authenticated by itself. The authentication code and the information of the supervisor who authenticates itself are previously received and stored from the outside, and the authentication code of the monitoring destination is received again from the monitoring destination at the time of authentication. It is characterized by being transmitted to.

  According to the above-described vehicle electronic control device (5), the authentication control means receives in advance from the outside the self authentication code, the authentication code of the monitoring destination authenticated by the self, and the information of the supervisor who authenticates the self. The authentication code of the monitoring destination is received again from the monitoring destination at the time of authentication, while the self-authentication code received from the outside is transmitted to the monitoring person in order to transmit the self-authentication code to the monitoring person. The self-authenticator is authenticated by collating the code with the self-authentication code transmitted by the self at the time of authentication, while the monitoring destination authentication code received from the outside and the monitoring received from the monitoring destination The monitoring destination can be authenticated by checking the previous authentication code.

  In the vehicle electronic control device (6) according to the present invention, in any one of the vehicle electronic control devices (1) to (5), the authentication control means receives the authentication code of the monitoring destination received in advance. The authentication code of the monitoring destination received at the time of authentication is collated, and when it is determined that the two are in a predetermined relationship, it is determined that the monitoring destination has been successfully authenticated.

  According to the vehicle electronic control device (6) described above, the authentication control means collates the authentication code of the monitoring destination received in advance with the authentication code of the monitoring destination received at the time of authentication, and the two have a predetermined relationship. If it is determined that the monitoring destination has been successfully authenticated, it is determined that the monitoring destination has succeeded in authentication, so that it is possible to authenticate another electronic control device that has selected itself as a monitor.

  Further, in the vehicle electronic control device (7) according to the present invention, in the vehicle electronic control devices (1) to (6), the authentication control means participates in mutual authentication with the result of the authentication performed by itself. While transmitting to each electronic control unit, receiving the result of authentication performed by each electronic control unit, and determining each authentication result based on the self authentication result and the received authentication result It is said.

  According to the vehicle electronic control device (7) described above, the authentication control means transmits the result of the authentication performed by itself to the electronic control devices participating in the mutual authentication, while the electronic control device performs Since the authentication result is received, the authentication result for each electronic control device can be known, and each authentication result is determined based on the self-authentication result and the received authentication result, thereby improving the accuracy of authentication. Can be made.

  In the vehicle electronic control device (8) according to the present invention, when the authentication control unit has two or more authentication results for the same electronic control device in the vehicle electronic control device (7), a predetermined number is provided. Even if the following authentication result indicates an authentication failure, the electronic control device determines that the authentication has succeeded.

  According to the vehicle electronic control device (8) described above, when the authentication control means has two or more authentication results for the same electronic control device, even when a predetermined number or less of the authentication results indicate an authentication failure. Since the electronic control unit determines that the authentication has succeeded, an error in the authentication result due to a communication failure can be eliminated.

  In addition, in the vehicle electronic control device (9) according to the present invention, in any one of the vehicle electronic control devices (6) to (8), the authentication control means authenticates the electronic control device that the device has authenticated. When it determines with having failed, it is characterized by transmitting the information of the said electronic control apparatus authentication failure to a vehicle-mounted information terminal via the said transmission / reception means.

  According to the vehicle electronic control device (9) described above, if the authentication control means determines that the electronic control device authenticated by itself has failed in authentication, the electronic control device authentication failure has occurred via the transmission / reception means. Since the information is transmitted to the in-vehicle information terminal, the authentication failure information can be notified to the occupant via the information terminal.

  In addition, in the vehicle electronic control device (10) according to the present invention, in any one of the vehicle electronic control devices (6) to (9), the authentication control means authenticates the electronic control device that the device itself has authenticated. When it is determined that the information has failed, the electronic control device authentication failure information is transmitted to a pre-registered destination via the transmission / reception means.

  According to the vehicle electronic control device (10) described above, when the authentication control means determines that the electronic control device authenticated by itself has failed in authentication, the electronic control device authentication failure has occurred via the transmission / reception means. For example, if a destination of a vehicle service center that manages and monitors a vehicle is registered in advance, authentication failure information is automatically transmitted to the vehicle service center. The

In the vehicle electronic control device (11) according to the present invention, in any one of the vehicle electronic control devices (1) to (10), there is an electronic control device in which the security control means fails in authentication. The case is characterized in that normal control for controlling the vehicle is prohibited.
According to the above-described vehicle electronic control device (11), when there is an electronic control device for which the security control means has failed in authentication, the electronic control device is stolen in order to prohibit normal control for controlling the vehicle. Alternatively, the movement of the illegally exchanged vehicle can be temporarily restricted.

  In addition, the vehicle service center (1) according to the present invention is a vehicle service center that manages and monitors a vehicle. For a vehicle registered in advance, the ROMSUM and control of a plurality of electronic control devices mounted on the vehicle are provided. Information including a program is stored, and management means for monitoring and managing the electronic control unit by updating the vehicle and the information is provided.

  According to the vehicle service center (1) described above, information including ROMSUM and control programs of a plurality of electronic control devices mounted on the vehicle is stored for each vehicle registered in advance. Since there is a management means for monitoring and managing the electronic control device by updating the vehicle and the information, the registration information (control program, ROMSUM) of the electronic control device mounted on the vehicle registered in advance is used as a reference. Furthermore, by collating the information from the vehicle, the electronic control device can be monitored and the electronic control device can be prevented from being stolen or illegally exchanged.

  In the vehicle service center (2) according to the present invention, the vehicle management center (1) includes a plurality of electronic control devices mounted on the vehicle with respect to a vehicle registered in advance by the management means. The mutual authentication relationship and / or the authentication code used for the authentication are periodically updated, and the respective authentication code, the authentication code of the monitored person, and the information of the monitoring person are transmitted to each electronic control unit. It is characterized by that.

  According to the vehicle service center (2) described above, the management means uses a mutual registration relationship between a plurality of electronic control devices mounted on the vehicle and / or the authentication with respect to a vehicle registered in advance. The authentication code is periodically updated, and the respective electronic control devices mounted on the vehicle are mutually connected with each other to transmit the respective authentication code, the authentication code of the monitored person, and the information of the supervisor to each electronic control device. It is possible to realize the authentication, and since the authentication code and the authentication relationship are periodically updated, it becomes difficult to specify the authentication information, and it is possible to reliably prevent the electronic control device of the vehicle from being stolen or illegally replaced. it can.

  Further, the vehicle service center (3) according to the present invention fails in the authentication in the vehicle service center (1) or (2) when the management means receives information on the electronic control device authentication failure from the vehicle. Obtains the ROMSUM of the electronic control device, compares it with the previously stored ROMSUM of the electronic control device, and if they match, sends a control signal that causes the electronic control device of the vehicle to release the security function It is characterized by being.

  According to the vehicle service center (3) described above, when the management means receives information on the electronic control device authentication failure from the vehicle, it acquires the ROMSUM of the electronic control device that has failed in authentication and stores it in advance. If the two match, the control signal for canceling the crime prevention function is transmitted to the electronic control device of the vehicle. If there is an error in the authentication result, the electronic control of the vehicle The crime prevention function in the apparatus can be quickly released, and the movement restriction of the vehicle can be released.

  In addition, the vehicle service center (4) according to the present invention fails in the authentication in the vehicle service centers (1) to (3) when the management means receives information on the electronic control device authentication failure from the vehicle. The ROMSUM of the electronic control device obtained is acquired, collated with the previously stored ROMSUM of the electronic control device, and if both do not match, the control program of the electronic control device registered in advance is transmitted to the electronic control device It is characterized by that.

  According to the vehicle service center (4) described above, when the management means receives information on the electronic control device authentication failure from the vehicle, it acquires the ROMSUM of the electronic control device that has failed in authentication and stores it in advance. If the electronic control unit is checked against the ROMSUM of the electronic control unit and the two do not match, the control program of the electronic control unit registered in advance is transmitted to the electronic control unit. It can be installed on the device.

Hereinafter, a vehicle electronic control device (hereinafter referred to as ECU) according to the present invention and a vehicle service center for managing and monitoring a vehicle will be described with reference to the drawings.
FIG. 1 is a block diagram schematically showing a main part of a system configured to include a vehicle ECU according to a first embodiment of the present invention. In the figure, reference numeral 10 denotes an engine ECU for controlling the fuel injection and ignition timing of the vehicle engine, 20 denotes a handle ECU for controlling the vehicle handle, and 30 denotes a wiper ECU for controlling the vehicle wiper. Show.

  The engine ECU 10 includes a microcomputer (hereinafter referred to as a microcomputer) 11 and a transmission / reception means 12. The microcomputer 11 includes a main control unit 11a that controls the fuel injection and ignition timing of the engine, an authentication control unit 11b that creates, exchanges and collates authentication information, and an EEPROM 11c that is a storage device that stores the authentication information and the like. It is configured to include.

  The main control unit 11a is connected to the sensor 51, the transmission / reception means 12, the EEPROM 11c, and the authentication control unit 11b. Based on various input signals input from the sensor 51, the main control unit 11a outputs control signals such as engine fuel injection and ignition timing. It outputs to each drive circuit (not shown).

  The authentication control unit 11b is connected to the transmission / reception means 12, the EEPROM 11c, the main control unit 11a, the start sensor 55, and the key sensor 56 (via the switch 14), and creates authentication information and stores it in the EEPROM 11c. Authentication information is exchanged with the outside via the transmission / reception means 12, or authentication is performed at an authentication timing determined by input signals from the start sensor 55 and the key sensor 56. When the authentication fails, the authentication control unit 11b gives a signal to temporarily stop the control to the main control unit 11a, outputs a control signal (fuel cut signal) for implementing the security measures, and further via the transmission / reception means 12 The authentication failure information is transmitted to the navigation device 71 and the vehicle service center 72. The switch 14 is a switch that can be operated from the outside. If the switch 14 is turned off using a dedicated tool, the authentication function of the engine ECU 10 can be canceled.

  The handle ECU 20 includes a microcomputer 21 and a transmission / reception means 22. The microcomputer 21 includes a main control unit 21a that controls handling, an authentication control unit 21b that creates, exchanges, and collates authentication information, and an EEPROM 21c that is a storage device that stores authentication information and the like.

  The main control unit 21a is connected to the sensor 52, the transmission / reception means 22, the EEPROM 21c, and the authentication control unit 21b. The main control unit 21a performs handling control based on various input signals input from the sensor 52, and sends the control signal to a handle driving circuit. Output to.

  The authentication control unit 21b is connected to the transmission / reception means 22, the storage device EEPROM 21c, the main control unit 21a, the start sensor 55, and the key sensor 56 (via the switch 24), and creates authentication information and stores it in the EEPROM 21c. Authentication information is exchanged with the outside via the transmission / reception means 22, or authentication is performed at an authentication timing determined by input signals from the start sensor 55 and the key sensor 56. If the authentication fails, the authentication control unit 21b gives a signal to temporarily stop the control to the main control unit 21a, outputs a control signal (handle lock signal) for implementing a security measure, and further via the transmission / reception means 22 The authentication failure information is transmitted to the navigation device 71 and the vehicle service center 72. The switch 24 is a switch that can be operated from the outside. If the switch 24 is turned off using a dedicated tool, the authentication function of the handle ECU 20 can be canceled.

  The wiper ECU 30 includes a microcomputer 31 and a transmission / reception means 32. The microcomputer 31 includes a main control unit 31a that controls the operation of the wiper, an authentication control unit 31b that creates, exchanges and collates authentication information, and an EEPROM 31c that is a storage device that stores authentication information and the like. Yes.

  The main control unit 31a is connected to the sensor 53, the transmission / reception means 32, the EEPROM 31c, and the authentication control unit 31b, and performs control based on the input signal from the sensor 53, and outputs the control signal to the wiper drive circuit. Has been.

  The authentication control unit 31b is connected to the transmission / reception means 32, the storage device EEPROM 31c, the main control unit 31a, the start sensor 55, and the key sensor 56 (via the switch 34), and creates authentication information and stores it in the EEPROM 31c. Authentication information is exchanged with the outside via the transmission / reception means 32, or authentication is performed at an authentication timing determined by input signals from the start sensor 55 and the key sensor 56. When the authentication fails, the authentication control unit 31b gives a signal for temporarily stopping the control to the main control unit 31a, outputs a control signal (wiper operation signal) for implementing the security measures, and further via the transmission / reception means 32 The authentication failure information is transmitted to the navigation device 71 and the vehicle service center 72. The switch 34 is a switch that can be operated from the outside. If the switch 34 is turned off using a dedicated tool, the authentication function can be canceled.

  The engine ECU 10, the handle ECU 20, and the wiper ECU 30 authenticate each other, the engine ECU 10 selects a monitoring destination from the handle ECU 20 and the wiper ECU 30, and the handle ECU 20 selects a monitoring destination from the engine ECU 10 and the wiper ECU 30. The wiper ECU 30 selects a monitoring destination from the engine ECU 10 and the handle ECU 20. Furthermore, the monitoring destination selection order in each ECU is set in advance so that the monitoring destination of each ECU does not overlap.

  Each ECU updates and stores the authentication code for the next authentication after the previous authentication is normally completed and the vehicle starts, and acquires the authentication code of the monitoring destination from the newly selected monitoring destination. Remember. The authentication is performed when the next authentication condition is satisfied (for example, when it is detected that a key is inserted into the key cylinder).

  The authentication code is for identifying each ECU. Here, a variable code (for example, ABC) in which A, B, and C are combined in a random number method or a sequence method and a fixed number (for example, for example) An authentication code (for example, “ABC10”) composed of a numeric number) is employed.

  For example, as shown in FIG. 2a, in the first authentication, the engine ECU 10 selects the handle ECU 20 as a monitoring destination, and stores its own authentication code (ABC10) and the authentication code (BCA20) of the handle ECU 20. . The handle ECU 20 selects the wiper ECU 30 as a monitoring destination, and stores its own authentication code (BCA20) and the wiper ECU 30 authentication code (ABC30). The wiper ECU 30 selects the engine ECU 10 as a monitoring destination, and stores its own authentication code (ABC30) and the authentication code (ABC10) of the engine ECU 10.

  In the second authentication, as shown in FIG. 2b, the engine ECU 10 changes the wiper ECU 30 to a monitoring destination and stores the updated authentication code (BCA10) and the wiper ECU 30 authentication code (ACB30). Yes. The steering wheel ECU 20 changes the engine ECU 10 to a monitoring destination, and stores the updated self-authentication code (BAC20) and the engine ECU 10 authentication code (BCA10). The wiper ECU 30 changes the handle ECU 20 to a monitoring destination, and stores the updated self-authentication code (ACB30) and the handle ECU 20 authentication code (BAC20).

  Next, an authentication processing operation performed by the engine ECU 10, the handle ECU 20, and the wiper ECU 30 will be described based on the flowcharts shown in FIGS. First, based on FIG. 3a, a process for creating authentication information performed by the engine ECU 10, the handle ECU 20, and the wiper ECU 30 will be described. Each of the ECUs starts a process for creating authentication information after the previous authentication is normally completed. First, in step S1, its own authentication code is updated and stored in its own EEPROM, and then the process proceeds to step S2. In step S2, a monitoring destination is selected according to a preset selection order (for example, the order shown in FIG. 2a), and then the process proceeds to step S3. In step S3, an authentication code transmission request is transmitted to the selected monitoring destination, and then the process proceeds to step S4. In step S4, it is determined whether or not a transmission request for the self-authentication code has been received from a monitor who has selected himself as the monitoring destination. If it is determined that the transmission request has not been received, the process jumps to step S6, If it is determined that the transmission request has been received, the process proceeds to step S5. In step S5, the self-authentication code is transmitted to the supervisor, and then the process jumps to step S7. On the other hand, in step S6, it is determined whether or not a predetermined time T1 (for example, 1 second) has elapsed. If it is determined that 1 second has not elapsed, the process returns to step S4, and on the other hand, it is determined that 1 second has elapsed. If so, the process proceeds to step S7. In step S7, it is determined whether or not the monitoring destination authentication code has been received. If it is determined that the monitoring destination authentication code has not been received, the process jumps to step S9, and on the other hand, the monitoring destination authentication code has been received. If it is determined, the process proceeds to step S8. In step S8, the address of the supervisor and the authentication code of the monitoring destination are stored in their own EEPROMs, and the processing operation is terminated. On the other hand, in step S9, it is determined whether or not a predetermined time T2 (for example, 5 seconds) has elapsed. When it is determined that 5 seconds have not elapsed, the process returns to step S7, and on the other hand, it is determined that 5 seconds have elapsed. If so, the process proceeds to step S10. In step S10, information that a communication failure has occurred with the monitoring destination is transmitted to the navigation device 71, and then the processing operation is terminated.

  Next, based on FIG. 3b, an authentication process performed in each of the engine ECU 10, the handle ECU 20, and the wiper ECU 30 will be described. When each ECU receives a key insertion signal from the key sensor 56, the ECU proceeds to step 22 (step 21). In step S22, the user's own authentication code is transmitted to the supervisor, and then the process proceeds to step S23. In step S23, it is determined whether or not the monitoring destination authentication code has been received. If it is determined that the monitoring destination authentication code has not been received, the process jumps to step S25, and on the other hand, the monitoring destination authentication code has been received. If so, the process proceeds to step S24. In step S24, the received authentication code of the monitoring destination is collated with the authentication code of the monitoring destination stored in the respective EEPROM, and then the process proceeds to step S27. In step S27, it is determined whether or not the collation is matched. If it is determined that they match, the process jumps to step S29, and if it is determined that they do not match, the process proceeds to step S28. In step S28, the name of the monitoring destination is recorded in the array F2 in which the ECUs that have failed in authentication are recorded, and then the process proceeds to process C. On the other hand, in step 25, it is determined whether or not a predetermined time T3 (for example, 1 second) has elapsed. If it is determined that 1 second has not elapsed, the process returns to step S23, and on the other hand, it is determined that 1 second has elapsed. If so, the process proceeds to step S26. In step S26, the name of the monitoring destination is recorded in the array F1 storing the ECUs in which the communication abnormality has occurred, and then the process proceeds to process C. On the other hand, in step S29, normal control for controlling the vehicle is permitted (that is, control of each main control unit is started), and then the process proceeds to step S30. In step S30, after elapse of a predetermined time T2 (for example, 5 minutes), the process proceeds to process A (FIG. 3a). In step S29, after elapse of a predetermined time T2 (for example, 5 minutes), the process proceeds to process A (FIG. 3a).

  Next, crime prevention processing performed by the engine ECU 10, the handle ECU 20, and the wiper ECU 30 will be described with reference to FIG. 3c. First, in step S31, a crime prevention control signal is output (in the case of the engine ECU 10, a fuel cut signal is output, in the case of the handle ECU 20, a handle lock signal is output, and in the case of the wiper ECU 30, a wiper operation signal is output), Thereafter, the process proceeds to step S32. In step S32, it is determined whether or not there is a record in the array F1. If it is determined that there is no record in the array F1, the process jumps to step S35, whereas if it is determined that there is a record in the array F1, the process proceeds to step S33. In step S33, the ECU communication abnormality information recorded in the array F1 is transmitted to the navigation device 71, and then the process proceeds to step S34. In step S34, the ECU communication abnormality information recorded in the array F1 is transmitted to the vehicle service center 72, and then the process proceeds to step S35. In step S35, information that the ECU recorded in the array F2 has failed in authentication is transmitted to the navigation device 71, and then the process proceeds to step S36. In step S36, information that the ECU recorded in the array F2 has failed in authentication is transmitted to the vehicle service center 72, and then the process proceeds to step S37. In step S37, it is determined whether or not a security release signal has been received from the vehicle service center 72. If it is determined that a security release signal has been received, the process proceeds to step S39. On the other hand, if it is determined that a security release signal has not been received, Proceed to step S38. In step S38, it is determined whether or not a predetermined time T4 (for example, 5 minutes) has elapsed. If it is determined that 5 minutes have not elapsed, the process returns to step S37, and if it is determined that 5 minutes have elapsed. The processing operation is terminated. On the other hand, in step S39, normal control for controlling the vehicle is permitted, and then the process proceeds to step S40. In step S40, the output of the security control signal is stopped, and then the processing operation is terminated.

  On the other hand, in the navigation device 71, when communication abnormality information or authentication failure information is received from any of the engine ECU 10, the handle ECU 20, and the wiper ECU 30, the ECU or authentication in which communication abnormality has occurred in the form of screen output and / or voice output. The information of the ECU that failed is output.

  Further, in the vehicle service center 72, when communication abnormality information or authentication failure information is received from any of the engine ECU 10, the handle ECU 20, and the wiper ECU 30, for example, the situation is confirmed by contacting the vehicle owner, and the crime prevention is canceled. Is approved, a security release signal is sent to the ECU that has sent the communication abnormality information or the authentication failure information.

  According to the vehicular ECU according to the first embodiment, mutual authentication between the plurality of ECUs is realized by the authentication means provided in the plurality of ECUs equipped in the same vehicle. It is no longer necessary to equip a dedicated device, and authentication failure and crime prevention when an authentication dedicated device is removed are prevented. In addition, since the self-authentication code and the monitoring destination are constantly updated, the authentication code is specified, or the inability of authentication and crime prevention due to the removal of the monitor is prevented, and furthermore, the authentication of the monitoring destination fails. Information on authentication failure is transmitted to the vehicle-mounted navigation device and the vehicle service center, and crime prevention measures such as stopping the control of the ECU are executed, so that theft of the vehicle or unauthorized replacement of the ECU of the vehicle can be reliably prevented. .

  In the vehicle ECU according to the first embodiment, after the current authentication, when the engine is restarted, the self-authentication code is updated and the monitoring destination is selected for the next authentication. However, in another embodiment, the own authentication code may be fixed and only the monitoring destination may be updated, or the own authentication code may be updated and the monitoring destination may be fixed.

  Further, in the first embodiment, in order to reduce the number of communications, the monitoring destination selection order in each ECU is set in advance so that the monitoring destinations of each ECU do not overlap. Then, you may make it make each ECU select the monitoring destination by a random number system.

  In the first embodiment, the engine ECU 10, the handle ECU 20, and the wiper ECU 30 are equipped with an authentication control unit, the control output of each ECU is stopped, the fuel cut by the engine ECU 10, the handle lock by the handle ECU 20, and the wiper ECU 30. Although the wiper operation is a security measure, in another embodiment, the other ECU of the vehicle is equipped with an authentication control unit, and the hazard lamp, tail lamp, fog lamp, room lamp is turned on or blinking, horn operation, throttle opening Restrictions or vehicle speed restrictions may be adopted as security measures.

In the first embodiment, each ECU is set to select a monitoring destination. However, in another embodiment, each ECU may be set to select a monitor. .
In the first embodiment, each ECU is set to start a process for generating authentication information after the previous authentication is normally completed. However, in another embodiment, the power source of the ECU The authentication information creation process may be set to start at various timings until is turned off.

  In the first embodiment, when it is determined that the monitoring destination authentication code received in advance matches the monitoring destination authentication code received at the time of authentication, the authentication is set to be determined as successful. However, in another embodiment, conversion processing is performed on a monitoring destination authentication code received in advance, and the converted authentication code has a predetermined relationship with the monitoring destination authentication code received at the time of authentication. When it is determined, it may be set to determine that the authentication is successful. In another embodiment, if it is determined that the deviation is within a predetermined range even if the monitoring destination authentication code received in advance and the monitoring destination authentication code received at the time of authentication do not completely match, It may be set so that it is determined that the above has succeeded.

  FIG. 4 is a block diagram schematically showing a main part of a system configured to include a vehicle ECU according to the second embodiment of the present invention. The description of the same components as the system configuration (FIG. 1) in the first embodiment described above is omitted here.

  Unlike the first embodiment, the navigation device 71 is connected to a start sensor 55 and a key sensor 56 (via a switch 44). The ECU of the navigation device 71 (not shown, hereinafter referred to as a navigation ECU). ) Is provided with an authentication control unit. The switch 44 is a switch that can be operated from the outside. When the switch 44 is turned off using a dedicated tool, the authentication function of the navigation device 71 is canceled.

  FIG. 5 is a diagram showing a vehicle service center 72 according to the second embodiment of the present invention. As shown in FIG. 5, the vehicle service center 72 creates storage means 721 for storing information including the ECU regular program and ROMSUM in the registered vehicle 80, and ECU authentication information in the vehicle 80. Authentication management means 722 for transmission and transmission / reception means 723 for communicating with the vehicle 80 are provided.

  The authentication management means 722 updates the ECU authentication information (authentication code of each ECU, authentication relationship) in the vehicle 80 periodically (for example, once per lap) and transmits it to each ECU via the transmission / reception means 723. When the information of the ECU that has failed in authentication is received from the vehicle 80, the ROMSUM of the ECU that has failed in authentication is acquired and collated with the ROMSUM of the ECU that has been registered in advance. Is transmitted to each ECU, and if the two do not match, the ECU's registered regular control program is sent to the ECU for installation.

  FIG. 6 is a diagram illustrating an example when the vehicle service center 72 transmits authentication information to each ECU. As shown in FIG. 6, the vehicle service center 72 uses the authentication information (authentication code: ABC10, monitor: navigation ECU and ECU 30, monitor: ECU 20, monitor destination authentication code: BCA20 created for the engine ECU 10. ) Is transmitted to the engine ECU 10, and authentication information (authentication code: BCA20, supervisor: ECU10, monitoring destination: navigation ECU, monitoring destination authentication code: ABC72) created for the handle ECU20 is transmitted to the handle ECU20. The authentication information (authentication code: ABC30, monitor: navigation ECU, monitoring destination: ECU10, monitoring destination authentication code: ABC10) created for the wiper ECU 30 is transmitted to the wiper ECU 30 and created for the navigation ECU. Authentication information (authentication code: ABC72, monitoring person: ECU20, monitoring destination: CU10 and ECU30, the monitoring destination authentication code: ABC10 and ABC30) and transmits to the navigation ECU.

  On the other hand, when the engine ECU 10, the handle ECU 20, the wiper ECU 30 and the navigation ECU receive new authentication information from the vehicle service center 72, the new authentication information is overwritten and stored in its own EEPROM.

  Next, an authentication processing operation and a security processing operation performed by the engine ECU 10, the handle ECU 20, the wiper ECU 30, and the navigation ECU will be described based on the flowcharts shown in FIGS. 7a and 7b. As shown in FIG. 7a, when a key insertion signal is received in step S61, the process proceeds to step S62. In step S62, the self-authentication code stored in the respective EEPROM is transmitted to the designated supervisor, and then the process proceeds to step S63. In step S63, it is determined whether or not an authentication code for the designated monitoring destination has been received. If it is determined that an authentication code for the designated monitoring destination has not been received, the process returns to step S63. If it is determined that the monitoring destination authentication code has been received, the process proceeds to step S64. In step 64, the received authentication code of the monitoring destination is collated with the authentication code of the monitoring destination stored in the respective EEPROM, and then the process proceeds to step S65. In step S65, the collation result is transmitted to another ECU, and then the process proceeds to step S66. In step S66, it is determined whether or not the verification results of all the ECUs have been received. If it is determined that the verification results of all the ECUs have been received, the process jumps to the process F, and on the other hand, the verification results of all the ECUs are received. If not, the process proceeds to step S67. In step S67, it is determined whether or not a predetermined time T2 (for example, 1 second) has elapsed, and when it is determined that 1 second has not elapsed, the process returns to step S66, while when it is determined that 1 second has elapsed The process proceeds to process F.

  Next, the process F is demonstrated based on FIG. 7b. As shown in FIG. 7b, in step S71, an authentication result for each ECU is determined based on a collation result received from another ECU. When there are a plurality of monitors at the same monitoring destination, it is determined that the monitoring destination has succeeded in authentication only when the collation results by a predetermined number (for example, half) or more of the monitoring targets match. Subsequent to step S71, in step S72, it is determined whether there is an ECU that has failed in authentication. If it is determined that there is no ECU that has failed in authentication, the process proceeds to step S73, while the ECU that has failed in authentication. If it is determined that exists, the process proceeds to step S74. In step S74, a crime prevention control signal is output (in the case of the engine ECU 10, a fuel cut signal is output, in the case of the handle ECU 20, a handle lock signal is output, in the case of the wiper ECU 30, a wiper operation signal is output, and the navigation ECU In this case, the authentication failure information is output on the display screen or by voice guidance), and then the process proceeds to step S75. In step S75, it is determined whether the ECU that has failed in authentication is its own monitoring destination. If it is determined that the ECU that has failed in authentication is not its own monitoring destination, the process jumps to step S77, and on the other hand, the authentication fails. If the determined ECU determines that it is the monitoring destination of itself, the process proceeds to step S76. In step S76, information of authentication failure is transmitted to the vehicle service center 72, and then the process proceeds to step S77. In step S77, it is determined whether or not a ROMSUM transmission request has been received from the vehicle service center 72. If it is determined that a ROMSUM transmission request has not been received, the process jumps to step S81 while receiving a ROMSUM transmission request. If it is determined that the process has been performed, the process proceeds to step S78. In step S78, ROMSUM is transmitted to the vehicle service center 72, and then the process proceeds to step S79. In step S79, it is determined whether or not a control program has been received from the vehicle service center 72. If it is determined that the control program has not been received, the process jumps to step S81, whereas if it is determined that the control program has been received, Proceed to step S80. In step S80, the current control program is updated with the received control program, and then the processing operation is terminated. On the other hand, in step S81, it is determined whether a security release signal has been received from the vehicle service center 72. If it is determined that a security release signal has not been received, the process returns to step S77, and on the other hand, it has been determined that a security release signal has been received. If so, the process proceeds to step S82. In step S82, normal control for controlling the vehicle is permitted (that is, control of each main control unit is started), and then the process proceeds to step S83. In step S83, the output of the crime prevention control signal is stopped, and then the processing operation is ended. On the other hand, in step S73, normal control for controlling the vehicle is permitted, and then the processing operation is terminated.

  According to the ECU according to the second embodiment, authentication information created by a vehicle service center that manages and monitors a vehicle is provided with a plurality of vehicle ECUs mounted on the same vehicle. By using this, mutual authentication between the plurality of ECUs is realized, so that it is not necessary to equip an authentication-dedicated device, and it is possible to prevent the inability to authenticate and the inability to execute crime prevention measures when the authentication-dedicated device is removed. . In addition, since the authentication information is regularly updated, the authentication code is specified, or the authentication failure and the crime prevention failure due to the removal of the monitor are prevented. Not only the security measures such as stopping the control are executed, but also the authentication failure information is transmitted to the vehicle service center 72. Therefore, the vehicle service center 72 checks the ROMSUM of the ECU that has failed the authentication, and is illegally exchanged. By installing a control program registered in advance in the ECU, theft of the vehicle or unauthorized exchange of the ECU of the vehicle can be reliably prevented.

  In the ECU according to the second embodiment, the authentication code and the authentication relationship of each ECU are periodically updated. However, in another embodiment, the authentication code of each ECU is fixed. The authentication relationship may be updated or the authentication code of each ECU may be updated to fix the authentication relationship.

  In the ECU according to the second embodiment, the engine ECU 10, the handle ECU 20, the wiper ECU 30, and the navigation ECU are equipped with an authentication control unit, the control output in each ECU is temporarily stopped, the fuel cut by the engine ECU 10, the handle ECU 20. The steering lock by the wiper ECU 30, the wiper operation by the wiper ECU 30, the screen display of the navigation device or the output of the authentication failure information by voice guidance is used as a crime prevention measure. In another embodiment, the other ECU of the vehicle is equipped with an authentication control unit. A hazard lamp, tail lamp, fog lamp, lighting or blinking of a room lamp, operation of a horn, throttle opening restriction or vehicle speed restriction may be employed as a crime prevention measure.

  In the second embodiment, when it is determined that the authentication code of the monitoring destination received in advance matches the authentication code of the monitoring destination received at the time of authentication, it is set to determine that the authentication is successful. However, in another embodiment, conversion processing is performed on a monitoring destination authentication code received in advance, and the converted authentication code has a predetermined relationship with the monitoring destination authentication code received at the time of authentication. When it is determined, it may be set to determine that the authentication is successful. In another embodiment, if it is determined that the deviation is within a predetermined range even if the monitoring destination authentication code received in advance and the monitoring destination authentication code received at the time of authentication do not completely match, It may be set so that it is determined that the above has succeeded.

1 is a block diagram schematically showing a main part of a system configured to include a vehicle ECU according to a first embodiment of the present invention. It is a figure which shows the example of the mutual authentication relationship of each ECU which concerns on 1st Embodiment. It is a figure which shows the example of the mutual authentication relationship of each ECU which concerns on 1st Embodiment. It is a flowchart which shows a part of process which each ECU which concerns on 1st Embodiment performs. It is a flowchart which shows a part of process which each ECU which concerns on 1st Embodiment performs. It is a flowchart which shows a part of process which each ECU which concerns on 1st Embodiment performs. It is the block diagram which showed roughly the principal part of the system comprised including ECU for vehicles which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the vehicle service center which concerns on 2nd Embodiment. It is a figure which shows the example which the vehicle service center which concerns on 2nd Embodiment transmits authentication information to each ECU. It is a flowchart which shows a part of process which each ECU which concerns on 2nd Embodiment performs. It is a flowchart which shows a part of process which each ECU which concerns on 2nd Embodiment performs.

Explanation of symbols

10 Engine ECU
20 Handle ECU
30 Wiper ECU
11, 21, 31 Microcomputer 11a, 21a, 31a Main controller 11b, 21b, 31b Authentication controller 11c, 21c, 31c EEPROM
12, 22, 32 723 Transmission / reception means 14, 24, 34, 44 Switch 51-53 Sensor 55 Start sensor 56 Key sensor 61 LAN
62 Antenna 71 Navigation device 72 Vehicle service center 721 Storage means 722 Authentication management means

Claims (15)

In a vehicle electronic control device for controlling a vehicle,
Authentication control means for performing mutual authentication with other electronic control devices connected via communication means;
Security control means to execute security measures according to the authentication result,
An electronic control device for a vehicle, wherein an authentication code used for the authentication and / or an authentication relationship with the other electronic control device is updated at a predetermined timing.   The vehicular electronic control device according to claim 1, wherein an authentication code used for the authentication and / or an update of an authentication relationship with the other electronic control device is performed every time authentication is performed. The authentication control means
Select the monitoring destination to be authenticated by itself from the other electronic control units, acquire and store the monitoring destination authentication code in advance, and acquire the monitoring destination authentication code from the monitoring destination again during authentication While
Update and store the self-authentication code, send the self-authentication code in advance to the monitor who has selected self as the monitoring destination, and re-send the self-authentication code to the monitor during authentication The vehicular electronic control device according to claim 1 or 2, wherein the vehicular electronic control device is used. The authentication control means
The self-authentication code is updated, and the self-authentication code is transmitted in advance to a monitor who authenticates the self selected from among the other electronic control devices. While re-sending to
The authentication code of the monitoring destination received from the monitoring destination selected as the monitor by itself is stored in advance, and the authentication code of the monitoring destination is received again from the monitoring destination at the time of authentication. The vehicle electronic control device according to claim 1 or 2. The authentication control means
Receiving and storing in advance the self-authentication code, the authentication code of the monitoring destination authenticated by the self and the information of the supervisor who authenticates the self,
While receiving the authentication code of the monitoring destination again from the monitoring destination at the time of authentication,
3. The vehicular electronic control device according to claim 1, wherein the self-authentication code is transmitted to the supervisor.   When the authentication control unit collates the authentication code of the monitoring destination received in advance with the authentication code of the monitoring destination received at the time of authentication, and determines that both are in a predetermined relationship, the monitoring destination authenticates The vehicle electronic control device according to claim 1, wherein the vehicle electronic control device is determined to be successful. While the authentication control means transmits the result of authentication performed by itself to each electronic control device participating in mutual authentication, the result of authentication performed by each electronic control device is received,
The vehicular electronic control device according to any one of claims 1 to 6, wherein each authentication result is determined based on the self-authentication result and the received authentication result.   The authentication control means determines that the electronic control device has succeeded in authentication when there are two or more authentication results for the same electronic control device, even if a predetermined number or less of authentication results indicate an authentication failure. The vehicle electronic control device according to claim 7, wherein   When the authentication control means determines that the electronic control apparatus authenticated by itself has failed in authentication, the authentication control means transmits information on the electronic control apparatus authentication failure to the in-vehicle information terminal via the transmission / reception means. The electronic control device for a vehicle according to any one of claims 6 to 8, wherein the electronic control device is for a vehicle.   When it is determined that the electronic control device authenticated by the authentication control means has failed in authentication, the authentication control means transmits the electronic control device authentication failure information to a pre-registered destination via the transmission / reception means. The vehicular electronic control device according to any one of claims 6 to 9.   The said crime prevention control means prohibits the normal control for controlling a vehicle, when there exists the electronic control apparatus which failed in authentication, The Claim 1 characterized by the above-mentioned. Electronic control device for vehicles. In a vehicle service center that manages and monitors vehicles,
Information including ROMSUM and control programs of a plurality of electronic control devices mounted on the vehicle is stored for each vehicle registered in advance, and the vehicle and the information are updated to update the electronic A vehicle service center comprising management means for monitoring and managing a control device.   The management means periodically updates a mutual authentication relationship between a plurality of electronic control devices mounted on the vehicle and / or an authentication code used for the authentication with respect to a vehicle registered in advance. 13. The vehicle service center according to claim 12, wherein the authentication code, the authentication code of the monitored person, and the information of the monitoring person are transmitted to the electronic control unit.   When the management means receives information on the failure of the electronic control device from the vehicle, it acquires the ROMSUM of the electronic control device that has failed in authentication, compares it with the previously stored ROMSUM of the electronic control device, 14. The vehicle service center according to claim 12 or 13, wherein when the two match, a control signal for canceling a security function is transmitted to the electronic control device of the vehicle.   When the management means receives information on the failure of the electronic control device from the vehicle, it acquires the ROMSUM of the electronic control device that has failed in authentication, compares it with the previously stored ROMSUM of the electronic control device, The vehicle service center according to any one of claims 12 to 14, wherein if the two do not match, the control program of the electronic control device registered in advance is transmitted to the electronic control device.

Images