JP2007041694A - Upgrade method of firmware - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To make it possible to carry out upgrade only to a permitted kind of firmware when a user performs upgrade of firmware. <P>SOLUTION: 1. The firmware for upgrade has a hash value list of the firmware before being permitted. 2. A device performs comparison of the hash value list with the hash value of the firmware currently under operation and if in agreement, upgrade is performed. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  It relates to a device that has a CPU and operates by installing firmware.

  Conventionally, some devices that operate on firmware can be upgraded by a user. At that time, in order to prevent a highly functional firmware from being installed on a user device that is not originally permitted, one or more of the following measures may be taken.

  Each device has a unique number and the firmware manufacturer gives the firmware the device number used by the authorized user. When the installation is executed, the installation program checks the number of the device and the number of the firmware to be installed, and if they match, the installation is performed.

  When the device is turned on, if the number held by the device matches the number of the firmware to be executed, the device starts its operation.

  The firmware running on the user's device has a unique number, and the firmware manufacturer gives the new firmware provided to the user a number equivalent to the firmware of the device held by the target user, and the installation program The number is checked at the time of installation, and if it matches, the installation is executed.

  The user holds a unique number assigned to the currently operating firmware, and the firmware manufacturer assigns a number equivalent to the number of the target user to the newly provided firmware. The installation program requests the number from the user at the time of installation, and starts the installation if they match.

  The above is a method for managing version upgrades for each user or for each individual firmware (individually even firmware having the same function). Installation and execution of firmware can be prevented when a user illegally obtains new high-performance firmware.

  Firmware is managed by type depending on the functions it holds. Each type has a unique number, and the installation program compares the number of the newly provided firmware with the number of the currently operating firmware. If it matches, install only.

  The firmware is managed by type depending on the function to be held, the date and time of distribution / release, version, etc., each type has a unique number, the newly provided firmware has the number that can be installed, The installation program compares the number of the currently operating firmware with the number, and if the numbers match, the installation program is installed.

  The above (5) to (6) are methods for managing version upgrades for each type of firmware (for example, without identifying firmware having the same function). For products that are not managed for each user, it is possible to prevent installation of high-performance firmware that is not permitted and version upgrades that are not subject to maintenance.

Moreover, as a prior art example, patent document 1 and patent document 2 can be mention | raise | lifted, for example.
JP 2004-86771 A JP 09-244886 A

  When trying to manage firmware upgrades by the methods (1) to (4), there are the following problems.

  The firmware manufacturer manages the number held by the user's device, the number held by the firmware running on the user's device, its version, etc., on a “per user” basis. There was a need to create. However, there are products that do not require management for each user, and it can be said that management for each user is unsuitable for updating the firmware of such products because the burden on the firmware manufacturer is large.

  When trying to manage firmware upgrades by the methods (5) to (6), there are the following problems.

  If the firmware number is a model number, version number, serial number, etc., it is easy for a malicious user to analyze, and a high-performance firmware that is classified into another type is tampered with by changing its number. It may be installed for functional types of firmware.

  In order to solve the above problems, the following matters must be taken into consideration.

  Let the device judge itself, no other equipment is required.

  The procedure and effort are the same as the conventional firmware version upgrade, and the user is not inconvenienced.

  In order to solve the above problems, the following measures are taken.

  The firmware for upgrading has a HASH value list of previous firmware that is permitted to be upgraded to that firmware.

  When upgrading the firmware, the installation program compares the HASH value list held by the firmware with the HASH value of the currently operating firmware, and if they match, upgrades the version.

  The HASH value is created from (firmware + secret value), and by changing the secret value, the Hash value list value of the previous firmware to be upgraded is changed.

  By taking these measures, the following actions can be obtained.

  It is possible to prevent the user from executing version upgrade for firmware that is not permitted to be upgraded.

The device itself that executes the installation program determines whether or not the upgrade is possible, and no other equipment is required for the upgrade.
By using the hash value of the currently operating firmware instead of a simple number as the criterion for determination, the following advantages can be obtained.

  Since it is determined not by easy-to-understand information such as model number information and version information but by a hash value obtained by adding a secret value to the firmware, it can be said that it is difficult to specify firmware information that can be upgraded from the hash value list. Therefore, it is possible to reduce the possibility that the Hash value list is rewritten by a malicious user and the version is arbitrarily upgraded. In particular, if there is a plurality of secret values in one firmware, or changes are made for each firmware that releases secret value changes, the possibility of hacking can be made very low.

  The firmware does not need to have its own number information. (Because HASH values can be generated from firmware)

  The following matters are mentioned as effects of the present invention.

  It is possible to prevent the user from executing version upgrade for firmware that is not permitted to be upgraded.

  The device itself that executes the installation program determines whether or not the version can be upgraded, and no other equipment is required for the upgrade.

  By using the Hash value of the currently operating firmware instead of a simple number as the criterion for determination, the following advantages can be obtained.

  Since it is determined not by easy-to-understand information such as model number information and version information but by a hash value obtained by adding a secret value to the firmware, it can be said that it is difficult to specify firmware information that can be upgraded from the hash value list. Therefore, it is possible to reduce the possibility that the Hash value list is rewritten by a malicious user and the version is arbitrarily upgraded. In particular, if there is a plurality of secret values in one firmware, or changes are made for each firmware that releases secret value changes, the possibility of hacking can be made very low.

  Since the HASH value can be generated from the firmware, it is not necessary for the firmware to have its own number information.

  The present invention relates to a method for upgrading the firmware of a device, as will be described in detail below.

FIG. 1 is a diagram illustrating a configuration in which the network system of this embodiment can operate.
In FIG. 1, reference numeral 110 denotes a single function printer (hereinafter referred to as SFP (Single Function Printer)), and reference numeral 120 denotes a multifunction peripheral (hereinafter referred to as MFP (Multi Function Printer)), which is connected to the LAN 100.

  The SFP 110 and MFP 120 receive a print job from the PC 130 via the network and perform print processing. In addition, the SFP 110 and the MFP 120 receive a new firmware installation request according to an instruction from the PC 130, and if possible, receive a new firmware program and execute installation. A firewall 140 connects the LAN 100 to the external Internet 150. The LAN 100 is connected to a further network 160 via a firewall 140 and the Internet 150.

  FIG. 2 is a diagram showing an internal configuration of a general personal computer, and the internal configuration of the PC 130 in FIG. 1 is as described above. The PC 200 includes a CPU 201 that executes various kinds of software stored in the ROM 202 or the hard disk (HD) 211 or supplied from the flexible disk drive (FD) 212, and comprehensively controls each device connected to the system bus 204. To do. A RAM 203 functions as a main memory, work area, and the like for the CPU 201. A keyboard controller (KBC) 205 controls instruction input from a keyboard (KB) 209 or a pointing device (not shown). Reference numeral 206 denotes a CRT controller (CRTC) that controls display on a CRT display (CRT) 210. A disk controller (DKC) 207 controls access to the hard disk (HD) 211 and the flexible disk controller (FD) 212 for storing a boot program, a program for realizing the present invention, various applications, editing files, user files, and the like. To do. A network interface card (NIC) 208 bi-directionally exchanges data with a network printer, another network device, or another PC via the LAN 220.

  In this embodiment, the LAN 220 is the same as the LAN 100 in FIG.

  3, 300 is an example of the internal configuration of the MFP or SFP in which the program of the present invention is run, and is equivalent to 110 and 120 in FIG. The device 300 includes a CPU 301 that executes various programs stored in a ROM 302 or a hard disk (HD) 310 or supplied from a flexible disk drive (FD) 311, and generally controls each device connected to the system bus 304. Control. A RAM 303 functions as a main memory, work area, and the like for the CPU 301. A user interface controller (UIC) 305 controls display on the user interface (UI) 309 and instruction input from the 309. A function controller (FUNCC) 306 realizes / controls a function (FUNC) 310 that is a function unique to each device. In the case of a monochrome printer, a monochrome print engine controller and a monochrome print engine, in the case of a color printer, a color print engine controller and a color print engine, and in the case of an MFP, the device 300 includes a function controller (FUNCC) 306 and a function (FUNC) 310 for each function. Have each. Reference numeral 307 denotes a disk controller (DKC) which controls access to a hard disk (HD) 311 and a flexible disk controller (FD) 312 for storing a boot program, a program for performing the operation of the present invention, various applications, and data files. A network interface card (NIC) 308 bi-directionally exchanges data with a network printer, another network device, or another PC via the LAN 320. In this embodiment, the LAN 320 is the same as the LAN 100 and the LAN 190 in FIG.

  FIG. 4 is an explanatory diagram of the installation operation of the MFP and SFP in the printing system of the present invention. Reference numeral 410 denotes a medium which stores a firmware program 411 for upgrading and a hash value list 412 of firmware to be upgraded. Reference numerals 420 and 421 denote devices representing MFPs or SFPs, which are equivalent to 110 and 120 in FIG. It is represented by a firmware program Hash2 operating on the device 420 and displayed in the hash value list 412. Therefore, it can be seen that the upgrade firmware program stored in the medium 410 can be installed in the device 420. However, the hash value of the device 421 is Hash8 and does not exist in the hash value list 412. Therefore, the device 421 is not permitted to install the firmware program stored in the medium 410.

  FIG. 5 is a sequence diagram of the installation operation in the operation of the present invention. When the installation operation is started in the PC 510, the installation program is transferred to the device 520. At this time, the hash value list is also transferred at the same time. The device 520 starts the processing of the installation program, first calculates the hash value of the firmware currently operating on the device (521), and checks whether or not the calculated hash value is in the received hash value list ( 521, 522), if it exists, the new firmware installation process is started (523). Thereafter, the firmware program data is received from the PC 510 (513 to 515), and the installation is executed (524).

  FIG. 6 is an expression representing calculation of a hash value in the present invention. The hash value in the present invention refers to the output of the firmware data that is input to the hash function H () together with the secret value held secretly by the installation program.

  FIG. 7 is a flowchart of a firmware program operating on the device. First, when the power is turned on, a device initialization process is performed (process 710). When the initialization is completed, an external request is waited (process 711). When a new firmware installation request is received, an installation program is received (process 720). When another request is received, other processing is performed (processing 730), and the request from the outside is again waited (processing 711). After the processing 720 is completed, the boot program of the device is set so that the installation program is activated (processing 721), reboot is performed (processing 722), and the processing is ended (processing 799).

  FIG. 8 is a flowchart of the installation program received in the process 720 of FIG. First, a hash value of the currently operating firmware is created as shown in FIG. 6 (process 810). The calculated hash value is searched from the hash value list held by the installation program (process 811). If the calculated hash value is included in the hash value list, the process proceeds to process 821. If not, the process proceeds to process 830. In process 820, the new firmware is downloaded from the PC 510 in FIG. 5, and the firmware is inspected to determine whether the download was successful (process 821). If the download is successful, the process proceeds to process 840. If it is determined that the download has failed, the process proceeds to process 830. In process 840, the downloaded new firmware is set to start operation after the next reboot (process 840), and the device is rebooted (process 841). In process 830, the panel display or the PC 510 is notified that the firmware update has failed. Thereafter, in the process 831, the firmware that has been operated so far is set to operate, and the process proceeds to the process 841.

  FIG. 9 is a memory map of programs related to the device installation operation. After the CPU is turned on, the first address to be referenced is Address A (address 910), and the boot program is stored with Address A as the head. Address B (address 920) and Address C (address 930) are the top addresses of the area where the firmware program is stored, and the installation program is stored in the area starting with Address D.

  The boot program is set as to which program is to be executed. If the currently active firmware program is stored in the firmware 0 storage area (area 921), the boot program executes processing from the address 920. It is set to be. In FIG. 7, when an installation request is received as in process 711, the install program is first stored in the install program storage area (area 941) (process 720), and the process from address 940 is executed at the next start in process 721. Set to do. Thereafter, the system is rebooted, and the process is executed according to the flow of the installation program shown in FIG. 8. When a new firmware program is downloaded in process 820, it is stored in the firmware 1 storage area (area 931). When the download of the new firmware is completed, the boot program is set to execute the process from the address 930 (process 840). After the device is rebooted (process 841), the process is started from the address 830 and the execution of the new firmware is started. Is done.

  FIG. 10 is a diagram showing a memory map of a CD-ROM which is an example of a storage medium. 9999 is an area in which directory information is stored, an area 9998 in which subsequent installation programs are stored, an area 9997 in which installation programs for devices are stored, and an area 9996 in which new firmware programs for devices are stored. Indicates the position. An area 9998 stores a program for executing the installation of the area 9996 on the device on the PC. Reference numeral 9997 denotes an area in which a program for executing installation that operates on the device is stored. Reference numeral 9996 denotes an area in which a device firmware program is stored. When the program stored in 9996 is installed in the printing device 300 using, for example, the PC 200, the installation program stored in the area 9998 storing the installation program is first loaded into the PC 200, and the CPU 201 Executed by. Next, the installation program executed by the CPU 201 transfers the area 9997 storing the device installation program to the printing device 300 and is executed by the CPU 301. Next, the device installation program executed by the CPU 301 requests the device firmware to the PC 200, the PC 200 transmits the device firmware to the printing device 300 by the installation program, and the printing device 300 uses the device installation program for the device. Firmware is stored in the hard disk 311.

  Note that the present invention may be applied to a system or an integrated device including a plurality of devices (for example, a host computer, an interface device, a reader, etc.) or an apparatus including a single device.

  In addition, a storage medium in which a program code of software that realizes the functions of the above-described embodiments is supplied to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the program code in the storage medium. It goes without saying that the object of the present invention can also be achieved by reading and executing.

  In this case, the program code itself read from the storage medium realizes the novel function of the present invention, and the storage medium storing the program code constitutes the present invention.

  As a storage medium for supplying the program code, for example, a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a nonvolatile memory card, a ROM, or the like can be used.

  In addition, the functions of the above-described embodiments are realized by executing the program code read by the computer, and the OS running on the computer is part of the actual processing based on the instruction of the program code. Alternatively, the functions of the above-described embodiment can be realized by performing all of them and performing the processing.

  Further, after the program code read from the storage medium is written to a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. The CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing, and the functions of the above-described embodiments can be realized by the processing.

  The present invention can also be applied to a case where the program is distributed to a requester via a communication line such as personal computer communication from a storage medium in which a program code of software realizing the functions of the above-described embodiments is recorded. Needless to say.

1 is a diagram illustrating a configuration of a printing system according to an embodiment. The figure which showed the internal structure of the general personal computer. 1 is a diagram illustrating an internal configuration of a general image forming apparatus. Model diagram of PC and image forming apparatus. An example of a sequence diagram between a PC and an image forming apparatus. Hash value calculation formula. 1 is an example of a flowchart of an image forming apparatus. 1 is an example of a flowchart of an image forming apparatus. An example of the memory map of an image forming apparatus. An example of the memory map in the storage medium of the program of this invention.

Claims (4)

  A firmware upgrade method in which the firmware to be upgraded and a secret value that is not disclosed are input to the Hash function and the output value is used as an identifier for the firmware to be upgraded.   The firmware version upgrade method according to claim 1, wherein the list has one or more of the Hash values in a list.   If the Hash value that identifies the current firmware matches the Hash value list of the upgrade firmware during the upgrade operation, it is determined that the current firmware is the target of the upgrade. The firmware version-up method according to claim 1 or 2, wherein the version-up is executed.   A device for executing the firmware version upgrade method according to claim 1.

Images