JP2008123147A - Remote rewrite method for electronic control unit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To take measures for protection and safety when rewriting PLD data in an electronic control unit. <P>SOLUTION: A write logic 130 is provided for transferring and writing logic program and data from a control center 200 to a PLD 110. A buffer circuit 1001 can control the passage/blockage of the logic program and data, and an enable register 1101 passes the logic program and data only when the logic program and data are transferred to the PLD. A method includes the transfer of the logic program and data only when a hardware ID data fixedly and separately given to each electronic control unit matches a key code data remotely transferred from the outside, the transfer of the logic program and data after encrypting the hardware ID data, and the transfer of the logic program and data through an external serial EEPROM. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an electronic control device for writing logic program data for control of a controlled object by a microprocessor to a programmable device, and in particular, by rewriting these logic programs from a place away from the device, The present invention relates to a remote rewriting method for switching or changing the operation mode of the hardware of the apparatus.

  Currently, in the hardware design of an electronic control device, its logical operation is described in a hardware logic description language (HDL: Hardware Description Language), and its logical expression (program) is an FPGA (Field Programmable Gate Array), It has become common practice to implement desired hardware functions by writing to programmable devices (programmable logic elements) such as CPLDs (Complex Programmable Logic Devices).

  Conventionally, the logic operation realized by the combination connection of the primitive logic elements, by using these programmable devices, by changing the data to be written to the logic elements without physically changing the wiring, It is possible to change the logic.

  Currently, there are the following three types of programmable devices such as FPGA and CPLD due to the difference in the method of fetching configuration logic program data.

  (1) A type in which a OneTimeROM (ROM that can be written only once) is built in as a configuration data storage memory inside the PLD.

  As shown in FIG. 5, the writing of the logic program data to the built-in ROM is performed using a dedicated ROM writer when the apparatus is manufactured. With this type, once it is mounted on the control board, data cannot be rewritten, and when changing the logic program data, the device itself must be replaced. However, it does not require time for fetching logic program data, and is characterized by a short start-up time.

  (2) A type in which SRAM (StaticRAM: Random Access Memory that holds data only while power is supplied) is built in the PLD as a configuration data storage memory.

  As shown in FIG. 6, data is automatically downloaded from an external serial ROM (OneTimeROM with serial I / F or EEPROM (Electric Erasable PROM)) via a serial I / F, Writing can also be performed by software via a processor serial I / F. This type does not require data to be written in the PLD main unit at the time of manufacture of the apparatus, but can be ISP (In System Programming). When starting up, since it takes time to inject (download) the logic program data from the outside, it is necessary to consider a certain delay time.

  (3) A type in which FlashROM (a rewritable nonvolatile memory) is built in the PLD as a configuration data storage memory.

  As shown in FIG. 7, at present, as an interface for rewriting the internal flash ROM, a signal that conforms to a JTAG port (IEEE1149.1 standard) is generally used. This type has the advantage that ISP (In System Programming) is possible, and it is not necessary to take in data from the outside when starting up in normal use, and it can be operated in a short time like the built-in OneTimeROM type. .

  Here, in view of an electronic control device using these programmable devices (hereinafter referred to as PLD), generally, data written to the PLD at the time of product manufacture and shipment is fixed, and some change factor ( Since it is not necessary to rewrite these if no request) occurs, it is not necessary to have a mechanism or structure for rewriting this logical program data at the site of operation of the device, regardless of the type of PLD described above. Few.

  In rare cases, these devices need to rewrite the logic program data of the PLD. If there is some problem with the logic program data and it becomes obvious, or if the function of the device is added. For example, a version upgrade for improving performance may be considered. At present, when these needs arise, the device is temporarily stopped (power off), removed, replaced with a replacement (spare part), etc., and then the product is used at the site or the factory where it was manufactured. In general, the logical program / data is rewritten and decomposed.

  On the other hand, in recent years, as described above, the PLD itself has an ISP (In System Programming) function, and after mounting (manufacturing) the PLD on the control board, the board is powered on to write logic program data to the PLD, More and more can be downloaded and perform logical operations. The PLDs of the types (2) and (3) described above correspond to this. By using this mechanism, it is possible to rewrite (change) the logic program data of the PLD incorporated in the electronic control device by remote control.

A method for rewriting PLD logic program data by remote control via a LAN line or a communication network using this mechanism has been proposed (for example, see Patent Document 1 and Patent Document 2).
JP 2005-258996 A Japanese Patent Laid-Open No. 9-218781

  However, when performing PLD data rewriting according to the above-mentioned Patent Documents 1 and 2, etc., there are problems in safety and reliability.

  FIG. 8 shows an example of a mechanism for remote writing of a PLD realized by using the mechanism of Patent Document 1. This example is a mechanism for rewriting a control device using PLDs of the types (2) and (3) described above from a remote control center via a LAN line.

  In FIG. 8, reference numeral 100 denotes an electronic control device on which a PLD (FPGA or the like) is mounted. Reference numeral 200 is a remote control center for instructing rewriting of the PLD logic program of the electronic device, and 300 is a communication network for transmitting rewritten data, such as a LAN line or an IP network. .

  Furthermore, in the figure, 110 is the whole PLD to be rewritten by the logical program data, 120 is the control target controlled by the PLD, and 130 is used for rewriting the logical program data of the PLD. 140 is an internal local bus used for data exchange in 100 control devices, 150 is a CPU that controls and processes the entire control device, 160 is a memory circuit, 170 Is a LAN control circuit for the control device to send and receive data to and from 300 communication networks.

  Further, in the figure, 111 is a JTAG interface inside the PLD to be rewritten, 112 is a RAM (Random Access Memory) or FlashROM (Read Only Memory) for storing PLD configuration data, and 113 is a core of the PLD. A logic part (a logic circuit matrix for actually controlling a control target in accordance with configuration logic program data). On the other hand, 131 is a “CPU interface circuit” for 130 write logic mechanisms to exchange data with 150 CPUs via 140 local buses, and 132 is a control signal for writing logical program data. “Transfer (transfer) control circuit” for performing timing generation and data conversion, 133 is a “JTAG interface circuit” for actually transferring logical program data to be written with the PLD, and 134 is a logical program A “DMA control circuit” in the case of using DMA (Direct Memory Access: a method used when transferring data in 160 memories to 110 PLDs without a CPU) when writing data.

  In this mechanism, when it becomes necessary to rewrite the logic program data of the PLD (110) in the control apparatus from the control center of 200, writing is performed by the following STEP.

  (STEP 1) In accordance with a predetermined data exchange procedure (hereinafter referred to as a protocol) between 200 and 100, new logical program data for rewriting prepared on the control center side is transferred to 160 memories.

  (STEP 2) When the logic program data is stored in the memory, 150 CPUs or 134 DMA controllers operate, and the rewrite data in the 160 memory is transferred through the circuit of 131 → 132 → 133 → 111. The data is transferred (written) to the configuration data storage memory 112.

  After this data transfer (write process) is completed, if a self-reset (reboot process) is generated in the entire 100 control devices, the 110 PLD implements a new control function according to the new logic program data stored in 112 Will come to do.

  Now, the function so far can be realized by the mechanism and contents of Patent Document 1. However, since this mechanism alone does not include a safety mechanism for PLD rewrite processing, incorrect data is written to the control device to be rewritten due to an incorrect command from the control center, and control becomes impossible. If the CPU goes out of control due to an S / W or F / W bug mounted on the control device, the PLD data will be rewritten, and the device will never stand up again. There was a danger.

  In other words, rewriting of PLD data in the control device must be performed very carefully, and sufficient protection measures and safety measures are required for this rewriting mechanism.

  SUMMARY OF THE INVENTION An object of the present invention is to provide a remote rewriting method capable of taking protection measures and safety measures for rewriting PLD data in an electronic control unit.

  The present invention for solving the above-described problems is characterized by the following configuration.

(1) A micro processor, a programmable device in which a logic program for controlling a control target by the micro processor is written, and the logic program data remotely transmitted to the micro processor from the outside. In an electronic control unit with write logic that transfers and writes to the device,
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
And an enable register that switches the buffer circuit from a disabled state to an enabled state only when the logical program data is transferred to the programmable device.

(2) a microprocessor, a programmable device in which logic program data for control of a control target by the microprocessor is written, and the logic program data transmitted remotely to the microprocessor from the outside In an electronic control device with write logic that transfers and writes to a programmable device,
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
A hardware ID register pre-stored with hardware ID data fixedly given to each electronic control unit;
A key code register in which key code data transmitted from the outside to the microprocessor is written;
A comparator that switches the buffer circuit from a disabled state to an enabled state only when the hardware ID data and the key code data match when transferring the logic program data to the programmable device. It is characterized by.

(3) a microprocessor, a programmable device in which logic program data for control of a control target by the microprocessor is written, and the logic program data transmitted from the outside to the microprocessor In an electronic control device with write logic that transfers and writes to a programmable device,
The programmable device stores a hardware ID register in which hardware ID data fixedly given for each electronic control device is stored in advance, and a revision of the current logic program data written in the programmable device. With a revision register,
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
An encryption circuit in which the contents of the hardware ID register and the contents of the revision display register are written by the microprocessor;
Key code written as key code data to the hardware ID register contents and the revision display register contents notified to the outside by the microprocessor, and the encrypted data encrypted externally by software・ Register and
A comparator that switches the buffer circuit from a disabled state to an enabled state only when the hardware ID data and the key code data match when transferring the logic program data to the programmable device. It is characterized by.

(4) An external serial EEPROM into which the logic program data output from the write logic is written is provided.
The programmable device includes means for reading the logic program data from the serial EEPROM at the time of self-resetting of the entire control apparatus.

  As described above, according to the present invention, the logical program data of the programmable device can be rewritten from the outside, the program execution (software) runaway, the influence of noise, and further intentional human destruction, etc. However, it is possible to thoroughly eliminate the risk of losing its function and never be able to restore it, and to rewrite the PLD in the control device with high safety.

(Embodiment 1)
In the present embodiment, it is proposed to provide a simple buffer circuit on the basic data write processing route and to provide an enable register for enabling / disabling the buffer circuit.

  FIG. 1 shows an example of a mechanism for this purpose. In the same figure, each part of 100-170 is the same as each part of FIG. In FIG. 1, reference numeral 1000 denotes an entire protection circuit added in the write logic for safety measures in this embodiment. Reference numeral 1001 denotes a buffer circuit provided in a data path between 132 transfer control circuits and 133 JTAG interface, and enable (signal passing) / disable (signal cutoff) can be controlled by a buffer control signal 1001a. Is. Reference numeral 1101 denotes an “enable register” for operating the buffer control signal 1001a, and the level of the buffer control signal can be changed by an access operation by 150 CPU.

  In the mechanism of FIG. 1, first, in the initialization state (after reset), the enable register 1101 is cleared, and the buffer control signal 1001a is in the “disable (signal cut-off)” state. To do. In this state, writing is performed by the following STEP.

  (STEP 1) The new logical program data for rewriting prepared on the control center side is transferred to 160 memories in accordance with a data exchange protocol predetermined between 200 and 100.

  (STEP 2) Prior to the data writing process, the CPU operates the enable register 1101 to invert the buffer control signal 1001a in the “enable (signal passing)” direction.

  (STEP 3) When the logic program data is stored in the 160 memory, 150 CPUs or 134 DMA controllers operate, and the rewrite data in the 160 memory is changed from 131 → 132 → 1001 → 133 → 111. The data is transferred (written) to the configuration data storage memory 112 via the circuit.

  After this data transfer (write process) is completed, if a self-reset (reboot process) is generated in the entire 100 control devices, the 110 PLD implements a new control function according to the new logic program data stored in 112 Will come to do. This reset process clears the enable register 1101 and returns the buffer control signal 1001a to the “disabled (signal cut-off)” state.

  In this example, since the enable register 1101 is cleared and the buffer control signal 1001a is “disabled (signal cutoff)” during normal operation of the control device, the signal of noise or the like There is no possibility that the JTAG interface for writing will malfunction due to the disturbance and the contents of the 112 configuration data will be rewritten. Also, unless the CPU correctly operates the enable register 1101 and inverts the buffer control signal 1001a in the “enable (signal passing)” direction, the contents of the 132 configuration data cannot be rewritten. Even if the S / W execution runs out of control and the rewrite processing unit is executed, there is no fear that the contents of the configuration data will be rewritten.

  In order to realize such a mechanism, the use of the mechanism according to the first embodiment shown in FIG. 1 can improve the safety against erroneous writing in the PLD data rewriting process.

(Embodiment 2)
In the present embodiment, a mechanism for further improving the safety of the mechanism of the first embodiment is proposed.

  In the case of the first embodiment, once the S / W goes out of control and the enable register 1101 in FIG. 1 is operated to invert in the “enable (signal passing)” direction, 1000 protection circuits function. Therefore, since the configuration is exactly the same as that of the conventional circuit of FIG. 8, the erroneous write lock function due to erroneous operation and noise, which is a feature of this mechanism, is lost.

  Therefore, the second embodiment is a mechanism in which the mechanism of the enable register 1101 in FIG.

  FIG. 2 shows a mechanism example of the second embodiment. In the same figure, each part of 100-170 is the same as each part in FIG. In FIG. 2, reference numeral 1000 denotes the entire protection circuit added in the write logic as a safety measure in the second embodiment. Reference numeral 1001 denotes a buffer circuit provided in a data path between 132 transfer control circuits and 133 JTAG interface, and enable (signal passing) / disable (signal cutoff) can be controlled by a buffer control signal 1001a. It is the same as in FIG.

  In FIG. 2, each part of 1201 to 1203 is a feature of the second embodiment, but 1201 is unique data (for example, only dependent data such as a manufacturing serial number) given to each control device to be rewritten. Is a register (hardware ID register) in which is stored in a fixed manner. This register is realized by a nonvolatile memory or the like, and cannot be rewritten after writing at the time of manufacture. Next, reference numeral 1202 denotes a key code register which can be accessed (rewritten) from 150 CPUs via the 131 CPU interface, and is sent from the 200 control center side in the PLD logical program data rewriting process. The CPU receives the incoming key code data and writes it here. Reference numeral 1203 denotes a comparison circuit (comparator), which compares a unique hardware ID stored in advance in 1201 with a value set in the key code register of 1202, and determines whether or not they match (1001a Signal). Here, the 1001a signal is set to the enable (signal passing) side when the two values match, and is set to the disable (signal cutoff) side otherwise.

  Here, when the device is reset, the “key code register” of 1202 is cleared, and if it always becomes a value different from the hardware ID code, the buffer control signal of 1001a (the output of the comparator of 1203) ) Is in a “disabled (signal cut-off)” state during normal times (except during PLD rewrite processing). In this state, PLD logic program data rewrite is performed in the following STEP.

  (STEP 1) The new logical program data for rewriting prepared on the control center side is transferred to 160 memories in accordance with a data exchange protocol predetermined between 200 and 100.

  (STEP 2) On the control center side, the hardware ID data (for example, only subordinate data such as the manufacturing serial number) of the control device to be rewritten is pre-recorded and the PLD logic program data is rewritten. When rewriting program data, the hardware ID data of the device is transferred to the CPU (150) of the device as “key code data” information.

  (STEP 3) The CPU 150 writes the “key code data” information delivered from the 200 control center side into the 1202 key code register.

  By this processing, the two inputs of the comparator 1203 (the unique hardware ID stored in advance 1201 and the value set in the key code register 1202) match, and the output signal 1001a signal Indicates the “enable (signal passing)” direction, and the buffer 1001 is enabled.

  (STEP 4) When the logical program data for PLD rewrite is stored in the memory, 150 CPUs or 134 DMA controllers operate, and the rewrite data in the 160 memory is changed from 131 → 132 → 1001 → 133 → The data is transferred (written) to the configuration data storage memory 112 via the circuit 111.

  After this data transfer (write process) is completed, if a self-reset (reboot process) is generated in the entire 100 control devices, the 110 PLD implements a new control function according to the new logic program data stored in 112 Will come to do. In addition, the reset process initializes (clears) the key code register 1202, and the values 1201 and 1202 do not match. Therefore, the buffer control signal 1001a (the output of the comparator 1203) is "disabled ( The signal is cut off.

  In this example, when the normal control device is operated, the key code register 1202 is initialized (cleared), the values 1201 and 1202 do not match, and the buffer control signal 1001a (the output of the comparator 1203) Is in the “disable (signal cut-off)” state, there is a risk that the JTAG interface for this writing will malfunction due to disturbance of the signal such as noise and the contents of the 112 configuration data will be rewritten. Absent. In addition, the 200 control centers instructing to rewrite the PLD logic program data correctly recognize the hardware ID information of the control device. Unless this is correctly transmitted to the CPU of the apparatus, and the CPU does not correctly set this in the key code register, the buffer control signal of 1001a will not be in the “enable (signal passing)” direction, so the contents of the 112 configuration data Cannot be rewritten. For this reason, even if the S / W execution runs out of control and the rewrite processing unit is executed, there is almost no possibility that the contents of the configuration data will be rewritten.

  If the mechanism of the second embodiment shown in FIG. 2 is used in order to realize such a mechanism, the safety against erroneous writing can be further improved in the data rewriting process of the PLD.

(Embodiment 3)
The present embodiment proposes a mechanism for further improving the safety of the mechanism of the second embodiment.

  In the case of the second embodiment, it is possible to have a considerably high safety in order to prevent erroneous writing of PLD data due to S / W runaway or erroneous writing operation to a device that is not the original target (device having a different hardware ID). However, in the third embodiment, if higher reliability is provided and the revision of the logical program data written in the control device to which the PLD is to be rewritten does not match, the new data is transferred. Propose a mechanism to avoid rewriting.

  For this purpose, encryption was performed based on this information in the device that is the target of rewriting of the PLD logical program data based on the target hardware ID already written in the PLD, the revision of the logical program data, etc. In addition to generating “encrypted data”, information such as the target hardware ID already written in the PLD and the revision of the logical program data is transferred from 100 devices to 200 control centers prior to the communication protocol for rewrite processing. In this embodiment, the control center transmits “encrypted data” obtained by encrypting these in S / W as key code data to the apparatus together with the write data for processing. 3.

  FIG. 3 shows a mechanism example of the third embodiment. In the same figure, each part of 100-170 is the same as each part in FIG. In FIG. 3, reference numeral 1000 denotes the entire protection circuit added in the write logic for safety measures as the third embodiment. Reference numeral 1001 denotes a buffer circuit provided in a data path between 132 transfer control circuits and 133 JTAG interface, and enable (signal passing) / disable (signal cutoff) can be controlled by a buffer control signal 1001a. It is the same as in FIG.

  In FIG. 3, the mechanisms 1301 to 1304 are the features of the third embodiment. Reference numeral 1301 denotes an encryption logic circuit for encrypting data given by the CPU 150, and the encrypted data is stored in an “encrypted data register” 1302. Reference numeral 1303 denotes a “hardware ID register” nonvolatile register that stores unique data (for example, only subordinate data such as a manufacturing serial number) given to the individual control device to be rewritten. “Revision register” indicating the revision of the current logic program data written in the PLD, which is created as part of the PLD configuration logic program data and embedded in the PLD. Shall be left in place. 1303 and 1304 are configured so that 150 CPUs can read via 140 local buses.

On the other hand, each part of 1202 and 1203 is the same as that of the second embodiment (FIG. 2), but 1202 is a register that can be accessed (rewritten) from 150 CPUs via the CPU interface 131 and is a PLD logical program. In the data rewriting process, the CPU receives key code data sent from the control center side of 200 and writes it here. Reference numeral 1203 denotes a comparison circuit (comparator), which compares a unique hardware ID stored in advance in 1201 with a value set in the key code register of 1202, and determines whether or not they match (1001a Signal). Here, the 1001a signal is set to the enable (signal passing) side when the two values match, and is set to the disable (signal cutoff) side otherwise.
Here, when the device is reset, the “key code register” of 1202 is cleared, and if it always becomes a value different from the output of the “encrypted data register” of 1302, the buffer control of 1001a The signal (the output of the comparator 1203) is in a “disabled (signal cut-off)” state at the normal time (except during the PLD rewrite process). In this state, PLD logic program data rewrite is performed in the following STEP.

  (STEP 1) The CPU 150 reads the contents of the “hardware ID register” of 1303 and the “revision register” of 1304 in the 110 PLD.

  (STEP 2) The CPU 150 flows the contents of 1303 “hardware ID register” and 1304 “revision register” read in STEP 1 into 1301 “encryption circuit”. By this processing, the output of the encryption circuit is stored in “encrypted data register” 1302.

  (STEP 3) The CPU of 150 controls the contents of 1303 “Hardware ID Register” and 1304 “Revision Register” read in STEP 1 through 200 LAN control units and 300 communication lines. -Notify the center side.

  (STEP 4) In the data center of 200, the new logical program data for rewriting prepared on the control center side is transferred to the memory of 160 in accordance with a data exchange protocol determined in advance with 100 devices concerned. To do.

  (STEP 5) Further, on the 200 control center side, the contents of 1303 parts of “Hardware ID Register” and 1304 parts of “Revision Register” received in STEP 3 are encrypted by software, and “encrypted data” is stored. Generate.

  (STEP 6) The control center 200 transmits the “encrypted data” generated in STEP 5 to the 150 CPUs as “key code data”.

  (STEP 7) The CPU of 150 writes the “key code data” information delivered from the control center side of 200 to the key code register of 1202.

  By this processing, the two inputs of the comparator 1203 (“encrypted data” stored in 1302 and the value set in the key code register 1202) match, and the output signal 1001a signal is , Indicates the “enable (signal passing)” direction, and the buffer 1001 is enabled.

  (STEP 8) When the logic program data for PLD rewrite is stored in the memory, 150 CPUs or 134 DMA controllers operate, and the rewrite data in the 160 memory is changed from 131 → 132 → 1001 → 133 → The data is transferred (written) to the configuration data storage memory 112 via the circuit 111.

  After this data transfer (write process) is completed, if a self-reset (reboot process) is generated in the entire 100 control devices, the 110 PLD implements a new control function according to the new logic program data stored in 112 Will come to do. In addition, the reset process initializes (clears) the key code register 1202, and the values 1201 and 1202 do not match. Therefore, the buffer control signal 1001a (the output of the comparator 1203) is "disabled ( The signal is cut off.

  In this example, when the normal control device is operated, the key code register 1202 is initialized (cleared), the values 1201 and 1202 do not match, and the buffer control signal 1001a (the output of the comparator 1203) Is “disabled (signal cut-off)”, there is no possibility that the JTAG interface for this writing malfunctions due to disturbance of the signal such as noise and the contents of the 112 configuration data are rewritten. .

  Also, the 200 control centers instructing the rewriting of the PLD logic program data correctly receive the contents of the “hardware ID register” 1303 and the “revision register” 1304 of the control device to be written. Recognize it, encrypt it correctly with a predetermined encryption method, and transmit it to the CPU of the device as “key code data”, which is then correctly set in the key code register On the control device side to which writing is performed, the contents of the “hardware ID register” in 1303 and the “revision register” in 1304 are correctly encrypted and stored in the “encrypted data register” in 1302. Unless otherwise, the buffer control signal of 1001a is not in the “enable (signal passing)” direction. , It is impossible to rewrite the contents of the data 112's configuration.

  With such a mechanism, the present embodiment can provide a PLD logic program / data rewriting mechanism that maintains extremely high safety.

(Embodiment 4)
In the fourth embodiment, the protection method for ensuring basic safety is the same as that in the third embodiment. However, the logical program data is stored in the serial ROM, and the configuration in the PLD is then stored. This is a configuration example when applied to a PLD of a type that operates by downloading data to a RAM for operation.

  FIG. 4 shows a configuration example of the fourth embodiment. In this figure, the 111 and 133 JTAG interfaces in FIG. 3 (Embodiment 3) are replaced with 114 and 135 serial interfaces, and 180 serial EEPROMs are added to the serial interface signal bus. Has been.

  Also in this mechanism, steps (protocol) (STEP 1) to (STEP 7) are exactly the same as those in the third embodiment, and the processes after (STEP 8) are different as follows.

  (STEP 8) The logic program data for PLD rewrite is stored in 160 memory, but 150 CPUs or 134 DMA controllers are operated, and the rewrite data in the 160 memory is changed from 131 → 132 → 1001. Transfer (write processing) is performed in 180 serial EEPROMs through the circuit of → 135 → 180.

  (STEP 9) After the data transfer (write process) in (STEP 8) is completed, if a self-reset (reboot process) is generated in the entire 100 control devices, the 110 PLD is switched to 180 through the 114 serial interface. The data is read from the serial EEPROM, and the data is transferred to the configuration RAM 112, and a new control function is realized according to the new logic program data transferred to the RAM. In addition, the reset process initializes (clears) the key code register 1202, and the values 1201 and 1202 do not match. Therefore, the buffer control signal 1001a (the output of the comparator 1203) is "disabled ( The signal is cut off.

  Also in this example, during the normal operation of the control device, the key code register of 1202 is initialized (cleared), the values of 1201 and 1202 do not match, and the buffer control signal of 1001a (the output of the comparator of 1203) is Therefore, there is no possibility that the serial interface for writing malfunctions and the contents of the 180 serial EEPROMs are rewritten due to disturbance of signals such as noise.

  In addition, the 200 control centers that instruct rewriting of the PLD logic program data correctly receive and recognize the contents of the “hardware ID register” of 1303 parts and the “revision register” of 1304 parts of the control device to be written. Then, this is correctly encrypted by a predetermined encryption method and further transmitted as “key code data” to the CPU of the device, while the CPU is correctly set in the key code register, The control device side to which data is written also correctly encrypts the contents of the “hardware ID register” in 1303 and the “revision register” in 1304 and stores them in the “encrypted data register” in 1302. As long as there is not, the buffer control signal of 1001a does not go in the “enable (signal passing)” direction. , It is impossible to rewrite the content of the serial EEPROM 180.

  With such a mechanism, the present embodiment can provide a PLD logic program / data rewriting mechanism that maintains extremely high safety.

  Note that the mechanism of the present embodiment can be applied to the configuration of the first embodiment or the second embodiment to obtain equivalent operational effects.

The structural example of the PLD data remote rewriting mechanism which shows Embodiment 1 of this invention. The structural example of the PLD data remote rewriting mechanism which shows Embodiment 2 of this invention. The structural example of the PLD data remote rewriting mechanism which shows Embodiment 3 of this invention. The structural example of the PLD data remote rewriting mechanism which shows Embodiment 4 of this invention. Configuration of a conventional OneTimeROM built-in PLD. Configuration of a conventional configuration RAM built-in type PLD. Configuration of a conventional flash ROM built-in type PLD. 2 shows a configuration example of a conventional PLD data remote rewriting mechanism.

Explanation of symbols

100 Electronic control device 200 Control center 110 PLD
130 Write Logic 111 JTAG Interface 112 Data Storage RAM or FlashROM
113 Core Logic Portion 131 CPU Interface Circuit 132 Transfer (Transfer) Control Circuit 133 JTAG Interface Circuit 134 DMA Control Circuit 1000 Protection Circuit 1001 Buffer Circuit 1101 Enable Register 1201 Hardware ID Register 1202 Key Code Register 1203 Comparator 1301 Encryption Logic Circuit 1302 Encrypted data register 1303 Hardware ID register 1304 Revision register 180 Serial EEPROM

Claims (4)

Microprocessor, programmable device in which a logical program for controlling the control object by the microprocessor is written, and the logical program data transmitted from the outside to the microprocessor are transferred to the programmable device In an electronic control device having write logic for writing
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
An electronic controller remote rewrite system, comprising: an enable register that switches the buffer circuit from a disabled state to an enabled state only when transferring the logic program data to the programmable device. Microprocessor, programmable device in which logical program data for control of control target by this microprocessor is written, and said programmable program data that is remotely transmitted to said microprocessor from outside In an electronic control device with write logic that transfers and writes to
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
A hardware ID register pre-stored with hardware ID data fixedly given to each electronic control unit;
A key code register in which key code data transmitted from the outside to the microprocessor is written;
A comparator that switches the buffer circuit from a disabled state to an enabled state only when the hardware ID data and the key code data match when transferring the logic program data to the programmable device. A remote rewriting method for electronic control devices. Microprocessor, programmable device in which logical program data for control of control target by this microprocessor is written, and said programmable program data that is remotely transmitted to said microprocessor from outside In an electronic control device with write logic that transfers and writes to
The programmable device stores a hardware ID register in which hardware ID data fixedly given for each electronic control device is stored in advance, and a revision of the current logic program data written in the programmable device. With a revision register,
The write logic is
A buffer circuit capable of controlling transfer enable (signal passage) / disable (signal cutoff) of the logic program data; and
An encryption circuit in which the contents of the hardware ID register and the contents of the revision display register are written by the microprocessor;
Key code written as key code data to the hardware ID register contents and the revision display register contents notified to the outside by the microprocessor, and the encrypted data encrypted externally by software・ Register and
A comparator that switches the buffer circuit from a disabled state to an enabled state only when the hardware ID data and the key code data match when transferring the logic program data to the programmable device. A remote rewriting method for electronic control devices. An external serial EEPROM into which the logic program data output from the write logic is written;
4. The electronic control device according to claim 1, wherein the programmable device includes means for reading the logic program data from the serial EEPROM at the time of self-reset of the entire control device. 5. Remote rewrite method.

Images