JP2008165729A - Microcomputer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a microcomputer, capable of restarting a rewrite program without performing mode switching through an external terminal in the event of a rewriting failure of a nonvolatile memory. <P>SOLUTION: When a CPU of the microcomputer executes the rewrite program, the FLASH status 0 of a flash memory is cleared prior to rewriting of all areas of the flash memory, and a rewrite completion code is finally written to the FLASH status 0. When the CPU executes a determination program, the FLASH status 0 of the flash memory is read first (step S1). When the data is not matched with the rewrite completion code (NO), the CPU confirms that reading data of ID statuses 2_1 and 2_2 is matched with an ID code (step S5: YES), and then executes the rewrite program again. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a microcomputer configured to be able to execute rewriting of a rewritable nonvolatile first memory in which an application program is stored on board or on chip.

  FIG. 12 shows an ECU (Electronic Control Unit) for vehicle control. The ECU 1 is configured by mounting a microcomputer 3 and other peripheral circuits (not shown) on a substrate 2. The control program for the microcomputer 3 may be stored in a rewritable nonvolatile memory such as the flash memory 4. The control program on the flash memory 4 executed by the CPU 5 is rewritten as necessary for debugging and version upgrade.

When the flash memory 4 is rewritten, the microcomputer 3 is set to a rewriting mode and reset to start a rewriting program stored in the ROM 6 on the microcomputer 3, for example, and the CPU 5 is connected to an external device (not shown). Write the data transferred from the rewrite device. For example, Patent Document 1 discloses a technique related to rewriting of the flash memory as described above.
JP 2000-20178 A

By the way, if the microcomputer can be reset from the outside, the power supply voltage drops while the flash memory is being rewritten, or the communication line to the rewrite device is disconnected. Even if rewriting fails, it is sufficient to start the rewriting program by resetting the microcomputer and retry the rewriting by repeating the same procedure.
However, when the ECU is actually operating in the field, it is not necessary to perform reset control from the outside. Therefore, providing an extra terminal for resetting is redundant, leading to an increase in cost. Therefore, it is preferable to configure the ECU so that only the power-on reset acts.

And since ECU is in the state which always receives the power supply from the battery of a vehicle in a field, a power-on reset does not generate | occur | produce fundamentally. Further, if no reset occurs, there is no opportunity to switch the operation mode of the microcomputer to “rewrite mode” or the like, so that a terminal for mode switching should be unnecessary.
However, assuming the configuration as described above, if rewriting of the flash memory fails in the middle, there is no means for starting the rewriting program, so that rewriting of the flash memory cannot be performed again.

  For example, in the normal operation state where the ECU is executing the application program written in the flash memory, if the rewriting program is started upon recognizing that the rewriting command is given from the external writing device, the rewriting is performed once. It can be performed. However, if the above rewriting fails midway, the application program will not be executed normally thereafter, and the CPU on the ECU will not be able to recognize the rewriting command. Therefore, it was actually difficult to reduce the number of terminals of the microcomputer.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a microcomputer capable of restarting a rewriting program without switching modes via an external terminal when rewriting of a nonvolatile memory fails. There is to do.

According to the microcomputer of claim 1, when the rewrite program is executed by the CPU, the rewrite check area of the first memory is cleared first, then the entire area of the memory is rewritten, and finally the rewrite check area Write the rewrite completion code in. When the determination program is executed by the CPU, first, the rewrite check area of the first memory is read.
Here, if the data in the rewrite check area matches the rewrite completion code, this indicates that the rewrite of the first memory has been completed normally, and the CPU executes the application program. On the other hand, if the data does not match the rewrite completion code, it indicates that the rewriting of the first memory has failed in the middle, so the CPU executes the rewriting program again.

  That is, for example, when the power-on reset of the microcomputer is released, if the CPU is set to execute the determination program first, the application program in the first memory can be rewritten normally by referring to the rewrite check area. Whether rewriting has failed or not can be retried. Accordingly, it is not necessary to provide a reset terminal or a mode setting terminal as an external terminal of the microcomputer in order to retry the rewriting of the first memory, and the microcomputer package can be downsized to reduce the cost.

  According to the microcomputer of the second aspect, when the rewrite program is executed by the CPU, the same ID code is written in the two rewrite permission ID areas of the first memory. Then, when the CPU executes the determination program, if the data read from the rewrite check area does not match the rewrite completion code, the first and second rewrite permission ID areas are read, and both the data are the ID If it matches the code, the rewriting program is executed. That is, if the ID codes match as described above, it is confirmed that the subject who has written to the memory has a legitimate access right to the first memory, so that unauthorized writing can be prevented. it can.

  According to the microcomputer of claim 3, when the rewrite program is executed by the CPU, the same ID code is written in the first and second rewrite permission ID areas set in the two blocks of the first memory, If the data read from the rewrite check area does not match the rewrite completion code when the CPU executes the determination program, the first and second rewrite permission ID areas are read for two blocks, respectively. Then, if both of the read data in one of the blocks match the ID code, the rewrite program is executed.

  That is, the two blocks of the first memory are not erased or written at the same time. If rewriting of the first memory fails in the middle, depending on the timing, it is assumed that one block has not been rewritten, and therefore the ID code cannot be confirmed. Therefore, in the rewriting program, if the ID code is written to the two blocks in the same manner and the ID code match is determined for each block, the match can be reliably confirmed in either one of the blocks. it can.

According to the microcomputer of claim 4, when the partial rewrite program is executed by the CPU, the partial rewrite check area of the first memory is first cleared, and then the memory is rewritten from the start position to the end position. Finally, a partial rewrite completion code is written in the partial rewrite check area. Then, when the CPU executes the determination program and the data read from the rewrite check area matches the rewrite completion code, the flag storage area is subsequently referred to. If permission is set, the partial memory rewrite check is performed. Read the area.
When the read data matches the partial rewrite completion code, the application program is executed, and when the data does not match the partial rewrite completion code, the partial rewrite program is executed. Therefore, the same effect as in claim 1 can be obtained even when rewriting fails while rewriting only a part of the first memory.

  According to the microcomputer of claim 5, when the CPU executes the rewrite program, the same ID code is written in the first and second rewrite permission ID areas of the first memory, and the partial rewrite to the flag storage area is performed. Enable / disable setting, write setting of start position and end position are also performed. When the CPU executes the determination program and the data read from the rewrite check area matches the rewrite completion code, the first and second rewrite permission ID areas are read out, and both read data match the ID code. Refer to the flag storage area. Therefore, even when partial rewriting of the first memory is performed, ID code matching can be confirmed.

  According to the microcomputer of claim 6, the rewrite check area in claim 1 is set as a full rewrite check area, and the first memory has a flag storage area for performing partial rewrite permission / inhibition setting in claim 4; The area for writing the start position and the end position is set in a size within the minimum write unit defined for the first memory together with the all-rewrite check area. Further, full rewriting and partial rewriting of the first memory are executed in the same manner as in claims 1 and 4 respectively. Here, the “minimum write unit” is the minimum size of data written to the first memory in one write cycle, and is determined according to the design specifications of the microcomputer.

When the determination program is executed by the CPU, first, the entire rewrite check area of the first memory is read, and if the data does not match the complete rewrite completion code, the complete rewrite program is executed. If the data matches the complete rewrite completion code, the flag storage area is referred to.If permission is set, the partial rewrite check area is read. If the data matches the partial rewrite completion code, the application program is read. If the data does not match the partial rewrite completion code, the partial rewrite program is executed.
That is, the information related to the partial rewrite of the first memory is meaningful at least after the complete rewrite is completed once. Therefore, if the partial rewrite information has the size within the minimum write unit together with the full rewrite check area, the amount of information is reduced. Reduced and can be used effectively. As a result, the execution of the determination program can be completed within a shorter time.

  According to the microcomputer of the seventh aspect, in the partial rewrite check area, for the area to be subjected to partial rewrite next, the storage area of the flag for setting permission / prohibition of partial rewrite, the start position, and the end position Is set to a size within the minimum writing unit, and one or more partial rewrite check areas are arranged. Therefore, partial rewriting can be performed for a plurality of areas where the addresses are discontinuous.

  According to the microcomputer of the eighth aspect, since the CPU executes the determination program at the time of resetting, the CPU checks whether or not the writing to the first memory is normally performed when the reset is released. When an erroneous writing or data corruption occurs, the execution of the user program can be stopped to prevent the program from running out of control.

  According to the microcomputer of the ninth aspect, since the CPU executes the determination program when the low power consumption mode is canceled (during wake-up), whether or not writing to the first memory is normally performed. By checking this at the time of wakeup, the execution of the user program can be stopped and the program runaway can be prevented beforehand when erroneous writing or data corruption occurs.

(First embodiment)
Hereinafter, a first embodiment of the present invention will be described with reference to FIGS. FIG. 5 is a block diagram showing the configuration of the microcomputer 11 of the present invention. For example, the microcomputer 11 constitutes a vehicle control ECU in the same manner as the microcomputer 3. With the CPU 12 as the center, the ROM (second memory) 13, the RAM 14, the flash memory (first memory) 15, the flash controller 16, communication A circuit 17 and the like are provided, and these are connected via an address bus 18 and a data bus 19.

  The flash memory 15 stores a user program 20 that is a control program as an ECU executed by the CPU 12. The ROM 13 has a rewrite program 21 for writing the user program 20 to the flash memory 15 and a determination program 22 for determining the status of the flash memory 15 in order to determine which of the user program 20 and the rewrite program 21 is executed. It is remembered. The flash controller 16 performs block management and error correction processing of the flash memory 15 when the CPU 12 accesses the flash memory 15.

  The communication circuit 17 is a communication interface corresponding to a protocol such as UART, other serial communication, or an in-vehicle LAN such as CAN. When the user (application) program 20 of the flash memory 15 is rewritten, an external interface is used. Communication is performed with the rewriting device 23. Then, the rewrite data 24 transferred from the rewriting device 23 is written in the RAM 14.

  Next, the operation of this embodiment will be described with reference to FIGS. Note that the initial writing of the user program 20 to the flash memory 15 is preliminarily performed using a ROM writer or the like (or “NO” is determined in step S6 of FIG. 1 described later). In this case, the first write to the flash memory 15 can be performed by branching to the rewrite program 21 instead of branching to the user program 20).

FIG. 2 shows a memory map of the flash memory 15, and FIG. 3 shows a procedure of the entire rewriting process by the rewriting program 21, and a change in the state of the flash memory 15 accompanying the rewriting process. As shown in FIG. 2, the flash memory 15 is divided into, for example, blocks 0 to n in units of 64 Kbytes, and the rewriting process is also performed in units of blocks.
Then, “FLASH status 0 (rewrite check area)” and “ID area 2” indicating the completion of “rewrite all” are arranged in the first block 0, and “ID area 1” is arranged in the end block n. It has become so. Further, the block 6 is set as a head block when “partial rewriting” is performed as an example, and “FLASH status 1 (partial rewriting check area)” indicating the completion of “partial rewriting” is arranged.

In the “FLASH status 0”, predetermined data, for example, 55AA... 55AAH is written at the stage when the entire rewriting process is completed. Similarly, for “FLASH status 1”, for example, “55AA... 55AA (hereinafter, the data value is indicated by HEX)” is written when the partial rewriting process is completed. The same data is written in “ID area 2” and “ID area 1”, and is used for collation confirmation described later.
In these “ID areas”, IDs and passwords that permit rewriting of the flash memory 15 are stored, and the same ID statuses (ID codes) 1 and 2 are written at the beginning and end of the areas. In addition, a flag storage area for setting permission / prohibition of partial rewriting, an area for storing the start block number and end block number for partial rewrite, and other program IDs and passwords are stored.

<All rewrite processing>
In the all-rewrite process shown in FIG. 3, the CPU 12 first writes and clears data “0000... 0000” in “FLASH status 0” of block 0, and then blocks each block 0,. , “Erase”, “Write”, and “Verify” are sequentially performed. Finally, the data “55AA... 55AA” is written in “FLASH status 0”, and the process ends.
It should be noted that the data related to “partial rewrite” in the ID areas 2 and 1 is set at this stage to allow / prohibit and to set start and end block numbers depending on whether or not “partial rewrite” is performed later. Is written.

  Further, FIG. 3 shows a state in which the write data of “FLASH status 0, 1” and “ID status 1, 2” in the ID area 2, 1 change as the entire rewrite process proceeds. If the flash memory 15 has already been written, the data of “FLASH status 0” is “55AA ... 55AA”. The data “0000... 0000” is written first, but changes to “FFFF... FFFF” when the next block 0 is erased, and “FLASH status 0” is not written at the next “write”. The above data value is maintained. And it returns to "55AA ... 55AA" by the last writing process. Therefore, “FLASH status 0” during the entire rewriting process is a value other than “55AA... 55AA”.

  In addition, “FLASH status 1” has an initial value of “55AA... 55AA” in a state where writing has already been performed, but changes to “FFFF... FFFF” by erasing block 6, and the next “writing "Is written back to" 55AA ... 55AA ". The initial values of “ID status 2_1, 2_2” in the ID area 2 are also written back to “55AA... 55AA”, “FFFF... FFFF” when erasing block 0, and “55AA. Similarly, the initial values of “ID status 1_1, 1_2” in the ID area 1 are also written back to “55AA... 55AA”, “FFFF... FFFF” when erasing block n, and “55AA. .

  When a write error is detected in “verify” during the entire rewrite process, the CPU 12 generates an internal reset at that time and starts execution from the reset vector, and the determination program 22, that is, the flash status shown in FIG. Judgment processing is executed. In addition, for example, the time from the start to the end of all rewrite processing may be counted by a timer, and an internal reset may be generated when the processing does not end within a predetermined time (timeout). In FIG. 1, the CPU 12 reads “FLASH status 0” from the flash memory 15 and determines whether or not the data value matches the rewrite completion code “55AA... 55AA” (step S1).

  If the data value of “FLASH status 0” does not match the rewrite completion code (“NO”), the CPU 12 determines whether both of “ID status 2_1, 2_2” in the ID area 2 are normal codes “55AA... 55AA”. It is determined whether or not (step S5). If both are normal codes (“YES”), it is determined that the ID and password written in the ID area 2 are valid, and execution of the rewriting program 21 is started. In this case, the rewriting program 21 authenticates the ID and password written in the ID area 2 and starts the processing of the flowchart of FIG. 3 if the authentication result is “OK”.

If “NO” is determined in the step S5, the CPU 12 proceeds to a step S6 so as to determine whether or not the “ID statuses 1_1 and 1_2” in the ID area 1 are all normal codes “55AA... 55AA”. If both are normal codes (“YES”), it is determined that the ID and password written in the ID area 1 are valid, and the execution of the rewrite program 21 is started.
That is, as shown in FIG. 3, when the entire rewriting process is completed in a state where writing is not correctly performed for either one of the ID areas 2 and 1, the ID status is “FFFF... FFFFF”, which is normal. Is not written. However, since normal data is always written in the other ID area, one of the valid ones is selected.

If neither of the ID areas 2 and 1 is normal data (step S6, “NO”), the CPU 12 executes the user program 20. In this case, there is an abnormal state in which, for some reason, the first writing to the user program 20 has not been normally performed, or a failure has occurred in a part of the flash memory 15 or the buses 18 and 19. Presumed.
Therefore, if rewriting is executed as it is, abnormal data may be written to the flash memory 15, so that the process branches to the user program 20. If the memory check routine prepared in the program 20 is normal, the checksum of the flash memory 15 is calculated by the check routine. As a result, if an abnormality is determined, error processing is performed. In this case, since it is impossible to perform normal writing in the flash memory 15, measures such as component replacement are performed as necessary.

<Partial rewrite processing>
FIG. 4 shows a partial rewriting process of the flash memory 15. As described above, the partial rewriting process is assumed to be performed by updating a part of the user program 20 while the ECU-microcomputer 11 is powered on in the field. Accordingly, when the microcomputer 11 is executing the user program 20, the rewriting device 23 is connected, and when the rewriting device 23 issues a partial rewrite command, the user program 20 recognizes the partial rewrite command, and FIG. The partial rewriting process is executed. The block 0 of the flash memory 15 is determined in advance so as not to be partially rewritten.

  FIG. 4 shows a case where partial rewriting of the block 6 is performed, and the start block number and end block number of the ID area are both set to “6”. Note that the partial rewriting program is a part of the rewriting program 21. The CPU 12 first writes and clears data “0000... 0000” in the “FLASH status 1” of the block 6 and then sequentially performs “erasing”, “writing”, and “verifying” of the block 6. Finally, the data “55AA... 55AA” is written in “FLASH status 1”, and the process ends.

  FIG. 4 shows a state in which the write data of “FLASH status 1” changes with the progress of the partial rewriting process. Since only the block 6 is rewritten, the data of “FLASH status 0” and “ID statuses 1 and 2” in the ID areas 2 and 1 remain “55AA... 55AA”.

  In this case, since the flash memory 15 has already been written, the data of “FLASH status 1” is “55AA... 55AA”. The data “0000... 0000” is written first, but changes to “FFFF... FFFF” by erasing the next block 6, and “FLASH status 1” is not written in the next “write”, and the above data Keep the value. And it returns to "55AA ... 55AA" by the last writing process. Accordingly, “FLASH status 0” during the partial rewriting process is a value other than “55AA... 55AA”.

  Further, when a write error is detected in the “verify” of the block 6 in the partial rewrite, the CPU 12 similarly generates an internal reset at that time and starts execution from the reset vector, and performs the flash status determination process shown in FIG. Execute. In this case, since the data value of “FLASH status 0” matches the rewrite completion code, the CPU 12 determines “YES” in step S1, and the “ID status 2_1, 2_2” in the ID area 2 is the same as in step S5. Is also a normal code (step S2).

  If the status of the ID area 2 is a normal code (“YES”), the CPU 12 determines whether or not partial rewriting is set to “permitted” in the area (step S3). If it is set to “permitted” (“YES”), the “FLASH status 1” in the block 6 is read, and it is determined whether or not the data value matches the rewrite completion code “55AA. S4). If it does not match the rewrite completion code (“NO”), the process branches to the rewrite program 21 and the partial rewrite process in FIG. 4 is retried.

  In the case of the partial rewriting process, since block 0 is excluded from the rewriting target, basically “YES” should be determined in step S2, and “NO” is determined in step S6. Similar to the case where “NO” is determined, the state is abnormal. Therefore, similarly, the program branches to the user program 20, and the memory check routine is executed. Further, it is not necessary to repeatedly check the ID area 1 of the block n as in steps S5 and S6.

  In addition, the occurrence of an internal reset in the CPU 12 also occurs when a runaway is detected by a watchdog timer or the like, or due to a bus error or the like. In this case, the determination process of FIG. 1 is executed. At this time, if the rewriting of the flash memory 15 is normally performed, the determination process determines “YES” in steps S1 to S4. Therefore, the CPU 12 exits the determination process and branches to the user program 20. The program 20 is executed. Further, when the partial rewrite process is set to “prohibited” in step S3 (“NO”), the process branches to the user program 20.

  As described above, according to this embodiment, when the rewrite program 21 is executed by the CPU 12 of the microcomputer 11, the FLASH status 0 of the flash memory 15 is first cleared and then the entire area of the memory 15 is rewritten. Finally, the rewrite completion code “55AA... 55AA” is written in the FLASH status 0. When the CPU 12 executes the determination program 22, first, the FLASH status 0 of the flash memory 15 is read. If the data does not match the rewrite completion code, the CPU 12 executes the rewrite program 21 again.

  That is, if the CPU 12 executes the determination program 22 and refers to the FLASH status 0, it can be determined whether or not the user program 20 of the flash memory 15 has been normally rewritten, and can be retried if rewriting has failed. . Accordingly, it is not necessary to provide a reset terminal or a mode setting terminal as an external terminal of the microcomputer 11 in order to retry the rewriting of the flash memory 15, and the package of the microcomputer 11 can be downsized to reduce the cost. .

  Further, when the CPU 12 executes the rewrite program 21, the same ID code is written to the two ID statuses 2_1 and 2_2 of the flash memory 15, and when the determination program 22 is executed, the data of the FLASH status 0 matches the rewrite completion code. Otherwise, the ID statuses 2_1 and 2_2 are read out, and if both data match the ID code, the rewrite program 21 is executed, so that the subject who has written in the memory 15 has a legitimate access right. This can be confirmed to prevent unauthorized writing.

  Further, the same ID code is written to the ID statuses 2 and 1 set in the two blocks 0 and n of the flash memory 15, the CPU 12 executes the determination program 22, and the data of the FLASH status 0 matches the rewrite completion code. If not, the ID statuses 2 and 1 are read for the two blocks 0 and n, respectively, and if both read data match the ID code in either block, the rewrite program 21 is executed. Therefore, even if rewriting of the flash memory 15 fails in the middle, it is possible to reliably confirm the coincidence of the ID code in any one of the blocks.

When the partial rewrite program which is a part of the rewrite program 21 is executed by the CPU 12, the flash status 1 of the flash memory 15 is cleared first, the memory is rewritten from the start position to the end position, and finally the partial rewrite program 21 is executed. A partial rewrite completion code “55AA... 55AA” is written in FLASH status 1.
Then, when the CPU 12 executes the determination program 22 and the data of the FLASH status 1 matches the rewrite completion code, the flag storage area is subsequently referred to, and if the permission is set, the FLASH status 1 is read. When the read data does not match the partial rewrite completion code, the partial rewrite program is executed. Therefore, when rewriting fails while rewriting only a part of the flash memory 15, the same as in the case of all area rewriting is performed. An effect can be obtained. For example, this is effective when a part of the user program 20 is rewritten in the field to upgrade the version.

  In addition, when the CPU 12 executes the rewrite program 21, the same ID code is written in the ID statuses 2_1 and 2_2 of the flash memory 15, and the partial rewrite permission / prohibition setting, the start position and the end position are written in the flag storage area. Also set. Then, the CPU 12 executes the determination program 22, and if the data read from the FLASH status 0 matches the rewrite completion code, the ID status 2_1 and 2_2 are read respectively. If both read data match the ID code, the FLASH status is read. Since ID 1 is referred to, ID code matching can be confirmed even when partial rewriting of the flash memory 15 is performed.

  Furthermore, since the CPU 12 executes the determination program 22 at the time of resetting, by checking whether or not writing to the flash memory 15 is normally performed when the reset is released, erroneous writing or garbled data is obtained. In such a case, the execution of the user program 20 can be stopped to prevent the program 20 from running out of control.

(Second embodiment)
6 to 9 show a second embodiment of the present invention. The same parts as those in the first embodiment are denoted by the same reference numerals and the description thereof will be omitted. Hereinafter, different parts will be described. FIG. 6 is a diagram corresponding to FIG. 2 of the first embodiment. In the second embodiment, in the first 16 bytes of the first block 0, together with “FLASH status 0”, a flag storage area for setting permission / prohibition of partial rewrite, and the start block number and end block number of partial rewrite are stored. Area to be placed. “ID area 2” and “ID area 1” are deleted. Further, unlike the first embodiment, no special area setting is performed for the end block n. As in the first embodiment, the block 6 is set as the head block when “partial rewriting” is performed, and “FLASH status 1” is arranged.

  The 16 bytes is a size set as a minimum writing unit when the flash controller 16 writes data to the flash memory 15. That is, even when the CPU 12 writes 1-byte data to the flash memory 15, the flash controller 16 performs error checking. Therefore, the write (read / modify) is performed in units of continuous 16-byte data including the address of the 1-byte data.・ Light).

Next, the operation of the second embodiment will be described.
<All rewrite processing>
In the full rewrite process shown in FIG. 7, the partial rewrite permission prohibition flag is set to “permitted” = “01H”, and the partial rewrite start block / end block is set to “0006H”. The CPU 12 first writes and clears the data “0000... 0000” in the “FLASH status 0” of the block 0, and clears the partial rewrite permission prohibition flag and the partial rewrite start block / end block storage area to zero. As in the first embodiment, “erase”, “write”, and “verify” are sequentially performed for each block 0,..., 6,. Finally, the data “55AA... 55AA” is written in “FLASH status 0”, the partial rewrite permission prohibition flag is written in “01H”, and “0006H” is written in the partial rewrite start block / end block. That is, regarding the “FLASH status 0, 1”, the change in the data value is exactly the same as in the first embodiment.

<Partial rewrite processing>
FIG. 8 shows a partial rewriting process of the flash memory 15. Also in the partial rewriting process, the change in the data value related to “FLASH status 1” is exactly the same as in the first embodiment. Then, the “FLASH status 0”, the state of the partial rewrite permission prohibition flag, and the values of the partial rewrite start block / end block remain the initial values.
FIG. 9 shows the flash status determination process corresponding to FIG. 1 and includes only steps S1, S3 and S4. That is, in the second embodiment, since it is not checked whether the ID status is a normal code, the determination process is simplified.

  As described above, according to the second embodiment, the storage area of the flag for setting the permission / prohibition of partial rewriting, the area for writing the start position and the end position, and the minimum rewrite unit of the flash memory 15 together with the entire rewrite check area. The size was set. That is, the information related to the partial rewrite of the flash memory 15 is meaningful at least after the complete rewrite is completed once, so that the amount of information can be reduced by providing the partial rewrite information together with the full rewrite check area in the size of the minimum write unit. And can be used effectively.

  Further, one of the prior arts related to the present invention is disclosed in International Publication No. WO 2004/031966. In this prior art, in order to determine which block has been erased in a memory composed of a plurality of blocks (minimum erase unit), each block is provided with a flag, and the state of the flag is determined. It is determined whether or not. However, when the state of the flag provided for each block is determined when the microcomputer is activated, the activation of the program is delayed because the determination takes time, and this activation delay increases the number of memory blocks. Along with it.

In use as a data memory, since the host microcomputer itself using the memory initializes at the time of startup, it is possible to determine the memory during that time. However, in use as a program memory, a delay in activation due to processing of the memory leads to a delay in activation of the program, that is, the microcomputer itself.
On the other hand, according to the second embodiment, since the ID code is not checked for the flash memory 15 as in the first embodiment, the execution of the determination program can be completed in a shorter time.

(Third embodiment)
10 and 11 show a third embodiment of the present invention, and only the parts different from the second embodiment will be described. The third embodiment shows processing corresponding to a case where there are a plurality of blocks to be partially rewritten. As shown in FIG. 10, it is assumed that the blocks to be partially rewritten are two blocks “6, 11”. In this case, in the FLASH status 0 of the block 0, information for performing the partial rewrite (1) of the block 6 is arranged as in the second embodiment, and the partial rewrite of the block 11 is included in the FLASH status 1 of the block 6 Information for performing (2), that is, a flag storage area for setting permission / prohibition of partial rewrite (2) and an area for storing the start block number and end block number of partial rewrite are 16 bytes in total. Has been placed.

In block 11, FLASH status 2 is arranged as a partial rewrite check area, and information for performing partial rewrite (3) is performed together with the FLASH status 2 in response to subsequent partial rewrite. Are arranged in a total of 16 bytes. When partial rewriting (3) is not performed, the permission / prohibition setting flag is set to “prohibited”.
FIG. 11 is a diagram corresponding to FIG. 9, and steps S3 and S4 in FIG. 9 are steps S3 ′ and S4 ′ corresponding to partial rewriting (1). Subsequently, determination steps corresponding to partial rewriting (2) are arranged as steps S11 and S12.

  If the partial rewriting is defined as a maximum of 2 blocks, the determination process shown in FIG. 11 may be used. If the partial rewriting is performed up to a maximum of 3 blocks, the partial rewriting (3 The determination step corresponding to) may be arranged as steps S13 and S14. In this case, in the case of the third embodiment, since the permission / prohibition setting flag for partial rewriting (3) is set to “prohibited”, it is determined (NO) in step S13 and the process proceeds to the user program. .

  As described above, according to the third embodiment, in the partial rewrite check area of the block 6, the storage area for the flag for setting permission / prohibition of partial rewrite for the area to be subjected to partial rewrite next, and the start The area for writing the position and end position is set in the size of the minimum writing unit, and one or more partial rewriting check areas are arranged, so that partial rewriting can be performed for a plurality of blocks whose addresses are discontinuous. .

The present invention is not limited to the embodiments described above or shown in the drawings, and the following modifications are possible.
The same ID area as that of block 0 is provided in block n, and the process of double checking in steps S5 and S6 may be performed as necessary. The ID code check in block 0 may be performed as necessary.
Where the FLASH statuses 0 and 1 and the ID areas 2 and 1 are arranged in the flash memory 15 may be changed as appropriate.
The data value of the rewrite completion code and ID code can be changed as appropriate.
Block 0 may be a target of partial rewriting.
The block capacity of the flash memory 15 is not limited to 64 Kbytes.
The first memory is not limited to one that is rewritten in units of blocks. Further, when performing the rewriting, the “verify” process may be performed according to the specifications of the memory.
Furthermore, the check in step S2 may be performed as necessary.
The partial rewriting process may also be performed when required by the specifications.
The rewrite data 24 is not limited to the batch transfer to the RAM 14 and may be rewritten while receiving data sequentially transmitted from the rewrite device 23.

When the microcomputer 11 is configured to be able to execute a low power consumption mode (sleep, stop mode) that waits in a state where the supply of the operation clock is stopped, the CPU 12 cancels the determination program 22 in the low power consumption mode. It may be executed during (wake-up). With this configuration, the user program 20 can be executed when erroneous writing or garbled data occurs by checking whether or not the writing to the flash memory 15 is normally performed at the time of wakeup. To prevent the program 20 from going out of control.
The minimum writing unit is not limited to 16 bytes, and may be appropriately changed according to the individual specifications of the microcomputer.
The flash controller 16 may be provided as necessary, and the CPU 12 may directly write to the flash memory 15.
The total size of “FLASH status 0, 1” and the like and information related to partial rewriting in the second and third embodiments may be smaller than the minimum writing unit.
The present invention is not limited to the microcomputer constituting the vehicle control ECU, and any microcomputer having a rewritable nonvolatile memory can be applied.

The flowchart which shows the content of the flash status determination process which is 1st Example of this invention. Memory map of flash memory The figure which shows the procedure of all the rewriting processes by a rewriting program, and the state change of the flash memory accompanying the rewriting process 3 equivalent diagram corresponding to partial rewrite processing Block diagram showing the configuration of the microcomputer FIG. 2 equivalent diagram showing a second embodiment of the present invention. 3 equivalent figure 4 equivalent diagram 1 equivalent diagram FIG. 6 equivalent view showing a third embodiment of the present invention. Fig. 9 equivalent The figure which shows the rewriting state of the flash memory in the conventional ECU

Explanation of symbols

  In the drawing, 11 is a microcomputer, 12 is a CPU, 13 is a ROM (second memory), 15 is a flash memory (first memory), 20 is a user program (application program), and 21 is a rewrite program (partial rewrite program). Show.

Claims (9)

A rewritable non-volatile first memory in which an application program is stored, a rewriting program for rewriting the first memory, and a determination program for performing rewriting determination of the first memory are stored. In a microcomputer comprising a second memory and a CPU that reads and executes each program,
When the rewrite program is executed by the CPU, the rewrite check area of the first memory is first cleared and then the entire area of the memory is rewritten, and finally the rewrite completion code is written in the rewrite check area.
When the determination program is executed by the CPU, the rewrite check area of the first memory is read first, and when the read data matches the rewrite completion code, the application program is executed, and the data is A microcomputer that executes the rewriting program when it does not match the rewriting completion code. When the rewrite program is executed by the CPU, the same ID code is written in the first and second rewrite permission ID areas of the first memory,
When the determination program is executed by the CPU and the data read from the rewrite check area of the first memory does not match the rewrite completion code, the first and second rewrite permission ID areas are read respectively. 2. The microcomputer according to claim 1, wherein said rewriting program is executed when both of the read data coincide with said ID code. When the first memory is rewritten in units of a predetermined capacity block,
When the rewrite program is executed by the CPU, the same ID code is written in the first and second rewrite permission ID areas set in the two blocks of the first memory,
When the CPU executes the determination program and the data read from the rewrite check area of the first memory does not match the rewrite completion code, the first and second rewrite permission IDs for the two blocks 3. The microcomputer according to claim 2, wherein each of the areas is read, and when both read data in any one of the blocks match the ID code, the rewriting program is executed. The second memory also stores a partial rewriting program for performing partial rewriting of the first memory,
In the first memory, a flag storage area for performing the partial rewrite permission / prohibition setting and an area for writing a start position and an end position are set.
When the partial rewrite program is executed by the CPU, the partial rewrite check area of the first memory is first cleared, then the memory is rewritten from the start position to the end position, and finally the partial rewrite check is performed. Write the partial rewrite completion code in the area,
When the CPU executes the determination program and the data read from the rewrite check area of the first memory matches the rewrite completion code, the permission is set by referring to the flag storage area. If so, the partial rewrite check area is read. If the read data matches the partial rewrite completion code, the application program is executed. If the data does not match the partial rewrite completion code, the partial rewrite check area is executed. The microcomputer according to any one of claims 1 to 3, wherein the program is executed. When the rewrite program is executed by the CPU, the same ID code is written in the first and second rewrite permission ID areas of the first memory, and the partial rewrite permission / prohibition setting in the flag storage area; Write setting of the start position and end position,
When the determination program is executed by the CPU and the data read from the rewrite check area matches the rewrite completion code, the first and second rewrite permission ID areas are read respectively, and both read data are 5. The microcomputer according to claim 4, wherein when both coincide with the ID code, the flag storage area is referred to. A rewritable nonvolatile first memory in which an application program is stored, a total rewrite program for performing a complete rewrite of the first memory, and a determination program for performing a rewrite determination of the first memory are stored. A microcomputer comprising: a second memory; and a CPU that reads and executes each of the programs,
When the all-rewrite program is executed by the CPU, first the all-rewrite check area of the first memory is cleared and then all the areas of the memory are rewritten, and finally the all-rewrite completion code is stored in the rewrite check area. Write
The second memory also stores a partial rewriting program for performing partial rewriting of the first memory,
In the first memory, a storage area for a flag for setting the permission / prohibition of partial rewriting and an area for writing a start position and an end position are defined for the first memory together with the all-rewrite check area. It is set by the size within the writing unit,
When the partial rewrite program is executed by the CPU, the partial rewrite check area of the first memory is first cleared, then the memory is rewritten from the start position to the end position, and finally the partial rewrite check is performed. Write the partial rewrite completion code in the area,
When the determination program is executed by the CPU, first, the entire rewrite check area of the first memory is read, and when the read data does not match the complete rewrite completion code, the complete rewrite program is executed, If the data matches the complete rewrite completion code, the flag storage area is subsequently referred to, and if the permission is set, the partial rewrite check area is read, and the read data is the partial rewrite complete. The microcomputer executes the application program when the code matches the code, and executes the partial rewrite program when the data does not match the partial rewrite completion code. In the partial rewrite check area, a storage area for a flag for setting permission / prohibition of partial rewrite and an area for writing a start position and an end position for the area to be subjected to partial rewrite next, and a minimum write area It is set with the size within the unit,
7. The microcomputer according to claim 6, further comprising one or more partial rewrite check areas.   The microcomputer according to claim 1, wherein the CPU executes the determination program at the time of resetting.   The microcomputer according to claim 1, wherein the CPU executes the determination program when the low power consumption mode is canceled.

Images