JP2012234437A - In-vehicle communication system and control unit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve an effect preventing a fraudulent rewriting of software of a control unit.SOLUTION: In the in-vehicle communication system in which an engine ECU and a vehicle integrated ECU are connected via a communication line, the two ECUs store same connection confirmation data. The engine ECU, upon receiving a rewrite start notification from a rewrite tool connected to the communication line, executes processes (S110, S180, and the like) including a process of executing a predetermined communication with the rewrite tool, and then executes a rewrite process (S200) for rewriting control software in a flash memory to control software from the rewrite tool. However, by the start of the rewrite processing, the engine ECU obtains connection confirmation data from the vehicle integrated ECU, executes processes (S120, S150, S170, and S190) for determining whether or not the data matches connection confirmation data of the engine ECU, and, when it is determined not to match therewith, prohibits the rewrite process. Thereby, fraudulent rewriting by removing the engine ECU and using the engine ECU as a single body can be prevented.

Description

  The present invention relates to a technique for preventing software of a control unit mounted on a vehicle from being rewritten illegally.

In vehicles (automobiles), an in-vehicle communication system in which a plurality of control units communicate via communication lines is employed.
As a control unit (in-vehicle control unit) that is a component of the in-vehicle communication system, an electrically rewritable nonvolatile memory such as an EEPROM or a flash memory (hereinafter also referred to as a rewritable nonvolatile memory) In addition, software (hereinafter also referred to as control software) consisting of a control program and control data for controlling the controlled object is stored, and the control software in the non-volatile memory is stored in the control unit even after being supplied to the market. Can be rewritten from outside (so-called on-board rewritable).

  That is, this type of control unit normally executes control software in a rewritable nonvolatile memory (specifically, a control program of the control software is executed) by a microcomputer mounted on the control unit. The control object is controlled according to the control software. On the other hand, when the rewrite tool, which is an external device for rewriting the control software, is connected to the communication line of the in-vehicle communication system and a rewrite start notification is transmitted from the rewrite tool, the control unit Reprogramming permission communication (communication for determining whether or not to rewrite control software) with a predetermined procedure and contents between them is performed, and rewritable non-volatile if the communication ends normally The rewriting process is performed to rewrite the control software in the memory with new control software transmitted from the rewriting tool. Note that the processing performed by the control unit, such as processing for communication with the rewriting tool and rewriting processing, is actually performed by the microcomputer of the control unit.

  Patent Document 1 describes a technique for preventing control software stored in a rewritable nonvolatile memory of a control unit from being rewritten with software that is not compatible with the control unit. Specifically, the control unit stores an identification number and is a data card that is attached to the rewriting tool and that is compatible with the new control software. Storing the information indicating the identification number of the control unit, the control unit acquires the information by communication from the rewriting tool, and prohibits rewriting of the control software if the information and its identification number do not match, The technology is described.

JP-A-11-141394

  By the way, according to the on-board rewritable control unit, if you want to change the control content after supplying it to the market, you can easily cope with it by rewriting the control software. There is also a possibility of rewriting (that is, rewriting without using a regular rewriting tool).

  As a technique for preventing unauthorized rewriting of control software, for example, it is conceivable to use the technique of Patent Document 1. That is, it is conceivable that the control unit compares the identification number acquired from the rewriting tool with its own identification number and prohibits execution of the rewriting process if both identification numbers do not match. In general, such a concept of collation is applied to the rewrite permission communication.

  However, a person who intends to rewrite the control software illegally (hereinafter referred to as a fraudulent person) analyzes the procedure and contents of the rewrite permission communication performed between the control unit and the rewrite tool, and creates a regular rewrite tool. The possibility of creating a device that functions in the same way is not zero.

  However, it is expected that such analysis work is performed by removing the control unit from the vehicle and connecting a measuring device to the communication terminal of the control unit that has become a single unit. In a state where the control unit is mounted on a vehicle and can communicate with other in-vehicle control units, it is not only workable, but also an estimation factor when trying to analyze the content of communication with the rewriting tool This is because the analysis is considered to be extremely difficult.

  The present invention pays attention to such points, and provides an in-vehicle communication system that is highly effective in preventing the software of the control unit from being illegally rewritten, and a control unit that constitutes the in-vehicle communication system. It is aimed.

  In the in-vehicle communication system according to claim 1, a first control unit that controls a control object according to software stored in a rewritable nonvolatile memory (rewritable nonvolatile memory), and the first control unit At least two control units, which are different from the second control unit, are communicably connected via a communication line provided in the vehicle. In addition, a rewriting tool, which is an external device for rewriting software stored in at least the nonvolatile memory of the first control unit, can be attached to and detached from the communication line.

  In this in-vehicle communication system, each of the first control unit and the second control unit includes data storage means in which connection confirmation data having a specific relationship with each other is stored.

  Further, when the first control unit receives a rewrite start notification from the rewrite tool, the first control unit performs a rewrite permission process including a process of performing a predetermined rewrite permission communication with the rewrite tool, and the rewrite permission process. After the above is completed, a rewriting process is performed in which the software in the nonvolatile memory is rewritten with the software transmitted from the rewriting tool.

Furthermore, the first control unit includes a determination unit and a rewrite prohibition unit.
Among them, the determination means communicates with the second control unit between the time when the first control unit receives the rewrite start notification and the time when the rewrite process is started. The connection confirmation data stored in the data storage means is acquired, the other unit connection confirmation data which is the connection confirmation data acquired from the second control unit, and the data storage means of the first control unit. It is determined whether the unit connection confirmation data, which is stored connection confirmation data, has the specific relationship.

  The rewrite prohibition means is used when the determination means does not determine that the other unit connection confirmation data and the own unit connection confirmation data have the specific relationship even though the determination means is operated. Prohibits the rewrite process from being performed in the first control unit.

  In the scope of the claims, the software is not limited to a control program for controlling a controlled object, but includes control data referred to by processing of the control program. The software in the non-volatile memory that is rewritten by the rewriting process may be one or both of the control program and the control data, or a part of the control program or a part of the control data. Department may be sufficient.

  According to the in-vehicle communication system of the first aspect, since the first control unit includes the determination unit and the rewrite prohibition unit, the software of the first control unit (software in the nonvolatile memory) is It can be rewritten only when the first control unit is connected to the communication line of the vehicle together with the other second control unit, that is, mounted on the vehicle. Otherwise, even if the determination means operates, the determination means cannot acquire connection confirmation data (other unit connection confirmation data) from the second control unit. This is because it is not determined that the unit connection confirmation data has a specific relationship and the rewriting process is prohibited.

  For this reason, an unauthorized person who intends to illegally rewrite the software of the first control unit removes the first control unit from the vehicle and becomes a single unit, the communication terminal (connected to the communication line) of the control unit. If the software is rewritten, it is possible to prevent such unauthorized rewriting.

  In addition, even if an unauthorized person attempts to rewrite the software of the first control unit in a state where the first control unit is mounted on the vehicle, the first control unit is not limited to the rewriting tool. Since communication with the control unit 2 shifts to a state in which rewrite processing is performed, it is considered very difficult for an unauthorized person to find all of the transition conditions.

As described above, according to the in-vehicle communication system according to the first aspect, the effect of preventing the software of the control unit (first control unit) from being rewritten illegally can be enhanced.
Next, in the in-vehicle communication system according to claim 2, in the in-vehicle communication system according to claim 1, the rewrite permission process includes a plurality of processes performed in a predetermined order, and the determination unit performs the rewrite permission process. It operates every time a plurality of processes to be completed is completed.

  According to this configuration, the determination unit operates a plurality of times in the first control unit between the time when the first control unit receives the rewrite start notification and the start of the rewrite process. Connection confirmation with the second control unit (authentication using connection confirmation data) is performed a plurality of times. Therefore, it is possible to further enhance the effect of preventing the software of the first control unit from being rewritten illegally.

  For example, a fraudster starts to rewrite the software of the first control unit in a state where the first control unit is mounted on the vehicle, and in the middle of trial and error, the first control unit or Even if the second control unit is removed from the communication line of the vehicle, the software of the first control unit can be made non-rewritable by the rewrite prohibition unit by the operation of the determination unit thereafter.

  Next, in the in-vehicle communication system according to claim 3, in the in-vehicle communication system according to claims 1 and 2, when the first control unit receives a rewrite start notification from the rewrite tool, the data storage of the first control unit is performed. The connection confirmation data stored in the means is transmitted to the rewriting tool, and after the rewriting process is completed, the new connection confirmation data transmitted from the rewriting tool is stored in the data storage means of the first control unit. It is supposed to be updated and stored.

  The rewrite tool updates the connection confirmation data transmitted from the first control unit with a predetermined logic, and the rewrite processing is performed on the updated connection confirmation data by the first control unit. After completion, the new connection confirmation data is transmitted to the first control unit.

  Further, after the rewriting process is completed in the first control unit, the second control unit uses the connection confirmation data stored in the data storage means of the second control unit as the new connection confirmation. The data is updated to the data having the specific relationship with the business data.

  That is, the connection confirmation data stored in the first control unit is updated by the rewriting tool, and the connection confirmation data stored in the second control unit is updated by the second control unit itself. ing.

  According to such an in-vehicle communication system of claim 3, in the unlikely event that the first and second control units are connected to the communication line of the vehicle, the software of the first control unit is an authorized rewriting tool. The connection confirmation data stored in the first control unit is not correctly updated even if it is illegally rewritten by a non-external device (hereinafter referred to as a non-regular external device), and the second control unit The updated connection confirmation data stored in (1) does not have a specific relationship. Therefore, even if the fraudster tries to rewrite the software of the first control unit again in a state where the first and second control units are connected to the communication line of the vehicle, the determination means confirms the connection of the other unit. It is determined that the data for use and the self unit connection confirmation data do not have a specific relationship, and such illegal rewriting after the second time can be prevented.

  Next, in the in-vehicle communication system according to claim 4, in the in-vehicle communication system according to claim 3, the determination unit of the first control unit operates even during a normal control period in which the first control unit controls a control target. It is supposed to be.

  According to this configuration, even if the software of the first control unit is illegally rewritten by the non-regular external device, the first control unit is subsequently activated and the determination means during the normal control period If is operated, the determination means determines that the other unit connection confirmation data and the own unit connection confirmation data do not have a specific relationship.

  Therefore, it is possible to detect that the software has been illegally rewritten by the determination unit that operates during the normal control period. Then, when an unauthorized rewrite of software is detected, some countermeasure processing can be performed.

  As the countermeasure process, for example, a process of storing a history indicating that the software has been illegally rewritten or a process of turning on a warning lamp can be considered. These processes are processes for notifying a vehicle mechanic or the like in a card dealer that software has been illegally rewritten. Moreover, you may comprise so that the process as described in Claim 5 may be performed as another countermeasure process.

  That is, in the in-vehicle communication system according to the fifth aspect, in the in-vehicle communication system according to the fourth aspect, the first control unit includes an output prohibiting unit. Then, the output prohibiting means, when the determination means determines that the other unit connection confirmation data and the own unit connection confirmation data do not have a specific relationship during the normal control period. It is prohibited to output a predetermined signal for controlling the controlled object from the control unit.

According to this configuration, when the software is illegally rewritten, the first control unit does not output a signal for controlling the control target, and thus substantially does not function.
For this reason, illegally rewriting software itself does not make sense, and as a result, the effect of preventing illegal software rewriting can be further enhanced.

  Next, in the in-vehicle communication system according to claim 6, in the in-vehicle communication system according to claims 1 to 5, when the second control unit detects that a rewrite start notification is output to the communication line, The communication content with one control unit is monitored to determine whether the communication content is different from the rewrite permission communication.

  According to this configuration, in the state where the first and second control units are connected to the communication line of the vehicle, the fraudulent person tries to illegally rewrite the software of the first control unit by the non-regular external device. In this case, the second control unit can detect this and perform some countermeasure processing. This is because when a non-regular external device is used, it is not considered that correct rewrite permission communication with the first control unit is completely realized from the beginning.

  As the countermeasure process performed by the second control unit, for example, a process of storing a history indicating that the software of the first control unit has been illegally rewritten or a process of turning on a warning lamp can be considered. . These processes are processes for notifying a maintenance person or the like in the card dealer that the software of the first control unit may be illegally rewritten. Further, the second control unit may be configured to perform countermeasure processing as described in claim 7.

  That is, in the in-vehicle communication system according to claim 7, in the in-vehicle communication system according to claim 6, the communication content between the rewriting tool and the first control unit of the second control unit is different from the rewriting permission communication. If it is determined that the communication is interrupted, communication obstruction data for obstructing communication between the rewriting tool and the first control unit is output to the communication line. In this case, the rewriting tool trying to communicate with the first control unit is actually a non-regular external device.

  And if comprised in this way, the prevention effect that the software of the 1st control unit is actually rewritten can be heightened further. From the standpoint of a fraudulent person, even if an attempt is made to send various signals from a non-regular external device to the first control unit by trial and error, the unauthorized communication itself may be interrupted, leading to software rewriting. Because it becomes impossible. In addition, if the fraudster notices that the data for interfering communication is output from the second control unit and removes the second control unit from the communication line, in the first control unit, Since the above-described functions of the determination unit and the rewrite prohibiting unit prohibit the execution of the rewriting process, it is possible to prevent unauthorized rewriting of software.

  In addition, as described in claim 8, the communication interference data may be communication data having a higher priority than communication data used in communication between the rewriting tool and the first control unit. Further, it is preferable to transmit the communication jamming data at a cycle as short as possible. This is because the time for which the communication disturbing data occupies the communication line becomes longer, so that the communication disturbing effect can be increased.

  The second control unit can also be configured to transmit the communication obstruction data for a certain period of time, but the communication content between the rewrite tool and the first control unit is different from the rewrite permission communication. Once it is determined that the communication power is interrupted, the communication jamming data can be continuously transmitted until the operation power supply is cut off and the operation is stopped. The latter is preferable because it has a high communication interference effect.

  On the other hand, according to the control unit of claim 9, it can be used as the first control unit in the in-vehicle communication system of claim 1, and according to the control unit of claim 10, the second in the in-vehicle communication system of claim 2. The control unit of claim 11 can be used as the first control unit in the in-vehicle communication system of claim 3. According to the control unit of claim 12, the control unit can be used as the first control unit in the in-vehicle communication system of claim 4, and according to the control unit of claim 13, the first in the in-vehicle communication system of claim 5. It can be used as one control unit.

It is a block diagram showing the vehicle-mounted communication system of embodiment. It is a flowchart showing the rewriting start notification response process performed by engine ECU. It is a flowchart showing the process at the time of normal mode performed by engine ECU. It is a flowchart showing the process for control software rewriting performed with a rewriting tool. It is a flowchart showing the connection confirmation response process performed by vehicle integrated ECU. It is a flowchart showing the rewriting sequence monitoring process performed with vehicle integrated ECU. It is explanatory drawing showing the mutual relationship of operation | movement with engine ECU, vehicle integrated ECU, and a rewriting tool.

Hereinafter, an in-vehicle communication system according to an embodiment to which the present invention is applied will be described.
As shown in FIG. 1, an in-vehicle communication system 1 according to this embodiment includes an electronic control unit (hereinafter referred to as an engine ECU) 11 that controls an engine of a vehicle, an engine target output and an automatic shift according to the traveling state of the vehicle. An electronic control unit (hereinafter referred to as a vehicle integrated ECU) 12 that determines a target control state relating to the power of the vehicle, such as a target gear shift state of the machine, and an electronic control unit (hereinafter referred to as a transmission ECU) that controls the automatic transmission of the vehicle. ) 13, an electronic control unit (hereinafter referred to as an immobilizer ECU) 14 that performs immobilizer control for preventing vehicle theft, and an electronic control unit (hereinafter referred to as meter ECU) 15 that controls a vehicle meter. Yes. Each of the ECUs 11 to 15 is connected to be communicable with each other via a communication line 17 provided in the vehicle.

  Further, the communication line 17 is provided with a connector 18 for enabling an external device (device outside the vehicle) to be attached to and detached from the communication line 17. The connector 18 is attached with a rewriting tool 19 that is an external device for rewriting control software when rewriting any control software (software consisting of control programs and control data) of the ECUs 11 to 15.

  In the present embodiment, it is assumed that only the engine ECU 11 among the ECUs 11 to 15 is capable of on-board rewriting of control software. For this reason, the rewriting tool 19 is connected to the communication line 17 via the connector 18 when the control software of the engine ECU 11 is rewritten.

  Here, the engine ECU 11 includes a microcomputer 21 that is a central part of the processing operation, a nonvolatile memory (flash memory in the present embodiment) 22 in which stored contents can be rewritten, and other ECUs connected to the communication line 17. And a communication circuit 23 for communication. Further, the flash memory 22 is provided with two storage areas 22a and 22b in which rewriting of stored contents is permitted. In one storage area 22a, control software (control program and control data) for controlling the engine is stored, and in the other storage area 22b, the ECU 11 and the vehicle integrated ECU 12 are connected to the communication line 17. The data for connection confirmation for confirming that it has been stored is stored.

  In the engine ECU 11, the microcomputer 21 executes the control software in the flash memory 22 (specifically, executes a control program of the control software), thereby controlling the engine according to the control software. For example, the microcomputer 21 controls the engine so that the target output transmitted from the vehicle integrated ECU 12 via the communication line 17 is realized.

  In addition, the vehicle integrated ECU 12 includes a microcomputer 25 that is a central part of the processing operation, a nonvolatile memory (flash memory in the present embodiment) 26 in which stored contents can be rewritten, and other ECUs connected to the communication line 17. And a communication circuit 27 for communication. In the flash memory 26, connection confirmation data having a specific relationship with the connection confirmation data stored in the flash memory 22 of the engine ECU 11 is stored in a predetermined storage area where rewriting of the stored contents is permitted. ing. In the present embodiment, the specific relationship is “same”.

  In the vehicle integrated ECU 12, the microcomputer 25 executes the control software in the ROM built in the microcomputer 25 (specifically, the control program of the control software is executed), so that the target output of the engine A power control process for determining a target shift state of the automatic transmission and transmitting the target output to the engine ECU 11 and transmitting the target shift state to the transmission ECU 13 is performed.

  Although not shown, each of the transmission ECU 13, the immobilizer ECU 14, and the meter ECU 15 also includes a microcomputer and a communication circuit. In each of the ECUs 13 to 15, the microcomputer exchanges information by communicating with other ECUs via the communication circuit provided in the ECU and the communication line 17 so that each control target is controlled. Processing for control is performed. For example, the microcomputer of the transmission ECU 13 controls the automatic transmission (transmission) so that the target shift state transmitted from the vehicle integrated ECU 12 via the communication line 17 is realized.

  In the present embodiment, the ECUs 11 to 15 are activated by supplying power for operation when the vehicle is in an ignition-on state (a state in which a battery voltage is supplied to an ignition system power line in the vehicle). The microcomputers of the ECUs 11 to 15 are activated).

  On the other hand, the rewriting tool 19 includes a microcomputer 31, a communication circuit 33, and an operation unit 35 that are the central part of the processing operation. In the rewriting tool 19, when a user of the rewriting tool 19 (usually a worker who rewrites control software of the engine ECU 11) performs a predetermined operation on the operation unit 35, the microcomputer 31 controls the engine ECU 11. The control software rewriting process for rewriting the software is performed. The rewriting tool 19 is mounted with a storage medium 37 having a predetermined shape in which control software to be transmitted to the engine ECU 11 (that is, new control software to be rewritten) is stored. As the storage medium 37, for example, a card-type memory card or a USB memory can be considered.

Next, processing executed by each of the engine ECU 11, the vehicle integrated ECU 12, and the rewriting tool 19 when the control software of the engine ECU 11 is rewritten will be described.
When an operator who rewrites control software of the engine ECU 11 connects the rewriting tool 19 to the communication line 17 of the vehicle and then performs a predetermined operation on the operation unit 35, the rewriting tool 19 starts rewriting to the communication line 17. Send a notification.

  When the engine ECU 11 receives the rewrite start notification from the rewrite tool 19 during the normal control period in which the engine is controlled according to the control software in the flash memory 22, the microcomputer 21 performs the rewrite start notification response process in FIG. Run.

  As shown in FIG. 2, when the microcomputer 21 of the engine ECU 11 starts executing the rewrite start notification response process, first, in S110, the current control software is prevented from being rewritten with control software that is not compatible with the ECU 11. For product number confirmation.

  Specifically, first, a product number request is transmitted from the rewriting tool 19. When the product number request is received, the product number of the ECU 11 is transmitted to the rewriting tool 19. Then, the rewriting tool 19 selects control software that matches the product number of the ECU 11 among the control software stored in the storage medium 37 as new control software to be rewritten. In the engine ECU 11, the product number of the ECU 11 is stored in, for example, a non-rewritable area where rewriting of stored contents is not permitted in the storage area of the flash memory 22 or a ROM in the microcomputer 21.

  Next, in S120, a matching confirmation process for confirming whether or not the connection confirmation data of the other unit (vehicle integrated ECU 12 in this embodiment) matches the connection confirmation data of the ECU 11 is performed.

  Specifically, first, a data request for requesting connection confirmation data is transmitted to the vehicle integrated ECU 12. When the vehicle integration ECU 12 receives the data request, the microcomputer 21 of the ECU 11 transmits the connection confirmation data stored in the flash memory 26 to the engine ECU 11. When the data is received and the received connection confirmation data of the vehicle integrated ECU 12 matches the connection confirmation data of the ECU 11 (that is, the connection confirmation data stored in the storage area 22b of the flash memory 22). It is determined whether or not.

  Then, in the next S125, it is determined whether or not the determination result in the match confirmation process in S120 is “match”. If it is determined that it is not “match”, the rewrite start notification response process is directly performed. finish. In this case, engine control is continued.

  In S125, if it is determined by the match confirmation process that the connection confirmation data of the vehicle integrated ECU 12 and the connection confirmation data of the ECU 11 do not match (do not match), or the connection is made from the vehicle integrated ECU 12. When the confirmation data has not been transmitted, it is determined that the determination result by the match confirmation process is not “match”. This also applies to S155, S175, S195, and S200, which will be described later, and S315 in FIG.

On the other hand, if it is determined in S125 that the determination result of the match confirmation process in S120 is “match”, the process proceeds to S130.
In S 130, the connection confirmation data stored in the flash memory 22 is transmitted to the rewriting tool 19 so that the connection confirmation data is updated by the rewriting tool 19.

  Next, in S140, the program to be executed is switched. In other words, in the present embodiment, the processes of S140 and S110 to S130 are performed by a predetermined program stored as part of the control software to be rewritten in the storage area 22a of the flash memory 22, so Thus, the process jumps to the rewrite process area of the flash memory 22 or the rewrite process program stored in the ROM in the microcomputer 21, and thereafter, the rewrite process program is executed to perform the processes after S150 described later. .

  In S150 subsequent to S140, the same confirmation process as in S120 is performed. Further, in the next S155, as in the above S125, it is determined whether or not the determination result by the match confirmation processing in S150 is “match”. The process proceeds to the last step S240, but if it is determined to be “match”, the process proceeds to step S160.

  In S160, a failure diagnosis stop request and a communication stop request are transmitted to the other ECUs 12-15. Then, the other ECUs 12 to 15 stop the failure diagnosis process for monitoring whether or not each of the ECUs 11 to 15 is operating normally, and stop the mutual communication performed during the normal control period. Become. The reason why such a measure is taken is that the engine ECU 11 is now in a state of rewriting the control software and does not operate normally.

  Next, in S170, the same confirmation process as in S120 is performed. Further, in the next S175, as in S125, it is determined whether or not the determination result by the match confirmation processing in S170 is “match”. The process proceeds to S240, but if it is determined to be “match”, the process proceeds to S180.

In S180, a security confirmation process for confirming whether the communication partner is the regular rewriting tool 19 is performed.
Specifically, the encryption communication of the predetermined rule is performed several times with the rewriting tool 19 and if all the encryption communication is normally completed, it is determined that the communication partner is the regular rewriting tool 19 and the process proceeds to S190. . Although not shown in FIG. 2, if the encryption communication (security confirmation processing) with the rewriting tool 19 cannot be normally completed in S180, the subsequent processing is interrupted and the last S240 is completed. Migrate to

  In S190, the same confirmation process as in S120 is performed. Further, in the next S195, as in S125, it is determined whether or not the determination result by the match confirmation processing in S190 is “match”. The process proceeds to S240, but if it is determined to be “match”, the process proceeds to S200.

  In S200, a request for control software is transmitted to the rewriting tool 19. Then, since the new control software to be rewritten is transmitted from the rewriting tool 19, the rewriting to rewrite the control software stored in the storage area 22 a of the flash memory 22 with the new control software transmitted from the rewriting tool 19. Process. Specifically, the data in the storage area 22a is erased, and the control software received from the rewriting tool 19 (specifically, digital data constituting the control software) is written into the erased storage area 22a. The rewritten control software may be one or both of the control program and control data, or may be a part of the control program or a part of the control data.

  Although not shown in FIG. 2, in S200, in parallel with the rewriting process, in the form of multitasking, the same match confirmation process as in S120 and the determination result by the match confirmation process are “match”. The process of determining whether or not there is repeated is executed, and when it is determined that the determination result by the match confirmation process is not “match”, the rewrite process is interrupted and the process proceeds to the last S240.

  If all the control software from the rewriting tool 19 is written in the storage area 22a of the flash memory 22 by the rewriting process in S200, the process proceeds to S210 to check whether the writing of the control software is normally completed. Perform memory check. Specifically, the control software written in the storage area 22a of the flash memory 22 is compared with the control software received from the rewriting tool 19 and temporarily stored in the RAM (not shown) in the microcomputer 21 (verification). )

  If the memory check in S210 is NG, for example, the process of S200 is performed again. If the memory check in S210 is OK, the process proceeds to S220, and the rewritten control software is control software compatible with the ECU 11. Perform part number reconfirmation processing to reconfirm that.

  Specifically, first, the product number of the ECU 11 is transmitted to the rewriting tool 19. Then, the rewriting tool 19 determines whether or not the product number received from the ECU 11 matches the product number of the ECU conforming to the control software transmitted to the ECU 11, and stores the product number confirmation information indicating the determination result. It returns to ECU11. For this reason, if the product number confirmation information transmitted from the rewriting tool 19 indicates “product number match”, the microcomputer 21 determines that the product number reconfirmation process has ended and proceeds to S230.

  Although not shown in FIG. 2, if the product number confirmation information from the rewriting tool 19 indicates “product number mismatch”, the process proceeds to the last S240. Further, in this case, the rewriting tool 19 performs a process for notifying the user of the occurrence of an incorrect product number (that is, writing incompatible control software to the ECU 11).

  In S230, the updated connection confirmation data transmitted from the rewriting tool 19 is received, and the received connection confirmation data is updated and stored in the storage area 22b of the flash memory 22. That is, the old connection confirmation data stored in the storage area 22b is erased, and the connection confirmation data received from the rewriting tool 19 is written into the erased storage area 22b. The rewriting tool 19 receives the connection confirmation data transmitted from the ECU 11 in S130 and updates the received connection confirmation data with a predetermined logic. It transmits to ECU11.

When the update storage process in S230 is completed, the process proceeds to the last S240.
In S240, a process for restarting the microcomputer 21 is performed as the post-rewrite process. A process for restarting the microcomputer 21 may be a process of setting the level of the reset terminal of the microcomputer 21 to the active level that is reset. In the present embodiment, when the microcomputer 21 is started from the reset state, the microcomputer 21 is executed from the top of the control program constituting the control software. Therefore, as a process for restarting the microcomputer 21, the execution of the program is executed. Processing for jumping the destination address to the start address of the control program may be used.

  For this reason, when the process proceeds from S230 to S240, and the control software in the flash memory 22 is normally rewritten to the control software suitable for the ECU 11 by the regular rewriting tool 19, the process of S240 is performed. Then, the execution of the control program constituting the rewritten new control software is started.

  Next, FIG. 3 is a flowchart showing normal mode processing executed by the microcomputer 21 of the engine ECU 11 during the normal control period (during the period when the engine is controlled according to the control software in the flash memory 22). The normal mode processing is processing by a predetermined program that forms part of the control software in the flash memory 22, and is executed at regular intervals, for example.

  As shown in FIG. 3, when the microcomputer 21 of the engine ECU 11 starts executing the normal mode process, first, in S310, the same confirmation process as in S120 of FIG. 2 is performed. Then, in the next S315, as in S125 of FIG. 2, it is determined whether or not the determination result by the match confirmation processing in S310 is “match”, and if it is determined to be “match” (ie, If it is determined that the connection confirmation data of the vehicle integrated ECU 12 and the connection confirmation data of the ECU 11 match), the normal mode processing is terminated. Therefore, in this case, normal control based on the control software in the flash memory 22 is performed.

  On the other hand, when it is determined in S315 that the determination result by the match confirmation process in S310 is not "match" (that is, the connection check data of the vehicle integrated ECU 12 and the connection check data of the ECU 11 match). If it is determined that there is no connection confirmation data is not transmitted from the vehicle integrated ECU 12, the process proceeds to S320.

In S320, an output prohibiting process for prohibiting the ECU 11 from outputting a predetermined signal for controlling the engine as a control target is performed.
As the predetermined signal for prohibiting the output, for example, an injection command signal for opening the injector for injecting fuel into the engine or an ignition command signal for generating a spark in the plug of the engine can be considered. As the output prohibition processing, processing for prohibiting execution of processing for outputting those signals, or processing for shutting off the power to the output circuit for outputting those signals can be considered.

  Further, in the subsequent S330, a process for storing a history indicating that the control software has been illegally rewritten is stored in a predetermined area of the flash memory 22, and a warning process for turning on a warning lamp is performed. These processes are processes for notifying a vehicle mechanic or the like in a card dealer that the control software has been illegally rewritten. Then, after the process of S330 is completed, the normal mode process is terminated.

  Next, FIG. 4 is a flowchart showing the control software rewriting process executed by the microcomputer 31 of the rewriting tool 19. The control software rewriting process is executed when the user of the rewriting tool 19 performs a predetermined operation on the operation unit 35.

  Then, as shown in FIG. 4, when the microcomputer 31 of the rewriting tool 19 starts executing the control software rewriting process, first, a rewriting start notification is transmitted to the communication line 17 in S410. Then, as described above, in the engine ECU 11 that has received the rewrite start notification, the microcomputer 21 executes the rewrite start notification response process of FIG.

  Next, the microcomputer 31 of the rewriting tool 19 performs the above-described product number confirmation processing in S420. That is, first, a part number request is transmitted to the engine ECU 11, and the part number of the ECU 11 transmitted from the engine ECU 11 in response to the part number request is received. And among the control software memorize | stored in the storage medium 37, the control software which suits the product number of ECU11 is selected as new control software which should be rewritten.

In the next S430, the connection confirmation data transmitted from the engine ECU 11 in the process of S130 in FIG. 2 is received and stored.
Next, in S440, the above-described security confirmation process is performed. That is, the encryption communication with the engine ECU 11 according to a predetermined rule is performed several times.

If all the encrypted communications are normally completed, the process proceeds to S450, and the control software rewriting communication is performed with the engine ECU 11.
Specifically, the control software waits for the above-described control software request from the engine ECU 11 to be transmitted, and if the control software request is transmitted, the control software selected in S420 is transferred to the engine ECU 11 by a predetermined unit amount. Send. Then, the control software is written in the storage area 22a of the flash memory 22 by the rewriting process of S200 in FIG.

  If all the control software rewriting communication is normally completed, the above-described product number reconfirmation process is performed in the next S460. That is, the product number transmitted from the engine ECU 11 in the process of S220 in FIG. 2 is received, and whether or not the received product number matches the product number of the ECU that matches the control software transmitted to the engine ECU 11 in S450. Determine. And the product number confirmation information which shows the determination result is transmitted to engine ECU11.

  Next, in S470, it is determined whether the rewriting of the control software has been normally completed. When it is determined that the rewriting of the control software has not ended normally, the control software rewriting process is terminated as it is. However, when it is determined that the rewriting of the control software has ended normally, the process proceeds to S480. . In the part number reconfirmation process in S460, if it is determined that the part number received from the engine ECU 11 matches the part number of the ECU that matches the control software transmitted to the engine ECU 11, It is determined that the rewriting has been completed normally.

  In S480, the connection confirmation data received from the engine ECU 11 in S430 is updated with a predetermined logic. As the update logic, for example, logic such as adding a constant a to the received connection confirmation data and logic such as multiplying a constant b can be considered.

  Then, in the next S490, the updated connection confirmation data is transmitted to the engine ECU 11. Then, as described above, in the engine ECU 11, the connection confirmation data transmitted from the rewriting tool 19 is updated and stored in the storage area 22 b of the flash memory 22.

In subsequent S495, a rewriting completion notification indicating that the rewriting of the control software is completed is transmitted to the communication line 17, and then the control software rewriting process is terminated.
If the microcomputer 21 of the engine ECU 11 receives the rewrite completion notification from the rewrite tool 19 after performing the process of S230 in the rewrite start notification response process of FIG. 2, the process proceeds to S240. good.

Next, FIG. 5 is a flowchart showing a connection confirmation response process executed by the microcomputer 25 of the vehicle integrated ECU 12. This connection confirmation response process is executed, for example, at regular intervals.
As shown in FIG. 5, when the microcomputer 25 of the vehicle integrated ECU 12 starts executing the connection confirmation response process, first, in S510, the above-described data request from the engine ECU 11 (data request for requesting connection confirmation data). Is received.

If a data request has not been received, the connection confirmation response process is terminated. If a data request has been received, the process proceeds to S520.
In S520, the connection confirmation data stored in the flash memory 26 (that is, the connection confirmation data of the ECU 12) is transmitted to the engine ECU 11. Then, the connection confirmation response process ends. The connection confirmation data transmitted to the engine ECU 11 in S520 is used in the engine ECU 11 for each of the above-described coincidence confirmation processes in S120, S150, S170, S190, S200 in FIG. 2 and S310 in FIG.

Next, FIG. 6 is a flowchart showing a rewrite sequence monitoring process executed by the microcomputer 25 of the vehicle integrated ECU 12.
When the vehicle integration ECU 12 receives the above-mentioned rewrite start notification from the rewrite tool 19 (in other words, when it is detected that the rewrite start notification is output from the rewrite tool 19 to the communication line 17), the microcomputer 25 changes the state shown in FIG. The rewrite sequence monitoring process is executed.

  Then, as shown in FIG. 6, when the microcomputer 25 starts executing the rewrite sequence monitoring process, in S610, the microcomputer 25 continuously monitors the communication signal transmitted to the communication line 17, and the rewrite tool 19 and the engine ECU 11 are monitored. The rewrite sequence that is the communication content between the two (specifically, the content and order of signals exchanged between the two) is monitored, and it is determined (checked) whether the rewrite sequence is correct (OK) or not correct (NG). .

  That is, the microcomputer 25 of the vehicle integrated ECU 12 includes at least the engine ECU 11 and the rewriting tool 19 that are executed by the processes of S110 and S180 of FIG. 2 in the engine ECU 11 and the processes of S420 and S440 of FIG. The contents of communication (contents and order of signals exchanged) are stored as the contents of rewrite permission communication. Then, the microcomputer 25 determines whether or not the communication content between the rewrite tool 19 and the engine ECU 11 matches the content of the rewrite permission communication.

Specifically, the contents of (1) and (2) below are sequentially checked.
(1) Whether or not communication by the part number confirmation process between the engine ECU 11 and the rewriting tool 19 has been performed with the correct contents and order.

  That is, whether a signal indicating a product number request is transmitted from the rewriting tool 19 to the engine ECU 11, and then a signal indicating the product number of the ECU 11 is transmitted from the engine ECU 11 to the rewriting tool 19.

(2) Whether or not cryptographic communication by the security confirmation process between the engine ECU 11 and the rewriting tool 19 has been performed the correct number of times in the correct content and order.
In addition, as a check content in S610, whether or not a signal that should have been transmitted in each of S130 and S160 in FIG. 2 is transmitted from engine ECU 11 between (1) and (2) above. You can also check that. Further, after the above (2), whether or not a signal as a request for the control software is transmitted from the engine ECU 11 to the rewriting tool 19, and thereafter, the data considered to be the control software is transmitted from the rewriting tool 19 to the engine ECU 11. It may also be checked whether or not a predetermined unit amount has been transmitted.

Then, when it is determined in S610 that the rewrite sequence is not correct (NG), the process proceeds to S620 and rewrite disturbing communication is started.
As the rewrite disturbing communication, specifically, communication disturbing data for disturbing communication between the rewriting tool 19 and the engine ECU 11 is output to the communication line 17. The communication obstruction data is communication data having a higher priority than communication data used in communication between the rewriting tool 19 and the engine ECU 11.

  For example, if the communication protocol in the in-vehicle communication system 1 is a CAN generally used in a vehicle, the priority (that is, collision) of the communication data is determined by an ID (so-called CAN-ID) given to the communication data. Therefore, communication data with an ID higher in priority than the ID of communication data used for communication between the rewriting tool 19 and the engine ECU 11 is communicated as communication obstruction data. Send to line 17.

  For this reason, when it is determined in S610 that the rewriting sequence is not correct (NG), communication between the rewriting tool 19 and the engine ECU 11 is obstructed, and as a result, the control software of the engine ECU 11 by the rewriting tool 19 is Rewriting will be disturbed.

  This interference is caused by the fact that the external device that is trying to communicate with the engine ECU 11 is not actually a regular rewriting tool 19 but uses an external device (non-regular external device) that is not the regular rewriting tool 19. This is because the control software of the engine ECU 11 is considered to be illegally rewritten.

  From this point of view, it is preferable to transmit the communication jamming data at a cycle as short as possible. For example, in this embodiment, the data is continuously transmitted. This is because it is possible to increase the communication interference effect, and thus the effect of preventing unauthorized rewriting of the control software.

  In addition, the communication jamming data can be configured to be transmitted for a certain period of time, but in this embodiment, once it is determined in S610 that the rewrite sequence is not correct, the vehicle is in an ignition-off state. The communication disturbance data is continuously transmitted until the operation power supply to the vehicle integrated ECU 12 is cut off. This is preferable because the communication interference effect is high.

  In step S630, the microcomputer 25 of the vehicle integrated ECU 12 performs a process of storing in the predetermined area of the flash memory 26 an illegal activity history indicating that the control software of the engine ECU 11 has been illegally rewritten. Perform warning processing to turn on the warning light. These processes are processes for notifying a vehicle mechanic or the like in the card dealer that the control software of the engine ECU 11 may be illegally rewritten. Thereafter, the rewrite sequence monitoring process is terminated.

  On the other hand, if it is not determined in S610 that the rewriting sequence is not correct, in S640, the process waits until the rewriting of the control software of the engine ECU 11 ends normally, and if the rewriting of the control software ends normally. The process proceeds to S650. In S640, it is monitored whether or not the above-described rewriting completion notification is output from the rewriting tool 19 to the communication line 17. If the rewriting completion notification is output, the rewriting of the control software of the engine ECU 11 is normally completed. judge.

  In S650, the connection confirmation data stored in the flash memory 26 is the same logic as the logic (update rule) used to update the connection confirmation data of the engine ECU 11 in S480 of FIG. (Same rules) Thereafter, the rewrite sequence monitoring process is terminated.

On the other hand, FIG. 7 shows the interrelationship among the operations of the engine ECU 11, the vehicle integrated ECU 12, and the rewriting tool 19 by the processes shown in FIGS. 2 and 4 to 6.
In the in-vehicle communication system 1 of the present embodiment as described above, the engine ECU 11 receives the rewriting start notification and starts the rewriting process (S200) for rewriting the control software before starting the rewriting process (S200). The connection confirmation data is acquired from the vehicle, and a matching confirmation process for determining whether or not the acquired connection confirmation data of the vehicle integrated ECU 12 matches the connection confirmation data of the engine ECU 11 is performed (S120, S150). , S170, S190), if the determination result by the match confirmation process does not become “match”, the rewrite process (S200) is prohibited (S125: NO, S155: NO, S175: NO, S195). : NO).

  For this reason, the control software of the engine ECU 11 can be rewritten only when the engine ECU 11 is connected to the communication line 17 of the vehicle together with the vehicle integrated ECU 12, that is, when the engine ECU 11 is mounted on the vehicle. Otherwise, the engine ECU 11 cannot acquire the connection confirmation data from the vehicle integrated ECU 12, and the determination result by the matching confirmation process does not become “match”.

  Therefore, a fraudulent person who intends to rewrite the control software of the engine ECU 11 removes the engine ECU 11 from the vehicle and tries the communication terminal (terminal connected to the communication line 17) of the ECU 11 in a single state. By giving signals while making mistakes, even if the control software is to be rewritten, such illegal rewriting can be prevented. Further, even if an unauthorized person tries to rewrite the control software of the engine ECU 11 with the engine ECU 11 mounted on the vehicle, the engine ECU 11 communicates not only with the rewriting tool 19 but also with the vehicle integrated ECU 12. In order to shift to the state where the rewriting process is performed, it is considered very difficult for the fraudster to find out all the transition conditions.

From the above, according to the in-vehicle communication system 1 of the present embodiment, the effect of preventing the control software of the engine ECU 11 from being rewritten illegally can be enhanced.
In addition, the engine ECU 11 performs at least a rewrite permission process including a plurality of processes of S110, S140, S160, and S180 in FIG. 2 after receiving the rewrite start notification and before starting the rewrite process. However, at each stage where each process is completed, a match confirmation process is performed in each of S120, S150, S170, and S190 in FIG. 2, and the determination result by any one of the match confirmation processes is “match”. If not, the rewrite process is prohibited.

  For this reason, it is possible to further enhance the effect of preventing the control software of the engine ECU 11 from being rewritten illegally. For example, an unauthorized person starts to rewrite the control software of the engine ECU 11 in a state where the engine ECU 11 is mounted on the vehicle, and the engine ECU 11 or the vehicle integrated ECU 12 is connected from the communication line 17 in the middle of trial and error. Even if it is removed, it is possible to make the control software of the engine ECU 11 unrewritable by performing the coincidence confirmation process of any of S120, S150, S170, and S190 in FIG.

  Furthermore, in the present embodiment, when the engine ECU 11 receives a rewrite start notification from the rewrite tool 19, the rewrite tool 19 stores the connection confirmation data stored in the flash memory 22 (specifically, the storage area 22 b) of the ECU 11. After the rewriting process is completed, new connection confirmation data transmitted from the rewriting tool 19 is updated and stored in the flash memory 22 (S230).

  For this reason, the rewriting tool 19 updates the connection confirmation data transmitted from the engine ECU 11 with a predetermined logic, and updates the updated connection confirmation data after the rewriting process is completed in the engine ECU 11. Is transmitted to the engine ECU 11 as correct connection confirmation data (S480, S490).

  The vehicle integrated ECU 12 updates the connection confirmation data stored in the flash memory 26 of the ECU 12 with the same logic as the update logic by the rewriting tool 19 after the rewriting process is completed in the engine ECU 11. (S650).

  That is, the connection confirmation data stored in the engine ECU 11 is updated by the rewriting tool 19, and the connection confirmation data stored in the vehicle integrated ECU 12 is updated by the vehicle integrated ECU 12 itself.

  Therefore, even if the engine ECU 11 and the vehicle integrated ECU 12 are connected to the vehicle communication line 17 and the control software of the engine ECU 11 is illegally rewritten by an unauthorized external device, The connection confirmation data stored in the engine ECU 11 is not updated correctly and does not match the updated connection confirmation data stored in the vehicle integrated ECU 12.

  Therefore, even if the fraudulent person tries to rewrite the control software of the engine ECU 11 again in a state where the engine ECU 11 and the vehicle integrated ECU 12 are connected to the communication line 17 of the vehicle, the determination result by the coincidence confirmation process in the engine ECU 11 Will not become “match”, and such illegal rewriting after the second time can be prevented.

  Further, since the engine ECU 11 performs the matching confirmation process in S310 of FIG. 3 even during the normal control period, even if the control software is illegally rewritten by an unauthorized external device, the engine ECU 11 thereafter If the coincidence confirmation process is performed in S310 of FIG. 3 during the normal control period after the ECU 11 is activated, the determination result by the coincidence confirmation process is not “coincidence” (“mismatch”), and the control software is illegally rewritten. Can be detected.

  In particular, the engine ECU 11 controls the engine when the determination result by the match confirmation processing in S310 of FIG. 3 is not “match” (S315: NO) and an unauthorized rewrite of the control software is detected. Since the output prohibition process (S320) for prohibiting the output of the above-mentioned signal is performed, it is meaningless to illegally rewrite the control software itself, thereby further enhancing the effect of preventing unauthorized rewrite of the control software. it can. This is because the engine ECU 11 does not substantially function in the role of controlling the engine if the control software is rewritten illegally.

  Further, in the present embodiment, when the vehicle integrated ECU 12 detects that a rewrite start notification has been output to the communication line 17, in step S610 in the rewrite sequence monitoring process of FIG. In order to perform a check process for determining whether or not the rewriting sequence by communication is correct, it is possible to detect when someone attempts to rewrite the control software of the engine ECU 11 illegally using a non-regular external device. it can.

  If the vehicle integration ECU 12 determines that the rewrite sequence is not correct in S610 of FIG. 6, the vehicle integration ECU 12 performs rewrite obstruction communication (S620) for outputting communication obstruction data to the communication line 17, so that the control software of the engine ECU 11 The effect of preventing actual rewriting can be further enhanced. This is because even if an unauthorized person tries to transmit various signals from the non-regular external device to the engine ECU 11 through trial and error, the unauthorized communication itself is disturbed and the control software cannot be rewritten. Also, if an unauthorized person notices that data for interfering communication has been output from the vehicle integrated ECU 12, and removes the vehicle integrated ECU 12 from the communication line 17, the engine ECU 11 performs the above-described matching confirmation process. Since the execution of the rewriting process is prohibited when the determination result does not become “match”, the unauthorized rewriting of the control software can also be prevented.

  On the other hand, when one of the engine ECU 11 and the vehicle integrated ECU 12 is replaced due to a failure or the like, the new ECU after the replacement and the other ECU are in a state in which the same connection confirmation data is stored. It is necessary to keep.

The following methods can be considered as countermeasures.
First, when the ECUs 11 and 12 are manufactured, the initial value of the connection confirmation data is stored in a specific area of the flash memories 22 and 26 or a specific area of the non-rewritable ROM. The initial value is managed so as to be the same data for each model of vehicle.

  Then, after performing predetermined authentication communication with the rewriting tool 19 or another dedicated tool, the ECUs 11 and 12 receive the stored value initialization request from the rewriting tool 19 or the dedicated tool, and are stored in the specific area. The initial value of the connection confirmation data is stored as connection confirmation data used in actual processing. That is, in the case of the engine ECU 11, the initial value of the connection confirmation data is copied from the specific area to the storage area 22b of the flash memory 22, and in the case of the vehicle integrated ECU 12, the predetermined area of the flash memory 26 is stored from the specific area. The initial value of the connection confirmation data is copied to the area.

  For this reason, when one of the engine ECU 11 and the vehicle integrated ECU 12 is exchanged, the stored value initialization request is made after performing the authentication communication to each of the ECUs 11 and 12 by the rewriting tool 19 or the dedicated tool. , The connection confirmation data in each of the ECUs 11 and 12 can be set to the same initial value.

  Further, for example, as another method, the rewriting tool 19 or the dedicated tool reads out the connection confirmation data from the ECU that has not been exchanged, and stores the read connection confirmation data in the exchanged ECU. You may take the technique.

  In the above embodiment, the engine ECU 11 corresponds to the first control unit, and the vehicle integrated ECU 12 corresponds to the second control unit. In the engine ECU 11, the flash memory 22 (more specifically, the storage area 22b). However, in the vehicle integrated ECU 12, the flash memory 26 corresponds to data storage means for storing connection confirmation data. For this reason, the connection confirmation data stored in the flash memory 22 of the engine ECU 11 corresponds to the self-unit connection confirmation data, and the connection confirmation data stored in the flash memory 26 of the vehicle integrated ECU 12 is the other unit connection confirmation data. Corresponds to connection confirmation data.

  In the engine ECU 11, the coincidence confirmation process performed in each of S120, S150, S170, and S190 in FIG. 2 and S310 in FIG. 3 corresponds to a process as a determination unit, and S125, S155 in FIG. Each process of S175 and S195 corresponds to a rewrite prohibiting unit, and the processes of S315 and S320 in FIG. 3 correspond to a process as an output prohibiting unit.

  As mentioned above, although one Embodiment of this invention was described, this invention is not limited to such Embodiment at all, Of course, in the range which does not deviate from the summary of this invention, it can implement in a various aspect. .

  For example, in the above embodiment, the connection confirmation data stored on the engine ECU 11 side and the connection confirmation data stored on the vehicle integrated ECU 12 side have the same relationship, but the difference in data values is Other relationships such as a predetermined number may be used.

In addition, the rewritable nonvolatile memory in which the control software to be rewritten is stored may be a type of memory other than the flash memory.
Further, in the engine ECU 11, the memory for storing the connection confirmation data may be a physically separate memory from the memory for storing the control software to be rewritten.

  Moreover, each ECU which comprises a vehicle-mounted communication system is not restricted to the thing of the said embodiment, ECU which has another role may be sufficient.

DESCRIPTION OF SYMBOLS 1 ... In-vehicle communication system, 11 ... Engine ECU, 12 ... Vehicle integrated ECU
13 ... Transmission ECU, 14 ... Immobilizer ECU, 15 ... Meter ECU
DESCRIPTION OF SYMBOLS 17 ... Communication line, 19 ... Rewriting tool, 18 ... Connector, 21, 25, 31 ... Microcomputer 22, 26 ... Flash memory, 23, 27, 33 ... Communication circuit, 35 ... Operation part 37 ... Storage medium

Claims (13)

At least two controls: a first control unit that controls an object to be controlled in accordance with software stored in a rewritable nonvolatile memory, and a second control unit that is different from the first control unit The unit is connected to be communicable via a communication line provided in the vehicle,
The communication line is an in-vehicle communication system in which a rewriting tool that is an external device for rewriting software stored in the nonvolatile memory of at least the first control unit is removable.
Each of the first control unit and the second control unit includes data storage means in which connection confirmation data having a specific relationship with each other is stored.
Upon receiving a rewrite start notification from the rewrite tool, the first control unit performs a rewrite permission process including a process for performing a predetermined rewrite permission communication with the rewrite tool, and the rewrite permission process. Is completed, the rewriting process is performed to rewrite the software in the nonvolatile memory with the software transmitted from the rewriting tool,
Furthermore, the first control unit comprises:
Between receiving the rewrite start notification and starting the rewrite process, communicate with the second control unit and check the connection stored in the data storage means of the second control unit Other unit connection confirmation data which is data for connection confirmation obtained from the second control unit and connection confirmation data stored in the data storage means of the first control unit A determination means for determining whether or not own unit connection confirmation data has the specific relationship;
If the determination means does not determine that the other unit connection confirmation data and the own unit connection confirmation data have the specific relationship even though the determination means has been operated, Rewriting prohibiting means for prohibiting the rewriting process from being performed in one control unit;
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to claim 1,
The rewrite permission process includes a plurality of processes performed in a predetermined order.
The determination means operates each time a plurality of processes constituting the rewrite permission process are completed;
An in-vehicle communication system characterized by the above. In the in-vehicle communication system according to claim 1 or claim 2,
The first control unit includes:
Upon receiving the rewrite start notification, the connection confirmation data stored in the data storage means of the first control unit is transmitted to the rewrite tool, and is transmitted from the rewrite tool after the rewrite process is completed. New incoming connection confirmation data is updated and stored in the data storage means of the first control unit,
The rewriting tool is:
The connection confirmation data transmitted from the first control unit is updated with a predetermined logic, and the updated connection confirmation data is updated in the first control unit after the rewriting process is completed. The new connection confirmation data is transmitted to the first control unit,
The second control unit is
After the rewrite processing is completed in the first control unit, the connection confirmation data stored in the data storage means of the second control unit is changed to the new connection confirmation data and the specific relationship. Updating to data with
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to claim 3,
The determination means of the first control unit operates even during a normal control period in which the first control unit controls the control target;
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to claim 4,
The first control unit includes:
When the determination unit determines that the other unit connection confirmation data and the own unit connection confirmation data do not have the specific relationship during the normal control period, the first control unit Output prohibiting means for prohibiting the output of a predetermined signal for controlling the control object from
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to any one of claims 1 to 5,
The second control unit is
When it is detected that the rewrite start notification is output to the communication line, the communication content between the rewrite tool and the first control unit is monitored, and the communication content is different from the rewrite permission communication. Determining whether or not
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to claim 6,
The second control unit is
Communication between the rewriting tool and the first control unit when it is determined that the communication content between the rewriting tool and the first control unit is different from the rewriting permission communication. Outputting data for interfering communication to disturb the communication line,
An in-vehicle communication system characterized by the above. The in-vehicle communication system according to claim 7,
The communication obstruction data is communication data having a higher priority than communication data used in communication between the rewriting tool and the first control unit;
An in-vehicle communication system characterized by the above. The control object is controlled according to the software stored in the rewritable nonvolatile memory, and the communication contents are communicably connected to other units via a communication line provided in the vehicle.
Further, upon receiving a rewrite start notification from a rewrite tool that is an external device that can be attached to and detached from the communication line, a rewrite permission process including a process of performing a predetermined rewrite permission communication with the rewrite tool is performed, In a control unit that performs a rewrite process for rewriting the software in the nonvolatile memory with the software transmitted from the rewrite tool after the rewrite permission process is completed.
Data storage means for storing connection confirmation data having a specific relationship with the connection confirmation data stored in the other unit;
Between receiving the rewrite start notification and starting the rewrite process, communicate with the other unit to obtain connection confirmation data stored in the other unit, and obtain the connection Whether the other unit connection confirmation data as confirmation data and the own unit connection confirmation data as connection confirmation data stored in the data storage means of the control unit have the specific relationship Determining means for determining whether or not;
If the determination means does not determine that the other unit connection confirmation data and the own unit connection confirmation data have the specific relationship even though the determination means has operated, the control Rewrite prohibition means for prohibiting the rewrite processing from being performed in the unit;
A control unit comprising: The control unit according to claim 9,
The rewrite permission process includes a plurality of processes performed in a predetermined order.
The determination means operates each time a plurality of processes constituting the rewrite permission process are completed;
A control unit characterized by. In the control unit according to claim 9 or 10,
Upon receipt of the rewrite start notification, the connection confirmation data stored in the data storage means is transmitted to the rewrite tool, and after the rewrite process is completed, a new connection confirmation data transmitted from the rewrite tool is transmitted. Updating and storing data in the data storage means;
A control unit characterized by. The control unit according to claim 11, wherein
The determination means operates even during a normal control period in which the control unit controls the control object;
A control unit characterized by. The control unit according to claim 12,
During the normal control period, when the determination unit determines that the other unit connection confirmation data and the own unit connection confirmation data do not have the specific relationship, the control unit performs the control. Comprising output prohibiting means for prohibiting the output of a predetermined signal for controlling the object;
A control unit characterized by.

Images