JP2014232437A - Electronic controller and memory rewrite method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make time required to rewrite a control program shorter.SOLUTION: First, an ECU 1 executes a receiving process for receiving rewrite data for rewriting a content of a control program stored in a flash ROM 3 from outside. By writing the rewrite data received in the receiving process to the flash ROM 3, the ECU 1 executes a write process for rewriting the content of the control program stored in the flash ROM 3. Furthermore, if a state in which the ECU 1 does not execute the receiving process or a state in which the ECU 1 waits to receive the rewrite data in the receiving process, and a state in which the ECU 1 does not execute the rewrite process or a state in which the ECU 1 waits for the end of writing the rewrite data to the nonvolatile memory in the rewrite process are both satisfied, the ECU 1 executes a verification process for verifying whether the rewrite data written to the nonvolatile memory is appropriate.

Description

  The present invention relates to an electronic control device and a memory rewriting method capable of rewriting a control program used for controlling a predetermined control target.

  Conventionally, in an electronic control device that stores a control program in a non-volatile memory capable of rewriting stored contents, in order to shorten the time required for rewriting the control program, a reception process for receiving rewrite data from the outside, and a received rewrite There is known one that executes a rewrite process for rewriting a control program in parallel by writing data in a nonvolatile memory (see, for example, Patent Document 1).

  In the electronic control device capable of rewriting the control program in this way, verification (Verification) for confirming the coincidence between the received rewritten data and the data written in the nonvolatile memory is executed. However, this verification cannot determine whether the received rewrite data is appropriate for the electronic control device. For this reason, for example, even if the received rewritten data is illegally rewritten by a third party, the illegal rewritten data is written in the nonvolatile memory when the above-mentioned coincidence is confirmed in the verification.

  As a method for solving such a problem, validation for confirming the validity of rewritten data is known. In the validation, for example, calculation is performed on data to be verified or authentication with an external device is performed to determine whether the data is rewritten data suitable for the electronic control device.

JP 2000-20389 A

However, by executing the validation, there is a problem that the time required for rewriting the control program becomes longer by the execution of the validation.
The present invention has been made in view of these problems, and an object thereof is to shorten the time required for rewriting a control program.

An electronic control device according to a first aspect of the invention made to achieve the above object includes a non-volatile memory, a reception process execution means, a rewrite process execution means, and a verification process execution means.
The nonvolatile memory can rewrite the stored contents, and stores a control program for controlling a predetermined control target.

  In the electronic control apparatus according to the first aspect of the invention, first, the reception process execution means executes a reception process for receiving rewrite data, which is data for rewriting the contents of the control program stored in the nonvolatile memory, from the outside. Then, the rewrite process execution means executes the rewrite process for rewriting the contents of the control program stored in the non-volatile memory by writing the rewrite data received by the receiving process into the non-volatile memory. Whether the verification process execution means is in a state of waiting for reception of rewrite data in the reception process, and whether it is in a state of waiting for completion of writing of rewrite data to the nonvolatile memory in the rewrite process. When a verification execution condition set in advance so as to include at least one of the conditions is satisfied, a verification process for verifying whether the rewritten data written in the nonvolatile memory is appropriate is executed.

  According to the electronic control device configured as described above, in a state of waiting for reception of rewrite data in the reception process, or in a state of waiting for completion of writing of rewrite data to the nonvolatile memory in the rewrite process. The verification process can be executed. Therefore, even if the reception process is being executed, the verification process can be executed as long as it is waiting for the reception of the rewrite data. If it is in a state of waiting for completion of writing of the rewrite data, verification processing can be executed. That is, the verification process can be executed in parallel with the reception process or the rewrite process executed to rewrite the control program.

  As a result, the verification process can be executed before the writing of the entire control program to be rewritten is completed (that is, the verification process need not be executed after the writing of the entire control program is completed). The time from the start of program rewriting to the end of the verification process, that is, the time required for rewriting the control program can be shortened.

The memory rewriting method of the second invention includes a reception process execution procedure, a rewrite process execution procedure, and a verification process execution procedure.
In the memory rewriting method according to the second aspect of the invention, first, the contents of the control program stored in the non-volatile memory storing the control program for controlling the predetermined control object, in which the reception processing execution procedure can rewrite the stored contents. A reception process for receiving rewrite data that is data for rewriting the data is executed. Then, the rewrite process execution procedure executes the rewrite process for rewriting the contents of the control program stored in the non-volatile memory by writing the rewrite data received by the receiving process into the non-volatile memory. Whether the verification process execution procedure is in a state of waiting for reception of rewrite data in the reception process, and whether it is in a state of waiting for completion of writing of rewrite data to the nonvolatile memory in the rewrite process. When a verification execution condition set in advance so as to include at least one of the conditions is satisfied, a verification process for verifying whether the rewritten data written in the nonvolatile memory is appropriate is executed.

  The memory rewriting method of the second invention is a method executed by the electronic control device of the first invention, and the same effect as that of the electronic control device of the first invention can be obtained by executing this method.

It is a block diagram which shows the structure of ECU1 of 1st Embodiment. FIG. 3 is a diagram illustrating the configuration of a reception buffer 11 and a rewrite buffer 12. It is a flowchart which shows a control program execution process. It is a flowchart which shows a rewriting program execution process. It is a flowchart which shows a reception storage process. It is a flowchart which shows the rewriting execution process of 1st Embodiment. It is a flowchart which shows the verification execution process of 1st Embodiment. 6 is a timing chart illustrating operations of a reception process, a rewrite process, and a verification process according to the first embodiment. It is a block diagram which shows the structure of ECU1 of 2nd Embodiment. FIG. 3 is a diagram showing a configuration of a flash ROM 3 and a verification buffer 13. It is a flowchart which shows the rewriting execution process of 2nd Embodiment. It is a flowchart which shows the verification execution process of 2nd Embodiment. It is a timing chart which shows operation of reception processing, rewriting processing, and verification processing of a 2nd embodiment. It is a timing chart which shows operation | movement of the reception process before and after writing starting, a rewriting process, and a verification process. It is a figure explaining ROM verification pointer PT21. It is a flowchart which shows the rewriting execution process of 3rd Embodiment. It is a flowchart which shows the verification execution process of 3rd Embodiment. It is a timing chart which shows operation of reception processing, rewriting processing, and verification processing of a 3rd embodiment. It is a timing chart which shows operation | movement of the reception process of another embodiment, a rewriting process, and a verification process.

(First embodiment)
A first embodiment of the present invention will be described below with reference to the drawings.
An electronic control unit 1 (hereinafter referred to as ECU 1) of the present embodiment is mounted on a vehicle and controls an engine EG of the vehicle as shown in FIG.

The ECU 1 includes a CPU (central processing unit) 2, a flash ROM 3, a RAM 4, an input / output circuit 5, a communication circuit 6, and a bus 7 that interconnects them.
The flash ROM 3 is a data rewritable nonvolatile memory, and stores a program executed by the CPU 2 and data referred to when the program is executed.

  The RAM 4 is a volatile memory, and temporarily stores calculation results of the CPU 2 and the like. The RAM 4 is provided with a reception buffer 11 and a rewrite buffer 12. The reception buffer 11 is a storage area for temporarily storing data received from the program rewriting device RP for rewriting a program stored in the flash ROM 3. The rewrite buffer 12 is a storage area for temporarily storing data to be written to the flash ROM 3.

  The CPU 2 inputs and outputs various signals as information for controlling the engine EG from an intake pipe pressure sensor, an engine speed sensor, an engine water temperature sensor, an exhaust system oxygen sensor (air-fuel ratio sensor), a vehicle speed sensor, an ignition switch, and the like. Input via the circuit 5. The engine EG shown in FIG. 1 is a generic name for systems related to the engine such as an intake system and an exhaust system including the engine body, and detailed description thereof is omitted in this embodiment.

  The CPU 2 executes various processes based on the program stored in the flash ROM 3. Further, the CPU 2 performs a control calculation based on various signals input via the input / output circuit 5 and outputs a drive signal via the input / output circuit 5 to an electric load such as an ignition device and an injector based on the calculation result. Thus, the electric load related to the control of the engine EG is controlled. For example, the CPU 2 calculates the valve opening timing and valve opening time of the injector, and controls the fuel injection to the engine EG by outputting a drive signal for driving the injector based on the calculation result.

  Further, the communication circuit 6 exchanges messages with other ECUs (not shown) via the communication bus BS in accordance with, for example, a CAN (Controller Area Network) communication protocol, thereby obtaining data necessary for controlling the control target device. Send and receive. Further, a program rewriting device RP for rewriting a program stored in the flash ROM 3 is connected to the communication circuit 6 via a communication bus BS. The program rewriting device RP is detachable through a connector (not shown), for example, and is connected to the ECU 1 when the program is rewritten. The program rewriting device RP is a handy type device provided with a microcomputer and a display device or a small personal computer.

  Further, the reception buffer 11 of the RAM 4 has a ring buffer structure as shown in FIG. For this reason, the reception data received from the program rewriting device RP is sequentially written from the head address of the reception buffer 11 in the order of reception. When reception data is written to the last address of the reception buffer 11, the next reception data is written to the head address (see arrow AL1).

  Further, when receiving data is written in the receiving buffer 11, a receiving write pointer PT1 is provided which indicates an address of a storage area in which the receiving data is written. In addition, when the data stored in the reception buffer 11 is read out and written into the rewrite buffer 12, a reception read pointer PT2 is provided that indicates the address of the storage area in which the data to be read is stored. FIG. 2 shows that by reading the data RD1 from the reception buffer 11 and writing it in the rewrite buffer 12 (see arrow AL2), the indicated value of the reception read pointer PT2 has changed by the amount of data RD1 (see FIG. 2). (See arrow AL3).

  The rewrite buffer 12 of the RAM 4 has a ring buffer structure. For this reason, the read data read from the reception buffer 11 is sequentially written from the top address of the rewrite buffer 12 in the order of reading. When read data is written to the last address of the rewrite buffer 12, the next read data is written to the head address (see arrow AL4).

  A rewrite write pointer PT3 is provided for designating the address of the storage area where the read data is written when the read data is written to the rewrite buffer 12. FIG. 2 shows that the instruction value of the rewrite write pointer PT3 has changed by the amount of data RD1 by reading the data RD1 from the reception buffer 11 and writing it in the rewrite buffer 12 (see arrow AL2). (See arrow AL5).

  In addition, when the data stored in the rewrite buffer 12 is written to the flash ROM 3, a rewrite read pointer PT4 is provided to indicate the address of the storage area where the data to be read from the rewrite buffer 12 for writing to the flash ROM 3 is stored. It has been.

  Further, when verifying (validating) the data stored in the rewrite buffer 12, a rewrite verification pointer PT5 is provided which indicates the address of the storage area where the data to be verified is stored.

  In the ECU 1 configured as described above, the CPU 2 executes a control program execution process, a rewrite program execution process, a reception storage process, a rewrite execution process, and a verification execution process, which will be described later.

First, the procedure of the control program execution process executed by the CPU 2 will be described. The control program execution process is a process executed only once immediately after the ECU 1 is activated.
When this control program execution process is executed, the CPU 2 first determines whether or not a control program has already been written in the flash ROM 3 in S10 as shown in FIG. Here, when the control program is not written (S10: NO), the process of S10 is repeated to wait until the control program is written in the flash ROM 3. This control program is a program for controlling the engine EG.

  On the other hand, if the control program has already been written (S10: YES), the control program written in the flash ROM 3 is appropriate based on the result of verification (validate) in S20. Judge whether there is. If the written control program is not appropriate (S20: NO), the process proceeds to S10 and the above-described processing is repeated.

  On the other hand, if the written control program is appropriate (S20: YES), in S30, the control program written in the flash ROM 3 is started and the control program execution process is terminated.

Next, the procedure of the rewrite program execution process executed by the CPU 2 will be described. The rewrite program execution process is a process executed only once immediately after the ECU 1 is activated.
When the rewrite program execution process is executed, the CPU 2 first determines whether or not a program rewrite request is received from the program rewrite device RP via the communication circuit 6 in S110, as shown in FIG. Here, when the program rewrite request is not received (S110: NO), the process of S110 is repeated to wait until the program rewrite request is received.

  On the other hand, when a program rewrite request is received (S110: YES), a rewrite program for rewriting the control program is acquired from the program rewrite device RP via the communication circuit 6 in S120. In S130, execution of the acquired rewrite program is started, and the rewrite program execution process is terminated.

  Next, the procedure of the reception storing process executed by the CPU 2 will be described. The reception storage process is a process described in the rewrite program. The process starts when the execution of the rewrite program is started, and ends when the rewrite of the control program is completed.

  When this reception storage process is executed, the CPU 2 first determines in S210 whether or not the rewrite process (the process of S320) is being executed, as shown in FIG. If the control program is not rewritten (S210: NO), the process proceeds to S230. On the other hand, if the rewriting process is being executed (S210: YES), it is determined in S220 whether or not it is in a state waiting for the end of data writing (hereinafter referred to as a write end waiting state). Note that the write completion wait state refers to a state in which the CPU 2 transmits a write instruction to the flash ROM 3 and then the CPU 2 waits for a write completion notification from the flash ROM 3.

  Here, when it is not in the writing end waiting state (S220: NO), the process proceeds to S210 and the above-described processing is repeated. On the other hand, when it is in the writing end waiting state (S220: YES), the process proceeds to S230.

  When the process proceeds to S230, a process of receiving data indicating a new control program to be rewritten by the current program rewriting request from the program rewriting apparatus RP via the communication circuit 6 (hereinafter referred to as a receiving process) is executed.

  In S240, it is determined whether or not new data has been received from the program rewriting device RP by the reception process in S230. If no new data has been received (S240: NO), the process proceeds to S210, and the above process is repeated.

  On the other hand, when data is newly received (S240: YES), the received data is received and stored in the reception buffer 11 in order in S250. In S260, the reception write pointer PT1 is updated. Specifically, the instruction value of the reception write pointer PT1 is changed by the amount of data stored in the reception buffer 11 in S250.

  In step S <b> 270, data stored in the reception buffer 11 that is not stored in the rewrite buffer 12 is read from the reception buffer 11 and stored in the rewrite buffer 12. In S280, the reception read pointer PT2 and the rewrite write pointer PT3 are updated. Specifically, the instruction values of the reception read pointer PT2 and the rewrite write pointer PT3 are changed by the amount of data stored in the rewrite buffer 12 in S270.

  Thereafter, in S290, it is determined whether or not all rewriting related to the control program to be rewritten by the current program rewriting request has been completed. Here, when all the rewriting is not completed (S290: NO), the process proceeds to S210 and the above-described processing is repeated. On the other hand, if all rewriting has not been completed (S290: NO), the reception storage process is terminated.

  Next, the procedure of the rewrite execution process executed by the CPU 2 will be described. The rewrite execution process is a process described in the rewrite program. The process starts when the execution of the rewrite program is started, and ends when the control program is rewritten.

  When this rewrite execution process is executed, as shown in FIG. 6, the CPU 2 first determines in S310 whether there is any data stored in the rewrite buffer 12 that has not been written to the flash ROM 3. to decide. Specifically, when the instruction value of the rewrite write pointer PT3 and the instruction value of the rewrite read pointer PT4 do not match each other, it is determined that there is data not written in the flash ROM 3.

  Here, when there is no data not written in the flash ROM 3 (hereinafter referred to as unwritten data) (S310: NO), the process of S310 is repeated, whereby the unwritten data is stored in the rewrite buffer 12. Wait until

  On the other hand, if there is unwritten data (S310: YES), in S320, the unwritten data is read from the rewrite buffer 12, and the read data is written to the flash ROM 3, thereby rewriting the control program. Run.

  Thereafter, in S330, the data written in S320 is verified. Specifically, it is confirmed whether or not the data read from the rewrite buffer 12 and the data written to the flash ROM 3 match each other.

  In S340, based on the result of verification in S330, it is determined whether the data read from the rewrite buffer 12 and the data written in the flash ROM 3 match each other. Here, when both data do not correspond (S340: NO), it transfers to S320 and repeats the above-mentioned process.

  On the other hand, if the two data match (S340: YES), the rewrite read pointer PT4 is updated in S350. Specifically, the instruction value of the rewrite read pointer PT4 is changed by the amount of data read from the rewrite buffer 12 in S320.

  Thereafter, in S360, it is determined whether or not all rewriting related to the control program to be rewritten by the current program rewriting request has been completed. Here, when all rewriting is not completed (S360: NO), the process proceeds to S310 and the above-described processing is repeated. On the other hand, when all rewriting is completed (S360: YES), the rewriting execution process is terminated.

  Next, a procedure of verification execution processing executed by the CPU 2 will be described. The verification execution process is a process described in the rewrite program. The process starts when the execution of the rewrite program is started, and ends when the rewrite of the control program is completed.

  When the verification execution process is executed, as shown in FIG. 7, the CPU 2 first determines in S410 whether or not the rewrite process (the process of S320) is being executed. If the rewriting process is not executed (S410: NO), the process proceeds to S430. On the other hand, when the rewriting process is being executed (S410: YES), it is determined in S420 whether or not the writing completion waiting state is set.

  Here, when it is not in the writing end waiting state (S420: NO), the process proceeds to S410 and the above-described processing is repeated. On the other hand, when it is in the writing end waiting state (S420: YES), the process proceeds to S430.

  When the process proceeds to S430, it is determined whether or not the reception process (the process of S230) is being executed. If the reception process is not executed (S430: NO), the process proceeds to S450. On the other hand, when the reception process is being executed (S430: YES), it is determined in S440 whether or not it is in a state of waiting for reception of data from the program rewriting device RP (hereinafter referred to as a reception wait state). to decide. The reception waiting state refers to, for example, a state in which the CPU 2 waits until reception of the next message is started after reception of a message is completed during reception processing.

  Here, when it is not in the reception waiting state (S440: NO), the process proceeds to S410 and the above-described processing is repeated. On the other hand, when it is in a reception waiting state (S440: YES), the process proceeds to S450.

  In S450, it is determined whether or not there is data that has not been verified (validated) among the data stored in the rewrite buffer 12. Specifically, if the instruction value of the rewrite write pointer PT3 and the instruction value of the rewrite verification pointer PT5 do not match each other, it is determined that there is data that has not been verified (validated).

If there is no data that has not been verified (hereinafter referred to as unverified data) (S450: NO), the process proceeds to S410 and the above-described processing is repeated.
On the other hand, if there is unverified data (S450: YES), verification processing is executed in S460. Specifically, first, of the data stored in the rewrite buffer 12, data from the address indicated by the rewrite verification pointer PT5 to the address for the preset verification unit is read. For the read data, for example, an authentication calculation such as a sum calculation or a CRC calculation is executed, and the calculated value and the value of the verification data previously given to the read data on the program rewriting device RP side are obtained. In comparison, if the two match, it is determined that the read data is appropriate, and if the two do not match, it is determined that the read data is incorrect.

  In step S470, the rewrite verification pointer PT5 is updated. Specifically, the instruction value of the rewriting verification pointer PT5 is changed by the amount of data that has been verified (validated) in S460.

  Thereafter, in S480, it is determined whether or not all verification (validation) related to the control program to be rewritten by the current program rewrite request has been completed. Here, when all the verifications are not completed (S480: NO), the process proceeds to S410 and the above-described processing is repeated. On the other hand, when all the verifications are completed (S480: YES), the verification execution process is ended.

  In the ECU 1 configured as described above, first, a reception process for receiving rewrite data for rewriting the contents of the control program stored in the flash ROM 3 is executed (S230). And the rewriting process which rewrites the content of the control program memorize | stored in flash ROM3 is performed by writing in the flash ROM3 the rewriting data received by the receiving process (S320). In addition, the reception process is not executed (S430: NO) or the reception process is waiting for the rewrite data (S440: YES), and the rewrite process is not executed (S410: NO). ) Or in the rewrite process, when both of the states of waiting for the completion of rewrite data write to the non-volatile memory (S420: YES) are satisfied, the rewrite data written to the non-volatile memory is appropriate. A verification process for verifying whether or not there is is executed (S460).

  Therefore, even if the reception process is being executed, the verification process can be executed as long as it is waiting for the reception of the rewrite data. If it is in a state of waiting for completion of writing of the rewrite data, verification processing can be executed. That is, for example, as shown in FIG. 8, the verification process can be executed in parallel with the reception process or the rewrite process executed to rewrite the control program.

  In FIG. 8, the reception processes RP01, RP02, RP03,..., RP14 are sequentially executed. First, during the execution of the reception process RP01, the rewrite process WP01 and the verification process VP01 are started (see time t01). ). The rewriting process WP01 writes the data received by the receiving process RP01. The verification process VP01 verifies the data written in the rewrite process WP01. As a result, the reception processes RP01, RP02, RP03, the rewrite process WP01, and the verification process VP01 are executed in parallel.

  Further, the rewrite process WP02 is started before the start of the reception process RP04 (see time t02), and thereafter the verification process VP02 is started. The rewriting process WP02 writes the data received by the receiving processes RP02 and RP03. The verification process VP02 verifies the data written in the rewrite process WP02. As a result, the reception processes RP04, RP05, RP06, the rewrite process WP02, and the verification process VP02 are executed in parallel.

  Further, the rewrite process WP03 is started before the start of the reception process RP07 (see time t03), and thereafter the verification process VP03 is started. The rewriting process WP03 writes the data received in the receiving processes RP04, RP05, and RP06. The verification process VP03 verifies the data written in the rewrite process WP03. As a result, the reception processes RP07, RP08, RP09, RP10, the rewrite process WP03, and the verification process VP03 are executed in parallel.

  Further, the rewrite process WP04 is started before the start of the reception process RP11 (see time t04), and thereafter the verification process VP04 is started. The rewrite process WP04 writes the data received in the reception processes RP07, RP08, RP09, and RP10. The verification process VP04 verifies the data written in the rewrite process WP04. As a result, the reception processes RP11, RP12, RP13, RP14, the rewrite process WP04, and the verification process VP04 are executed in parallel.

  As a result, the verification process can be executed before the writing of the entire control program to be rewritten is completed (that is, the verification process need not be executed after the writing of the entire control program is completed). The time from the start of program rewriting to the end of the verification process, that is, the time required for rewriting the control program can be shortened.

  Further, the ECU 1 includes a rewrite buffer 12 that temporarily stores rewrite data to be written to the flash ROM 3 by rewrite processing, and executes verification processing on the rewrite data stored in the rewrite buffer 12. .

  As a result, rewriting data to be written to the flash ROM 3 can be verified without reading the data from the flash ROM 3. Note that data cannot be read from the flash ROM 3 during the rewriting process. However, since the verification process can be executed on the rewrite data stored in the rewrite buffer 12 instead of the flash ROM 3, even when the rewrite process is being executed, the completion of the rewrite data writing to the nonvolatile memory is terminated. If it is in a waiting state, the verification process can be executed.

  The rewrite buffer 12 has a ring buffer structure. That is, when rewrite data is written to the last address of the rewrite buffer 12, the next rewrite data is written to the start address of the rewrite buffer 12. For this reason, when new verification data is written to the rewrite buffer 12 in a state where the verification of the rewrite data written in the rewrite buffer 12 is not completed, it is not necessary to move the unverified rewrite data to the head address. . On the other hand, if the rewrite buffer 12 does not have a ring buffer structure, no more data can be written when rewritten data is written to the last address. Therefore, in order to secure an area for writing data, unverified rewritten data is used as the top address. Need to be moved to.

  In the embodiment described above, the flash ROM 3 is the non-volatile memory in the present invention, the process in S230 is the reception process execution means and the reception process execution procedure in the present invention, and the process in S320 is the rewrite process execution means and the rewrite process execution procedure in the present invention. , S460 is the verification processing execution means and verification processing execution procedure in the present invention.

(Second Embodiment)
A second embodiment of the present invention will be described below with reference to the drawings. In the second embodiment, parts different from the first embodiment will be described.

The ECU 1 of the second embodiment is the same as the first embodiment except that the configuration of the ECU 1, the rewrite execution process, and the verification process are changed.
First, the configuration of the ECU 1 is the same as that of the first embodiment except that a verification buffer 13 is further provided in the RAM 4 as shown in FIG.

  The verification buffer 13 has a ring buffer structure as shown in FIG. For this reason, the read data read from the flash ROM 3 is sequentially written from the head address of the verification buffer 13 in the order of reading. When read data is written to the last address of the verification buffer 13, the next read data is written to the head address (see arrow AL11).

  Also, a ROM read pointer PT11 is provided that indicates the address of the storage area where the read data is stored when the data written in the flash ROM 3 is read out and written into the verification buffer 13. FIG. 11 shows that by reading the data RD11 from the flash ROM 3 and writing it in the verification buffer 13 (see arrow AL12), the indicated value of the ROM read pointer PT11 has changed by the amount of data RD11 (arrow). See AL13).

Further, when writing data to the flash ROM 3, a ROM write pointer PT12 is provided which indicates an address of a storage area in which the data is written.
In addition, a verification write pointer PT13 is provided which indicates an address of a storage area in which the read data is written when the read data is written into the verification buffer 13. FIG. 10 shows that the instruction value of the verification write pointer PT13 has changed by the amount of data RD1 by reading the data RD11 from the flash ROM 3 and writing it in the verification buffer 13 (see arrow AL12) (see FIG. 10). (See arrow AL14).

  A verification pointer PT14 for indicating the address of a storage area in which data to be verified is verified when data stored in the verification buffer 13 is verified (validated) is provided.

  Next, the rewriting execution process of 2nd Embodiment is demonstrated. As shown in FIG. 11, the rewrite execution process of the second embodiment is the same as that of the first embodiment except that the processes of S303, S306, S342, S345, and S355 are added and the process of S350 is omitted. The same.

  That is, when this rewrite execution process is executed, the CPU 2 first verifies among the control programs already written in the flash ROM 3 separately from the control program to be rewritten by the current program rewrite request in S303. Unread data is read from the flash ROM 3 and stored in the verification buffer 13.

  In S306, the ROM read pointer PT11, the verification write pointer PT13, and the verification verification pointer PT14 are updated. Specifically, the ROM read pointer PT11 is set to the start address of the storage area in which the control program to be rewritten by the current program rewrite request is written. Further, the verification write pointer PT13 is set to the address next to the last address of the data stored in the verification buffer 13 in S303. Further, the verification pointer PT14 is set to the head address of the data stored in the verification buffer 13 in S303. When the process of S306 is completed, the process proceeds to S310.

  In S340, when the data read from the rewrite buffer 12 and the data written in the flash ROM 3 match each other (S340: YES), the ROM write pointer PT12 is updated in S342. Specifically, the instruction value of the ROM write pointer PT12 is changed by the amount of data written to the flash ROM 3 in S320.

  In S345, the data written in the flash ROM 3 that is not stored in the verification buffer 13, that is, written between the address indicated by the ROM read pointer PT11 and the address indicated by the ROM write pointer PT12 is written. Is read from the flash ROM 3 and stored in the verification buffer 13. Further, in S355, the ROM read pointer PT11 and the verification write pointer PT13 are updated. Specifically, the instruction values of the ROM read pointer PT11 and the verification write pointer PT13 are changed by the amount of data stored in the verification buffer 13 in S345. When the process of S355 ends, the process proceeds to S360.

Next, verification execution processing according to the second embodiment will be described.
When the verification execution process is executed, as shown in FIG. 12, the CPU 2 first determines in S510 whether or not the rewrite process (the process of S320) is being executed. If the rewriting process is not executed (S510: NO), the process proceeds to S530. On the other hand, if the rewriting process is being executed (S510: YES), it is determined in S520 whether or not the writing completion waiting state is set.

  Here, when it is not in the writing end waiting state (S520: NO), the process proceeds to S510 and the above-described processing is repeated. On the other hand, when it is in the writing end waiting state (S520: YES), the process proceeds to S530.

  When the process proceeds to S530, it is determined whether the reception process (the process of S230) is being executed. If the reception process is not executed (S530: NO), the process proceeds to S550. On the other hand, if the reception process is being executed (S530: YES), it is determined in S540 whether or not it is in a state of waiting for reception of data from the program rewriting device RP (hereinafter referred to as a reception wait state). to decide.

  Here, when it is not in the reception waiting state (S540: NO), the process proceeds to S510 and the above-described processing is repeated. On the other hand, when it is in the reception waiting state (S540: YES), the process proceeds to S550.

  In step S450, it is determined whether there is data that has not been verified (validated) among the data stored in the verification buffer 13. Specifically, when the indication value of the verification write pointer PT13 and the indication value of the verification verification pointer PT14 do not match each other, it is determined that there is data that has not been verified (validated).

If there is no data that has not been verified (hereinafter referred to as unverified data) (S550: NO), the process proceeds to S510, and the above-described processing is repeated.
On the other hand, if there is unverified data (S550: YES), verification processing is executed in S560. Specifically, first, of the data stored in the verification buffer 13, the data from the address indicated by the verification verification pointer PT14 to the address corresponding to the preset verification unit is read. For the read data, for example, an authentication calculation such as a sum calculation or a CRC calculation is executed, and the calculated value and the value of the verification data previously given to the read data on the program rewriting device RP side are obtained. In comparison, if the two match, it is determined that the read data is appropriate, and if the two do not match, it is determined that the read data is incorrect.

  In step S570, the verification pointer PT14 for verification is updated. Specifically, the instruction value of the verification pointer PT14 is changed by the amount of data that has been verified (validated) in S560.

  Thereafter, in S580, it is determined whether or not all verification (validation) related to the control program to be rewritten by the current program rewrite request has been completed. Here, when all the verifications are not completed (S580: NO), the process proceeds to S510 and the above-described processing is repeated. On the other hand, when all the verifications are completed (S580: YES), the verification execution process is ended.

  In the ECU 1 configured as described above, first, a reception process for receiving rewrite data for rewriting the contents of the control program stored in the flash ROM 3 is executed (S230). And the rewriting process which rewrites the content of the control program memorize | stored in flash ROM3 is performed by writing in the flash ROM3 the rewriting data received by the receiving process (S320). In addition, the reception process is not executed (S530: NO) or the reception process is waiting for the rewrite data (S540: YES), and the rewrite process is not executed (S510: NO). ) Or the state of waiting for the completion of rewrite data writing to the non-volatile memory in the rewrite process (S520: YES), the rewrite data written to the non-volatile memory is appropriate. A verification process for verifying whether or not there is is executed (S560).

  Therefore, even if the reception process is being executed, the verification process can be executed as long as it is waiting for the reception of the rewrite data. If it is in a state of waiting for completion of writing of the rewrite data, verification processing can be executed. That is, for example, as shown in FIG. 13 and FIG. 14, the verification process can be executed in parallel with the reception process or the rewrite process executed to rewrite the control program. Thereby, similarly to the first embodiment, the time required for rewriting the control program can be shortened.

  In FIG. 13, reception processes RP01, RP02, RP03,..., RP14 are sequentially executed, and the verification process VP11 is started before the reception process RP01 is started (see time t11). Then, the rewriting process WP11 is started during the execution of the receiving process RP01 (see time t12). The rewrite process WP11 writes the data received by the reception process RP01. The verification process VP11 verifies the data (for example, data written by partial rewriting) written in the flash ROM 3 before the rewriting process WP11. As a result, the reception processes RP01, RP02, and RP03, the rewrite process WP11, and the verification process VP11 are executed in parallel.

  Further, the rewrite process WP12 is started before the start of the reception process RP04 (see time t13), and thereafter the verification process VP12 is started. The rewriting process WP12 writes the data received in the receiving processes RP02 and RP03. The verification process VP12 verifies the data written in the rewrite processes WP11 and WP12. As a result, the reception processes RP04, RP05, RP06, the rewrite process WP12, and the verification processes VP11, VP12 are executed in parallel.

  Further, the rewrite process WP13 is started before the start of the reception process RP07 (see time t14), and thereafter the verification process VP13 is started. The rewriting process WP13 writes the data received in the receiving processes RP04, RP05, RP06. The verification process VP13 verifies the data written in the rewrite process WP13. Accordingly, the reception processes RP07, RP08, RP09, RP10, the rewrite process WP13, and the verification processes VP12, VP13 are executed in parallel.

  Further, the rewrite process WP14 is started before the start of the reception process RP11 (see time t15), and then the verification process VP14 is started. The rewriting process WP14 writes the data received in the receiving processes RP07, RP08, RP09, RP10. The verification process VP14 verifies the data written in the rewrite process WP14. As a result, the reception processes RP11, RP12, RP13, RP14, the rewrite process WP14, and the verification processes VP13, VP14 are executed in parallel.

  In FIG. 14, the reception process RP21 and the verification process VP21 are executed in parallel before the write activation WP21, and the reception process RP22, the rewrite process WP22, and the verification process VP22 are performed in parallel after the write activation WP21. Is shown to be executed.

  The ECU 1 also includes a verification buffer 13 that temporarily stores rewrite data written in the flash ROM 3, and executes verification processing on the rewrite data stored in the verification buffer 13.

  As a result, rewriting data to be written to the flash ROM 3 can be verified without reading the data from the flash ROM 3. For this reason, as in the first embodiment, even when the rewriting process is being executed, the verification process can be executed as long as the writing of the rewritten data to the nonvolatile memory is awaited.

  If the rewrite data written in the flash ROM 3 by the rewrite process based on the previous program rewrite request remains in the verification buffer 13 at the time of receiving the current program rewrite request, In parallel with the rewriting process based on the program rewriting request of the rewriting request, the verification of the rewriting data by the rewriting process based on the previous program rewriting request can be continued.

  The verification buffer 13 has a ring buffer structure. For this reason, as in the first embodiment, when all the verifications on the rewritten data written in the verification buffer 13 are not completed, and new data is written in the verification buffer 13, unverified rewritten data is stored. There is no need to move to the start address.

In the embodiment described above, the processing of S560 is the verification processing execution means and the verification processing execution procedure in the present invention.
(Third embodiment)
A third embodiment of the present invention will be described below with reference to the drawings. In the third embodiment, parts different from the first embodiment will be described.

The ECU 1 of the third embodiment is the same as the first embodiment except that the configuration of the ECU 1, the rewrite execution process, and the verification execution process are changed.
First, the configuration of the ECU 1 is that the rewriting verification pointer PT5 is omitted, and the data to be verified is written when the data written in the flash ROM 3 is verified (validated) as shown in FIG. The second embodiment is the same as the first embodiment except that a ROM verification pointer PT21 is provided to indicate the address of the storage area.

Next, the rewrite execution process of the third embodiment will be described. The rewrite execution process of the third embodiment is the same as that of the first embodiment except that the process of S308 is added as shown in FIG.
That is, when this rewrite execution process is executed, the CPU 2 first updates the ROM verification pointer PT21 in S308. Specifically, the ROM verification pointer PT21 is the start address of the storage area of the data that has not been verified among the control programs already written in the flash ROM 3 separately from the control program to be rewritten by the current program rewrite request. Set to. Then, when the processing of S308 ends, the process proceeds to S310.

Next, verification execution processing according to the third embodiment will be described.
When the verification execution process is executed, as shown in FIG. 17, the CPU 2 first determines in S610 whether or not the rewrite process (the process of S320) is being executed. When the rewriting process is being executed (S610: YES), the process proceeds to S610, and the process of S610 is repeated. On the other hand, if the rewriting process is not executed (S610: NO), it is determined in S620 whether the receiving process (the process of S230) is being executed. If the reception process is not executed (S620: NO), the process proceeds to S640.

  On the other hand, if the reception process is being executed (S620: YES), it is determined in S630 whether or not a reception waiting state is set. Here, when it is not a reception waiting state (S630: NO), it transfers to S610 and repeats the above-mentioned process. On the other hand, when it is in a reception waiting state (S630: YES), the process proceeds to S640.

  In S640, a verification process is executed. Specifically, first, of the data written in the flash ROM 3, the data from the address indicated by the ROM verification pointer PT21 to the address corresponding to the preset verification unit is read. For the read data, for example, an authentication calculation such as a sum calculation or a CRC calculation is executed, and the calculated value and the value of the verification data previously given to the read data on the program rewriting device RP side are obtained. In comparison, if the two match, it is determined that the read data is appropriate, and if the two do not match, it is determined that the read data is incorrect.

In step S650, the ROM verification pointer is updated. Specifically, the instruction value of the ROM verification pointer is changed by the amount of data that has been verified (validated) in S640.
Thereafter, in S660, it is determined whether or not all verification (validation) related to the control program to be rewritten by the current program rewrite request has been completed. If all the verifications have not been completed (S660: NO), the process proceeds to S610 and the above-described process is repeated. On the other hand, when all the verifications are completed (S660: YES), the verification execution process is ended.

  In the ECU 1 configured as described above, first, a reception process for receiving rewrite data for rewriting the contents of the control program stored in the flash ROM 3 is executed (S230). And the rewriting process which rewrites the content of the control program memorize | stored in flash ROM3 is performed by writing in the flash ROM3 the rewriting data received by the receiving process (S320). In addition, the reception process is not executed (S620: NO) or the reception process is waiting for the rewrite data (S630: YES), and the rewrite process is not executed (S610: NO). ), A verification process for verifying whether or not the rewritten data written to the nonvolatile memory is appropriate is executed (S640).

  For this reason, even if the reception process is being executed, the verification process can be executed as long as it is waiting for the reception of the rewrite data. That is, for example, as shown in FIG. 18, the reception process and the verification process can be executed in parallel. Thereby, similarly to the first embodiment, the time required for rewriting the control program can be shortened.

  In FIG. 18, the reception processes RP01, RP02, RP03,..., RP14 are sequentially executed, and the verification process VP31 is started before the reception process RP01 is started (see time t31). Then, the rewriting process WP31 is started during the execution of the receiving process RP01 (see time t32). For this reason, the verification process VP31 ends before the start of the rewrite process WP31. The rewriting process WP31 writes the data received by the receiving process RP01. The verification process VP31 verifies the data written in the flash ROM 3 before the rewrite process WP31. As a result, the reception process RP01 and the verification process VP31 are executed in parallel.

  When the rewriting process WP31 ends, the verification process VP32 is started (see time t33). Then, the rewrite process WP32 is started before the start of the reception process RP04. (See time t34). For this reason, the verification process VP31 ends before the start of the rewrite process WP32. The rewriting process WP32 writes the data received in the receiving processes RP02 and RP03. The verification process VP32 verifies the data written in the flash ROM 3 before the rewrite process WP31. Thereby, the reception process RP03 and the verification process VP32 are executed in parallel.

  Further, when the rewriting process WP32 is completed, the verification process VP33 is started (see time t35). Then, the rewrite process WP33 is started before the start of the reception process RP07. (See time t36). For this reason, the verification process VP33 ends before the start of the rewrite process WP33. The rewriting process WP33 writes the data received in the receiving processes RP04, RP05, RP06. The verification process VP33 verifies the data written in the flash ROM 3 before the rewrite process WP31.

  When the rewriting process WP33 ends, the verification process VP34 is started (see time t37). Then, the rewrite process WP34 is started before the start of the reception process RP11. (See time t38). Therefore, the verification process VP34 ends before the rewrite process WP34 starts. The rewriting process WP34 writes the data received in the receiving processes RP07, RP08, RP09, and RP10. The verification process VP34 verifies the data written in the flash ROM 3 before the rewrite process WP11. Thereby, the reception process RP10 and the verification process VP34 are executed in parallel.

  The ECU 1 also performs verification processing on the rewritten data written in the flash ROM 3. As a result, even if the RAM 4 does not have enough storage capacity to provide the verification buffer 13, the verification process can be executed.

  Further, when the rewrite data written in the flash ROM 3 by the rewrite process based on the previous program rewrite request remains unverified when the current program rewrite request is received, the program rewrite request program of this time In parallel with the rewrite process based on the rewrite request, verification of the rewrite data by the rewrite process based on the previous program rewrite request can be continued.

In the embodiment described above, the processing of S640 is the verification processing execution means and the verification processing execution procedure in the present invention.
As mentioned above, although one Embodiment of this invention was described, this invention is not limited to the said embodiment, As long as it belongs to the technical scope of this invention, a various form can be taken.

For example, in the above-described embodiment, the control target of the ECU 1 is the vehicle engine. However, the present invention is not limited to this, and may be an automatic transmission, for example.
In the above embodiment, the control program is stored in the flash ROM 3. However, the storage medium for the control program is not limited to this, and for example, nonvolatile storage that can rewrite the storage content, such as an EEPROM. Any memory can be used.

  In the above embodiment, the rewriting program is acquired from the program rewriting device RP. However, the ECU 1 may store the rewriting program in the flash ROM 3 in advance.

  In the above embodiment, the rewrite buffer 12 and the verification buffer 13 are formed in a ring buffer structure. However, a normal structure other than the ring buffer structure may be used. However, in the case of a normal structure, it is necessary to move already written data to the head address before new data is written.

  Moreover, in the said embodiment, what determined whether the control program currently written in S20 is appropriate was shown. However, when the verification process determines that the written control program is not appropriate, it is determined in the process of S10 that the control program has not been written even if the control program has already been written. If so, the process of S20 can be made unnecessary. For example, an area for storing an identification value indicating whether both rewriting and verification (validation) are normal is provided, and the identification value is erased at the start of rewriting. When the rewriting is normally completed and the verification result is normal, the identification value of the preset value is stored again. On the other hand, if the rewriting is interrupted or the verification result is abnormal, the identification is performed. Prohibit value storage. This makes it possible to determine whether or not the control program has been normally written based on the identification value, and eliminates the need for processing to determine whether or not the written control program is appropriate. Can do.

  Moreover, in the said embodiment, what performed a receiving process, a rewriting process, and a verification process in parallel, and what performed a receiving process and a verification process in parallel were shown. However, for example, as shown in FIG. 19, the rewriting process and the verification process may be executed in parallel. Note that FIG. 19 is configured to execute a rewriting process in which data received in a plurality of receiving processes is collectively written in the flash ROM after a plurality of receiving processes, and to resume the receiving process after the rewriting process is completed. In the electronic control apparatus, the verification process is executed in parallel with the rewrite process and is executed between the reception process and the reception process.

  1 ... ECU, 3 ... Flash ROM

Claims (11)

A non-volatile memory (3) capable of rewriting stored contents and storing a control program for controlling a predetermined control object;
A receiving process executing means (S230) for executing a receiving process for receiving rewrite data from the outside, which is data for rewriting the contents of the control program stored in the nonvolatile memory;
Rewriting processing execution means (S320) for executing rewriting processing for rewriting the contents of the control program stored in the nonvolatile memory by writing the rewriting data received by the receiving processing in the nonvolatile memory;
At least one of whether it is in a state of waiting for reception of the rewrite data in the reception process and whether it is in a state of waiting for completion of writing of the rewrite data to the nonvolatile memory in the rewrite process Verification processing means for executing verification processing for verifying whether or not the rewritten data written to the nonvolatile memory is appropriate when a preset verification execution condition is established so as to include (S460, S560, S640) The electronic control apparatus (1) characterized by the above-mentioned. The verification processing execution means (S460, S560)
The first determination state is a state in which the reception process is not executed or a state in which reception of the rewrite data is awaited in the reception process, and a state in which the rewrite process is not executed or the nonvolatile process in the rewrite process. The state of waiting for completion of writing of the rewritten data to the volatile memory is set as the second determination state, and the first determination state and the second determination state are set as the first verification execution condition, The electronic control apparatus according to claim 1, wherein a first verification execution condition is adopted as the verification execution condition. A rewrite buffer (12) for temporarily storing the rewrite data to be written to the nonvolatile memory by the rewrite processing before the data is written to the nonvolatile memory;
The verification processing execution unit adopts the first verification execution condition as the verification execution condition, and executes the verification processing on the rewritten data stored in the rewrite buffer. The electronic control apparatus as described in. A verification buffer (13) for temporarily storing the rewritten data written in the nonvolatile memory;
The electronic control device according to claim 2, wherein the verification processing execution unit executes the verification processing on the rewritten data stored in the verification buffer. The verification processing execution means (S640)
The first determination state is a state in which the reception process is not executed or a state in which reception of the rewrite data is awaited in the reception process, and a third determination that the rewrite process is not executed. The second verification execution condition is adopted as the second verification execution condition, and the second verification execution condition is adopted as the verification execution condition. The electronic control device described. The electronic control device according to claim 5, wherein the verification processing execution unit executes the verification processing on the rewritten data written in the nonvolatile memory. The electronic control device according to claim 3, wherein the rewrite buffer has a ring buffer structure. The electronic control device according to claim 4, wherein the verification buffer has a ring buffer structure. Receiving rewrite data, which is data for rewriting the contents of the control program stored in the non-volatile memory that stores the control program for controlling a predetermined control object, can be rewritten. Receiving process execution procedure (S230),
A rewrite process execution procedure (S320) for executing a rewrite process for rewriting the contents of the control program stored in the non-volatile memory by writing the rewrite data received by the reception process to the non-volatile memory;
At least one of whether it is in a state of waiting for reception of the rewrite data in the reception process and whether it is in a state of waiting for completion of writing of the rewrite data to the nonvolatile memory in the rewrite process Verification process execution procedure for executing verification process for verifying whether or not the rewritten data written to the nonvolatile memory is appropriate when a preset verification execution condition is established so as to include (S460, S560, S640) The memory rewriting method characterized by the above-mentioned. The verification processing execution procedure (S460, S560)
The first determination state is a state in which the reception process is not executed or a state in which reception of the rewrite data is awaited in the reception process, and a state in which the rewrite process is not executed or the nonvolatile process in the rewrite process. The state of waiting for completion of writing of the rewritten data to the volatile memory is set as the second determination state, and the first determination state and the second determination state are set as the first verification execution condition, The memory rewriting method according to claim 9, wherein the first verification execution condition is adopted as the verification execution condition. The verification process execution procedure (S640) includes:
The first determination state is a state in which the reception process is not executed or a state in which reception of the rewrite data is awaited in the reception process, and a third determination that the rewrite process is not executed. The second verification execution condition is adopted as the second verification execution condition, and the second verification execution condition is adopted as the verification execution condition. Memory rewrite method as described.