JP2015207937A - Communication apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technology for preventing processing based on contents of an unauthorized communication frame from being performed in a communication system where communications are performed via a common communication path.SOLUTION: An on-vehicle system functions as a node in the communication system. In the communication system, a communication frame is transmitted by sending a recessive signal and a dominant signal from a node to the communication path in order and it is specified that a communication frame being transmitted becomes ineffective when patterns of the recessive signal and the dominant signal meet a previously specified error condition. Reception means (S100) included in the on-vehicle system receives a communication frame. In the case where determination means (S110) determines that the communication frame received by the reception means is unauthorized on the basis of identification data included in the communication frame, transmission means (S120) sends the dominant signal to the communication path in such a manner that the error condition is satisfied during the transmission of the communication frame.

Description

  The present invention relates to a technique in which a plurality of devices communicate via a common communication path.

Conventionally, a technique in which a plurality of devices communicate with each other via a common communication path is known.
For example, in a vehicle, a technique in which a plurality of electronic control units (ECUs) connected to a common communication path transmit and receive communication frames via the communication path and communicate with each other is well known. Further, in the vehicle, an external tool (external device) is connected to such a common communication path, and using the external tool, a communication frame is transmitted to and received from an ECU connected to the communication path. The vehicle state can be diagnosed.

  By the way, operations that can be carried out by communicating with the ECU using an external tool include those other than authorized workers, such as setting and releasing security-related information and program rewriting (reprogramming). Operations that should not be performed are also included. When an external tool (non-regular external tool) by an unauthorized worker is connected to a common communication path, there is a possibility that these information and programs may be illegally obtained or rewritten.

  Therefore, when an unauthorized external tool is connected to a common communication path, an ECU to be communicated with by the external tool is specified based on the content of an unauthorized communication frame transmitted from the external tool. A technology has been proposed in which the ECU is shifted from the activated state to the inactive state (see Patent Document 1).

JP2013-74489A

  However, in the technique described in Patent Document 1, the ECU to be communicated is specified based on the content of the unauthorized communication frame after the transmission and reception of the unauthorized communication frame is completed. It is possible that processing based on the contents of an unauthorized communication frame targeted for the ECU (for example, unauthorized acquisition or rewriting of information or programs as described above, etc.) may be started before entering the dormant state. There was a problem.

  The present invention has been made in view of such problems, and is intended to suppress processing based on the contents of an unauthorized communication frame in a communication system in which communication is performed via a common communication path. The purpose is to provide technology.

  One aspect of the present invention is a communication device, and the communication device functions as a node in a communication system in which a plurality of nodes transmit and receive a communication frame including identification data via a common communication path. In the communication system, a communication frame is transmitted by sequentially transmitting an inferior state signal and a superior state signal that is superior to the inferior state signal in the communication path from the node to the communication path. Also, in the communication system, a communication protocol that is specified so that a communication frame being transmitted is invalidated when a pattern of an inferior state signal and a superior state signal transmitted to the communication path satisfies a predetermined error condition. Accordingly, each of the plurality of nodes performs communication.

  The communication apparatus includes a receiving unit, a determining unit, and a sending unit. The receiving means receives a communication frame. The determination unit determines whether or not the communication frame is illegal based on identification data included in the communication frame received by the reception unit. When the determination unit determines that the communication frame is invalid, the transmission unit transmits a superiority state signal to the communication path so that the error condition is satisfied during transmission of the communication frame.

  According to such a configuration, since a communication frame determined to be invalid is invalidated during transmission of the communication frame, an illegal communication frame is used in a communication system in which communication is performed via a common communication path. It is possible to suppress the processing based on the contents of.

  In addition, the code | symbol in the parenthesis described in the claim shows the correspondence with the specific means as described in embodiment mentioned later as one aspect, Comprising: The technical scope of this invention is limited is not.

The block diagram which shows the vehicle-mounted system and external tool of 1st Embodiment. The figure which shows an example of the identification data memorize | stored in GW memory | storage part. The flowchart of the illegal frame response process of 1st Embodiment. The block diagram which shows the vehicle-mounted system and external tool of 2nd Embodiment. The flowchart of the illegal frame response process of 2nd Embodiment.

Embodiments to which the present invention is applied will be described below with reference to the drawings.
[1. First Embodiment]
[1-1. overall structure]
An in-vehicle system 1 shown in FIG. 1 is mounted on a vehicle and includes a connector 40 for connecting an external tool (external device) 3, a gateway ECU (GW-ECU) 10, and a plurality of other ECUs 20a, 20b,. Is provided.

  The external tool 3 is connected to the GW-ECU 10 via the connector 40 and the external bus 50 so as to communicate with each other. Further, the GW-ECU 10 and a plurality of other ECUs 20 a, 20 b,... Are connected to an internal bus 30 that is a common communication path to construct a network (in-vehicle LAN), and the CAN (Controller) is connected via the internal bus 30. Mutual communication is performed in accordance with the Area Network protocol. In the following description, a plurality of identical configurations such as the ECU 20a, the ECU 20b,... Are omitted from the reference numerals like the ECU 20 except when they are individually described.

  The GW-ECU 10 is installed on a communication path that relays between the external bus 50 and the internal bus 30. That is, the GW-ECU 10 communicates directly with the external tool 3, and the ECU 20 communicates with the external tool 3 via the GW-ECU 10. Further, the GW-ECU 10 communicates directly with the ECU 20, and the external tool 3 communicates with the ECU 20 via the GW-ECU 10. As described above, the external tool 3 and the ECU 20 are not directly connected to each other but are connected via the GW-ECU 10, and the GW-ECU 10 relays communication performed between the external tool 3 and the ECU 20. Functions as a device.

The GW-ECU 10 includes an in-vehicle LAN communication unit 11, an external tool communication unit 12, a GW storage unit 13, and a gateway control unit (GW control unit) 14.
The in-vehicle LAN communication unit 11 is an interface for communicating with the ECU 20 via the internal bus 30 and includes a driver 111 and a receiver 112. When the data included in the communication frame output from the GW control unit 14 is “1”, the driver 111 sends an inferior state signal (referred to as recessive) corresponding to the data (bit value) “1” to the internal bus 30. And when it is “0”, a superior state signal (referred to as dominant) corresponding to data (bit value) “0” is sent to the internal bus 30. The receiver 112 outputs data corresponding to recessive (“1”) to the GW control unit 14 when recessive is input via the internal bus 30, and data corresponding to dominant when the dominant is input (“1”). “0”) is output to the GW control unit 14.

  The external tool communication unit 12 is an interface for communicating with the external tool 3 connected to the connector 40 via the external bus 50, and includes a driver 121 and a receiver 122. When the data included in the communication frame output from the GW control unit 14 is “1”, the driver 121 sends a recessive corresponding to the data (bit value) “1” to the external bus 50. In this case, the dominant corresponding to the data (bit value) “0” is sent to the internal bus 30. The receiver 122 outputs recessive data (“1”) to the GW control unit 14 when recessive is input via the external bus 50, and data corresponding to dominant when the dominant is input (“1”). “0”) is output to the GW control unit 14.

  The GW control unit 14 includes a known microprocessor including a CPU 41, a ROM 42, a RAM 43, and the like. For example, communication performed between the external tool 3 and the ECU 20 according to a program stored in the ROM 42 or the like (data included in the communication frame) (Transmission / reception)) and processing for dealing with illegal frames described later are executed. Note that the in-vehicle system 1 of the present embodiment is configured such that power is supplied to the GW-ECU 10 even when the ignition switch of the vehicle is off, and the CPU 41 can execute the illegal frame handling process.

  The gateway (GW) storage unit 13 includes a nonvolatile storage device (for example, a flash memory, an EEPROM, or the like) that can electrically rewrite the stored contents. The GW storage unit 13 stores a plurality of identification data. The identification data is a predetermined unit of a communication frame that is a unit in which communication is performed between the external tool 3 and the ECU 20 via the internal bus 30 and the external bus 50 in the in-vehicle system 1, that is, a unit in which data is transmitted and received. Data included in a region, which is data composed of a plurality of bits for identifying the communication frame. In the present embodiment, as an example, data included in the arbitration field in the format of a communication frame (data frame, remote frame) of a known CAN protocol is referred to as identification data.

  Specifically, as shown in FIG. 2, communication frame identification data transmitted from the external tool 3 to the ECU 20a, communication frame identification data transmitted from the external tool 3 to the ECU 20b, and communication transmitted from the ECU 20b to the ECU 20a. Data representing a combination of a transmission source and a transmission destination to which the communication frame is transmitted is stored in the GW storage unit 13 as identification data, such as frame identification data. The identification data is data in which a number represented by a decimal number such as “7X1 (X is an arbitrary integer from 0 to 9)” in FIG. 2 is represented by a binary number. In the present embodiment, the identification data stored in the GW storage unit 13 is referred to as permission data.

  Examples of the plurality of ECUs 20 include those having various functions such as an engine ECU that performs engine control, a brake ECU that performs brake control, and a steering ECU that performs steering control. Although not shown, the ECU 20 includes, as an example, a control unit (CPU), a storage unit (for example, a flash memory), and a communication unit. The storage unit stores a program for causing the control unit (CPU) to execute processing for realizing various functions. The control unit (CPU) executes processing according to a program stored in the storage unit. The communication unit is an interface for communicating with the GW-ECU 10 and other ECUs 20 via the internal bus 30.

  The external tool 3 is stored in the GW-ECU 10 and the ECU 20 while being connected to the in-vehicle system 1 (connector 40), diagnosis of the vehicle state via the ECU 20, setting and releasing of data (security related information, etc.). Performs program rewrite processing.

  Although not shown, the external tool 3 includes a control unit (CPU), a storage unit (for example, a flash memory), and a communication unit. The storage unit stores a program for causing the control unit (CPU) to execute processing for realizing various functions. The control unit (CPU) executes various processes according to the program stored in the storage unit. The communication unit is an interface for communicating with the GW-ECU 10 and the ECU 20 via the connector 40. The external tool 3 may be configured using a general-purpose personal computer, a smartphone (multifunctional mobile phone), or the like.

  In the in-vehicle system 1 that is a communication system that performs mutual communication according to the CAN protocol having such a configuration, communication via the internal bus 30 will be described as an example. The GW-ECU 10 that functions as a node (in-vehicle As described above, the LAN communication unit 11) and the ECU 20 (communication unit) internally use one of the two status signals of the inferior state signal (recessive) and the superior state signal (dominant) corresponding to the bit value of the data. By sequentially outputting to the bus 30, each data included in the communication frame is transmitted to the internal bus 30.

  Further, in the in-vehicle system 1, as described above, the GW-ECU 10 (in-vehicle LAN communication unit 11) and the ECU 20 (communication unit) sequentially input recessive or dominant via the internal bus 30 so that the internal bus 30. The data included in the communication frame is received, and when both recessive and dominant are output from the plurality of nodes to the internal bus 30, data corresponding to the dominant is received as data in the internal bus 30.

  In the CAN protocol applied to the in-vehicle system 1, an error defined in advance in a pattern (arrangement) of data included in a communication frame received via the internal bus 30 is detected by one of the nodes. Then, it is defined that the communication frame is invalidated. As well known, such errors include bit errors, CRC errors, form errors, and ACK errors in addition to stuff errors in which the same status signal (dominant or recessive) continues for 6 bits. Although communication via the internal bus 30 has been described as an example, communication via the external bus 50 is performed in the same manner in the in-vehicle system 1.

[1-2. processing]
Next, the illegal frame handling process executed by the CPU 41 of the GW-ECU 10 will be described with reference to the flowchart shown in FIG.

  First, in S (step) 100, a communication frame is received via the internal bus 30. Specifically, each data included in the communication frame transmitted to the internal bus 30 is sequentially received based on a state signal (dominant or recessive) input from the internal bus 30.

  In S110, based on the identification data included in the communication frame received in S100, it is determined whether or not the communication frame is illegal. Specifically, when the identification data included in the communication frame received in S100 does not match the permission data stored in advance in the GW storage unit 13, it is determined that the communication frame is invalid. In other words, if a communication frame including identification data not stored in the GW storage unit 13 is transmitted to the internal bus 30, the communication frame is transmitted to an unauthorized external tool (which is illegally connected to the internal bus 30 ( For example, it is determined that the communication frame is an unauthorized communication frame by the unauthorized tool 90) indicated by a two-dot chain line in FIG. If it is determined that the communication frame is not illegal, the illegal frame handling process is terminated. On the other hand, when it is determined that the communication frame is invalid, the process proceeds to S120.

  In S120, a dominant is sent to the internal bus 30 using the in-vehicle LAN communication unit 11 so that the error condition is satisfied during transmission of the communication frame. Specifically, the in-vehicle LAN communication unit 11 is caused to transmit a dominant of 6 bits in order to cause a staff error. Then, the illegal frame handling process ends.

[1-3. effect]
According to the first embodiment described in detail above, the following effects can be obtained.
[1A] A communication frame determined to be illegal on the internal bus 30 is invalidated even during transmission of the communication frame. For this reason, even if an unauthorized external tool (illegal tool 90) is connected to the internal bus 30 and an unauthorized communication frame is transmitted from the unauthorized external tool to the internal bus 30, this unauthorized communication is performed. The frame is invalidated as soon as it is determined to be invalid. That is, an unauthorized communication frame for performing setting and cancellation of data (security related information or the like) performed by a regular external tool, rewriting processing of a program stored in the GW-ECU 10 or the ECU 20, etc. When transmitted from the tool, it is possible to suppress processing based on the contents of an unauthorized communication frame.

  [1B] In the illegal frame handling process, a 6-bit continuous dominant is transmitted so as to satisfy the condition for causing a stuff error (S120). According to this, an illegal communication frame can be invalidated at an arbitrary timing regardless of the timing at which data included in the communication frame is received from the internal bus 30.

  In the present embodiment, the GW-ECU 10 corresponds to an example of a “communication device”, and the GW storage unit 13 corresponds to an example of a “storage unit”. S100 corresponds to an example of processing as “reception means”, S110 corresponds to an example of processing as “determination means”, and S120 corresponds to an example of processing as “transmission means”. The CAN protocol corresponds to an example of a communication protocol.

[2. Second Embodiment]
[2-1. Constitution]
Since the basic configuration of the second embodiment is the same as that of the first embodiment, the description of the common configuration will be omitted, and the description will focus on the differences.

  In the second embodiment, as shown in FIG. 4, the GW storage unit 13 shown in FIG. 1 is deleted, the detection circuit 113 is added to the in-vehicle LAN communication unit 11 shown in FIG. The content of the illegal frame handling process executed by the CPU 41 of the GW control unit 14 is different from that of the first embodiment.

  Specifically, the detection circuit 113 added to the in-vehicle LAN communication unit 11 is based on a sequence of data sequentially output from the receiver 112, and a predetermined area of the communication frame received from the internal bus 30 (this embodiment) In the embodiment, there is provided a comparison circuit (not shown) that generates a determination flag F that is a result of comparing whether or not the identification data included in the above-described arbitration field matches predetermined non-regular data. The comparison circuit sets the determination flag F to 1 when the identification data included in the communication frame matches the non-regular data (F = 1), and sets it to 0 when it does not match (reset, F = 0). To do. The determination flag F is output to the GW control unit 14.

  Here, the predetermined irregular data refers to identification data that can be included in a communication frame transmitted from an unauthorized node. For example, identification data that can be included in an unauthorized communication frame transmitted from an unauthorized external tool (an unauthorized tool 90 indicated by a two-dot chain line in FIG. 4) illegally connected to the internal bus 30 is known. In some cases, this known identification data is regarded as non-regular data.

  When there are a plurality of types of non-normal data, the detection circuit 113 includes a comparison circuit for each non-normal data. Then, the detection circuit 113 sets the determination flag F when the identification data included in the predetermined region of the communication frame in any one of the plurality of comparison circuits matches the non-regular data. . In other words, it can be said that each of these comparison circuits stores identification data (non-regular data in this embodiment) instead of the GW storage unit 13 shown in FIG.

[2-2. processing]
Next, the illegal frame handling process executed by the GW control unit 14 (CPU 41) will be described with reference to the flowchart shown in FIG. In the flowchart shown in FIG. 5, S100 shown in FIG. 3 is deleted, and S110 is replaced with S115.

  In S115, based on the identification data included in the communication frame received by the in-vehicle LAN communication unit 11 via the internal bus 30, it is determined whether or not the communication frame is illegal. Specifically, when the determination flag F output from the detection circuit 113 is set, it is determined that the communication frame is invalid. If the determination flag F is not set (F = 0), the illegal frame handling process ends. On the other hand, if the determination flag F is set (F = 1), the process proceeds to S120, and in the same way as S120 shown in FIG. Send the dominant. That is, by transmitting 6-bit continuous data “0” to the driver 111 of the in-vehicle LAN communication unit 11, a dominant is transmitted from the in-vehicle LAN communication unit 11 (driver 111) to the internal bus 30. Then, the illegal frame handling process ends.

[2-3. effect]
According to the second embodiment described in detail above, the following effects are obtained in addition to the effects [1A] and [1B] of the first embodiment described above.

  [2A] Since the comparison circuit detects whether or not the communication frame received via the internal bus 30 is illegal, the detection result can be obtained quickly. Further, since the illegal frame handling process is executed based on the determination flag F that is the detection result of the comparison circuit, the process of invalidating the communication frame is quickly performed when it is determined that the communication frame is illegal. be able to.

  In the second embodiment, the receiver 112 corresponds to an example of “reception unit”, the detection circuit 113 corresponds to an example of “determination unit” and “storage unit”, and the driver 111 corresponds to an example of a transmission unit. .

[3. Other Embodiments]
As mentioned above, although embodiment of this invention was described, it cannot be overemphasized that this invention can take a various form, without being limited to the said embodiment.

  [3A] In the above embodiment, a dominant is transmitted to the internal bus 30 so as to generate a stuff error. However, the present invention is not limited to this, and any of a bit error, CRC error, form error, and ACK error occurs. As such, a dominant may be sent to the internal bus 30.

  [3B] In the above embodiment, 6-bit continuous dominants are transmitted so as to cause a stuff error. However, the present invention is not limited to this. For example, 7-bit continuous dominants may be transmitted. Or you may transmit a dominant so that it may continue 6 bits including the dominant contained in the communication frame received in S100.

  [3C] The functions of one component in the above embodiment may be distributed as a plurality of components, or the functions of a plurality of components may be integrated into one component. Further, at least a part of the configuration of the above embodiment may be replaced with a known configuration having the same function. Moreover, you may abbreviate | omit a part of structure of the said embodiment as long as a subject can be solved. In addition, at least a part of the configuration of the above embodiment may be added to or replaced with the configuration of the other embodiment. In addition, all the aspects included in the technical idea specified from the wording described in the claims are embodiments of the present invention.

  [3C] The present invention is implemented in various forms such as the above-described GW-ECU 10 and in-vehicle systems 1 and 2, a program for causing a computer to function as the GW-ECU 10, a medium on which the program is recorded, and a communication method. be able to.

  DESCRIPTION OF SYMBOLS 1, 2 ... In-vehicle system 3 ... External tool 10 ... GW-ECU, 11 ... In-vehicle LAN communication part 13 ... GW memory | storage part 14 ... GW control part 15 ... In-vehicle LAN communication part 20 ... ECU 30 ... Bus for internal use 50 ... For external use Bus 111 ... Driver 112 ... Receiver 113 ... Detection circuit.

Claims (4)

A communication system in which a plurality of nodes transmit and receive a communication frame including identification data via a common communication path, wherein the communication frame is superior to the inferior state signal and the inferior state signal in the communication path. Are transmitted by sequentially transmitting from the node to the communication path, and the inferior state signal transmitted to the communication path and the pattern of the superior state signal are defined in advance as error conditions. A communication device that functions as the node in a communication system in which each of the plurality of nodes performs communication in accordance with a communication protocol defined such that the communication frame being transmitted is invalidated when the communication frame is satisfied;
Receiving means (11, 112, S100) for receiving the communication frame;
Determining means (113, S110) for determining that the communication frame is invalid based on the identification data included in the communication frame received by the receiving means;
Sending means (11, 11) for sending the superiority state signal to the communication path so that the error condition is satisfied during transmission of the communication frame when the determination means determines that the communication frame is invalid. 111, S120),
A communication device (1, 2) characterized by comprising: The communication device according to claim 1,
Comprising storage means (13) for preliminarily storing the identification data that can be included in the communication frame transmitted from the regular node as permission data;
The determination unit determines that the communication frame is invalid when the identification data included in the communication frame received by the reception unit does not match the permission data. ). The communication device according to claim 1 or 2,
Storage means (113) for storing the identification data that can be included in the communication frame transmitted from the non-regular node as non-regular data;
The determination unit determines that the communication frame is invalid when the identification data included in the communication frame received by the receiving unit matches the non-regular data. 2). The communication device according to any one of claims 1 to 3,
The error condition is a condition that the superiority state signal continues for a predetermined number of times or more.

Images