JP2017191529A - Program rewriting system and program rewriting method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a program rewriting system capable of easily restoring, when the program of a controller is rewritten and a problem occurs in the rewritten program, the program before rewriting.SOLUTION: In rewriting the program of a motor controller 101, the program is divided and the divided programs are transmitted to another controller for storage by a divided program transmission unit 116 of the motor controller 101; and after that, the program is rewritten by a rewriting program transmitted from a tester 103; and when an abnormality of the operation by a new program thus obtained is detected by a state detection unit 115, the divided programs are transmitted from the other controller and the original program is written back.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a program rewriting system and a program rewriting method for rewriting a program of a control device connected to a network.

2. Description of the Related Art Conventionally, as a program rewriting system and method for a control device connected to an automobile network, for example, one described in Patent Document 1 is known.
In the program rewriting system disclosed in Patent Document 1, an engine control device whose program data is to be rewritten and a memory rewrite device are connected in signal via a communication bus connection connector via a communication bus line.
The engine control device includes an input processing circuit that processes a signal from the sensor, a CPU (Central Processing Unit) that calculates an engine optimum control amount from the sensor signal and the like, and an operation result in the CPU as a control signal. And an output circuit for driving an actuator such as a fuel injection device or an ignition device attached to the memory, and a communication circuit for data communication with a memory rewrite machine as an external device.

The CPU includes a microprocessor unit (hereinafter referred to as MPU) that operates in accordance with a control program, a ROM (Read Only Memory) that stores programs and data necessary for operating the MPU, and a RAM that stores calculation results of the MPU. (Random Access Memory) and I / O (Input / Output) for receiving signals from the input processing circuit and the communication circuit and outputting a control signal to the output circuit.
Further, the mode determination control signal line connected by the communication bus connection connector sets the execution mode of the CPU immediately after the reset from the memory rewrite device side.

  In the program rewriting method of Patent Document 1, when there is a rewriting command transmitted from the outside while the built-in program is activated, it is determined that the automobile is not driven from various conditions, and is not driven. If it becomes clear, a part or all of the built-in program or built-in data is rewritten with a new program or data transmitted from the outside.

Japanese Patent No. 3109413 (pages 5-7, Fig. 1)

  However, in the program rewriting system described in Patent Document 1, after rewriting the program and disconnecting the memory rewrite device from the connector, a bug in the rewritten program and a security vulnerability in the rewritten program were found. In some cases, until the memory rewriting machine is connected again and the same rewriting procedure is performed to rewrite the program, the problematic program continues to be used, and the safety of the vehicle cannot be ensured.

  The present invention has been made in order to solve the above-described problems. When the program of the control device is rewritten and there is a problem with the rewritten program, the program can be easily returned to the program before rewriting. An object is to obtain a program rewriting system and a program rewriting method.

  In the program rewriting system according to the present invention, the first type node and the plurality of second type nodes are communicably connected to the network, and the first type is transmitted by the rewriting program transmitted from the third type node connected to the network as needed. A program rewriting system for rewriting a node program, wherein a first type node divides a first recording area for storing a program and a program stored in the first recording area into a plurality of divided programs. Respectively, and a program rewriting unit for rewriting the program in the first recording area by the rewriting program received from the third type node. A second recording area for storing the divided program received from the first type node; A transmission unit for transmitting the divided program stored in the second recording area to the first type node, and the third type node includes a third recording area for storing the rewrite program, and a first type node. A rewriting instruction unit for instructing rewriting and a rewriting program transmission unit for transmitting a rewriting program to the first type node, and the program rewriting unit of the first type node receives the rewriting instruction from the third type node After the split program is transmitted to the second type node, the program is rewritten by the rewrite program received from the third type node.

  According to the present invention, the first type node and the plurality of second type nodes are communicably connected to the network, and the program of the first type node is executed by the rewrite program transmitted from the third type node connected to the network as needed. In the program rewriting system for rewriting, the first type node divides a first recording area for storing a program and a program stored in the first recording area into a plurality of parts, and each divided program is divided into a plurality of parts. A divided program transmission unit that transmits to the two-type node, and a program rewriting unit that rewrites the program in the first recording area by the rewriting program received from the third-type node, and the second-type node is the first-type node A second recording area for storing the division program received from the second recording area, and a division program stored in the second recording area. A transmission unit for transmitting the ram to the first type node, the third type node having a third recording area for storing the rewriting program, a rewriting instruction unit for instructing rewriting to the first type node, and a rewriting A rewriting program transmitting unit that transmits the program to the first type node, and the program rewriting unit of the first type node transmits the divided program to the second type node when receiving a rewriting instruction from the third type node. After that, since the program is rewritten by the rewriting program received from the third type node, if there is a problem with the program after the rewriting, it is possible to easily return to the program before rewriting from the second type node.

It is a block diagram which shows the structure of the vehicle control system to which the program rewriting system by Embodiment 1 of this invention is applied. It is a memory map figure which shows the area | region structure of the recording device of the 1st-3rd type node in the program rewriting system by Embodiment 1 of this invention. It is a flowchart which shows the flow of a process at the time of the program rewriting in the 1st type node of the program rewriting system by Embodiment 1 of this invention. It is a flowchart which shows the flow of a process at the time of the program write-back in the 1st type node of the program rewriting system by Embodiment 1 of this invention. It is a flowchart which shows the flow of a process in the 2nd type node of the program rewriting system by Embodiment 1 of this invention. It is a flowchart which shows the flow of a process in the 3rd type node of the program rewriting system by Embodiment 1 of this invention. It is a block diagram which shows the structure of the vehicle control system to which the program rewriting system by Embodiment 2 of this invention is applied. It is a memory map figure which shows the area | region structure of the recording device of the 1st-3rd type node in the program rewriting system by Embodiment 2 of this invention. It is a flowchart which shows the flow of a process at the time of the program rewriting in the 1st type node of the program rewriting system by Embodiment 2 of this invention. It is a flowchart which shows the flow of a process at the time of the program write-back in the 1st type node of the program rewriting system by Embodiment 2 of this invention. It is a flowchart which shows the flow of a process in the 2nd type node of the program rewriting system by Embodiment 2 of this invention. It is a flowchart which shows the flow of a process in the 3rd type node of the program rewriting system by Embodiment 2 of this invention.

Embodiment 1 FIG.
Below, the program rewriting system by Embodiment 1 is demonstrated based on figures.
FIG. 1 is a block diagram showing a configuration of a vehicle control system to which a program rewriting system according to Embodiment 1 of the present invention is applied.
In FIG. 1, the program rewriting system of Embodiment 1 includes a motor control device 101 that is a first type node, an EPS (Electric Power Steering) control device 102a and a battery control device 102b that are second type nodes. And a tester 103 which is a third type node.
These nodes are communicably connected to each other via a vehicle CAN (Controller Area Network) network 106.
In addition, although the EPS control apparatus 102a and the battery control apparatus 102b were shown as a 2nd type node, it cannot be overemphasized that another node may be included not only in this.

The motor control device 101 as the first type node controls the drive motor 110, and similarly, the EPS control device 102a is connected to control the EPS 120a, and the battery control device 102b is connected to control the battery 120b. .
1 is always connected to the CAN network 106. However, the tester 103 is not always connected to the CAN network 106. Connected as needed, such as during failure diagnosis.
The configuration of each control device and tester will be described later.
Each control device and tester includes components other than those shown in FIG. 1, but those not directly related to the first embodiment are not shown.

FIG. 2 is a memory map diagram showing the area configuration of the recording devices of type 1 to type 3 nodes in the program rewriting system according to Embodiment 1 of the present invention.
2A shows the area configuration of the recording apparatus 113 of the motor control apparatus 101, FIG. 2B shows the area configuration of the recording apparatus 123a of the EPS control apparatus 102a, and FIG. 2C shows the battery control apparatus. FIG. 2D shows an area configuration of the recording device 133 of the tester 103. FIG.

  In FIG. 2A, the recording device 113 stores a program rewriting program recording area 221 for storing a program rewriting program for rewriting the motor control program in whole or in part, and a first for storing the motor control program. A motor control program recording area 222, which is a recording area, and a motor control program recording area (data) 223 for storing data related to the control of the driving motor 110 are provided.

In FIG. 2B, the recording device 123a includes an EPS control program recording area 231a for storing an EPS control program for determining the control content of the EPS 120a, and an EPS control program recording area (for storing data related to the control of the EPS 120a). (For data) 232a and a divided motor control program recording area 233a which is a second recording area for temporarily storing a divided program to be described later.
Note that an empty area of the recording device 123a can be allocated to the divided motor control program recording area 233a.

In FIG. 2C, the recording device 123b is for a battery control program recording area 231b for storing a battery control program for determining the control content of the battery 120b, and for a battery control program for recording data relating to the control of the battery 120b. A recording area (for data) 232b and a divided motor control program recording area 233b, which is a second recording area for temporarily storing a divided program to be described later, are provided.
Note that an empty area of the recording device 123b can be allocated to the divided motor control program recording area 233b.

  In FIG. 2D, the recording device 133 includes a motor control program recording area 241 that is a third recording area for storing a rewrite program.

Next, the configuration and function of each control device and tester in FIG. 1 will be described.
First, the configuration and function of the motor control device 101 will be described.
The microcomputer 111 calculates a control amount and various processing values related to the control of the driving motor 110. The data transmission / reception unit 112, which is a data transmission / reception unit for the CAN network, transmits / receives data to / from other connected control devices (including the EPS control device 102a, the battery control device 102b, and the tester 103) via the CAN network 106.
The recording device 113 has a motor control program recording area 222 that is a first recording area for storing a motor control program to be rewritten. This motor control program determines the operation (control content) of the motor control device 101 and performs calculation.

  The program rewriting unit 114 of the motor control device 101 rewrites the motor control program stored in the motor control program recording area 222 of the recording device 113 in whole or in part. At that time, the program rewriting program recorded in the program rewriting program recording area 221 of the recording device 113 is used.

The state detection unit 115 indicates whether the first type node itself is in a state in which the motor control program can be rewritten, whether the motor control program has been completely rewritten, whether there is no abnormality in itself, etc. Is detected and notified to other control devices.
When the state detection unit 115 detects an abnormality in itself and that it can be rewritten, it notifies the EPS control device 102a and the battery control device 102b via the CAN network 106, and receives this notification. The EPS control device 102a and the battery control device 102b transmit a divided motor control program (hereinafter, abbreviated as a divided program) stored by the EPS control device 102a and the battery control device 102b to the motor control device 101 via the CAN network 106.
Then, every time the motor control device 101 receives the division program from the EPS control device 102a or the battery control device 102b, the program rewriting unit 114 rewrites the corresponding part of the motor control program stored in the motor control program recording area 222.
Here, the abnormality of itself may include performing unintended control or processing, or detecting a security vulnerability, but is not limited thereto.

  After receiving the rewrite instruction from the tester 103, the division program transmission unit 116 of the motor control device 101 divides the motor control program (currently) stored in the motor control program recording area 222 to obtain the division program. It is created and transmitted to the EPS control device 102a and the battery control device 102b, respectively.

Next, the configuration and function of the EPS control apparatus 102a as the second type node will be described.
The microcomputer 121a calculates the control amount and various processing values of the EPS 120a. The data transmitter / receiver 122a transmits / receives data to / from other connected control devices (including the motor control device 101, the battery control device 102b, and the tester 103) via the CAN network 106. The recording device 123a has a divided motor control program recording area 233a which is a second recording area for storing a divided motor control program which is a part of the motor control program.

  The division program transmission unit 124a (transmission unit) determines whether or not the division program can be transmitted to the motor control device 101. When the divided program transmission unit 124a determines that the divided program can be transmitted to the motor control device 101, the divided program stored in the second recording area by the own node is transmitted via the CAN network 106. It transmits to the motor control apparatus 101.

Next, the configuration and function of the battery control apparatus 102b as the second type node will be briefly described.
The microcomputer 121b calculates the control amount and various processing values of the battery 120b. The data transmission / reception unit 122b transmits / receives data to / from other connected control devices (including the motor control device 101, the EPS control device 102a, and the tester 103) via the CAN network 106.
The recording device 123b has a divided motor control program recording area 233b, which is a second recording area for storing a divided program that is a part of dividing the motor control program.

  The division program transmission unit 124 b (transmission unit) determines whether or not the division program can be transmitted to the motor control device 101. If the divided program transmission unit 124b determines that the divided program can be transmitted to the motor control device 101, the divided program stored in the second recording area by the own node is transmitted via the CAN network 106. It transmits to the motor control apparatus 101.

Next, the configuration and function of the tester 103 as the third type node will be briefly described.
The tester 103 transmits a program to be rewritten to the motor control program (hereinafter abbreviated as a rewriting program).
The microcomputer 131 performs various processes related to the operation of the tester 103. The data transmission / reception unit 132 transmits / receives data to / from other connected control devices (including the motor control device 101, the EPS control device 102a, and the battery control device 102b) via the CAN network 106.
As shown in FIG. 2D, the recording device 133 includes a motor control program recording area 241 that is a third recording area for storing the rewriting program.

The rewrite instruction unit 134 instructs the motor control device 101 to rewrite the program. The rewriting program transmission unit 135 transmits the rewriting program recorded in the motor control program recording area 241 to the motor control device 101 after receiving a rewriteable notification from the motor control device 101.
The tester 103 is not always connected to the CAN network 106 but is connected when rewriting a program to the control device or performing diagnosis.

Next, the operation will be described.
Here, the flow of processing in each node of the program rewriting system according to the first embodiment will be described with reference to the flowcharts of FIGS.
In the motor control device 101 that is the first type node, normal processing related to control of the driving motor 110 and processing related to rewriting of the motor control program are performed. FIG. 3 shows a flow of processing relating to program rewriting, which is performed when a rewrite execution notification (rewrite instruction) is received from the tester 103.
The flow of the process of writing back to the program before rewriting of the motor control apparatus 101 which is the first type node is shown in FIG.

First, the processing at the time of program rewriting of the first type node will be described with reference to FIG.
In step S <b> 301, the state detection unit 115 determines whether a rewrite instruction is notified from the tester 103. If notified (YES), the process proceeds to step S302. If not notified (NO), the process waits until notified.

  Subsequently, in step S302, the state detection unit 115 determines whether or not normal processing is performed. If normal processing is not performed, the state detection unit 115 is rewritable (YES), and thus proceeds to step S303. When normal processing is being performed, the process waits until the end.

In step S303 (second step), the division program transmission unit 116 divides the motor control program in the motor control program recording area 222 stored in the recording device 113 to create a division program. Then, the data transmission / reception unit 112 transmits the divided program to the battery control device 102b and the EPS control device 102a which are the second type nodes.
Here, since the first type node is provided in the first embodiment, the rewriting program is divided into two to create the divided program A and the divided program B, and the divided program A is transferred to the EPS control apparatus 102a. In addition, the divided program B is transmitted to the battery control device 102b.
That is, the rewriting program is divided into two programs, a divided program A and a divided program.

  In step S304, it is determined whether all the motor control programs have been transmitted. If everything has been transmitted (YES), the process proceeds to step S305. If not (NO), the process proceeds to step S303, and the transmission process is performed again.

  In step S305, since the state detection unit 115 has transmitted all of the motor control program, the state detection unit 115 notifies the tester 103 that rewriting is possible.

  In step S306, reception of a rewrite program from the tester 103 is awaited. When the rewrite program is received (YES), the process proceeds to step S307.

  In step S307 (fourth step), the program rewriting unit 114 rewrites the portion of the motor control program corresponding to the received rewriting program using the program rewriting program, and proceeds to step S308.

  In step S308, the state detection unit 115 receives all the rewrite programs and determines whether or not the corresponding motor control program portion has been rewritten. If all rewrite programs have not been received (NO), the process proceeds to step S306, and if received (YES), the process is terminated.

Next, with reference to FIG. 4, description will be given of the processing after rewriting to the rewriting program and then writing back to the program before rewriting as the operation after rewriting.
At this time, the tester 103 is assumed to be removed from the CAN network 106.
In step S311 (fifth step), the state detection unit 115 determines whether or not there is an abnormality in its processing. If an abnormality is detected (YES), the process proceeds to step S312.

  In step S312, the state detection unit 115 determines whether or not normal processing is performed. If normal processing is not performed, the state detection unit 115 is rewritable (YES), and thus proceeds to step S313. If the process is being performed, the process waits until the process is completed.

  In step S313, the state detection unit 115 notifies the battery control device 102b and the EPS control device 102a, which are the second type nodes, of a transmission instruction for the recorded divided program.

  In step S314, it waits for reception of the division program from the battery control device 102b and the EPS control device 102a. When the division program is received (YES), the process proceeds to step S315.

  In step S315 (seventh step), the program rewriting unit 114 rewrites the portion of the motor control program corresponding to the received divided program using the program rewriting program, and proceeds to step S316.

  In step S316, all the divided programs are received, and it is determined whether or not the corresponding motor control program portion has been rewritten. If all the divided programs have not been received (NO), the process proceeds to step S314, and if they have been received (YES), the process ends.

Next, the flow of processing related to program rewriting in the EPS control device 102a and the battery control device 102b, which are the second type nodes, will be described with reference to FIG.
In the EPS control device 102a (or the battery control device 102b), normal processing related to the control of the EPS 120a (or the battery 120b) and processing related to program rewriting of the motor control device 101 are performed.
Note that the processes related to program rewriting in the EPS control apparatus 102a and the battery control apparatus 102b are the same, and therefore, the EPS control apparatus 102a will be described as an example here.

  The EPS control apparatus 102a waits for reception of the division program from the motor control apparatus 101 in step S401 after the rewriting execution instruction is notified from the tester 103. When the division program is received by the data transmission / reception unit 122a (YES), the process proceeds to step S402, the received division program is stored in the division motor control program recording area 233a of the recording device 123a, and the process proceeds to step S403.

  In step S403, the EPS control apparatus 102a waits for notification of a split program transmission instruction from the motor control apparatus 101. When the transmission instruction is notified (YES), the process proceeds to step S405, and when the transmission instruction is not notified (NO), the process proceeds to step S404.

  In step S404, reception of the divided program is confirmed. When the division program is received by the data transmitting / receiving unit 122a (YES), the process proceeds to step S402. If not received (NO), the process proceeds to step S403 and waits for a split program transmission instruction.

  In step S405 (sixth step), the divided program stored in the divided motor control program recording area 233a is transmitted to the motor control device 101, and the process proceeds to step S406.

  In step S406, it is confirmed whether or not all the saved divided programs have been transmitted. If all have been transmitted (YES), the process is completed. If not (NO), the process proceeds to step S405, and the transmission process is performed.

Next, the flow of processing related to program rewriting in the tester 103 which is the third type node will be described with reference to FIG.
The tester 103 performs notification of program rewriting to the related nodes and transmission processing of the rewriting program.

  First, in step S411 (first step), the rewrite instruction unit 134 notifies the motor control device 101, the EPS control device 102a, and the battery control device 102b that the motor control device 101 will be rewritten.

  Next, in step S <b> 412, the rewriting instruction unit 134 determines whether or not rewriting is notified from the motor control device 101. If notified (YES), it is determined that rewriting is possible, and the process proceeds to step S413. When not notified (NO), it waits until notified.

  Next, in step S413 (third step), the rewriting program recorded in advance in the motor control program recording area 241 of the recording device 133 is transmitted to the motor control device 101, and the process is terminated.

  In the first embodiment, the motor control device 101 includes an encryption unit that encrypts a divided program and a decryption unit that decrypts the divided program, and the divided program encrypted by the encryption unit is transferred to the EPS control device 102a and the battery control. The EPS controller 102a and the battery controller 102b store the encrypted split program, and the motor controller 101 stores the encrypted split program from the EPS controller 102a or the battery controller 102b. When received, the division program may be decoded by the decoding unit.

  By providing the encryption unit and the decryption unit as described above, there is a risk of being decrypted by the third party on the CAN network 106, or when being stored in the EPS control device 102a and the battery control device 102b, The program can be rewritten safely.

As described above, in the program rewriting system according to the first embodiment, when the tester 103 notifies the motor control device 101 of execution of program rewriting, the motor control device 101 first uses the motor used for the control so far. A divided program is created from the control program and transmitted to the EPS control device 102a and the battery control device 102b.
After the transmission is completed, the motor control device 101 rewrites the motor control program with the rewrite program received from the tester 103.
Thereafter, the tester 103 is separated from the CAN network 106, and the motor control device 101 performs control with the rewritten motor control program.
When an abnormal operation or a security vulnerability is detected during the control, the motor control device 101 notifies the EPS control device 102a and the battery control device 102b, and the received EPS control device 102a and the battery are notified. The control device 102b transmits the divided programs stored by itself to the motor control device 101, and the motor control device 101 rewrites the corresponding motor control program with the received divided program every time the divided program is received.

  According to the first embodiment, after rewriting the motor control program of the motor control device 101 and separating the tester 103 from the CAN network 106, there is an abnormality in the operation of the motor control device 101, or security vulnerability. Is detected, it is possible to efficiently return to the control program before rewriting without reconnecting the tester 103 to the CAN network 106 and transmitting the rewriting program again as in the past. The safety of the vehicle can be ensured without using the control program.

  In addition, since a divided program is created from the motor control program and stored in a plurality of second type nodes (in the first embodiment, two of the EPS control device 102a and the battery control device 102b), all are stored in one second type node. It is not necessary to provide a recording capacity large enough to store the rewriting program, and the cost of one node can be prevented from increasing, and the overall cost can be suppressed.

Embodiment 2. FIG.
FIG. 7 is a block diagram showing a configuration of a vehicle control system to which a program rewriting system according to Embodiment 2 of the present invention is applied.
7, the program rewriting system according to the second embodiment includes a motor control device 101 that is a first type node, an EPS control device 102a and a battery control device 102b that are second type nodes, and a tester that is a third type node. 103.
These nodes are communicably connected to each other via the vehicle's CAN network 106.
In addition, although the EPS control apparatus 102a and the battery control apparatus 102b are shown as a 2nd type node, it cannot be overemphasized that another node may be included not only in this.

The motor control device 101 as the first type node controls the driving motor 110, and similarly, the EPS control device 102a is connected to control the EPS 120a, and the battery control device 102b is connected to control the battery 120b.
Although the control devices other than the tester 103 shown in FIG. 7 are always connected to the CAN network 106, the tester 103 is not always connected to the CAN network 106. Connected as needed, such as during failure diagnosis.
The configuration of each control device and tester will be described later.
In FIG. 7, each control device and tester includes components other than those shown in FIG. 7, but those not directly related to the second embodiment are not shown.

FIG. 8 is a memory map diagram showing the area configuration of the recording devices of the first to third type nodes in the program rewriting system according to the second embodiment of the present invention.
8A shows the area configuration of the recording device 113 of the motor control apparatus 101, FIG. 8B shows the area configuration of the recording apparatus 123a of the EPS control apparatus 102a, and FIG. 8C shows the battery configuration. FIG. 8D shows the area configuration of the recording apparatus 133 of the tester 103. FIG. 8D shows the area configuration of the recording apparatus 123b of the control apparatus 102b.

  In FIG. 8A, the recording device 113 stores a program rewriting program recording area 221 for storing a program rewriting program for rewriting the motor control program in whole or in part, and a first for storing the motor control program. A motor control program recording area 222, which is a recording area, a motor control program recording area (data) 223 for storing data related to the control of the driving motor 110, and a program for partially verifying the motor control program And a program verification program recording area 634 for storing the verification program.

In FIG. 8B, the recording device 123a includes an EPS control program recording area 231a for storing an EPS control program for determining the control content of the EPS 120a, and an EPS control program recording area (for storing data related to the control of the EPS 120a). (For data) 232a, a second recording area for temporarily storing a divided program to be described later, and a divided motor control program recording area 533a which is a fourth recording area for temporarily storing a check code.
Note that an empty area of the recording device 123a can be allocated to the divided motor control program recording area 533a.

In FIG. 8C, the recording device 123b is for a battery control program recording area 231b for storing a battery control program for determining the control content of the battery 120b, and for a battery control program in which data related to the control of the battery 120b is recorded. A recording area (for data) 232b, a second recording area for temporarily storing a divided program to be described later, and a divided motor control program recording area 533b that is a fourth recording area for temporarily storing a check code are provided. Yes.
Note that an empty area of the recording device 123b can be allocated to the divided motor control program recording area 533b.

  In FIG. 8D, the recording device 133 includes a motor control program recording area 241 that is a third recording area for storing the rewrite program.

Next, the configuration and function of each control device and tester in FIG. 7 will be described.
First, the configuration and function of the motor control device 101 will be briefly described.
The microcomputer 111 calculates a control amount and various processing values related to the control of the driving motor 110. The data transmission / reception unit 112, which is a data transmission / reception unit for the CAN network, transmits / receives data to / from other connected control devices (including the EPS control device 102a, the battery control device 102b, and the tester 103) via the CAN network 106.
The recording device 113 has a first recording area for storing a motor control program to be rewritten. This motor control program determines the operation (control content) of the motor control device 101 and performs calculation.

  The program rewriting unit 114 of the motor control device 101 rewrites the motor control program stored in the motor control program recording area 222 of the recording device 113 in whole or in part. At that time, the program rewriting program recorded in the program rewriting program recording area 221 of the recording device 113 is used.

The division program and check code transmission unit 512 (including the check code generation unit) divides the motor control program in the motor control program recording area 222 stored in the recording device 113, and the division program and the divided program are changed. Create a check code to prove that you have not.
The second state detection unit 513 determines whether or not the first type node itself is in a state where the motor control program can be rewritten, or whether the motor control program is completely rewritten, depending on whether or not normal processing is being performed by the first type node itself. The state of whether or not it has been detected is detected and notified to another control device.
When the second state detection unit 513 detects that rewriting is possible, it notifies the EPS control device 102a and the battery control device 102b via the CAN network 106.
Then, the EPS control device 102a and the battery control device 102b that have received this notification send a check code for proving that the divided program to be saved and the saved divided program have not been changed via the CAN network 106 to the motor. Transmit to the control device 101.

  The program verification unit 511 of the motor control device 101 uses the program verification program recorded in the program verification program recording area 634 of the recording device 113 to break the divided program during storage on the CAN network 106 or another node. It is verified by using the received check code whether it is not (eg, bit inversion due to noise).

Whenever the motor control device 101 receives a division program from the EPS control device 102a or the battery control device 102b, the program rewriting unit 114 rewrites the corresponding division program of the motor control program stored in the motor control program recording area 222. .
Each time a check code is received, the program verification unit 511 verifies the content rewritten by the corresponding divided program.

Next, the configuration and function of the EPS control apparatus 102a as the second type node will be briefly described.
The microcomputer 121a calculates the control amount and various processing values of the EPS 120a. The data transmitter / receiver 122a transmits / receives data to / from other connected control devices (including the motor control device 101, the battery control device 102b, and the tester 103) via the CAN network 106.
The recording device 123a has a second recording area for storing a split program that is a part of the rewrite program of the motor control program and a check code that proves that the split program stored by another type 2 node has not been changed. As a fourth recording area, a divided motor control program recording area 533a is provided.

The division program and check code transmission unit 521a determines whether the division program and the check code can be transmitted to the motor control apparatus 101.
If the divided program transmission unit 124a determines that the divided program and the check code can be transmitted to the motor control device 101, the divided program and the check code stored by itself are transmitted to the motor via the CAN network 106. Transmit to the control device 101.

The first type node state detection unit 522a detects a state of whether or not there is an abnormality in the motor control device 101. When an abnormality is detected, a write-back instruction is notified to the motor control device 101 and the battery control device 102b via the CAN network 106.
When abnormality is detected by the first type node state detection unit 522a, or when a write back instruction is notified from another second type node, and from the second state detection unit 513 of the motor control device 101 If it is notified that rewriting is possible, the divided program and check code stored by itself are transmitted to the motor control device 101 via the CAN network 106.
Here, examples of the abnormality of the motor control device 101 include that unintended control or processing is performed or there is a security vulnerability, but is not limited thereto.

Next, the configuration and function of the battery control apparatus 102b as the second type node will be briefly described.
The microcomputer 121b calculates the control amount and various processing values of the battery 120b. The data transmission / reception unit 122b transmits / receives data to / from other connected control devices (including the motor control device 101, the EPS control device 102a, and the tester 103) via the CAN network 106.
The recording device 123b is a second recording area / fourth recording for storing a division program that is a part of dividing the motor control program and a check code that proves that the division program stored by another control device has not been changed. As an area, a divided motor control program recording area 533b is provided.

The division program and check code transmission unit 521b determines whether the division program and the check code can be transmitted to the motor control device 101.
If the divided program and check code transmission unit 521b determines that the divided program and check code can be transmitted to the motor control device 101, the divided program and check code stored in the own node are stored in the CAN network 106. Is transmitted to the motor control device 101.

The first type node state detection unit 522b detects a state of whether or not the motor control device 101 is normal. When an abnormality is detected, a write-back instruction is notified to the motor control device 101 and the EPS control device 102a via the CAN network 106.
When abnormality is detected by the first type node state detection unit 522b, or when a write back instruction is notified from another second type node, and from the second state detection unit 513 of the motor control device 101 When it is notified that rewriting is possible, the divided program and the check code stored by itself are transmitted to the motor control apparatus 101 via the CAN network 106.
Here, the abnormality of the motor control device 101 may include that unintended control or processing is performed or there is a security vulnerability, but is not limited thereto.

Next, the configuration and function of the tester 103 as the third type node will be briefly described. The tester 103 transmits a rewriting program.
The microcomputer 131 performs various processes related to the operation of the tester 103. The data transmission / reception unit 132 transmits / receives data to / from other connected control devices (including the motor control device 101, the EPS control device 102a, and the battery control device 102b) via the CAN network 106.
As shown in FIG. 8D, the recording device 133 includes a motor control program recording area 241 that is a third recording area for storing the rewriting program.

The rewrite instruction unit 134 instructs the motor control device 101 to rewrite the program. The rewriting program transmission unit 135 transmits the rewriting program recorded in the motor control program recording area 241 to the motor control device 101 after receiving a rewriteable notification from the motor control device 101.
The tester 103 is not always connected to the CAN network 106, but is connected when rewriting a program to the control device or performing diagnosis.

Next, the operation will be described.
Here, the flow of processing in each node of the program rewriting system according to the second embodiment will be described with reference to the flowcharts of FIGS.
In the motor control device 101 that is the first type node, normal processing related to control of the driving motor 110 and processing related to rewriting of the motor control program are performed. The processing related to program rewriting is shown in FIG. 9 and is performed when a rewrite execution notification (rewrite instruction) is received from the tester 103.
The process of writing back to the program before rewriting in the motor control apparatus 101 which is the first type node is shown in FIG.

First, the processing at the time of rewriting the program of the first type node will be described with reference to FIG.
In step S <b> 701, the second state detection unit 513 determines whether a rewrite instruction is notified from the tester 103. If notified (YES), the process proceeds to step S702. If not notified (NO), the process waits until notified.

  Subsequently, in step S702, the second state detection unit 513 determines whether or not normal processing is performed. If normal processing is not performed, the second state detection unit 513 is rewritable (YES). The process proceeds to S703, and when normal processing is being performed, the process waits until the end.

In step S703, the divided program and check code transmission unit 512 divides the motor control program in the motor control program recording area 222 stored in the recording device 113, and confirms that the divided program and the divided program are not changed. Create a check code to prove.
Then, the data transmission / reception unit 112 transmits the divided program and the check code to the battery control device 102b and the EPS control device 102a that are the second type nodes.
Here, since the second type node is provided in the second embodiment, the rewriting program is divided into two, and the divided program A and the divided program B are created. Check code A and check code B corresponding to each are created, and divided program A and check code B are sent to EPS control device 102a, divided program B and check code A are sent to battery control device 102b, and so on. The code shall be sent to a different control device.

  In step S704, it is determined whether all of the division program and check code created from the motor control program have been transmitted. If everything has been transmitted (YES), the process proceeds to step S705. If not (NO), the process proceeds to step S703, and the transmission process is performed again.

  In step S705, the second state detection unit 513 notifies the tester 103 that rewriting is possible because all the motor control programs have been transmitted.

  In step S706, reception of a rewrite program from the tester 103 is awaited. If the rewriting program is received (YES), the process proceeds to step S707.

  In step S707, the program rewriting unit 114 rewrites the portion of the motor control program corresponding to the received rewriting program using the program rewriting program, and proceeds to step S708.

  In step S708, the second state detection unit 513 receives all the rewrite programs and determines whether or not the corresponding motor control program portion has been rewritten. If not received (NO), the process proceeds to step S706, and if received (YES), the process is terminated.

Next, with reference to FIG. 10, a description will be given of processing in the motor control device 101 for rewriting to a rewriting program and then writing back to the program before rewriting.
At this time, it is assumed that the tester 103 has been removed from the CAN network 106.
In step S711, the second state detection unit 513 determines whether or not a write-back instruction is notified from the second type node (here, the EPS control device 102a or the battery control device 102b). If notified (YES), the process proceeds to step S712. If not notified (NO), the process waits until reception.

  In step S712, the second state detection unit 513 determines whether or not normal processing is performed. If normal processing is not performed, the second state detection unit 513 is rewritable (YES), and thus proceeds to step S713. If normal processing is being performed, the process waits until the end.

  In step S713, the second state detection unit 513 notifies the battery control device 102b and the EPS control device 102a, which are the second type nodes, the transmission instructions of the recorded divided program and check code.

  In step S714, reception of the division program and check code from the battery control device 102b and the EPS control device 102a is awaited. When the division program or the check code is received (YES), the process proceeds to step S715.

In step S715, the received content is confirmed. If it is a divided program, the process proceeds to step S716, and if it is a check code, the process proceeds to step S717.
In step S716, the program rewriting unit 114 rewrites the portion of the motor control program corresponding to the received divided program using the program rewriting program, and proceeds to step S719.

In step S717, the program verification unit 511 verifies the portion of the motor control program corresponding to the received check code using the program verification program.
In step S718, it is determined whether there is a problem with the verification result. If there is no problem (YES), the process proceeds to step S719. If there is a problem (NO), the write-back process is terminated.

  In step S719, it is determined whether all divided programs have been received and the corresponding motor control program portion has been rewritten. If not all have been received (NO), the process proceeds to step S714. If all have been received (YES), the process ends.

Next, the flow of processing related to program rewriting in the EPS control device 102a and the battery control device 102b, which are type 2 nodes, will be described with reference to FIG.
In the EPS control device 102a (or the battery control device 102b), normal processing related to the control of the EPS 120a (or the battery 120b) and processing related to program rewriting of the motor control device 101 are performed.
In addition, since the process regarding the program rewriting in the EPS control apparatus 102a and the battery control apparatus 102b is the same, here, the EPS control apparatus 102a will be described as an example.

  After receiving the rewrite execution instruction from the tester 103, the EPS control apparatus 102a waits for reception of the divided program or check code in step S801. If the data transmission / reception unit 122a receives the divided program or check code (YES), the process proceeds to step S802, where the received divided program or check code is stored in the divided motor control program recording area 533a of the recording device 123a, and step S803 is performed. Proceed to

  In step S803 (fifth step), the first type node state detection unit 522a of the EPS control apparatus 102a determines whether or not the motor control apparatus 101 is normal. If an abnormality is detected in the motor control device 101 (YES), the process proceeds to step S806, and if no abnormality is detected (NO), the process proceeds to step S804.

  In step S804, the EPS control apparatus 102a determines whether or not a write-back instruction is notified from the other second type node (here, the battery control apparatus 102b) to the motor control apparatus 101. If notified (YES), the process proceeds to step S807. If not notified (NO), the process proceeds to step S805.

  In step S805, the data transmission / reception unit 122a confirms whether a division program or a check code is received. If received (YES), the process proceeds to step S802. If not received (NO), the process proceeds to step S803.

  In step S806, the EPS control apparatus 102a notifies the other second type node (here, the battery control apparatus 102b) and the motor control apparatus 101 of a write-back instruction, and proceeds to step S807.

  In step S807, the EPS control apparatus 102a waits for a split program and check code transmission instruction from the motor control apparatus 101. When the transmission instruction is notified (YES), the process proceeds to step S808. When the transmission instruction is not notified (NO), the process waits until the notification is received.

  In step S808, the divided program and check code stored in the divided motor control program recording area 533a are transmitted to the motor control apparatus 101, and the process proceeds to step S809.

In step S809, it is confirmed whether all of the saved divided programs and check codes have been transmitted.
If all are transmitted (YES), the process is completed, and if not transmitted (NO), the process proceeds to step S808, and the transmission process is performed.

Next, a flow of processing related to program rewriting in the tester 103 which is the third type node will be described with reference to FIG.
The tester 103 performs notification of program rewriting to the related nodes and transmission processing of the rewriting program.
First, in step S811, the rewrite instruction unit 134 notifies the motor control device 101, the EPS control device 102a, and the battery control device 102b that the motor control device 101 is to be rewritten.

  Next, in step S812, the rewrite instruction unit 134 determines whether or not the motor control apparatus 101 has notified that rewrite is possible. If notified (YES), it is determined that rewriting is possible, and the process proceeds to step S813. When not notified (NO), it waits until notified.

  In step S813, the rewrite program recorded in advance in the motor control program recording area 241 of the recording device 133 is transmitted to the motor control device 101, and the process ends.

  In the second embodiment, the motor control device 101 includes an encryption unit that encrypts the divided program and the check code, and a decryption unit that decrypts the divided program and the check code, and the divided program and the check code encrypted by the encryption unit. The EPS control apparatus 102a and the battery control apparatus 102b transmit the encrypted divided program and the check code, and the motor control apparatus 101 executes the EPS control apparatus 102a or the battery control. When the encrypted divided program and check code are received from the apparatus 102b, the divided program may be decrypted by the decryption unit.

  By providing the encryption unit and the decryption unit as described above, there is a risk of being decrypted by a third party on the CAN network 106, or it is decrypted by a third party at the time of storage in the EPS control device 102a and the battery control device 102b. The program can be rewritten safely.

In the program rewriting system according to the second embodiment having the above processing flow, when the tester 103 notifies the motor control device 101 of execution of the program rewrite, the motor control device 101 first performs the control so far. A divided program is created from the motor control program used, and a check code for proving that the divided program has not been changed is created and transmitted to the EPS control device 102a and the battery control device 102b, respectively.
After the transmission is completed, the motor control device 101 rewrites the motor control program with the rewrite program transmitted from the tester 103.
Thereafter, the tester 103 is separated from the CAN network 106, and the motor control device 101 performs control with the rewritten motor control program.
When the EPS control apparatus 102a or the battery control apparatus 102b detects an operation abnormality or security vulnerability of the motor control apparatus 101 by the rewritten motor control program, the other second type node and the motor control apparatus are detected. 101 is notified.

  Thereby, the EPS control apparatus 102a and the battery control apparatus 102b transmit the division program and the check code stored therein to the motor control apparatus 101, and the motor control apparatus 101 receives the division The motor control program portion corresponding to the program is rewritten, and each time the check code is received, the corresponding motor control program portion is verified.

  According to the program rewriting system of the second embodiment, after the motor control program of the motor control device 101 is rewritten and the tester 103 is separated from the CAN network 106, there is an abnormality in the operation of the motor control device 101 or security. Even when the above vulnerability is detected, there is no need to re-connect the tester 103 to the CAN network 106 and send the rewriting program again, and it is possible to efficiently return to the control program before rewriting and verify it. In addition, the motor control apparatus 101 can ensure the safety of the automobile without continuing to use the problematic control program.

  In addition, since a divided program is created from the motor control program and stored in a plurality of second type nodes (in the second embodiment, two of the EPS control device 102a and the battery control device 102b), one second type node It is not necessary to provide a recording capacity large enough to store all the rewriting programs, and the cost of one node can be prevented from increasing, and the overall cost can be suppressed.

In the first embodiment and the second embodiment described above, the vehicle control system including two second type nodes has been described as an example. However, the number of second type nodes is not limited to this. Absent.
By increasing the number of type 2 nodes, the capacity of each divided program can be reduced, and the recording capacity required for each type 2 node can be suppressed.

Further, although the CAN network 106 has been described as an example of a network to which each node is connected, the type of network is not limited to this.
Further, the same effect can be obtained when the tester is directly connected to the motor control device 101 without using the CAN network 106.

  In the first and second embodiments described above, the description has been made on the assumption that the program rewriting of the first type node is successful. However, there is a problem due to the verification result, and the rewriting fails or for some reason. In preparation for the case where rewriting fails, a timeout time or the like is set in the first type node, and when the rewriting program or the divided program cannot be received even after a predetermined time has passed, or when rewriting does not end, The rewriting process may be forcibly terminated.

  However, when the rewriting process is terminated halfway, it is necessary to prepare a countermeasure such as recording a unique code indicating a failure state in the related node.

  In the second embodiment described above, the description has been made on the assumption that the check code corresponding to the divided program arrives. However, when the check code does not reach, there is an abnormality in the CAN network 106 or the corresponding second type node. Therefore, rewriting can be stopped at an early stage.

  In the above-described second embodiment, the description has been made on the assumption that the divided program can be proved by the check code. However, as the check code, a check code that can be corrected at the time of change (for example, an error-correcting code). ) Can be used to repair the split program when a problem occurs.

  It should be noted that within the scope of the present invention, the embodiments can be freely combined, or the embodiments can be appropriately modified or omitted.

  The present invention can be used for rewriting a program in a system (for example, a vehicle control system) including a plurality of control devices connected to a network.

101 motor control device (first type node), 102a EPS control device (second type node),
102b Battery control device (type 2 node), 103 tester (type 3 node),
106 CAN network, 110 drive motor,
111, 121a, 121b, 131 microcomputer,
112, 122a, 122b, 132 data transmission / reception unit,
113, 123a, 123b, 133 recording device,
114 program rewriting unit, 115 status detection unit, 116 divided program transmission unit,
120a EPS, 120b battery,
124a, 124b division program transmission unit, 134 rewrite instruction unit,
135 rewrite program transmission unit, 511 program verification unit,
512 division program and check code transmission unit, 513 second state detection unit,
521a, 521b division program and check code transmission unit,
522a, 522b type 1 node state detection unit

In the program rewriting system according to the present invention, the first type node and the plurality of second type nodes are communicably connected to the network, and the first type is transmitted by the rewriting program transmitted from the third type node connected to the network as needed. A program rewriting system for rewriting a node program, wherein a first type node divides a first recording area for storing a program and a program stored in the first recording area into a plurality of divided programs. Respectively, and a program rewriting unit for rewriting the program in the first recording area by the rewriting program received from the third type node. A second recording area for storing the divided program received from the first type node; Has a transmission unit for transmitting the stored divided program in the second recording area to the one node, the first type node state detecting unit for detecting the state of the first type node, the third type node, A first recording node having a third recording area for storing the rewriting program, a rewriting instruction unit for instructing rewriting to the first type node, and a rewriting program transmitting unit for transmitting the rewriting program to the first type node; the program rewriting unit, when receiving a rewrite instruction from the three nodes, after transmitting the divided programs into the second type node, rewrites the program by rewriting program received from the third type node, the second type node After the program is rewritten by the program rewriting unit, the first type node status detection unit detects an abnormality of the first type node. In addition to notifying the first type node and other second type nodes, the divided program stored by the own node is transmitted to the first type node, and the other second type node receiving the notification is stored by the own node. The divided program to be transmitted is transmitted to the first type node, and the first type node rewrites the corresponding part of the program in the first recording area by the divided program received from each second type node .

According to the present invention, the first type node and the plurality of second type nodes are communicably connected to the network, and the program of the first type node is executed by the rewrite program transmitted from the third type node connected to the network as needed. In the program rewriting system for rewriting, the first type node divides a first recording area for storing a program and a program stored in the first recording area into a plurality of parts, and each divided program is divided into a plurality of parts. A divided program transmission unit that transmits to the two-type node, and a program rewriting unit that rewrites the program in the first recording area by the rewriting program received from the third-type node, and the second-type node is the first-type node A second recording area for storing the division program received from the second recording area, and a division program stored in the second recording area. Has a transmission unit for transmitting the ram to the first type node, the first type node state detecting unit for detecting the state of the first type node, the third type node, a third recording area for storing the rewriting program A rewriting instruction unit that instructs rewriting to the first type node, and a rewriting program transmitting unit that transmits the rewriting program to the first type node. The program rewriting unit of the first type node is a third type node. When the rewrite instruction is received from the node, after the split program is transmitted to the second type node, the program is rewritten by the rewrite program received from the third type node , and the program is rewritten by the program rewriting unit in the second type node Later, when an abnormality of the first type node is detected by the first type node state detection unit, the first type node and other second type nodes are detected. And the split program stored by the own node is transmitted to the first type node, and the other second type node having received the notification transmits the split program stored by the own node to the first type node, Since the first type node rewrites the corresponding part of the program in the first recording area by the divided program received from each second type node , if there is a problem with the program after the rewriting, You can easily return to the program before rewriting.

Next, with reference to FIG. 4, description will be given of the processing after rewriting to the rewriting program and then writing back to the program before rewriting as the operation after rewriting.
At this time, the tester 103 is assumed to be removed from the CAN network 106.
Oite to Step S31 1, the state detection unit 115 determines whether a problem arises in its processing. If an abnormality is detected (YES), the process proceeds to step S312.

Claims (7)

A program rewriting system in which a first type node and a plurality of second type nodes are communicably connected to a network, and the program of the first type node is rewritten by a rewriting program transmitted from a third type node connected to the network as needed Because
The first type node is
A first recording area for storing the program;
A divided program transmission unit that divides the program stored in the first recording area into a plurality of parts, and transmits each divided program to the second type node separately;
A program rewriting unit for rewriting the program in the first recording area by the rewriting program received from the third type node;
The second type node is
A second recording area for storing the divided program received from the first type node;
A transmission unit for transmitting the divided program stored in the second recording area to the first type node;
The above type 3 node is
A third recording area for storing the rewriting program;
A rewriting instruction unit for instructing rewriting to the first type node;
A rewriting program transmitting unit for transmitting the rewriting program to the first type node;
The program rewrite unit of the first type node receives the rewrite instruction from the third type node, transmits the divided program to the second type node, and then receives the rewrite program received from the third type node. A program rewriting system, wherein the program is rewritten by The first type node has a state detection unit that detects its own state,
After rewriting the program by the program rewriting unit, when an abnormality is detected by the state detection unit, the second type node is notified,
Upon receiving the notification, the second type node transmits the divided program stored by the own node to the first type node,
2. The program rewriting system according to claim 1, wherein the first type node rewrites a corresponding part of the program in the first recording area by the divided program received from the second type node. The second type node has a first type node state detection unit for detecting the state of the first type node,
After rewriting the program by the program rewriting unit, when an abnormality of the first type node is detected, the divided program is stored in the first type node and other second type nodes and stored by the own node To the first type node,
Upon receiving the notification, the other type 2 node transmits the divided program stored by itself to the type 1 node,
2. The program rewriting system according to claim 1, wherein the first type node rewrites a corresponding portion of the program in the first recording area by the divided program received from each second type node. The first type node includes an encryption unit that encrypts the divided program;
A decoding unit for decoding the divided program received from the second type node,
The divided program is encrypted, transmitted to the second type node, the divided program received from the second type node is decrypted, and the corresponding part of the program in the first recording area is rewritten. The program rewriting system according to claim 2 or 3. The first type node has a check code generation unit that generates a check code for verifying the divided program when the divided program is generated,
The check code generated by the check code generation unit is transmitted to the second type node,
The second type node has a fourth recording area for storing the check code received from the first type node,
When transmitting the divided program to the first type node, the check code stored in the fourth recording area is transmitted to the first type node,
The first type node verifies that the divided program has not been changed from the divided program and the check code received from the second type node, and then uses the divided program to store the first recording area. The program rewriting system according to any one of claims 2 to 4, wherein a corresponding portion of the program is rewritten. A first step in which the third type node transmits a program rewrite instruction of the first type node to the first type node via the network;
A second step in which the first type node divides the program in response to receiving the rewrite instruction, and transmits each divided program to a plurality of second type nodes via the network;
A third step in which the third type node transmits a rewriting program for rewriting the program to the first type node;
A program rewriting method comprising: a fourth step in which the first type node rewrites the program by the rewriting program transmitted in the third step. A fifth step in which, after rewriting the program in the fourth step, the first type node or the second type node detects an abnormal operation of the first type node;
A sixth step of transmitting the divided program stored in each of the second type nodes to the first type node when an abnormality is detected in the fifth step;
And the first type node includes a seventh step of rewriting a corresponding part of the program rewritten in the fourth step by the divided program transmitted in the sixth step. The program rewrite method described in 1.

Images