JP6094523B2 - Program rewriting method - Google Patents

Description

  The present invention relates to a technique for verifying whether a program and data necessary for operation of a device have been normally written in a storage device.

  Various control devices are mounted on the vehicle. These control devices include a storage device that stores a program, data necessary for the operation of the device, and the like, and the program stored in the storage device may be rewritten.

  Regarding the technology for determining whether or not data has been normally written to the storage device, a load completion mark is included at the end of the main program, and this load completion mark is stored in a specific storage area of the flash memory when downloading. A storing technique is known (see, for example, Patent Document 1). In this technique, when determining whether or not the main program is correctly stored, the load completion mark is stored in the load completion mark storage area in the flash memory, and the result of the sum check for the main program area is normal. If it is determined that it is stored correctly.

  In addition, regarding the in-vehicle control device, when rewriting data in the electronic control device, the master control device first holds and manages the VIN code (vehicle identification code) of each vehicle, the version information of the control program, etc. A technique for acquiring data for rewriting from a management center by wireless communication is known (for example, see Patent Document 2). Then, the acquired data is temporarily stored in the memory device and the suitability of the stored data for rewriting is determined. As a result, on the condition that the data for rewriting stored in the memory device is appropriate, the data in the electronic control device is rewritten using the data for rewriting.

Japanese Patent Laid-Open No. 11-15672 JP 2007-22734 A

  In the method of determining whether or not data has been written normally by checking the load completion mark and checksum, it is assumed that data has been written normally even if the checksum accidentally matches data in an area other than the load completion mark. There is a case where it is erroneously determined.

  In addition, when data is garbled in the middle of data writing and writing is completed and processing is interrupted during verification, the fact that verification has been completed normally is not written. There are cases where it is erroneously determined that data has been written normally.

  An object of the present invention is to determine whether or not the program rewrite to verify has been performed normally.

A program rewriting method according to an embodiment of the disclosure is as follows:
Receive the program sent from the tool,
When writing the program to the storage unit, the check data A embedded in the program and the check data B that is the same data as the check data A, the check data A is written to the storage unit,
After the program is written in the storage unit, a verification program is received from the tool during a verification process for verifying whether the program has been normally written,
Based on the verification program, the program written in the storage unit is verified, and the check data B embedded in the verification program is written in the storage unit,
The check data A written in the storage unit and the check data B written in the storage unit are collated, and if they match, the tool is notified of normal writing.

  According to the disclosed embodiment, it is possible to determine whether or not the program rewriting to the verification has been normally performed.

It is a figure which shows one Example of a structure which implement | achieves the program rewriting method. It is a figure which shows one Example of the rewriting process of a program. It is a figure which shows one Example of a verify. It is a sequence chart which shows one Example of the process between a writing tool and an electronic control unit. It is a flowchart which shows one Example of the rewriting process of a program. It is a flowchart which shows one Example of a verify. It is a figure which shows the prior art example (the 1) of the rewriting process of a program. It is a figure which shows the prior art example (the 1) of verification. It is a figure which shows the prior art example (the 2) of the rewriting process of a program. It is a figure which shows the prior art example (the 2) of verification.

Next, the form for implementing this invention is demonstrated, referring drawings based on the following Examples. Examples described below are merely examples, and embodiments to which the present invention is applied are not limited to the following examples.
In all the drawings for explaining the embodiments, the same reference numerals are used for those having the same function, and repeated explanation is omitted.

<Electronic control unit>
FIG. 1 shows an embodiment of an electronic control unit (ECU) 100 as a control device.

  The ECU 100 is mounted on a moving body such as a vehicle. One embodiment of the ECU 100 is mounted on a vehicle and connected to an in-vehicle network such as a CAN (Controller Area Network). The ECU 100 can be connected to an information system LAN, a power train system LAN, a body system LAN, and the like. Further, a sensor, an actuator, or the like may be mounted on the ECU 100. A plurality of ECUs 100 constitute an in-vehicle communication system.

  An external device connection connector 300 is mounted on a vehicle on which the ECU 100 is mounted. A data link connector (DLC: Data Link Connector) can be applied to the external device connection connector 300. The ECU 100 and the external device connection connector 300 are connected by a communication line 50 according to a standard used for data transfer between interconnected devices such as CAN.

  Various tools such as a diagnostic machine are connected to the external device connecting connector 300 from the outside of the vehicle. An example of the tool is a rewriting tool 200 that rewrites a program stored in the storage device of the ECU 100. The rewrite tool 200 and the external device connection connector 300 are connected by a communication line 50 according to a standard used for data transfer between interconnected devices such as CAN.

  In one embodiment of the ECU 100, a case where the rewriting tool 200 is connected to the external device connecting connector 300 will be described.

<Rewriting tool 200>
The rewriting tool 200 is connected to the ECU 100 via the external device connection connector 300. The rewriting tool 200 includes an interface (I / F) (not shown), a CPU (not shown), and a memory (not shown). "Rewrite program").

  The interface transmits data to the ECU 100 via the communication line 50. For example, the interface transmits a rewrite program stored in the storage device of the ECU 100 to the communication line 50. The interface also receives data such as various responses from the ECU 100, and inputs the received data to the CPU.

  The CPU is connected to the interface. Prior to the transmission of the rewrite program, the CPU performs security access such as password verification to the ECU 100 and acquires a security access response transmitted from the ECU 100. When the CPU obtains the security access response transmitted from the ECU 100, it requests the ECU 100 to erase the address range to be written, and the erase response indicating that the erasing of the address range to be written transmitted from the ECU 100 is completed. To get. An address range in which check data B is written at the time of verification is also designated as an address range for requesting erasure. When acquiring the erase response transmitted from the ECU 100, the CPU transmits a write request command for requesting writing to the ECU 100 and a rewrite program, and acquires a write response indicating that the writing transmitted from the ECU 100 is completed. When the CPU obtains a write response transmitted from the ECU 100, the CPU transmits a verify request command requesting to verify whether or not the rewrite program has been normally written to the ECU 100, and a verify program transmitted from the ECU 100. Get a verify response indicating that is complete.

<ECU100>
The ECU 100 includes a microcomputer (not shown) and a transceiver (not shown). The transceiver is connected to the communication line 50, and transmits data such as a message from the communication circuit to the communication line 50, and receives data such as a message from the communication line 50 and inputs the data to the communication circuit under the control of the communication driver. . The transceiver controls input voltage, signal amplitude, and sleep and wakeup for power saving of the ECU 100.

  The microcomputer is equipped with a communication circuit (not shown), a CPU (Central Processing Unit) (not shown), and a storage device (not shown) such as a flash memory, and when the ECU 100 functions as a master node, a token And scheduling management. The microcomputer transmits and receives data regardless of whether the ECU 100 functions as a master node or a slave node.

  Prior to the transmission of the rewriting program, the microcomputer performs a process related to security in accordance with security access such as password verification from the rewriting tool 200 and transmits a security access response. The microcomputer stores security information, and is set so that the program cannot be written unless the security check based on the security information is passed. As a result, unauthorized program writing can be prevented.

  The microcomputer erases the corresponding address range of the storage device in response to a request for erasing the address range to be written from the rewriting tool 200, and transmits an erase response indicating that the erasure of the corresponding address range is completed. To do. When the microcomputer acquires the write request command for requesting writing and the rewrite program transmitted from the rewrite tool 200, the microcomputer writes the rewrite program to the storage device and transmits a write response when the writing is completed.

<Write processing>
FIG. 2 shows an embodiment of the rewriting process. FIG. 2 shows an example of a storage device area. The storage device is provided with an area not to be rewritten and an area to be rewritten, and the area not to be rewritten is divided into an area in which a program such as a rewrite processing program is stored and an empty area. In FIG. 2, the range of the area to be rewritten is indicated by hatching.

  In the rewrite target area, an area in which the check data A is written when the program is rewritten is prepared. Here, the check data A indicates identification information such as a language, characters, symbols, and various indicia used for verifying that the program rewriting process has been performed. The check data A may be identification information in which at least two of a language, characters, symbols, and various indicia are combined.

  In the area not to be rewritten, an area in which the check data B is written at the time of verifying that the program has been rewritten normally is prepared. Here, the check data B indicates identification information such as language, characters, symbols, and various indicia used for verifying that the program has been rewritten normally. The check data B may be identification information in which at least two of language, characters, symbols, and various indicia are combined. Check data A and check data B are the same identification information.

  The rewriting tool transmits the rewriting program to the ECU 100 in order from the smallest memory address. The microcomputer of the ECU 100 writes the rewrite program transmitted from the rewrite tool in the order of transmission from the smallest memory address in the direction of the arrow (write from the left to the right in FIG. (Write in the right direction), and a write response indicating write completion is returned when the data before the check data B (the end of the transmitted rewrite program) is rewritten. That is, the check data B is not written in the writing process.

  Check data A and check data B are embedded in a program in advance, and the values can be different for each program. For example, the value of the check data A and the value of the check data B before the program is rewritten is “84963451h”, and the value of the check data A and the value of the check data B is “32964754h” in the program to be rewritten. . In this case, when the check data A is rewritten after the start of program rewriting, the check data A is “32964754h” because it is rewritten, and the check data B is “84963451h” because it is not rewritten.

  After the rewriting of the program is completed, verification for verifying whether the program has been rewritten normally is performed. When the microcomputer acquires the verify request command for verifying whether or not the rewrite program transmitted from the rewrite tool 200 has been normally written, and the verify program, the rewrite program written in the storage device, the verify program, Are verified to verify whether the rewrite program has been written normally. When the verification is completed, a verification response is transmitted.

  FIG. 3 shows an example of verification. FIG. 3 shows an example of a storage device area. The storage device is provided with an area not to be rewritten and an area to be rewritten, and the area not to be rewritten is divided into an area in which a program such as a rewrite processing program is stored and an empty area. In FIG. 3, the range of the area where the verification is performed is indicated by hatching. The area to be verified is the same as the rewrite target area. Further, an area where the check data B is written is set as a rewrite target area.

  The rewrite tool transmits the same verify program as the rewrite program to the ECU 100 in order from the smallest memory address. The microcomputer of the ECU 100 performs verification in the direction of the arrow from the lowest memory address in the order in which the verification program is transmitted based on the verification program transmitted from the rewriting tool (verification from the left to the right in FIG. After writing to the right end, the next address is verified in the direction from left to right.) After verifying to the word before check data B (the end of the transmitted program), check data B sent from the rewrite tool Write. Note that the memory block in which the check data B is stored (included) is erased once when the program is written, and therefore does not need to be erased again. After writing the check data B, it is checked whether or not the check data B and the check data A already written are the same.

  In the process of writing the rewrite program, the check data B is not written, but when the word before the check data B is written, a write response indicating completion of writing is returned. At this time, it can be recognized that the verification has not been completed normally because the value of the check data A and the value of the check data B do not match. For example, when the power is shut off at the time when rewriting of the program is completed, the check data A is rewritten, but the check data B that is rewritten at the last time of verification is not rewritten. Therefore, when the power is turned on next time, the value of the check data A and the value of the check data B do not match, so that it can be recognized that the verification is not normally performed.

  In addition, the size of check data A and check data B is about 4 bytes each, so it is recognized whether or not the verification has been performed normally without squeezing the memory capacity for storing the vehicle program. it can.

  In addition, verification can be performed on the entire rewrite target area including check data.

<Operation of ECU100>
FIG. 4 shows an example of processing for writing a program to the ECU 100 using the program rewriting tool 200.

  In step S402, the rewrite tool 200 performs security access such as password verification to the ECU 100.

  In step S404, the ECU 100 checks the password against the security access from the rewriting tool 200, and returns a security access response permitting the program writing to the rewriting tool 200 when they match.

  In step S406, when the rewrite tool 200 receives a security access response from the ECU 100, the rewrite tool 200 transmits an erase request command requesting the ECU 100 to erase the address range to be written. In the erase request command, an address range indicating an area in which the check data B is written at the time of verification is also specified.

  In step S408, when the ECU 100 receives the erase request command from the rewrite tool 200, the ECU 100 erases the flash memory in the requested address range.

  In step S410, after the flash memory in the requested address range is completely erased, the ECU 100 transmits to the rewriting tool 200 an erase response notifying that the erase has been completed.

  In step S <b> 412, after receiving the erase response transmitted from the ECU 100, the rewrite tool 200 transmits a write request command for requesting write and write data (rewrite program) to the ECU 100. The write request command is accompanied with information indicating which size of data is written from which address.

  In step S414, upon receiving the write request command and write data transmitted from the rewrite tool 200, the ECU 100 writes data in the requested address range in accordance with the write request command.

  In step S416, when the writing of data to the requested address range is completed, the ECU 100 returns a write response notifying that the writing has been completed.

  In step S418, upon receiving a write response transmitted from the ECU 100, the rewrite tool 200 transmits a verify request command and verify data (verify program) to the ECU 100. The verification request command is accompanied by information indicating from which address to which size data is to be verified. The verify data is the same as the write data transmitted from the rewrite tool 200 in step S412.

  In step S420, the ECU 100 collates the data written in the address range attached to the verify request command with the verify data transmitted from the rewrite tool 200 according to the verify request command.

  In step S422, when the verification is completed for the data in the requested address range, the ECU 100 transmits a verification response notifying the rewriting tool 200 that the verification is completed.

  5 and 6 show an embodiment of the operation of the ECU 100. FIG. FIG. 5 shows an embodiment of a rewrite program writing process in the ECU 100. That is, FIG. 5 shows a process corresponding to step S414 in FIG.

  FIG. 5 shows an operation after the ECU 100 transmits a security access response according to security access such as password verification from the rewriting tool 200 prior to transmission of the rewriting program. The rewriting tool 200 transmits the rewriting program to the ECU 100 in order from the smallest memory address.

  In step S502, the microcomputer of the ECU 100 determines whether or not the write target is the final address.

  In step S504, when the microcomputer of the ECU 100 determines that the write target is the final address, the microcomputer 100 returns a write completion write response to the rewrite tool 200.

  In step S506, when the microcomputer of the ECU 100 determines that the write target is not the final address, the microcomputer 100 writes the data transmitted from the rewriting tool 200 to the storage device. Thereafter, the processing from step S502 is performed.

  FIG. 6 shows an operation of verify processing for verifying whether or not the program has been normally rewritten after rewriting to the rewrite program is completed. The rewrite tool 200 transmits a verify program (rewrite program) to the ECU 100 in order from the smallest memory address.

  In step S602, the microcomputer of the ECU 100 determines whether or not the verification target is the final address.

  In step S604, when the microcomputer of the ECU 100 determines that the verification target is the final address, the microcomputer 100 writes the data (check data B) transmitted from the rewriting tool 200.

  In step S606, the microcomputer of the ECU 100 collates the check data B written in step S604 with the check data A already written.

  In step S608, the microcomputer of the ECU 100 determines whether or not all the data match as a result of the check data B and the check data A being collated.

  In step S610, if it is determined in step S608 that all the data match, the microcomputer of the ECU 100 notifies the rewriting tool 200 that the verification has been completed normally.

  In step S612, if it is not determined in step S608 that all the data match, the microcomputer of the ECU 100 notifies the rewriting tool 200 that the verification has ended abnormally.

  In step S614, when it is determined in step S602 that the verification target is not the final address, the microcomputer of the ECU 100 collates the data transmitted from the rewriting tool 200 with the data written in the storage device.

  According to one embodiment of the ECU 100, even if the verification is interrupted due to power interruption or the like at the time of verification after rewriting to the rewriting program, a special area is not provided for the identification and the next startup is performed. It is possible to detect that the verification has been interrupted.

<Effect of the present invention>
FIG. 7 shows a conventional example (part 1) of the program rewriting process. FIG. 7 shows an example of a storage device area. The storage device is provided with an area not to be rewritten and an area to be rewritten, and the area not to be rewritten is divided into an area in which a program such as a rewrite processing program is stored and an empty area. In FIG. 7, the range of the area to be rewritten is indicated by hatching. In the conventional example, an area where check data A and check data B are written is prepared in an area to be rewritten. That is, the ECU microcomputer returns a write completion write response when writing up to check data B (the end of the transmitted program). In this case, when rewriting is interrupted due to power interruption or the like in the middle of rewriting, the value of check data A and the value of check data B do not match, so it can be verified that rewriting has not ended normally. On the contrary, when the value of the check data A matches the value of the check data B, it can be determined that the rewriting has been completed normally. FIG. 7 shows a state in which data corruption has occurred during program rewriting.

  FIG. 8 shows a conventional example (1) of verification. As shown in Fig. 8, when the verification is interrupted due to the power shutoff during the verification, because the verification is not performed for the data corruption part, the ECU microcomputer has detected an abnormality in the rewriting tool. Not notified. When only the ECU is turned off, communication with the rewriting tool is not established after that, so the rewriting tool can recognize that the verification has been interrupted without ending the verification as a communication error. If the rewriting tool can recognize that the verification has been interrupted without completing it, the verification can be performed again after the ECU power is turned on again.

  However, if the power of the rewrite tool is cut off together with the ECU, even if the power is turned on after that, the rewrite tool cannot recognize whether or not the previous verify has been completed normally. If it is mistakenly recognized as being completed, it cannot be recognized that there was an abnormality such as garbled data in writing.

  FIG. 9 shows a conventional example (part 2) of the program rewriting process. FIG. 9 shows an example of a storage device area. The storage device is provided with a non-rewrite area and a rewrite area, and the non-rewrite area is divided into an area where a program such as a rewrite processing program is stored and an empty area. An area for writing is provided. In FIG. 9, the range of the area to be rewritten is indicated by hatching.

  The rewrite status is data for confirming whether or not rewriting has been normally performed, and is embedded in the program in advance. The data embedded in the program indicates that rewriting has not been completed (hereinafter referred to as “rewriting incomplete”). The microcomputer of the ECU rewrites the rewrite status to data indicating completion of rewriting after the rewriting of the program is completed and the subsequent verification is normally completed. As a result, the rewrite status remains “incomplete rewrite” unless the verification is normally completed. Therefore, is the ECU written correctly by checking the rewrite status at the next power-on? Whether or not can be determined reliably. FIG. 9 shows a state in which data corruption has occurred during program rewriting.

  FIG. 10 shows a conventional example (part 2) of verification. As shown in FIG. 10, when the verification is interrupted during the verification due to the power shut-off etc., the verification of the data garbled part has not been performed. Not notified. However, since the verification has not been completed, the rewrite status remains “incomplete rewrite”. Therefore, when the power is turned on again, the ECU can recognize that the verification has not been completed normally by using the rewrite status information.

  However, this method rewrites the incomplete rewrite that was once written at the time of rewrite status write to the completion of rewrite after the end of verification. The memory (hereinafter referred to as “memory block”) must be erased once. Even if the data length of the rewrite status is 4 bytes, the memory block is generally on the order of several KB to several tens of KB, so several KB to several tens of KB must be secured as an area for writing the rewrite status. I must. Due to cost constraints, ECUs that originally have only a small memory capacity will put pressure on the memory capacity of the original vehicle control program. In particular, when the memory block size is larger than the total flash memory size, the area for storing the program may be compressed. In this case, it is necessary to prepare a flash memory having a higher memory size, which increases the cost.

  Further, it cannot be confirmed whether or not the rewrite status to be rewritten after the end of verification is correctly rewritten.

  According to one embodiment of the control device, when the program is rewritten, the data in the area where the check data B is written at the end of the verification is erased, and the check data A is written and checked at the end of the verification. By writing data B, there is no need to erase the memory block, so there is no need to secure a useless area.

  Although the present invention has been described above with reference to specific embodiments, each embodiment is merely an example, and those skilled in the art will understand various variations, modifications, alternatives, substitutions, and the like. I will. For convenience of explanation, an apparatus according to an embodiment of the present invention has been described using a functional block diagram, but such an apparatus may be implemented in hardware, software, or a combination thereof. The present invention is not limited to the above-described embodiments, and various variations, modifications, alternatives, substitutions, and the like are included without departing from the spirit of the present invention.

50 Communication line 100 Electronic control device 200 Rewriting tool 300 External device connector

Claims (1)

Receive the program sent from the tool,
When writing the program to the storage unit, the check data A embedded in the program and the check data B that is the same data as the check data A, the check data A is written to the storage unit,
After the program is written in the storage unit, a verification program is received from the tool during a verification process for verifying whether the program has been normally written,
Based on the verification program, the program written in the storage unit is verified, and the check data B embedded in the verification program is written in the storage unit,
A method for rewriting a program, wherein the check data A written in the storage unit and the check data B written in the storage unit are collated, and if they match, the tool is notified of successful writing.

Images