JP7081415B2 - Communication equipment, communication methods, and communication programs - Google Patents

Description

The present invention relates to a communication device or the like mounted on a vehicle.

The vehicle is equipped with a plurality of in-vehicle devices called ECUs (Electronic Control Units) to control various functions of the vehicle. For these ECUs, a work called reprogramming for rewriting a program or various other works may be performed at a vehicle factory at the time of vehicle manufacturing, a maintenance shop after shipment, or the like. Such work is performed by connecting an external tool to the connector provided in the vehicle, sending a rewrite program from the external tool to the ECU to be worked on, or sending data necessary for other work. Can be done.

When rewriting a program of an in-vehicle device using an external tool, it has been proposed to perform various authentications in order to prevent unauthorized work. Patent Document 1 discloses that an in-vehicle device authenticates an external tool. Further, in Patent Document 2, when an external tool is connected to the network in the vehicle to rewrite the program, the server authenticates the detection device for the immobility key via the public network, and the detection device detects it. It discloses that the in-vehicle device authenticates the immobility key.

Japanese Unexamined Patent Publication No. 2016-11299 Japanese Unexamined Patent Publication No. 2013-168007

Authentication by communication between an in-vehicle device and an external tool can eliminate the possibility of unauthorized work using an unauthorized external tool. Since external tools may be analyzed, security can be further guaranteed by using a server in a well-managed center for authentication.

However, if authentication is performed by communicating with the server, the takt time increases by the time required for communication with the server when working in the vehicle factory. In addition, if a communication failure with the server occurs, the work will be stopped until it is restored. In this way, if the server is used uniformly for authentication, there is a risk that productivity will decrease in the depot.

The present invention has been made in view of the above problems, and an object of the present invention is to provide a communication device for a vehicle, which enables improvement of security after shipment of a vehicle and maintenance of productivity in a vehicle factory. ..

In order to solve the above problems, one aspect of the present invention is a communication device mounted on a vehicle, in which an initial value is stored at the time of manufacturing the vehicle as a value indicating a state of a predetermined flag, and after the vehicle is shipped. Refers to the storage unit that stores values other than the initial value and the storage unit when the communication device receives a predetermined signal from an external tool, and whether or not the value indicating the state of the predetermined flag is the initial value. If the value indicating the state of the predetermined flag is the initial value, the authentication process is performed by communication with the external tool, and if it is not the initial value, the authentication including the communication with the external server is performed. It is a communication device provided with an authentication unit that performs processing.

According to the present invention, it is possible to provide a communication device for a vehicle that enables improvement of security after shipment of a vehicle and maintenance of productivity in a vehicle factory.

A functional block diagram showing one aspect of the work according to the embodiment of the present invention. A functional block diagram showing another aspect of the work according to the embodiment of the present invention. A flowchart showing the process according to the embodiment of the present invention. A flowchart showing a process according to a reference example of the present invention. A flowchart showing a process according to a reference example of the present invention.

(Embodiment)
The communication device according to the present invention performs authentication between the communication device and the external tool without communicating with the server at the time of work using the external tool in the vehicle factory at the time of manufacturing the vehicle. As a result, while ensuring a certain level of security, it is possible to avoid an increase in takt time due to the time required for communication with the server, eliminate the risk of work stoppage due to poor communication with the server, and suppress a decrease in vehicle productivity. .. Further, after the vehicle is shipped, the security can be further enhanced as compared with the authentication process in the vehicle factory by performing the authentication process including the communication with the server when working with the external tool.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

<Structure>
FIG. 1 shows a functional block diagram showing a first aspect of work using an external tool according to the present embodiment. The vehicle 1 includes a communication device 10, a plurality of ECUs 21, 22 ..., And a connector 30. The communication device 10, the plurality of ECUs 21, 22 ... Are connected to each other by the in-vehicle communication bus 32. The communication device 10 may further include one or more configurations connected to each other by another in-vehicle communication bus by another in-vehicle communication bus, similarly to the in-vehicle communication bus 32 and the plurality of ECUs 21, 22 .... .. Further, the communication device 10 and the connector 30 are connected to each other by an external communication bus 31.

The communication device 10 is a gateway that connects the communication bus 32 for the inside of the vehicle and the communication bus 31 for the outside of the vehicle, and controls the communication of each bus. The communication device 10 includes a storage unit 11, a determination unit 12, an authentication unit 13, and a control unit 14. The storage unit 11 stores information such as data and programs used for control. The determination unit 12 acquires information with reference to the storage unit 11 and makes a determination for determining the processing content. The authentication unit 13 performs an authentication process according to the determination result of the determination unit 12. Further, the control unit 14 controls each of these units and controls communication.

In this aspect, the external tool 40 outside the vehicle is connected to the connector 30. The authentication unit 13 performs an authentication process by communicating with the external tool 40, and when the authentication is successful, the control unit 14 permits the work by the external tool 40.

FIG. 2 shows a functional block diagram showing a second aspect of work using an external tool according to the present embodiment. In this aspect, the external tool 40 can communicate with the specific server 50 via, for example, a public network, and the authentication unit 13 performs an authentication process including communication with the server 50 via the external tool 40. It is different from one aspect. When the authentication unit 13 succeeds in authentication, the control unit 14 permits the work by the external tool 40.

FIG. 3 is a flowchart showing an example of processing executed by the communication device 10. The processing of the communication device 10 will be described with reference to FIG. Here, as an example of work, it is assumed that the ECU 21 is reprogrammed using an external tool 40. This process is started by connecting the external tool 40 to the connector 30, and the external tool 40 transmitting a predetermined signal to the communication device 10. The predetermined signal is, in this example, a signal requesting that the operation mode of the communication device 10 be switched to the reprogramming communication relay mode. In the reprogramming communication relay mode, the communication device 10 relays the update data of the program sent by the external tool 40 to the vehicle external communication bus 31 to the vehicle internal communication bus 32, and the ECU 21 to be worked on can receive the update data. ..

(Step S101): The storage unit 11 stores the initial state flag. The initial state flag is set to an initial value indicating an on state when the communication device 10 is attached to the vehicle 1 at the time of manufacturing the vehicle 1. By the time the vehicle 1 is shipped, as will be described later, the value representing the state of the initial state flag is rewritten to the value representing the off state other than the initial value. In this step, the determination unit 12 refers to the storage unit 11 and acquires a value indicating the state of the initial state flag. If the value representing the state of the initial state flag indicates on, the process proceeds to step S102. If the value representing the state of the initial state flag indicates off (if it is not on), the process proceeds to step S104.

(Step S102): The authentication unit 13 communicates with the external tool 40 to perform authentication. That is, the authentication process is performed in the first aspect shown in FIG. The authentication method is not limited as long as the authentication unit 13 can authenticate the external tool 40, and for example, a challenge response method can be used.

(Step S103): If the authentication unit 13 succeeds in the authentication in step S102, the authentication unit 13 proceeds to step S106. If authentication fails, this process ends.

(Step S104): The authentication unit 13 communicates with the server 50 via the external tool 40 to perform authentication. That is, the authentication process is performed in the second aspect shown in FIG. The authentication method is not limited as long as the authentication unit 13 can finally authenticate the external tool 40 by using the communication result with the server 50, but the authentication unit 13 and the server 50 are in the process of communication. Authentication between the authentication unit 13 and the external tool 40, authentication between the external tool 40 and the server 50 are performed, and by combining these, analysis becomes difficult, and the authentication in step S102 is performed. It can increase reliability. For these authentications, for example, a challenge response method can be used. Further, the reliability of communication may be enhanced by appropriately combining digital signatures and the like.

(Step S105): If the authentication unit 13 succeeds in the authentication in step S104, the authentication unit 13 proceeds to step S106. If authentication fails, this process ends.

(Step S106): The control unit 14 starts the reprogramming communication relay mode as the operation mode of the communication device 10, and notifies the external tool 40 that, for example, the reprogramming communication relay mode has started. Upon receiving the notification, the external tool 40 sends the update data of the program to the communication bus 31 for outside the vehicle, and the communication device 10 relays the update data to the communication bus 32 for inside the vehicle. The ECU 21 acquires the update data and rewrites the program.

(Step S107): The control unit 14 determines whether or not the communication of the update data of the program is completed. The determination can be made, for example, based on whether or not a notification indicating that the communication has ended is received from the external tool 40. If it is determined that the communication is completed, the control unit 14 proceeds to step S108, and if it is determined that the communication is not completed, the control unit 14 repeats this step and waits for the end of the communication.

(Step S108): The control unit 14 ends the reprogramming communication relay mode.

This completes the process. When a plurality of ECUs 21, 22 ... Are work targets, the external tool 40 updates the program of each ECU to be rewritten while the communication device 10 is in the reprogramming communication relay mode in step S106 described above. Is sent to the communication bus 31 for outside the vehicle, and the communication device 10 relays each update data to the communication bus 32 for inside the vehicle. Each ECU acquires the update data of the program of its own device and rewrites the program respectively.

When such work is performed in the vehicle factory at the time of manufacturing the vehicle 1, when the work is completed for all the ECUs to be worked, the value indicating the state of the initial state flag stored in the storage unit 11 is turned off. Rewritten to the value to be represented. For example, when the work is completed for all the ECUs to be worked, the external tool 40 notifies the communication device 10 of a request to rewrite the initial state flag to off, and the control unit 14 is based on this request. Therefore, the value indicating the state of the initial state flag stored in the storage unit 11 can be rewritten to the value indicating off. Alternatively, when the work is completed for all the ECUs to be worked, the external tool 40 transmits a signal for another work to be executed thereafter to the communication device 10, and the control unit 14 detects this signal. Then, the value indicating the state of the initial state flag stored in the storage unit 11 may be rewritten to the value indicating off. Alternatively, the control unit 14 acquires an odometer value or the like from another device in the vehicle 1 via the in-vehicle communication bus 32, and based on this, the vehicle 1 travels for a predetermined distance or more and goes out of the vehicle factory. When it is detected, the value indicating the state of the initial state flag stored in the storage unit 11 may be rewritten to the value indicating off. In this way, the method of rewriting the value representing the state of the initial state flag is not limited.

The external tool 40 used in the vehicle factory does not have to have a communication function with the server 50, but may be the same as the external tool 40 having a communication function with the server 50 used outside the vehicle factory. , It may be another thing that does not have a communication function with the server 50.

The target of reprogramming may be the communication device 10. In that case, reprogramming of the communication device 10 is performed in steps S106, S107, and S108. For example, in step S106, the control unit 14 of the communication device 10 determines whether or not the update data is the update data for reprogramming of the own device, and if it is the update data for reprogramming of the own device. Instead of relaying the update data to the in-vehicle communication bus 32, the program is updated by storing it in the storage unit 11.

<Effect>
As described above, in the vehicle factory at the time of manufacturing the vehicle 1, when the work using the external tool 40 is performed, the authentication between the communication device 10 and the external tool 40 is performed without communicating with the server 50. As a result, while ensuring a certain level of security, it is possible to avoid an increase in takt time due to the time required for communication with the server 50, eliminate the risk of work stoppage due to poor communication with the server 50, and reduce vehicle productivity. Can be suppressed. Further, after the vehicle 1 is shipped, the security can be further enhanced as compared with the authentication process in the vehicle factory by performing the authentication process including the communication with the server 50 when working with the external tool 40.

(1st reference example)
A reference example obtained by modifying the present invention will be described. FIG. 4 is a flowchart showing an example of the process according to the first reference example. In the process shown in FIG. 4, steps S201, S202, S203, S204, S205, and S206 correspond to steps S101, S104, S105, S106, S107, and S108 in the example of the process according to the embodiment shown in FIG. 3, respectively. However, the process corresponding to steps S102 and S103 is not performed. That is, in the first reference example, when the initial state flag, which represents the case of performing work in the vehicle factory, is on, the authentication unit 13 does not perform the authentication process with the external tool 40. Different from the form. In the vehicle factory, for example, if the worker is limited to a specific person and the external tool 40 is strictly controlled, the security is sufficient, and the external tool 40 is authenticated as in this example. It does not have to be. According to the first reference example, it is possible to avoid an increase in tact time due to the time required for authentication with an external tool at the time of vehicle production, and to suppress a decrease in vehicle productivity as compared with the above-described embodiment. Further, after the vehicle 1 is shipped, security can be enhanced by performing an authentication process including communication with the server when working with an external tool.

(2nd reference example)
FIG. 5 is a flowchart showing an example of the process according to the second reference example. In the process shown in FIG. 5, steps S301, S302, S303, S307, S308, and S309 correspond to steps S101, S102, S103, S106, S107, and S108 in the example of the process according to the embodiment shown in FIG. 3, respectively. ..

In the second reference example, the processing of steps S304, S305, and S306 is different from the processing of steps S104 and S105 in the example of the processing according to the embodiment. The processing of steps S304, S305, and S306 will be described below.

(Step S304): The determination unit 12 selects one of the server 50 and the external tool 40 as the communication destination for the authentication process. For example, the determination unit 12 can make a selection by referring to the storage unit 11. In this case, when working in the vehicle factory, information for identifying either the server 50 or the external tool 40 is written in the storage unit 11 from the external tool 40, for example, depending on the destination of the vehicle 1. Alternatively, the determination unit 12 acquires information such as a destination stored in advance by another device in the vehicle 1 via the in-vehicle communication bus 32, and either the server 50 or the external tool 40 according to the acquired information. You may try to specify.

(Step S305): The authentication unit 13 performs an authentication process with the selected authentication destination. That is, if the selected authentication destination is the external tool 40, authentication is performed by communicating with the external tool 40. If the selected authentication destination is the server 50, the server 50 is communicated with the server 50 via the external tool 40 to perform authentication.

(Step S306): If the authentication unit 13 succeeds in the authentication in step S305, the authentication unit 13 proceeds to step S307. If authentication fails, this process ends.

In the second reference example, the authentication method after shipment can be switched according to, for example, the destination of the vehicle 1. That is, at the destination, if communication with the server 50 is suitably possible, the authentication process is set to be performed based on the communication with the server 50, and if communication with the server 50 is difficult, the server 50 and the server 50 are set. It can be set to perform authentication processing without communication. As a result, according to the second reference example, in the vehicle factory at the time of manufacturing the vehicle 1, when the work using the external tool 40 is performed, the authentication between the communication device 10 and the external tool 40 is communicated with the server 50. Do without doing. As a result, while ensuring a certain level of security, it is possible to avoid an increase in takt time due to the time required for communication with the server 50, eliminate the risk of work stoppage due to poor communication with the server 50, and reduce vehicle productivity. Can be suppressed. Further, after the vehicle 1 is shipped, if the destination is capable of communicating with the server 50, the authentication process including the communication with the server 50 is performed at the time of work using the external tool 40 in the vehicle factory. Security can be further enhanced than the authentication process. Further, even in a destination where communication with the server 50 is difficult, a certain level of security can be ensured by performing an authentication process by communicating with the external tool 40 when working with the external tool 40.

In the above description, reprogramming has been mentioned as an example of work performed by permitting access from an external tool, but the present invention is not limited to this, and the present invention determines whether or not access from an external tool is possible by a communication device provided in a vehicle or the like. It can be applied to the whole authentication process for judgment.

Although the present invention has been described above, the present invention includes not only a communication device but also a communication method executed by a computer of the communication device, a communication program, a computer-readable non-temporary recording medium that stores the communication program, a vehicle, and the like. You can catch it.

The present invention is useful for communication devices mounted on vehicles and the like.

1 Vehicle 10 Communication device 11 Storage unit 12 Judgment unit 13 Authentication unit 14 Control unit 21, 22 ECU
30 Connector 31 External communication bus 32 Internal communication bus 40 External tool 50 Server

Claims (8)

A communication device mounted on a vehicle
As a value representing the state of a predetermined flag, a storage unit that stores an initial value at the time of manufacturing the vehicle and stores a value other than the initial value after the vehicle is shipped.
When the communication device receives a predetermined signal from an external tool, a determination unit that refers to the storage unit and determines whether or not the value representing the state of the predetermined flag is an initial value, and a determination unit.
It is provided with an authentication unit that performs authentication processing according to the determination result of the determination unit.
The certification unit
When the value representing the state of the predetermined flag is not the initial value, an authentication process including communication with an external server is performed.
A communication device that performs authentication processing by communicating with the external tool without communicating with the external server when the value representing the state of the predetermined flag is the initial value . The authentication process including communication with the external server performed by the authentication unit includes authentication between the authentication unit and the external server, authentication between the authentication unit and the external tool, and the external tool. The communication device according to claim 1, which is executed by combining authentication with the external server. The communication device according to claim 1 or 2, wherein the external tool is connected to the communication device via a connector provided on the vehicle. The communication device according to any one of claims 1 to 3, wherein the external server is connected to the communication device via the external tool. The predetermined signal is a signal requesting that the operation mode of the communication device be switched to a mode in which the electronic control device included in the vehicle can receive the update data of the program transmitted by the external tool. The communication device according to any one of 4. The initial value stored in the storage unit of the communication device attached to the vehicle at the time of manufacturing the vehicle is rewritten to a value other than the initial value by the time the vehicle is shipped, according to claims 1 to 5. The communication device according to any one of the following items. It is a communication method performed by a communication device mounted on a vehicle.
As a value representing the state of a predetermined flag, a step of storing an initial value in a storage unit at the time of manufacturing the vehicle and storing a value other than the initial value in the storage unit after the vehicle is shipped.
When the communication device receives a predetermined signal from an external tool, the step of referring to the storage unit and determining whether or not the value representing the state of the predetermined flag is the initial value,
A step of performing authentication processing including communication with an external server when the value representing the state of the predetermined flag is not the initial value, and
A communication method comprising a step of performing an authentication process by communicating with the external tool without communicating with the external server when the value representing the state of the predetermined flag is the initial value. A communication program that is executed by the computer of the communication device installed in the vehicle.
As a value representing the state of a predetermined flag, a step of storing an initial value in a storage unit at the time of manufacturing the vehicle and storing a value other than the initial value in the storage unit after the vehicle is shipped.
When the communication device receives a predetermined signal from an external tool, the step of referring to the storage unit and determining whether or not the value representing the state of the predetermined flag is the initial value,
A step of performing authentication processing including communication with an external server when the value representing the state of the predetermined flag is not the initial value, and
A communication program including a step of performing an authentication process by communicating with the external tool without communicating with the external server when the value representing the state of the predetermined flag is the initial value.

Images