JP7085029B2 - Memory rewrite history recording device - Google Patents

Description

Cross-reference of related applications

This application is based on Patent Application No. 2019-014671 filed in Japan on January 30, 2019, and the content of the basic application is incorporated by reference in its entirety.

The disclosure in this specification relates to a memory rewrite history recording device.

Patent Document 1 discloses a control device that uses a rewritable memory. The contents of the prior art documents listed as prior art are incorporated by reference as an explanation of the technical elements in this specification.

Japanese Patent No. 6009290

A control device that uses a rewritable memory may record the rewriting action of the memory. The history of the rewriting action makes it possible to discover the rewriting of the stored data. From one point of view, it is required to be able to detect unauthorized rewriting. From another point of view, even a legitimate rewrite is required to be discoverable or reconfirmable. Further improvements are required in the vehicle control device in the above-mentioned viewpoint or in other viewpoints not mentioned.

One object disclosed is to provide a memory rewrite history recording device capable of efficiently discovering a rewrite action.

Another object disclosed is to provide a memory rewrite history recorder capable of discovering rewriting actions in a small scale configuration.

The memory rewrite history recording device disclosed here stores the program and / or numerical value of the control device (5), is externally rewritable, and has a non-volatile memory (8, M1) and a memory. It is provided with an inspection device (6, M2) that inspects the stored data of the memory and determines whether the memory is normal or abnormal, and a history recorder (10, M3) that records the history of external rewriting. Further, the memory has an area (36) for storing an adjustment value (SUM-ADJ) rewritten so as to prevent the inspection device from determining an abnormality, and a switch value (INT) for setting validity or invalidity of the inspection by the inspection device. It has an area (38) for storing −E / D), and the history includes both the adjustment value and the switch value.

According to the disclosed memory rewrite history recording device, both the adjustment value and the switch value are recorded as a history. Since not only the adjustment value but also the switch value is recorded, both a legitimate external rewrite and an illegal external rewrite can be recorded as a history. As a result, a memory rewriting history recording device capable of efficiently discovering the rewriting action is provided.

The disclosed embodiments herein employ different technical means to achieve their respective objectives. The claims and the reference numerals in parentheses described in this section exemplify the correspondence with the parts of the embodiments described later, and are not intended to limit the technical scope. The objectives, features, and effects disclosed herein will be further clarified by reference to the subsequent detailed description and accompanying drawings.

It is a block diagram of a vehicle system including a control device. It is a flowchart of the initial setting process. It is a flowchart of a rewrite process. It is a flowchart of an inspection process. It is a flowchart of history processing. It is a flowchart of output processing. It is a block diagram of the rewriting history recording device of memory.

A plurality of embodiments will be described with reference to the drawings. In a plurality of embodiments, functionally and / or structurally corresponding parts and / or related parts may be designated with the same reference code or reference numerals having different hundreds or more digits. References can be made to the description of other embodiments for the corresponding and / or associated parts.

1st Embodiment <Equipment system>
FIG. 1 shows the equipment system 1. The equipment system 1 includes a power source (PWRS) 2 as a control target. The equipment system 1 includes a control system for controlling a controlled object. The control system includes a sensor group (SNSR) 3, an actuator group (ACTR) 4, and a control device (ECU) 5.

In this specification, the term device should be construed broadly. Equipment includes stationary equipment and mobile equipment. Stationary equipment includes, for example, air conditioning equipment, power generation equipment, lighting equipment, and the like. Mobile devices include so-called vehicles. The term vehicle includes not only mobile vehicles but also stationary vehicles. Mobile vehicles include, for example, ground vehicles, ships, and aircraft. Stationary vehicles include, for example, simulation equipment for mastering operational techniques. Stationary vehicles include, for example, operational techniques, or amusement equipment for enjoying the behavior of the vehicle. In this embodiment, the equipment system 1 is a vehicle system. The vehicle is a saddle-riding type ground-based vehicle. A typical example of a vehicle is a two-wheeled vehicle.

The power source 2 is provided by an internal combustion engine system or an electric motor system. When the power source 2 is an internal combustion engine system, the power source 2 may include an internal combustion engine, a fuel supply system, and an ignition system. If the power source 2 is provided by a motor system, the power source 2 may include a battery and a motor. In this embodiment, the power source 2 provides power in the vehicle. The power source 2 is an internal combustion engine system. The power source 2 needs to be controlled by a control system in order to provide a preset function.

The control system including the control device 5 provides a memory rewrite history recording device. The control system also functions as a limiter that limits the operating state of the power source 2 within a preset normal range.

<Control system>
The sensor group 3 includes a plurality of sensors. The plurality of sensors output an electric signal indicating the operating state of the power source 2 as a detection signal. In this embodiment, the sensor group 3 includes a pressure sensor (PRES) 11 and a rotation angle sensor (ANGL) 12. The pressure sensor 11 detects the intake pressure of the internal combustion engine. The rotation angle sensor 12 detects the rotation angle of the crank shaft of the internal combustion engine. The sensor group 3 outputs a detection signal to the control device 5.

The actuator group 4 includes a plurality of actuators. The plurality of actuators provide a regulator for adjusting the operating state of the power source 2. In this embodiment, the actuator group 4 includes a fuel pump (PUMP) 13, a fuel injection valve (INJC) 14, an ignition device (IGNT) 15, and a warning light (WRNL) 16. The fuel pump 13 pressurizes the fuel stored in the fuel tank. The fuel pump 13 is an electric motor pump or an electromagnetic plunger pump. The fuel pump 13 is controlled to pressurize the fuel appropriately. The fuel injection valve 14 supplies fuel to the internal combustion engine by injecting pressurized fuel. The fuel injection valve 14 is a solenoid valve. The fuel injection valve 14 can adjust the injection start timing, injection end timing, injection period, and / or the number of injections. The fuel injection valve 14 is controlled to regulate the fuel supply in the internal combustion engine. The ignition device 15 provides ignition by electric sparks to the internal combustion engine. The ignition device 15 can adjust the ignition timing, ignition period, and / or the amount of ignition energy. The ignition device 15 is controlled to regulate ignition in the internal combustion engine. The warning light 16 warns the user of an abnormality (internal error) of the control device 5 by turning on, for example. The actuator group 4 is controlled by the control device 5.

When the power source 2 includes a battery and a motor, the sensor group 3 and the actuator group 4 include elements suitable for the power source 2. The sensor group 3 can include, for example, a plurality of temperature sensors for detecting the temperature of the battery and / or the motor, a current sensor for detecting the current flowing through the motor, and a voltage sensor for detecting the voltage of the battery. The actuator group 4 can include, for example, an inverter circuit that controls the electric power supplied to the electric motor.

The control device 5 includes a plurality of components as a general computer. These components can be placed in a single IC package. Instead, the plurality of components may be distributed in a plurality of IC packages. For example, a RAM (Random Access Memory) 7, a ROM (Read Only Memory) 8, and an EEPROM (Electrically Erasable and Program) described below are arranged in a single IC package having a CPU 6 as a processor core, which will be described later. You may. Instead of this, for example, the RAM 7 and the ROM 8 described later may be arranged in an IC package having the CPU 6 described later as a processor core, and the EEPROM 10 described later may be arranged in another IC package described later.

The control device 5 typically includes a CPU 6 as a processor, a RAM 7 as a volatile storage device, and a ROM 8 as a non-volatile storage device. The RAM 7 provides a temporary storage area for the CPU 6. The ROM 8 provides a program storage area for the CPU 6 and a numerical storage area. The ROM 8 is a flash ROM that can be repeatedly written and the stored contents are maintained even if the power supply is lost. ROM 8 is provided by EEPROM (Electrically Erasable and Programmable Read Only Memory). The ROM 8 provides a storage area for programs and numbers for the control system. Further, the storage area provided by the ROM 8 can be rewritten from the outside of the control device 5. The ROM 8 makes it possible to rewrite the storage area, for example, in the manufacturing process. The ROM 8 makes it possible to rewrite the storage area, for example, in the market. The ROM 8 makes it possible to rewrite the storage area from the external device 20 described later, for example.

The control device 5 has a bus circuit 9. The bus circuit 9 connects the sensor group 3, the actuator group 4, and the control device 5 to each other. From this point of view, the bus circuit 9 provides an I / O bus. The bus circuit 9 further connects the CPU 6, the RAM 7, and the ROM 8 to each other inside the control device 5. From this point of view, the bus circuit 9 provides a system bus. The bus circuit 9 can be directly connected to the outside of the control device 5. The bus circuit 9 interconnects the control device 5 and the external device 20 described later. The bus circuit 9 provides a direct connection between the ROM 8 and the external device 20. This direct connection enables so-called external rewriting, in which the stored data of the ROM 8 is rewritten from the outside of the control device 5. As a result, in this embodiment, the stored data in the ROM 8 can be rewritten without going through the CPU 6.

The control device 5 includes an EEPROM 10 as a non-volatile storage device. The storage area provided by the ROM 8 and the storage area provided by the EEPROM 10 are different storage areas from each other. The EEPROM 10 is not connected to the bus circuit 9. The EEPROM 10 is connected to the CPU 6 without going through the bus circuit 9. That is, the EEPROM 10 cannot directly rewrite the stored data of the EEPROM 10 from the outside of the control device 5.

The ROM 8 and the EEPROM 10 are provided as physically different storage areas. ROM 8 and EEPROM 10 are provided by, for example, two different IC packages. The ROM 8 and the EEPROM 10 may be provided by, for example, physically separated storage areas on one semiconductor chip. The ROM 8 and the EEPROM 10 may be provided by physically separated storage areas in one common IC package, for example.

The ROM 8 and the EEPROM 10 are provided as different storage areas with respect to the connection relationship with the bus circuit 9. The ROM 8 is directly connected to the bus circuit 9. The EEPROM 10 is indirectly connected to the bus circuit 9 via the CPU 6. The ROM 8 provides an externally rewritable storage area. The EEPROM 10 provides a storage area that cannot be rewritten externally. Note that this "impossible" does not mean that the external rewriting of the stored data of the EEPROM 10 is completely impossible. This means that it is impossible to rewrite the external connection form assumed in the control device 5. For example, it is unexpected to directly access the physical terminal of the EEPROM 10.

The device system 1 includes an external device (EXTL) 20 that can be attached to and detached from the control system. The external device 20 is a device capable of manipulating the contents of the ROM 8. The external device 20 is a device capable of operating the contents of the EEPROM 10 via the CPU 6. The external device 20 is provided by factory equipment at the manufacturing stage. The external device 20 is provided by a diagnostic system on the market. The diagnostic system is used to diagnose whether the device system 1 is sound or unhealthy. For example, the external device 20 acquires signals and / or data in the control system. The external device 20 provides the acquired signal and / or data for diagnosis. The external device 20 may output a diagnosis result by comparing the acquired signal and / or data with the normal signal and / or data inside the external device 20. Instead, the external device 20 may provide the acquired signal and / or data to the operator and / or the external diagnostic device.

When the external device 20 is a diagnostic system, the external device 20 has a diagnostic terminal device 21. The diagnostic terminal device 21 is installed in, for example, a service station. The diagnostic terminal device 21 is used by a worker who inspects or repairs the device system 1. The control device 5 and the diagnostic terminal device 21 can be connected by a wired connection device including the connector 22 and the cable 23. Instead of this, the control device 5 and the diagnostic terminal device 21 may be connected by a wireless connection device.

The diagnostic terminal device 21 has a terminal control device (CTRL) 24, an internal storage device (STRG) 25, a display (MNTR) 26, and an input device (MNSW) 27. The internal storage device 25 can be provided by ROM or RAM. The terminal control device 24 temporarily records the data stored in the EEPROM 10 in the internal storage device 25. The terminal control device 24 displays the data stored in the internal storage device 25 on the display 26. The input device 27 detects the operation of the operator and inputs the detection signal to the terminal control device 24. In this embodiment, the input device 27 detects an operation requesting history display and outputs this request to the terminal control device 24.

The control device 5 is also referred to as an electronic control device (ECU: Electronic Control Unit). The control device 5 is provided by (a) an algorithm as a plurality of logics called if-then-else form, or (b) a trained model tuned by machine learning, for example, an algorithm as a neural network.

The control device 5 includes at least one computer. The control device 5 may include a plurality of computers linked by a data communication device. A computer includes at least one processor (hardware processor) which is hardware. The hardware processor can be provided by (i), (ii), or (iii) below.

(I) The hardware processor may be at least one processor core that executes a program stored in at least one memory. In this case, the computer is provided by at least one memory and at least one processor core. The processor core is referred to as a CPU: Central Processing Unit, a GPU: Graphics Processing Unit, RISC-CPU, or the like. Memory is also called a storage medium. Memory is a non-transitional and substantive storage medium that stores "programs and / or data" that can be read by a processor non-temporarily. The storage medium is provided by a semiconductor memory, a magnetic disk, an optical disk, or the like. The program may be distributed by itself or as a storage medium in which the program is stored.

(Ii) The hardware processor may be a hardware logic circuit. In this case, the computer is provided by a digital circuit containing a large number of programmed logic units (gate circuits). The digital circuit is a logic circuit array, for example, ASIC: Application-Specific Integrated Circuit, FPGA: Field Programmable Gate Array, PGA: Programgable Gate Array, CPLD: Complex Program, etc. Digital circuits may include memory for storing programs and / or data. Computers may be provided by analog circuits. Computers may be provided by a combination of digital and analog circuits.

(Iii) The hardware processor may be a combination of the above (i) and the above (ii). (I) and (ii) are arranged on different chips or on a common chip. In these cases, the part (ii) is also referred to as an accelerator.

The control device, the signal source, and the controlled object provide various elements. At least some of those elements can be called blocks, modules, or sections. Moreover, the elements contained in the control system are called functional means only if they are intentional.

The controls and methods thereof described in this disclosure are realized by a dedicated computer provided by configuring a processor and memory programmed to perform one or more functions embodied by a computer program. May be done. Alternatively, the controls and methods thereof described in this disclosure may be implemented by a dedicated computer provided by configuring the processor with one or more dedicated hardware logic circuits. Alternatively, the controls and techniques described in this disclosure include a processor and memory programmed to perform one or more functions and a processor composed of one or more hardware logic circuits. It may be realized by one or more dedicated computers configured by a combination. Further, the computer program may be stored in a computer-readable non-transitional tangible recording medium as an instruction executed by the computer.

<Data to be stored>
The ROM 8 has a program area (PRGM) 31. The program area 31 stores a program for the control system. The program area 31 stores, for example, a fuel injection program and an ignition timing program. The ROM 8 has a numerical area (VLDT) 32. The numerical area 32 stores numerical values for the control system. The numerical region 32 stores, for example, a map that defines the fuel injection amount with respect to the load of the internal combustion engine and a map that defines the ignition timing with respect to the rotation speed of the internal combustion engine.

When the ROM 8 is externally rewritten, for example, the data in the rewrite area (REWR) 33, which is a part of the program area 31, is rewritten. When the ROM 8 is externally rewritten, for example, the data in the rewrite area (REWR) 34, which is a part of the numerical area 32, is rewritten.

The ROM 8 has an area for storing inspection data. The inspection data is used for error inspection of the stored data of the ROM 8 itself. If there is an error in the stored data of the ROM 8, it is treated as an error (internal error) of the control device 5. The "error checking" function can be implemented by hardware or software. The term "error checking" in this specification should be construed broadly. In the "error inspection", a calculated value is calculated from the "storage area to be inspected" by a predetermined calculation method. "Error inspection" compares the calculated value with the reference value and detects an error in the stored data. "Error checking" uses an "error detection code" to check for errors in stored data. In this embodiment, a checksum is used as the "error detection code". Vertical parity and / or horizontal parity may be used as the "error detection code". A hash function may be used as the "error detection code". As the "error detection code", a cryptographic hash function called MD5 (Message Digist Algorithm 5) or the like may be used. As the "error detection code", a cyclic redundancy check called CRC (Cyclic Redundancy Check) may be used.

The term "checksum" in this specification should be construed broadly. In this embodiment, the "checksum" is a method of calculating some bytes in the sum of the stored data of the "storage area to be inspected" as a calculated value. The "checksum" may be a method in which the remainder (surplus) obtained by dividing the sum of the above by a predetermined constant is used as the calculated value. The "checksum" may be a method in which the above sum is used as a calculated value. In this embodiment, the "storage area to be inspected" is all the storage areas of the ROM 8. The "storage area to be inspected" may be a part of the storage area in the ROM 8.

The ROM 8 stores two data as inspection data. The inspection data includes a checksum area 35 that stores a checksum value (SUM-CHK) as a reference value. The inspection data includes a sum adjustment value area 36 that stores a sum adjustment value (SUM-ADJ) as a difference value. The checksum value is a reference value as an initial value. The checksum value is, for example, the checksum value of all the data stored in the ROM 8 of the initial model. The thumb adjustment value corresponds to the difference between the calculated value and the reference value (thumb adjustment value = calculated value-reference value). Since the data stored as the sum adjustment value is also the target of the "checksum", the calculated value is changed. The thumb adjustment value is set so that a calculated value equal to the reference value is calculated.

The ROM 8 has a soft switch area (SFSW) 37. The soft switch area 37 stores a numerical value for switching the behavior of the control system. The soft switch area 37 has an internal error area 38 for storing an internal error switch value (INT-E / D). The internal error switch value contains information for setting whether to enable or disable the inspection of the control device 5 including the ROM 8. The internal error switch value includes a switch bit for performing the inspection itself of the controller 5 including the ROM 8, i.e., valid or invalid. Further, the internal error switch value includes a switch bit for selecting valid or invalid of the countermeasure processing when an abnormality (internal error) of the control device 5 including the ROM 8 is detected. Here, the term "valid or invalid of the test" includes a case where the execution of the test itself is permitted or hindered, and a case where the countermeasure process executed when the result of the test is abnormal is permitted or hindered.

The internal error area 38 sets the validity / invalidity of the ROM 8 inspection itself. 1/0 of the predetermined bit included in the internal error area 38 is associated with, for example, valid / invalid of the inspection itself. The internal error area 38 sets whether to enable / disable the countermeasure processing that can be used when an error is detected in the stored data of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with, for example, valid / invalidation of countermeasure processing. Countermeasure processing can be provided by "prohibition / permission of activation", "turning on / off of warning light", and / or "unlimited / limiting of functions of internal combustion engine". "Limited / unlimited functions of internal combustion engine" are, for example, "limited / unlimited fuel injection", "limited / unlimited ignition advance", "limited / unlimited rotation speed", "limited vehicle speed /". Provided by "Unlimited". In this embodiment, the internal error area 38 is set to turn on / off the warning light 16 when an error in the ROM 8 is detected.

The EEPROM 10 has a history area 41 for storing a plurality of history data LOGs (i = 0 to n). i indicates a number in a discrete system. i is an integer. For example, (i) indicates the current data, (i-1) indicates the previous data, and (i + 1) indicates the later data. n is the maximum value of the number of historical data. Here, n is set to be larger than the standard number of version upgrades in the market. The history area 41 stores a predetermined number of history data LOGs (i). The historical data LOG (i) may be stored by the first-in first-out method.

One historical data LOG (i) includes both historical data relating to the sum adjustment value region 36 and historical data relating to the internal error region 38. In the following description, the historical data relating to the thumb adjustment value region 36 is referred to as a thumb history LOG (i) ADJ. The history data regarding the internal error area 38 is called the switch history LOG (i) E / D.

The plurality of historical data LOGs (1) to LOGs (n) are sequentially and accumulated. When it is determined that either the sum adjustment value area 36 or the internal error area 38 has been changed, one historical data LOG (i) is accumulated and recorded. The determination involves two collations. One collation is performed by collating the thumb adjustment value SUM-ADJ in ROM 8 with the immediately preceding thumb history LOG (i-1) ADJ in EEPROM 10. One collation is performed by collating the internal error switch value INT-E / D in ROM 8 with the immediately preceding switch history LOG (i-1) E / D in EEPROM 10. The determination is executed when the power source 2 is activated or when the control device 5 is powered on and reset.

When the history area 41 stores a plurality of history data LOGs (i = 0 to n) as shown in the figure, the first history data LOG (0) is an initial value. In the historical data LOG (0), for example, both the factory-time sum adjustment value SUM-ADJ and the internal error switch value INT-E / D are recorded.

Regardless of whether it is legitimate or invalid, the thumb adjustment value area 36 or the internal error area 38 may be changed by external rewriting of the ROM 8. When the control device 5 detects the above change, the control device 5 accumulates the history data LOG (1) in the EEPROM 10. The cumulative storage process is repeated each time either the thumb adjustment value area 36 or the internal error area 38 is changed. By repeating this, history data LOGs (i = 1 to n) are added in order.

The diagnostic terminal device 21 displays the history data LOG (i = 0 to n) of the EEPROM 10 on the display 26. In the illustrated example, the same character string 42 as the history area 41 is displayed on the display 26.

<Initial setting process>
FIG. 2 shows an initial setting process 150 in the manufacturing stage of the control device 5. The initial setting process 150 includes a process of setting factory default data in the ROM 8. The illustrated initial setting process 150 includes a process of setting factory shipment data in the EEPROM 10. The initial setting process 150 is executed by the factory equipment as the external device 20.

In step 151, the external device 20 writes the factory-shipped data to the ROM 8. Factory shipping data are so-called initial values. In step 152, the external device 20 writes initial values in the program area 31 and the numerical value area 32. In step 153, the external device 20 writes initial values in the checksum area 35 and the sum adjustment value area 36. In step 154, the external device 20 writes an initial value in the internal error area 38.

In step 155, the external device 20 writes factory shipment data to the EEPROM 10 via the CPU 6. In step 156, the external device 20 writes the initial value in the EEPROM 10. The initial value includes both the sum history LOG (0) ADJ and the switch history LOG (0) E / D.

After the initial setting process 150, the control device 5 is combined with the power source 2 and the like, and is supplied to the market as the equipment system 1. The control device 5 provides a device for detecting external rewriting by executing a plurality of processes described later after being supplied to the market.

In this embodiment, step 155 is performed by the external device 20. Alternatively, step 155 may be performed by the control device 5 in step 186, which will be described later. In this case, all the historical data recorded in the EEPROM 10 is automatically accumulated.

<Rewriting process>
FIG. 3 shows the rewriting process 160. The rewriting process 160 is often performed after the control device 5 is shipped to the market. In rare cases, the rewriting process 160 may be performed in the factory before the control device 5 is shipped to the market. The rewriting process 160 is executed by a legitimate external device 20 or an unauthorized external device 20.

In step 161 the external device 20 writes a new rewrite value in the ROM 8. In step 162, the external device 20 writes new data in the program area 31 and the numerical value area 32. In step 163, the external device 20 writes new data in the sum adjustment value area 36. Here, the value of the checksum area 35 is not changed. As a result, even if the data in the rewriting areas 33 and 34 are rewritten, the abnormality in the ROM 8 is not detected by the checksum-based inspection. In the case of illegal rewriting, it can be said that the sum adjustment value area 36 is rewritten in order to deceive the check function based on the checksum. In step 164, the external device 20 writes new data in the internal error area 38. The internal error area 38 is rewritten to enable or disable inspection. One use of rewriting the internal error region 38 is to set execution or non-execution of the inspection itself. Another use of the rewriting of the internal error area 38 is to invalidate or disable the countermeasure processing generated by rewriting the rewriting areas 33 and 34.

<Inspection processing>
FIG. 4 shows the inspection process 170 of the ROM 8 executed by the control device 5. In step 171 the control device 5 determines whether or not the check timing of the ROM 8 has arrived. The check timing is, for example, when the power source 2 is activated, when the control device 5 is powered on and reset, and the like. If it is not the check timing (NO), the following processing is skipped. If it is the check timing (YES), the process proceeds to step 172.

Further, in step 171 the control device 5 determines whether or not the inspection process 170 itself is permitted by the internal error switch value INT-E / D. If the inspection process 170 itself is allowed by the internal error switch value INT-E / D (YES), the process proceeds to step 172. If the inspection process 170 itself is allowed by the internal error switch value INT-E / D (NO), the following process (step 172-177) is skipped.

In step 172, the control device 5 calculates a checksum for the ROM 8. The control device 5 calculates the calculated value SUMR from all the storage areas of the ROM 8 by the set checksum method. In step 173, the control device 5 reads the checksum value SUM-CHK as a reference value from the ROM 8.

In step 174, the control device 5 determines whether or not the calculated value SUMR is equal to the checksum value SUM-CHK. When the calculated value SUMR is equal to the checksum value SUM-CHK (YES), the inspection result of ROM 8 is normal. In this case, the process proceeds to step 175. When the calculated value SUMR is not equal to the checksum value SUM-CHK (NO), the inspection result of ROM 8 is abnormal (internal error). In this case, the process proceeds to step 176. Step 174 provides a checksum determination unit for determining whether the ROM 8 is normal or abnormal depending on whether or not the checksum value calculated from the stored data of the memory including the adjustment value is equal to the predetermined reference value.

In step 175, the control device 5 determines whether the program or numerical value is within the normal range. If the program or numerical value is in the normal range (YES), the test result of ROM 8 is normal. In this case, the following processing is skipped. If the program or numerical value is not in the normal range (NO), the inspection result of ROM 8 is abnormal (internal error). In this case, the process proceeds to step 176. Step 175 provides an internal error determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the program and / or the numerical value is in the normal range. The normal range is preset as a range in which the normal function of the equipment system 1 can be maintained. For example, the normal range defines the upper limit rotation speed of the internal combustion engine. For example, when the numerical region 32 exceeds the upper limit rotation speed, the determination in step 175 branches to NO.

In step 176, the control device 5 inspects the internal error switch value INT-E / D. If the predetermined countermeasure processing is permitted by the internal error switch value INT-E / D (YES), the process proceeds to step 177. If the predetermined countermeasure processing is not permitted by the internal error switch value INT-E / D (NO), the following processing is skipped. In this case, although an abnormality (internal error) in ROM 8 is detected, countermeasure processing is not executed. Step 176 provides an internal switch determination unit that determines whether the countermeasure processing is valid or invalid based on the switch value when an abnormality in the ROM 8 is determined by the checksum. Step 176 provides an internal switch determination unit that determines whether the countermeasure processing is valid or invalid based on the switch value when an abnormality in the ROM 8 is determined by the internal error determination unit.

In step 177, the control device 5 executes a preset countermeasure process. In this embodiment, the warning light 16 indicating that an abnormality (internal error) in the ROM 8 has been detected is turned on. As a result, the user can know the abnormality of the device system 1.

<History processing>
FIG. 5 shows a history process 180 executed by the control device 5. In step 181 the control device 5 determines whether or not the power source 2 is activated. In this embodiment, history processing is executed each time the power source 2 is activated. When the power source 2 is activated, the control device 5 is activated by a power-on reset. In this embodiment, each time the history recorder provided by the history processing 180 is activated, the determination by the first determination unit and the second determination unit, which will be described later, is executed. When the power source 2 includes an internal combustion engine, the process of step 181 is provided by a process of detecting that the ignition switch has been switched from OFF to ON. If the power source 2 is activated, the process proceeds to step 182. If the power source 2 is not activated, the following processing is skipped.

In step 182, the control device 5 reads the sum adjustment value SUM-ADJ and the internal error switch value INT-E / D from the ROM 8. In step 183, the control device 5 reads the current history data LOG (i) from the EEPROM 10. The current history data LOG (i) is the data finally stored in the history area 41. The history data LOG (i) includes a sum history LOG (i) ADJ and a switch history LOG (i) E / D.

In step 184, the control device 5 determines whether or not the sum adjustment value SUM-ADJ stored in the ROM 8 and the current sum history LOG (i) ADJ stored in the EEPROM 10 are equal to each other. If the sum adjustment value SUM-ADJ and the sum history LOG (i) ADJ are equal (YES), the process proceeds to step 185. If the sum adjustment value SUM-ADJ and the sum history LOG (i) ADJ are not equal (NO), the process proceeds to step 186. Step 184 provides a first determination unit for determining whether or not the adjustment value stored in the ROM 8 and the history adjustment value included in the latest history (LOG (i)) are equal to each other.

In step 185, the control device 5 determines whether or not the internal error switch value INT-E / D stored in the ROM 8 and the current history data LOG (i) E / D stored in the EEPROM 10 are equal to each other. judge. If the internal error switch value INT-E / D and the history data LOG (i) E / D are equal (YES), the process ends. If the internal error switch value INT-E / D and the history data LOG (i) E / D are not equal (NO), the process proceeds to step 186. Step 185 provides a second determination unit for determining whether or not the switch value stored in the ROM 8 and the history switch value included in the latest history (LOG (i)) are equal to each other.

As a result, if the control device 5 is negatively determined in either step 184 or step 185, the control device 5 executes step 186. The control device 5 does not perform step 186 if it is positively determined in both step 184 and step 185. In step 186, the control device 5 writes both the sum adjustment value SUM-ADJ stored in the ROM 8 and the internal error switch value INT-E / D to the EEPROM 10 as the latest history data LOG (i + 1). Step 186 provides a recording unit that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit 184 or the second determination unit 185.

<Output processing>
FIG. 6 shows an output process 190 executed by the control device 5 and the external device 20. In step 191 the external device 20 determines whether or not the control device 5 and the external device 20 are connected by the connector 22. If a communicable connection has not been established (NO), the following processing is skipped. If a communicable connection is established (YES), the process proceeds to step 192.

When the connection between the control device 5 and the external device 20 is established, the control device 5 and the external device 20 execute various diagnostic processes. The diagnostic process includes various processes for outputting the state of the device system 1. One of the diagnostic processes is a process of outputting the history data LOG (i = 0 to n) of the EEPROM 10.

In step 192, the external device 20 detects the requested operation by the user. The request operation is an operation for requesting the output of historical data. The request operation is input by the operation of the input device 27. If there is no request operation (NO), the following processing is skipped. If there is a request operation (YES), the process proceeds to step 193. In step 193, the external device 20 outputs the request signal RQ to the control device 5.

In step 194, the control device 5 determines whether or not there is a request signal RQ from the external device 20. If there is no request signal RQ (NO), the following processing is skipped. If there is a request signal RQ (YES), the process proceeds to step 195. In step 195, the control device 5 outputs all the history data LOGs (i = 0 to n) from the EEPROM 10 to the external device 20.

In step 196, the external device 20 receives the history data LOG (i = 0 to n) from the control device 5. The received history data is the history data stored in the EEPROM 10. The received history data is stored in the internal storage device 25 of the external device 20. In step 197, the external device 20 displays the history data LOG (i = 0 to n) stored in the internal storage device 25 on the display 26.

As a result of the output process 190, the worker is presented with both a legitimate external rewrite and an invalid external rewrite from the history data of the EEPROM 10. The worker can know the legitimate history data of the legitimate external rewriting. Legitimate history data is provided, for example, by the manufacturer. Alternatively, the legitimate history data is provided in response to a request from the worker to the manufacturer. The legitimate history data includes the sum adjustment value SUM-ADJ and the internal error switch value INT-E / D generated by the external rewrite for all the legitimate external rewrites. Therefore, the worker can know that there was an invalid external rewrite by comparing the history data of the EEPROM 10 with the legitimate history data.

The external device 20 may perform a self-diagnosis in step 197. In this case, the external device 20 stores the legitimate history data in the internal storage device 25 at least temporarily. The external device 20 determines whether or not all of the history data LOGs (i = 0 to n) acquired from the EEPROM 10 match the legitimate history data. If the history data LOG (i = 0 to n) acquired from the EEPROM 10 contains data that is not included in the legitimate history data, it is highly possible that the external rewriting is not legitimate. If the history data LOG (i = 0 to n) contains invalid history data, the external device 20 can be configured to issue a warning.

<Legal external rewriting>
When the ROM 8 is externally rewritten, the sum adjustment value SUM-ADJ is rewritten. As a legitimate external rewrite, for example, a version upgrade by the manufacturer can be assumed. In this case, the manufacturer not only rewrites the rewriting areas 33 and 34, but also rewrites the sum adjustment value area 36. As a result, it is possible to avoid the detection of an abnormality (internal error) caused by the inspection of the ROM 8 while maintaining the checksum value SUM-CHK which is the reference value. Since the manufacturer can avoid the internal error, the internal error area 38 is not rewritten. The manufacturer sets the internal error switch value INT-E / D so that the checksum inspection itself is performed. The manufacturer sets the internal error switch value INT-E / D so that a predetermined countermeasure process is executed when an abnormality in the ROM 8 is detected.

When either the sum adjustment value area 36 or the internal error area 38 is rewritten, the history data LOG (i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. As a result, legitimate rewriting is left as a history.

<Illegal external rewriting>
It can be assumed that the ROM 8 is rewritten by an illegal external rewriting. As an illegal external rewrite, for example, a modification act without the permission of the manufacturer can be assumed. In this case, the remodeler rewrites the rewriting areas 33 and 34. Further, the remodeler rewrites the sum adjustment value SUM-ADJ in order to deceive the checksum inspection. In other words, the modifier rewrites the sum adjustment value SUM-ADJ so that the determination result of the checksum check in step 174 branches to YES. In addition, a careful remodeler rewrites the internal error switch value INT-E / D in order to block the checksum inspection itself. A careful remodeler rewrites the internal error switch value INT-E / D so that the determination result branches to NO as to whether or not the countermeasure processing in step 176 is necessary.

In many cases, the modder rewrites the rewrite areas 33, 34 to make the vehicle behave more violently. In this case, an abnormality (internal error) may be detected in order to protect the equipment system 1. In other words, the determination result in the normal range in step 175 may branch to NO. Even in this case, since the careful remodeler rewrites the internal error switch value INT-E / D, the determination in step 176 branches to NO.

Therefore, even if it is an illegal external rewrite, if the thumb adjustment value SUM-ADJ and / or the internal error switch value INT-E / D is rewritten, the control device 5 cannot detect an abnormality (internal error). .. However, if either the sum adjustment value SUM-ADJ or the internal error switch value INT-E / D is rewritten, the history data LOG (i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. To. As a result, illegal rewriting is left as a history.

<Abnormality that is not external rewriting>
The data in ROM 8 may be inverted irregularly due to device instability, device life, or rare radiation. When an arbitrary bit of ROM 8 is inverted, an abnormality (internal error) is detected by inspection (checksum) of ROM 8. In this case, the control device 5 executes the countermeasure processing preset by the internal error switch value INT-E / D.

<Memory rewrite history recording device>
FIG. 7 is a block diagram of a memory rewrite history recording device. Each block is provided by a hardware resource of the control device 5 and a software resource for operating the hardware resource.

The memory M1 stores the program and / or the numerical value of the control device 5. The memory M1 is externally rewritable and non-volatile. The memory M1 is provided by the ROM 8.

The memory M1 is inspected by the inspector M2. The inspection device M2 inspects the stored data of the memory M1 and determines whether the memory M1 is normal or abnormal. The inspection device M2 executes "error inspection". The inspection device M2 is a checksum inspection device that inspects the stored data of the memory M1 by a checksum. The inspection device M2 determines whether the memory M1 is normal or abnormal based on whether the checksum value calculated from the stored data of the memory M1 including the adjustment value is equal to the predetermined reference value. To prepare for. The inspection device M2 includes internal switch determination units 171 and 176 that determine the validity or invalidity of the inspection of the memory M1 by the checksum based on the switch value. The inspection device M2 includes an internal switch determination unit 171 that determines whether or not to execute the inspection itself of the memory M1 by the checksum based on the switch value. The inspection device M2 includes an internal switch determination unit 176 that determines whether the countermeasure processing is valid or invalid based on the switch value when an abnormality in the memory M1 is determined by the checksum. The tester M2 includes an internal error determination unit 175 that determines whether the memory M1 is normal or abnormal depending on whether the program and / or the numerical value is within the normal range. The inspection device M2 includes an internal switch determination unit 176 that determines whether the countermeasure processing is valid or invalid based on the switch value when an abnormality in the memory M1 is determined by the internal error determination unit.

When an abnormality (internal error) is detected in the memory M1 by the inspection device M2, the inspection device M2 executes a countermeasure process.

The memory M1 has a sum adjustment value area 36 that stores an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device M2 from determining the abnormality. The memory M1 has an internal error area 38 for storing a switch value (INT-E / D) for setting the validity or invalidity of the inspection by the inspection device M2.

The first method of avoiding the countermeasure process is provided by deceiving the inspection by the inspection device M2. For the first method, the thumb adjustment value region 36 is used. When the thumb adjustment value area 36 is set to an appropriate adjustment value (sum adjustment value SUM-ADJ), the inspection device M2 does not detect an abnormality (internal error). In other words, the thumb adjustment value region 36 can be used to effectively function the inspection by the inspection device M2 while preventing the inspection from detecting an abnormality. Therefore, it can be said that the first method is a process of deceiving the inspection while operating the inspection device M2 normally.

A second method of avoiding the countermeasure process is provided by setting the validity or invalidity of the inspection itself by the inspection device M2. Here, the term "valid or invalid of the test" includes a case of hindering the execution of the test itself and a case of hindering the countermeasure processing executed when the result of the test is abnormal. The internal error area 38 is utilized for the second method. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E / D), the validity or invalidity of the inspection by the inspection device M2 is set.

One of the second methods is to inhibit the execution of the inspection by the inspection device M2 itself. In this case as well, the internal error area 38 is used. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E / D), the inspection device M2 does not execute the inspection itself.

One of the second methods is to prevent only the execution of the countermeasure process that is activated in response to the result of the inspection. In this case as well, the internal error area 38 is used. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E / D), the inspection device M2 does not execute countermeasure processing even if it detects an abnormality (internal error).

In this embodiment, in order to monitor both the first method and the second method, the history recorder M3 cumulatively records both the adjustment value and the switch value. As a result, the history contains both adjustment and switch values. This records that there was an external rewrite, whether legitimate or fraudulent. Since not only the adjustment value but also the switch value is recorded, both a legitimate external rewrite and an illegal external rewrite can be recorded as a history. As a result, a memory rewriting history recording device capable of efficiently discovering the rewriting action is provided.

The history recorder M3 records the history of external rewriting to the memory M1. The history recorder M3 includes other non-volatile memory different from the memory M1. Other memories are provided by EEPROM 10.

The history recorder M3 is configured to record both the adjustment value and the switch value as a history when the memory M1 is externally rewritten. In this case, the history recorder M3 includes a first determination unit 184 and a second determination unit 185. The first determination unit 184 determines whether or not the adjustment value stored in the memory M1 is equal to the history adjustment value included in the latest history (LOG (i)). The second determination unit 185 determines whether or not the switch value stored in the memory M1 is equal to the history switch value included in the latest history (LOG (i)). The history recorder M3 includes a recording unit 186 that records an adjustment value and a switch value as a history when a negative determination is made by either the first determination unit or the second determination unit. The history recorder M3 is configured to execute a determination by the first determination unit 184 and the second determination unit 185 each time the history recorder M3 is activated. Specifically, the activation is the turning on of the power switch of the control device 5.

The memory rewriting history recording device may include an output device M4. The output device M4 outputs the history data recorded in the history recorder M3. Since the history contains both adjustment values and switch values, those values indicate legitimate external rewrites and illegal external rewrites. The control device 5 can include a memory M1, an inspection device M2, and a history recorder M3. In one embodiment, the output device M4 is provided by an external device 20 that can be data communicably connected to the control device 5.

According to the embodiment described above, specific data that enables external rewriting is accumulated and output as historical data. Therefore, the history of external rewriting is provided. As a result, it is possible to provide a memory rewrite history recording device capable of efficiently discovering external rewrites.

The specific data that enables external rewriting includes the sum adjustment value SUM-ADJ for deceiving the so-called checksum inspection. Further, the specific data that enables external rewriting includes an internal error switch value INT-E / D for setting the validity / invalidity of the inspection. By including both of these two data, the accuracy of detecting external rewriting is improved.

Externally rewritable storage areas may be rewritten regardless of whether they are legitimate or invalid. In this case, it is conceivable to generate a unique hash code for the storage area and record it as a history. However, a large amount of memory is required to store the hash code. In addition, it is necessary to install a hardware hash code generator or a software hash code generator. On the other hand, the amount of data of the sum adjustment value SUM-ADJ in this embodiment is much smaller than the amount of data of the hash code. Therefore, according to this embodiment, it is possible to provide a memory rewrite history recording device capable of efficiently discovering rewriting of a storage area. Moreover, the checksum-based storage inspection function can be provided by small-scale hardware or software. Therefore, it is possible to provide a memory rewrite history recording device capable of discovering the rewriting of the storage area with a small-scale configuration.

Other Embodiments The disclosure in this specification, drawings and the like is not limited to the exemplified embodiments. Disclosures include exemplary embodiments and modifications by those skilled in the art based on them. For example, the disclosure is not limited to the parts and / or combinations of elements shown in the embodiments. Disclosure can be carried out in various combinations. The disclosure can have additional parts that can be added to the embodiment. Disclosures include those in which the parts and / or elements of the embodiment are omitted. Disclosures include the replacement or combination of parts and / or elements between one embodiment and another. The technical scope disclosed is not limited to the description of the embodiments. Some technical scopes disclosed are indicated by the claims description and should be understood to include all modifications within the meaning and scope equivalent to the claims description.

Disclosure in the description, drawings, etc. is not limited by the description of the scope of claims. The disclosure in the description, drawings, etc. includes the technical ideas described in the claims, and further covers a wider variety of technical ideas than the technical ideas described in the claims. Therefore, various technical ideas can be extracted from the disclosure of the description, drawings, etc. without being bound by the description of the scope of claims.

In the above embodiment, the history processing 180 and the history recorder M3 record the history in the EEPROM 10. Instead, the history processing 180 and the history recorder M3 may record the history on a server connected wirelessly so as to be communicable. Further, the external device 20 may be provided by a server connected so as to be able to communicate wirelessly. In this case, the external rewriting in the plurality of control devices 5 can be centrally monitored and managed by the server.

Claims (10)

A non-volatile memory (8, M1) that stores the program and / or numerical value of the control device (5), can be externally rewritten, and
An inspection device (6, M2) that inspects the stored data of the memory and determines whether the memory is normal or abnormal.
It is equipped with a history recorder (10, M3) that records the history of the external rewriting.
The memory is
An area (36) for storing an adjustment value (SUM-ADJ) rewritten so as to prevent the inspection device from determining an abnormality, and
It has an area (38) for storing a switch value (INT-E / D) for setting the validity or invalidity of the inspection by the inspection device.
The history is
A memory rewrite history recording device that includes both the adjustment value and the switch value. The memory rewriting history recording device according to claim 1, further comprising an output device (20, M4) for outputting the history recorded in the history recorder. The control device includes the memory, the inspection device, and the history recorder.
The memory rewriting history recording device according to claim 2, wherein the output device is provided by an external device (20) capable of connecting to the control device so as to be capable of data communication. The memory rewriting according to any one of claims 1 to 3, wherein the history recorder is configured to record both the adjustment value and the switch value as the history when the memory is externally rewritten. History recording device. The history recorder is
A first determination unit (184) for determining whether or not the adjustment value stored in the memory is equal to the history adjustment value included in the latest history (LOG (i)).
A second determination unit (185) for determining whether or not the switch value stored in the memory is equal to the history switch value included in the latest history (LOG (i)).
The fourth aspect of claim 4 is provided with a recording unit (186) for recording the adjustment value and the switch value as the history when a negative determination is made by either the first determination unit or the second determination unit. Memory rewrite history recording device. The memory rewriting history recording device according to claim 5, wherein the history recorder is configured to execute a determination by the first determination unit and the second determination unit each time the history recorder is activated. .. The memory rewriting history recording device according to any one of claims 1 to 6, wherein the inspection device is a checksum inspection device that inspects stored data in the memory by a checksum. The inspection device is
A checksum determination unit (174) that determines whether the memory is normal or abnormal based on whether the checksum value calculated from the stored data of the memory including the adjustment value is equal to a predetermined reference value.
The memory rewrite history recording device according to claim 7, further comprising an internal switch determination unit (171, 176) for determining validity or invalidity of inspection by the checksum determination unit based on the switch value. The inspection device is
An internal error determination unit (175) that determines whether the memory is normal or abnormal depending on whether the program and / or the numerical value is within the normal range.
Any one of claims 1 to 8 including an internal switch determination unit (176) that determines whether the countermeasure processing is valid or invalid based on the switch value when the memory abnormality is determined by the internal error determination unit. The memory rewrite history recording device described in. The memory rewriting history recording device according to any one of claims 1 to 9, wherein the history recorder includes another non-volatile memory (10) different from the memory.

Images