JP7177616B2 - CONTROL DEVICE, CONTROL METHOD AND OPERATING METHOD OF UPDATE DATA CONTROL DEVICE - Google Patents

Description

The disclosed embodiments relate to control devices and security management methods.

2. Description of the Related Art Conventionally, an ECU (Electronic Control Unit), which is a control device mounted on a vehicle and electronically controlling various systems of the vehicle such as an engine, a transmission, and a car navigation system, is known. In such an ECU, for example, a microcomputer (hereinafter referred to as "microcomputer") reads out and executes a control program stored in advance in the ECU, thereby executing various functions assigned to each ECU.

It should be noted that the control program for such an ECU may need to be updated (reprogrammed) when a function is added or when a defect is found after the fact. Therefore, in recent years, update data is acquired from a management center via wireless communication, and the update data is distributed to each ECU via a CAN (Controller Area Network) or the like to execute reprogramming of each ECU. Techniques have been proposed (see Patent Document 1, for example). Further, in vehicles, not only the update data described above but also various data are obtained from a center via wireless communication.

JP 2012-178035 A

However, the conventional techniques described above have room for further improvement in terms of preventing data leakage and abuse.

For example, in the conventional technology described above, there is a control device that acquires update data from a management center and distributes it to each ECU. , there are concerns about data leakage and misuse if taken out.

One aspect of the embodiments has been made in view of the above, and an object thereof is to provide a control device and a security management method capable of preventing leakage and abuse of data.

A control device according to an aspect of an embodiment includes a storage unit and a control unit . The control unit acquires from the outside distribution data to be distributed to another device connected to the own device and stores it in the storage unit, and when the own device is removed from the other device or the vehicle, the data stored in the storage delete the distribution data held in the unit; Further, when the self-device is removed from the other device or the vehicle and the distribution data is held in the storage unit, the control unit controls, before the power of the self-device is turned off due to the removal, History information indicating that the removal has been performed is recorded in the storage unit.

According to one aspect of the embodiments, it is possible to prevent data leakage and abuse.

FIG. 1A is a schematic explanatory diagram of an in-vehicle system according to an embodiment. FIG. 1B is an image diagram of data outflow. FIG. 1C is a schematic explanatory diagram of a security management method according to the embodiment. FIG. 2 is a block diagram of an in-vehicle system according to the embodiment. FIG. 3A is a diagram (part 1) showing a specific example of removal history. FIG. 3B is a diagram (part 2) showing a specific example of the removal history. FIG. 4 is a flow chart showing a processing procedure executed by the repro control device according to the embodiment. FIG. 5 is a flow chart showing a modification of the processing procedure executed by the repro control device according to the embodiment.

Hereinafter, embodiments of an update control device and a security management method disclosed in the present application will be described in detail with reference to the accompanying drawings. In addition, this invention is not limited by embodiment shown below.

Also, hereinafter, the term "reprogramming" may be abbreviated as "repro". 1A to 1C, an outline of the security management method according to the present embodiment will be described below, and then a repro control device 10 (corresponding to an example of a “control device”) to which the security management method is applied will be described. A specific configuration example of the in-vehicle system 1 including the above will be described with reference to FIGS. 2 to 5. FIG.

First, an outline of a security management method according to this embodiment will be described with reference to FIGS. 1A to 1C. FIG. 1A is a schematic explanatory diagram of an in-vehicle system 1 according to this embodiment. FIG. 1B is an image diagram of data leakage. Also, FIG. 1C is a schematic explanatory diagram of the security management method according to the present embodiment.

As shown in FIG. 1A, vehicle C includes an in-vehicle system 1 . The in-vehicle system 1 includes a plurality of ECUs 20-1 to 20-n. The ECUs 20-1 to 20-n are connected by an in-vehicle network CN such as CAN so as to be able to communicate with each other, and electronically control various systems such as an engine, a transmission, and a car navigation system by executing respective control programs.

The in-vehicle system 1 also includes a repro control device 10 . The reprogramming control device 10 is a control device for controlling reprogramming of the ECUs 20-1 to 20-n. are connected so as to be able to communicate with each other.

Also, the repro control device 10 is provided so as to be able to wirelessly communicate with the center server 100 of the data center via the communication network N. As shown in FIG. Communication network N is, for example, a mobile phone network.

The data center is a management center that manages data relating to various programs operated by the ECUs 20-1 to 20-n, and is operated by the manufacturer of the vehicle C, for example. The center server 100 is managed and operated by such a data center, and when there is update data corresponding to at least one of the ECUs 20-1 to 20-n, downloads the update data to the repro control device 10. .

The reprocessing control device 10 acquires the update data downloaded from the center server 100, and stores it as the reprocessing-related data 13a in the storage unit 13 (see FIG. 2) not shown. The reprogramming related data 13a includes, in addition to program data for update, an encryption key required for reprogramming, such as restoring encrypted program data sent.

Then, the reprogramming control device 10 distributes update data to the ECUs 20-1 to 20-n to be reprogrammed based on the held reprogramming-related data 13a, and executes reprogramming. After execution of reprogramming, the reprogramming control device 10 erases the repro-related data 13a.

By the way, in addition to the reprogramming method using such wireless communication, there is also a reprogramming method in which a reprogramming tool dedicated to reprogramming is connected to the vehicle C by wire, and update data is installed via the tool. In the case of such a method, the person who performed the reprogramming work is often a person involved in the development and maintenance of vehicle C, such as a person in charge of the manufacturer of vehicle C, a dealer mechanic, etc. Therefore, data leakage and There are few concerns about misuse.

However, in the case of the reprogramming method using wireless communication, the user of the vehicle C, who does not have a repro tool, or even a third party can perform the reprogramming. For this reason, as shown in FIG. 1B, for example, an unauthorized person M with malicious intent removes the reprocessing control device 10 in which the reprocessing related data 13a is held, and attaches it to another vehicle C' or the analysis device P. , data is leaked and misused.

It should be noted that even if there is no malicious intent, it is conceivable that a general user, for example, accidentally removes the repro control device 10 holding the repro-related data 13a. It is necessary to take security measures against such situations.

Therefore, in the security management method according to the present embodiment, the repro control device 10 monitors the mounting state of its own device, and when removal of its own device is detected by such monitoring, records the history information and 100 and erases the repro-related data 13a held in the storage unit 13.

Specifically, as shown in FIG. 1C, in the security management method according to the present embodiment, the repro control device 10 monitors the mounting state of its own device during normal operation (step S1). In step S1, the repro control device 10 monitors, for example, the voltage state of a battery 50 (not shown) (see FIG. 2) that supplies power to itself and the communication state of the in-vehicle network CN.

Then, when the repro control device 10 detects, for example, a rapid voltage drop or communication interruption through such monitoring, it detects removal of its own device (step S2). When the removal of the own device is detected, if the repro-related data 13a is held, the repro control device 10 records history information regarding the removal (step S3).

Further, the reprocessing control device 10 notifies the history information to, for example, the center server 100 of the data center via the communication network N (step S4). On the other hand, the repro control device 10 erases the held repro-related data 13a (step S5).

The repro control device 10 is provided with an auxiliary power supply 15 (see FIG. 2), not shown, which is capable of preparatory power supply even if the power supply from the battery 50 is interrupted. Steps S2-S5 can be performed depending on the power supply.

Specifically, if the capacity of the auxiliary power supply 15 is small, the repro control device 10 executes steps S2 and S3 and once ends the process. Then, the repro control device 10 executes steps S4 and S5 when it is remounted somewhere (vehicle C', analysis device P, etc.) and normal power is supplied.

On the other hand, if the auxiliary power supply 15 has sufficient capacity, the reprocessing control device 10 may continuously execute steps S2 to S5 and terminate the process. In this way, even when steps S2 to S5 are executed continuously, and even when steps S2 to S5 are executed separately at the end/startup of the device as described above, for example, the unauthorized person M 10 is activated, the repro-related data 13a will be erased, so that data leakage and abuse can be prevented.

It should be noted that only the storage section 13 in which the repro-related data 13a is stored is removed from the repro-related control device 10 before the next startup after the repro-control device 10 is removed (during data erasing of the repro-related data 13a). Therefore, it is better from a security point of view to erase the repro-related data 13a when removal of the repro control device 10 is detected.

Alternatively, only the above-described encryption key may be deleted when removal of the repro control device 10 is detected. Since the update program data is stored in an encrypted state, it is impossible to restore the data without the encryption key. effective from the point of view. If only the encryption key is erased, even if the removal was not malicious, only the encryption key can be reacquired from the center server 100 after normal reconnection.

Note that specific processing procedures in the cases where steps S2 to S5 are executed separately at the end/startup of the device and in the cases where they are executed continuously will be described later with reference to FIGS. 4 and 5. FIG.

In addition, by notifying the center server 100 of the history information in step S4, it becomes possible to analyze the history information at the data center, which can contribute to identifying the fraudulent person M, for example.

Hereinafter, the in-vehicle system 1 including the repro control device 10 to which the security management method described above is applied will be described more specifically.

FIG. 2 is a block diagram of the in-vehicle system 1 according to this embodiment. It should be noted that FIG. 2 shows only the constituent elements necessary for explaining the features of this embodiment, and omits the description of general constituent elements.

In other words, each component illustrated in FIG. 2 is functionally conceptual and does not necessarily need to be physically configured as illustrated. For example, the specific form of distribution/integration of each block is not limited to the one shown in the figure. It is possible to integrate and configure.

Also, with regard to the components that have already been explained, the explanation using FIG. 2 may be simplified or omitted.

As shown in FIG. 2 , vehicle C includes an in-vehicle system 1 . The in-vehicle system 1 includes a repro control device 10, ECUs 20-1 to 20-n, an OBD connector 30, a gateway device 40, and a battery 50.

The OBD connector 30 is a connection interface for a so-called self-diagnostic function of the vehicle C, conforming to standards such as OBD2 (On Board Diagnosis second generation). The repro control device 10 is connected to the vehicle-mounted network CN via the OBD connector 30 . The gateway device 40 provides a gateway function in the in-vehicle network CN.

The battery 50 is the main power supply mounted on the vehicle C. As shown in FIG. The repro control device 10 receives power from such a battery 50 via the OBD connector 30 .

The repro control device 10 includes a communication section 11 , a GPS (Global Positioning System) sensor 12 , a storage section 13 , a control section 14 and an auxiliary power supply 15 . Although FIG. 2 illustrates a configuration in which the auxiliary power supply 15 is attached to the outside of the reprocessing control device 10, the auxiliary power supply 15 is installed in order to reliably supply power even if the reprocessing control device 10 is removed. may be mounted inside the repro control device 10 .

The communication unit 11 is implemented by, for example, a NIC (Network Interface Card) conforming to the wireless communication standard defined by the International Telecommunications Union. The communication unit 11 is wirelessly connected to the communication network N, and transmits and receives information to and from the center server 100 via the communication network N.

The GPS sensor 12 detects the current position of the vehicle C based on radio waves received from GPS satellites.

The storage unit 13 is a rewritable non-volatile memory, and is implemented by, for example, a semiconductor memory device such as a flash memory, or a storage device such as a hard disk or an optical disk. Related data 13a and removal history 13b are stored.

The repro-related data 13a is data for update from the center server 100, which is acquired by an acquisition unit 14a, which will be described later. As already described, the reprogramming related data 13a includes various information related to reprogramming, such as encryption keys necessary for reprogramming, in addition to program data for updating.

The removal history 13b is an example of the history information described above, and is recorded by the monitoring unit 14c when the removal of the own device is detected by the monitoring unit 14c, which will be described later.

Here, a specific example of the removal history 13b will be described. FIG. 3A is a diagram (part 1) showing a specific example of the removal history 13b. FIG. 3B is a diagram (part 2) showing a specific example of the removal history 13b.

As shown in FIG. 3A, the removal history 13b includes at least "removal time" and "current position at the time of removal", for example. The “current position at the time of removal” is based on the detection result of the GPS sensor 12 . Moreover, although not shown, various identification information such as the MAC (Media Access Control) address of the repro control device 10, the chassis number of the vehicle C, and the user's specific information may be included.

Further, as shown in FIG. 3A, the removal history 13b may further include "current position at reattachment". The “remounting current position” is the current position when the repro control device 10 is remounted somewhere and restarted, and is based on the detection result of the GPS sensor 12 .

The removal history 13b is notified to the center server 100 including the "current position at the time of reattachment", thereby contributing to identifying the unauthorized person M, for example.

Returning to the description of FIG. 2, the control unit 14 will be described. The control unit 14 is a controller, and for example, various programs (not shown) stored in the storage unit 13 are executed by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), a microcomputer, or the like. It is implemented by executing RAM (Random Access Memory) as a work area. Also, the control unit 14 can be implemented by an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).

As shown in FIG. 2, the control unit 14 includes an acquisition unit 14a, an update processing unit 14b, a monitoring unit 14c, and a security processing unit 14d, and implements or implements the information processing functions and actions described below. Run.

The acquisition unit 14 a acquires update data from the center server 100 via the communication unit 11 . Further, the acquiring unit 14a causes the storage unit 13 to hold the acquired update data as the repro-related data 13a.

The update processing unit 14b executes update processing for reprogramming the ECUs 20-1 to 20-n based on the reprogramming related data 13a. Further, the update processing unit 14b erases the reprogramming related data 13a after the reprogramming of the ECUs 20-1 to 20-n is normally performed.

The monitoring unit 14c monitors the mounting state of its own device, that is, the repro control device 10, to the OBD connector 30. FIG. In addition, the monitoring unit 14c detects removal of its own device when, for example, a sudden drop in the voltage of the battery 50 or a communication interruption is detected in such monitoring.

Even in a configuration in which power is supplied from the battery 50 to the repro control device 10 without going through the OBD connector 30, monitoring the battery voltage of the battery 50 allows the removal of the repro control device 10 from the vehicle C. (removal of the battery line) can be detected. It is desirable to detect the attachment and detachment of the repro control device 10 by detecting the attachment and detachment of the OBD connector 30. However, as described above, the configuration may be such that the removal of the battery line is simply detected.

FIG. 2 illustrates a case where the monitoring unit 14c is operated by the control unit 14 configured by a CPU or the like. You may In such a case, for example, even when the IG switch is turned off and the control unit 14 shifts to a power-off state or sleep mode, the monitoring unit 14c can be configured to operate and detect removal. In this case, when the monitoring unit 14c detects the removal, the control unit 14 is activated.

Further, when the monitoring unit 14c detects the removal of the own device, if the repro-related data 13a is held in the storage unit 13, the monitoring unit 14c records the removal history 13b before terminating the own device by the removal.

In addition, the monitoring unit 14c includes at least the current time (see "removal time" in FIGS. 3A and 3B) and the current position (see "current position at time of removal" in FIGS. 3A and 3B) when the removal is detected. record the removal history 13b.

The security processing unit 14d erases the repro-related data 13a held in the storage unit 13 when the monitoring unit 14c detects the removal of the own device. Note that the security processing unit 14d erases the repro-related data 13a, for example, when the own device is remounted somewhere after removal and activated.

Further, when the removal history 13b is recorded in the storage unit 13, the security processing unit 14d notifies the center server 100 of the removal history 13b via the communication unit 11. FIG. Further, the security processing unit 14d deletes the repro-related data 13a when the removal history 13b is recorded in the storage unit 13. FIG.

Next, a processing procedure executed by the repro control device 10 according to the embodiment will be described with reference to FIG. FIG. 4 is a flowchart showing a processing procedure executed by the repro control device 10 according to the embodiment. Note that FIG. 4 shows a processing procedure in which steps S2 to S5 described in FIG. 1C are performed separately across the termination/startup of the apparatus. That is, this is the case when the auxiliary power supply 15 has a small capacity.

First, as a premise, it is assumed that the repro control device 10 is normally attached to the OBD connector 30 and is in normal operation. In this case, as shown in FIG. 4, the monitoring unit 14c monitors the wearing state of its own device (step S101). If the monitoring unit 14c does not detect removal (step S102, No), the process from step S101 is repeated.

On the other hand, when removal is detected (step S102, Yes), the monitoring unit 14c records the removal history 13b if there is repro-related data 13a in the storage unit 13 (step S103, Yes) (step S104).

If there is no repro-related data 13a in the storage unit 13 (step S103, No), the process proceeds to step S105.

Then, the monitoring unit 14c executes termination processing for terminating the repro control device 10 (step S105). It should be noted that subsequent steps S106 and S107 are not performed by the repro control device 10, so they are indicated by dashed lines for the sake of convenience.

First, the removed repro control device 10 is remounted somewhere (step S106). After that, power supply to the repro control device 10 is started (step S107).

When the power supply is started, the repro control device 10 starts start-up processing (step S108). During the activation process, the security processing unit 14d determines whether or not there is a removal history 13b in the storage unit 13 (step S109).

Here, if there is a removal history 13b (step S109, Yes), the security processing unit 14d notifies the contents of the removal history 13b to the center server 100 (step S110). After that, the security processing unit 14d erases the repro-related data 13a held in the storage unit 13 (step S111).

On the other hand, if there is no removal history 13b (step S109, No), the process proceeds to step S112. Note that even if there is no removal history 13b, the process of deleting the repro-related data 13a in step S111 may be executed just in case.

Then, the repro control device 10 starts normal operation after the activation process ends (step S112). Although not shown, if there is a removal history 13b in step S109, end processing may be executed instead of shifting to normal operation in step S112. That is, when there is a possibility that the repro control device 10 has been remounted by an unauthorized person M, the repro control device 10 does not need to operate normally.

Next, a modification of the processing procedure executed by the repro control device 10 according to the embodiment will be described with reference to FIG. FIG. 5 is a flow chart showing a modification of the processing procedure executed by the repro control device 10 according to the embodiment. Note that FIG. 5 shows a processing procedure for continuously executing steps S2 to S5 described in FIG. 1C.

As in the case of FIG. 4, it is assumed that the repro control device 10 is normally attached to the OBD connector 30 and is in normal operation. In this case, as shown in FIG. 5, the monitoring unit 14c monitors the mounting state of its own device (step S201). If the monitoring unit 14c does not detect removal (step S202, No), the process from step S201 is repeated.

On the other hand, when removal is detected (step S202, Yes), the monitoring unit 14c records the removal history 13b if there is repro-related data 13a in the storage unit 13 (step S203, Yes) (step S204).

The security processing unit 14d notifies the center server 100 of the content of the removal history 13b (step S205). Then, the security processing unit 14d erases the repro-related data 13a held in the storage unit 13 (step S206).

If there is no repro-related data 13a in the storage unit 13 (step S203, No), the process proceeds to step S207.

Then, the monitoring unit 14c executes termination processing for terminating the repro control device 10 (step S207), and terminates the processing.

As described above, the repro control device 10 according to this embodiment includes the acquisition unit 14a, the monitoring unit 14c, and the security processing unit 14d. The acquiring unit 14a acquires the reprogramming related data 13a (equivalent to an example of "delivery data") to the ECUs 20-1 to 20-n (equivalent to an example of "another device") connected to the own device to the center server 100 (equivalent to " (equivalent to an example of “external”) and stored in the storage unit 13 . The monitoring unit 14c monitors the mounting state of the own device to the ECUs 20-1 to 20-n or the OBD connector 30 (corresponding to an example of "vehicle"). The security processing unit 14d erases the repro-related data 13a held in the storage unit 13 when the monitoring unit 14c detects the removal of the own device.

Therefore, according to the repro control device 10 according to the present embodiment, it is possible to prevent leakage and abuse of data.

In addition, the security processing unit 14d erases the repro-related data 13a when the self-device is activated after the removal is detected.

Therefore, according to the reprocessing control device 10 of the present embodiment, since the reprocessing related data 13a is erased while the power is normally supplied, it is possible that the power is cut off in the middle and the erasing of the reprocessing related data 13a becomes incomplete. There is no That is, it is possible to prevent data leakage and abuse.

If the repro-related data 13a is held in the storage unit 13 when the removal is detected, the monitoring unit 14c detects that the removal is performed before the device itself is powered off due to the removal. A removal history 13 b (corresponding to an example of “history information”) indicating that the device has been removed is recorded in the storage unit 13 .

Therefore, according to the repro control device 10 according to the present embodiment, even if the capacity of the auxiliary power supply 15 is small, at least the removal history 13b can be left.

The security processing unit 14d also notifies the center server 100 of the removal history 13b.

Therefore, according to the repro control device 10 according to the present embodiment, the analysis in the center server 100 can contribute to identifying the fraudulent person M, for example.

Further, the security processing unit 14d deletes the repro-related data 13a when the removal history 13b indicating that the removal has been performed is recorded in the storage unit 13. FIG.

Therefore, according to the reprocessing control device 10 according to the present embodiment, if there is a removal history 13b indicating that the self-device has been removed and there is concern about data leakage or misuse, at least the reprocessing-related data 13a can be deleted. , data leakage and misuse can be prevented.

In addition, the monitoring unit 14c records the removal history 13b so as to include at least the current time and current position regarding removal.

Therefore, according to the repro control device 10 according to the present embodiment, the analysis in the center server 100 can contribute to identifying the fraudulent person M, for example.

Further, the repro-related data 13a is data relating to the update of the control program of the device mounted on the vehicle C. FIG.

Therefore, according to the repro control device 10 according to the present embodiment, it is possible to prevent leakage and abuse of data relating to updating of the control program of the device mounted on the vehicle C.

In the above-described embodiment, for example, the removal is performed by an unauthorized person M, but there are cases in which a user or a mechanic removes the cover properly for inspection or the like.

In such a case, if there is reprogramming-related data 13a that has already been downloaded and it is deleted, it will be necessary to download the reprogramming-related data 13a again, which may increase communication costs.

Therefore, when performing such regular removal, for example, an input of a personal identification number or the like for shifting to the maintenance mode may be received, and authentication processing may be performed based on this input. Then, if it is properly authenticated, even if the removal is performed, the removal history 13b, the notification to the center server 100, and the deletion of the repro-related data 13a may not be performed.

In the above-described embodiment, the reprogramming control device 10 is installed in the in-vehicle system 1, is connected to the ECUs 20-1 to 20-n, distributes update data to them, and executes reprogramming. However, the application of the repro control device 10 is not limited.

In other words, the reprogramming control device 10 can be installed in not only the in-vehicle system 1 but also various other systems as long as it includes various devices to be reprogrammed corresponding to the ECUs 20-1 to 20-n. be.

Also, the above-described "mounted state" may be read as "connected state".

Further effects and modifications can be easily derived by those skilled in the art. Therefore, the broader aspects of the invention are not limited to the specific details and representative embodiments so shown and described. Accordingly, various changes may be made without departing from the spirit or scope of the general inventive concept defined by the appended claims and equivalents thereof.

1 In-vehicle system 10 Repro control device 13 Storage unit 13a Repro-related data 13b Removal history 14a Acquisition unit 14c Monitoring unit 14d Security processing unit 15 Auxiliary power supply 20 ECU
30 OBD connector 50 battery 100 center server C vehicle

Claims (9)

a storage unit;
Acquiring distribution data to another device connected to the own device from the outside and storing it in the storage unit, and storing the data in the storage unit when the own device is removed from the other device or the vehicle a control unit for erasing the distribution data ,
The control unit
When the own device is removed from the other device or the vehicle and the distribution data is held in the storage unit, the removal is performed before the power of the own device is turned off due to the removal. record history information indicating to the storage unit
controller . The control unit
Erasing the distribution data when the own device is activated after the removal is performed
A control device according to claim 1 . The control unit
erasing the distribution data when the history information indicating that the removal has been performed is recorded in the storage unit;
A control device according to claim 1 . The control unit
Record the history information to include at least the current time and current location of the removal
A control device according to any one of claims 1 to 3. The distribution data is data relating to the update of the control program of the device mounted on the vehicle.
A control device according to any one of claims 1 to 4 . a storage unit;
Data distributed to another device connected to the own device is acquired from the outside and stored in the storage unit, and when the own device is removed from the other device or the vehicle, the data stored in the storage unit a control unit for erasing distribution data;
with
The distribution data is data relating to the update of the control program of the device mounted on the vehicle.
Control device. Acquiring distribution data to another device connected to the own device from the outside, storing it in a storage unit of the own device, and storing it in the storage unit when the own device is removed from the other device or the vehicle A control method in which the control unit of the own device performs control to erase the distribution data that has been received,
When the own device is removed from the other device or the vehicle and the distribution data is held in the storage unit, the removal is performed before the power of the own device is turned off due to the removal. record history information indicating to the storage unit
control method. Acquisition of data to be distributed to another device connected to the own device from the outside, holding it in a storage unit of the own device, and holding it in the storage unit when the own device is removed from the other device or a vehicle A control method in which the control unit of the own device performs control to erase the distribution data that has been received,
The distribution data is data relating to updating of a control program of a device mounted on a vehicle.
control method. An update data control device that acquires update data for a control program from outside the vehicle via wireless communication, stores the update data in a memory, and supplies the update data to an in-vehicle electronic control device that operates according to the control program,
In response to the detection of removal of the device from the vehicle, history information indicating that the device has been removed is recorded in the memory before the power of the device is turned off.
A method of operating an update data controller.

Images