WO2011062044A1 - Method for disabling execution of a program, method for storing a program, and airbag control device - Google Patents

Method for disabling execution of a program, method for storing a program, and airbag control device

Info

Publication number
WO2011062044A1
Authority
WO
WIPO (PCT)
Prior art keywords
machine language
program
language program
execution
code
Prior art date
Application number
PCT/JP2010/069261
Other languages
English (en)
Japanese (ja)
Inventor
哲郎 寺西
Original Assignee
オートリブ ディベロップメント エービー
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by オートリブ ディベロップメント エービー filed Critical オートリブ ディベロップメント エービー
Priority to JP2011541867A priority Critical patent/JP5468086B2/ja
Priority to CN201080052705.8A priority patent/CN102666211B/zh
Publication of WO2011062044A1 publication Critical patent/WO2011062044A1/fr

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R21/00: Arrangements or fittings on vehicles for protecting or preventing injuries to occupants or pedestrians in case of accidents or other traffic risks
    • B60R21/01: Electrical circuits for triggering passive safety arrangements, e.g. airbags, safety belt tighteners, in case of vehicle accidents or impending vehicle accidents

Definitions

  • The present invention relates to a program execution disabling method for converting a machine language program, which causes a computer to execute a process of forcibly deploying an airbag when the airbag is discarded, into an inexecutable state; a program storage method that converts the machine language program into an inexecutable state and stores it in a storage unit; and an airbag control device that stores a machine language program in an inexecutable state.
  • When a vehicle equipped with an airbag is to be discarded, the airbag must be forcibly deployed in advance to prevent accidental explosion of the airbag; after the airbag is forcibly deployed, the vehicle is discarded together with the inflator and the like.
  • The storage unit of the airbag control apparatus is required to store the disposal processing execution code as non-executable code, so that the airbag does not explode during non-disposal processing under any circumstances.
  • The non-executable code is stored in the ROM (Read Only Memory) of the airbag control device, and must be restored into the RAM (Random Access Memory) and executed as executable code only under a specific condition, that is, when a series of procedures is confirmed with the disposal tool.
  • A method using an illegal instruction or undefined instruction of a CPU (Central Processing Unit) can be considered. Specifically, after the execution code is generated in machine language, part of each instruction is stored separately, so that the execution code cannot be executed in a normal processing procedure. That is, a process of converting each instruction of the execution code into an illegal instruction or an undefined instruction of the CPU is performed.
  • FIGS. 16A and 16B are explanatory diagrams conceptually showing a conventional non-executable coding and non-executable code restoration method.
  • FIG. 16A is an explanatory diagram conceptually showing a process of converting an executable code into a non-executable code by partially storing it separately.
  • a rectangular bar composed of four hatched cells represents execution code.
  • One grid corresponds to 1 byte length, and the execution code shown in FIG. 16A is 4 bytes long.
  • the execution code is converted into a non-execution code by separating the first byte (left side in the figure) of the execution code.
  • Open squares indicate data portions separated from the execution code. The data portion is arbitrary data that can make the execution code undefined or illegal.
  • the data portion is 1-byte length data of “0000000”.
  • the separated 1-byte data at the head is stored in the ROM together with the non-executable code as mask data for restoring the non-executable code.
  • FIG. 16B is an explanatory diagram conceptually showing a process of restoring the separated non-executable code.
  • The non-executable code stored in the ROM holds the trailing 3 bytes of the executable code, and the mask data holds the first 1 byte of the executable code, so the executable code can be restored using them.
  • The present invention has been made in view of such circumstances. Its object is to provide a program execution disabling method, a program storage method, and an airbag control device storing a non-executable machine language program, in which a part of the instruction codes included in the source program of a machine language program for causing a computer to execute a process of forcibly deploying an airbag is replaced with another instruction code, or a part of the reference memory address included in the source program is replaced with another reference memory address, and the result is compiled into a non-executable code. With this approach it is not necessary to generate a non-executable machine language program after generating a machine language program that can forcibly deploy the airbag, and even if the non-executable machine language program is executed prior to execution coding, all operations are grasped and guaranteed.
  • the program execution disabling method is a program execution for converting a machine language program for causing a computer to execute a process for forcibly deploying an air bag to an inexecutable state when the air bag is discarded.
  • a part of the instruction code included in the source program of the machine language program is replaced with another instruction code, or a part of the reference memory address included in the source program is replaced with another reference memory address.
  • a step of converting the source program into a non-executable machine language program a step of compiling a source program incapable of deploying an air bag into a non-executable machine language program, and the non-executable machine language
  • A part of the instruction code included in the source program of the machine language program for causing the computer to execute the process of forcibly deploying the airbag is replaced with another instruction code, or a part of the reference memory address included in the source program is replaced with another reference memory address, thereby converting the source program into a source program incapable of deploying an airbag.
  • Other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed.
  • the instruction code of the logical sum operation is replaced with the instruction code of the exclusive logical sum.
  • the reference address is an effective address where a reference destination exists.
  • the reference address is a broad address including all addresses necessary for reading and writing data.
  • The reference addresses include addresses of a RAM, a CPU cache memory, registers, a data input/output memory, and other storage devices. Then, the replaced source program is compiled to create an inexecutable machine language program. Also, restoration data for restoring the non-executable machine language program to the machine language program capable of forcibly deploying the airbag is created.
  • the execution order of the step of creating the restoration data and the step of creating the non-executable machine language program is not limited. Therefore, it is not necessary to generate a non-executable machine language program from the compiled machine language program. In addition, it is possible to verify and grasp the behavior of the CPU.
  • The restoration data includes data indicating a difference between the non-executable machine language program and the machine language program.
  • the restoration data includes data indicating a difference between the non-executable machine language program and the executable machine language program. Therefore, it is possible to restore an executable machine language program from the non-executable machine language program using the restored data.
  • the restoration data may be generated by a person or may be generated by a computer.
  • The restoration data includes an exclusive OR of the non-executable machine language program and the machine language program.
  • The restoration data is an exclusive OR of the non-executable machine language program and the machine language program. Therefore, the restoration data can be easily generated. It is also easy to restore the non-executable machine language program. Further, when the difference between the non-executable machine language program and the executable machine language program is expressed by exclusive OR, disabling and restoring the machine language program can be realized by the same thought process or operation, that is, exclusive OR. For this reason, it is not necessary to distinguish between the calculation method at the time of disabling execution and the calculation method at the time of restoration. In particular, when a person generates restoration data, it is not necessary to consider which calculation method applies when execution is disabled and which applies at restoration.
  • the generation of the restoration data by exclusive OR may be performed by a person or may be generated by a computer.
  • the program storage method according to the present invention includes a step of storing in the storage unit the non-executable machine language program and the restoration data created using the above-described program execution disable method.
  • the non-executable machine language program and the restoration data are created using the above-described method for disabling the airbag discard program, and the created non-executable machine language program and the restoration data are stored in the storage unit.
  • the machine language program for forcibly deploying the airbag is stored in the storage unit in an inexecutable state.
  • the non-executable machine language program and the restored data may be stored in different storage units.
  • The program storage method is characterized by including a step of storing in a storage unit a restoration machine language program for causing a computer to execute a process of restoring the non-executable machine language program to the machine language program using the restoration data.
  • the restoration machine language program for restoring the machine language program capable of deploying the airbag is stored in the storage unit using the restoration data and the non-executable machine language program. Therefore, by causing the CPU to execute the restored machine language program, it is possible to restore the machine language program that can deploy the airbag using the restored data and the non-executable machine language program.
  • The airbag control apparatus includes a storage unit storing the non-executable machine language program and restoration data created by using the program execution disabling method; a control unit that, based on the non-executable machine language program and restoration data stored in the storage unit, restores the non-executable machine language program to the machine language program and executes the machine language program; and a circuit for deploying the airbag according to the control of the control unit that executes the machine language program.
  • the airbag is not deployed.
  • the control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag.
  • the airbag is deployed under the control of the control unit that has executed the machine language program.
  • the airbag control apparatus When the airbag control apparatus according to the present invention discards an airbag, some instruction codes included in a machine language program for executing a process of forcibly deploying the airbag are used as other instruction codes.
  • the machine language program obtained by replacing or replacing a part of the reference memory address included in the machine language program with another reference memory address, and the machine language program disabled,
  • The storage unit of the airbag control device stores a machine language program that has been made non-executable by replacing some instruction codes included in the machine language program for causing the computer to execute processing for forcibly deploying the airbag with other instruction codes, or by replacing a part of the reference memory address included in the machine language program with another reference memory address.
  • the other instruction codes used for the replacement are regular codes used for operating the CPU of the computer, and the operation of the computer is guaranteed.
  • the reference address is an effective address where a reference destination exists.
  • the storage unit stores restoration data for restoring the non-executable machine language program into the machine language program capable of forcibly deploying the airbag.
  • the control unit can restore and execute the non-executable machine language program using the restoration data into a machine language program capable of forcibly deploying the airbag.
  • the airbag is deployed under the control of the control unit that has executed the machine language program.
  • According to the present invention, it is not necessary to perform the process of generating the non-executable machine language program after generating the machine language program capable of forcibly deploying the airbag, and even if the non-executable machine language program is executed before execution coding, all operations can be grasped and guaranteed. Therefore, it is possible to easily create an inexecutable machine language program having higher safety than the conventional inexecutability method and store it in the storage unit of the computer.
  • FIG. 1 is a block diagram schematically showing a configuration example of an airbag control device 1 and a disposal device 2 according to an embodiment of the present invention.
  • the airbag control device 1 is accommodated in a container (not shown), and is disposed at an appropriate location of the vehicle, for example, near the dashboard.
  • the airbag control device 1 includes a CPU 11 that controls the operation of each component constituting the airbag control device 1.
  • a ROM 12 and a RAM 13 are connected to the CPU 11 via a bus.
  • the acceleration sensor 14, the ignition circuit 15, and the communication circuit 16 are connected to the CPU 11 via an I / O port (not shown) connected to the bus.
  • The CPU 11 includes a control circuit, an arithmetic logic circuit, an instruction decoder, an address register, a data register, an instruction register, a program counter, a stack register, various registers such as a general-purpose register, and the like (not shown). Since the configurations and operations of these circuits and registers are well-known techniques, details thereof are omitted. In FIG. 1, only the r16 register, which is one general-purpose register, is shown for convenience of drawing and explanation. Further, the power source 3 mounted on the vehicle is connected to the CPU 11 via a regulator, and when the ignition switch is turned on, a predetermined voltage, for example, a voltage of 5V, is applied to the CPU 11.
  • the ROM (storage unit) 12 is a non-volatile storage unit that stores a non-executable code (non-executable machine language program) and a restoration code (restoration machine language program) according to the present embodiment.
  • The non-executable code terminates without executing the process of forcibly deploying the airbag even if it is expanded in the RAM 13 as it is and executed by the CPU 11.
  • the restoration code is a program for restoring the non-execution code into an execution code (machine language program) that can forcibly deploy the airbag.
  • the execution code is a program for executing processing for forcibly deploying the airbag when the airbag is discarded. Details of the non-executable code and the restored code will be described later.
  • the ROM 12 stores a program for deploying the airbag when a vehicle collision is detected.
  • the ROM 12 includes a mask ROM and a PROM (Programmable Read Only Memory).
  • The ROM 12 is an example of a storage unit, and the non-executable code and restoration code may instead be stored in an EPROM (Erasable and Programmable Read Only Memory), an EEPROM (Electrically-Erasable and Programmable Read Only Memory), a flash memory, or another nonvolatile memory.
  • the RAM 13 is a volatile memory that temporarily stores data generated when the CPU 11 executes an execution code and other various programs.
  • the acceleration sensor 14 is a circuit for detecting a vehicle collision, and outputs a signal corresponding to the acceleration acting on the vehicle to the CPU 11.
  • a squib 15a is connected to the ignition circuit 15, and a voltage is applied to the squib 15a in accordance with a signal output from the CPU 11 to deploy the airbag.
  • The squib 15a is accommodated in an inflator arranged in a steering wheel or a dashboard, and gunpowder is arranged around the squib 15a.
  • the squib 15a is connected to the power source 3 via a booster circuit (not shown) and has a heating element such as a filament that generates heat when it is turned on.
  • the ignition circuit 15 includes a switch for interrupting energization to the squib 15a.
  • the switch is, for example, a MOSFET, the gate terminal is connected to the I / O port of the CPU 11, the drain terminal is connected to the squib 15a, and the source terminal is grounded.
  • the communication circuit 16 includes a connector for connecting to the disposal device 2 via a cable.
  • the communication circuit 16 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the discarding device 2 under the control of the CPU 11.
  • the discarding device 2 includes a control unit 21, a communication circuit 22, and an operation unit 23.
  • the control unit 21 is a microcomputer provided with a CPU that controls the operation of each component of the discarding device 2, and a ROM, a RAM, and an I / O port (not shown) are connected to the CPU.
  • the communication circuit 22 includes a connector for connecting to the airbag control device 1 via a cable.
  • the communication circuit 22 is a circuit for transmitting and receiving various data for forcibly deploying the airbag to and from the airbag control device 1 under the control of the control unit 21.
  • the operation unit 23 is a button, switch, touch sensor, or the like for receiving an operation for forcibly deploying the airbag when the airbag is discarded.
  • The operation unit 23 is configured so that its operation state can be detected by the control unit 21.
  • FIG. 2 is a flowchart showing a program execution disable method and a program storage method according to the embodiment of the present invention.
  • the user of the program execution disablement method and the program storage method prepares an execution source code (source program) that is described in a lower language and for executing a process for forcibly deploying an airbag (step).
  • the lower language is, for example, an assembly language.
  • the lower language is an example of a language for describing a source program, and includes all computer languages except machine language.
  • FIG. 3 is a flowchart showing a part of the processing procedure described in the execution source code.
  • the CPU 11 executes the following processing by the execution code obtained by compiling the execution source code.
  • the CPU 11 assigns a numerical value based on the data transmitted from the discarding device 2 to the variable A (step S31).
  • the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S32).
  • the airbag control device 1 is configured such that “0xAA” is stored in the variable A when a series of procedures for forcibly deploying the airbag is performed with the disposal device 2. Note that “0xAA” represents a numerical value “AA” expressed in hexadecimal, and “170” when expressed in decimal.
  • When it is determined that the variable A is “0xAA” (step S32: YES), the CPU 11 outputs a deployment signal for deploying the airbag to the ignition circuit 15, thereby deploying the airbag for disposal, and ends the process (step S33). When it is determined that the variable A is not “0xAA” (step S32: NO), the CPU 11 ends the process.
  • The user who has finished the process of step S11 then replaces an instruction code included in the execution source code with another instruction code, thereby converting it into a non-execution source code (step S12).
  • FIGS. 4A and 4B are explanatory diagrams showing a method of converting execution source code into non-execution source code.
  • FIG. 4A shows a part of the execution source code written in the assembly language.
  • the assembly language shown in FIGS. 4A and 4B is a language for “NEC V850ES series microcomputer”.
  • The execution source code shown in FIG. 4A corresponds to the process of step S32 shown in FIG. Specifically, in the program on the first line, the CPU 11 reads the contents of the 1-byte variable A into the r16 register, and in the program on the second line, the 1-byte data read into the r16 register is sign-extended to 4-byte data.
  • The sign extension is an instruction for causing the CPU 11 to execute sign extension so that numerical values can be handled correctly as positive and negative numbers. Then, in the program on the third line, the CPU 11 performs an OR operation between the data in the r16 register and the data in the r16 register itself, and in the program on the fourth line, adds “0x56” to the r16 register. Note that “0x56” represents the numerical value “56” expressed in hexadecimal, and “86” when expressed in decimal. According to the above processing, when the content of the variable A is “0xAA”, the content of the r16 register is “0x00”, and when the content of the variable A is other than “0xAA”, the content of the r16 register is other than “0x00”. The subsequent processing is programmed so that the airbag is forcibly deployed when the content of the r16 register is “0x00”, and the process is forcibly terminated when the content of the r16 register is other than “0x00”.
  • To make the code non-executable, it is sufficient that the content of the r16 register be “0x00” immediately before the execution of the “addi” instruction on the fourth line.
  • In that case, the content of the r16 register becomes “0x56” in the program on the fourth line. This is the same as the case where a value other than “0xAA” is stored in the variable A in the execution code, and the program is forcibly terminated without deploying the airbag.
  • FIG. 4B is an example of non-executable source code.
  • part of the instruction code included in the execution source code is converted so that the content of the r16 register becomes “0x00” immediately before the execution of the “addi” instruction on the fourth line.
  • the “sxb” instruction on the second line is replaced with a “zxb” instruction
  • the “or” instruction on the third line is replaced with an “xor” instruction.
  • the CPU 11 performs an exclusive OR operation between the data in the r16 register and the data in the r16 register itself.
  • the exclusive OR of data “1” and “1” expressed in binary numbers is “0”, and the exclusive OR of “0” and “0” is also “0” (FIG. 8A and FIG. 8B). Therefore, as a result of the exclusive OR operation on the same data, the content of the r16 register becomes “0x00” (see FIGS. 8A and 8B).
  • The “zxb” instruction on the second line is an instruction for causing the CPU 11 to execute zero extension, so that the numerical value is always handled as a positive number.
  • FIG. 5 is a flowchart showing a part of the processing procedure for non-executable data.
  • the CPU 11 executes the following processing. First, the CPU 11 substitutes a numerical value based on the data transmitted from the discarding device 2 for the variable A (step S131). Then, the CPU 11 determines whether or not the value of the variable A is a predetermined value, for example, “0xAA” (step S132). However, in the non-executable code, it is always determined that the variable A is not a predetermined value regardless of the value of the variable A. For this reason, the CPU 11 always determines that the variable A is not a predetermined value (step S132: NO), and the process is forcibly terminated.
  • After step S12, mask data (restoration data) is created for restoring the replaced instruction code to the instruction code before the replacement, that is, for restoring the non-executable code to the executable code (step S13).
  • FIGS. 6A and 6B are explanatory diagrams showing execution codes and non-execution codes in which execution source code and non-execution source code are described in machine language.
  • FIG. 6A is an execution code in which execution source code is described in machine language
  • FIG. 6B is non-execution code in which non-execution source code is described in machine language.
  • the portion where the data contents are changed by the replacement of the instruction code is underlined.
  • r and R are data specifying a register
  • d is a memory reference address
  • i is data indicating a numerical value to be added.
  • FIG. 7 is an explanatory diagram showing mask data
  • FIGS. 8A and 8B are a truth table and a Venn diagram of exclusive OR operation.
  • Mask data for restoring non-execution data to execution data is obtained by an exclusive OR operation between the execution data and the non-execution data.
  • the exclusive OR operation as shown in FIGS. 8A and 8B, when the values of the first input and the second input are the same, the output is “0”, and the values of the first input and the second input are different. In this case, since the output is “1”, the difference between the execution data and the non-execution data can be expressed by the mask data.
  • the mask data for restoring the instruction code described in the second and third lines is “00000000000001”. It is also preferable to create mask data for the part where the instruction code is not replaced. This is because the calculation at the time of restoration becomes easy.
  • the mask data of the portion where the instruction code does not need to be restored is “0000...”.
  • it is not indispensable to create mask data corresponding to all instruction codes and only mask data of a portion where instruction codes are replaced may be created.
  • The mask data may be created manually by the user using an assembly language / machine language conversion table. Alternatively, the mask data may be created by causing a computer to execute an exclusive OR operation of the execution code and the non-execution code.
  • Although exclusive OR was illustrated as the method of creating mask data, the method is not limited to this, and other methods may be adopted as long as at least data indicating a difference between an execution code and a non-execution code can be created. For example, a value obtained by subtracting a non-executable code from an executable code may be used as mask data. In this case, the execution code can be restored by adding the non-execution code and the mask data. A value obtained by adding the non-executable code to the executable code may be used as mask data. In this case, the execution code can be restored by subtracting the non-execution code from the mask data. Furthermore, the mask data may be calculated by multiplication, division, and other reversible operations between the execution code and the non-execution code.
  • the user who has finished the process of step S13 then compiles the non-executable code, the mask data, and the restoration program (step S14).
  • the restoration program is a program that restores the non-executable code to the execution code by executing an exclusive OR operation between the non-executable code and the mask data, and expands the restored execution code in the RAM 13.
  • the compiling is performed using a computer, but needless to say, it may be manually performed by a user using an assembly language / machine language conversion table.
  • the user stores the compiled non-executable code and the restored code including the mask data in the ROM 12 (step S15).
  • the mask data does not necessarily have to be integrated with the restoration code. If the non-execution code can be restored to the execution code using the mask data, the mask data may be stored in the ROM 12 separately. Further, it is not always necessary to store a non-executable code and a restoration code including mask data in one ROM 12.
  • the non-executable code may be stored in the ROM 12 of the airbag control device 1 and the restoration code including the mask data may be stored in an EEPROM (not shown) of the airbag control device 1. Alternatively, only mask data may be stored in an EEPROM (not shown) of the airbag control device 1.
  • FIG. 9 is a flowchart showing a processing procedure of the airbag control device 1 and the disposal device 2 related to disposal.
  • The processing is described on the assumption that the disposal device 2 is connected to the airbag control device 1 and that data is transmitted and received via the communication circuits 16 and 22.
  • The control unit 21 of the disposal device 2 determines whether the start of the airbag disposal process has been instructed by monitoring the operation state of the operation unit 23 (step S51). If it determines that the start of the disposal process has not been instructed (step S51: NO), the control unit 21 returns the process to step S51. If it determines that the start of the disposal process has been instructed (step S51: YES), the control unit 21 transmits restoration execution data, which requests restoration of the non-executable code, to the airbag control device 1 through the communication circuit 22 (step S52).
  • The CPU 11 of the airbag control device 1 receives the restoration execution data transmitted from the disposal device 2 through the communication circuit 16 (step S53).
  • The CPU 11 restores the execution code from the non-executable code stored in the ROM 12 and from the mask data by executing the restoration code (restoration machine language program) stored in the ROM 12. The restored execution code is then expanded in the RAM 13 (step S54).
  • FIG. 10 is an explanatory diagram conceptually showing a general method for restoring execution code using mask data.
  • FIGS. 11A and 11B conceptually show a specific method for restoring execution code using mask data.
  • FIG. 12 is a block diagram schematically showing a configuration example of the airbag control device 1 and the discarding device 2 in which the restored execution data is expanded in the RAM 13.
  • The non-executable code is restored by performing an exclusive OR operation between the non-executable code and the mask data, a predetermined number of bytes at a time from the beginning. For example, if the unit of the exclusive OR operation is 16 bits, the operation is executed sequentially, 16 bits at a time.
  • The non-executable code is restored by sequentially executing an exclusive OR operation between the non-execution data shown in FIG. 6B and the mask data shown in FIG. Specifically, each bit of the non-execution data that corresponds to the numerical value “1” in the mask data is converted from “1” to “0” or from “0” to “1”. As a result, the “zxb” instruction is restored to the “sxb” instruction as shown in FIG. 11A, and the “xor” instruction is restored to the “or” instruction as shown in FIG. 11B.
  • The non-executable code shown in FIG. 6B is thus restored to the executable code shown in FIG. 6A, and the restored executable code is expanded in the RAM 13 as shown in FIG.
  • The CPU 11 transmits restoration end notification data, which notifies the end of restoration, to the disposal device 2 through the communication circuit 16 (step S55).
  • the control unit 21 of the discard apparatus 2 receives the restoration end notification data transmitted from the airbag control apparatus 1 by the communication circuit 22 (step S56). And the control part 21 determines whether execution of the disposal process of an airbag was instruct
  • The CPU 11 of the airbag control device 1 receives the discard execution data transmitted from the disposal device 2 via the communication circuit 16 (step S59). When the discard execution data is received, the CPU 11 executes the restored execution code (step S60) and ends the process. If the series of procedures for forcibly deploying the airbag is correctly performed with the disposal device 2 and the execution code is correctly restored, the variable A holds the numerical value “0xAA”. When the process shown in FIG. 3 is executed in step S60, the squib 15a is ignited and the airbag is forcibly deployed.
  • With the program execution disabling method, the program storage method, and the airbag control device, it is not necessary to perform a separate process for generating the non-executable code after generating an execution code described in machine language. Further, even if the non-executable code is executed before restoration due to a malfunction of the CPU 11, all of its operations can be grasped and guaranteed. Therefore, a non-executable code with higher safety than the conventional execution disabling method can be created and stored in the ROM 12.
  • The mask data is created by an exclusive OR of the execution code and the non-executable code. Likewise, the non-executable code can be restored to the execution code by an exclusive OR of the non-executable code and the mask data. Therefore, the mask data can be created easily and the execution code can be restored easily. That is, when the difference between the execution data and the non-execution data is expressed by an exclusive OR, execution can be disabled and restored by the same thought process or operation, namely the exclusive OR. For this reason, it is not necessary to distinguish between the calculation method used when disabling execution and the calculation method used when restoring. In particular, when a person generates the restoration data, there is no need to think about which calculation method is used when disabling execution and which is used when restoring.
  • Modification 1: The airbag control device 1, the program execution disabling method, and the program storage method according to Modification 1 differ from the embodiment only in the method of disabling execution, so the differences are mainly described below.
  • In the program storage method according to the first modification, a part of the reference addresses included in the execution source program is replaced with another reference address to disable execution.
  • FIG. 13 is a flowchart showing a program execution disable method and a program storage method according to the first modification.
  • As in the above-described embodiment, the user of the program storage method first prepares an execution source code that is written in a low-level language and that executes the process of forcibly deploying an airbag (step S111). The user then converts the execution source code into a non-execution source code by replacing a reference address included in it with another reference address (step S112). Thereafter, in steps S113 to S115, processing similar to that in steps S13 to S15 is executed.
  • FIG. 14A and FIG. 14B are explanatory diagrams showing an execution code and a non-execution code in which the execution source code and the non-execution source code in Modification 1 are described in machine language.
  • The reference address of the variable A is “0000000000001000”.
  • The user replaces the reference address of the variable A with “0000000000001000000”.
  • The reference address is changed so that the result is the same as when a value other than “0xAA” is stored in the variable A in the execution code; for example, the numerical value “0x00” is always stored at the reference address after replacement.
  • The program is then forcibly terminated without deploying the airbag. Since the numerical value stored at the address may be replaced with an unexpected value when the CPU 11 malfunctions, it is better to also replace the instruction code with another instruction code.
  • Here, an example in which only the reference memory address is replaced is described.
  • FIG. 15 is an explanatory diagram showing mask data in the first modification.
  • Mask data for restoring the reference address after replacement to the reference address before replacement can be created by performing an exclusive OR operation between the reference address “0000000000001000” of the variable A and the reference address “0000000000000010000” after replacement. As in the above-described embodiment, mask data is also created in FIG. 15 for the other instruction codes, which are not replaced.
  • The same effects as those of the embodiment can be obtained.
  • Fault tolerance can be improved and malfunctions can be prevented more effectively.
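The mask creation and the 16-bit-at-a-time restoration of step S54 described above, as an added C example that is not part of the patent text. The word values are constructed placeholders rather than real instruction encodings, and the function names and buffer sizes are assumptions; the same exclusive OR applies unchanged when the replaced unit is a reference address, as in Modification 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 16-bit words, NOT real instruction encodings. */
static const uint16_t EXEC_CODE[4]    = {0x1234, 0xA5A5, 0x0F0F, 0x7E00};
static const uint16_t NONEXEC_CODE[4] = {0x1234, 0xA5B5, 0x0F0F, 0x7A00};

/* mask = exec XOR nonexec, unit by unit; returns how many units were replaced.
   Units that were not replaced get a mask word of 0. */
size_t make_mask(const uint16_t *exec, const uint16_t *nonexec,
                 uint16_t *mask, size_t n)
{
    size_t replaced = 0;
    for (size_t i = 0; i < n; i++) {
        mask[i] = (uint16_t)(exec[i] ^ nonexec[i]);
        if (mask[i] != 0)
            replaced++;
    }
    return replaced;
}

/* Restore into a RAM buffer: a mask bit of 1 flips the stored bit, 0 keeps it.
   Returns 0 on success, -1 if the buffer cannot hold n units. */
int restore(const uint16_t *nonexec, const uint16_t *mask, size_t n,
            uint16_t *ram, size_t ram_units)
{
    if (n > ram_units)
        return -1;
    for (size_t i = 0; i < n; i++)
        ram[i] = (uint16_t)(nonexec[i] ^ mask[i]);
    return 0;
}

/* Round trip: returns the number of replaced units, or -1 on any mismatch. */
int roundtrip(void)
{
    uint16_t mask[4], ram[4];
    size_t replaced = make_mask(EXEC_CODE, NONEXEC_CODE, mask, 4);
    if (restore(NONEXEC_CODE, mask, 4, ram, 4) != 0 ||
        memcmp(ram, EXEC_CODE, sizeof ram) != 0)
        return -1;
    return (int)replaced;
}

int main(void)
{
    printf("replaced units: %d\n", roundtrip());
    return 0;
}
```

Because creation and restoration are the same operation, only the stored image and the mask need to be kept; the executable form exists only in the RAM buffer after restoration.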

Abstract

The invention relates to a method for disabling execution of a program such that, when an airbag is to be discarded, the executable code that causes a computer to execute processing for forcibly deploying an airbag can be converted easily and reliably into a state in which execution is disabled. The method comprises: a step in which a part of the instruction codes included in a source program for the executable code that causes the computer to execute processing for forcibly deploying an airbag is replaced with another instruction code, or some of the reference memory addresses included in the source program are replaced with other memory addresses, thereby converting the source program into a program that is incapable of deploying the airbag; a step in which the source program incapable of deploying an airbag is compiled into non-executable code; and a step in which restoration data is created for restoring the non-executable code to executable code that is capable of forcibly deploying the airbag.
PCT/JP2010/069261 2009-11-20 2010-10-29 Method for disabling execution of a program, method for storing a program, and airbag control device WO2011062044A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
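JP2011541867A JP5468086B2 (ja) 2009-11-20 2010-10-29 Program execution disabling method, program storage method, and airbag control device
CN201080052705.8A CN102666211B (zh) 2009-11-20 2010-10-29 Program execution disabling method, program storage method, and airbag control device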

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009-265329 2009-11-20
JP2009265329 2009-11-20

Publications (1)

Publication Number Publication Date
WO2011062044A1 true WO2011062044A1 (fr) 2011-05-26

Family

ID=44059527

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/069261 WO2011062044A1 (fr) 2009-11-20 2010-10-29 Method for disabling execution of a program, method for storing a program, and airbag control device

Country Status (3)

Country Link
JP (1) JP5468086B2 (fr)
CN (1) CN102666211B (fr)
WO (1) WO2011062044A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104670145B (zh) * 2013-11-27 2019-06-07 博世汽车部件(苏州)有限公司 Method and device for providing automobile safety cushioning

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1129003A (ja) * 1997-05-15 1999-02-02 Toyota Motor Corp Activation device for occupant protection device
JPH11301390A (ja) * 1998-04-24 1999-11-02 Keihin Corp Airbag disposal device
JPH11301391A (ja) * 1998-04-24 1999-11-02 Keihin Corp Airbag disposal device
JPH11301387A (ja) * 1998-04-24 1999-11-02 Keihin Corp Airbag disposal device
JPH11301388A (ja) * 1998-04-24 1999-11-02 Keihin Corp Airbag disposal device
WO2004087468A1 (fr) * 2003-04-01 2004-10-14 Robert Bosch Gmbh Control unit for a restraint system
JP2006256371A (ja) * 2005-03-15 2006-09-28 Toyota Motor Corp Activation device for occupant protection device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19849079A1 (de) * 1998-10-24 2000-04-27 Bayerische Motoren Werke Ag Method for disarming pyrotechnic actuators in a vehicle
JP4266357B2 (ja) * 2004-03-29 2009-05-20 三菱電機株式会社 In-vehicle electronic control device

Also Published As

Publication number Publication date
JP5468086B2 (ja) 2014-04-09
CN102666211B (zh) 2014-09-17
CN102666211A (zh) 2012-09-12
JPWO2011062044A1 (ja) 2013-04-04

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201080052705.8

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10831439

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011541867

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10831439

Country of ref document: EP

Kind code of ref document: A1