WO2018154949A1 - Système de mise à jour de programme, dispositif de commande, procédé de mise à jour de programme et programme informatique - Google Patents

Système de mise à jour de programme, dispositif de commande, procédé de mise à jour de programme et programme informatique Download PDF

Info

Publication number
WO2018154949A1
WO2018154949A1 PCT/JP2017/045982 JP2017045982W WO2018154949A1 WO 2018154949 A1 WO2018154949 A1 WO 2018154949A1 JP 2017045982 W JP2017045982 W JP 2017045982W WO 2018154949 A1 WO2018154949 A1 WO 2018154949A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
update
control
version
control device
Prior art date
Application number
PCT/JP2017/045982
Other languages
English (en)
Japanese (ja)
Inventor
勝憲 牛田
竹嶋 進
長村 吉富
陽介 高田
Original Assignee
住友電気工業株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 住友電気工業株式会社 filed Critical 住友電気工業株式会社
Publication of WO2018154949A1 publication Critical patent/WO2018154949A1/fr

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60RVEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating

Definitions

  • the present invention relates to a program update system, a control device, a program update method, and a computer program.
  • This application claims priority based on Japanese Patent Application No. 2017-031758 filed on Feb. 23, 2017, and incorporates all the content described in the above Japanese application.
  • ECUs Electronic Control Units
  • the ECU includes, for example, an engine, a brake, an EPS (Electric Power Steering) control for the operation of an accelerator, a brake, and a steering wheel, and a headlight is turned on / off according to a switch operation by an occupant Some of them operate the meters arranged near the driver's seat, such as wiper ON / OFF and door lock / unlock.
  • the ECU is configured by an arithmetic processing device such as a microcomputer, and the control of the in-vehicle device is realized by reading and executing a control program stored in a ROM (Read Only Memory).
  • the control program of the ECU needs to rewrite the old version of the control program with the new version of the control program in response to the upgrade of the control program.
  • a gateway such as an in-vehicle communication device receives an update program from a management server, and an ECU rewrites a control program from an old version to a new version using the received update program.
  • a technique for remotely executing program update for each ECU by wireless communication is disclosed.
  • a system includes a control device mounted on a vehicle, a relay device connected to the control device so as to enable in-vehicle communication, and a management server that performs wireless communication with the relay device.
  • the relay device or the control device transmits a transmission defined as follows until obtaining a plurality of update programs necessary for updating the control program of the control device to a new version of two or more generations.
  • a transmission / reception process for repeating the process and the reception process is executed.
  • Transmission process Process for transmitting a control message requesting an update program for upgrading the control program of the control device one generation at a time to the management server Reception process: Managing an update program transmitted by the management server in response to the control message Processing received from the server
  • An apparatus is a control device mounted on a vehicle, and includes a volatile memory, a storage unit having a rewritable nonvolatile memory that stores a control program, and the control program A control unit that controls a control target in the vehicle, and an acquisition unit that acquires an update program of the control program, and the control unit, when the acquisition unit acquires a plurality of the update programs,
  • the control program is read from the non-volatile memory to the volatile memory, a plurality of the update programs are sequentially applied to the control program on the volatile memory, and the control program is updated to a new version of two or more generations. Then, the updated new version of the control program is written into the nonvolatile memory.
  • a method includes a control device mounted on a vehicle, a relay device connected to the control device so as to enable in-vehicle communication, and a management server that performs wireless communication with the relay device.
  • a method for updating a program executed in a communication system wherein the relay device or the control device acquires a plurality of update programs necessary for updating the control program of the control device to a new new version for two generations or more. , Including the step of repeating the transmission process and the reception process defined above.
  • a computer program includes a control device mounted on a vehicle, a relay device connected to the control device so as to be able to perform in-vehicle communication, and a management server that performs wireless communication with the relay device.
  • 1 is an overall configuration diagram of a program update system according to an embodiment of the present invention. It is a block diagram which shows the internal structure of a gateway. It is a block diagram which shows the internal structure of ECU. It is a block diagram which shows the internal structure of a management server. It is a sequence diagram which shows the prior art example of the update procedure of a control program. It is a sequence diagram which shows the update procedure of the control program of 1st Embodiment. It is a sequence diagram which shows the update procedure of the control program of 2nd Embodiment. It is a sequence diagram which shows the update procedure of the control program of 3rd Embodiment. It is a sequence diagram which shows the update procedure of the control program of 4th Embodiment. It is a sequence diagram which shows the update procedure of the control program of 5th Embodiment.
  • the management server manages the version history of the control program of the ECU for each vehicle, and in the operation method in which an update program suitable for each vehicle is generated and provided to the vehicle, The server processing load becomes excessive.
  • the vehicle receives the update program by wireless communication, the above-mentioned tendency becomes remarkable because the update timing is diversified as compared with the case of wired communication. Therefore, on the management server side, when there are a plurality of version upgrades for a predetermined ECU, it is a reality that each differential program is prepared, and the ECU of the vehicle that is not the new version sequentially updates the differential program and the control program. Operation.
  • the update program is a differential program
  • the old version of the control program is expanded in the RAM
  • the new version of the control program to which the update program is applied is written in the ROM. Done. Therefore, when the difference between the current version and the new version is two generations or more with respect to the same ECU control program, at least the update process from the current version to the mid version and the update process from the mid version to the new version are at least Since two update processes are required, there is a problem that it takes time to reach the new version.
  • the update program is a differential program
  • it is necessary to perform writing / ROM check of the control program which is the main cause of lengthening the update time, at least twice.
  • the present disclosure has been made in view of such conventional problems, and an object thereof is to shorten the update time of a control program necessary for upgrading two or more generations.
  • a program update system includes a control device mounted on a vehicle, a relay device connected to the control device so that in-vehicle communication is possible, and a management server that wirelessly communicates with the relay device.
  • the relay apparatus or the control apparatus transmits a plurality of update programs necessary for updating the control program of the control apparatus to a new new version for two generations or more until the transmission process defined below The transmission / reception process is repeated to repeat the reception process.
  • Transmission process Process for transmitting a control message requesting an update program for upgrading the control program of the control device one generation at a time to the management server Reception process: Managing an update program transmitted by the management server in response to the control message Processing received from the server
  • the control device since the relay device or the control device executes the transmission / reception process described above, the control device can update a plurality of update programs or new versions required for generating a new version of the control program.
  • a control program can be acquired.
  • control device includes a volatile memory and a storage unit having a rewritable nonvolatile memory for storing the control program, and the control device acquires a plurality of the update programs
  • the control The apparatus reads the control program from the non-volatile memory to the volatile memory, sequentially applies the plurality of update programs to the control program on the volatile memory, and updates the control program to the new version.
  • the updated new version of the control program may be written into the nonvolatile memory.
  • control device only needs to write and check a new version of the control program (skip program) generated by itself once, and shorten the update time required for two or more generations of version upgrades. Can do.
  • control device does not update the control program until a plurality of the update programs are acquired, and after the plurality of the update programs are acquired, It is necessary to update the control program.
  • the control device may transmit a write completion notification when the updated control program is written to the nonvolatile memory after a plurality of the update programs are acquired. preferable. In this way, by sending the above write completion notification to the relay device or management server, it is possible to notify the relay device or management server that the control program has been updated to a new version of two or more generations. it can.
  • the relay device or the control device applies the plurality of acquired update programs to the volatile memory of its own device a plurality of times to generate two generations.
  • the generation process of the skip program which is the new version of the control program is executed, and the control apparatus executes the writing process of writing the generated skip program in the nonvolatile memory of the own apparatus.
  • the control device only needs to write and check a new version of the control program (skip program) that has been generated by itself or provided from the relay device once, and it can be upgraded to two or more generations.
  • the required update time can be shortened.
  • the relay device transfers the acquired plurality of update programs to the control device, and the control The apparatus uses the plurality of transferred update programs to generate a skip program that is a version of the control program that is two or more generations newer than the current version of the apparatus, and stores the generated skip program in the storage unit of the apparatus. Just write it. In this case, if the writing and checking of the skip program are completed successfully, the update to the new version, which is a new version of two generations or more, is completed, so the update time required for the version upgrade of two generations or more can be shortened. .
  • the relay device uses the plurality of acquired update programs to obtain the current version of the control device.
  • a skip program that is a version of the control program that is newer than two generations is generated, the generated skip program is transferred to the control device, and the control device writes the transferred skip program in the storage unit of the own device. You may do it.
  • the writing and checking of the skip program is completed successfully, the update to the new version, which is a new version of 2 generations or more, is completed, so the update time required for the upgrade of 2 generations or more can be shortened. it can.
  • the control device uses the plurality of acquired update programs to determine the current version of the device itself.
  • a skip program that is a new version of the control program of two or more generations may be generated, and the generated skip program may be written in the storage unit of the own device.
  • the update to the new version which is a new version of 2 generations or more, is completed, so the update time required for the upgrade of 2 generations or more can be shortened. it can.
  • control device In the program update system of the present embodiment, the control device generates a next-generation control program from the update program when the write of the skip program fails, and the generated control program It is preferable to perform writing to the storage unit of the own device step by step for each generation. In this way, even if the skip program writing fails, the control program of the control device can be reliably updated to the new version.
  • the control message may include a provisional completion notification requesting the management server to transmit the next update program in response to reception of the update program. preferable.
  • the management server since the management server further transmits the next update program in response to the provisional completion notification, a plurality of update programs necessary for updating to a new version that is a new version of two or more generations are transferred to the relay device or The control device can receive appropriately.
  • the control message includes a write completion notification for notifying the management server of completion of writing of the next generation control program generated from the update program. Also good.
  • the management server since the management server further transmits the next update program in response to the rewriting completion notification, a plurality of update programs necessary for updating to a new version that is a new version of two or more generations are transferred to the relay device or The control device can receive appropriately.
  • the program update system of the present embodiment whether or not the relay device or the control device executes the transmission / reception process based on at least one of a data size and a transmission time of a plurality of the update programs. It is preferable to determine whether or not. In this case, only when the data size and transmission time of a plurality of update programs are equal to or greater than a predetermined threshold, the program update system of the present embodiment can be flexibly operated, for example, by causing the relay device or the control device to execute the transmission / reception process described above become able to.
  • the control device of the present embodiment is a control device mounted on a vehicle, and includes a volatile memory, a storage unit having a rewritable nonvolatile memory for storing a control program, and the vehicle according to the control program.
  • a control unit that controls a control target of the control unit, and an acquisition unit that acquires an update program of the control program, and the control unit is configured such that when the acquisition unit acquires a plurality of the update programs, the nonvolatile unit
  • the control program is read from the volatile memory to the volatile memory, a plurality of the update programs are sequentially applied to the control program on the volatile memory, and the control program is updated to a new new version for two generations or more.
  • the new version of the control program is written into the nonvolatile memory.
  • the control unit reads the control program from the nonvolatile memory to the volatile memory, sequentially applies a plurality of update programs to the control program on the volatile memory, and generates the control program for two generations. Since the new new version is updated and the updated new version of the control program is written to the non-volatile memory, it is only necessary to write and check the generated new version of the control program (skip program) once and for two or more generations. The update time required for version upgrade can be shortened.
  • the program update method of the present embodiment relates to a program update method executed by a relay device included in the program update system described in any of (1) to (12) above. Therefore, the program update method of the present embodiment has the same effects as the program update system described in any of the above (1) to (12).
  • the computer program of the present embodiment relates to a computer program for causing a computer to function as a relay device included in the program update system described in any one of (1) to (12) above. Therefore, the computer program of the present embodiment has the same operational effects as the program update system described in any of the above (1) to (12).
  • FIG. 1 is an overall configuration diagram of a program update system according to an embodiment of the present invention.
  • the program update system of this embodiment includes a vehicle 1 and a management server 5 that can communicate via a wide area communication network 2.
  • the management server 5 is operated, for example, by a car manufacturer of the vehicle 1 and can communicate with a large number of vehicles 1 owned by a user who is registered as a member in advance.
  • the vehicle 1 is equipped with a gateway 10, a wireless communication device 15, a plurality of ECUs 30, and various in-vehicle devices (not shown) controlled by the ECUs 30.
  • a communication group including a plurality of ECUs 30 that are bus-connected to a common in-vehicle communication line, and the gateway 10 relays communication between the communication groups. Therefore, a plurality of in-vehicle communication lines are connected to the gateway 10.
  • the gateway 10 is connected to the wireless communication device 15 by an in-vehicle communication line.
  • the wireless communication device 15 wirelessly communicates with the management server 5 through the wide area communication network 2 such as a mobile phone network, and transfers information received from an external device such as the management server 5 to the gateway 10.
  • the gateway 10 transmits information received from the wireless communication device 15 to the ECU 30.
  • the gateway 10 transfers the information acquired from the ECU 30 to the wireless communication device 15, and the wireless communication device 15 transmits the received information to an external device such as the management server 5.
  • the wireless communication device 15 includes a communication device such as a mobile phone, a smartphone, a tablet terminal, or a notebook PC (Personal Computer) owned by the user.
  • the wireless communication device 15 may be a navigation device that is constantly mounted on the vehicle 1.
  • the gateway 10 communicates with an external device via the wireless communication device 15 is illustrated.
  • the gateway 10 includes the management server 5. You may decide to perform radio
  • the management server 5 is configured by one server device, but may be configured by two or more server devices.
  • the management server 5 is configured by a server device that plays a different role, such as an information management server that manages user registration information and control program version information, and a download server that stores control program update programs. Can do.
  • FIG. 2 is a block diagram showing the internal configuration of the gateway 10.
  • the gateway 10 includes a CPU (Central Processing Unit) 11, a RAM (Random Access Memory) 12, a storage unit 13, an in-vehicle communication unit 14, and the like.
  • the gateway 10 is connected to the wireless communication device 15 via the in-vehicle communication line, but may include the wireless communication device 15.
  • the CPU 11 causes the gateway 10 to function as a relay device for various information by reading one or more programs stored in the storage unit 13 into the RAM 12 and executing them.
  • the CPU 11 can execute a plurality of programs in parallel, for example, by switching and executing a plurality of programs in a time division manner.
  • the CPU 11 may represent a plurality of CPU groups. In this case, the functions realized by the CPU 11 are realized by the cooperation of a plurality of CPU groups.
  • the RAM 12 is composed of a volatile memory element such as SRAM (Static RAM) or DRAM (Dynamic RAM).
  • SRAM Static RAM
  • DRAM Dynamic RAM
  • the computer program executed by the CPU 11 can be transferred while being recorded on a known recording medium such as a CD-ROM or DVD-ROM, or can be transferred by information transmission (downloading) from a computer device such as a server computer. You can also. The same applies to a computer program executed by a CPU 31 (see FIG. 3) of an ECU 30 described later and a computer program executed by a CPU 51 (see FIG. 4) of a management server 5 described later.
  • the storage unit 13 includes a nonvolatile memory element such as a flash memory or an EEPROM (Electrically Erasable Programmable Read Only Memory).
  • the storage unit 13 has a storage area for storing a computer program executed by the CPU 11 and data necessary for execution.
  • the storage unit 13 also stores an update program for each ECU 30 received from the management server 5.
  • a plurality of ECUs 30 are connected to the in-vehicle communication unit 14 via an in-vehicle communication line disposed in the vehicle 1.
  • the in-vehicle communication unit 14 is, for example, CAN (Controller Area Network), CANFD (CAN with Flexible Data Rate), LIN (Local Interconnect Network), Ethernet (registered trademark), or MOST (Media Oriented Systems Transport: MOST is a registered trademark). Communication with the ECU 30 is performed according to the standard.
  • the in-vehicle communication unit 14 transmits the information given from the CPU 11 to the target ECU 30 and gives the information received from the ECU 30 to the CPU 11.
  • the in-vehicle communication unit 14 may communicate according to other communication standards used for the in-vehicle network as well as the above communication standards.
  • the wireless communication device 15 includes a wireless communication device including an antenna and a communication circuit that executes transmission / reception of a wireless signal from the antenna.
  • the wireless communication device 15 can communicate with an external device by being connected to a wide area communication network 2 such as a mobile phone network.
  • the wireless communication device 15 transmits information given from the CPU 11 to an external device such as the management server 5 through the wide area communication network 2 formed by a base station (not shown), and receives information received from the external device to the CPU 11. give.
  • FIG. 3 is a block diagram showing the internal configuration of the ECU 30.
  • the ECU 30 includes a CPU 31, a RAM 32, a storage unit 33, a communication unit 34, and the like.
  • the ECU 30 is a control device that individually controls a plurality of in-vehicle devices mounted on the vehicle 1. Examples of the ECU 30 include an engine control ECU, a steering control ECU, and a door lock control ECU.
  • the CPU 31 controls the operation of the in-vehicle device that it is in charge of by reading one or more programs stored in advance in the storage unit 33 into the RAM 32 and executing them.
  • the CPU 31 may also represent a plurality of CPU groups, and the control by the CPU 31 may be control by cooperation of a plurality of CPU groups.
  • the RAM 32 is composed of a volatile memory element such as SRAM or DRAM.
  • the RAM 32 temporarily stores computer programs executed by the CPU 31 and data necessary for execution.
  • the storage unit 33 is configured by a nonvolatile memory element such as a flash memory or an EEPROM, or a magnetic storage device such as a hard disk.
  • the information stored in the storage unit 33 includes, for example, a computer program (hereinafter referred to as “control program”) for causing the CPU 31 to execute processing for controlling the in-vehicle device that is the control target.
  • the communication unit 34 is connected to the gateway 10 via an in-vehicle communication line disposed in the vehicle 1.
  • the communication unit 34 communicates with the gateway 10 according to a standard such as CAN, Ethernet, or MOST.
  • the communication unit 34 transmits the information given from the CPU 31 to the gateway 10 and gives the information received from the gateway 10 to the CPU 31.
  • the communication unit 34 may communicate according to other communication standards used for the in-vehicle network as well as the above communication standards.
  • the communication unit 34 may be connected to another ECU 30 via an in-vehicle communication line disposed in the vehicle 1. In this case, the communication unit 34 communicates with the gateway 10 via another ECU 30.
  • the CPU 31 of the ECU 30 includes an activation unit 35 that switches the control mode by the CPU 31 to either “normal mode” or “reprogramming mode” (hereinafter also referred to as “repro mode”).
  • the normal mode is a control mode in which the CPU 31 of the ECU 30 executes original control contents (for example, engine control, steering control, etc.) by a control program.
  • the reprogramming mode is a mode in which the CPU 31 of the ECU 30 is given the authority to erase and rewrite the control program in the ROM area of the control program. The CPU 31 can update the control program to the new version only in this mode.
  • the activation unit 35 When the activation unit 35 writes the new version control program in the storage unit 33 in the repro mode, the activation unit 35 restarts (resets) the ECU 30 once, and executes the verification process on the storage area in which the new version control program is written.
  • the activation unit 35 causes the CPU 31 to operate according to the updated control program after the above-described verification processing is completed.
  • FIG. 4 is a block diagram showing the internal configuration of the management server 5.
  • the management server 5 includes a CPU 51, a ROM 52, a RAM 53, a storage unit 54, a communication unit 55, and the like.
  • the CPU 51 reads out one or more computer programs stored in advance in the ROM 52 to the RAM 53 and executes them, thereby controlling the operation of each hardware and causing the management server 5 to function as an external device that can communicate with the gateway 10.
  • the CPU 51 may also represent a plurality of CPU groups, and the functions realized by the CPU 51 may be realized by the cooperation of a plurality of CPU groups.
  • the RAM 53 is composed of a volatile memory element such as SRAM or DRAM.
  • the RAM 53 temporarily stores computer programs executed by the CPU 51 and data necessary for execution.
  • the storage unit 54 includes a nonvolatile memory element such as a flash memory or an EEPROM, or a magnetic storage device such as a hard disk.
  • the communication unit 55 includes a communication device that executes communication processing in accordance with a predetermined communication standard, and is connected to a wide-area communication network 2 such as a mobile phone network. The communication unit 55 transmits the information given from the CPU 51 to the external device via the wide area communication network 2 and gives the information received via the wide area communication network 2 to the CPU 51.
  • the information stored in the storage unit 54 includes an update management table RT for managing for each vehicle 1 whether or not the control program of the ECU 30 has been updated to the latest version.
  • “EI” is an identification number of the ECU 30.
  • the vehicle 1 that has received the update notification transmits a version notification including the current version (for example, 1.0) of the control program of the ECU 30 to the management server 5.
  • the CPU 51 determines an update program necessary for the vehicle 1 from the current version included in the received version notification, and transmits the determined update program to the vehicle 1.
  • FIG. 5 is a sequence diagram showing a conventional example of a control program update procedure in the program update system of the present embodiment.
  • the current version of the control program is 1.0 (two generations before the latest version).
  • the update program is a “difference program ⁇ ” from an old version one generation before.
  • the new version can be generated by applying ⁇ to the old version.
  • an update program from version 1.0 to version 2.0 of the control program is “ ⁇ 1”
  • an update program from version 2.0 to version 3.0 of the control program is “ ⁇ 2”.
  • current software current version of the control program
  • the starting unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and stores the version 2.0 control program in the storage unit 33. Then, the data content is checked (step S9).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 2.0 control program is written.
  • the CPU 31 of the ECU 30 transmits a write completion notification to the gateway 10 (step S10).
  • the gateway 10 transfers the received write completion notification to the management server 5 (step S11).
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and stores the version 3.0 control program in the storage unit 33. After the data is written into the ROM, the data content is checked (step S20).
  • the above check also includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • the CPU 31 of the ECU 30 transmits a write completion notification to the gateway 10 (step S21).
  • the gateway 10 transfers the received write completion notification to the management server 5 (step S22).
  • the update program is the difference program ⁇
  • the control program on the ROM in the storage unit 33 is once expanded in the RAM 32
  • the file after the application of the difference program ⁇ is written back on the ROM
  • the ROM check (Verify processing) is performed (steps S9 and S20 in FIG. 5).
  • the control program of the latest version 3.0 is generated step by step using a plurality of update programs ⁇ 1, ⁇ 2. It was made possible to write and check in the ROM of the storage unit 33 in one time. In this case, since the control program needs to be written and checked only once, the update time required for upgrading two or more generations can be shortened.
  • FIG. 6 is a sequence diagram showing the update procedure of the control program of the first embodiment in the program update system of the present embodiment.
  • provisional completion notification is defined as a type of control message for controlling the download process between the management server 5 and the vehicle 1 (the gateway 10 in the first embodiment). Yes. Specifically, the provisional completion notification is a control message defined in advance so that the management server 5 and the gateway 10 of the vehicle 1 execute the following processes (1) to (4). The provisional completion notification is issued without receiving a writing completion notification from the ECU 30.
  • the management server 5 transmits an update program ⁇ i + 1 that is necessary next to the update program ⁇ i to the vehicle 1 (gateway 10).
  • the management server 5 transmits a final notification that the update program ⁇ i is final to the vehicle 1 (gateway 10).
  • the gateway 10 that has received the update program ⁇ 2 transmits a provisional completion notification to the management server 5 (step S108).
  • a control program hereinafter referred to as “skip program” of the new version 3.0 from the current version 1.0 is generated.
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and writes the version 3.0 control program in the ROM of the storage unit 33. After that, the data content is checked (step S115).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • the CPU 31 of the ECU 30 transmits a write completion notification to the gateway 10 (step S116).
  • the gateway 10 transfers the received write completion notification to the management server 5 (step S117).
  • FIG. 7 is a sequence diagram showing a control program update procedure according to the second embodiment in the program update system of the present embodiment.
  • the update procedure (FIG. 7) of the second embodiment is different from the update procedure (FIG. 6) of the first embodiment in that the latest version of the skip program write permission (step S114 in FIG. There is a point to execute.
  • the gateway 10 that has received the update program ⁇ 2 transmits a provisional completion notification to the management server 5 (step S208).
  • the CPU 31 of the ECU 30 reads version information from the generated skip program, and sends a version notification including the read version information to the gateway 10 (step S213).
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and writes the version 3.0 control program in the ROM of the storage unit 33. Then, the data content is checked (step S216).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • the CPU 31 of the ECU 30 transmits a write completion notification to the gateway 10 (step S217).
  • the gateway 10 transfers the received write completion notification to the management server 5 (step S218).
  • FIG. 8 is a sequence diagram showing a control program update procedure according to the third embodiment in the program update system of the present embodiment.
  • the update procedure (FIG. 8) of the third embodiment is different from the update procedure (FIG. 6) of the first embodiment in that the management server 5 that cannot recognize the provisional completion notification is adopted, and the gateway 10 replaces the provisional completion notification.
  • a normal write completion notification is transmitted to the management server 5.
  • the gateway 10 transmits a write completion notification to the management server 5 without receiving a write completion notification from the ECU 30.
  • the gateway 10 uses the update program ⁇ i before providing the update program ⁇ i to the ECU 30.
  • a notification to the effect that writing has been completed is transmitted to the management server 5.
  • the gateway 10 that has received the update program ⁇ 1 transmits a write completion notification to the management server 5 (step S306).
  • the gateway 10 that has received the update program ⁇ 2 transmits a write completion notification to the management server 5 (step S308).
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and writes the version 3.0 control program in the ROM of the storage unit 33. After that, the data content is checked (step S315).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • FIG. 9 is a sequence diagram showing a control program update procedure according to the fourth embodiment in the program update system of the present embodiment.
  • the update procedure (FIG. 9) of the fourth embodiment is different from the update procedure (FIG. 6) of the first embodiment in that the communication entity that exchanges the control message and the update program ⁇ i with the management server 5 is the ECU 30 itself, and the gateway 10 is that it functions as a mere repeater.
  • “temporary completion notification” is defined as a type of control message for controlling the download process between the management server 5 and the vehicle 1 (ECU 30 in the fourth embodiment).
  • the provisional completion notification is a control message defined in advance so that the management server 5 and the ECU 30 of the vehicle 1 execute the following processes (1) to (4).
  • the temporary completion notification is issued without the ECU 30 notifying the completion of writing.
  • the ECU 30 of the vehicle 1 manages the provisional completion notification without generating a next-generation control program using the received update program ⁇ i. Send to server 5.
  • the management server 5 transmits an update program ⁇ i + 1 that is necessary next to the update program ⁇ i to the vehicle 1 (ECU 30).
  • the management server 5 transmits a final notification that the update program ⁇ i is final to the vehicle 1 (gateway 10).
  • the ECU 30 of the vehicle 1 Upon receiving the final notification, the ECU 30 of the vehicle 1 generates a new version of the control program using the acquired one or more update programs ⁇ i, ⁇ i + 1.
  • the ECU 30 that has received the update program ⁇ 1 transmits a provisional completion notification to the management server 5 (step S404).
  • the ECU 30 that has received the update program ⁇ 2 transmits a provisional completion notification to the management server 5 (step S406).
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and writes the version 3.0 control program in the ROM of the storage unit 33. After that, the data content is checked (step S411).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • FIG. 10 is a sequence diagram showing a control program update procedure according to the fifth embodiment in the program update system of the present embodiment.
  • the update procedure (FIG. 10) of the fifth embodiment is different from the update procedure (FIG. 6) of the first embodiment in that the communication entity that exchanges the control message and the update program ⁇ i with the management server 5 is the ECU 30 itself, and the gateway 10 is that it functions as a mere repeater.
  • the update procedure (FIG. 10) of the fifth embodiment is different from the update procedure (FIG. 9) of the fourth embodiment in that the management server 5 that cannot recognize the provisional completion notification is adopted, and the ECU 30 receives the provisional completion notification. Instead, a normal write completion notification is transmitted to the management server 5.
  • the ECU 30 transmits a write completion notification to the management server 5 even if the writing of the new version of the control program has not been completed.
  • the ECU 30 used for the update procedure (FIG. 10) of the fifth embodiment writes the update program ⁇ i before applying the received update program ⁇ i. Is sent to the management server 5.
  • the ECU 30 that has received the update program ⁇ 1 transmits a write completion notification to the management server 5 (step S504).
  • the ECU 30 that has received the update program ⁇ 2 transmits a write completion notification to the management server 5 (step S506).
  • the activation unit 35 (see FIG. 3) of the ECU 30 switches the control mode of the CPU 31 from the normal mode to the repro mode, and writes the version 3.0 control program in the ROM of the storage unit 33. After that, the data content is checked (step S511).
  • the above check includes, for example, a verify process performed on the storage area in which the ECU 30 is once restarted and the version 3.0 control program is written.
  • a version upgrade from version 1.0 using update program ⁇ 1 to version 2.0 and a version upgrade from version 2.0 using update program ⁇ 2 to the latest version 3.0 are sequentially performed. You just have to do it. In this way, even if the writing of the skip program fails, the control program of the ECU 30 can be reliably updated to the latest version 3.0.
  • the gateway 10 or the ECU 30 does not unconditionally execute the update procedures (FIGS. 6 to 10) of the above-described embodiments, but the data sizes of the plurality of update programs ⁇ 1 and ⁇ 2. And transmission processing of a control message such as a provisional completion notification to the management server 5 based on at least one of the transmission time and reception of update programs ⁇ 1 and ⁇ 2 transmitted by the management server 5 in response to the control message, respectively. You may decide whether to perform a process.
  • the gateway 10 or the ECU 30 transmits and updates the control message only when the data size of the plurality of update programs ⁇ 1, ⁇ 2 is equal to or larger than a predetermined threshold or when the transmission time is equal to or larger than the predetermined threshold.
  • the update procedure of the present embodiment in which the reception of the program ⁇ i is repeated is executed.
  • the control program is upgraded one by one using the update programs ⁇ 1 and ⁇ 2 according to the conventional update procedure (FIG. 5). That's fine. In this way, when the update time is relatively long, the update procedure of this embodiment can be adopted, and the program update system of this embodiment can be operated more flexibly.
  • the gateway 10 or the ECU 30 receives three or more update programs ⁇ 1, ⁇ 2, ⁇ 3... From the management server 5, and receives the received update programs ⁇ 1, A skip program may be generated from ⁇ 2, ⁇ 3.
  • the ECU 30 generates a skip program from three or more update programs ⁇ 1, ⁇ 2, ⁇ 3..., And writes the generated skip program and performs a ROM check, thereby rapidly raising the version of the control program to the latest version. .
  • the skip program is not necessarily the latest version of the control program.
  • the gateway 10 may transfer the three update programs ⁇ 1 to ⁇ 3 that can be received to the ECU 30.
  • the ECU 30 uses the three update programs ⁇ 1 to ⁇ 3 transferred from the gateway 10 to generate a skip program of a version one generation before the latest version, and writes the generated skip program and ROM check As a result, the version of the control program is moved up to one generation before the latest version.
  • the gateway 10 can receive the fourth update program ⁇ 4, it may transfer the program ⁇ 4 to the ECU 30.
  • the ECU 30 uses the fourth update program ⁇ 4 transferred from the gateway 10 to generate the latest version of the control program, writes the generated control program, and checks the ROM, thereby controlling the version of the control program. To the latest version.
  • the gateway 10 may generate a skip program using a plurality of update programs ⁇ i received from the management server 5 and transfer the generated skip program to the ECU 30.
  • the ECU 30 since the ECU 30 does not execute the skip program generation process by itself, the ECU 30 writes the skip program transferred from the gateway 10 in the storage unit 33 of its own device.
  • the wireless communication device 15 may execute the processing of the gateway 10 in the above-described embodiment (including modifications). That is, the “relay device” of the present embodiment may be either the gateway 10 or the wireless communication device 15 shown in the figure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Mechanical Engineering (AREA)
  • Stored Programmes (AREA)

Abstract

La présente invention concerne un système de mise à jour de programme comprenant un dispositif de commande monté sur un véhicule, un dispositif de relais connecté au dispositif de commande de sorte à permettre une communication dans le véhicule, et un serveur de gestion qui communique sans fil avec le dispositif de relais. Le dispositif de relais ou le dispositif de commande exécute un traitement de transmission et de réception dans lequel les procédés de transmission et de réception définis ci-dessous sont répétés, jusqu'à ce qu'une pluralité de programmes de mise à jour requis pour mettre à jour un programme de commande du dispositif de commande vers une nouvelle version d'au moins deux générations plus récentes soient acquis. Procédé de transmission: un procédé transmet, au serveur de gestion, un message de commande demandant un programme de mise à jour pour mettre à jour, génération par génération, la version du programme de commande du dispositif de commande. Procédé de réception: un procédé reçoit, en provenance du serveur de gestion, le programme de mise à jour transmis par le serveur de gestion en réponse au message de commande.
PCT/JP2017/045982 2017-02-23 2017-12-21 Système de mise à jour de programme, dispositif de commande, procédé de mise à jour de programme et programme informatique WO2018154949A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017-031758 2017-02-23
JP2017031758A JP2018136816A (ja) 2017-02-23 2017-02-23 プログラム更新システム、制御装置、プログラム更新方法、及びコンピュータプログラム

Publications (1)

Publication Number Publication Date
WO2018154949A1 true WO2018154949A1 (fr) 2018-08-30

Family

ID=63253777

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/045982 WO2018154949A1 (fr) 2017-02-23 2017-12-21 Système de mise à jour de programme, dispositif de commande, procédé de mise à jour de programme et programme informatique

Country Status (2)

Country Link
JP (1) JP2018136816A (fr)
WO (1) WO2018154949A1 (fr)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020080273A1 (fr) * 2018-10-16 2020-04-23 株式会社オートネットワーク技術研究所 Dispositif de mise à jour embarqué, programme de traitement de mise à jour et procédé de mise à jour de programme
CN112733132A (zh) * 2021-01-05 2021-04-30 潍柴动力股份有限公司 一种ecu数据升级的方法和系统
CN112783521A (zh) * 2019-11-08 2021-05-11 丰田自动车株式会社 程序更新系统以及车辆管理服务器
CN115208868A (zh) * 2021-04-06 2022-10-18 丰田自动车株式会社 中心、分发控制方法以及非暂时性存储介质
CN115885256A (zh) * 2020-10-16 2023-03-31 Lg电子株式会社 用于更新iot装置的软件的软件更新网关和方法
CN116112595A (zh) * 2021-11-11 2023-05-12 丰田自动车株式会社 车辆管理系统、服务器、车辆以及车辆的管理方法

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011044039A (ja) * 2009-08-21 2011-03-03 Hitachi Solutions Ltd 更新データ生成装置、及び情報機器、並びにプログラム
JP2013054426A (ja) * 2011-09-01 2013-03-21 Nidec Sankyo Corp 周辺装置、周辺装置の制御方法およびファームウェアのダウンロードシステム
JP2013125517A (ja) * 2011-12-16 2013-06-24 Clarion Co Ltd 車載装置,更新システム,サーバ
JP2016170740A (ja) * 2015-03-16 2016-09-23 日立オートモティブシステムズ株式会社 ソフト更新装置、ソフト更新方法

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011044039A (ja) * 2009-08-21 2011-03-03 Hitachi Solutions Ltd 更新データ生成装置、及び情報機器、並びにプログラム
JP2013054426A (ja) * 2011-09-01 2013-03-21 Nidec Sankyo Corp 周辺装置、周辺装置の制御方法およびファームウェアのダウンロードシステム
JP2013125517A (ja) * 2011-12-16 2013-06-24 Clarion Co Ltd 車載装置,更新システム,サーバ
JP2016170740A (ja) * 2015-03-16 2016-09-23 日立オートモティブシステムズ株式会社 ソフト更新装置、ソフト更新方法

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
HASHIZUME, TOSHIO: "What does it mean that computer does not work?", NIKKEI SOFTWARE, vol. 12, no. 1, 24 December 2008 (2008-12-24), pages 22 - 33, ISSN: 1347-4685 *
SATO, MICHITOSHI, INSTALLATION AND UNTILIZATION OF MAIL AND SERVER [PART 2, vol. 9, no. 7, 1 July 1999 (1999-07-01), pages 072 - 077, ISSN: 0918-5453 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020080273A1 (fr) * 2018-10-16 2020-04-23 株式会社オートネットワーク技術研究所 Dispositif de mise à jour embarqué, programme de traitement de mise à jour et procédé de mise à jour de programme
JP2020062936A (ja) * 2018-10-16 2020-04-23 株式会社オートネットワーク技術研究所 車載更新装置、更新処理プログラム及び、プログラムの更新方法
CN113631429A (zh) * 2018-10-16 2021-11-09 株式会社自动网络技术研究所 车载更新装置、更新处理程序及程序的更新方法
JP7124627B2 (ja) 2018-10-16 2022-08-24 株式会社オートネットワーク技術研究所 車載更新装置、更新処理プログラム及び、プログラムの更新方法
US11967188B2 (en) 2018-10-16 2024-04-23 Autonetworks Technologies, Ltd. Vehicle mounted update apparatus, update processing program, and program update method
CN112783521A (zh) * 2019-11-08 2021-05-11 丰田自动车株式会社 程序更新系统以及车辆管理服务器
CN115885256A (zh) * 2020-10-16 2023-03-31 Lg电子株式会社 用于更新iot装置的软件的软件更新网关和方法
CN112733132A (zh) * 2021-01-05 2021-04-30 潍柴动力股份有限公司 一种ecu数据升级的方法和系统
CN115208868A (zh) * 2021-04-06 2022-10-18 丰田自动车株式会社 中心、分发控制方法以及非暂时性存储介质
CN116112595A (zh) * 2021-11-11 2023-05-12 丰田自动车株式会社 车辆管理系统、服务器、车辆以及车辆的管理方法

Also Published As

Publication number Publication date
JP2018136816A (ja) 2018-08-30

Similar Documents

Publication Publication Date Title
WO2018154949A1 (fr) Système de mise à jour de programme, dispositif de commande, procédé de mise à jour de programme et programme informatique
JP6376312B1 (ja) 制御装置、プログラム更新方法、およびコンピュータプログラム
WO2017149823A1 (fr) Système de mise à jour de programme, procédé de mise à jour de programme, et programme informatique
JP6323480B2 (ja) プログラム更新システム、プログラム更新方法及びコンピュータプログラム
JP6380461B2 (ja) 中継装置、プログラム更新システム、およびプログラム更新方法
CN110214308B (zh) 控制装置、程序更新方法和计算机程序
WO2017149825A1 (fr) Système de mise à jour de programme, procédé de mise à jour de programme, et programme informatique
JP6562134B2 (ja) 中継装置、プログラム更新システム、およびプログラム更新方法
JP2017157003A5 (fr)
CN111034132B (zh) 控制设备、控制方法和计算机程序
JP2017123012A (ja) 車載更新装置、更新システム及び更新処理プログラム
JP7207301B2 (ja) 更新制御装置、制御方法、およびコンピュータプログラム
JP6620891B2 (ja) 中継装置、中継方法、およびコンピュータプログラム
WO2017149821A1 (fr) Dispositif de commande, procédé de mise à jour de programme, et programme informatique
JPWO2018185994A1 (ja) 制御装置、転送方法、およびコンピュータプログラム
JP6562133B2 (ja) 中継装置、プログラム更新システム、およびプログラム更新方法
JP6547904B2 (ja) 制御装置、プログラム更新方法、およびコンピュータプログラム
JP2019074847A (ja) 電子制御装置
JP2020155026A (ja) 車載更新装置、更新処理システム、更新処理方法及び処理プログラム
JP6904067B2 (ja) ソフトウェア管理システム
CN114968316A (zh) Ota管理器、中心、更新方法、非暂时性存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17897604

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17897604

Country of ref document: EP

Kind code of ref document: A1