WO2019081395A1 - Method and device for updating the software of a control unit of a motor vehicle - Google Patents

Method and device for updating the software of a control unit of a motor vehicle

Info

Publication number
WO2019081395A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle control
control unit
motor vehicle
code
updating
Prior art date
Application number
PCT/EP2018/078830
Other languages
German (de)
English (en)
Inventor
Daniel Krippner
Andreas Heyl
Manfred Spraul
Original Assignee
Robert Bosch Gmbh
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Robert Bosch Gmbh
Priority to CN201880082909.2A (CN111480141A)
Publication of WO2019081395A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/60 Software deployment
    • G06F 8/65 Updates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2105 Dual mode as a secondary aspect
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2107 File encryption

Definitions

  • the invention relates to a method and a device for updating the software of at least one motor vehicle control unit installed in a motor vehicle.
  • end-to-end protection is used: the ASIL-compliant target controller checks itself after an update and only releases when it finds that the software update was done without error. Consequently, there is no feedback for the updating device.
  • An engine control unit may, for example, have the function of limiting the maximum speed.
  • the engine control unit receives information about the vehicle speed from an ESP control unit.
  • the currently engaged gear is interrogated by a transmission control unit, so that the engine control unit can perform a plausibility check of the vehicle speed on the basis of the engaged gear and the engine speed.
  • a method of updating the software of at least one motor vehicle control device installed in a motor vehicle comprises at least the following steps:
  • An updating device for updating the software of a motor vehicle control device mounted in a motor vehicle comprises a storage device adapted to store the software to be updated, a transmitting device designed to transmit a preparatory command, in particular a command to block the motor vehicle, to the vehicle control unit, and a receiving device configured to receive a confirmation message confirming execution of a received preparatory command by the vehicle control unit.
  • the transmitting device is designed to transmit the software to be updated to the vehicle control unit.
  • the receiving device is designed to receive a parameter dependent on the software, in particular a current software version number, of one or more vehicle control units.
  • the updating device has a calculating device which is designed to calculate an activation code from the received characteristic values; and the transmitting device is formed using this
  • a vehicle control unit is designed to cooperate with an updating device to carry out a method according to an embodiment of the invention.
  • the vehicle control unit comprises a receiving device designed to receive a preparatory command, in particular a command for blocking the motor vehicle, from an updating device, and a transmitting device adapted to transmit an acknowledgment message which confirms the execution of a received preparatory command by the vehicle control unit.
  • the transmitting device is designed to transmit a parameter dependent on the software, in particular a current software version number, to the updating device.
  • the receiving device is configured to communicate with the updating device.
  • the vehicle control unit further comprises a comparison and release device, which is designed to validate the received messages and to restore the driving readiness of the motor vehicle only if this validation has been completed successfully.
  • the transmitting device of the vehicle control unit that processes the command for blocking need not necessarily be configured to transmit a software-dependent characteristic value, in particular a current software version number, to the updating device. This feature only needs to be present in the car control unit to be updated.
  • the function for blocking the motor vehicle, as well as the comparison and release device, need only be implemented in one vehicle control unit in the vehicle.
  • the activation code is not kept on the update device, but it is calculated from the feedback from the environment (other vehicle control units, backend, driver interaction, support hotline, etc.).
  • the decision to reactivate the vehicle function is transferred from the update device to another vehicle control unit:
  • Updater calculates the activation code from the
  • the code is not known to the updater, so there are no (potential) errors that could be made in the updater.
  • the activation code is in particular calculated by the updating device from data queried by the updated (reprogrammed) vehicle control units. If at least one of the vehicle control devices has not been successfully updated and / or is not in the expected state, it provides different data from which the updating device calculates a different activation code, which is subsequently used in the attempt of
  • the activation code is not compared by the updating device with a reference value. In such an approach the comparison could be skipped by an error or
  • the updating device may maintain the result of a one-way function of the activation code and pre-check before step (F) and (G) whether the restoration of the blocked vehicle function will be successful.
  • hash functions such as MD4, MD5, SHA1 or SHA256 could be used for this purpose.
  • the activation code can be sent in step (F), in particular directly as a value to the device that has blocked the vehicle function.
  • the value may represent a Service ID ("SID") or be used as a parameter in a UDS communication (ISO 14229:2013); on this device the activation code must be validated, for example by comparison with a reference code, or by checking whether the result of a one-way function corresponds to a reference value.
  • one-way functions could be MD4, MD5, SHA1 or the
  • the activation code in step (F) may be included in the algorithm for authenticating the updating device to the at least one vehicle controller. This authentication could be done in particular according to UDS Security Access (see ISO 14229-1:2013, § 9.4, service 0x27) or according to ASAM XCP MCD-1 "UNLOCK".
  • the activation code in step (F) may be used to decrypt a program that contains the algorithms and commands required for the communication.
  • the encryption does not have to offer any cryptographic security, it is sufficient if it is impossible for the updating device to reach the unencrypted program without knowing the activation code.
  • AES256 is an example of a cryptographically secure encryption algorithm
  • DES or RC4 are examples of algorithms that do not provide cryptographic security. Algorithms without cryptographic security usually require less computation time, depending on
  • encryption has the advantage that an arbitrarily complex algorithm for reactivating the vehicle function can be used without changes, and nevertheless it is ensured by the encryption that no part of this algorithm can be triggered without the presence of the activation code. In particular, this can be communicated with each vehicle control unit.
  • step (G) may be implemented as a simple comparison with a reference code: the updating device sends the calculated activation code to the vehicle control unit, which compares the activation code with a reference code.
  • one-way functions can also be used. If a one-way function is used, the comparison device likewise knows only the result of the function: the vehicle control unit calculates the result of the one-way function with the activation code as input. If the result matches the reference value, the activation code is correct.
  • the activation code is sent to the vehicle control unit and checked by the vehicle control unit.
  • the recognition can also take place in the context of existing authentications, in particular UDS Security Access or XCP UNLOCK: in the vehicle control unit, an authentication according to the prior art is implemented, but in the updating device, in contrast to the prior art, the necessary algorithms are stored so that they are usable only when the correct activation code is present. This variant has the advantage that no change to the vehicle control unit is required. This is an example of an indirect check: the activation code is not sent, but without the value the authentication would fail.
  • the program (instructions, algorithms) executed by the updating device for communication with the vehicle controller is stored in encrypted form.
  • a password for the decryption is the activation code, only by the
  • the update device has access to the required commands.
  • if the vehicle controller receives the correct commands, or commands with the correct parameters, from the updater, it is indirectly demonstrated that the updater has the correct activation code.
  • a key (hereinafter “key B") is sent by the vehicle control unit upon successful blocking of the vehicle function.
  • a key B is required if, in addition to preventing a false reactivation of the vehicle function, it must also be demonstrated that no erroneous start of the reprogramming is possible (point (C) in the
  • the key B is calculated from a key A, which has been previously transferred from the updating device to the vehicle control unit.
  • in step (A), at least one vehicle control unit can store key A long term and thus safely recognize and reject old keys.
  • the keys may also be digitally signed so that the updater cannot block the vehicle function with an incorrect key A. It is also possible that key A is sent either before or after the command to block the at least one vehicle function. Key B can also be sent after the message confirming successful blocking.
  • the vehicle control unit always calculates key B from key A, and whether a vehicle function is blocked enters into this calculation.
  • This has the advantage that both states are safe. "Safe" in this context means that faults in the updater always result in a different code (activation code, start code, "code n"), and these errors can then be noticed by the vehicle control units.
  • the vehicle control unit in the normal state can respond to requests for a key B with an error message and answer these requests only if at least one vehicle function is blocked.
  • the algorithm for calculating key B may be constructed such that the blocked vehicle function enters the key B as a parameter.
  • a start code can be calculated by the updating device from data (characteristic values) which are requested by the motor vehicle control units, in particular from the key B. This start code can then be used in step C. This has the advantage that without a previous blocking of the vehicle function, the SW update process can not be started.
  • the start code is used in the same way as the activation code: In particular, it can be used to decrypt commands for the execution of the software update; the start code can be used to decrypt the new software to be installed.
  • the start code can be sent as a parameter or command to a motor vehicle control unit, and/or it can be used for authentication.
  • the method includes updating the software of multiple vehicle control devices.
  • Here a code ("code n"), calculated in particular from the feedback of an n-th vehicle control unit whose software has been updated, is used to perform the software update of an (n+1)-th vehicle control unit. Since the code that contains data of the n-th vehicle control unit exists only when this vehicle control unit has been successfully updated, and this code is used for the update of the (n+1)-th vehicle control unit, it is ensured that the vehicle control units can only be updated in the given order.
  • commands can be decrypted with these codes, they can be sent as parameters or commands to a motor vehicle control unit, and/or they can be used for authentication.
  • the transmission between the updating device and at least one vehicle control unit can also take place via an intermediary gateway.
  • on the one hand, this gateway can be designed to filter impermissible messages; on the other hand, the gateway can connect a wireless interface to a wired interface.
  • Illegal messages could be, for example, messages that contain speed information from the engine or a driving speed: This information may only be sent by the responsible vehicle control units.
  • the gateway can thus prevent the update device from disturbing vehicle functions.
  • the gateway may in particular evaluate a CAN message identifier, a source or destination IP address (e.g. according to IPv6, RFC 2460), and/or a source or destination port (e.g. according to TCP, RFC 793), and/or the direction from which the gateway received the message. It may also be inadmissible for too many messages to be sent by the updating device, since the resulting bus load could lead to a malfunction of vehicle functions.
  • the gateway must be enabled by the updating device before transferring data between the updating device and at least one vehicle control unit.
  • the gateway may be designed so that it does not forward messages that are required for reprogramming during normal operation, such as, for example, the UDS programming session (ISO 14229-1:2013, § 9.2.2.2).
  • a code (“gateway activation code") can be used, which is initially not available on the diagnostic tester, but is calculated in particular from the communication with at least one vehicle control unit.
  • the gateway unlock code may be the same as the start code, but it is also possible that both codes are different; in particular, feedback from the gateway may enter into it.
  • the step of transmitting the calculated activation code to the vehicle control unit also includes transmitting the keys A and / or B, and the step of validating comprises evaluating all values (activation code, and / or key A, and / or Key B).
  • the activation code could be used for decryption and the key A is transmitted.
  • the transmission of key A and/or B could be advantageous if these keys cannot or should not be stored on the vehicle control unit that has blocked at least one vehicle function.
  • blocking the motor vehicle includes activating an immobilizer and / or blocking a starter and / or a fuel pump. In this way, the motor vehicle can be reliably blocked.
  • the method further includes computing the codes (activation code, enablement code, start code, "code n") from the content of at least portions of a memory of a vehicle controller, thereby further verifying the success of the software update, because errors that result in different memory contents can be reliably detected.
  • Safeguards are used; these may include, for example:
  • interrogating the characteristic value comprises interrogating the characteristic values of one or more vehicle control units which, during operation, interact with the vehicle control unit whose software has been updated. This ensures that all car control units that work together in operation are equipped with compatible software versions so that they can cooperate easily.
  • the communication between the updating device and the vehicle control device is encrypted. As a result, unauthorized changes to the vehicle control devices are prevented or at least made considerably more difficult.
  • the interrogation of characteristic values comprises the query of data in at least one external backend system, for example a server of the manufacturer of the vehicle or the vehicle control unit.
  • This makes it easier to exclude unauthorized manipulations and allows complete documentation of the changes made, in particular the final or target state of the vehicle control devices.
  • two processes for restoring the driving readiness of the motor vehicle by the vehicle control device are provided on the updating device: A first process which requires an activation code which can be calculated in the event of a successful update.
  • a second sequence is provided, for which an activation code is required, which is calculated from the backend and / or hotline feedback, which then activates an emergency operation of the vehicle. This has the advantage that on the one hand accidental activation of the emergency operation is impossible, and on the other hand, it is avoided that the vehicle is no longer usable if the update has failed.
  • the method further includes user input (driver interaction), a chassis number, and / or a vehicle identification number in the calculation of the activation code. In this way it can be ensured that the motor vehicle is only reactivated when the user has confirmed the update of the software and / or the newly installed software with the respective motor vehicle (type) is compatible.
  • the interface for transmitting the data between the updating device and the vehicle control device is configured as a wired interface.
  • a wired interface enables reliable data transmission and is inexpensive to implement.
  • the wired interface can be designed as a standardized interface, in particular as an OBD / OBD2 interface.
  • the interface for transferring the data between the updating device and the vehicle control device is configured as a wireless interface.
  • a wireless interface allows a particularly convenient data transmission, since no cables need to be laid and connected.
  • the wireless interface can be made in particular as a WLAN or Bluetooth® connection.
  • communications between the updating device and the vehicle controllers may be known for communication purposes
  • the vehicle control units can, for example, observe minimum and maximum permissible times and
  • the updating device can also selectively use incorrect codes and then incorporate the negative response code of the respective vehicle control unit in another code.
  • the update device may be a separate vehicle control unit, but it may also be a software module in a vehicle control unit. For example, it could also be designed as a virtual machine on an existing vehicle control unit.
  • the advantage of a virtual machine is that a small, ISO 26262 compliant hypervisor can enforce boundary conditions. For example, the virtual machine might not contain writable non-volatile memory, and the hypervisor clears the volatile memory at the end or at the abort of the update. This prevents old acknowledgment messages or old key-values or activation codes from leading to invalid retries.
  • the invention is based on the recognition that the updating of the software ("re-breathing") of a vehicle control unit or of a vehicle control unit network is a variant of a "mobile agent” / "hostile host” configuration:
  • the "Mobile Agent” are the programs for updating the software
  • the "hostile host” is the updating device on which the programs for updating the software run.
  • the updating device may be a true "hostile hosts", for example when an end user's smartphone, tablet or laptop is used as an updating device.
  • FIG. 1 a shows a motor vehicle with a plurality of vehicle control devices and an external updating device.
  • Figure 1b shows a motor vehicle with several vehicle control devices and an internal updating device.
  • Figure 2 shows an enlarged schematic view of an external updating device.
  • Figure 3 shows an enlarged schematic view of an internal updating device.
  • FIG. 4 shows an enlarged schematic view of a vehicle control device.
  • FIG. 5 shows a schematic diagram of the sequence of a method for updating the software of at least one motor vehicle control device installed in a motor vehicle according to an exemplary embodiment of the invention.
  • FIG. 1 a shows a motor vehicle 2 with a plurality of vehicle control devices 4, 6, 8, of which at least one is supplied (“updated") with new software by means of an external updating device 12 a.
  • FIG. 1b shows a motor vehicle 2 with a plurality of motor vehicle control devices 4, 6, 8, of which at least one is supplied (“updated”) with new software by means of an internal updating device 12b.
  • FIG 2 shows an enlarged schematic view of an external updating device 12a.
  • the external updating device 12a may be, for example, a suitably equipped automotive diagnostic tester or a user's smartphone / tablet PC / laptop on which suitable software ("app") is installed.
  • FIG. 3 shows an enlarged schematic view of an internal updating device 12b.
  • the internal updating device 12b may be a vehicle control device 4, 6, 8 built into the motor vehicle 2 for this purpose, or a module in an existing vehicle control device 4, 6, 8.
  • the internal updating device 12b may also be a software module in a motor vehicle control unit 4, 6, 8. In particular, it can be designed as a virtual machine on an existing vehicle control unit 4, 6, 8.
  • the advantage of a virtual machine is that here a small, ISO 26262 compliant hypervisor 38 can enforce boundary conditions.
  • FIG. 4 shows an enlarged schematic view of a vehicle control device 4.
  • the updating device 12a, 12b in each case has a transmitting device 17 and a receiving device 19, which are connected via a wireless or wired data connection 10 to a transmitting device 30 and a receiving device 28 of at least one of the vehicle control devices 4, 6, 8.
  • a wired data connection 10 can be produced, for example, via a standard interface 16 present in the motor vehicle 2, in particular an OBD / OBD2 interface 16.
  • a wireless data connection 10 may be made, for example, by a WLAN or Bluetooth connection.
  • the transmission between the updating device 12a, 12b and at least one vehicle control device 4, 6, 8 can also take place via an intermediary gateway 34.
  • on the one hand, this gateway 34 can be designed to filter impermissible messages; on the other hand, the gateway 34 can connect a wireless interface to a wired interface.
  • the vehicle control units 4, 6, 8 can communicate with one another via data lines 18, in particular a data bus 18, or wirelessly.
  • The sequence of a method for updating the software of at least one of the motor vehicle control units 4, 6, 8 installed in the motor vehicle 2 according to an exemplary embodiment of the invention is shown schematically in FIG. 5.
  • the updating device 12a, 12b receives, via an input device 14 formed on the updating device 12a, 12b or via an interface 15, in particular a mobile radio, WLAN, Bluetooth® or USB interface 15, an order for updating the software of at least one of the vehicle control units 4, 6, 8.
  • the new software which is to be transmitted to the at least one vehicle control device 4, 6, 8 is either stored in a storage device 13 of the updating device 12a, 12b or is transferred via the interface 15, e.g. from a USB storage device ("USB stick", "flash drive"), to the updating device 12a, 12b and possibly stored (temporarily) in the storage device 13.
  • the software may optionally be in encrypted form, so it must first be decrypted before it can be used.
  • the key necessary for decrypting the software may not (yet) be known to the updating device 12a, 12b.
  • the updating device 12a, 12b then sends (at step 120) a command to at least one of the vehicle controllers 4, 6, 8 to shut down the motor vehicle 2 for the duration of the software update.
  • the command may include, for example, to activate an immobilizer 20 of the motor vehicle 2 and / or to block a starter 22 or a fuel pump 24 of the motor vehicle 2.
  • Blocking the motor vehicle 2 in this context may also mean placing the motor vehicle 2 in an "emergency operating state" in which, for example, only limited engine power is available, and/or activating a warning light which indicates that some functions of the motor vehicle 2, such as ABS or ESP, are not available.
  • the activation of the "emergency mode" may include user input by which the user confirms that he is aware that the motor vehicle 2 is in a restricted emergency mode in which not all functions are available.
  • the motor vehicle 2 is activated only in the emergency mode after the user has confirmed to have taken note of this.
  • a key can also be transmitted to the relevant vehicle control unit 4, 6, 8 in this step.
  • once the vehicle control unit 4, 6, 8 has executed the command to block the motor vehicle 2, it sends in step 130 a confirmation message to the updating device 12a, 12b confirming that the command has been executed.
  • the vehicle control unit 4, 6, 8 can also send a key B to the updating device 12a, 12b, which has been calculated in the vehicle control unit 4, 6, 8. If a key A was previously transmitted (in step 120) to the motor vehicle control unit 4, 6, 8, the key B can be calculated in particular from this key A.
  • the algorithm for calculating the key B, or at least parameters which are included in the calculation, is known to the motor vehicle control unit 4, 6, 8 but not to the updating device 12a, 12b.
  • the vehicle control unit 4, 6, 8 may be designed so that key B is only shipped when the at least one vehicle function has been blocked. If the function is not blocked, an error message will be sent. Alternatively, providing a key B may be an always active function, and "Is the vehicle blocked?" Is a parameter that enters the calculation of the key.
  • a calculation device 26 provided in the updating device 12a, 12b calculates a code from data (characteristics) retrieved from the vehicle control devices 4, 6, 8 (step 130).
  • Computation device 26 may be implemented in hardware or software.
  • the key B can also be included in this calculation.
  • the interrogation of the data can also include the interrogation of data in at least one external back-end system 40, e.g. a server of the manufacturer of the motor vehicle 2 or of the vehicle control units 4, 6, 8, in order to exclude unauthorized manipulations and to allow complete documentation of the changes made, in particular the final or target state of the vehicle control units 4, 6, 8. If the new software is stored on the updating device 12a, 12b in encrypted form, this code can be used in particular to decrypt the software (step 140).
  • the encryption of the software does not have to provide cryptographic security.
  • this code may be included in the algorithm for UDS Security Access (ISO 14229:2013, § 9.4, service 0x27) or for ASAM XCP MCD-1 "UNLOCK".
  • the software is transmitted in step 150 via the data link 10 to at least one of the vehicle control units 4, 6, 8 and installed on the at least one vehicle control unit 4, 6, 8.
  • the software may also comprise a plurality of software packages, wherein in particular each software package is provided for updating one of the vehicle control units 4, 6, 8. In particular, an order may be predetermined in which the software packages are to be installed on the various vehicle control devices 4, 6, 8.
  • a vehicle controller 4, 6, 8 whose software has been successfully installed can provide a key value.
  • This key value is in turn used by the calculation device 26 to calculate a new code.
  • This new code is then used in particular for decrypting and updating the next software package.
  • For example, an n-th software package can deactivate certain functions of the motor vehicle 2, e.g. the injection system, in order to bring the motor vehicle 2 into a safe state, and a subsequent m-th software package (m > n), which is decrypted and installed later, can reactivate the deactivated function after the software update has been successfully performed.
  • the calculation device 26 can then be used again to calculate an activation code from data (characteristic values) provided by the motor vehicle control units 4, 6, 8 (step 160).
  • data of all vehicle control units 4, 6, 8, or only of those vehicle control units 4, 6, 8 whose software has been updated, may be queried.
  • data of those vehicle control units 4, 6, 8 can be queried, which interact with the updated vehicle control units 4, 6, 8.
  • the queried data may include, for example, version numbers of the software currently installed on the respective vehicle control device 4, 6, 8 and / or the content of at least one defined subarea or an entire memory 7 of the respective vehicle control unit 4, 6, 8.
  • the queried data can additionally also comprise a user input, which is entered via an input device 5 provided on / in the motor vehicle 2. This makes it possible to ensure that the motor vehicle 2 is activated only after the software update has been confirmed by a user input on the motor vehicle 2 itself.
  • the user input can also be the copying of a release code ("captcha”), which has the advantage that this code can enter into the calculation of the activation code and thus can not be skipped.
  • an "emergency operation" of the motor vehicle 2, in which not all functions of the motor vehicle 2 are available, is activated only after the user has confirmed that he has taken note of the existence of an emergency operation and the associated restrictions.
  • the queried data may also include a chassis number and/or a vehicle identification number or another variable that uniquely identifies the motor vehicle 2 or the vehicle type of the motor vehicle 2. Features of the vehicle configuration, such as the motorization, the number of driven axles and other equipment features, can also be included in the calculation of the activation code.
  • the activation code calculated in this way is used by the updating device 10 for communication with the at least one of the vehicle control units 4, 6, 8 (step 170); optionally, the previously calculated key A or B can additionally be transmitted.
  • If the activation code is not positively validated with the algorithm stored in the respective vehicle control device 4, 6, 8, the motor vehicle 2 is not reactivated. Instead, an error message is issued (step 210).
  • the comparison and release device 32 may be implemented in hardware or software.
  • the communication between the updater 10 and the car controllers 4, 6, 8 may be cryptographically secured, i. encrypted and / or signed done.
  • the vehicle control units 4, 6, 8 may consider minimum and maximum allowable times and activation codes that arrive outside these times, reject.
  • the updating device 12a, 12b can also send targeted false activation codes and then incorporate the negative response code of the respective vehicle control unit 4, 6, 8 in the broad process.
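As an added illustration (not code from the patent or from Bosch), the following Python sketch shows how an updating device could derive an activation code from the queried characteristic values (software versions, memory digests, vehicle features and the user's release code) and how a vehicle control unit could validate it with its stored algorithm, including the time window and the rejection path of step 210. The HMAC construction, the pre-shared secret and all sample values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data standing in for the characteristic values queried
# from the vehicle control units 4, 6, 8 in step 160 (not from the patent).
QUERIED_ECU_DATA = {
    "ecu4": {"sw_version": "3.1.0",
             "mem_digest": hashlib.sha256(b"ecu4 application image").hexdigest()},
    "ecu6": {"sw_version": "1.4.2",
             "mem_digest": hashlib.sha256(b"ecu6 calibration block").hexdigest()},
}
VEHICLE_FEATURES = {"vin": "VIN-PLACEHOLDER-0001", "engine": "2.0L", "driven_axles": 2}
# Assumption: a secret shared between the updating device and the control unit.
SHARED_SECRET = b"demo-shared-secret"


def activation_code(queried, features, release_code, sent_at, secret=SHARED_SECRET):
    """Updating-device side (step 160): derive the activation code from the
    queried data, vehicle features, the user's release code and the send time.
    Canonical JSON keeps both sides' inputs byte-identical."""
    material = json.dumps(
        {"ecus": queried, "vehicle": features,
         "release_code": release_code, "sent_at": sent_at},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def validate_on_ecu(code, queried, features, release_code, sent_at, now,
                    secret=SHARED_SECRET, min_delay=0, max_delay=300):
    """Control-unit side (steps 170/210): recompute the code with the stored
    algorithm and accept it only inside the allowed time window. Any changed
    input (version, memory content, release code) yields a different code."""
    delay = now - sent_at
    if not (min_delay <= delay <= max_delay):
        return False, "rejected: activation code outside allowed time window"
    expected = activation_code(queried, features, release_code, sent_at, secret)
    if not hmac.compare_digest(code, expected):
        return False, "rejected: activation code not validated (step 210)"
    return True, "released: vehicle reactivated"


if __name__ == "__main__":
    code = activation_code(QUERIED_ECU_DATA, VEHICLE_FEATURES, "R7K2-Q9", 1000)
    print(validate_on_ecu(code, QUERIED_ECU_DATA, VEHICLE_FEATURES, "R7K2-Q9", 1000, 1060))
    print(validate_on_ecu(code, QUERIED_ECU_DATA, VEHICLE_FEATURES, "WRONG", 1000, 1060))
```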

Abstract

The present invention relates to a method for updating the software of at least one motor vehicle control unit (4, 6, 8) installed in a motor vehicle (2). The method comprises the following steps: (A) transmitting a preparation instruction, in particular an instruction to block the motor vehicle (2), from an updating device (12a, 12b) to the motor vehicle control unit (4, 6, 8); (B) transmitting a confirmation message by the motor vehicle control unit (4, 6, 8); (C) transmitting new software from the updating device (12a, 12b) to the motor vehicle control unit (4, 6, 8); (D) querying an identifier value from one or more motor vehicle control units (4, 6, 8) installed in the motor vehicle (2); (E) calculating an activation code from the queried identifier values; (F) using the calculated activation code for the subsequent communication with the motor vehicle control unit (4, 6, 8) that has blocked the operation of the vehicle; and (G) executing an instruction to restore the functional availability of the motor vehicle (2) by the motor vehicle control unit (4, 6, 8) only after the motor vehicle control unit (4, 6, 8) has verified, directly or indirectly, that the correct activation code is present.
PCT/EP2018/078830 2017-10-23 2018-10-22 Method and device for updating software of a motor vehicle control unit WO2019081395A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201880082909.2A CN111480141A (zh) 2017-10-23 2018-10-22 Method and device for updating the software of a motor vehicle control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102017218872.3A DE102017218872A1 (de) 2017-10-23 2017-10-23 Method and device for updating software of a motor vehicle control unit
DE102017218872.3 2017-10-23

Publications (1)

Publication Number Publication Date
WO2019081395A1 true WO2019081395A1 (fr) 2019-05-02

Family

ID=64049104

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2018/078830 WO2019081395A1 (fr) 2017-10-23 2018-10-22 Method and device for updating software of a motor vehicle control unit

Country Status (3)

Country Link
CN (1) CN111480141A (fr)
DE (1) DE102017218872A1 (fr)
WO (1) WO2019081395A1 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018218736A1 (de) 2018-11-01 2020-05-07 Continental Automotive Gmbh Device for configuring and validating an intervention in a real-time Ethernet data network
DE102019131087A1 (de) * 2019-11-18 2021-05-20 Audi Ag Software installation in vehicle control units
DE102020116715A1 (de) * 2020-06-25 2021-12-30 Bayerische Motoren Werke Aktiengesellschaft Method for determining a driving release after a software update of a set of control units of a vehicle, computer-readable medium, system and vehicle
CN112506536B (zh) * 2020-11-12 2023-05-30 东风汽车集团有限公司 Vehicle-mounted controller software update method, apparatus, device and medium
JP7452452B2 (ja) 2021-02-02 2024-03-19 トヨタ自動車株式会社 OTA master, software update control method and update control program, and vehicle comprising the OTA master
DE102021125672A1 (de) * 2021-10-04 2023-04-06 Bayerische Motoren Werke Aktiengesellschaft Processor system for a vehicle and method for monitoring a process state after a remote software update

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102008056745A1 (de) * 2008-11-11 2010-05-12 Continental Automotive Gmbh Device for controlling a vehicle function and method for updating a control unit
US20170060559A1 (en) * 2015-08-25 2017-03-02 Ford Global Technologies, Llc Multiple-stage secure vehicle software updating
US20170134164A1 (en) * 2014-11-12 2017-05-11 Panasonic Intellectual Property Corporation Of America Update management method, update management system, and non-transitory recording medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101930629A (zh) * 2010-06-09 2010-12-29 金龙联合汽车工业(苏州)有限公司 Remote update system for a vehicle information collection device and update method thereof
US9858064B2 (en) * 2012-08-16 2018-01-02 Ford Global Technologies, Llc Methods and apparatus for vehicle computing system software updates
CN106533655B (zh) * 2016-10-27 2020-07-31 江苏大学 Method for secure communication of ECUs in an in-vehicle network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113162959A (zh) * 2020-01-23 2021-07-23 华为技术有限公司 Method and apparatus for upgrading an in-vehicle device
WO2021148028A1 (fr) * 2020-01-23 2021-07-29 华为技术有限公司 Method and apparatus for upgrading an on-board device
JP2023511209A (ja) * 2020-01-23 2023-03-16 華為技術有限公司 In-vehicle device upgrade method and apparatus
CN113162959B (zh) * 2020-01-23 2023-06-30 华为技术有限公司 Method and apparatus for upgrading an in-vehicle device
JP7418592B2 (ja) 2020-01-23 2024-01-19 華為技術有限公司 In-vehicle device upgrade method and apparatus
CN114244828A (zh) * 2021-11-30 2022-03-25 三一汽车起重机械有限公司 Data transmission method and vehicle-mounted dynamic data management system
CN114244828B (zh) * 2021-11-30 2023-02-24 三一汽车起重机械有限公司 Data transmission method and vehicle-mounted dynamic data management system

Also Published As

Publication number Publication date
DE102017218872A1 (de) 2019-04-25
CN111480141A (zh) 2020-07-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18795359; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 18795359; Country of ref document: EP; Kind code of ref document: A1)