WO2020105657A1 - Onboard relay device and relay method - Google Patents

Onboard relay device and relay method

Publication number
WO2020105657A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
vehicle
ecu
identifier
relay device
Application number
PCT/JP2019/045350
Inventor
慎一 相羽
宮下 之宏
浩史 上田
直樹 足立
翔悟 上口
史也 石川
Original Assignee
株式会社オートネットワーク技術研究所
住友電装株式会社
住友電気工業株式会社

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]

Definitions

  • the present disclosure relates to an in-vehicle relay device and a relay method.
  • the present application claims priority based on Japanese application No. 2018-219313 filed on Nov. 22, 2018, and incorporates all the contents described in the Japanese application.
  • the CAN communication protocol has been widely adopted for communication between a plurality of in-vehicle ECUs (Electronic Control Units) mounted on a vehicle.
  • the number of in-vehicle ECUs mounted tends to increase as vehicles become more multifunctional and more sophisticated.
  • the in-vehicle ECUs may be divided into groups (segments) to form a vehicle network, with a plurality of in-vehicle ECUs belonging to the same group.
  • the in-vehicle ECUs are connected by a common communication line to mutually transmit and receive data, and the in-vehicle relay device (gateway) relays the transmission and reception of data between in-vehicle ECUs of different groups (for example, Patent Document 1).
  • the vehicle network of Patent Document 1 is equipped with a vehicle network monitoring device that is connected to each segment of the vehicle network and detects unauthorized data (message) flowing in the vehicle network.
  • when the vehicle network monitoring device detects illegal data (a message), it transmits warning information (a message code) to the vehicle-mounted control device (vehicle-mounted ECU).
  • An in-vehicle relay device is mounted in a vehicle, includes a plurality of in-vehicle communication units to which communication lines for communicating with a plurality of in-vehicle ECUs are connected, and relays messages transmitted from the in-vehicle ECUs between the in-vehicle communication units. The device includes a control unit for controlling the relay of the messages. The control unit determines whether a message is correct, stores the message identifier of a message determined to be invalid in an empty area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmits that existing message.
  • FIG. 1 is a schematic diagram illustrating a system configuration including an in-vehicle relay device according to a first embodiment. FIG. 2 is a block diagram illustrating the internal configuration of the in-vehicle relay device and the like. FIG. 3 is an explanatory diagram illustrating one mode of a frame of a CAN message. FIG. 4 is an explanatory diagram illustrating one aspect of the configuration information of the in-vehicle ECUs. FIG. 5 is a flowchart illustrating the processing of the control unit of the in-vehicle relay device. A further flowchart illustrates the processing of the control unit of the in-vehicle relay device according to the second embodiment.
  • the vehicle network monitoring device of Patent Document 1 has a problem that traffic of the vehicle network increases due to the warning information (message code).
  • the object of the present disclosure is to provide an in-vehicle relay device or the like that can suppress an increase in traffic of a vehicle network (in-vehicle LAN) when notifying an in-vehicle ECU that illegal data (message) has been detected.
  • an in-vehicle relay device or the like can be provided that suppresses an increase in traffic of the vehicle network (in-vehicle LAN) when notifying an in-vehicle ECU that illegal data (a message) has been detected.
  • An in-vehicle relay device is installed in a vehicle, includes a plurality of in-vehicle communication units connected to communication lines for communicating with a plurality of in-vehicle ECUs, and transmits a message from the in-vehicle ECU.
  • the control unit stores the message identifier of the message determined to be invalid, for example, in an empty area in the data field of the existing message transmitted to the plurality of in-vehicle ECUs, and transmits that message. Therefore, it is not necessary to transmit a dedicated message to carry the message identifier of the invalid message to the in-vehicle ECUs, and an increase in traffic on the communication line (in-vehicle LAN) to which the relay device and the in-vehicle ECUs are connected can be suppressed.
  • the existing message is a message generated by the control unit.
  • because the existing message is a message generated by the control unit, the in-vehicle relay device is not limited to the timing at which messages are relayed between in-vehicle ECUs: it can store the message identifier of a message determined to be invalid in the empty area of the data field of a message generated by the device itself, and transmit it. By using a message generated by the control unit, that is, a message other than those relayed between the in-vehicle ECUs, as the existing message, the existing message can be transmitted efficiently. Further, when the existing message is a message generated by the control unit, messages generated by the in-vehicle ECUs are not modified, so they are not affected.
  • the existing message is a message relayed from any vehicle-mounted ECU among the plurality of vehicle-mounted ECUs to another vehicle-mounted ECU.
  • because the existing message is a message relayed from any in-vehicle ECU among the plurality of in-vehicle ECUs to another in-vehicle ECU, the in-vehicle relay device can, as part of its relay processing, store the message identifier of the message determined to be invalid in an empty area in the data field of the relayed message and transmit it. By using a message relayed between the in-vehicle ECUs as the existing message, the existing message can be transmitted efficiently.
  • the existing message is a message that is periodically transmitted to the vehicle-mounted ECU.
  • the existing message is, for example, a message that is transmitted periodically, such as a polling message (polling frame) or a network management frame (NM frame) for confirming alive information of the in-vehicle ECU or another in-vehicle relay device. Therefore, when the in-vehicle relay device determines that a message is invalid, it can store the message identifier of that message in the empty area in the data field of the periodically transmitted existing message and transmit it relatively early.
  • the existing message is a message transmitted based on a determination of active and sleep in the vehicle-mounted ECU.
  • the existing message is a message generated by some event or the like and transmitted based on the determination of active and sleep in the in-vehicle ECU, for example a message that causes a communication device in sleep mode to transition to normal mode (wake-up message) or a message that causes a communication device in normal mode to transition to sleep mode (sleep message). Therefore, the message identifier of the message determined to be invalid can be transmitted efficiently by using the empty area in the data field of such a message.
  • the device includes a storage unit in which the ECU identifier of each in-vehicle ECU and the message identifiers included in the messages that the in-vehicle ECU transmits are stored in association with each other. After determining whether a message is correct, the control unit refers to the storage unit and reads the ECU identifier associated with the message identifier of the message determined to be invalid. It then reads all the message identifiers corresponding to the read ECU identifier, that is, those included in the messages transmitted by the in-vehicle ECU corresponding to that ECU identifier, stores them in the empty area of the existing message, and transmits it.
  • from the message identifier of the message determined to be invalid, the control unit identifies the ECU identifier of the in-vehicle ECU that transmits that message, reads all the message identifiers included in the messages transmitted from the in-vehicle ECU with that ECU identifier, and transmits them to the plurality of in-vehicle ECUs. Since the in-vehicle ECU with the read ECU identifier is likely to be performing illegal processing due to a virus or the like, the message identifiers included in the messages transmitted from that in-vehicle ECU are stored in the empty area of the existing message. Therefore, messages transmitted from such an unauthorized in-vehicle ECU can be dealt with efficiently.
  • when the control unit acquires a message including the same message identifier as a message that was determined to be invalid, and determines that the acquired message is valid, it stores the message identifier of the acquired message in the empty area and transmits it.
  • the control unit determines whether an acquired message is correct even when that message includes the message identifier of a message determined to be invalid in earlier processing. If the acquired message is valid, the control unit stores its message identifier in the empty area of the existing message and transmits it. Therefore, when the in-vehicle ECU that transmitted the message determined to be invalid has been excluded, and a valid message including the same message identifier is transmitted from a normal in-vehicle ECU, the in-vehicle relay device and the in-vehicle ECUs can handle the valid message appropriately.
  • A relay method for relaying messages transmitted from a plurality of in-vehicle ECUs mounted on a vehicle: the messages transmitted from the plurality of in-vehicle ECUs are acquired, the correctness of each acquired message is determined, and the message identifier of a message determined to be invalid is stored in the empty area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs and transmitted.
  • a relay method for suppressing an increase in traffic of the vehicle network can be provided when notifying the in-vehicle ECU that the illegal data (message) has been detected.
  • the computer can be made to function as an in-vehicle relay device.
  • FIG. 1 is a schematic diagram illustrating a system configuration including an in-vehicle relay device 2 according to the first embodiment.
  • FIG. 2 is a block diagram illustrating an internal configuration of the vehicle-mounted relay device 2 and the like.
  • the vehicle C is equipped with an external communication device 1, an in-vehicle relay device 2, and a plurality of in-vehicle ECUs 3 communicatively connected to the in-vehicle relay device 2.
  • the vehicle-mounted relay device 2 relays the message transmitted and received among the plurality of vehicle-mounted ECUs 3.
  • the in-vehicle relay device 2 may also transmit a program or data, acquired via the external communication device 1 from the program providing device S1 connected to the external network N, to an in-vehicle ECU 3 (Electronic Control Unit) mounted in the vehicle C.
  • the program providing device S1 is, for example, a computer such as a server connected to an external network N such as the Internet or a public line network. It includes a storage unit S11 such as a RAM (Random Access Memory), a ROM (Read Only Memory), or a hard disk, and corresponds to an external server outside the vehicle.
  • a program or data created by a manufacturer or the like of the vehicle-mounted ECU 3 for controlling the vehicle-mounted ECU 3 is stored in the storage unit S11.
  • the program or data is transmitted to the vehicle C as an update program and is used to update the program or data of the vehicle-mounted ECU 3 mounted on the vehicle C.
  • the program providing device S1 (external server) configured as described above is also referred to as an OTA (Over The Air) server.
  • the in-vehicle ECU 3 installed in the vehicle can acquire the update program transmitted by wireless communication from the program providing device S1 and apply it as the program to be executed, thereby updating (reprogramming) the program executed by the ECU itself.
  • the vehicle C is equipped with an external communication device 1, an in-vehicle relay device 2, a display device 5, and a plurality of in-vehicle ECUs 3 for controlling various in-vehicle devices.
  • the external communication device 1 and the in-vehicle relay device 2 are communicatively connected by a harness such as a serial cable.
  • the in-vehicle relay device 2 and the in-vehicle ECU 3 are communicatively connected by an in-vehicle LAN 4 that supports a communication protocol such as CAN (Controller Area Network / registered trademark).
  • the external communication device 1 includes an external communication unit 11 and an input/output I/F (interface) 12 for communicating with the in-vehicle relay device 2.
  • the external communication unit 11 is a communication device for performing wireless communication using a mobile communication protocol such as 3G, LTE, 4G, or WiFi, and transmits and receives data to and from the program providing device S1 via an antenna 13 connected to the external communication unit 11. Communication between the external communication device 1 and the program providing device S1 is performed via an external network such as a public line network or the Internet.
  • the input/output I/F 12 is a communication interface for serial communication with the in-vehicle relay device 2, for example.
  • the external communication device 1 and the in-vehicle relay device 2 communicate with each other via the input/output I/F 12 and a harness such as a serial cable connected to the input/output I/F 12.
  • the external communication device 1 is a device separate from the in-vehicle relay device 2, and these devices are communicatively connected by the input/output I/F 12 or the like, but the invention is not limited to this.
  • the external communication device 1 may be incorporated in the in-vehicle relay device 2 as a component of the in-vehicle relay device 2.
  • the in-vehicle relay device 2 includes a control unit 20, a storage unit 21, an in-vehicle communication unit 23, and an input/output I/F 24.
  • the in-vehicle relay device 2 is a gateway (relay device) that supervises the segments formed by communication lines 41 (CAN bus / CAN cable) of a plurality of systems, such as the control-system in-vehicle ECUs 3, the safety-system in-vehicle ECUs 3, and the body-system in-vehicle ECUs 3, and relays communication between the in-vehicle ECUs 3 across these segments.
  • the vehicle-mounted relay device 2 may be configured as one functional unit of the body ECU that controls the entire vehicle C.
  • the storage unit 21 is configured by a volatile memory device such as a RAM (Random Access Memory) or a non-volatile memory device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a control program and data to be referred to during processing.
  • the control program stored in the storage unit 21 may be a control program read from a recording medium 22 readable by the in-vehicle relay device 2. Alternatively, the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21.
  • the storage unit 21 stores the configuration information of all the vehicle-mounted ECUs 3 mounted on the vehicle C and the route information (routing table) used for performing the relay process.
  • the in-vehicle communication unit 23 is, for example, an input/output interface (CAN transceiver) using the CAN (Controller Area Network) communication protocol. Via the in-vehicle communication unit 23, the control unit 20 communicates with in-vehicle devices connected to the in-vehicle LAN 4, such as the in-vehicle ECUs 3 or other relay devices.
  • a plurality of (in the drawing, three) in-vehicle communication units 23 are provided, and each of the in-vehicle communication units 23 is connected to the communication line 41 that constitutes the in-vehicle LAN 4.
  • the in-vehicle LAN 4 is divided into a plurality of segments, and each in-vehicle ECU is connected to a segment according to its function (control system function, safety system function, body system function).
  • the control unit 20 is configured by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, and reads and executes a control program and data stored in advance in the storage unit 21 to perform various control processes, arithmetic processing, and the like.
  • the control unit 20 receives messages transmitted from the in-vehicle ECUs 3 connected to each of the communication lines 41 or transmits messages to the in-vehicle ECUs 3, and functions as, for example, a CAN controller. Further, the control unit 20 refers to the message identifier, such as the CAN-ID, included in a received message and, based on that message identifier (CAN-ID) and the route information (routing table) stored in the storage unit 21, identifies the in-vehicle communication unit 23 corresponding to the segment that is the transmission destination.
  • the control unit 20 functions as a CAN gateway that relays the received message by transmitting the received message from the specified in-vehicle communication unit 23.
  • although the control unit 20 functions as a CAN controller here, the present invention is not limited to this.
  • the in-vehicle communication unit 23 may function as a CAN transceiver and a CAN controller.
  • the control unit 20 functions as a determination unit that determines the correctness of a message by analyzing the received message. In this determination, an invalid message is, for example, a message transmitted from an in-vehicle ECU that is in an abnormal state due to a virus or the like that has entered from outside the vehicle via the external communication device 1 or the like, or from an in-vehicle ECU that has been illegally replaced.
  • the control unit 20 executes a diagnostic program (diagnosis process) on the received message or performs the function of IDS (Intrusion Detection System) to analyze the message and determine whether the message is correct.
  • the control unit 20 may determine, as an invalid message, a message that is transmitted in a cycle different from the transmission cycle prescribed for that message.
  • by analyzing the received message in this way to determine whether it is correct, the control unit 20 can, for example, determine that a message transmitted from an illegal (abnormal) in-vehicle ECU 3 spoofing a legitimate (normal) in-vehicle ECU 3 is an invalid message.
  • the control unit 20 stores a message identifier, such as the CAN-ID included in the message determined to be invalid, in the data field of an existing message, such as a wake-up message that is transmitted regularly or irregularly, and transmits it.
  • the existing message is not the message determined to be invalid but some other message. It may be a message generated by the control unit 20, a message generated by an in-vehicle ECU 3 and relayed by the control unit 20, or both.
  • the in-vehicle ECU 3 includes a control unit 30, a storage unit 31, and an in-vehicle communication unit 32 similar to the in-vehicle communication unit 23 of the in-vehicle relay device 2.
  • the storage unit 31 is configured by a volatile memory device such as a RAM (Random Access Memory) or a non-volatile memory device such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM), or a flash memory, and stores the program or data of the in-vehicle ECU 3.
  • the storage unit 31 of the vehicle-mounted ECU 3 stores the message identifier stored in the empty area in the data field of the existing message transmitted from the vehicle-mounted relay device 2.
  • the control unit 30 of the in-vehicle ECU 3 is configured by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, and reads and executes programs and data stored in the storage unit 31 to perform control processing and the like, thereby controlling the in-vehicle device including the in-vehicle ECU 3 or the actuator.
  • by storing in the storage unit 31 the message identifier carried in the empty area in the data field of the existing message transmitted from the in-vehicle relay device 2, the control unit 30 of the in-vehicle ECU 3 recognizes that a message including the same message identifier is an illegal message and is not relayed by the in-vehicle relay device 2.
  • the display device 5 is, for example, an HMI (Human Machine Interface) device such as a car navigation display.
  • the display device 5 is communicatively connected to the input/output I/F 24 of the in-vehicle relay device 2 by a harness such as a serial cable.
  • the display device 5 displays data or information output from the control unit 20 of the in-vehicle relay device 2 via the input/output I/F 24.
  • when the in-vehicle relay device 2 determines that a received message is an invalid message as described above, it may transmit information such as the message identifier included in the invalid message to the display device 5, and the display device 5 may display the received information.
  • the connection form between the display device 5 and the in-vehicle relay device 2 is not limited to connection via the input/output I/F 24 and the like; the display device 5 and the in-vehicle relay device 2 may be connected via the in-vehicle LAN 4.
  • An IG switch 6 (ignition switch) for starting or stopping the vehicle C is communicably connected to the input/output I/F 24 of the in-vehicle relay device 2 by a wire harness such as a serial cable.
  • the control unit 20 of the in-vehicle relay device 2 acquires (receives) the signal output (transmitted) from the IG switch 6 via the input/output I/F 24.
  • the control unit 20 of the in-vehicle relay device 2 transmits information regarding ON or OFF of the IG switch 6 to all the in-vehicle ECUs 3 via the in-vehicle communication unit 23 based on the acquired signal.
  • the vehicle-mounted relay device 2 transmits a message indicating that the IG switch 6 is turned on to all the vehicle-mounted ECUs 3 regularly or irregularly.
  • the in-vehicle ECU 3 acquires information regarding ON or OFF of the IG switch 6 based on the information transmitted from the in-vehicle relay device 2 and performs a predetermined operation based on the acquired information. For example, an in-vehicle ECU that has received the message indicating that the IG switch 6 is in the on state determines whether to transition its own ECU to the power-saving sleep state, continue the sleep state, or transition to the active state.
  • the messages caused by the on/off of the IG switch, that is, the messages used when transitioning from the active state to the sleep state, when continuing the sleep state, or when transitioning from the sleep state to the active state, are included among the existing messages used when a message identifier is stored in the empty area in the data field and transmitted. Such a message is transmitted at the time of wake-up or sleep and is called a wake-up message or a sleep message.
  • the wake-up message and the sleep message may be transmitted by a network management frame (NM frame) transmitted regularly or an event frame transmitted irregularly.
  • the wake-up message or the like transmitted regularly or irregularly is a message already used in the communication between the plurality of vehicle-mounted ECUs 3 and the vehicle-mounted relay device 2 by CAN, and is included in the existing message.
  • FIG. 3 is an explanatory diagram illustrating an example of a frame of a CAN message.
  • CAN is a communication protocol defined by ISO11898 and the like, and the frame types of CAN messages (frames) transmitted and received are classified into data frames, remote frames, error frames and overload frames. In FIG. 3, one mode of the data frame in these frame types is illustrated.
  • the data frame of the CAN message is classified into four fields of CAN-ID, DLC, DATA (data) and CRC.
  • the CAN-ID field stores a message identifier for identifying a message and indicating (determining) the priority of the message.
  • the message identifier is called a CAN-ID or an arbitration ID and is represented by 11-bit data, for example.
  • the in-vehicle relay device 2 and the in-vehicle ECU 3 extract (reference) the message identifier (CAN-ID) stored in the CAN-ID field of a received message, and determine whether or not to process the message based on the message identifier.
  • Information indicating a data length code is stored in the DLC field, and indicates the number of bytes of data stored in the DATA field (data field).
  • the DATA field stores content data up to 8 bytes.
  • a cyclic redundancy check code and a recessive delimiter bit are stored in the CRC field, and are used for error detection when the content data stored in the DATA field is bit-inverted.
  • the CAN message of the data frame includes SOF (Start Of Frame), IDE (Identifier Extension), and ACK in addition to the above fields, but description thereof will be omitted.
  • the message (wakeup message) transmitted at wakeup belongs to the data frame.
  • the wake-up message is transmitted by the vehicle-mounted relay device 2 to all vehicle-mounted ECUs 3 connected to the in-vehicle communication unit 23 regularly or irregularly, triggered by an event caused by turning on the IG switch 6 or the like.
  • in the DATA field (data field) of the wake-up message, the entire area of 8 bytes is not used, so there is a free area (free bit area).
  • the in-vehicle relay device 2 stores the message identifier (CAN-ID) of the message determined to be invalid in the empty area of the DATA field (data field), and transmits the wake-up message.
  • the wake-up message is transmitted by multicast to all in-vehicle ECUs 3, and each in-vehicle ECU 3 can receive the wake-up message.
  • the wake-up message is an existing message that the in-vehicle relay device 2 transmits periodically or irregularly in order for the in-vehicle ECU 3 to determine whether to make a transition to the sleep state. Because the message identifier of the message determined to be invalid can be transmitted in this existing message, the process of generating and transmitting a dedicated message can be eliminated. That is, by effectively using the empty area of the existing message when transmitting the message identifier of the message determined to be invalid, the in-vehicle relay device 2 can suppress an increase in traffic of the in-vehicle LAN 4 to which the in-vehicle ECUs 3 are connected. Further, since the in-vehicle relay device 2 does not generate a dedicated message for transmitting the message identifier of the message determined to be invalid, the processing load of the control unit 20 of the in-vehicle relay device 2 can be reduced.
  • although the existing message transmitted by the in-vehicle relay device 2 regularly or irregularly has been described as the wake-up message, the present invention is not limited to this.
  • the existing message may be a message that has a purpose other than the purpose of transmitting the message identifier of the message determined to be invalid and that the vehicle-mounted relay device 2 transmits regularly or irregularly.
  • a polling message transmitted periodically or irregularly to confirm the state of the in-vehicle ECU 3, a message transmitted periodically or irregularly to request transmission of the configuration information of the in-vehicle ECU 3, or a message transmitted irregularly due to some event is included in the existing message.
  • the existing message may be a network management frame (NM frame) for confirming alive information of the vehicle-mounted ECU 3 or another vehicle-mounted relay device connected to the in-vehicle LAN 4.
  • the existing message is not limited to a message generated by the control unit 20 of the in-vehicle relay device 2, such as a wake-up message or a network management frame, and may be a message generated by the in-vehicle ECU 3 and relayed by the control unit 20.
  • FIG. 4 is an explanatory diagram illustrating an example of the configuration information of the vehicle-mounted ECU 3.
  • the in-vehicle relay device 2 stores the configuration information of all in-vehicle ECUs 3 connected to the in-vehicle communication unit 23.
  • the configuration information is based on, for example, an information group (configuration information master table) indicated by the items in the table shown in the figure.
  • the configuration information includes, for example, the serial number of each in-vehicle ECU 3 and the CAN-IDs (message identifiers) included in the messages transmitted by each in-vehicle ECU 3, which are managed in association with the ECU-ID (ECU identifier), a serial number set so as not to be duplicated among the in-vehicle ECUs 3.
  • the in-vehicle relay device 2 extracts the CAN-ID (message identifier) stored in the CAN-ID field of the received message, refers to the configuration information (configuration information master table) of the in-vehicle ECUs 3 stored in the storage unit 21, and reads out and identifies (derives) the in-vehicle ECU 3 that includes the extracted CAN-ID in its messages. Further, the in-vehicle relay device 2 can identify all CAN-IDs included in the messages transmitted by the identified in-vehicle ECU 3.
  • the in-vehicle relay device 2 can identify that the in-vehicle ECU 3 that transmitted the message in which the CAN-ID is 2 is the in-vehicle ECU 3 whose ECU-ID is 003. Furthermore, the in-vehicle relay device 2 can identify that the CAN-IDs (message identifiers) included in the messages transmitted by the identified in-vehicle ECU 3 (stored in the CAN-ID field) are 2 and 9.
  • FIG. 5 is a flowchart illustrating the process of the control unit 20 of the vehicle-mounted relay device 2.
  • the control unit 20 of the in-vehicle relay device 2 constantly performs the following processing when the vehicle C is in the activated state (the IG switch 6 is on) or in the stopped state (the IG switch 6 is off).
  • the control unit 20 of the in-vehicle relay device 2 acquires the message (S10).
  • the control unit 20 acquires a message transmitted from any of the vehicle-mounted ECUs 3 by receiving the message via the in-vehicle communication unit 23, and stores the acquired message in the storage unit 21.
  • the control unit 20 of the in-vehicle relay device 2 determines whether the message is invalid (S11).
  • The control unit 20 analyzes the acquired message using a function such as an IDS and determines whether the message is an unauthorized message transmitted from an unauthorized vehicle-mounted ECU 3, that is, whether the message is valid or not.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier (S12).
  • When the control unit 20 determines that the message is an invalid message, it extracts the CAN-ID (message identifier) stored in the CAN-ID field of the message and stores it in the storage unit 21 as a message identifier whose relay is to be prohibited (relay prohibition message identifier).
  • the control unit 20 of the in-vehicle relay device 2 determines whether it is the transmission timing of the existing message (S13).
  • the control unit 20 determines whether or not a predetermined operation such as turning on the IG switch 6 has been executed as a determination as to whether the present time is the transmission timing of the existing message.
  • The control unit 20 uses a timekeeping function and determines whether or not the present time is the transmission timing of the existing message, based on whether or not a predetermined cycle has elapsed while the IG switch 6 is in the ON state. For example, when a predetermined operation such as turning on the IG switch 6 is executed or when a predetermined period elapses while the IG switch 6 is on, the control unit 20 determines that the present time is the transmission timing of the existing message.
  • When it is determined that it is not the transmission timing of the existing message (S13: NO), the control unit 20 of the in-vehicle relay device 2 performs loop processing to execute the process of S13 again. That is, the control unit 20 waits until the transmission timing of the existing message.
  • Even while waiting, the control unit 20 may acquire messages transmitted from the vehicle-mounted ECUs 3 and determine whether each acquired message is invalid. When it detects an invalid message, it may store the message identifier of that message in the storage unit 21, adding it to the relay prohibition message identifiers stored there.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier in the empty area in the data field of the existing message and transmits it (S14).
  • When the control unit 20 determines that the present time is the transmission timing of the existing message, it stores the relay prohibition message identifier stored in the storage unit 21 in the empty area of the DATA field of the existing message, such as the wake-up message, and transmits the existing message to the vehicle-mounted ECU 3.
  • When storing the relay prohibition message identifier in the empty area, the control unit 20 may also store in the empty area information indicating that a message including the same message identifier as the relay prohibition message identifier (stored in the CAN-ID field) is an invalid message.
  • Because the message identifier of the invalid message is carried in the existing message, the control unit 20 of the vehicle-mounted relay device 2 does not need to generate and send a dedicated message for transmitting it. Therefore, it is possible to reduce the processing load of the in-vehicle relay device 2 and suppress an increase in traffic of the in-vehicle LAN 4.
  • the vehicle-mounted ECU 3 that has received the existing message extracts the relay prohibition message identifier stored in the DATA field of the existing message and stores it in the storage unit 31 of its own ECU.
  • The vehicle-mounted ECU 3 that stores the relay prohibition message identifier in the storage unit 31 can recognize that a message including the same message identifier as the relay prohibition message identifier in the CAN-ID field is an invalid message. Therefore, even if an unauthorized message including the same message identifier as the relay prohibition message identifier is transmitted to it, the in-vehicle ECU 3 discards the unauthorized message without using it for controlling the own ECU.
  • The vehicle-mounted ECU 3 that stores the relay prohibition message identifier in the storage unit 31 recognizes that a message including the same message identifier as the relay prohibition message identifier in the CAN-ID field is a message that is not relayed by the vehicle-mounted relay device 2.
  • the control unit 20 of the in-vehicle relay device 2 prohibits relay of a message including the message identifier (S15).
  • the control unit 20 prohibits the relay of a message including the same message identifier as the relay prohibition message identifier (stored in the CAN-ID field).
  • This suppresses transmission (relay) of the unauthorized message transmitted from the unauthorized vehicle-mounted ECU 3 to vehicle-mounted ECUs 3 connected to a communication line 41 (segment) different from the communication line 41 (segment) to which the unauthorized vehicle-mounted ECU 3 is connected.
  • The control unit 20 of the in-vehicle relay device 2 determines whether the message identifier corresponds to a relay prohibition message identifier (S111).
  • When the control unit 20 determines that the received message is a valid message, it compares the message identifier (CAN-ID) stored in the CAN-ID field of the message with the relay prohibition message identifiers stored in the storage unit 21 to determine whether or not the message identifier (CAN-ID) corresponds to a relay prohibition message identifier.
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier in the empty area of the existing message and transmits it (S112).
  • When the message identifier of the received message corresponds to a relay prohibition message identifier stored in the storage unit 21, a message including that message identifier was determined to be an invalid message in earlier processing.
  • The in-vehicle ECU 3 that transmitted the invalid message is replaced with an in-vehicle ECU 3, or the program executed by the in-vehicle ECU 3 is restored, so that the in-vehicle ECU 3 is in a normal state.
  • When the control unit 20 determines that the message includes the same message identifier as a relay prohibition message identifier (stored in the CAN-ID field) and is not an invalid message, it stores in the empty area of the existing message the message identifier together with information indicating that a message including the message identifier is a valid message, and transmits the existing message to the vehicle-mounted ECU 3. Alternatively, the control unit 20 may store, and transmit to the vehicle-mounted ECU 3, information indicating that control for processing as an invalid message, such as relay prohibition processing, is invalidated (released) for the message identifier of the message determined to be normal (the message determined not to be invalid). When storing the message identifier of the message determined to be valid in the empty area of the existing message and transmitting it, the control unit 20 may perform the transmission based on the transmission timing of the existing message, as in the process of S13.
  • The vehicle-mounted ECU 3 that has received the existing message transmitted from the vehicle-mounted relay device 2 processes the messages it receives based on the message identifier stored in the empty area of the existing message and the information indicating that a message including that message identifier is a valid message. That is, the vehicle-mounted ECU 3 receives the message including the message identifier and uses it for control of its own ECU or the like as necessary.
  • The control unit 20 of the in-vehicle relay device 2 determines whether the message including the message identifier is valid and, if it determines that the message is valid (normal), deletes the relay prohibition message identifier from the storage unit 21.
  • the control unit 20 of the in-vehicle relay device 2 restarts relaying the message including the message identifier (S113).
  • The message identifier stored in the storage unit 21 as the relay prohibition message identifier is deleted from the storage unit 21. Therefore, for a message including the message identifier (stored in the CAN-ID field), the control unit 20 identifies the in-vehicle communication unit 23 that is the relay destination on the basis of the route information stored in the storage unit 21, and restarts the process of transmitting and relaying the message via the identified in-vehicle communication unit 23.
  • When the illegal (abnormal) vehicle-mounted ECU 3 that transmitted the illegal message is restored to a legitimate (normal) vehicle-mounted ECU 3 that transmits legitimate messages, the vehicle-mounted ECU 3 or the vehicle-mounted relay device 2 can receive or relay the messages transmitted from the restored legitimate vehicle-mounted ECU 3.
  • the control unit 20 of the in-vehicle relay device 2 relays the message (S1111).
  • The control unit 20 determines that the message is a valid message and performs the relay process based on the message identifier (CAN-ID) included in the CAN-ID field.
  • After executing the processing of S15, S113, or S1111, the control unit 20 performs loop processing to execute the processing of S10 again.
  • Because the control unit 20 of the in-vehicle relay device 2 uses the free space of an existing message that is transmitted regularly or irregularly to transmit the message identifier of the message determined to be invalid to the in-vehicle ECU 3, an increase in the traffic of the in-vehicle LAN 4 can be suppressed. Further, even if a message includes the same message identifier as the message identifier of the message determined to be invalid, if that message is determined to be valid, information indicating that a message with that message identifier is a valid message is stored in the empty area of the existing message and transmitted to the vehicle-mounted ECU 3. Therefore, it is possible to allow the vehicle-mounted ECU 3 or the vehicle-mounted relay device 2 to receive or relay a valid message including the message identifier while suppressing an increase in traffic of the in-vehicle LAN 4.
  • By using as the existing message, for example, the wake-up message transmitted by the vehicle-mounted relay device 2 at the timing when the IG switch 6 is turned on (at the time of wake-up), the message identifier of the message determined to be invalid can be transmitted to the vehicle-mounted ECU 3 using the empty area of the DATA field of the wake-up message.
  • the communication protocol of the vehicle-mounted relay device 2 and the vehicle-mounted ECU 3 is described based on CAN, but is not limited to this.
  • The communication between the vehicle-mounted relay device 2 and the vehicle-mounted ECU 3 may use a communication protocol other than CAN; it is sufficient to use a communication protocol capable of transmitting an existing message having an empty area in the data field to a plurality of vehicle-mounted ECUs 3 by multicast or broadcast.
  • FIG. 6 is a flowchart illustrating a process of the control unit 20 of the vehicle-mounted relay device 2 according to the second embodiment.
  • The process of the control unit 20 of the in-vehicle relay device 2 according to the second embodiment differs from the first embodiment in that it identifies the in-vehicle ECU 3 that transmitted the message determined to be invalid and handles the message identifiers that the identified in-vehicle ECU 3 may include in its messages as relay prohibition message identifiers.
  • the control unit 20 of the in-vehicle relay device 2 performs the process of (S20, S21) as in the process of (S10, S11) of the first embodiment.
  • the control unit 20 of the in-vehicle relay device 2 identifies the in-vehicle ECU 3 that has transmitted the message (S22).
  • The control unit 20 extracts the message identifier (CAN-ID) stored in the CAN-ID field of the received message and, based on the extracted message identifier and the configuration information of the vehicle-mounted ECUs 3 stored in the storage unit 21, identifies the vehicle-mounted ECU 3 that includes that message identifier in its messages (stores it in the CAN-ID field).
  • the control unit 20 of the in-vehicle relay device 2 stores the message identifier (S23).
  • The control unit 20 refers to the configuration information of the vehicle-mounted ECUs 3 stored in the storage unit 21, identifies all message identifiers (CAN-IDs) that may be included in the messages transmitted by the identified vehicle-mounted ECU 3, and stores all the identified message identifiers (CAN-IDs) in the storage unit 21 as relay prohibition message identifiers.
  • The in-vehicle ECU 3 that has transmitted the illegal message has a high probability of being an illegal (abnormal) in-vehicle ECU 3. Therefore, the control unit 20 of the vehicle-mounted relay device 2 identifies the illegal (abnormal) vehicle-mounted ECU 3 and stores all the message identifiers (CAN-IDs) that the illegal (abnormal) vehicle-mounted ECU 3 may include when transmitting a message in the storage unit 21 as relay prohibition message identifiers. As a result, it is possible to efficiently cope with the illegal (abnormal) vehicle-mounted ECU 3, such as by prohibiting the relay of illegal messages from the illegal (abnormal) vehicle-mounted ECU 3.
  • the control unit 20 of the vehicle-mounted relay device 2 performs the processing of (S24, S25, S26), similar to the processing of (S13, S14, S15) of the first embodiment.
  • The message identifiers (CAN-IDs) that are transmitted in S25 and whose relay is prohibited in S26 are all the message identifiers (CAN-IDs) included in the messages transmitted by the unauthorized (abnormal) vehicle-mounted ECU 3 identified in S22.
  • The in-vehicle ECU 3 that has received the existing message transmitted from the in-vehicle relay device 2 can, based on the message identifiers (CAN-IDs) stored in the empty area of the existing message, deal appropriately with invalid messages transmitted from the illegal (abnormal) in-vehicle ECU 3, for example by discarding them.
  • The control unit 20 of the in-vehicle relay device 2 performs the processing of (S211, S212, S2111, S213) similarly to the processing of (S111, S112, S1111, S113) of the first embodiment.
  • the control unit 20 performs the process of S26, S213, or S2111, and then performs the loop process to perform the process of S20 again, as in the process of the first embodiment.
  • Reference signs: C: vehicle; S1: program providing device; S11: storage unit; 1: vehicle outside communication device; 11: vehicle outside communication unit; 12: input/output I/F; 13: antenna; 2: vehicle-mounted relay device; 20: control unit; 21: storage unit; 22: recording medium; 23: in-vehicle communication unit (CAN transceiver); 24: input/output I/F; 3: in-vehicle ECU; 30: control unit; 31: storage unit; 32: in-vehicle communication unit (CAN transceiver); 4: in-vehicle LAN; 41: communication line; 5: display device; 6: IG switch
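
The relay-side steps (identify the sending ECU, prohibit all of its CAN-IDs, place the identifiers in the free area of an existing message) and the ECU-side handling described above, as an added C example that is not code from the patent. The 2-byte entry layout (present bit, prohibit/release bit, 11-bit CAN-ID), the one-byte wake-up payload, and every table row other than ECU-ID 003 are assumptions; the IDS verdict is taken as an input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_DLC        8        /* classic CAN data field length in bytes */
#define ID_MASK        0x07FFu  /* 11-bit CAN-ID */
#define ENTRY_PRESENT  0x8000u  /* assumed layout: slot carries an entry */
#define ENTRY_PROHIBIT 0x4000u  /* assumed layout: 1 = prohibit, 0 = valid again */

/* Configuration information master table: ECU-ID -> CAN-IDs it may send.
 * Constructed sample; only the ECU-ID 003 row (2 and 9) is from the page. */
struct ecu_cfg { uint16_t ecu_id; uint16_t can_ids[4]; size_t n; };
static const struct ecu_cfg master[] = {
    { 1, { 1, 5 }, 2 }, { 2, { 3 }, 1 }, { 3, { 2, 9 }, 2 },
};

/* Relay prohibition message identifiers, one bit per CAN-ID. */
struct blocklist { uint8_t bits[(ID_MASK + 1u) / 8u]; };

static void bl_set(struct blocklist *b, uint16_t id, bool on)
{
    uint8_t *byte = &b->bits[(id & ID_MASK) / 8];
    uint8_t bit = (uint8_t)(1u << (id % 8));
    *byte = on ? (uint8_t)(*byte | bit) : (uint8_t)(*byte & ~bit);
}

static bool bl_test(const struct blocklist *b, uint16_t id)
{
    return ((b->bits[(id & ID_MASK) / 8] >> (id % 8)) & 1u) != 0;
}

/* S22/S23: derive the sending ECU from the CAN-ID of the invalid message and
 * prohibit every CAN-ID that ECU may send. A CAN-ID missing from the table is
 * prohibited on its own (S12). The IDs to announce are written to out[]. */
static size_t gw_on_invalid(struct blocklist *bl, uint16_t can_id,
                            uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t e = 0; e < sizeof master / sizeof master[0]; e++) {
        const struct ecu_cfg *c = &master[e];
        bool hit = false;
        for (size_t i = 0; i < c->n; i++) hit = hit || c->can_ids[i] == can_id;
        if (!hit) continue;
        for (size_t i = 0; i < c->n; i++) {
            bl_set(bl, c->can_ids[i], true);
            if (n < cap) out[n++] = c->can_ids[i];
        }
        return n;
    }
    bl_set(bl, can_id, true);
    if (n < cap) out[n++] = can_id;
    return n;
}

/* S14/S25: write entries into the bytes the existing message does not use
 * (data[used..7]). Returns how many IDs fitted into this frame. */
static size_t pack_entries(uint8_t data[CAN_DLC], size_t used,
                           const uint16_t *ids, size_t n, bool prohibit)
{
    size_t done = 0;
    if (used > CAN_DLC) return 0;
    memset(data + used, 0, CAN_DLC - used);      /* empty slots read 0x0000 */
    for (size_t off = used; off + 2 <= CAN_DLC && done < n; off += 2, done++) {
        uint16_t e = (uint16_t)(ENTRY_PRESENT | (prohibit ? ENTRY_PROHIBIT : 0u)
                                | (ids[done] & ID_MASK));
        data[off]     = (uint8_t)(e >> 8);
        data[off + 1] = (uint8_t)(e & 0xFFu);
    }
    return done;
}

/* Receiving ECU: update its own list (storage unit 31) from the free area. */
static size_t ecu_apply(struct blocklist *bl, const uint8_t data[CAN_DLC],
                        size_t used)
{
    size_t applied = 0;
    for (size_t off = used; off + 2 <= CAN_DLC; off += 2) {
        uint16_t e = (uint16_t)((data[off] << 8) | data[off + 1]);
        if (!(e & ENTRY_PRESENT)) continue;
        bl_set(bl, e & ID_MASK, (e & ENTRY_PROHIBIT) != 0);
        applied++;
    }
    return applied;
}

int main(void)
{
    struct blocklist gw = {{0}}, ecu = {{0}};
    uint16_t ids[4];
    uint8_t wake[CAN_DLC] = { 0x01 };  /* constructed wake-up frame, byte 0 in use */
    size_t n = gw_on_invalid(&gw, 2, ids, 4);    /* IDS judged CAN-ID 2 invalid */
    size_t sent = pack_entries(wake, 1, ids, n, true);
    size_t got = ecu_apply(&ecu, wake, 1);
    printf("blocked=%zu sent=%zu applied=%zu drop9=%d relay3=%d\n",
           n, sent, got, bl_test(&ecu, 9), !bl_test(&gw, 3));
    return 0;
}
```

With one payload byte in use, three entries fit in the seven free bytes; `pack_entries` returns how many it wrote, so a caller can carry the remainder over to the next existing message.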

Abstract

This onboard relay device is mounted in a vehicle and is provided with a plurality of in-vehicle communication units to which are connected a plurality of communication lines for communicating with a plurality of onboard ECUs, with a message transmitted from an onboard ECU being relayed between the in-vehicle communication units, wherein: the onboard relay device is provided with a control unit for controlling the relaying of the message; and the control unit assesses the legitimacy of the message, stores the message identifier of a message assessed as being illegitimate in a free space inside the data field of existing messages transmitted to the plurality of onboard ECUs, and transmits the message identifier of the message.

Description

In-vehicle relay device and relay method
 本開示は、車載中継装置及び中継方法に関する。
 本出願は、2018年11月22日出願の日本出願第2018-219312号に基づく優先権を主張し、前記日本出願に記載された全ての記載内容を援用するものである。
The present disclosure relates to an in-vehicle relay device and a relay method.
The present application claims priority based on Japanese application No. 2018-219313 filed on Nov. 22, 2018, and incorporates all the contents described in the Japanese application.
Conventionally, the CAN communication protocol has been widely adopted for communication between a plurality of in-vehicle ECUs (Electronic Control Units) mounted on a vehicle. The number of in-vehicle ECUs mounted tends to increase as vehicles become more multifunctional and more sophisticated. The in-vehicle ECUs are divided into groups (segments) to form a vehicle network; the plurality of in-vehicle ECUs in the same group are connected by a common communication line and exchange data with one another, while data exchanged between in-vehicle ECUs of different groups is relayed by an in-vehicle relay device (gateway) (for example, Patent Document 1).
In addition to the in-vehicle relay device (gateway), the vehicle network of Patent Document 1 includes a vehicle network monitoring device that is connected to each segment of the vehicle network and detects unauthorized data (messages) flowing in the vehicle network. When the vehicle network monitoring device detects unauthorized data (a message), it transmits warning information (a message code) to the vehicle-mounted control device (in-vehicle ECU).
Japanese Unexamined Patent Application Publication No. 2013-131907
An in-vehicle relay device according to an aspect of the present disclosure is mounted in a vehicle, includes a plurality of in-vehicle communication units to which communication lines for communicating with a plurality of in-vehicle ECUs are connected, and relays messages transmitted from the in-vehicle ECUs between the in-vehicle communication units.
The in-vehicle relay device includes a control unit that controls the relay of the messages.
The control unit determines whether a message is valid, stores the message identifier of a message determined to be invalid in an empty area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmits it.
A schematic diagram illustrating a system configuration including the in-vehicle relay device according to the first embodiment.
A block diagram illustrating the internal configuration of the in-vehicle relay device and the like.
An explanatory diagram illustrating one form of a CAN message frame.
An explanatory diagram illustrating one form of the configuration information of the in-vehicle ECUs.
A flowchart illustrating the processing of the control unit of the in-vehicle relay device.
A flowchart illustrating the processing of the control unit of the in-vehicle relay device according to the second embodiment.
[Problems to be solved by the present disclosure]
The vehicle network monitoring device of Patent Document 1 has the problem that the warning information (message code) increases the traffic of the vehicle network.
An object of the present disclosure is to provide an in-vehicle relay device or the like that can suppress an increase in traffic of the vehicle network (in-vehicle LAN) when notifying the in-vehicle ECUs that unauthorized data (a message) has been detected.
[Effect of the present disclosure]
According to an aspect of the present disclosure, it is possible to provide an in-vehicle relay device or the like that can suppress an increase in traffic of the vehicle network (in-vehicle LAN) when notifying the in-vehicle ECUs that unauthorized data (a message) has been detected.
[Description of Embodiments of the Present Disclosure]
First, embodiments of the present disclosure will be listed and described. At least some of the embodiments described below may be combined as desired.
(1) An in-vehicle relay device according to an aspect of the present disclosure is mounted in a vehicle, includes a plurality of in-vehicle communication units to which communication lines for communicating with a plurality of in-vehicle ECUs are connected, and relays messages transmitted from the in-vehicle ECUs between the in-vehicle communication units.
The in-vehicle relay device includes a control unit that controls the relay of the messages.
The control unit determines whether a message is valid, stores the message identifier of a message determined to be invalid in an empty area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmits it.
In this aspect, the control unit stores the message identifier of a message determined to be invalid in, for example, an empty area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmits it. This makes it unnecessary to transmit a dedicated message for sending the message identifier of the invalid message to the plurality of in-vehicle ECUs, and an increase in traffic on the communication line (in-vehicle LAN) to which the relay device and the in-vehicle ECUs are connected can be suppressed.
(2) In the in-vehicle relay device according to an aspect of the present disclosure, the existing message is a message generated by the control unit.
In this aspect, since the existing message is a message generated by the control unit, the in-vehicle relay device can store the message identifier of a message determined to be invalid in an empty area in the data field of a message that the device itself generates and transmit it, without being constrained by the timing at which messages are relayed between in-vehicle ECUs. By using as the existing message a message generated by the control unit, that is, a message other than those relayed between in-vehicle ECUs, the existing message can be transmitted efficiently. Furthermore, when the existing message is a message generated by the control unit, the messages generated by the in-vehicle ECUs are not modified, so any effect on the messages generated by the in-vehicle ECUs can be prevented.
(3) In the in-vehicle relay device according to an aspect of the present disclosure, the existing message is a message relayed from one of the plurality of in-vehicle ECUs to another in-vehicle ECU.
In this aspect, since the existing message is a message relayed from one of the plurality of in-vehicle ECUs to another in-vehicle ECU, the message identifier of a message determined to be invalid can be stored in an empty area in the data field of the relayed message and transmitted as part of the relay processing performed by the in-vehicle relay device. By using a message relayed between in-vehicle ECUs as the existing message in this way, the existing message can be transmitted efficiently.
(4) In the in-vehicle relay device according to an aspect of the present disclosure, the existing message is a message that is periodically transmitted to the in-vehicle ECUs.
In this aspect, the existing message is a message that is transmitted periodically, for example a polling message (polling frame) or a network management frame (NM frame) for confirming alive information of an in-vehicle ECU or another in-vehicle relay device. Therefore, when the in-vehicle relay device determines that a message is invalid, it can, relatively early, store the message identifier of that message in an empty area in the data field of the periodically transmitted existing message and transmit it.
(5) In the in-vehicle relay device according to an aspect of the present disclosure, the existing message is a message transmitted based on a determination between active and sleep in the in-vehicle ECU.
In this aspect, the existing message is a message generated by some event or the like, and is a message transmitted based on a determination between active and sleep in the in-vehicle ECU, for example a message that causes a communication device in sleep mode to transition to normal mode (wake-up message) or a message that causes a communication device in normal mode to transition to sleep mode (sleep message). Therefore, the message identifier of a message determined to be invalid can be transmitted efficiently by using the empty area in the data field of a message transmitted based on the determination between active and sleep in the in-vehicle ECU.
(6) The in-vehicle relay device according to an aspect of the present disclosure includes a storage unit in which the ECU identifier of each in-vehicle ECU and the message identifiers included in messages when that in-vehicle ECU transmits them are stored in association with each other.
After determining whether the message is valid, the control unit refers to the storage unit to read the ECU identifier associated with the message identifier of the message determined to be invalid.
When the in-vehicle ECU corresponding to the read ECU identifier transmits a message, the control unit reads all the message identifiers corresponding to the read ECU identifier, stores them in the empty area of the message, and transmits them.
In this aspect, from the message identifier of a message determined to be invalid, the control unit reads the ECU identifier of the in-vehicle ECU that transmits that message, and transmits to the plurality of in-vehicle ECUs all the message identifiers included in the messages transmitted from the in-vehicle ECU with the read ECU identifier. The in-vehicle ECU with the read ECU identifier is highly likely to be performing unauthorized processing due to a virus or the like. Because the message identifiers included in the messages transmitted from that in-vehicle ECU are stored in the empty area of the existing message and transmitted to the plurality of in-vehicle ECUs, messages transmitted from such an unauthorized in-vehicle ECU can be dealt with efficiently.
(7)本開示の一態様に係る車載中継装置は、前記制御部は、前記メッセージの正否の判定によって不正と判定されたメッセージのメッセージ識別子と同一のメッセージ識別子が含まれるメッセージを取得し、
 前記取得したメッセージが正当であると判定した場合、前記取得したメッセージのメッセージ識別子を前記空き領域に格納して送信する。
(7) In the vehicle-mounted relay device according to an aspect of the present disclosure, the control unit acquires a message including a message identifier that is the same as the message identifier of the message that is determined to be incorrect by determining whether the message is correct,
When it is determined that the acquired message is valid, the message identifier of the acquired message is stored in the empty area and transmitted.
In this aspect, even when the control unit acquires a message containing the message identifier of a message it determined to be invalid in earlier processing, it determines the validity of the acquired message. If the acquired message is found to be valid, the control unit stores the message identifier of the acquired message in the free area of an existing message and transmits it. Therefore, after the in-vehicle ECU that transmitted the invalid message has been removed or otherwise dealt with, when a valid message containing the same message identifier as the invalid message is transmitted from a normal in-vehicle ECU, the in-vehicle relay device and the in-vehicle ECUs can handle that valid message appropriately.
(8) A relay method according to an aspect of the present disclosure is a relay method for relaying messages transmitted from a plurality of in-vehicle ECUs mounted on a vehicle, the method including:
acquiring messages transmitted from the plurality of in-vehicle ECUs mounted on the vehicle,
determining the validity of each acquired message, and
storing the message identifier of a message determined to be invalid in the free area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmitting it.
In this aspect, it is possible to provide a relay method that suppresses an increase in traffic on the vehicle network (in-vehicle LAN) when notifying the in-vehicle ECUs that invalid data (a message) has been detected.
In this aspect, a computer can be made to function as an in-vehicle relay device.
[Details of Embodiments of the Present Disclosure]
The present disclosure is described specifically with reference to the drawings showing its embodiments. The in-vehicle relay device 2 according to an embodiment of the present disclosure is described below with reference to the drawings. The present disclosure is not limited to these examples; it is defined by the claims and is intended to include all modifications within the meaning and scope equivalent to the claims.
(Embodiment 1)
Embodiments are described below with reference to the drawings. FIG. 1 is a schematic diagram illustrating a system configuration including the in-vehicle relay device 2 according to Embodiment 1. FIG. 2 is a block diagram illustrating the internal configuration of the in-vehicle relay device 2 and related devices. The vehicle C is equipped with an external communication device 1, an in-vehicle relay device 2, and a plurality of in-vehicle ECUs 3 communicably connected to the in-vehicle relay device 2. The in-vehicle relay device 2 relays messages transmitted and received among these in-vehicle ECUs 3. The in-vehicle relay device 2 may also transmit a program or data, acquired via the external communication device 1 from the program providing device S1 connected to the external network N, to an in-vehicle ECU 3 (Electronic Control Unit) mounted on the vehicle C.
The program providing device S1 is a computer such as a server connected to the external network N, for example the Internet or a public line network. It includes a storage unit S11 such as a RAM (Random Access Memory), a ROM (Read Only Memory) or a hard disk, and corresponds to an external server outside the vehicle. In the program providing device S1, a program or data for controlling an in-vehicle ECU 3, created by the manufacturer of that in-vehicle ECU 3 or the like, is stored in the storage unit S11. The program or data is transmitted to the vehicle C as an update program and is used to update the program or data of the in-vehicle ECU 3 mounted on the vehicle C. The program providing device S1 (external server) configured in this way is also called an OTA (Over The Air) server. An in-vehicle ECU 3 mounted on the vehicle acquires the update program transmitted by wireless communication from the program providing device S1 and applies it as the program to be executed, thereby updating (reprogramming) the program that the ECU itself executes.
The vehicle C is equipped with the external communication device 1, the in-vehicle relay device 2, a display device 5, and a plurality of in-vehicle ECUs 3 for controlling various in-vehicle devices. The external communication device 1 and the in-vehicle relay device 2 are communicably connected by a harness such as a serial cable. The in-vehicle relay device 2 and the in-vehicle ECUs 3 are communicably connected by an in-vehicle LAN 4 that supports a communication protocol such as CAN (Control Area Network, registered trademark).
The external communication device 1 includes an external communication unit 11 and an input/output I/F (interface) 12 for communicating with the in-vehicle relay device 2. The external communication unit 11 is a communication device for wireless communication using a mobile communication protocol such as 3G, LTE, 4G or WiFi, and exchanges data with the program providing device S1 via an antenna 13 connected to the external communication unit 11. Communication between the external communication device 1 and the program providing device S1 takes place over an external network such as a public line network or the Internet.
The input/output I/F 12 is a communication interface for, for example, serial communication with the in-vehicle relay device 2. The external communication device 1 and the in-vehicle relay device 2 communicate with each other via the input/output I/F 12 and a harness, such as a serial cable, connected to the input/output I/F 12. In the present embodiment, the external communication device 1 is a device separate from the in-vehicle relay device 2, and the two are communicably connected by the input/output I/F 12 or the like, but the configuration is not limited to this. The external communication device 1 may be built into the in-vehicle relay device 2 as one of its components.
The in-vehicle relay device 2 includes a control unit 20, a storage unit 21, in-vehicle communication units 23 and an input/output I/F 24. The in-vehicle relay device 2 is, for example, a gateway (relay) that oversees segments formed by communication lines 41 (CAN buses / CAN cables) of multiple systems, such as control-system in-vehicle ECUs 3, safety-system in-vehicle ECUs 3 and body-system in-vehicle ECUs 3, and relays communication between in-vehicle ECUs 3 across these segments. Alternatively, the in-vehicle relay device 2 may be configured as one functional unit of a body ECU that controls the entire vehicle C.
The storage unit 21 is composed of a volatile memory element such as a RAM (Random Access Memory) or a non-volatile memory element such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a control program and data referred to during processing. The control program stored in the storage unit 21 may be one read from a recording medium 22 readable by the in-vehicle relay device 2. Alternatively, the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21. The storage unit 21 stores the configuration information of all in-vehicle ECUs 3 mounted on the vehicle C and the route information (routing table) used for relay processing.
Each in-vehicle communication unit 23 is, for example, an input/output interface (CAN transceiver) using the CAN (Control Area Network) communication protocol. Through the in-vehicle communication units 23, the control unit 20 communicates with in-vehicle devices connected to the in-vehicle LAN 4, such as the in-vehicle ECUs 3 or other relay devices. A plurality of in-vehicle communication units 23 are provided (three in the drawing), and a communication line 41 constituting the in-vehicle LAN 4 is connected to each of them. Providing a plurality of in-vehicle communication units 23 in this way divides the in-vehicle LAN 4 into a plurality of segments, and each in-vehicle ECU is connected to a segment according to its function (control-system, safety-system or body-system function).
The control unit 20 is composed of a CPU (Central Processing Unit), an MPU (Micro Processing Unit) or the like, and performs various control and arithmetic processing by reading and executing the control program and data stored in advance in the storage unit 21. The control unit 20 receives messages transmitted from the in-vehicle ECUs 3 connected to each communication line 41 and transmits messages to those in-vehicle ECUs 3, functioning, for example, as a CAN controller. The control unit 20 also refers to the message identifier, such as the CAN-ID, contained in a received message and, based on that message identifier (CAN-ID) and the route information (routing table) stored in the storage unit 21, identifies the in-vehicle communication unit 23 corresponding to the destination segment. The control unit 20 then transmits the received message from the identified in-vehicle communication unit 23, thereby functioning as a CAN gateway that relays the message. The control unit 20 is described here as functioning as a CAN controller, but the configuration is not limited to this; the in-vehicle communication unit 23 may function as both a CAN transceiver and a CAN controller.
The control unit 20 functions as a determination unit that determines the validity of a received message by analyzing it. In this determination, an invalid message is, for example, a message transmitted from an unauthorized in-vehicle ECU, such as an in-vehicle ECU put into an abnormal state by a virus or the like that entered from outside the vehicle via the external communication device 1 or the like, or an in-vehicle ECU that was illicitly replaced. The control unit 20 analyzes a received message and determines its validity by running a diagnostic program (diagnosis process) on it or by exercising the function of an IDS (Intrusion Detection System). Alternatively, the control unit 20 may determine that a message transmitted at a cycle different from the transmission cycle prescribed for that message is invalid. By analyzing received messages with such methods, the control unit 20 can, for example, determine that a message transmitted from an unauthorized (abnormal) in-vehicle ECU 3 impersonating a legitimate (normal) in-vehicle ECU 3 is an invalid message.
As described in detail later, the control unit 20 stores the message identifier, such as the CAN-ID, contained in a message determined to be invalid in the free area in the data field of an existing message, such as the wake-up message that it transmits regularly or irregularly, and transmits (notifies) it to all in-vehicle ECUs 3. That is, the existing message is not the error message determined to be invalid but a message other than that error message; it may be a message generated by the control unit 20, or a message generated by an in-vehicle ECU 3 and relayed by the control unit 20. It may also be both kinds of message, those generated by the control unit 20 and those generated by the in-vehicle ECUs 3.
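The cycle-based judgment mentioned above, as an added C example that is not code from the patent: it flags any CAN-ID whose inter-arrival time deviates from its prescribed cycle by more than a tolerance. The prescribed cycles, tolerances and the received-frame trace are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct cycle_rule { uint16_t can_id; uint32_t period_ms; uint32_t tol_ms; };
struct rx_event   { uint32_t t_ms;   uint16_t can_id; };

/* Prescribed transmission cycles (constructed values). */
static const struct cycle_rule RULES[] = {
    { 0x002, 100, 10 },
    { 0x009, 500, 20 },
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

/* Constructed trace: 0x002 is on schedule except for one extra frame at t=150. */
static const struct rx_event TRACE[] = {
    { 0, 0x002 },   { 5, 0x009 },   { 100, 0x002 }, { 150, 0x002 },
    { 200, 0x002 }, { 505, 0x009 }, { 1005, 0x009 },
};
#define N_TRACE (sizeof TRACE / sizeof TRACE[0])

static int rule_index(uint16_t can_id)
{
    for (size_t i = 0; i < N_RULES; i++)
        if (RULES[i].can_id == can_id)
            return (int)i;
    return -1;
}

/* Writes each CAN-ID whose inter-arrival time left [period - tol, period + tol]
 * to flagged (once per ID) and returns how many were written. */
size_t judge_by_cycle(const struct rx_event *ev, size_t n,
                      uint16_t *flagged, size_t cap)
{
    bool seen[N_RULES] = { false }, reported[N_RULES] = { false };
    uint32_t last[N_RULES] = { 0 };
    size_t n_flagged = 0;

    for (size_t i = 0; i < n; i++) {
        int r = rule_index(ev[i].can_id);
        if (r < 0)
            continue;                 /* no prescribed cycle: left to other checks */
        if (seen[r]) {
            uint32_t delta = ev[i].t_ms - last[r];  /* unsigned: survives timer wrap */
            uint32_t p = RULES[r].period_ms;
            uint32_t dev = delta > p ? delta - p : p - delta;
            if (dev > RULES[r].tol_ms && !reported[r] && n_flagged < cap) {
                flagged[n_flagged++] = ev[i].can_id;
                reported[r] = true;
            }
        }
        seen[r] = true;
        last[r] = ev[i].t_ms;
    }
    return n_flagged;
}

int main(void)
{
    uint16_t flagged[N_RULES];
    size_t n = judge_by_cycle(TRACE, N_TRACE, flagged, N_RULES);
    for (size_t i = 0; i < n; i++)
        printf("judged invalid by cycle: CAN-ID 0x%03X\n", (unsigned)flagged[i]);
    return 0;
}
```

A cycle check alone cannot tell which of two frames with the same CAN-ID came from the legitimate ECU, so it yields the identifier to prohibit rather than the sender.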
Each in-vehicle ECU 3 includes a control unit 30, a storage unit 31, and an in-vehicle communication unit 32 similar to the in-vehicle communication unit 23 of the in-vehicle relay device 2. The storage unit 31 is composed of a volatile memory element such as a RAM (Random Access Memory) or a non-volatile memory element such as a ROM (Read Only Memory), an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores the program or data of the in-vehicle ECU 3. The storage unit 31 of the in-vehicle ECU 3 also stores the message identifier that was stored in the free area in the data field of an existing message transmitted from the in-vehicle relay device 2.
The control unit 30 of the in-vehicle ECU 3 is composed of a CPU (Central Processing Unit), an MPU (Micro Processing Unit) or the like, and performs control processing by reading and executing the program and data stored in the storage unit 31, thereby controlling the in-vehicle device, actuator or the like that includes the in-vehicle ECU 3. By storing in the storage unit 31 the message identifier held in the free area in the data field of an existing message transmitted from the in-vehicle relay device 2, the control unit 30 of the in-vehicle ECU 3 recognizes that a message containing the same message identifier is an invalid message that the in-vehicle relay device 2 does not relay.
The display device 5 is an HMI (Human Machine Interface) device such as a car navigation display. The display device 5 is communicably connected to the input/output I/F 24 of the in-vehicle relay device 2 by a harness such as a serial cable. The display device 5 displays data or information output from the control unit 20 of the in-vehicle relay device 2 via the input/output I/F 24. When the in-vehicle relay device 2 determines, as described above, that a received message is invalid, it may transmit information such as the message identifier contained in the invalid message to the display device 5 and have the display device 5 display that information. Displaying the information on the display device 5 makes it possible to notify the operator of the vehicle C that an invalid message has been detected. The connection between the display device 5 and the in-vehicle relay device 2 is not limited to a connection via the input/output I/F 24 or the like; the display device 5 and the in-vehicle relay device 2 may be connected via the in-vehicle LAN 4.
An IG switch 6 (ignition switch), which starts or stops the vehicle C, is communicably connected to the input/output I/F 24 of the in-vehicle relay device 2 by a wire harness such as a serial cable. When the IG switch 6 is turned on or off, the control unit 20 of the in-vehicle relay device 2 acquires (receives) the signal output (transmitted) from the IG switch 6 via the input/output I/F 24. Based on the acquired signal, the control unit 20 of the in-vehicle relay device 2 transmits information on whether the IG switch 6 is on or off to all in-vehicle ECUs 3 via the in-vehicle communication units 23. In addition, while the IG switch 6 is on, the in-vehicle relay device 2 regularly or irregularly transmits a message indicating that the IG switch 6 is on to all in-vehicle ECUs 3. Each in-vehicle ECU 3 acquires the information on whether the IG switch 6 is on or off from the information transmitted by the in-vehicle relay device 2 and performs a predetermined operation based on it.
For example, an in-vehicle ECU that has received the message indicating that the IG switch 6 is on decides whether to transition itself to a power-saving sleep state, remain in the sleep state, or transition to the active state. Existing messages arising from the IG switch being turned on or off are messages used when transitioning from the active state to the sleep state, when remaining in the sleep state, or when transitioning from the sleep state to the active state, and they are among the existing messages used when the message identifier of a message determined to be invalid is stored in the free area in the data field and transmitted. Such messages are transmitted at wake-up or at sleep and are called wake-up messages or sleep messages. These wake-up and sleep messages may be carried by a network management frame (NW frame) transmitted regularly or by an event frame transmitted irregularly. Wake-up messages and the like, transmitted regularly or irregularly in this way, are messages already used in CAN communication between the plurality of in-vehicle ECUs 3 and the in-vehicle relay device 2, and are included in the existing messages.
FIG. 3 is an explanatory diagram illustrating one form of a CAN message frame. CAN is a communication protocol defined by ISO11898 and other standards, and the frame types of the CAN messages (frames) transmitted and received are classified into data frames, remote frames, error frames and overload frames. FIG. 3 illustrates one form of the data frame among these frame types. The data frame of a CAN message is divided into four fields: CAN-ID, DLC, DATA and CRC. The CAN-ID field stores a message identifier that identifies the message and indicates (determines) its priority. The message identifier is called the CAN-ID or arbitration ID and is represented, for example, by 11 bits of data. The in-vehicle relay device 2 and the in-vehicle ECUs 3 extract (refer to) the message identifier (CAN-ID) stored in the CAN-ID field of a received message and determine, based on that message identifier, whether the message needs to be processed. The DLC field stores the data length code, which indicates the number of bytes of data stored in the DATA field (data field). The DATA field stores up to 8 bytes of content data.
The CRC field stores a cyclic redundancy check code and a recessive delimiter bit, and is used to detect errors such as bit inversion of the content data stored in the DATA field. In addition to the above fields, the CAN message of a data frame includes SOF (Start Of Frame), IDE (Identifier Extension) and ACK, but their description is omitted here.
The message transmitted at wake-up (the wake-up message) is a data frame. Triggered by an event such as the IG switch 6 being turned on, the in-vehicle relay device 2 transmits the wake-up message regularly or irregularly to all in-vehicle ECUs 3 connected to the in-vehicle communication units 23. In the DATA field (data field) of the wake-up message, not all of the 8-byte area is used, so a free area (free bit area) exists. The in-vehicle relay device 2 stores the message identifier (CAN-ID) of the message determined to be invalid in this free area of the DATA field and transmits the wake-up message. The wake-up message is transmitted by multicast to all in-vehicle ECUs 3, and each in-vehicle ECU 3 can receive it. The wake-up message is an existing message that the in-vehicle relay device 2 transmits regularly or irregularly so that the in-vehicle ECUs 3 can decide whether to transition to the sleep state.
By storing the message identifier of a message determined to be invalid in the free area of an existing message that is already transmitted regularly or irregularly, the process of generating and transmitting a dedicated message for that message identifier becomes unnecessary. That is, by making effective use of the free area of an existing message when transmitting the message identifier of the invalid message, the in-vehicle relay device 2 can suppress an increase in traffic on the in-vehicle LAN 4 to which the in-vehicle ECUs 3 are connected. In addition, because the in-vehicle relay device 2 does not generate a dedicated message for transmitting the message identifier of the invalid message, the processing load on the control unit 20 of the in-vehicle relay device 2 can be reduced.
The existing message that the in-vehicle relay device 2 transmits regularly or irregularly has been described as the wake-up message, but it is not limited to this. The existing message may be any message that has a purpose other than transmitting the message identifier of a message determined to be invalid and that the in-vehicle relay device 2 transmits regularly or irregularly. Examples included in the existing messages are a polling message transmitted regularly or irregularly to check the state of the in-vehicle ECUs 3, a message transmitted regularly or irregularly to request transmission of the configuration information of the in-vehicle ECUs 3, and a message transmitted irregularly in response to some event. Alternatively, the existing message may be a network management frame (NM frame) for checking alive information of the in-vehicle ECUs 3 or other in-vehicle relay devices connected to the in-vehicle LAN 4. The existing message is not limited to messages generated by the control unit 20 of the in-vehicle relay device 2, such as the wake-up message or network management frame; it may be a message generated by an in-vehicle ECU 3 and relayed by the control unit 20.
FIG. 4 is an explanatory diagram illustrating one form of the configuration information of the in-vehicle ECUs 3. The in-vehicle relay device 2 stores the configuration information of all in-vehicle ECUs 3 connected to the in-vehicle communication units 23. The configuration information is, for example, the group of information (configuration information master table) given by the items of the table shown in FIG. 4. The configuration information includes, for example, the manufacturing number (serial number) of each in-vehicle ECU 3 and the CAN-IDs (message identifiers) that each in-vehicle ECU 3 includes in the messages it transmits, and is managed in association with an ECU-ID (ECU identifier), such as a sequential number assigned so as not to overlap among the individual in-vehicle ECUs 3.
The in-vehicle relay device 2 extracts the CAN-ID (message identifier) stored in the CAN-ID field of a received message, refers to the configuration information (configuration information master table) of the in-vehicle ECUs 3 stored in the storage unit 21, and reads out and identifies (derives) the in-vehicle ECU 3 that includes the extracted CAN-ID in its messages. The in-vehicle relay device 2 can further identify all CAN-IDs that the identified in-vehicle ECU 3 includes in the messages it transmits. For example, when the extracted CAN-ID (message identifier) is 2, the in-vehicle relay device 2 can identify that the in-vehicle ECU 3 that transmitted the message with CAN-ID 2 is the in-vehicle ECU 3 whose ECU-ID is 003. The in-vehicle relay device 2 can further identify that the CAN-IDs (message identifiers) that the identified in-vehicle relay device 2 includes in the messages it transmits (stores in the CAN-ID field) are 2 and 9. By storing or managing each in-vehicle ECU 3 in association with the CAN-IDs (message identifiers) it includes in its messages in this way, the in-vehicle ECU 3 that transmitted a message, and all CAN-IDs used by that in-vehicle ECU 3, can be identified from the CAN-ID extracted from the received message.
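An added C example, not code from the patent, of the notification path described above and in the wake-up message discussion: the gateway expands a CAN-ID judged invalid to every CAN-ID of the sending ECU via the configuration table, packs them into the free bytes of a wake-up frame, and an ECU extracts them. The slot layout (2 bytes per entry, top bit as a validity marker), the 2-byte wake-up payload, the wake-up CAN-ID and all table rows except ECU-ID 003 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAN_DATA_MAX       8        /* classic CAN data field: up to 8 bytes */
#define CAN_ID_MASK        0x07FFu  /* 11-bit message identifier */
#define ENTRY_VALID        0x8000u  /* assumed marker: tells an entry from zeroed free bytes */
#define WAKEUP_PAYLOAD_LEN 2        /* assumed: bytes the wake-up message itself uses */
#define MAX_IDS_PER_ECU    4

struct frame { uint16_t can_id; uint8_t dlc; uint8_t data[CAN_DATA_MAX]; };
struct ecu_config { uint16_t ecu_id; size_t n_ids; uint16_t can_ids[MAX_IDS_PER_ECU]; };

/* Configuration master table. Only the ECU-ID 003 row follows the text;
 * the other rows are constructed. */
static const struct ecu_config CONFIG[] = {
    { 1, 2, { 0x001, 0x005 } },
    { 2, 1, { 0x003 } },
    { 3, 2, { 0x002, 0x009 } },
};

/* Gateway: copy every CAN-ID used by the ECU that owns bad_id into out.
 * Returns the count, or 0 when no configured ECU uses bad_id. */
size_t ids_of_sender(uint16_t bad_id, uint16_t *out, size_t cap)
{
    for (size_t i = 0; i < sizeof CONFIG / sizeof CONFIG[0]; i++)
        for (size_t j = 0; j < CONFIG[i].n_ids; j++)
            if (CONFIG[i].can_ids[j] == bad_id) {
                size_t n = CONFIG[i].n_ids < cap ? CONFIG[i].n_ids : cap;
                memcpy(out, CONFIG[i].can_ids, n * sizeof out[0]);
                return n;
            }
    return 0;
}

/* Gateway: store ids in the free 2-byte slots after the message's own payload
 * (free bytes must be zero on entry). Returns how many were stored; the rest
 * must wait for the next existing message. */
size_t piggyback_ids(struct frame *f, const uint16_t *ids, size_t n)
{
    size_t stored = 0;
    for (size_t off = WAKEUP_PAYLOAD_LEN;
         off + 2 <= CAN_DATA_MAX && stored < n; off += 2) {
        if (f->data[off] & 0x80)
            continue;                        /* slot already carries an entry */
        uint16_t entry = (uint16_t)(ENTRY_VALID | (ids[stored] & CAN_ID_MASK));
        f->data[off]     = (uint8_t)(entry >> 8);
        f->data[off + 1] = (uint8_t)(entry & 0xFF);
        stored++;
    }
    if (stored > 0)
        f->dlc = CAN_DATA_MAX;               /* transmit the whole data field */
    return stored;
}

/* ECU: read the relay-prohibited CAN-IDs out of a received wake-up frame. */
size_t extract_ids(const struct frame *f, uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t off = WAKEUP_PAYLOAD_LEN; off + 2 <= f->dlc && n < cap; off += 2) {
        uint16_t entry = (uint16_t)((f->data[off] << 8) | f->data[off + 1]);
        if (entry & ENTRY_VALID)
            out[n++] = (uint16_t)(entry & CAN_ID_MASK);
    }
    return n;
}

/* End to end: the gateway judged bad_id invalid; returns what an ECU reads back. */
size_t notify_roundtrip(uint16_t bad_id, uint16_t *received, size_t cap)
{
    /* Constructed wake-up frame: CAN-ID 0x7F0, two payload bytes, rest free. */
    struct frame wake = { .can_id = 0x7F0, .dlc = WAKEUP_PAYLOAD_LEN,
                          .data = { 0x01, 0x00 } };
    uint16_t ids[MAX_IDS_PER_ECU];
    size_t n = ids_of_sender(bad_id, ids, MAX_IDS_PER_ECU);
    piggyback_ids(&wake, ids, n);
    return extract_ids(&wake, received, cap);
}

int main(void)
{
    uint16_t rx[MAX_IDS_PER_ECU];
    size_t n = notify_roundtrip(0x002, rx, MAX_IDS_PER_ECU);
    for (size_t i = 0; i < n; i++)
        printf("relay-prohibited CAN-ID: 0x%03X\n", (unsigned)rx[i]);
    return 0;
}
```

With a 2-byte payload only three identifiers fit in one frame, so an ECU that uses more CAN-IDs than that needs several existing messages before every receiver has the full list.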
FIG. 5 is a flowchart illustrating the processing of the control unit 20 of the in-vehicle relay device 2. The control unit 20 of the in-vehicle relay device 2 constantly performs the following processing while the vehicle C is in the activated state (IG switch 6 on) or in the stopped state (IG switch 6 off).
The control unit 20 of the in-vehicle relay device 2 acquires a message (S10). The control unit 20 acquires a message transmitted from any of the in-vehicle ECUs 3 by receiving it via the in-vehicle communication unit 23, and stores the acquired message in the storage unit 21.
The control unit 20 of the in-vehicle relay device 2 determines whether the message is invalid (S11). The control unit 20 analyzes the acquired message by performing a function such as an IDS, and determines whether the message is an invalid message transmitted from an unauthorized in-vehicle ECU 3, that is, whether the message is valid or not.
When it determines that the message is invalid (S11: YES), the control unit 20 of the in-vehicle relay device 2 stores the message identifier (S12). In that case, the control unit 20 extracts the CAN-ID (message identifier) stored in the CAN-ID field of the message and stores it in the storage unit 21 as a message identifier whose relay is prohibited (relay prohibition message identifier).
The control unit 20 of the in-vehicle relay device 2 determines whether it is the transmission timing of an existing message (S13). To determine whether the present time is the transmission timing of an existing message, the control unit 20 determines whether a predetermined operation, such as turning on the IG switch 6, has been performed. Alternatively, the control unit 20 performs a timekeeping function and determines whether the present time is the transmission timing of an existing message based on whether a predetermined period has elapsed while the IG switch 6 is on. For example, when a predetermined operation such as turning on the IG switch 6 has been performed, or when a predetermined period has elapsed while the IG switch 6 is on, the control unit 20 determines that the present time is the transmission timing of an existing message.
When it determines that it is not the transmission timing of an existing message (S13: NO), the control unit 20 of the in-vehicle relay device 2 loops to perform S13 again. That is, the control unit 20 waits until the transmission timing of an existing message. Even while waiting, the control unit 20 may acquire messages transmitted from the in-vehicle ECUs 3, determine whether each acquired message is invalid, and, when it detects an invalid message, store the message identifier of that message in the storage unit 21, thereby adding to the relay prohibition message identifiers stored in the storage unit 21.
When it determines that it is the transmission timing of an existing message (S13: YES), the control unit 20 of the in-vehicle relay device 2 stores the message identifier in a free area in the data field of the existing message and transmits it (S14). In that case, the control unit 20 stores the relay prohibition message identifier stored in the storage unit 21 in the free area of the DATA field of an existing message, such as a wake-up message, and transmits the existing message to the in-vehicle ECUs 3. When storing the relay prohibition message identifier in the free area, the control unit 20 may also store in the free area information indicating that a message including (storing in its CAN-ID field) the same message identifier as the relay prohibition message identifier is an invalid message.
By using the free area of an existing message that is transmitted regularly or irregularly for a purpose other than transmitting the message identifier of an invalid message, the control unit 20 of the in-vehicle relay device 2 does not need to generate and transmit a dedicated message for transmitting the message identifier of the invalid message. This reduces the processing load of the in-vehicle relay device 2 and suppresses an increase in traffic on the in-vehicle LAN 4.
An in-vehicle ECU 3 that receives the existing message extracts the relay prohibition message identifier stored in the DATA field of the existing message and stores it in the storage unit 31 of its own ECU. Having stored the relay prohibition message identifier in the storage unit 31, the in-vehicle ECU 3 can recognize that a message whose CAN-ID field contains the same message identifier as the relay prohibition message identifier is an invalid message. Therefore, even when an invalid message containing the same message identifier as the relay prohibition message identifier is transmitted to it, the in-vehicle ECU 3 discards the invalid message without using it for its own control. The in-vehicle ECU 3 that has stored the relay prohibition message identifier in the storage unit 31 also recognizes that a message whose CAN-ID field contains the same message identifier as the relay prohibition message identifier is a message that is not relayed by the in-vehicle relay device 2.
The control unit 20 of the in-vehicle relay device 2 prohibits relay of messages including the message identifier (S15). The control unit 20 prohibits relay of messages including (storing in the CAN-ID field) the same message identifier as the relay prohibition message identifier. Prohibiting relay of such messages suppresses invalid messages transmitted from an unauthorized in-vehicle ECU 3 from being transmitted (relayed) to in-vehicle ECUs 3 connected to a communication line 41 (segment) different from the communication line 41 (segment) to which the unauthorized in-vehicle ECU 3 is connected.
When it determines that the message is not invalid (S11: NO), that is, that the acquired message is a valid message, the control unit 20 of the in-vehicle relay device 2 determines whether the message identifier corresponds to a relay prohibition message identifier (S111). In that case, the control unit 20 compares the message identifier (CAN-ID) stored in the CAN-ID field of the message with the relay prohibition message identifiers stored in the storage unit 21, and determines whether the message identifier (CAN-ID) corresponds to a relay prohibition message identifier.
When the message identifier corresponds to a relay prohibition message identifier (S111: YES), the control unit 20 of the in-vehicle relay device 2 stores the message identifier in the free area of an existing message and transmits it (S112). When the message identifier of the received message corresponds to a relay prohibition message identifier stored in the storage unit 21, a message including that message identifier was determined to be invalid in earlier processing. After such a determination, however, the unauthorized in-vehicle ECU 3 that had been transmitting invalid messages may be replaced with a legitimate in-vehicle ECU 3, or the program executed by the in-vehicle ECU 3 may be restored, so that the in-vehicle ECU 3 returns to a normal state. When the control unit 20 determines that a message is not invalid even though it includes (stores in the CAN-ID field) the same message identifier as a relay prohibition message identifier, it stores in the free area of an existing message the message identifier and information indicating that messages including that message identifier are valid, and transmits the existing message to the in-vehicle ECUs 3. Alternatively, the control unit 20 may store and transmit to the in-vehicle ECUs 3 information indicating that the control for handling messages as invalid, such as the relay prohibition processing for the message identifier of the message determined to be normal (determined not to be invalid), is disabled (released). When storing the message identifier and the like of the message determined to be valid in the free area of an existing message and transmitting it, the control unit 20 may perform the transmission based on the transmission timing of the existing message, as in step S13.
An in-vehicle ECU 3 that receives the existing message transmitted from the in-vehicle relay device 2 processes subsequently received messages based on the message identifier stored in the free area of the existing message and the information indicating that messages including that message identifier are valid. That is, the in-vehicle ECU 3 receives messages including that message identifier and uses them for its own control or the like as necessary.
Even for a message identifier stored in the storage unit 21 as a relay prohibition message identifier, the control unit 20 of the in-vehicle relay device 2 subsequently determines whether messages including that message identifier are valid, and when it determines that such a message is valid (normal), deletes the relay prohibition message identifier from the storage unit 21.
The control unit 20 of the in-vehicle relay device 2 resumes relay of messages including the message identifier (S113). The message identifier that had been stored in the storage unit 21 as a relay prohibition message identifier has been deleted from the storage unit 21. The control unit 20 therefore resumes the processing of relaying messages including that message identifier (stored in the CAN-ID field): it identifies the in-vehicle communication unit 23 that is the relay destination based on the route information stored in the storage unit 21, and transmits the message via the identified in-vehicle communication unit 23.
In this way, even for a message identifier stored in the storage unit 21 as a relay prohibition message identifier, the validity of subsequent messages including that message identifier is determined, and when such a message is determined to be valid (normal), the relay prohibition message identifier is deleted from the storage unit 21 and relay is resumed. Therefore, when an unauthorized (abnormal) in-vehicle ECU 3 that had been transmitting invalid messages is restored to a legitimate (normal) in-vehicle ECU 3 that transmits valid messages, the in-vehicle ECUs 3 or the in-vehicle relay device 2 can receive or relay the messages transmitted from the restored legitimate in-vehicle ECU 3. This also prevents the relay prohibition message identifiers stored in the storage unit 21 of the in-vehicle relay device 2 from continuing to increase and exhausting the area of the storage unit 21.
When the message identifier does not correspond to a relay prohibition message identifier (S111: NO), the control unit 20 of the in-vehicle relay device 2 relays the message (S1111). In that case, the control unit 20 treats the message as valid and relays it based on the message identifier (CAN-ID) contained in the CAN-ID field.
After performing S15, S113, or S1111, the control unit 20 loops to perform S10 again.
Because the control unit 20 of the in-vehicle relay device 2 uses the free area of an existing message that is transmitted regularly or irregularly to transmit the message identifier of a message determined to be invalid to the in-vehicle ECUs 3, an increase in traffic on the in-vehicle LAN 4 can be suppressed. In addition, even for a message including the same message identifier as that of a message determined to be invalid, when that message is determined to be valid, information indicating that the message identifier belongs to a valid message is stored in the free area of an existing message and transmitted to the in-vehicle ECUs 3. This allows the in-vehicle ECUs 3 or the in-vehicle relay device 2 to receive or relay valid messages including that message identifier while suppressing an increase in traffic on the in-vehicle LAN 4.
By using as the existing message, for example, the wake-up message that the in-vehicle relay device 2 transmits at the timing when the IG switch 6 is turned on (at wake-up), the message identifier of a message determined to be invalid can be transmitted to the in-vehicle ECUs 3 using the free area of the DATA field of the wake-up message.
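The piggy-backing in S14 and S112 and the ECU-side handling described above can be sketched as follows. This is an added example, not code from the patent: the 2-byte entry layout, the flag bit, the wake-up frame contents and all function names are assumptions, since the specification does not define how identifiers are encoded in the free area.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CAN_MAX_DLC  8        /* classic CAN data field: at most 8 bytes */
#define ENTRY_BLOCK  0x8000u  /* assumed flag bit: 1 = relay prohibited, 0 = valid again */
#define CAN_ID_MASK  0x07FFu  /* 11-bit standard CAN-ID */
#define LIST_MAX     16

struct frame    { uint16_t id; uint8_t dlc; uint8_t data[CAN_MAX_DLC]; };
struct notice   { uint16_t can_id; int prohibited; };
struct ecu_list { uint16_t ids[LIST_MAX]; size_t count; };

/* Relay side (S14, S112): append entries to the free bytes behind the
 * existing payload. Returns how many entries fit; the caller keeps the
 * rest for the next existing message. */
size_t pack_notices(struct frame *f, const struct notice *n, size_t count)
{
    size_t stored = 0;
    while (stored < count && f->dlc + 2 <= CAN_MAX_DLC) {
        uint16_t w = (uint16_t)(n[stored].can_id & CAN_ID_MASK);
        if (n[stored].prohibited)
            w = (uint16_t)(w | ENTRY_BLOCK);
        f->data[f->dlc++] = (uint8_t)(w >> 8);
        f->data[f->dlc++] = (uint8_t)(w & 0xFFu);
        stored++;
    }
    return stored;
}

static int list_index(const struct ecu_list *l, uint16_t can_id)
{
    for (size_t i = 0; i < l->count; i++)
        if (l->ids[i] == can_id)
            return (int)i;
    return -1;
}

/* ECU side: read the entries behind the base_len payload bytes this ECU
 * already expects in the existing message (assumption: base_len is known
 * to the ECU), and update the list kept in its storage unit 31. */
void ecu_apply_notices(struct ecu_list *l, const struct frame *f, uint8_t base_len)
{
    for (size_t off = base_len; off + 2 <= f->dlc; off += 2) {
        uint16_t w = (uint16_t)((f->data[off] << 8) | f->data[off + 1]);
        uint16_t can_id = (uint16_t)(w & CAN_ID_MASK);
        int idx = list_index(l, can_id);
        if (w & ENTRY_BLOCK) {
            if (idx < 0 && l->count < LIST_MAX)
                l->ids[l->count++] = can_id;      /* treat as invalid from now on */
        } else if (idx >= 0) {
            l->ids[idx] = l->ids[--l->count];     /* released: accept again */
        }
    }
}

/* An ECU discards any message whose CAN-ID is on its list. */
int ecu_accepts(const struct ecu_list *l, uint16_t can_id)
{
    return list_index(l, can_id) < 0;
}

int main(void)
{
    /* Constructed wake-up message: CAN-ID 0x100 and the 2-byte payload are sample values. */
    struct frame wake = { 0x100, 2, { 0x01, 0x00 } };
    struct notice n[] = { { 2, 1 }, { 9, 1 } };
    struct ecu_list ecu = { { 0 }, 0 };

    size_t sent = pack_notices(&wake, n, 2);
    ecu_apply_notices(&ecu, &wake, 2);
    printf("entries sent=%zu dlc=%u accept(2)=%d accept(5)=%d\n",
           sent, (unsigned)wake.dlc, ecu_accepts(&ecu, 2), ecu_accepts(&ecu, 5));
    return 0;
}
```

With this assumed layout, a 2-byte wake-up payload in a classic 8-byte data field leaves room for three entries, so a longer list has to be spread over successive existing messages.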
In this embodiment, the communication protocol of the in-vehicle relay device 2 and the in-vehicle ECUs 3 has been described based on CAN, but it is not limited to this. Communication between the in-vehicle relay device 2 and the in-vehicle ECUs 3 may use a communication protocol other than CAN, as long as the protocol can transmit an existing message having a free area in its data field to a plurality of in-vehicle ECUs 3 by multicast or broadcast.
(Embodiment 2)
FIG. 6 is a flowchart illustrating the processing of the control unit 20 of the in-vehicle relay device 2 according to Embodiment 2. The processing of the control unit 20 of the in-vehicle relay device 2 according to Embodiment 2 differs from Embodiment 1 in that it identifies the in-vehicle ECU 3 that transmitted the message determined to be invalid, and treats the message identifiers that the identified in-vehicle ECU 3 may include in its messages as relay prohibition message identifiers.
The control unit 20 of the in-vehicle relay device 2 performs S20 and S21 in the same way as S10 and S11 of Embodiment 1.
When it determines that the message is invalid (S21: YES), the control unit 20 of the in-vehicle relay device 2 identifies the in-vehicle ECU 3 that transmitted the message (S22). The control unit 20 extracts the message identifier (CAN-ID) stored in the CAN-ID field of the received message and, using the extracted message identifier, refers to the configuration information of the in-vehicle ECUs 3 stored in the storage unit 21 (configuration information master table; see FIG. 4) to identify the in-vehicle ECU 3 that includes that message identifier in (stores it in the CAN-ID field of) its messages.
The control unit 20 of the in-vehicle relay device 2 stores the message identifiers (S23). The control unit 20 refers to the configuration information of the in-vehicle ECUs 3 stored in the storage unit 21, identifies all message identifiers (CAN-IDs) that the identified in-vehicle ECU 3 may include in the messages it transmits, and stores all of the identified message identifiers (CAN-IDs) in the storage unit 21 as relay prohibition message identifiers.
An in-vehicle ECU 3 that has transmitted an invalid message is highly likely to be an unauthorized (abnormal) in-vehicle ECU 3. The control unit 20 of the in-vehicle relay device 2 therefore identifies the unauthorized (abnormal) in-vehicle ECU 3 and stores in the storage unit 21, as relay prohibition message identifiers, all message identifiers (CAN-IDs) that the unauthorized (abnormal) in-vehicle ECU 3 may include when transmitting messages. This makes it possible to deal efficiently with the unauthorized (abnormal) in-vehicle ECU 3, for example by prohibiting relay of invalid messages from it.
The control unit 20 of the in-vehicle relay device 2 performs S24, S25, and S26 in the same way as S13, S14, and S15 of Embodiment 1. The message identifiers (CAN-IDs) transmitted in S25 and prohibited from relay in S26 are all the message identifiers (CAN-IDs) that the unauthorized (abnormal) in-vehicle ECU 3 identified in S22 includes in the messages it transmits. An in-vehicle ECU 3 that receives the existing message transmitted from the in-vehicle relay device 2 can respond appropriately, for example by discarding invalid messages transmitted from the unauthorized (abnormal) in-vehicle ECU 3, based on the message identifiers (CAN-IDs) stored in the free area of the existing message.
When it determines that the message is not invalid (S21: NO), the control unit 20 of the in-vehicle relay device 2 performs S211, S212, S2111, and S213 in the same way as S111, S112, S1111, and S113 of Embodiment 1. As in Embodiment 1, after performing S26, S213, or S2111, the control unit 20 loops to perform S20 again.
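The relay-side decision flow of Embodiment 2 (S21 to S26 and S211 to S2111) can be sketched as follows. This is an added example, not code from the patent: the IDS verdict is passed in as a parameter, the table rows other than ECU-ID 003 (CAN-IDs 2 and 9, taken from the FIG. 4 description) are constructed, and all names are assumptions. Notifying the ECUs through an existing message (S25, S212) is left out of this block.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_IDS_PER_ECU 4
#define MAX_BLOCKED     16

struct ecu_config { uint16_t ecu_id; size_t n_ids; uint16_t can_ids[MAX_IDS_PER_ECU]; };

/* Configuration information master table (constructed sample rows). */
static const struct ecu_config master_table[] = {
    { 1, 2, { 1, 7 } },
    { 2, 1, { 4 } },
    { 3, 2, { 2, 9 } },   /* from the page: ECU-ID 003 sends CAN-IDs 2 and 9 */
};
#define N_ECUS (sizeof master_table / sizeof master_table[0])

enum relay_action { RELAY, BLOCK, RESTORE_AND_RELAY };
struct relay_state { uint16_t blocked[MAX_BLOCKED]; size_t count; };

/* S22: find the ECU whose configuration lists this CAN-ID. */
static const struct ecu_config *find_sender(uint16_t can_id)
{
    for (size_t e = 0; e < N_ECUS; e++)
        for (size_t i = 0; i < master_table[e].n_ids; i++)
            if (master_table[e].can_ids[i] == can_id)
                return &master_table[e];
    return NULL;
}

/* Index of can_id in the relay prohibition list, or -1 if absent. */
int blocked_index(const struct relay_state *st, uint16_t can_id)
{
    for (size_t i = 0; i < st->count; i++)
        if (st->blocked[i] == can_id)
            return (int)i;
    return -1;
}

static void block_id(struct relay_state *st, uint16_t can_id)
{
    if (blocked_index(st, can_id) < 0 && st->count < MAX_BLOCKED)
        st->blocked[st->count++] = can_id;
}

/* One pass of the flowchart for a received message. judged_invalid is the
 * verdict of the validity check (S21), which is outside this sketch. */
enum relay_action relay_handle(struct relay_state *st, uint16_t can_id, int judged_invalid)
{
    if (judged_invalid) {                                    /* S21: YES */
        const struct ecu_config *ecu = find_sender(can_id);  /* S22 */
        if (ecu != NULL) {
            for (size_t i = 0; i < ecu->n_ids; i++)          /* S23: all IDs of that ECU */
                block_id(st, ecu->can_ids[i]);
        } else {
            block_id(st, can_id);  /* sender not in table: block this ID only (assumption) */
        }
        return BLOCK;                                        /* S26 */
    }
    int idx = blocked_index(st, can_id);                     /* S211 */
    if (idx >= 0) {
        /* S212, S213: as in S111 to S113, only the identifier of the
         * message judged valid is released. */
        st->blocked[idx] = st->blocked[--st->count];
        return RESTORE_AND_RELAY;
    }
    return RELAY;                                            /* S2111 */
}

int main(void)
{
    struct relay_state st = { { 0 }, 0 };
    relay_handle(&st, 2, 1);   /* invalid message with CAN-ID 2 */
    printf("blocked after invalid CAN-ID 2: %zu identifiers\n", st.count);
    printf("valid CAN-ID 9 -> action %d\n", (int)relay_handle(&st, 9, 0));
    printf("CAN-ID 2 still blocked: %d\n", blocked_index(&st, 2) >= 0);
    return 0;
}
```

Because release is per identifier, CAN-ID 2 stays blocked after a valid message with CAN-ID 9 is seen, until a message with CAN-ID 2 is itself judged valid.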
The embodiments disclosed herein are to be considered illustrative in all respects and not restrictive. The scope of the present invention is indicated not by the meaning described above but by the claims, and is intended to include all modifications within the meaning and scope equivalent to the claims.
 C Vehicle
 S1 Program providing device
 S11 Storage unit
 1 External communication device
 11 External communication unit
 12 Input/output I/F
 13 Antenna
 2 In-vehicle relay device
 20 Control unit
 21 Storage unit
 22 Recording medium
 23 In-vehicle communication unit (CAN transceiver)
 24 Input/output I/F
 3 In-vehicle ECU
 30 Control unit
 31 Storage unit
 32 In-vehicle communication unit (CAN transceiver)
 4 In-vehicle LAN
 41 Communication line
 5 Display device
 6 IG switch

Claims (8)

  1.  An in-vehicle relay device that is mounted on a vehicle, includes a plurality of in-vehicle communication units to which communication lines for communicating with a plurality of in-vehicle ECUs are connected, and relays messages transmitted from the in-vehicle ECUs between the in-vehicle communication units, the in-vehicle relay device comprising:
     a control unit that controls the relay of the messages,
     wherein the control unit determines whether a message is valid, stores the message identifier of a message determined to be invalid in a free area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmits the existing message.
  2.  The in-vehicle relay device according to claim 1,
     wherein the existing message is a message generated by the control unit.
  3.  The in-vehicle relay device according to claim 1 or claim 2,
     wherein the existing message is a message relayed from one of the plurality of in-vehicle ECUs to another in-vehicle ECU.
  4.  The in-vehicle relay device according to any one of claims 1 to 3,
     wherein the existing message is a message that is periodically transmitted to the in-vehicle ECUs.
  5.  The in-vehicle relay device according to any one of claims 1 to 4,
     wherein the existing message is a message transmitted based on a determination between active and sleep in the in-vehicle ECUs.
  6.  The in-vehicle relay device according to any one of claims 1 to 5, further comprising
     a storage unit in which an ECU identifier of each in-vehicle ECU and the message identifiers included in messages when that in-vehicle ECU transmits them are stored in association with each other,
     wherein the control unit, after determining whether the message is valid, refers to the storage unit to read out the ECU identifier associated with the message identifier of the message determined to be invalid, and
     when the in-vehicle ECU corresponding to the read ECU identifier transmits a message, reads out all message identifiers corresponding to the read ECU identifier, stores them in the free area of the message, and transmits the message.
  7.  The in-vehicle relay device according to any one of claims 1 to 6,
     wherein the control unit acquires a message including the same message identifier as the message identifier of a message determined to be invalid by the validity determination, and
     when it determines that the acquired message is valid, stores the message identifier of the acquired message in the free area and transmits it.
  8.  A relay method for relaying messages transmitted from a plurality of in-vehicle ECUs mounted on a vehicle, the relay method comprising:
     acquiring a message transmitted from the plurality of in-vehicle ECUs mounted on the vehicle;
     determining whether the acquired message is valid; and
     storing the message identifier of a message determined to be invalid in a free area in the data field of an existing message transmitted to the plurality of in-vehicle ECUs, and transmitting the existing message.
PCT/JP2019/045350 2018-11-22 2019-11-20 Onboard relay device and relay method WO2020105657A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-219312 2018-11-22
JP2018219312 2018-11-22

Publications (1)

Publication Number Publication Date
WO2020105657A1 true WO2020105657A1 (en) 2020-05-28

Family

ID=70773809

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/045350 WO2020105657A1 (en) 2018-11-22 2019-11-20 Onboard relay device and relay method

Country Status (1)

Country Link
WO (1) WO2020105657A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022264762A1 (en) * 2021-06-15 2022-12-22 株式会社オートネットワーク技術研究所 Onboard device, information processing method, and program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002073433A (en) * 2000-08-28 2002-03-12 Mitsubishi Electric Corp Break-in detecting device and illegal break-in measures management system and break-in detecting method
JP2012249107A (en) * 2011-05-27 2012-12-13 Toshiba Corp Communication system
JP2017007401A (en) * 2015-06-17 2017-01-12 株式会社オートネットワーク技術研究所 On-vehicle relay device, on-vehicle communication system, and relay program
JP2017092634A (en) * 2015-11-06 2017-05-25 日立オートモティブシステムズ株式会社 Information processor and unauthorized message detection method
JP2018160786A (en) * 2017-03-22 2018-10-11 パナソニックIpマネジメント株式会社 Monitor system, monitoring method and computer program


Similar Documents

Publication Publication Date Title
US10909237B2 (en) Method of updating fraud detection rules for detecting malicious frames, fraud detecting electronic control unit, and on-board network system
US10693905B2 (en) Invalidity detection electronic control unit, in-vehicle network system, and communication method
CN105981336B (en) Abnormality detection electronic control unit, vehicle-mounted network system, and abnormality detection method
US10432645B2 (en) In-vehicle network system, fraud-detection electronic control unit, and fraud-detection method
CN106031098B (en) Abnormal frame coping method, abnormal detection electronic control unit and vehicle-mounted network system
JP5522160B2 (en) Vehicle network monitoring device
JP6807906B2 (en) Systems and methods to generate rules to prevent computer attacks on vehicles
JP6762347B2 (en) Systems and methods to thwart computer attacks on transportation
JP5919205B2 (en) Network device and data transmission / reception system
US10135866B2 (en) Method of preventing drive-by hacking, and apparatus and system therefor
US10462161B2 (en) Vehicle network operating protocol and method
US20200014758A1 (en) On-board communication device, computer program, and message determination method
WO2019116896A1 (en) On-vehicle update device, program, and program or data update method
CN109076016B9 (en) Illegal communication detection criterion determining method, illegal communication detection criterion determining system, and recording medium
WO2018110046A1 (en) Control apparatus, control system, control method, control program, and storage medium
JP2015199444A (en) Electronic control device
JP7412506B2 (en) Fraud detection rule update method, fraud detection electronic control unit and in-vehicle network system
KR101714526B1 (en) Method and apparatus for protecting hacking in vehicle network
WO2020105657A1 (en) Onboard relay device and relay method
JP2018160888A (en) Update processing method, on-vehicle network system, and electronic control unit
JP6913869B2 (en) Surveillance equipment, surveillance systems and computer programs
JP7192747B2 (en) In-vehicle relay device and information processing method
WO2021241415A1 (en) Anomaly detection system and anomaly detection method
JP2023096727A (en) On-vehicle device, program and information processing method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19886071; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19886071; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)