WO2020158075A1 - Memory rewriting history recording device - Google Patents



Publication number
WO2020158075A1
Authority
WO (WIPO, PCT)
Prior art keywords
history, memory, value, rewriting, determination unit
Application number
PCT/JP2019/041841
Other languages
English (en), Japanese (ja)
Inventor
秀俊 宮田
Original Assignee
デンソートリム株式会社 (Denso Trim Co., Ltd.)
Application filed by デンソートリム株式会社
Priority to CN201980090587.0A (see CN113396398B)
Priority to JP2020569374A (see JP7085029B2)
Publication of WO2020158075A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/30 Monitoring
    • G06F 11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the disclosure in this specification relates to a memory rewriting history recording device.
  • Patent Document 1 discloses a control device using a rewritable memory.
  • the description of the prior art documents listed as the prior art is incorporated by reference as a description of technical elements in this specification.
  • A control device that uses rewritable memory may record the rewriting actions performed on that memory.
  • A history of rewriting actions makes it possible to detect rewriting of the stored data. From one viewpoint, unauthorized rewriting must be detectable. From another viewpoint, even legitimate rewriting must be discoverable or reconfirmable afterwards. In view of the above, or in other aspects not mentioned, further improvement of vehicle control devices is needed.
  • One disclosed purpose is to provide a rewriting history recording device of a memory that can efficiently detect a rewriting action.
  • Another disclosed purpose is to provide a rewriting history recording device for a memory that can detect rewriting actions with a small-scale configuration.
  • The memory rewriting history recording device disclosed herein comprises: a nonvolatile memory (8, M1) that stores the program and/or numerical values of a control device (5) and is externally rewritable; an inspection device (6, M2) that inspects the data stored in the memory and determines whether the memory is normal or abnormal; and a history recording device (10, M3) that records a history of external rewriting.
  • The memory has an area (36) for storing an adjustment value (SUM-ADJ) that is rewritten so that the inspection device does not determine an abnormality, and an area (38) for storing a switch value (INT-E/D) that sets whether the inspection by the inspection device is valid or invalid. The history contains both the adjustment value and the switch value.
  • Because the switch value is recorded in addition to the adjustment value, both correct external rewriting and unauthorized external rewriting can be recorded as history.
  • This provides a rewriting history recording device for a memory in which rewriting actions can be found efficiently.
  • FIG. 1 is a block diagram of a vehicle system including a control device. FIG. 2 is a flowchart of an initialization process. FIG. 3 is a flowchart of a rewriting process. FIG. 4 is a flowchart of inspection processing. FIG. 5 is a flowchart of history processing. FIG. 6 is a flowchart of an output process. FIG. 7 is a block diagram of a memory rewriting history recording device.
  • FIG. 1 shows an equipment system 1.
  • the device system 1 includes a power source (PWRS) 2 as a control target.
  • the device system 1 includes a control system for controlling a control target.
  • the control system includes a sensor group (SNSR) 3, an actuator group (ACTR) 4, and a control device (ECU) 5.
  • Equipment includes stationary equipment and mobile equipment.
  • Stationary devices include, for example, air conditioners, power generators, and lighting devices.
  • Mobile devices include so-called vehicles.
  • vehicle includes stationary vehicles as well as mobile vehicles.
  • Mobile vehicles include, for example, ground vehicles, ships, and aircraft.
  • Stationary vehicles include, for example, simulators used to become familiar with operating techniques.
  • Stationary vehicles also include, for example, amusement equipment for enjoying the behavior of a vehicle.
  • the equipment system 1 is a vehicle system.
  • the vehicle is a saddle-type ground traveling vehicle.
  • a typical example of a vehicle is a motorcycle.
  • the power source 2 is provided by an internal combustion engine system or an electric motor system.
  • the power source 2 may include an internal combustion engine, a fuel supply system, and an ignition system. If the power source 2 is provided by an electric motor system, the power source 2 may include a battery and an electric motor. In this embodiment, the power source 2 provides power for the vehicle.
  • the power source 2 is an internal combustion engine system. Power source 2 requires control by the control system in order to provide preset functions.
  • the control system including the control device 5 provides a memory rewriting history recording device.
  • the control system also functions as a limiter that limits the operating state of the power source 2 within a preset normal range.
  • the sensor group 3 includes a plurality of sensors.
  • the plurality of sensors output, as detection signals, electric signals indicating the operating state of the power source 2.
  • the sensor group 3 includes a pressure sensor (PRES) 11 and a rotation angle sensor (ANGL) 12.
  • the pressure sensor 11 detects the intake pressure of the internal combustion engine.
  • the rotation angle sensor 12 detects the rotation angle of the crankshaft of the internal combustion engine.
  • the sensor group 3 outputs a detection signal to the control device 5.
  • the actuator group 4 includes a plurality of actuators.
  • the plurality of actuators provide the means of adjusting the operating state of the power source 2.
  • the actuator group 4 includes a fuel pump (PUMP) 13, a fuel injection valve (INJC) 14, an ignition device (IGNT) 15, and a warning light (WRNL) 16.
  • the fuel pump 13 pressurizes the fuel stored in the fuel tank.
  • the fuel pump 13 is an electric motor pump or an electromagnetic plunger pump.
  • the fuel pump 13 is controlled to appropriately pressurize the fuel.
  • the fuel injection valve 14 supplies the fuel to the internal combustion engine by injecting the pressurized fuel.
  • the fuel injection valve 14 is a solenoid valve.
  • the fuel injection valve 14 can adjust the injection start timing, the injection end timing, the injection period, and/or the number of injections.
  • the fuel injection valve 14 is controlled to regulate the fuel supply in the internal combustion engine.
  • the ignition device 15 provides ignition by electric spark to the internal combustion engine.
  • the ignition device 15 can adjust the ignition timing, the ignition period, and/or the amount of ignition energy.
  • the ignition device 15 is controlled to adjust ignition in the internal combustion engine.
  • the warning light 16 warns the user of an abnormality (internal error) of the control device 5 by lighting, for example.
  • the actuator group 4 is controlled by the control device 5.
  • the sensor group 3 and the actuator group 4 include elements suitable for the power source 2.
  • the sensor group 3 can include, for example, a plurality of temperature sensors that detect the temperature of the battery and/or the electric motor, a current sensor that detects a current flowing through the electric motor, and a voltage sensor that detects the voltage of the battery.
  • the actuator group 4 can include, for example, an inverter circuit that controls electric power supplied to the electric motor.
  • the control device 5 includes a plurality of components, as a general computer does. These components can be placed in a single IC package. Alternatively, they may be distributed across a plurality of IC packages. For example, a RAM (Random Access Memory) 7, a ROM (Read Only Memory) 8 and an EEPROM (Electrically Erasable and Programmable Read Only Memory) 10 may be arranged in a single IC package together with the CPU 6 described below as the processor core. Instead, for example, the RAM 7 and the ROM 8 described below may be arranged in an IC package together with the CPU 6, and the EEPROM 10 described below may be arranged in a separately provided IC package.
  • the control device 5 includes a CPU 6 as a processor, a RAM 7 as a volatile storage device, and a ROM 8 as a non-volatile storage device as typical elements.
  • the RAM 7 provides a temporary storage area for the CPU 6.
  • the ROM 8 provides a program storage area for the CPU 6 and a numerical value storage area.
  • the ROM 8 is a flash ROM that can be repeatedly written and whose stored contents are retained even when power is lost.
  • Alternatively, the ROM 8 may be provided by an EEPROM (Electrically Erasable and Programmable Read Only Memory).
  • the ROM 8 provides a storage area for programs and numerical values for the control system. Further, the storage area provided by the ROM 8 can be rewritten from outside the control device 5.
  • the ROM 8 can rewrite the storage area in the manufacturing process, for example.
  • the ROM 8 makes it possible to rewrite the storage area in the market, for example.
  • the ROM 8 can rewrite the storage area from an external device 20 described later, for example.
  • the control device 5 has a bus circuit 9.
  • the bus circuit 9 connects the sensor group 3, the actuator group 4, and the control device 5 to each other.
  • the bus circuit 9 provides an I/O bus.
  • the bus circuit 9 further connects the CPU 6, the RAM 7, and the ROM 8 to each other inside the control device 5.
  • the bus circuit 9 provides the system bus.
  • the bus circuit 9 can be directly connected to the outside of the control device 5.
  • the bus circuit 9 connects the control device 5 and an external device 20 described later to each other.
  • the bus circuit 9 provides a direct connection between the ROM 8 and the external device 20. This direct connection enables so-called external rewriting, in which the data stored in the ROM 8 is rewritten from outside the control device 5. As a result, in this embodiment, the data stored in the ROM 8 can be rewritten without passing through the CPU 6.
  • the control device 5 includes an EEPROM 10 as a non-volatile storage device.
  • the storage area provided by the ROM 8 and the storage area provided by the EEPROM 10 are storage areas different from each other.
  • the EEPROM 10 is not connected to the bus circuit 9.
  • the EEPROM 10 is connected to the CPU 6 without passing through the bus circuit 9. That is, the data stored in the EEPROM 10 cannot be directly rewritten from outside the control device 5.
  • the ROM 8 and the EEPROM 10 are provided as physically different storage areas.
  • the ROM 8 and the EEPROM 10 are provided by, for example, two different IC packages.
  • the ROM 8 and the EEPROM 10 may be provided by physically separate storage areas on one semiconductor chip, for example.
  • the ROM 8 and the EEPROM 10 may be provided by physically separate storage areas in one common IC package, for example.
  • the ROM 8 and the EEPROM 10 are provided as different storage areas regarding the connection relationship with the bus circuit 9.
  • the ROM 8 is directly connected to the bus circuit 9.
  • the EEPROM 10 is indirectly connected to the bus circuit 9 via the CPU 6.
  • the ROM 8 provides an externally rewritable storage area.
  • the EEPROM 10 provides a storage area that cannot be externally rewritten.
  • "impossible" here does not mean that external rewriting of the data stored in the EEPROM 10 is completely impossible. It means that rewriting is impossible through the external connection modes assumed for the control device 5. For example, direct access to the physical terminals of the EEPROM 10 is not anticipated.
  • the device system 1 includes an external device (EXTL) 20 that is detachable from the control system.
  • the external device 20 is a device capable of operating the contents of the ROM 8.
  • the external device 20 is a device that can operate the contents of the EEPROM 10 via the CPU 6.
  • the external device 20 is provided by factory equipment at the manufacturing stage.
  • the external device 20 is provided by a diagnostic system on the market. The diagnostic system is used to diagnose whether the equipment system 1 is healthy or unhealthy.
  • the external device 20 acquires signals and/or data in the control system.
  • the external device 20 provides the acquired signal and/or data for diagnosis.
  • the external device 20 may compare the acquired signal and/or data with the normal signal and/or data inside the external device 20, and output a diagnostic result.
  • the external device 20 may provide the acquired signal and/or data to an operator and/or an external diagnostic device.
  • When the external device 20 is a diagnostic system, the external device 20 has a diagnostic terminal device 21.
  • the diagnostic terminal device 21 is installed in, for example, a service station.
  • the diagnostic terminal device 21 is used by an operator who inspects or repairs the equipment system 1.
  • the control device 5 and the diagnostic terminal device 21 can be connected by a wired connection device including a connector 22 and a cable 23. Alternatively, the control device 5 and the diagnostic terminal device 21 may be connected by a wireless connection device.
  • the diagnostic terminal device 21 has a terminal control device (CTRL) 24, an internal storage device (STRG) 25, a display device (MNTR) 26, and an input device (MNSW) 27.
  • the internal storage device 25 can be provided by ROM or RAM.
  • the terminal control device 24 temporarily records the data stored in the EEPROM 10 in the internal storage device 25.
  • the terminal control device 24 displays the data stored in the internal storage device 25 on the display device 26.
  • the input device 27 detects the operation of the operator and inputs a detection signal to the terminal control device 24. In this embodiment, the input device 27 detects an operation requesting history display and outputs the request to the terminal control device 24.
  • the control device 5 is also called an electronic control device (ECU: Electronic Control Unit).
  • the controller 5 is provided by (a) an algorithm expressed as a plurality of logical rules in if-then-else form, or (b) a trained model tuned by machine learning, for example an algorithm in the form of a neural network.
  • the control device 5 includes at least one computer. Controller 5 may include multiple computers linked by a data communication device.
  • the computer includes at least one processor (hardware processor) that is hardware.
  • the hardware processor can be provided by (i), (ii), or (iii) below.
  • (i) The hardware processor may be at least one processor core that executes a program stored in at least one memory. In this case the computer is provided with at least one memory and at least one processor core. The processor core is called a CPU (Central Processing Unit), GPU (Graphics Processing Unit), RISC-CPU, etc. The memory is also called a storage medium; it is a non-transitory, tangible storage medium that stores "programs and/or data" readable by a processor in a non-transitory manner, and is provided by a semiconductor memory, a magnetic disk, an optical disk, or the like. The program may be distributed by itself or as a storage medium in which the program is stored.
  • (ii) The hardware processor may be a hardware logic circuit. In this case the computer is provided by a digital circuit including a large number of programmed logic units (gate circuits). The digital circuit is a logic circuit array, for example an ASIC (Application-Specific Integrated Circuit), FPGA (Field Programmable Gate Array), PGA (Programmable Gate Array), CPLD (Complex Programmable Logic Device), etc. The digital circuit may include a memory that stores programs and/or data. The computer may also be provided by analog circuitry, or by a combination of digital and analog circuits.
  • (iii) The hardware processor may be a combination of (i) and (ii) above. (i) and (ii) may be arranged on different chips or on a common chip; in these cases the part (ii) is also called an accelerator.
  • The control device, signal source, and controlled object provide various elements. At least some of these elements can be referred to as blocks, modules, or sections. Furthermore, elements included in the control system are referred to as functional means only when so intended.
  • The control unit and the method described in this disclosure may be realized by a dedicated computer provided by configuring a processor and a memory programmed to execute one or a plurality of functions embodied by a computer program.
  • The control unit and the method described in this disclosure may be realized by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits.
  • The control unit and the method described in this disclosure may be realized by one or more dedicated computers configured by combining a processor and memory programmed to perform one or more functions with a processor configured with one or more hardware logic circuits.
  • the computer program may be stored in a computer-readable non-transition tangible recording medium as an instruction executed by the computer.
  • the ROM 8 has a program area (PRGM) 31.
  • the program area 31 stores a program for the control system.
  • the program area 31 stores, for example, a fuel injection program and an ignition timing program.
  • the ROM 8 has a numerical area (VLDT) 32.
  • the numerical area 32 stores numerical values for the control system.
  • the numerical area 32 stores, for example, a map that defines the fuel injection amount with respect to the load of the internal combustion engine and a map that defines the ignition timing with respect to the rotation speed of the internal combustion engine.
  • When the ROM 8 is externally rewritten, for example, the data in a rewriting area (REWR) 33 that is part of the program area 31 is rewritten, and/or the data in a rewriting area (REWR) 34 that is part of the numerical area 32 is rewritten.
  • the ROM 8 has an area for storing inspection data.
  • the check data is used for error check of the data stored in the ROM 8 itself. If the stored data in the ROM 8 has an error, it is treated as an abnormality (internal error) of the control device 5.
  • the "error checking” function can be implemented by hardware or by software.
  • the term “error checking” in this specification should be interpreted broadly.
  • the “error check” calculates a calculated value from the "storage area to be checked” by a predetermined calculation method.
  • the “error check” compares a calculated value with a reference value to detect an error in stored data.
  • the “error check” uses the "error detection code” to check the stored data for errors. In this embodiment, a checksum is used as the "error detection code”.
  • Vertical parity and/or horizontal parity may be used as the "error detection code".
  • A hash function may be used as the "error detection code", for example a cryptographic hash function such as MD5 (Message Digest Algorithm 5), or a CRC (Cyclic Redundancy Check). None of these codes involves a secret key (and MD5 is in any case no longer collision-resistant): they detect accidental corruption, but whoever can rewrite the inspected area can also make the code match again, which is exactly the role of the adjustment value described below.
  • checksum in this specification should be interpreted in a broad sense.
  • the "checksum" is a method in which some bytes of the total sum of the stored data of the "storage area to be inspected" are taken as the calculated value.
  • the “checksum” may be a method in which the calculated value is the remainder (surplus) obtained by dividing the above total sum by a predetermined constant.
  • the “checksum” may be a method in which the above sum is used as a calculated value.
  • the “storage area to be inspected” is all the storage areas of the ROM 8.
  • the “storage area to be inspected” may be a partial storage area in the ROM 8.
  • the ROM 8 stores two items of inspection data.
  • the inspection data includes a checksum area 35 that stores a checksum value (SUM-CHK) as a reference value.
  • the inspection data includes a sum adjustment value area 36 that stores a sum adjustment value (SUM-ADJ) as a difference value.
  • the checksum value is a reference value as an initial value.
  • the checksum value is, for example, the checksum value of all data stored in the ROM 8 of the initial model.
  • the sum adjustment value is set so that a calculated value equal to the reference value is calculated.
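The following is an added worked example, not code from the patent or from デンソートリム株式会社. It models a toy image of the ROM 8 whose last two words are the checksum area 35 (SUM-CHK) and the sum adjustment area 36 (SUM-ADJ), uses the "some bytes of the total sum" checksum variant (the low 16 bits of a 16-bit word sum over the whole ROM), derives SUM-ADJ at factory programming, and then shows what an external rewriter sees with and without re-deriving SUM-ADJ. The image size, offsets, the word-sum variant and the sample contents are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROM_SIZE     64u                 /* toy ROM 8 image (assumption) */
#define OFF_NUMERIC  32u                 /* numerical area 32 starts here (assumption) */
#define OFF_SUM_CHK  (ROM_SIZE - 4u)     /* checksum area 35: reference value SUM-CHK */
#define OFF_SUM_ADJ  (ROM_SIZE - 2u)     /* sum adjustment area 36: SUM-ADJ */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Calculated value SUMR (step 172): sum of all 16-bit words of the ROM, mod 2^16.
 * The inspected area is the whole ROM, so SUM-CHK and SUM-ADJ are summed too. */
uint16_t rom_sum(const uint8_t *rom)
{
    uint32_t s = 0;
    for (size_t i = 0; i < ROM_SIZE; i += 2)
        s += rd16(rom + i);
    return (uint16_t)s;
}

/* Step 174: the ROM is normal (1) when SUMR equals the reference value SUM-CHK. */
int inspect_rom(const uint8_t *rom)
{
    return rom_sum(rom) == rd16(rom + OFF_SUM_CHK);
}

/* The sum is linear, so the SUM-ADJ that makes SUMR == SUM-CHK is simply
 * SUM-CHK minus the sum of every other word. Nothing secret is needed:
 * whoever can write the ROM can recompute this after any change. */
uint16_t solve_adjust(const uint8_t *rom)
{
    uint16_t others = (uint16_t)(rom_sum(rom) - rd16(rom + OFF_SUM_ADJ));
    return (uint16_t)(rd16(rom + OFF_SUM_CHK) - others);
}

void fixup_adjust(uint8_t *rom)
{
    wr16(rom + OFF_SUM_ADJ, solve_adjust(rom));
}

/* Initial setting (FIG. 2, steps 151-153): constructed program/map contents,
 * a fixed reference value, then the adjustment value derived from them. */
void factory_program(uint8_t *rom, uint16_t sum_chk)
{
    for (size_t i = 0; i < OFF_SUM_CHK; i++)
        rom[i] = (uint8_t)(i * 7 + 3);          /* constructed sample contents */
    wr16(rom + OFF_SUM_CHK, sum_chk);           /* checksum area 35 never changes later */
    wr16(rom + OFF_SUM_ADJ, 0);
    fixup_adjust(rom);
}

/* External rewriting (FIG. 3, step 161) of one word of the numerical area.
 * with_fixup = 1 models a rewriter that also refreshes SUM-ADJ so that the
 * inspection keeps reporting "normal". */
void external_rewrite(uint8_t *rom, size_t off, uint16_t value, int with_fixup)
{
    wr16(rom + off, value);
    if (with_fixup)
        fixup_adjust(rom);
}

/* Runs the three cases and returns a bit mask:
 * bit0 factory image inspects as normal,
 * bit1 a rewrite without fixup is caught by the checksum,
 * bit2 the same rewrite with fixup passes, but SUM-ADJ is now different
 *      (the change the history device records). Expected result: 7. */
int run_scenario(void)
{
    uint8_t rom[ROM_SIZE];
    int result = 0;

    factory_program(rom, 0x1234);
    uint16_t adj0 = rd16(rom + OFF_SUM_ADJ);
    if (inspect_rom(rom)) result |= 1;

    external_rewrite(rom, OFF_NUMERIC, 0x2EE0, 0);   /* e.g. a raised rev-limit map entry */
    if (!inspect_rom(rom)) result |= 2;

    external_rewrite(rom, OFF_NUMERIC, 0x2EE0, 1);   /* same rewrite, SUM-ADJ re-derived */
    if (inspect_rom(rom) && rd16(rom + OFF_SUM_ADJ) != adj0) result |= 4;

    return result;
}

int main(void)
{
    uint8_t rom[ROM_SIZE];
    factory_program(rom, 0x1234);
    printf("factory SUM-ADJ = 0x%04x, inspection %s\n", rd16(rom + OFF_SUM_ADJ),
           inspect_rom(rom) ? "normal" : "abnormal");
    external_rewrite(rom, OFF_NUMERIC, 0x2EE0, 0);
    printf("after rewrite without fixup: %s\n", inspect_rom(rom) ? "normal" : "abnormal");
    fixup_adjust(rom);
    printf("after fixup SUM-ADJ = 0x%04x, inspection %s\n", rd16(rom + OFF_SUM_ADJ),
           inspect_rom(rom) ? "normal" : "abnormal");
    printf("scenario mask = %d\n", run_scenario());
    return 0;
}
```

The design point the example makes concrete: because the reference value SUM-CHK stays fixed and SUM-ADJ is a free variable inside the summed area, the checksum inspection can always be satisfied by anyone who can write the ROM, legitimately or not. What cannot be hidden from the control device is that SUM-ADJ itself took a new value, and that is the quantity the history recording device stores.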
  • the ROM 8 has a soft switch area (SFSW) 37.
  • the soft switch area 37 stores a numerical value for switching the behavior of the control system.
  • the soft switch area 37 has an internal error area 38 for storing an internal error switch value (INT-E/D).
  • the internal error switch value includes information for setting validity or invalidity of the inspection of the control device 5 including the ROM 8.
  • the internal error switch value includes a switch bit for selecting whether to execute the check itself of the control unit 5 including the ROM 8, that is, enable or disable. Further, the internal error switch value includes a switch bit for selecting valid or invalid of the countermeasure process when an abnormality (internal error) of the control device 5 including the ROM 8 is detected.
  • the term “validation or invalidation of inspection” includes a case where the execution of the inspection itself is permitted or hindered, and a case where the countermeasure process executed when the result of the test is abnormal is permitted or hindered.
  • the internal error area 38 sets validity/invalidity of the inspection itself of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with, for example, the validity/invalidity of the inspection itself.
  • the internal error area 38 sets valid/invalid of the countermeasure process that can be used when an error is detected in the storage data of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with the valid/invalid of the countermeasure process, for example.
  • the countermeasure process can be provided by "prohibition/permission of start", "lighting/extinguishing of warning light", and/or "unlimited/limited function of internal combustion engine”.
  • "Limited/unlimited function of the internal combustion engine" is provided by, for example, "restricted/unlimited fuel injection amount", "restricted/unlimited ignition angle", "restricted/unlimited rotational speed", and/or "restricted/unlimited vehicle speed".
  • the internal error area 38 sets turning on/off of the warning lamp 16 when an error in the ROM 8 is detected.
  • i is the record number in a discrete sequence; i is an integer. (i) denotes the present data, (i-1) the previous data, and (i+1) the next data.
  • n is the maximum number of history records. n is set larger than the usual number of version upgrades in the market.
  • the history area 41 stores a predetermined number of history data LOG(i).
  • the history data LOG(i) may be stored by a first-in first-out method.
  • One history data LOG(i) includes both history data regarding the sum adjustment value area 36 and history data regarding the internal error area 38.
  • the history data regarding the sum adjustment value area 36 is referred to as a sum history LOG(i)ADJ.
  • the history data regarding the internal error area 38 is called a switch history LOG(i)E/D.
  • a plurality of history data LOG(1) to LOG(n) are stored sequentially and cumulatively. When it is determined that either the sum adjustment value area 36 or the internal error area 38 has been changed, one history record LOG(i) is added. The determination consists of two comparisons: the sum adjustment value SUM-ADJ in the ROM 8 is compared with the immediately preceding sum history LOG(i-1)ADJ in the EEPROM 10, and the internal error switch value INT-E/D in the ROM 8 is compared with the immediately preceding switch history LOG(i-1)E/D in the EEPROM 10. The determination is performed when the power source 2 is activated or when the control device 5 is power-on reset.
  • the first history data LOG(0) is an initial value.
  • the history data LOG(0) for example, both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D at the time of factory shipment are recorded.
  • the sum adjustment value area 36 or the internal error area 38 may be changed by external rewriting of the ROM 8, whether that rewriting is legitimate or unauthorized.
  • a character string 42 with the same contents as the history area 41 is displayed on the display device 26.
  • FIG. 2 shows an initial setting process 150 in the manufacturing stage of the control device 5.
  • the initial setting process 150 includes a process of setting factory shipping data in the ROM 8.
  • the illustrated initial setting process 150 includes a process of setting factory shipment data in the EEPROM 10.
  • the initial setting process 150 is executed by factory equipment as the external device 20.
  • the external device 20 writes factory shipment data in the ROM 8 in step 151.
  • the factory shipment data are so-called initial values.
  • In step 152, the external device 20 writes initial values in the program area 31 and the numerical area 32.
  • In step 153, the external device 20 writes initial values in the checksum area 35 and the sum adjustment value area 36.
  • In step 154, the external device 20 writes the initial value in the internal error area 38.
  • the external device 20 writes factory shipment data to the EEPROM 10 via the CPU 6 in step 155.
  • the external device 20 writes the initial value in the EEPROM 10.
  • the initial value includes both the sum history LOG(0)ADJ and the switch history LOG(0)E/D.
  • After the initial setting process 150, the control device 5 is combined with the power source 2 and the like and supplied to the market as the device system 1.
  • the control device 5 provides a device for detecting external rewriting by executing a plurality of processes described below after being supplied to the market.
  • step 155 is executed by the external device 20.
  • step 155 may be executed by the controller 5 in step 186 described below. In this case, all history data recorded in the EEPROM 10 is automatically stored.
  • FIG. 3 shows the rewriting process 160.
  • the rewriting process 160 is often performed after the control device 5 is shipped to the market.
  • the rewriting process 160 may be rarely performed in the factory before the controller 5 is shipped to the market.
  • the rewriting process 160 is executed by the legitimate external device 20 or the unauthorized external device 20.
  • the external device 20 writes a new rewrite value in the ROM 8 in step 161.
  • the external device 20 writes new data in the program area 31 and the numerical area 32.
  • the external device 20 writes new data in the sum adjustment value area 36.
  • the value of the checksum area 35 is not changed.
  • the external device 20 writes new data in the internal error area 38.
  • the internal error area 38 is rewritten to set whether the inspection is valid or invalid.
  • One use of rewriting the internal error area 38 is to set the execution or non-execution of the inspection itself.
  • Another use of rewriting the internal error area 38 is to invalidate or disable the countermeasure processing that occurs when the rewriting areas 33 and 34 are rewritten.
  • FIG. 4 shows the inspection process 170 of the ROM 8 executed by the control device 5.
  • The control device 5 first determines whether or not the check timing of the ROM 8 has arrived. The check timing is, for example, when the power source 2 is activated or when the control device 5 is power-on reset. If it is not the check timing (NO), the following processing is skipped. If it is the check timing (YES), the process continues.
  • In step 171 the control device 5 determines whether or not the inspection processing 170 itself is permitted by the internal error switch value INT-E/D. If it is permitted (YES), the process proceeds to step 172. If it is not permitted (NO), the following processing (steps 172-177) is skipped.
  • the controller 5 calculates a checksum for the ROM 8 in step 172.
  • the control device 5 calculates the calculated value SUMR from all the storage areas of the ROM 8 by the set checksum method.
  • the control device 5 reads the checksum value SUM-CHK as the reference value from the ROM 8.
  • In step 174 the controller 5 determines whether the calculated value SUMR is equal to the checksum value SUM-CHK. If they are equal (YES), the inspection result of the ROM 8 is normal and the process proceeds to step 175. If they are not equal (NO), the inspection result of the ROM 8 is abnormal (internal error) and the process proceeds to step 176.
  • Step 174 provides a checksum determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the checksum value calculated from the memory storage data including the adjustment value is equal to a predetermined reference value.
  • In step 175 the controller 5 determines whether the program or the numerical value is within the normal range. If it is (YES), the inspection result of the ROM 8 is normal and the following processing is skipped. If it is not (NO), the inspection result of the ROM 8 is abnormal (internal error) and the process proceeds to step 176.
  • Step 175 provides an internal error determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the program and/or the numerical value are within the normal range.
  • The normal range is preset as a range in which the normal function of the device system 1 can be maintained. For example, the normal range defines the upper limit engine speed of the internal combustion engine. When the value in the numerical value region 32 exceeds the upper limit rotation speed, the determination in step 175 branches to NO.
  • In step 176, the control device 5 checks the internal error switch value INT-E/D.
  • If the predetermined countermeasure process is permitted by the internal error switch value INT-E/D (YES), the process proceeds to step 177.
  • If the predetermined countermeasure process is not permitted by the internal error switch value INT-E/D (NO), the following process is skipped. In this case, although the abnormality (internal error) of the ROM 8 is detected, the countermeasure process is not executed.
  • Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determination unit determines that the ROM 8 is abnormal.
  • Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the ROM 8 is abnormal.
  • In step 177, the control device 5 executes a preset countermeasure process.
  • For example, the warning lamp 16 indicating that the abnormality (internal error) of the ROM 8 has been detected is turned on. This allows the user to know of the abnormality of the device system 1.
  • FIG. 5 shows a history process 180 executed by the control device 5.
  • In step 181, the control device 5 determines whether or not the power source 2 is activated.
  • The history process is executed every time the power source 2 is activated.
  • The control device 5 is activated by a power-on reset.
  • Each time the history recorder provided by the history process 180 is activated, the determinations by the first determination unit and the second determination unit, described later, are performed.
  • The process of step 181 is provided by detecting that the ignition switch has been switched from OFF to ON. If the power source 2 is activated (YES), the process proceeds to step 182.
  • If the power source 2 is not activated (NO), the following processing is skipped.
  • the control device 5 reads the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D from the ROM 8.
  • the control device 5 reads the current history data LOG(i) from the EEPROM 10.
  • the current history data LOG(i) is the last data stored in the history area 41.
  • the history data LOG(i) includes a sum history LOG(i)ADJ and a switch history LOG(i)E/D.
  • In step 184, the control device 5 determines whether or not the sum adjustment value SUM-ADJ stored in the ROM 8 and the current sum history LOG(i)ADJ stored in the EEPROM 10 are equal. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are equal (YES), the process proceeds to step 185. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are not equal (NO), the process proceeds to step 186. Step 184 provides a first determination unit that determines whether or not the adjustment value stored in the ROM 8 is equal to the history adjustment value included in the latest history (LOG(i)).
  • In step 185, the control device 5 determines whether the internal error switch value INT-E/D stored in the ROM 8 is equal to the current history data LOG(i)E/D stored in the EEPROM 10. If the internal error switch value INT-E/D and the history data LOG(i)E/D are equal (YES), the process ends. If the internal error switch value INT-E/D and the history data LOG(i)E/D are not equal (NO), the process proceeds to step 186. Step 185 provides a second determination unit that determines whether or not the switch value stored in the ROM 8 is equal to the history switch value included in the latest history (LOG(i)).
  • The control device 5 executes step 186 when a negative determination is made in either step 184 or step 185.
  • The controller 5 does not execute step 186 when the determinations in both step 184 and step 185 are positive.
  • In step 186, the control device 5 writes both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D stored in the ROM 8 into the EEPROM 10 as the latest history data LOG(i+1).
  • Step 186 provides a recording unit that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit 184 or the second determination unit 185.
  • FIG. 6 shows an output process 190 executed by the control device 5 and the external device 20.
  • the external device 20 determines whether the control device 5 and the external device 20 are connected by the connector 22. When the communicable connection is not established (NO), the following processing is skipped. When the communicable connection is established (YES), the process proceeds to step 192.
  • the diagnostic process includes various processes for outputting the state of the device system 1.
  • the external device 20 detects the operation requested by the user in step 192.
  • the request operation is an operation for requesting output of history data.
  • the requested operation is input by operating the input device 27. When there is no requested operation (NO), the following processing is skipped. If there is the requested operation (YES), the process proceeds to step 193. In step 193, the external device 20 outputs the request signal RQ to the control device 5.
  • the received history data is history data stored in the EEPROM 10.
  • the received history data is stored in the internal storage device 25 of the external device 20.
  • The history data of the EEPROM 10 presents the worker with both legitimate external rewriting and unauthorized external rewriting.
  • The worker can obtain the correct history data of the legitimate external rewriting.
  • The legitimate history data is provided by the manufacturer, for example.
  • The legitimate history data is provided in response to a request from the worker to the manufacturer.
  • The legitimate history data includes the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D generated by every legitimate external rewriting. Therefore, the operator can recognize that an external rewriting is not legitimate by comparing the history data of the EEPROM 10 with the legitimate history data.
  • the external device 20 may perform self-diagnosis in step 197.
  • the external device 20 stores the valid history data in the internal storage device 25 at least temporarily.
  • the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. As a result, valid rewriting is left as a history.
  • <Unauthorized external rewriting> It can be assumed that the ROM 8 is rewritten by unauthorized external rewriting. As unauthorized external rewriting, for example, a remodeling act without the manufacturer's permission can be assumed. In this case, the remodeler rewrites the rewrite areas 33 and 34. Further, the remodeler rewrites the sum adjustment value SUM-ADJ in order to trick the checksum check. In other words, the remodeler rewrites the sum adjustment value SUM-ADJ so that the determination result of the checksum inspection in step 174 branches to YES. Further, a careful remodeler rewrites the internal error switch value INT-E/D in order to prevent the checksum inspection itself. The careful remodeler rewrites the internal error switch value INT-E/D so that the determination in step 176 as to whether the countermeasure process is necessary branches to NO.
  • the remodeling person rewrites the rewriting areas 33 and 34 so as to make the behavior of the vehicle more intense.
  • an abnormality (internal error) may be detected to protect the device system 1.
  • In this case, the determination result of the normal range check in step 175 may branch to NO.
  • However, the determination in step 176 branches to NO.
  • Therefore, the control device 5 cannot detect the abnormality (internal error).
  • Even so, the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. As a result, the unauthorized rewriting is left as a history.
  • the data in the ROM 8 may be inverted irregularly due to device instability, device life, rare radiation, or the like.
  • an abnormality is detected by the inspection (checksum) of the ROM 8.
  • the control device 5 executes the countermeasure process preset by the internal error switch value INT-E/D.
  • FIG. 7 is a block diagram of a memory rewriting history recording device. Each block is provided by the hardware resource of the control device 5 and the software resource for operating the hardware resource.
  • the memory M1 stores programs and/or numerical values of the control device 5.
  • the memory M1 is externally rewritable and non-volatile.
  • the memory M1 is provided by the ROM 8.
  • The memory M1 is inspected by the inspection device M2.
  • The inspection device M2 inspects the data stored in the memory M1 and determines whether the memory M1 is normal or abnormal.
  • The inspection device M2 executes an "error check".
  • The inspection device M2 is a checksum checker that checks the data stored in the memory M1 with a checksum.
  • The inspection device M2 includes a checksum determination unit 174 that determines whether the memory M1 is normal or abnormal depending on whether the checksum value calculated from the storage data of the memory M1 including the adjustment value is equal to a predetermined reference value.
  • The inspection device M2 includes internal switch determination units 171 and 176 that determine whether the inspection of the memory M1 based on the checksum is valid or invalid based on the switch value.
  • The inspection device M2 includes an internal switch determination unit 171 that determines, based on the switch value, whether or not to execute the inspection itself of the memory M1 using the checksum.
  • The inspection device M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determination unit determines that the memory M1 is abnormal.
  • The inspection device M2 includes an internal error determination unit 175 that determines whether the memory M1 is normal or abnormal depending on whether or not the program and/or the numerical value is within the normal range.
  • The inspection device M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the memory M1 is abnormal.
  • When the inspection device M2 detects an abnormality (internal error) in the memory M1, the inspection device M2 executes a countermeasure process.
  • the memory M1 has a sum adjustment value area 36 that stores an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device M2 from determining an abnormality.
  • the memory M1 has an internal error area 38 for storing a switch value (INT-E/D) for setting whether the inspection by the inspector M2 is valid or invalid.
  • The first method of avoiding the countermeasure process is to trick the inspection by the inspection device M2.
  • For this, the sum adjustment value area 36 is utilized.
  • The inspection device M2 then does not detect an abnormality (internal error).
  • The sum adjustment value area 36 can be used to prevent the abnormality from being detected even though the inspection by the inspection device M2 is performed. Therefore, it can be said that the first method tricks the inspection while allowing the inspection device M2 to function normally.
  • the second method of avoiding the countermeasure process is provided by setting the validity or invalidity of the inspection itself by the inspection device M2.
  • the term “validation or invalidation of the inspection” includes a case where the execution of the inspection itself is obstructed and a case where the countermeasure process executed when the result of the inspection is abnormal is obstructed.
  • the internal error area 38 is utilized. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspection by the inspector M2 is set to be valid or invalid.
  • One form of the second method is to obstruct the execution of the inspection itself by the inspection device M2.
  • For this, the internal error area 38 is used.
  • If the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspection device M2 does not execute the inspection itself.
  • Another form of the second method is to block only the execution of the countermeasure process that is activated in response to the inspection result.
  • For this, too, the internal error area 38 is used.
  • In that case, the inspection device M2 does not execute the countermeasure process even if it detects an abnormality (internal error).
  • the history recorder M3 cumulatively records both the adjustment value and the switch value in order to monitor both the first method and the second method.
  • the history contains both adjustment values and switch values.
  • the fact that external rewriting has been performed is recorded regardless of whether it is valid or illegal. Since not only the adjustment value but also the switch value is recorded, both the correct external rewriting and the unauthorized external rewriting can be recorded as the history.
  • This provides a memory rewriting history recording device in which a rewriting action can be found efficiently.
  • the history recorder M3 records the history of external rewriting for the memory M1.
  • the history recorder M3 includes another non-volatile memory different from the memory M1.
  • the other memory is provided by the EEPROM 10.
  • the history recorder M3 is configured to record both the adjustment value and the switch value as history when the memory M1 is externally rewritten.
  • the history recorder M3 includes a first determination unit 184 and a second determination unit 185.
  • the first determination unit 184 determines whether or not the adjustment value stored in the memory M1 and the history adjustment value included in the latest history (LOG(i)) are the same.
  • the second determination unit 185 determines whether the switch value stored in the memory M1 is equal to the history switch value included in the latest history (LOG(i)).
  • the history recorder M3 includes a recording unit 186 that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit or the second determination unit.
  • the history recorder M3 is configured to execute the determination by the first determination unit 184 and the second determination unit 185 each time the history recorder M3 is activated. Specifically, the activation is the turning on of the power switch of the control device 5.
  • the memory rewriting history recording device may include an output device M4.
  • The output device M4 outputs the history data recorded by the history recorder M3. Since the history includes both the adjustment value and the switch value, these values reveal both legitimate external rewriting and unauthorized external rewriting.
  • the control device 5 can include a memory M1, an inspector M2, and a history recorder M3. In one embodiment, the output device M4 is provided by the external device 20 connectable to the control device 5 in data communication.
  • The specific data that can be externally rewritten includes a sum adjustment value SUM-ADJ for tricking an inspection by a so-called checksum. Further, the specific data that can be externally rewritten includes an internal error switch value INT-E/D for setting the inspection valid or invalid. By including both of these two data, the accuracy of detecting external rewriting is improved.
  • The externally rewritable storage area may be rewritten regardless of whether the rewriting is legitimate or illegitimate.
  • If rewriting were detected by storing a hash code of the storage area instead, a large memory capacity would be required to store the hash code.
  • The data amount of the sum adjustment value SUM-ADJ in this embodiment is significantly smaller than the data amount of such a hash code. Therefore, according to this embodiment, it is possible to provide a memory rewriting history recording device that can efficiently detect rewriting of a storage area.
  • the check function of the storage area by the checksum can be provided by small-scale hardware or software. Therefore, it is possible to provide a memory rewrite history recording device in which rewriting of the storage area can be found by a small-scale configuration.
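The inspection process 170, the history process 180 and the history comparison of the output process (FIG. 6), as an added example in C; this is not the patent's code. The ROM layout, the additive 16-bit checksum, the two-bit encoding of INT-E/D (one bit for step 171, one for step 176), the 12000 rpm normal-range limit and all sample values are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the ROM 8 / EEPROM 10 areas named in the description. Area sizes, the additive
   checksum and the two-bit meaning of INT-E/D are assumptions, not the patent's. */
#define DATA_WORDS 8
#define LOG_CAPACITY 16
#define RPM_UPPER_LIMIT 12000u  /* assumed normal-range bound for step 175 */
#define ED_INSPECT 0x01         /* INT-E/D bit: inspection itself permitted (step 171) */
#define ED_COUNTERMEASURE 0x02  /* INT-E/D bit: countermeasure permitted (step 176) */
typedef struct {
    uint16_t data[DATA_WORDS]; /* rewrite areas 33/34 (program, numerical values; [0] = upper limit engine speed) */
    uint16_t sum_adj;          /* sum adjustment value SUM-ADJ (area 36) */
    uint8_t  int_ed;           /* internal error switch value INT-E/D (area 38) */
    uint16_t sum_chk;          /* reference checksum value SUM-CHK */
} rom_t;
typedef struct { uint16_t adj; uint8_t ed; } log_entry_t;                 /* LOG(i) = (LOG(i)ADJ, LOG(i)E/D) */
typedef struct { log_entry_t log[LOG_CAPACITY]; size_t count; } eeprom_t; /* history area 41 */
typedef enum { INSPECT_SKIPPED, INSPECT_OK, INSPECT_ERROR_IGNORED, INSPECT_COUNTERMEASURE } inspect_result_t;
/* Steps 172-173: additive 16-bit checksum over every ROM area except the stored reference word. */
uint16_t rom_checksum(const rom_t *rom) {
    uint16_t s = 0;
    for (size_t i = 0; i < DATA_WORDS; i++) s += rom->data[i];
    return (uint16_t)(s + rom->sum_adj + rom->int_ed);
}
/* Sets SUM-ADJ so the checksum equals SUM-CHK: the adjustment every rewrite (legitimate or not) must make. */
void seal_rom(rom_t *rom) {
    rom->sum_adj = 0;
    rom->sum_adj = (uint16_t)(rom->sum_chk - rom_checksum(rom));
}
/* Inspection process 170 (FIG. 4, steps 171-177). */
inspect_result_t inspection_process(const rom_t *rom) {
    if (!(rom->int_ed & ED_INSPECT)) return INSPECT_SKIPPED;              /* step 171 */
    bool abnormal = rom_checksum(rom) != rom->sum_chk;                    /* step 174 */
    if (!abnormal && rom->data[0] > RPM_UPPER_LIMIT) abnormal = true;     /* step 175 */
    if (!abnormal) return INSPECT_OK;
    if (!(rom->int_ed & ED_COUNTERMEASURE)) return INSPECT_ERROR_IGNORED; /* step 176 */
    return INSPECT_COUNTERMEASURE;                                        /* step 177: lamp 16 on */
}
/* History process 180 (FIG. 5, steps 181-186), run at every power-on; true if LOG(i+1) was written. */
bool history_process(const rom_t *rom, eeprom_t *ee) {
    const log_entry_t *cur = ee->count ? &ee->log[ee->count - 1] : NULL;  /* current history LOG(i) */
    if (cur && cur->adj == rom->sum_adj && cur->ed == rom->int_ed) return false; /* steps 184, 185 both YES */
    if (ee->count == LOG_CAPACITY) return false;                          /* assumed: history area full */
    ee->log[ee->count].adj = rom->sum_adj; ee->log[ee->count].ed = rom->int_ed; /* step 186 */
    ee->count++;
    return true;
}
/* Output process (FIG. 6): history entries absent from the manufacturer's legitimate history list. */
size_t count_unauthorized(const eeprom_t *ee, const log_entry_t *valid, size_t nvalid) {
    size_t bad = 0;
    for (size_t i = 0; i < ee->count; i++) {
        size_t j = 0;
        while (j < nvalid && !(valid[j].adj == ee->log[i].adj && valid[j].ed == ee->log[i].ed)) j++;
        if (j == nvalid) bad++;                                           /* no legitimate match */
    }
    return bad;
}
/* Constructed helpers: a sealed ROM image with the given speed limit and switch value, and its inspection. */
rom_t make_rom(uint16_t rpm, uint8_t ed) {
    rom_t rom; memset(&rom, 0, sizeof rom);
    rom.sum_chk = 0xA5A5; rom.data[0] = rpm; rom.int_ed = ed;
    seal_rom(&rom); return rom;
}
inspect_result_t inspect_rom(uint16_t rpm, uint8_t ed) { rom_t r = make_rom(rpm, ed); return inspection_process(&r); }
/* Scenario: factory image, a legitimate update, then a remodel that re-seals SUM-ADJ and clears INT-E/D. */
size_t demo_unauthorized_entries(void) {
    eeprom_t ee; memset(&ee, 0, sizeof ee);
    log_entry_t valid[2];
    rom_t rom = make_rom(9000, ED_INSPECT | ED_COUNTERMEASURE);           /* factory image */
    history_process(&rom, &ee); valid[0] = ee.log[0];                     /* LOG(1) */
    rom = make_rom(9500, ED_INSPECT | ED_COUNTERMEASURE);                 /* legitimate update */
    history_process(&rom, &ee); valid[1] = ee.log[1];                     /* LOG(2) */
    rom = make_rom(14000, 0);                                             /* unauthorized remodel */
    history_process(&rom, &ee);                                           /* LOG(3): still recorded */
    return count_unauthorized(&ee, valid, 2);
}
```

The checksum alone passes for the remodelled image and the switch suppresses the inspection, yet the history recorder still writes LOG(3) because both SUM-ADJ and INT-E/D changed, and the output comparison flags exactly that entry.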
  • the disclosures in this specification and the drawings are not limited to the illustrated embodiments.
  • The disclosure encompasses the illustrated embodiments and variations based on them.
  • the disclosure is not limited to the combination of parts and/or elements shown in the embodiments.
  • the disclosure can be implemented in various combinations.
  • the disclosure may have additional parts that may be added to the embodiments.
  • the disclosure includes omissions of parts and/or elements of the embodiments.
  • the disclosure includes replacements or combinations of parts and/or elements between one embodiment and another.
  • the disclosed technical scope is not limited to the description of the embodiments. It is to be understood that some technical scopes disclosed are shown by the description of the claims, and further include meanings equivalent to the description of the claims and all modifications within the scope.
  • the history processing 180 and the history recorder M3 record the history in the EEPROM 10.
  • the history processing 180 and the history recorder M3 may record the history in a server communicably connected by wireless.
  • the external device 20 may be provided by a server that is communicably connected by wireless. In this case, external rewriting in the plurality of control devices 5 can be centrally monitored and managed by the server.
Abstract

The present invention relates to a system comprising a non-volatile memory which stores a control program and/or a control numerical value of a control device and which is externally rewritable. The system is provided with an inspection device for inspecting the storage data of the memory and for determining whether the memory is normal or abnormal. The system is provided with a history recording device for recording a history of external rewriting. The memory has an area in which an adjustment value SUM-ADJ is stored, the adjustment value SUM-ADJ being rewritten so as to stop a determination by the inspection device that the memory is abnormal. The memory has an area in which a switch value INT-E/D is stored, the switch value INT-E/D setting the inspection by the inspection device to be valid or invalid. The history comprises both the adjustment value and the switch value. The invention further relates to a memory rewriting history recording device designed to find a rewriting action efficiently.
PCT/JP2019/041841 2019-01-30 2019-10-25 Dispositif d'enregistrement de l'historique des réinscriptions en mémoire WO2020158075A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980090587.0A CN113396398B (zh) 2019-01-30 2019-10-25 存储器的改写历史记录装置
JP2020569374A JP7085029B2 (ja) 2019-01-30 2019-10-25 メモリの書き換え履歴記録装置

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-014671 2019-01-30
JP2019014671 2019-01-30

Publications (1)

Publication Number Publication Date
WO2020158075A1 true WO2020158075A1 (fr) 2020-08-06

Family

ID=71840044

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/041841 WO2020158075A1 (fr) 2019-01-30 2019-10-25 Dispositif d'enregistrement de l'historique des réinscriptions en mémoire

Country Status (3)

Country Link
JP (1) JP7085029B2 (fr)
CN (1) CN113396398B (fr)
WO (1) WO2020158075A1 (fr)
Also Published As

Publication number Publication date
JPWO2020158075A1 (ja) 2021-09-30
JP7085029B2 (ja) 2022-06-15
CN113396398A (zh) 2021-09-14
CN113396398B (zh) 2023-11-28
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19912358; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2020569374; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19912358; Country of ref document: EP; Kind code of ref document: A1)