WO2020179592A1 - In-vehicle update device, update processing program, and program update method - Google Patents

In-vehicle update device, update processing program, and program update method

Info

Publication number
WO2020179592A1
WO2020179592A1 PCT/JP2020/007925 JP2020007925W WO2020179592A1 WO 2020179592 A1 WO2020179592 A1 WO 2020179592A1 JP 2020007925 W JP2020007925 W JP 2020007925W WO 2020179592 A1 WO2020179592 A1 WO 2020179592A1
Authority
WO
WIPO (PCT)
Prior art keywords
vehicle
update
program
storage unit
update program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2020/007925
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
拓也 小林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Original Assignee
Sumitomo Wiring Systems Ltd
AutoNetworks Technologies Ltd
Sumitomo Electric Industries Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sumitomo Wiring Systems Ltd, AutoNetworks Technologies Ltd, Sumitomo Electric Industries Ltd
Priority to CN202080014751.2A (CN113453959B)
Priority to US17/434,651 (US11630659B2)
Publication of WO2020179592A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/656 Updates while running
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • B60R16/023 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements for transmission of signals between vehicle parts or subsystems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operations
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1405 Saving, restoring, recovering or retrying at machine instruction level
    • G06F11/1407 Checkpointing the instruction stream
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/004 Error avoidance
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14 Error detection or correction of the data by redundancy in operations
    • G06F11/1402 Saving, restoring, recovering or retrying
    • G06F11/1415 Saving, restoring, recovering or retrying at system level
    • G06F11/1433 Saving, restoring, recovering or retrying at system level during software upgrading

Definitions

  • the present disclosure relates to an in-vehicle update device, an update processing program, and a program update method.
  • This application claims priority based on Japanese Application No. 2019-38882 filed on March 4, 2019, and incorporates all the contents described in the Japanese application.
  • the vehicle is equipped with an in-vehicle control device for controlling in-vehicle devices of a power train system such as engine control and a body system such as air conditioner control, for example, an in-vehicle ECU (Electronic Control Unit).
  • the in-vehicle control device includes an arithmetic processing unit such as an MPU (Micro Processing Unit), a rewritable nonvolatile storage unit such as a RAM (Random Access Memory), and a communication unit for communicating with another in-vehicle control device.
  • the in-vehicle device is controlled by reading and executing the control program stored in the storage unit.
  • a relay device (in-vehicle update device) having a wireless communication function is mounted on the vehicle.
  • the relay device communicates with a program providing device such as an external server connected to a network outside the vehicle, and downloads (receives) a control program of the vehicle-mounted control device from the program providing device.
  • the downloaded program is stored in the storage unit of the relay device.
  • the program stored in the storage unit is transmitted to the vehicle-mounted control device, and the control program of the vehicle-mounted control device is updated (reprogramming, repro).
  • the in-vehicle update device is an in-vehicle update device that acquires an update program transmitted from an external server outside the vehicle and performs a process for updating the program of the in-vehicle control device mounted on the vehicle.
  • it includes a storage unit and a control unit, wherein the storage unit stores the acquired update program, and the control unit controls transmission of the acquired update program to the vehicle-mounted control device.
  • when the transmission is interrupted due to the stop of the vehicle, the control unit compares the derived values derived from the update program stored in the storage unit before and after the interruption, and determines the validity of the update program stored in the storage unit based on the comparison result.
  • FIG. 1 is a schematic diagram showing a configuration of an onboard updating system according to a first embodiment.
  • FIG. 2 is a block diagram showing a configuration of an in-vehicle updating device according to a first embodiment.
  • FIG. 3 is a flowchart illustrating the processing of a control unit of an in-vehicle update device.
  • FIG. 4 is a sequence diagram showing the communication signals and update program transmitted and received among a program providing device, an in-vehicle update device, and an in-vehicle control device.
  • the present disclosure has been made in view of such circumstances, and an object thereof is to provide an in-vehicle update device or the like that can ensure the legitimacy of a program stored in a storage unit of the in-vehicle update device.
  • the in-vehicle update device is an in-vehicle update device that acquires an update program transmitted from an external server outside the vehicle and performs a process for updating the program of the in-vehicle control device mounted on the vehicle.
  • a storage unit and a control unit are provided, and the acquired update program is stored in the storage unit, and the control unit controls transmission of the acquired update program to the vehicle-mounted control device.
  • the control unit compares each of the derived values derived based on the update program stored in the storage unit before and after the interruption when the transmission is interrupted by the stop of the vehicle. The validity of the update program stored in the storage unit is determined based on the comparison result.
  • the control unit determines the validity of the update program stored in the storage unit. Therefore, when resuming the transmission, the validity of the update program stored in the storage unit can be ensured. For example, it can be guaranteed that the update program has not been tampered with during the interruption.
  • the control unit determines that the update program stored in the storage unit is invalid, and acquires the update program from the external server from the beginning.
  • when the control unit determines that the update program stored in the storage unit is invalid, the control unit obtains the update program from the external server from the beginning and restarts the update of the in-vehicle control device. Therefore, it is possible to prevent an unauthorized update program from being transmitted to the on-vehicle control device.
  • when the derived values before and after the interruption are the same, the control unit determines that the update program stored in the storage unit is valid, and restarts the transmission from the interruption point.
  • when the control unit determines that the update program stored in the storage unit is valid, the control unit restarts updating the in-vehicle control device using the update program stored in the storage unit. Therefore, once the validity of the update program stored in the storage unit has been ensured, it is not necessary to acquire the update program again, and it is possible to reduce the communication cost and the processing time for acquiring the update program.
  • the interruption point is derived based on the checkpoint included in the acquired update program.
  • the update of the in-vehicle control device is restarted from the interruption point derived from the checkpoint included in the update program. Therefore, the update is efficiently restarted.
  • the control unit erases the update program stored in the storage unit from the storage unit.
  • the update processing program causes a computer to execute processing of acquiring an update program transmitted from an external server outside the vehicle, storing the acquired update program in a storage unit, transmitting the update program to an in-vehicle control device, comparing the derived values derived from the update program stored in the storage unit before and after an interruption of the transmission, and determining the validity of the update program stored in the storage unit based on the comparison result.
  • the computer can be caused to function as the in-vehicle update device of one aspect of the present disclosure.
  • an update program transmitted from an external server outside the vehicle is acquired, the acquired update program is stored in a storage unit, and the update program is transmitted to an in-vehicle control device.
  • the derived values derived from the update program stored in the storage unit before and after the interruption of the transmission are compared, and the validity of the update program stored in the storage unit is determined based on the comparison result.
  • the validity of the update program stored in the storage unit is determined when the transmission of the update program stored in the storage unit to the in-vehicle control device is resumed after being interrupted. Therefore, it is possible to provide a program update method that can guarantee the validity of the update program stored in the storage unit when the transmission is restarted.
  • FIG. 1 is a schematic diagram showing the configuration of the vehicle-mounted update system S according to the first embodiment.
  • FIG. 2 is a block diagram showing a configuration of the vehicle-mounted update device 2 according to the first embodiment.
  • the vehicle-mounted update system S includes the external communication device 1 and the vehicle-mounted update device 2 mounted on the vehicle C, and transmits the program or data acquired from the program providing device S1, which is connected via the external network N, to the on-vehicle control device 3 (on-vehicle ECU) mounted on the vehicle C.
  • the program providing device S1 is a computer such as a server connected to an external network N such as the Internet or a public line network, includes a storage unit S11 such as a RAM, a ROM (Read Only Memory) or a hard disk, and corresponds to the external server outside the vehicle.
  • the storage unit S11 of the program providing device S1 stores a program or data created by a manufacturer or the like of the in-vehicle control device 3 for controlling the in-vehicle control device 3.
  • the program or data is transmitted to the vehicle C as an update program as described later, and is used to update the program or data of the vehicle-mounted control device 3 mounted on the vehicle C.
  • the program providing device S1 (external server) configured in this way is also referred to as an OTA (Over The Air) server.
  • the vehicle-mounted control device 3 mounted on the vehicle C acquires the update program transmitted by wireless communication from the program providing device S1 and applies it as the program to be executed, so that the program executed by the on-vehicle control device 3 can be updated (repro).
  • the program will be described as including a program code including a control syntax and the like for the in-vehicle control device 3 to perform processing, and an external file in which data to be referred to when executing the program code is described.
  • the external file in which these program codes and data are described is transmitted from the program providing device S1 as, for example, an encrypted archive file.
  • the vehicle C is equipped with an external communication device 1, an in-vehicle update device 2, a display device 5, an IG (ignition) switch 6, and a plurality of in-vehicle control devices 3 for controlling various in-vehicle devices.
  • the vehicle exterior communication device 1 and the vehicle-mounted update device 2 are communicatively connected by a harness such as a serial cable.
  • the vehicle-mounted update device 2 and the vehicle-mounted control device 3 are communicatively connected by an in-vehicle LAN 4 that supports a communication protocol such as CAN (Controller Area Network/registered trademark) or Ethernet (registered trademark).
  • the out-of-vehicle communication device 1 includes an out-of-vehicle communication unit 11 and an input / output I / F (interface) 12 for communicating with the in-vehicle update device 2.
  • the external communication unit 11 is a communication device for performing wireless communication using a mobile communication protocol such as 3G, LTE, 4G, or WiFi, and transmits and receives data to and from the program providing device S1 via an antenna 13 connected to the external communication unit 11. Communication between the out-of-vehicle communication device 1 and the program providing device S1 is performed via an external network such as a public network or the Internet.
  • the input/output I/F 12 is a communication interface for the external communication device 1 and the in-vehicle update device 2 to perform serial communication, for example.
  • the external communication device 1 and the vehicle-mounted update device 2 communicate with each other via harnesses such as a serial cable connected to the input / output I / F12 and the input / output I / F24 included in the vehicle-mounted update device 2.
  • the vehicle exterior communication device 1 is a device separate from the vehicle-mounted update device 2, and these devices are communicably connected by the input/output I/F 12 or the like, but the invention is not limited to this.
  • the vehicle exterior communication device 1 may be incorporated in the vehicle-mounted update device 2 as a component of the vehicle-mounted update device 2.
  • the onboard updating device 2 includes a control unit 20, a storage unit 21, and an in-vehicle communication unit 23.
  • the in-vehicle update device 2 acquires, from the external communication device 1, the update program that the external communication device 1 received from the program providing device S1 by wireless communication, and is configured to transmit the update program to the predetermined (update target) in-vehicle control device 3 via the in-vehicle LAN 4.
  • the in-vehicle update device 2 is, for example, a gateway (relay device) that supervises a plurality of system segments, such as the control system in-vehicle control devices 3, the safety system in-vehicle control devices 3 and the body system in-vehicle control devices 3, and relays communication between the in-vehicle control devices 3 across these segments.
  • the vehicle-mounted update device 2 may be configured as one functional unit of the body ECU that controls the entire vehicle C.
  • the control unit 20 is configured by a CPU (Central Processing Unit), MPU, or the like, and performs various control processes and arithmetic processes by reading and executing a control program and data stored in advance in the storage unit 21.
  • the control unit 20 transmits the update program to the in-vehicle control device 3 via the in-vehicle communication unit 23.
  • the control unit 20 derives the derived values based on the update program stored in the storage unit 21, compares the derived values, and determines the validity of the update program stored in the storage unit 21.
  • the control unit 20 erases the update program stored in the storage unit 21.
  • the storage unit 21 is configured by a volatile memory element such as a RAM or a non-volatile memory element such as a ROM, an EEPROM (Electrically Erasable Programmable ROM) or a flash memory, and stores in advance a control program and data to be referred to at the time of processing.
  • the control program stored in the storage unit 21 may be a control program read from a recording medium 22 that can be read by the vehicle-mounted update device 2. Alternatively, the control program may be downloaded from an external computer (not shown) connected to a communication network (not shown) and stored in the storage unit 21. Although details will be described later, the storage unit 21 stores a program or data for deriving a derived value, and stores the update program acquired from the program providing device S1.
  • the in-vehicle communication unit 23 is an input/output interface using a communication protocol such as CAN (registered trademark) or Ethernet (registered trademark), and the control unit 20 communicates, via the in-vehicle communication unit 23, with the vehicle-mounted control devices 3 and other relay devices connected to the in-vehicle LAN 4.
  • a plurality of (three in the drawing) in-vehicle communication units 23 are provided, and each in-vehicle communication unit 23 is connected to a communication line that constitutes the in-vehicle LAN 4.
  • the in-vehicle LAN 4 is divided into a plurality of segments, and the in-vehicle control devices 3 are connected to the segments according to their functions (control system function, safety system function, body function).
  • the on-vehicle control device 3 includes a control unit 30, a storage unit 31, and an in-vehicle communication unit 32.
  • the storage unit 31 is composed of a volatile memory element such as a RAM or a non-volatile memory element such as a ROM, EEPROM or a flash memory, and stores a program or data of the vehicle-mounted control device 3. This program or data is a target to be updated by the update program transmitted from the vehicle-mounted update device 2.
  • the storage unit 31 includes a first storage area (first surface) 311 and a second storage area (second surface) 312.
  • the storage unit 31 stores two programs: the program currently executed (applied) by the vehicle-mounted control device 3 (current version) and the program that was applied before the current version (old version).
  • the current version of the program and the old version of the program are stored separately in either the first storage area 311 or the second storage area 312. That is, when the current version of the program is stored in the first storage area 311, the old version of the program is stored in the second storage area 312. When the old version program is stored in the first storage area 311, the current version program is stored in the second storage area 312.
  • the control unit 30 can ensure the reliability of the in-vehicle control device 3 by reading and executing (switching to) the previously applied old version of the program, which was operating normally.
  • the storage unit 31 stores information about the versions of the two programs, the current version and the old version, and information about the area (operation surface) in which the program currently being executed (applied) is stored. That is, when the program stored in the first storage area (first surface) 311 is currently being executed, the storage unit 31 stores that the operating surface is the first storage area (first surface) 311. When the program stored in the second storage area (second surface) 312 is currently being executed, the storage unit 31 stores that the operating surface is the second storage area (second surface) 312.
  • the storage unit 31 stores the version information of the programs (current version and old version) and information on the operation side.
  • the control unit 30 is composed of a CPU, an MPU, or the like, reads and executes programs and data stored in the storage unit 31 (operating surface) to perform control processing and the like, and controls the in-vehicle device that includes the in-vehicle control device 3, actuators, and the like.
  • the control unit 30 of the in-vehicle control device 3 receives the update program transmitted from the in-vehicle update device 2 via the in-vehicle communication unit 32 and acquires the update program. Therefore, the control unit 30 of the vehicle-mounted control device 3 acquires the update program transmitted from the program providing device S1 via the vehicle exterior communication device 1 and the vehicle-mounted update device 2.
  • the control unit 30 stores the acquired update program in a storage area (first storage area 311 or second storage area 312) that is not an operating surface. That is, when acquiring the update program transmitted from the vehicle-mounted update device 2, the control unit 30 erases the program stored in the storage area (non-operating surface) other than the operating surface as a preparatory process for the acquisition.
  • the program stored in the storage area other than the operation surface is an old version of the program executed before the current version of the program, so the control unit 30 can erase the old version of the program and store the update program transmitted from the vehicle-mounted update device 2 in the non-operation surface without stopping the control function of the in-vehicle control device 3 for the in-vehicle device.
  • the acquisition of the update program by the in-vehicle update device 2 from the program providing device S1 and the transmission of the update program from the in-vehicle update device 2 to the in-vehicle control device 3 are performed, for example, in block units divided by a predetermined data size. A block ID for individually identifying the block is assigned to each of the acquired and transmitted blocks, and the control unit 20 of the vehicle-mounted update device 2 stores the acquired and transmitted block ID in the storage unit 21. Thereby, the block ID can be used as a checkpoint to identify the interruption point at which the acquisition and transmission of the previous update program were interrupted.
  • the control unit 30 of the vehicle-mounted control device 3 may store the received block ID in the storage unit 31.
  • after the control unit 30 of the in-vehicle control device 3 normally ends the reception of the update program, that is, normally ends the reception of all the divided blocks, it switches the operation surface so that the received update program is applied and executed as the current version of the program.
  • when the control unit 30 normally ends the reception of the update program and normally switches the operation surface, the control unit 30 stores in the storage unit 31 that the update of the program is completed (normal end), and further transmits (notifies) this to the in-vehicle update device 2.
  • the control unit 30 of the vehicle-mounted control device 3 performs rollback processing, that is, it switches (rolls back) the operation surface to the storage area on the non-operation surface in which the program of the version before the update program (old version) is stored, and executes (applies) the program of the previous version.
  • the control unit 30 may store the failure (abnormal end) of the update in the storage unit 31 and further transmit (notify) to the vehicle-mounted update device 2.
  • the display device 5 is an HMI (Human Machine Interface) device such as a car navigation display.
  • the display device 5 is communicatively connected to the input/output I/F 24 of the vehicle-mounted update device 2 by a harness such as a serial cable.
  • the display device 5 displays data or information output from the control unit 20 of the vehicle-mounted update device 2 via the input/output I/F 24.
  • the connection form between the display device 5 and the onboard update device 2 is not limited to the connection form by the input/output I/F 24, and the display device 5 and the onboard update device 2 may be a connection form via the in-vehicle LAN 4.
  • the IG switch 6 is a switch for switching the operating state of a prime mover (not shown) such as an engine of vehicle C. For example, the user switches the IG switch 6 from off to on, starts the vehicle C, and starts traveling of the vehicle C. After that, after the traveling of the vehicle C is completed, the user switches the IG switch 6 from on to off and stops the vehicle.
  • the IG switch 6 is communicatively connected to the input/output I/F 24 of the vehicle-mounted update device 2 by a harness such as a serial cable. The switching state (ON or OFF) of the IG switch 6 is notified to the control unit 20 of the vehicle-mounted update device 2 via the input/output I/F 24.
  • a signal indicating ON or OFF of the IG switch 6 is input from the IG switch 6 to the control unit 20 of the vehicle-mounted update device 2 via the input/output I/F 24.
  • the connection form between the IG switch 6 and the vehicle-mounted update device 2 is not limited to the connection form by the input / output I / F 24, and the IG switch 6 and the vehicle-mounted update device 2 may be connected via the in-vehicle LAN 4.
  • FIG. 3 is a flowchart exemplifying the processing of the control unit 20 of the vehicle-mounted update device 2.
  • FIG. 4 is a sequence diagram showing communication signals and update programs transmitted and received among the program providing device S1, the vehicle-mounted update device 2, and the vehicle-mounted control device 3.
  • the control unit 20 of the vehicle-mounted update device 2 communicates with the program providing device S1 via the vehicle exterior communication device 1 at regular or irregular intervals as to whether a program or data that should be updated, that is, the update program, is prepared in the program providing device S1.
  • the control unit 20 may perform the following processing based on the update notification from the program providing device S1 acquired via the external communication device 1.
  • the control unit 20 may cause the display device 5 to display the update notification, and perform the following processing based on the approval of the update input by the operator of the vehicle C through an input terminal such as the touch panel included in the display device 5.
  • the control unit 20 of the in-vehicle updating device 2 requests the program providing device S1 to send the update program.
  • the control unit 20 acquires (receives) the update program from the program providing device S1 in block units (S11), and transmits the acquired update program to the vehicle-mounted control device 3 in block units.
  • the control unit 20 acquires an update program in block units via the external communication device 1, and the acquired update program is stored in the storage unit 21.
  • the update program stored in the storage unit 21 is transmitted by the control unit 20 to the vehicle-mounted control device 3 in block units via the in-vehicle LAN 4.
  • the update program to be acquired may be subjected to concealment processing such as encryption by a common key method or a public key method.
  • the encrypted update program is stored in the storage unit 21 and decrypted by the control unit 20.
  • the decrypted update program is stored in the storage unit 21, and is transmitted to the in-vehicle control device 3 in block units by the control unit 20.
  • the control unit 20 of the in-vehicle update device 2 transmits the update program to the in-vehicle control device 3 in block units divided into a predetermined data size.
  • the control unit 20 may extract a separator included in the update program and divide the update program based on the separator to form a block.
  • the control unit 20 acquires the update program in units of blocks similarly divided. A block ID for identifying each block is given to the block.
  • the control unit 20 stores the block ID of the acquired and transmitted block in the storage unit 21.
  • the control unit 20 of the in-vehicle update device 2 determines whether the transmitted block is the last block.
  • the control unit 20 determines the number of blocks to be generated when, for example, the update program is divided into blocks with a predetermined data size.
  • the number of blocks thus determined becomes the last block ID number, and the control unit 20 determines whether the transmission of the update program is complete by determining whether the block ID of the block transmitted this time is that last number.
  • the control unit 20 of the vehicle-mounted update device 2 transmits the block with the block ID in the next order from the block ID of the previously transmitted block.
  • the control unit 20 sequentially transmits blocks of the update program divided by a predetermined data size to the vehicle-mounted control device 3 to be updated.
  • upon receiving the block of the update program transmitted from the in-vehicle update device 2, the in-vehicle control device 3 to be updated stores the block in the storage area (first storage area 311 or second storage area 312) on the non-operation side.
  • the vehicle-mounted control device 3 may store the block ID of the received block in the storage unit 31.
  • the control unit 20 of the vehicle-mounted update device 2 uses the stored block ID as a checkpoint for acquisition and transmission of the update program, and derives an interruption point at which acquisition and transmission of the update program is interrupted based on the checkpoint. Can be done.
  • the update program may include a plurality of checkpoints and an EOF (End Of File) indicating information indicating the end of the file of the update program.
  • the control unit 20 may detect the checkpoint by tracing back to the beginning of the file from the EOF and derive the interruption point based on the checkpoint detected (confirmed) first.
  • the checkpoint may use, for example, a predetermined character code or a separator that divides a segment in the file.
  • the derivation of the interruption point is not limited to the derivation based on the checkpoint, and the control unit 20 may communicate with the program providing device S1 to derive the interruption point.
  • The control unit 20 of the in-vehicle update device 2 uses the electricity stored in the power storage device (not shown) of the in-vehicle update device 2 after the vehicle C is stopped.
  • A first derived value is derived (S13). That is, the first derived value is a value derived based on the update program stored in the storage unit 21 before the acquisition and transmission of the update program are interrupted.
  • The derived first derived value is stored in the storage unit 21.
  • The first derived value is, for example, a hash value or a MAC (Message Authentication Code) value.
  • The first derived value, when it is a hash value, is derived from the update program stored in the storage unit 21 using the hash function stored in the storage unit 21.
  • The first derived value, when it is a MAC value, is derived from the update program stored in the storage unit 21 using the common key (shared key) and the MAC algorithm stored in the storage unit 21.
  • The derivation of the derived value is not limited to derivation by the control unit 20; the in-vehicle update device 2 may include a dedicated processor communicably connected to the control unit 20, and that processor may derive the derived value.
  • When the vehicle C is in a stopped state, that is, when the IG switch is not on (S14: NO), the control unit 20 of the in-vehicle update device 2 performs loop processing to make the determination in S14 again. In performing the loop processing, the control unit 20 may execute a standby process (sleep) for a predetermined time.
  • The control unit 20 of the in-vehicle update device 2 derives the second derived value based on the update program stored in the storage unit 21 (S15). That is, the second derived value is derived based on the update program stored in the storage unit 21 after the acquisition and transmission of the update program are interrupted.
  • The derived second derived value is stored in the storage unit 21.
  • The second derived value is derived by the same method as the above-mentioned first derived value, and is, for example, a hash value or a MAC value.
  • The control unit 20 of the in-vehicle update device 2 compares the first derived value and the second derived value stored in the storage unit 21 and determines whether they are the same value (S16). When the first derived value and the second derived value are the same, the control unit 20 determines that the update program stored in the storage unit 21 is valid. That is, it is determined that the update program stored in the storage unit 21 has not been changed by falsification or the like. By comparing the derived values (first derived value and second derived value) derived from the update program stored in the storage unit 21 before and after the interruption, it is possible to judge the validity of the update program stored in the storage unit 21 before the transmission is restarted.
  • The control unit 20 restarts the update (acquisition and transmission of the update program) from the above-mentioned interruption point (S17). More specifically, the control unit 20 requests the program providing apparatus S1 to transmit, in block units, the update program from the block next in order after the block ID last acquired before the interruption, and resumes acquiring the update program.
  • The acquired update program is stored in the storage unit 21.
  • The update program stored in the storage unit 21 is transmitted to the in-vehicle control device 3 in block units.
  • The control unit 20 transmits to the in-vehicle control device 3, in block units, the blocks starting from the one next in order after the block ID of the block last transmitted in the previous transmission of the update program, and thereby resumes transmitting the update program. That is, the update of the in-vehicle control device 3 is restarted.
  • The control unit 20 of the in-vehicle update device 2 displays the update restart notification on the display device 5 via the input/output I/F 24 and notifies the operator of the vehicle C of the update restart (S18).
  • The control unit 20 of the in-vehicle update device 2 determines that the update program stored in the storage unit 21 is invalid. That is, it is determined that the update program stored in the storage unit 21 has been illegally changed due to falsification or the like. Therefore, the control unit 20 acquires the update program from the beginning from the program providing apparatus S1 in order to transmit a valid update program (S161). Specifically, the control unit 20 requests the program providing device S1 to transmit the update program from the block having the first block ID. The control unit 20 acquires the update program in block units from the program providing apparatus S1 and stores the acquired update program in the storage unit 21. The update program stored in the storage unit 21 is transmitted to the in-vehicle control device 3 in block units. By acquiring the update program from the beginning, it is possible to prevent the illegally changed update program from being transmitted to the in-vehicle control device 3.
  • The control unit 20 of the in-vehicle update device 2 displays on the display device 5, via the input/output I/F 24, that the update program was illegally changed while the vehicle C was stopped, and notifies the operator of the vehicle C (S162).
  • The control unit 20 may display on the display device 5 that the update program is to be acquired from the beginning and notify the operator of the vehicle C.
  • The control unit 20 may transmit (notify) to the program providing device S1 that the stored update program has been tampered with.
  • The control unit 20 of the in-vehicle update device 2 ends the transmission of the update program to the in-vehicle control device 3 by transmitting the last block (S19). Since it is the acquired update program that is transmitted, the acquisition of the update program is necessarily completed before the last block is transmitted.
  • The control unit 20 stores in the storage unit 21 that the update of the in-vehicle control device 3 is completed. Although omitted in FIG. 3, when the vehicle C is stopped again (the IG switch 6 is turned off) before the transmission of the update program is completed, the process of S13 is performed.
  • After receiving the last block transmitted from the in-vehicle update device 2, the in-vehicle control device 3 stores in the storage unit 31 that the update of its own device is completed. Having received the last block, the in-vehicle control device 3 switches to the update program whose reception is complete, that is, switches the operation side to the storage area in which the update program is stored, and then transmits (notifies) to the in-vehicle update device 2 that switching to the update program is completed (update complete). The control unit 20 of the in-vehicle update device 2 may store in the storage unit 21 that the in-vehicle control device 3 to be updated has completed switching to the update program.
  • The control unit 20 transmits (notifies) the update completion of the in-vehicle control device 3 to be updated to the program providing device S1.
  • The control unit 20 may display the update completion of the in-vehicle control device 3 to be updated on the display device 5 via the input/output I/F 24 to notify the operator of the vehicle C.
  • The control unit 20 deletes the update program stored in the storage unit 21 (S20). By deleting the update program, it is possible to prevent the update program from taking up the capacity of the storage unit 21.
  • The control unit 20 performs loop processing to make the determination in S12 again.
  • The control unit 20 may continue the acquisition and transmission of the update program during the loop processing, and when the transmission of the update program is completed, the control unit 20 may perform the process of S20.
  • In-vehicle update system; S1: program providing device (external server); S11: storage unit; 1: exterior communication device; 11: exterior communication unit; 12: input/output I/F; 13: antenna; 2: in-vehicle update device; 20: control unit; 21: storage unit; 22: recording medium; 23: in-vehicle communication unit; 24: input/output I/F; 3: in-vehicle control device; 30: control unit; 31: storage unit; 311: first storage area; 312: second storage area; 32: in-vehicle communication unit; 4: in-vehicle LAN; 5: display device; 6: IG switch; N: network outside the vehicle
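
The interruption-and-resume check of S13 to S17 and S161 described above, sketched in Python as an added example (not code from the patent or the applicants). The class and function names, the 16-byte block size, the sample program bytes and the shared key are constructed assumptions; the MAC variant of the derived value is shown, with HMAC-SHA256 chosen here as the MAC algorithm.

```python
import hashlib
import hmac

BLOCK_SIZE = 16  # assumed "predetermined data size" (constructed value)


def split_blocks(program, size=BLOCK_SIZE):
    """Divide the update program into blocks keyed by block ID (1-based)."""
    return {i // size + 1: program[i:i + size]
            for i in range(0, len(program), size)}


def derive_value(stored, key):
    """MAC over the stored blocks; block ID and length are bound to each
    block so that reordering or resizing blocks also changes the value."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for block_id in sorted(stored):
        block = stored[block_id]
        mac.update(block_id.to_bytes(4, "big"))
        mac.update(len(block).to_bytes(4, "big"))
        mac.update(block)
    return mac.digest()


class UpdateDevice:
    """Hypothetical model of the update device: `stored` stands in for the
    update program held in the storage unit, keyed by block ID."""

    def __init__(self, key):
        self.key = key
        self.stored = {}
        self.first_value = None

    def acquire(self, server_blocks, upto):
        """Fetch blocks in order, continuing after the last stored block ID."""
        for block_id in range(max(self.stored, default=0) + 1, upto + 1):
            self.stored[block_id] = server_blocks[block_id]

    def on_ig_off(self):
        """S13: derive and keep the first derived value at interruption."""
        self.first_value = derive_value(self.stored, self.key)

    def on_ig_on(self):
        """S15-S17 / S161: return the block ID to request next."""
        second = derive_value(self.stored, self.key)
        if self.first_value is not None and hmac.compare_digest(
                self.first_value, second):
            return max(self.stored, default=0) + 1   # S17: resume after checkpoint
        self.stored.clear()                          # S161: discard (modelling choice)
        return 1                                     # and re-acquire from block 1


if __name__ == "__main__":
    server = split_blocks(bytes(range(80)))          # constructed 5-block program
    dev = UpdateDevice(b"constructed-shared-key")    # constructed key
    dev.acquire(server, upto=3)
    dev.on_ig_off()
    dev.stored[2] = b"\x00" * BLOCK_SIZE             # change made while stopped
    print("next block to request:", dev.on_ig_on())
```

With the plain hash variant, anyone able to rewrite the storage unit can also recompute a stored first derived value, so the MAC variant is only stronger when the shared key is kept where that writer cannot read it.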

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Mechanical Engineering (AREA)
  • Stored Programmes (AREA)
  • Information Transfer Between Computers (AREA)
PCT/JP2020/007925 2019-03-04 2020-02-27 In-vehicle update device, update processing program, and program update method Ceased WO2020179592A1 (ja)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080014751.2A CN113453959B (zh) 2019-03-04 2020-02-27 In-vehicle update device, update processing program, and program update method
US17/434,651 US11630659B2 (en) 2019-03-04 2020-02-27 In-vehicle update device, update processing program, and program update method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-038882 2019-03-04
JP2019038882A JP7111030B2 (ja) 2019-03-04 2019-03-04 In-vehicle update device, update processing program, and program update method

Publications (1)

Publication Number Publication Date
WO2020179592A1 (ja) 2020-09-10

Family

ID=72337952

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/007925 Ceased WO2020179592A1 (ja) 2019-03-04 2020-02-27 In-vehicle update device, update processing program, and program update method

Country Status (4)

Country Link
US (1) US11630659B2
JP (1) JP7111030B2
CN (1) CN113453959B
WO (1) WO2020179592A1


Also Published As

Publication number Publication date
JP2020142565A (ja) 2020-09-10
US11630659B2 (en) 2023-04-18
CN113453959B (zh) 2024-06-21
CN113453959A (zh) 2021-09-28
JP7111030B2 (ja) 2022-08-02
US20220197630A1 (en) 2022-06-23


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20767351

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20767351

Country of ref document: EP

Kind code of ref document: A1