The present invention relates to a method for executing a software update of an electronic control unit using flash programming via a serial interface.
Flash memory is increasingly used as memory technology for program stock and data stock in electronic control units. This memory technology makes a software update of the control units possible by reprogramming the respective flash memory of the control units via serial interfaces. The serial interface may be, for example, a central off-board diagnostic interface of a vehicle via which the flash memory of an electronic control unit of the vehicle is reprogrammed using what is known as a flash programming tool. A software update is thus possible without removing the respective electronic control unit from the vehicle, which results in considerable cost savings compared to a control unit exchange or removal. In the described type of flash programming, high security and reliability demands must be met, in particular with regard to vehicle service as well as in the area of safety-relevant electronic control units.
Only entire flash segments of a flash memory may be deleted or reprogrammed in currently used flash technologies. A smallest, physically associated, completely deletable or programmable memory unit of the flash memory is referred to as a segment. Therefore, the deleting and programming steps for flash segments should be differentiated in flash programming. Moreover, it should be taken into consideration that it is not possible to simultaneously export one program from a flash segment while another flash segment of the same flash module is reprogrammed. Therefore, the program sections for controlling the programming process for a flash module must be, at least temporarily during the execution of flash programming, swapped out into another memory module of the control unit, e.g., into another flash module or a free RAM (random access memory) section.
The limited transmission capacity of the off-board diagnostic interface results in quite long flash programming times in large flash memories of electronic control units. Therefore, shortening the flash programming times is a frequent demand in production and service.
Furthermore, for liability reasons attention should be paid in flash programming that unauthorized flash programming or flash programming using manipulated program or data stock is to be prevented to the greatest possible extent. Finally, it should be pointed out that flash programming via the mentioned off-board diagnostic interface may take up a relatively long period of time. Aborts of the programming procedure due to possibly occurring interferences may be anticipated at any time. Such interferences are, for example, failure of the voltage supply of a vehicle or of the flash programming tool, incorrect response of other network control units, interruption of the communication link between the electronic control unit to be programmed and the flash programming tool used for this purpose, or an operating error. A failed authentication and signature check may also result in the abort of the flash programming procedure. It may be necessary to be able to ensure the availability or an immediate restart of the flash programming procedure at any time.
In one example embodiment, a method for executing a software update of a control unit by flash programming a flash memory of the control unit having multiple segments via a serial interface is provided. The demands to be made on the flash programming procedure are established in a first step of the method, in such a way that a flash programming procedure is specified by a finite-state machine which defines the states and transitions of the software of the control unit and that finally availability, security, and reliability requirements of each state and each transition of the finite-state machine are checked.
Different operating states are preferably initially specified for the software of the control unit when the demands to be made on the flash programming procedure are established. A differentiation is preferably made between a “starting state,” a “normal state,” and a “software update state” in this context. Furthermore, the transitions between the above-mentioned operating states and the transition conditions are defined. In a further example embodiment of the method, memory arrays of the software of the control unit, which are relevant for the flash programming procedure, are divided into programmable and non-programmable memory arrays and components of the software to be reprogrammed are correspondingly assigned to the memory arrays. Furthermore, the memory arrays of the software may be assigned to a memory of the control unit, in particular one programmable memory array to a segment of the flash memory and one non-programmable memory array to a ROM (read only memory) of the electronic control unit. The limited transmission capacity of the off-board diagnostic interface results in quite long flash programming times in large flash memories. It may therefore be desirable to shorten the flash programming times, which is possible, for example, by reducing the flash segments to be reprogrammed. This is preferably achieved by flash programming individual software functions or by a separate flash programming procedure for the program stock and data stock of the electronic control unit. The program stock is frequently already programmed during control unit production, while the data stock is programmed later, e.g., at the end of production of a vehicle in a vehicle-specific manner. As a result, the boot block, the program stock, and the data stock are each stored in segments of the flash memory of the control unit in a further example embodiment of the method according to the present invention. 
This means that different software functions as well as the program stock and data stock are stored in different flash segments. All program sections of the control unit, which are needed for communication between the control unit and a flash programming tool via the off-board diagnostic interface during a flash programming procedure, must be stored, together with corresponding flash programming routines, in a flash loader in the ROM of the electronic control unit or in a different additional flash segment. The program sections, which are needed for the communication between the control unit and the flash programming tool, are divided into programmable and non-programmable sections, i.e., a base extent stored in the ROM and referred to in the following as the start-up block, and a base extent stored in the flash memory and referred to in the following as the boot block. The start-up block and boot block together provide the software functionality of a microcontroller of the control unit necessary for flash programming via an off-board diagnostic interface. A division into start-up block and boot block may be expedient for a number of reasons. The boot block itself may be reprogrammed if it is stored, as described, in the flash memory. Furthermore, the current status of a flash programming procedure may be stored in a non-erasable manner in the boot block so that, for example, a restart is possible after an abort of the flash programming procedure. The unchangeable base functionality of the start-up block and an identifier for a hardware variant of the electronic control unit may be stored in the more cost-effective and non-reprogrammable ROM of the control unit. According to the present invention, the program stock and the data stock are each stored in a different segment of the flash memory.
Security, reliability, and availability requirements of the flash programming procedure to be executed may be provided by a further preferred embodiment of the method according to the present invention. A transition of a microcontroller of the control unit to the “software update” operating state is initiated by a flash programming tool. In addition to possibly necessary plausibility checks, such as the check for engine shutdown in engine controllers, which must be carried out prior to completion of a driving program and a transition to the “software update” operating state, additional security measures are necessary when used in production and service. According to this, it is necessary for liability reasons, for example, that unauthorized flash programming or flash programming using manipulated program or data stock is to be prevented to the greatest possible extent. Such flash programming procedures should at least be detected and verified.
Flash programming access is generally protected by two different encryption methods. One method is authentication which corresponds to a check of the actual access permission and is carried out subsequent to a plausibility check. A digital key is used to check whether a user of the flash programming tool is actually permitted to execute a software update. A second encryption method is what is known as a signature check. The data consistency of program stock or data stock to be reprogrammed is checked here.
During the signature check, a flash programming tool uses a further digital key to check whether the program stock or the data stock to be reprogrammed matches the control unit hardware and whether the program stock or data stock to be reprogrammed has been improperly manipulated after delivery by the vehicle manufacturer to the service organization, for example. Only after successful completion of the mentioned check should the actual deletion and programming of the respective segments of the flash memory be enabled or unblocked. Unblocking takes place here using the above-mentioned boot block. During specification of the security and reliability requirements for flash programming, it should be ensured that the signature of a microcontroller of the control unit is calculated subsequent to flash programming, on the basis of the program stock and data stock actually programmed into the flash memory, in order to detect errors during programming. After a successful signature check, this calculated signature is stored in the flash memory. In addition, special memory structures, i.e., program stock and data stock logistics, are stored in the flash memory as part of the program stock and data stock. Only after a successful signature check does the boot block unblock the activation of the new program, a drive program, for example.
Moreover, the availability requirement of the flash programming procedure is preferably specified in the method according to the present invention. Since flash programming via the off-board diagnostic interface may take up a relatively long period of time despite the above-described optimization measures, aborts of the programming procedure due to interferences may generally be anticipated at any time. Such interferences are, for example, failure of a voltage supply of a vehicle or of a flash programming tool, incorrect responses of other network control units, interruptions of the communication link between the electronic control unit and the flash programming tool used, or operating errors. Generally, failed authentication and failed signature checks also result in an abort of the flash programming procedure. Therefore, it may be important for a design of the flash programming procedure to ensure the availability of the flash programming procedure under all possible circumstances. This means, for example, that after an abort, a restart of the programming procedure should be ensured at any time in all situations. In a further preferred example embodiment of the method according to the present invention, substates, adoptable in the “software update” operating state, transitions between them, and transition conditions are specified by the finite-state machine during execution of the flash programming procedure. The substates may be the “abort/error message” substate or the “completion/success message” substate. Furthermore, substates for authentication and signature check as well as substates for the deletion and programming of segments of the flash memory may preferably be specified. Moreover, it may be desirable to specify substates for the swapping-out and flash programming of the boot block. Transitions between the mentioned substates and corresponding transition conditions are also specified according to the present invention.
Furthermore, the present invention includes a computer program made up of program code elements via which predefined availability, security, and reliability requirements of each state and each transition of an above-described finite-state machine are checked automatically when the program code elements are run on a computer or on a computer system.
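As an added illustration (not the patent's own program), the substates of the “software update” state described above can be written as a transition table, and the availability and security requirements can then be checked automatically by reachability analysis. The substate names and the three gating transitions are assumptions about one plausible design; two deliberately flawed variants show the checks firing:

```c
#include <stdbool.h>
#include <string.h>
/* Added illustration, not the patent's program. The substates of the "software
 * update" state as a transition table, with automatic checks of the availability
 * and security requirements the text names. State names are assumptions. */
enum { ENTRY, AUTH, SIG_CHECK, ERASE, PROGRAM, SIG_VERIFY, COMPLETION, ABORT, N };
typedef bool fsm_t[N][N];   /* adj[a][b]: a transition from substate a to b exists */
/* Design as described: each check gates the next step, any failure or interference aborts. */
void fsm_build(fsm_t adj) {
    memset(adj, 0, sizeof(fsm_t));
    adj[ENTRY][AUTH] = true;                                       /* tool initiates the update */
    adj[AUTH][SIG_CHECK] = adj[AUTH][ABORT] = true;                /* access key accepted / rejected */
    adj[SIG_CHECK][ERASE] = adj[SIG_CHECK][ABORT] = true;          /* image fits hardware, unmanipulated */
    adj[ERASE][PROGRAM] = adj[ERASE][ABORT] = true;                /* interference may strike anytime */
    adj[PROGRAM][ERASE] = adj[PROGRAM][SIG_VERIFY] = adj[PROGRAM][ABORT] = true; /* next segment / all done */
    adj[SIG_VERIFY][COMPLETION] = adj[SIG_VERIFY][ABORT] = true;   /* signature over what was programmed */
    adj[ABORT][ENTRY] = true;                                      /* restart after an abort */
}
static bool reaches(bool adj[N][N], int from, int to) {   /* depth-first search */
    bool seen[N] = {false}; int stack[N], sp = 0;
    seen[from] = true; stack[sp++] = from;
    while (sp) {
        int s = stack[--sp];
        for (int t = 0; t < N; t++) {
            if (!adj[s][t]) continue;
            if (t == to) return true;
            if (!seen[t]) { seen[t] = true; stack[sp++] = t; }
        }
    }
    return false;
}
/* Transitions that must lie on every path to COMPLETION: authentication passed,
 * pre-programming signature check passed, post-programming signature check passed. */
static const int gates[][2] = { {AUTH, SIG_CHECK}, {SIG_CHECK, ERASE}, {SIG_VERIFY, COMPLETION} };
/* Bitmask of violations: 1 = some substate can no longer reach COMPLETION (no
 * restart possible), 2/4/8 = COMPLETION still reachable with gate 0/1/2 removed. */
int fsm_violations(bool adj[N][N]) {
    int v = 0; fsm_t cut;
    for (int s = 0; s < N; s++)
        if (s != COMPLETION && !reaches(adj, s, COMPLETION)) v |= 1;
    for (int g = 0; g < 3; g++) {
        memcpy(cut, adj, sizeof cut); cut[gates[g][0]][gates[g][1]] = false;
        if (reaches(cut, ENTRY, COMPLETION)) v |= 2 << g;
    }
    return v;
}
int violations_of_design(void) { fsm_t a; fsm_build(a); return fsm_violations(a); }
/* Flawed variants: no restart edge; a shortcut that skips the post-programming check. */
int violations_without_restart(void) { fsm_t a; fsm_build(a); a[ABORT][ENTRY] = false; return fsm_violations(a); }
int violations_with_shortcut(void) { fsm_t a; fsm_build(a); a[PROGRAM][COMPLETION] = true; return fsm_violations(a); }
```

The same reachability check extends to further substates (e.g., boot block swap-out) by adding rows to the table and, where a transition must gate completion, an entry to `gates`.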
Finally, the present invention relates to a method for flash programming an above-described boot block. A method is provided for flash programming a boot block which provides the software functionality necessary for executing the flash programming. The boot block is stored in a first segment of a flash memory. In a first step, the old boot block to be reprogrammed is copied into a free RAM section. The still active old boot block is swapped out into another memory module of the control unit during flash programming, which means that the boot block should be relocatable. In a second step, the old boot block is subsequently activated in the RAM and deactivated in the flash memory where it is stored in a first segment. Furthermore, the new boot block is temporarily stored in a second segment of the flash memory. This step includes deletion of the second segment of the flash memory, programming of the new boot block into the second segment of the flash memory, and a signature check for the new boot block in the second segment of the flash memory. After an abort during these method steps, the flash programming procedure may be restarted using the valid, old boot block in the first segment of the flash memory. In a further step of the method according to the present invention, the new boot block is finally programmed by copying the second segment of the flash memory into the first segment of the flash memory. This step includes deletion of the first flash segment, programming of the new boot block into the first flash segment by copying the second flash segment into the first flash segment, and a signature check for the new boot block in the first flash segment. After an abort during these method steps, the flash programming procedure may be restarted using the valid, new boot block in the second flash segment. One boot block, which is valid for restarting the flash programming procedure, is always preferably marked in the flash memory. 
This validity marker itself must be stored in a non-erasable manner in the flash memory so that a restart is possible using this information. In a last step of the example method according to the present invention, the new boot block is subsequently activated in the first segment of the flash memory and the old boot block is simultaneously deactivated in the RAM.
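The boot block procedure above, as an added simulation that is not the patent's own code: the two segments, the validity marker and the abort points are modelled in memory, and a toy checksum stands in for the signature check, so that a restart after an abort at any step still finds a verifying boot block:

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not the patent's code. Two flash segments hold the boot
 * block; the validity marker (a field erase() never touches) names the segment a
 * restart may use; a toy checksum in the last byte stands in for the signature. */
#define SEG_SIZE 64
typedef struct { uint8_t seg[2][SEG_SIZE]; int valid_marker; } flash_t; /* [0] first, [1] second segment */
static uint8_t checksum(const uint8_t *img, size_t n) {
    uint8_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint8_t)(s * 31 + img[i]);
    return s;
}
bool signature_ok(const uint8_t *img) { return checksum(img, SEG_SIZE - 1) == img[SEG_SIZE - 1]; }
void make_image(uint8_t *img, uint8_t fill) {      /* constructed sample boot block image */
    memset(img, fill, SEG_SIZE - 1);
    img[SEG_SIZE - 1] = checksum(img, SEG_SIZE - 1);
}
static void erase(flash_t *f, int s) { memset(f->seg[s], 0xFF, SEG_SIZE); }
/* abort_after = n simulates a power loss right after step n (0 = no abort);
 * returns true only when the new block has been activated in segment 0. */
bool update_boot_block(flash_t *f, const uint8_t *new_bb, int abort_after) {
    uint8_t ram[SEG_SIZE];
    memcpy(ram, f->seg[0], SEG_SIZE);             /* 1: old block copied to RAM and run from there */
    if (abort_after == 1) return false;
    erase(f, 1);                                  /* 2a: erase the second segment */
    if (abort_after == 2) return false;
    memcpy(f->seg[1], new_bb, SEG_SIZE);          /* 2b: program the new block into it */
    if (abort_after == 3) return false;
    if (!signature_ok(f->seg[1])) return false;   /* 2c: verify; segment 0 still covers a restart */
    f->valid_marker = 1;                          /* only now may a restart rely on segment 1 */
    if (abort_after == 4) return false;
    erase(f, 0);                                  /* 3a: erase the first segment */
    if (abort_after == 5) return false;
    memcpy(f->seg[0], f->seg[1], SEG_SIZE);       /* 3b: copy second segment into first */
    if (abort_after == 6) return false;
    if (!signature_ok(f->seg[0])) return false;   /* 3c: verify the copy */
    f->valid_marker = 0; (void)ram;               /* 4: new block active in segment 0, RAM copy dropped */
    return true;
}
/* At restart: the segment the marker names, provided its image still verifies. */
int restart_segment(const flash_t *f) { return signature_ok(f->seg[f->valid_marker]) ? f->valid_marker : -1; }
/* Constructed scenario (old block 0xA5, new block 0x5A): restart segment after an abort, 2 = completed, -1 = lost. */
int scenario(int abort_after) {
    uint8_t old_bb[SEG_SIZE], new_bb[SEG_SIZE]; flash_t f; memset(&f, 0, sizeof f);
    make_image(old_bb, 0xA5); make_image(new_bb, 0x5A);
    memcpy(f.seg[0], old_bb, SEG_SIZE); memset(f.seg[1], 0xFF, SEG_SIZE);
    bool done = update_boot_block(&f, new_bb, abort_after);
    if (done) return memcmp(f.seg[0], new_bb, SEG_SIZE) == 0 ? 2 : -1;
    return restart_segment(&f);
}
```

Aborts up to step 3 leave the old block in the first segment usable; once the copy in the second segment has verified and the marker has moved, aborts during the rewrite of the first segment fall back to the second.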
Further advantages and preferred embodiments of the present invention are explained in greater detail on the basis of the following figures.
| Number | Date | Country | Kind |
|---|---|---|---|
| 103 28 241.6 | Jun 2003 | DE | national |

| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/DE04/01326 | 6/24/2004 | WO | | 4/26/2006 |