The present disclosure relates to a vehicle information communication system including a center device and an in-vehicle device.
There is a proposed technique in which an update program of an electronic control unit (hereinafter, referred to as an ECU) of a vehicle is distributed from a center device to an in-vehicle device through Over the Air (OTA), and the update program is rewritten in the vehicle.
The present disclosure provides a vehicle information communication system comprising a center device that manages data to be written in a plurality of electronic control units mounted on a vehicle and an in-vehicle device that is mounted on the vehicle. When a plurality of pieces of configuration information regarding configurations of respective devices are received from the plurality of electronic control units, the in-vehicle device transmits a configuration information list including the plurality of pieces of configuration information to the center device. The center device includes a configuration information storage unit storing the configuration information list approved with respect to a vehicle type, compares the configuration information list received from the in-vehicle device with the configuration information list stored in the configuration information storage unit, and transmits a presence of abnormality to the in-vehicle device when the center device determines that the configuration information list received from the in-vehicle device is disapproved.
Objects, features and advantages of the present disclosure will become more apparent from the following detailed description with reference to the accompanying drawings. In the drawings:
In recent years, the scale of an application program for vehicle control, diagnosis, and the like, installed in an electronic control unit (hereinafter, referred to as an ECU) of a vehicle, has increased due to the diversification of vehicle control such as a driving support function and an autonomous driving function. Opportunities to rewrite (reprogram) an application program of an ECU have increased in accordance with upgrading based on functional improvement. On the other hand, techniques for connected cars have also spread with the progress of communication networks and the like. In light of such circumstances, for example, there is a proposed technique in which an update program of an ECU is distributed from a center device to an in-vehicle device through Over the Air (OTA), and the update program is rewritten on a vehicle side.
In this case, when some of the ECUs on the vehicle side are replaced and their configuration information, e.g., application program version and the like, is updated, the vehicle may become inoperable depending on the combination with the versions of the application programs of the other ECUs.
The present disclosure has been made in light of the foregoing circumstances and an object is to provide a vehicle information communication system in which a center device can check whether a combination of configuration information pieces of respective electronic control units mounted on a vehicle is appropriate or not.
According to a vehicle information communication system of the present disclosure, when an in-vehicle device receives from a plurality of electronic control units a plurality of pieces of configuration information regarding configurations of respective electronic control units, the in-vehicle device transmits a configuration information list including the plurality of pieces of configuration information to a center device. The center device includes a configuration information storage unit storing the configuration information list approved with respect to a vehicle type, compares the configuration information list received from the in-vehicle device with the configuration information list stored in the configuration information storage unit, and transmits a presence of abnormality to the in-vehicle device when the center device determines that the configuration information list received from the in-vehicle device is disapproved. Accordingly, the in-vehicle device can take measures such as prohibiting traveling of the vehicle.
Hereinafter, a first embodiment of the present invention will be described with reference to
The display terminal 5 is a terminal having a function of receiving operation input from a user and a function of displaying various screens, and is, for example, a mobile terminal 6 such as a smartphone or a tablet computer that can be carried by a user, and an in-vehicle display 7 such as a display or a meter display that is also used as a navigation function disposed in a vehicle compartment. The mobile terminal 6 can be connected to the communication network 2 as long as the mobile terminal 6 is within a communication range of a mobile communication network. The in-vehicle display 7 is connected to the vehicle-side system 4.
As long as a user is located outside the vehicle compartment and is within the communication range of the mobile communication network, the user can perform operation input while checking various screens related to rewriting of an application program with the mobile terminal 6, and can perform a procedure related to the rewriting of the application program. In the vehicle compartment, the user can perform operation input while checking various screens related to rewriting of the application program with the in-vehicle display 7, and can perform a procedure related to rewriting of the application program. That is, the user can selectively use the mobile terminal 6 and the in-vehicle display 7 depending on whether the user is outside the vehicle compartment and in the vehicle compartment, and can perform a procedure related to rewriting of the application program.
The center device 3 controls an OTA function of the communication network 2 side in the vehicle program rewriting system 1, and functions as an OTA center. The center device 3 includes a file server 8, a web server 9, and a management server 10, and each of the servers 8 to 10 is configured to be able to perform data communication with each other.
The file server 8 has a function of managing an application program transmitted from the center device 3 to the vehicle-side system 4, and is a server that manages an ECU program provided from a supplier or the like that is a provider of the application program, information associated with the ECU program, distribution specification data provided from an original equipment manufacturer (OEM), vehicle conditions acquired from the vehicle-side system 4, and the like. The file server 8 can perform data communication with the vehicle-side system 4 via the communication network 2, and transmits a distribution package in which the reprogramming data and the distribution specification data are packaged to the vehicle-side system 4 when a download request for the distribution package is generated. The web server 9 is a server that manages web information, and provides various screens related to rewriting an application program to the mobile terminal 6. The management server 10 manages personal information of a user registered in a service of rewriting an application program, a rewrite history of an application program for each vehicle, and the like.
The vehicle-side system 4 has a master device 11. The master device 11 has a DCM 12 and a CGW 13, and the DCM 12 and the CGW 13 are connected to each other via a first bus 14 to be able to perform data communication. The DCM 12 is a vehicle-mounted communication device that performs data communication with the center device 3 via the communication network 2, and, when a distribution package is downloaded from the file server 8, extracts write data from the distribution package, and transfers the write data to the CGW 13.
The CGW 13 is a vehicle gateway device having a data relay function, and, when the write data is acquired from the DCM 12, distributes the write data to a rewrite target ECU in which an application program is rewritten. The master device 11 controls the OTA function of the vehicle side in the vehicle program rewriting system 1, and functions as an OTA master. In
In addition to the first bus 14, a second bus 15, a third bus 16, a fourth bus 17, and a fifth bus 18 are connected to the CGW 13 as buses inside the vehicle, and various ECUs 19 are connected via the buses 15 to 17, and a power supply management ECU 20 is connected via the bus 18.
The second bus 15 is, for example, a body system network bus. The ECUs 19 connected to the second bus 15 are ECUs controlling the body system including, for example, a door ECU controlling locking/unlocking of a door, a meter ECU controlling display on the meter display, an air conditioner ECU controlling driving of an air conditioner, and a window ECU controlling opening and closing of a window. The third bus 16 is, for example, a travel system network bus. The ECUs 19 connected to the third bus 16 are ECUs controlling the travel system including, for example, an engine ECU controlling driving of an engine, a brake ECU controlling driving of a brake, an ECT (Electronic Toll Collection System (ETC) (registered trademark)) ECU controlling driving of an automatic transmission, and a power steering ECU controlling driving of a power steering.
The fourth bus 17 is, for example, a multimedia system network bus. The ECUs 19 connected to the fourth bus 17 are ECUs controlling the multimedia system including, for example, a navigation ECU controlling a navigation system, and an ETC ECU controlling an electronic toll collection system, that is, an ECT system. The buses 15 to 17 may be system buses other than the body system network bus, the travel system network bus, and the multimedia system network bus. The number of buses and the number of the ECUs 19 are not limited to the exemplified configuration.
The power supply management ECU 20 is an ECU having a function of managing power to be supplied to the DCM 12, the CGW 13, the various ECUs 19, and the like.
A sixth bus 21 is connected to the CGW 13 as a bus outside the vehicle. A data link coupler (DLC) connector 22 to which a tool 23 is detachably connected is connected to the sixth bus 21. The buses 14 to 18 inside the vehicle and the bus 21 outside the vehicle are configured with, for example, Controller Area Network (CAN) (registered trademark) buses, and the CGW 13 performs data communication with the DCM 12, the various ECUs 19, and the tool 23 in accordance with the CAN data communication standard and the diagnosis communication standard (UDS: ISO14229). The DCM 12 and the CGW 13 may be connected to each other via Ethernet, and the DLC connector 22 and the CGW 13 may be connected to each other via Ethernet.
When write data is received from the CGW 13, the rewrite target ECU 19 writes the write data into a flash memory to rewrite an application program. In the above configuration, when a request for acquiring write data is received from the rewrite target ECU 19, the CGW 13 functions as a reprogramming master that distributes the write data to the rewrite target ECU 19. When the write data is received from the CGW 13, the rewrite target ECU 19 functions as a reprogramming slave that writes the write data into the flash memory to rewrite the application program.
As an aspect of rewriting the application program, there are a wired rewrite aspect and a wireless rewrite aspect. In the aspect in which the application program is rewritten in a wired manner, when the tool 23 is connected to the DLC connector 22, the tool 23 transfers the write data to the CGW 13. The CGW 13 relays or distributes the write data transferred from the tool 23 to the rewrite target ECU 19. In the aspect of rewriting the application program in a wireless manner, as described above, when the distribution package is downloaded from the file server 8, the DCM 12 extracts the write data from the distribution package, and transfers the write data to the CGW 13.
As illustrated in
The data transfer circuit 25 controls data communication with the buses 14 to 18 and 21 in accordance with the CAN data communication standard and the diagnosis communication standard. The power supply circuit 26 receives battery power (hereinafter, referred to as +B power), accessory power (hereinafter, referred to as ACC power), and ignition power (hereinafter, referred to as IG power). The power detection circuit 27 detects a voltage value of the +B power, a voltage value of the ACC power, and a voltage value of the IG power received by the power supply circuit 26, compares the detected voltage values with predetermined voltage threshold values, and outputs comparison results to the microcomputer 24. The microcomputer 24 determines whether the +B power, the ACC power, and the IG power supplied to the CGW 13 from the outside are normal or abnormal on the basis of the comparison results that are input from the power detection circuit 27.
As illustrated in
The data transfer circuit 29 controls data communication with the buses 15 to 17 in accordance with the CAN data communication standard. The power supply circuit 30 receives +B power, ACC power, and IG power. The power detection circuit 31 detects a voltage value of the +B power, a voltage value of the ACC power, and a voltage value of the IG power received by the power supply circuit 30, compares the detected voltage values with predetermined voltage threshold values, and outputs comparison results to the microcomputer 28. The microcomputer 28 determines whether the +B power, the ACC power, and the IG power supplied to the ECU 19 from the outside are normal or abnormal on the basis of the comparison results that are input from the power detection circuit 27. The ECUs 19 fundamentally have the same configuration except that loads such as sensors or actuators connected thereto are different from each other. A fundamental configuration of each of the DCM 12, the in-vehicle display 7, and the power supply management ECUs is the same as that of the ECU 19 illustrated in
As illustrated in
The IG power line 34 is connected to the positive electrode of the vehicle battery 35 via an IG switch 37. When the user performs an IG operation, the IG switch 37 switches from an OFF state to an ON state, and an output voltage of the vehicle battery 35 is applied to the IG power line 34. For example, in a case of a vehicle of the type to insert a key into an insertion port, the IG operation is an operation of rotating the key from an “OFF” position to an “ON” position by inserting the key into the insertion port, and, in a case of a vehicle of the type to press a start button, the IG operation is an operation of pressing the start button twice. A negative electrode of the vehicle battery 35 is grounded.
When both of the ACC switch 36 and the IG switch 37 are in an OFF state, only the +B power is supplied to the vehicle-side system 4. The state in which only the +B power is supplied to the vehicle-side system 4 will be referred to as a +B power supply state. When the ACC switch 36 is in an ON state and the IG switch 37 is in an OFF state, the ACC power and the +B power are supplied to the vehicle-side system 4. The state in which the ACC power and the +B power are supplied to the vehicle-side system 4 will be referred to as an ACC power supply state. When both of the ACC switch 36 and the IG switch 37 are in an ON state, the +B power, the ACC power, and the IG power are supplied to the vehicle-side system 4. The state in which the +B power, the ACC power, and the IG power are supplied to the vehicle-side system 4 will be referred to as an IG power supply state.
The ECUs 19 have different start conditions depending on power supply states, and are classified as a +B ECU that is started in the +B power supply state, an ACC ECU that is started in the ACC power supply state, and an IG ECU that is started in the IG power supply state. For example, the ECU 19 driven in an application such as vehicle theft is the +B ECU. For example, the ECU 19 driven in a non-travel system application such as an audio is the ACC ECU. For example, the ECU 19 driven in a travel system application such as engine control is the IG ECU.
The CGW 13 transmits a start request to the ECU 19 that is in a sleep state, and thus causes the ECU 19 that is a transmission destination of the start request to transition from the sleep state to a start state. The CGW 13 also transmits a sleep request to the ECU 19 that is in a start state, and thus causes the ECU 19 that is a transmission destination of the sleep request to transition from the start state to a sleep state. The CGW 13 selects the ECU 19 that is a transmission destination of the start request or the sleep request from among the plurality of ECUs, for example, by making waveforms of the transmission signals to be transmitted to the buses 15 to 17 different from each other.
The power supply control circuit 38 is connected in parallel to the ACC switch 36 and the IG switch 37. The CGW 13 transmits a power supply control request to the power supply management ECU 20 and causes the power supply management ECU 20 to control the power supply control circuit 38. That is, the CGW 13 transmits a power supply start request as the power supply control request to the power supply management ECU 20, to connect the ACC power line 33 or the IG power line 34 to the positive electrode of the vehicle battery 35 in the power supply control circuit 38. In this state, the ACC power or IG power is supplied to the vehicle-side system 4 even when the ACC switch 36 and the IG switch 37 are turned off. The CGW 13 transmits a power supply stop request as the power supply control request to the power supply management ECU 20, to disconnect the ACC power line 33 or IG power line 34 from the positive electrode of the vehicle battery 35 in the power supply control circuit 38.
The DCM 12, the CGW 13, and the ECU 19 have a self-retention power function. That is, when vehicle power switches from the ACC power or the IG power to the +B power in the start state, the DCM 12, the CGW 13, and the ECU 19 do not transition from the start state to the stop state or the sleep state immediately after the switching, but continue the start state for a predetermined time even immediately after the switching, and thus self-retain drive power. The DCM 12, the CGW 13, and the ECU 19 transition from the start state to the stop state or the sleep state when a predetermined time (for example, several seconds) has elapsed immediately after the vehicle power switches from the ACC power or IG power to the +B power.
Next, a distribution package distributed from the center device 3 to the master device 11 will be described with reference to
Although
The rewrite specification data provided from the OEM includes, as information related to rewriting of the application program, information for specifying the rewrite target ECU 19, information for specifying a rewrite order when there are a plurality of rewrite target ECUs 19, information for specifying a rollback method described later, and the like, and is data defining an operation related to rewriting in the DCM 12, the CGW 13, or rewrite target ECU 19. The rewrite specification data is classified into DCM rewrite specification data used by the DCM 12 and CGW rewrite specification data used by the CGW 13. Information required to read files corresponding to the rewrite target ECU 19 is described in the DCM rewrite specification data. As described above, information required to control rewriting in the rewrite target ECU 19 is described in the CGW rewrite specification data.
When the DCM rewrite specification data is acquired, the DCM 12 analyzes the DCM rewrite specification data, and controls operations related to rewriting such as transferring write data to the CGW 13 according to the analysis result. When the CGW rewrite specification data is acquired, the CGW 13 analyzes the CGW rewrite specification data, and controls operations related to rewriting such as acquiring write data from the DCM 12 and distributing the write data to the rewrite target ECU 19 according to the analysis result.
In the file server 8, the above-described reprogramming data is registered, and the distribution specification data provided from the OEM is registered. The distribution specification data provided from the OEM is data defining an operation related to display of various screens in the display terminal 5.
When the reprogramming data and the distribution specification data are registered, the file server 8 encrypts the registered reprogramming data, and generates a distribution package in which a package authenticator for authenticating the package, the encrypted reprogramming data, and the distribution specification data are packaged into a single file. When a download request for the distribution package is received from the outside, the file server 8 transmits the distribution package to the DCM 12. In
When the distribution package is downloaded from the file server 8, the DCM 12 verifies the package authenticator stored in the distribution package and the encrypted reprogramming data, and decrypts the encrypted reprogramming data when the verification result is positive. When the encrypted reprogramming data is decrypted, the DCM 12 unpackages the decrypted reprogramming data, and generates encrypted difference data, an authenticator, DCM rewrite specification data, and CGW rewrite specification data for each of the ECUs.
The supplier registers ECU individual data by using an input unit 218 and a display unit 219 that are user interface (UI) functions of the management server 10. The ECU individual data includes a program file such as a new program or difference data, verification data or a size of the program file, program file related information such as encryption methods, and ECU attribute information such as a memory structure of the ECU 19. The program file is stored in the ECU reprogramming data DB 204. The ECU attribute information is stored in the ECU metadata DB 205. The program file related information may be stored in the ECU reprogramming data DB 204 or may be stored in the ECU metadata DB 205. The ECU reprogramming data DB 204 is an example of an update data storage unit. The ECU metadata DB 205 is an example of a device related information storage unit.
The OEM registers approved configuration information in the configuration information DB 208 for each vehicle type via the configuration information registration unit 207. The approved configuration information is configuration information of a vehicle approved by a public organization. The configuration information is identification information regarding hardware and software of the ECU 19 mounted on a vehicle, and is an example of vehicle related information. The configuration information includes identification information of a system configuration formed of a plurality of ECUs 19 and identification information of a vehicle configuration formed of a plurality of systems. As the configuration information, vehicle restriction information related to program update may be registered. For example, group information of the ECU described in the rewrite specification data, a bus load table, and information regarding a battery load may be registered. The ECU metadata DB 205 is an example of a device related information storage unit. The configuration information DB 208 is an example of a vehicle information storage unit.
The specification data generation unit 201 refers to each DB and generates rewrite specification data. The package generation unit 202 generates a distribution package including rewrite specification data and reprogramming data, and registers the distribution package in the package DB 206. The package generation unit 202 may generate a distribution package including the distribution specification data. The package distribution unit 203 distributes the registered distribution package to the vehicle-side system 4. The distribution package corresponds to a file.
The individual vehicle information management unit 3C includes an individual vehicle information registration unit 209, a configuration information check unit 210, an update availability check unit 211, an SMS transmission control unit 212, and an individual vehicle information DB 213. The individual vehicle information registration unit 209 registers individual vehicle information uploaded from individual vehicles in the individual vehicle information DB 213. The individual vehicle information registration unit 209 may register, as initial values, individual vehicle information at the time of vehicle production or sales in the individual vehicle information DB 213. When the uploaded individual vehicle information is registered, the configuration information check unit 210 collates the individual vehicle information with the configuration information of the same type vehicle registered in the configuration information DB 208. The update availability check unit 211 checks whether an update using a new program is available, that is, whether a campaign applies to the individual vehicle information. In a case where the individual vehicle information is updated, the SMS transmission control unit 212 transmits a message related to the update to the corresponding vehicle by a short message service (SMS).
The campaign management unit 3D includes a campaign generation unit 214, a campaign distribution unit 215, an instruction notification unit 216, and a campaign DB 217. The OEM causes the campaign generation unit 214 to generate campaign information that is information related to the program update, and registers the campaign information in the campaign DB 217. The campaign information here corresponds to the “distribution specification data” described above, and is mainly information regarding an update content displayed on the vehicle-side system 4. The campaign distribution unit 215 distributes the campaign information to the vehicle. The instruction notification unit 216 notifies the vehicle of a necessary instruction related to the program update. In the vehicle-side system 4, for example, the user determines whether or not to download the update program on the basis of the campaign information transmitted from the center device 3, and downloads the update program if necessary.
The portions of each of the management units 3A to 3D except the databases are functions realized by computer hardware and software.
The vehicle communication unit 222 is a functional block for performing data communication between the center device 3 and the vehicle-side system 4 in a wireless manner.
Hereinafter, the above process will be described in more detail, and, first, a content of data registered in each database will be described. As illustrated in
For example, in
For example, the “ECU SW IDs” of “Vehicle SW ID”=“0001” are “ads_001”, “eng_010”, “brk_001”, and “eps_010”, whereas the “ECU SW IDs” of “Vehicle SW ID”=“0002” are “ads_002”, “eng_010”, “brk_005”, and “eps_011”, and three software versions are updated. As a result, “Sys ID”=“SA01” is updated to “SA02”, and “Sys ID”=“SA02” is updated to “SA03”. As mentioned above, the initial value is registered in the configuration information DB 208 at the time of production or sales of the vehicle, and is then updated as the version of an application program of any one or more ECUs is updated. That is, the configuration information DB 208 indicates approved configuration information that is present in the market for each vehicle type.
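The collation performed by the configuration information check unit 210 (the comparison of an uploaded configuration information list against the approved lists for the vehicle type, with a presence of abnormality returned on mismatch, as described in the summary above) is illustrated here by an added example that is not part of the disclosure. The vehicle type name, the dictionary layout of the configuration information DB 208, and the response format are assumptions; the “ECU SW ID” values are the ones given in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the configuration information DB 208 for one vehicle type.
# Each approved "Vehicle SW ID" maps to the "ECU SW ID" registered per "ECU ID";
# the values follow the example in the text, the type name "TYPE_A" is a placeholder.
APPROVED_CONFIGS: Dict[str, Dict[str, Dict[str, str]]] = {
    "TYPE_A": {
        "0001": {"ads": "ads_001", "eng": "eng_010", "brk": "brk_001", "eps": "eps_010"},
        "0002": {"ads": "ads_002", "eng": "eng_010", "brk": "brk_005", "eps": "eps_011"},
    }
}


@dataclass
class CheckResult:
    approved: bool
    vehicle_sw_id: Optional[str]   # matching approved "Vehicle SW ID", if any
    reasons: List[str]             # per-ECU mismatches against the closest approved list


def check_configuration_list(vehicle_type: str, uploaded: Dict[str, str]) -> CheckResult:
    """Collate an uploaded configuration information list (ECU ID -> ECU SW ID)
    against the approved lists registered for that vehicle type.

    The list is approved only when it exactly equals one approved combination.
    A list that mixes ECUs from two different approved combinations, which is
    what happens after a single ECU is replaced, is disapproved.
    """
    configs = APPROVED_CONFIGS.get(vehicle_type)
    if configs is None:
        return CheckResult(False, None, [f"unknown vehicle type {vehicle_type!r}"])

    for vehicle_sw_id, ecu_sw_ids in configs.items():
        if ecu_sw_ids == uploaded:
            return CheckResult(True, vehicle_sw_id, [])

    # No exact match: report the differences against the closest approved list
    # (assumed diagnostic detail; the text only requires signalling an abnormality).
    _, closest = max(
        configs.items(),
        key=lambda kv: sum(kv[1].get(ecu) == sw for ecu, sw in uploaded.items()),
    )
    reasons = [
        f"{ecu_id}: expected {closest.get(ecu_id)!r}, got {uploaded.get(ecu_id)!r}"
        for ecu_id in sorted(set(closest) | set(uploaded))
        if closest.get(ecu_id) != uploaded.get(ecu_id)
    ]
    return CheckResult(False, None, reasons)


def center_response(vehicle_type: str, uploaded: Dict[str, str]) -> dict:
    """Message the center device returns to the in-vehicle device (assumed format)."""
    result = check_configuration_list(vehicle_type, uploaded)
    if result.approved:
        return {"status": "approved", "vehicle_sw_id": result.vehicle_sw_id}
    return {"status": "abnormality", "detail": result.reasons}


if __name__ == "__main__":
    # An approved vehicle, then the same vehicle after only the ADS ECU was replaced.
    print(center_response("TYPE_A", dict(APPROVED_CONFIGS["TYPE_A"]["0001"])))
    replaced = {"ads": "ads_002", "eng": "eng_010", "brk": "brk_001", "eps": "eps_010"}
    print(center_response("TYPE_A", replaced))
```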
As illustrated in
Although a data structure of the latest “ECU SW ID” is illustrated in
As illustrated in
Attribute information indicating an attribute of the ECU 19 is also registered in the ECU metadata DB 205. The attribute information is information indicating a hardware attribute and a software attribute regarding the ECU. The “transfer size” is a transfer size when rewrite data is divided and transferred from the CGW 13 to the ECU 19, and the “key” is a key used when the CGW 13 securely accesses the ECU 19. These are examples of software attribute information. The “vehicle type” and “ECU ID” also include a memory configuration of the flash memory 28d of the ECU 19, the type of bus to which the ECU 19 is connected, the type of power supply connected to the ECU 19, and the like. These are examples of hardware attribute information.
Here, as the memory configuration, a “single-bank” is a single-bank memory having a single flash bank, a “double-bank” is a double-bank memory having double flash banks, and “suspend” is a single-bank suspend memory having pseudo-double flash banks. The hardware attribute information and the software attribute information are information used for rewrite control of each ECU 19 in the vehicle-side system 4. Although the hardware attribute information may be stored in advance in the CGW 13, in the present embodiment, the hardware attribute information is managed by the center device 3 in order to reduce the management load on the vehicle-side system 4. The software attribute information is data that directly designates a rewrite operation of each ECU 19. The software attribute information is managed by the center device 3 such that flexible control in the vehicle-side system 4 can be realized.
As illustrated in
An “access log” is the date and time when the vehicle uploaded the individual vehicle information to the center device 3. A “reprogramming status” indicates a status of reprogramming in the vehicle, and includes, for example, “campaign issued”, “activation completed”, and “download completed”. That is, this progress status shows which phase the reprogramming in the vehicle has reached and in which phase the reprogramming is delayed. When the configuration information or the like is uploaded from the vehicle-side system 4 to the center device 3, the “VIN” of each vehicle is added to the information.
As illustrated in
As illustrated in
Next, an operation of the present embodiment will be described. In
Next, a difference data file as rollback difference data for update to the old program on the basis of the new program and integrity verification data of the data are generated (A5 and A6). The program files and the verification data are registered in the ECU reprogramming data DB 204, and a new “ECU SW ID” is generated and registered on the basis of the previous “ECU SW ID” (A7). Here, when the entire data is distributed instead of the difference, the step related to the difference data may be omitted.
The integrity verification data is a hash value generated, for example, by applying a hash function. For example, in a case where Secure Hash Algorithm 256-bit (SHA-256) is used as the hash function, the data values are separated into message blocks of 64 bytes each. Then, when the data values of the first message block are applied to an initial hash value and thus a 32-byte hash value is obtained, a 32-byte hash value is sequentially and repeatedly obtained by applying the data values of the next message block to the previous hash value.
In
The center device 3 starts a specification data generation program of the specification data generation unit 201, and receives input from an operator of the OEM via the display unit 219 and the input unit 218. First, the specification data generation unit 201 determines the update target ECU 19. As illustrated in
The specification data generation unit 201 may access the configuration information DB 208 to determine the update target ECU 19 without receiving input from the operator of the OEM. The specification data generation unit 201 refers to an “ECU SW ID” for the latest “Vehicle SW ID” and an “ECU SW ID” for the previous “Vehicle SW ID”, and extracts the ECU 19 subjected to update. For example, in
The specification data generation unit 201 generates group information for ECUs having a plurality of update target “ECU SW IDs” (B2). Here, with reference to the configuration information DB 208, by using the “Sys ID”, for example, a group 1 includes “ECU IDs” in which the “Sys ID” is “SA01_02”, and a group 2 includes “ECU IDs” in which the “Sys ID” is “SA02_02”. For example, in
Next, the specification data generation unit 201 accesses the ECU metadata DB 205, and acquires the update data related information, the hardware attribute information, and the software attribute information as the specification data regarding the update target ECU 19 (B3). For example, as illustrated in
Hereinafter, each piece of information will be described.
The “Write data type” is a type indicating whether a program is difference data or the entire data. The write data type for an update program and the write data type for a rollback program may be described separately.
The “write bank” is information indicating a bank in which a program is written for the double-bank memory ECU 19.
The “connection bus” is information for identifying a bus to which the ECU 19 is connected.
The “connection power supply” is information indicating a state of a power supply to which the ECU 19 is connected, in which a value indicating any of the battery power (+B power), the accessory power (ACC power), and the ignition power (IG power) is described.
The “memory type” is information for identifying a memory configuration of the ECU 19, in which values indicating a double-bank memory, a single-bank suspend memory (pseudo-double-bank memory), a single-bank memory, and the like are described.
The “rewrite bank information” is information indicating which bank of the ECU 19 is a start bank (active bank) and which bank is a rewrite bank (inactive bank).
The “security access key information” is information for authenticating access to the ECU 19 by using a key, and includes information such as a key derivation key, a key pattern, and a decryption operation pattern.
The “transfer size” is a data size when a program is divided and transferred to the ECU 19.
For example, as illustrated in
The rewrite environment information for the group includes the ECUs 19 belonging to the group, the order of ECUs in the group, and the like. In the vehicle-side system 4, program update is controlled to be synchronized in the group unit, and writing into the ECU 19 is executed in the designated ECU order. The specification data generation unit 201 starts a screen for registering rewrite environment information, and receives input from the operator of the OEM. Alternatively, Excel (registered trademark) in which rewrite environment information is input may be imported. Alternatively, the restriction information registered in the configuration information DB 208 may be extracted. The specification data generation unit 201 uses the generation result in the above step B2 as the rewrite environment information for the group.
The bus load table is a table illustrating a correspondence relationship between a power supply state and an allowable transmission amount for a bus. As illustrated in
Finally, the specification data generation unit 201 locates each piece of the generated or acquired data in accordance with a predetermined data structure, and thus generates rewrite specification data as illustrated in
In the specification data illustrated in
In
As described above, according to the present embodiment, data of an update program of the application program update target ECU 19 among a plurality of ECUs 19 mounted on the vehicle is stored in the ECU reprogramming data DB 204 of the center device 3. The vehicle related information such as an “ECU ID” for each of a plurality of the ECUs 19 mounted on the vehicle and an “ECU SW ID” of an application program stored in the ECU 19 is stored in the configuration information DB 208 along with the type of vehicle. The attribute of the rewrite target ECU 19 and the update data related information related to update data are stored in the ECU metadata DB 205.
The specification data generation unit 201 generates the specification data to be transmitted to the vehicle along with the update data to be written to the target ECU 19, the specification data including the type, the attribute, the update data related information, and the information indicating the rewrite environment related to the data update for the target ECU 19 on the basis of the information stored in the configuration information DB 208 and the ECU metadata DB 205. The package generation unit 202 generates the distribution package including the specification data and the reprogramming data, and registers the distribution package in the package DB 206. The package distribution unit 203 distributes the registered distribution package to the vehicle-side system 4. Thus, the vehicle-side system 4 receives the specification data transmitted along with the update data, and can thus appropriately select the target ECU 19 on the basis of the specification data, and appropriately control a write process by using the update data.
Since the specification data generation unit 201 generates specification data for a plurality of ECUs 19 as one file, and the package generation unit 202 further packages the file into one file along with the reprogramming data for the plurality of ECUs 19, the vehicle-side system 4 can write the update data into the plurality of ECUs 19 when a single distribution package is received.
Since the vehicle related information as the specification data includes group information in which some of ECUs 19 are grouped, the vehicle-side system 4 can select a target ECU 19 according to an order defined by the group information, and can write update data. For example, when there are a plurality of ECUs 19 that are improvement targets of a certain function, by setting the group 1 as the body system ECU 19, the group 2 as the travel system ECU 19, and the group 3 as the MM system ECU 19, program update in the vehicle-side system 4 can be divisionally executed three times. Therefore, the waiting time of a user for each update time can be shortened compared with a case where the program update is executed collectively in all the ECUs.
Since the rewrite environment information includes the “vehicle condition (IG ON state)” and the “battery load” related to the vehicle and the “bus load table” related to the ECU 19, the vehicle-side system 4 can determine a timing or the like for writing update data on the basis of the information. That is, a service provider using the OEM or the center device 3 can operate flexible program update by designating execution restriction conditions for the vehicle as the rewrite environment information.
Since the specification data generation unit 201 generates specification data in accordance with predetermined data structures in order by using information related to the ECU 19 having the earlier rewrite order set in advance, the vehicle-side system 4 can write update data in accordance with the location order of ECU IDs in the specification data. That is, since the ECUs 19 having mutually cooperative process are grouped into one group and an ECU order is defined by considering a content of the mutually cooperative process, even in a case where an update timing to the new program is not completely synchronized in the vehicle-side system 4, the program update can be completed without inconvenience. For example, in a case where a new program of the ECU (ID1) has a process of transmitting a predetermined message to the ECU (ID2), and a new program of the ECU (ID2) has a process of generating a timeout error when the predetermined message transmitted from the ECU (ID1) cannot be received, it is preferable to define an ECU order such that the ECU (ID1) is subjected to update first and the ECU (ID2) is subjected to update later.
As illustrated in
When reception of the “ECU SW ID” from each ECU 19 is completed, the CGW 13 transmits all the pieces of information to the DCM 12 along with the “VIN”. In this case, the “Vehicle SW ID” and the “Sys ID” managed by the CGW 13 may also be transmitted to the DCM 12. The DCM 12 receives the information, and generates a single hash value that is a digest value for all of the “ECU SW IDs” by using, for example, a hash function. As described above, in a case where SHA-256 is used as the hash function, data values obtained by serially connecting values of all of the “ECU SW IDs” to each other are divided into message blocks every 64 bytes, the data values of the first message block are applied to an initial hash value to obtain a hash value with 32-byte length, and the data values of each succeeding message block are sequentially applied to the hash value, and, finally, a hash value of 32-byte length is obtained. Here, the DCM 12 may generate a single hash value not only for all of the “ECU SW IDs” but also for values including the “Vehicle SW ID”, the “Sys ID”, the bank information, and the calibration information.
The DCM 12 transmits the digest value of the “ECU SW ID” obtained as described above to the center device 3 along with the “VIN”. The DCM 12 may transmit the trouble code or the license information along with the digest value. Hereinafter, the digest value may be referred to as a “configuration information digest”, and all data values of the “ECU SW IDs” that are a basis thereof may be referred to as “configuration information all”. The “configuration information all” may include the “Vehicle SW ID”, the “Sys ID”, the bank information, and the calibration information.
As will be described later, the center device 3 compares digest values or updates the individual vehicle information DB 213. The center device 3 synchronized with the configuration information checks availability of program update, and notifies the vehicle-side system 4 of the campaign information in a case where the program update is available. Thereafter, the vehicle-side system 4 downloads a distribution package, installs the distribution package in the target ECU 19, and activates a new program. The CGW 13 transmits a “synchronization initiation request” to the DCM 12 with completion of the update process as a trigger, and then performs the same process as described above until a synchronization completion notification is performed. The above-described process that is performed with turning-on of the IG switch 37 as a trigger may also be performed after the program is updated.
As illustrated in
Here, for example, as illustrated in
In contrast, the vehicle C with VIN=300 is also “Vehicle SW ID=0001”, but an “ECU SW ID” of “ECU ID=ADS” is “ads_002” and an “ECU SW ID” of “ECU ID=BRK” is “brk_003”. These two ECUs 19 are different from the configuration information registered in the configuration information DB 208. Therefore, in step D6, “NO”, that is, it is determined to be disapproved and “NG”, and the configuration information check unit 210 notifies the vehicle-side system 4 and the management device 220 illustrated in
On the other hand, the vehicle A with VIN=100 has “Vehicle SW ID=0001”, the “ECU SW ID” of “ECU ID=ADS” is “ads_001”, and the “ECU SW ID” of “ECU ID=BRK” is “brk_001”, all of which match the configuration information registered in the configuration information DB 208. Therefore, in step D6, “YES”, that is, it is determined to be approved and “OK”, and the process proceeds to step D7. Here, the configuration information check unit 210 may determine whether the combination of “ECU SW IDs” of the vehicle C is present in the configuration information DB 208 to determine whether the vehicle C is approved or disapproved. The “Sys ID” may also be used for determination in addition to the “Vehicle SW ID”.
Next, the update availability check unit 211 accesses the campaign DB 217 via the campaign management unit 3D to check availability of update using a new program (D7). The availability of update is determined by comparing the “Vehicle SW ID” uploaded from the vehicle-side system 4 with the “pre-update Vehicle SW ID” of the campaign DB 217. For example, as illustrated in
When the campaign DB 217 stores “Sys IDs” before and after update, availability of the update can be checked by using the “Sys IDs”. Instead of the “Vehicle SW ID”, the uploaded “ECU SW ID” list may be compared with the “pre-update ECU SW ID list” of the campaign DB 217 to determine availability of update.
The vehicle-side system 4 acquires a campaign file corresponding to the ID from the center device 3 by using the notified campaign ID as a key (D9). The campaign file includes text statements that describe a campaign content, restrictions on execution of program update, and so on. The restrictions are conditions for executing download or installation, and include, for example, a remaining battery charge, a free capacity of the RAM required for downloading a distribution package, and the current position of the vehicle. The vehicle-side system 4 analyzes the campaign file and displays the campaign content by using the in-vehicle display 7. The user refers to a message displayed on the in-vehicle display 7 according to the campaign content, and decides whether or not to update an application program of the ECU 19. When the user's approval operation is received via the in-vehicle display 7, the CGW 13 notifies the center device 3 of the approval for the update via the DCM 12. The center device 3 transmits the distribution package file with the package ID corresponding to the campaign ID and the integrity verification data to the vehicle-side system 4 (D10).
When the update is unavailable in step D7 (NO), the vehicle-side system 4 is notified of “update unavailable” (D11). For example, as illustrated in
On the other hand, when the collation result of the “configuration information digest” shows mismatch (NO) in step D2, the center device 3 requests the vehicle-side system 4 to transmit the “configuration information all” (D3). This transmission corresponds to an “entire data transmission request notification”. When the vehicle-side system 4 transmits the “configuration information all” in response to the request, the center device 3 receives the “configuration information all” (D4). The individual vehicle information management unit 3C of the center device 3 updates the information regarding the vehicle registered in the individual vehicle information DB 213 (D4). The process proceeds to step D6. The individual vehicle information DB 213 is an example of a vehicle-side configuration information storage unit.
The CGW 13 may transmit the “synchronization initiation request” at a timing at which the IG switch 37 is turned off.
As described above, according to the second embodiment, when configuration information regarding a configuration of each ECU 19 is received from a plurality of ECUs 19, the vehicle-side system 4 generates a hash value on the basis of data values of a plurality of pieces of configuration information, and transmits the hash value to the center device 3. The center device 3 includes the individual vehicle information DB 213, and compares the hash value transmitted from the vehicle-side system 4 with a hash value of the vehicle configuration information stored in the individual vehicle information DB 213. When both of the values do not match each other, a request for transmission of “configuration information all” is transmitted to the vehicle-side system 4. The vehicle-side system 4 receives the transmission of the request, and transmits the “configuration information all” to the center device 3. When the “configuration information all” is received, the center device 3 updates the configuration information stored in the individual vehicle information DB 213 on the basis of data values thereof.
With this configuration, the vehicle-side system 4 initially transmits the hash value of the configuration information to the center device 3, and transmits all data values of the configuration information to the center device 3 only when a comparison result of the hash values in the center device 3 shows mismatch. Consequently, since a size of data transmitted from the vehicle-side system 4 can be reduced, even when the vehicle-side system 4 is mounted on a plurality of vehicles, it is possible to reduce a total amount of communication. In particular, in a case where the configuration information is uploaded at a predetermined timing such as IG-on in the vehicle-side system 4, a time period in which the communication concentrates may occur. Thus, an amount of transmitted data is reduced by using a hash value, and thus it is possible to reduce a communication load.
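A worked simulation of this digest-first synchronization and of the approval and availability checks that follow it (steps D1 to D7 above), added here as an example and not code from the patent; the concatenation convention for the digest, the database layouts, the campaign ID and the vehicle records are assumptions built from vehicles A and C as described above.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def configuration_all(ecu_sw_ids: dict[str, str]) -> bytes:
    """Serial connection of all ECU SW IDs (the 'configuration information all').
    Convention assumed by this example: entries in sorted ECU ID order as
    "ECU ID=ECU SW ID", joined by "|". The separator matters: without one,
    two different ID lists could concatenate to the same byte string and so
    to the same digest."""
    return "|".join(f"{ecu}={sw}" for ecu, sw in sorted(ecu_sw_ids.items())).encode()


def configuration_digest(ecu_sw_ids: dict[str, str]) -> str:
    """DCM 12 side: one SHA-256 digest (the 'configuration information digest')."""
    return hashlib.sha256(configuration_all(ecu_sw_ids)).hexdigest()


@dataclass
class CenterDevice:
    # configuration information DB 208: (vehicle type, Vehicle SW ID) -> approved ECU SW IDs
    configuration_db: dict[tuple[str, str], dict[str, str]]
    # campaign DB 217: pre-update Vehicle SW ID -> campaign ID
    campaign_db: dict[str, str]
    # individual vehicle information DB 213: VIN -> last synchronized configuration
    individual_vehicle_db: dict[str, dict] = field(default_factory=dict)

    def receive_digest(self, vin: str, digest: str) -> tuple[str, str | None]:
        """Steps D1/D2: collate the uploaded digest with the stored configuration."""
        stored = self.individual_vehicle_db.get(vin)
        if stored is None or configuration_digest(stored["ecu_sw_ids"]) != digest:
            return "entire data transmission request", None      # D3
        return self.check_vehicle(vin)                             # D6 onwards

    def receive_configuration_all(self, vin: str, vehicle_type: str,
                                  vehicle_sw_id: str, ecu_sw_ids: dict[str, str]):
        """Steps D4/D5: refresh DB 213 from the full configuration, then continue."""
        self.individual_vehicle_db[vin] = {"vehicle_type": vehicle_type,
                                           "vehicle_sw_id": vehicle_sw_id,
                                           "ecu_sw_ids": dict(ecu_sw_ids)}
        return self.check_vehicle(vin)

    def check_vehicle(self, vin: str) -> tuple[str, str | None]:
        """Step D6 (approved combination?) and step D7 (update available?)."""
        rec = self.individual_vehicle_db[vin]
        approved = self.configuration_db.get((rec["vehicle_type"], rec["vehicle_sw_id"]))
        if approved != rec["ecu_sw_ids"]:
            # D6 NO: abnormality notified to vehicle-side system 4 and management device 220,
            # and the availability check D7 is skipped for this vehicle
            return "NG", None
        campaign_id = self.campaign_db.get(rec["vehicle_sw_id"])
        if campaign_id is None:
            return "update unavailable", None                       # D11
        return "campaign", campaign_id                              # campaign ID notified; D9 follows


def vehicle_synchronization(center: CenterDevice, vin: str, vehicle_type: str,
                            vehicle_sw_id: str, ecu_sw_ids: dict[str, str]):
    """Vehicle-side system 4: upload the digest first, and the full configuration
    only when the center asks for it. Returns (center result, full data sent?)."""
    result = center.receive_digest(vin, configuration_digest(ecu_sw_ids))
    sent_all = result[0] == "entire data transmission request"
    if sent_all:
        result = center.receive_configuration_all(vin, vehicle_type, vehicle_sw_id, ecu_sw_ids)
    return result, sent_all


def build_center() -> CenterDevice:
    """Constructed data: vehicle type aaa with Vehicle SW ID 0001 approves ads_001/brk_001."""
    return CenterDevice(
        configuration_db={("aaa", "0001"): {"ADS": "ads_001", "BRK": "brk_001"}},
        campaign_db={"0001": "CAMPAIGN-0001"},   # constructed campaign ID
    )


if __name__ == "__main__":
    center = build_center()
    vehicle_a = ("100", "aaa", "0001", {"ADS": "ads_001", "BRK": "brk_001"})
    vehicle_c = ("300", "aaa", "0001", {"ADS": "ads_002", "BRK": "brk_003"})
    print(vehicle_synchronization(center, *vehicle_a))  # first IG-on: full upload, campaign
    print(vehicle_synchronization(center, *vehicle_a))  # next IG-on: digest only
    print(vehicle_synchronization(center, *vehicle_c))  # disapproved combination: NG
```

The second run for vehicle A shows the bandwidth saving: once DB 213 holds the configuration, only the 32-byte digest leaves the vehicle.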
The CGW 13 receives the configuration information from all the rewrite target ECUs 19 of update data, and generates a hash value on the basis of all data values thereof, and the DCM 12 transmits the hash value at a timing at which the ignition switch 37 of the vehicle is turned on or off. Therefore, it is possible to transmit the hash value to the center device 3 at a timing at which traveling of the vehicle is initiated or finished. Thus, the center device 3 can appropriately synchronize the configuration information of the individual vehicle information DB 213 with that of the vehicle.
When an “ECU SW ID” of each ECU 19 is received from a plurality of ECUs 19, the vehicle-side system 4 transmits a configuration information list in which a “Vehicle SW ID” is combined therewith to the center device 3. The center device 3 compares the “ECU SW ID” list transmitted from the vehicle-side system 4 with an approved “ECU SW ID” list of a corresponding vehicle stored in the configuration information DB 208, and transmits abnormality detection to the vehicle-side system 4 and the management device 220 when it is determined that the transmitted lists of combinations are disapproved.
With this configuration, the center device 3 can detect, as an abnormality, that a combination of the configuration information of the vehicle is in a state in which the plurality of ECUs 19 cannot cooperate with each other and traveling of the vehicle is hindered, and notify the vehicle-side system 4 of the abnormality. Thus, the vehicle-side system 4 can perform measures such as prohibiting traveling of the vehicle.
The center device 3 does not perform the update availability check process (D7) on a vehicle in which a combination of vehicle configuration information is disapproved. Thus, it is possible to prevent program update from being executed in a disapproved vehicle. Even when the disapproved ECU 19 is not an update target ECU of a new program, the center device 3 does not execute the update availability check process (D7). In the vehicle-side system 4, when program update is executed, control for the ECU 19 which is not an update target is also generated. Therefore, in a vehicle having a disapproved ECU 19, there is a probability that the program update may not be normally completed, and thus the center device 3 prevents the program update from being executed in the vehicle.
The center device 3 includes the campaign DB 217 in which the campaign information used to notify the vehicle side that update using a new program has occurred is stored, and, for a vehicle determined to be approved, checks availability of the campaign information of the corresponding vehicle. When the update is available, the campaign information is transmitted to the vehicle-side system 4. Consequently, the campaign information can be presented to a user, and thus update of an application program can be prompted. Synchronization of the configuration information, determination of whether or not the configuration information is approved, and checking of update availability are executed as a series of processes by the center device 3 with upload of the configuration information from a vehicle as a trigger, and thus it is possible to promptly notify an adequate vehicle of update of a program.
The second embodiment may be modified and implemented as follows.
The center device 3 may transmit the “synchronization initiation request” to the vehicle-side system 4, and the DCM 12 may transmit the “configuration information collection request” to the CGW 13 when the “synchronization initiation request” is received. For example, when the configuration information DB 208 of “vehicle type=aaa” is updated, the center device 3 transmits the “synchronization initiation request” to a vehicle of the vehicle type.
The hash value may be transmitted to the center device 3 at a timing when rewriting is completed in the ECU 19 where the update data is rewritten. That is, the flowchart of steps D1 to D12 illustrated in
The center device 3 requests the vehicle-side system 4 to transmit a combination list of the configuration information of the respective ECUs 16 when a comparison result of both hash values shows match. When the combination list is received, the processes in steps D6 to D12 may be performed.
Even when the comparison result of both of the hash values shows match, the center device 3 may refer to the campaign DB 217 to check availability of the campaign information of a corresponding vehicle.
The transmission of a hash value from the vehicle-side system 4 to the center device 3 may be performed as illustrated in
The third embodiment relates to a function executed by a campaign management unit 3D of the center device 3 in order to improve a rate of updating an application program in the vehicle-side system 4. As illustrated in
In the above-described way, in the configuration in which update availability is checked with a notification from a vehicle as a trigger, the center device 3 does not need to transmit campaign information from the center device 3 to all the vehicles that are campaign targets at the time at which the campaign information is set. However, in a case where a user does not use a vehicle for a long period of time, the user does not check update availability using HTTP during that time. Thus, it is supposed that the user does not know that a new campaign has been issued, and an application program may not be updated in the vehicle.
Therefore, as illustrated in
In the individual vehicle information DB 213, initial data is registered by the OEM when a vehicle is produced in a factory, and, thereafter, an initial access log is input due to a notification from the OEM in response to, for example, sales of the vehicle. This access log substantially corresponds to a notification for validating subsequent program update. A vehicle for which an access log has not been input is excluded from the determination in step E2.
When there is a vehicle for which the update has not been checked for a predetermined period (YES), the SMS transmission control unit 212 determines characteristics of the vehicle on the basis of the vehicle type in the individual vehicle information DB 213, equipment information, and the like (E3). Here, as the characteristics, the SMS transmission control unit 212 determines whether the vehicle is an electric vehicle (EV) capable of receiving a short message service (SMS), a conventional gasoline engine vehicle (conventional vehicle) capable of receiving an SMS, or a vehicle for which it is difficult to receive an SMS. For example, in a case where the DCM 12 mounted on the vehicle does not have a function of receiving an SMS or does not have a contract for receiving an SMS, it is determined that it is difficult for the vehicle to receive an SMS.
In a case of the EV, an SMS for initiating a configuration information transmission sequence by starting the ECU 19 of the vehicle is transmitted (E5; refer to
In a case where a remaining battery charge of the battery of the EV vehicle is small, the vehicle-side system 4 refers to the rewrite specification data illustrated in
In the conventional vehicle, the SMS transmission control unit 212 transmits an SMS that is displayable on the in-vehicle display 7 to a vehicle which is ready to receive the SMS in a period in which the DCM 12 is intermittently started (E4; refer to
As described above, according to the third embodiment, the vehicle-side system 4 transmits the configuration information of a plurality of ECUs 19 to the center device 3, and the individual vehicle information DB 213 stores the configuration information transmitted from the respective vehicles along with the transmission date thereof. The campaign DB 217 stores, as campaign information, a target VIN list for identifying a campaign ID and a data update target vehicle. The center device 3 refers to the individual vehicle configuration DB 213, and, when there is no transmission of the configuration information within a predetermined period from the transmission date linked to a target vehicle, transmits a message for prompting data update to the vehicle-side system 4 of the target vehicle by using an SMS.
With this configuration, even in a case where the situation is continued in which the configuration information is not transmitted to the center device 3 because a user does not have an opportunity to ride on a vehicle, the center device 3 transmits a message for prompting data update to the vehicle-side system 4 of the target vehicle when a predetermined period has elapsed from the transmission date stored in the individual vehicle information DB 213. Therefore, the user can recognize that the data update is necessary by referring to the message.
The center device 3 refers to the individual vehicle information DB 213 and the campaign DB 217 to determine a program update target vehicle. That is, the individual vehicle information DB 213 stores the date on which the configuration information is transmitted from each vehicle, and the campaign DB 217 stores a target VIN list. Therefore, the center device 3 can determine a program update target vehicle on the basis of the transmission date of the configuration information from each vehicle and the target VIN list.
When the configuration information is received from each ECU 19 with turning-on of the ignition switch 37 as a trigger, the vehicle-side system 4 transmits the configuration information to the center device 3. Therefore, when the user rides on the vehicle, the configuration information can be reliably transmitted to the center device 3.
When the target vehicle is an electric vehicle, the center device 3 transmits a message including a command for starting an ECU of the target vehicle, and the vehicle-side system 4 having received the message starts the ECU 19 to execute a process related to data update. That is, since the electric vehicle has a relatively large capacity of the battery, the ECU 19 can execute processes related to data update without waiting for a user operation. Therefore, it is possible to execute the data update efficiently.
When the target vehicle is a conventional vehicle, the center device 3 transmits at least text information displayable on the in-vehicle display 7 of the target vehicle as a message. Therefore, a user of the conventional vehicle can recognize that the data update is necessary by referring to the text information displayed on the in-vehicle display 7.
When a transmission destination of the user's mobile terminal 6 is stored in the individual vehicle information DB 213, the center device 3 transmits text information displayable on the mobile terminal 6 as a message. As a result, the user can recognize that the data update is necessary by referring to the text information displayed on the mobile terminal 6 even when there is no opportunity to ride on the vehicle.
When the user transmits the transmission date and a transmission destination of a campaign to the center device 3 in advance via the mobile terminal 6, the center device 3 stores the transmission date and the transmission destination in the individual vehicle information DB 213. For example, the user designates the day after the campaign is issued as the transmission date, and designates the mobile terminal 6 as the transmission destination instead of the in-vehicle display 7. The user designates a predetermined time at which the user does not ride as the transmission date, designates the vehicle as the transmission destination, and performs an operation of approving that a program is automatically updated. Consequently, the center device 3 transmits the campaign information to the transmission destination on the transmission date regardless of whether or not the configuration information is transmitted. Therefore, when the user knows in advance that there is no opportunity to ride on the vehicle for a while, the campaign information can be set to be received on the transmission date set by the user.
The third embodiment may be modified and implemented as follows.
The user information storage unit may be provided separately from the individual vehicle information DB 213.
The campaign information may be transmitted by using means other than SMS.
Instead of storing the transmission date in the individual vehicle information DB 213, the center device 3 may store, for example, a day on which no data is transmitted from the vehicle, and may transmit a message for prompting data update when the day continues for seven consecutive days.
The fourth embodiment relates to a case where a user designates campaign information and a message notification method. For example, a case is supposed that the user does not ride for about one month, and that it is determined in advance that there is no opportunity to turn on the IG switch 37. As illustrated in
As described above, according to the fourth embodiment, when the user transmits the transmission date and a transmission destination of campaign information to the center device 3 via the mobile terminal 6, the center device 3 stores the transmission date and the transmission destination in the individual vehicle information DB 213. The center device 3 transmits the campaign information to the transmission destination on the stored transmission date. Consequently, it is possible to stop transmission of unnecessary campaign information from the center device 3 when it is determined that the user does not ride on the vehicle for a certain period.
The fifth embodiment relates to a function of adding verification data used for the vehicle-side system 4 to verify the integrity of data when the center device 3 transmits data of an update program to the vehicle-side system 4. As illustrated in
The package management unit 3A generates an authenticator by applying encryption using a key value which is a predetermined key for each hash value (Y3). The package management unit 3A transmits the update data and the integrity verification data with each authenticator, and stores the transmitted data in the ECU reprogramming data DB 204 (Y4). As described above, the package management unit 3A generates a package, generates integrity verification data for the package, and transmits the integrity verification data to the vehicle-side system 4 (Y5).
The master device (OTA master) 11 calculates the integrity verification data for the package, compares a calculated value with the integrity verification data of the received package, and verifies the integrity of the package (Y6). When the package integrity verification is successful, the master device 11 transmits the update data and the integrity verification data of the ECU to the rewrite target ECU 19 (target ECU) (Y7).
The rewrite target ECU 19 calculates the integrity verification data for the update data, compares a calculated value with the integrity verification data of the received update data, and verifies the integrity of the update data (Y8). When the update data integrity verification is successful, the rewrite target ECU 19 restores the difference data that is the update data and writes the data into the flash memory 28d (Y9). When the writing is completed, the rewrite target ECU 19 calculates the integrity verification data for the data written in the flash memory 28d, compares a calculated value with the integrity verification data of the received new program, and verifies the integrity of the flash memory 28d (Y10). The rewrite target ECU 19 transmits the verification result to the master device 11 (Y11), and the master device 11 transmits the received verification result to the center device 3 as an installation result notification (Y12).
For example, as illustrated in
(1) A hash value that is integrity verification data for a new program of the ECU is generated. A functional portion for performing this process is an example of a first verification value generation unit (step A1).
(2) Update data that is difference data for update to a new program on the basis of an old program of the ECU, and a hash value that is integrity verification data of the update data, are generated. The functional portion for performing this process is an example of a second verification value generation unit in step A4.
(3) A hash value that is the integrity verification data for the old program of the ECU is generated. A functional portion for performing this process is an example of a fourth verification value generation unit in step A5.
(4) Update data that is difference data for update to the old program on the basis of the new program of the ECU, and a hash value that is integrity verification data of the update data, are generated. A functional portion for performing this process is an example of a fifth verification value generation unit in step A7.
The “program” includes constant data to be used in the program. When “ECU SW ID=ads_002”, a hash value xl is generated for update data “Adsfile001-002”. As a hash function, for example, SHA-256 is used as described above. The hash value corresponds to a verification value. Here, the package management unit 3A may be configured to generate integrity verification data with an authenticator by generating an authenticator by applying encryption by using a key value that is a predetermined key to the hash value.
Next, the supplier generates integrity verification data with an authenticator by applying encryption using a key value that is a predetermined key to the integrity verification data, and provides the OEM with the update data and the integrity verification data with the authenticator in correlation with each other. In other words, the package management unit 3A provides the OEM with each program and integrity verification data with an authenticator for the program registered in the ECU reprogramming data DB 204. In response to an instruction from the OEM, the package management unit 3A generates rewrite specification data as described above by using the ECU reprogramming data DB 204 or the like, generates a distribution package, and registers it in the package DB 206. When a download request for update data is generated from the vehicle-side system 4, the center device 3 distributes a distribution package including the update data and the integrity verification data with the authenticator to the vehicle-side system 4 in response to the download request.
The “integrity verification data” in the claims includes both a hash value only and integrity verification data with an authenticator including encryption using a key.
When the distribution package is received, the master device 11 of the vehicle-side system 4 verifies the validity of the distribution package by using the integrity verification data (third verification value) added to the distribution package. Specifically, integrity verification data calculated by using the distribution package is compared with the received integrity verification data, and, when the pieces of data match each other, it is determined to be normal. When it is checked that the distribution package is normal as a result of the verification, the master device 11 unpackages the distribution package into data for each ECU (refer to
The ECU 19 verifies the validity of the update data by using integrity verification data with the authenticator (second verification value). Specifically, the integrity verification data calculated by using the received update data is compared with the received integrity verification data, and when the data matches, it is determined to be normal. When it is checked to be normal as a result of the verification, the CPU 28a of the ECU 19 performs a write process on the flash memory 28d. When the write process is completed, the ECU 19 uses the integrity verification data with the authenticator (first verification value) to read the data written in the flash memory 28d and verify its validity. Specifically, integrity verification data calculated by using the read data is compared with the received integrity verification data, and, when the pieces of data match each other, it is determined to be normal. The integrity verification data is stored in a predetermined area of the flash memory 28d for use when the ECU 19 is started. When these processes are completed, the ECU 19 transmits a write response to the master device 11, including the verification results. The master device 11 notifies the center device 3 of an installation result. The “target ECU” in the figure is synonymous with a “target ECU” and the “OTA master” is synonymous with a “DCM”. The CPU 28a is an example of a write processing unit.
Here, in a case where program update cancellation occurs during installation, the ECU 19 performs a rollback process. The ECU 19 writes the update data and verifies the validity of the rollback difference data by using the integrity verification data with the authenticator (fifth verification value). Specifically, the integrity verification data calculated by using the rollback difference data is compared with the received integrity verification data, and when the data matches, it is determined to be normal. When it is checked to be normal as a result of the verification, the ECU 19 initiates writing using the rollback difference data after writing of the update data is completed. After the writing is completed, the ECU 19 reads the data written in the flash memory 28d by using the integrity verification data with the authenticator (fourth verification value), and verifies its validity.
The integrity verification of the received difference data (the update data or the rollback difference data) may be performed by the master device 11 instead of the ECU 19.
As illustrated in
On the other hand, when a result of verification for any ECU 19 is abnormal, that is, “NG”, the ECU 19 stores a log of the process and notifies the master device 11 of the error. The master device 11 similarly stores the log and notifies the center device 3 of the error. The center device 3 similarly stores the log and notifies the management device 220 of the OEM or the like of an error. The notification sent to the management device 220 is performed, for example, by the SMS transmission control unit 212 by using SMS, or through transmission of an e-mail via an Internet line.
In the embodiment described above, the vehicle-side system 4 is configured to verify the integrity. In
The center device 3 accesses the ECU reprogramming data DB 204, acquires integrity verification data with an authenticator that matches the “ECU SW ID” of the target ECU 19 (X3 and X4), and verifies the acquired data with the integrity verification data uploaded from the vehicle (X5). Specifically, integrity verification data of the new program corresponding to the “ECU SW ID” is acquired from the ECU reprogramming data DB and is collated with the uploaded integrity verification data. When a result of the collation is inconsistent, that is, NG (X6; NG), the management device 220 of the OEM is notified of an abnormality (X7). A function of this processing unit corresponds to an abnormality notification unit.
The center device 3 transmits the collation result to the master device 11 (X8), and the master device 11 transmits the received collation result to the rewrite target ECU 19 (X9). In a case where the collation result is OK, the rewrite target ECU 19 operates an application program as usual. In a case where the collation result is NG, the application program is not operated. In the present embodiment, the package management unit 3A may omit the integrity verification data generation (step A1) of a new program and the integrity verification data generation (step A5) of an old ECU program.
In the above description, the ECU 19 verifies the integrity of update data at a timing at which the IG switch 37 of the vehicle is turned on after the update data is written, but, instead, the integrity of the update data may be verified immediately after the update data is written.
In the above embodiment, the integrity verification data with an authenticator is added to only update data, but this may be implemented as follows.
A new program and corresponding update data are acquired from the ECU reprogramming data DB 204 (data acquisition procedure; step A1).
The first verification value generation unit generates a first hash value for the new program (first verification value generation procedure; step A2).
The second verification value generation unit generates a second hash value for the update data (second verification value generation procedure; step A4). The package generation unit 202 causes the update data, specification data, and the first and second hash values to be included in a distribution package (distribution package generation procedure). The update data correspond to new difference data.
The third verification value generation unit generates a third hash value for the distribution package (third verification value generation procedure; step C4).
The package distribution unit 203 transmits the distribution package and the third hash value to the vehicle-side system 4.
An authenticator may be added only to the distribution package and the third hash value, or may be added in each stage of generating each hash value. The package distribution unit 203 corresponds to a transmission unit.
In this case, in the vehicle-side system 4:
The DCM 12 that is a reception processing unit receives the distribution package and the third hash value.
The third verification processing unit compares a hash value generated from the distribution package data with the received third hash value, and verifies the integrity of the distribution package data.
The second verification processing unit compares a hash value generated from the update data with the received second hash value, and verifies the integrity of the update data.
The CPU 28a that is an example of a write processing unit writes the update data into the flash memory 28d.
After the update data has been written, the first verification processing unit generates a hash value for the data in the flash memory 28d, which serves as the new program, and compares the hash value with the received first hash value to verify the integrity of the new program.
When a verification result of the update data is NG, writing into the flash memory 28d is stopped. When a verification result of the new program written in the flash memory 28d is NG, the new program is invalidated, and a rollback process is performed as necessary. The first to third verification processing units may be realized by the CPU 28a. When any of the verification results in the first to third verification processing units is NG, the DCM 12 as a transmission processing unit notifies the center device 3 of an abnormality.
In addition to the above configuration, as illustrated in
The fourth verification value generation unit generates a fourth hash value for the old program (fourth verification value generation procedure; step A5).
The fifth verification value generation unit generates a fifth hash value for the rollback data for returning the new program to the old program (fifth verification value generation procedure; step A7). The rollback data indicates rollback difference data and corresponds to old difference data.
The package generation unit 202 causes the update data, the rollback difference data, rewrite specification data, and the first, second, third, and fourth hash values to be included in a distribution package (distribution package generation procedure).
In this case, in the vehicle-side system 4, while the update data is rewritten into the flash memory 28d, for example, when the user gives an instruction for stopping the rewriting, the rewriting is cancelled, and restoration to the old program, that is, rollback is performed. This corresponds to only a case where a memory configuration of the ECU 19 is a single-bank memory.
The second verification processing unit calculates a hash value for the rollback data included in the distribution package, compares the calculated hash value with the fifth hash value, and verifies the integrity of the rollback data.
The CPU 28a performs writing into the flash memory 28d by using the rollback data.
The first verification processing unit calculates a hash value for the old program restored through writing into the flash memory 28d, compares the calculated hash value with the fourth hash value, and verifies the integrity of the old program.
As described above, according to the fifth embodiment, the ECU reprogramming data DB 204 stores a new program of the target ECU 19 that is a rewrite target, an old program, and update data that is new difference data for update from the old program to the new program. The first verification value generation unit generates a first hash value by using the new program, and the second verification value generation unit generates a second hash value by using the update data. The package generation unit 202 generates a package including the update data, first and second verification values, and specification data for a plurality of target ECUs 19. The third verification value generation unit generates a third hash value by using the distribution package, and the package distribution unit 203 transmits the distribution package to the vehicle-side system 4 along with the third hash value.
When the vehicle-side system 4 receives the distribution package and the third hash value, the third verification processing unit calculates a hash value for the distribution package and verifies the integrity of the distribution package by comparing the hash value with the third hash value. The second verification processing unit calculates a hash value for the update data corresponding to the target ECU 19 included in the distribution package, compares the hash value with the second hash value included in the distribution package, and verifies the integrity of the update data.
The CPU 28a writes the update data into the flash memory 28d, and the first verification processing unit calculates a hash value for data of the updated new program in the flash memory 28d, compares the hash value with the first hash value, and verifies the integrity of the data of the new program. Thus, each hash value can be used to verify the integrity of each data value in a plurality of stages. The integrity of the new program can be verified in triplicate, and thus it is possible to prevent the vehicle-side system 4 from writing an incomplete new program and operating with an incorrect new program.
When the rollback data is present in the ECU reprogramming data DB 204, the fourth verification value generation unit generates a fourth hash value for the old program, and the fifth verification value generation unit generates a fifth hash value for the rollback data. The package generation unit 202 causes the update data, the first and second hash values, the rollback data, and the fourth and fifth hash values to be included in a distribution package.
When rollback is performed in the vehicle-side system 4, the second verification processing unit calculates a hash value for the rollback data included in the distribution package, and verifies the integrity of the rollback data by comparing the hash value with the fifth hash value. The CPU 28a performs writing into the flash memory 28d by using the rollback data. The first verification processing unit calculates a hash value for the old program restored through writing into the flash memory 28d, and verifies the integrity of the old program by comparing the hash value with the fourth hash value. Consequently, the integrity of the old program that has been rolled back can be verified. In the above description, the first to fifth verification value generation units are functional blocks in the package management unit 3A of the center device 3. The first, second, fourth, and fifth verification processing units are functional blocks in the target ECU 19 of the vehicle-side system 4. The third verification processing unit is a functional block in the master device 11 of the vehicle-side system 4 (OTA master 11).
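The five-stage flow summarised above (center-side generation of the first to fifth verification values, the OTA master's check of the package, the target ECU's check of the update data, the check of the written flash contents, and the rollback path checked with the fifth and fourth values) can be followed end to end in the following added example. It is illustration code written for this page, not code from the patent or from any OEM or supplier. Assumptions that the text does not fix are labelled in the comments: SHA-256 as the hash function (the text names it as one option), an HMAC-SHA256 tag over the hash value as the "authenticator" (the text only says "encryption using a key value"), a constructed pre-shared key, a JSON package layout, and a toy XOR "difference data" format so that the example stays self-contained.

```python
# Added example (not code from the patent). Assumptions not fixed by the text:
# SHA-256 hash, HMAC-SHA256 as the "authenticator", a constructed demo key,
# a JSON package layout and a toy XOR delta as the "difference data".
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-pre-shared-key"  # placeholder, not a real key


def verification_value(data: bytes) -> bytes:
    """Hash value used as a verification value (SHA-256 in this example)."""
    return hashlib.sha256(data).digest()


def with_authenticator(h: bytes, key: bytes = DEMO_KEY) -> dict:
    """'Integrity verification data with an authenticator': the hash plus a keyed tag."""
    return {"hash": h.hex(), "auth": hmac.new(key, h, hashlib.sha256).hexdigest()}


def verify(data: bytes, ivd: dict, key: bytes = DEMO_KEY) -> bool:
    """Check the authenticator, then collate the recomputed hash with the received one."""
    h = bytes.fromhex(ivd["hash"])
    expected_tag = hmac.new(key, h, hashlib.sha256).hexdigest()
    tag_ok = hmac.compare_digest(expected_tag, ivd["auth"])
    return tag_ok and hmac.compare_digest(verification_value(data), h)


def make_delta(old: bytes, new: bytes) -> bytes:
    """Toy difference data: byte-wise XOR of equal-length images (self-inverse)."""
    if len(old) != len(new):
        raise ValueError("toy delta needs equal-length images")
    return bytes(a ^ b for a, b in zip(old, new))


def center_build_package(ecu_sw_id: str, old_program: bytes, new_program: bytes):
    """Package management unit (steps A1 to A7, C4): returns (package, third value)."""
    update = make_delta(old_program, new_program)    # new difference data
    rollback = make_delta(new_program, old_program)  # old difference data
    entry = {
        "ecu_sw_id": ecu_sw_id,
        "update_data": update.hex(),
        "rollback_data": rollback.hex(),
        "ivd_new_program": with_authenticator(verification_value(new_program)),  # 1st
        "ivd_update_data": with_authenticator(verification_value(update)),       # 2nd
        "ivd_old_program": with_authenticator(verification_value(old_program)),  # 4th
        "ivd_rollback_data": with_authenticator(verification_value(rollback)),   # 5th
    }
    package = json.dumps({"ecus": [entry]}, sort_keys=True).encode()
    third = with_authenticator(verification_value(package))                      # 3rd
    return package, third


def master_verify_package(package: bytes, third: dict) -> bool:
    """OTA master (Y6): third verification over the whole distribution package."""
    return verify(package, third)


def parse_entry(package: bytes, index: int = 0) -> dict:
    """Unpackage the distribution package into the data for one target ECU."""
    return json.loads(package)["ecus"][index]


def ecu_install(flash: bytearray, entry: dict, cancel: bool = False) -> list:
    """Target ECU (Y8 to Y10): second verification, write, first verification.
    On cancellation or an NG new program: rollback checked with the 5th and 4th values."""
    log = []
    update = bytes.fromhex(entry["update_data"])
    if not verify(update, entry["ivd_update_data"]):
        log.append("update_data:NG")              # writing into flash is stopped
        return log
    log.append("update_data:OK")
    flash[:] = make_delta(bytes(flash), update)   # restore the new program into flash
    if verify(bytes(flash), entry["ivd_new_program"]):
        log.append("new_program:OK")
    else:
        log.append("new_program:NG")              # new program is invalidated
        cancel = True
    if cancel:
        rollback = bytes.fromhex(entry["rollback_data"])
        if not verify(rollback, entry["ivd_rollback_data"]):
            log.append("rollback_data:NG")
            return log
        log.append("rollback_data:OK")
        flash[:] = make_delta(bytes(flash), rollback)
        ok = verify(bytes(flash), entry["ivd_old_program"])
        log.append("old_program:OK" if ok else "old_program:NG")
    return log


def run_update(old_program: bytes, new_program: bytes, tamper: bool = False,
               cancel: bool = False):
    """End-to-end run; returns (package_ok, ecu_log, final_flash_image)."""
    package, third = center_build_package("ads_002", old_program, new_program)
    if tamper:                                    # one bit flipped in transit
        damaged = bytearray(package)
        damaged[-1] ^= 0x01
        package = bytes(damaged)
    flash = bytearray(old_program)
    if not master_verify_package(package, third):
        return False, ["package:NG"], bytes(flash)
    return True, ecu_install(flash, parse_entry(package), cancel=cancel), bytes(flash)
```

The point the example makes explicit is that the third value protects the package as transported, the second value protects the difference data before anything is written, and the first value is computed from what actually landed in flash, so a corrupted write is caught even when the transported data was intact; the rollback path repeats the same pair of checks with the fifth and fourth values. The authenticator is checked before the hash is collated, so an attacker who can rewrite both the data and its hash still needs the key.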
As illustrated in
In this case, as illustrated in
In the specification data generation process, a value input by an operator as specification data information is output in a data structure in which the number of bits or an order of arrangement is determined in advance, and specification data is generated. The specification data information is, for example, values exemplified in
In the package generation process, generated specification data, update data of each ECU, and a value and a file input as integrity verification data for each ECU are output in a data structure in which the number of bits or the arrangement order is determined in advance, and a file of a distribution package is generated. The update data and the integrity verification data for each ECU are arranged in an ascending order of groups, or an ascending order of ECU orders. Here, in addition to the update data (new difference data), rollback data (old difference data) may also be input. As the integrity verification data, “integrity verification data of an ECU program (new)” and “integrity verification data of update data” are input. In a case where rollback data is also added, “integrity verification data of an ECU old program” and “integrity verification data of old difference data” are also input.
In the integrity verification data generation process, integrity verification data is generated for the generated package file as described in step C4 of
The generated package file or the integrity verification data generated for the package file is registered in the package DB 206 by an operator.
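The package generation and integrity verification data generation processes described above (a file with a layout fixed in advance, per-ECU entries in ascending group and ECU order, and a package-level verification value computed over the whole file) are shown in the following added example, which is illustration code for this page and not the package generation unit 202 of the patent. The field widths, the magic bytes, the sample ECU records and the group numbers are constructed for the example; SHA-256 is assumed as the hash function; only the first and second verification values are carried per ECU (the rollback fields described in the text are omitted for brevity). The parser rejects truncated or padded files, which is the failure mode a master device must handle before it trusts any ECU record.

```python
# Added example (not code from the patent): fixed-layout distribution package file
# with per-ECU records in ascending (group, order), plus the hash over the file.
# Field widths, magic bytes, sample records and group numbers are constructed.
import hashlib
import struct

MAGIC = b"DPK1"   # constructed file marker
HASH_LEN = 32     # SHA-256 digest length (hash function assumed)


def build_package_file(spec_data: bytes, ecus: list) -> bytes:
    """Package generation process: header, specification data, then one fixed-
    layout record per ECU (group, order, ECU SW ID, update data, 1st/2nd hash)."""
    out = struct.pack(">4sI", MAGIC, len(spec_data)) + spec_data
    ordered = sorted(ecus, key=lambda e: (e["group"], e["order"]))
    out += struct.pack(">H", len(ordered))
    for e in ordered:
        sw_id = e["ecu_sw_id"].encode("ascii")
        out += struct.pack(">HHB", e["group"], e["order"], len(sw_id)) + sw_id
        out += struct.pack(">I", len(e["update_data"])) + e["update_data"]
        out += hashlib.sha256(e["new_program"]).digest()   # 1st verification value
        out += hashlib.sha256(e["update_data"]).digest()   # 2nd verification value
    return out


def package_verification_value(package_file: bytes) -> bytes:
    """Integrity verification data generation process (step C4): hash of the file."""
    return hashlib.sha256(package_file).digest()


class PackageError(ValueError):
    """Raised when the package file does not match the fixed layout."""


def _take(buf: bytes, pos: int, n: int):
    """Return buf[pos:pos+n] and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise PackageError(f"truncated package at offset {pos}")
    return buf[pos:pos + n], pos + n


def unpackage(package_file: bytes) -> dict:
    """Master-side unpackaging into data for each ECU, rejecting malformed input."""
    pos = 0
    hdr, pos = _take(package_file, pos, 8)
    magic, spec_len = struct.unpack(">4sI", hdr)
    if magic != MAGIC:
        raise PackageError("bad magic")
    spec, pos = _take(package_file, pos, spec_len)
    cnt, pos = _take(package_file, pos, 2)
    (n,) = struct.unpack(">H", cnt)
    ecus = []
    for _ in range(n):
        fixed, pos = _take(package_file, pos, 5)
        group, order, id_len = struct.unpack(">HHB", fixed)
        sw_id, pos = _take(package_file, pos, id_len)
        ln, pos = _take(package_file, pos, 4)
        (upd_len,) = struct.unpack(">I", ln)
        update, pos = _take(package_file, pos, upd_len)
        h1, pos = _take(package_file, pos, HASH_LEN)
        h2, pos = _take(package_file, pos, HASH_LEN)
        ecus.append({"group": group, "order": order,
                     "ecu_sw_id": sw_id.decode("ascii"), "update_data": update,
                     "hash_new_program": h1, "hash_update_data": h2})
    if pos != len(package_file):
        raise PackageError("trailing bytes after the last ECU record")
    return {"spec_data": spec, "ecus": ecus}


def is_well_formed(package_file: bytes) -> bool:
    """True when the file parses completely against the fixed layout."""
    try:
        unpackage(package_file)
        return True
    except PackageError:
        return False


SAMPLE_ECUS = [  # constructed sample input, deliberately out of order
    {"group": 2, "order": 1, "ecu_sw_id": "bcm_010",
     "new_program": b"B" * 32, "update_data": b"\x10\x11"},
    {"group": 1, "order": 2, "ecu_sw_id": "ads_002",
     "new_program": b"A" * 32, "update_data": b"\x01\x02\x03"},
    {"group": 1, "order": 1, "ecu_sw_id": "eng_007",
     "new_program": b"E" * 32, "update_data": b"\x07"},
]
```

Because every length field is checked against the remaining bytes before it is used, a file that is cut short or has bytes appended fails to parse rather than yielding a partial record; the package-level hash changes with any such modification, so the third verification value catches it before unpackaging even begins.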
The functions executed by the center device 3 may be realized by hardware or software. The functions may be realized by hardware and software in cooperation.
The rewrite data may be not only an application program, but also data such as a map or data such as control parameters.
A content of the configuration information is not limited to the example, and may be appropriately selected according to individual design.
A content of the specification data is not limited to the example.
The campaign information and the distribution specification data may be included in a distribution package and transmitted to the vehicle side, or may be transmitted to the vehicle side separately from the distribution package.
In the fifth embodiment, the distribution package and the third verification value may be stored in the package storage unit in advance, and the package transmission unit 213 may transmit the distribution package and the third verification value linked to a request to the in-vehicle-side system 4 in response to the request from the in-vehicle-side system 4.
Hereinafter, a sixth embodiment centering on an operation of a vehicle program rewriting system 1 will be described with reference to the drawings. A vehicle program rewriting system (corresponding to a vehicle electronic control system) is a system in which application programs for vehicle control, diagnosis, and the like, installed in an electronic control device (hereinafter referred to as an electronic control unit (ECU)) can be rewritten through Over The Air (OTA). In the present embodiment, a case where an application program is rewritten in a wired or wireless manner will be described, but the present disclosure may be applied to a case where data used in various applications, such as map data used in a map application, and control parameters used in an ECU is rewritten in a wired or wireless manner.
The rewriting of an application program in a wired manner includes not only acquiring and rewriting the application program from the outside of a vehicle in the wired manner but also acquiring and rewriting various pieces of data used when the application program is executed from the outside of the vehicle in the wired manner. The rewriting of the application program in a wireless manner includes not only acquiring and rewriting an application program from the outside of a vehicle in the wireless manner but also acquiring and rewriting various pieces of data used when the application program is executed from the outside of the vehicle in the wireless manner.
As illustrated in
The display terminal 5 is a terminal having a function of receiving operation input from a user and a function of displaying various screens, and is, for example, a mobile terminal 6 such as a smartphone or a tablet computer that can be carried by a user, and an in-vehicle display 7 disposed in a vehicle compartment. The mobile terminal 6 can perform data communication with the center device 3 via the communication network 2 as long as the mobile terminal 6 is within a communication range of a mobile communication network. The in-vehicle display 7 is connected to the vehicle-side system 4, and may also have a navigation function. The in-vehicle display 7 may be an in-vehicle display ECU having an ECU function, and may have a function of controlling display on a center display, a meter display, etc.
When a user is located outside the vehicle compartment and is within the communication range of the mobile communication network, the user can perform operation input while checking various screens related to rewriting of an application program with the mobile terminal 6, and can perform a procedure related to the rewriting of the application program. In the vehicle compartment, the user can perform operation input while checking various screens related to rewriting of the application program with the in-vehicle display 7, and can perform a procedure related to rewriting of the application program. That is, depending on whether the user is outside the vehicle compartment or in the vehicle compartment, the user can selectively use the mobile terminal 6 or the in-vehicle display 7, and can perform a procedure related to rewriting of the application program.
In the vehicle program rewriting system 1, the center device 3 controls a program update function of the communication network 2 side, and functions as an OTA center. The center device 3 includes a file server 8, a web server 9, and a management server 10, and each of the servers 8 to 10 is configured to be able to perform data communication with each other. That is, the center device 3 is configured to include a plurality of different servers having different functions.
The file server 8 is a server that manages a file of an application program distributed from the center device 3 to the vehicle-side system 4. The file server 8 manages: update data (hereinafter, also referred to as reprogramming data or write data) provided from a supplier or the like, which is a provider of an application program distributed from the center device 3 to the vehicle-side system 4; distribution specification data provided from an original equipment manufacturer (OEM); vehicle conditions acquired from the vehicle-side system 4; and the like. The file server 8 can perform data communication with the vehicle-side system 4 via the communication network 2, and transmits a distribution package in which the reprogramming data and the distribution specification data are packaged into one file to the vehicle-side system 4 when a download request for the distribution package is generated.
The web server 9 is a server that manages web information. The web server 9 transmits web data managed thereby in response to a request from a web browser of the mobile terminal 6 or the like. The management server 10 is a server that manages personal information of a user registered in a service of rewriting an application program, a rewrite history of an application program for each vehicle, and the like.
The vehicle-side system 4 includes a master device 11 (corresponding to a vehicle master device). The master device 11 includes a data communication module (DCM) 12 (corresponding to a vehicle-mounted communication device) and a central gateway (CGW) 13 (corresponding to a vehicle gateway device). The DCM 12 and the CGW 13 are connected to each other via a first bus 14 to be able to perform data communication. The DCM 12 performs data communication with the center device 3 via the communication network 2. When the DCM 12 downloads the distribution package from the file server 8, the DCM extracts write data from the downloaded distribution package and transfers the extracted write data to the CGW 13.
The CGW 13 has a data relay function, and, when the write data is acquired from the DCM 12, the CGW instructs a rewrite target ECU, a rewrite target of an application program, to write the acquired write data, and distributes the write data to the rewrite target ECU. When writing of the write data has been completed in the rewrite target ECU and rewriting of the application program has been completed, the CGW 13 instructs the rewrite target ECU to perform activation for validating the application program after being rewritten.
The master device 11 controls a program update function of the vehicle side in the vehicle program rewriting system 1, and functions as an OTA master. In
The CGW 13 is connected to a second bus 15, a third bus 16, a fourth bus 17, and a fifth bus 18 in addition to the first bus 14 as buses inside the vehicle, and is connected to various ECUs 19 via the buses 15 to 17, and connected to a power supply management ECU 20 via the bus 18.
The second bus 15 is, for example, a body system network bus. The ECUs 19 connected to the second bus 15 are ECUs controlling a body system. The ECUs controlling the body system include, for example, a door ECU controlling locking/unlocking of a door, a meter ECU controlling display on the meter display, an air conditioner ECU controlling driving of an air conditioner, a window ECU controlling opening and closing of a window, and a security ECU driven to prevent theft of the vehicle.
The third bus 16 is, for example, a travel system network bus. The ECUs 19 connected to the third bus 16 are ECUs controlling a travel system. The ECUs controlling the travel system include, for example, an engine ECU controlling driving of an engine, a brake ECU controlling driving of a brake, an electronic controlled transmission (ECT) ECU controlling driving of an automatic transmission, and a power steering ECU controlling driving of power steering.
The fourth bus 17 is, for example, a multimedia system network bus. The ECUs 19 connected to the fourth bus 17 are ECUs controlling a multimedia system. The ECUs controlling the multimedia system include, for example, a navigation ECU controlling a navigation system, and an ETC ECU controlling an electronic toll collection system (ETC) (registered trademark). The buses 15 to 17 may be system buses other than the body system network bus, the travel system network bus, and the multimedia system network bus. The number of buses and the number of the ECUs 19 are not limited to the exemplified configuration.
The power supply management ECU 20 is an ECU that manages power to be supplied to the DCM 12, the CGW 13, the various ECUs 19, and the like.
A sixth bus 21 is connected to the CGW 13 as a bus outside the vehicle. A data link coupler (DLC) connector 22 to which a tool 23 (corresponding to a service tool) is detachably connected is connected to the sixth bus 21. The buses 14 to 18 inside the vehicle and the bus 21 outside the vehicle are configured with, for example, Controller Area Network (CAN) (registered trademark) buses, and the CGW 13 performs data communication with the DCM 12, the various ECUs 19, and the tool 23 in accordance with the CAN data communication standard and the diagnosis communication standard (Unified Diagnosis Services (UDS): ISO14229). The DCM 12 and the CGW 13 may be connected to each other via Ethernet, and the DLC connector 22 and the CGW 13 may be connected to each other via Ethernet.
When write data is received from the CGW 13, the rewrite target ECU 19 writes the received write data into a flash memory (corresponding to a non-volatile memory) to rewrite an application program. In the above configuration, when a request for acquiring write data is received from the rewrite target ECU 19, the CGW 13 functions as a reprogramming master that distributes the write data to the rewrite target ECU 19. When the write data is received from the CGW 13, the rewrite target ECU 19 functions as a reprogramming slave that writes the received write data into the flash memory to rewrite the application program.
As an aspect of rewriting the application program, there are a wired rewrite aspect and a wireless rewrite aspect. The aspect in which the application program is rewritten in a wired manner is an aspect in which the rewrite target ECU 19 is rewritten by using an application program acquired from the outside of the vehicle in a wired manner. Specifically, when the tool 23 is connected to the DLC connector 22, the tool 23 transfers the write data to the CGW 13. The CGW 13 functions as a gateway, transmits a wired rewrite request to the rewrite target ECU 19, instructs the rewrite target ECU 19 to write (install) the write data, and distributes the write data transferred from the tool 23 to the rewrite target ECU 19. Distributing the write data to the rewrite target ECU 19 is to relay the write data.
The aspect in which the application program is rewritten in a wireless manner is an aspect in which the rewrite target ECU 19 is rewritten by using an application program acquired from the outside of the vehicle in a wireless manner. Specifically, when a distribution package is downloaded from the file server 8, the DCM 12 extracts write data from the downloaded distribution package, and transfers the write data to the CGW 13. The CGW 13 functions as a rewrite tool, instructs the rewrite target ECU 19 to write (install) the write data, and distributes the write data transferred from the DCM 12 to the rewrite target ECU 19.
Aspects of diagnosing the ECU 19 include a wired diagnosis aspect and a wireless diagnosis aspect. The wired diagnosis aspect is an aspect in which the ECU 19 is diagnosed from the outside of the vehicle in a wired manner. Specifically, when the tool 23 is connected to the DLC connector 22, the tool 23 transfers a diagnosis request to the CGW 13. The CGW 13 functions as a gateway, transmits a diagnosis request to the diagnosis target ECU 19, and distributes a diagnosis command transferred from the tool 23 to a diagnosis target ECU 19. The diagnosis target ECU 19 performs a diagnosis process in accordance with the diagnosis command received from the CGW 13.
The wireless diagnosis aspect is an aspect in which the ECU 19 is diagnosed from the outside of the vehicle in a wireless manner. Specifically, when a diagnosis command is transmitted as a diagnosis request from the center device 3 to the DCM 12, the DCM 12 transfers the diagnosis command to the CGW 13. The CGW 13 functions as a gateway and distributes the diagnosis command as a diagnosis request to the diagnosis target ECU 19. The diagnosis target ECU performs a diagnosis process in accordance with the diagnosis command received from the CGW 13.
As illustrated in
The data transfer circuit 25 controls data communication with the buses 14 to 18 and 21 in accordance with the CAN data communication standard and the diagnosis communication standard. The power supply circuit 26 receives battery power (hereinafter, referred to as +B power), accessory power (hereinafter, referred to as ACC power), and ignition power (hereinafter, referred to as IG power). The power detection circuit 27 detects a voltage value of the +B power, a voltage value of the ACC power, and a voltage value of the IG power received by the power supply circuit 26, compares the detected voltage values with predetermined voltage threshold values, and outputs comparison results to the microcomputer 24. The microcomputer 24 determines whether the +B power, the ACC power, and the IG power supplied to the CGW 13 from the outside are normal or abnormal on the basis of the comparison results that are input from the power detection circuit 27.
As illustrated in
The radio circuit 29 controls data communication with the center device 3 via the communication network 2. The data transfer circuit 30 controls data communication with the bus 14 in accordance with the CAN data communication standard. The power supply circuit 31 receives +B power, ACC power, and IG power. The power detection circuit 32 detects a voltage value of the +B power, a voltage value of the ACC power, and a voltage value of the IG power received by the power supply circuit 31, compares the detected voltage values with predetermined voltage threshold values, and outputs comparison results to the microcomputer 28. The microcomputer 28 determines whether the +B power, the ACC power, and the IG power supplied to the DCM 12 from the outside are normal or abnormal on the basis of the comparison results that are input from the power detection circuit 32.
The DCM 12 has a vehicle position detection function of detecting a vehicle position, for example, by using a global positioning system (GPS). The flash memory 28d of the DCM 12 has a memory capacity sufficient to store a distribution package downloaded from the center device 3 and has a memory capacity larger than that of the flash memory 24d of the CGW 13. That is, since the flash memory 28d of the DCM 12 has a sufficient memory capacity, even though the flash memory 24d of the CGW 13 does not have a sufficient memory capacity, the master device 11 can download the distribution package from the center device 3 and store the downloaded distribution package in the DCM 12.
As illustrated in
The data transfer circuit 34 controls data communication with the buses 15 to 17 in accordance with the CAN data communication standard. The power supply circuit 35 receives +B power, ACC power, and IG power. The power detection circuit 36 detects a voltage value of the +B power, a voltage value of the ACC power, and a voltage value of the IG power received by the power supply circuit 35, compares the detected voltage values with predetermined voltage threshold values, and outputs comparison results to the microcomputer 33. The microcomputer 33 determines whether the +B power, the ACC power, and the IG power supplied to the ECU 19 from the outside are normal or abnormal on the basis of the comparison results that are input from the power detection circuit 27. The ECUs 19 fundamentally have the same configuration except that loads such as sensors or actuators connected thereto are different from each other.
The in-vehicle display 7 has the same configuration as that of the ECU 19 illustrated in
As illustrated in
The IG power line 39 is connected to the positive electrode of the vehicle battery 40 via an IG switch 42. When the user performs an IG operation, the IG switch 42 switches from an OFF state to an ON state, and an output voltage of the vehicle battery 40 is applied to the IG power line 39. For example, in a case of a vehicle of the type to insert a key into an insertion port, the IG operation is an operation of rotating the key from an “OFF” position to an “ON” position by inserting the key into the insertion port, and, in a case of a vehicle of the type to press a start button, the IG operation is an operation of pressing the start button twice. A negative electrode of the vehicle battery 40 is grounded.
When both the ACC switch 41 and the IG switch 42 are in an OFF state, only the +B power is supplied to the vehicle-side system 4. The state in which only the +B power is supplied to the vehicle-side system 4 will be referred to as a +B power supply state. When the ACC switch 41 is in an ON state and the IG switch 42 is in an OFF state, the ACC power and the +B power are supplied to the vehicle-side system 4. The state in which the ACC power and the +B power are supplied to the vehicle-side system 4 will be referred to as an ACC power supply state. When both the ACC switch 41 and the IG switch 42 are in an ON state, the +B power, the ACC power, and the IG power are supplied to the vehicle-side system 4. The state in which the +B power, the ACC power, and the IG power are supplied to the vehicle-side system 4 will be referred to as an IG power supply state. In addition to each of the above-described power supply states, a power supply state or the like for providing power suitable for program update in a wireless manner is also conceivable.
The ECUs 19 have different start conditions depending on power supply states, and are classified as a +B power ECU that is started in the +B power supply state, an ACC ECU that is started in the ACC power supply state, and an IG ECU that is started in the IG power supply state. For example, the ECU 19 driven in an application such as vehicle theft is classified as the +B power ECU. For example, the ECU 19 driven in a non-traveling application such as an audio is classified as the ACC ECU. For example, the ECU 19 driven in a traveling application such as engine control is classified as the IG ECU.
The +B power ECU is connected to the +B power line 37, the ACC power line 38, and the IG power line 39, and is configured to select the +B power line 37 in the +B power supply state, select the ACC power line 38 in the ACC power supply state, and select the IG power line 39 in the IG power supply state. The ACC ECU is connected to the ACC power line 38 and the IG power line 39, and is configured to select the ACC power line 38 in the ACC power supply state, and select the IG power line 39 in the IG power supply state. The IG ECU is connected to the IG power line 39.
The CGW 13 transmits a start request to the ECU 19 that is in a sleep state, and thus causes the ECU 19 that is a transmission destination of the start request to transition from the sleep state to a start state. The CGW 13 also transmits a sleep request to the ECU 19 that is in a start state, and thus causes the ECU 19 that is a transmission destination of the sleep request to transition from the start state to a sleep state. The CGW 13 can cause a specific ECU 19 to transition to a start state or a sleep state, for example, by making waveforms of the transmission signals to be transmitted to the buses 15 to 17 different from each other. That is, a start request waveform and a sleep request waveform are predefined for each ECU 19, and the ECU 19 transitions from the sleep state to the start state when a start request waveform conforming thereto is received, and transitions from the start state to the sleep state when a sleep request waveform conforming thereto is received from the CGW 13.
For example, in a case where an ECU (ID1) and an ECU (ID2) are in the start state, the CGW 13 transmits a first waveform, and thus causes the ECU (ID1) to transition from the start state to the sleep state and maintains the ECU (ID2) in the start state. In a case where the ECU (ID1) and the ECU (ID2) are in the start state, the CGW 13 transmits a second waveform, and thus maintains the ECU (ID1) in the start state and causes the ECU (ID2) to transition from the start state to the sleep state.
The power supply control circuit 43 is connected in parallel to the ACC switch 41 and the IG switch 42. The CGW 13 transmits a power supply control request to the power supply management ECU 20 and causes the power supply management ECU 20 to control the power supply control circuit 43. That is, the CGW 13 transmits a power supply start request as the power supply control request to the power supply management ECU 20, to connect the ACC power line 38 or the IG power line 39 to the positive electrode of the vehicle battery 40 in the power supply control circuit 43. In this state, the ACC power or IG power is supplied to the vehicle-side system 4 even though the ACC switch 41 or the IG switch 42 is turned off. The CGW 13 transmits a power supply stop request as the power supply control request to the power supply management ECU 20, to disconnect the ACC power line 38 or IG power line 39 from the positive electrode of the vehicle battery 40 in the power supply control circuit 43.
Each of the DCM 12, the CGW 13, the ECU 19, and the power supply management ECU 20 has a self-retention power circuit, and has a self-retention power function of retaining power supplied from the vehicle battery 40. That is, when vehicle power switches from the ACC power or the IG power to the +B power in the start state, the DCM 12, the CGW 13, the ECU 19, and the power supply management ECU 20 do not transition from the start state to the stop state or the sleep state immediately after the switching, but continue the start state for a predetermined time (for example, a few minutes) with power supplied from the vehicle battery 40 and thus self-retain drive power. The DCM 12, the CGW 13, the ECU 19, and the power supply management ECU 20 transition from the start state to the stop state or the sleep state when the predetermined time has elapsed after the vehicle power switches from the ACC power or IG power to the +B power. For example, in the ECU 19 of the engine control system, the self-retention power function is activated after the vehicle power switches from the ACC power or the IG power to the +B power, and the ECU 19 thus stores various pieces of data regarding the engine control acquired during traveling of the vehicle as a log.
Next, a distribution package distributed from the center device 3 to the master device 11 will be described. As illustrated in
The authenticator is data added to each piece of write data in order to verify the integrity of the difference data, and is generated from, for example, an ECU (ID), key information linked to the ECU (ID), and difference data. Here, write data for rollback to an old version may be included in the reprogramming data in preparation for a case where rewriting of an application program is cancelled halfway.
The rewrite specification data provided from the OEM includes, as information related to rewriting of the application program, information for specifying the rewrite target ECU 19, information for specifying a rewrite order when there are a plurality of rewrite target ECUs 19, information for specifying a rollback method described later, and the like. The rewrite specification data is data defining an operation related to rewriting in the DCM 12, the CGW 13, the rewrite target ECU 19, and the like. The rewrite specification data is classified into DCM rewrite specification data used by the DCM 12 and CGW rewrite specification data used by the CGW 13.
As illustrated in
As illustrated in
The ECU information is information regarding the rewrite target ECU 19, and includes at least an ECU_ID (corresponding to device identification information), a connection bus (corresponding to bus identification information), a connection power supply, security access key information, a memory type, a rewrite method, a self-retention power time, rewrite bank information, an update program version, an update program acquisition address, an update program size, a rollback program version, a rollback program acquisition address, a rollback program size, and a write data type.
The connection bus indicates a bus to which the ECU 19 is connected. The connection power supply indicates a power line to which the ECU 19 is connected. The security access key information indicates key information used for authentication performed by the CGW 13 in order to access the rewrite target ECU 19, and includes a random number value or unique information, a key pattern, and a decryption operation pattern. The memory type indicates whether a memory mounted on the rewrite target ECU 19 is a single-bank memory, a single-bank suspend memory (also referred to as a pseudo-double-bank memory), or a double-bank memory. The rewrite method indicates whether the rewriting is performed on the basis of self-retention power or power supply control. The self-retention power time indicates a time for continuing the self-retention power when the rewrite method is rewriting based on self-retention power. The rewrite bank information indicates which bank is an active bank and which bank is an inactive bank. The active bank is also referred to as a start bank, and the inactive bank is also referred to as a rewrite bank.
The update program version indicates a version of an update program. The update program acquisition address indicates an address of the update program. The update program size indicates a data size of the update program. The rollback program version indicates a version of a rollback program. The rollback program acquisition address indicates an address of the rollback program. The rollback program size indicates a data size of the rollback program. The write data type indicates whether the write data is difference data or the entire data. In addition to these pieces of information, the rewrite specification data may include information uniquely defined by the system.
When the DCM rewrite specification data is acquired, the DCM 12 analyzes the acquired DCM rewrite specification data. When the DCM rewrite specification data is analyzed, the DCM 12 controls operations related to rewriting such as acquiring write data from an address in which an update program of the rewrite target ECU 19 is stored and transferring the acquired write data to the CGW 13.
When the CGW rewrite specification data is acquired, the CGW 13 analyzes the acquired CGW rewrite specification data. When the CGW rewrite specification data is analyzed, the CGW 13 controls operations related to rewriting such as requesting the DCM 12 to transfer a predetermined size of an update program of the rewrite target ECU 19 in accordance with the analysis result, or distributing the write data to the rewrite target ECU 19 in a designated order.
In the file server 8, the above-described reprogramming data is registered, and the distribution specification data provided from the OEM is registered. The distribution specification data provided from the OEM is data defining an operation related to display of various screens in the display terminal 5. As illustrated in
When the distribution specification data is acquired from the CGW 13, the display terminal 5 analyzes the acquired distribution specification data, and controls display of various screens according to the analysis result. For example, the display terminal 5 superimposes a display text acquired from the distribution specification data on a display frame stored in advance, and executes a display control program acquired from the distribution specification data. In addition to these pieces of information, the distribution specification data may include information uniquely defined by the system.
When the reprogramming data and the distribution specification data are registered, the file server 8 encrypts the registered reprogramming data, and generates a distribution package storing a package authenticator for authenticating the package, the encrypted reprogramming data, and the distribution specification data. The authenticator is data added to verify the integrity of the reprogramming data and the distribution specification data, and is generated from, for example, key information, the reprogramming data, and the distribution specification data linked to the CGW 13. When a download request for the distribution package is received from the outside, the file server 8 transmits the distribution package to the DCM 12. In
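An added illustration of the two authenticators described here, the per-write-data authenticator generated from the ECU (ID), its key and the difference data, and the package authenticator over the encrypted reprogramming data and the distribution specification data, together with the master device's package authentication and write data extraction. This is example code, not the patent's; HMAC-SHA256 stands in for the unspecified authenticator, a SHA-256 counter keystream stands in for the unspecified cipher, and every key is constructed.

```python
import hashlib
import hmac
import json

# Constructed keys for this example: keys linked to the CGW for the package
# (one for the stand-in cipher, one for the authenticator) and one key per
# ECU_ID for the write-data authenticator. The patent names neither the
# algorithms nor the key provisioning, so all of this is assumed.
CGW_ENC_KEY = b"cgw-encryption-key-constructed"
CGW_MAC_KEY = b"cgw-authenticator-key-constructed"
ECU_KEYS = {"ID1": b"ecu-id1-key-constructed", "ID2": b"ecu-id2-key-constructed"}


def write_data_authenticator(ecu_id: str, diff: bytes) -> str:
    """Authenticator over (ECU_ID, difference data), keyed with that ECU's key."""
    key = ECU_KEYS.get(ecu_id)
    if key is None:
        raise ValueError(f"no key information linked to {ecu_id}")
    msg = ecu_id.encode() + b"\x00" + diff
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the unspecified cipher: XOR with a SHA-256 counter keystream.
    It is symmetric, so the same call decrypts. Illustrative only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _package_authenticator(ciphertext: bytes, spec: dict) -> str:
    """Package authenticator over the encrypted reprogramming data and the
    distribution specification data. The length prefix keeps bytes from being
    shifted between the two fields."""
    spec_bytes = json.dumps(spec, sort_keys=True).encode()
    msg = len(ciphertext).to_bytes(4, "big") + ciphertext + spec_bytes
    return hmac.new(CGW_MAC_KEY, msg, hashlib.sha256).hexdigest()


def build_distribution_package(diffs: dict, distribution_spec: dict) -> dict:
    """File-server side: attach a write-data authenticator to each piece of
    difference data, encrypt the reprogramming data, then authenticate the package."""
    reprog = [{"ecu_id": ecu_id, "diff": diff.hex(),
               "auth": write_data_authenticator(ecu_id, diff)}
              for ecu_id, diff in diffs.items()]
    ciphertext = keystream_xor(CGW_ENC_KEY, json.dumps(reprog, sort_keys=True).encode())
    return {"package_auth": _package_authenticator(ciphertext, distribution_spec),
            "reprog_enc": ciphertext.hex(),
            "distribution_spec": distribution_spec}


def authenticate_package(pkg: dict) -> bool:
    """Master device step B1: check the package authenticator before anything is used."""
    ciphertext = bytes.fromhex(pkg["reprog_enc"])
    expected = _package_authenticator(ciphertext, pkg["distribution_spec"])
    return hmac.compare_digest(expected, pkg["package_auth"])


def extract_write_data(pkg: dict) -> dict:
    """Master device step B2: decrypt the reprogramming data and verify the
    authenticator of every piece of write data with the key of its ECU_ID."""
    if not authenticate_package(pkg):
        raise ValueError("package authentication failed; nothing extracted")
    plaintext = keystream_xor(CGW_ENC_KEY, bytes.fromhex(pkg["reprog_enc"]))
    write_data = {}
    for entry in json.loads(plaintext):
        diff = bytes.fromhex(entry["diff"])
        expected = write_data_authenticator(entry["ecu_id"], diff)
        if not hmac.compare_digest(expected, entry["auth"]):
            raise ValueError(f"write data for {entry['ecu_id']} failed authentication")
        write_data[entry["ecu_id"]] = diff
    return write_data


def tampered_copy(pkg: dict) -> dict:
    """Flip one byte of the encrypted reprogramming data (constructed fault)."""
    raw = bytearray(bytes.fromhex(pkg["reprog_enc"]))
    raw[0] ^= 0x01
    return {**pkg, "reprog_enc": bytes(raw).hex()}


if __name__ == "__main__":
    diffs = {"ID1": b"constructed diff for ID1", "ID2": b"constructed diff for ID2"}
    pkg = build_distribution_package(diffs, {"display_text": "Update available"})
    print("genuine package:", authenticate_package(pkg), extract_write_data(pkg) == diffs)
    print("tampered package:", authenticate_package(tampered_copy(pkg)))
```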
As illustrated in
Next, the flash memory 33d of the ECU 19 will be described with reference to
Since the single-bank memory has a single flash bank, there is no concept of an active bank and an inactive bank, and an application program cannot be rewritten while the application program is being executed. On the other hand, since the single-bank suspend memory or the double-bank memory has double flash banks, there is a concept of an active bank and an inactive bank, and an application program in the inactive bank can be rewritten while the application program in the active bank is being executed. Since the double-bank memory has double flash banks that are completely separated from each other, an application program can be rewritten at any timing, for example, when the vehicle is traveling. Since the single-bank suspend memory has a configuration in which the single-bank memory is divided into pseudo-double banks, there are restrictions on the timing at which reading and writing can be performed normally, so an application program cannot be rewritten while the vehicle is traveling, but can be rewritten while the IG power is turned off and the vehicle is parked.
Each of the single-bank memory, the single-bank suspend memory, and the double-bank memory includes a reprogramming firmware embedded type (hereinafter, referred to as the embedded type) in which reprogramming firmware is embedded, and a reprogramming firmware download type (hereinafter, referred to as the download type) in which the reprogramming firmware is downloaded from the outside. The reprogramming firmware is firmware for rewriting an application program.
A configuration of each flash memory will be described below in order.
(A) Single-Bank Memory
(A-1) Embedded Type Single-Bank Memory
The embedded type single-bank memory will be described with reference to
As illustrated in
The microcomputer 33 executes the wireless or wired reprogramming firmware instead of the application program in a rewrite operation of executing a rewrite process on the application program.
(A-2) Download Type Single-Bank Memory
The download type single-bank memory will be described with reference to
As illustrated in
As illustrated in
(B) Single-Bank Suspend Memory
(B-1) Embedded Type Single-Bank Suspend Memory
The embedded type single-bank suspend memory will be described with reference to
As illustrated in
As illustrated in
(B-2) Download Type Single-Bank Suspend Memory
The download type single-bank suspend memory will be described with reference to
As illustrated in
(C) Double-Bank Memory
(C-1) Embedded Type Double-Bank Memory
The embedded type double-bank memory will be described with reference to
As illustrated in
As illustrated in
(C-2) Download Type Double-Bank Memory
The download type double-bank memory will be described with reference to
As illustrated in
As illustrated in
As described above, in both configurations of the embedded type and the download type, the application program and the rewrite programs for rewriting the application program are located in each application area. In
Next, the overall sequence of rewriting an application program will be described with reference to
Each of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) determines that a transmission condition for a version notification signal is established, for example, when it is determined that a transmission request for the version notification signal has been received from the master device 11. When the transmission condition for the version notification signal is established, the rewrite target ECU (ID1) transmits the version notification signal including version information of an application program stored therein and an ECU (ID) that can identify the ECU to the master device 11. When the version notification signal is received from the rewrite target ECU (ID1), the master device 11 transmits the received version notification signal to the center device 3. Similarly, when the transmission condition for the version notification signal is established, the rewrite target ECU (ID2) transmits the version notification signal including a version of an application program stored therein and an ECU (ID) that can identify the ECU to the master device 11. When the version notification signal is received from the rewrite target ECU (ID2), the master device 11 transmits the received version notification signal to the center device 3.
When the version notification signals are received from the rewrite target ECU (ID1) and the rewrite target ECU (ID2), the center device 3 specifies the versions of the application programs included in the received version notification signals and the ECUs (ID), and determines availability of write data to be distributed to the rewrite target ECU 19 that is a transmission source of the version notification signal. The center device 3 specifies the version of the current application program of the rewrite target ECU 19 from the version notification signal received from the rewrite target, and collates the version of the current application program with the managed latest version.
When the version specified from the version notification signal has the same value as that of the managed latest version, the center device 3 determines that write data to be distributed to the rewrite target ECU 19 that is a transmission source of the version notification signal is unavailable, and the application program stored in the rewrite target ECU 19 does not need to be updated. On the other hand, when the version specified from the version notification signal has a value smaller than that of the managed latest version, the center device 3 determines that write data to be distributed to the rewrite target ECU 19 that is a transmission source of the version notification signal is available, and the application program stored in the rewrite target ECU 19 needs to be updated.
When it is determined that the application program stored in the rewrite target ECU 19 needs to be updated, the center device 3 notifies the mobile terminal 6 of information indicating that update is necessary. When the mobile terminal 6 is notified of the information indicating that update is necessary, the mobile terminal displays a distribution feasibility screen (A1). The distribution feasibility screen is the same as a campaign notification screen which will be described later. The user can check the necessity of update from the distribution feasibility screen displayed on the mobile terminal 6, and can thus select whether or not to perform the update.
When the user selects that the update is to be performed on the mobile terminal 6 (A2), the mobile terminal 6 notifies the center device 3 of a download request for a distribution package. When the center device 3 is notified of the download request for the distribution package from the mobile terminal 6, the center device transmits the distribution package to the master device 11.
When the master device 11 downloads the distribution package from the center device 3, the master device initiates a package authentication process on the downloaded distribution package (B1). When the master device 11 authenticates the distribution package and completes the package authentication process, the master device initiates a write data extraction process (B2). When the master device 11 extracts the write data from the distribution package, and completes the write data extraction process, the master device transmits a download completion notification signal to the center device 3.
When the center device 3 receives the download completion notification signal from the master device 11, the center device 3 notifies the mobile terminal 6 of completion of the download. When the mobile terminal 6 is notified of completion of the download from the center device 3, the mobile terminal 6 displays a download completion notification screen (A3). The user can check that the download has been completed from the download completion notification screen displayed on the mobile terminal 6, and can thus set a rewrite initiation time of an application program on the vehicle side.
When the user sets the rewrite initiation time of the application program on the vehicle side on the mobile terminal 6 (A4), the mobile terminal 6 notifies the center device 3 of the rewrite initiation time. When the center device 3 is notified of the rewrite initiation time from the mobile terminal 6, the center device 3 stores the rewrite initiation time set by the user as a set initiation time. When the current time reaches the set initiation time (A5), the center device 3 transmits a rewrite instruction signal to the master device 11.
When the rewrite instruction signal is received from the center device 3, the master device 11 transmits a power supply start request to the power supply management ECU 20, and thus causes the rewrite target ECU (ID1), the rewrite target ECU (ID2), and the other ECUs to transition from a stop state or a sleep state to a start state (X1).
The master device 11 starts distributing the write data to the rewrite target ECU (ID1) and instructs the rewrite target ECU (ID1) to write the write data. The rewrite target ECU (ID1) starts receiving the write data from the master device 11 and, when instructed to write it, starts writing the write data and initiates a program rewrite process (C1). When the rewrite target ECU (ID1) has completed reception of the write data from the master device 11, completed writing of the write data, and completed the program rewrite process, it transmits a rewrite completion notification signal to the master device 11.
When the rewrite completion notification signal is received from the rewrite target ECU (ID1), the master device 11 starts distributing the write data to the rewrite target ECU (ID2) and instructs the rewrite target ECU (ID2) to write the write data. The rewrite target ECU (ID2) starts receiving the write data from the master device 11 and, when instructed to write it, starts writing the write data and initiates a program rewrite process (D1). When the rewrite target ECU (ID2) has completed reception of the write data from the master device 11, completed writing of the write data, and completed the program rewrite process, it transmits a rewrite completion notification signal to the master device 11. When the rewrite completion notification signal is received from the rewrite target ECU (ID2), the master device 11 transmits the rewrite completion notification signal to the center device 3.
When the rewrite completion notification signal is received from the master device 11, the center device 3 notifies the mobile terminal 6 of the completion of rewriting of the application program. When the mobile terminal 6 is notified of the completion of rewriting of the application program from the center device 3, the mobile terminal 6 displays a rewrite completion notification screen (A6). The user can check that rewriting of the application program has been completed from the rewrite completion notification screen displayed on the mobile terminal 6, and can thus instruct execution of synchronization, that is, activation.
When the user sets the execution of synchronization on the mobile terminal 6 (A7), that is, when the user sets an approval for activation of a new program, the mobile terminal 6 notifies the center device 3 of the execution of synchronization. When the center device 3 is notified of the execution of synchronization from the mobile terminal 6, the center device transmits a synchronization switching instruction signal to the master device 11. When the synchronization switching instruction signal is received from the center device 3, the master device 11 distributes the received synchronization switching instruction signal to the rewrite target ECU (ID1) and the rewrite target ECU (ID2).
When the synchronization switching instruction signal is received from the master device 11, each of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) initiates a program switching process of switching an application program to be started next time from the old application program to the new application program (C2 and D2). When the program switching process has been completed, each of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) transmits a switching completion notification signal to the master device 11.
When the switching completion notification signal is received from the rewrite target ECU (ID1) and the rewrite target ECU (ID2), the master device 11 distributes a version read signal to the rewrite target ECU (ID1) and the rewrite target ECU (ID2). When the version read signal is received from the master device 11, each of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) reads the version of the application program to be operated thereafter (C3 and D3), and transmits a latest version notification signal including the read version to the master device 11. On receiving the latest version notification signals from the rewrite target ECU (ID1) and the rewrite target ECU (ID2), the master device 11 checks the software version and performs rollback as necessary.
When the version notification signal is received from the rewrite target ECU (ID1) and the rewrite target ECU (ID2), the master device 11 transmits a power supply stop request to the power supply management ECU 20, and thus causes the rewrite target ECU (ID1), the rewrite target ECU (ID2), and the other ECUs to transition from the start state to the stop state or the sleep state (X2).
The master device 11 transmits the latest version notification signal to the center device 3. When the latest version notification signal is received from the master device 11, the center device 3 specifies the latest versions of the application programs of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) from the received latest version notification signal, and notifies the mobile terminal 6 of the specified latest versions. When a notification of the latest versions is sent from the center device 3, the mobile terminal 6 displays a latest version notification screen indicating the latest versions of which the notification is sent on the mobile terminal 6 (A8). The user can check the latest versions from the latest version notification screen displayed on the mobile terminal 6, and can thus check that the activation has been completed.
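An added simulation of the sequence above, not the patent's code: the center device's version decision, then the master device driving two constructed double-bank ECUs through power supply start (X1), rewriting in the specified order (C1, D1), synchronization switching (C2, D2), version read (C3, D3), rollback check and power supply stop (X2). Treating rollback as returning every target's start bank to the old program whenever any target reports an unexpected version is an assumption for the example, as is the fault injected into one ECU.

```python
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def update_needed(reported: str, managed_latest: str) -> bool:
    """Center-side decision on a version notification signal: write data is
    available only when the reported version is smaller than the managed latest one."""
    return parse_version(reported) < parse_version(managed_latest)


@dataclass
class SimulatedEcu:
    """Constructed double-bank ECU model: install into the rewrite bank, switch on request."""
    ecu_id: str
    active: str                  # version of the program in the start bank
    inactive: str = ""           # version installed in the rewrite bank
    old: str = ""                # version to return to on rollback
    switch_fault: bool = False   # constructed fault: the switch does not take effect

    def version_notification(self) -> dict:
        return {"ecu_id": self.ecu_id, "version": self.active}

    def write(self, version: str, data: bytes) -> str:
        """Program rewrite process (C1/D1): the start bank is left untouched."""
        self.old, self.inactive = self.active, version
        return "rewrite_complete"

    def sync_switch(self) -> str:
        """Program switching process (C2/D2): the program started next time changes."""
        if not self.switch_fault:
            self.active, self.inactive = self.inactive, self.active
        return "switch_complete"

    def read_version(self) -> str:
        return self.active  # C3/D3

    def rollback(self) -> None:
        self.active = self.old  # assumed rollback method: start the old program again


@dataclass
class PowerSupplyManagementEcu:
    state: str = "stop"

    def power_start(self) -> None:  # power supply start request (X1)
        self.state = "start"

    def power_stop(self) -> None:   # power supply stop request (X2)
        self.state = "stop"


class MasterDevice:
    """DCM and CGW as one orchestrator: ordered distribution of write data,
    then synchronization switching, version read and rollback check."""

    def __init__(self, ecus, power_ecu):
        self.ecus = {ecu.ecu_id: ecu for ecu in ecus}
        self.power = power_ecu

    def rewrite(self, write_data: dict, order: list) -> str:
        """Rewrite instruction: X1, then each ECU is rewritten only after the
        previous one in the order has reported completion."""
        self.power.power_start()
        for ecu_id in order:
            version, data = write_data[ecu_id]
            if self.ecus[ecu_id].write(version, data) != "rewrite_complete":
                self.power.power_stop()
                return f"rewrite_failed:{ecu_id}"
        return "rewrite_complete"  # reported to the center; activation waits for the user (A7)

    def activate(self, expected: dict) -> dict:
        """Synchronization switching, version read, rollback if any target reports
        a version other than the expected update program version, then X2."""
        targets = [self.ecus[ecu_id] for ecu_id in expected]
        for ecu in targets:
            ecu.sync_switch()
        latest = {ecu.ecu_id: ecu.read_version() for ecu in targets}
        if any(latest[ecu_id] != expected[ecu_id] for ecu_id in expected):
            # Assumed policy: roll every target back so the set stays synchronized.
            for ecu in targets:
                ecu.rollback()
            latest = {ecu.ecu_id: ecu.read_version() for ecu in targets}
        self.power.power_stop()
        return latest  # content of the latest version notification signal to the center


if __name__ == "__main__":
    ecus = [SimulatedEcu("ID1", "1.0.0"), SimulatedEcu("ID2", "1.0.0", switch_fault=True)]
    master = MasterDevice(ecus, PowerSupplyManagementEcu())
    for ecu in ecus:
        print(ecu.version_notification(), "update needed:", update_needed(ecu.active, "2.0.0"))
    write_data = {"ID1": ("2.0.0", b"diff1"), "ID2": ("2.0.0", b"diff2")}
    print(master.rewrite(write_data, ["ID1", "ID2"]))
    print(master.activate({"ID1": "2.0.0", "ID2": "2.0.0"}))  # rolled back because ID2 failed to switch
```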
Next, with reference to
(a) Case where Application Program is Rewritten by Using Power Supply Control
The case where the application program is rewritten by using power supply control will be described with reference to
When a notification of download initiation is sent from the center device 3, the DCM 12 transitions from the normal operation to a download operation and starts downloading a distribution package from the center device 3 (t2). The DCM 12 may download the distribution package in the background while performing the normal operation. When the download of the distribution package from the center device 3 has been completed, the DCM 12 returns from the download operation to the normal operation (t3).
When a notification of a rewrite instruction signal (installation instruction signal) is sent from the center device 3 or the CGW 13, the DCM 12 transitions from the normal operation to a data transfer/center communication operation and initiates that operation (t4). That is, the DCM 12 extracts write data from the distribution package, starts transferring the write data to the CGW 13, acquires the rewrite progress status from the CGW 13, and starts notifying the center device 3 of the rewrite progress status.
When acquisition of the write data from the DCM 12 is initiated, the CGW 13 transitions from the normal operation to a reprogramming master operation, initiates the reprogramming master operation, starts distributing the write data to the double-bank memory ECU, and instructs the double-bank memory ECU to write the write data. When the double-bank memory ECU starts receiving write data from the CGW 13, it initiates a programming phase (hereinafter, also referred to as an installation phase) within the normal operation. That is, the double-bank memory ECU installs the application program in the background while performing the normal operation. The double-bank memory ECU starts writing the received write data into the flash memory and starts rewriting the application program.
When the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to the +B power during rewriting of the application program in the double-bank memory ECU, the DCM 12 stops the data transfer/center communication operation, the CGW 13 stops the reprogramming master operation, and the double-bank memory ECU stops the installation phase and stops rewriting of the application program (t5).
Thereafter, when the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, the DCM 12 resumes the data transfer/center communication operation, the CGW 13 resumes the reprogramming master operation, and the double-bank memory ECU resumes the installation phase and resumes rewriting of the application program (t6). That is, the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to +B power, and then the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, and, each time a trip occurs, the double-bank memory ECU repeats stopping and resuming of rewriting of the application program (t7 and t8).
When the double-bank memory ECU completes writing of the write data, and completes rewriting of the application program, the double-bank memory ECU finishes the installation phase, and transitions from the normal operation to activation standby. That is, the double-bank memory ECU is not started on the new bank (bank-B) in which the application program is rewritten at the time point when the activation phase is not performed, and remains started on the old bank (bank-A) (t9).
When the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to the +B power (t10), and rewriting of the application program in the double-bank memory ECU has been completed at that time, the CGW 13 transmits a power supply start request to the power supply management ECU 20. When the vehicle power switches from the +B power to the IG power as a result of the CGW 13 transmitting the power supply start request to the power supply management ECU 20, the DCM 12 resumes the data transfer/center communication operation, and the CGW 13 resumes the reprogramming master operation and initiates to distribute the write data to the single-bank suspend memory ECU and the single-bank memory ECU. When reception of the write data from the CGW 13 is initiated, the single-bank suspend memory ECU and the single-bank memory ECU transition from the normal operation to a boot process and initiate the installation phase in the boot process (t11). That is, the single-bank suspend memory ECU and the single-bank memory ECU do not perform installation in parallel with the normal operation, but perform installation in the boot process, in which the application program is not operated.
When rewriting of the application program is initiated, the single-bank suspend memory ECU stops rewriting of the application program in a case where the IG switch 42 switches from an OFF state to an ON state due to the user operation before rewriting of the application program is completed. The single-bank suspend memory ECU returns to an active bank (bank-A) as a start bank instead of an inactive bank (bank-B) in which rewriting of the application program is stopped. When rewriting of the application program is initiated, the single-bank memory ECU continues rewriting of the application program even though the IG switch 42 switches from an OFF state to an ON state due to the user operation before rewriting of the application program is completed. This is because the single-bank memory ECU cannot return to the normal operation if rewriting of the application program is stopped halfway. Preferably, after rewriting of the application program of the single-bank memory ECU is initiated, it is desirable to disable the user operation on the IG switch 42 until rewriting of the application program is completed.
When the single-bank suspend memory ECU completes writing of the write data and completes rewriting of the application program, the single-bank suspend memory ECU finishes the installation phase in the boot process and transitions from the boot process to activation standby. That is, the single-bank suspend memory ECU is not started on the new bank (bank-B) in which the application program is rewritten at the time point when the activation phase is not performed, and remains started on the old bank (bank-A). When the single-bank memory ECU completes writing of the write data and completes rewriting of the application program, the single-bank memory ECU finishes the installation phase in the boot process and waits for activation (t12).
When the power supply management ECU 20 switches the vehicle power from the IG power to the +B power in response to an activation instruction from the CGW 13, each of the double-bank memory ECU and the single-bank suspend memory ECU switches from the old bank to the new bank to be started in the new bank, and initiates a post-programming phase (hereinafter, also referred to as an activation phase) in the new bank start. The single-bank memory ECU initiates restart, and initiates the activation phase in restart after installation is completed (t13 and t14). In the activation, for example, it is checked that accurate start is performed by the new program, or the CGW 13 is notified of version information.
When the activation has been completed, and the power supply management ECU 20 switches the vehicle power from the IG power to the +B power in response to an activation completion instruction from the CGW 13, the DCM 12 transitions from the data transfer/center communication operation to a sleep/stop operation and initiates the sleep/stop operation. The CGW 13 transitions from the reprogramming master operation to the sleep/stop operation and initiates the sleep/stop operation. Each of the double-bank memory ECU, single-bank suspend memory ECU, and single-bank memory ECU transitions from the new bank start to the sleep/stop operation (t15).
Thereafter, when the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, each of the double-bank memory ECU and the single-bank suspend memory ECU starts the new application program with the new bank (bank-B) as a start bank, and the single-bank memory ECU starts the new application program (t16).
(b) Case where Application Program is Rewritten by Using Self-Retention Power
The case where an application program is rewritten by using self-retention power will be described with reference to
When a notification of initiation of download is sent from the center device 3, that is, when a notification that update is available due to a new program is sent, the DCM 12 transitions from the normal operation to a download operation, and initiates to download a distribution package from the center device 3 (t22). When the download of the distribution package from the center device 3 has been completed, the DCM 12 returns from the download operation to the normal operation (t23).
When a notification of a rewrite instruction signal (installation instruction signal) is sent from the center device 3 or the CGW 13, the DCM 12 transitions from the normal operation to a data transfer/center communication operation, and initiates the data transfer/center communication operation (t24). That is, the DCM 12 extracts write data from the distribution package, initiates to transfer the write data to the CGW 13, acquires a rewrite progress situation from the CGW 13, and initiates to notify the center device 3 of the rewrite progress situation.
When acquisition of the write data from the DCM 12 is initiated, the CGW 13 transitions from the normal operation to a reprogramming master operation, initiates the reprogramming master operation, initiates to distribute the write data to the double-bank memory ECU, and instructs the double-bank memory ECU to write the write data. When the double-bank memory ECU initiates to receive write data from the CGW 13, the double-bank memory ECU initiates a programming phase (hereinafter, also referred to as an installation phase) in a normal operation. That is, the double-bank memory ECU performs the installation of the application program on the background while performing the normal operation. The double-bank memory ECU initiates to write the received write data into the flash memory and initiates to rewrite the application program.
When the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to the +B power during rewriting of the application program in the double-bank memory ECU (t25), the DCM 12 continues the data transfer/center communication operation, the CGW 13 continues the reprogramming master operation, and the double-bank memory ECU continues the installation phase and continues rewriting of the application program immediately after the vehicle power switches from the IG power to the +B power. When a self-retention period that is a preset period elapses after the vehicle power switches from the IG power to the +B power, the DCM 12 stops the data transfer/center communication operation, the CGW 13 stops the reprogramming master operation, and the double-bank memory ECU stops the installation phase and stops rewriting of the application program (t26). That is, the installation is continued by supplying power from the vehicle battery 40 until a predetermined time elapses after the IG switch 42 is turned off.
Thereafter, when the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, the DCM 12 resumes the data transfer/center communication operation, the CGW 13 resumes the reprogramming master operation, and the double-bank memory ECU resumes the installation phase and resumes rewriting of the application program (t27). That is, the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to the +B power, and then the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, and, each time a trip occurs, the double-bank memory ECU repeats stopping and resuming of rewriting of the application program (t28 to t30). However, until the self-retention period elapses after the vehicle power switches from the IG power to the +B power, the DCM 12 continues the data transfer/center communication operation, the CGW 13 continues the reprogramming master operation, and the double-bank memory ECU continues the installation phase and continues rewriting of the application program.
When the double-bank memory ECU completes writing of the write data, and completes rewriting of the application program, the double-bank memory ECU finishes the installation phase, and transitions from the normal operation to activation standby. That is, the double-bank memory ECU is not started on the new bank (bank-B) in which the application program is rewritten at the time point when the activation phase is not performed, and remains started on the old bank (bank-A) (t31).
When the user switches off the IG switch in an ON state such that the vehicle power switches from the IG power to the +B power, and rewriting of the application program in the double-bank memory ECU has been completed at that time, each of the single-bank suspend memory ECU and the single-bank memory ECU transitions from the normal operation to a boot process, initiates the boot process, and initiates the installation phase in the boot process (t32).
When the single-bank suspend memory ECU and the single-bank memory ECU complete writing of the write data, and complete rewriting of the application program, the single-bank suspend memory ECU and the single-bank memory ECU finish the installation phase in the boot process (t33). When the vehicle power switches from the +B power to the IG power by the CGW 13 transmitting the power supply start request to the power supply management ECU 20, the DCM 12 resumes the data transfer/center communication operation (t34).
When the single-bank suspend memory ECU completes writing of the write data and completes rewriting of the application program, the single-bank suspend memory ECU transitions from the boot process to activation standby. That is, the single-bank suspend memory ECU is not started on the new bank (bank-B) in which the application program is rewritten at the time point when the activation phase is not performed, and remains started on the old bank (bank-A). When the single-bank memory ECU completes writing of the write data and completes rewriting of the application program, the single-bank memory ECU finishes the installation phase in the boot process and waits for activation (t35).
When the power supply management ECU 20 switches the vehicle power from the IG power to the +B power in response to an activation instruction from the CGW 13, each of the double-bank memory ECU and the single-bank suspend memory ECU switches from the old bank to the new bank to be started on the new bank, and initiates an activation phase in the new bank start. The single-bank memory ECU initiates restart, and initiates the activation phase in restart after installation is completed (t36 and t37).
When the activation has been completed, and the power supply management ECU 20 switches the vehicle power from the IG power to the +B power in response to an activation completion instruction from the CGW 13, the DCM 12 transitions from the data transfer/center communication operation to a sleep/stop operation and initiates the sleep/stop operation. The CGW 13 transitions from the reprogramming master operation to the sleep/stop operation and initiates the sleep/stop operation. Each of the double-bank memory ECU, single-bank suspend memory ECU, and single-bank memory ECU transitions from the new bank start to the sleep/stop operation (t38).
Thereafter, when the user switches on the IG switch in an OFF state such that the vehicle power switches from the +B power to the IG power, each of the double-bank memory ECU and the single-bank suspend memory ECU starts the new application program with the new bank (bank-B) as a start bank, and the single-bank memory ECU starts the new application program (t39).
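As an added illustration that is not part of the patent text, the following simulation contrasts case (a) and case (b) for the double-bank memory ECU: under power supply control installation stops the instant the IG switch is turned off, whereas with self-retention power it keeps installing for the self-retention period after IG-off and only then stops until the next IG-on. The names install_timeline, IgEvent and self_retention_s and the time values are assumptions; the patent does not specify the length of the self-retention period.

```python
from dataclasses import dataclass
from typing import List, Tuple

INF = float("inf")


@dataclass
class IgEvent:
    """A user operation on the IG switch 42 at time_s (seconds, constructed scale)."""
    time_s: float
    ig_on: bool  # True: switched on (+B power -> IG power); False: switched off


def install_timeline(events: List[IgEvent], work_s: float,
                     self_retention_s: float) -> Tuple[float, List[Tuple[float, str]]]:
    """Simulate the installation phase of the double-bank memory ECU.

    work_s is the powered time the rewrite needs. With self_retention_s == 0 the
    behaviour is that of power supply control (case (a)): installation stops at the
    instant the IG switch is turned off. With self_retention_s > 0 (case (b)) the
    ECU keeps installing on battery power for that period after IG-off, then stops
    until the next IG-on. The IG switch is assumed to be on when installation starts.
    Returns (completion time, or -1.0 if never completed, transition log)."""
    now, remaining, stopped = 0.0, work_s, False
    powered_until = INF
    log: List[Tuple[float, str]] = []
    timeline = sorted(events, key=lambda e: e.time_s) + [IgEvent(INF, False)]
    for ev in timeline:
        # power is available during [now, stop_at); the rewrite progresses there
        stop_at = min(ev.time_s, powered_until)
        if stop_at > now:
            if remaining <= stop_at - now:
                return now + remaining, log
            remaining -= stop_at - now
        if not stopped and powered_until < ev.time_s:
            log.append((powered_until, "stop"))      # power lapsed, rewrite suspended
            stopped = True
        now = ev.time_s
        if ev.ig_on:
            if stopped:
                log.append((now, "resume"))          # rewrite resumes on IG-on
                stopped = False
            powered_until = INF
        else:
            powered_until = now + self_retention_s
            if self_retention_s > 0:
                log.append((now, "continue on self-retention power"))
    return -1.0, log


if __name__ == "__main__":
    # Constructed trips: IG off at 100 s, on at 200 s, off at 300 s, on at 400 s.
    trips = [IgEvent(100, False), IgEvent(200, True), IgEvent(300, False), IgEvent(400, True)]
    print("power supply control:", install_timeline(trips, 250, 0))
    print("self-retention 60 s :", install_timeline(trips, 250, 60))
```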
Prior to download of a distribution package from the center device 3 and distribution of write data to the rewrite target ECU 19, the CGW 13 performs the following checking. Prior to download of a distribution package from the center device 3, the CGW 13 checks a radio wave environment, a remaining battery charge of the vehicle battery 40, and a memory capacity of the DCM 12 such that the distribution package can be downloaded normally. Prior to distribution of write data to the rewrite target ECU 19, the CGW 13 performs detection of an intrusion sensor, detection of a door lock, detection of a curtain, and detection of IG-off as a check of a manned environment in order not to make an installation environment unstable such that write data can be distributed normally, and checks a version and the occurrence of abnormality as a check of whether or not the rewrite target ECU 19 can be written. The CGW 13 performs a falsification check, access authentication, a version check, and the like as a check of write data to be distributed to the rewrite target ECU 19 prior to initiation of installation, performs a communication disruption check, an error occurrence check, and the like during the installation, and performs a version check, an integrity check, a diagnostic trouble code (DTC, error code) check, and the like after the installation is completed.
Next, a screen displayed on the display terminal 5 will be described with reference to
As illustrated in
When the user operates the campaign notification icon 501a in this state, as illustrated in
When the user operates the “check” button 502a in this state, as illustrated in
When the user operates the “details check” button 503b in a state in which the download approval screen 503 is displayed, as illustrated in
When the user operates the download-in-progress icon 501b in this state, as illustrated in
When the download has been completed, the CGW 13 displays a download completion notification screen 505 in a pop-up form on the navigation screen 501 as illustrated in
When the user operates the “check” button 505a in this state, as illustrated in
When the user operates the “immediate update” button 506a in this state, as illustrated in
When the installation is initiated, as illustrated in
When the user operates the installation-in-progress icon 501c in this state, as illustrated in
When the installation has been completed, as illustrated in
When the user turns on the IG power in the state after the user operates the “OK” button 508b, as illustrated in
When the user operates the “OK” button 509a in this state, as illustrated in
When the user operates the “details check” button 510a in this state, as illustrated in
As described above, the vehicle-side system 4 controls the respective operation phases such as the campaign notification, the download, the installation, the activation, and the update completion, and presents display corresponding to each operation phase to the user. In the above description, the CGW 13 is configured to control the display, but the in-vehicle display 7 may be configured to receive an operation phase or distribution specification data from the CGW 13 and to perform the display.
Next, characteristic processes performed by the vehicle program rewriting system 1 will be described with reference to
(1) Distribution package transmission determination process
(2) Distribution package download determination process
(3) Write data transfer determination process
(4) Write data acquisition determination process
(5) Installation instruction determination process
(6) Security access key management process
(7) Write data verification process
(8) Data storage bank information transmission control process
(9) Non-rewrite target power supply management process
(10) File transfer control process
(11) Write data distribution control process
(12) Activation request instruction process
(13) Activation execution control process
(14) Rewrite target group management process
(15) Rollback execution control process
(16) Rewrite progress situation display control process
(17) Difference data consistency determination process
(18) Rewrite execution control process
(19) Session establishment process
(20) Retry point specifying process
(21) Progress state synchronization control process
(22) Display control information transmission control process
(23) Display control information reception control process
(24) Screen display control process for progress display
(25) Program update notification control process
(26) Self-retention power execution control process
Each of the center device 3, the DCM 12, the CGW 13, the ECU 19, and the in-vehicle display 7 has the following functional blocks as configurations for performing the characteristic processes (1) to (26) described above.
As illustrated in
As illustrated in
When the write data is extracted from the distribution package by the write data extraction unit 63, the write data transfer unit 64 transfers the extracted write data to the CGW 13. When the distribution package is downloaded from the center device 3 by the distribution package download unit 62, the rewrite specification data extraction unit 65 extracts rewrite specification data from the downloaded distribution package. When rewrite specification data is extracted from the distribution package by the rewrite specification data extraction unit 56, the rewrite specification data transfer unit 66 transfers the extracted rewrite specification data to the CGW 13. In addition to the above-described configuration, the DCM 12 includes a distribution package download determination unit 67 and a write data transfer determination unit 68 as a configuration of performing the characteristic processes. The functional blocks performing the characteristic processes will be described later.
As illustrated in
In addition to the above-described configuration, the CGW 13 includes, as a configuration of performing the characteristic processes, a write data acquisition determination unit 76, an installation instruction determination unit 77, a security access key management unit 78, a write data verification unit 79, a data storage bank information transmission control unit 80, a non-rewrite target power supply management unit 81, a file transfer control unit 82, a write data distribution control unit 83, an activation request instruction unit 84, a rewrite target group management unit 85, a rollback execution control unit 86, a rewrite progress situation display control unit 87, a progress state synchronization control unit 88, a display control information reception control unit 89, a progress display screen display control unit 90, a program update notification control unit 91, and a self-retention power execution control unit 92. The functional blocks performing the characteristic processes will be described later.
As illustrated in
As illustrated in
Hereinafter, each of the processes (1) to (26) described above will be described in order.
(1) Distribution Package Transmission Determination Process and (2) Distribution Package Download Determination Process
The distribution package transmission determination process in the center device 3 will be described with reference to
As illustrated in
When the software information is acquired by the software information acquisition unit 52a, the update availability determination unit 52b determines whether or not update data for the vehicle is available on the basis of the acquired software information. That is, the update availability determination unit 52b compares a version of the acquired software information with a version of the latest software information to be managed thereby, to determine whether both of the versions match each other, and thus determines availability of update data for the vehicle. The update availability determination unit 52b determines that update data for the vehicle is unavailable when it is determined that both of the versions match each other, and determines that update data for the vehicle is available when it is determined that both of the versions do not match each other.
When it is determined by the update availability determination unit 52b that update data for the vehicle is available, the update propriety determination unit 52c determines whether or not a vehicle condition is a condition suitable for updating a program or the like using a distribution package. Specifically, the update propriety determination unit 52c determines whether or not a license contract is established, whether or not a vehicle position is within a predetermined range registered in advance by the user, whether or not a setting of an alarm function of the vehicle is validated, whether or not trouble information regarding the ECU 19 is generated, and determines whether or not a vehicle condition is a condition suitable for downloading a distribution package. That is, the update propriety determination unit 52c determines whether or not the vehicle is a vehicle in which a program may be updated against the intention of the user, or a vehicle in which installation may fail after download even when the download is successful.
When it is determined that the license contract is established, the vehicle position is within a predetermined range registered in advance by the user, the setting of the alarm function of the vehicle is validated, and the trouble information regarding the ECU 19 is not generated, the update propriety determination unit 52c determines that the vehicle condition is a condition suitable for updating a program or the like using a distribution package. The update propriety determination unit 52c determines that the vehicle condition is not a condition suitable for updating a program or the like using a distribution package when it is determined that at least one of the following is true: the license contract is not established, the vehicle position is not within a predetermined range registered in advance by the user, the setting of the alarm function of the vehicle is not validated, or the trouble information regarding the ECU 19 is generated.
The campaign information transmission unit 52d transmits campaign information to the master device 11 when the update propriety determination unit 52c determines that the vehicle condition is a condition suitable for updating a program or the like using a distribution package. The campaign information transmission unit 52d does not transmit the campaign information to the master device 11 when it is determined by the update propriety determination unit 52c that the vehicle condition is not a condition suitable for updating a program or the like using a distribution package. The campaign information transmission unit 52d performs the determination described above, and thus stores information regarding a vehicle in which the campaign information is not transmitted to the master device 11. The center device 3 may display the information regarding a vehicle in which the campaign information is not transmitted to the master device 11.
Next, an operation of the distribution package transmission determination unit 52 in the center device 3 will be described with reference to
When it is determined that update data for the vehicle is not available (S102: NO), the center device 3 transmits, to the master device 11, information indicating that the vehicle is not a distribution package transmission target, that is, update of an application program is not available (S105), and finishes the transmission determination process of the distribution package. When it is determined that the vehicle condition is not a condition suitable for updating a program or the like using the distribution package (S103: NO), the center device 3 transmits, to the master device 11, information indicating that the vehicle condition is not suitable for updating a program or the like and the reason therefor (S106), and finishes the distribution package transmission determination process. In this case, the master device 11 displays, on the in-vehicle display 7, the information indicating that the vehicle condition is not suitable for updating a program or the like and the reason therefor. For example, when a license contract is not established, the master device 11 displays the content that “the program cannot be updated because the license is not valid; please contact your dealer” on the in-vehicle display 7. Consequently, it is possible to present the reason why the vehicle condition is not suitable for updating a program or the like to the user, and thus to present appropriate information to the user.
As described above, the center device 3 can determine whether or not a condition is suitable for updating a program or the like using a distribution package by performing the distribution package transmission determination process before transmission of the distribution package to the master device 11 and before transmission of campaign information. The center device 3 can transmit campaign information to the master device 11 so as to transmit a distribution package to the master device 11 only in a case where it is determined that a condition is suitable for updating a program or the like using the distribution package.
The center device 3 can transmit the campaign information to the master device 11 in a case where a license contract is established, a vehicle position is within a predetermined range registered in advance by the user, a setting of an alarm function of the vehicle is validated, and trouble information regarding the ECU 19 is not generated as a case where a condition is suitable for updating a program or the like using a distribution package. That is, the center device 3 can prevent a situation in which the campaign information is transmitted to the master device 11 in a case where the license contract is not established, the vehicle position is out of a predetermined range such as a position far away from the home, the setting of the alarm function of the vehicle is invalidated, or the trouble information regarding the ECU 19 is generated. As described above, the center device 3 can prevent the campaign information from being transmitted to the master device 11 for a vehicle in which a program may be updated against the intention of the user, or installation may fail after download even when the download is successful.
The center device 3 may perform the distribution package transmission determination process during transmission of a distribution package. In this case, when it is determined that a vehicle condition is suitable for updating a program using the distribution package during the transmission of the distribution package, the center device 3 continues the transmission of the distribution package, but, when it is determined that the vehicle condition is not suitable for updating a program using the distribution package during transmission of the distribution package, the center device stops transmission of the distribution package. That is, the center device 3 stops the transmission of the distribution package, for example, when trouble information regarding the ECU 19 occurs during the transmission of the distribution package.
Next, a description will be made of a process in the master device 11 that has received the campaign information transmitted from the center device 3. The distribution package download determination process in the master device 11 will be described with reference to
As illustrated in
When it is determined that the radio wave environment is favorable, the remaining battery charge of the vehicle battery 40 is equal to or larger than the predetermined capacity, and the free memory capacity of the DCM 12 is equal to or larger than the predetermined capacity, the downloadability determination unit 67b determines that the vehicle condition is a condition in which the distribution package is downloadable. The downloadability determination unit 67b determines that the vehicle condition is not a condition in which the distribution package is downloadable when it is determined that at least one of the following is true: the radio wave environment is not favorable, the remaining battery charge of the vehicle battery 40 is smaller than the predetermined capacity, or the free memory capacity of the DCM 12 is smaller than the predetermined capacity.
As mentioned above, the downloadability determination unit 67b determines whether or not there is a possibility that the download cannot be completed normally. The determination in the downloadability determination unit 67b is performed on the condition that the “download initiation” button 503a is operated by the user on the download approval screen 503 illustrated in
The download execution unit 67c downloads the distribution package from the center device 3 when the downloadability determination unit 67b determines that the vehicle condition is a condition in which the distribution package is downloadable. That is, the download execution unit 67c executes download of the distribution package after confirming that the download can be completed normally.
The download execution unit 67c does not download the distribution package from the center device 3 when the downloadability determination unit 67b determines that the vehicle condition is not a condition in which the distribution package is downloadable. That is, the download execution unit 67c does not execute download of the distribution package in a case where there is a possibility that the download cannot be completed normally. In this case, the download execution unit 67c instructs the in-vehicle display 7 to display a pop-up screen indicating that the download cannot be initiated and the reason therefor on the navigation screen 501.
Next, a description will be made of an operation of the distribution package download determination unit 67 in the master device 11 with reference to
The master device 11 receives campaign information from the center device 3 when the distribution package download determination process is initiated (S201; corresponding to a campaign information reception procedure). The master device 11 determines whether or not a vehicle condition is a condition in which the distribution package is downloadable (S202; corresponding to a downloadability determination procedure). When it is determined that the vehicle condition is a condition in which the distribution package is downloadable (S202: YES), the master device 11 downloads the distribution package corresponding to the campaign from the center device 3 (S203; corresponding to a download execution procedure), and finishes the distribution package download determination process. When it is determined that the vehicle condition is not a condition in which the distribution package is downloadable (S202: NO), the master device 11 does not download the distribution package from the center device 3 and finishes the distribution package download determination process.
As described above, the master device 11 can determine whether or not a vehicle condition is a condition in which a distribution package is downloadable by performing the distribution package download determination process before downloading the distribution package from the center device 3. The master device 11 can download the distribution package only in a case where the vehicle condition is a condition in which the distribution package is downloadable.
The master device 11 can download the distribution package from the center device 3 in a case where the radio wave environment is favorable, the remaining battery charge of the vehicle battery 40 is equal to or larger than the predetermined capacity, and the free memory capacity of the DCM 12 is equal to or larger than the predetermined capacity, as a case suitable for downloading the distribution package. That is, in a case where the radio wave environment is not favorable, the remaining battery charge of the vehicle battery 40 is smaller than the predetermined capacity, or the free memory capacity of the DCM 12 is smaller than the predetermined capacity, it is possible to prevent a situation in which the distribution package is downloaded from the center device 3.
The master device 11 may perform the distribution package download determination process during download of the distribution package. In this case, when it is determined that the vehicle condition is a condition in which the distribution package is downloadable during download of the distribution package, the master device 11 continues download of the distribution package from the center device 3, but, when it is determined that the vehicle condition is not a condition in which the distribution package is downloadable during download of the distribution package, the master device stops download of the distribution package from the center device 3. That is, the master device 11 stops download of the distribution package, for example, in a case where the radio wave environment becomes unfavorable, the remaining battery charge of the vehicle battery 40 becomes smaller than the predetermined capacity, or the free memory capacity of the DCM 12 becomes smaller than the predetermined capacity, during download of the distribution package.
In the above-described way, the center device 3 determines whether or not the vehicle is a vehicle in which a program may be updated against the intention of the user, or installation may fail, and the master device 11 determines whether or not there is a possibility that the download may fail in the master device 11, so that transmission of unnecessary campaign information and a distribution package from the center device 3 to the master device 11 can be suppressed.
The center device 3 has the following configuration. The center device includes the software information acquisition unit 52a acquiring software information of an electronic control unit from a vehicle side, the update availability determination unit 52b determining availability of update data for the vehicle on the basis of the software information acquired by the software information acquisition unit, the update propriety determination unit 52c determining whether or not a vehicle condition is a condition suitable for update in a case where it is determined by the update availability determination unit that update data is available, and the campaign information transmission unit 52d transmitting campaign information regarding update to a vehicle master device in a case where it is determined by the update propriety determination unit that the vehicle condition is a condition suitable for the update.
The master device 11 has the following configuration. The master device includes the campaign information receiving unit 67a receiving campaign information from a center device, the downloadability determination unit 67b determining whether or not a vehicle condition is a condition in which a distribution package is downloadable in a case where the campaign information is received by the campaign information receiving unit, and the download execution unit 67c downloading the distribution package from the center device in a case where it is determined by the downloadability determination unit that the vehicle condition is a condition in which the distribution package is downloadable.
(3) Write Data Transfer Determination Process, (4) Write Data Acquisition Determination Process, and (5) Installation Instruction Determination Process
The write data transfer determination process will be described with reference to
As illustrated in
Next, with reference to
When it is determined that an acquisition request for the write data from the CGW 13 has been received, the DCM 12 initiates the write data transfer determination process. When the write data transfer determination process is initiated, the DCM 12 determines the transfer feasibility determination flag (S301 and S302). When it is determined that the transfer feasibility determination flag has the first predetermined value (S301: YES), the DCM 12 determines a state of data communication between the center device 3 and the DCM 12 (S303). When it is determined that the data communication between the center device 3 and the DCM 12 is in a connection state (S303: YES), the DCM 12 transfers the write data to the CGW 13 (S304) and finishes the write data transfer determination process. When it is determined that the data communication between the center device 3 and the DCM 12 is not in a connection state but in a disconnection state (S303: NO), the DCM 12 does not transfer the write data to the CGW 13 and finishes the write data transfer determination process.
When it is determined that the transfer feasibility determination flag has the second predetermined value (S302: YES), the DCM 12 transfers the write data to the CGW 13 without determining a state of the data communication between the center device 3 and the DCM 12, and finishes the write data transfer determination process.
As described above, the DCM 12 performs the write data transfer determination process prior to transfer of the write data to the CGW 13, and determines a state of a data communication between the center device 3 and the DCM 12 in a case where the transfer feasibility determination flag has the first predetermined value. When it is determined that the data communication is in a connection state, the DCM 12 initiates transfer of the write data, and when it is determined that the data communication is in a disconnection state, the DCM 12 waits without initiating transfer of the write data. In a situation in which data communication with the center device 3 is possible, the write data can be transferred to the CGW 13, and installation can be performed in the rewrite target ECU 19.
For example, in a case where there are a plurality of rewrite target ECUs 19 and installation takes time, the in-vehicle-side system 4 can notify the center device 3 of an installation progress situation, and the mobile terminal 6 can display the progress situation one by one. The DCM 12 may perform the write data transfer determination process during transfer of the write data. In this case, when it is determined that data communication is in a connection state during the transfer of the write data, the DCM 12 continues the transfer of the write data, but when it is determined that the data communication is in a disconnection state during the transfer of the write data, the DCM stops the transfer of the write data.
Next, the write data acquisition determination process will be described. The vehicle program rewriting system 1 performs the write data acquisition determination process in the CGW 13. (3) The write data transfer determination process is a determination process performed by the DCM 12 in the installation phase, and the write data acquisition determination process is a determination process performed by the CGW 13 in the same installation phase.
As illustrated in
Next, with reference to
When it is determined that the event of the request to acquire the write data has occurred, the CGW 13 initiates the write data acquisition determination process. When the write data acquisition determination process is initiated, the CGW 13 determines the acquisition feasibility determination flag (S401 and S402). When it is determined that the acquisition feasibility determination flag has the first predetermined value (S401: YES), the CGW 13 determines a state of data communication between the center device 3 and the DCM 12 (S403). When it is determined that data communication between the center device 3 and the DCM 12 is a connection state (S403: YES), the CGW 13 transmits an acquisition request for the write data to the DCM 12 (S404), and finishes the write data acquisition determination process. Thereafter, when the write data is transferred from the DCM 12, the CGW 13 distributes the transferred write data to the rewrite target ECU 19. When it is determined that the data communication between the center device 3 and the DCM 12 is not in a connection state but is in a disconnection state (S403: NO), the CGW 13 does not transmit the acquisition request for the write data to the DCM 12 and finishes the write data acquisition determination process.
When it is determined that the acquisition feasibility determination flag has the second predetermined value (S402: YES), the CGW 13 transmits an acquisition request for the write data to the DCM 12 without determining a state of the data communication between the center device 3 and the DCM 12, and finishes the write data acquisition determination process.
As described above, the CGW 13 performs the write data acquisition determination process prior to acquisition of the write data from the DCM 12, and determines a state of the data communication between the center device 3 and the DCM 12 in a case where the acquisition feasibility determination flag has the first predetermined value. When it is determined that the data communication is in a connection state, the CGW 13 initiates acquisition of the write data, and, when it is determined that the data communication is in a disconnection state, the CGW waits without initiating acquisition of the write data. In a situation in which communication with the center device 3 is possible, the write data can be acquired from the DCM 12, and installation can be performed in the rewrite target ECU 19.
For example, in a case where there are a plurality of rewrite target ECUs 19 and installation takes time, the in-vehicle-side system 4 can notify the center device 3 of an installation progress situation, and the mobile terminal 6 can display the progress situation one by one. The CGW 13 may perform the write data acquisition determination process during acquisition of the write data. In this case, when it is determined that the data communication is in a connection state during the acquisition of the write data, the CGW 13 continues the acquisition of the write data, but when it is determined that the data communication is in a disconnection state during the acquisition of the write data, the CGW stops the acquisition of the write data.
Next, the write data acquisition determination described above will be described in more detail. Acquisition of the write data is one of the processes related to installation, and the installation instruction determination process will be described here with reference to
As illustrated in
The second condition is a condition that the CGW 13 can perform data communication with the center device 3. The third condition is a condition that a vehicle condition is an installable condition. The fourth condition is a condition that installation can be performed in the rewrite target ECU 19. Here, the fourth condition includes not only that installation can be performed in the rewrite target ECU 19 which is an installation target, but also that installation can be performed in the rewrite target ECU 19 cooperating with the rewrite target ECU 19 which is an installation target. The fifth condition is a condition that the write data is normal data. Here, the normal data includes data suitable for the rewrite target ECU 19, data that is not falsified, and the like.
When it is determined by the installation condition determination unit 77a that all of the first condition, the second condition, the third condition, the fourth condition, and the fifth condition are established, the installation instruction unit 77b instructs the rewrite target ECU 19 to install an application program. That is, the rewrite target ECU 19 is instructed to install the application program when the installation condition determination unit 77a determines that the user's approval for the installation is obtained, the CGW 13 can perform data communication with the center device 3, the vehicle condition is an installable condition, the installation can be performed in the rewrite target ECU 19, and the write data is normal data. Specifically, the installation instruction unit 77b acquires the write data from the DCM 12, and transfers the acquired write data to the rewrite target ECU 19. When it is determined by the installation condition determination unit 77a that at least one of the first condition, the second condition, the third condition, the fourth condition, and the fifth condition is not established, the installation instruction unit 77b does not instruct the rewrite target ECU 19 to install the application program, and waits or presents, to the user, information indicating that installation cannot be initiated and the reason therefor.
The vehicle condition information acquisition unit 77c acquires vehicle condition information from the center device 3. The activation condition determination unit 77d determines whether or not a sixth condition, a seventh condition, and an eighth condition are established in a case where the installation of the application program has been completed in all of the rewrite target ECUs 19. The sixth condition is a condition that the user's approval for activation is obtained. The user's approval for the activation indicates the user's approval operation (for example, pressing the “OK” button 508b) for the activation on the screen illustrated in
When it is determined by the activation condition determination unit 77d that all of the sixth condition, the seventh condition, and the eighth condition are established, the activation instruction unit 77e instructs the rewrite target ECU 19 to activate the application program. A detailed description will be made of (12) the activation request instruction process which will be described later. That is, the activation instruction unit 77e instructs the rewrite target ECU 19 to activate the application program when the activation condition determination unit 77d determines that the user's approval for the activation is obtained, the vehicle condition is an activatable condition, and the rewrite target ECU 19 is in an activatable condition. The activation is performed, and thus an update program written in the rewrite target ECU 19 is validated. When it is determined by the activation condition determination unit 77d that at least any of the sixth condition, the seventh condition, and the eighth condition is not established, the activation instruction unit 77e does not instruct the rewrite target ECU 19 to activate the application program, and waits or presents, to the user, information indicating that the activation cannot be initiated and the reason therefor.
Next, an operation of the installation instruction determination unit 77 in the CGW 13 will be described with reference to
When the installation instruction determination process is initiated, the CGW 13 determines whether or not the first condition is established, and determines whether or not the user's approval for the installation is obtained (S501; corresponding to a part of an installation condition determination procedure). When it is determined that the user's approval for installation is obtained (S501: YES), the CGW 13 determines whether or not the second condition is established, and determines whether or not data communication with the center device 3 is possible (S502; corresponding to a part of the installation condition determination procedure). The CGW 13 determines whether or not data communication with the center device 3 is possible on the basis of a communication radio wave status in the DCM 12.
When it is determined that data communication with the center device 3 is possible (S502: YES), the CGW 13 determines whether or not the third condition is established, and determines whether or not a vehicle condition is an installable condition (S503; corresponding to a part of the installation condition determination procedure). The CGW 13 determines, as the vehicle condition, for example, whether or not a remaining battery charge of the vehicle battery 40 is equal to or larger than a predetermined capacity, or whether or not the vehicle is in a parking state (IG OFF state) in a case where a memory configuration of the rewrite target ECU 19 is a single-bank memory, and thus determines whether or not the vehicle condition is an installable condition. The condition of the vehicle condition may refer to received rewrite specification data (refer to
When it is determined that the vehicle condition is an installable condition (S503: YES), the CGW 13 determines whether or not the fourth condition is established, and determines whether or not the rewrite target ECU 19 is in an installable condition (S504; corresponding to a part of the install condition determination procedure). The CGW 13 determines that the rewrite target ECU 19 is in an installable condition, for example, in a case where a trouble code is not generated in the rewrite target ECU 19 and security access to the rewrite target ECU 19 is successful. Here, whether or not the trouble code is generated may be checked not only for the rewrite target ECU 19 to which the write data is written but also for the ECU 19 performing cooperative control with the rewrite target ECU 19. That is, the CGW 13 determines whether or not the trouble code is generated not only for the rewrite target ECU 19 but also for the ECU 19 performing cooperative control with the rewrite target ECU 19.
When it is determined that the rewrite target ECU 19 is in an installable condition (S504: YES), the CGW 13 determines whether or not the fifth condition is established, that is, whether or not the write data is normal data (S505; corresponding to a part of the installation condition determination procedure). The CGW 13 determines that the write data is normal data in a case where the write data matches the write bank (inactive bank) of the rewrite target ECU 19 and a verification result of the integrity of the write data is normal. When it is determined that the write data is normal data (S505: YES), the CGW 13 instructs the rewrite target ECU 19 to install the application program (S506; corresponding to an installation instruction procedure). In this way, the CGW 13 determines the second condition and the subsequent conditions only on the condition that the first condition is satisfied, and determines the fifth condition last. When it is determined that all of the first to fifth conditions are established, the CGW 13 instructs the rewrite target ECU 19 to install the application program.
On the other hand, when the CGW 13 determines that the user's approval for installation is not obtained (S501: NO), determines that data communication with the center device 3 is not possible (S502: NO), determines that the vehicle condition is not an installable condition (S503: NO), determines that the rewrite target ECU 19 is not in an installable condition (S504: NO), or determines that the write data is not normal data (S505: NO), the CGW does not instruct the rewrite target ECU 19 to install the application program. In the above-described process, a configuration has been described in which the condition that the user's approval for installation is obtained is determined earlier than the other conditions, but a configuration in which the condition is determined later than the other conditions may be used.
When the CGW 13 instructs the rewrite target ECU 19 to install the application program, the CGW distributes the write data to the rewrite target ECU 19 (S507), and determines whether or not the installation has been completed (S508). When it is determined that the installation has been completed (S508: YES), the CGW 13 determines whether or not the sixth condition is established, and determines whether or not the user's approval for the activation is obtained (S509). When it is determined that the user's approval for the activation is obtained (S509: YES), the CGW 13 determines whether or not the seventh condition is established, and determines whether or not the vehicle condition is an activatable condition (S510).
When it is determined that the vehicle condition is an activatable condition (S510: YES), the CGW 13 determines whether or not the eighth condition is established, and determines whether or not the rewrite target ECU 19 is in an activatable condition (S511). When it is determined that the rewrite target ECU 19 is in an activatable condition (S511: YES), the CGW 13 instructs the rewrite target ECU 19 to perform activation (S512). As mentioned above, when it is determined that all of the sixth condition to the eighth condition are established, the CGW 13 instructs the rewrite target ECU 19 to perform activation.
In a case where there are a plurality of rewrite target ECUs 19, the CGW 13 may individually or collectively give an instruction for installation. In a case where the rewrite target ECUs 19 are the ECU (ID1) and the ECU (ID2), in an aspect of individually giving an instruction for the installation, the CGW 13 determines whether or not installation conditions are established for the ECU (ID1), as illustrated in
In a case where the rewrite target ECUs 19 are the ECU (ID1) and the ECU (ID2), in an aspect of collectively giving an instruction for installation, the CGW 13 determines whether or not installation conditions are established for the ECU (ID1), as illustrated in
As described above, the CGW 13 performs the installation instruction determination process before instructing the rewrite target ECU 19 to install an application program, and thus instructs the rewrite target ECU 19 to install the application program when it is determined that all of the first condition that the user's approval for the installation is obtained, the second condition that data communication with the center device 3 is possible, the third condition that a vehicle condition is an installable condition, the fourth condition that the rewrite target ECU 19 is in an installable condition, and the fifth condition that the write data is normal data are established. It is possible to appropriately instruct the rewrite target ECU 19 to install an application program.
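The first to fifth conditions and the sixth to eighth conditions above, carried through as a worked example. This is added example code and is not part of the present disclosure: the threshold BATTERY_MIN_PCT standing in for the "predetermined capacity", the HMAC-SHA256 authenticator used as the integrity check of the fifth condition, the bank labels "A" and "B", the data structures, and the ECU identifiers and trouble code used in the usage call are all assumptions or constructed values of the example. The conditions are evaluated in the order of S501 to S505 and the first failing condition is reported as the reason presented to the user.

```python
import hashlib
import hmac
from dataclasses import dataclass

BATTERY_MIN_PCT = 50.0          # assumed value of the "predetermined capacity"
INTEGRITY_KEY = b"\x11" * 32    # constructed: MAC key the CGW would hold in its secure area


@dataclass
class EcuState:
    ecu_id: str
    active_bank: str             # "A" or "B"
    single_bank: bool = False
    trouble_codes: tuple = ()
    security_access_ok: bool = True
    cooperating: tuple = ()      # IDs of ECUs under cooperative control with this one

    def write_bank(self) -> str:
        # single-bank ECUs are written in place; dual-bank ECUs in the inactive bank
        if self.single_bank:
            return self.active_bank
        return "B" if self.active_bank == "A" else "A"


@dataclass
class VehicleState:
    battery_pct: float
    ig_off: bool
    center_reachable: bool       # derived from the radio wave status in the DCM


@dataclass
class WriteData:
    target_ecu: str
    target_bank: str             # bank the image was built for
    image: bytes
    authenticator: bytes         # constructed: HMAC-SHA256 over the image


def make_authenticator(image: bytes) -> bytes:
    return hmac.new(INTEGRITY_KEY, image, hashlib.sha256).digest()


def installation_decision(user_approved, vehicle, ecus, wd):
    """Evaluate the first to fifth conditions in order (S501..S505).
    Returns (True, "") when the CGW may instruct installation, else (False, reason)."""
    target = ecus[wd.target_ecu]
    if not user_approved:                                   # first condition
        return False, "user approval for installation not obtained"
    if not vehicle.center_reachable:                        # second condition
        return False, "data communication with center device not possible"
    if vehicle.battery_pct < BATTERY_MIN_PCT:               # third condition
        return False, "battery below predetermined capacity"
    if target.single_bank and not vehicle.ig_off:
        return False, "single-bank ECU: vehicle must be parked (IG OFF)"
    for eid in (target.ecu_id,) + target.cooperating:      # fourth condition
        if ecus[eid].trouble_codes:
            return False, f"trouble code {ecus[eid].trouble_codes[0]} present in {eid}"
    if not target.security_access_ok:
        return False, "security access to target ECU failed"
    if wd.target_bank != target.write_bank():               # fifth condition
        return False, f"write data is for bank {wd.target_bank}, write bank is {target.write_bank()}"
    if not hmac.compare_digest(make_authenticator(wd.image), wd.authenticator):
        return False, "integrity verification of write data failed"
    return True, ""


def activation_decision(user_approved, vehicle_activatable, ecu_activatable):
    """Sixth to eighth conditions (S509..S511), checked once installation
    has completed in all rewrite target ECUs."""
    if not user_approved:
        return False, "user approval for activation not obtained"
    if not vehicle_activatable:
        return False, "vehicle condition is not activatable"
    if not ecu_activatable:
        return False, "rewrite target ECU is not activatable"
    return True, ""


if __name__ == "__main__":
    # constructed usage: ID1 is the target, ID2 cooperates with it
    ecus = {"ID1": EcuState("ID1", "A", cooperating=("ID2",)), "ID2": EcuState("ID2", "A")}
    vehicle = VehicleState(battery_pct=80.0, ig_off=True, center_reachable=True)
    image = b"\x00" * 64
    wd = WriteData("ID1", "B", image, make_authenticator(image))
    print(installation_decision(True, vehicle, ecus, wd))
    ecus["ID2"].trouble_codes = ("P0100",)   # constructed trouble code on the cooperating ECU
    print(installation_decision(True, vehicle, ecus, wd))
```

Checking the authenticator with hmac.compare_digest rather than == keeps the integrity comparison constant-time; the trouble-code loop covers the cooperating ECUs as well as the target, which is the point made for the fourth condition.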
(6) Security Access Key Management Process
The security access key management process will be described with reference to
When the CGW 13 distributes the write data to the rewrite target ECU 19, the CGW 13 is required to perform security access (device authentication) with the rewrite target ECU 19 by using the security access key. In this case, a method is conceivable in which the CGW 13 requests the rewrite target ECU 19 to generate a random number value, acquires the generated random number value from the rewrite target ECU 19, and generates a security access key by performing a computation on the acquired random number value. However, in such a method, the security access key can be computed and stored whenever a random number value is acquired from the rewrite target ECU 19, even when no application program is being rewritten, so that there is a risk of security access key leakage.
In a configuration in which the CGW 13 transmits a random number value acquired from the rewrite target ECU 19 to the center device 3 and the center device 3 generates the security access key by performing the computation on the random number value, the CGW 13 does not need to store the security access key, and thus the risk of security access key leakage can be reduced. However, in the configuration in which the center device 3 performs the computation, the waiting time from when the rewrite target ECU 19 issues the random number value until the CGW 13 obtains the security access key from the center device 3 is increased, and thus it is difficult to satisfy the timing specification of the diagnosis communication. In view of such circumstances, the present embodiment employs the following configuration.
As illustrated in
When the OEM is provided with the random number value along with the reprogramming data from the supplier, the OEM correlates the provided random number value with an ECU (ID) for identifying the ECU 19, and stores the random number value into the CGW rewrite specification data illustrated in
When rewrite specification data (DCM rewrite specification data and CGW rewrite specification data) is provided along with the reprogramming data from the OEM, the center device 3 transmits a distribution package including the provided rewrite specification data and reprogramming data to the master device 11. In the master device 11, when the distribution package is downloaded from the center device 3, the DCM 12 transfers the rewrite specification data and write data to the CGW 13.
As illustrated in
The key pattern extraction unit 78c extracts, from an analysis result of the CGW rewrite specification data, a key pattern included in the rewrite specification data. The decryption operation pattern extraction unit 78d extracts, from an analysis result of the CGW rewrite specification data, a decryption operation pattern included in the rewrite specification data.
When the random number value is extracted by the random number value extraction unit 78b, the key generation unit 78e searches the secure area 78a, decrypts the extracted random number value by using a decryption key corresponding to the ECU (ID) from a bundle of decryption keys of the security access key located in the secure area 78a, and generates the security access key. In this case, the key generation unit 78e decrypts the key derivation value according to a decryption operation method specified by the decryption operation pattern extracted by the decryption operation pattern extraction unit 78d by using a decryption key specified by the key pattern extracted by the key pattern extraction unit 78c. That is, a plurality of key patterns and a plurality of decryption operation patterns are prepared, and a key pattern and a decryption operation pattern are specified by the CGW rewrite specification data, and thus the key generation unit 78e generates a security access key by using the key pattern and the decryption operation pattern.
When the security access key is generated by the key generation unit 78e, the security access execution unit 78f executes security access to the rewrite target ECU 19 by using the generated security access key. Specifically, the security access execution unit 78f transmits encrypted data in which an ECU (ID) is encrypted by using, for example, a security access key, and requests access to the rewrite target ECU 19. When receiving the encrypted data, the rewrite target ECU 19 decrypts the received encrypted data by using the security access key held by itself. The rewrite target ECU 19 compares decrypted data generated through the decryption with an ECU (ID) thereof, and permits access to the rewrite target ECU in a case where the data matches the ECU (ID), and does not permit access thereto in a case where the data does not match the ECU (ID).
The session transition request unit 78g requests transition to a rewrite session. After transition from a default session to the rewrite session, the security access execution unit 78f executes security access. After transition to a session (for example, a diagnosis session) other than the default session, security access may be performed, and then transition to the rewrite session may occur. The key erasure unit 78h erases the security access key generated by the key generation unit 78e after the security access to the rewrite target ECU 19 is executed by the security access execution unit 78f and rewriting of an application program in the rewrite target ECU 19 is completed.
Next, an operation of the security access key management unit 78 in the CGW 13 will be described with reference to
(6-1) Security Access Key Generation Process
When the security access key generation process is initiated, the CGW 13 analyzes rewrite specification data acquired from the DCM 12 (S601; corresponding to a rewrite specification data analysis procedure), and extracts a random number value, a key pattern, and a decryption operation pattern from CGW rewrite specification data (S602; corresponding to a key derivation value extraction procedure).
The CGW 13 searches the secure area 78a, decrypts the random number value extracted from the CGW rewrite specification data by using a decryption key corresponding to an ECU (ID) from a bundle of decryption keys of a security access key located in the secure area 78a, and generates the security access key (S603; corresponding to a key generation procedure).
As illustrated in
(6-2) Security Access Key Deletion Process
When the security access key erasure process is initiated, the CGW 13 determines whether or not rewriting of the application program in the rewrite target ECU 19 has been completed (S611). When it is determined that rewriting of the application program in the rewrite target ECU 19 has been completed (S611: YES), the CGW 13 erases the security access key generated in the security access key generation process (S612), and finishes the security access key erasure process.
As described above, the CGW 13 executes the security access key management process, extracts a random number value corresponding to the rewrite target ECU 19 from an analysis result of rewrite specification data, decrypts the random number value by using a decryption key corresponding to the rewrite target ECU 19 stored in the secure area 78a, and generates a security access key. The CGW 13 generates a security access key without acquiring the security access key from the outside, and thus security access to the rewrite target ECU 19 can be appropriately executed while reducing the risk of security access key leakage.
When there are a plurality of the rewrite target ECUs 19, it is desirable for the CGW 13 to generate a security access key immediately before each piece of write data is installed. In other words, in a case where rewrite target ECUs 19 are the ECU (ID1), the ECU (ID2), and the ECU (ID3), it is desirable for the CGW 13 to execute processes of generating a security access key of the ECU (ID1), installing write data into the ECU (ID1), generating a security access key of the ECU (ID2), installing write data into the ECU (ID2), generating a security access key of the ECU (ID3), and installing write data into the ECU (ID3) in this order. For example, as illustrated in
When the CGW 13 performs security access to the rewrite target ECU 19 which then permits access thereto, the rewrite target ECU unlocks the security access by receiving a session transition request from the CGW 13, and thus makes write data writable into the flash memory. The session transition request is, for example, a “rewrite session transition request” in a second state illustrated in
For example, when an operation is canceled in the middle of rewriting, leaving an application program of the version 1.0 written in the active bank-A and an application program of the version 2.0 written in the inactive bank, and a campaign notification to the version 2.0 then occurs from this state, it is preferable that only activation is performed without performing installation, and thus the security access process may be omitted.
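The key handling described in (6) above, written out as an added example (this is not code from the page or from the patent's own system). It assumes a constructed per-ECU key bundle standing in for the secure area 78a, a placeholder XOR keystream cipher standing in for the vendor cipher the page does not name, and a made-up rewrite specification layout (a dictionary of ECU ID to encrypted random value). The points it demonstrates are that the key is derived locally from the random value in the specification data, that it is generated immediately before each ECU's write data is installed, and that it is erased as soon as that ECU's rewrite finishes so it never outlives the rewrite.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the secure area 78a: a bundle of per-ECU decryption
# keys indexed by ECU ID. The key values are made up for this example.
SECURE_AREA_KEY_BUNDLE: Dict[str, bytes] = {
    "ID1": hashlib.sha256(b"example-key-ID1").digest(),
    "ID2": hashlib.sha256(b"example-key-ID2").digest(),
    "ID3": hashlib.sha256(b"example-key-ID3").digest(),
}


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Placeholder symmetric cipher (XOR with a SHA-256 counter keystream).
    It stands in for the vendor cipher the page does not name; because XOR is
    its own inverse the same call both encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_spec(random_values: Dict[str, bytes],
              key_bundle: Dict[str, bytes] = SECURE_AREA_KEY_BUNDLE) -> Dict[str, bytes]:
    """Constructed center-side step: place the encrypted random value for each
    rewrite target ECU into the rewrite specification data."""
    return {ecu: keystream_xor(rv, key_bundle[ecu]) for ecu, rv in random_values.items()}


class SecurityAccessKeyManager:
    """Generates a security access key from the random value carried in the
    rewrite specification data (S603) and erases it after rewriting (S612)."""

    def __init__(self, key_bundle: Dict[str, bytes]):
        self._bundle = key_bundle
        self._keys: Dict[str, bytes] = {}  # generated keys, kept only while needed

    def generate(self, ecu_id: str, spec: Dict[str, bytes]) -> bytes:
        # Extract the encrypted random value for this ECU from the spec data and
        # decrypt it with the ECU-specific key held in the secure area.
        if ecu_id not in self._bundle:
            raise KeyError(f"no decryption key for {ecu_id} in secure area")
        key = keystream_xor(spec[ecu_id], self._bundle[ecu_id])
        self._keys[ecu_id] = key
        return key

    def erase(self, ecu_id: str) -> None:
        # Overwrite, then drop, so the key does not linger after the rewrite.
        if ecu_id in self._keys:
            self._keys[ecu_id] = bytes(len(self._keys[ecu_id]))
            del self._keys[ecu_id]

    def live_keys(self) -> List[str]:
        return sorted(self._keys)


def install_in_order(manager: SecurityAccessKeyManager, spec: Dict[str, bytes],
                     order: List[str], install: Callable[[str, bytes], bool]) -> List[str]:
    """Generate each ECU's key immediately before its write data is installed
    and erase it right afterwards, in the order ID1, ID2, ID3 the page prefers.
    `install` is a hypothetical callback that performs security access and
    writes the data, returning True on success."""
    events: List[str] = []
    for ecu_id in order:
        key = manager.generate(ecu_id, spec)
        events.append(f"generate:{ecu_id}")
        ok = install(ecu_id, key)
        events.append(f"install:{ecu_id}:{'ok' if ok else 'fail'}")
        manager.erase(ecu_id)  # S611/S612: erase once this ECU's rewrite is over
        events.append(f"erase:{ecu_id}")
        if not ok:
            break  # stop the sequence; the failed ECU's key is already gone
    return events
```

Because `install_in_order` erases the key on the failure path as well, a cancelled or failed install never leaves a usable key in the gateway's memory.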
(7) Write Data Verification Process
The write data verification process will be described with reference to FIGS. 106 to 114. The vehicle program rewriting system 1 verifies write data in the CGW 13. The CGW 13 may perform the write data verification process described in the present embodiment before acquiring an access permission in (6) the security access key management process, or may perform the write data verification process after acquiring the access permission.
As illustrated in
When a download request for the distribution package from the master device 11 is generated, the center device 3 transmits the distribution package including the write data and the authenticator to the master device 11 in response to the download request. In this case, the write data transmitted from the center device 3 to the master device 11 is ciphertext, and the authenticator transmitted from the center device 3 to the master device 11 is also ciphertext. The authenticator transmitted from the center device 3 to the master device 11 may be plaintext. When the authenticator transmitted from the center device 3 to the master device 11 is plaintext, a decryption process which will be described later is not necessary.
When the distribution package is downloaded from the center device 3, the master device 11 extracts the write data for the rewrite target ECU 19 from the downloaded distribution package, and verifies validity of the write data before distributing the write data to the rewrite target ECU 19. That is, the master device 11 sequentially executes a decryption process, a first verification value calculation process, a second verification value calculation process, a comparison process, and a determination process, and thus verifies the write data. The decryption process is a process of decrypting the authenticator transmitted in the ciphertext. The first verification value calculation process is a process of calculating a first data verification value that is an expected value, from the decrypted authenticator by using the key (key value). The second verification value calculation process is a process of calculating a second data verification value from the write data by using the data verification value calculation algorithm. The comparison process is a process of comparing the first data verification value with the second data verification value. The determination process is a process of determining validity of the write data on the basis of a comparison result in the comparison process.
As illustrated in
Next, an operation of the write data verification unit 79 in the CGW 13 will be described with reference to
When the write data verification process is initiated, the CGW 13 notifies the DCM 12 of a process execution request and thus requests the DCM 12 to execute a process (S701; corresponding to a process execution request procedure). The CGW 13 notifies the DCM 12 of a process execution request for at least any of the decryption process, the first verification value calculation process, the second verification value calculation process, the comparison process, and the determination process. When a process result is acquired from the DCM 12 (S702; corresponding to a process result acquisition procedure), the CGW 13 verifies the write data by using the acquired process result (S703; corresponding to a verification procedure).
Hereinafter, some cases where the CGW 13 notifies the DCM 12 of a process execution request will be exemplified. In an example illustrated in
In an example illustrated in
In the example illustrated in
In an example illustrated in
In a case where there are a plurality of rewrite target ECUs 19, the CGW 13 performs a verification process on write data for two or more of the rewrite target ECUs 19 as follows. In a case where there are a plurality of rewrite target ECUs 19, the CGW 13 has a method of collectively verifying write data for the plurality of rewrite target ECUs 19 and a method of individually verifying write data.
In the method of collectively verifying the write data for a plurality of rewrite target ECUs 19, as illustrated in
In the method of individually verifying the write data of a plurality of rewrite target ECUs 19, as illustrated in
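The verification flow of (7), as an added example that is not code from the page or from the patent's own system. It assumes the authenticator is an HMAC-SHA256 tag over the write data computed by the center device with a key shared with the master device, and that the authenticator is transmitted in plaintext (the page allows this, so the decryption process is skipped). The `DCM` and `CGW` classes, the package layout and the sample write data are all constructed for the example; the CGW requests the first and second verification values from the DCM (S701/S702) and performs the comparison and determination itself (S703). The "collective" method is modelled as a single pass/fail decision for the whole set, which is an assumption since the page does not detail it.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed shared verification key; a real deployment provisions this
# through the secure area, not as a source constant.
VERIFICATION_KEY = hashlib.sha256(b"example-shared-verification-key").digest()


def make_authenticator(write_data: bytes, key: bytes) -> bytes:
    """Center-side: the authenticator is an HMAC-SHA256 tag over the write data."""
    return hmac.new(key, write_data, hashlib.sha256).digest()


def build_package(write_data_by_ecu: Dict[str, bytes], key: bytes) -> Dict[str, Dict[str, bytes]]:
    """Constructed distribution package: one entry per rewrite target ECU."""
    return {ecu: {"write_data": data, "authenticator": make_authenticator(data, key)}
            for ecu, data in write_data_by_ecu.items()}


class DCM:
    """Holds the downloaded package and executes the processes the CGW requests,
    so the CGW needs neither a buffer for the write data nor the hash code."""

    def __init__(self, package: Dict[str, Dict[str, bytes]], key: bytes):
        self._package = package
        self._key = key

    def execute(self, request: str, ecu_id: str):
        entry = self._package[ecu_id]
        if request == "first_verification_value":
            # Expected value: taken from the (plaintext) authenticator.
            return entry["authenticator"]
        if request == "second_verification_value":
            # Recomputed over the stored write data with the shared key.
            return hmac.new(self._key, entry["write_data"], hashlib.sha256).digest()
        if request == "comparison":
            # The DCM can also be asked to run the comparison itself.
            return hmac.compare_digest(self.execute("first_verification_value", ecu_id),
                                       self.execute("second_verification_value", ecu_id))
        raise ValueError(f"unknown process {request}")


class CGW:
    def __init__(self, dcm: DCM):
        self._dcm = dcm

    def verify(self, ecu_id: str) -> bool:
        # S701: request the DCM to run the calculations; S702: acquire results;
        # S703: the CGW performs the comparison and the determination.
        first = self._dcm.execute("first_verification_value", ecu_id)
        second = self._dcm.execute("second_verification_value", ecu_id)
        return hmac.compare_digest(first, second)  # constant-time compare

    def verify_individually(self, ecu_ids: List[str]) -> Dict[str, bool]:
        """One result per ECU: valid write data may still be installed even if
        another ECU's data fails."""
        return {ecu: self.verify(ecu) for ecu in ecu_ids}

    def verify_collectively(self, ecu_ids: List[str]) -> bool:
        """One result for the whole set: any failure blocks all installs."""
        return all(self.verify(ecu) for ecu in ecu_ids)
```

Verification must run over the write data the DCM will actually hand to the CGW, which is why the `DCM` recomputes the second value from its own stored copy rather than from a value the requester supplies.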
As described above, the CGW 13 performs the write data verification process, and thus causes the DCM 12, which downloads a distribution package from the center device 3, to execute at least some of the processes related to verification of the write data. Even though an area for storing write data cannot be allocated or a verification computation program cannot be installed in the CGW 13 or the rewrite target ECU 19, the write data can be appropriately verified before the write data is written to the rewrite target ECU 19.
In the configuration in which the CGW 13 illustrated in
As described above, although the configuration in which the CGW 13 notifies the DCM 12 of the process execution request has been exemplified, for example, in a case where a processing load increases in the DCM 12 and thus a problem occurs in an original process, a navigation apparatus or an ECU other than the rewrite target ECU 19 may be used instead of the DCM 12 to notify the navigation apparatus or the ECU other than the rewrite target ECU 19 of the process execution request.
In a case where the DCM 12 and the CGW 13 are integrated with each other and the integrated device can handle its original processing without causing a problem, the process execution unit may issue the process execution request to itself. For example, the process may be performed between different software components in the same ECU. The above-described invention may be applied to the master device 11 configured as one integrated ECU having the functions of the DCM 12 and the CGW 13. For example, in
As the data verification value, a single value may be calculated for the entire application program, or a plurality of values may be calculated for respective blocks of the application program. When the write data is entire data, the data verification value may also be used for integrity verification after writing of the write data is completed.
Whereas the security access is a method for verifying whether or not the CGW 13 and the rewrite target ECU 19 are connectable, verification of the write data includes the concepts that the center device 3 which is a distribution destination of the write data is approved (connection and mutual authentication through TLS communication), a communication channel for downloading the write data from the center device 3 is approved (communication channel concealment or encryption), the write data downloaded from the center device 3 is not falsified (falsification detection), and the write data downloaded from the center device 3 cannot be falsified (encryption).
The write data at the time of rewriting a new program has been described, but the same applies to write data during rollback at the time of rollback to an old program. In this case, the CGW 13 may verify the write data during rollback at the time of downloading the write data from the center device 3, but may verify the rollback write data immediately before the rollback write data is distributed to the rewrite target ECU 19 when a write cancellation request is generated.
(8) Data Storage Bank Information Transmission Control Process
The data storage bank information transmission control process will be described with reference to
As illustrated in
When the ECU configuration information including the bank information is acquired by the data storage bank information acquisition unit 80a, the data storage bank information transmission unit 80b transmits the acquired bank information from the DCM 12 to the center device 3 as part of the ECU configuration information. The data storage bank information transmission unit 80b may transmit the ECU configuration information to the center device 3 each time the IG switch 42 switches between an ON state and an OFF state, or may transmit the ECU configuration information to the center device 3 in response to a request from the center device 3. The data storage bank information transmission unit 80b may transmit the ECU configuration information including the bank information not only for a double-bank memory ECU and a single-bank suspend memory ECU but also for a single-bank memory ECU.
The rewrite method specifying unit 80c specifies a rewrite method on the basis of an analysis result of rewrite specification data for the CGW 13. The rewrite method indicates a power supply switching method during installation in the rewrite target ECU 19. When the rewrite method is specified by the rewrite method specifying unit 80c, the rewrite method instruction unit 80d instructs the rewrite target ECU 19 to rewrite an application program according to the specified rewrite method. That is, when a rewrite method based on self-retention power is specified by the rewrite method specifying unit 80c, the rewrite method instruction unit 80d instructs the rewrite target ECU 19 to rewrite an application program based on the self-retention power. When a rewrite method based on power supply control is specified by the rewrite method specifying unit 80c, the rewrite method instruction unit 80d instructs the rewrite target ECU 19 to rewrite an application program based on the power supply control without using the self-retention power.
Next, with reference to
When the data storage bank information transmission control process is initiated, the CGW 13 transmits a request for ECU configuration information including the bank information to all of the ECUs 19 (S801), and acquires ECU configuration information including the bank information from all of the ECUs 19 (S802; corresponding to a data storage bank information acquisition procedure). When the ECU configuration information is acquired from each rewrite target ECU 19, the CGW 13 transmits the acquired ECU configuration information to the DCM 12 (S803; corresponding to a data storage bank information transmitting procedure), and waits for write data and rewrite specification data to be acquired from the DCM 12 (S804). Here, in a case where the rewrite target ECU 19 is specified in advance, the CGW 13 may acquire bank information or the like from only the specified rewrite target ECU 19.
When the ECU configuration information is received from the CGW 13, the DCM 12 temporarily stores the received ECU configuration information, and transmits the ECU configuration information to the center device 3 at a timing of transmitting (uploading) the ECU configuration information to the center device 3. When the ECU configuration information is received from the DCM 12, the center device 3 stores and analyzes the received ECU configuration information.
The center device 3 specifies a version of an application program on each bank of each ECU 19 that is a transmission source of the bank information and which bank is an active bank, and specifies write data conforming to the version of the application program and the active bank corresponding to the specified double banks (corresponding to an update data selection procedure). For example, in a case where the bank-A is an active bank, the application program stored in the active bank has the version 2.0, the bank-B is an inactive bank, and the application program stored in the inactive bank has the version 1.0, the center device 3 specifies write data of the version 3.0 for the bank-B as the write data. In a case where the write data is difference data, the center device 3 specifies the difference data for update from the version 1.0 to the version 3.0. When the write data is specified, the center device 3 transmits a distribution package including the specified write data and rewrite specification data to the DCM 12 (corresponding to a distribution package transmission procedure).
The center device 3 may statically select or dynamically generate a distribution package to be transmitted to the DCM 12. In a case where the center device 3 statically selects the distribution package to be transmitted to the DCM 12, the center device manages a plurality of distribution packages in which the write data is stored, selects write data conforming to an inactive bank, selects a distribution package in which the selected write data is stored from among the plurality of distribution packages, and transmits the selected distribution package to the DCM 12. In a case where the center device 3 dynamically generates a distribution package to be transmitted to the DCM 12, when write data conforming to the inactive bank is specified, the center device generates a distribution package in which the specified write data is stored and transmits the generated distribution package to the DCM 12.
When the distribution package is downloaded from the center device 3, the DCM 12 extracts the write data and the rewrite specification data from the downloaded distribution package, and transfers the extracted write data and rewrite specification data to the CGW 13.
When it is determined that the write data and the rewrite specification data are acquired from the DCM 12 (S804: YES), the CGW 13 analyzes the acquired rewrite specification data (S805), and determines a rewrite method for the rewrite target ECU 19 on the basis of an analysis result of the rewrite specification data (S806 and S807).
When it is determined that the rewrite method is a rewrite method using self-retention power (S806: YES), the CGW 13 transmits a write data acquisition request to the DCM 12 on the condition of being in an installable vehicle condition, acquires the write data from the DCM 12, distributes the acquired write data to the rewrite target ECU 19, rewrites the application program by using self-retention power (S808), and finishes the data storage bank information transmission control process. The method of rewriting the application program by using the self-retention power is the same as described in (b) Case where application program is rewritten by using self-retention power with reference to
When it is determined that a rewrite method is rewriting based on power supply control (S807: YES), the CGW 13 transmits a write data acquisition request to the DCM 12 on the condition that the vehicle is parked, acquires write data from the DCM 12, distributes the acquired write data to the rewrite target ECU 19, rewrites the application program by using the power supply control (S809), and finishes the data storage bank information transmission control process. The method of rewriting the application program by using the power supply control is the same as described in (a) Case where application program is rewritten by using power supply control with reference to
As described above, the CGW 13 performs the data storage bank information transmission control process, and thus notifies the center device 3 of ECU configuration information including bank information, and downloads a distribution package including write data conforming to the ECU configuration information from the center device 3 to the DCM 12. The CGW 13 acquires write data conforming to the bank information from the DCM 12 and distributes the write data to the rewrite target ECU 19. In a case where an ECU 19 equipped with a flash memory having double data storage banks is a rewrite target, an application program can be appropriately rewritten.
As an aspect in which the center device 3 distributes the distribution package, there are the following first to third distribution aspects. In the first distribution aspect, the center device 3 distributes a single distribution package storing, for example, write data of the version 2.0 for the bank-A and write data of the version 2.0 for the bank-B. The DCM 12 extracts the write data of the version 2.0 for the bank-A and the write data of the version 2.0 for the bank-B from the distribution package downloaded from the center device 3, and transfers the extracted write data to the CGW 13. When the write data of the version 2.0 for the bank-A and the write data of the version 2.0 for the bank-B are transferred from the DCM 12, the CGW 13 selects one of the two pieces of write data and distributes the selected write data to the rewrite target ECU 19. That is, there is a configuration in which write data corresponding to each data storage bank is included in a distribution package, and rewrite data suitable for the rewrite target ECU 19 is selected in the master device 11.
In the second distribution aspect, the center device 3 selects and distributes either a distribution package storing write data of the version 2.0 for the bank-A or a distribution package storing write data of the version 2.0 for the bank-B, for example. The DCM 12 extracts the write data from the distribution package downloaded from the center device 3 and transfers the extracted write data to the CGW 13. The CGW 13 distributes the write data transferred from the DCM 12 to the rewrite target ECU 19. That is, there is a configuration in which the center device 3 selects a distribution package including inactive bank write data on the basis of bank information uploaded from the DCM 12.
In the third distribution aspect, the center device 3 distributes a distribution package storing, for example, write data of the version 2.0 shared by the bank-A and the bank-B. The DCM 12 extracts the write data of the version 2.0 shared by the bank-A and the bank-B from the distribution package downloaded from the center device 3, and transfers the extracted write data to the CGW 13. The CGW 13 distributes the write data of the version 2.0 shared by the bank-A and the bank-B transferred from the DCM 12 to the rewrite target ECU 19. When the write data of the version 2.0 shared by the bank-A and the bank-B is received from the CGW 13, the rewrite target ECU 19 writes the received write data to either the bank-A or the bank-B. In this case, when an application program is executed in the rewrite target ECU 19, an address resolution function of the microcomputer works, so that the rewrite target ECU 19 operates appropriately regardless of whether the write data is written to the bank-A or the bank-B. That is, the microcomputer of the rewrite target ECU 19 resolves the difference between execution addresses caused by the difference between the banks, such that the center device 3 and the master device 11 can operate without being aware of the banks.
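The update data selection procedure (the version 2.0 active bank-A, version 1.0 inactive bank-B, version 3.0 target example above) together with the three distribution aspects, as an added example that is not code from the page or from the patent's own system. The catalogue layout, the bank information dictionary and the placeholder byte values are all constructed for this example; the page only fixes the decision logic: write data is chosen for the inactive bank, difference data is keyed on the version currently in that bank, and in the first aspect the master device rather than the center picks between the two bank images.

```python
from typing import Dict, Optional

# Constructed catalogue of write data held by the center device. Full images are
# keyed by (bank, version); difference data by (bank, from_version, to_version).
CATALOG = {
    "full": {
        ("A", "3.0"): b"full-A-3.0",
        ("B", "3.0"): b"full-B-3.0",
        ("shared", "3.0"): b"full-shared-3.0",  # bank-independent image (aspect 3)
    },
    "difference": {
        ("B", "1.0", "3.0"): b"diff-B-1.0-3.0",
        ("A", "2.0", "3.0"): b"diff-A-2.0-3.0",
    },
}


def inactive_bank(config: Dict) -> str:
    """Bank information uploaded via the DCM names the active bank and the
    version held in each bank; the inactive bank is the one to be written."""
    return "B" if config["active_bank"] == "A" else "A"


def select_write_data(config: Dict, target_version: str, catalog: Dict,
                      use_difference: bool = True) -> Optional[Dict]:
    """Update data selection procedure on the center device. Returns the write
    data that fits the inactive bank and its current version, preferring
    difference data when available, or None when nothing needs installing."""
    bank = inactive_bank(config)
    current = config["versions"][bank]
    if current == target_version:
        return None  # inactive bank already holds the target version
    if use_difference:
        diff = catalog["difference"].get((bank, current, target_version))
        if diff is not None:
            return {"bank": bank, "kind": "difference", "from": current,
                    "to": target_version, "data": diff}
    full = catalog["full"].get((bank, target_version))
    if full is not None:
        return {"bank": bank, "kind": "full", "from": current,
                "to": target_version, "data": full}
    return None  # catalogue has nothing that fits this bank/version pair


def build_distribution_package(aspect: int, config: Dict, target_version: str,
                               catalog: Dict) -> Dict[str, bytes]:
    """The three distribution aspects from the page. Aspect 1 ships one image
    per bank and lets the master device choose; aspect 2 ships only the image
    for the inactive bank; aspect 3 ships one bank-independent image."""
    if aspect == 1:
        return {"A": catalog["full"][("A", target_version)],
                "B": catalog["full"][("B", target_version)]}
    if aspect == 2:
        sel = select_write_data(config, target_version, catalog, use_difference=False)
        return {sel["bank"]: sel["data"]} if sel else {}
    if aspect == 3:
        return {"shared": catalog["full"][("shared", target_version)]}
    raise ValueError("aspect must be 1, 2 or 3")


def master_select(package: Dict[str, bytes], config: Dict) -> bytes:
    """Master device (CGW) side: pick the write data to distribute to the
    rewrite target ECU. For aspect 1 this is where the bank choice is made."""
    if "shared" in package:
        return package["shared"]
    return package[inactive_bank(config)]
```

With the catalogue above, an ECU whose active bank-A holds 2.0 and inactive bank-B holds 1.0 gets the 1.0-to-3.0 difference data for bank-B; the same ECU with the banks swapped gets the 2.0-to-3.0 difference for bank-A, because the selection keys on the version actually sitting in the inactive bank.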
The ECU configuration information including the bank information transmitted from the CGW 13 to the center device 3 via the DCM 12 may include not only information for specifying a version of an application program and an active bank corresponding to the double banks but also vehicle specifying information, system specifying information, ECU specifying information, usage environment information, and the like.
The vehicle specifying information is unique information for specifying a vehicle that is a distribution destination of a distribution package, and is, for example, a vehicle identification number (VIN). In vehicles that fall under the on-board diagnostics (OBD) regulations, a VIN can be used in accordance with provisions of the OBD regulations, but in vehicles that do not fall under the OBD Regulations, such as EV vehicles, the VIN is not available, and thus individual vehicle identification information may be used instead of the VIN.
The system specifying information is unique information for identifying the type of reprogramming system. The CGW 13 can perform wireless rewriting for a system in which wired rewriting using diagnosis communication managed by the CGW can be performed, but cannot perform wireless rewriting for other individual systems. That is, this is because the system updates a program that is acquired in a wireless manner by using an update mechanism of a program acquired in a wired manner. Thus, it is necessary for the center device 3 to determine which distribution package is to be distributed to which system, and it is possible to manage which system is mounted on the vehicle by using the system specifying information. The center device 3 can determine a rewrite method for each system, a rewrite order in a case where a plurality of systems are rewrite targets, and the like by determining the system specifying information.
The ECU specifying information is unique information for specifying the rewrite target ECU 19, and is information including a software version for uniquely specifying the rewrite target ECU 19 and the application program written in the rewrite target ECU 19, and a hardware version. The ECU specifying information also corresponds to an ECU part number. In a case where the latest software is written with entire data, only the hardware version is required. It is also possible to define information that can be specified by an application program, such as a specification version or a configuration version, and to further define a microcomputer ID, a sub-microcomputer ID, a flash ID, a software child version, a software grandchild version, and the like.
The usage environment information is unique information for specifying an environment in which the user uses the vehicle. When the usage environment information is transmitted from the CGW 13 to the center device 3 via the DCM 12, the center device 3 can distribute an application program suitable for the environment in which the user uses the vehicle. It is thus possible to distribute application programs suited to how users drive; for example, application programs specialized for acceleration are distributed to users who prefer sudden acceleration from a stop, and application programs that are inferior in acceleration performance but specialized for eco-driving are distributed to users who prefer eco-driving.
As described above, the case has been described in which the flash memory is mounted on the microcomputer of the rewrite target ECU 19; in a case where an external memory is connected to the microcomputer of the rewrite target ECU 19, the external memory is treated in the same way as a double-bank memory, and write data is written by dividing a write area of the external memory into two areas. In a case where the flash memory is mounted on the microcomputer of the rewrite target ECU 19 and the external memory is connected, a program stored in the external memory may be temporarily copied to a memory of the microcomputer in some cases. Since the external memory is generally also used as a storage area for an operation log of the ECU, it is desirable to stop storing the operation log when writing of write data to the external memory is initiated, and to resume storing the operation log when writing of the write data to the external memory has been completed.
The same applies to a case of rewriting map data because there is a concept of double banks and a version not only in a case of rewriting an application program but also in a case of data having the property of being updated one by one, such as the map data.
(9) Non-Rewrite Target Power Supply Management Process
The power supply management process for the non-rewrite target ECU 19 will be described with reference to
As illustrated in
The state transition control unit 81c can cause a state of the ECU 19 to transition, and causes the ECU 19 in a stop state or a sleep state to transition to a start state (wake-up state), or causes the ECU 19 in the start state to transition to the stop state or the sleep state. The state transition control unit 81c causes the ECU 19 in a normal operating state to transition to a power saving operating state or causes the ECU 19 in the power saving operating state to transition to the normal operating state. When it is determined by the installability determination unit 81b that the installation is feasible, the state transition control unit 81c controls at least one non-rewrite target ECU 19 to be in the stop state, the sleep state, or the power saving operating state. The rewrite order specifying unit 81d specifies a rewrite order of the rewrite target ECU 19 on the basis of the analysis result of the rewrite specification data.
Next, an operation of the power supply management unit 81 for the non-rewrite target ECU 19 in the CGW 13 will be described with reference to
When the power supply management process for the non-rewrite target ECU 19 is initiated, the CGW 13 specifies the rewrite target ECU 19 and the non-rewrite target ECU 19 on the basis of an analysis result of the CGW rewrite specification data (S901), and specifies a rewrite order of one or more rewrite target ECUs 19 on the basis of the analysis result of the rewrite specification data (S902). When the CGW 13 determines whether or not write data can be written (S903; corresponding to a writability determination procedure) and determines that the write data can be written (S903: YES), the CGW transmits a power-off request (stop request) to the non-rewrite target ECU 19 of the ACC system and the non-rewrite target ECU 19 of the IG system, and thus causes the non-rewrite target ECU 19 of the ACC system and the non-rewrite target ECU 19 of the IG system to transition from the start state to the stop state (S904; corresponding to a state transition control procedure).
When the CGW 13 determines whether or not transmission of the power-off request to all of the corresponding ECUs 19 has been completed (S905), and determines that transmission of the power-off request to all of the corresponding ECUs 19 has been completed (S905: YES), the CGW transmits a sleep request to the non-rewrite target ECU 19 of the +B power system, and thus causes the non-rewrite target ECU 19 of the +B power system to transition from the start state to the sleep state (S906; corresponding to a state transition control procedure).
When the CGW 13 determines whether or not transmission of the sleep request to all of the corresponding ECUs 19 has been completed (S907), and determines that the transmission of the sleep request to all of the corresponding ECUs 19 has been completed (S907: YES), the CGW determines whether or not rewriting of an application program in all of the rewrite target ECUs 19 has been completed (S908). When it is determined that rewriting of the application program has been completed in all of the rewrite target ECUs 19 (S908: YES), the CGW 13 finishes the power supply management process for the non-rewrite target ECU 19. When it is determined that rewriting of the application program is not completed in all of the rewrite target ECUs 19 (S908: NO), the CGW 13 returns to step S904, and repeatedly performs step S904 and the subsequent steps.
In a case where there are a plurality of rewrite target ECUs 19, the CGW 13 may individually cause states of the plurality of rewrite target ECUs 19 to transition, or may collectively cause the states of the plurality of rewrite target ECUs 19 to transition. That is,
First, a description will be made of a case where the CGW 13 individually causes states of a plurality of rewrite target ECUs 19 to transition with reference to
The CGW 13 causes all of the ECU (ID1), ECU (ID2), and ECU (ID3) to transition from the stop state or the sleep state to the start state. The CGW 13 maintains the first rewrite target ECU (ID1) to be in the start state, causes the ECU (ID2) and the ECU (ID3) to transition from the start state to the stop state or the sleep state, and distributes the write data to the ECU (ID1). When the distribution of the write data to the ECU (ID1) has been completed, the CGW 13 causes the ECU (ID1) to transition from the start state to the stop state or the sleep state, causes the second rewrite target ECU (ID2) to transition from the stop state or the sleep state to the start state, maintains the ECU (ID3) to be in the stop state or the sleep state, and distributes the write data to the ECU (ID2).
When the distribution of the write data to the ECU (ID2) has been completed, the CGW 13 maintains the ECU (ID1) to be in the stop state or the sleep state, causes the ECU (ID2) to transition from the start state to the stop state or the sleep state, causes the third rewrite target ECU (ID3) to transition from the stop state or the sleep state to the start state, and distributes the write data to the ECU (ID3). When the distribution of the write data to the ECU (ID3) has been completed, the CGW 13 maintains the ECU (ID1) and the ECU (ID2) to be in the stop state or the sleep state, and causes the ECU (ID3) to transition from the start state to the stop state or the sleep state. As mentioned above, the CGW 13 controls only the ECU 19 that is a current rewrite target among the plurality of the rewrite target ECUs 19 to be in the start state.
Next, a description will be made of a case where the CGW 13 collectively causes states of a plurality of rewrite target ECUs 19 to transition with reference to
The CGW 13 causes all of the ECU (ID1), ECU (ID2), and ECU (ID3) to transition from the stop state or the sleep state to the start state. The CGW 13 maintains all of the ECU (ID1), ECU (ID2), and ECU (ID3) to be in the start state and distributes the write data to the ECU (ID1). When the distribution of the write data to the ECU (ID1) has been completed, the CGW 13 distributes the write data to the ECU (ID2). When the distribution of the write data to the ECU (ID2) has been completed, the CGW 13 distributes the write data to the ECU (ID3). When the distribution of the write data to the ECU (ID3) has been completed, the CGW 13 causes all of the ECU (ID1), ECU (ID2), and ECU (ID3) to transition from the start state to the stop state or the sleep state. As mentioned above, the CGW 13 keeps all of the plurality of rewrite target ECUs 19 in the start state until installation has been completed in all of the rewrite target ECUs. Here, the CGW 13 may simultaneously distribute write data to the ECU (ID1), the ECU (ID2), and the ECU (ID3) in parallel.
In a case where the rewrite target ECU 19 rewrites an application program during parking, a voltage supplied to the rewrite target ECU 19 is not necessarily in a stable environment, and there is concern that exhaustion of the vehicle battery 40 may occur during the rewriting of the application program. Particularly, where there are a plurality of rewrite target ECUs 19, the time required for rewriting the application program increases, and thus there is a high probability that exhaustion of the vehicle battery 40 may occur during rewriting of the application program. In relation to this fact, the non-rewrite target ECU 19 is brought into the stop state or the sleep state as described above, and thus a situation in which a remaining battery charge of the vehicle battery 40 becomes insufficient during rewriting of a program is prevented in advance. The ECU 19 that is not a current rewrite target among the rewrite target ECUs 19 is brought into the stop state or the sleep state, and thus power consumption can be further reduced.
The above description relates to a case where an application program of the rewrite target ECU 19 is rewritten during parking, and a description will be made of a case where an application program of the rewrite target ECU 19 is rewritten while the vehicle is traveling. In a case where the rewrite target ECU 19 rewrites the application program while the vehicle is traveling, a voltage supplied to the rewrite target ECU 19 is in a stable environment, and thus there is no concern that exhaustion of the vehicle battery 40 may occur during the rewriting of the application program, but a remaining battery charge of the vehicle battery 40 may be small. In light of such circumstances, it is desirable to cause the ECU 19 that does not need to perform an operation to transition to the stop state or the sleep state while the vehicle is traveling. As illustrated in
The CGW 13 monitors a remaining battery charge of the vehicle battery 40, and performs the above-described non-rewrite target power supply management process. Here, a remaining battery charge monitoring process will be described with reference to
When it is determined that the remaining battery charge is equal to or more than the first predetermined capacity (S912: YES), the CGW 13 maintains the non-rewrite target ECU 19 to be in the start state, and continues the distribution of the write data to the rewrite target ECU 19 (S915). When it is determined that the remaining battery charge is less than the first predetermined capacity and is equal to or more than the second predetermined capacity (S913: YES), the CGW 13 causes an ECU that does not need to perform an operation during traveling among the non-rewrite target ECUs 19 to transition to the stop state or the sleep state, and continues the distribution of the write data to the rewrite target ECU 19 (S916). When it is determined that the remaining battery charge is less than the second predetermined capacity (S914: YES), the CGW 13 determines whether or not rewriting can be stopped (S917).
When it is determined that rewriting can be stopped (S917: YES), the CGW 13 stops the distribution of the write data (S918). When it is determined that rewriting cannot be stopped (S917: NO), the CGW 13 causes all ECUs among the non-rewrite target ECUs 19 that can transition to the stop state or the sleep state to transition to the stop state or the sleep state (S919).
The CGW 13 determines whether or not rewriting has been completed (S920). When it determines that rewriting is not completed (S920: NO), the CGW 13 returns to step S911 and repeatedly performs step S911 and the subsequent steps. When it is determined that the rewriting has been completed (S920: YES), the CGW 13 causes the rewrite target ECU 19 in the stop state or the sleep state to transition to the start state (S921), and finishes the remaining battery charge monitoring process. Here, values of the first predetermined capacity and the second predetermined capacity may be stored in advance by the CGW 13, or values designated by rewrite specification data may be used.
In the step S919, the CGW 13 may exclude the ECU 19 having a specific function such as an alarm function from targets that transition to the stop state or the sleep state, and may cause the non-rewrite target ECU 19 to transition from the start state to the stop state or the sleep state except the ECU 19 having the specific function. In a case where the rewrite target ECU 19 can execute application control while an application program is being rewritten, the CGW 13 may bring the non-rewrite target ECU 19 into the stop state or the sleep state except the ECU 19 that can communicate with the rewrite target ECU 19. The CGW 13 may cause the rewrite target ECU 19 to transition from the stop state or the sleep state to the start state in a case where rewrite conditions are established when all the ECUs 19 are in the stop state or the sleep state, for example, when a vehicle position becomes a predetermined position or the present time reaches a predetermined time.
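The decision logic of steps S911 to S919, including the S919 exclusion of ECUs with a specific function such as an alarm, written out as an added example. This is not code from the patent or from any vehicle manufacturer; the ECU record fields, the percentage thresholds and the sample fleet are constructed assumptions standing in for what the CGW 13 would read from the rewrite specification data.

```c
#include <stddef.h>
#include <stdio.h>

/* Power state of one ECU as tracked by the CGW. */
typedef enum { ECU_STATE_START, ECU_STATE_STOP_OR_SLEEP } ecu_state;

/* Constructed per-ECU record; the flags are assumed field names standing in for
 * what the CGW would read from the rewrite specification data. */
typedef struct {
    int id;
    int rewrite_target;          /* 1 = currently receiving write data */
    int needed_while_traveling;  /* 1 = must keep operating while the vehicle travels */
    int protected_function;      /* 1 = e.g. alarm function, excluded at S919 */
    ecu_state state;
} ecu_record;

/* Outcome of one monitoring cycle. */
typedef enum {
    MONITOR_CONTINUE,            /* keep distributing write data (S915, S916, S919) */
    MONITOR_STOP_DISTRIBUTION    /* stop distribution, charge is critical (S918) */
} monitor_action;

/* Thresholds: stored in advance by the CGW or taken from rewrite specification data. */
typedef struct {
    unsigned first_capacity_pct;   /* below this: sleep ECUs not needed while traveling */
    unsigned second_capacity_pct;  /* below this: stop rewriting if that is possible */
} battery_thresholds;

/* One pass of steps S911-S919 for a given remaining charge (percent). */
monitor_action battery_monitor_step(ecu_record *ecus, size_t n, unsigned remaining_pct,
                                    const battery_thresholds *th, int rewrite_can_stop)
{
    size_t i;

    if (remaining_pct >= th->first_capacity_pct) {
        /* S912: YES -> keep every non-rewrite target ECU in the start state (S915). */
        for (i = 0; i < n; i++)
            if (!ecus[i].rewrite_target)
                ecus[i].state = ECU_STATE_START;
        return MONITOR_CONTINUE;
    }

    if (remaining_pct >= th->second_capacity_pct) {
        /* S913: YES -> sleep only non-rewrite targets not needed while traveling (S916). */
        for (i = 0; i < n; i++)
            if (!ecus[i].rewrite_target && !ecus[i].needed_while_traveling)
                ecus[i].state = ECU_STATE_STOP_OR_SLEEP;
        return MONITOR_CONTINUE;
    }

    /* S914: YES -> remaining charge is below the second predetermined capacity. */
    if (rewrite_can_stop)
        return MONITOR_STOP_DISTRIBUTION;          /* S917: YES -> S918 */

    /* S917: NO -> S919: sleep every non-rewrite target that may sleep, keeping
     * ECUs with a protected function (alarm etc.) in the start state. */
    for (i = 0; i < n; i++)
        if (!ecus[i].rewrite_target && !ecus[i].protected_function)
            ecus[i].state = ECU_STATE_STOP_OR_SLEEP;
    return MONITOR_CONTINUE;
}

/* Number of ECUs currently in the stop or sleep state. */
size_t count_sleeping(const ecu_record *ecus, size_t n)
{
    size_t c = 0, i;
    for (i = 0; i < n; i++)
        if (ecus[i].state == ECU_STATE_STOP_OR_SLEEP) c++;
    return c;
}

/* Constructed sample fleet: ID1 is the rewrite target, ID4 has an alarm function. */
size_t make_sample_fleet(ecu_record *out, size_t cap)
{
    static const ecu_record sample[4] = {
        {1, 1, 0, 0, ECU_STATE_START},  /* rewrite target */
        {2, 0, 1, 0, ECU_STATE_START},  /* needed while traveling (travel system) */
        {3, 0, 0, 0, ECU_STATE_START},  /* may sleep while traveling */
        {4, 0, 1, 1, ECU_STATE_START},  /* alarm function: never put to sleep at S919 */
    };
    size_t i;
    for (i = 0; i < 4 && i < cap; i++) out[i] = sample[i];
    return i;
}

int main(void)
{
    ecu_record fleet[4];
    size_t n = make_sample_fleet(fleet, 4);
    battery_thresholds th = {60, 30};
    unsigned charge[] = {80, 45, 20};
    size_t k;
    for (k = 0; k < 3; k++) {
        monitor_action a = battery_monitor_step(fleet, n, charge[k], &th, 0);
        printf("charge %u%%: action=%d sleeping=%zu\n", charge[k], (int)a, count_sleeping(fleet, n));
    }
    return 0;
}
```

Running the cycle with falling charge shows the escalation the page describes: nothing sleeps above the first capacity, only the ECU not needed while traveling sleeps between the two capacities, and below the second capacity either distribution stops or every non-protected non-target sleeps while the alarm ECU stays up.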
The CGW 13 may group the rewrite target ECUs 19 or the non-rewrite target ECUs 19 on the basis of any of start power (a +B power ECU, an ACC ECU, or an IG ECU), a domain group (a body system, a travel system, or a multimedia system), and a synchronization timing, and may bring the rewrite target ECU 19 into the start state in the group unit, or may bring the non-rewrite target ECU 19 into the stop state or sleep state in the group unit.
The CGW 13 may be configured to control the power supply in the bus unit. That is, when it is determined that all of the ECUs 19 connected to a specific bus are the non-rewrite target ECUs 19, the CGW 13 may turn off power of the specific bus to cause all of the non-rewrite target ECUs 19 connected to the specific bus to transition to the stop state or the sleep state.
As described above, the CGW 13 performs the non-rewrite target power supply management process, and thus brings at least one non-rewrite target ECU 19 into the stop state, the sleep state, or the power saving operating state when it is determined that installation can be performed in the rewrite target ECU 19. It is possible to prevent a situation in which a remaining battery charge of the vehicle battery 40 becomes insufficient during rewriting of an application program. Since the non-rewrite target ECU 19 is brought into the stop state, the sleep state, or the power saving operating state, it is possible to suppress an increase in communication loads.
(10) File Transfer Control Process
The file transfer control process will be described with reference to
As illustrated in
When the transfer target file is specified by the transfer target file specifying unit 82a, the first data size specifying unit 82b specifies a first data size for acquiring the transfer target file. When the transfer target file is specified by the transfer target file specifying unit 82a, the acquisition information specifying unit 82c specifies an address as acquisition information for acquiring the transfer target file. In the present embodiment, the address is specified as the acquisition information for acquiring the transfer target file, but, as long as the acquisition information is used for acquiring the transfer target file, not only an address but also a file name or an ECU (ID) may be used. The second data size specifying unit 82d specifies a second data size for distributing write data to the rewrite target ECU 19. That is, the first data size is a data transfer size from the DCM 12 to the CGW 13, and the second data size is a data transfer size from the CGW 13 to the rewrite target ECU 19.
When the address is specified by the acquisition information specifying unit 82c and the first data size is specified by the first data size specifying unit 82b, the divided file transfer request unit 82e designates the address and the first data size in the DCM 12, and requests the DCM 12 to transfer a divided file. For example, in a case where a data amount of a write file to be distributed to the ECU (ID1) is 1 M bytes, the divided file transfer request unit 82e requests that the write data is transferred from the address of 0x10000000 every 1 k bytes.
Next, an operation of the file transfer control unit 82 in the CGW 13 will be described with reference to
When it is determined that an unpackaging completion notification signal is received from the DCM 12, the CGW 13 initiates the file transfer control process. As illustrated in
When the CGW rewrite specification data is acquired from the DCM 12, the CGW 13 analyzes the acquired CGW rewrite specification data (S1003), and specifies a transfer target file on the basis of an analysis result of the rewrite specification data (S1004; corresponding to a transfer target file specifying procedure). The CGW 13 specifies an address corresponding to the transfer target file (S1005; corresponding to an acquisition information specifying procedure), and specifies the first data size corresponding to the transfer target file (S1006; corresponding to a first data size specifying procedure). The CGW 13 transmits the specified address and data size to the DCM 12 in accordance with the provisions of Service Identifier (SID) 35, designates the address and the data size in a memory area, and requests the DCM 12 to transfer a divided file (S1007).
When the address and the data size are received from the CGW 13, the DCM 12 analyzes the DCM rewrite specification data, and transfers a file corresponding to the address and the data size to the CGW 13 as the divided file. The CGW 13 acquires the divided file due to transfer of the divided file from the DCM 12 (S1008). In this case, the CGW 13 may store the acquired file into a RAM and then store the acquired file into a flash memory.
The CGW 13 determines whether or not acquisition of all divided files to be acquired has been completed (S1009). For example, in a case where a data amount of a write file to be distributed to the ECU (ID1) is 1 M bytes, the CGW 13 acquires a divided file every 1 k bytes and determines whether or not acquisition of the data amount of 1 M byte has been completed by repeating the acquisition of the divided file every 1 k bytes. When it is determined that acquisition of all divided files to be acquired is not completed (S1009: NO), the CGW 13 returns to step S1004 and repeatedly performs step S1004 and the subsequent steps. When it is determined that acquisition of all of the files to be acquired has been completed (S1009: YES), the CGW 13 finishes the file transfer control process. In a case where there are a plurality of rewrite target ECUs 19, the CGW 13 repeatedly performs the file transfer control process on each rewrite target ECU 19.
That is, for example, in a case where the rewrite target ECUs 19 are the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 performs the file transfer control process on the ECU (ID2) when distribution of write data to the ECU (ID1) has been completed, and performs the file transfer control process on the ECU (ID3) when distribution of write data to the ECU (ID2) has been completed. The CGW 13 may sequentially perform the transfer control process on a plurality of rewrite target ECUs 19, and may perform the transfer control process in parallel.
In this case, as illustrated in
Subsequently, the CGW 13 similarly designates the ECU (ID1) as a transfer target of write data, designates the address “2000” and the data size “1 k bytes”, and acquires a divided file including write data of the ECU (ID1) stored at the addresses “2000” to “2999” from the DCM 12. When the divided file is acquired from the DCM 12, the CGW 13 distributes the write data included in the divided file to the ECU (ID1). The CGW 13 repeatedly acquires the divided file every 1 k bytes from the DCM 12 until writing of all pieces of write data to the ECU (ID1) is completed, and repeatedly distributes the write data included in the divided file to the ECU (ID1). That is, when the write data of 1 k bytes is acquired from the DCM 12, the CGW 13 transmits the write data of 1 k bytes to the rewrite target ECU 19, and acquires the next write data of 1 k bytes from the DCM 12 when transmission to the rewrite target ECU 19 has been completed. The CGW 13 repeatedly performs these processes until writing of all pieces of write data is complete.
When writing of the write data in the ECU (ID1) is normally completed, the CGW 13 designates the ECU (ID2) as a transfer target of write data, designates the address “4000” and the data size “1 k bytes”, and acquires a divided file including write data of the ECU (ID2) stored at the addresses “4000” to “4999” from the DCM 12. When the divided file is acquired from the DCM 12, the CGW 13 distributes the write data included in the divided file to the ECU (ID2).
When writing of the write data in the ECU (ID2) is normally completed, the CGW 13 designates the ECU (ID3) as a transfer target of write data, designates the address “7000” and the data size “1 k bytes”, and acquires a divided file including write data of the ECU (ID3) stored at the addresses “7000” to “7999” from the DCM 12. When the divided file is acquired from the DCM 12, the CGW 13 distributes the write data included in the divided file to the ECU (ID3).
As described above, the CGW 13 performs the file transfer control process, and thus specifies a transfer target file on the basis of an analysis result of rewrite specification data, and specifies an address and a data size corresponding to the transfer target file. The CGW 13 designates the address and the data size in the DCM 12, requests the DCM 12 to transfer a divided file obtained by dividing the transfer target file, and acquires the divided file from the DCM 12. Consequently, it is possible to distribute write data to the ECU 19 while storing a large volume of write data in the memory of the DCM 12. That is, the CGW 13 does not need to prepare a memory for storing a large volume of a file, and thus the memory capacity of the CGW 13 can be reduced.
Here, a description will be made of a relationship between a data amount of a divided file transferred from the DCM 12 to the CGW 13 and a data amount of a write file distributed from the CGW 13 to the rewrite target ECU 19. In the above example, as illustrated in
That is, for example, when the rewrite target ECU 19 has a specification of receiving the write data in 4 k bytes for the reason of CAN communication, the CGW 13 distributes a data amount of a write file to the rewrite target ECU 19 in the unit of 4 k bytes. In this case, when a data amount of the divided file transferred from the DCM 12 to the CGW 13 is 1 k bytes, the CGW 13 acquires four divided files from the DCM 12 and then distributes 4 k bytes to the rewrite target ECU 19. That is, a data amount of a divided file transferred from the DCM 12 to the CGW 13 is smaller than a data amount of a write file distributed from the CGW 13 to the rewrite target ECU 19. In such a relationship, in the CGW 13, it is possible to acquire a divided file from the DCM 12 and distribute write data to the rewrite target ECU 19 in parallel while suppressing an increase in a memory capacity.
That is, when a data amount of a divided file transferred from the DCM 12 to the CGW 13 is 4 k bytes, a memory capacity of the CGW 13 is required to be set to 8 k bytes in order to acquire the divided file from the DCM 12 and distribute write data to the rewrite target ECU 19 in parallel. A data amount of the divided file transferred from the DCM 12 to the CGW 13 is set to 1 k bytes, and thus it is possible to acquire the divided file from the DCM 12 and distribute write data to the rewrite target ECU 19 in parallel without changing the memory capacity of the CGW 13 to 8 k bytes. For example, the memory capacity of the CGW 13 is allocated to 5 k bytes, and the CGW 13 acquires the next 1 k bytes from the DCM 12 while distributing 4 k bytes acquired from the DCM 12 to the rewrite target ECU 19. The CGW 13 further acquires the next 1 k bytes from the DCM 12 after the distribution of 4 k bytes to the rewrite target ECU 19 is completed.
On the other hand, for example, when the rewrite target ECU 19 has a specification of receiving the write data in 128 bytes for the reason of CAN communication, the CGW 13 distributes the write data to the rewrite target ECU 19 in 128 bytes. In this case, when a data amount of a divided file transferred from the DCM 12 to the CGW 13 is 1 k bytes, the CGW 13 acquires a single divided file from the DCM 12 and then distributes 128 bytes to the rewrite target ECU 19 at a time. That is, a data amount of the divided file transferred from the DCM 12 to the CGW 13 is larger than a data amount of the write file distributed from the CGW 13 to the rewrite target ECU 19. For example, a memory capacity of the CGW 13 is allocated to 2 k bytes, and the CGW 13 acquires the next 1 k bytes from the DCM 12 while distributing 1 k bytes acquired from the DCM 12 to the rewrite target ECU 19 in the unit of 128 bytes. The CGW 13 further acquires the next 1 k bytes from the DCM 12 after eight distributions of 128 bytes to the rewrite target ECU 19 have been completed.
In the above-described way, a data amount of a divided file transferred from the DCM 12 to the CGW 13 may be set to a fixed value (for example, 1 k bytes), and a data amount of a write file distributed from the CGW 13 to the rewrite target ECU 19 may be set to a variable value in accordance with a specification of the rewrite target ECU 19. The CGW 13 may determine an amount of data to be distributed to the rewrite target ECU 19 by using a data transfer size of each ECU specified in the rewrite specification data, for example.
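The file transfer control loop (steps S1004 to S1009) and the memory relationship discussed in the preceding paragraphs can be checked with a small simulation. The following is an added example, not code from the patent or from any gateway implementation: it models the CGW as pulling divided files of a fixed size from the DCM, prefetching the next divided file while the data already held is distributed to the rewrite target ECU in the ECU's own unit size, and reports the peak number of bytes the CGW must hold. The function and field names are assumptions; the 1 M byte file, 1 k byte divided file and 4 k / 128 byte ECU units are the page's own figures.

```c
#include <stddef.h>
#include <stdio.h>

/* Statistics of one simulated transfer of a write file to one rewrite target ECU. */
typedef struct {
    size_t peak_buffer;    /* highest number of bytes held in the CGW at once */
    size_t dcm_requests;   /* divided-file transfers requested from the DCM */
    size_t ecu_frames;     /* write-data units distributed to the rewrite target ECU */
    size_t bytes_written;  /* total bytes delivered to the ECU */
} transfer_stats;

/* Simulate the CGW transfer loop: fetch_unit is the first data size (DCM -> CGW),
 * send_unit is the second data size (CGW -> ECU). The CGW prefetches one divided
 * file while distributing what it already holds, as described on the page. */
transfer_stats simulate_transfer(size_t file_size, size_t fetch_unit, size_t send_unit)
{
    transfer_stats st = {0, 0, 0, 0};
    size_t fetched = 0;   /* bytes pulled from the DCM so far */
    size_t buffered = 0;  /* bytes held in the CGW and not yet distributed */

    if (fetch_unit == 0 || send_unit == 0) return st;

    while (st.bytes_written < file_size) {
        /* S1007/S1008: request divided files until one send unit is available
         * (or the file is exhausted). */
        while (buffered < send_unit && fetched < file_size) {
            size_t n = file_size - fetched;
            if (n > fetch_unit) n = fetch_unit;
            fetched += n;
            buffered += n;
            st.dcm_requests++;
            if (buffered > st.peak_buffer) st.peak_buffer = buffered;
        }

        /* Prefetch the next divided file while the held data is being distributed;
         * both must fit in CGW memory at the same time. */
        size_t prefetch = 0;
        if (fetched < file_size) {
            prefetch = file_size - fetched;
            if (prefetch > fetch_unit) prefetch = fetch_unit;
            fetched += prefetch;
            st.dcm_requests++;
            if (buffered + prefetch > st.peak_buffer) st.peak_buffer = buffered + prefetch;
        }

        /* Distribute the held data to the ECU in send_unit pieces (last piece may be short). */
        size_t to_send = buffered;
        while (to_send > 0) {
            size_t n = to_send > send_unit ? send_unit : to_send;
            to_send -= n;
            st.bytes_written += n;
            st.ecu_frames++;
        }
        buffered = prefetch;  /* S1009: NO -> continue with the prefetched divided file */
    }
    return st;
}

int main(void)
{
    const size_t one_meg = 1024 * 1024;
    size_t sends[] = {4096, 128};
    size_t i;
    for (i = 0; i < 2; i++) {
        transfer_stats st = simulate_transfer(one_meg, 1024, sends[i]);
        printf("fetch 1k / send %zu: peak CGW buffer %zu bytes, %zu DCM requests, %zu ECU units\n",
               sends[i], st.peak_buffer, st.dcm_requests, st.ecu_frames);
    }
    return 0;
}
```

With 1 k byte divided files the peak CGW buffer comes out at 5 k bytes for a 4 k byte ECU unit and 2 k bytes for a 128 byte unit, while a 4 k byte divided file pushes it to 8 k bytes, which is the memory argument the page makes; the DCM request count is the same 1024 in every 1 M byte case, so the smaller divided file costs no extra requests.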
The CGW 13 transmits a transfer request to the DCM 12 and requests the DCM 12 to transfer a divided file, and there are a first request aspect and a second request aspect as aspects of requesting the DCM 12 to transfer the divided file. When reception of write data has been completed, the rewrite target ECU 19 transmits a reception completion notification indicating that the reception of the write data has been completed to the CGW 13, and, when writing of the write data has been completed, the rewrite target ECU transmits a write completion notification indicating that the writing of the write data has been completed to the CGW 13.
The first distribution aspect will be described with reference to
As described above, in the first distribution aspect, the CGW 13 acquires the next write data from the DCM 12 and distributes the next write data to the rewrite target ECU 19 without waiting for completion of writing of the write data in the rewrite target ECU 19. Thus, in the first distribution aspect, in the CGW 13, in a case where the rewrite target ECU 19 has not completed writing of the write data, there is concern that the next write data may not be received by the rewrite target ECU 19 even though the next divided file is acquired from the DCM 12 and the next write data is distributed to the rewrite target ECU 19. However, in a case where the rewrite target ECU 19 has completed writing of the write data, the next divided file can be quickly acquired from the DCM 12 and the next write data can be quickly distributed to the rewrite target ECU 19.
The second distribution aspect will be described with reference to
As described above, in the second distribution aspect, the CGW 13 waits for completion of writing of the write data in the rewrite target ECU 19, then acquires the next write data from the DCM 12, and distributes the next write data to the rewrite target ECU 19. Thus, in the second distribution aspect, it takes time for the CGW 13 to acquire the next divided file from the DCM 12, but it is possible to request the DCM 12 to transfer a divided file in a state in which the rewrite target ECU 19 has completed writing of write data. Therefore, when the next divided file is acquired from the DCM 12 and the next write data is distributed to the rewrite target ECU 19, the next write data can be reliably distributed to the rewrite target ECU 19.
The CGW 13 distributes write data to the rewrite target ECU 19 according to SID 34, 36, and 37, and there are a first distribution aspect and a second distribution aspect as aspects of distributing the write data to the rewrite target ECU 19. In the first distribution aspect, as illustrated in
Although an address and a file are correlated with each other in the DCM rewrite specification data, as a method of correlating an address with a file, for example, a folder configuration may be devised, specification data may be stored and managed in a folder 1, a file 1 may be stored and managed in a folder 2, a file 2 may be stored and managed in a folder 3, and the files may be managed in an order of file names. For example, in unpackaging illustrated in
For example, in a case where distribution of write data to the rewrite target ECU 19 is stopped for some reason such as communication disruption, the CGW 13 acquires information that can specify an address at which writing of the write data has been completed from the rewrite target ECU 19, and requests the DCM 12 to transfer a divided file including the write data from a time point at which writing thereof is not completed. Alternatively, the CGW 13 may request the DCM 12 to transfer a divided file including write data from the beginning.
As described above, the CGW 13 performs the file transfer control process, thus specifies a file including write data to be written to the rewrite target ECU 19 as a transfer target file, specifies an address for acquiring the transfer target file and the first data size, requests the DCM 12 to transfer a divided file, and distributes the write data to the rewrite target ECU when the divided file is transferred from the DCM 12. Transfer of write data from the DCM 12 to the CGW 13 and distribution of the write data from the CGW 13 to the rewrite target ECU 19 can be efficiently performed.
(11) Write Data Distribution Control Process
The write data distribution control process will be described with reference to
As illustrated in
As illustrated in
The first correspondence relationship specifying unit 83a specifies a first correspondence relationship indicating a relationship between a power supply state and an allowable transmission amount for a bus on the basis of an analysis result of rewrite specification data, and specifies a bus load table illustrated in
In the example illustrated in
The second correspondence relationship specifying unit 83b specifies a second correspondence relationship indicating a relationship between a bus to which the rewrite target ECU 19 belongs and a power supply system on the basis of an analysis result of rewrite specification data, and specifies a rewrite target ECU-belonging table illustrated in
In an example illustrated in
The CGW 13 uses the data of the “connection bus” and the “connection power supply” in the rewrite specification data illustrated in
The allowable transmission amount specifying unit 83c specifies an allowable transmission amount for a bus to which the rewrite target ECU 19 belongs, the allowable transmission amount corresponding to a power supply state of the vehicle when a program is updated, according to the specifying result of the first correspondence relationship and the specifying result of the second correspondence relationship. Specifically, the allowable transmission amount specifying unit 83c specifies a bus to which the rewrite target ECU 19 belongs by using the rewrite target ECU-belonging table that is the second correspondence relationship, and specifies an allowable transmission amount in each power supply state for the specified bus by using the bus load table that is the first correspondence relationship.
The distribution frequency specifying unit 83d specifies a distribution frequency of write data corresponding to a power supply state at the time of installation, by using a predefined correspondence relationship between a power supply state and a distribution frequency of write data. Specifically, the distribution frequency specifying unit 83d specifies, by using the bus load table, an allowable transmission amount allocated for distributing write data among allowable transmission amounts specified by the allowable transmission amount specifying unit 83c, and specifies a distribution frequency of the write data. For example, when it is specified that a bus to which the rewrite target ECU 19 belongs is the first bus, when a power supply state at the time of installation is the IG power supply state, the distribution frequency specifying unit 83d specifies an allowable transmission amount as “80%”, specifies an allowable transmission amount allocated for distributing the write data as “30%” out of 80%, and thus specifies a distribution frequency of the write data. The allowable transmission amount allocated for distributing the write data corresponds to transmission restriction information.
The bus load measurement unit 83e measures a bus load of a bus to which the rewrite target ECU 19 belongs. The bus load measurement unit 83e measures the bus load by counting the number of frames or the number of bits received per unit time, for example. The distribution control unit 83f controls distribution of the write data depending on the distribution frequency specified by the distribution frequency specifying unit 83d.
Next, an operation of the write data distribution control unit 83 in the CGW 13 will be described with reference to
When an unpackaging completion notification signal is received from the DCM 12, the CGW 13 initiates the write data distribution control process. The CGW 13 acquires the CGW rewrite specification data from the DCM 12 (S1101), and specifies a bus load table and a rewrite target ECU-belonging table by using the CGW rewrite specification data (S1102). The CGW 13 specifies a bus to which the rewrite target ECU 19 belongs by using the rewrite target ECU-belonging table (S1103). The CGW 13 specifies an allowable transmission amount for the bus to which the rewrite target ECU 19 belongs, the allowable transmission amount corresponding to a power supply state of the vehicle when update is performed by using the bus load table. The CGW 13 specifies a distribution frequency of the write data by considering the specified allowable transmission amount (S1104; corresponding to a distribution frequency specifying procedure). The CGW 13 refers to the allowable transmission amount for the first bus in the IG power supply state, for example, in a case where the write data is distributed to the ECU (ID1) as the first rewrite target ECU 19 while the vehicle is traveling. In the example illustrated in
Since one frame is about 250 μs in the specification on 500 kbps of CAN, when interruption occurs four times for one second, four frames are generated, and a bus load is 100%. The CGW 13 specifies a distribution frequency of the write data by determining the interruption occurring in the bus. The CGW 13 starts measuring the number of frames received per unit time, that is, starts measuring the bus load (S1105), determines whether or not the measured bus load exceeds the allowable transmission amount (S1106), and sets a distribution interval. The distribution interval is the time from when the CGW 13 distributes write data to the rewrite target ECU 19 and receives a write completion notification (ACK) from the rewrite target ECU 19 until it transmits the next write data to the rewrite target ECU 19.
When it is determined that the measured bus load does not exceed the allowable transmission amount (S1106: NO), the CGW 13 sets the distribution interval of the write data to the shortest interval set in advance, and initiates to distribute the write data to the rewrite target ECU 19 as illustrated in
On the other hand, when it is determined that the measured bus load exceeds the allowable transmission amount (S1106: YES), the CGW 13 computes an interval at which the bus load does not exceed the allowable transmission amount (S1108), sets the distribution interval of the write data to the computed interval, and initiates to distribute the write data to the rewrite target ECU 19 as illustrated in
For example, in the IG power supply state, the CGW 13 determines whether or not the bus load exceeds the allowable transmission amount of “80%” for the first bus, and, when it is determined that the bus load does not exceed the allowable transmission amount, sets a distribution interval T1 at which an allowable transmission amount of the write data is “30%”. That is, as shown in the bus load table of
When distribution of the write data to the rewrite target ECU 19 is initiated, the CGW 13 determines whether or not the distribution of the write data to the rewrite target ECU 19 has been completed, and continuously determines whether or not the measured bus load exceeds the allowable transmission amount (S1110 and S1111). When it is determined that the measured bus load does not exceed the allowable transmission amount (S1111: NO), the CGW 13 sets a distribution interval of the write data to the shortest interval set in advance, and changes the distribution interval of the write data to the rewrite target ECU 19 (S1112). On the other hand, when it is determined that the measured bus load exceeds the allowable transmission amount (S1111: YES), the CGW 13 computes an interval at which the bus load does not exceed the allowable transmission amount (S1113), sets a distribution interval of the write data to the computed interval, and changes the distribution interval of the write data to the rewrite target ECU 19 (S1114).
When it is determined that the distribution of the write data to the rewrite target ECU 19 has been completed (S1110: YES), the CGW 13 stops measuring the number of frames received per unit time, stops measuring the bus load (S1115), and finishes the write data distribution control process. Here, in a case where there are a plurality of the rewrite target ECUs 19, the CGW 13 performs the write data distribution control process on installation in all of the rewrite target ECUs 19.
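The interval selection of steps S1105 to S1114, worked out with the page's own figures (a 250 μs frame on 500 kbps CAN, an allowable transmission amount of 80% for the first bus in the IG power supply state, 30% of it allocated to write data), as an added example rather than code from the patent. Two assumptions of this example are labelled in the comments: the CGW subtracts the frames it sent itself, so the load it decides on is the load of other traffic, and a 128 byte write-data unit is taken to cost 16 data frames plus one ACK frame. The "does not exceed" check is evaluated as "other traffic plus the 30% write-data share stays within the allowable amount", so that the decision does not flip on the CGW's own traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_TIME_US      250u                        /* one CAN frame at 500 kbps (page) */
#define FRAMES_PER_SECOND  (1000000u / FRAME_TIME_US)  /* 4000 frames in one second = 100 % load */

/* One bus load table entry (a bus in one power supply state) plus the frame cost of a
 * write-data unit; the field names are assumptions of this example. */
typedef struct {
    unsigned allowable_pct;    /* allowable transmission amount, e.g. 80 */
    unsigned write_share_pct;  /* part of it allocated to write data, e.g. 30 */
    unsigned frames_per_unit;  /* CAN frames for one write-data unit plus its ACK (assumed 17) */
} bus_policy;

/* S1105: bus load in percent from the frame count observed in a one-second window. */
unsigned bus_load_pct(unsigned frames_per_second)
{
    if (frames_per_second >= FRAMES_PER_SECOND) return 100;
    return frames_per_second * 100 / FRAMES_PER_SECOND;
}

/* Interval at which write data occupies at most budget_pct of the bus
 * (rounded up so the resulting load never exceeds the budget). */
uint32_t interval_for_budget_us(const bus_policy *p, unsigned budget_pct)
{
    uint64_t per_unit_us = (uint64_t)p->frames_per_unit * FRAME_TIME_US * 100;
    return (uint32_t)((per_unit_us + budget_pct - 1) / budget_pct);
}

/* Bus load in percent that write-data distribution itself produces at an interval. */
unsigned write_load_pct(const bus_policy *p, uint32_t interval_us)
{
    if (interval_us == 0) return 0;  /* distribution held */
    return (unsigned)((uint64_t)p->frames_per_unit * FRAME_TIME_US * 100 / interval_us);
}

/* S1106-S1114: choose the distribution interval for the next cycle.
 * other_load_pct is the measured load minus the CGW's own write-data frames
 * (assumption: the CGW knows how many frames it sent). Returns 0 when the other
 * traffic already fills the allowable amount and distribution must be held. */
uint32_t next_interval_us(const bus_policy *p, unsigned other_load_pct)
{
    uint32_t shortest = interval_for_budget_us(p, p->write_share_pct);  /* T1: the 30 % interval */

    /* S1106/S1111: NO -> shortest preset interval (S1107/S1112). */
    if (other_load_pct + p->write_share_pct <= p->allowable_pct)
        return shortest;

    /* S1106/S1111: YES -> compute an interval at which other traffic plus
     * write data does not exceed the allowable amount (S1108/S1113). */
    if (other_load_pct >= p->allowable_pct)
        return 0;
    return interval_for_budget_us(p, p->allowable_pct - other_load_pct);
}

int main(void)
{
    const bus_policy first_bus_ig = {80, 30, 17};  /* first bus, IG power supply state */
    unsigned loads[] = {40, 60, 85};               /* constructed other-traffic loads */
    size_t i;
    for (i = 0; i < 3; i++) {
        uint32_t iv = next_interval_us(&first_bus_ig, loads[i]);
        printf("other load %u%% -> interval %u us, write-data load %u%%\n",
               loads[i], (unsigned)iv, write_load_pct(&first_bus_ig, iv));
    }
    return 0;
}
```

At 40% other traffic the shortest interval (about 14.2 ms per 128 byte unit) keeps write data at the 30% share; at 60% the interval stretches to 21.25 ms so that the total stays at the 80% allowable amount; at 85% there is no headroom and distribution is held until the next measurement.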
As described above, the CGW 13 performs the write data distribution control process, thus specifies a distribution frequency of write data to the rewrite target ECU 19 by using a correspondence relationship between a predetermined power supply state and a distribution frequency of write data, and controls distribution of the write data according to the distribution frequency. It is possible to reduce, for example, data collision or delay during installation. Distribution of write data can coexist without hindering distribution of vehicle control data on the same bus.
In the above description, the configuration has been exemplified in which the bus load table is specified on the basis of an analysis result of the rewrite specification data in the CGW 13, but the bus load table may be stored in advance. The configuration has been exemplified in which the rewrite target ECU-belonging table is specified on the basis of an analysis result of the rewrite specification data in the CGW 13, but the rewrite target ECU-belonging table may be stored in advance.
In a power supply state in which the vehicle is traveling, a distribution amount of write data may be relatively reduced, and, in a power supply state in which the vehicle is parked, the distribution amount of the write data may be relatively increased. That is, in the CGW 13, as illustrated in
As illustrated in
As illustrated in
The bus load table incorporated in the rewrite specification data is set uniformly and commonly by, for example, a vehicle manufacturer regardless of a vehicle model, grade, or the like. This is because, for example, when equipment of an ECU greatly changes depending on the vehicle model, grade, or the like, a bus load greatly changes, and, when the optimum bus load table is individually set depending on the vehicle model, grade, or the like, complicated labor such as labor to verify the bus load table is required, so that such complicated labor is reduced.
As described above, similarly to the case where installation is performed while the vehicle is traveling, also in a case where installation is performed while the vehicle is parked, the write data distribution control process is performed. When the rewrite target ECU 19 is a +B power ECU, update can be performed in the +B power supply state, and thus an allowable transmission amount in the +B power supply state in the bus load table is referred to. On the other hand, in a case where the rewrite target ECU 19 is an IG ECU, installation is performed in the IG power supply state, and thus an allowable transmission amount in the IG power supply state in the bus load table is referred to. Here, for example, in a case where the rewrite target ECU 19 is an ACC ECU, installation can be performed in the IG power supply state. In this case, an allowable transmission amount in the IG power supply state in the bus load table is referred to. The configuration of storing the bus load table and the rewrite target ECU-belonging table has been described, but any table may be stored as long as a distribution frequency of write data in each power supply state can be specified.
(12) Activation Request Instruction Process
The activation request instruction process will be described with reference to
As illustrated in
When it is determined by the rewrite completion determination unit 84b that the rewriting of the programs has been completed in all of the plurality of rewrite target ECUs 19, the activation executability determination unit 84c determines whether or not activation is executable. The activation executability determination unit 84c determines that the activation is executable in a case where the activation is approved by the user and the vehicle is in a parking state.
The activation request instruction unit 84d gives an instruction for an activation request in a case where it is determined by the activation executability determination unit 84c that the activation is executable. Specifically, the activation request instruction unit 84d gives the instruction for the activation request by giving an instruction for a reset request, monitoring session transition timeout, or monitoring the internal reset of the rewrite target ECU 19 after giving an instruction for a request for switching to a new bank. In a double-bank memory ECU or a single-bank suspend memory ECU, an application program is activated by starting the application program on a new bank (inactive bank) in which the application program is written. On the other hand, in a single-bank memory ECU, the application program is activated through restart. The rewrite target ECU 19 may be configured to be reset by itself regardless of an activation request after an instruction for a request for switching to a new bank is received.
Next, with reference to
When the activation request instruction process is initiated, the CGW 13 specifies a plurality of rewrite target ECUs 19 (S1201; corresponding to a rewrite target specifying procedure). Specifically, the CGW 13 specifies the rewrite target ECUs 19 by referring to ECUs (IDs) described in the rewrite specification data. The CGW 13 determines whether or not rewriting of application programs has been completed in all of the plurality of specified rewrite target ECUs 19 (S1202; corresponding to a rewrite completion determination procedure). For example, the CGW 13 sequentially performs installation on the rewrite target ECUs 19 according to the order of the ECUs (IDs) described in the rewrite specification data, and determines that writing has been completed in all of the rewrite target ECUs 19 when installation for an ECU (ID) described last has been completed.
When it is determined that rewriting of the application program has been completed in all of the plurality of specified rewrite target ECUs 19 (S1202: YES), the CGW 13 determines whether or not activation is executable (S1203; corresponding to an activation executability determination procedure). Specifically, the CGW 13 determines whether or not the user's approval for the update has been obtained so far, whether or not the vehicle is in a parking state, and the like, and determines that the activation is executable when these conditions are satisfied. The user's approval may be an approval for the entire update process or an approval for the activation. When it is determined that activation is executable (S1203: YES), the CGW 13 subsequently gives instructions for activation requests to the plurality of rewrite target ECUs 19 at the same time (corresponding to an activation request instruction procedure). Here, a description will be made assuming that the ECU (ID1), the ECU (ID2), and the ECU (ID3) are the rewrite target ECUs 19 of the same group.
When it is determined that activation is executable for the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 initiates the activation request instruction process. When the activation request instruction process is initiated, the CGW 13 gives an instruction for a request for switching to a new bank to the rewrite target ECU 19 (S1204). The CGW 13 requests the power supply management ECU 20 to switch on the IG power in an OFF state (S1205). The CGW 13 switches on the IG power in an OFF state in order to perform activation although the vehicle is in a parking state and the IG switch 42 is in an OFF state. In a case where the CGW 13 performs installation and subsequently performs activation, since the IG power is in an ON state, S1205 is not performed, and a start request (wake-up request) is made to the rewrite target ECU 19 in the sleep state.
The CGW 13 transmits a software reset request to the rewrite target ECU 19, and gives an instruction for the software reset request to the rewrite target ECU 19 (S1206). In a case where the rewrite target ECU 19 has a specification of coping with the software reset request, when the software reset request is received from the CGW 13, the rewrite target ECU 19 is restarted by resetting the software, and activates an application program. In a case where the rewrite target ECU 19 is a single-bank memory ECU, the rewrite target ECU 19 is restarted by the new application program and thus switches from the old application program to the new application program. In a case where the rewrite target ECU 19 is a single-bank suspend memory ECU or a double-bank memory ECU, the rewrite target ECU 19 updates the active bank information (the bank-A or the bank-B) stored in the flash memory, causes a bank to which the new application program is written to switch to an active bank, and thus switches from the old application program to the new application program.
The CGW 13 requests the power supply management ECU 20 to switch off the IG power in an ON state and to switch on the IG power in an OFF state, gives an instruction for a power reset request to the rewrite target ECU 19, and instructs the rewrite target ECU 19 to be restarted (S1207). Even in a case where the rewrite target ECU 19 does not have a specification of coping with the software reset request, when the IG power switches from an ON state to an OFF state and the IG power switches from an OFF state to an ON state, the rewrite target ECU is reset and restarted to activate the application program. Also in this case, in a case where the rewrite target ECU 19 is a single-bank memory ECU, the rewrite target ECU 19 is restarted by the new application program and thus switches from the old application program to the new application program. In a case where the rewrite target ECU 19 is a single-bank suspend memory ECU or a double-bank memory ECU, the rewrite target ECU 19 updates the active bank information (the bank-A or the bank-B) stored in the flash memory, causes a bank to which the new application program is written to switch to an active bank, and thus switches from the old application program to the new application program. The CGW 13 monitors session transition timeout (S1208) and monitors the internal reset of the rewrite target ECU 19 (S1209).
That is, in a case where the rewrite target ECU 19 does not have the specification of coping with the software reset request, the CGW 13 cannot give an instruction for activation even when the software reset request is transmitted to the rewrite target ECU 19. Therefore, an instruction for the power reset request is given to the rewrite target ECU 19, and thus activation is performed in the rewrite target ECU 19 that does not have the specification of coping with the software reset request. For example, an IG ECU such as an engine ECU is configured to be reset without fail when the power is turned on or off, and, thus, in many cases, a configuration does not cope with the software reset request. From the viewpoint of the rewrite target ECU 19, activation is performed (started by the new program) by any of reception of an instruction for the software reset request from the CGW 13, reception of an instruction for the power reset request from the CGW 13, the session transition timeout, and the internal reset.
When an instruction for the software reset request is received from the CGW 13, a rewrite target ECU 19 that copes with the software reset request is forcibly reset and performs activation. When an instruction for the power reset request is received from the CGW 13, power to a rewrite target ECU 19 that is an ACC ECU or an IG ECU is forcibly cut off, so that ECU is reset and performs activation when power is supplied next. Unlike a rewrite target ECU 19 that is an ACC or IG ECU, a rewrite target ECU 19 that is a +B power ECU is supplied with power at all times, and thus activation is performed by the session transition timeout or the internal reset. The activation method for each rewrite target ECU 19 is specified by the rewrite specification data.
When the CGW 13 is notified that the new application program is normally started from all of the rewrite target ECUs 19, the CGW transmits a switching completion notification to the DCM 12 (S1210). The DCM 12 notifies the center device 3 that activation of the update programs has been completed. The CGW 13 requests the power supply management ECU 20 to switch on the IG power in an OFF state, and finishes an application program activation synchronization instruction process. When the IG power switches from an OFF state to an ON state through the user operation, the CGW 13 transmits a program version, a start bank, and the like of the ECU to the DCM 12. The DCM 12 notifies the center device 3 of the information of each ECU 19 received from the CGW 13. Here, when the DCM 12 notifies the center device 3 of completion of the activation, ECU configuration information including a program version and bank information of each ECU may be transmitted to the center device 3.
As described above, the CGW 13 performs the activation request instruction process, thus prevents a situation in which a plurality of rewrite target ECUs 19 having completed rewriting of application programs switch from old programs to new programs at their own timings, and appropriately aligns timings of switching from the old programs to the new programs in the plurality of rewrite target ECUs 19. That is, a situation is prevented in which program versions of a plurality of rewrite target ECUs 19 which cooperate with each other do not match each other, and thus a problem occurs in a cooperative process.
(13) Activation Execution Control Process
The activation execution control process will be described with reference to
As illustrated in
The execution condition determination unit 107b determines whether or not an instruction for a software reset request is received from the CGW 13, whether or not an instruction for a power reset request is given from the CGW 13 to the power supply management ECU 20, and whether or not disruption of communication with the CGW 13 lasts for a predetermined time, as activation execution conditions. When any one of the conditions is satisfied, the execution condition determination unit 107b determines that the activation execution conditions are established. Whether or not an instruction for the power reset request is received may be detected by the power detection circuit 36 instead of an instruction from the CGW 13. When it is determined by the execution condition determination unit 107b that the activation execution condition is established, the execution control unit 107c performs new bank switching (activation) of causing the start bank to switch from the old bank (the bank currently operated) to the new bank (the bank not currently operated) in accordance with the active bank information. The notification unit 107d notifies the CGW 13 of notification information such as active bank information and version information.
Next, an operation of the activation execution control unit 107 in the rewrite target ECU 19 will be described with reference to
(13-1) Rewrite Process
When the rewrite process is initiated, the rewrite target ECU 19 performs the processes up to immediately before memory erasure, such as part number reading or authentication, as a pre-rewrite process (S1301). The rewrite target ECU 19 determines whether or not rewrite bank information has been received from the center device 3 (S1302). The rewrite target ECU 19 determines whether or not the rewrite bank information has been received on the basis of, for example, whether or not the rewrite bank information described in the rewrite specification data included in a distribution package has been acquired from the CGW 13. When it is determined that the rewrite bank information has been received from the center device 3 (S1302: YES), the rewrite target ECU 19 collates the rewrite bank information with the rewrite bank information (active bank information) managed by itself, and thus determines whether or not the two pieces of information match each other (S1303). Here, the rewrite bank information is described in the rewrite specification data transmitted from, for example, the center device 3. For example, in a case where the rewrite bank information managed by the rewrite target ECU indicates that the active bank is the bank-A and the inactive bank is the bank-B, when the rewrite bank information described in the rewrite specification data indicates the inactive bank (bank-B), it is determined that the two pieces of information match each other, and, when the rewrite bank information described in the specification data indicates the active bank (bank-A), it is determined that the two pieces of information do not match each other.
When it is determined that both of the pieces of information match each other (S1303: YES), the rewrite target ECU 19 performs, as the rewrite process, memory erasure, writing of write data, and verification (S1304), and finishes the rewrite process. The verification is, for example, to verify the integrity of data written in the flash memory. When it is determined that both of the pieces of information do not match each other (S1303: NO), the rewrite target ECU 19 transmits a negative acknowledgement to the CGW 13 (S1305), and finishes the rewrite process.
(13-2) Activation Execution Control Process
When the activation execution control process is initiated, the rewrite target ECU 19 sets an inactive bank as a rewrite bank, and determines whether or not rewriting of an application program into the rewrite bank has been completed (S1311). When it is determined that rewriting of the application program into the rewrite bank has been completed (S1311: YES), the rewrite target ECU 19 verifies the integrity of the application program written in the flash memory, and determines whether or not data verification after the rewriting is positive (S1312). When it is determined that the data verification after the rewriting is positive (S1312: YES), the rewrite target ECU 19 sets a rewrite completion flag of the new bank to “OK” and stores the rewrite completion flag (S1313).
Thereafter, the rewrite target ECU 19 determines whether or not an instruction for an activation request has been received from the CGW 13 (S1314). When it is determined that the instruction for the activation request has been received (S1314: YES), the rewrite target ECU 19 determines whether or not the rewrite completion flag of the new bank is “OK” (S1315), and updates the active bank information when it is determined that the rewrite completion flag of the new bank is “OK” (S1315: YES) (S1316; corresponding to an active bank information update procedure). That is, for example, in a case where an active bank is the bank-A and an inactive bank is the bank-B, when rewriting of the application program into the rewrite bank has been completed by using the bank-B as the rewrite bank, the rewrite target ECU 19 updates the active bank information indicating that an active bank is the bank-A and an inactive bank is the bank-B to active bank information indicating that an active bank is the bank-B and an inactive bank is the bank-A.
When the active bank information is updated, the rewrite target ECU 19 determines whether or not a software reset request has been received from the CGW 13, whether or not an instruction for a power reset request has been given from the CGW 13 to the power supply management ECU 20, and whether or not disruption of communication with the CGW 13 lasts for a predetermined time after the instruction for the software reset request is received, and thus determines whether or not the activation execution condition is established (S1317; corresponding to an execution condition determination procedure). Here, the rewrite target ECU 19 is restarted when any of the activation execution conditions is established, and restart conditions are defined for each ECU.
The rewrite target ECU 19 determines whether an instruction for the software reset request has been received from the CGW 13, the instruction for the power reset request has been given from the CGW 13 to the power supply management ECU 20, or the predetermined time has elapsed after the instruction for the software reset request is received, and executes restart (reset) when it is determined that the activation execution condition is established (S1317: YES). The rewrite target ECU 19 executes the restart and is started by using the new bank (bank-B) as a start bank (S1318; corresponding to a start control procedure) according to the updated active bank information, and finishes the activation execution control process. That is, after the rewrite target ECU 19 is restarted, the rewrite target ECU is started in the bank-B in which the application program is installed.
When it is determined that rewriting of the application program to the new bank is not completed (S1311: NO), or it is determined that the data verification after the rewriting is negative (S1312: NO), the rewrite target ECU 19 determines whether or not an instruction for an activation request has been received (S1319), transmits a negative acknowledgement to the CGW 13 (S1320) when it is determined that the instruction for the activation request has been received (S1319: YES), and returns to step S1311. When it is determined that the data verification after the rewriting is negative, the rewrite target ECU 19 may finish the activation execution control process and perform a process such as rollback. When it is determined that the rewrite completion flag of the new bank is not “OK” (S1315: NO), the rewrite target ECU 19 transmits a negative acknowledgement to the CGW 13 (S1321) and returns to step S1311.
As described above, the rewrite target ECU 19 performs the activation execution control process, thus updates the active bank information in preparation for the next restart when an instruction for an activation request is received from the CGW 13, and performs new bank switching for causing a start bank to switch from the old bank to the new bank according to the active bank information after restarting when the activation execution condition is established. That is, the rewrite target ECU 19 is not started by an update program unless the CGW 13 gives an instruction for activation thereto even though installation of the update program has been completed. For example, even when the rewrite target ECU 19 is restarted due to the user turning on the IG switch 42 in an OFF state, unless an instruction for activation is received from the CGW 13, the rewrite target ECU is started in the same active bank. The CGW 13 simultaneously gives instructions for activation to a plurality of rewrite target ECUs 19, and then update programs of the plurality of the rewrite target ECUs 19 can be simultaneously validated when being restarted by software reset, power reset, or session timeout. In the above description, the case where data storage banks are double banks has been described, but the same applies to a case where data storage banks are three or more banks.
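The rewrite process (13-1) and the activation execution control process (13-2) together form a small state machine in the rewrite target ECU 19: the rewrite bank named in the specification data must be the inactive bank, the rewrite completion flag is set only after verification, an activation request only updates the active bank information, and the new program starts only at the next reset. The following C model is an added example and is not code from the patent; the two-bank layout, the XOR checksum standing in for verification, the sample images, and the choice to clear the completion flag once an activation request has consumed it are all assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): a model of a double-bank rewrite
 * target ECU. Bank contents, the checksum and the step numbers in the
 * comments are constructed to follow the description of (13-1) and (13-2). */

#define IMG_LEN 8

typedef enum { BANK_A = 0, BANK_B = 1 } bank_t;

typedef struct {
    uint8_t image[2][IMG_LEN]; /* program stored in each flash bank */
    bank_t  active_bank;       /* active bank information kept in flash */
    bool    rewrite_ok[2];     /* rewrite completion flag per bank (S1313) */
    bank_t  running_bank;      /* bank the ECU booted from at the last restart */
} ecu_t;

static bank_t other_bank(bank_t b) { return b == BANK_A ? BANK_B : BANK_A; }

/* Stand-in for the post-write verification (S1312): a plain XOR checksum.
 * A real ECU would verify a signed digest; the checksum is an assumption. */
static uint8_t checksum(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

void ecu_init(ecu_t *e) {
    static const uint8_t old_prog[IMG_LEN] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    memset(e, 0, sizeof *e);
    memcpy(e->image[BANK_A], old_prog, IMG_LEN);
    e->active_bank = BANK_A;
    e->running_bank = BANK_A;
}

/* (13-1) Rewrite: collate the rewrite bank named in the rewrite specification
 * data with the ECU's own bank information (S1303); write and verify (S1304);
 * set the completion flag (S1313). Returns false where the ECU would send a
 * negative acknowledgement to the CGW. */
bool ecu_rewrite(ecu_t *e, bank_t rewrite_bank, const uint8_t *img, uint8_t expected_crc) {
    if (rewrite_bank == e->active_bank)
        return false;                              /* S1305: bank mismatch, NAK */
    memcpy(e->image[rewrite_bank], img, IMG_LEN);  /* memory erasure + write */
    e->rewrite_ok[rewrite_bank] =
        (checksum(e->image[rewrite_bank], IMG_LEN) == expected_crc);
    return e->rewrite_ok[rewrite_bank];
}

/* (13-2) Activation request from the CGW (S1314-S1316): only the active bank
 * information is updated here; the running program does not change until a
 * restart. Returns false for the NAK of S1321. */
bool ecu_activation_request(ecu_t *e) {
    bank_t new_bank = other_bank(e->active_bank);
    if (!e->rewrite_ok[new_bank])
        return false;                              /* S1315: NO -> S1321 NAK */
    e->active_bank = new_bank;                     /* S1316 */
    e->rewrite_ok[new_bank] = false;               /* assumption: flag is consumed */
    return true;
}

/* Restart by software reset, power reset or session timeout (S1317-S1318):
 * the start bank is whatever the active bank information says. */
bank_t ecu_restart(ecu_t *e) {
    e->running_bank = e->active_bank;
    return e->running_bank;
}

/* Walks the sequence from the description; returns 0 on success or the
 * number of the first check that failed. */
int run_scenario(void) {
    ecu_t e;
    const uint8_t new_prog[IMG_LEN] = {9, 9, 9, 9, 9, 9, 9, 9}; /* constructed; XOR = 0 */
    ecu_init(&e);
    if (ecu_rewrite(&e, BANK_A, new_prog, 0x00)) return 1;     /* active bank refused */
    if (ecu_rewrite(&e, BANK_B, new_prog, 0x55)) return 2;     /* failed verification */
    if (ecu_activation_request(&e)) return 3;                  /* flag not OK -> NAK */
    if (ecu_restart(&e) != BANK_A) return 4;                   /* still on the old bank */
    if (!ecu_rewrite(&e, BANK_B, new_prog, 0x00)) return 5;    /* good rewrite */
    if (ecu_restart(&e) != BANK_A) return 6; /* user IG cycle without activation: old bank */
    if (!ecu_activation_request(&e)) return 7;
    if (e.running_bank != BANK_A) return 8;                    /* not switched yet */
    if (ecu_restart(&e) != BANK_B) return 9;                   /* new program starts */
    if (ecu_activation_request(&e)) return 10;                 /* nothing new in bank A */
    return 0;
}

int main(void) {
    printf("scenario result: %d\n", run_scenario());
    return 0;
}
```

The point the model makes visible is the one the text stresses: a reset caused by the user turning the IG switch on, before any activation instruction, leaves the ECU on the old bank, and an activation request for a bank whose completion flag is not set is refused rather than acted on.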
In (12) the activation request instruction process in the CGW 13, the CGW 13 performs the activation request instruction process on a plurality of rewrite target ECUs 19 having completed rewriting of application programs, and thus it is possible to prevent a situation in which the plurality of rewrite target ECUs 19 having completed rewriting of the application programs switch from old programs to new programs at their own timings, and to appropriately align timings of switching from the old programs to the new programs in the plurality of rewrite target ECUs 19.
(14) Rewrite Target Group Management Process
The rewrite target group management process will be described with reference to
As illustrated in
Next, with reference to
When it is determined that the rewrite target ECU 19 is initially subjected to rewriting (S1403: YES) or it is determined that the rewrite target ECU 19 belonging to the same group as that of the previous rewrite target ECU 19 is subjected to rewriting (S1404: YES), the CGW 13 instructs the rewrite target ECU 19 to rewrite an application program such that the application program of the rewrite target ECU 19 is rewritten (S1406). The CGW 13 determines whether or not there is the next rewrite target ECU 19 (S1407). When it is determined that there is the next rewrite target ECU 19 in the same group (S1407: YES), the CGW 13 returns to the above steps S1403 to S1405, and repeatedly performs S1403 to S1405.
When it is determined that the rewrite target ECU 19 belonging to a group different from that of the previous rewrite target ECU 19 is subjected to rewriting (S1405: YES), the CGW 13 proceeds to an activation request instruction process (S1408; corresponding to an instruction execution procedure).
When the activation request instruction process is initiated, the CGW 13 determines whether or not there is a next rewrite target ECU 19 (S1411). That is, the CGW 13 determines whether or not there is a group in which installation is not completed. When it is determined that there is a next rewrite target ECU 19 (S1411: YES), the CGW 13 gives an instruction for an activation request to the rewrite target ECUs 19 belonging to the group in which the rewriting has been completed (S1412). That is, in a case where installation has not yet been performed on the rewrite target ECUs 19 belonging to the second group, the CGW 13 gives an instruction for activation to the rewrite target ECU (ID1) and the rewrite target ECU (ID2) of the first group, in which rewriting is already completed.
The CGW 13 gives an instruction for a software reset request to the rewrite target ECU 19, and instructs the rewrite target ECU 19 to be restarted by switching on the power in an OFF state and switching off the power in an ON state via the power supply management ECU 20, and thus the application programs of the rewrite target ECU (ID1) and the rewrite target ECU (ID2) are started together.
The CGW 13 determines a rewrite timing for the next rewrite target ECU 19 (S1413 and S1414). That is, the CGW 13 determines rewrite timings for the rewrite target ECUs 19 belonging to the second group. When it is determined that the rewrite timing for the next rewrite target ECU 19 is a timing of the user's switching from the next riding to getting-off (S1413: YES), the CGW 13 switches off the IG power in an ON state (S1415), finishes the activation request instruction process, and returns to the rewrite target group management process. For example, when a time period in which rewriting of an application program is allowed is set by the user in advance, and it is predicted that installation in the rewrite target ECUs 19 belonging to the second group will not be completed within the time period, the CGW 13 performs installation in the next parking state. In this case, the CGW 13 instructs the power supply management ECU 20 to turn off the IG power in order to return to the original parking state.
When it is determined that the rewrite timing for the next rewrite target ECU 19 is the present getting-off (parking state) (S1414: YES), the CGW 13 determines whether or not the remaining charge of the vehicle battery 40 is equal to or more than a threshold value (S1416). Here, the threshold value may be a value set in advance or a value acquired from the CGW rewrite specification data. When it is determined that the remaining charge of the vehicle battery 40 is not equal to or more than the threshold value (S1416: NO), the CGW 13 instructs the power supply management ECU 20 to switch off the IG power in an ON state (S1415), finishes the activation request instruction process, and returns to the rewrite target group management process. When it is determined that the remaining charge of the vehicle battery 40 is equal to or more than the threshold value (S1416: YES), the CGW 13 maintains the IG power in an ON state (S1417), finishes the activation request instruction process, and returns to the rewrite target group management process. As illustrated in
When it is determined that there is no next rewrite target ECU 19 (S1411: NO), the CGW 13 gives an instruction for an activation request to the rewrite target ECUs 19 belonging to the group in which rewriting has been completed (S1418), switches off the IG power in an ON state (S1419), finishes the activation request instruction process, and returns to the rewrite target group management process. For example, when rewriting in the rewrite targets ECU (ID11), ECU (ID12), and ECU (ID13) belonging to the second group has been completed, there is no next rewrite target ECU 19, that is, no next group. In this case, the CGW 13 instructs the ECU (ID11), the ECU (ID12), and the ECU (ID13) to activate the update programs, and instructs the power supply management ECU 20 to turn off the IG power after the activation has been completed.
As illustrated in
As described above, the CGW 13 performs the group management process on the rewrite target ECUs 19 to which an activation request is made, and thus gives an instruction for an activation request to them group by group. A plurality of ECUs having a cooperative control relationship can thereby be upgraded simultaneously. That is, it is possible to prevent the occurrence of a problem in a cooperative control process due to mismatching among the versions of the application programs of the plurality of rewrite target ECUs 19 having a cooperative control relationship. The CGW 13 performs installation in a predetermined order group by group. That is, the CGW 13 performs control such that the processes from installation to activation are performed in group units.
The present embodiment relates to a configuration in which, after installation in the rewrite target ECU 19 belonging to the first group has been completed, activation in the rewrite target ECU 19 belonging to the first group is performed, and, subsequently, after installation in the rewrite target ECU 19 belonging to the second group has been completed, activation in the rewrite target ECU 19 belonging to the second group is performed. However, activation in the rewrite target ECU 19 belonging to the first group and activation in the rewrite target ECU 19 belonging to the second group may be performed successively. That is, installation in the rewrite target ECU 19 belonging to the first group may be completed, installation in the rewrite target ECU 19 belonging to the second group may be completed, and then activation in rewrite target ECU 19 belonging to the first group may be performed, and activation in the rewrite target ECU 19 belonging to the second group may be performed. In this case, activation in the rewrite target ECUs 19 belonging to the first group and the second group may be performed simultaneously.
In a case where the rewrite target ECU 19 includes a single-bank memory ECU, an instruction for installation in the single-bank memory ECU may be given last in a group. In a case where an instruction for installation is given to the rewrite target ECUs 19 having a cooperative operation relationship, the instruction for installation may be first given to the rewrite target ECU 19 that operates as a data transmission side, and the instruction for installation may be later given to the rewrite target ECU that operates as a data reception side.
The CGW 13 refers to the memory type in rewrite specification data and determines the installation order according to the memory type of the rewrite target ECU 19. For example, installation is performed in an order of a double-bank memory, a single-bank suspend memory, and a single-bank memory. The CGW 13 stores in advance which of a data transmission side and a data reception side the ECU is as information regarding the ECUs 19 having a cooperative operation relationship, and determines an installation order of the rewrite target ECUs 19 on the basis of the information.
In a case where there are a plurality of groups, an installation order may be determined on the basis of, for example, the degree of urgency, the degree of safety, a function, or a time. The degree of urgency is an index indicating whether or not it is necessary to perform immediate installation. The degree of urgency is high in a case where there is a high probability that man-made disasters or accidents may occur if the ECU is left without installation. The degree of urgency is low in a case where there is a low probability that man-made disasters or accidents may occur even if the ECU is left without installation. Installation is preferentially performed on a group having a high degree of urgency. The degree of safety is an index of the restriction due to the type of microcomputer at the time of installation, and installation is performed in an ascending order of restriction, that is, in an order of a double-bank memory, a single-bank suspend memory, and a single-bank memory. The function is an index of user's convenience, and installation is preferentially performed on a group that is more convenient to a user. The time is an index of the time required for installation, and installation is preferentially performed on a group requiring a short installation time.
In a case where the CGW 13 instructs the first rewrite target ECU 19 and the second rewrite target ECU 19 belonging to the same group to perform installation, when the first rewrite target ECU 19 succeeds in installation, and the second rewrite target ECU 19 fails in installation, the CGW 13 instructs the second rewrite target ECU 19 to perform rollback and instructs the first rewrite target ECU 19 to perform rollback.
In a case where the CGW 13 instructs the rewrite target ECU 19 belonging to the first group and the rewrite target ECU 19 belonging to the second group to perform installation, when the rewrite target ECU 19 belonging to the first group fails in installation, the CGW 13 instructs the rewrite target ECU 19 belonging to the second group to perform installation. For example, in
In a case where there are two groups in a single campaign (within a single distribution package), the user's approval operation for the campaign and the user's approval operation for download are performed once, and the user's approval operation for installation and the user's approval operation for activation are performed twice, once for each group. That is, in a case where the function changed by the update differs for each group, it is desirable to perform the user's approval operation for installation and the user's approval operation for activation for each function. Since some users find the approval operations for installation and for activation burdensome when they are repeated for each group, the user's approval operation for installation and the user's approval operation for activation may instead be performed once for all groups.
Although the configuration in which a group to which the rewrite target ECU 19 belongs is determined by using the rewrite specification data has been exemplified, there may be a configuration in which a group to which the rewrite target ECU 19 belongs is stored in the CGW 13.
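The group management described in (14), together with the failure handling of the two preceding paragraphs, amounts to a simple rule: install the members of a group in specification order, and at the group boundary either activate all of them together or, if any member failed, roll back the members that were instructed and move on to the next group. The C simulation below is an added example, not the patent's or any vendor's code. The ECU IDs, the group assignments, the installation outcomes, and the decision not to instruct the remaining members of a group once one member has failed are constructed assumptions; the activation executability check of (12) (user approval and parking state) is assumed to have passed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): group-wise installation and
 * activation as the CGW would order it. ECU IDs, groups and installation
 * outcomes below are constructed. */

#define MAX_ECUS 16

typedef struct {
    int  id;                /* ECU (ID) as listed in the rewrite specification data */
    int  group;             /* group the ECU belongs to; the list is in group order */
    bool install_succeeds;  /* constructed outcome of the installation */
} target_t;

typedef struct {
    int activated[MAX_ECUS];   int n_activated;
    int rolled_back[MAX_ECUS]; int n_rolled_back;
    int skipped[MAX_ECUS];     int n_skipped;
} result_t;

static void push(int *arr, int *n, int v) {
    if (*n < MAX_ECUS) arr[(*n)++] = v;
}

/* Stand-in for the CGW's installation instruction to a rewrite target ECU. */
static bool install_ecu(const target_t *t) { return t->install_succeeds; }

void cgw_run_campaign(const target_t *targets, int n, result_t *r) {
    int i = 0;
    memset(r, 0, sizeof *r);
    while (i < n) {
        int group = targets[i].group;
        int start = i;
        int last_instructed = i - 1;
        bool group_failed = false;

        /* Install each member of the group in specification order (S1403-S1407).
         * Assumption: once one member fails, the remaining members of that
         * group are not instructed at all. */
        for (; i < n && targets[i].group == group; i++) {
            if (group_failed) {
                push(r->skipped, &r->n_skipped, targets[i].id);
                continue;
            }
            last_instructed = i;
            if (!install_ecu(&targets[i]))
                group_failed = true;
        }

        if (group_failed) {
            /* Partial success inside a cooperative group counts as failure:
             * every member that was instructed is rolled back, the one that
             * failed included. The next group is still attempted. */
            for (int j = start; j <= last_instructed; j++)
                push(r->rolled_back, &r->n_rolled_back, targets[j].id);
        } else {
            /* Group boundary reached (S1405 / S1411): activate all members
             * of the completed group together (S1412 / S1418). */
            for (int j = start; j < i; j++)
                push(r->activated, &r->n_activated, targets[j].id);
        }
    }
}

/* Constructed campaign: two cooperative groups plus a third; ECU 12 fails. */
static const target_t sample_targets[] = {
    { 1, 1, true }, { 2, 1, true },
    {11, 2, true }, {12, 2, false}, {13, 2, true },
    {21, 3, true },
};

int sample_count(void) { return (int)(sizeof sample_targets / sizeof sample_targets[0]); }
const target_t *sample(void) { return sample_targets; }

int main(void) {
    result_t r;
    cgw_run_campaign(sample(), sample_count(), &r);
    printf("activated:");
    for (int k = 0; k < r.n_activated; k++) printf(" %d", r.activated[k]);
    printf("\nrolled back:");
    for (int k = 0; k < r.n_rolled_back; k++) printf(" %d", r.rolled_back[k]);
    printf("\nskipped:");
    for (int k = 0; k < r.n_skipped; k++) printf(" %d", r.skipped[k]);
    printf("\n");
    return 0;
}
```

With the constructed campaign, the first group (ID1, ID2) and the third group (ID21) are activated, ID11 and ID12 of the second group are rolled back because ID12 failed, and ID13 is never instructed; no ECU is ever left running a new version while a cooperating ECU in the same group runs the old one.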
(15) Rollback Execution Control Process
The rollback execution control process will be described with reference to
As illustrated in
In a case where an abnormality occurs in the system, when the center device 3 is notified of the abnormality in the system, the center device 3 notifies the CGW 13 of the program rewrite cancellation request via the DCM 12. The abnormality in the system is, for example, a case where a certain rewrite target ECU 19 succeeds in writing, but another rewrite target ECU 19 performing cooperative control with that rewrite target ECU 19 fails in writing. As mentioned above, when at least one of a plurality of rewrite target ECUs 19 performing cooperative control fails in writing, it is determined that the system is abnormal, and the center device 3 notifies the CGW 13, via the DCM 12, of the program rewrite cancellation request with respect to the rewrite target ECU 19 that has succeeded in writing. That is, the causes of generation of the cancellation request include an operation performed by the user and the occurrence of an abnormality in the system.
The rollback method specifying unit 86b specifies a rollback method for returning a state of the rewrite target ECU 19 to a state before writing of write data is initiated according to the memory type of the flash memory mounted on the rewrite target ECU 19 and the data type of write data of a new program or an old program. That is, the rollback method specifying unit 86b specifies whether the flash memory is a single-bank memory, a single-bank suspend memory, or a double-bank memory as the memory type of the rewrite target ECU 19, and specifies whether the write data is the entire data or difference data as the data type of the write data.
The rollback method specifying unit 86b specifies a first rollback process, a second rollback process, or a third rollback process according to the memory type and the data type. When the rollback method is specified by the rollback method specifying unit 86b, the rollback execution unit 86c instructs the rewrite target ECU 19 to perform rollback in accordance with the rollback method, and operates the rewrite target ECU 19 with the old program. That is, the rollback execution unit 86c performs rollback for returning an operation state of the rewrite target ECU 19 to a state before rewriting of the application program is initiated.
Next, an operation of the rollback execution control unit 86 in the CGW 13 will be described with reference to
(15-1) Rollback Method Specifying Process
When the rollback method specifying process is initiated, the CGW 13 analyzes the CGW rewrite specification data acquired from the DCM 12 (S1501), specifies a rollback method on the basis of an analysis result thereof (S1502), and finishes the rollback method specifying process. The CGW 13 acquires the memory type and the data type of a rollback program from the rewrite specification data illustrated in
That is, in a case where the flash memory of the rewrite target ECU 19 is a single-bank memory and the write data is the entire data, as a rollback method when a cancellation request is generated, the CGW 13 immediately stops distribution of the entire data, and specifies a method (first rollback process) in which data of the old application program is written into a rewrite area in the rewrite target ECU 19 to be rewritten into the old application program. The old application program (rollback rewrite data) for a single-bank memory is included in a distribution package along with an update program, and the CGW 13 distributes the old application program to the rewrite target ECU 19 in the same manner as in the new application program.
When the flash memory of the rewrite target ECU 19 is a single-bank memory and write data is difference data, as a rollback method when a cancellation request is generated, the CGW 13 continues distribution of the difference data, and specifies a method (second rollback process) in which the difference data is written into a rewrite area in the rewrite target ECU 19 to be rewritten into the new application program, then the difference data of the old application program is distributed, and the old data is written into the rewrite area in the rewrite target ECU 19 to be rewritten into the old application program.
In a case where write data is difference data, the rewrite target ECU 19 restores the new application program by using the current application program written in the flash memory and the difference data acquired from the CGW 13, and writes the new application program. In a state in which a different application program is written in the flash memory, the rewrite target ECU 19 cannot restore the new application program by using the difference data. Thus, in a single-bank memory, it is necessary to perform a process of rewriting data into the new application program. Here, for example, when a version of the current application program is 1.0 and a version of the new application program is 2.0, a rewrite program (rewrite data) is difference data for updating the version 1.0 to the version 2.0, and rollback rewrite data is difference data for updating the version 2.0 to the version 1.0.
When the flash memory of the rewrite target ECU 19 is a single-bank suspend memory or a double-bank memory, the CGW 13 continues distribution of write data, and specifies a method (third rollback process) in which, when an active bank is the bank-A and an inactive bank is the bank-B in the rewrite target ECU 19, the write data is written into the bank-B that is the inactive bank such that the new application program is installed, but switching of the active bank from bank-A to bank-B is suppressed.
(15-2) Cancellation Request Determination Process
When it is specified that rewriting of an application program is initiated in the rewrite target ECU 19, the CGW 13 initiates the cancellation request determination process, determines whether or not the rewriting of the application program has been completed (S1511), and determines whether or not a cancellation request has been generated (S1512). That is, as described above, the CGW 13 determines whether or not the cancellation request has been generated due to an operation performed by the user, the occurrence of abnormality in the system, or the like.
When it determines that the cancellation request is generated before the rewriting of the application program has been completed, that is, the cancellation request is generated during installation (S1512: YES), the CGW 13 specifies the rewrite target ECU 19 that is a rollback target (S1513). It is assumed that the rewrite target ECUs 19 belonging to the same group are the ECU (ID1), the ECU (ID2), and the ECU (ID3), the ECU (ID1) is a single-bank memory, the ECU (ID2) and the ECU (ID3) are double-bank memories, installation in the ECU (ID1) has been completed, and a cancellation request is generated during installation in the ECU (ID2). In this case, the CGW 13 determines whether or not rollback is required for all of the rewrite target ECUs 19 belonging to the first group in S1413.
The CGW 13 specifies the ECU (ID1) in which the entire application program is rewritten and the ECU (ID2) in which a part of the application program is rewritten as rollback targets. The CGW 13 determines the memory type of the flash memories of the rewrite target ECUs 19 that are the specified rollback targets, and determines whether each flash memory is a single-bank memory, a single-bank suspend memory, or a double-bank memory (S1514 and S1515). When it is determined that the flash memory is a single-bank memory (S1514: YES), the CGW 13 determines the data type of the rollback program, and determines whether the rollback write data is the entire data or difference data (S1516 and S1517).
When it is determined that the rollback write data is the entire data (S1516: YES), the CGW 13 proceeds to the first rollback process (S1518; corresponding to a rollback execution procedure). When the first rollback process is initiated, the CGW 13 immediately stops distribution of the write data that is the new program (S1531). The CGW 13 acquires the rollback write data (old program) that is the entire data from the DCM 12 and distributes the rollback write data to the rewrite target ECU 19. The rewrite target ECU 19 writes the data of the old application program acquired from the CGW 13 into the flash memory such that the data is rewritten into the old application program (S1532), finishes the first rollback process, and returns to the cancellation request determination process.
When it is determined that the rollback write data is difference data (S1517: YES), the CGW 13 proceeds to the second rollback process (S1519; corresponding to a rollback execution procedure). When the second rollback process is initiated, the CGW 13 continues distribution of write data that is a new program (S1541), restores the difference data in the rewrite target ECU 19, and writes the difference data into the flash memory such that the difference data is rewritten into the new application program (S1542). The CGW 13 distributes the write data of the old application program acquired from the DCM 12 to the rewrite target ECU 19 after rewriting into the new application program has been completed (S1543). The difference data that is the write data of the old application program is restored in the rewrite target ECU 19, and is written into the flash memory to be rewritten into the old application program (S1544), and the CGW 13 finishes the second rollback process and returns to the cancellation request determination process.
When it is determined that the rewrite target ECU 19 is a single-bank suspend memory ECU or a double-bank memory ECU (S1515: YES), the CGW 13 proceeds to the third rollback process (S1520; corresponding to a rollback execution procedure). In this case, the CGW 13 proceeds to the third rollback process regardless of the rewrite data type. When the third rollback process is initiated, the CGW 13 continues distribution of write data (S1551), and writes the write data into an inactive bank (bank-B) in the rewrite target ECU 19 such that the write data is rewritten into the new application program (S1552). The CGW 13 suppresses switching of an active bank from the old bank (active bank: bank-A) to the new bank (inactive bank: bank-B) (S1553), finishes the third rollback process, and returns to the cancellation request determination process. In addition to suppressing the switching of the active bank, the CGW 13 may roll back the inactive bank in which the version 2.0 is written to a state (for example, the version 1.0) before rewriting into the new application program, as illustrated in
When the CGW 13 returns to the cancellation request determination process, the CGW 13 determines whether or not the rollback process has been performed on all the rewrite target ECUs 19 that are the rollback targets (S1521). For example, in the exemplified case where the rewrite target ECUs 19 are the ECU (ID1), the ECU (ID2), and the ECU (ID3), first, the CGW 13 performs the first rollback process or the second rollback process on the single-bank memory ECU (ID1) in which installation was being performed, according to the rollback data type. Thereafter, the CGW 13 performs the third rollback process on the double-bank memory ECU (ID2) in which installation has been completed.
The CGW 13 performs the first rollback process or the second rollback process on the single-bank memory ECU (ID1) according to the rewrite data type. When it is determined that the rollback process has not been performed on all the rewrite target ECUs 19 that are the rollback targets (S1521: NO), the CGW 13 returns to step S1513 and repeatedly performs step S1513 and the subsequent steps. When it is determined that the rollback process has been performed on all the rewrite target ECUs 19 that are rollback targets (S1521: YES), the CGW 13 finishes the cancellation request determination process. The CGW 13 simultaneously instructs the ECU (ID1), the ECU (ID2), and the ECU (ID3) belonging to the first group on which the rollback process has been performed, to activate the old application programs. The ECU (ID1) having a single-bank memory switches to the old application program through restart. The ECU (ID2) and the ECU (ID3) having double-bank memories are started in the same active bank (bank-A) as before instead of the inactive bank (bank-B) in which the update program is written. When the user's intention changes and the program update is executed again, the new application program is written in the ECU (ID1) and the ECU (ID3). However, since the new application program has already been installed in the inactive bank of the ECU (ID2), writing is omitted.
When it is determined that rewriting of the application program has been completed without the cancellation request being generated (S1511: YES), the CGW 13 determines whether activation has been completed (S1522), and determines whether the cancellation request has been generated (S1523).
When it is determined that the cancellation request has been generated before completion of the activation, that is, the cancellation request has been generated during the activation (S1523: YES), the CGW 13 determines whether or not an activation instruction has reached the rewrite target ECU 19, and determines whether or not switching of the active bank has been completed (S1524).
When it is determined that the activation instruction has not reached the rewrite target ECU 19 and that the switching of the active bank is not completed (S1524: NO), the CGW 13 performs a fourth rollback process (S1525). It is assumed that the CGW 13 does not switch the active bank as the fourth rollback process. Alternatively, the CGW 13 may return the inactive bank to a state before rewriting into the new application program without switching the active bank. When the active bank is not switched, the CGW 13 uses a bank in which the version 1.0 is written as the active bank, and uses a bank in which the version 2.0 is written as the inactive bank, as illustrated in
When it is determined that the activation instruction has reached the rewrite target ECU 19 and switching of the active bank has been completed (S1524: YES), the CGW 13 performs a fifth rollback process. The completion of switching of the active bank indicates a state in which a bank in which the version 2.0 is written switches from the inactive bank to the active bank, and a bank of the version 1.0 switches from the active bank to the inactive bank, as illustrated in
As described above, the CGW 13 performs the rollback execution control process, and, thus, when a rewrite cancellation request is generated during rewriting of an application program, the CGW 13 returns an operation state of the rewrite target ECU 19 to a state before rewriting of the application program is initiated from the viewpoint of the user. Thus, all the rewrite target ECUs 19 belonging to the same group can be returned to original program versions together. Even in a case where difference data is used in the next program update, write data can be correctly restored.
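The rollback method specifying process (15-1) and the cancellation request determination process (15-2) above, modelled as an added Python example. This is not the patent's own code: the version labels "1.0" and "2.0", the field names, the representation of a single-bank rewrite area and of the two banks of a double-bank ECU, and the ECU (ID1)/(ID2)/(ID3) scenario (ID1 installed, ID2 half installed when the cancellation request arrives, ID3 not started) are assumptions built from the description.

```python
"""Rollback method selection (15-1) and rollback execution over one group of
rewrite-target ECUs (15-2), modelled in Python.  Constructed example: version
labels, field names and the ID1/ID2/ID3 scenario are assumptions."""
from dataclasses import dataclass, field

SINGLE_BANK, SINGLE_BANK_SUSPEND, DOUBLE_BANK = "single", "single_suspend", "double"
ENTIRE, DIFFERENCE = "entire", "difference"
FIRST, SECOND, THIRD = 1, 2, 3          # first/second/third rollback process


def specify_rollback_method(memory_type, data_type):
    """S1514-S1517: memory type and data type select the rollback process."""
    if memory_type == SINGLE_BANK:
        return FIRST if data_type == ENTIRE else SECOND
    if memory_type in (SINGLE_BANK_SUSPEND, DOUBLE_BANK):
        return THIRD                      # S1515: YES, regardless of data type
    raise ValueError(f"unknown memory type: {memory_type!r}")


@dataclass
class Ecu:
    ecu_id: str
    memory_type: str
    data_type: str
    old_version: str = "1.0"
    new_version: str = "2.0"
    rewrite_area: str = "1.0"             # single-bank: the only program image
    banks: dict = field(default_factory=lambda: {"A": "1.0", "B": None})
    active: str = "A"                     # double-bank: bank currently executed
    write_progress: float = 0.0           # fraction of new write data written
    log: list = field(default_factory=list)

    def inactive(self):
        return "B" if self.active == "A" else "A"

    def running_version(self):
        if self.memory_type == SINGLE_BANK:
            return self.rewrite_area
        return self.banks[self.active]


def rollback_targets(group):
    """S1513: every ECU whose rewrite area or inactive bank has been touched."""
    return [e for e in group if e.write_progress > 0.0]


def execute_rollback(ecu):
    """S1518/S1519/S1520: run the specified rollback process on one ECU."""
    method = specify_rollback_method(ecu.memory_type, ecu.data_type)
    if method == FIRST:
        ecu.log.append("S1531 stop distribution of new entire data")
        ecu.rewrite_area = ecu.old_version      # S1532 old program written whole
    elif method == SECOND:
        ecu.log.append("S1541 continue distributing new difference data")
        ecu.rewrite_area = ecu.new_version      # S1542 image must reach 2.0 first
        ecu.log.append("S1543 distribute old difference data 2.0 -> 1.0")
        ecu.rewrite_area = ecu.old_version      # S1544 applied on top of 2.0
    else:
        ecu.log.append("S1551 continue distributing into the inactive bank")
        ecu.banks[ecu.inactive()] = ecu.new_version   # S1552 install completes
        ecu.log.append("S1553 suppress switching of the active bank")
        ecu.write_progress = 1.0
        return method
    ecu.write_progress = 0.0
    return method


def cancel_during_install(group):
    """Cancellation request determination process after S1512: YES.
    Returns {ecu_id: rollback method} for every rollback target (S1521)."""
    return {e.ecu_id: execute_rollback(e) for e in rollback_targets(group)}


def activate_old(group):
    """Simultaneous instruction to start the old programs after rollback."""
    for e in group:
        if e.memory_type == SINGLE_BANK:
            e.log.append("restart with old program")            # area holds 1.0
        else:
            e.log.append(f"start from active bank {e.active}")  # no bank switch
    return [e.running_version() for e in group]


def ecus_needing_write_on_retry(group):
    """When the update runs again, a double-bank ECU whose inactive bank already
    holds the new program is skipped."""
    return [e.ecu_id for e in group
            if e.memory_type == SINGLE_BANK
            or e.banks[e.inactive()] != e.new_version]


def build_example_group(id1_data_type=ENTIRE):
    """Constructed scenario: ID1 installed, ID2 half installed when the
    cancellation request arrives, ID3 not started."""
    id1 = Ecu("ID1", SINGLE_BANK, id1_data_type, rewrite_area="2.0", write_progress=1.0)
    id2 = Ecu("ID2", DOUBLE_BANK, ENTIRE, write_progress=0.5)
    id3 = Ecu("ID3", DOUBLE_BANK, ENTIRE)
    return [id1, id2, id3]


if __name__ == "__main__":
    group = build_example_group()
    print(cancel_during_install(group))        # {'ID1': 1, 'ID2': 3}
    print(activate_old(group))                 # ['1.0', '1.0', '1.0']
    print(ecus_needing_write_on_retry(group))  # ['ID1', 'ID3']
```

The second rollback process deliberately drives the single-bank image to the new version before applying the old difference data, because a difference can only be restored against the exact image it was generated from; the third rollback process leaves the inactive bank holding the new program, which is why a later retry skips writing that ECU.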
(16) Rewrite Progress Situation Display Control Process
The rewrite progress situation display control process will be described with reference to
As illustrated in
The write instruction unit 87b distributes the second write data to the rewrite target ECU 19 and instructs the rewrite target ECU 19 to write the second write data. The notification instruction unit 87c gives an instruction for a notification of a progress situation related to rewriting of an application program. The notification instruction unit 87c gives an instruction for a notification of the progress situation related to rewriting of the application program in a first aspect while the second write data is being distributed by the write instruction unit 87b, and gives an instruction for a notification of the progress situation related to the rewriting of the application program in a second aspect when the cancellation detection unit 87a detects cancellation. When cancellation is detected by the cancellation detection unit 87a while the second write data is being distributed, the write instruction unit 87b continues distribution of the second write data.
The CGW 13 specifies rewriting of the application programs in the rewrite target ECU 19 by specifying an internal state of the rewrite target ECU 19, specifying an instruction from the center device 3, or specifying the user operation. When the rewriting of the application program is specified, the CGW 13 determines whether the rewriting is rewriting (installation) during the normal time or rewriting (uninstallation) during rollback. When it is determined whether the rewriting is rewriting during the normal time or rewriting is performed during rollback by specifying the internal state of the rewrite target ECU 19, specifying the instruction from the center device 3, and specifying the user operation, the CGW 13 calculates a progress situation of rewriting during the normal time or during rollback on the basis of the determination result, and instructs the display terminal 5 to display the calculated progress situation.
The CGW 13 instructs the display terminal 5 to display the progress situation during the normal time or the progress situation during rollback in accordance with the rewrite determination result indicating whether the rewriting is rewriting during the normal time or rewriting during rollback. The CGW 13 gives an instruction such that progress display indicating the progress situation of the rewriting during the normal time is displayed to be differentiated from progress display indicating the progress situation of the rewriting during rollback. That is, the CGW 13 displays the progress situation in the first aspect in a case of the rewriting during the normal time, and displays the progress situation in the second aspect different from the first aspect in a case of the rewriting during rollback. The CGW 13 differentiates the progress display during the normal time from the progress display during rollback by differentiating characters, items, colors, numerical values, flashing, and the like on a display screen between the normal time and the rollback time, as an aspect related to display when a progress situation is displayed. The CGW 13 differentiates progress display during the normal time from progress display during rollback by differentiating sounds, vibrations, and the like between the normal time and the rollback time, as an aspect other than the display at the time of displaying the progress display.
Next, an operation of the CGW 13 will be described with reference to
When a rewrite initiation signal indicating that rewriting of a program has been initiated in the rewrite target ECU 19 is received (when installation of the program is initiated in the rewrite target ECU 19), the CGW 13 initiates the rewrite progress situation display control process. When the rewrite progress situation display control process is initiated, the CGW 13 analyzes the CGW rewrite specification data, specifies the memory type and the write data type of the flash memory of the rewrite target ECU 19, and specifies the rewrite target ECU 19 during the normal time (S1601). When the memory type and the write data type of the flash memory of the rewrite target ECU 19, and a size of an update program are specified (S1602), the CGW 13 calculates a rewrite progress situation during the normal time according to the specified result, and gives an instruction for display of the rewrite progress situation during the normal time (S1603). The display terminal 5 displays the rewrite progress situation in a rewrite display aspect during the normal time in response to the instruction from the CGW 13.
The CGW 13 determines whether or not rewriting of the application program has been completed (S1604), and determines whether or not a cancellation request has been generated (S1605; corresponding to a cancellation detection procedure). The CGW 13 repeatedly performs S1604 and S1605, and updates and displays a progress situation at any time, for example, during installation in the rewrite target ECU (ID1).
When a rewrite completion signal indicating that the rewriting of the application program has been completed in the rewrite target ECU 19 is received, and it is determined that the rewriting of the application program has been completed without a cancellation request being generated (S1604: YES), the CGW 13 finishes the display of the rewrite progress situation during the normal state (S1606), and determines whether or not rewriting has been completed in all the rewrite target ECUs 19 (S1607). For example, when installation has been completed in the rewrite target ECU (ID1), the CGW 13 displays the progress situation of the ECU (ID1) as 100%. When it is determined that rewriting is not completed yet in all the rewrite target ECUs 19 (S1607: NO), the CGW 13 returns to step S1601 and repeatedly performs step S1601 and the subsequent steps. The CGW 13 performs progress display related to the rewrite target ECU (ID2) subjected to next installation, for example, after S1601.
When it is determined that the cancellation request has been generated before completion of rewriting of the application program (S1605: YES), the CGW 13 finishes the display of the rewrite progress situation during the normal time (S1608), and proceeds to a display control process during rollback (S1609; corresponding to a notification instruction procedure). Here, the cancellation request includes a cancellation request made by the user, and a cancellation request made by the system based on a failure in writing into the rewrite target ECU 19 or the like.
When the display control process during rollback is initiated, the CGW 13 specifies the rewrite target ECU 19 during rollback (S1611), and specifies the memory type of the flash memory of the rewrite target ECU 19 during rollback, and the data type and a size of a rollback program (S1612). The CGW 13 performs a process, for example, assuming that the rewrite target ECUs 19 belonging to the same group are the ECU (ID1), the ECU (ID2), and the ECU (ID3), installation has been completed in the ECU (ID1) and the ECU (ID2), and a cancellation request has been generated during installation in the ECU (ID3). In this case, the CGW 13 specifies whether or not rollback is required and a rollback method according to the memory type and the write data type of each rewrite target ECU 19.
The CGW 13 specifies the memory type and the write data type of the flash memory of the rewrite target ECU 19 that is a rollback target, and specifies whether or not rollback is required and a rollback method (the first rollback process in S1518, the second rollback process in S1519, and the third rollback process in S1520). The CGW 13 calculates a progress situation according to the specified result, displays the progress situation, and gives an instruction for display of a rewrite progress situation during rollback (S1613). An amount of write data in the CGW 13 differs depending on the first to third rollback processes. Thus, the CGW 13 determines a total amount of write data according to the first to third rollback processes, and calculates the progress (how much of the data has been written) on the basis of a ratio of an amount of written data. The CGW 13 determines whether or not rewriting as the rollback process of the application program has been completed (S1614).
The CGW 13 distributes the write data to the rewrite target ECU 19 until the rewriting as the rollback process has been completed, and repeatedly performs the above-described progress calculation and display instruction. In S1613, the CGW 13 displays the calculated progress situation in a display aspect during rollback. In S1614, the CGW 13 determines whether or not the rollback for the ECU (ID3) in which rewriting was being performed is normally completed.
When it is determined that the rollback for the rewrite target ECU 19 that is a rollback target has been completed (S1614: YES), the CGW 13 finishes displaying the rewrite progress situation during rollback (S1615). For example, the CGW 13 continues to display that rollback has been completed by 100% for the ECU (ID3). The CGW 13 determines whether or not rewriting during rollback has been completed in all rollback target ECUs 19 (S1616). When it is determined that rewriting during rollback is not completed for all the rollback target ECUs 19 (S1616: NO), the CGW 13 returns to step S1611 and repeatedly performs step S1611 and the subsequent steps.
For example, in a case where the ECU (ID1) in which installation has been completed is a single-bank memory, the CGW 13 displays the rewrite progress situation during rollback (S1613). On the other hand, for example, in a case where the ECU (ID2) in which installation has been completed is a double-bank memory and does not require rollback, the ECU (ID2) is excluded from a rewrite target during rollback. When the rollback for the ECU (ID3) and the ECU (ID1) has been completed, rewriting in the rewrite target ECUs 19 that are all rollback targets has been completed (S1616: YES), and the CGW 13 finishes the display control process during rollback.
In the above description, the CGW 13 performs the display control process during rollback, but the in-vehicle display ECU 7 or the center device 3 may be configured to perform the display control process during rollback while acquiring necessary information from the CGW 13. There may be a configuration in which the CGW 13 performs rewriting during rollback, progress calculation, and the like, and the in-vehicle display ECU 7 or the center device 3 performs display control during rollback. That is, there is no limitation to the configuration in which only the CGW 13 has the function of the display control device, and the function of the display control device may be distributed between the CGW 13 and the in-vehicle display ECU 7, or the function of the display control device may be distributed between the CGW 13 and the center device 3.
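The progress calculation of S1603 and S1613 and the exclusion of a double-bank ECU that needs no rollback (as in the ECU (ID2) case above), as an added Python example. It is not the patent's own code: the byte sizes, the colour and label scheme used to differentiate the first (normal) and second (rollback) display aspects, and the assumption that a rollback job records how much of the update program was written when the cancellation request arrived are all constructed for illustration.

```python
"""Rewrite progress during the normal time and during rollback (S1603, S1613).
Constructed example, not the patent's code: sizes, labels and colours are
assumptions; the rollback process (1, 2 or 3) is taken as already specified."""
from dataclasses import dataclass

FIRST, SECOND, THIRD = 1, 2, 3          # first/second/third rollback process


@dataclass
class RollbackJob:
    ecu_id: str
    method: int          # rollback process specified for this ECU
    new_size: int        # bytes of the update program (normal-time write data)
    new_written: int     # bytes of it written when the cancellation arrived
    old_size: int = 0    # bytes of rollback write data (old program or old diff)


def rollback_total(job):
    """Total amount of write data the CGW still distributes; it differs per
    rollback process, so the denominator of the progress ratio differs too."""
    if job.method == FIRST:              # stop new data, write whole old program
        return job.old_size
    if job.method == SECOND:             # finish new diff, then apply old diff
        return (job.new_size - job.new_written) + job.old_size
    if job.method == THIRD:              # finish writing into the inactive bank
        return job.new_size - job.new_written
    raise ValueError(f"unknown rollback process: {job.method}")


def progress_percent(written, total):
    """Ratio of written data to the total, clamped to 100."""
    if total <= 0:
        return 100
    return min(100, written * 100 // total)


def render(ecu_id, percent, rollback):
    """First aspect (normal time) and second aspect (rollback) are told apart
    by label and colour (constructed scheme)."""
    if percent >= 100:
        state = "rollback complete" if rollback else "waiting for activation"
    else:
        state = ("rollback rewrite in progress" if rollback
                 else "normal rewriting in progress")
    return {"ecu": ecu_id, "state": state,
            "colour": "amber" if rollback else "green", "percent": percent}


def progress_normal(job):
    """S1603: normal-time progress from the update program size."""
    return render(job.ecu_id, progress_percent(job.new_written, job.new_size), False)


def progress_during_rollback(job, rollback_written):
    """S1613: rollback progress against the process-specific total."""
    return render(job.ecu_id, progress_percent(rollback_written, rollback_total(job)), True)


def rollback_display_plan(jobs):
    """S1611/S1612: decide which ECUs are rollback rewrite targets.  A double-bank
    ECU whose installation already completed needs no rollback and is excluded."""
    plan = []
    for j in jobs:
        if j.method == THIRD and j.new_written >= j.new_size:
            plan.append((j.ecu_id, "excluded: no rollback required", None))
        else:
            plan.append((j.ecu_id, "rollback target", rollback_total(j)))
    return plan


def example_jobs():
    """Constructed scenario: ID1 single-bank installed (entire data), ID2
    double-bank installed, ID3 double-bank half installed at cancellation."""
    return [RollbackJob("ID1", FIRST, 1000, 1000, 1000),
            RollbackJob("ID2", THIRD, 1000, 1000),
            RollbackJob("ID3", THIRD, 1000, 500)]


if __name__ == "__main__":
    for entry in rollback_display_plan(example_jobs()):
        print(entry)
    print(progress_during_rollback(RollbackJob("ID3", SECOND, 400, 200, 300), 250))
```

Keeping the denominator tied to the rollback process matters for the user-facing display: under the second rollback process the bar must account for both the remaining new difference data and the old difference data, otherwise it would reach 100% while the ECU still holds the new program.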
Hereinafter, display of a rewrite progress situation will be described with reference to
The display terminal 5 displays the progress state as “waiting for synchronization instruction” for the rewrite target ECU 19 that completes rewriting of an application program and is waiting for a synchronization instruction for activating the update program, and displays the progress state as “normal rewriting” for the rewrite target ECU 19 that is rewriting an application program. The “waiting for synchronization instruction” may be displayed as “waiting for activation”. The “normal rewriting in progress” may be displayed as “installation in progress”.
When a cancellation request is generated in this state, for example, as illustrated in
When the CGW 13 prepares for rewriting during rollback, the display terminal 5 displays the entire progress situation as “rollback rewrite” as illustrated in
When rewrite during rollback is initiated, the CGW 13 displays the progress state of the rewrite target ECU 19 in a rewriting state as “rollback rewrite in progress (or uninstallation in progress)” as illustrated in
In a case where the rollback target ECU 19 is a single-bank memory ECU and the entire data is to be rewritten, the display terminal 5 causes the display of the progress graph to transition as illustrated in
For example, when a cancellation request is generated in a stage in which normal rewriting has been completed up to “50%” (
When the rollback target ECU 19 is a single-bank memory ECU and difference data is to be rewritten, the display terminal 5 causes the display of the progress graph to transition as illustrated in
For example, when a cancellation request is generated in a stage in which normal rewriting (installation) has been completed up to “50%” (
In this case, as illustrated in
As illustrated in
In a case where the rollback target ECU 19 is a single-bank suspend memory ECU or a double-bank memory ECU, as illustrated in
For example, when a cancellation request is generated in a stage in which normal rewriting (installation) has been completed up to “50%” (
As described above, since the rewrite progress situation display control process is performed, the display terminal 5 displays a progress situation in a display aspect of differentiating rewriting of an application program between rewriting (installation) during the normal time and rewriting (uninstallation) during rollback on the basis of the rollback process. The user can recognize that rollback is in progress by receiving cancellation of an update program. Although the configuration of displaying a progress state for each rewrite target ECU 19 has been described above, as illustrated in
(17) Difference Data Consistency Determination Process
The difference data consistency determination process will be described with reference to
As illustrated in
The difference data acquisition unit 103a acquires difference data that is used to rewrite a data storage area of an electronic control unit which is the rewrite target ECU 19 and that indicates a difference between old data and new data. The consistency determination unit 103b determines whether or not the difference data is consistent with a data storage area or stored data on the basis of first determination information related to the stored data that is stored in the data storage area of the flash memory and second determination information acquired in a manner linked to the difference data. For example, the first determination information is a data verification value for the stored data, and the second determination information is a data verification value for old data or a data verification value for new data. The write data restoration unit 103c restores write data by using the difference data and the stored data when it is determined by the consistency determination unit 103b that the consistency of the difference data is positive, and does not restore the write data when it is determined by the consistency determination unit 103b that the consistency of the difference data is negative. When the write data is restored by the write data restoration unit 103c, the data writing unit 103d stores the restored write data into the data storage area. The data verification value calculation unit 103e calculates a data verification value for each of blocks obtained by dividing the stored data into one or more blocks. The data verification value calculation unit 103e acquires the data verification value for each block received along with the difference data.
The rewrite specification data acquisition unit 103f acquires the rewrite specification data corresponding thereto in the CGW rewrite specification data from the CGW 13. The data identification information acquisition unit 103g acquires data identification information stored in the difference data and data identification information of an old application program that is the old data. The data identification information is information for identifying whether or not the difference data is data for the ECU, and is, for example, data calculated by applying a predetermined algorithm to the old data.
The rewrite bank information acquisition unit 103h acquires rewrite bank information stored in the rewrite specification data acquired from the CGW 13 and rewrite bank information of the old application program that is old data. The rewrite bank information is information indicating which bank of the flash memory is to be written with the difference data that is the write data. In a case where the rewrite target ECU 19 is a double-bank memory or a single-bank suspend memory, the bank-A or the bank-B is designated. In a case where the rewrite target ECU 19 is a single-bank memory, the rewrite bank information is not used. When the difference data distributed from the CGW 13 is received by the write data receiving unit 101, the consistency determination unit 103b determines the consistency of the difference data by using at least one of the data identification information, the data verification value, and the rewrite bank information.
Next, an operation of the difference data consistency determination unit 103 in the rewrite target ECU 19 will be described with reference to
The rewrite target ECU 19 determines whether or not the data identification information of the first determination information matches the data identification information of the second determination information, and whether or not the rewrite bank information of the first determination information matches the rewrite bank information of the second determination information (S1703). When it is determined that the data identification information of the first determination information does not match the data identification information of the second determination information, or the rewrite bank information of the first determination information does not match the rewrite bank information of the second determination information (S1703: NO), the rewrite target ECU 19 determines that the write data is improper, notifies the CGW 13 of error information, and finishes the difference data consistency determination process.
When it is determined that the data identification information of the first determination information matches the data identification information of the second determination information and that the rewrite bank information of the first determination information matches the rewrite bank information of the second determination information (S1703: YES), the rewrite target ECU 19 collates the data verification value of the first determination information with the data verification value of the new data of the second determination information, and determines whether or not both of the data verification values match each other (S1704; corresponding to a consistency determination procedure). When it is determined that both of the data verification values do not match each other (S1704: NO), the rewrite target ECU 19 collates the data verification value of the first determination information with the data verification value of the old data of the second determination information, and determines whether both of the data verification values match each other (S1705; corresponding to a consistency determination procedure).
When it is determined that both of the data verification values match each other (S1705: YES), the rewrite target ECU 19 restores write data (S1706; corresponding to a write data restoration procedure), writes the restored write data into the flash memory (S1707; corresponding to a data write procedure), and determines whether or not writing of the entire write data has been completed (S1708). When it is determined that writing of the entire write data has not been completed (S1708: NO), the rewrite target ECU 19 returns to step S1703 and repeatedly performs step S1703 and the subsequent steps. When it is determined that writing of the entire write data has been completed (S1708: YES), the rewrite target ECU 19 finishes the difference data consistency determination process.
When it is determined that the data verification value of the first determination information does not match the data verification value of the new data of the second determination information (S1704: NO), and it is determined that the data verification value of the first determination information does not match the data verification value of the old data of the second determination information (S1705: NO), the rewrite target ECU 19 determines whether or not the writing is for the first block (S1709).
When it is determined that the writing is for the first block (S1709: YES), the rewrite target ECU 19 proceeds, since writing for the first block has not been completed, to determine whether or not writing of the entire write data has been completed (S1708). When it is determined that the writing is not for the first block, that is, the writing is for the second block or a subsequent block (S1709: NO), the rewrite target ECU 19 retries the writing (S1710), and then determines whether or not writing of the entire write data has been completed (S1708).
A description will be made of a case where the rewrite target ECU 19 is a single-bank memory ECU with reference to
When the data verification value is used as determination information, the rewrite target ECU 19 computes a CRC value for each block of the program stored in the flash memory, collates the CRC value (CRC (B1 to Bn)) for the old data and the CRC value (CRC (B1′ to Bn′)) for the new data attached to the received difference data with the computed CRC value, and determines the consistency of the difference data. When no new program has yet been written in the flash memory, the received CRC value for the old data matches the computed CRC value in all blocks. In a case where writing is stopped in a state in which the new program has been written up to m (< n) blocks of the flash memory, and the writing is resumed, the computed CRC value matches the CRC value (CRC (B1′ to Bn′)) of the new data in the blocks 1 to m, and thus the rewrite target ECU 19 skips the write process (S1706 and S1707) for those blocks. The rewrite target ECU 19 performs the write process (S1706 and S1707) from the block m+1 onward after confirming a match with the CRC value (CRC (B1 to Bn)) for the old data.
Data identification information (new) of the new program (new data) and a CRC value (CRC (B1′ to Bn′)) for each block may be attached to the difference data. The rewrite target ECU 19 writes the difference data into the flash memory, stores the data identification information (new) together with it when the new program is installed, and uses the stored data identification information for the consistency determination in the next program update. When installation of the new program is completed, the rewrite target ECU 19 reads the new program written in the flash memory block by block, computes a CRC value, compares it with the CRC value attached to the difference data, and verifies whether or not the new program has been correctly written.
A description will be made of a case where the rewrite target ECU 19 is a double-bank memory ECU with reference to
It is assumed that the bank-A of the flash memory is an active bank and has the version 2.0, the bank-B thereof is an inactive bank and has the version 1.0, and the difference data is difference data (difference data between the version 1.0 and the version 3.0) for updating the bank-B to the version 3.0. The difference data distributed from the CGW 13 is attached with data identification information (information indicating old (version 1.0)), a CRC value calculated for each block of the old data (old program (version 1.0)), and a CRC value computed for each block of the new data (new program (version 3.0)).
The rewrite specification data includes rewrite bank information indicating into which bank of the flash memory the difference data for the rewrite target ECU 19 is to be written. In a case where the rewrite bank information is used as determination information, the rewrite target ECU 19 collates the rewrite bank information acquired from the rewrite specification data with inactive bank information (bank-B) of the rewrite target ECU 19, and determines the consistency of the difference data. In a case where the data identification information is used as determination information, the rewrite target ECU 19 collates the data identification information (old (version 1.0)) attached to the difference data with the data identification information (old) of the old program (version 1.0) stored in the inactive bank (bank-B) of the flash memory, and determines the consistency of the difference data. In a case where the data verification value is used as determination information, the rewrite target ECU 19 computes a CRC value for each block of the old program (version 1.0) stored in the inactive bank (bank-B) of the flash memory, collates the CRC value (CRC (B1 to Bn)) attached to the difference data with the computed CRC value, and determines the consistency of the difference data.
In the examples illustrated in
In
As described above, the rewrite target ECU 19 performs the difference data consistency determination process, thus writes write data generated on the basis of the difference data only in a case where the consistency of the difference data is positive, and prevents a situation in which write data generated on the basis of the difference data is written in a case where the consistency of the difference data is negative. For example, in a case where difference data to be written into the bank-A is included in a distribution package for the rewrite target ECU 19 in which the bank-B of the flash memory is not an inactive bank, inconsistency can be detected before the difference data is written into the flash memory. In a case where difference data for other ECUs or difference data of which version is inconsistent is included in a distribution package as difference data for the rewrite target ECU, inconsistency can be detected before the difference data is written into the flash memory.
In a case where the rewrite target ECU 19 stops and then resumes writing of the write data, the rewrite target ECU 19 determines the consistency of the difference data on the basis of the data verification value for the stored data in the flash memory, and the data verification value of the old data and the data verification value of the new data associated with the received difference data. The rewrite target ECU 19 may determine the consistency of the difference data on the basis of the data verification value for the stored data and the verification value of the received new data, and may determine the consistency of the difference data on the basis of the data verification value for the stored data and the data verification value of the received old data from the final block for which a determination result is negative.
The rewrite target ECU 19 skips writing of the write data at least up to the preceding block of the final block for which the consistency of the difference data is determined as being negative, and resumes writing of the write data from the final block or the subsequent block of the final block. In a case where a block size is same as a data size of a write area for the write data, since writing of the write data has been completed up to the final block, it is sufficient to skip writing to the final block and resume writing from the final block. On the other hand, in a case where the block size is not the same as the data size of the write area for the write data, writing of the write data may be stopped in the final block, and thus it is necessary to resume writing from the final block.
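The determination process of S1703 to S1710, together with the block-wise CRC skip-and-resume behaviour and the post-installation check described above, is carried through below as an added example in C. It is not code from the page or from the system it describes. The difference data format (each block of the new program is the old block XORed with the difference block), CRC-32 as the data verification value, four 8-byte blocks, the RAM copy of the restored block that the S1710 retry writes again, the retry cap, and the treatment of a first-block mismatch as an error exit rather than a return to S1703 are all assumptions made for the example; the sample programs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of S1703..S1710 with per-block CRC skip/resume (added example,
 * not the page's code). Assumed: XOR difference blocks, CRC-32 as the data
 * verification value, four 8-byte blocks, a RAM copy of the restored block. */
#define BLOCK_SIZE 8
#define NUM_BLOCKS 4
enum { BANK_A = 0, BANK_B = 1 };
typedef enum { CONSIST_OK = 0, ERR_ID_OR_BANK = 1, ERR_BLOCK_MISMATCH = 2 } result_t;

typedef struct {                      /* first determination information (received) */
    uint32_t data_id, new_data_id;    /* id of the old program / id stored after install */
    int rewrite_bank;                 /* from the rewrite specification data */
    uint32_t crc_old[NUM_BLOCKS];     /* CRC(B1..Bn) of the old program */
    uint32_t crc_new[NUM_BLOCKS];     /* CRC(B1'..Bn') of the new program */
    uint8_t diff[NUM_BLOCKS][BLOCK_SIZE];
} diff_package_t;
typedef struct {                      /* second determination information + flash */
    uint32_t stored_data_id;
    int inactive_bank, single_bank;   /* single_bank: rewrite bank information unused */
    uint8_t flash[NUM_BLOCKS][BLOCK_SIZE];
    int writes, retries, fault_block; /* fault_block: first write of that block fails once */
} ecu_t;

static uint32_t crc32_block(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int b = 0; b < 8; b++) c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return ~c;
}
/* S1707: simulated flash write; an injected fault leaves a half-written block. */
static int flash_write(ecu_t *e, int blk, const uint8_t *data) {
    if (e->fault_block == blk) { e->fault_block = -1; memset(e->flash[blk], 0xA5, BLOCK_SIZE); return -1; }
    memcpy(e->flash[blk], data, BLOCK_SIZE);
    e->writes++;
    return 0;
}

result_t apply_difference(ecu_t *e, const diff_package_t *p) {
    uint8_t write_data[BLOCK_SIZE] = {0};
    int restored_blk = -1, blk = 0;  /* restored_blk: block whose write data is held in RAM */
    while (blk < NUM_BLOCKS) {                                          /* S1708 loop */
        if (p->data_id != e->stored_data_id ||                          /* S1703 */
            (!e->single_bank && p->rewrite_bank != e->inactive_bank))
            return ERR_ID_OR_BANK;                                      /* error information to CGW */
        uint32_t crc = crc32_block(e->flash[blk], BLOCK_SIZE);
        if (crc == p->crc_new[blk]) { blk++; continue; }               /* S1704 YES: already written */
        if (crc == p->crc_old[blk]) {                                   /* S1705 YES */
            for (int i = 0; i < BLOCK_SIZE; i++)                        /* S1706 restore */
                write_data[i] = e->flash[blk][i] ^ p->diff[blk][i];
            restored_blk = blk;
            flash_write(e, blk, write_data);                            /* S1707, re-checked next pass */
            continue;
        }
        /* S1709: neither CRC matches. Only a block this ECU itself began writing is
         * retried (S1710); anything else means the difference data is improper. */
        if (restored_blk != blk || e->retries >= 3) return ERR_BLOCK_MISMATCH;
        e->retries++;
        flash_write(e, blk, write_data);
    }
    e->stored_data_id = p->new_data_id;   /* used by S1703 in the next update */
    return CONSIST_OK;
}
/* After installation: every block must match the CRC attached to the difference data. */
int verify_new_program(const ecu_t *e, const diff_package_t *p) {
    for (int b = 0; b < NUM_BLOCKS; b++)
        if (crc32_block(e->flash[b], BLOCK_SIZE) != p->crc_new[b]) return 0;
    return 1;
}

/* Constructed sample programs (old and new) and scenarios; state is kept in globals
 * so the outcome can be inspected after a run. */
static const uint8_t OLD_PROG[NUM_BLOCKS][BLOCK_SIZE] = {
    {1,2,3,4,5,6,7,8}, {9,10,11,12,13,14,15,16}, {17,18,19,20,21,22,23,24}, {25,26,27,28,29,30,31,32} };
static const uint8_t NEW_PROG[NUM_BLOCKS][BLOCK_SIZE] = {
    {1,2,3,4,5,6,7,9}, {9,10,11,12,13,14,15,17}, {0xFF,18,19,20,21,22,23,24}, {25,26,27,28,0,0,0,0} };
static ecu_t g_ecu;
static diff_package_t g_pkg;
enum { SC_FRESH, SC_RESUME_AFTER_2, SC_FAULT_ON_BLOCK_2, SC_WRONG_ID, SC_CORRUPT_FIRST, SC_WRONG_BANK };

result_t run_scenario(int which) {
    memset(&g_pkg, 0, sizeof g_pkg);
    g_pkg.data_id = 0x0100; g_pkg.new_data_id = 0x0300; g_pkg.rewrite_bank = BANK_B;
    for (int b = 0; b < NUM_BLOCKS; b++) {
        g_pkg.crc_old[b] = crc32_block(OLD_PROG[b], BLOCK_SIZE);
        g_pkg.crc_new[b] = crc32_block(NEW_PROG[b], BLOCK_SIZE);
        for (int i = 0; i < BLOCK_SIZE; i++) g_pkg.diff[b][i] = OLD_PROG[b][i] ^ NEW_PROG[b][i];
    }
    memset(&g_ecu, 0, sizeof g_ecu);
    g_ecu.stored_data_id = 0x0100; g_ecu.inactive_bank = BANK_B; g_ecu.fault_block = -1;
    memcpy(g_ecu.flash, OLD_PROG, sizeof OLD_PROG);
    switch (which) {
    case SC_RESUME_AFTER_2: memcpy(g_ecu.flash, NEW_PROG, 2 * BLOCK_SIZE); break; /* stopped after m = 2 */
    case SC_FAULT_ON_BLOCK_2: g_ecu.fault_block = 2; break;
    case SC_WRONG_ID: g_pkg.data_id = 0x0200; break;          /* diff made for another version */
    case SC_CORRUPT_FIRST: g_ecu.flash[0][0] ^= 0x80; break;  /* stored data matches neither CRC */
    case SC_WRONG_BANK: g_pkg.rewrite_bank = BANK_A; break;   /* bank-A is the active bank here */
    default: break;
    }
    return apply_difference(&g_ecu, &g_pkg);
}
int last_writes(void) { return g_ecu.writes; }
int last_retries(void) { return g_ecu.retries; }
int last_install_verified(void) { return verify_new_program(&g_ecu, &g_pkg); }
```

The scenarios exercise the cases the text singles out: a resumed write skips the blocks that already carry the new program, a block that was interrupted mid-write (matching neither CRC) is retried only because the ECU itself restored it, and a package whose data identification or rewrite bank information does not match is rejected before a single block is written. Note that a CRC only detects corruption and mismatched versions; it does not authenticate the difference data, so this check complements rather than replaces the package verification performed elsewhere in the system.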
(18) Rewrite Execution Control Process
The rewrite execution control process will be described with reference to
As illustrated in
Next, an operation of the rewrite execution control unit 104 in the ECU 19 will be described with reference to
(18-1) Normal Operation Process
The rewrite target ECU 19 initiates the normal operation process when the rewrite target ECU 19 transitions from the stop state or the sleep state to the start state due to turning-on of the IG power or the like. When the normal operation process is initiated, the rewrite target ECU 19 specifies a start bank on the basis of start bank determination information regarding the bank-A and the bank-B (S1801), and is started in the start bank (S1802). The rewrite target ECU 19 verifies the integrity of a program stored in the start bank (active bank), and determines whether the start bank is positive (S1803).
When it is determined that a verification result of the integrity of the start bank is negative, and it is determined that the start bank is negative (S1803: NO), the rewrite target ECU 19 transmits error information indicating that the verification result of the integrity of the start bank is negative to the CGW 13 (S1804), and finishes the normal operation process. When the error information is received from the rewrite target ECU 19, the CGW 13 transmits the error information to the DCM 12. When the error information is received from the CGW 13, the DCM 12 uploads the received error information to the center device 3. That is, when it is determined that the verification result of the integrity of the start bank is negative in the rewrite target ECU 19, the CGW 13, the DCM 12, and the center device 3 are notified of this fact.
When it is determined that the verification result of the integrity of the start bank is positive, and it is determined that the start bank is positive (S1803: YES), the rewrite target ECU 19 verifies the integrity of the program stored in the rewrite bank (inactive bank), and determines whether or not the rewrite bank is positive (S1805).
When it is determined that a verification result of the integrity of the rewrite bank is negative, and it is determined that a verification result of the rewrite bank is negative (S1805: NO), the rewrite target ECU 19 transmits error information indicating that the verification result of the integrity of the rewrite bank is negative to the CGW 13 (S1806). When the error information is received from the rewrite target ECU 19, the CGW 13 transmits the error information to the DCM 12. When the error information is received from the CGW 13, the DCM 12 uploads the received error information to the center device 3. That is, when it is determined that the verification result of the integrity of the rewrite bank is negative in the rewrite target ECU 19, the CGW 13, the DCM 12, and the center device 3 are notified of this fact.
The integrity verification process described above is executed by a boot program before an application program is executed. When the integrity verification is finished, the rewrite target ECU 19 specifies a location address of the boot vector table (S1807), specifies a location address of the normal time vector table (S1808), specifies a leading address of the application program (S1809), executes the application program, and finishes the normal operation process.
(18-2) Rewrite Operation Process
When a rewrite request is received from the CGW 13, the rewrite target ECU 19 initiates the rewrite operation process. When the rewrite operation process is initiated, the rewrite target ECU 19 performs authentication with the CGW 13 by using a security access key (S1811). When it is determined that an authentication result is positive (S1812: YES), the rewrite target ECU 19 waits for write data to be received (S1813). When it is determined that the write data has been received from the CGW 13 (S1813: YES), the rewrite target ECU 19 rewrites an application program located in a rewrite bank (inactive bank) while executing an application program located in a start bank (active bank) (S1814).
It is determined whether or not rewriting of the application program has been completed (S1815), and, when it is determined that rewriting of the application program has been completed (S1815: YES), the rewrite target ECU 19 determines whether or not verification is positive (S1816). When it is determined that the verification is positive (S1816: YES), the rewrite target ECU 19 sets a rewrite completion flag to “OK” (S1817). The verification is verification of the integrity of the application program written in the inactive bank.
The rewrite target ECU 19 determines whether or not an activation request has been received from the CGW 13 (S1818). When it is determined that the activation request has been received from the CGW 13 (S1818: YES), the rewrite target ECU 19 increments, for example, a numerical value of start bank information regarding the rewrite bank, and thus updates the start bank information regarding the rewrite bank (S1819). That is, update to information indicating that the rewrite target ECU will be started in the rewrite bank thereafter is performed. It is determined whether or not a version read signal has been received from the CGW 13 (S1820), and, when it is determined that the version read signal has been received (S1820: YES), the rewrite target ECU 19 transmits, to the CGW 13, version information regarding the active bank, version information regarding the inactive bank, and identification information for specifying which bank is the active bank (S1821), and finishes the rewrite operation process. Here, the rewrite target ECU 19 may execute all of the processes from S1811 to S1821 according to the application program in the active bank (old bank) before switching. The rewrite target ECU 19 may execute the processes from S1811 to S1819 according to the application program in the active bank (old bank) before switching, and may be restarted after performing S1819, to execute the processes from S1820 to S1821 according to the application program in the active bank (new bank) after switching.
(18-3) Information Notification Process
The rewrite target ECU 19 initiates the information notification process when the rewrite target ECU 19 transitions from the stop state or the sleep state to the start state, or when, for example, the IG power is turned on or a notification request is received from the CGW 13. When the information notification process is initiated, the rewrite target ECU 19 notifies the CGW 13 of identification information for uniquely specifying an application program and parameter data related to an active bank or an inactive bank and identification information for uniquely specifying a place where the active bank or the inactive bank is located on the memory. That is, the rewrite target ECU 19 acquires start bank information regarding a start bank (S1831), and transmits the start bank information to the CGW 13 (S1832). The rewrite target ECU 19 transmits, to the CGW 13, information indicating which of the bank-A and the bank-B is the start bank, version information of the start bank, and the like as the start bank information.
When the transmission of the start bank information to the CGW 13 has been completed, the rewrite target ECU 19 acquires rewrite bank information (hereinafter, also referred to as bank information) regarding the rewrite bank (S1833), and transmits the acquired rewrite bank information to the CGW 13 (S1834). The rewrite target ECU 19 transmits, to the CGW 13, information indicating which bank of the bank-A and the bank-B is the rewrite bank, version information of the rewrite bank, and the like as the rewrite bank information. When transmission of the rewrite bank information to the CGW 13 has been completed, the rewrite target ECU 19 transmits identification information for specifying location addresses of the start bank and the rewrite bank on the memory to the CGW 13 (S1835), and finishes the information notification process. The rewrite target ECU 19 transmits, to the CGW 13, for example, an initiation address and an end address of the bank-A and an initiation address and an end address of the bank-B in the flash memory as the identification information for specifying addresses.
(18-4) Rewrite Program Verification Process
When the rewrite program verification process is initiated, the rewrite target ECU 19 determines whether or not identification information for specifying an address for executing a rewrite program has been acquired (S1841). When it is determined that the identification information for specifying the address for executing the rewrite program has been acquired (S1841: YES), the rewrite target ECU 19 determines whether or not the identification information matches the start bank information of the rewrite target ECU 19 (S1842). Specifically, the rewrite target ECU 19 determines whether or not the bank information indicating the start bank in the start bank information matches the identification information.
When it is determined that the identification information matches the start bank information of the rewrite target ECU 19 (S1842: YES), the rewrite target ECU 19 acquires the rewrite program (S1843), and determines whether or not identification information for specifying an address for rewriting the application program has been acquired (S1844). Here, in a case of an embedded type configuration in which the rewrite program is embedded in the flash memory in advance, in S1843, the rewrite target ECU 19 acquires a write program in the start bank from the flash memory and executes the write program on the RAM. In a case of a download type configuration in which the rewrite program is not embedded in the flash memory in advance but is downloaded from the outside, in S1843, the rewrite target ECU 19 downloads the rewrite program to the RAM and executes the rewrite program.
When it is determined that the identification information for specifying the address for rewriting the application program has been acquired (S1844: YES), the rewrite target ECU 19 determines whether or not the identification information matches the start bank information of the rewrite target ECU 19 (S1845). Specifically, the rewrite target ECU 19 determines whether or not bank information indicating the non-start bank in the start bank information matches the identification information. When it is determined that the identification information matches the start bank information of the ECU 19 (S1845: YES), the rewrite target ECU 19 rewrites the application program (S1846), and finishes the rewrite program verification process.
When it is determined that the identification information does not match the start bank information of the rewrite target ECU 19 (S1842: NO), or it is determined that the identification information does not match the start bank information of the rewrite target ECU 19 (S1845: NO), the rewrite target ECU 19 determines that the application program or the parameter data is not executable in the active bank or the inactive bank, transmits a negative acknowledgement to the CGW 13 (S1847), and finishes the rewrite program verification process. For example, in the case of a double-bank memory ECU in which the bank-A of the flash memory is an active bank and the bank-B is an inactive bank, an address for executing a rewrite program is an address of the bank-A that is the active bank, and an address for rewriting an application program is an address of the bank-B that is the inactive bank.
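The normal operation process (S1801 to S1806), the rewrite operation process with activation (S1811 to S1821) and the rewrite program verification process (S1841 to S1847) above all act on the same double-bank state, so they are modelled together in the following added example in C. It is not code from the page or from the system it describes. The bank address map, the rule that the bank with the larger start bank information value is started (the page only says the value of the rewrite bank is incremented at activation; here it is set strictly larger than the active bank's), CRC-32 as the integrity value, and the toy seed/key transform standing in for the security access key are assumptions; the sample ECU contents are constructed. A CRC detects corruption and an incomplete write but does not authenticate an image, which is why the text's authentication step (S1811) precedes any write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of a double-bank ECU's rewrite execution control (added example, not the
 * page's code): start bank selection and boot-time integrity verification
 * (S1801..S1806), authenticated rewrite of the inactive bank with activation
 * (S1811..S1819), version read (S1821) and the rewrite program address check
 * (S1842/S1845). Assumed: the address map, "larger counter wins" as the start
 * bank rule, CRC-32 as the integrity value and a toy seed/key transform. */
#define BANK_SIZE 64
#define BANK_SPAN 0x10000u
enum { BANK_A = 0, BANK_B = 1 };
enum { BOOT_OK = 0, ERR_START_BANK = 1, ERR_REWRITE_BANK = 2 };
enum { RW_OK = 0, RW_AUTH_FAILED = 11, RW_VERIFY_FAILED = 12, RW_NACK = 13 };

typedef struct {
    uint32_t start_counter;    /* start bank determination information */
    uint32_t version;
    uint8_t program[BANK_SIZE];
    uint32_t stored_crc;       /* written together with the program */
} bank_t;
typedef struct {
    bank_t bank[2];
    int start_bank;            /* fixed at S1801 */
    int rewrite_complete_flag; /* S1817 */
    uint32_t security_key;     /* shared with the CGW */
} ecu_t;

static uint32_t crc32_calc(const uint8_t *d, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int b = 0; b < 8; b++) c = (c & 1u) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return ~c;
}
static int bank_ok(const bank_t *b) { return crc32_calc(b->program, BANK_SIZE) == b->stored_crc; }
static uint32_t bank_base(int bank) { return bank == BANK_A ? 0u : BANK_SPAN; }   /* assumed map */
static int addr_in_bank(uint32_t a, int bank) { return a >= bank_base(bank) && a < bank_base(bank) + BANK_SPAN; }

/* S1801..S1806: the boot program verifies both banks before any application runs. */
int ecu_boot(ecu_t *e) {
    e->start_bank = e->bank[BANK_B].start_counter > e->bank[BANK_A].start_counter ? BANK_B : BANK_A;
    if (!bank_ok(&e->bank[e->start_bank])) return ERR_START_BANK;              /* S1804: app not started */
    return bank_ok(&e->bank[1 - e->start_bank]) ? BOOT_OK : ERR_REWRITE_BANK;  /* S1806: reported only */
}
/* S1841..S1847: the rewrite program must run from the start bank and the
 * application must be rewritten in the non-start bank; anything else is NACKed. */
int rewrite_program_check(const ecu_t *e, uint32_t exec_addr, uint32_t rewrite_addr) {
    if (!addr_in_bank(exec_addr, e->start_bank)) return RW_NACK;         /* S1842: NO */
    if (!addr_in_bank(rewrite_addr, 1 - e->start_bank)) return RW_NACK;  /* S1845: NO */
    return RW_OK;
}
/* Placeholder for the security access key derivation (S1811); not a recommendation. */
static uint32_t expected_key(uint32_t seed, uint32_t secret) {
    uint32_t x = seed ^ secret;
    return (x << 7) | (x >> 25);
}
/* S1811..S1819: authenticate, write the inactive bank while the active one keeps
 * running, verify, then on activation make the rewritten bank win at S1801. */
int ecu_rewrite(ecu_t *e, uint32_t seed, uint32_t key, const uint8_t *img, uint32_t img_crc,
                uint32_t version, int activate) {
    if (key != expected_key(seed, e->security_key)) return RW_AUTH_FAILED;      /* S1812: NO */
    int target = 1 - e->start_bank;
    if (rewrite_program_check(e, bank_base(e->start_bank), bank_base(target)) != RW_OK) return RW_NACK;
    bank_t *b = &e->bank[target];                                               /* S1814 */
    memcpy(b->program, img, BANK_SIZE); b->stored_crc = img_crc; b->version = version;
    e->rewrite_complete_flag = bank_ok(b);                                      /* S1816/S1817 */
    if (!e->rewrite_complete_flag) return RW_VERIFY_FAILED;
    if (activate) b->start_counter = e->bank[e->start_bank].start_counter + 1;  /* S1819 */
    return RW_OK;
}
/* S1821: version information of both banks and which one is active. */
void ecu_version_read(const ecu_t *e, uint32_t *active, uint32_t *inactive, int *active_bank) {
    *active_bank = e->start_bank;
    *active = e->bank[e->start_bank].version;
    *inactive = e->bank[1 - e->start_bank].version;
}

/* Constructed sample ECU: bank-A version 2.0 active, bank-B version 1.0 inactive. */
ecu_t g_ecu;
static void fresh_ecu(ecu_t *e) {
    memset(e, 0, sizeof *e);
    e->security_key = 0xC0FFEE01u;
    memset(e->bank[BANK_A].program, 0x22, BANK_SIZE); memset(e->bank[BANK_B].program, 0x11, BANK_SIZE);
    for (int i = 0; i < 2; i++) e->bank[i].stored_crc = crc32_calc(e->bank[i].program, BANK_SIZE);
    e->bank[BANK_A].version = 20; e->bank[BANK_A].start_counter = 2;
    e->bank[BANK_B].version = 10; e->bank[BANK_B].start_counter = 1;
}
/* Update to version 3.0 (optionally with a wrong key or a corrupted image), then restart.
 * Returns an RW_* failure code, or the boot status after the restart. */
int demo_update(int wrong_key, int corrupt_image, int activate) {
    fresh_ecu(&g_ecu);
    if (ecu_boot(&g_ecu) != BOOT_OK) return ERR_START_BANK;
    uint8_t v3[BANK_SIZE]; memset(v3, 0x33, BANK_SIZE);
    uint32_t crc = crc32_calc(v3, BANK_SIZE);   /* CRC distributed with the image */
    if (corrupt_image) v3[5] ^= 1;              /* image damaged before it reaches flash */
    uint32_t seed = 0x12345678u;
    uint32_t key = expected_key(seed, g_ecu.security_key) ^ (wrong_key ? 1u : 0u);
    int r = ecu_rewrite(&g_ecu, seed, key, v3, crc, 30, activate);
    return r != RW_OK ? r : ecu_boot(&g_ecu);
}
int active_bank(void) { return g_ecu.start_bank; }
uint32_t active_version(void) { return g_ecu.bank[g_ecu.start_bank].version; }
uint32_t inactive_version(void) { uint32_t a, i; int b; ecu_version_read(&g_ecu, &a, &i, &b); return i; }
int boot_again(void) { return ecu_boot(&g_ecu); }
```

Two behaviours worth noticing: a rewrite that passes authentication but fails verification leaves the inactive bank unusable, which the next boot reports as a rewrite bank error while still starting the intact active bank, and a rewrite without activation leaves the ECU running the old version even though the new one is fully written, exactly the separation between installation and activation that the installation instruction process relies on.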
As illustrated in
The rewrite target ECU 19 performs (18-2) the rewrite operation process described above in response to the CGW 13 performing an installation instruction process. Here, the installation instruction process performed by the CGW 13 will be described.
When the installation instruction process is initiated, the CGW 13 identifies the rewrite specification data (S1851), and determines whether installation during parking is designated for all of the rewrite target ECUs 19, installation during vehicle traveling is designated for all of the rewrite target ECUs 19, or installation is designated for each memory type of the rewrite target ECU 19 (S1852 to S1854).
When it is determined that the installation during parking is designated for all of the rewrite target ECUs 19 (S1852: YES), the CGW 13 instructs the rewrite target ECU 19 to perform the installation on the condition that an approval for the installation has been obtained and the vehicle is parked (S1855). When it is determined that the installation during vehicle traveling is designated for all of the rewrite target ECUs 19 (S1853: YES), the CGW 13 instructs the rewrite target ECU 19 to perform the installation on condition that an approval for the installation has been obtained and the vehicle is traveling (S1856).
When it is determined that the installation is designated for each memory type of the rewrite target ECU 19 (S1854: YES), the CGW 13 determines whether the memory type is a double-bank memory, or a single-bank suspend memory or a single-bank memory on the basis of the rewrite specification data (S1857 and S1858).
When it is determined that the memory type of the rewrite target ECU 19 is the double-bank memory and satisfies a first predetermined condition (S1857: YES), the CGW 13 instructs the rewrite target ECU 19 to perform the installation on the condition that an approval for the installation has been obtained and the vehicle is traveling (S1859). When it is determined that the memory type of the rewrite target ECU 19 is the single-bank suspend memory or the single-bank memory and satisfies a second predetermined condition (S1858: YES), the CGW 13 instructs the rewrite target ECU 19 to perform the installation on the condition that an approval for the installation has been obtained and the vehicle is parked (S1860).
It is determined whether or not the installation has been completed in all of the rewrite target ECUs 19 (S1861), and, when it is determined that the installation has not been completed in all of the rewrite target ECUs 19 (S1861: NO), the CGW 13 returns to step S1851 and repeatedly performs step S1851 and the subsequent steps.
That is, when the rewrite target ECU 19 is a double-bank memory ECU, the CGW 13 gives an instruction for the installation while the vehicle is ready to travel. The double-bank memory ECU is instructed to perform the installation from the CGW 13 while the vehicle is ready to travel, and thus performs the installation while the vehicle is ready to travel (corresponding to an installation execution procedure). When the rewrite target ECU 19 is a single-bank suspend memory ECU or a single-bank memory ECU, the CGW 13 gives an instruction for the installation during parking. The single-bank suspend memory ECU or the single-bank memory ECU is instructed to perform the installation during parking from the CGW 13 and thus performs the installation during parking (corresponding to an installation execution procedure).
When it is determined that the installation has been completed in all of the rewrite target ECUs 19 (S1861: YES), it is determined whether or not the vehicle is parked (S1862), and, when it is determined that the vehicle is parked (S1862: YES), the CGW 13 instructs the rewrite target ECU 19 to perform activation while the vehicle is parked (S1863), and finishes the installation instruction process. The rewrite target ECU 19 is instructed to perform the activation from the CGW 13 while the vehicle is parked, and thus performs the activation (corresponding to an activation execution procedure).
As described above, the rewrite target ECU 19 performs the rewrite execution control process, and thus executes a rewrite program in an active bank and rewrites an inactive bank while an application program in the active bank is being executed in a configuration having a plurality of data storage banks. A period in which an application program is rewritable is not limited to a parking state, and the application program can be rewritten during vehicle traveling. When the rewrite target ECU 19 is a double-bank memory ECU, the rewrite target ECU 19 is instructed to perform installation from the CGW 13 while the vehicle is ready to travel, and can thus perform the installation while the vehicle is ready to travel. When the rewrite target ECU 19 is a single-bank suspend memory ECU or a single-bank memory ECU, the rewrite target ECU 19 is instructed to perform installation during parking from the CGW 13, and can thus perform the installation during parking.
(19) Session Establishment Process
The session establishment process will be described with reference to
As illustrated in
The application execution unit 105a controls the first program, the second program, and the third program to be executable simultaneously (performs non-exclusive control). The application execution unit 105a makes, for example, the vehicle control program, the wired diagnosis program, and the wireless diagnosis program executable simultaneously. That is, the application execution unit 105a can simultaneously execute vehicle control, wired diagnosis of the ECU 19, and wireless diagnosis of the ECU 19. Similarly, the application execution unit 105a performs control such that the vehicle control program, the wired diagnosis program, and the wireless rewrite program can be executed simultaneously, the vehicle control program, the wired rewrite program, and the wireless diagnosis program can be executed simultaneously, and the vehicle control program, the wired rewrite program, and the wireless rewrite program can be executed simultaneously.
On the other hand, the application execution unit 105a performs exclusive control such that the respective programs in the second program cannot be executed simultaneously. Similarly, the application execution unit 105a performs exclusive control such that the respective programs in the third program cannot be executed simultaneously. The application execution unit 105a subjects, for example, the wired diagnosis program and the wired rewrite program to exclusive control, and subjects the wireless diagnosis program and the wireless rewrite program to exclusive control. That is, the application execution unit 105a executes only one program in the wired special processes. Similarly, the application execution unit 105a executes only one program in the wireless special processes.
In other words, it may be said that the wireless rewrite program is located inside the wireless diagnosis program and is embedded as a part of the wireless diagnosis program. That is, with the configuration in which the wireless rewrite program is located in the wireless diagnosis program, the application execution unit 105a performs control such that the wireless rewrite program is executed while continuing execution of the vehicle control program and the wired diagnosis program when a state transition is made from a default session or a wireless diagnosis session to a wireless rewrite session as will be described later while executing the vehicle control program and the wired diagnosis program. The application execution unit 105a initiates execution of the wireless rewrite program while continuing execution of the vehicle control program and the wired diagnosis program, and thus makes the vehicle control program, the wired diagnosis program, and the wireless rewrite program executable simultaneously. That is, the application execution unit 105a performs control such that vehicle control, wired diagnosis of the ECU 19, and wireless rewriting of an application program can be executed simultaneously.
Here, a situation occurs in which wired diagnosis, wireless diagnosis, wired rewriting, and wireless rewriting cannot be executed simultaneously depending on specific contents of a diagnosis process and a rewrite process. For example, in a case where wired rewriting and wireless rewriting are rewriting of the same area, both of the processes collide with each other. Thus, the application execution unit 105a performs exclusive control on the wired diagnosis program and the wireless diagnosis program according to specific contents of a process or a request, and performs exclusive control on the wired rewrite program and the wireless rewrite program. Normal vehicle control may not be continued depending on contents of the diagnosis process. For example, in a case of the diagnosis process in which the ECU is operated and an operation result is read, the diagnosis process cannot be executed simultaneously with the normal vehicle control. In this case, the application execution unit 105a performs arbitration control of causing the vehicle control program to wait and executing the wired or wireless diagnosis program.
On the other hand, in a case where the wired rewrite program is not located in the application area but is located in the boot area as the fourth program, the application execution unit 105a performs arbitration control which is partially different from the above-described arbitration control. The wired rewrite program is located as the fourth program outside the wired diagnosis program as indicated by a broken line in
As illustrated in
As a state transition of the first state, the application execution unit 105a performs exclusive state transition among the default session in which vehicle control is possible in accordance with the diagnosis communication standard, the wired diagnosis session in which wired diagnosis of the ECU 19 is possible from the outside of the vehicle, and the wired rewrite session in which rewriting of an application program acquired from the outside of the vehicle in a wired manner is possible. The exclusive state transition of the session indicates that the sessions cannot be established simultaneously, and the non-exclusive state transition of the session indicates that the sessions can be established simultaneously.
The default session in the first state is a mode indicating a state in which the wired special process is not performed, and is a state in which vehicle control can be executed. It may also be said that the default session is a mode in which a process that does not influence the vehicle control at all, for example, a diagnosis program that is not related to the vehicle control, may be executed. The diagnosis program not related to the vehicle control is a program for reading information such as a trouble code. The wired diagnosis session is a mode of executing a diagnosis program related to diagnosis of the ECU 19. In a case of the occurrence of a state in which at least the vehicle control may be influenced by executing the diagnosis program, the default session transitions to the wired diagnosis session. The diagnosis program related to diagnosis of the ECU 19 is a program for performing communication stoppage, diagnosis masking, actuator driving, and the like. The wired rewrite session is a mode of rewriting an application program acquired from the outside of the vehicle in a wired manner.
The application execution unit 105a performs the session state transition in the first state as follows. When a wired diagnosis request is generated in a state of a first default session, the application execution unit 105a makes a transition from the first default session to the wired diagnosis session in response to a diagnosis session transition request, and executes a wired diagnosis process. The application execution unit 105a makes a transition from the wired diagnosis session to the first default session when a session return request is generated, a timeout is generated, the power is turned off, or a legal service is received in a state of the wired diagnosis session. When a wired rewrite request is generated in a state of the first default session, the application execution unit 105a makes a transition from the first default session to the wired diagnosis session in response to a diagnosis session transition request, then makes a transition from the wired diagnosis session to the wired rewrite session in response to a rewrite session transition request, and executes a wired rewrite process. The application execution unit 105a makes a transition from the wired rewrite session to the first default session when a session return request is generated, a timeout is generated, the power is turned off, or a legal service is received in a state of the wired rewrite session. The application execution unit 105a maintains the current session without making a transition in response to a session maintenance request.
As a state transition of the second state, the application execution unit 105a makes an exclusive state transition between a default session in which the vehicle control is possible in accordance with the diagnosis communication standard and a wireless rewrite session related to rewriting of an application program acquired from the outside of the vehicle in a wireless manner. The wireless rewrite session is a mode of rewriting an application program acquired from the outside of the vehicle in a wireless manner.
The application execution unit 105a performs the session state transition in the second state as follows. When a wireless rewrite request is generated in a state of a second default session, the application execution unit 105a makes a transition from the second default session to the wireless rewrite session in response to a rewrite session transition request, and executes a wireless rewrite process. The application execution unit 105a makes a transition from the wireless rewrite session to the second default session when a session return request is generated, a timeout occurs, or the power is turned off in a state of the wireless rewrite session. The application execution unit 105a maintains the current session without making a transition in response to a session maintenance request.
The application execution unit 105a manages the first state related to the wired special process and the second state related to the wireless special process while executing the vehicle control program as the first program. For example, when a wired diagnosis request is generated in the default session in both of the first state and the second state, the application execution unit 105a causes the first state to transition to the wired diagnosis session while continuing the vehicle control program, and initiates execution of the wired diagnosis program. In this state, when a wireless rewrite request is generated, the application execution unit 105a causes the second state to transition to the wireless rewrite session while continuing execution of the vehicle control program and the wired diagnosis program, and initiates execution of the wireless rewrite program. In this state, when a wired rewrite request is generated, the application execution unit 105a finishes, for example, the execution of the wireless rewrite program, causes the second state to transition to the default session, finishes the execution of the wired diagnosis program, causes the first state to transition to the wired rewrite session, and initiates execution of the wired rewrite program. The application execution unit 105a performs an exclusive state transition such that the wired rewrite session in the first state and the wireless rewrite session in the second state are not established simultaneously, in order to prevent write processes in the same memory area from colliding with each other (exclusive control).
The wireless rewrite request specifying unit 105b determines identification information regarding a rewrite request received from the outside, and specifies a wireless rewrite request. That is, when reprogramming data is downloaded from the center device 3 to the DCM 12, and the CGW 13 distributes the reprogramming data transferred from the DCM 12 to the rewrite target ECU 19, the wireless rewrite request specifying unit 105b specifies the wireless rewrite request by receiving the identification information indicating the wireless rewrite request from the CGW 13 along with the reprogramming data.
The wired rewrite request specifying unit 105c determines identification information regarding a rewrite request received from the outside, and specifies a wired rewrite request. That is, when the tool 23 is connected to the DLC connector 22, and the CGW 13 distributes reprogramming data transferred from the tool 23 to the rewrite target ECU 19, the wired rewrite request specifying unit 105c specifies the wired rewrite request by receiving the identification information indicating the wired rewrite request along with the reprogramming data from the CGW 13.
The identification information may be, for example, information corresponding to different identification IDs in the wired rewrite request and the wireless rewrite request, and may be information corresponding to the same identification ID but different data in the wired rewrite request and the wireless rewrite request. That is, any information may be used as long as the wired rewrite request and the wireless rewrite request can be differentiated from each other.
In the application execution unit 105a, in
In a case of the configuration illustrated in
In a case of the configuration illustrated in
In the wired diagnosis session in the first state and the wireless diagnosis session in the second state, the same diagnosis program may be executed or different diagnosis programs may be executed. In the wired rewrite session in the first state and the wireless rewrite session in the second state, the same rewrite program may be executed or different rewrite programs may be executed. For example, a common rewrite program such as erasure or writing for a memory may be executed.
Arbitration of each session in the first state and each session in the second state in the configurations illustrated in
In a case where the second state is the wireless rewrite session and the first state is the default session, the application execution unit 105a executes the wireless rewrite program while executing the vehicle control program. In a case where the second state is the wireless rewrite session and the first state is the wired diagnosis session, the application execution unit 105a simultaneously executes the wireless rewrite program and the wired diagnosis program while executing the vehicle control program.
On the other hand, in a case where the first state is the wired rewrite session and the second state is the default session, the application execution unit 105a finishes the vehicle control program and executes only the wired rewrite program. In a case where the first state is the wired rewrite session and the second state is the wireless diagnosis session, the application execution unit 105a finishes the wireless diagnosis program and the vehicle control program, and executes only the wired rewrite program. That is, the application execution unit 105a exclusively controls the first to third programs as a dedicated mode of executing only the wired rewrite program that is the fourth program.
In a configuration in which the wired diagnosis program and the wired rewrite program are located in the application area as the second program, the arbitration of each program is partially different from that in
Next, an operation of the above-described configuration will be described with reference to
When the microcomputer 33 is started by detecting the supply of power, the microcomputer 33 executes the session establishment program to perform a state transition management process, and performs a state transition management process of managing a state transition of the first state and a state transition management process of managing a state transition of the second state. Each state transition management process will be described below. Here, a description will be made of a case where the application execution unit 105a manages the second state by using the configuration illustrated in
(19-1) State Transition Management Process of First State
When the microcomputer 33 is started by detecting the supply of power, and initiates the state transition management process of the first state, the microcomputer 33 determines a rewrite completion flag, and determines whether or not rewriting of the previous application program has been completed normally (S1901). When it is determined that the rewrite completion flag is positive, and it is determined that rewriting of the previous application program has been completed normally (S1901: YES), the microcomputer 33 causes the first state to transition to the default session (S1902). That is, the microcomputer 33 causes the first state to transition to the default session, and thus initiates the vehicle control process.
When the vehicle control process is initiated by executing the vehicle control program, while executing the vehicle control process, the microcomputer 33 determines whether or not a wired diagnosis request has been generated (S1903), determines whether or not a wired rewrite request has been generated (S1904), and determines whether a completion condition for the state transition management is established (S1905). When it is determined that a wired diagnosis request has been generated (S1903: YES) while executing the vehicle control process, the microcomputer 33 causes the first state to transition from the default session to the wired diagnosis session (S1906), and executes the wired diagnosis program to initiate the wired diagnosis process (S1907). It is determined whether the completion condition for the wired diagnosis process is established (S1908), and, when it is determined that the completion condition for the wired diagnosis process is established (S1908: YES), the microcomputer 33 finishes the wired diagnosis program to finish the wired diagnosis process (S1909), and causes the first state to transition from the wired diagnosis session to the default session (S1910).
When it is determined that a wired rewrite request has been generated (S1904: YES) while executing the vehicle control process, the microcomputer 33 initiates an exclusive rewrite process at the time of generation of a wired rewrite request (S1911). That is, the process is a process for performing exclusive control such that the wired rewrite process and the wireless rewrite process do not collide with each other. When the exclusive rewrite process at the time of generation of the wired rewrite request is initiated, the microcomputer 33 determines whether or not a transition to the wireless rewrite session is in progress in the second state, that is, whether or not the second state is the wireless rewrite session (S1921). When it is determined that the transition to the wireless rewrite session is not in progress in the second state (S1921: NO), the microcomputer 33 specifies that the first state can transition to the wired rewrite session (S1922). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wired rewrite request, and returns to the state transition management process of the first state.
When it is determined that the transition to the wireless rewrite session is in progress in the second state (S1921: YES), the microcomputer 33 determines whether or not to perform exclusive control by giving priority to either the wired rewrite session or the wireless rewrite session. Specifically, the microcomputer 33 determines whether or not any of a wired rewrite session priority condition, a wireless rewrite session priority condition, and a rewrite session priority condition during transition is established (S1923 to S1925). The wired rewrite session priority condition is a condition that the wired rewrite session is prioritized over the wireless rewrite session. The wireless rewrite session priority condition is a condition that the wireless rewrite session is prioritized over the wired rewrite session. The rewrite session priority condition during transition is a condition that a rewrite session during transition is prioritized, that is, the session whose transition was performed earlier is prioritized. Which of these priority conditions is employed is set in advance; for example, a priority condition flag may be set for the vehicle, or the priority condition flag may be set for each rewrite target ECU.
When it is determined that the wired rewrite session priority condition is established (S1923: YES), the microcomputer 33 causes the second state to transition from the wireless rewrite session to the default session in response to a session return request, stops the wireless rewriting (S1926), and specifies that the first state can transition to the wired rewrite session (S1922). The microcomputer 33 finishes the wireless rewrite program in accordance with the transition to the default session. The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wired rewrite request, and returns to the state transition management process of the first state.
When it is determined that the wireless rewrite session priority condition is established (S1924: YES), the microcomputer 33 discards the wired rewrite request and continues the wireless rewriting (S1927). That is, the microcomputer 33 maintains the second state in the wireless rewrite session, continues to execute the wireless rewrite program, and specifies that the first state cannot transition to the wired rewrite session (S1928). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wired rewrite request, and returns to the state transition management process of the first state.
When it is determined that the rewrite session priority condition during transition is established (S1925: YES), also in this case, the microcomputer 33 discards the wired rewrite request and continues the wireless rewriting (S1927). That is, the microcomputer 33 maintains the second state in the wireless rewrite session, continues to execute the wireless rewrite program, and specifies that the first state cannot transition to the wired rewrite session (S1928). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wired rewrite request, and returns to the state transition management process of the first state. The microcomputer 33 executes the exclusive rewrite process at the time of generation of the wired rewrite request as mentioned above, and thus the wired rewrite session and the wireless rewrite session are exclusively controlled not to be established simultaneously.
When the microcomputer 33 returns to the state transition management process of the first state, the microcomputer 33 determines whether or not the first state can transition to the wired rewrite session as a result of the exclusive rewrite process at the time of generation of the wired rewrite request (S1912). When it is specified and thus determined that the first state can transition to the wired rewrite session through the exclusive rewrite process at the time of generation of the wired rewrite request (S1912: YES), the microcomputer 33 causes the first state to transition from the default session to the wired rewrite session via the wired diagnosis session (S1913), stops the vehicle control process, and initiates the wired rewrite process (S1914). The microcomputer 33 finishes the vehicle control program in accordance with the transition to the wired rewrite session.
It is determined whether the completion condition for the wired rewrite process is established (S1915), and, when it is determined that a completion condition for the wired rewrite process is established (S1915: YES), the microcomputer 33 finishes the wired rewrite process (S1916), and causes the first state to transition from the wired rewrite session to the default session (S1917). Here, the completion condition for the wired rewrite process is, for example, a case where writing of the entire application program has been completed and integrity verification is executed.
When it is specified and thus determined that the first state cannot transition to the wired rewrite session through the exclusive rewrite process at the time of generation of the wired rewrite request (S1912: NO), the microcomputer 33 does not cause the first state to transition from the default session to the wired rewrite session via the wired diagnosis session. That is, the microcomputer 33 maintains the first state in the default session. When it is determined that a completion condition for the state transition management is established (S1905: YES), the microcomputer 33 completes the state transition management process of the first state.
In the above description, a description has been made of a case where, when it is determined that a transition to the wireless rewrite session is in progress in the second state in the exclusive rewrite process at the time of generation of the wired rewrite request, and it is determined that the wired rewrite session priority condition is established, the microcomputer 33 stops the wireless rewriting in the second state, but the microcomputer 33 may determine whether or not to stop the wireless rewrite session according to a non-rewritten remaining amount in the wireless rewriting.
When it is determined that the transition to the wireless rewrite session is in progress in the second state (S1921: YES), and it is determined that the wired rewrite session priority condition is established (S1923: YES), the microcomputer 33 determines whether or not a non-rewritten remaining amount in the wireless rewriting is equal to or larger than a predetermined amount (for example, 20% or more) in the wireless rewrite session during the transition (S1931). When it is determined that the non-rewritten remaining amount in the wireless rewriting is equal to or larger than the predetermined amount (S1931: YES), the microcomputer 33 causes the second state to transition from the wireless rewrite session to the default session, and stops the wireless rewriting (S1926). The microcomputer 33 finishes the wireless rewrite program in accordance with the transition to the default session. When it is determined that the non-rewritten remaining amount of the wireless rewriting is not equal to or larger than the predetermined amount (S1931: NO), the microcomputer 33 discards the wired rewrite request and continues the wireless rewriting (S1927). That is, the microcomputer 33 stops the wireless rewrite session when the remaining time until completion of the wireless rewriting is relatively long, but does not stop and continues the wireless rewrite session when the remaining time until completion of the wireless rewriting is relatively short.
(19-2) State Transition Management Process of Second State
When the microcomputer 33 is started by detecting the supply of power, and initiates the state transition management process of the second state, the microcomputer 33 determines a rewrite completion flag, and determines whether or not rewriting of the previous application program has been completed normally (S1941). When it is determined that the rewrite completion flag is positive, and it is determined that rewriting of the previous application program has been completed normally (S1941: YES), the microcomputer 33 causes the second state to transition to the default session (S1942). That is, the microcomputer 33 causes the second state to transition to the default session, and thus executes the vehicle control program to initiate the vehicle control process.
When the vehicle control process is initiated, the microcomputer 33 determines whether or not a wireless rewrite request has been generated (S1943), and determines whether a completion condition for the state transition management is established (S1944). When it is determined that a wireless rewrite request has been generated (S1943: YES) while executing the vehicle control process, the microcomputer 33 initiates an exclusive rewrite process at the time of generation of a wireless rewrite request (S1944). When the exclusive rewrite process at the time of generation of the wireless rewrite request is initiated, the microcomputer 33 determines whether or not a transition to the wired rewrite session is in progress in the first state, that is, whether or not the first state is the wired rewrite session (S1961). When it is determined that the transition to the wired rewrite session is not in progress in the first state (S1961: NO), the microcomputer 33 specifies that the second state can transition to the wireless rewrite session (S1962). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wireless rewrite request, and returns to the state transition management process of the second state.
When it is determined that the transition to the wired rewrite session is in progress in the first state (S1961: YES), the microcomputer 33 determines whether or not to perform exclusive control by giving priority to either the wired rewrite session or the wireless rewrite session. Specifically, the microcomputer 33 determines whether or not any of a wireless rewrite session priority condition, a wired rewrite session priority condition, and a rewrite session priority condition during transition is established (S1963 to S1965).
When it is determined that the wireless rewrite session priority condition is established (S1963: YES), the microcomputer 33 causes the first state to transition from the wired rewrite session to the default session in response to a session return request, stops the wired rewriting (S1966), and specifies that the second state can transition to the wireless rewrite session (S1962). The microcomputer 33 finishes the wired rewrite program in accordance with the transition to the default session. The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wireless rewrite request, and returns to the state transition management process of the second state.
When it is determined that the priority condition for the wired rewrite session is established (S1964: YES), the microcomputer 33 discards the wireless rewrite request and continues the wired rewriting (S1967). That is, the microcomputer 33 maintains the first state in the wired rewrite session, continues execution of the wired rewrite program, and specifies that the second state cannot transition to the wireless rewrite session (S1968). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wireless rewrite request, and returns to the state transition management process of the second state.
When it is determined that the rewrite session priority condition during transition is established (S1965: YES), also in this case, the microcomputer 33 discards the wireless rewrite request and continues the wired rewriting (S1967). That is, the microcomputer 33 maintains the first state in the wired rewrite session, continues execution of the wired rewrite program, and specifies that the second state cannot transition to the wireless rewrite session (S1968). The microcomputer 33 finishes the exclusive rewrite process at the time of generation of the wireless rewrite request, and returns to the state transition management process of the second state. The microcomputer 33 executes the exclusive rewrite process at the time of generation of the wireless rewrite request as mentioned above, and thus the wired rewrite session and the wireless rewrite session are exclusively controlled not to be established simultaneously.
When the microcomputer 33 returns to the state transition management process of the second state, the microcomputer 33 determines whether or not the second state can transition to the wireless rewrite session as a result of the exclusive rewrite process at the time of generation of the wireless rewrite request (S1945). When it is specified and thus determined that the second state can transition to the wireless rewrite session through the exclusive rewrite process at the time of generation of the wireless rewrite request (S1945: YES), the microcomputer 33 causes the second state to transition from the default session to the wireless rewrite session (S1946), and executes the wireless rewrite program to initiate the wireless rewrite process (S1847). It is determined whether the completion condition for the wireless rewrite process is established (S1948), and, when it is determined that a completion condition for the wireless rewrite process is established (S1948: YES), the microcomputer 33 finishes the wireless rewrite process (S1949), and causes the second state to transition from the wireless rewrite session to the default session (S1950). The microcomputer 33 finishes the wireless rewrite program in accordance with the transition to the default session. Here, the completion condition for the wireless rewrite process is, for example, a case where writing of the entire application program has been completed and the integrity verification is executed.
When it is specified and thus determined that the second state cannot transition to the wireless rewrite session through the exclusive rewrite process at the time of generation of the wireless rewrite request (S1945: NO), the microcomputer 33 does not cause the second state to transition from the default session to the wireless rewrite session. That is, the microcomputer 33 maintains the second state in the default session. When it is determined that a completion condition for the state transition management is established (S1951: YES), the microcomputer 33 finishes the state transition management process of the second state.
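The exclusive rewrite arbitration of (19-1) and (19-2), written here as an added Python model that is not part of the patent text: the class and member names (SessionManager, FirstState, SecondState, Priority, remaining_threshold) are assumptions, and the optional remaining-amount variant of S1931 is modelled only on the wired-request side, as described above.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional


class FirstState(Enum):
    """First state: sessions of the wired special process."""
    DEFAULT = auto()
    WIRED_DIAGNOSIS = auto()
    WIRED_REWRITE = auto()


class SecondState(Enum):
    """Second state: sessions of the wireless special process."""
    DEFAULT = auto()
    WIRELESS_REWRITE = auto()


class Priority(Enum):
    """Priority condition flag, set in advance (assumed representation)."""
    WIRED = auto()        # wired rewrite session priority condition
    WIRELESS = auto()     # wireless rewrite session priority condition
    IN_PROGRESS = auto()  # rewrite session priority condition during transition


@dataclass
class SessionManager:
    priority: Priority
    # Variant of S1931: stop wireless rewriting only if at least this fraction
    # is still unwritten (the page's example is 20%). None = always stop.
    remaining_threshold: Optional[float] = None
    first: FirstState = FirstState.DEFAULT
    second: SecondState = SecondState.DEFAULT
    vehicle_control_running: bool = True
    wireless_remaining: float = 0.0  # unwritten fraction of the wireless rewrite
    log: List[str] = field(default_factory=list)

    def rewrite_sessions_exclusive(self) -> bool:
        """Invariant: wired and wireless rewrite sessions never coexist."""
        return not (self.first is FirstState.WIRED_REWRITE
                    and self.second is SecondState.WIRELESS_REWRITE)

    # ---- first state (wired special process) ----
    def wired_diagnosis_request(self) -> None:
        # Default -> wired diagnosis session; vehicle control keeps running.
        if self.first is FirstState.DEFAULT:
            self.first = FirstState.WIRED_DIAGNOSIS

    def wired_diagnosis_complete(self) -> None:
        if self.first is FirstState.WIRED_DIAGNOSIS:
            self.first = FirstState.DEFAULT

    def wired_rewrite_request(self) -> bool:
        """Exclusive rewrite process at generation of a wired rewrite request.
        Returns True when the first state enters the wired rewrite session,
        False when the wired request is discarded."""
        if self.first is FirstState.WIRED_REWRITE:
            return False
        if self.second is SecondState.WIRELESS_REWRITE:  # S1921: YES
            if self.priority is not Priority.WIRED:
                # Wireless priority or in-progress priority: discard (S1927).
                self.log.append("wired rewrite request discarded")
                return False
            if (self.remaining_threshold is not None
                    and self.wireless_remaining < self.remaining_threshold):
                # Wireless rewrite nearly done: let it finish (S1931: NO).
                self.log.append("wired rewrite request discarded (nearly done)")
                return False
            self._stop_wireless_rewrite()  # S1926
        # Default -> wired diagnosis -> wired rewrite; dedicated mode, so the
        # vehicle control program (and any wired diagnosis) is finished.
        self.first = FirstState.WIRED_REWRITE
        self.vehicle_control_running = False
        self.log.append("wired rewrite started")
        return True

    def wired_rewrite_complete(self) -> None:
        if self.first is FirstState.WIRED_REWRITE:
            self._stop_wired_rewrite()

    # ---- second state (wireless special process) ----
    def wireless_rewrite_request(self, remaining: float = 1.0) -> bool:
        """Exclusive rewrite process at generation of a wireless rewrite request."""
        if self.second is SecondState.WIRELESS_REWRITE:
            return False
        if self.first is FirstState.WIRED_REWRITE:  # S1961: YES
            if self.priority is not Priority.WIRELESS:
                self.log.append("wireless rewrite request discarded")  # S1967
                return False
            self._stop_wired_rewrite()  # S1966
        # Wireless rewrite runs in parallel with vehicle control / wired diagnosis.
        self.second = SecondState.WIRELESS_REWRITE
        self.wireless_remaining = remaining
        self.log.append("wireless rewrite started")
        return True

    def wireless_progress(self, remaining: float) -> None:
        self.wireless_remaining = remaining

    def wireless_rewrite_complete(self) -> None:
        if self.second is SecondState.WIRELESS_REWRITE:
            self._stop_wireless_rewrite()

    def _stop_wireless_rewrite(self) -> None:
        self.second = SecondState.DEFAULT  # return to default session
        self.wireless_remaining = 0.0

    def _stop_wired_rewrite(self) -> None:
        self.first = FirstState.DEFAULT    # default session: vehicle control resumes
        self.vehicle_control_running = True
```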
In the above description, a description has been made of a case where the application execution unit 105a can execute the program related to the wired special process and the program related to the wireless special process independently (simultaneously), but there may be a configuration in which the wired diagnosis program and the wireless diagnosis program are shared as illustrated in
As illustrated in
Also in this configuration, the application execution unit 105a initiates execution of the diagnosis program while executing the vehicle control program. The application execution unit 105a initiates execution of the wireless rewrite program or the wired rewrite program while executing the vehicle control program. On the other hand, the application execution unit 105a exclusively controls execution of the wired diagnosis program and the wireless diagnosis program, and exclusively controls execution of the wired rewrite program and the wireless rewrite program. That is, the application execution unit 105a exclusively controls execution of each program forming the second program.
Here, in a case where the wired rewrite program is located in the boot area as the third program, the application execution unit 105a exclusively controls execution of the third program and the first and second programs. That is, in a case where the wired rewrite program is executed, the first program and the second program are finished, and the ECU operates in a dedicated mode.
As illustrated in
Even when the wireless rewrite program is located inside the diagnosis program, the application execution unit 105a stops execution of the vehicle control program and the diagnosis program and then initiates execution of the wireless rewrite program when a state transition is made from the diagnosis session to the wireless rewrite session during execution of the vehicle control program and the diagnosis program. In a case where there is no session, the process can be continued.
When the wired rewrite program is located outside the diagnosis program, the application execution unit 105a stops execution of the vehicle control program and the wireless diagnosis program and initiates execution of the wired rewrite program when a state transition is made from the diagnosis session to the wired rewrite session during execution of the vehicle control program and the diagnosis program. That is, the application execution unit 105a performs control such that the vehicle control, the wired or wireless diagnosis of the ECU 19, and the wired rewriting of an application program cannot be executed simultaneously, and only the wired rewriting of the application program can be executed.
As described above, the ECU 19 performs the session establishment process, thus executes the state transition management process of the first state and the state transition management process of the second state, manages a state transition of each session of the first state and the second state, and non-exclusively establishes the default session or the wired diagnosis session of the first state and the wireless rewrite session of the second state. The vehicle control program or the diagnosis program for the ECU 19 and the wireless rewrite program are controlled to be executed non-exclusively in response to requests for the vehicle control or the diagnosis of the ECU 19 and the wireless rewriting of a program, and thus it is possible to appropriately arbitrate various requests from the outside.
In the ECU 19, the wired rewrite session and the wireless rewrite session are exclusively established. The wired rewrite program and the wireless rewrite program are controlled to be executed exclusively, and wired rewriting of the program and wireless rewriting of the program can be appropriately arbitrated.
In the ECU 19, when the wired rewrite session priority condition is established, the wired rewrite session is prioritized over the wireless rewrite session. The wired rewrite session priority condition is set, and thus wired rewriting of the program can be executed prior to wireless rewriting of the program. For example, wired rewriting of a program for which an instruction is given by a maintenance person in a dealer or the like can be executed prior to wireless rewriting of the program for which an instruction is given by a user of a vehicle.
In the ECU 19, the wireless rewrite session is prioritized over the wired rewrite session when the wireless rewrite session priority condition is established. The wireless rewrite session priority condition is set, and thus wireless rewriting of a program can be executed prior to wired rewriting of the program. For example, wireless rewriting of a program for which an instruction is given by a user of a vehicle can be executed prior to wired rewriting of the program for which an instruction is given by a maintenance person in a dealer or the like.
In the ECU 19, when the rewrite session priority condition during transition is established, a rewrite session during transition is prioritized. The rewrite session priority condition during transition is set, and thus rewriting during transition can be preferentially executed. That is, one of wired rewriting and wireless rewriting, which has been initiated earlier, can be continued without stoppage.
In a configuration having double-bank application areas, the vehicle control program, the diagnosis program, and the wireless rewrite program are located in each application area, and the vehicle control program or the diagnosis program and the wireless rewrite program are executed in parallel (simultaneously). A memory configuration of the flash memory 30d is devised, and thus the vehicle control program or the diagnosis program and the wireless rewrite program can be executed in parallel.
When a wireless rewrite request is specified during execution of the vehicle control program or the wired diagnosis program, execution of the vehicle control program or the wired diagnosis program is continued, and the wireless rewrite program is executed. When a wireless rewrite request is generated during execution of the vehicle control program or the wired diagnosis program, the vehicle control program or the wired diagnosis program and the wireless rewrite program can be executed in parallel (simultaneously).
When a vehicle control request or a wired diagnosis request is specified during execution of the wireless rewrite program, execution of the wireless rewrite program is continued, and the vehicle control program or the wired diagnosis program is executed. When a vehicle control request or a wired diagnosis request is generated during execution of the wireless rewrite program, the wireless rewrite program and the vehicle control program or the wired diagnosis program can be executed in parallel (simultaneously).
When a wired rewrite request is specified during execution of the vehicle control program or the wireless diagnosis program, execution of the vehicle control program or the wireless diagnosis program is stopped, and the wired rewrite program is executed. When a wired rewrite request is generated during execution of the vehicle control program or the wireless diagnosis program, only the wired rewrite program is executed, exclusively.
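The arbitration rules of the preceding paragraphs, written out as an added example in C; this is not the code of the patent or of the ECU 19 it describes. The session flags, the three-way priority selector (`PRIO_WIRED`, `PRIO_WIRELESS`, `PRIO_IN_PROGRESS` for the "rewrite session priority condition during transition") and the `ecu_request` function are constructed for illustration. The first state (default or wired diagnosis session) is modelled as one flag that survives a wireless rewrite request and is cleared by a wired one, which is the exclusive/non-exclusive split the text describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Requests arriving at the ECU from outside (constructed for this example). */
typedef enum { REQ_VEHICLE_CONTROL, REQ_WIRED_DIAG, REQ_WIRELESS_REWRITE, REQ_WIRED_REWRITE } request_t;

/* Which rewrite session priority condition is currently established. */
typedef enum { PRIO_WIRED, PRIO_WIRELESS, PRIO_IN_PROGRESS } priority_policy_t;

typedef enum { RES_ACCEPTED, RES_REJECTED } result_t;

typedef struct {
    bool first_state_running;   /* default session (vehicle control) or wired diagnosis session */
    bool wireless_rewrite;      /* second state: wireless rewrite session */
    bool wired_rewrite;         /* wired rewrite session, exclusive with everything else */
    priority_policy_t policy;
} ecu_sessions_t;

static void ecu_init(ecu_sessions_t *s, priority_policy_t policy)
{
    s->first_state_running = true;   /* the default session is up after boot */
    s->wireless_rewrite = false;
    s->wired_rewrite = false;
    s->policy = policy;
}

/* Decide whether an incoming rewrite request may preempt the rewrite session of the
   other kind that is already established. */
static bool incoming_rewrite_wins(const ecu_sessions_t *s, request_t incoming)
{
    switch (s->policy) {
    case PRIO_WIRED:       return incoming == REQ_WIRED_REWRITE;
    case PRIO_WIRELESS:    return incoming == REQ_WIRELESS_REWRITE;
    case PRIO_IN_PROGRESS: return false;   /* whichever rewrite started first continues */
    }
    return false;
}

/* Apply one request to the session state and report whether it was accepted. */
static result_t ecu_request(ecu_sessions_t *s, request_t req)
{
    switch (req) {
    case REQ_VEHICLE_CONTROL:
    case REQ_WIRED_DIAG:
        /* First-state sessions coexist with a wireless rewrite but not with a wired one. */
        if (s->wired_rewrite) return RES_REJECTED;
        s->first_state_running = true;
        return RES_ACCEPTED;

    case REQ_WIRELESS_REWRITE:
        if (s->wired_rewrite) {
            if (!incoming_rewrite_wins(s, req)) return RES_REJECTED;
            s->wired_rewrite = false;          /* the wired rewrite is stopped */
        }
        s->wireless_rewrite = true;            /* the first-state program keeps running alongside */
        return RES_ACCEPTED;

    case REQ_WIRED_REWRITE:
        if (s->wireless_rewrite) {
            if (!incoming_rewrite_wins(s, req)) return RES_REJECTED;
            s->wireless_rewrite = false;       /* the wireless rewrite is stopped */
        }
        s->first_state_running = false;        /* only the wired rewrite program runs */
        s->wired_rewrite = true;
        return RES_ACCEPTED;
    }
    return RES_REJECTED;
}

/* Helper: fresh ECU under `policy`, apply `first` then `second`, return the result of
   `second`; the final session state is left in *out. */
static result_t scenario(priority_policy_t policy, request_t first, request_t second, ecu_sessions_t *out)
{
    ecu_init(out, policy);
    (void)ecu_request(out, first);
    return ecu_request(out, second);
}

int main(void)
{
    ecu_sessions_t s;
    result_t r = scenario(PRIO_IN_PROGRESS, REQ_WIRELESS_REWRITE, REQ_WIRED_REWRITE, &s);
    printf("wired rewrite during wireless rewrite (in-progress priority): %s\n",
           r == RES_ACCEPTED ? "accepted" : "rejected");
    return 0;
}
```

The point worth noticing is that the only request that ever stops a running first-state program is a wired rewrite; a wireless rewrite is always layered beside vehicle control or diagnosis, which is what allows the double-bank configuration described below to keep the active bank executing while the inactive one is written.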
In a case of the reprogramming firmware embedded type in which reprogramming firmware is embedded, the rewrite program is executed by using the firmware located in the application area. It is possible to execute a rewrite process on an application program in an inactive bank without downloading the reprogramming firmware from the outside.
In a case of the reprogramming firmware download type in which reprogramming firmware is downloaded from the outside, the rewrite program is executed by using the firmware downloaded from the outside. It is possible to execute a rewrite process on an application program in an inactive bank after reducing a capacity of a rewrite program in the application area.
Although the double-bank memory having two tangible application areas has been described, the present embodiment is also applicable to a single-bank suspend memory or an external memory having two pseudo-application areas.
Although a description has been made of a case of difference rewriting in which new data is generated from old data and difference reprogramming data, the present embodiment is also applicable to a case of rewriting in which the entire new data is written by deleting old data.
Although a description has been made of a case where an application program of the ECU 19 is rewritten, the present embodiment is also applicable to a case of rewriting an application program of the CGW 13. That is, the flash memory 26d of the CGW 13 may have a double-bank configuration equivalent to that of the flash memory 30d of the ECU 19, and the microcomputer 26 may have a function equivalent to that of the microcomputer 33 of the ECU 19.
(20) Retry Point Specifying Process
The retry point specifying process will be described with reference to
In the ECU 19, the program rewriting unit 102 shares a series of processes related to rewriting of an application program among a plurality of rewrite programs. The program rewriting unit 102 includes a first rewrite program for performing a first process and a second rewrite program for performing a second process, and sequentially executes the respective rewrite programs. The first process performed by the first rewrite program is, for example, a memory erasure process of erasing data in the flash memory and a data write process for writing write data. The second process performed by the second rewrite program is, for example, a verification process and a falsification check process.
As illustrated in
When the program rewriting unit 102 executes the second rewrite program, the second process flag setting unit 106b determines whether or not the program rewriting unit 102 has completed the second process by using the second rewrite program, and sets a second process flag indicating the determination result. When it is determined that the program rewriting unit 102 has completed the second process, the second process flag setting unit 106b sets the second process flag to “OK”.
The retry point specifying unit 106c specifies a retry point when the program rewriting unit 102 retries rewriting of an application program according to the first process flag and the second process flag in a case where a part of the process related to the rewriting of the program is stopped. The retry point specifying unit 106c stores a write amount of update data until the stoppage, and requests the CGW 13 to transmit the update data on the basis of the stored write amount of the update data in a case where the process related to rewriting of the program is resumed. As illustrated in
Next, an operation of the retry point specifying unit 106 in the rewrite target ECU 19 will be described with reference to
(20-1) Process Flag Setting Process
When the process flag setting process is initiated, the rewrite target ECU 19 determines whether or not a pre-process before rewriting of an application program has been completed (S2001). When it is determined that the pre-process before rewriting of the application program has been completed (S2001: YES), the rewrite target ECU 19 sets the first process flag to “NG”, sets the second process flag to “NG”, and stores the set process flags (S2002; corresponding to a first process flag setting procedure and a second process flag setting procedure).
When write data is received from the CGW 13, the rewrite target ECU 19 initiates the first process (S2003) and determines whether or not the first process has been completed (S2004). When it is determined that the first process has been completed (S2004: YES), the rewrite target ECU 19 sets the first process flag to “OK” in a state in which the second process flag is still set to “NG”, and stores the set first process flag (S2005; corresponding to a first process flag setting procedure and a second process flag setting procedure). The rewrite target ECU 19 stores a write completion address indicating a portion where writing has been completed in the flash memory.
The rewrite target ECU 19 initiates the second process such as sending a write completion notification to the CGW 13 (S2006), and determines whether or not the second process has been completed (S2007). When it is determined that the second process has been completed (S2007: YES), the rewrite target ECU 19 sets the second process flag to “OK” and stores the set second process flag in a state in which the first process flag is still set to “OK” (S2008; corresponding to a first process flag setting procedure and a second process flag setting procedure), and finishes the process flag setting process.
(20-2) Process Flag Determination Process
When the rewrite target ECU 19 is started from the sleep state or the stop state, and the process flag determination process is initiated, the rewrite target ECU 19 is started by the boot program (S2011), and reads the first process flag and the second process flag from the flash memory and determines the flags (S2012 to S2015).
When it is determined that the first process flag is set to “NG” and the second process flag is set to “NG” (S2012: YES), the rewrite target ECU 19 specifies a retry point at the beginning of the first process, notifies the CGW 13 of a retry request from the beginning of the first process (S2016; corresponding to a retry point specifying procedure), and finishes the retry point specifying process. That is, the rewrite target ECU 19 requests the CGW 13 to distribute the write data. In this case, the rewrite target ECU 19 also notifies the CGW 13 of the write completion address read from the flash memory, and thus the CGW 13 specifies which of the write data to be divided and distributed will be distributed. When it is determined that the first process flag is set to “NG” and the second process flag is set to “OK” (S2013: YES), also in this case, the rewrite target ECU 19 specifies a retry point at the beginning of the first process (S2016; corresponding to a retry point specifying procedure), notifies the CGW 13 of a retry request from the beginning of the first process (S2017), and finishes the process flag determination process.
When it is determined that the first process flag is set to “OK” and the second process flag is set to “NG” (S2014: YES), the rewrite target ECU 19 specifies a retry point at the beginning of the second process (S2018; corresponding to a retry point specifying procedure), notifies the CGW 13 of a retry request from the beginning of the second process (S2019), and finishes the process flag determination process. The ECU 19 notifies the CGW 13 of, for example, up to which address the writing has been completed as the second process.
When it is determined that the first process flag is set to “OK” and the second process flag is set to “OK” (S2015: YES), the rewrite target ECU 19 notifies the CGW 13 of the completion of the process related to rewriting of the application program (S2020), and finishes the process flag determination process. When the CGW 13 distributes divided write data, the rewrite target ECU 19 sets the above-described retry point in the unit of the divided write data.
As described above, the rewrite target ECU 19 performs the retry point specifying process, thus sets the first process flag indicating whether or not the first process has been completed, sets the second process flag indicating whether or not the second process has been completed, and specifies a retry point according to the first process flag and the second process flag. For example, in a case where the first process has been completed, and the rewrite target ECU 19 is restarted in a state in which the second process is not completed, the same write data can be prevented from being written again.
The rewrite target ECU 19 stores a data amount of the write data of which writing has been completed, that is, how many bytes of the write data have been written, and, in a case where writing of the write data is resumed, requests the CGW 13 to transmit the write data from those bytes. Therefore, at the time of resuming the writing, the CGW 13 can avoid the waste of retransmitting write data that has already been transmitted, and the rewrite target ECU 19 can continue writing from the write area next to the write area in which the write data has already been written. A rewrite target ECU 19 that does not have the function of storing how many bytes of write data have been written requests the CGW 13 to transmit the write data from the leading write data in a case where writing of the write data is resumed.
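The process flag setting process (20-1) and the process flag determination process (20-2) together form one resume protocol, shown here as an added example in C; this is not the patent's or the ECU's own code. The `nv_flags_t` record stands in for the two flags and the write completion address that the text says are stored in flash, and `simulate` drives a divided write with a constructed power loss at a chosen point so that the boot-time decision (S2012 to S2020) can be seen for each flag combination. The function and field names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define FLAG_NG 0
#define FLAG_OK 1

/* What the ECU keeps in non-volatile memory across a reset (simulated as a struct that
   outlives our pretend "reboot"): the two process flags and the write-completion address. */
typedef struct {
    uint8_t  first_flag;           /* first process: erase + write */
    uint8_t  second_flag;          /* second process: verification + falsification check */
    uint32_t write_complete_addr;  /* bytes of write data already written */
} nv_flags_t;

typedef enum { RETRY_FROM_FIRST, RETRY_FROM_SECOND, REWRITE_COMPLETE } retry_point_t;

typedef struct { retry_point_t point; uint32_t resume_addr; } boot_result_t;

/* S2002: after the pre-process both flags are NG and nothing has been written yet. */
static void nv_begin_rewrite(nv_flags_t *nv)
{
    nv->first_flag = FLAG_NG;
    nv->second_flag = FLAG_NG;
    nv->write_complete_addr = 0;
}

/* Called after each divided chunk lands in flash; keeps the completion address current. */
static void nv_record_chunk(nv_flags_t *nv, uint32_t chunk_len) { nv->write_complete_addr += chunk_len; }

/* S2005: first process finished (second flag deliberately left NG). */
static void nv_first_done(nv_flags_t *nv) { nv->first_flag = FLAG_OK; }

/* S2008: second process finished (first flag still OK). */
static void nv_second_done(nv_flags_t *nv) { nv->second_flag = FLAG_OK; }

/* S2012-S2020: the boot program reads the flags and specifies the retry point. The
   resume address is reported in every case so the CGW 13 knows which divided write
   data to send next (S2016/S2017) or how far writing got (S2018/S2019). */
static retry_point_t boot_retry_point(const nv_flags_t *nv, uint32_t *resume_addr)
{
    *resume_addr = nv->write_complete_addr;
    if (nv->first_flag == FLAG_OK && nv->second_flag == FLAG_OK) return REWRITE_COMPLETE;
    if (nv->first_flag == FLAG_OK) return RETRY_FROM_SECOND;   /* OK / NG */
    /* NG / NG, and also the inconsistent NG / OK: both restart the first process, so a
       partially written image is never verified or activated on the strength of a stale flag. */
    return RETRY_FROM_FIRST;
}

/* Write `total` bytes in `chunk`-sized pieces. crash_after_chunks >= 0 cuts power after that
   many chunks; crash_before_second cuts power after S2005 but before S2008 (constructed faults). */
static boot_result_t simulate(uint32_t total, uint32_t chunk, int crash_after_chunks, bool crash_before_second)
{
    nv_flags_t nv;
    boot_result_t r;
    bool powered = true;
    int written = 0;

    nv_begin_rewrite(&nv);
    for (uint32_t off = 0; off < total; off += chunk) {
        if (crash_after_chunks >= 0 && written == crash_after_chunks) { powered = false; break; }
        nv_record_chunk(&nv, (total - off < chunk) ? (total - off) : chunk);
        written++;
    }
    if (powered) {
        nv_first_done(&nv);
        if (crash_before_second) powered = false;
        else nv_second_done(&nv);
    }
    /* Power returns: the process flag determination process runs from the boot program. */
    r.point = boot_retry_point(&nv, &r.resume_addr);
    return r;
}
```

With a 1000-byte image delivered in 256-byte pieces, a reset after two pieces yields `RETRY_FROM_FIRST` with a resume address of 512, so only the remaining 488 bytes are requested from the CGW 13; a reset between S2005 and S2008 yields `RETRY_FROM_SECOND`, so the verification and falsification check are repeated in full rather than the write.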
(21) Progress State Synchronization Control Process
The progress state synchronization control process will be described with reference to
As illustrated in
As illustrated in
When the user is riding in the vehicle, selects “approve execution of program update” on the in-vehicle display 7, and performs an operation for progress to the next phase, a user operation signal is transmitted from the in-vehicle display 7 to the CGW 13; the first progress state determination unit 88a specifies the operation performed by the user on the in-vehicle display 7 from that signal and determines a first progress state. In this case, selecting “approve execution of program update” corresponds to operating any one of the “download initiation” button 503a illustrated in
When the first progress state is determined by the first progress state determination unit 88a, the first progress state transmission unit 88b transmits the determined first progress state to the center device 3, and also transmits the determined first progress state to each in-vehicle display device such as the in-vehicle display 7. The second progress state acquisition unit 88c acquires a second progress state related to the rewriting of the program from the center device 3. When the first progress state is determined by the first progress state determination unit 88a and the second progress state is acquired by the second progress state acquisition unit, the first display instruction unit 88d gives an instruction for creation of contents displayable on the in-vehicle display 7 on the basis of the determined first progress state and the acquired second progress state.
Here, in a case where the second progress state acquisition unit 88c acquires the second progress state from the center device 3, the first progress state determination unit 88a manages the second progress state as the current progress state when the second progress state is a phase earlier than the current progress state. That is, the first progress state is updated to a value of the second progress state. The first progress state transmission unit 88b transmits the first progress state that is the current progress state to the center device 3. For example, in a case where the first progress state is a “download waiting phase” and a user approval operation is performed on the mobile terminal 6, the second progress state acquisition unit 88c acquires a “download-in-progress phase” as the second progress state from the center device 3. Since the “download-in-progress phase” acquired from the center device 3 is a phase earlier than the current progress state, the first progress state determination unit 88a updates the first progress state that is the current progress state to a value of the second progress state, transmits the updated first progress state to the center device 3, and also transmits the updated first progress state to various in-vehicle display devices such as the in-vehicle display 7. In addition to the “download-in-progress phase” as the first progress state, a “download completion X %” indicating the degree of progress of the download may be transmitted.
In a case where a user operation signal is generated in the in-vehicle display 7, the first display instruction unit 88d gives an instruction for creation of contents on the basis of the first progress state determined by the first progress state determination unit 88a. In a case where a user operation signal is generated in the mobile terminal 6, the first display instruction unit 88d gives an instruction for creation of contents on the basis of the second progress state acquired by the second progress state acquisition unit 88c. In a configuration in which the first progress state determined by the first progress state determination unit 88a is managed to be the current progress state at all times, that is, the master device 11 manages the current progress state, the first display instruction unit 88d may give an instruction for creation of contents on the basis of the first progress state.
As illustrated in
The second progress state determination unit 53a determines the second progress state on the basis of the current progress state, that is, the first progress state previously received from the master device 11 by the first progress state acquisition unit 53c, and the user operation signal. For example, when the current progress state is an “installation waiting phase” and the user operation signal indicating “approval” is received, the second progress state determination unit 53a determines that the second progress state is an “installation-in-progress phase”. The second progress state determination unit 53a may determine “with user's approval in the installation waiting phase.” The user operation signal in the mobile terminal 6 is transmitted from the center device 3 to the DCM 12 in an environment in which the DCM 12 and the center device 3 can perform data communication with each other. The user operation signal is transferred from the DCM 12 to the CGW 13, and thus the CGW 13 can determine the operation performed by the user on the mobile terminal 6 and determine the progress state.
When the second progress state is determined by the second progress state determination unit 53a, the second progress state transmission unit 53b transmits the determined second progress state to the master device 11. The first progress state acquisition unit 53c acquires the first progress state related to rewrite of the program from the master device 11, and manages the first progress state as the current progress state. As the current progress state, the second progress state may be updated to a value of the first progress state. When the second progress state is determined by the second progress state determination unit 53a and the first progress state is acquired by the first progress state acquisition unit 53d, the second display instruction unit 53d gives an instruction for creation of contents displayable on the mobile terminal 6 on the basis of the determined second progress state and the acquired first progress state.
For example, in a case where there is only a user operation signal in the mobile terminal 6, the second progress state determined by the second progress state determination unit 53a and the first progress state acquired by the first progress state acquisition unit 53d indicate the same progress state. Therefore, the second display instruction unit 53d may give an instruction for creation of the contents on the basis of the second progress state. Thereafter, when the user operation signal is generated in the in-vehicle display 7, the second display instruction unit 53d gives an instruction for creation of the contents on the basis of the acquired first progress state.
When an SMS is received as a progress state signal from the center device 3, for example, the mobile terminal 6 is connected to the center device 3 when the user selects a URL described in the SMS, and displays a screen of a predetermined phase provided by the center device 3.
Next, with reference to
As illustrated in
The master device 11 which has acquired the second progress state signal may update the first progress state that is the current progress state, and then may transmit the first progress state to the center device 3 and each in-vehicle display device such as the in-vehicle display 7. That is, the master device 11 transmits the current progress state to the center device 3 and each in-vehicle display device such as the in-vehicle display 7, and thus functions as a phase management device. Here, the second progress state signal transmitted from the mobile terminal 6, the in-vehicle display 7, and the center device 3 may be a notification indicating any phase, or may be a notification indicating that a user approval operation has been performed or a notification indicating the meaning of an operated button.
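The exchange of first and second progress states between the master device 11 and the center device 3, as an added example in C that is not the patent's own code. The phase order (campaign notification, then download, installation and activation, each with a waiting and an in-progress sub-phase) and the function names are assumptions; where the text says the master adopts a received second progress state that is an "earlier" phase, this example reads that as the state that has moved further along the sequence, which is what the download-waiting to download-in-progress illustration describes. Anything that would move the state backwards is ignored, so a stale or duplicated notification from one terminal cannot undo progress reported by the other.

```c
#include <stdbool.h>

/* Assumed phase sequence for this example. */
typedef enum {
    PH_CAMPAIGN_NOTIFICATION,
    PH_DOWNLOAD_WAITING,   PH_DOWNLOAD_IN_PROGRESS,
    PH_INSTALL_WAITING,    PH_INSTALL_IN_PROGRESS,
    PH_ACTIVATION_WAITING, PH_ACTIVATION_IN_PROGRESS,
    PH_DONE
} phase_t;

/* A progress state: the phase plus the "completion X %" the text mentions. */
typedef struct { phase_t phase; unsigned percent; } progress_t;

/* a is ahead of b if its phase is later, or the same phase with a higher percentage. */
static bool progress_ahead(progress_t a, progress_t b)
{
    return a.phase > b.phase || (a.phase == b.phase && a.percent > b.percent);
}

/* Master device 11 (CGW 13): the current progress state it manages, and what it last
   sent to the center device 3 and to the in-vehicle display 7. */
typedef struct {
    progress_t current;
    progress_t sent_to_center;
    progress_t sent_to_display;
} master_t;

static void master_init(master_t *m, phase_t start)
{
    m->current.phase = start;
    m->current.percent = 0;
    m->sent_to_center = m->current;
    m->sent_to_display = m->current;
}

/* First progress state transmission unit 88b: publish the current state to both sides. */
static void master_publish(master_t *m)
{
    m->sent_to_center = m->current;
    m->sent_to_display = m->current;
}

/* A user approval only means something in a waiting phase; it moves to the matching
   in-progress phase. Returns false for an approval that arrives in any other phase. */
static bool apply_approval(progress_t *p)
{
    switch (p->phase) {
    case PH_DOWNLOAD_WAITING:
    case PH_INSTALL_WAITING:
    case PH_ACTIVATION_WAITING:
        p->phase = (phase_t)(p->phase + 1);
        p->percent = 0;
        return true;
    default:
        return false;
    }
}

/* Approval performed on the in-vehicle display 7 (unit 88a): the master decides itself. */
static bool master_on_display_approval(master_t *m)
{
    if (!apply_approval(&m->current)) return false;
    master_publish(m);
    return true;
}

/* Second progress state received from the center device 3 (unit 88c): adopt it only if it
   is ahead of the current state, then republish as the first progress state. */
static bool master_on_center_state(master_t *m, progress_t second)
{
    if (!progress_ahead(second, m->current)) return false;   /* stale or duplicate */
    m->current = second;
    master_publish(m);
    return true;
}

/* Percentage progress from the CGW's own processing; it never moves backwards. */
static bool master_on_percent(master_t *m, unsigned percent)
{
    progress_t next = m->current;
    next.percent = percent > 100 ? 100 : percent;
    if (!progress_ahead(next, m->current)) return false;
    m->current = next;
    master_publish(m);
    return true;
}

/* Center device 3 (unit 53a): derive the second progress state from the first progress
   state it last received and an approval performed on the mobile terminal 6. */
static bool center_on_mobile_approval(progress_t *second, progress_t first_from_master)
{
    *second = first_from_master;
    return apply_approval(second);
}
```

Run from a download waiting phase: an approval on the mobile terminal 6 produces a download-in-progress second state at the center, the master adopts it and forwards the same state to the in-vehicle display 7, and a later re-delivery of the old waiting state, or a second approval from the display, is rejected without changing anything.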
When the progress state synchronization control process is initiated, the CGW 13 transmits distribution specification data to the in-vehicle display 7 (S2101). The distribution specification data includes text or contents to be displayed to the user by the in-vehicle display 7. The CGW 13 determines whether or not the user has performed an operation on the in-vehicle display 7 or the mobile terminal 6 on the basis of a notification from the in-vehicle display 7 or the center device 3 (S2102). When it is determined that the user has performed the operation on the in-vehicle display 7 or the mobile terminal 6 (S2102: YES), the CGW 13 determines a phase corresponding to the operation on the basis of the first progress state (S2103 to S2106; corresponding to a first progress state determination procedure).
When the campaign notification phase is determined (S2103: YES), the CGW 13 performs a process in the campaign notification phase (S2107), and transmits a first progress state signal indicating a progress state of the process in the campaign notification phase to the in-vehicle display 7 and the center device 3 (S2111). The process in the campaign notification phase is, for example, a process of acquiring the user's input operation on the in-vehicle display 7 or the mobile terminal 6.
The CGW 13 acquires, from the in-vehicle display 7 or the mobile terminal 6 via the center device 3, for example, conditions such as a date and a place where a program is permitted to be executed, in addition to an approval or disapproval for update of the program. When information indicating that there is the user's input operation for an approval on the mobile terminal 6 is acquired from the center device 3 via the DCM 12, the CGW 13 notifies the in-vehicle display 7 of the progress such as completion of the approval. On the other hand, when information indicating that there is the user's input operation for an approval on the in-vehicle display 7 is acquired from the in-vehicle display 7, the CGW 13 notifies the center device 3 of the progress such as completion of the approval.
When the download phase is determined (S2104: YES), the CGW 13 performs a process in the download phase (S2108), and transmits a first progress state signal indicating a progress state of the process in the download phase to the in-vehicle display 7 and the center device (S2111). The process in the download phase is, for example, a process of calculating a percentage of completed download of a distribution package.
The CGW 13 determines the percentage of the completed download on the basis of a notification from the center device 3. The CGW 13 notifies the in-vehicle display 7 and the center device 3 of the progress indicating the percentage of the completed download. The CGW 13 repeatedly performs the process until download of the distribution package is completed. When the download has been completed, the CGW 13 notifies the in-vehicle display 7 and the center device 3 of the progress indicating completion of the download phase.
When the installation phase is determined (S2104: YES), the CGW 13 performs a process in the installation phase (S2108), and transmits a progress state signal indicating a progress state of the process in the installation phase to the in-vehicle display 7 and the DCM 12 (S2111). The process in the installation phase is, for example, a process of calculating a percentage of completed installation in the rewrite target ECU 19.
The CGW 13 determines the percentage of the completed installation on the basis of a notification from the rewrite target ECU 19. The CGW 13 notifies the in-vehicle display 7 and the center device 3 of the progress indicating the percentage of the completed installation. The CGW 13 repeatedly performs the process until installation is completed in all of the rewrite target ECUs 19. When the installation in all of the rewrite target ECUs 19 has been completed, the CGW 13 notifies the in-vehicle display 7 and the center device 3 of the progress indicating completion of the installation phase.
When the activation phase is determined (S2104: YES), the CGW 13 performs a process in the activation phase (S2108), and transmits a progress state signal indicating a progress state of the process in the activation phase to the in-vehicle display 7 and the DCM 12 (S2111; corresponding to a first progress state transmission procedure). The process in the activation phase is, for example, a process of calculating a percentage of completed activation in one or more rewrite target ECUs 19 belonging to the same group. The CGW 13 determines the percentage of the completed activation on the basis of a notification from the rewrite target ECU 19. The CGW 13 notifies the in-vehicle display 7 and the center device of the progress indicating the percentage of the completed activation.
It is determined whether or not the activation phase has been completed (S2112), and, when it is determined that the activation phase has been completed (S2112: YES), the CGW 13 finishes the progress state synchronization control process. When it is determined that the activation phase has not been completed (S2112: NO), the CGW 13 returns to S2102. The CGW 13 causes the process in each phase to progress and calculates the percentage of the completed process (S2107 to S2110). The CGW 13 periodically transmits, as the first progress state, the phase and information indicating that X % of the phase has been completed to the center device 3 (S2111).
When the distribution specification data is transmitted and the progress state synchronization control process is initiated, the center device 3 monitors reception of the first progress state signal transmitted from the DCM 12 (S2121). When it is determined that the first progress state signal has been received from the DCM 12 (S2121: YES), the center device 3 permits access from the mobile terminal 6 (S2122), and determines the phase specified by the first progress state signal (S2123 to S2126).
When the campaign notification phase is determined (S2123: YES), the center device 3 performs the process in the campaign notification phase (S2127). That is, the center device 3 creates a campaign notification phase screen, transmits a display instruction signal for giving an instruction for display of the campaign notification phase screen to the mobile terminal 6, and causes the mobile terminal 6 to display the campaign notification phase screen through connection to the center device 3.
When the download phase is determined (S2124: YES), the center device 3 performs a process in the download phase (S2128). That is, the center device 3 creates a download phase screen, transmits a display instruction signal for giving an instruction for display of the download phase screen to the mobile terminal 6, and causes the mobile terminal 6 to display the download phase screen through connection to the center device 3. When the center device 3 is notified of the progress indicating the percentage of the completed download from the DCM 12, the center device 3 updates the download phase screen.
When the installation phase is determined (S2125: YES), the center device 3 performs a process in the installation phase (S2129). That is, the center device 3 creates an installation phase screen, transmits a display instruction signal for giving an instruction for display of the installation phase screen to the mobile terminal 6, and causes the mobile terminal 6 to display the installation phase screen through connection to the center device 3. When the center device 3 is notified of the progress indicating the percentage of the completed installation from the DCM 12, the center device 3 updates the installation phase screen.
When the activation phase is determined (S2126: YES), the center device 3 performs a process in the activation phase (S2130). That is, the center device 3 creates an activation phase screen, transmits a display instruction signal for giving an instruction for display of the activation phase screen to the mobile terminal 6, and causes the mobile terminal 6 to display the activation phase screen through connection to the center device 3. When the center device 3 is notified of the progress indicating the percentage of the completed activation from the DCM 12, the center device 3 updates the activation phase screen. When an operation such as the user's approval is performed on the screens displayed in S2127 to S2130, the center device 3 transmits a second progress state signal to the master device 11 (S2131), and finishes the progress state synchronization control process.
When the distribution specification data is received from the CGW 13, the in-vehicle display 7 initiates the progress display process, and monitors reception of the progress state signal transmitted from the CGW 13 (S2141). When it is determined that the progress state signal has been received from the CGW 13 (S2141: YES), the in-vehicle display 7 permits the user operation on the in-vehicle display 7 (S2142), and determines the phase specified by the progress state signal (S2143 to S2146).
When the campaign notification phase is determined (S2143: YES), the in-vehicle display 7 displays a campaign notification phase screen by using text, contents, and the like included in the distribution specification data (S2147). When the download phase is determined (S2144: YES), the in-vehicle display 7 displays a download phase screen (S2148). The in-vehicle display 7 updates the download phase screen when notified of the progress indicating the percentage of completion of the download from the CGW 13.
When it is determined that the in-vehicle display 7 is in the installation phase (S2145: YES), the installation phase screen is displayed (S2149). When the in-vehicle display 7 is notified of the progress indicating the percentage of the completed installation from the CGW 13, the in-vehicle display 7 updates the installation phase screen. When the activation phase is determined (S2146: YES), the in-vehicle display 7 displays an activation phase screen (S2150). When the in-vehicle display 7 is notified of the progress indicating the percentage of the completed activation from the CGW 13, the in-vehicle display 7 updates the activation phase screen.
As described above, the first progress state and the second progress state are transmitted and received between the master device 11 and the center device 3. For example, even in a configuration in which the mobile terminal 6 is accessible to the center device 3 and the in-vehicle display 7 is inaccessible to the center device 3, the first progress state and the second progress state are transmitted and received between the master device 11 and the center device 3, and thus progress states or the like of rewriting of an application program can be appropriately synchronized among a plurality of display terminals.
(22) Display Control Information Transmission Control Process and (23) Display Control Information Reception Control Process
The display control information transmission control process in the center device 3 will be described with reference to
As illustrated in
The display information is data configuring various screens (a campaign notification screen, an installation screen, and the like) related to rewriting of the application program. The display control program is a program for realizing a function equivalent to that of a web browser. The property information is information defining display characters, display positions, colors, and the like. The information transmission unit 54c transmits the write data stored in the write data storage unit 54a and the display control information stored in the display control information storage unit 54b to the master device 11. The information transmission unit 54c transmits the write data for the plurality of rewrite target ECUs 19 to the master device 11 as a single package. Here, the display control information may include phase identification information indicating a phase in which information is displayed. For example, the phase identification information indicates a phase in which information is displayed among the campaign notification phase, the download phase, the installation phase, and the activation phase.
Next, a description will be made of an operation performed by the display control information transmission control unit 54 in the center device 3 with reference to
When the display control information transmission control process is initiated, the center device 3 transmits the distribution specification data to the CGW 13 via the DCM 12 (S2201; corresponding to a control information transmission procedure), and transmits the write data to the CGW 13 via the DCM 12 (S2202). The center device 3 transmits the display information to the CGW 13 via the DCM 12 (S2203; corresponding to a display information transmission procedure), and finishes the display control information transmission control process. In a case where the display control information corresponding to each of the campaign notification phase, the download phase, the installation phase, and the activation phase is transmitted, the center device 3 may transmit the display control information corresponding to each phase to the in-vehicle display 7 in a single file, or may transmit the display control information corresponding to the next phase to the in-vehicle display 7 each time the phase is finished. Here, the timing at which the center device 3 transmits the distribution specification data may be configured to be transmitted in response to a request from the master device 11.
As illustrated in
Next, a description will be made of an operation performed by the display control information reception control unit 89 in the CGW 13 with reference to
When the display control information reception control process is initiated, the CGW 13 receives the distribution specification data from the center device 3 via the DCM 12 (S2301; corresponding to a control information reception procedure). The write data is received from the center device 3 via the DCM 12 (S2302). The CGW 13 receives the display information from the center device 3 via the DCM 12 (S2303; corresponding to a display information reception procedure). The CGW 13 determines whether or not to use the display control information included in the distribution specification data from the center device 3 (S2304). When it is determined that the display control information is to be used (S2304: YES), the CGW 13 instructs the in-vehicle display 7 to display the display information by using the display control information (S2305). That is, the CGW 13 instructs the in-vehicle display 7 to display screens related to rewriting of the application program by using the display control information. The in-vehicle display 7 displays the display information by using the display control information in response to the instruction from the CGW 13.
When it is determined that the display control information is not to be used (S2304: NO), the CGW 13 instructs the in-vehicle display 7 to display the display information by using contents stored in advance (S2306). That is, the CGW 13 instructs the in-vehicle display 7 to display screens related to rewriting of the application program by using the contents stored in advance. The in-vehicle display 7 displays the display information by using the contents stored in advance in response to the instruction from the CGW 13. In a case where the display information corresponding to each of the campaign notification phase, the download phase, the installation phase, and the activation phase is displayed, the in-vehicle display 7 may collectively receive the display control information corresponding to each phase from the center device 3, or may receive the display control information corresponding to the next phase from the center device 3 each time the phase is finished.
As illustrated in
When the in-vehicle display 7 does not have the function of a web browser, and the distribution specification data transmitted from the center device 3 to the in-vehicle display 7 via the DCM 12 and the CGW 13 includes the display control program and the property information, the in-vehicle display 7 displays the display information on a screen equivalent to that of the center device 3. Here, the display control program and the property information included in the distribution specification data are the same as those used in the screen created by the center device 3.
When the in-vehicle display 7 does not have the function of a web browser but stores the display control program, and the property information is included in the distribution specification data transmitted from the center device 3 to the in-vehicle display 7, the in-vehicle display 7 displays the display information on a screen equivalent to that of the center device 3. Here, the display control program stored in the in-vehicle display 7 is different in version from the display control program used in the screen created by the center device 3, for example.
When the in-vehicle display 7 has the function of a web browser, the in-vehicle display 7 displays the display information on the same screen as that of the center device 3 through connection to the center device.
As described above, the center device 3 performs the display control information transmission control process, thus transmits the display control information to the in-vehicle display 7, and displays the display information on the in-vehicle display 7 according to the display control information. Consequently, in a case where the mobile terminal 6 and the in-vehicle display 7 are provided as display terminals, these display aspects can be brought close to each other, and thus the user's convenience can be improved. The CGW 13 performs the display control information reception control process, thus receives the display control information from the center device 3, receives the display information from the center device 3, and displays the display information according to the display control information.
(24) Screen Display Control Process for Progress Display
The progress display screen display control process will be described with reference to
As illustrated in
The mode determination unit 90a determines whether or not a customization mode is set by the user's customization operation. The mode determination unit 90a determines whether or not an external mode from the outside is set on the basis of scene information included in the rewrite specification data. That is, the mode determination unit 90a refers to the scene information included in the rewrite specification data illustrated in
The recall flag is a flag for designating screen display in a case where an application program is rewritten in response to a recall. The recall indicates implementation of measures such as repair, replacement, or recovery without charge due to the provisions of the regulations or at the discretion of a manufacturer or seller in a case where a defect in a product is found due to a design or manufacturing error, or the like.
The dealer flag is a flag for designating screen display in a case where an application program is rewritten in a dealer. The factory flag is a flag for designating screen display in a case where the application program is rewritten in a factory. The function update notification flag is a flag for designating screen display in a case where the application program is rewritten in response to a function update notification. The function update notification is performed to update a specific function. For example, the function update notification flag is a flag for designating screen display in the program update for adding a new function for a fee (or for free).
The forced execution flag is a flag for designating screen display in a case where the application program is rewritten in response to forced execution. The forced execution indicates that the application program is forced to be rewritten because campaign notifications are performed a predetermined number of times but the application program is not rewritten. For example, the forced execution flag is a flag for designating screen display in a case where a program is forced to be updated.
The flags indicating the scene information are all set to 0 (flag is not established) in a case where there is no relevant item, and any thereof is set to 1 (flag is established) in a case where there is a relevant item. For example, the mode determination unit 90a determines that a recall mode is set when the recall flag is established, determines that a dealer mode is set when the dealer flag is established, determines that a factory mode is set when the factory flag is established, determines that a function update mode is set when the function update notification flag is established, and determines that a forced execution mode is set when the forced execution flag is established.
The expiration date information is information indicating the expiration date, and is information serving as a criterion for determining whether or not rewrite of the application program is to be executed. The CGW 13 executes rewriting of the application program when the current time is within the expiration date indicated by the expiration date information, and does not execute rewriting of the application program when the current time exceeds the expiration date indicated by the expiration date information. That is, after a distribution package is downloaded, the CGW 13 refers to the expiration date information when installing the program, and does not execute installation of the program and discards the distribution package when the current time exceeds the expiration date.
The position information is information indicating a position, is information serving as a criterion for determining whether or not rewriting of the application program is to be executed, and includes a permitted area and a prohibited area. In a case where the permitted area is designated as the position information, the CGW 13 executes rewriting of the application program when the current position of the vehicle is inside the permitted area indicated by the position information, and does not execute rewriting of the application program when the current position of the vehicle is outside the permitted area indicated by the position information. In a case where the prohibited area is designated as the position information, the CGW 13 executes rewriting of the application program when the current position of the vehicle is outside the prohibited area indicated by the position information, and does not execute rewriting of the application program when the current position of the vehicle is inside the prohibited area indicated by the position information. That is, after the distribution package is downloaded, the CGW 13 refers to the position information when installing a program, and does not execute installation of the program when the current position is outside the permitted area, and delays the installation until the vehicle enters the permitted area.
The screen display instruction unit 90b instructs the display terminal 5 to display a screen corresponding to rewriting of the application program. The screen display instruction unit 90b instructs the display terminal 5 to display the screen by giving an instruction for whether or not the screen corresponding to a rewriting phase of the application program is displayed, giving an instruction for whether or not items of the screen are displayed, and giving an instruction for changing display contents of the items of the screen.
A description will be made of the user's customization operation. Here, a screen displayed on the in-vehicle display 7 will be described, but the same applies to a screen displayed on the mobile terminal 6. In a screen described later, a layout of the number, disposition, and the like of buttons may be other than the exemplified layout. When the user performs an operation of displaying a menu screen on the in-vehicle display 7, the CGW 13 displays a menu selection screen 511 on the in-vehicle display 7 as illustrated in
When the user operates the “user information registration” button 511e in this state, the CGW 13 displays a user selection screen 512 on the in-vehicle display 7 as illustrated in
When the user operates the “user” button 512a in this state, the CGW 13 displays a user registration screen 513 on the in-vehicle display 7, as illustrated in
The “ON/OFF” buttons 513a to 513d for a campaign notification, download, installation, and activation are buttons for selecting whether or not to display screens for a campaign notification, download, installation, and activation. Specifically, when a campaign notification is received, download is initiated, installation is initiated, and activation is initiated, the buttons are buttons that allow the user to select in advance whether or not to display the contents for requesting the user's approval. The “detailed information” button 513e is a button for registering the above-described expiration date information and position information. The information set by the user is transmitted to the center device 3 via the DCM 12. In a case where the user sets the pieces of information on the mobile terminal 6, the CGW 13 acquires the pieces of information from the center device 3 via the DCM 12.
The user may set the corresponding “ON/OFF” buttons 513a to 513d to OFF in a case where the user finds the screens for a campaign notification, download, installation, and activation bothersome. When a button is set to OFF, display of the contents for requesting the user's approval in that phase is omitted. For example, in a case where the user does not find screen display of a campaign notification or activation bothersome, but finds screen display of download or installation bothersome, the user may set the campaign notification to ON with the “ON/OFF” button 513a, set the download to OFF with the “ON/OFF” button 513b, set the installation to OFF with the “ON/OFF” button 513c, and set the activation to ON with the “ON/OFF” button 513d.
In this case, for example, when the campaign notification is set to ON, the download is set to OFF, the installation is set to OFF, and the activation is set to ON, the display terminal 5 displays a campaign notification screen, does not display a download approval screen and a download-in-progress screen, does not display an installation approval screen and the installation-in-progress screen, and displays an activation screen according to a rewriting phase of the application program. That is, in the campaign notification, download, installation, and activation phases, screen display is performed for a phase set to ON and is not performed for a phase set to OFF. Therefore, screen display can be customized. The ON/OFF setting of the screen display may be set individually for each phase, or all phases may be collectively set at a time.
In a case where the user wants to register the expiration date, the permitted area, and the prohibited area, the user may set the expiration date, the permitted area, and the prohibited area by operating the “detailed information” button 513e. The user can customize the expiration date for permitting rewriting of the application program as the expiration date information, and can customize the permitted area for permitting rewriting of the application program or the prohibited area for prohibiting the rewriting as the position information.
Next, an operation of the above-described configuration will be described with reference to
When the progress display screen display control process is initiated, the CGW 13 determines whether or not the expiration date information is stored in the rewrite specification data and whether or not the expiration date information is set in the customization information (S2401). When it is determined that the expiration date information is stored in the rewrite specification data (S2401: YES), the CGW 13 determines whether the current time satisfies the expiration date information (S2402). In a case where the expiration date information stored in the rewrite specification data and the expiration date information set as the customization information are present, the CGW 13 determines whether both are satisfied. When it is determined that the current time exceeds the expiration date indicated by the expiration date information and the current time does not satisfy the expiration date information (S2402: NO), the CGW 13 finishes the progress display screen display control process.
When it is determined that the current time is within the expiration date indicated by the expiration date information and the current time satisfies the expiration date information (S2402: YES), the CGW 13 determines whether or not the scene information is stored in the rewrite specification data (S2403). When it is determined that the scene information is stored in the rewrite specification data (S2403: YES), the CGW 13 determines that the external mode is set, proceeds to the display instruction process according to the set content in the scene information (S2404), and instructs the in-vehicle display 7 to perform screen display corresponding to rewriting of the application program according to a mode of an established flag. For example, when the recall flag is established, the CGW 13 instructs the in-vehicle display 7 to perform screen display according to the recall mode during rewriting of the application program. For example, when the dealer flag is established, the CGW 13 instructs the in-vehicle display 7 to perform screen display according to the dealer mode during rewrite of the application program.
When it is determined that the scene information is not stored in the rewrite specification data (S2403: NO), the CGW 13 determines whether or not the customization mode is set through the user's customization operation (S2405; corresponding to a customization mode determination procedure). When it is determined that the customization mode is set (S2405: YES), the CGW 13 proceeds to a display instruction process according to the set content in the customization operation (S2406; corresponding to a screen display instruction procedure), and instructs the in-vehicle display 7 to perform screen display corresponding to rewriting of the application program according to the customization mode.
When it is determined that the customization mode is not set (S2405: NO), the CGW 13 proceeds to a display instruction process according to a set content in the initial setting (S2407; corresponding to a screen display instruction procedure), and instructs the in-vehicle display 7 to perform screen display corresponding to rewriting of the application program according to the initial setting. That is, the CGW 13 preferentially applies the scene information stored in the rewrite specification data, and applies the customization mode when the scene information is not stored. When neither the scene information nor the customization mode is present, the initial setting is applied. Here, the initial setting is a preset value, and the initial setting is a setting of turning on all settings of, for example, a campaign notification, download, installation, and activation.
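How the CGW 13 chooses between the external mode, the customization mode and the initial setting in S2401 to S2407, written here as an added Python example rather than code from the patent; the data class names, the order in which established scene flags are examined, and the per-mode screen policy (taken from the descriptions of each flag on this page) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional

PHASES = ("campaign_notification", "download", "installation", "activation")

# Order in which established scene flags are examined.  Assumption: the page
# says any flag may be set to 1 but states no precedence among them.
SCENE_FLAGS = ("recall", "dealer", "factory", "function_update", "forced_execution")


@dataclass
class RewriteSpec:
    """Rewrite specification data fields used here (assumed names)."""
    expiration: Optional[datetime] = None        # expiration date information
    scene: Optional[Dict[str, int]] = None       # scene information flags, 0 or 1


@dataclass
class Customization:
    """Customization information set by the user (assumed names)."""
    enabled: bool = False
    expiration: Optional[datetime] = None
    screens: Dict[str, bool] = field(default_factory=lambda: dict.fromkeys(PHASES, True))


@dataclass
class DisplayPlan:
    mode: str
    screens: Dict[str, bool]   # phase -> whether its approval screen is displayed
    later_back: bool           # whether the "later"/"back" buttons are offered


def expiration_satisfied(now: datetime, spec: RewriteSpec, custom: Customization) -> bool:
    """S2401/S2402: every expiration date that is present (rewrite specification
    data and/or customization information) must not be exceeded."""
    deadlines = [d for d in (spec.expiration, custom.expiration) if d is not None]
    return all(now <= d for d in deadlines)


def mode_from_scene(scene: Dict[str, int]) -> Optional[str]:
    """Recall flag -> recall mode, dealer flag -> dealer mode, and so on."""
    for flag in SCENE_FLAGS:
        if scene.get(flag, 0) == 1:
            return flag
    return None


def plan_for_external_mode(mode: str) -> DisplayPlan:
    """Screen policy per external mode, following the page's description of each flag."""
    all_on = dict.fromkeys(PHASES, True)
    if mode == "factory":                        # no screen display in the factory
        return DisplayPlan(mode, dict.fromkeys(PHASES, False), False)
    if mode in ("recall", "forced_execution"):   # "later"/"back" set to non-display
        return DisplayPlan(mode, all_on, False)
    # dealer and function_update: screens displayed regardless of customization
    return DisplayPlan(mode, all_on, True)


def select_display_mode(now: datetime, spec: RewriteSpec,
                        custom: Customization) -> Optional[DisplayPlan]:
    """S2401 to S2407: scene information first, then customization, then initial setting."""
    if not expiration_satisfied(now, spec, custom):
        return None                              # S2402: NO, process finishes
    if spec.scene is not None:                   # S2403: YES, external mode applies
        mode = mode_from_scene(spec.scene)
        if mode is not None:
            return plan_for_external_mode(mode)
        # Assumption: scene information with no established flag falls through
    if custom.enabled:                           # S2405: YES, customization mode
        return DisplayPlan("customization", dict(custom.screens), True)
    return DisplayPlan("initial", dict.fromkeys(PHASES, True), True)   # S2407
```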
Next, the screen display instruction processes in S2404, S2406, and S2407 will be described with reference to
When it is determined that the operation result information is received from the DCM 12 by transmitting an operation result from the in-vehicle display 7 to the DCM 12 (S2415: YES), the CGW 13 checks an approval on the basis of the operation result information, and determines whether or not the user has approved rewriting of the application program (S2416).
When it is determined that the user has approved rewriting of the application program (S2416: YES), the CGW 13 determines whether or not the rewrite specification data stores the position information (S2417). When it is determined that the position information is stored in the rewrite specification data (S2417: YES), the CGW 13 determines whether or not the current position of the vehicle satisfies the position information (S2418). S2417 and S2418 may be omitted in phases other than the installation phase. In a case where the position information is the permitted area, when the current position of the vehicle is inside the permitted area, the CGW 13 determines that the current position of the vehicle satisfies the position information (S2418: YES), and continues the rewriting of the application program (S2419).
On the other hand, when the current position of the vehicle is outside the permitted area, the CGW 13 determines that the current position of the vehicle does not satisfy the position information, does not continue and stops the rewriting of the application program, and finishes the screen display instruction process. In a case where the position information is the prohibited area, when the current position of the vehicle is outside the prohibited area, the CGW 13 determines that the current position of the vehicle satisfies the position information (S2418: YES), continues the rewriting of the application program (S2419), and finishes the screen display instruction process. When the current position of the vehicle is inside the prohibited area, the CGW 13 determines that the current position of the vehicle does not satisfy the position information, does not continue and stops the rewriting of the application program, and finishes the display instruction process.
A description will be made of the screen display request notification transmitted from the CGW 13 to the DCM 12 and the operation result information transmitted from the DCM 12 to the CGW 13. As illustrated in
That is, when the phase ID and the scene ID stored in the screen display request notification transmitted to the DCM 12 match the phase ID and the scene ID stored in the operation result information received from the DCM 12, the CGW 13 determines that the screen display request notification and the operation result information are consistent with each other and are not deviated from each other, and thus arbitration is not required. On the other hand, when the phase ID and the scene ID stored in the screen display request notification transmitted to the DCM 12 do not match the phase ID and the scene ID stored in the operation result information received from the DCM 12, the CGW 13 determines that the screen display request notification and the operation result information are inconsistent with each other and are deviated from each other, and thus arbitration is required. The CGW 13 arbitrates whether or not to perform a process according to the operation result information received from the DCM 12.
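The CGW 13 side of the screen display instruction process (S2415 to S2419) combined with the phase ID / scene ID consistency check just described, as an added Python example and not the patent's own code; the message field names, the rectangular latitude/longitude area model, and applying the position check only in the installation phase (the page says S2417 and S2418 may be omitted in other phases) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Position = Tuple[float, float]   # (latitude, longitude), constructed sample values


@dataclass(frozen=True)
class ScreenDisplayRequest:
    """Screen display request notification, CGW 13 -> DCM 12 (assumed fields)."""
    phase_id: str
    scene_id: str


@dataclass(frozen=True)
class OperationResult:
    """Operation result information, DCM 12 -> CGW 13 (assumed fields)."""
    phase_id: str
    scene_id: str
    approved: bool


@dataclass(frozen=True)
class Area:
    """Axis-aligned latitude/longitude box; an assumed representation of an area."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, pos: Position) -> bool:
        lat, lon = pos
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max


@dataclass(frozen=True)
class PositionInfo:
    area: Area
    kind: str   # "permitted" or "prohibited"


def is_consistent(request: ScreenDisplayRequest, result: OperationResult) -> bool:
    """Both IDs must match; otherwise the result is deviated and needs arbitration."""
    return request.phase_id == result.phase_id and request.scene_id == result.scene_id


def position_satisfied(info: PositionInfo, current: Position) -> bool:
    """Permitted area: satisfied inside it. Prohibited area: satisfied outside it."""
    inside = info.area.contains(current)
    return inside if info.kind == "permitted" else not inside


def screen_display_instruction(request: ScreenDisplayRequest, result: OperationResult,
                               position_info: Optional[PositionInfo], current: Position,
                               phase: str) -> str:
    """Returns 'continue', 'stop', 'not_approved' or 'arbitrate'."""
    if not is_consistent(request, result):
        return "arbitrate"               # deviated result: do not act on it directly
    if not result.approved:              # S2416: NO
        return "not_approved"
    if phase == "installation" and position_info is not None:      # S2417: YES
        if not position_satisfied(position_info, current):         # S2418: NO
            return "stop"                # rewriting is not continued
    return "continue"                    # S2419
```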
The screen configuration information is information indicating configuration elements of a screen, and, as illustrated in
On the other hand, as illustrated in
A description will be made of a message framework regarding screen display and a user operation transmitted and received among the CGW 13, the DCM 12, the in-vehicle display 7, the center device 3, and a meter device 45. As illustrated in
The CGW 13 performs data communication with the center device 3 via the DCM 12. Data transmitted from the CGW 13 through diagnosis communication is subjected to protocol conversion by the DCM 12 and is received from the DCM 12 by the center device 3 through HTTP communication. For example, the CGW 13 transmits data indicating the current progress state such as the current phase or a progress ratio, to the center device 3 via the DCM 12. The data transmitted from the center device 3 through HTTP communication is subjected to protocol conversion by the DCM 12 and is received from the DCM 12 by the CGW 13 through diagnosis communication.
The CGW 13 performs data communication with the in-vehicle display 7 via the DCM 12. The data transmitted from the CGW 13 through the diagnosis communication is subjected to protocol conversion by the DCM 12 and is received from the DCM 12 by the in-vehicle display 7 through USB communication. The data transmitted from the in-vehicle display 7 through the USB communication is subjected to protocol conversion by the DCM 12 and is received from the DCM 12 by the CGW 13 through the diagnosis communication. For example, the CGW 13 acquires information regarding the user operation on the in-vehicle display 7 via the DCM 12. As described above, in the vehicle program rewriting system 1, the DCM 12 is provided with the protocol conversion function, and the mobile terminal 6 and the in-vehicle display 7 are configured to be equally handled by the CGW 13. Information regarding the user operation is aggregated into the CGW 13, and thus the CGW 13 arbitrates user operation results from a plurality of operation terminals so as to manage the current progress state.
A description will be made of a sequence of a message frame transmitted and received among the CGW 13, the DCM 12, and the in-vehicle display 7. As illustrated in
The screen display will be described with reference to
In a case where the user's customization mode is set, the CGW 13 instructs the display terminal 5 to perform screen display corresponding to the rewriting of the application program according to a content of the customization mode (S2406). However, this is limited to a case where scene information is not designated. For example, when the campaign notification is set to ON, the download is set to OFF, the installation is set to OFF, and the activation is set to ON in the customization mode, the CGW 13 gives a screen display instruction to the display terminal 5 in order not to display the download approval screen 503, the download-in-progress screen 504, the download completion notification screen 505, the installation approval screen 506, and the installation-in-progress screen 507 and to display the activation approval screen 508 after the campaign notification screen 502 is displayed.
In a case where the recall flag is set in the scene information of the rewrite specification data, the CGW 13 instructs the display terminal 5 to perform screen display corresponding to the rewriting of the application program according to a content of the recall mode (S2404). In this case, as illustrated in
That is, in a case where the recall flag is set in the scene information of the rewrite specification data, as described above, the “later” button or the “back” button may be set to non-display such that the “later” button or the “back” button is not displayed. Alternatively, after the campaign notification screen 502 is displayed and the user's approval is obtained on the download approval screen 503, display of the installation approval screen 505 and the activation approval screen 518 may be omitted. Although a case where the recall flag is set in the scene information of the rewrite specification data has been described above, the same applies to a case where the dealer flag, the factory flag, the function update notification flag, and the forced execution flag are set in the scene information of the rewrite specification data, and an instruction may be given for availability of display of a screen corresponding to a phase, availability of display of an item of the screen, or changing of a display content of the item of the screen depending on a situation in which the application program is rewritten.
Specifically, in a case where the dealer flag is set in the scene information of the rewrite specification data, since it is necessary to display a dedicated screen in the repair process in the dealer environment, a dedicated screen for a dealer may be displayed instead of a screen for a user. That is, since a user does not perform an operation related to rewriting of an application program, but a dealer's operator performs the operation related to the rewriting of the application program, the “later” button or the “back” button may be set to be displayed for the dealer's work, so that the “later” button or the “back” button is displayed. For example, guidance such as “please rewrite in dealer” may be displayed to prompt the user to take the vehicle to the dealer.
In a case where the factory flag is set in the scene information of the rewrite specification data, screen display is not required in the manufacturing process in the factory environment, and thus a screen may not be displayed.
In a case where the function update notification flag is set in the scene information of the rewrite specification data, even when the user has set display to be unnecessary through customization, screen display for reliably notifying the user of the change content is required, so a screen for the user may be displayed regardless of the customized setting. That is, even in a case where the user determines that the approval is unnecessary, since it is desirable that the approval is forced to be obtained and an approval screen is forced to be displayed, as described above, the “later” button or the “back” button is set to be displayed such that the “later” button or the “back” button is displayed.
In a case where the forced execution flag is set in the scene information of the rewrite specification data, even when the user sets display to be required through customization, and thus the user does not give an approval, forced execution for reliably updating software of the vehicle is required. Therefore, a dedicated screen for the user may be displayed regardless of the customization setting. That is, since the user determines that the approval is necessary, but the application program is rewritten even when the approval is not given, the “later” button or the “back” button may be set to non-display as described above such that the “later” button or the “back” button is not displayed. Since the function is based on an approval being obtained, rewriting may be performed by obtaining the approval without displaying the screen itself.
As described above, the CGW 13 performs the progress display screen display control process, and thus instructs the display terminal 5 to perform screen display corresponding to a setting content of a customization mode in a case where the customization mode is set. The user can customize screen display corresponding to the progress of rewriting.
(25) Program Update Notification Control Process
The program update notification control process will be described with reference to
As illustrated in
When the phase of the program update is specified by the phase specifying unit 91a, the display instruction unit 91b gives an instruction for displaying an indicator in an aspect corresponding to the phase of the specified program update. When the instruction for displaying the indicator is given from the display instruction unit 91b, the indicator display control unit 91c controls display of the indicator in response to the instruction. Specifically, the indicator display control unit 91c controls lighting of an indicator 46 in the meter device 45.
The icon display control unit 91d controls display of an icon on the in-vehicle display 7 following the indicator display control unit 91c controlling display of the indicator. The detailed information display control unit 91e controls display of an icon and detailed information related to the program update on the in-vehicle display 7 or the mobile terminal 6 following the indicator display control unit 91c controlling display of the indicator. The icon is the campaign notification icon 501a illustrated in
The invalidation instruction unit 91f instructs the power supply management ECU 20 and the respective ECUs 19 related to the user operation to invalidate reception of the user operation even in a case where the power supply management ECU 20 performs the power supply control by updating the programs during parking. For example, by instructing the engine ECU 47 (refer to
Next, an operation of the above-described configuration will be described with reference to
When the program update notification control process is initiated, the CGW 13 determines whether or not a campaign of program update has occurred (S2501). When it is determined that the campaign of the program update has occurred (S2501: YES), the CGW 13 specifies a phase of the program update and a memory configuration (S2502; corresponding to a phase specifying procedure). The CGW 13 instructs the meter device 45 to display the indicator 46 in an aspect corresponding to the specified phase of the program update (S2503; corresponding to a display instruction procedure). The in-vehicle display 7 is instructed to display an icon corresponding to the specified phase of the program update (S2504).
It is determined whether or not a detailed display request is available (S2505), and, when it is determined that the detailed display request is available (S2505: YES), the CGW 13 determines whether or not data communication with the in-vehicle display 7 is possible (S2506). For example, when the user presses the campaign notification icon 501a illustrated in
The CGW 13 acquires the notification content received along with the campaign notification and the notification content of the distribution specification data, and transfers these notification contents to the in-vehicle display 7 together with an instruction to display the detailed information. The CGW 13 also notifies the center device 3 of the phase and the content of the user operation as an instruction for displaying the detailed information, such that the same content as that displayed on the in-vehicle display 7 is also displayed on the mobile terminal 6.
The CGW 13 determines whether or not the program update event is finished (S2510).
For example, when the user confirms that the activation has been completed and the program has been updated, the CGW 13 determines that the event is finished. When it is determined that the event of the program update is not finished (S2510: NO), the CGW 13 returns to step S2502 and repeatedly performs step S2502 and the subsequent steps. The CGW 13 repeatedly performs S2502 and the subsequent steps in each phase of the campaign notification, the download approval, the download in progress, the installation approval, the installation in progress, the activation approval, the activation in progress, and the update completion.
When it is determined that the event of the program update is finished (S2510: YES), the CGW 13 finishes the program update notification control process.
In the meter device 45, the indicator 46 is disposed at a predetermined position which can be recognized by the user, and, when a notification request is received from the CGW 13, the indicator 46 is lit or flashed as a notification during rewriting of the application program. Here, instead of the flashing, a lighting display which is emphasized more than the normal lighting display, such as changing the color or increasing the luminance of the indicator 46, may be used. That is, any display may be used as long as the display is emphasized more than the normal display. The indicator 46 related to program update is a single indicator and is formed of a single design.
As illustrated in
As illustrated in
Hereinafter, a case where the meter device 45 controls a notification aspect of the indicator 46 will be described below, but the indicator display control unit 91c may control a notification aspect of the indicator 46 as described above.
In a case where ECUs 19 having a double-bank memory, a single-bank suspend memory, and a single-bank memory are all included as the program rewrite target ECUs 19 in one campaign notification, the CGW 13 rewrites the application programs of the ECUs 19 in the order of the double-bank memory, the single-bank suspend memory, and the single-bank memory. After the campaign notification, the CGW 13 performs the phases from the download approval to the installation in progress on the double-bank memory ECU 19, and the meter device 45 lights the indicator 46 during this period. When the installation-in-progress phase on the double-bank memory ECU 19 is completed, the CGW 13 performs the phases from the download approval to the installation in progress on the single-bank suspend memory ECU 19, and the meter device 45 lights the indicator 46 during this period. When the installation-in-progress phase on the single-bank suspend memory ECU 19 is completed, the CGW 13 performs the phases from the download approval to the installation approval on the single-bank memory ECU 19, and the meter device 45 lights the indicator 46 during this period.
The meter device 45 flashes the indicator 46 from the installation in progress on the single-bank memory ECU 19 through the activation in progress on the three types of ECUs 19 having different memory types. The meter device 45 turns off the indicator 46 at the subsequent IG-off, lights the indicator 46 at IG-on, and turns off the indicator 46 when the user performs the check operation for completion of the update.
The meter device 45 may perform the following control in a case where ECUs 19 having a double-bank memory, a single-bank suspend memory, and a single-bank memory are included as the program rewrite target ECUs 19 in one campaign notification. The CGW 13 rewrites the application programs of the ECUs 19 in the order of the double-bank memory, the single-bank suspend memory, and the single-bank memory. After the campaign notification, the CGW 13 gives an instruction for lighting a predetermined green design as the indicator 46 during the download approval for the download of a distribution package including the update data of the rewrite target ECUs 19 and during the download in progress. Thereafter, the CGW 13 gives an instruction for lighting a predetermined green design as the indicator 46 during the installation approval. The installation approval here also serves as the activation approval, because a single-bank memory ECU 19 is included. When the user's approval for the installation is obtained, the CGW 13 first performs installation on the double-bank memory ECU 19. While the installation is performed on the double-bank memory ECU 19, the meter device 45 lights the indicator 46. When the CGW 13 completes the installation-in-progress phase for the double-bank memory ECU 19, the CGW 13 performs installation on the single-bank suspend memory ECU 19. While the installation is performed on the single-bank suspend memory ECU 19, the meter device 45 lights the indicator 46. When the CGW 13 completes the installation-in-progress phase for the single-bank suspend memory ECU 19, the CGW 13 performs installation on the single-bank memory ECU 19. While the installation is performed on the single-bank memory ECU 19, the meter device 45 flashes the indicator 46. When the installation is completed in all of the rewrite target ECUs 19, the CGW 13 performs activation while the indicator 46 remains flashing.
The CGW 13 instructs the meter device 45 to turn off the indicator 46 at the subsequent IG-off, instructs the meter device 45 to light the indicator 46 at IG-on, and instructs the meter device 45 to turn off the indicator 46 when the user performs the check operation for completion of the update.
In the respective phases illustrated in
As described above, in a case where the CGW 13 gives an instruction for a notification that the application program is being rewritten by using the indicator 46, when an abnormality occurs during rewriting of the application program, the notification aspect differs from that during normal operation. The CGW 13 gives an instruction for green lighting display or green flashing display, for example, when the rewriting of the application program is proceeding normally, and gives an instruction for yellow or red lighting display or yellow or red flashing display, for example, when an abnormality occurs. The CGW 13 may change colors according to the degree of abnormality, for example giving an instruction for red lighting display or red flashing display when the degree of abnormality is relatively high, and giving an instruction for yellow lighting display or yellow flashing display when the degree of abnormality is relatively low. The abnormality mentioned here includes a state in which a distribution package cannot be downloaded, a state in which write data cannot be installed, a state in which write data cannot be written in the rewrite target ECU 19, a state in which write data is incorrect, and the like.
The in-vehicle display 7 sequentially displays the campaign notification screen 502, the download approval screen 503, the download-in-progress screen 504, the download completion notification screen 505, the installation approval screen 506, the installation-in-progress screen 507, the activation approval screen 508, the IG-on screen 509, and the update completion check operation screen 510 as detailed display on the basis of the user operation. The same detailed display as in the in-vehicle display 7 may be performed in the mobile terminal 6 that is communicatively connected to the center device 3. For example, in a vehicle in which the in-vehicle display 7 is not mounted, in a case where the user requests the detailed display by operating a steering wheel switch or the like, the CGW 13 requests the detailed display from the center device 3 via the DCM 12. The center device 3 creates the content of the detailed display, and the mobile terminal 6 displays the content such that the user can check the detailed information on the mobile terminal 6.
As illustrated in
When the power supply management ECU 20 is forcibly started to turn on the vehicle power, the engine could be controlled by a user operation on the push switch; therefore the CGW 13 instructs the power supply management ECU 20 to invalidate reception of the user operation, and instructs the meter device 45, the in-vehicle display 7, and the ECUs 19 related to the user operation to notify the user of the invalidation of the reception of the user operation. In a case where the meter device 45 is instructed by the CGW 13 to invalidate the reception of the user operation, the meter device 45 ignores the operation even when the user operates the meter device 45. Similarly, in a case where the in-vehicle display 7 is instructed by the CGW 13 to invalidate the reception of the user operation, the in-vehicle display 7 ignores the operation even when the user operates the in-vehicle display 7. In a case where the engine ECU 47 is instructed by the CGW 13 to invalidate the reception of the user operation, the engine ECU 47 ignores the operation and prevents the engine from being started even when the user performs the engine start operation with the push switch.
As described above, the CGW 13 instructs the meter device 45 to notify the user that an application program is being rewritten by performing the program update notification control process. Even in a situation where the user cannot be notified through the mobile terminal 6 or the in-vehicle display 7, the user can still be appropriately notified that an application program is being rewritten through the meter device 45. The CGW 13 may change the notification aspect in accordance with the progress of rewriting of the application program.
(26) Self-Retention Power Execution Control Process
The self-retention power execution control process will be described with reference to
As illustrated in
The vehicle power determination unit 92a determines turning-on and turning-off of the vehicle power. The rewrite-in-progress determination unit 92b determines whether or not an application program is being rewritten. The rewrite-in-progress determination unit 92b also determines the rewrite target ECU 19 in which the application program is being rewritten. The first self-retention power determination unit 92c determines the necessity of self-retaining the power in the vehicle slave devices when it is determined by the vehicle power determination unit 92a that the vehicle power is turned off and it is determined by the rewrite-in-progress determination unit 92b that the program is being rewritten. That is, the first self-retention power determination unit 92c refers to the rewrite specification data illustrated in
When it is determined by the first self-retention power determination unit 92c that the power needs to be self-retained in the vehicle slave device, the self-retention power instruction unit 92d instructs the vehicle slave device to enable the first self-retention power circuit. The self-retention power instruction unit 92d may give the instruction for enabling the first self-retention power circuit in one of three aspects: designating a completion time of the self-retention power, giving an instruction for an extension time of the self-retention power, or continuing to periodically output a self-retention request to the vehicle slave device. The self-retention power instruction unit 92d refers to the rewrite specification data illustrated in
That is, in the aspect of designating the completion time of the self-retention power, the self-retention power instruction unit 92d designates, as the completion time, the time obtained by adding the time designated in the rewrite specification data from the current time. In the case of designating the extension time of the self-retention power, the self-retention power instruction unit 92d designates the time specified in the rewrite specification data as the extension time. In the aspect of continuing to periodically output the self-retention request to the vehicle slave device, the self-retention power instruction unit 92d continues to periodically output the self-retention request to the vehicle slave device until the time specified in the rewrite specification data elapses.
The second self-retention power determination unit 92e determines the necessity of self-retaining the power therein when it is determined by the vehicle power determination unit 92a that the vehicle power is turned off and it is determined by the rewrite-in-progress determination unit 92b that the program is being rewritten. That is, the necessity of self-retaining the power is determined in consideration of a configuration in which the CGW 13 is an IG power system or an ACC power system. When it is determined by the second self-retention power determination unit 92e that it is necessary to self-retain the power supply therein, the second self-retention power enable unit 92f enables the second self-retention power circuit.
In this case, when the second self-retention power circuit is currently stopped, the second self-retention power enable unit 92f starts the second self-retention power circuit and thus enables it. When the second self-retention power circuit is currently started, the second self-retention power enable unit 92f extends the operation period of the second self-retention power circuit and thus enables it.
The second stop condition establishment determination unit 92g determines whether or not a stop condition for the self-retention power of the second self-retention power circuit is established. Specifically, the second stop condition establishment determination unit 92g monitors the remaining battery charge of the vehicle battery 40, the occurrence of a timeout, and the completion of rewriting in the rewrite target ECU 19, and determines that the stop condition for the self-retention power of the second self-retention power circuit is established when the remaining battery charge of the vehicle battery 40 is less than a predetermined capacity, the timeout occurs, or the rewriting in the rewrite target ECU 19 is completed. When it is determined by the second stop condition establishment determination unit 92g that the stop condition for the self-retention power of the second self-retention power circuit is established, the second self-retention power stop unit 92h stops the second self-retention power circuit.
As illustrated in
The first self-retention power enable unit 108b enables the first self-retention power circuit when it is determined by the instruction determination unit 108a that the instruction for enabling the first self-retention power circuit has been given. In a case where a completion time of the self-retention power is designated, the first self-retention power enable unit 108b enables the first self-retention power circuit until the designated completion time. In a case where an extension time of the self-retention power is designated, the first self-retention power enable unit 108b enables the first self-retention power circuit until the designated extension time elapses from the current time. In a case where a self-retention request is input from the CGW 13, the first self-retention power enable unit 108b enables the first self-retention power circuit as long as the self-retention request is continuously input.
In this case, when the first self-retention power circuit is currently stopped, the first self-retention power enable unit 108b starts the first self-retention power circuit and thus enables it. When the first self-retention power circuit is currently started, the first self-retention power enable unit 108b extends the operation period of the first self-retention power circuit and thus enables it. The first self-retention power enable unit 108b stores a default self-retention power time, and enables the first self-retention power circuit for the default self-retention power time even when no instruction for enabling the first self-retention power circuit is given. That is, when the instruction for enabling the first self-retention power circuit is given, the first self-retention power enable unit 108b enables the first self-retention power circuit for the longer of the default self-retention power time and the self-retention power time based on the instruction from the CGW 13.
The first stop condition establishment determination unit 108c determines whether or not a stop condition for the self-retention power of the first self-retention power circuit is established. Specifically, when the self-retention power target is the rewrite target ECU 19, the first stop condition establishment determination unit 108c monitors the occurrence of a timeout and a stop instruction from the CGW 13, and determines that the stop condition for the self-retention power of the first self-retention power circuit is established when the timeout has occurred or the stop instruction from the CGW 13 has been received. When the self-retention power target is the in-vehicle display 7, the first stop condition establishment determination unit 108c monitors the occurrence of a timeout, the user's getting off, and a stop instruction from the CGW 13, and determines that the stop condition for the self-retention power of the first self-retention power circuit is established when the timeout has occurred, the user has gotten off, or the stop instruction has been received from the CGW 13. When the self-retention power target is the power supply management ECU 20, the first stop condition establishment determination unit 108c monitors a stop instruction from the CGW 13, and determines that the stop condition for the self-retention power of the first self-retention power circuit is established when the stop instruction from the CGW 13 has been received. The first self-retention power stop unit 108d stops the first self-retention power circuit when it is determined by the first stop condition establishment determination unit 108c that the stop condition for the self-retention power of the first self-retention power circuit is established.
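The three instruction aspects of the self-retention power instruction unit 92d and the slave-side rules of units 108b to 108d (default time, "longer time wins", extend-never-shorten, and per-target stop conditions) are easier to check as code. The following is an added example, not code from the page or from any vehicle supplier; the class and function names, the request period, and the use of a caller-supplied monotonic clock are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed period (seconds) of the CGW's periodic self-retention request; the page does
# not give a value. A slave holding the circuit for two periods tolerates one lost request.
REQUEST_PERIOD = 1.0


def cgw_instruction(aspect: str, spec_time: float, now: float) -> dict:
    """CGW side (unit 92d): express the self-retention time taken from the rewrite
    specification data in one of the three aspects named on the page."""
    if aspect == "completion_time":
        return {"completion_time": now + spec_time}   # absolute time = current time + spec time
    if aspect == "extension_time":
        return {"extension_time": spec_time}          # relative extension = spec time
    if aspect == "periodic":
        return {"periodic_request": True}             # one request of a periodic series
    raise ValueError(f"unknown aspect {aspect!r}")


def cgw_keeps_requesting(aspect: str, start: float, spec_time: float, now: float) -> bool:
    """In the periodic aspect the CGW keeps outputting requests until spec_time has elapsed."""
    return aspect == "periodic" and (now - start) < spec_time


@dataclass
class FirstSelfRetentionCircuit:
    """Vehicle slave device side (units 108a to 108d)."""
    target: str                        # "ecu", "display" or "power_mgmt"
    default_time: float                # default self-retention power time stored in the device
    stop_at: Optional[float] = None    # None means the circuit is currently stopped

    def is_running(self, now: float) -> bool:
        return self.stop_at is not None and now < self.stop_at

    def enable(self, now: float, completion_time=None, extension_time=None,
               periodic_request=False) -> float:
        """Unit 108b: enable the circuit. The default time applies even without an
        instruction; with an instruction the longer of default and instructed time is used.
        A stopped circuit is started, a running circuit is extended and never shortened."""
        candidates = [now + self.default_time]
        if completion_time is not None:
            candidates.append(completion_time)
        if extension_time is not None:
            candidates.append(now + extension_time)
        if periodic_request:
            candidates.append(now + 2 * REQUEST_PERIOD)
        new_stop = max(candidates)
        self.stop_at = max(self.stop_at, new_stop) if self.is_running(now) else new_stop
        return self.stop_at

    def stop_condition(self, now: float, stop_instruction=False, user_got_off=False) -> bool:
        """Unit 108c: which conditions count depends on the self-retention target."""
        timeout = self.stop_at is not None and now >= self.stop_at
        if self.target == "ecu":
            return timeout or stop_instruction
        if self.target == "display":
            return timeout or user_got_off or stop_instruction
        if self.target == "power_mgmt":
            return stop_instruction            # no timeout: only the CGW releases it
        raise ValueError(f"unknown target {self.target!r}")

    def tick(self, now: float, **conditions) -> bool:
        """Unit 108d: stop the circuit when the stop condition holds. Returns True while
        the circuit is still enabled."""
        if self.stop_condition(now, **conditions):
            self.stop_at = None
        return self.stop_at is not None
```

The power supply management ECU case is the one to watch: with no timeout in its stop condition, a CGW that crashes mid-rewrite leaves that circuit enabled until an explicit stop instruction arrives, which is exactly why the second self-retention circuit on the CGW side monitors battery charge and its own timeout.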
Next, an operation of the above-described configuration will be described with reference to
When the self-retention power execution control process is initiated, the CGW 13 determines whether or not the vehicle power is turned off (S2601; corresponding to a vehicle power determination procedure). When it is determined that the vehicle power is turned off (S2601: YES), the CGW 13 determines whether or not the application program is being rewritten (S2602; corresponding to a rewrite-in-progress determination procedure). When it is determined that the application program is being rewritten (S2602: YES), the CGW 13 starts the second self-retention power circuit (S2603; corresponding to a second self-retention power enable procedure), and determines the necessity of self-retaining the power in the rewrite target ECU 19 (S2604; corresponding to a self-retention power determination procedure).
When it is determined that it is necessary to self-retain the power in the rewrite target ECU 19 (S2604: YES), the CGW 13 instructs the rewrite target ECU 19 to enable the first self-retention power circuit (S2605; corresponding to a self-retention power instruction procedure). It is determined whether or not a stop condition for the self-retention power is established (S2606), and, when it is determined that the stop condition for the self-retention power is established (S2606: YES), the CGW 13 stops the second self-retention power circuit (S2607), and finishes the self-retention power execution control process.
Although the CGW 13 is configured to start the self-retention power circuit when it is determined that an application program is being rewritten, the CGW 13 may be configured to start the self-retention power circuit when it is determined that the vehicle power is turned off, and to extend an operation period of the self-retention power circuit that is currently started when it is determined that the application program is being rewritten.
When the self-retention power execution control process is initiated, the rewrite target ECU 19 determines whether or not the vehicle power is turned off (S2611). When it is determined that the vehicle power is turned off (S2611: YES), the rewrite target ECU 19 starts the self-retention power circuit (S2612), determines whether or not a stop condition for the self-retention power is established (S2613), and determines whether or not an instruction for enabling the self-retention power circuit has been given from the CGW 13 (S2614). When it is determined that the instruction for enabling the self-retention power circuit has been given from the CGW 13 (S2614: YES), the rewrite target ECU 19 extends the operation period of the self-retention power circuit that is currently started (S2615). When it is determined that the stop condition for the self-retention power is established (S2613: YES), the rewrite target ECU 19 stops the self-retention power circuit (S2616), and finishes the self-retention power execution control process.
Although the rewrite target ECU 19 is configured to start the self-retention power circuit when it is determined that the vehicle power is turned off, the rewrite target ECU 19 may instead be configured not to start the self-retention power circuit at that point, only to record that the vehicle power is turned off, and to start the stopped self-retention power circuit when it is determined that an instruction for enabling the self-retention power circuit has been given from the CGW 13.
The above description relates to a case where a vehicle slave device is the rewrite target ECU 19, but the same applies to a case where a vehicle slave device is the in-vehicle display 7 or the power supply management ECU 20. As illustrated in
As described above, by performing the self-retention power execution control process, when it is determined that the vehicle power is turned off and an application program is being rewritten, the CGW 13 determines the necessity of self-retaining the power in the rewrite target ECU 19, and, when it is determined that it is necessary to self-retain the power, the CGW 13 instructs the rewrite target ECU 19 to enable the self-retention power circuit. When it is determined that an instruction for enabling the self-retention power circuit has been given from the CGW 13, the rewrite target ECU 19 enables the self-retention power circuit. The self-retention power circuit is enabled such that operation power for rewriting the application program can be secured, and rewriting of the application program can be appropriately completed.
The overall sequence of program update including the above-described characteristic processes (1) to (26) will now be described with reference to
First, as a preliminary preparation, the user operates the mobile terminal 6 or the like, inputs personal information such as a vehicle number (an identification number of a vehicle) or a mobile telephone number, and registers an account in the center device 3 (S5001). Further, the user operates the mobile terminal 6 or the like, inputs execution conditions, and designates a vehicle position, a time period, or the like as conditions for permitting execution of program update. The center device 3 stores personal information or the like received via the mobile terminal 6 into a database (S5002).
In the vehicle-side system 4, the CGW 13 collects information regarding the vehicle (S5011), and uploads the information to the center device 3 via the DCM 12 (S5012). Specifically, the information includes a program version, a memory configuration of each ECU 19, active bank information, electrical components mounted on the vehicle, a vehicle position, a vehicle power state, and the like. The center device 3 stores the information received from the vehicle-side system 4 into the database (S5013).
When program update is necessary, the center device 3 generates the rewrite specification data illustrated in
After the distribution package is prepared, the center device 3 notifies the user of program update. The center device 3 refers to the personal information stored in the database, and transmits a short message service (SMS) to the mobile terminal 6 (S5031). The mobile terminal 6 is connected to a uniform resource locator (URL) described in the SMS through the user operation, and displays a notification content (S5032). The mobile terminal 6 notifies the center device 3 of an approval or disapproval for the program update through the user operation (S5033). The center device 3 registers the user's intention information (approval or disapproval) in the database (S5034). Here, instead of the mobile terminal 6, the user may be notified by using the in-vehicle display 7.
The CGW 13 receives the distribution specification data transmitted from the center device 3 via the DCM 12, and transfers the distribution specification data to the in-vehicle display 7 (S5035). The in-vehicle display 7 analyzes the distribution specification data and displays a display wording or the like that is the notification content (S5036). The in-vehicle display 7 displays image data such as icons and receives input as to whether or not the user approves the program update. The CGW 13 receives the user's intention information from the in-vehicle display 7 and notifies the center device 3 of the user's intention information via the DCM 12 (S5037).
In a case where the approval for the program update is obtained from the user, the vehicle-side system 4 downloads the distribution package from the center device 3. First, the center device 3 checks whether the execution conditions designated in advance by the user are satisfied (S5041). In a case where at least one of the execution conditions is not satisfied, the center device 3 does not transmit the distribution package to the DCM 12. In a case where all the execution conditions are satisfied, the center device 3 transmits the distribution package to the DCM 12 (S5042). When the distribution package is downloaded from the center device 3, the DCM 12 stores the downloaded distribution package into the flash memory. The DCM 12 extracts the distribution package authenticator from the distribution package, and verifies the integrity of the reprogramming data and the distribution specification data (S5043).
The DCM 12 calculates authenticators of the reprogramming data and the distribution specification data by using, for example, key information stored in the CGW 13. The DCM 12 compares the calculated authenticators with the distribution package authenticator extracted from the distribution package, and determines that the verification is successful when the authenticators match each other, and determines that the verification fails when the authenticators do not match each other. When it is determined that the verification fails, the DCM 12 deletes the distribution package, and also notifies the CGW 13 and the center device 3 of the verification failure.
In a case where it is determined that the verification of the distribution package is successful, the DCM 12 unpackages the reprogramming data included in the distribution package as illustrated in
The DCM 12 transmits the CGW rewrite specification data to the CGW 13 (S5045). The CGW 13 analyzes the CGW rewrite specification data received from the DCM 12, extracts necessary information, and then authenticates the write data for each ECU 19 with the DCM 12 (S5046). For example, the CGW 13 calculates an authenticator of the write data (difference data) of the ECU (ID1) by using the key information of the ECU (ID1) stored therein. The CGW 13 compares the calculated authenticator with the authenticator extracted from the reprogramming data, and determines that the verification is successful in a case where the authenticators match each other, and determines that the verification fails in a case where the authenticators do not match each other. When it is determined that the verification fails, the CGW 13 deletes the distribution package, and notifies the DCM 12 and the center device 3 of the verification failure. Here, in a case where it is determined that verification of any one of the pieces of write data fails, the CGW 13 does not perform program update on all the ECUs 19.
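The two verification stages described above (the DCM's package-level check in S5043 and the CGW's per-ECU write-data check in S5046, with deletion on failure and the all-or-nothing rule) are shown below as an added example; this is not code from the page or from any vehicle supplier. The page only says that authenticators are computed from key information, so HMAC-SHA256 with length-prefixed fields, the key names, the package layout, and the use of a dictionary to stand in for the DCM's flash memory are all assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed keys. The page speaks of "key information" held on the vehicle side;
# the split into one package key and one key per ECU is an assumption of this example.
PACKAGE_KEY = b"package-key-constructed"
ECU_KEYS = {
    "ID1": b"ecu-id1-key-constructed",
    "ID2": b"ecu-id2-key-constructed",
    "ID3": b"ecu-id3-key-constructed",
}


def authenticator(key: bytes, *parts: bytes) -> bytes:
    """MAC over length-prefixed parts, so that moving bytes between fields changes the MAC."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


@dataclass
class WriteData:
    ecu_id: str
    data: bytes      # write data (difference data) for this ECU
    auth: bytes      # authenticator under this ECU's key


@dataclass
class DistributionPackage:
    spec_data: bytes        # distribution specification data
    write_data: list        # reprogramming data: one WriteData per rewrite target ECU
    package_auth: bytes     # distribution package authenticator


def reprogramming_bytes(write_data) -> bytes:
    """Serialize the reprogramming data so the package MAC covers every ECU entry."""
    out = bytearray()
    for w in write_data:
        for part in (w.ecu_id.encode(), w.data, w.auth):
            out += len(part).to_bytes(4, "big") + part
    return bytes(out)


def package_authenticator(write_data, spec_data: bytes) -> bytes:
    return authenticator(PACKAGE_KEY, reprogramming_bytes(write_data), spec_data)


def build_package(spec_data: bytes, write_items: dict, center_ecu_keys=ECU_KEYS) -> DistributionPackage:
    """Center-device side: authenticate each ECU's write data with that ECU's key, then
    authenticate the reprogramming data and spec data as a whole."""
    write_data = [
        WriteData(ecu_id, data, authenticator(center_ecu_keys[ecu_id], ecu_id.encode(), data))
        for ecu_id, data in write_items.items()
    ]
    return DistributionPackage(spec_data, write_data, package_authenticator(write_data, spec_data))


def dcm_verify_package(pkg: DistributionPackage, flash: dict) -> bool:
    """DCM step S5043: integrity of reprogramming data and spec data. On failure the stored
    package is deleted and False is returned; the caller then notifies the CGW and center."""
    expected = package_authenticator(pkg.write_data, pkg.spec_data)
    if not hmac.compare_digest(expected, pkg.package_auth):
        flash.pop("package", None)
        return False
    flash["package"] = pkg
    return True


def cgw_verify_write_data(pkg: DistributionPackage, flash: dict) -> list:
    """CGW step S5046: verify each ECU's write data under that ECU's key. All-or-nothing:
    one failure aborts the update for every ECU and deletes the package."""
    verified = []
    for w in pkg.write_data:
        key = ECU_KEYS.get(w.ecu_id)
        ok = key is not None and hmac.compare_digest(
            authenticator(key, w.ecu_id.encode(), w.data), w.auth)
        if not ok:
            flash.pop("package", None)
            return []
        verified.append(w.ecu_id)
    return verified


def tampered(pkg: DistributionPackage, ecu_id: str) -> DistributionPackage:
    """Constructed attacker: flip one byte of one ECU's write data, leave all MACs as they are."""
    wd = [WriteData(w.ecu_id,
                    bytes([w.data[0] ^ 1]) + w.data[1:] if w.ecu_id == ecu_id else w.data,
                    w.auth) for w in pkg.write_data]
    return DistributionPackage(pkg.spec_data, wd, pkg.package_auth)
```

The second stage matters even when the first passes: if the center authenticated one ECU's write data under a key that does not match the key held on the vehicle, the package MAC still verifies at the DCM, and only the per-ECU check at the CGW catches it; because the check is all-or-nothing, the ECUs whose data did verify are not updated either, which keeps the set of ECUs consistent with one campaign.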
When it is determined that all of the pieces of write data are successfully verified, the CGW 13 receives the distribution specification data from the DCM 12, and transfers the received distribution specification data to the in-vehicle display 7 (S5047). The in-vehicle display 7 stores the distribution specification data transferred from the CGW 13. When the download process described above is completed, the CGW 13 notifies the center device 3 of download completion via the DCM 12 (S5048).
When the center device 3 is notified of the download completion from the vehicle-side system 4, the center device 3 transmits an SMS to the mobile terminal 6 (S5049). The mobile terminal 6 is connected to a URL described in the SMS through the user operation, and displays an installation reservation screen (S5050). The mobile terminal 6 notifies the center device 3 of the installation date and time entered through the user operation (S5051). The center device 3 stores the installation date and time into the database, linked to the personal information (S5052). Here, the user may be caused to reserve the installation date and time by using the in-vehicle display 7 instead of the mobile terminal 6. When the in-vehicle display 7 is notified of the download completion from the CGW 13 (S5053), the in-vehicle display 7 displays the installation reservation screen (S5054). The CGW 13 notifies the center device 3 of the installation date and time received from the in-vehicle display 7, via the DCM 12 (S5055).
In a case where the current date and time reaches the installation date and time registered in the database, the center device 3 instructs the vehicle-side system 4 to initiate installation (S5071). When an instruction for the installation is given from the center device 3, the DCM 12 checks installation execution conditions (S5072). The DCM 12 checks, for example, a vehicle position or a status of communication with the center device 3. In a case where all of the execution conditions are satisfied, the DCM 12 uses the package authenticator to authenticate the distribution package (S5073). When the authentication is successful, the DCM 12 unpackages the distribution package (S5074), extracts the DCM rewrite specification data and the CGW rewrite specification data, divides the rewrite specification data into pieces of write data for the respective ECUs 19, and notifies the CGW 13 of installation initiation (S5075).
When the CGW 13 is notified of the installation initiation from the DCM 12, the CGW 13 analyzes the CGW rewrite specification data acquired from the DCM 12, and determines an order of performing rewriting on the ECUs 19 (S5076). Here, it is assumed that the ECU (ID1) is subjected to rewriting first, the ECU (ID2) is subjected to rewriting second, and the ECU (ID3) is subjected to rewriting third. The CGW 13 verifies all the pieces of write data for the respective rewrite target ECUs 19 stored in the DCM 12 by using the respective authenticators (S5077). Here, it is better to verify not only write data for version upgrade but also write data for rollback.
When the verification of the write data is successful, the CGW 13 requests the power supply management ECU 20 to turn on the IG power (S5078). When installation is performed during parking (the IG switch 42 is turned off and the ACC switch 41 is turned off), in a case where the rewrite target ECU 19 is an IG ECU or an ACC ECU, power is required to be supplied to start the rewrite target ECU 19. The power supply management ECU 20 requests the power supply control circuit 43 to provide the same power as in an ON state of the IG power (S5079). When the power is supplied to the IG power line 39 by the power supply control circuit 43, the IG ECU and the ACC ECU are started (wake-up).
Thereafter, the CGW 13 requests the ECU (ID4), the ECU (ID5), and the ECU (ID6), which are the non-rewrite target ECUs 19, and the ECU (ID2) and the ECU (ID3), which are subjected to rewriting in the second and subsequent order, to sleep (S5080). Here, the second rewrite target ECU 19 is subjected to rewriting after the first rewrite target ECU 19 is subjected to rewriting, but a plurality of rewrite target ECUs 19 may be subjected to rewriting simultaneously and in parallel. In this case, only the non-rewrite target ECUs 19 are requested to sleep.
The CGW 13 monitors a remaining battery charge (S5081) and monitors communication loads of the buses (S5082) in parallel with installation in each rewrite target ECU 19. The CGW 13 refers to a value of a battery load and a value of a bus load (bus load table) extracted from the CGW rewrite specification data, and controls installation within a range that does not exceed an allowable value. For example, when the battery load reaches the allowable value in a parking state, the CGW 13 stops the installation at that time.
For example, when the bus load of the first bus to which the rewrite target ECU (ID1) is connected reaches the allowable value, the CGW 13 reduces the frequency of transmitting the write data to the ECU (ID1). The monitoring is finished when installation in all of the rewrite target ECUs 19 is completed. In a case of a single-bank memory, since the installation cannot be interrupted partway through, it is necessary to check that there is a sufficient remaining battery charge before initiation of the installation.
The CGW 13 notifies the ECU (ID1) subjected to rewriting first to initiate installation (S5101). When the ECU (ID1) is notified of initiation of installation from the CGW 13, the ECU (ID1) causes a state to transition to a wireless program update mode (S5102). Since the ECU (ID1) is a single-bank memory ECU, the ECU (ID1) cannot execute an application program or perform a diagnosis process using a tool in parallel, and enters a wireless program update only mode.
When the CGW 13 performs installation on the ECU (ID1) subjected to rewriting first, the CGW 13 authenticates access by using a security access key (S5103). When authentication of access to the ECU (ID1) is successful, the CGW 13 transmits information of the entire data that is the write data to the ECU (ID1). The ECU (ID1) uses the information of the received entire data to determine whether or not the write data is consistent with the ECU (S5104). In a case where it is determined that the write data is consistent, the ECU (ID1) performs a write process.
The CGW 13 acquires a divided file of a predetermined size (for example, 1 k bytes) of the write data that is transmitted from the DCM 12 to the ECU (ID1) and distributes the divided file to the ECU (ID1) (S5105). The ECU (ID1) writes the divided file received from the CGW 13 into the flash memory 33d (S5106). When writing is completed, the ECU (ID1) stores a retry point indicating a flash memory address at which the divided file is written such that writing can be resumed from the middle (S5107). As the retry point, a flag indicating a process that has been executed among erasure, writing, and the subsequent processes on the flash memory may be stored. When the retry point is stored, the ECU (ID1) notifies the CGW 13 of write completion (S5108).
When the write completion notification is received from the ECU (ID1), the CGW 13 notifies the center device 3 of rewrite status progress information via the DCM 12 (S5109). The progress information includes data such as the installation phase and the write data that has been written in terms of cumulative bytes in the ECU (ID1). The center device 3 updates a web screen that can be connected from the mobile terminal 6 on the basis of the progress information transmitted from the DCM 12 (S5110). The mobile terminal 6 is connected to the center device 3 and displays, for example, a percentage of currently completed installation as the updated progress situation (S5111). Consequently, even in a case where the vehicle is in the parking state and the user is outside the vehicle, the mobile terminal 6 can recognize a progress situation of the installation. Here, the progress may be displayed on the in-vehicle display 7 instead of the mobile terminal 6. When a rewrite completion notification is received from the ECU (ID1), the CGW 13 notifies the in-vehicle display 7 of rewrite status progress information (S5112). The in-vehicle display 7 updates and displays a progress situation screen (S5113). In a case of a double-bank memory configuration such as the ECU (ID2) and the ECU (ID3), installation is possible even when the vehicle is in a traveling state. Thus, for example, when the vehicle is in an IG switch-on state, the in-vehicle display 7 may display the progress situation.
When the write completion notification is received from the ECU (ID1), the CGW 13 acquires a second divided file as the next write data and distributes the divided file to the ECU (ID1). Thereafter, the processes in S5105 to S5113 are repeatedly performed up to an N-th divided file as the last write data. When writing up to the N-th divided file is completed, the ECU (ID1) verifies the integrity of the update program of the flash memory and checks whether or not the update program has been written correctly (S5114). When the CGW 13 is notified from the ECU (ID1) that all of the divided files have been written and the integrity verification has been successful, the CGW 13 requests the ECU (ID1) to sleep (S5115). The ECU (ID1) temporarily sleeps without being started by the installed update program. The CGW 13 requests the second rewrite ECU (ID2) to wake up (S5201).
The CGW 13 notifies the ECU (ID2) that a program is to be updated wirelessly and installation is initiated (S5202). The ECU (ID2) causes a state to transition to a wireless program update mode as an internal state (S5203). The ECU (ID2) having a double-bank memory can execute an application program and diagnosis using tools during the wireless program update mode. The CGW 13 authenticates access to the ECU (ID2) (S5204). The ECU (ID2) determines whether or not difference data that is the write data is consistent with the ECU (S5205). Since the ECU (ID2) has a double-bank memory, the ECU (ID2) also determines whether or not the write data is consistent with an inactive bank of the flash memory. For example, assuming that the bank-A of the ECU (ID2) is an active bank and the bank-B is an inactive bank, in a case where the write data is addressed to a location that is not consistent with the bank-B, the CGW 13 notifies the center device 3 via the DCM 12 that the write data is erroneous without proceeding to the subsequent process. The CGW 13 then performs a rollback process described later. In a case where it is determined that the write data is consistent with the ECU, a write process is performed on the ECU (ID2). Thereafter, processes in S5206 to S5216 related to the ECU (ID2) are the same as those in S5105 to S5115. In S5207, when the difference data is written into the ECU (ID2) having a double-bank memory, as illustrated in
The CGW 13 requests the third rewrite ECU (ID3) to wake up when the entire installation is completed in the ECU (ID2) and the ECU (ID2) sleeps (S5301). The CGW 13 notifies the ECU (ID3) that the program is to be updated wirelessly and installation is initiated (S5302). The ECU (ID3) causes a state to transition to a wireless program update mode as an internal state (S5303). The CGW 13 authenticates access to the ECU (ID3) (S5304). The ECU (ID3) determines whether or not difference data that is the write data is consistent with the ECU (S5305). In a case where it is determined that the write data is consistent with the ECU, a write process is performed on the ECU (ID3). Thereafter, processes in S5306 to S5315 related to the ECU (ID3) are the same as those in S5105 to S5114.
When the entire installation in the ECU (ID3) is completed, the CGW 13 finishes monitoring of the remaining battery charge and monitoring of the communication loads of the buses (S5316 and S5317). The CGW 13 requests the ECU (ID1) and the ECU (ID2) to wake up (S5401).
The CGW 13 requests each ECU to activate the updated program in order to start the ECU (ID1), the ECU (ID2), and the ECU (ID3) simultaneously with the updated programs (S5402). In a case of an ECU that does not support an activation request, it is preferable to notify the ECU of power-off and power-on instead of the activation request and thus to cause the ECU to be restarted.
When an activation request is received from the CGW 13, the ECU (ID1) restarts itself (S5403). Since the ECU (ID1) has a single-bank memory, the ECU (ID1) is started by the updated program when being restarted. When restarting after installation is completed, the ECU (ID1) notifies the CGW 13 of an updated program version along with activation completion (S5404).
When an activation request is received from the CGW 13, the ECU (ID2) updates the stored active bank information from the bank-A to the bank-B (S5405), and restarts itself (S5406). When the ECU (ID2) is started normally in the bank-B, the ECU (ID2) notifies the CGW 13 of activation completion along with an updated program version and the active bank information (S5407).
When an activation request is received from the CGW 13, the ECU (ID3) updates the stored active bank information from the bank-A to the bank-B (S5408), and restarts itself (S5409). When the ECU (ID3) is started normally in the bank-B, the ECU (ID3) notifies the CGW 13 of activation completion along with an updated program version and the active bank information (S5410).
When the activation completion notifications are received from the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 notifies the center device 3 of the program update completion along with the updated program versions and the active bank information related to the rewrite targets ECU (ID1), ECU (ID2), and ECU (ID3) via the DCM 12 (S5411). The center device 3 registers the information sent from the DCM 12 into the database (S5412), and also updates the web screen to a display indicating completion as a progress situation (S5413). The mobile terminal 6 is connected to the center device 3, and displays a web screen indicating that the program update is completed (S5414). When the activation completion notifications are received from the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 notifies the in-vehicle display 7 of program update completion as a progress situation (S5415). The in-vehicle display 7 displays information indicating that the program update has been completed (S5416). In a case where progress display is not necessary, such as when the vehicle is in a parking state, the CGW 13 does not notify the in-vehicle display 7 of the progress.
Finally, the CGW 13 requests the power supply management ECU 20 to turn off the IG power (S5418). The power supply management ECU 20 requests the power supply control circuit 43 to cut off the supply of power in order to return to a power supply state of IG switch-off before initiation of the installation. When the supply of power to the IG power line 39 and the ACC power line 38 is cut off by the power supply control circuit 43, the ECU (ID1), the ECU (ID2), the ECU (ID4), the ECU (ID5), and the ECU (ID6) are brought into a stop state.
In the above examples, a description has been made of a case where the ECU (ID1) having a single-bank memory is also subjected to program update, and thus the processes from installation to activation are performed continuously while the vehicle is in a parking state. However, for example, in a case where all the rewrite target ECUs 19 have double-bank memories, installation can be performed in the background while the vehicle is traveling. There may be a configuration in which the mobile terminal 6 obtains an approval for activation from the user at the time at which installation in the rewrite target ECU 19 is completed,
Next, a description will be made of a rollback sequence when cancellation of program update is selected by the user during installation of an application program with reference to
When the center device 3 is notified of cancellation of program update from the mobile terminal 6, the center device 3 instructs the vehicle-side system 4 to cancel the program update (S6001). The center device 3 changes the web screen to a display aspect for rollback as a progress situation (S6002). The mobile terminal 6 displays a web screen indicating the progress situation during rollback (S6003).
When the CGW 13 is instructed to cancel the program update from the center device 3 via the DCM 12, the CGW 13 determines an ECU requiring a rollback process and a necessary rollback process on the basis of memory configurations and installation statuses of the rewrite targets ECU (ID1), ECU (ID2), and ECU (ID3) (S6004). In this example, it is determined that a rollback process of completing installation in the ECU (ID2) and returning the ECU (ID1) to an original version is necessary.
The CGW 13 notifies the in-vehicle display 7 of rollback progress (S6005). When the in-vehicle display 7 is notified of the rollback progress from the CGW 13, the in-vehicle display 7 changes a display aspect to a rollback display aspect, and displays the progress (S6006). The in-vehicle display 7 displays, for example, “during rollback”, and also displays the progress of the ECU (ID1) requiring rollback as 0% and the progress of the ECU (ID2) as 0%.
The CGW 13 continues to install the write data as a rollback process for the ECU (ID2). Since the ECU (ID2) has a double-bank memory, the ECU (ID2) can stop the installation in the bank-B that is an inactive bank halfway, and can be continuously operated with the bank-A as an active bank. However, in a case where the write data is installed halfway in the bank-B which is thus in an incomplete state, a difference cannot be restored correctly at the next installation using difference data. Therefore, the installation is continuously performed in the ECU (ID2) to the end.
Specifically, the CGW 13 acquires a divided file (for example, 1 k bytes) of the write data that is transmitted to the ECU (ID2) from the DCM 12, and distributes the divided file to the ECU (ID2) (S6007). The ECU (ID2) writes the divided file received from the CGW 13 into the flash memory 33d (S6008). When writing is completed, the ECU (ID2) stores a retry point (S6009) such that writing can be resumed from the middle, and notifies the CGW 13 of write completion (S6010).
When the write completion notification is received from the ECU (ID2), the CGW 13 notifies the center device 3 of rollback status progress information via the DCM 12 (S6011). The rollback status progress information is, for example, data such as a data amount required to be written as rollback for the ECU (ID2), and a cumulative amount of written data of the required data amount. The center device 3 updates a web screen that can be connected from the mobile terminal 6 on the basis of the progress information transmitted from the DCM 12 (S6012). The mobile terminal 6 displays, for example, a web screen related to a percentage of currently completed rollback or the like as the updated progress situation (S6013). Here, the progress may be displayed on the in-vehicle display 7 instead of the mobile terminal 6. When a rewrite completion notification is received from the ECU (ID2), the CGW 13 notifies the in-vehicle display 7 of rollback status progress information (S6014). The in-vehicle display 7 updates and displays a progress situation screen (S6015). Thereafter, the processes in S6007 to S6015 are repeatedly performed up to an N-th divided file as the last write data.
When the N-th divided file is written, the ECU (ID2) verifies the integrity of the update program of the flash memory 33d (S6016). When an installation completion notification is received from the ECU (ID2), the CGW 13 requests the ECU (ID2) to sleep (S6017). The ECU (ID2) sleeps without being started by the update program installed in the bank-B that is an inactive bank.
Subsequently, the CGW 13 requests the ECU (ID1) to wake up so as to perform a rollback process on the ECU (ID1) (S6101). The CGW 13 notifies the ECU (ID1) that installation for rollback is to be initiated (S6102). When the ECU (ID1) is notified of the installation initiation from the CGW 13, the ECU (ID1) causes a state to transition to a wireless program update mode (S6103). The CGW 13 authenticates access to ECU (ID1) (S6104). When access authentication is successful, the ECU (ID1) determines whether or not rollback write data is consistent with the ECU (S6105). In a case where it is determined that the rollback write data is consistent with the ECU, a write process is performed on the ECU (ID1).
The CGW 13 acquires a divided file of a predetermined size (for example, 1 k bytes) of the rollback write data that is transmitted from the DCM 12 to the ECU (ID1), and distributes the divided file to the ECU (ID1) (S6106). The ECU (ID1) writes the divided file received from the CGW 13 into the flash memory 33d (S6107). When writing is completed, the ECU (ID1) stores a retry point indicating a flash memory address at which the divided file is written such that writing can be resumed from the middle (S6108). When the retry point is stored, the ECU (ID1) notifies the CGW 13 of write completion (S6109).
When the write completion notification is received from the ECU (ID1), the CGW 13 notifies the center device 3 of rewrite status progress information via the DCM 12 (S6110). The center device 3 updates a web screen that can be connected from the mobile terminal 6 on the basis of the progress information transmitted from the DCM 12 (S6111). The mobile terminal 6 is connected to the center device 3 and displays, for example, a percentage of currently completed rollback as the updated progress situation (S6112). Here, the progress may be displayed on the in-vehicle display 7 instead of the mobile terminal 6. When a write completion notification is received from the ECU (ID1), the CGW 13 notifies the in-vehicle display 7 of rewrite status progress information (S6113). The in-vehicle display 7 updates and displays a rollback progress situation screen (S6114). When the write completion notification is received from the ECU (ID1), the CGW 13 acquires a second divided file as the next write data and distributes the divided file to the ECU (ID1). Thereafter, the processes in S6106 to S6114 are repeatedly performed up to an N-th divided file as the last write data.
When writing up to the N-th divided file is completed, the ECU (ID1) verifies the integrity of the rollback program of the flash memory and checks whether or not the rollback program has been written correctly (S6115). When the CGW 13 is notified from the ECU (ID1) that all of the divided files have been written and the integrity verification has been successful, the CGW 13 finishes monitoring of the remaining battery charge and monitoring of the communication loads of the buses (S6116 and S6117).
Subsequently, the CGW 13 requests the ECU (ID2) and the ECU (ID3) to wake up (S6201). The CGW 13 requests rollback activation of the ECU (ID1), the ECU (ID2), and the ECU (ID3) so that they are started in the old version from before the installation (S6202). The ECU (ID1) having a single-bank memory starts the old version program through restarting, as in rewriting during the normal time. Unlike rewriting during the normal time, the ECU (ID2) and the ECU (ID3) having double-bank memories start the programs in the bank-A that is the current active bank, without changing the active bank.
When the rollback activation request is received from the CGW 13, the ECU (ID1) restarts itself (S6203). When the restart is completed, the ECU (ID1) notifies the CGW 13 of a program version along with rollback activation completion (S6204).
When the rollback activation request is received from the CGW 13, the ECU (ID2) restarts itself without updating the stored active bank information (S6205). When the ECU (ID2) is started normally in the bank-A that is still an active bank, the ECU (ID2) notifies the CGW 13 of a program version and active bank information along with rollback activation completion (S6206).
When the rollback activation request is received from the CGW 13, the ECU (ID3) restarts itself without updating the stored active bank information (S6207). When the ECU (ID3) is started normally in the bank-A that is still an active bank, the ECU (ID3) notifies the CGW 13 of a program version and active bank information along with rollback activation completion (S6208).
When the rollback activation completion notifications are received from the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 notifies the center device 3 of the rollback completion via the DCM 12 (S6209). Here, the CGW 13 also sends a notification of the program version and the active bank information related to the ECU (ID1), the ECU (ID2), and the ECU (ID3). The center device 3 registers the information sent from the DCM 12 into the database (S6210) and also updates the web screen to a display indicating cancellation completion as a progress situation (S6211). The mobile terminal 6 is connected to the center device 3, and displays a web screen indicating that cancellation is completed (S6212).
When the rollback activation completion notifications are received from the ECU (ID1), the ECU (ID2), and the ECU (ID3), the CGW 13 notifies the in-vehicle display 7 of rollback completion as a progress situation (S6213). The in-vehicle display 7 displays the fact that the rollback is completed (S6214).
Finally, the CGW 13 requests the power supply management ECU 20 to turn off the IG power (S6215). The power supply management ECU 20 requests the power supply control circuit 43 to cut off the supply of power in order to return to a state of IG switch-off before initiation of the installation. When the supply of power to the IG power line 39 and the ACC power line 38 is cut off by the power supply control circuit 43, the ECU (ID1), the ECU (ID2), the ECU (ID4), the ECU (ID5), and the ECU (ID6) are brought into a stop state.
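The installation sequence (S5101 to S5410) and the rollback sequence (S6004 to S6208) above both hinge on the same two facts about each rewrite target ECU 19: its memory configuration (single-bank or double-bank) and how far the divided-file writes have progressed. The following Python model, added here as an illustration and not code from the original disclosure, reproduces the CGW 13's decisions: the per-bank consistency check before writing, divided-file writes with a retry point, the rollback plan chosen on cancellation (finish a half-written inactive bank, rewrite a single-bank ECU back to the old version, leave untouched ECUs alone), and the difference between normal and rollback activation. Chunk size, version strings, image sizes and the `Ecu` class are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CHUNK = 1024  # divided-file size; the text's "1 k bytes" example


@dataclass
class Ecu:
    """Constructed model of one rewrite target ECU 19 as tracked by the CGW 13."""
    ecu_id: str
    double_bank: bool
    banks: Dict[str, Optional[str]]   # bank -> program version in flash (None = partial)
    active: str = "A"
    retry_point: int = 0              # S5107: bytes written so far, the resume point
    install_done: bool = False        # set once the N-th file passed integrity check

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"


def write_target_bank(ecu: Ecu) -> str:
    """A double-bank ECU is written in its inactive bank; a single-bank ECU in place."""
    return ecu.inactive() if ecu.double_bank else ecu.active


def is_consistent(ecu: Ecu, addressed_bank: str) -> bool:
    """S5104/S5205: write data must address the bank the ECU will actually write.
    For the double-bank ECU (ID2) with bank-A active, data addressed to bank-A
    is rejected and the CGW reports erroneous write data instead of proceeding."""
    return addressed_bank == write_target_bank(ecu)


def write_chunks(ecu: Ecu, version: str, image_size: int,
                 max_chunks: Optional[int] = None) -> int:
    """S5105-S5114: distribute divided files, store a retry point after each one,
    and mark the bank with the new version once the last file is verified.
    max_chunks models an installation interrupted by a cancellation.
    Returns the number of divided files written in this call."""
    bank = write_target_bank(ecu)
    n = 0
    while ecu.retry_point < image_size:
        if max_chunks is not None and n >= max_chunks:
            return n                      # stopped mid-way; retry point kept
        if not ecu.double_bank:
            ecu.banks[bank] = None        # single bank: old program is gone mid-write
        ecu.retry_point = min(ecu.retry_point + CHUNK, image_size)
        n += 1
    ecu.banks[bank] = version             # integrity verification succeeded
    ecu.install_done = True
    return n


def plan_rollback(ecus: List[Ecu]) -> Dict[str, str]:
    """S6004: choose the rollback action per ECU from its memory configuration
    and installation status."""
    plan: Dict[str, str] = {}
    for e in ecus:
        if e.retry_point == 0:
            plan[e.ecu_id] = "none"                 # nothing written yet
        elif e.double_bank:
            # S6007-S6017: a half-written inactive bank would break the next
            # difference install, so finish it; bank-A simply stays active.
            plan[e.ecu_id] = "none" if e.install_done else "complete-install"
        else:
            # single bank: only a full rewrite restores the old version
            plan[e.ecu_id] = "rewrite-old-version"
    return plan


def activate(ecu: Ecu, rollback: bool) -> Optional[str]:
    """S5403-S5410: normal activation switches a double-bank ECU to the bank
    just written. S6202-S6208: rollback activation restarts without switching.
    Returns the program version the ECU boots into."""
    if ecu.double_bank and not rollback:
        ecu.active = ecu.inactive()
    return ecu.banks[ecu.active]


def rollback_and_activate(ecus: List[Ecu], old_version: str, new_version: str,
                          image_size: int) -> Dict[str, Optional[str]]:
    """Carry out the plan from S6004 and report what each ECU boots afterwards."""
    plan = plan_rollback(ecus)
    for e in ecus:
        if plan[e.ecu_id] == "complete-install":
            write_chunks(e, new_version, image_size)     # resume from retry point
        elif plan[e.ecu_id] == "rewrite-old-version":
            e.retry_point, e.install_done = 0, False
            write_chunks(e, old_version, image_size)     # S6106-S6115
    return {e.ecu_id: activate(e, rollback=True) for e in ecus}
```

In the text's scenario (ID1 fully installed, ID2 half written, ID3 not started when the user cancels) the plan is to rewrite ID1, complete ID2 and leave ID3, after which every ECU reports the old version while ID2 still holds the new program in its inactive bank-B.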
As described above, it is possible to perform program update on a plurality of the rewrite target ECUs 19 by using the CGW 13 as a reprogramming master. In the present embodiment, a description has been made of a case where an application program is rewritten with the ECU (ID1), the ECU (ID2), and the ECU (ID3) as one group, but the same applies to a case where the application program is rewritten in the ECU (ID4), the ECU (ID5), and the ECU (ID6) as a second group. In this case, installation and activation are performed on the ECUs 19 of the first group, and then installation and activation are performed on the ECUs 19 of the second group.
Application programs in the DCM 12, the CGW 13, the in-vehicle display device 7, and the power supply management ECU 20 can alternatively be rewritten in the same manner. However, since these application programs are required to remain operable during program update, these ECUs are configured to have double-bank memories.
Although the present disclosure has been described in accordance with the embodiments, it is understood that the present disclosure is not limited to the embodiments and structures described above. The present disclosure encompasses various modification examples or variations within the scope of equivalents. Various combinations or forms as well as other combinations or forms including only one element, one or more elements, or one or less elements, fall within the scope or the spirit of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
2018-151414 | Aug 2018 | JP | national |
2019-129951 | Jul 2019 | JP | national |
This application is a continuation application of PCT/JP2019/031457 filed on Aug. 8, 2019, which designated the U.S. and claims the benefit of priority from Japanese Patent Application No. 2018-151414 filed on Aug. 10, 2018 and Japanese Patent Application No. 2019-129951 filed on Jul. 12, 2019. The entire disclosures of all of the above applications are incorporated herein by reference.
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/JP2019/031457 | Aug 2019 | US |
Child | 17167342 | | US |