
CN116339178A - Method and equipment for safely brushing Electronic Control Unit (ECU) - Google Patents


Info

Publication number: CN116339178A
Authority: CN (China)
Prior art keywords: verification, electronic control, control unit, software image, unit ecu
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN202111596887.1A
Other languages: Chinese (zh)
Inventors: 张子烨, 陈炎
Current assignee: Robert Bosch GmbH
Original assignee: Robert Bosch GmbH
Priority date: 2021-12-24
Filing date: 2021-12-24
Publication date: 2023-06-27
Application filed by Robert Bosch GmbH
Priority to CN202111596887.1A
Publication of CN116339178A

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/25 Pc structure of the system
    • G05B2219/25257 Microcontroller

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for securely flashing an Electronic Control Unit (ECU), which comprises the following steps: receiving a software image, wherein the software image is used for updating the electronic control unit ECU; performing a verification on the software image; and after the verification is passed, executing a flashing operation on the electronic control unit ECU. The invention also relates to a device, a computer storage medium, a computer program product and a host for secure flashing of an electronic control unit ECU.

Description

Method and equipment for safely brushing Electronic Control Unit (ECU)
Technical Field
The present invention relates to the field of Electronic Control Unit (ECU) flashing, and more particularly, to a method and apparatus for secure flashing of an ECU, a computer storage medium, a computer program product, and a host computer.
Background
Currently, when an electronic control unit ECU (particularly an ECU having a secure flashing function, for example a radar sensor, domain controller, vision sensor, etc.) is flashed, a software image is generally transmitted by a FOTA host side (i.e., an online upgrade host side) to the ECU to be updated and then flashed. After the flashing is completed, the ECU to be updated checks whether the signature of the software image and the like meet the requirements.
However, the software image is typically large, e.g., 130MB when uncompressed, so that transferring the image over a typical on-board network (including CAN, CAN FD, Ethernet, etc.) takes a longer time (e.g., ten minutes or even longer). It is undesirable for the engineer to find, only after a long period of transmission and flashing, that the software image is unsatisfactory. In the context of diagnostic testing, this existing secure flashing scheme also affects the efficiency of the diagnostic test.
Disclosure of Invention
According to an aspect of the present invention, there is provided a method of securely flashing an electronic control unit ECU, the method comprising: receiving a software image, wherein the software image is used for updating the electronic control unit ECU; performing a verification on the software image; and after the verification is passed, executing a flashing operation on the electronic control unit ECU.
Additionally or alternatively to the above, in the above method, receiving the software image includes: the software image is received from a remote upgrade FOTA server.
Additionally or alternatively to the above, in the above method, performing a check on the software image includes: decryption verification and signature verification are performed on the software image using the authentication information and the certificate key obtained in advance.
Additionally or alternatively to the above, in the above method, the identity authentication information comprises an object identifier OID, and the certificate key comprises a root certificate.
Additionally or alternatively to the above, the method further comprises: if the verification is not passed, abandoning the flashing operation of the electronic control unit ECU and reporting an error.
According to another aspect of the present invention, there is provided an apparatus for securely flashing an electronic control unit ECU, the apparatus comprising: receiving means for receiving a software image for updating the electronic control unit ECU; verification means for performing a verification on the software image; and flashing means for executing the flashing operation of the electronic control unit ECU after the verification is passed.
Additionally or alternatively to the above, in the above apparatus, the receiving means is configured to: the software image is received from a remote upgrade FOTA server.
Additionally or alternatively to the above, in the above apparatus, the verification device is configured to: decryption verification and signature verification are performed on the software image using the authentication information and the certificate key obtained in advance.
Additionally or alternatively to the above, in the above device, the authentication information comprises an object identifier OID, and the certificate key comprises a root certificate.
Additionally or alternatively to the above, the above apparatus further comprises: error reporting means for reporting an error when the verification fails, without carrying out the flashing operation on the electronic control unit ECU.
According to yet another aspect of the invention, there is provided a computer storage medium comprising instructions which, when executed, perform a method as described above.
According to a further aspect of the invention there is provided a computer program product comprising a computer program which, when executed by a processor, implements a method as described above.
According to a further aspect of the invention there is provided a host comprising a device as hereinbefore described.
In addition or alternatively to the above, the host comprises a hardware security module HSM, wherein the pre-obtained authentication information and the certificate key are stored in the hardware security module.
In addition to or in place of the above, the host is a cloud service device, a locally located diagnostic device, or a test device.
The scheme for securely flashing the electronic control unit ECU according to the embodiments of the invention, by performing the verification on the software image before flashing the electronic control unit ECU, avoids the unfavorable situation in which the software image is found to be unsatisfactory only after long-time transmission and flashing, also helps to avoid repeated flashing of invalid software (or modified malicious software), and improves flashing efficiency.
Drawings
The above and other objects and advantages of the present invention will become more fully apparent from the following detailed description taken in conjunction with the accompanying drawings, in which identical or similar elements are designated by the same reference numerals.
FIG. 1 shows a flow diagram of a method of securely flashing an electronic control unit ECU according to one embodiment of the invention; and
FIG. 2 shows a schematic structural view of an apparatus for securely flashing an electronic control unit ECU according to an embodiment of the present invention.
Detailed Description
Hereinafter, a scheme for flashing the electronic control unit ECU according to various exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 shows a flow diagram of a method 1000 of securely flashing an electronic control unit ECU according to an embodiment of the invention. As shown in FIG. 1, the method 1000 of securely flashing an electronic control unit ECU includes the steps of:
in step S110, a software image is received, the software image being used for updating the electronic control unit ECU;
in step S120, a verification is performed on the software image; and
in step S130, after the verification is passed, a flashing operation on the electronic control unit ECU is performed.
An electronic control unit (ECU), also known as the "driving computer" of an automobile, is used to control the driving state of the automobile and to perform its various functions. It mainly uses various sensors and buses for data acquisition and exchange in order to judge the state of the vehicle and the intention of the driver, and it controls the automobile through actuators. When the electronic control system of an automobile fails, many failures may be associated with the ECU, so the failure can be removed by flashing the ECU to improve the performance of the vehicle. In the context of the present invention, the term "secure flashing" means ensuring that only authorized flashing software images are allowed for software updates, while preventing modified or unauthorized software images from being loaded into the ECU.
In addition, the term "software image" means a software file for the software/firmware update of the electronic control unit. In one embodiment, the software image used to perform the software update of the electronic control unit is encrypted and signed and, when uncompressed, is up to 130MB.
In one embodiment, step S110 includes: the software image is received from a remote upgrade FOTA server. As the name implies, the remote upgrade FOTA server is a server providing FOTA functionality. "FOTA" is an abbreviation of Firmware Over The Air, i.e. firmware over-the-air or remote upgrade. The scope of the term firmware is relatively fuzzy, and remote upgrades of Windows operating systems, mobile phones, embedded systems, microcontroller control programs and the like can all generally be called FOTA. In the context of the present invention, FOTA is aimed only at remote upgrades of the ECU.
In recent years, with the development of the internet of vehicles, automobiles have gradually evolved from mechanical products into electronic products. None of the various systems of the automobile, from the wipers to navigation, from active safety to advanced driver assistance systems, can be realized without the aid of sophisticated and reliable electronic systems. The proportion of electronic control units ECU, which are among the core components of the automobile, in its total control components is increasing. The number and complexity of the matching automotive software systems are also increasing continuously, and some software instability is unavoidable because of incomplete consideration, incomplete testing and the like during the designers' programming work. Thus, there is a concomitant increase in the potential risk to automobiles. Typically, an automotive ECU software version upgrade requires a visit to a 4S store or a return to the factory. If the software is not upgraded in time, a certain ECU function may become unusable, which brings great inconvenience to the vehicle owner. By means of FOTA remote upgrading, software faults can be resolved effectively, software risks can be responded to as an emergency, and information security vulnerabilities can be repaired in time.
In step S120, verification is performed on the software image received in step S110. That is, unlike the prior art scheme in which the verification is performed by the ECU to be updated itself, upon receipt and flashing of the software image, in this embodiment of the present invention the verification is performed on the software image by a third-party device other than the ECU to be updated, to determine whether the software image is authorized, i.e. secure, and thereby to secure (e.g., against tampering) the software of the subsequently flashed ECU.
In one embodiment, step S120 includes: decryption verification and signature verification are performed on the software image using the authentication information and the certificate key obtained in advance. In one embodiment, the authentication information comprises an object identifier OID, and the certificate key comprises a root certificate. By performing decryption verification and signature verification on the software image, problems such as selecting the wrong image, writing the wrong image or flashing the wrong ECU during diagnostic tests can be avoided, and thus an adverse influence on the vehicle's working performance or on fault resolution is avoided.
In one embodiment, the pre-obtained authentication information and the certificate key are stored in the hardware security module HSM. Thus, in this embodiment, the decryption verification and signature verification performed on the software image may also be performed in the hardware security module HSM.
If the verification (including, for example, decryption verification and signature verification) passes, in step S130 the electronic control unit ECU is flashed. Otherwise, the flashing operation of the electronic control unit ECU is abandoned and an error is reported.
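The pre-flash check of steps S120 and S130, as an added Go example that is not part of the patent: a host-side HSM model holds the pre-obtained root certificate and the image decryption key, confirms that the certificate carries the expected OID, verifies the signature over the encrypted image, and only then performs the decryption verification; any failure aborts before anything is written to the ECU. The OID value, the Ed25519 and AES-GCM choices, and the image container layout are assumptions, since the patent does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// AuthOID is a placeholder OID (private-enterprise arc) standing in for the
// patent's "authentication information": the root certificate must carry it.
var AuthOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// HSM models the host's hardware security module: the pre-obtained root
// certificate and the image decryption key live here and are never exported.
type HSM struct{ RootDER, AESKey []byte }

// Image is the constructed container a FOTA server would deliver: AES-GCM
// nonce, encrypted firmware, and an Ed25519 signature over nonce||ciphertext.
type Image struct{ Nonce, Ciphertext, Signature []byte }

// Verify is the host-side check of step S120: OID check on the root certificate,
// signature verification, then decryption verification. Firmware is returned
// only when every check passes; any error means step S130 must be abandoned.
func (h *HSM) Verify(img Image) ([]byte, error) {
	root, err := x509.ParseCertificate(h.RootDER)
	if err != nil {
		return nil, fmt.Errorf("root certificate: %w", err)
	}
	hasOID := false
	for _, ext := range root.Extensions {
		hasOID = hasOID || ext.Id.Equal(AuthOID)
	}
	if !hasOID {
		return nil, fmt.Errorf("root certificate lacks authentication OID %v", AuthOID)
	}
	// The signature covers nonce||ciphertext, so tampering is caught before decryption.
	signed := append(append([]byte{}, img.Nonce...), img.Ciphertext...)
	if err := root.CheckSignature(x509.PureEd25519, signed, img.Signature); err != nil {
		return nil, fmt.Errorf("signature verification failed: %w", err)
	}
	block, err := aes.NewCipher(h.AESKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	firmware, err := gcm.Open(nil, img.Nonce, img.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption verification failed: %w", err)
	}
	return firmware, nil
}

// BuildFixture constructs a self-signed root carrying AuthOID, an encrypted
// and signed image of firmware, and the matching HSM contents (test data only).
func BuildFixture(firmware []byte) (*HSM, Image, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Image{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: AuthOID, Value: []byte{0x05, 0x00}}}, // ASN.1 NULL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, Image{}, err
	}
	aesKey := make([]byte, 32)
	rand.Read(aesKey)
	block, _ := aes.NewCipher(aesKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	ct := gcm.Seal(nil, nonce, firmware, nil)
	sig := ed25519.Sign(priv, append(append([]byte{}, nonce...), ct...))
	return &HSM{RootDER: der, AESKey: aesKey}, Image{nonce, ct, sig}, nil
}

func main() {
	hsm, img, _ := BuildFixture([]byte("constructed firmware v1.2"))
	fw, err := hsm.Verify(img)
	fmt.Printf("verified %d bytes, error: %v\n", len(fw), err)
}
```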
In addition, those skilled in the art will readily appreciate that the method for securely flashing an electronic control unit ECU provided in one or more of the above-described embodiments of the present invention may be implemented by a computer program. For example, the computer program is embodied in a computer program product which, when executed by a processor, implements a method of securely flashing an electronic control unit ECU according to one or more embodiments of the invention. For another example, when a computer storage medium (e.g., a USB disk) storing the computer program is connected to a computer, the computer program is executed to perform a method for securely flashing an ECU according to one or more embodiments of the present invention.
Referring to FIG. 2, FIG. 2 shows an apparatus 2000 for securely flashing an electronic control unit ECU according to an embodiment of the present invention. As shown in FIG. 2, the apparatus 2000 for securely flashing the electronic control unit ECU includes receiving means 210, verification means 220 and flashing means 230. The receiving means 210 is used for receiving a software image, the software image being used for updating the electronic control unit ECU; the verification means 220 is configured to perform verification on the software image; and the flashing means 230 is used for performing a flashing operation on the electronic control unit ECU after the verification is passed.
In one embodiment, the receiving means 210 is configured to: receive the software image from a remote upgrade FOTA server. As the name implies, the remote upgrade FOTA server is a server providing FOTA functionality. "FOTA" is an abbreviation of Firmware Over The Air, i.e. firmware over-the-air or remote upgrade. The scope of the term firmware is relatively fuzzy, and remote upgrades of Windows operating systems, mobile phones, embedded systems, microcontroller control programs and the like can all generally be called FOTA. In the context of the present invention, FOTA is aimed only at remote upgrades of the ECU.
The verification means 220 is configured to perform a verification of the software image received by the receiving means 210. That is, unlike the prior art scheme in which the verification is performed by the ECU to be updated itself after receiving and flashing the software image, in this embodiment of the present invention the verification is performed on the software image by a third-party device (i.e., the verification means 220 in the apparatus 2000 for securely flashing the electronic control unit) other than the ECU to be updated, so as to determine whether the software image is authorized, i.e. secure, and thus to secure (e.g., against tampering) the software of the subsequently flashed ECU.
In one embodiment, the verification means 220 is configured to perform decryption verification and signature verification on the software image using the pre-obtained authentication information and the certificate key. In one embodiment, the authentication information comprises an object identifier OID, and the certificate key comprises a root certificate. By performing decryption verification and signature verification on the software image in the verification means 220, problems such as selecting the wrong image, writing the wrong image or flashing the wrong ECU during diagnostic tests can be avoided, and thus an adverse influence on the vehicle's working performance or on fault resolution is avoided.
In one embodiment, the pre-obtained authentication information and the certificate key are stored in the hardware security module HSM. Thus, in this embodiment, the verification device 220 may be configured to obtain the authentication information and the certificate key from the hardware security module HSM in order to perform decryption verification and signature verification on the software image. The hardware security module HSM may be included in the verification device 220 in one or more embodiments.
If the verification by the verification means 220 passes, the flashing means 230 is configured to proceed with flashing the electronic control unit ECU.
In one embodiment, although not shown in FIG. 2, the apparatus 2000 for securely flashing the electronic control unit ECU further includes error reporting means for reporting an error when the verification (by the verification means 220) fails, without performing a flashing operation on the electronic control unit ECU.
In one or more embodiments, the above-described apparatus 2000 for securely flashing an electronic control unit ECU may be included in a host or host computer. The host may be located at the remote end of the electronic control unit ECU to be flashed (e.g., a cloud service device), or at the near end (e.g., a wired test device or diagnostic device).
In one embodiment, the host comprises a hardware security module HSM, wherein the pre-obtained authentication information and the certificate key are stored in the hardware security module. A so-called hardware security module is a computer hardware device used to protect and manage the keys used by a strong authentication system while providing the associated cryptographic operations. It is, for example, a separate microcontroller connected to the host system bus through a firewall, with a dedicated flash memory area, its own protected memory (RAM), program code and data, and its own peripherals such as timers, hardware accelerators for certain cryptographic algorithms, or true random number generators. It has access to all hardware of the host. Security of the system, authenticated start-up and host monitoring are achieved at run time. The dedicated data flash memory can be used to store secret keys, which the host system cannot access at will. This means that the host can request the HSM to perform cryptographic operations without the key ever leaving the HSM. A particular advantage of the HSM in this respect is that it is freely programmable: as a separate microcontroller, the HSM can run any program code optimized for the current use case. This makes its security requirements higher than those of a simple coprocessor.
In summary, the scheme of the embodiments of the invention for securely flashing the electronic control unit ECU, by performing verification on the software image before flashing the electronic control unit ECU, avoids the disadvantage that the software image is found to be unsatisfactory only after long-time transmission and flashing, and also helps to avoid repeated flashing of invalid software (or modified malicious software) and to improve flashing efficiency.
While the above description describes only some of the embodiments of the present invention, those of ordinary skill in the art will appreciate that the present invention can be embodied in many other forms without departing from the spirit or scope thereof. Accordingly, the present examples and embodiments are to be considered as illustrative and not restrictive, and the invention is intended to cover various modifications and substitutions without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (15)

1. A method of securely flashing an electronic control unit ECU, the method comprising:
receiving a software image, wherein the software image is used for updating the electronic control unit ECU;
performing a verification on the software image; and
after the verification is passed, performing a flashing operation on the electronic control unit ECU.
2. The method of claim 1, wherein receiving a software image comprises:
the software image is received from a remote upgrade FOTA server.
3. The method of claim 1, wherein performing a check on the software image comprises:
decryption verification and signature verification are performed on the software image using the authentication information and the certificate key obtained in advance.
4. A method as claimed in claim 3, wherein the authentication information comprises an object identifier OID and the certificate key comprises a root certificate.
5. The method of claim 1, further comprising:
if the verification is not passed, abandoning the flashing operation of the electronic control unit ECU and reporting an error.
6. An apparatus for securely flashing an electronic control unit ECU, the apparatus comprising:
receiving means for receiving a software image for updating the electronic control unit ECU;
verification means for performing a verification on the software image; and
flashing means for performing the flashing operation on the electronic control unit ECU after the verification is passed.
7. The apparatus of claim 6, wherein the receiving means is configured to:
the software image is received from a remote upgrade FOTA server.
8. The apparatus of claim 6, wherein the verification device is configured to:
decryption verification and signature verification are performed on the software image using the authentication information and the certificate key obtained in advance.
9. The apparatus of claim 8, wherein the authentication information comprises an object identifier OID, and the certificate key comprises a root certificate.
10. The apparatus of claim 6, further comprising:
error reporting means for reporting an error when the verification fails, without carrying out the flashing operation on the electronic control unit ECU.
11. A computer storage medium comprising instructions which, when executed, perform the method of any one of claims 1 to 5.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
13. A host comprising the apparatus of any one of claims 6 to 10.
14. The host of claim 13, wherein the host comprises a hardware security module HSM, wherein the pre-obtained authentication information and the certificate key are stored in the hardware security module.
15. The host of claim 13, wherein the host is a cloud service device or a test device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111596887.1A CN116339178A (en) 2021-12-24 2021-12-24 Method and equipment for safely brushing Electronic Control Unit (ECU)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111596887.1A CN116339178A (en) 2021-12-24 2021-12-24 Method and equipment for safely brushing Electronic Control Unit (ECU)

Publications (1)

Publication Number Publication Date
CN116339178A true CN116339178A (en) 2023-06-27

Family

ID=86875054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111596887.1A Pending CN116339178A (en) 2021-12-24 2021-12-24 Method and equipment for safely brushing Electronic Control Unit (ECU)

Country Status (1)

Country Link
CN (1) CN116339178A (en)

Similar Documents

Publication Publication Date Title
CN108762783B (en) Software updating method and device for vehicle system and vehicle system
CN109697081B (en) Firmware safety upgrading method and device, vehicle-mounted system and vehicle
US11182485B2 (en) In-vehicle apparatus for efficient reprogramming and controlling method thereof
US10491392B2 (en) End-to-end vehicle secure ECU unlock in a semi-offline environment
US20180218158A1 (en) Evaluation apparatus, evaluation system, and evaluation method
CN102043680B (en) Method and system for refreshing ECU (Electronic Control Unit) embedded software and downloading program
CN109923518B (en) Software update mechanism for safety critical systems
JP5696669B2 (en) Gateway device and vehicle communication system
CN111480141A (en) Method and device for updating software of a motor vehicle control device
JP2019071572A (en) Control apparatus and control method
CN113805916A (en) An upgrade method, system, readable storage medium and vehicle
JP7177272B2 (en) Security processor
JP2019185575A (en) Controller and control method
CN114091008A (en) Method for securely updating a control device
CN116339178A (en) Method and equipment for safely brushing Electronic Control Unit (ECU)
US10789365B2 (en) Control device and control method
CN114175706B (en) System and method for securing diagnostic requests to a motor vehicle computer
JP2019066984A (en) Control device
JP7699102B2 (en) Software update device, software update method and software update processing program
CN111367559B (en) Refreshing method for online refreshing patch of electric control module
US20200076805A1 (en) Information processing apparatus, system and method
US20230333838A1 (en) Method and device for updating software of an onboard computer in a vehicle, comprising a runtime memory, a backup memory and a control memory
JP2025005114A (en) Electronic control device and session transition method
CN117492846A (en) Method for starting electronic control unit
CN119473350A (en) OTA update method, vehicle, storage medium and product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination