JP7586026B2 - Center for controlling software updates - Google Patents

Description

This disclosure relates to a center that controls software updates for electronic control units installed in vehicles.

A vehicle is equipped with multiple electronic control units (ECUs) for controlling the operation of the vehicle. The electronic control unit includes a processor, a temporary storage unit such as RAM, and a non-volatile memory that is a non-volatile storage unit such as flash ROM. The processor executes software stored in the non-volatile memory to realize the control functions of the electronic control unit. The software stored in each electronic control unit is rewritable, and by updating to a newer version of the software, it is possible to improve the functions of each electronic control unit or add new vehicle control functions.

One known technology for updating software in an electronic control unit is OTA (Over The Air) technology, in which an in-vehicle communication device connected to an in-vehicle network is wirelessly connected to a communication network such as the Internet, and a device responsible for updating the vehicle's software downloads software from a server via wireless communication, writes and installs the downloaded software in the electronic control unit, and activates the installed software, thereby updating or adding software to the electronic control unit. For example, see Patent Document 1.

JP 2017-149323 A

In software updates using OTA, the OTA functions related to software updates are uniformly provided by the center to all vehicle users and administrators. For this reason, even if vehicle users and administrators want to impose restrictions on some or all of the OTA functions, they are unable to freely impose restrictions.

This disclosure has been made in consideration of the above-mentioned problems, and aims to provide a center for controlling software updates that can impose restrictions on some or all of the OTA functions related to software updates.

In order to solve the above problem, one aspect of the disclosed technology is a center that controls software updates for an electronic control unit mounted on a vehicle, and includes a communication unit that communicates with the vehicle, and a control unit that controls software updates based on an update request from the vehicle, and the control unit is a center that restricts software updates when an update restriction request is made to the vehicle from a predetermined first information terminal among information terminals linked to the vehicle.

The center disclosed herein allows the user or administrator of the vehicle that owns the first information terminal to restrict some or all of the OTA functions related to software updates.

FIG. 1 is a block diagram showing an overall configuration of a network system according to an embodiment; Block diagram showing the general configuration of the center Center functional block diagram Block diagram showing the schematic configuration of the OTA master OTA Master Functional Block Diagram Flowchart of the process of adding an information terminal for which authority is to be set to the system Flowchart of OTA function restriction process for software update Flowchart of OTA function restriction process for software update

According to the present disclosure, a center that controls software updates for an electronic control unit mounted on a vehicle restricts software updates when a request for restricting updates is received from a specific information terminal among information terminals linked to the vehicle. This allows a user or administrator of the vehicle who owns the specific information terminal to restrict a part or all of the OTA functions related to software updates.
Hereinafter, an embodiment of the present disclosure will be described in detail with reference to the drawings.

<Embodiment>
[System configuration]
Fig. 1 is a block diagram showing the overall configuration of a network system according to an embodiment of the present disclosure. The network system shown in Fig. 1 is a system for updating software of a plurality of electronic control units (ECUs) 50a to 50d mounted on a vehicle, and includes a center 10 located outside the vehicle, an in-vehicle network 90 established within the vehicle, and an information terminal 95 linked to the vehicle.

(1) Center The center 10 can communicate with an OTA master 30 (described later) provided in the in-vehicle network 90 via the network 100, and can control and manage software updates of the multiple electronic control units 50a to 50d connected to the OTA master 30 by sending notifications to vehicle users and managers that software updates are available and explanations about the software updates, sending update data for the software of the electronic control units 50a to 50d and information defining the procedure for the update process, and receiving notifications indicating the progress of the software update process. This center 10 functions as a so-called server.

Figure 2 is a block diagram showing the schematic configuration of the center 10 in Figure 1. As shown in Figure 2, the center 10 includes a CPU (Central Processing Unit) 11, a RAM (Random Access Memory) 12, a storage device 13, and a communication device 14. The storage device 13 is a device equipped with a readable and writable storage medium such as a hard disk drive (HDD) or a solid state drive (SSD), and stores a program for performing software update management, information used for software update control and update management, and software update data for each electronic control unit. In the center 10, the CPU 11 executes a program read from the storage device 13 using the RAM 12 as a working area, thereby performing a predetermined process related to software updates. The communication device 14 is a device for communicating with the OTA master 30 via the network 100.

Figure 3 is a functional block diagram of the center 10 shown in Figure 2. The center 10 shown in Figure 3 includes a memory unit 16, a communication unit 17, and a control unit 18. The memory unit 16 is realized by the storage device 13 shown in Figure 2. The communication unit 17 and the control unit 18 are realized by the CPU 11 shown in Figure 2 executing a program stored in the storage device 13 using the RAM 12.

The storage unit 16 stores information related to software update processing of one or more electronic control units mounted on the vehicle. As information related to the software update processing, the storage unit 16 stores at least update management information in which information indicating software available in the electronic control units 50a to 50d is associated with information indicating software available in the electronic control units 50a to 50d for each vehicle identification information (vehicle ID) that identifies the vehicle, and update data for the software of the electronic control units 50a to 50d. As information indicating software available in the electronic control units 50a to 50d, for example, a combination of the latest version information of each software of the multiple electronic control units 50a to 50d is defined. As information related to the software update processing, the storage unit 16 can store an update status indicating the update status of the software being implemented in the vehicle. As information related to the software update processing, the storage unit 16 can store information related to an update sequence that indicates the procedure of the software update processing for issuing control instructions to the OTA master 30. In addition, the storage unit 16 can store information related to restrictions on the OTA function related to software updates obtained from the authority control device 70 of the vehicle, which will be described later.

The communication unit 17 functions as a transmitting unit and a receiving unit that transmits and receives data, information, notifications, requests, etc. between the OTA master 30 (vehicle) and the information terminal 95. The communication unit 17 receives a software update confirmation request from the OTA master 30 (receiving unit). The update confirmation request is information transmitted from the OTA master 30 to the center 10 when, for example, the power or ignition is turned on in the vehicle (hereinafter referred to as "power ON"), and is information for requesting the center 10 to confirm whether or not there is update data for the electronic control units 50a to 50d based on the vehicle configuration information described later. In addition, in response to the update confirmation request received from the OTA master 30, the communication unit 17 transmits information indicating the presence or absence of update data to the OTA master 30 (transmitting unit). In addition, the communication unit 17 receives a request to transmit a distribution package (download request) from the OTA master 30 (receiving unit). Furthermore, when the communication unit 17 receives a download request for a distribution package (reception unit), it transmits a distribution package including software update data for the electronic control units 50a to 50d generated by the control unit 18 described below to the OTA master 30 (transmission unit). Furthermore, the communication unit 17 receives information regarding the presence or absence of an update restriction request and an update restriction lift request from the vehicle, as well as information regarding the authority of the OTA function related to software updates for the information terminal linked to the vehicle (reception unit). Furthermore, the communication unit 17 notifies the vehicle of restrictions on the OTA function related to software updates based on the update restriction request and the update restriction lift request (transmission unit).

When the communication unit 17 receives an update confirmation request from the OTA master 30, the control unit 18 determines whether or not there is software update data for the electronic control units 50a to 50d installed in the vehicle identified by the vehicle ID included in the update confirmation request, based on the update management information stored in the memory unit 16. The control unit 18 transmits the determination result of whether or not there is update data to the OTA master 30 by the communication unit 17. When the control unit 18 determines that there is software update data for the electronic control units 50a to 50d, and receives a distribution package download request from the OTA master 30, it generates one or more distribution packages including the corresponding update data stored in the memory unit 16. In addition, when a specific information terminal (described later) among the information terminals 95 linked to the vehicle requests the vehicle to restrict the update, the control unit 18 restricts the software update of the electronic control units 50a to 50d.

(2) Information Terminal The information terminal 95 is a device such as a smartphone or a personal computer owned by a user or manager of the vehicle. This information terminal 95 is linked to the vehicle by, for example, registering and managing unique information (such as a terminal ID) in the vehicle. The number of information terminals 95 linked to the vehicle is not limited to one, and may be multiple. The information terminal 95 of this embodiment is provided with at least one information terminal 95 (hereinafter referred to as the "authority management information terminal 95") for managing the authority of the OTA function related to software update. One or more information terminals 95 can communicate with the authority control device 70 provided in the vehicle, and can cooperate with the authority control device 70 to restrict the OTA function related to software update. The authority management information terminal 95 can determine which information terminal 95 is to be given the authority to restrict the OTA function related to software update.

(3) In-Vehicle Network The in-vehicle network 90 includes an OTA master 30, a plurality of electronic control units 50a to 50d, an authority controller 70, and a communication module 80. The OTA master 30 and the communication module 80 are connected via a bus 60a. The OTA master 30 and the electronic control units 50a and 50b are connected via a bus 60b. The OTA master 30 and the electronic control units 50c and 50d are connected via a bus 60c. The OTA master 30 and the authority controller 70 are connected via a bus 60d.

The OTA master 30 can communicate wirelessly with the center 10 via the network 100 through the bus 60a and the communication module 80. The OTA master 30 can also communicate wired with the electronic control units 50a to 50d and the authorized controller 70 through the buses 60b to 60d. The OTA master 30 is a device that has the function of managing the OTA state and controlling the update sequence, which is the flow of the software update process, to perform software updates of the electronic control units to be updated (hereinafter referred to as "target electronic control units"). The OTA master 30 controls software updates of the target electronic control units among the electronic control units 50a to 50d based on update data acquired from the center 10. The OTA master 30 can also control appropriate screen displays on a specified display device based on information and notifications about software updates received from the center 10. The OTA master 30 is sometimes called a central gateway (CGW).

Figure 4 is a block diagram showing a schematic configuration of the OTA master 30 in Figure 1. As shown in Figure 4, the OTA master 30 includes a CPU 31, a RAM 32, a ROM (Read-Only Memory) 33, a storage device 34, and a communication device 36. The CPU 31, RAM 32, ROM 33, and storage device 34 constitute a microcomputer 35. In the OTA master 30, the CPU 31 executes a program read from the ROM 33 using the RAM 32 as a working area, thereby performing a predetermined process related to software updates. The communication device 36 is a device for communicating with the communication module 80, the electronic control units 50a to 50d, and the authority controller 70, respectively, via the buses 60a to 60d shown in Figure 1.

Figure 5 is a functional block diagram of the OTA master 30 shown in Figure 4. The OTA master 30 shown in Figure 5 includes a memory unit 37, a communication unit 38, and a control unit 39. The memory unit 37 is realized by the storage device 34 shown in Figure 4. The communication unit 38 and the control unit 39 are realized by the CPU 31 shown in Figure 4 executing a program stored in the ROM 33 using the RAM 32.

The storage unit 37 stores a program for executing software updates for the multiple electronic control units 50a-50d (a control program for the OTA master 30), various data used when executing software updates, and software update data downloaded from the center 10. The storage unit 37 can also store information about the type of non-volatile memory installed in each of the multiple electronic control units 50a-50d.

The communication unit 38 functions as a transmitter and a receiver that transmits and receives data, information, notifications, requests, and the like to and from the center 10. The communication unit 38 transmits a software update confirmation request to the center 10, for example, when the vehicle is turned on (transmitter). The update confirmation request includes, for example, a vehicle ID for identifying the vehicle and information on the current version of the software of the electronic control units 50a to 50d connected to the in-vehicle network 90. The vehicle ID and the current version of the software of the electronic control units 50a to 50d are used to determine whether or not there is update data for the software of the electronic control units 50a to 50d by comparing them with the latest version of the software held by the center 10 for each vehicle ID. The communication unit 38 also receives a notification indicating the presence or absence of update data from the center 10 in response to the update confirmation request (receiver). When there is software update data for the electronic control units 50a-50d, the communication unit 38 transmits a download request for a distribution package including the software update data to the center 10 (transmission unit), and receives (downloads) the distribution package transmitted from the center 10 (reception unit). The communication unit 38 also transmits the update status of the software transmitted by the electronic control units 50a-50d to the center 10 (transmission unit). Based on instructions from the control unit 39, the communication unit 38 can also display information related to the software update, notifications related to the transmission of that information, and the software update status on a display device.

The control unit 39 determines whether there is update data for the software of the electronic control units 50a to 50d based on the response from the center 10 to the update confirmation request received by the communication unit 38. The control unit 39 also verifies the authenticity of the update data that the communication unit 38 receives (downloads) from the center 10 in a distribution package and stores in the storage unit 37. The control unit 39 also uses the update data downloaded from the center 10 to control the software update process (installation, activation, etc.) of the electronic control units 50a to 50d. Specifically, the control unit 39 transfers the downloaded update data to the target electronic control unit and causes the target electronic control unit to install update software based on the update data. After the installation is completed, the control unit 39 instructs the target electronic control unit to activate the installed update software. During the software update process, the control unit 39 restricts and executes the software update based on an update restriction request from the information terminal 95 instructed by the center 10.

The multiple electronic control units 50a-50d are devices (ECUs) for controlling the operation of each part of the vehicle. In FIG. 1, an example is shown in which the in-vehicle network 90 includes four electronic control units 50a-50d, but the number of electronic control units is not particularly limited. In addition, the number of buses connecting the electronic control units 50a-50d to the OTA master 30 is also not particularly limited.

The authority control device 70 is a device that can manage/determine the authority of the OTA function related to software updates. The authority control device 70 can be a display device (HMI) such as a car navigation system that can perform various displays such as displaying the presence of update data during software update processing of the electronic control units 50a to 50d, displaying an explanation of the software update, displaying a consent request screen for requesting consent to the software update from the vehicle user or administrator, and displaying the results and status of the software update. In this embodiment, the authority control device 70 communicates with the center 10 and the information terminal 95 via the OTA master 30, but it may communicate directly from the communication module 80 without going through the OTA master 30, or directly via other communication devices (DCM, smartphone, etc.) not shown in the figure instead of the communication module 80. In addition to the authority control device 70, an electronic control unit or the like may be further connected to the bus 60d shown in FIG. 1.

Examples of the authority of the OTA function related to software updates managed by the authority control device 70 include whether to notify the contents of the software update by OTA [update notification restriction], to what extent (download, installation, activation) the execution of the software update process by OTA is restricted or permitted [update execution restriction], and which functions to be updated (entertainment system, driving control system, brake system, etc.) are enabled [function selection]. Which of these OTA functions is enabled/disabled is set in advance by the information terminal 95 that has been granted the authority. As an example of a setting method, items related to restrictions are selectively displayed on the display screen of the authority control device 70, and an item is selected by the owner of the information terminal 95, etc. The contents of the authority of the set OTA function are linked to the individual information (ID) of the information terminal 95 and managed by the authority control device 70 (and the center 10).

The communication module 80 is a unit with the function of controlling communication between the center 10 and the vehicle, and is a communication device for connecting the in-vehicle network 90 to the center 10 and the information terminal 95. The communication module 80 is wirelessly connected to the center 10 via the network 100, and performs vehicle authentication by the OTA master 30 and downloads update data. This communication module 80 may be configured as part of the OTA master 30.

[Overview of the software update process]
The OTA master 30 transmits a software update confirmation request to the center 10, for example, when the power supply of the vehicle is turned on. The update confirmation request includes a vehicle ID for identifying the vehicle, and vehicle configuration information, which is information on the state (system configuration) of the electronic control units 50a to 50d connected to the in-vehicle network 90, such as the current versions of the hardware and software of the electronic control units 50a to 50d. The vehicle configuration information can be created by acquiring the identification number (ECU_ID) of the electronic control unit and the identification number (ECU_Software_ID) of the software version of the electronic control unit from the electronic control units 50a to 50d connected to the in-vehicle network 90. The vehicle ID and the current version of the software of the electronic control units 50a to 50d are used to determine whether or not there is update data for the software of the electronic control units 50a to 50d by comparing them with the latest version of the software held by the center 10 for each vehicle ID. The center 10 transmits to the OTA master 30, as a response to the update confirmation request received from the OTA master 30, a notification indicating the presence or absence of update data, information regarding software updates, and the like. When there is update data for the software of the electronic control units 50a to 50d, the OTA master 30 transmits a download request for a distribution package to the center 10. In addition, the OTA master 30 transmits to the center 10, as necessary, the authority of the OTA function regarding software updates based on an update restriction request/update restriction release request from the information terminal 95. The center 10 transmits to the OTA master 30 a distribution package including update data and the like based on the download request received from the OTA master 30 and the authority of the OTA function regarding software updates. In addition to the update data, the distribution package may include verification data for verifying the authenticity of the update data, the number of update data, type information, various control information used during software updates, and the like.

The OTA master 30 determines whether there is update data for the software of the electronic control units 50a to 50d based on the response to the update confirmation request received from the center 10. The OTA master 30 also verifies the authenticity of the distribution package received from the center 10 and stored in the storage device 13. The OTA master 30 also transfers the update data downloaded in the distribution package to the target electronic control unit based on the contents notified by the center 10 according to the authority of the OTA function related to software updates, and has the target electronic control unit install the update data. After the installation is completed, the OTA master 30 instructs the target electronic control unit to activate the installed updated software to make it valid.

In addition, in the consent request process, the center 10 causes the output device to output information explaining the software update, a notification that consent is required for the software update, and a notification prompting input that consent has been given to the software update, according to the authority of the OTA function related to the software update. An authority control device provided in the in-vehicle network 90 can be used as the output device. For example, in the consent request process, if it is possible to display information that should be explained in advance to the vehicle user or administrator on the screen of the authority control device 70, the authority control device 70 is used as the output device. When the authority control device 70 is used as the output device, the OTA master 30 can cause the authority control device 70 to display information regarding the software update, a consent request screen for requesting consent to the software update from the user or administrator, and a notification prompting a specific input operation such as pressing an consent button if the user or administrator consents. When the center 10 receives input of consent from the user or administrator via the OTA master 30, it instructs the OTA master 30 to execute the above-mentioned installation and activation control process according to the authority of the OTA function related to software updates, and updates the software of the target electronic control unit.

Here, if the non-volatile memory of the target electronic control unit is a single bank memory having one storage area for storing data such as software, in principle, installation and activation are performed consecutively, so consent request processing for software update is performed before installation is performed. Note that even if the target electronic control unit is a single bank memory, depending on the information on the update sequence instructed by the center 10, it may be requested to temporarily stop the update processing when installation is complete, that is, to put activation on hold (wait). Also, if the non-volatile memory of the target electronic control unit is a dual bank memory having two storage areas for storing data such as software, consent request processing for software update is performed at least after installation is performed and before activation is performed. Note that if the non-volatile memory of the target electronic control unit is a dual bank memory, consent request processing for software update before installation may be performed or may be omitted.

The software update process consists of a phase in which the OTA master 30 downloads update data from the center 10 (download phase), a phase in which the OTA master 30 transfers the downloaded update data to the target electronic control unit and installs update software based on the update data in the storage area of the target electronic control unit (installation phase), and a phase in which the target electronic control unit activates the installed update software (activation phase).

Downloading is a process in which the OTA master 30 receives update data for updating the software of the electronic control unit, which is transmitted from the center 10 in a distribution package, and stores it in the storage unit 37. When receiving update data by downloading, the download phase not only executes the download, but also includes control of a series of processes related to the download, such as determining whether the download can be executed and verifying the update data.

The update data transmitted from the center 10 to the OTA master 30 may include update software for the electronic control unit (all data or difference data), compressed data obtained by compressing the update software, or divided data obtained by dividing the update software or compressed data. The update data may also include the ECU_ID (or serial number) of the target electronic control unit and the ECU_Software_ID of the target electronic control unit before the update. The update data is downloaded as the distribution package described above, and the distribution package includes update data for a single electronic control unit or multiple electronic control units.

Installation is a process in which the OTA master 30 writes update software (an updated program) to the non-volatile memory of the target electronic control unit based on the update data downloaded from the center 10. The installation phase not only executes the installation, but also includes control of a series of processes related to the installation, such as determining whether or not the installation can be executed, transferring the update data, and verifying the update software.

If the update data includes the update software itself (all data), in the installation phase, the OTA master 30 transfers the update data (update software) to the target electronic control unit. Also, if the update data includes compressed data, difference data, or divided data of the update software, the OTA master 30 may transfer the update data to the target electronic control unit, and the target electronic control unit may generate the update software from the update data, or the OTA master 30 may generate the update software from the update data and then transfer the update software to the target electronic control unit. Here, the update software can be generated by decompressing the compressed data or assembling (integrating) the difference data or divided data.

The target electronic control unit can install the update software based on an installation request from the OTA master 30. Note that for a specific target electronic control unit that has received the update data, the installation may be performed autonomously without receiving an explicit instruction from the OTA master 30.

Activation is a process in which the target electronic control unit activates the update software installed in its own non-volatile memory. The activation phase not only executes the activation, but also includes a series of controls related to the activation, such as determining whether or not to execute the activation, requesting consent to the activation from the vehicle user or administrator, and verifying the execution results.

The target electronic control unit can activate the update software based on an activation request from the OTA master 30. Note that for a specific target electronic control unit that has received the update data, the activation can be performed autonomously after the installation is complete, without receiving an explicit instruction from the OTA master 30.

The software update process can be performed consecutively or in parallel for each of the multiple target electronic control units.

In addition, the "software update process" in this specification includes not only a process in which download, installation, and activation are all performed consecutively, but also a process in which only some of the download, installation, and activation are performed.

[process]
Next, with further reference to FIGS. 6, 7A, and 7B, the software update process executed in the network system of this embodiment will be described.

Figure 6 is a flowchart that explains an example of a process for adding an information terminal 95 that grants authority for the OTA function related to software updates to a network system by an authority management information terminal 95.

(Step S601)
The authority management information terminal 95 communicates with the authority control device 70 (authentication, cooperation) and transitions the authority control device 70 from normal mode to authority management mode. The normal mode refers to a state in which the OTA function related to software update can be restricted based on an update restriction request and an update restriction release request received from the information terminal 95. The authority management mode refers to a state in which the authority of the OTA function related to software update can be set. When the authority control device 70 transitions to the authority management mode, the process proceeds to step S602.

(Step S602)
The authority management information terminal 95 communicates with the authority control device 70 (authentication, cooperation) with the information terminal 95 that is newly permitted to be granted authority for the OTA function related to software update, and adds this information terminal 95 as a "first information terminal" having authority for the OTA function related to software update. When the first information terminal 95 is added, the process proceeds to step S603.

(Step S603)
The authority control device 70 sets the authority of the OTA function related to software update in the newly added first information terminal 95. The authority to be set may be set by the authority management information terminal 95, or may be set by the newly added first information terminal 95 itself. The contents of the set authority are registered in association with unique information (such as a terminal ID) of the first information terminal 95, and are managed by the authority control device 70 and/or the center 10. When the authority of the OTA function related to software update of the newly added first information terminal 95 is set, the process proceeds to step S604.

(Step S604)
The authority management information terminal 95 switches the authority control device 70 from the authority management mode to the normal mode. When the authority control device 70 switches to the normal mode, this process ends.

Figures 7A and 7B are flowcharts that explain the procedure for processing related to restricting some or all of the OTA functions related to software updates performed by the center 10 and the authority control device 70. The processing of Figure 7A and the processing of Figure 7B are connected by connectors X, Y, and Z.

(Step S701)
The center 10 judges whether or not there is software in the vehicle that needs to be updated. This judgment can be made, for example, based on the current version of the software in each of the electronic control units 50a to 50d mounted on the vehicle obtained from the vehicle configuration information included in the update confirmation request transmitted from the OTA master 30, and the latest version of each piece of software stored in the storage unit 16 of the center 10. If there is software in the target vehicle that needs to be updated (step S701, Yes), the process proceeds to step S702. On the other hand, if there is no software in the target vehicle that needs to be updated (step S701, No), this process ends.

(Step S702)
The authority control device 70 judges whether or not an update restriction request has been received from the information terminal 95. That is, the authority control device 70 judges whether or not there is an update restriction request for the vehicle from the first information terminal that has been granted the authority to restrict a part or all of the OTA function related to the software update. For example, the driver gets in the vehicle while carrying the information terminal 95 in which the OTA function restriction is set, and the information terminal 95 and the authority control device 70 cooperate (Bluetooth (registered trademark), etc.), so that the authority control device 70 can receive the update restriction request. If there is an update restriction request from the first information terminal 95 (step S702, Yes), the process proceeds to step S703. On the other hand, if there is no update restriction request from the first information terminal 95 (step S702, No), the process proceeds to step S707.

(Step S703)
The authority control device 70 judges whether or not authentication of the first information terminal 95, which is the information terminal 95 for which the update restriction request was made, has been successful. If authentication of the first information terminal 95 has been successful (step S703, Yes), the process proceeds to step S704. The center 10 is notified of the success of authentication of the first information terminal 95 (and the OTA function that is restricted as necessary). On the other hand, if authentication of the first information terminal 95 has failed (step S703, No), the process proceeds to step S702.

(Step S704)
The center 10 restricts and executes the software update process (transmission, instruction, notification, permission, etc.) based on the update restriction request received from the first information terminal 95 that has been successfully authenticated by the authority control device 70. For example, if the restriction on the update process based on the update restriction request is "prohibit software installation," the center 10 executes the processes (notification, transmission, etc.) required until the vehicle downloads the update software. When the software update is restricted and executed, the process proceeds to step S705.

(Step S705)
The authority control device 70 judges whether or not an update restriction release request has been received from the information terminal 95. That is, the authority control device 70 judges whether or not there is an update restriction release request from a first information terminal that has been granted authority to restrict some or all of the OTA functions related to software updates. This update restriction release request can be made not only by the first information terminal 95 that has sent the update restriction request, but also by an information terminal other than the information terminal 95 that has sent the update restriction request, or by the authority management information terminal 95. If there is an update restriction release request from the information terminal 95 (step S705, Yes), the process proceeds to step S706. On the other hand, if there is no update restriction release request from the information terminal 95 (step S706, No), the process proceeds to step S705.

(Step S706)
The authority control device 70 judges whether or not the authentication of the information terminal 95 that has requested the release of the update restriction has been successful. If the authentication of the information terminal 95 has been successful (step S706, Yes), the process proceeds to step S707. The center 10 is notified of the success of the authentication of the information terminal 95. On the other hand, if the authentication of the information terminal 95 has failed (step S706, No), the process proceeds to step S705.

(Step S707)
The center 10 performs the necessary processing (notification, transmission, etc.) to release the restriction and execute the software update, based on the update restriction release request from the information terminal 95 that has been successfully authenticated by the authority control device 70. When the restriction is released and the software update is executed, this processing ends.

<Action and Effects>
As described above, according to the embodiment of the present disclosure, the center for controlling software updates of the electronic control unit mounted on the vehicle restricts software updates in the vehicle when an update restriction request is received from a specific information terminal for which authority has been set in advance among the information terminals linked to the vehicle. This process allows a user or administrator of the vehicle who owns the specific information terminal to restrict a part or all of the OTA functions related to software updates.

Although one embodiment of the disclosed technology has been described above, the present disclosure can be understood not only as a center, but also as a method executed by a center equipped with a processor and memory, a program, a computer-readable non-transitory storage medium storing a program, an OTA master capable of communicating with a center, or a vehicle equipped with an OTA master.

The disclosed technology can be used in centers that control software updates for electronic control units installed in vehicles.

10 Center 11, 31 CPU
12,32 RAM
13, 34 Storage device 14, 36 Communication device 16, 37 Storage unit 17, 38 Communication unit 18, 39 Control unit 30 OTA master 33 ROM
35 Microcomputers 50a to 50d Electronic Control Unit (ECU)
60a to 60d Bus 70 Display device 80 Communication module 90 In-vehicle network 95 Information terminal 100 Network

Claims (1)

A center for controlling software updates of an electronic control unit mounted on a vehicle, comprising:
A communication unit that communicates with the vehicle;
a control unit that controls the software update based on an update request from the vehicle,
The control unit restricts the software update when an update restriction request is made to the vehicle from a predetermined first information terminal among information terminals linked to the vehicle.

Images