JPH10105468A - Electronic controller, memory rewriting device and memory rewriting system of electronic controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent a control program and control data incorporated in an electronic controller from being rewritten to be the ones unsuitable for the electronic controller. SOLUTION: In the electronic controller where a program for engine control is stored in a flash ROM, an identifying code (ID in the following) from an external device isreceived when a rewriting command is received (S100: YES and S120) and a rewriting control program transmitted from the external device is transferred to a volatile RAM so as to execute it (S150 and S160) only when the received ID coincides with the self incorporated ID (S130: YES) so that the program in the flash ROM is rewritten into the new program which is transmitted from the external device (S300). By the electronic controller, the control program is not rewritten to be the unsuitable one and the rewriting control program is not normally incorporated so that the control program is not changed in spite of the runaway of CPU.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a technique for rewriting control programs and control data stored in an electrically rewritable nonvolatile memory while the nonvolatile memory is mounted on an electronic control unit. .

[0002]

2. Description of the Related Art Conventionally, as an electronic control unit for controlling, for example, an engine of an automobile, a control program and control for engine control are provided in a nonvolatile memory capable of electrically rewriting data (specifically, erasing and writing data). There has been proposed a configuration in which data is stored and such a control program or control data can be rewritten even after being supplied to the market.

That is, this type of electronic control unit normally controls a control target such as an engine according to a control program and control data constituted by data stored in a nonvolatile memory, but is separately prepared. When the memory rewriting device is connected and receives a rewriting command from the memory rewriting device, the current data stored in the nonvolatile memory is erased, and a new area transmitted from the memory rewriting device to the erased area is erased. It is configured to perform a rewriting process such as writing data (new control program and control data).

On the other hand, the memory rewriting device connected to such an electronic control device includes a storage medium for storing new data to be rewritten, and when a predetermined operation is performed by an operator, the storage medium is rewritten. Is transmitted to the electronic control unit.

In a memory rewriting system for an electronic control device comprising such an electronic control device and a memory rewriting device, a control program and control data stored in a nonvolatile memory of the electronic control device are electronically controlled by the memory rewriting device. It can be rewritten with a new control program or control data to be transmitted to the device, whereby the operation content (control content) of the electronic control device can be arbitrarily changed.

[0006]

However, for example, in the case of automobiles, the grade (mounted equipment), engine model, destination (exporting country), etc. of the same type of vehicle as well as between different types of vehicles, etc. The content of the control to be performed by the electronic control device differs depending on the difference. In other words, control programs and control data to be stored in the non-volatile memory of the electronic control device are different for each control target controlled by the electronic control device.

Therefore, in this type of memory rewriting system for an electronic control unit, a worker operates the electronic control unit (more specifically,
From the memory rewriting device to the electronic control device without knowing that data constituting a control program or the like that is incompatible with the (control target) is stored in the storage medium on the memory rewriting device side,
There is a possibility that the inappropriate data may be transmitted.
Then, when such an operation error occurs, there is a problem that the electronic control device cannot appropriately control the control target.

In addition, in the conventional electronic control device, a rewrite control program executed for performing a rewrite process for rewriting the contents of the nonvolatile memory is previously stored in a non-rewriteable non-volatile memory (such as a mask ROM). Therefore, if the CPU runs out of control at normal times and the rewrite control program is erroneously started, the normal control program and control data stored in the nonvolatile memory may be lost or changed. was there.

SUMMARY OF THE INVENTION The present invention has been made in view of such a problem, and an electronic control device capable of reliably preventing a control program or control data stored in a nonvolatile memory from being rewritten to an inappropriate one. It is another object of the present invention to provide a memory rewriting device suitable for rewriting a control program and control data stored in a nonvolatile memory of the electronic control device and a memory rewriting system of the electronic control device.

[0010]

Means for Solving the Problems and Advantages of the Invention The electronic control device according to the first aspect of the present invention has an electrically rewritable nonvolatile memory. Normally, a predetermined control target is controlled in accordance with a control program and control data constituted by data stored in the non-volatile memory. The rewriting control program is transferred to a volatile memory area and activated to perform a rewriting process for rewriting data in the nonvolatile memory with new data transmitted from the external device.

The electronic control unit according to the first aspect includes an identification information storage unit that stores identification information of the electronic control unit in advance, a determination unit, and a transfer permission unit. When the external device receives the rewrite command, the external device communicates with the external device before the rewrite control program is transmitted from the external device. New information to be written to the non-volatile memory), identification information indicating a device that is stored in advance and corresponding to the new data, and identification information stored in the identification information storage unit. It is determined whether or not the rewriting control program is transferred to the memory area only when the transfer permission means determines that the two pieces of identification information match each other. Allow.

In other words, in the electronic control device according to the first aspect, when a rewrite command is received from the outside, first, communication is performed with the external device so that the external device can correspond to new data. It is determined whether or not the identification information stored in advance and the own identification information stored in the identification information storage means match, and only when the two pieces of identification information match, transmission from the external device is performed. The rewriting control program is transferred to a volatile memory area and activated. Then, by starting and executing the rewriting control program, a rewriting process for rewriting data in the nonvolatile memory with new data transmitted from the external device is performed.

According to the electronic control device of the first aspect, the external device stores a control program and new data constituting control data that are not compatible with the electronic control device. If the incompatible data is likely to be transmitted to the electronic control unit, the identification information on the external device side (that is, the information stored in advance in the external device corresponding to the new data, Since the identification information indicating a compatible device) does not match the identification information of the electronic control device stored in the identification information storage means, the electronic control device does not transfer the rewrite control program to the volatile memory area.

Therefore, according to the electronic control device of the first aspect, the control program or control data in the nonvolatile memory is erroneously rewritten to a control program or control data that is not compatible with the electronic control device. This can be reliably prevented. Moreover, in the electronic control device according to the first aspect, the rewrite control program transmitted from the external device is transferred to the volatile memory area and activated to perform the rewrite process for rewriting the data in the nonvolatile memory. With this configuration, if the power of the electronic control unit is once turned off after the operation of rewriting the contents of the nonvolatile memory is completed, the rewrite control program transferred to the volatile memory area disappears.

Therefore, according to the electronic control device of the first aspect, in a normal time when a predetermined control target is controlled, after the power supply to the electronic control device is started, the CPU that executes the program should be executed. Even if a runaway occurs, the rewrite control program for performing the rewrite process is not built-in, so it is ensured that the normal control program and control data stored in the nonvolatile memory are lost or changed. Can be prevented.

As the electrically rewritable nonvolatile memory, a flash EEPROM (hereinafter referred to as a flash ROM) or an EEPROM is generally used, but another electrically rewritable ROM may be used. As a volatile memory area to which the rewrite control program is transferred, a RAM from which data can be read and to which data can be written can be used.

In the electronic control device according to the first aspect, the determining means receives the identification information of the external device transmitted from the external device and receives the information. By comparing the obtained identification information with the identification information stored in the identification information storage means, it is determined whether or not the identification information on the external device side matches the identification information stored in the identification information storage means. It can be configured as follows.

The external device connected to the electronic control unit configured as described in claim 2 may be configured as a memory rewriting device described in claim 3. That is, the memory rewriting device according to claim 3 transmits the rewrite control program and the new data to the electronic control device according to claim 2, and stores the new data in the new data. A data storage unit for storing the identification information corresponding to the new data before transmitting the rewrite control program to the electronic control device. Send.

Furthermore, as in the present invention described in claim 4, the memory rewriting device according to claim 3 and the electronic control device according to claim 2 are mounted on an electronic control device. By configuring the memory rewriting system of the electronic control device for rewriting the contents of the non-volatile memory, the device that matches the new data before the rewriting control program is transmitted from the memory rewriting device to the electronic control device. Only when the identification information from the memory rewriting device and the self identification information stored in the identification information storage means match, the electronic control unit transmits the volatile information of the rewriting control program. Is permitted to be transferred to the memory area, and the effect of the electronic control device according to the first aspect can be reliably obtained.

On the other hand, in the electronic control device according to the first aspect, as the determination means, the identification information stored in the identification information storage means is transmitted to an external device, and thereafter, By receiving from the external device a response signal indicating whether or not the identification information on the external device side and the transmitted identification information match, the identification information on the external device side and the identification information stored on the identification information storage means are stored. It can be configured to determine whether or not the identification information matches.

The external device connected to the electronic control device configured as described in claim 5 may be configured as a memory rewriting device described in claim 6. That is, the memory rewriting device according to claim 6 transmits the rewriting control program and the new data to the electronic control device according to claim 5, and stores the new data in the new data. Data storage means for storing in advance in association with identification information indicating a device conforming to the data, and determining whether or not the identification information from the electronic control device matches the identification information corresponding to the new data. Is determined, and when the two pieces of identification information match each other, the identification information on the memory rewriting device side and the identification information stored in the identification information storage means of the electronic control device are transmitted to the electronic control device. The retransmission control program transmits the response signal indicating that the rewriting is performed, and then transmits the rewrite control program.

Further, as in the present invention described in claim 7, the memory rewriting device according to claim 6 and the electronic control device according to claim 5 are mounted on an electronic control device. If the memory rewriting system of the electronic control device for rewriting the contents of the non-volatile memory is configured, first, the identification information stored in the identification information storage means is transmitted from the electronic control device to the memory rewriting device, and the memory rewriting is performed. On the device side, it is determined whether or not the identification information from the electronic control device matches the identification information corresponding to the new data. When the two pieces of identification information match, the identification information on the memory rewriting device side matches the identification information stored in the identification information storage means of the electronic control device from the memory rewriting device to the electronic control device. Is transmitted, and then the rewrite control program is transmitted.

Then, the electronic control unit responds to the response signal from the memory rewriting device only when the identification information of the memory rewriting device matches the identification information stored in the identification information storage means ( That is, only when the response signal from the memory rewriting device indicates that the identification information on the memory rewriting device side matches the identification information stored in the identification information storage means of the electronic control device) The transfer of the control program to the volatile memory area is permitted, so that the effect of the electronic control device according to the first aspect can be reliably obtained.

However, according to the electronic control device configured as described in claim 2, or according to the memory rewriting system of the electronic control device described in claim 4, the identification information stored in the identification information storage means is electronically controlled. Since it is not transmitted to the outside of the device, the act of decrypting the identification information stored in the electronic control unit and intentionally rewriting the data stored in the non-volatile memory with other data is more reliably prevented. In such a point, it is superior to the electronic control device according to claim 5 or the memory rewriting system of the electronic control device according to claim 7.

On the other hand, the electronic control device according to claim 8 is
Like the electronic control device according to claim 1, at normal time,
A predetermined control target is controlled in accordance with a control program and control data constituted by data stored in an electrically rewritable non-volatile memory, and when an external rewrite command is received, The rewriting control program transmitted is transferred to a volatile memory area and activated, thereby performing a rewriting process for rewriting data in the nonvolatile memory with new data transmitted from the external device.

The electronic control unit according to the present invention includes an identification information storage unit for storing identification information of the electronic control unit in advance, a determination unit, and a transfer permission unit. Upon receiving the rewrite command from the outside, before the rewrite control program is transmitted from the external device, the identification information transmitted from the external device is received, and the received identification information and the identification information storage are received. It is determined whether the identification information stored in the rewriting control program matches the identification information stored in the rewriting control program. The transfer to the memory area is permitted.

According to the electronic control device of the eighth aspect, before transmitting the rewrite control program from the external device, the same identification information as the identification information stored in the identification information storage means of the electronic control device is provided. Unless the information is transmitted from the external device, the transfer of the rewrite control program to the volatile memory area is not permitted. Therefore, it is possible to reliably prevent data (control program and control data) in the nonvolatile memory from being carelessly rewritten or intentionally rewritten with other data.

According to the electronic control unit of the present invention, similarly to the electronic control unit of the first aspect, the rewriting control program transmitted from the external device is transferred to the volatile memory area. Is configured to perform a rewriting process of rewriting data in the non-volatile memory by starting up. Loss or change of the control program or control data can be reliably prevented.

[0029]

Embodiments of the present invention will be described below with reference to the drawings. It is needless to say that the embodiments of the present invention are not limited to the following examples, and can take various forms as long as they belong to the technical scope of the present invention.

First Embodiment First, FIG. 1 shows an engine control device (hereinafter referred to as an ECU) 2 mounted on an automobile for controlling an internal combustion engine, and an engine control program built in the ECU 2. FIG. 3 is a block diagram illustrating an overall configuration of a memory rewriting system 5 of the electronic control device of the embodiment, which includes a memory rewriting device 4 connected to the ECU 2 when rewriting data or writing new data.

As shown in FIG. 1, the ECU 2 receives signals from various sensors for detecting the operating state of the engine and performs waveform processing on the signals. The ECU 2 controls the engine based on the sensor signals from the input circuit 6. A single-chip microcomputer that executes various processes for controlling
A microcomputer 8, and an output circuit 10 that outputs a drive signal to an actuator such as an injector (fuel injection valve) or an igniter attached to the engine based on a control signal from the microcomputer 8.

The microcomputer 8 includes a well-known CPU 18 that operates according to a program, a non-volatile ROM 20 that stores programs and data necessary for operating the CPU 18, and a RAM 22 that temporarily stores calculation results of the CPU 18 and the like. I / O for receiving a signal from the input circuit 6 and the like and outputting a control signal to the output circuit 10
A communication circuit 25 for performing data communication between the O24 and the memory rewriting device 4 is provided.

Here, the ROM 20 includes a flash ROM (flash EEPROM) 20a in which data can be electrically erased and written, and a mask ROM 20b in which data cannot be rewritten. Then, after the microcomputer 8 is mounted on the ECU 2 in the manufacturing process of the ECU 2, a control program and control data for engine control are newly written in the flash ROM 20 a, and are executed in the mask ROM 20 b immediately after the reset. The boot program and an identification code (hereinafter, referred to as ID) of the ECU 2 on which the microcomputer 8 is mounted are stored in advance before the microcomputer 8 is mounted on the ECU 2.

The ID is set for each model or specification of the engine controlled by the ECU 2, or for a vehicle type name or a vehicle grade name on which the ECU 2 is mounted. Further, instead of the mask ROM 20b, a non-volatile memory capable of electrically erasing and writing data as well as the flash ROM 20a may be used as long as data rewriting is prohibited.

In such an ECU 2, the microcomputer 8
(CPU 18) immediately after the reset, the mask ROM 20
b), and at normal times when the memory rewriting device 4 is not connected, the boot program calls the engine control program (control program for engine control) in the flash ROM 20a to control the engine. Do.

When the microcomputer 8 determines that the rewriting mode is set as described later when the boot program is started, the microcomputer 8 executes the boot program without calling the control program in the flash ROM 20a. When a predetermined condition described later is satisfied, a write control program transmitted from the memory rewriting device 4 is received and stored in the RAM 22, and the write control program is called and executed on the RAM 22, whereby the flash memory is read. A rewrite process is performed to rewrite the current control program and control data stored in the ROM 20a with a new control program and control data transmitted from the memory rewriting device 4 thereafter.

It should be noted that even when the ECU 2 in which the control program and the control data for engine control have not yet been written in the flash ROM 20a, the flash RO 20a is manufactured.
The same is true except that a control program and control data for engine control are newly written in M20a.

On the other hand, the memory rewriting device 4 has a microcomputer 30 having a built-in CPU, ROM, RAM and the like for executing a process for causing the microcomputer 8 of the ECU 2 to rewrite the flash ROM 20a, and a command from the microcomputer 30. Accordingly, the flash RO is sent to the microcomputer 8 on the ECU 2 side.
A power supply circuit 32 for supplying a rewrite voltage (12 V in this embodiment) Vpp required for rewriting the data of M20a;
And a rewrite switch SW for changing the operation mode from the normal mode for controlling the engine to the rewrite mode for rewriting (or newly writing) the data in the flash ROM 20a.

Further, the memory rewriting device 4 includes an ECU
A first ROM 34 storing a rewrite control program (specifically, a program code constituting the rewrite control program) to be transmitted to the ECU 2, and a flash ROM 20 of the ECU 2
and a second ROM 36 in which a new control program and control data prepared for writing to a are stored. The first ROM 34 and the second ROM 36 are detachably provided to the memory rewriting device 4 by well-known IC sockets 38 and 40, respectively.

The second RAM 36 stores the ID of the ECU that matches the engine control program and the control data stored in the second RAM 36, that is, the ID of the ECU whose data is to be rewritten. As shown in FIG. 1, the connection between the memory rewriting device 4 and the ECU 2 is established by connecting the female connector 42F of the memory rewriting device 4 to the ECU 2 as shown in FIG.
This is performed by fitting the male connector 42M provided in the connector.

That is, when the two connectors 42F and 42M are fitted, serial data communication between the microcomputer 30 on the memory rewriting device 4 side and the microcomputer 8 on the ECU 2 becomes possible via the communication line 44. In addition, a rewrite voltage Vpp necessary for rewriting data in the flash ROM 20a is supplied from the power supply circuit 32 of the memory rewrite device 4 to the microcomputer 8 of the ECU 2 via the power supply line 46. Further, a signal line 48 connected to the ground potential (0 V) via the rewriting switch SW on the memory rewriting device 4 side is connected to the ECU.
When the rewriting switch SW is turned on on the memory rewriting device 4 side, the ECU 2 is connected to the mode determination signal line L pulled up to 5 V by the resistor R on the 2 side.
On the side, the mode determination signal line L changes from the high level (5 V) to the low level (0 V). When the mode determination signal line L is at the low level when the boot program is started as described above, the microcomputer 8 of the ECU 2 determines that the rewrite mode is set.

Next, the processing executed by the microcomputer 8 of the ECU 2 and the processing executed by the microcomputer 30 of the memory rewriting device 4 will be described with reference to FIGS. FIG. 2 is a flowchart showing the processing executed by the microcomputer 8 of the ECU 2, and its steps (hereinafter simply referred to as "S") are shown.
The processing from 100 to S170 is performed by the mask ROM 20.
b, and the processing of S200 is executed by the engine control program in the flash ROM 20a. Then, the process of S300 is executed by the rewriting control program transmitted from the memory rewriting device 4 and transferred to the RAM 22. Also,
FIG. 3 is a flowchart illustrating a process executed by the microcomputer 30 of the memory rewriting device 4.

First, in the ECU 2, when the power is turned on by turning on the ignition switch of the vehicle and the microcomputer 8 starts operating from the reset state, the mask R
The boot program stored in the OM 20b starts.
Then, as shown in FIG. 2, first, in S100, it is determined whether or not the mode is the rewrite mode based on whether or not the mode determination signal line L is at a low level. For example, it is determined that the normal mode is not the rewriting mode, the process proceeds to S110, and jumps to the engine control program.

Then, the control program stored in the flash ROM 20a is started.
As shown by 0, an engine control process performed with reference to engine control data is executed. S20
The engine control process of 0 calculates an optimal fuel injection amount, an ignition timing, and the like for the engine based on various sensor signals from the input circuit 6 and control data stored in the flash ROM 20a. The control signal for driving an actuator such as an injector or an igniter is output to the output circuit 10 repeatedly. Then, by executing such an engine control process, the engine can be operated.

On the other hand, in the boot program,
If it is determined at 100 that the mode is the rewriting mode, that is, if the memory rewriting device 4 is connected to the ECU 2 and the rewriting switch SW is turned on, the mode determination signal line L is at a low level, ROM2
The process directly proceeds to S120 without jumping to the engine control program in 0a.

In step S120, as described later, the process waits until an ID transmitted from the memory rewriting device 4 is received. When an ID from the memory rewriting device 4 is received, the process proceeds to the next step S130, where the reception is performed. Memory rewriting device 4
Then, it is determined whether or not the ID (received ID) from the server and its own ID (built-in ID) stored in the mask ROM 20b match. If it is determined that the two IDs match, the process proceeds to S140, where the memory rewriting device 4
, A request signal for requesting transmission of the rewrite control program is transmitted.

Then, as described later, the memory rewriting device 4
The rewrite control program is transmitted from the memory rewrite device 4 to the ECU 2. The rewrite control program is received from the memory rewrite device 4 and transferred and stored in a predetermined area of the RAM 22 in S150. Then, in subsequent S160, S150
To jump to the rewrite control program stored in the RAM 22.

As a result, the rewriting control program transmitted from the memory rewriting device 4 is executed on the RAM 22, and the current control program and control data stored in the flash ROM 20a are transmitted from the memory rewriting device 4. The rewriting process of S300 for rewriting the new control program and control data to be performed is performed.

The rewriting process in S300 is executed, for example, in the following procedure. 1. First, a program and data stored in the flash ROM 20a are erased in response to an erase command from the memory rewriting device 4. 2. Next, it waits for a new control program and control data to be transmitted from the memory rewriting device 4, and upon receiving them, the received control program and control data are replaced with the flash memory in which the old programs and data are stored. The data is sequentially written to the storage area of the ROM 20a.

3. Then, when all the control programs and control data from the memory rewriting device 4 are received and the rewriting of the flash ROM 20a is completed, all the processes are thereafter terminated. When the rewriting process in S300 is performed, the flash ROM 20a
Is rewritten with a new control program and control data from the memory rewriting device 4.

On the other hand, in S130 of the boot program,
ID (reception ID) transmitted from the memory rewriting device 4
And its own ID stored in the mask ROM 20b
(Internal ID) does not match,
The process moves to S170. In S170, an error signal indicating that the ID from the memory rewriting device 4 does not match the ID on the ECU 2 side is output to the memory rewriting device 4.
And then the ECU 2 ends the process.

Next, in the memory rewriting device 4, when the worker is connected to the ECU 2 and turns on the rewriting switch SW, the microcomputer 30 executes the processing shown in FIG. That is, first, in S400, an ECU that matches the new control program and control data stored in the second RAM 36
(The ID of the ECU whose data is to be rewritten)
Read from the second ROM 36 and read the ID
(Built-in ID) is transmitted to the ECU 2.

Then, as described above, the ECU 2 transmits the ID transmitted from the memory rewriting device 4 to the ECU 2.
And whether the ID stored in its own mask ROM 20b matches (S130). If both IDs match, a request signal of the rewrite control program is transmitted to the memory rewriting device 4. If the two IDs do not match (S140), an error signal is transmitted to the memory rewriting device 4 (S170).
At S410, a signal (request signal or error signal) transmitted from ECU 2 is received, and the type of the signal is determined.

If the signal from the ECU 2 is a request signal of the rewrite control program, the process proceeds to S420, where the first
The rewrite control program stored in the ROM 34 of
Send to CU2. Further, in the following S430, E
After transmitting the above-mentioned erase command to CU2, the second RO
The new control program and control data stored in M36 are transmitted.

Then, on the ECU 2 side, the control program and the control data in the flash ROM 20a are transferred to the memory rewriting device 4 by the rewriting process of S300 in FIG. 2 (that is, by executing the rewriting control program).
Will be rewritten with a new control program and control data transmitted from.

Then, in the memory rewriting device 4, the S4
When the process of 30 is completed, all the processes are completed. on the other hand,
If it is determined in step S410 that the signal from the ECU 2 is an error signal, the process proceeds to step S440, and an error display indicating that data cannot be rewritten is displayed on a predetermined display device (not shown). After that, the processing on the memory rewriting device 4 side ends.

In the first embodiment, in the ECU 2, the flash ROM 20a corresponds to an electrically rewritable nonvolatile memory, and the RAM 22
The mask ROM 20b corresponds to a volatile memory area,
It corresponds to identification information storage means. Then, the processes of S120 and S130 in FIG. 2 correspond to the determination unit and the transfer permission unit. In the memory rewriting device 4, the second ROM 36 corresponds to a data storage unit.

In the memory rewriting system 5 of the first embodiment, when rewriting the control program and the control data stored in the flash ROM 20a of the ECU 2, the operator first needs to rewrite the IC socket 38 of the memory rewriting device 4. A first ROM 34 in which a rewrite control program to be executed by the ECU 2 is stored is mounted.
A second control program in which a new control program and control data and an ID of an ECU conforming thereto are stored in the C socket 40.
Is mounted. Then, the memory rewriting device 4 is connected to the ECU 2, the rewriting switch SW of the memory rewriting device 4 is turned on, and the ignition switch of the vehicle is turned on to operate the ECU 2 from the initial state.

Then, from the memory rewriting device 4 to the ECU 2
The ECU ID that is compatible with the new control program and control data stored in the second RAM 36 is transmitted to the ECU 2 (S400), and the ECU 2 sends the ID from the memory rewriting device 4 and the self ID stored in the mask ROM 20b. I
It is determined whether or not D matches (S130).

When both IDs match (S1
30: YES), the ECU 2 sends the memory rewriting device 4
To the request signal of the rewrite control program (S14).
0), and in response to this, the memory rewriting device 4
The rewrite control program is transmitted to (S410: request signal, S420).

Thereafter, in the ECU 2, the rewriting control program from the memory rewriting device 4 is transferred to the RAM 22 and executed (S150, S160, S300). In the memory rewriting device 4, a new control program for the ECU 2 is transmitted. And transmission of control data is performed (S43).
0), the data of the flash ROM 20a mounted on the ECU 2 is rewritten by the operation of both devices.

On the other hand, the memory rewriting device 4
If the ID transmitted to U2 does not match the ID stored in ECU2 (S130: NO), ECU2
Sends an error signal to the memory rewriting device 4 and ends all the processing (S170).
When an error signal is received from U2 (S410: error signal), an error is displayed without transmitting a rewrite control program to the ECU 2 (S440).

As described in detail above, in the memory rewriting system 5 of the first embodiment, first, the memory rewriting device 4 is configured so that the I / O of the ECU adapted to the new control program and control data
D is transmitted, and the ECU 2 determines whether or not the ID transmitted from the memory rewriting device 4 matches its own ID stored in the mask ROM 20b. Only when the ID from the memory rewriting device 4 matches the ID of the own device, the ECU 2 transmits a transmission request of the rewriting control program to the memory rewriting device 4 and responds to the request. Is transferred to the RAM 22 and executed, thereby converting the control program and control data in the flash ROM 20a into a new control program and control data subsequently transmitted from the memory rewriting device 4. I try to rewrite.

Accordingly, the ECU 2 according to the first embodiment has the following features.
According to the memory rewriting system 5, a worker stores in the IC socket 40 of the memory rewriting device 4 a control program and control data that are not compatible with the ECU 2.
If the (second ROM) 36 is mounted and the incompatible control program and control data are likely to be transmitted to the ECU 2, the ID of the memory rewriting device 4 (that is, the second
Of the ECU 2 stored in the mask ROM 20b does not match with the ID stored in advance in the ROM 36 in correspondence with the new control program or the like.
The operation does not shift to the transfer operation of the rewrite control program to the RAM 22. Therefore, it is possible to reliably prevent the control program and the control data in the flash ROM 20a from being erroneously rewritten to the control program and the control data that are not suitable for the ECU 2.

When the control program and the control data are not rewritten, the operator stores the control program and the control data suitable for the ECU 2 in the second ROM 36 of the memory rewriting device 4. After that, the rewriting operation may be performed again. Further, in the ECU 2 of the first embodiment, the rewriting control program transmitted from the memory rewriting device 4 is transferred to the volatile RAM 22 and activated to perform the rewriting process for rewriting the data in the flash ROM 20a. The flash ROM 20a
After the operation of rewriting the contents of
Once the power supply to the RAM 22 is turned off, the rewrite control program transferred to the RAM 22 disappears. Therefore, the EC of the first embodiment
According to U2, a rewriting control program for performing a rewriting process is built in even if the CPU 18 that executes the program runs out of control after the power supply to the ECU 2 is started during the normal time of controlling the engine. Therefore, it is possible to reliably prevent the normal control program and control data stored in the flash ROM 20a from being lost or changed.

Further, in the ECU 2 and the memory rewriting system 5 of the first embodiment, the ECU 2 receives the ID from the memory rewriting device 4, and receives the ID and its own ID (ie, the ID stored in the mask ROM 20b). Is determined, and since the ID stored in the mask ROM 20b is not transmitted to the outside of the ECU 2, the ID on the ECU 2 side is decoded and the ID in the flash ROM 20a is read. The act of intentionally rewriting the control program or the like with another one can be reliably prevented.

For the same reason, for example, a program for performing a read process such as reading data in the flash ROM 20a and transmitting the read data to the outside is stored in an EC.
U2 is transferred to the RAM 22 and executed.
The act of illegally reading the stored contents of the OM 20a can also be prevented, and the confidentiality can be increased.

On the other hand, in the memory rewriting system 5 of the first embodiment, if the ECU 2 determines that the ID from the memory rewriting device 4 does not match its own ID, the ECU 2 sends an error signal to the memory rewriting device 4. Transmit and rewrite memory 4
Receives an error signal from the ECU 2 and displays an error on a display device.

Therefore, the operator needs to renew the new control program and control data prepared for rewriting.
Is not surely confirmed by the error display on the memory rewriting device 4 side. [Second Embodiment] Next, a memory rewriting system for an electronic control unit according to a second embodiment will be described. The memory rewriting system of the second embodiment differs from the memory rewriting system 5 of the first embodiment only in the processing executed on the ECU 2 side and the memory rewriting device 4 side, respectively. The configuration is exactly the same.

Therefore, in the memory rewriting system of the second embodiment, the processing executed by the microcomputer 8 of the ECU 2 and the processing executed by the microcomputer 30 of the memory rewriting device 4 will be described with reference to FIGS. Will be explained. FIG. 4 is a flowchart showing a process executed by the microcomputer 8 of the ECU 2. The same processes as those in FIG. 2 of the first embodiment are denoted by the same step numbers, and therefore detailed description is omitted. . FIG. 5 is a flowchart showing processing executed by the microcomputer 30 of the memory rewriting device 4. Since the same steps as those in FIG. 3 of the first embodiment are denoted by the same step numbers, detailed description will be made. Is omitted.

First, as shown in FIG. 4, when the microcomputer 8 of the ECU 2 determines that the rewrite mode is set in S100 immediately after the reset start, the microcomputer 8 executes the flash ROM 20 operation.
S12 without jumping to the control program in
Move to 5. Then, in this S125, the mask RO
The self-ID stored in M20b is transmitted to the memory rewriting device 4, and in S135, as described later, the signal (response signal) transmitted from the memory rewriting device 4 is a normal signal or an error signal. Is determined.

Then, in S135, the memory rewriting device 4
Is determined to be a normal signal from S1
50, S160, and S300, that is, the rewrite control program from the memory rewriting device 4 is received, transferred and stored in the RAM 22, and the rewrite control program is executed on the RAM 22 to be stored in the flash ROM 20a. A process of rewriting the control program and control data with a new control program and control data transmitted from the memory rewriting device 4 is performed.

On the other hand, if it is determined in S135 that the signal from the memory rewriting device 4 is an error signal, the processing on the ECU 2 side is terminated. In the second embodiment, the processes in S125 and S135 correspond to the determination unit and the transfer permission unit.

Next, as shown in FIG. 5, the microcomputer 30 of the memory rewriting device 4 first waits in step S405 until an ID transmitted from the ECU 2 is received. To the received E
It is determined whether or not the ID (reception ID) from the CU 2 matches the ID (built-in ID) of the ECU stored in the second RAM 36.

If it is determined that the two IDs match, the process proceeds to S417, in which the ECU 2 informs the ECU 2 that the ID of the memory rewriting device 4 and the ID of the ECU 2 match. Send a signal. Then, as described above, the microcomputer 8 on the ECU 2 side starts the processing after S150 in FIG. 4, so that the memory rewriting device 4 transmits the normal signal in S417, and then returns to the case of the first embodiment. Similarly, the processes of S420 and S430 are executed, and the rewrite control program stored in the first ROM 34 and the new control program and control data stored in the second ROM 36 are sequentially transmitted to the ECU 2. Send.

On the other hand, at S415, the ID
(Reception ID) and E stored in the second RAM 36.
If it is determined that the ID (built-in ID) of the CU does not match, the process proceeds to S445, and the ECU 2 is informed that the ID of the memory rewriting device 4 and the ID of the ECU 2 do not match. After transmitting the error signal, the processing on the memory rewriting device 4 side is terminated. Then EC
In U2, as described above, all the processes are terminated without executing the processes in and after S150 in FIG.

That is, in the memory rewriting system of the second embodiment, contrary to the memory rewriting system 5 of the first embodiment, E
The CU 2 transmits its own ID to the memory rewriting device 4 (S2).
125), the memory rewriting device 4 transmits the ID from the ECU 2
And E adapted to the new control program and control data
It is determined whether or not the ID of the CU matches (S415). If the two IDs match (S415: YES), the memory rewriting device 4
A normal signal is transmitted to U2 (S417), and thereafter, a rewrite control program, a new control program and control data are transmitted (S420, S430), and E
Only when the CU 2 receives a normal signal from the memory rewriting device 4 (S135: normal signal), the CU 2
The rewriting control program from the memory rewriting device 4 is determined to be identical to the ID of the
(S150, S160).

Then, the ECU 2 according to the second embodiment is used.
Also, according to the memory rewriting system, similarly to the first embodiment, the operator mounts the ROM 36 storing the control program and the control data that are not compatible with the ECU 2 into the IC socket 40 of the memory rewriting device 4. If the incompatible control program and control data are likely to be transmitted to the ECU 2, the ID of the memory rewriting device 4 (that is, the ID stored in advance in the second ROM 36 corresponding to the new control program or the like). ) Does not match the ID of the ECU 2 stored in the mask ROM 20b.
In No. 2, the operation does not shift to the operation of transferring the rewrite control program to the RAM 22. Therefore, it is possible to reliably prevent the control program and the control data in the flash ROM 20a from being erroneously rewritten to the control program and the control data that are not suitable for the ECU 2.

Also, similarly to the ECU 2 of the first embodiment, the ECU 2 of the second embodiment transfers the rewrite control program transmitted from the memory rewriting device 4 to the volatile RAM 22 and starts the flash control. Since the rewriting process of the ROM 20a is performed, the CPU 1 that executes a program during normal operation of controlling the engine is used.
Even if the controller 8 runs away, it is possible to reliably prevent the normal control program and control data stored in the flash ROM 20a from being lost or changed.

[Others] In the first embodiment described above,
The ID of the memory rewriting device 4 may not be stored in the second ROM 36 in advance, but may be input by an operator operating a predetermined input device.

Further, even with such a memory rewriting system, the memory rewriting device 4 sends the ECU 2
If the same ID as the ID stored in the mask ROM 20b is not transmitted, the transfer of the rewriting control program to the RAM 22 is not permitted by the ECU 2, so that the data (the control program and the control data) in the flash ROM 20a cannot be transferred. It is possible to reliably prevent the data from being easily rewritten or intentionally rewriting the data with another data.

On the other hand, the ECU 2 of each of the above-described embodiments has the flash ROM 20a as a nonvolatile memory to which data can be electrically written.
An EEPROM may be used. In the above embodiment,
The mask ROM 20b and the flash ROM 2 in the ECU 2
0a respectively, but the flash ROM
The contents (programs, IDs, etc.) of the above-described mask ROM 20b are stored in the flash ROM 20a only as 20a.
May be stored separately from the engine control program.

In the above embodiments, the ECU 2 for controlling the engine has been described. However, the scope of the present invention is not limited to this. That is, the present invention can be applied to an electronic control device that controls a control target such as a brake, a transmission, and a suspension.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an overall configuration of a memory rewriting system of an electronic control device according to a first embodiment.

FIG. 2 is a flowchart illustrating a process executed on the engine control device (ECU) side of the first embodiment.

FIG. 3 is a flowchart illustrating a process executed on the memory rewriting device side of the first embodiment.

FIG. 4 is a flowchart illustrating a process executed on an engine control device (ECU) according to a second embodiment.

FIG. 5 is a flowchart illustrating a process executed on the memory rewriting device side of the second embodiment.

[Explanation of symbols]

2 ... Engine control device (ECU) 4 ... Memory rewriting device 5 ... Memory rewriting system 6 ... Input circuit 8, 30 ... Single chip microcomputer (microcomputer) 10 ... Output circuit 18 ... CPU 20 ... ROM 20a ... Flash ROM 20b ... Mask ROM 22 RAM 24 I / O 25 Communication circuit
32 power supply circuit 34 first ROM 36 second ROM 38
40 ... IC socket 42F ... female connector 42M ... male connector 44 ...
Communication line 46 ... Power supply line 48 ... Signal line SW ... Rewrite switch L ... Mode determination signal line R ... Resistor

 ──────────────────────────────────────────────────続 き Continued on the front page (72) Inventor Takashi Ishida 1-1-1 Showa-cho, Kariya-shi, Aichi Prefecture Nippon Denso Co., Ltd.

Claims (8)

[Claims] In a normal state, a predetermined control target is controlled in accordance with a control program and control data constituted by data stored in an electrically rewritable nonvolatile memory, and receives a rewrite command from outside. In the case where the electronic control unit performs a rewriting process for rewriting data in the nonvolatile memory to new data transmitted from an external device, the electronic control device transmits the data from the external device. An identification information storage unit configured to perform the rewrite processing by transferring the rewrite control program to a volatile memory area and activating the rewrite control program, and storing identification information of the electronic control device in advance; When a rewrite command is received, communication with the external device is performed before the rewrite control program is transmitted from the external device. By performing the above, identification information that is stored in advance in association with the new data on the external device side and indicates a device that matches the new data, and that is stored in the identification information storage unit. Determining means for determining whether or not the identification information matches; and transferring the rewrite control program to the memory area only when the determination means determines that the two pieces of identification information match. An electronic control device comprising: a transfer permission unit that permits the transfer. 2. The electronic control device according to claim 1, wherein the determination unit receives identification information of the external device transmitted from the external device, and stores the received identification information and the identification information. Comparing the identification information stored in the means with the identification information stored in the external device and the identification information stored in the identification information storage means. Electronic control unit. 3. A memory rewriting device that is connected to the electronic control device according to claim 2 as the external device and that transmits the rewriting control program and the new data to the electronic control device. Data storing means for storing the new data in advance in association with identification information indicating a device conforming to the new data, and before transmitting the rewriting control program, the identification information corresponding to the new data. Is transmitted to the electronic control unit. 4. A memory rewriting system for an electronic control device, comprising: the electronic control device according to claim 2; and the memory rewriting device according to claim 3. 5. The electronic control device according to claim 1, wherein the determination unit transmits identification information stored in the identification information storage unit to the external device, and thereafter, the identification information on the external device side. Receiving from the external device a response signal indicating whether or not the transmitted identification information matches the identification information on the external device side and the identification information stored in the identification information storage means. An electronic control device, wherein the electronic control device is configured to determine whether or not the operation is performed. 6. A memory rewriting device that is connected to the electronic control device according to claim 5 as the external device and transmits the rewriting control program and the new data to the electronic control device. Data is stored in advance in association with the identification data indicating the device conforming to the new data, and the identification information from the electronic control unit is provided with identification information corresponding to the new data. It is determined whether or not they match, and when the two pieces of identification information match, the identification information on the memory rewriting device side and the identification information stored in the identification information storage means of the electronic control device are stored in the electronic control device. And transmitting the response signal indicating that the identification information matches the rewriting control program, and thereafter transmitting the rewrite control program. . 7. A memory rewriting system for an electronic control device, comprising: the electronic control device according to claim 5; and the memory rewriting device according to claim 6. 8. Normally, a predetermined control target is controlled in accordance with a control program and control data constituted by data stored in an electrically rewritable nonvolatile memory, and a rewrite command is received from the outside. In the case where the electronic control unit performs a rewriting process for rewriting data in the nonvolatile memory to new data transmitted from an external device, the electronic control device transmits the data from the external device. An identification information storage unit configured to perform the rewrite processing by transferring the rewrite control program to a volatile memory area and activating the rewrite control program, and storing identification information of the electronic control device in advance; When a rewrite command is received, the rewrite control program is transmitted from the external device before the rewrite control program is transmitted from the external device. Determining means for receiving the received identification information and determining whether the received identification information matches the identification information stored in the identification information storage means. Transfer permitting means for permitting the transfer of the rewrite control program to the memory area only when it is determined that the rewrite control program is performed.