Methods of protecting data stored in a memory arrangement of a microcomputer system are known from other systems, in particular for protecting a control program stored there against manipulation. Such a method is described, for example, in German Published Patent Application No. 197 23 332. Such methods are used, for example, to prevent unauthorized manipulation of a control program stored in a control device of a motor vehicle, or of parameters or limiting values stored for this program. The control program controls or regulates specific functions in the motor vehicle, for example an internal combustion engine, a driving dynamics regulator, a stop control system (SCS) or an electronic steering system (steer-by-wire). Manipulation of the control program may cause a defect in the unit of the motor vehicle that it controls or regulates. Therefore, manipulation of the control program or the data is to be prevented.
In spite of any risks of manipulation of the control program or the data by unauthorized persons, it may not be advisable to forbid access to the memory arrangement of the control device completely. In order to, for example, perform reprogramming of the control device, an authorized user group should be able to access the memory arrangement. Specifically, it may be necessary from time to time to store a new version of a control program or new parameters or limiting values in the control device in order to, for example, remove errors in the software or to take new legal requirements into account.
In automotive control devices, a distinction may be made between serial equipment and application equipment. Control devices are usually shipped as serial equipment after manufacturing. In serial equipment, checking mechanisms (for example, formation of a checksum) for detecting manipulation of data stored in a memory arrangement of the control device are activated. Manipulated data may be detected by these mechanisms and such data may be blocked. Such checking mechanisms are described in various exemplary embodiments in other prior systems.
In certain situations, in particular during the development and testing phase of control devices, it may be necessary to deactivate the checking mechanisms so that various data may be stored in the memory arrangement rapidly and easily. A control device including deactivated checking mechanisms may be referred to as an application device.
To be able to ensure complete test coverage of data stored in the memory arrangement, the same data, in particular the same control program, is stored in the memory arrangement of the control device in both the series case and the application case. Therefore, a control device is able to be switched from the series case to the application case without having to load other data into the memory arrangement. Switching from the application case back to the series case may not be desirable, and may even be made impossible, in order to prevent control devices whose control program has not been tested and approved by the manufacturer of the control device from being in circulation.
According to other systems, an identifier (marker) may be defined for blocking manipulated data. This marker is a storage area in a nonvolatile memory of the microcomputer system which is used to identify a block (code area or data area) as logically valid or invalid. A test pattern may be programmed in this storage area to set the marker as valid or invalid. The marker is used to store the result of the manipulation check. This may save time in a subsequent check for manipulation, because it is no longer necessary to perform a complete check of the memory arrangement, and instead only the marker need be analyzed.
The marker is set to invalid at the beginning of the reprogramming or new programming. Then the memory arrangement is reprogrammed or programmed anew, and next the new data is checked for manipulation by the checking mechanisms. If the check of the memory arrangement is in order, the marker is set to logically valid. Otherwise, the marker is not programmed and it remains logically invalid.
In powering up the microcomputer system, a check is performed to determine whether the marker has been set (logically valid). If so, the check has been conducted successfully and the data may be used entirely normally. However, if the marker has not been set (logically invalid), either the check has failed or it has been interrupted due to an interruption in power supply (power down), for example.
The marker is located in a storage area which is inaccessible from the outside and yet accessible for modification (setting to valid or invalid). These conditions are met when the marker is stored in the storage area of the memory arrangement in which the data is also stored, or in which new data is stored during a reprogramming or new programming. There is the risk that the marker might also be programmed and set to valid during the reprogramming or new programming using manipulated data, and that the control device might then be shut down after the reprogramming or new programming to prevent execution of the checking mechanisms that would otherwise follow. The next time the computer is powered up, the marker has the value valid and the newly programmed data may be used entirely normally, although it is manipulated data.
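The following is an added toy model of the marker procedure described in the preceding paragraphs; it is not code from the cited patent application or from any control device. The block layout, the "valid" test pattern, the additive checksum and the sample images are all constructed for illustration. It walks through the reprogramming sequence (marker to invalid, program data, check, marker to valid), the power-up decision that consults only the marker, the case of a power loss before the check, and, in the last function, why a marker that lies inside the area written by the programming step does not protect against the situation described in the final paragraph.

```python
# Toy model of the marker-based manipulation check. Added example; layout,
# test pattern, checksum and images are constructed, not taken from the page.

MARKER_VALID = b"\x5a\xa5\x5a\xa5"    # constructed test pattern: marker set (valid)
MARKER_INVALID = b"\xff\xff\xff\xff"  # erased flash cells: marker not set (invalid)
MARKER_OFFSET = 0                     # marker word at the start of the block
DATA_OFFSET = 4                       # data area (program + checksum) follows it
PAYLOAD_SIZE = 28                     # constructed: 28 payload bytes + 4 checksum bytes
IMAGE_SIZE = PAYLOAD_SIZE + 4


class FlashBlock:
    """One reprogrammable block holding the marker word and the data area."""

    def __init__(self):
        self.cells = bytearray(b"\xff" * (DATA_OFFSET + IMAGE_SIZE))

    def program(self, offset, data):
        # Erase and write are collapsed into one operation in this toy model.
        self.cells[offset:offset + len(data)] = data

    def marker(self):
        return bytes(self.cells[MARKER_OFFSET:MARKER_OFFSET + 4])

    def data(self):
        return bytes(self.cells[DATA_OFFSET:DATA_OFFSET + IMAGE_SIZE])


def checksum(payload):
    """Constructed checking mechanism: 32-bit additive checksum of the payload."""
    return sum(payload) & 0xFFFFFFFF


def build_image(payload):
    """Pad the payload and append its checksum, as an authorized build would."""
    payload = payload.ljust(PAYLOAD_SIZE, b"\x00")
    return payload + checksum(payload).to_bytes(4, "big")


def checking_mechanism(block):
    """Full check of the data area: recompute the checksum and compare."""
    image = block.data()
    stored = int.from_bytes(image[-4:], "big")
    return checksum(image[:-4]) == stored


def reprogram(block, image, power_down_before_check=False):
    """Reprogramming sequence from the text: invalidate the marker, program
    the data, run the check, set the marker valid only if the check passes."""
    block.program(MARKER_OFFSET, MARKER_INVALID)    # 1. marker -> invalid
    block.program(DATA_OFFSET, image)               # 2. program new data
    if power_down_before_check:                     # power loss before step 3
        return "interrupted"
    if checking_mechanism(block):                   # 3. manipulation check
        block.program(MARKER_OFFSET, MARKER_VALID)  # 4. marker -> valid
        return "valid"
    return "invalid"                                # marker stays unset


def power_up_releases_data(block):
    """Power-up: only the marker is consulted, not the whole data area."""
    return block.marker() == MARKER_VALID


def marker_inside_programmed_area():
    """Weakness from the final paragraph: if the programming step can write the
    marker word as well, an image that already carries the 'valid' pattern
    followed by an immediate power-down leaves the device releasing unchecked
    data at the next power-up. Returns (released at power-up, check result)."""
    block = FlashBlock()
    manipulated = bytearray(build_image(b"engine-map-v2"))
    manipulated[3] ^= 0x01                          # alter data; checksum now stale
    block.program(MARKER_OFFSET, MARKER_VALID + bytes(manipulated))
    # No checking mechanism runs here: the device is powered down first.
    return power_up_releases_data(block), checking_mechanism(block)


if __name__ == "__main__":
    fb = FlashBlock()
    print(reprogram(fb, build_image(b"engine-map-v1")), power_up_releases_data(fb))
    print(marker_inside_programmed_area())
```

The last function returns `(True, False)`: power-up releases the data because the marker reads valid, while a full check of the same block would have failed. This is the gap between "marker set" and "check passed" that the text identifies, and it exists whenever the marker word can be written by the same operation that programs the data.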