A plurality of electronic control units (ECUs) are normally installed in a vehicle. For example, the ECUs include an engine control unit for controlling fuel injection of an engine installed in a vehicle and a brake control unit for controlling a brake system installed therein.
Each of the ECUs is equipped with a nonvolatile memory in which a control program and control data used to control at least one target device installed in the vehicle are stored in advance. Specifically, each ECU is programmed to execute the control program based on the control data and/or signals measured by in-vehicle sensors and sent therefrom, thereby controlling the corresponding target device in accordance with the control program; these measured signals represent the operating condition of the vehicle.
Descriptions of such control program and control data associated therewith stored in the nonvolatile memory may be required to be reprogrammed with a version upgrade of the control program.
In this case, a circuit board (on which an ECU whose control program and control data associated therewith are targets for reprogramming is mounted) is retrieved from the vehicle, and thereafter, the retrieved ECU and a proper external tool are connected via a cable to be communicable therebetween. Thereafter, communications between the ECU and the external tool allow the control program and/or the control data to be reprogrammed.
However, it may take a lot of trouble and time to use the control program and data reprogramming method set forth above.
In order to solve the problem, a control unit is conventionally disclosed in Japanese Unexamined Patent Publication No. H05-195859.
Specifically, in the Publication, an external management center stores in advance VIN (Vehicle Identification Number) codes of vehicles to be managed and version information indicative of a specific version of a control program (software item) that are used to distinguish this version from other versions. When receiving a request for reprogramming at least one item in the control program and the control data, a control unit installed in a vehicle wirelessly communicates with the management center to obtain reprogramming data therefrom. Next, the control unit reprograms the at least one item stored in a rewritable region of the nonvolatile memory based on the reprogramming data. Installation of the above-structured control unit in a vehicle allows a control program and control data stored therein to be very simply updated.
If the control unit is configured such that a control program and control data stored therein are unconditionally reprogrammable, unauthorized reprogramming and/or illegal modification may be made, resulting in vehicle-performance deterioration and/or environmental damage due to vehicle emission deterioration, such as emissions of NOx (Nitrous Oxides), HC (Hydrocarbons), and CO (Carbon Monoxide) exceeding the legal emission standards.
In order to avoid such unauthorized reprogramming and/or illegal modification, the control unit disclosed in the Publication is configured to receive an identifier (identification code) identifying, as a target to be reprogrammed, at least one of the vehicles to be managed; this identifier has been sent together with the reprogramming data.
In addition, the control unit is configured to determine whether the received identification code and a code, such as a VIN code specifying the vehicle and stored therein. If it is determined that the received identification code and the specifying code coincide with each other, the control unit is configured to perform control program and data reprogramming operations based on the reprogramming data.
In the conventional control unit, the control program and data reprogramming operations can be performed on the condition that the received identification code and the specifying code coincide with each other. This allows the security level of the control unit associated with the control program and data reprogramming to be highly maintained.
Control units of this type designed to wirelessly communicate with the management center to obtain the reprogramming data are more frequently accessed from external devices than previous control units designed to communicate with an external tool via a cable to obtain the reprogramming data therefrom. The high frequency of access may cause an identification code together with unauthorized data and/or illegal modified data to coincide with a specifying code of the vehicle. The match between the identification code together with the unauthorized data and/or illegal modified data and the specifying code of the vehicle by accident or intention may cause a control program and control data to be reprogrammed based on the unauthorized data and/or illegal modified data.
Specifically, the accidental or intended match of these codes may cause vehicle-performance deterioration and/or environmental damage due to vehicle emission deterioration, such as emissions of NOx, HC, and CO exceeding the legal emission standards.