1. Field of the Invention
The present invention relates to a technique for rewriting nonvolatile memories in an electronic control apparatus for a vehicle such as a motor vehicle, and more particularly to the prevention of illegal rewriting thereof.
2. Description of the Related Art
Techniques for determination of illegal rewriting by using preset data (e.g., a keyword, a passcode, etc.) have been proposed as means for preventing the illegal rewriting of nonvolatile memories in an electronic control apparatus for a vehicle (hereinafter simply referred to as an ECU) in, for instance, Japanese Patent Application Laid-Open No. Hei 9-180486, Japanese Patent Application Laid-Open No. Hei 11-175331, etc.
According to an embodiment described in Japanese Patent Application Laid-Open No. Hei 9-180486, an arbitrary keyword indicative of rewriting the contents of a nonvolatile memory after a predetermined time has elapsed is registered in advance in a program in the ECU. For instance, in cases where the data in a ROM is desired to be rewritten after an internal combustion engine has been run for the predetermined time, the rewriting is executed when this keyword is input to the ECU from external equipment. A plurality of such keywords are provided according to the operating conditions of the engine.
In addition, according to an embodiment described in Japanese Patent Application Laid-Open No. Hei 11-175331, when an ECU receives a passcode sent from external equipment, it is determined whether the passcode thus received is in agreement with a passcode stored in advance in a ROM in the ECU. If there is agreement between them, the execution of rewriting the ROM is permitted.
Since the conventional ECUs are constructed as mentioned above, there has been a problem that once the data (keyword or passcode) stored in advance in the ECUs is leaked, it is impossible to prevent illegal rewriting of the ECUs.
In particular, in cases where a function of rewriting a ROM is given to a lot of mass-produced ECUs, once a keyword or a passcode is leaked, it becomes impossible to prevent illegal rewriting of such mass-produced ECUs having the same keyword or passcode. On the other hand, if mutually different keywords or passcodes are set to the mass-produced individual ECUs, respectively, it is necessary for external equipment to grasp or store all the keywords or passcodes for the related ECUs, but it is substantially impractical to grasp or store all the keywords or passcodes for mass-produced individual ECUs.
Accordingly, the object of the present invention is to provide an electronic control apparatus for a vehicle which is capable of preventing the leakage of a keyword or passcode in a reliable manner as well as making a determination as to whether the execution of rewriting is permitted or not, while eliminating the necessity of grasping such a keyword or passcode on the part of external equipment requesting the rewriting.
Bearing the above object in mind, the present invention resides in an electronic control apparatus for a vehicle which includes: a nonvolatile memory for storing control programs and control data for controlling the vehicle; a rewriting part for rewriting the contents of the nonvolatile memory in accordance with a request from the outside; and a rewrite execution permission/refusal determination part for creating a passcode which is uniquely defined in accordance with a prescribed rule from identification data which is decided upon receipt of a rewrite request, and for making a rewrite execution permission/refusal determination based on the result of collation between that passcode and a passcode which has been created similarly by external equipment from the identification data sent to the external equipment and which has been returned therefrom. According to the above arrangement, identification data and a passcode which are different for each rewrite execution request can be created, like random numbers, so that it is possible to maintain high security against illegal rewriting as an electronic control apparatus for use with a vehicle, in particular a motor vehicle. In addition, it becomes unnecessary for the external equipment, which performs rewriting of the contents of electronic control apparatuses, to grasp all the passcodes for the individual electronic control apparatuses to be rewritten.
In a preferred form of the invention, the electronic control apparatus further includes a timing element for controlling the vehicle. The identification data decided upon receipt of the rewrite request is created by utilizing the timing element.
In another preferred form of the invention, the electronic control apparatus further includes a rewrite execution permission/refusal determination memory for recording identification data response histories. The rewrite execution permission/refusal determination part omits the creation of a passcode for which a corresponding identification data response history has been already stored, or the rewrite execution permission/refusal determination part deletes the record of an identification data response history for which the collation of a corresponding passcode results in disagreement.
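The exchange of identification data and passcode described above can be sketched as follows. This is an added example, not code from the patent: the prescribed rule is assumed to be a truncated HMAC-SHA256 under a constructed key, the names `Ecu`, `derive_passcode` and `run_exchange` are hypothetical, and the history check follows one reading of the response-history form (identification data already answered gets no new passcode).

```python
import hashlib
import hmac

# Constructed demo secret standing in for the rule shared by ECU and external equipment.
RULE_KEY = b"constructed-demo-key"


def derive_passcode(identification: bytes, key: bytes = RULE_KEY) -> bytes:
    """Prescribed rule (assumption: HMAC-SHA256 truncated to 8 bytes)."""
    return hmac.new(key, identification, hashlib.sha256).digest()[:8]


class Ecu:
    def __init__(self, timer_ticks: int):
        self.timer_ticks = timer_ticks  # free-running control timer (timing element)
        self.history = set()            # identification data already sent out
        self.expected = None            # passcode awaiting collation

    def on_rewrite_request(self):
        """Decide identification data from the timer; return it for the tool."""
        ident = (self.timer_ticks & 0xFFFFFFFF).to_bytes(4, "big")
        if ident in self.history:
            self.expected = None        # history hit: passcode creation is omitted
            return None
        self.history.add(ident)
        self.expected = derive_passcode(ident)
        return ident

    def on_passcode(self, returned: bytes) -> bool:
        """Collate the returned passcode; each passcode is accepted at most once."""
        expected, self.expected = self.expected, None
        return expected is not None and hmac.compare_digest(expected, returned)


def run_exchange(ecu: Ecu, tool_key: bytes) -> bool:
    """One rewrite request: ECU sends identification data, tool returns a passcode."""
    ident = ecu.on_rewrite_request()
    if ident is None:
        return False
    return ecu.on_passcode(derive_passcode(ident, tool_key))
```

A timer value is only as unpredictable as the moment of the request, so the comparison is done in constant time and a pending passcode is cleared after a single collation.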