The invention relates to a system of control devices in a motor vehicle. The control devices communicate by way of one or more databuses of the motor vehicle. Furthermore, the system exhibits at least two diagnostics access points, by way of which the state of at least one of the control devices is diagnosed on the basis of a diagnostics request message; in particular, an error memory entry of a control device is requested by way of one of the diagnostics access points and is transmitted to the outside.
In modern motor vehicles the diagnostics capacity of all control devices is usually implemented and safeguarded by means of a central connecting node to the vehicle. The central connecting node is configured in the vehicle and in this way access is protected in the case of a locked vehicle. Usually the control device of one manufacturer (said control device providing not only physically the diagnostics access points but also ensuring the data integrity of the diagnostics communications and optionally also ensuring that the diagnostics communication is secure outwardly against manipulation) is compatible with the control device of a different manufacturer. If there are a plurality of physical access points, then they are implemented and secured independently of each other in accordance with the prior art.
This method of implementing a plurality of independent diagnostics access points leads correspondingly to greater complexity in the requirements imposed on the control devices as well as in the implementation. In each control device equipped with a diagnostics access point, commensurate integrity checking mechanisms and the necessary methods for protecting against and detecting any potential manipulation of the diagnostics communication have to be implemented. In addition, it may be necessary to select, as a function of the requirements, those resources in the relevant access control device that are necessary with respect to the computing power, data buffer, etc. and that exhibit the requisite capability in order to be able to fulfill the corresponding demand for performance/protection.
In the case of a wireless diagnostics communication system, in which an external attacker can introduce radio-based data packets without any physical intervention in the vehicle, so that information can be read out and possibly altered, each diagnostics packet that is transmitted by radio has to be secured against falsification. Furthermore, it must be possible to prove reliably the authenticity of the authorized external diagnostics unit and/or vehicle. Therefore, each diagnostics packet that is transmitted by radio must be checked individually for falsification and authenticity and optionally rejected. Correspondingly, it is necessary to place very strict requirements on the hardware of the control device providing the diagnostics access point. During normal operations (no diagnostics communication), that is, while the control devices carry out their intended functions while the motor vehicle is running, this hardware would not be necessary.
The object of the present invention is to make the known system of control devices in a motor vehicle with at least one diagnostics access point more cost effective.
This and other objects are achieved by a system of control devices in a motor vehicle. The control devices communicate by way of one or more databuses of the motor vehicle. The system exhibits at least two diagnostics access points, by way of which the state of at least one of the control devices is diagnosed on the basis of a diagnostics request message; in particular, an error memory entry of a control device is requested by way of one of the diagnostics access points and is transmitted to the outside. A diagnostics request message, which is fed to the system by way of the first diagnostics access point, is recognized as such by an identification and forwarding system and is transmitted to a checking system. The checking system checks at least the authenticity of the diagnostics request message and, optionally, forwards it to that control device, for which the diagnostics request message is intended.
In contrast to the decentralized security architecture of the prior art, in which each control device with a diagnostics access point has a protection system, a central protection system (or rather checking system) is provided. In addition, the invention provides that a diagnostics request message at the access point to the system of the invention is recognized as such and is forwarded (preferably directly) to the central checking system for verification purposes.
Upon successful verification, the diagnostics request messages are forwarded by the central authority to the respective destination control devices, the state of which is to be diagnosed, and processed by the control devices. The respective answer messages (or rather diagnostics messages) are also preferably fed to the central checking system.
In addition, the diagnostics messages are preferably signed and protected against falsification and/or fraud on the part of the sender before they are transmitted to the querying external diagnostics system (if expedient, they are also encrypted).
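The central checking arrangement described above, as an added example that is not part of the original text: two access points only recognise and forward diagnostics requests, while a single checking system verifies them, routes them to the destination control device and protects the answer. The text names no mechanism, so HMAC-SHA256 with a shared key stands in for the authenticity check and the signing as an assumption; the frame layout, marker byte, ECU address, key and ECU answer are hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: key shared with the authorised external tester
DIAG = 0xD1                     # hypothetical frame-type byte that marks a diagnostics request
TAG_LEN = 32                    # HMAC-SHA256 output length

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def build_request(target: int, payload: bytes, key: bytes = KEY) -> bytes:
    """What the external diagnostics unit sends: marker | target ECU | payload | tag."""
    body = struct.pack(">BB", DIAG, target) + payload
    return body + mac(key, body)

class CheckingSystem:
    """Central authority: the only component that holds the key and does crypto."""
    def __init__(self, key, ecus):
        self.key, self.ecus = key, ecus   # ecus: address -> handler(payload) -> answer bytes

    def handle(self, frame: bytes):
        if len(frame) < 2 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.key, body)):
            return None                    # falsified or unauthenticated: never reaches an ECU
        target, payload = body[1], body[2:]
        if target not in self.ecus:
            return None
        answer = bytes([target]) + self.ecus[target](payload)
        return answer + mac(self.key, answer)   # answer is protected before it leaves the vehicle

class AccessPoint:
    """Identification and forwarding only; no per-access-point integrity logic."""
    def __init__(self, name, checker):
        self.name, self.checker = name, checker

    def receive(self, frame: bytes):
        if frame[:1] != bytes([DIAG]):
            return None                    # not a diagnostics request; outside this path
        return self.checker.handle(frame)

def read_error_memory(payload: bytes) -> bytes:
    return b"DTC:P0A1F" if payload == b"\x19\x02" else b"NRC"   # constructed ECU answer

checker = CheckingSystem(KEY, {0x12: read_error_memory})
wlan, dcan = AccessPoint("WLAN", checker), AccessPoint("D-CAN", checker)
```

Both access points return the same protected answer for a valid request, and a frame with an altered payload or a tag computed under a different key is dropped by the checking system before any control device sees it.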
Preferably, the inventive diagnostics access points are at least to some extent wireless access points to the system of control devices, in particular of the type: D-CAN; WLAN; the channel and/or frequency by way of which the vehicle key and the vehicle communicate with each other in conjunction with the disarming of the immobilizer and/or the unlocking of the vehicle doors; GSM; TDMA; or a combination thereof.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.