This invention relates to an electronic control information rewriting system having nonvolatile memory with which electrical rewriting of data is possible, and particularly relates to technology for preventing the illegitimate rewriting of control information such as vehicle control programs or control data stored in the nonvolatile memory.
In electronic control units (ECUs) for controlling vehicle engines or the like, control information is stored in a nonvolatile memory with which electrical rewriting of data is possible. The control information includes programs and data and is rewritable even in the market after production.
For instance, this kind of ECU is constructed as shown in FIG. 9. A rewriting device 200 is connected to a vehicle 100 via a vehicle diagnosis connector 120. A plurality of ECUs 101, 102, 103 and 104 are mounted in the vehicle 100, and the ECUs 101 through 104 are connected by a network line 110. The rewriting device 200 performs data communication with one of the four ECUs 101 through 104 by transmitting each ECU code on the basis of a manipulation of an operator.
In this system, as shown in FIG. 10, the rewriting device 200 selects the ECU 101, for instance, on which rewriting of control information is to be carried out, and transmits a rewriting request (b1). The selection of the ECU 101 is carried out by transmitting an ECU code. This ECU code is inputted to the rewriting device 200 by an operator. When this is done, the selected ECU 101 generates a random number r (b2), and transmits this random number r to the rewriting device 200 (b3).
A function f is pre-stored in the rewriting device 200, and it calculates a function value f(r) with respect to the transmitted random number r (b4). Then, it transmits this calculated function f(r) (b5). In the ECU 101, on the other hand, a function F is pre-stored, and a function value F(f(r)) is calculated with respect to the transmitted function value f(r) (b6). Then, if the calculated F(f(r)) corresponds to the random number r, that is if f=F−1, it transmits a permission signal permitting rewriting (b7).
The above processing is for the ECU 101 to determine that the rewriting device 200 is legitimate when the rewriting device 200 has the inverse function f of the function F stored by the ECU 101.
The rewriting device 200, when receiving the permission signal transmitted from the ECU 101 (b8), transmits modification data. The ECU 101 carries out rewriting of control information on the basis of this modification data (b10). When the rewriting of control information completes normally, the ECU reports normal completion (b11), and the rewriting device receives the report (b12) and one chain of rewriting processing ends.
In the above rewriting processing by communication processing (b1 through b7) using the function f, which is information inside the rewriting device 200, each ECU determines the legitimacy of the rewriting device 200. As a result, when the rewriting device 200 itself is stolen or information inside the rewriting device 200 is stolen, illegitimate rewriting of control information cannot be prevented. In particular, because the rewriting device 200 is provided, for instance, at a work site such as a car dealer, the possibility of the above theft is relatively high.