Vehicles are subjected to various types of control by an electronic control unit (hereafter referred to as “ECU”) Such control includes engine-related control for an air fuel ratio, fuel injection amount, and emission as well as body-related control for a power window, an air bag, and an ABS. The ECU provides various types of control for the vehicle based on current conditions and traveling status of the vehicle sensed by various sensors mounted on the vehicle.
On the other hand, the vehicle may include an anti-theft system. In general, the anti-theft system electronically checks if an ignition key used by a driver to start the engine is authentic. If it is determined that the key is authentic, the anti-theft system transfers a signal for permitting vehicle operation to the ECU. On the other hand, if it is determined that the ignition key is not authentic, the driver is judged to be not an authorized person and cannot operate the vehicle. Thus, until the permission signal is received, the ECU does not allow the engine to start by, for example, stopping fuel injection.
The ECU comprises a central processing unit (CPU), a ROM (Read Only Memory) that stores programs and data to be executed, a RAM (Random Access Memory) which provides a work area for execution and which stores results of computation, and an I/O interface for receiving signals from various sensors and transmitting control signals to various parts of the engine.
The ROM often includes a rewritable memory such as a flash memory, an EEPROM, or an EPROM to allow a program or data therein to be rewritten. Japanese Patent Application Laid-Open No. 63-223901 describes a method for changing a program stored in the EEPROM of the ECU in response to a request from an external device with the ECU being mounted on the vehicle.
Such a function of changing a program or data stored in a ROM of the ECU makes it necessary to protect them from access from an external device, thus preventing a user or other third parties from rewriting a program or data stored in the ROM without proper authorization. Japanese Patent Application Laid-Open No. 3-238541 describes a vehicle controller for determining that a program or data in a ROM of the ECU is tampered using a check data mechanism. According to the mechanism, check data based on data stored in the ROM are stored beforehand. After shipment of the vehicle, the ECU creates new check data based on the data stored in the ROM. The ECU then compares the new check data with the previously stored check data, determines that the data have been tampered if they are unequal and turns on the alarm light.
A key for releasing the above-mentioned security feature is known only to a manufacturer of a rewriting device under contract to the automobile manufacturer. Thus, only the rewriting device authorized by the automobile manufacturer can use the “key” and change the data stored in the ROM of the ECU of that automobile.
A typical procedure for changing a program in the ROM will be described in brief. The above-mentioned key is typically expressed by a certain function, which is provided both in the rewriting device and in the ECU. The rewriting device is connected to the ECU and then uses its own function (i.e., key) to calculate a function value for an arbitrary numerical value transmitted from the ECU. The rewriting device then transfers the function value to the ECU. At the same time, the ECU uses its own function (i.e.,key) to calculate a function value for the same numerical value. The ECU compares the function value received from the rewriting device with the function value determined by itself. If they are equal, the ECU releases the security feature. Thus, the rewriting device is permitted to rewrite data stored in the ROM. If they are unequal, then the rewriting device is judged to be not authentic because the rewriting device and the ECU have different functions (keys). Consequently, the security feature is not released and the rewriting device cannot rewrite the data stored in the ROM.
The key for releasing the security feature, however, is conventionally stored in a non-rewritable area of the ROM in the ECU, so that it is impossible to use the rewriting device to change the key after the vehicle has been shipped. Thus, if the key is accidentally divulged to a user or another third party who is not authorized, a rewriting device other than the authorized one can rewrite the key in the ROM, thereby breaking the security feature.
On the other hand, if the vehicle includes an anti-theft system and if a program used to operate the anti-theft system is rewritten, then the anti-theft system would be invalidated. Accordingly, a system for rewriting a program or data stored in the ROM requires higher security than that for the anti-theft system.