The invention relates to a method and an apparatus for connecting a diagnostic unit to a controller in a motor vehicle. The invention relates particularly to the connection of a diagnostic unit to a controller in the form of a network connection.
Motor vehicles today contain a multiplicity of controllers that are connected to one another via data buses. The data buses provided may be networkable buses, in particular, such as a controller area network (CAN) bus or a bus based on the Ethernet or IP standard.
For the purpose of analysis and diagnosis for the controllers and other electronic components of a motor vehicle it is possible for recordings of the data transmitted via the respective associated bus to be made in the form of what is known as a data logging, for example. The data can then be evaluated directly by the vehicle manufacturer, in a service organization or in a repair workshop, for example. To this end, data packets sent via the respective data bus are read by a reader connected thereto and recorded. In this case, the bus data that are read can be stored or mirrored particularly in suitable memories on a local data logger or a central, peripheral, or mobile computer temporarily or permanently, and in part or in full. In the text that follows, the term diagnosis data covers all data sent on buses from controllers or from the diagnostic unit and hence also data that are not produced explicitly for diagnostic purposes, but rather are interchanged among the controllers during normal operation of the vehicle too, for example.
With regard to the reading of bus data, a vehicle diagnostic system having an appropriate standardized plug connection has been standardized under the name on-board diagnosis (OBD). This interface can be used not only to transmit data from the respective buses to a diagnostic unit but also to send data from the outside to the data buses of the vehicle. By way of example, DE 10 2009 027 673 A1 describes the use of an interface connector based on the OBD standard.
In the event of full reading or logging of bus data from a vehicle, a very large volume of data can arise, for example if full operating data are regularly requested by a multiplicity of controllers that are involved in the course of vehicle operation. In addition, particularly when operating data are transmitted from Ethernet buses to a diagnostic unit, the problem can arise that data packets from the Ethernet bus enter a further Ethernet or IP network to which the diagnostic unit or a vehicle-based controller is additionally connected. By way of example, this may be a company network like an intranet for the repair workshop, the service provider or the vehicle manufacturer, or else an Internet connection that exists in the vehicle. When Ethernet data packets enter such a network, this can result in disruption or even collapse of the further Ethernet network, e.g. on account of the large flood of data or on account of colliding data packet conventions or contents when bus data are read for diagnostic purposes.
It is an object of the invention to prevent data packets of the diagnosis data from unintentionally entering a further network to which the controller or the diagnostic unit is connected when transferring diagnosis data from a vehicle controller situated in a motor vehicle to a diagnostic unit.
This and other objects are achieved in accordance with embodiments of the invention.
According to the invention, for the purpose of connecting a diagnostic unit to a vehicle controller in a motor vehicle via a network connection there is provision for a connection setup between the diagnostic unit and the vehicle controller to prompt performance of a check to determine whether the diagnostic unit is directly connected to the vehicle controller and for the diagnostic unit to be provided with diagnosis data from the vehicle controller only when the connection has been made directly.
The effect that can be achieved by the invention is that, from the point of view of the motor vehicle, it is established whether the vehicle is connected to the diagnostic unit directly or indirectly, for example via one or more other network components. The invention is based firstly on the insight that a check to determine whether a direct or indirect connection of this kind is made is possible with a feasible amount of effort. Secondly, it has been identified that the effort is justified by the advantage that another network, to which the diagnostic unit and/or the vehicle controller is additionally connected, for example, does not have its operation disrupted by the transmission of diagnosis data between vehicle controller and diagnostic unit in large quantity and with possibly disruptive data packets. The invention can also prevent erroneous or improper actuation of the vehicle controller for the output of diagnosis data while the vehicle or vehicle controller is connected to another network. This also allows the prevention of damage occurring on such other network as a result of unauthorized loading of diagnosis data.
The invention can also achieve the effect that the vehicle controller is not connected to a further network or networkable unit situated outside the vehicle via the same network connection. The invention can be used particularly advantageously if the network connection is an Ethernet connection, a wireless local area network (WLAN) connection or another wireless connection that is used to transmit Ethernet packets.
A direct connection or network connection between vehicle controller and diagnostic unit within the context of the invention can be distinguished by one or more of the following properties, for example:
- the connection is not made by way of another network;
- the network connection contains only a prescribed configuration of coupling elements (switches), for example:
  a) only a prescribed number or maximum number n of switches (n ≥ 0),
  b) only registered switches,
  c) only switches that forward only prescribed switching commands, for example only prescribed bridge protocol data units (BPDUs), if the network is an Ethernet network, and do not forward other switching commands, and/or
  d) only switches that have a particular configuration, e.g. for virtual local area networks (VLANs), port forwarding or other switch mechanisms;
- the network connection contains only subscribers having prescribed Internet Protocol (IP) addresses and/or media access control (MAC) addresses. As soon as subscribers having other IP or MAC addresses send data via the network connection, the connection or network connection is no longer deemed to be direct.
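The properties above can be evaluated mechanically from the traffic observed on the network connection. The following Python is an added example and not part of the patent text: it classifies an observed set of frames as "direct" or "not direct" against criteria a) and b) (switch count and registered switches) and the subscriber-address criterion. The frame model, the policy fields, the sample MAC/IP addresses and the sample traffic are all constructed assumptions.

```python
# Added example, not part of the patent text: classify an observed network
# path as "direct" or not using the criteria listed above. The frame model,
# the policy fields and the sample traffic below are constructed assumptions.
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    """One observed frame on the diagnostic network connection."""
    src_mac: str
    src_ip: Optional[str] = None          # None for pure layer-2 frames such as BPDUs
    bpdu_bridge_id: Optional[str] = None  # set when the frame is a BPDU emitted by a switch


@dataclass(frozen=True)
class DirectnessPolicy:
    max_switches: int              # criterion a): at most n switches (n >= 0)
    registered_switches: frozenset  # criterion b): bridge IDs that are registered
    allowed_macs: frozenset         # subscribers permitted on the connection (MAC)
    allowed_ips: frozenset          # subscribers permitted on the connection (IP)


def check_direct(frames, policy):
    """Return (is_direct, reasons); reasons is empty exactly when the path is direct."""
    reasons = []
    seen_switches = {f.bpdu_bridge_id for f in frames if f.bpdu_bridge_id}
    if len(seen_switches) > policy.max_switches:
        reasons.append(f"{len(seen_switches)} switches seen, at most {policy.max_switches} allowed")
    unregistered = seen_switches - policy.registered_switches
    if unregistered:
        reasons.append("unregistered switches: " + ", ".join(sorted(unregistered)))
    for f in frames:
        if f.bpdu_bridge_id:
            continue  # switch-originated frames were judged by the switch criteria above
        if f.src_mac not in policy.allowed_macs:
            reasons.append(f"foreign MAC {f.src_mac}")
        if f.src_ip is not None and f.src_ip not in policy.allowed_ips:
            reasons.append(f"foreign IP {f.src_ip}")
    return (not reasons, reasons)


# Constructed sample: controller (...:01), diagnostic unit (...:02), one registered switch.
POLICY = DirectnessPolicy(
    max_switches=1,
    registered_switches=frozenset({"switch-A"}),
    allowed_macs=frozenset({"02:00:00:00:00:01", "02:00:00:00:00:02"}),
    allowed_ips=frozenset({"192.0.2.10", "192.0.2.20"}),
)
DIRECT_SAMPLE = [
    Frame("02:00:00:00:00:01", "192.0.2.10"),
    Frame("02:00:00:00:00:02", "192.0.2.20"),
    Frame("02:00:00:00:00:aa", bpdu_bridge_id="switch-A"),
]
# Same traffic once a second, unregistered switch and a foreign host appear on the segment.
INDIRECT_SAMPLE = DIRECT_SAMPLE + [
    Frame("02:00:00:00:00:bb", bpdu_bridge_id="switch-B"),
    Frame("02:00:00:00:00:99", "10.0.0.5"),
]

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT_SAMPLE), ("indirect", INDIRECT_SAMPLE)):
        ok, reasons = check_direct(sample, POLICY)
        print(name, "->", "direct" if ok else "not direct", reasons)
```

Every violated criterion is reported rather than only the first, which is what a controller needs in order to log why it withheld diagnosis data; the second sample trips the switch count, the registration check and both address checks at once.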
A direct connection between vehicle controller and diagnostic unit can be set up particularly by way of an access unit connected between the vehicle controller and the diagnostic unit, in the case of which the access unit has a switching device that sets up a point-to-point connection between vehicle controller and diagnostic unit such that only prescribed but no further network components engage in the communication on the network connection.
In a first preferred exemplary embodiment of the invention, the vehicle controller outputs diagnosis data to the diagnostic unit only when the connection has been made directly. In a second preferred exemplary embodiment of the invention, the diagnostic unit and the vehicle controller have an access unit connected between them, said access unit nevertheless being able to be used to set up a direct connection between diagnostic unit and vehicle controller within the context of the invention. In this exemplary embodiment, the vehicle controller outputs diagnosis data to the access unit. However, the access unit forwards the diagnosis data to the diagnostic unit only if the connection between the latter and the vehicle controller has been made directly, within the context of the invention. On the other hand, the connection is not deemed to be direct and the access unit does not forward the diagnosis data to the diagnostic unit if the access unit is connected via the network connection to at least one network component that is independent of the diagnostic unit and/or that is not authorized, particularly to a multiplicity of network components that are independent of the diagnostic unit. The network components may particularly be switches and/or components that are addressable using a network address, for example ports, routers or servers or other components of a computer network.
By way of example, the diagnostic unit may be a personal computer, a laptop or a data logger that sets up the connection to a diagnostic computer and/or stores the diagnosis data in a dedicated memory. In the diagnostic unit, the transmitted and possibly stored diagnosis data can be processed using appropriate computer programs, in particular can be displayed, can be analyzed and/or data derived therefrom can be produced.
The invention particularly provides checking or verification mechanisms that can be used to ensure that there is a direct connection between vehicle controller and diagnostic unit. The checking or verification mechanisms can include measures in one or more layers of a network connection, for example in the physical layer, the data link layer or the network layer according to the Open Systems Interconnection (OSI) reference model.
According to a first checking or verification mechanism, the starting point for which is the physical layer of the network connection, at least one characteristic of the physical layer, particularly the transmission rate, between the network interfaces of the diagnostic unit, the vehicle controller and/or the access unit (if present) is changed over to prescribed values in a prescribed temporal sequence. Full communication between vehicle controller and diagnostic unit is enabled only when the vehicle controller and/or the access unit (if present) receives the prescribed sequence. In this case, the diagnostic unit and/or the access unit (if present) changes over the data transmission rate between the respective network interfaces to prescribed values in a prescribed temporal sequence in the course of connection setup. The vehicle controller and/or the access unit (if present) enables full communication with the diagnostic unit only when it receives the prescribed sequence and can validate it in accordance with its stored check parameters.
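The physical-layer mechanism works because a link-speed change is a property of the single segment between two interfaces: an interposed switch terminates that segment, so the controller's own link never sees the changes the diagnostic unit makes. The following Python is an added example and not part of the patent text; it shows the controller side, which records link-speed events from its PHY and enables full communication only once the trailing events reproduce the stored sequence with each dwell time within tolerance. The prescribed sequence, the dwell times, the tolerance, the class and function names and the sample event traces are constructed assumptions.

```python
# Added example, not part of the patent text: a vehicle controller validates the
# prescribed link-speed sequence of the first verification mechanism. The
# sequence, dwell times, tolerance and the sample PHY events are constructed
# assumptions; a real implementation would obtain the events from the PHY driver.

# (link speed in Mbit/s, seconds the diagnostic unit is expected to hold that speed)
EXPECTED_SEQUENCE = [(100, 0.5), (10, 1.0), (100, 0.5)]
DWELL_TOLERANCE_S = 0.2


def validate_speed_sequence(events, expected=EXPECTED_SEQUENCE, tolerance=DWELL_TOLERANCE_S):
    """events: chronological (t_seconds, speed_mbps) link-speed changes seen on the PHY.
    Returns True when the last len(expected)+1 events reproduce the prescribed speeds in
    order and every dwell time lies within tolerance of the stored check parameter."""
    n = len(expected)
    if len(events) < n + 1:
        return False  # the sequence cannot have completed yet
    window = events[-(n + 1):]
    for i, (speed, dwell) in enumerate(expected):
        t_start, observed_speed = window[i]
        t_end = window[i + 1][0]  # next change marks the end of this dwell
        if observed_speed != speed or abs((t_end - t_start) - dwell) > tolerance:
            return False
    return True


class VehicleControllerPhyGate:
    """Collects link-speed events and enables full communication once the sequence is seen."""

    def __init__(self):
        self.events = []
        self.full_communication = False

    def on_link_speed_change(self, t_seconds, speed_mbps):
        self.events.append((t_seconds, speed_mbps))
        if validate_speed_sequence(self.events):
            self.full_communication = True
        return self.full_communication


# Constructed PHY event traces as the controller would observe them.
VALID_TRACE = [(0.0, 1000), (2.0, 100), (2.5, 10), (3.5, 100), (4.0, 1000)]
WRONG_TIMING_TRACE = [(0.0, 1000), (2.0, 100), (2.5, 10), (2.7, 100), (3.0, 1000)]
# Behind a switch the controller's own link never renegotiates, so only link-up is seen.
SWITCHED_TRACE = [(0.0, 1000)]


def run_trace(trace):
    """Replay a trace into a fresh gate and return whether full communication was enabled."""
    gate = VehicleControllerPhyGate()
    for t, speed in trace:
        gate.on_link_speed_change(t, speed)
    return gate.full_communication


if __name__ == "__main__":
    for name, trace in (("valid", VALID_TRACE), ("wrong timing", WRONG_TIMING_TRACE),
                        ("switched", SWITCHED_TRACE)):
        print(name, "->", "full communication" if run_trace(trace) else "restricted")
```

The dwell-time tolerance matters: without it, ordinary autonegotiation jitter would reject a genuine diagnostic unit, while too wide a tolerance weakens the check; the stored check parameters on the controller set that trade-off.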
According to a second checking or verification mechanism, the starting point for which is a higher-level layer of the network connection, for example the data link layer (layer 2, Ethernet) or the network layer (layer 3, IP), verification additionally involves communication data being interchanged between the diagnostic unit and the vehicle controller with prescribed contents and/or according to prescribed communication rules. By way of example, provision may be made for prescribed BPDU data packet contents and/or data packets having prescribed network addresses, particularly having multicast addresses, to be interchanged.
The contents or communication rules can be designed such that they are normally not forwarded by network switches, i.e. they arrive at the respective destination unit only when the connection between diagnostic unit and vehicle controller exists directly without the interposition of network switches, particularly of regular network switches. By way of example, the access unit then sends diagnosis data to the diagnostic unit via the network connection only if it has previously received a BPDU data packet that has been transmitted by the diagnostic unit and that, according to its type, is not forwarded by the network switches.
The contents or communication rules can also be designed such that the vehicle controller terminates output of diagnosis data immediately if it receives, via the network connection, data packets that, on the basis of their content or on the basis of the form of communication, come from interposed network switches, i.e. they have not been transmitted to the vehicle controller directly by the diagnostic unit.
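The layer-2 mechanism of the two preceding paragraphs can be written as a small gate in the access unit (or in the vehicle controller itself). The following Python is an added example and not part of the patent text. It relies on one standard fact: Spanning Tree BPDUs are sent to the reserved bridge-group address 01:80:C2:00:00:00, which 802.1D bridges consume rather than forward, so receiving such a frame proves a direct segment to its sender, and receiving one from any other bridge proves a switch sits on the path. The frame model, the class and function names and the sample traffic are constructed assumptions.

```python
# Added example, not part of the patent text: an access unit applies the
# second (layer-2) verification mechanism. It forwards diagnosis data only
# after a non-forwardable BPDU has arrived from the diagnostic unit and stops
# as soon as a BPDU from any other bridge appears on the segment.
# The frame model and the sample traffic are constructed assumptions.

# Reserved bridge-group address used by Spanning Tree BPDUs; bridges do not
# forward frames sent to it, so receiving one proves a direct link to its sender.
STP_BRIDGE_GROUP_ADDR = "01:80:c2:00:00:00"


class AccessUnitGate:
    def __init__(self, diagnostic_unit_mac):
        self.diagnostic_unit_mac = diagnostic_unit_mac
        self.forwarding = False
        self.events = []  # human-readable audit trail of gate decisions

    def on_frame(self, frame):
        """frame: dict with 'src', 'dst', 'kind' ('bpdu' or 'data'). Returns the new state."""
        if frame["kind"] == "bpdu" and frame["dst"] == STP_BRIDGE_GROUP_ADDR:
            if frame["src"] == self.diagnostic_unit_mac:
                self.forwarding = True
                self.events.append("direct link to diagnostic unit verified")
            else:
                # A BPDU from another bridge can only come from an interposed switch.
                self.forwarding = False
                self.events.append(f"switch {frame['src']} detected, output terminated")
        return self.forwarding

    def deliver(self, diagnosis_record):
        """Called for each record from the vehicle controller; None means it is withheld."""
        return diagnosis_record if self.forwarding else None


DIAG_MAC = "02:00:00:00:00:02"
# Constructed traffic: a data request before verification, the diagnostic unit's own
# BPDU, then a BPDU from an unknown bridge that has appeared on the segment.
SAMPLE_FRAMES = [
    {"src": DIAG_MAC, "dst": "02:00:00:00:00:01", "kind": "data"},
    {"src": DIAG_MAC, "dst": STP_BRIDGE_GROUP_ADDR, "kind": "bpdu"},
    {"src": "02:00:00:00:00:bb", "dst": STP_BRIDGE_GROUP_ADDR, "kind": "bpdu"},
]


def replay(frames, diag_mac=DIAG_MAC):
    """Feed frames through a fresh gate and return the forwarding state after each one."""
    gate = AccessUnitGate(diag_mac)
    return [gate.on_frame(f) for f in frames]


if __name__ == "__main__":
    gate = AccessUnitGate(DIAG_MAC)
    for f in SAMPLE_FRAMES:
        state = gate.on_frame(f)
        print(f["kind"], "from", f["src"], "->", "forwarding" if state else "held",
              "|", gate.deliver("record"))
    print(gate.events)
```

The gate is deliberately fail-closed: it starts withheld, a foreign BPDU returns it to withheld, and only a fresh BPDU from the diagnostic unit reopens it, so a switch inserted mid-session cuts the data flow rather than silently receiving it.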
In addition to the check to determine whether there is a direct network connection, a cryptographic authorization check can take place before and/or during the transmission of the diagnosis data. To this end, vehicle controller and diagnostic unit can each have an encryption and decryption routine (cryptography routine) that is used to encrypt and decrypt data transmitted via the network connection, and/or other authentication mechanisms, for example a signature-based mechanism, a challenge/response method or a method based on the IEEE 802.1X standard for authenticating units in a network.
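The directness check establishes that nothing else is on the wire; it does not establish who the diagnostic unit is, which is why the page adds a cryptographic authorization step. The following Python is an added example and not part of the patent text: a shared-key challenge/response in which the vehicle controller issues a single-use nonce and the diagnostic unit answers with an HMAC over the session identifier and nonce. The key, the session identifiers, the nonce length and the class and function names are constructed assumptions; it uses only the standard-library hmac, hashlib and secrets modules.

```python
# Added example, not part of the patent text: challenge/response authorization
# between vehicle controller and diagnostic unit using a pre-shared key and HMAC.
# The key, session identifiers and names are constructed assumptions.
import hashlib
import hmac
import secrets

SHARED_KEY = b"example-pre-shared-key-not-for-production"  # constructed sample key


def diagnostic_unit_respond(key, session_id, nonce):
    """Diagnostic unit side: prove key possession by keying the controller's challenge."""
    return hmac.new(key, session_id.encode() + nonce, hashlib.sha256).digest()


class ControllerAuthenticator:
    """Vehicle controller side: issues single-use nonces and verifies the responses."""

    def __init__(self, key, nonce_len=16):
        self.key = key
        self.nonce_len = nonce_len
        self.pending = {}  # session_id -> outstanding nonce

    def challenge(self, session_id, nonce=None):
        # nonce parameter exists only so tests can run deterministically
        if nonce is None:
            nonce = secrets.token_bytes(self.nonce_len)
        self.pending[session_id] = nonce
        return nonce

    def verify(self, session_id, response):
        nonce = self.pending.pop(session_id, None)  # consume: a nonce is valid once
        if nonce is None:
            return False
        expected = hmac.new(self.key, session_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def may_output_diagnosis_data(connection_is_direct, authenticated):
    """Both conditions must hold before the controller releases diagnosis data."""
    return bool(connection_is_direct and authenticated)


if __name__ == "__main__":
    auth = ControllerAuthenticator(SHARED_KEY)
    nonce = auth.challenge("session-1")
    response = diagnostic_unit_respond(SHARED_KEY, "session-1", nonce)
    ok = auth.verify("session-1", response)
    print("authenticated:", ok, "| replay accepted:", auth.verify("session-1", response))
    print("release data:", may_output_diagnosis_data(True, ok))
```

Binding the session identifier into the MAC input keeps a response valid only for the session it was issued in, and popping the nonce on first use rejects replays of a captured response; hmac.compare_digest avoids leaking the comparison result through timing.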
In one advantageous embodiment of the invention, the diagnostic unit or a connecting device connected between the diagnostic unit and the vehicle controller has a first network port for the connection between diagnostic unit and vehicle controller and a second network port of the same network type for the connection to further network units. The network type may be Ethernet, for example. However, the network ports may be of various type, e.g. the first network port may be wired and the second wireless and particularly a WLAN port. In this case, the second network port is at least temporarily physically or functionally isolated from the first network port such that while there is a communication connection between diagnostic unit and vehicle controller via the first network port, it is not possible for the diagnostic unit and/or the vehicle controller to simultaneously communicate via the second network port. The temporary physical or functional isolation may be of switchable design. Further network units that may be provided are particularly routers, servers, clients, switches, etc., from a larger network, for example a company network.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of one or more preferred embodiments when considered in conjunction with the accompanying drawings.