This application claims the priority of German patent document 102 13 165.1, filed Mar. 23, 2002, the disclosure of which is expressly incorporated by reference herein.
The invention relates to a method and apparatus for entering program data (software download) into a control unit in a motor vehicle, where safe running of the vehicle must be ensured.
The acceptance of program data by a control unit is also called “flashing”. Flashing in control units affords the particular advantage that faulty control units need not necessarily be replaced. By providing control units which can accept new software or data through flashing, the opportunity has been provided to repair faulty control units by means of a software update or to implement new functionalities in a control unit without needing to replace it.
By introducing flash capability for control units, however, problems arise regarding the safety of the program data accepted by the control unit and regarding the safety of the program data acceptance process itself. The first safety problem is how to prevent an unauthorized party from putting a manipulated piece of software into a control unit and thus inflicting a loss on the vehicle user. For the safety of the program data acceptance process, there is the question of what state a control unit needs to be in to accept a flash operation. For example, a control unit cannot permit a flash operation in all circumstances while the vehicle is running, depending on its functionality.
A flash process can produce errors which can have various consequences, depending on the functionality of a control unit. If flashing results in the loss of a particular functionality of a control unit, in the worst case such loss can affect the safety of the occupants. When flashing software into vehicle control units using a communication link or a data storage medium, it is therefore necessary to ensure that flashing does not result in any risk.
German patent document DE 100 08 974 A1 discloses a method for ensuring the data integrity of software for a control unit in a motor vehicle, in which program data are provided with a signature that is checked for authenticity in the control unit before the data are accepted. The method merely ensures that no data are programmed into the control unit by unauthorized parties. It is concerned with the question of safety of the software itself.
German patent document DE 199 21 845 A1 discloses a method for entering program data into a control unit in a motor vehicle, in which a diagnostic test apparatus asks the control unit what program version the control unit contains and, if appropriate, replaces the program version with a new version. The method ensures that only suitable program data are programmed into the control unit.
The restrictions below are drawbacks of the methods for accepting data in a control unit, based on the prior art:
- During flashing, a safe vehicle state is not automatically ensured. The methods are therefore not suitable for flashing program data outside a workshop, particularly while the vehicle is running.
- The methods do not guarantee that the operability of the flashed control unit will be maintained.
- No explanation is given regarding what operating state a control unit or the vehicle needs to be in for performing the flash operation. There is no allowance for a control unit having to reject a flash process if it is in a state in which execution of the flash process could threaten the safety of the driver or of the vehicle.
- There is no automatic differentiation of the control units in terms of their relevance to safety, and the same levels of complexity arise for flashing all control units. Since control units which are not critical to safety are treated with the same level of complexity as control units which are critical to safety, avoidable costs arise.
One object of the invention is to provide a method and apparatus for entering program data into a control unit in a motor vehicle, which avoids the drawbacks of the prior art and, in particular, automatically ensures safe running of the motor vehicle.
This and other objects and advantages are achieved by the method and apparatus according to the invention, in which the control units themselves can check the existence of the conditions required to ensure the functionality thereof when accepting program data. These conditions are referred to hereinafter as program data acceptance conditions. These program data acceptance conditions are prescribed by assigning the various control units into safety classes, based on the operating state of the control unit or of the vehicle in which a flash operation needs to be performed. Assignment of a control unit to one of these safety classes describes precisely the operating states in which a control unit can permit a flash process, and those in which the control unit must reject a flash process.
This arrangement gives the checks which need to be carried out by the control unit before a flash process. If the control unit has been notified that a flash process is required (that is, a program data acceptance request has been sent to the control unit), it must take its safety class as a basis for checking whether it is in a state in which it can or cannot permit a flash process. On the basis of this decision, either the control unit then changes to a program data acceptance state (the “flash” state) in order to be able to perform the flash process, or it responds to the flash request with an error message. When the control unit changes to its program data acceptance state, the program data are transmitted to the control unit from a data transfer point providing the program data, and the control unit accepts the program data.
Before a software download is performed, the control unit checks the existence of the program data acceptance conditions prescribed by the control unit's safety classification. Preferably, the sender of the program data (that is, a data transfer point) also checks the existence of program data acceptance conditions prescribed for the control unit in question. In this case, the program data acceptance conditions which are to be checked by the control unit and by the data transfer point preferably match. It is then preferably possible to establish which program data acceptance conditions need to exist by requesting the control unit's safety classification. By way of example, the control unit's safety classification can be stored in the control unit.
In one preferred embodiment of the inventive method, the control unit requests the result of the check from the program transfer point. This request can also replace at least some of the check to determine whether the program data acceptance conditions existing for the control unit exist. This advantageously results in a potential saving when technically equipping the control unit.
If one or more requirements placed on the program data acceptance conditions corresponding to the safety classification do not match the current situation, then the software download can be rejected by the control unit and/or the software is not provided by the data transfer point. If the prescribed program data acceptance conditions do not exist, the program data to be accepted can be buffer-stored by the data transfer point until the right situation has actively been produced by the control unit and/or has arisen. The software download can then be carried out.
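The request, check, flash-state and buffer-store behaviour described in the preceding paragraphs, as an added illustration that is not part of the patent text: the three safety classes, the condition names and the encoding of the vehicle state are assumptions chosen for this model, since the patent prescribes no concrete tiers.

```python
from dataclasses import dataclass
from enum import Enum

@dataclass(frozen=True)
class VehicleState:
    """Snapshot of the influencing factors (assumed encoding, not the patent's)."""
    running: bool           # vehicle is currently running
    air_interface: bool     # flash path is a radio link rather than a wired tester
    backup_available: bool  # old program data can be restored if the flash fails

class SafetyClass(Enum):
    """Hypothetical three-tier classification stored in each control unit."""
    NON_CRITICAL = 0
    CRITICAL = 1
    SAFETY_RELEVANT = 2

# Program data acceptance conditions per class, as predicates on the vehicle state.
# The control unit and the data transfer point evaluate this same table.
ACCEPTANCE_CONDITIONS = {
    SafetyClass.NON_CRITICAL: {},
    SafetyClass.CRITICAL: {"vehicle stopped": lambda s: not s.running},
    SafetyClass.SAFETY_RELEVANT: {
        "vehicle stopped": lambda s: not s.running,
        "wired flash path": lambda s: not s.air_interface,
        "backup option": lambda s: s.backup_available,
    },
}

def failed_conditions(safety_class, state):
    """Names of the acceptance conditions that do not currently hold."""
    return [n for n, ok in ACCEPTANCE_CONDITIONS[safety_class].items() if not ok(state)]

class ControlUnit:
    def __init__(self, safety_class):
        self.safety_class = safety_class   # queryable by the tester
        self.state = "normal"

    def acceptance_request(self, state):
        """Flash request: enter the flash state or answer with an error message."""
        failed = failed_conditions(self.safety_class, state)
        if failed:
            return ("error", failed)
        self.state = "flash"
        return ("flash", [])

    def acceptance_end(self):
        """Leave the flash state only on the end command from the central station."""
        self.state = "normal"

class DataTransferPoint:
    def __init__(self):
        self.buffer = []   # program data held back until the conditions arise

    def offer(self, ecu, program_data, state):
        """Mirror the unit's check first; buffer the data if the conditions do not exist."""
        if failed_conditions(ecu.safety_class, state) or ecu.acceptance_request(state)[0] != "flash":
            self.buffer.append(program_data)
            return "buffered"
        return "transmitted"

    def retry(self, ecu, state):
        """Re-offer buffered program data once the vehicle state has changed."""
        pending, self.buffer = self.buffer, []
        return [self.offer(ecu, data, state) for data in pending]
```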
During the software download, the control unit and/or the data transfer point ensure/ensures that the prescribed program data acceptance situations are maintained. By way of example, it is possible to prevent the engine from being started. If there is a communication link between the control unit and a tester and/or a data acceptance control center (central control station) during the software download, the control unit preferably does not exit the program data acceptance state until a data acceptance end command sent by the central control station has been received by the control unit.
To establish the safety classes, allowance is preferably made for the following influencing factors on the program data acceptance conditions:
- Data transmission path (flash paths); e.g., flashing over a radio link (air interface);
- Vehicle states; e.g., whether the vehicle is currently running;
- Type of flash data;
- Initialization of a control unit program which is to be accepted (flashware); and
- Control unit program backup options (“backup options”) for the old program data which are to be overwritten and/or complemented with the program data which are to be accepted.
In particular, these are program data acceptance conditions which exist in addition to the requirement of authenticity and integrity of the program data which are to be accepted; that is, they are program-data-independent situations. Authenticity is understood to mean the certainty that the program data come from an authorized source. The integrity of the data means that the data are accepted by the control unit in uncorrupted and/or error-free form. To make sure of the integrity and authenticity, known prior art methods can be used in addition to the method according to the invention. Preferably, an authenticity check on the program data is carried out by the control unit or by the data transfer point. This can be done using the method disclosed in German patent document DE 100 08 974 A1, for example. In this case, the authenticity check on the program data is carried out by checking a signature using a public key. A key pair is used for encrypting and decrypting the program data (comprising a secret key and the public key), and the program data are signed with the secret key. In this context, the public key is preferably stored in the control unit; e.g., within the boot sector.
The inventive method and the apparatuses for carrying out the method avoid the drawbacks of the prior art. In particular, the following advantages are realized:
- It is possible to download software into a control unit without putting persons and goods at risk, e.g., using a communication link or a data storage medium;
- The invention allows software to be flashed safely even outside a workshop, including while the vehicle is in use; and
- Complex flashing methods are used only for safety-critical control units, resulting in potential cost savings.
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.