The present invention relates to the detection of tampering with controller data; more specifically, the detection of changes to software, control parameters, and calibration data (some or all of which is referred to as "control data" herein) in embedded control systems.
Many vehicle engines are controlled by engine control modules (ECMs). Individuals or companies sometimes modify fuel system software and calibration data to increase the power output of the engine. In some modifications, the control data are temporarily or permanently altered, resulting in operation outside the fuel system design limits, which damages vital components of the engine. This damage may result in additional warranty repair costs to the manufacturer, even though the damage was the result of tampering by another party.
Present tamper detection and tamper-proofing systems suffer from a lack of effectiveness, excessive cost, and/or excessive complexity. For example, U.S. Pat. No. 5,884,210 to Rettig et al. discloses a communications device connectable to an engine controller. In the communications device are a predetermined set of vehicle operating parameters that are expected to be used in the engine. When the communications device is connected to the engine, the parameters present in the engine controller are compared to values stored in the communications device. An exception is stored and reported for each parameter that does not match.
U.S. Pat. No. 5,787,367 to Berra discloses a system and method for providing secured programming and reprogramming for on-board vehicle computer systems. A pair of passwords is used to establish whether a user is authorized to reprogram the computer with new data, then to encrypt the data during transfer from a communications tool to the computer. Reprogramming of the computer's control software is allowed only when a certain encrypted data value matches the data value stored in the device.
U.S. Pat. No. 5,426,585 to Stepper et al. discloses a method and apparatus for generating calibration information in which subfiles are defined for different categories of engine data. Each subfile includes line checksums, a CRC, a date, a type identifier, and an authorization level. Data is verified using rules from a rules file, associated with the subfile type, that defines criteria for individual data items and relationships between them. The checksums, CRC values, and authorization levels are checked before a subfile is used by the engine (or by a communications tool used to reprogram such devices).
There is thus a need for further contributions and improvements to controller software and data tamper detection technology.
It is an object of the present invention to provide an improved system and method for detecting tampering with controller software, parameters, and data.
These objects and others are achieved by various forms of the present invention. One form of the present invention is a system for detecting modification of control data in an electronically controlled engine. A memory contains the control data, and a data storage unit contains a stored hash value (corresponding to the result of applying a hash function to a first portion of the memory). A processor executes instructions from a computer-readable medium to apply the hash function to the first portion of the memory to obtain a calculated hash value. If the calculated hash value is not equal to the stored hash value, the processor generates an error signal in an error log.
In one variation of this embodiment, the data storage unit also contains a second stored value, which corresponds to the result of applying the first hash function to a second portion of the memory, and where the second portion is different from the first portion. In this variation, the programming instructions are also executable by the processor to apply the hash function to the second portion of the memory to obtain a second calculated hash value while the engine is operating; and to generate an error signal in the error log if the second calculated hash value and the second stored value are not equal.
In some such embodiments, the first portion of the memory is made up of two or more address ranges. Sometimes the memory is made up of a first memory device and a second memory device, and the two or more address ranges cover at least part of each device. In one case, one device is a flash memory device, while the other is an EEPROM.
In some embodiments of this form of the invention, the data storage is in the memory.
In other embodiments, the first portion of the memory is defined by one, two, or more address range data elements stored in the memory. Each element might be, for example, a starting and ending address, or a starting address and data length. Other encodings may be used as would occur to one skilled in the art. In some embodiments of this variation, the memory is divided into program space and data space, with the address range data element(s) being stored in the program space. When the system also includes a port connectable to an external service tool for reading the error log, the error log may be stored in the data space, and access by the external service tool can be limited to the data space, so that it cannot read the program space, including the address range data element(s).
In still other variations of this form of the invention, the hash value is a cyclic redundancy check (CRC) value. In other embodiments, a second stored value corresponds to the result of applying a second hash function to a second portion of the memory, and the processor executes the programming instructions to apply that second hash function to the second portion of the memory to obtain a second calculated hash value, then to generate an error signal if the second calculated hash value and the second stored hash value are not equal.
Another form of the invention is a method for detecting changes to control data in a vehicle's engine control system, comprising (1) storing in a memory a first stored hash value calculated by applying a first hash function to a first portion of the control data; (2) after a trigger event, calculating a first calculated hash value by applying the first hash function to the first portion of the control data; and (3) if the first stored hash value does not equal the first calculated hash value, signaling the mismatch.
In certain embodiments of this form of the invention, the trigger event is powering-on the vehicle.
In one variation of this form, a second stored hash value is also stored in the memory. This second hash value is calculated by applying the first hash function to a second portion of the control data. A second calculated hash value is then calculated by applying the first hash function to the second portion of the control data. Then, if the second stored hash value does not equal the second calculated hash value, the mismatch is signaled. In another variation of this form of the invention, the second stored hash value and the second calculated hash value are calculated by applying a second hash function to the second portion of the control data.
In some embodiments of this form, the calculating act comprises executing a first phase by applying the first hash function to a first segment of the first portion of control data, and executing a second phase by applying the first hash function to a second segment of the first portion of control data. These phases are separated in time: in some embodiments by a predetermined amount of time, and in other embodiments by the occurrence of a trigger event.
In other variations of this form, the signaling comprises recording an error log in a computer-readable medium. Then a service tool having a display is placed in communication with the computer-readable medium. The error log is read into the service tool, and information from the error log is shown on the display.
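The following is an added illustration of the scheme summarized above (the address-range data elements spanning flash and EEPROM, the stored versus calculated hash comparison, the error log, and the phased calculation that carries hash state between segments). It is example code written for this page, not code from the patent or from any engine control module. It assumes a CRC-32 as the hash function (the text allows any hash, and names a CRC as one option), a start/length encoding for the range elements, and constructed byte patterns standing in for real flash and EEPROM contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample memories standing in for the ECM's flash and EEPROM. */
#define FLASH_SIZE  256u
#define EEPROM_SIZE 64u
static uint8_t flash_mem[FLASH_SIZE];
static uint8_t eeprom_mem[EEPROM_SIZE];

/* Address-range data element: device, start offset, length (one of the
   encodings the text allows; a start/end pair would serve equally well). */
typedef struct { const uint8_t *dev; uint16_t start; uint16_t len; } range_t;

/* CRC-32 (IEEE, reflected polynomial 0xEDB88320) with a resumable interface:
   the value passed in is the CRC so far, so a portion can be hashed in phases. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Hash ranges [first, first+count) of a portion, continuing from 'crc'. */
uint32_t hash_ranges(uint32_t crc, const range_t *r, size_t first, size_t count)
{
    for (size_t i = first; i < first + count; i++)
        crc = crc32_update(crc, r[i].dev + r[i].start, r[i].len);
    return crc;
}

/* Error log; on a real ECM this sits in data space so a service tool can read
   it without being able to read the range descriptors in program space. */
typedef struct { uint16_t code; uint32_t expected, actual; } log_entry_t;
#define LOG_MAX 8
static log_entry_t error_log[LOG_MAX];
static size_t log_count;

static void log_error(uint16_t code, uint32_t expected, uint32_t actual)
{
    if (log_count < LOG_MAX) {
        error_log[log_count].code = code;
        error_log[log_count].expected = expected;
        error_log[log_count].actual = actual;
        log_count++;
    }
}

/* Portion 1 is two ranges on two devices; portion 2 is a different flash range. */
static const range_t portion1[] = {
    { flash_mem,  0x00, 0x80 },   /* e.g. a fuel map in flash (hypothetical) */
    { eeprom_mem, 0x10, 0x20 },   /* e.g. trim parameters in EEPROM (hypothetical) */
};
static const range_t portion2[] = { { flash_mem, 0x80, 0x80 } };
#define NR1 (sizeof portion1 / sizeof portion1[0])
#define NR2 (sizeof portion2 / sizeof portion2[0])
static uint32_t stored_hash1, stored_hash2;   /* the "data storage unit" */

/* One-pass check after a trigger event; logs and returns 0 on mismatch. */
int check_portion(const range_t *r, size_t nr, uint32_t stored, uint16_t code)
{
    uint32_t calc = hash_ranges(0, r, 0, nr);
    if (calc != stored) { log_error(code, stored, calc); return 0; }
    return 1;
}

/* Same check split into phases, one range per phase (e.g. one phase per
   background-task slot while the engine runs); CRC state carries across. */
int check_portion_phased(const range_t *r, size_t nr, uint32_t stored, uint16_t code)
{
    uint32_t crc = 0;
    for (size_t phase = 0; phase < nr; phase++)
        crc = hash_ranges(crc, r, phase, 1);   /* each call is a later phase */
    if (crc != stored) { log_error(code, stored, crc); return 0; }
    return 1;
}

/* Fill the constructed memories, store reference hashes (programming time),
   verify at "power-on", flip one fuel-map bit, verify again.
   Returns the number of log entries: exactly 1, for portion 1 only. */
size_t demo_tamper_detection(void)
{
    for (size_t i = 0; i < FLASH_SIZE; i++)  flash_mem[i]  = (uint8_t)(i * 7u);
    for (size_t i = 0; i < EEPROM_SIZE; i++) eeprom_mem[i] = (uint8_t)(0xA5u ^ i);
    log_count = 0;
    stored_hash1 = hash_ranges(0, portion1, 0, NR1);
    stored_hash2 = hash_ranges(0, portion2, 0, NR2);

    check_portion(portion1, NR1, stored_hash1, 0x0001);          /* passes */
    check_portion_phased(portion2, NR2, stored_hash2, 0x0002);   /* passes */

    flash_mem[0x20] ^= 0x01;                                     /* tamper */
    check_portion_phased(portion1, NR1, stored_hash1, 0x0001);   /* logged */
    check_portion(portion2, NR2, stored_hash2, 0x0002);          /* still ok */
    return log_count;
}

int main(void)
{
    size_t n = demo_tamper_detection();
    printf("%zu error(s) logged; code 0x%04x expected %08x got %08x\n",
           n, error_log[0].code, error_log[0].expected, error_log[0].actual);
    return 0;
}
```

Two points worth noting when reading this against the text. First, the phased and one-pass checks agree because a CRC (like most hash constructions) can be resumed from carried state, which is what lets a controller spread the work over time without holding the whole portion at once. Second, a CRC is not a cryptographic hash: a party who can rewrite the memory and knows which ranges are covered can recompute and store a matching value, so the stored values and, above all, the range descriptors need to be out of reach of the reprogramming path. That is the reason the text keeps the address-range data elements in program space that the external service tool cannot read.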