A vehicle is equipped with various apparatuses which are connected via a network and which exchange data via this network in accordance with a predetermined communication protocol (see JP-2005-47488A corresponding to US-2005/0027404A).
For the data exchange between the apparatuses connected to the network, a communication protocol specifies that a process be time-out and ended when there is no response within a specified time after requesting to send a data.
For example, in diagnostic communication of a CAN communication protocol, when a diagnostic tool sends a request message to a diagnosis target electronic control unit (ECU) via a gateway, and when the diagnostic tool does not receive a response message responding to the request massage within a specified time (e.g., 100 milliseconds) from sending the request message to the diagnosis target ECU, the diagnostic tool determines that the diagnosis target ECU could not receive the request message.
In recent years, in accordance with communication protocol diversification, the number of gateways performing protocol conversion is increasing and a network configuration is becoming complex, and as a result, a request massage and a response massage are relayed by multiple gateways. As the network configuration becomes complex, it becomes difficult to receive the response message within a time-out period specified in the communication protocol.
There is a system in which a vehicle manager ECU monitors data of each ECU on a network to provide a diagnostic service for each ECU (see JP-2003-19931A corresponding to US-2003/0009271A)
There is also a system in which a diagnostic tool can connect to an in-vehicle network, acquire various data from each ECU connected to the in-vehicle network, and provide a diagnostic service for the ECU.
In the above system, it is possible to perform various diagnoses by making a change in setting state of a specific service. For example, it is possible to individually configure a security setting for a general maintenance, for an authorized store (dealer), and for a developer, and it is possible to individually perform the diagnosis by unlocking the security setting. In this kind of system, it is possible to unlock a security lock in accordance with procedures specified in a communication protocol to perform the diagnosis. For example, in the diagnostic communication of the CAN communication, the diagnostic tool sends a session transition request to request the ECU to transition from an initial session, in which a security-locked state is to be maintained, to a diagnostic session, in which a security-unlocked state is to be maintained. In response to this session transition request, the ECU transition from the initial session to the diagnostic session. After the ECU sends a session response (affirmative response) to the diagnostic tool in response to the session transition request, the diagnostic tool sends a security unlocking request to the ECU. Upon establishment of the security unlocking, the ECU becomes the security unlocked state. In this system, continuation of the security unlocked state for a long time lowers the security. Thus, after elapse of a predetermined session time-out period (e.g., 5 seconds), the ECU returns to the security-locked state by transitioning from the session, which maintains the security-unlocked state, to the session, which maintains the security-locked state.
According to the diagnostic communication of the CAN communication, upon elapse of a specified time, the specific service setting state such as security setting, door lock setting and the like returns to an initial state. Additionally, times for various settings to return to the initial state are managed by session.
In a case of simple network configuration, it is possible to unlock the security of the ECU and diagnose the ECU in the above-described procedure.
However, in recent years, in accordance with diversification and sophistication of services of in-vehicle apparatuses, a vehicle is mounted with ECUs supporting various communication protocols such as CAN, LIN, FlexRay, KWP2000 and the like. The ECUs diffrent in communication protocol from each other are connected to each other via gateways in the network system. Because of this, there are multiple gateways between a diagnostic tool and an ECU.
In the above complex network configuration, data latency and delay is large. Thus, for example, the following situation may arise. After the diagnostic tool sends the session transition request to an ECU and the ECU sends an affirmative response to the diagnostic tool in response to the session transition request, the ECU is time-out (session time-out) and returns to the initial session before the diagnostic tool sends the security unlocking request to the ECU. In this case, it becomes impossible to diagnose the ECU.