The present invention relates to an arrangement and method for storing a data set in an ECU in a vehicle control system according to the preamble of claim 1. The invention further relates to a computer program adapted to perform a method for storing a data set in an ECU in a vehicle control system when said program is run on a computer, and a computer program product comprising such program code means stored on a computer readable medium. The arrangement is suitable for workshops working with vehicles of different kinds, both passenger vehicles and heavy vehicles.
In a workshop for repairing vehicles, computers are used more and more, both for diagnosing faults on the vehicle and for updating the vehicle control system. Normally, each vehicle manufacturer uses its own specific computer-equipped instruments for diagnostic purposes and also its own computer-based system for updating the control system of the vehicle. The vehicle control system comprises several Electronic Control Units (ECUs) connected to each other through one or more bus systems, where each ECU comprises specific software adapted for that specific ECU and the functions controlled by the ECU.
When the workshop update system is connected to the vehicle in order to update the software in one or more ECUs, a handshake routine is performed between the workshop update system and the ECU in order to prepare the ECU for the update and to make sure that the workshop system is authorized to update the ECU. When the handshake is successfully finished, the new software or data can be uploaded to the ECU and stored in a memory in the ECU. When the update is completed, the ECU is returned to a working condition.
In order to ensure that only authorized workshops can update software in the control system of the vehicle, the initial handshake between the workshop update system and the ECU will normally comprise an unlock procedure in which the workshop update system sends a password to the ECU in order to unlock the ECU and to make sure that the workshop update system is authorized to update the ECU. When the update is completed, the ECU is locked again such that no unauthorised personnel can access the ECU. This unlock procedure is manufacturer specific and is normally integrated in the specific workshop update system provided by a manufacturer. The use of such a system is normally only allowed for approved and appointed retailers and distributors and their workshops.
Coming legislation will force the vehicle manufacturers to provide information regarding diagnostics and updates of the vehicle control system both to independent workshops and to external tool vendors. In this way, independent workshops will be able to diagnose and update vehicles from different manufacturers by using the same protocols as the official workshops of a specific manufacturer. External tool vendors will be able to offer computerized tools for both diagnostics and for updating data in vehicles of different manufacturers.
The purpose of the new legislation is to prevent manufacturers from stopping independent workshops from repairing vehicles from that manufacturer. A further purpose is to allow independent tool vendors to provide tools to independent workshops that can communicate with vehicles from different manufacturers. In this way, it will be easier for an independent workshop to afford the tools required for repairs of a vehicle from a specific manufacturer. The specific original tools offered by the manufacturer have historically been too expensive for most independent workshops, especially when a workshop needs tools from several different manufacturers. Sometimes, a specific tool is required for each vehicle model. This situation has led to some repairs on a vehicle only being possible at manufacturer-approved workshops.
Because of this, the manufacturer must be able to ensure that their vehicles are safe to be used in traffic and that they have not been manipulated by a third party. If a workshop accidentally or on purpose updates the wrong data or changes the wrong software, the consequence may be that the vehicle no longer behaves as expected. This in turn will lead to uncertainty for the user as to who is responsible for the performance and specifications of the vehicle. Several cases are already known where the manufacturer of a vehicle has had to justify the performance and specifications of a vehicle involved in an accident, on which an independent workshop had made modifications that were not approved by the manufacturer. These modifications did not involve any data update in the vehicle control system. When every workshop has the possibility to update data in the vehicle control system, it will be impossible for a manufacturer to guarantee the road safety of their vehicles without some type of authorization to perform the update.
At the same time, the manufacturer must also be able to guarantee the specifications of a vehicle, e.g. when it comes to carbon dioxide emissions or the power of the engine. There is a possibility that unscrupulous workshops or mechanics use the possibility to modify data in order to manipulate the specifications of the vehicle such that the specifications no longer conform to the specifications of the original vehicle.
U.S. Pat. No. 7,551,986 describes a system for distributing software to a vehicle. A program distribution system having a vehicle type table is used to distribute vehicle-specific software using an in-vehicle gateway. The program distribution system can also use an identifier to verify that no alterations have been made to the software during the distribution. This solution may solve the problem of distributing software to a vehicle in a secure way, but does not address the problem of updating data in the vehicle.
There is thus room for improvements.
It is desirable to provide an improved arrangement for storing a data set in an ECU in a vehicle control system. It is also desirable to provide an improved method for storing a data set in an ECU in a vehicle control system.
In an arrangement for storing a data set in an ECU in a vehicle control system, wherein the arrangement comprises a computer means connected to the vehicle, where the computer means is adapted to execute an access application, where the access application comprises vehicle specific information and service action specific information, and where the information is encrypted, where the arrangement is adapted to decrypt the vehicle specific information and the service action specific information, to unlock the vehicle ECU by sending a password from the computer means to the ECU, to perform a service action by storing service action specific information in the ECU and to lock the ECU by sending a lock command to the ECU from the computer means, the arrangement is adapted to corrupt the access application software after the service action specific information is stored in the ECU such that it cannot be used again.
By this first embodiment of the arrangement for storing a data set in an ECU in a vehicle control system, an arrangement with which an independent workshop can be allowed to update a vehicle in a secure manner is obtained. In the inventive arrangement, the independent workshop receives a specific access application from the manufacturer, which corresponds to the exact needs of the workshop for that specific repair action. When the access application is ordered by the workshop, the workshop specifies the exact vehicle, e.g. by supplying the serial number of the vehicle, and the repair action that is to be performed. A central database of the manufacturer will then compile the access application for that specific repair action. The access application will comprise all the necessary code and data that will be required to access and update the vehicle control system. The data will be encrypted such that unauthorized access to the data itself is prohibited. The access application will further comprise a function that will corrupt the access application when the repair action is completed, such that the access application cannot be used more than once. In this way, the manufacturer can allow any independent workshop to perform repair actions requiring software updates in a secure and controlled manner, without the risk that a third party will be able to retrieve secret information.
In an advantageous development of the inventive arrangement, the access application is adapted to be used for a predefined number of vehicles, and the corruption of the access application software is performed after the access application has been used the predefined number of times. In this way, it is possible for a workshop to order an access application that can be used for several similar vehicles, where at least the specification for the specific component is the same. This may e.g. be the case for a general component that is used on several different types of cars, and where the access application only contains specific information regarding that specific component, e.g. calibration data or data that identifies that specific component. Such data may e.g. be data identifying a specific type of brake pads used to set the brake parameters of the vehicle, or calibration data for a specific sensor used on different car models. This may be advantageous for fleet owners that own several similar or identical vehicles, or for workshops performing a campaign in which several identical components are replaced.
In an advantageous development of the inventive arrangement, the arrangement is adapted to update one or more data parameters corresponding to a vehicle component. In this way, it is possible to update an ECU of the vehicle control system with new parameters corresponding to a specific vehicle component, e.g. calibration data for a replaced component. It is also possible to recalibrate an existing vehicle component, e.g. due to drift or to adapt it to another replaced vehicle component. Since neither the source code nor the original access code has to be supplied to the workshop in question, the manufacturer can allow independent workshops to replace vehicle components that require a software update of the vehicle control system.
It is also possible to update one or more data parameters corresponding to different vehicle components at the same time. In this way, more than one ECU of the vehicle control system may be updated with new parameters corresponding to the different vehicle components by using the same access application.
In an advantageous development of the inventive arrangement, the arrangement is adapted to add a software module to existing software in the ECU. This will allow independent workshops to add functions to the vehicle control system, both dedicated software functions and software functions associated with a new vehicle component that is added to the vehicle.
In an advantageous development of the inventive arrangement, the access application is compiled by the manufacturer of the specific vehicle. In this way, it is ensured that the access application is adapted to the specific vehicle. Since the data of the manufacturer regarding a specific vehicle is always up to date, compatibility issues are reduced as much as possible.
In an advantageous development of the inventive arrangement, the access application comprises information that will unlock more than one ECU in the vehicle. In this way, updates in the vehicle control system can be performed for vehicle parameters that are stored in more than one location.
In an advantageous development of the inventive arrangement, the access application for a specific vehicle is compiled by the manufacturer of the vehicle when a workshop demands it. This is of advantage for vehicle data that relies on other vehicle systems that in turn may be updated. In this way, it is ensured that the latest vehicle data is always used.
In an advantageous development of the inventive arrangement, the access application that comprises data corresponding to a specific hardware part is compiled when the hardware part is produced. In this way, the specific parameter, e.g. calibration parameters, for a component can be retrieved in an easy way. The access application may be linked to the hardware part by a unique number, which enables the access application to be retrieved by sending the unique number to the manufacturer of the hardware part and/or to the manufacturer of the vehicle. In this way, the workshop can obtain the access application without the need of supplying the vehicle specifications.
A method for storing a data set in an ECU in a vehicle control system comprises the steps of: executing an access application on a computer connected to the vehicle, where the access application comprises vehicle specific information and service action specific information, and where the information is encrypted; decrypting the vehicle specific information and the service action specific information by the access application; unlocking the vehicle ECU by sending a password from the access application to the ECU; performing a service action by storing service action specific information in the ECU; locking the ECU by sending a lock command to the ECU from the access application; and corrupting the access application software such that it cannot be used again.
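As an added illustration, not code from the patent or any manufacturer's tooling, the following Python model walks through the method's steps (decrypt, unlock, store, lock, corrupt) against a mock ECU, and also covers the predefined-number-of-vehicles development described earlier. It assumes a SHA-256 counter-mode keystream with an HMAC tag as a stand-in for the manufacturer's cipher, that the decryption key is delivered with the access application, and that the compiled application lists the vehicles it was ordered for; the VINs, password and parameters are constructed sample values.

```python
import hashlib, hmac, json

def _xor(data, key):
    # XOR with a SHA-256 counter-mode keystream: a stand-in for the manufacturer's cipher
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def compile_access_application(key, info):
    # Manufacturer side: encrypt the vehicle/service data and MAC the ciphertext
    ct = _xor(json.dumps(info).encode(), key)
    return hmac.new(key, ct, "sha256").digest() + ct

def _decrypt(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("access application has been tampered with")
    return json.loads(_xor(ct, key))

class MockEcu:  # minimal ECU model: unlock with a password, accept parameters, lock again
    def __init__(self, vin, password):
        self.vin, self._password, self.unlocked, self.params = vin, password, False, {}
    def unlock(self, password):
        self.unlocked = hmac.compare_digest(password, self._password)
        return self.unlocked
    def store(self, params):
        if not self.unlocked:
            raise PermissionError("ECU is locked")
        self.params.update(params)
    def lock(self):
        self.unlocked = False

class AccessApplication:
    # Workshop side: decrypt, unlock, store, lock, then corrupt itself after max_uses runs
    def __init__(self, key, blob, max_uses=1):
        self._key, self._blob, self.uses_left = key, blob, max_uses
    def run(self, ecu):
        if self._blob is None:
            raise RuntimeError("access application is corrupted and cannot be used again")
        info = _decrypt(self._key, self._blob)
        if ecu.vin not in info["vehicles"]:
            raise ValueError("access application was not compiled for this vehicle")
        ecu.unlock(info["password"])       # a wrong password leaves the ECU locked
        try:
            ecu.store(info["params"])      # raises PermissionError if still locked
        finally:
            ecu.lock()                     # ECU is locked again even if the store fails
        self.uses_left -= 1
        if self.uses_left == 0:            # predefined number of uses reached
            self._key = self._blob = None  # destroy the secrets, not just set a flag
        return dict(ecu.params)
```

Note that the ECU is locked in a `finally` clause so that a failed store never leaves it unlocked, and that corruption discards the key and ciphertext rather than setting a flag that a second copy of the file could bypass.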
With the inventive method, a safe and secure way to update and store a data set in a vehicle control system is obtained. Since all important information required for performing the update is included in the access application, which is decrypted, independent workshops can be entrusted to perform software updates on vehicles from a specific manufacturer. The inventive method further allows independent tool vendors to supply update tools for different vehicles, without the need to provide the tool vendor with manufacturer specific data, such as passwords to the vehicle control system. The manufacturer of a vehicle will thus be able to ensure the specifications of a vehicle even when a component requiring a data update has been replaced by an independent workshop. The method further ensures that the correct data parameters are used for the update, since the access application is compiled by the manufacturer.
In an advantageous development of the inventive method, the service action comprises an update of data parameters corresponding to a vehicle component. The advantage is that the vehicle control system can be updated or recalibrated with new parameters corresponding to a specific vehicle component, e.g. calibration data for a replaced component, in an easy and secure manner. Since neither the source code nor the original access code has to be supplied to the workshop in question, the manufacturer can allow independent workshops to replace vehicle components that require a software update of the vehicle control system.
In an advantageous development of the inventive method, the service action comprises adding a software module to existing software in the ECU. In this way, a software function can be added to the vehicle control system, both a dedicated software function and a software function associated with a new vehicle component that is to be mounted to the vehicle. This allows independent workshops to update vehicles with software functions in a secure and controlled manner.
In an advantageous development of the inventive method, the access application is compiled by the manufacturer of the specific vehicle. In this way, it is ensured that also independent workshops use the proper vehicle parameters.