Control units of motor vehicles are in most cases programmed during the production or manufacturing process of the motor vehicle, for example, at the end of a production line, or in a repair shop in the course of maintenance or repair work. Such programming may, for example, be a firmware update in which new, revised program code is written into the control unit. For this purpose, a computing unit may be connected to the control unit, and the new program code may be transmitted to the control unit. In this case, the program code previously stored and executed in the control unit is deleted or overwritten by the new program code.
In the course of so-called firmware-over-the-air (FOTA) programming or over-the-air (OTA) programming, control units may also be programmed in the field itself. For this purpose, the new program code may be transmitted wirelessly to the vehicle, for example, from a server of the vehicle manufacturer, via a radio contact such as WLAN or mobile networks.
For protection against chip tuning and malicious software, for example, from unauthorized parties, it is highly important to subject new program code introduced into a control unit to a signature check and thereby to verify it. If this signature check fails and the new program code cannot be successfully verified, the new program code is marked as invalid and its execution is prevented. There is then the risk that the control unit will remain in the bootloader and that normal operation will no longer be achievable. To put the control unit back into normal operation, valid program code must again be transmitted to it.
During the production or manufacturing process or in a repair shop, it is usually no problem to retransmit a valid program code to the control unit in such a case, since access to verified, valid program code is ensured here, and this program code is, for example, stored in a central database and/or in storage media.
When a control unit is programmed in the field (FOTA, OTA), such access to verified, valid program code is no longer ensured. If the radio contact between the vehicle and the server of the vehicle manufacturer is interrupted, for example, because the vehicle is situated in a closed underground garage, in a tunnel, or in a dead spot, it is potentially no longer readily possible to transmit valid program code to the control unit and to restore the functionality of the control unit.
When a control unit is programmed in the field via radio contact, the risk thus exists that the control unit is no longer able to ensure normal operation and, in addition, that valid program code can no longer be transmitted to it without transporting the vehicle to a repair shop.
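The failure mode described above, as an added example that is not part of the original text: a hypothetical control unit with a single flash region overwrites its old program code, checks the new code, and stays in the bootloader when the check fails and no valid code can be retransmitted. `ControlUnit`, `update` and `demo` are illustrative names, and HMAC-SHA256 with a constructed key stands in for the signature scheme, which the text does not specify.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 with a constructed key stands in for the manufacturer's
# signature scheme, which the page does not specify.
KEY = b"constructed-demo-key"


def sign(image):
    return hmac.new(KEY, image, hashlib.sha256).digest()


class ControlUnit:
    """Hypothetical control unit with a single flash region for program code."""
    def __init__(self, image, tag):
        self.program(image, tag)

    def program(self, image, tag):
        # The previously stored program code is overwritten by the new one...
        self.flash = image
        # ...and only then checked; a failed check marks it invalid.
        self.valid = hmac.compare_digest(sign(image), tag)

    def boot(self):
        # Execution of invalid code is prevented: the unit stays in the bootloader.
        return "application" if self.valid else "bootloader"


def update(ecu, received, refetch=None):
    """Program the received (image, tag); retransmit only if a source is reachable."""
    ecu.program(*received)
    if not ecu.valid and refetch is not None:
        ecu.program(*refetch())
    return ecu.boot()


def demo():
    v1, v2 = b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    damaged = (v2[:-1] + b"X", sign(v2))   # image altered after signing
    shop, field = ControlUnit(v1, sign(v1)), ControlUnit(v1, sign(v1))
    return (
        update(shop, damaged, refetch=lambda: (v2, sign(v2))),  # valid code at hand
        update(field, damaged),            # radio contact interrupted, no retransmission
        field.flash == v1,                 # the old, valid code is no longer there
    )


if __name__ == "__main__":
    print(demo())
```

The repair-shop unit recovers because valid code can be retransmitted immediately; the field unit has lost its old code and has nothing valid to execute until the radio contact returns.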
It is therefore desirable to provide an improved option for programming a control unit of a motor vehicle, with the aid of which reliable programming of the control unit is made possible, particularly in the field.