Automobiles are understood herein as being in the widest sense vehicles with an internal combustion engine that is controllable by control units. Such control units are used in automotive engineering for a variety of functions, for example as engine control units. In chip-tuning of engine control units, for example, frequently the non-volatile but repeatedly writable memory (e.g. flash) is manipulated. The data stored therein are altered in such a way that greater engine power is obtained. Methods for controlling the microcontroller are also known from the related art, which methods activate verification routines at start-up and/or during the run time of the control unit program. Such control units are furthermore also used for controlling transmission systems or ABS systems.
A method and a device for controlling an internal combustion engine are known from German laid open print No. 197 53 730. The device includes at least one microprocessor, at least one programmable memory and a rewritable memory. Programs and/or data processed by the microprocessor are stored in the rewritable memory. The programs are executed only after they have been checked. If the contents of a programmable memory assume a first value, the program is executed without further checking; otherwise, at least one further check is carried out. The purpose of that method is to ensure that a data set that contains altered data and/or programs or that has not been released by the manufacturer of the control unit is executable on a series control unit. At the same time, the motor vehicle manufacturer is to have the possibility of customizing control units, that is to say, of altering data sets in individual control units, without having knowledge of the checks. Protection of the contents of the programmable memory presents problems in that case.
German Patent No. 197 23 332 describes a method for protecting a microcomputer against manipulation of its program and a microcomputer protected in that manner. The microcomputer has a processor core, a read-only memory and a rewritable memory. In the read-only memory, a verification program is stored that constructs a code word from the memory contents of the rewritable memory using a key. The code word is then compared with a comparison code word which is also stored in the rewritable memory. Depending on that comparison, the microcomputer is disabled or enabled.
In the case of the known methods, even when a protected, internal flash area is used, protection is possible only if the application requires only that area and no external memory. Since, however, the applications usually make use of an external memory, the built-in manipulation protection does not work in those applications—or, rather, it is possible to circumvent it. Furthermore, manipulation of the verification routines is possible if controllers not having internal, protected memories are used. In the simplest case, calling of those routines is prevented.
If, on the other hand, those verification routines are stored in a non-alterable area in the controller (e.g. in ROM), this on the one hand means an increase in costs and on the other hand means less flexibility in the choice of algorithms. Moreover, a ROM is often not obtainable in the corresponding controller technology. Even if a ROM is available, the problems that have to be taken into account as a general principle when using a large ROM area remain. Changing the program code is very expensive, since new masks are required in each case. If code has to be changed, it takes at least 4 months before the new code can be used in the project (line throughput time). In the case of a customer-specific code, either every customer needs his own ROM or the ROM has to be made correspondingly larger. Both result in additional costs, which are not in the interests of the customer or of the semiconductor manufacturer. Here too, the issue of how the execution of the code may be forced remains unresolved.
The problem underlying the present invention therefore resides in providing a method for verifying memories of a microcontroller in a control unit, which method affords better protection against unauthorized intervention. The object is further to prevent more effectively the unauthorized manipulation of memory contents in the case of a microcontroller in a control unit.