The present invention relates to a method for protecting a microcomputer of a control unit for a motor vehicle against the manipulation of a control program stored at least partially in a rewriteable memory of the microcomputer, by executing a validation program stored in the microcomputer for detecting an unauthorized manipulation of the control program. The present invention additionally relates to a control unit for a motor vehicle, having a microcomputer which has a rewriteable memory, in which a control program can at least partially be stored, and on which a validation program can be executed for protecting the microcomputer against the manipulation of the control program.
A method of the type cited above is known, for example, from German Published Patent Application No. 197 23 332. In this document, a method is disclosed for protecting a microcomputer of a control unit for a motor vehicle, in which a validation program stored in the microcomputer is executed. In the context of the validation program, a code word is formed from at least one part of the memory contents of a rewriteable memory of the microcomputer using a predetermined key, which is stored in the microcomputer. The code word is compared with a comparison word that is stored in the rewriteable memory. Subsequent to a programming or reprogramming of the rewriteable memory, the comparison word is stored in the memory on the basis of knowledge of the key and of the memory contents of the rewriteable memory. This method for protecting the microcomputer against the manipulation of its control program is standardized in ISO 14230. The key is dependent on the manufacturer and as a rule is only known to the manufacturer (for programming the control unit) and to authorized dealers (for reprogramming the control unit in the context of software updates). The method is also designated as the seed-and-key method.
In the event that the rewriteable memory is reprogrammed by an unauthorized party, the latter, after the reprogramming, must in any case create a comparison word and store it in the rewriteable memory. In the context of the validation program, a code word is formed as a function of the key and of the memory contents of the reprogrammed rewriteable memory, and it is compared with the stored comparison word. Since the unauthorized party as a rule does not know the key of the microcomputer, the comparison word is most likely invalid and does not agree with the code word. In this manner, the unauthorized manipulation of the control program is detected.
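The seed-and-key check described above, as an added C example that is not part of the patent: a code word is formed from the memory contents with a key held only by the microcomputer and compared with the comparison word stored next to the image. The keyed digest (an FNV-1a variant seeded with the key) is a constructed stand-in, since the page does not specify the algorithm, and the key, image and the `form_code_word`, `program_memory`, `validate` and `manipulation_is_detected` names are assumptions of this example.

```c
/* Added example (not from the patent): seed-and-key style validation of a
 * rewriteable memory image. The keyed digest is a constructed stand-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE 64

/* Keyed code word over the memory contents. Assumption: 32-bit key and
 * 32-bit code word; any keyed digest would do for the illustration. */
uint32_t form_code_word(const uint8_t *mem, size_t len, uint32_t key)
{
    uint32_t h = 2166136261u ^ key;          /* seed the digest with the key */
    for (size_t i = 0; i < len; i++) {
        h ^= mem[i];
        h *= 16777619u;
    }
    /* Mix the key in once more so a change of the last bytes and a change
     * of the key are not interchangeable. */
    h ^= (key >> 16) | (key << 16);
    return h;
}

/* What the manufacturer or an authorized dealer does after (re)programming:
 * knowing the key, store the comparison word alongside the image. */
void program_memory(uint8_t *mem, const uint8_t *image, size_t len,
                    uint32_t key, uint32_t *comparison_word)
{
    memcpy(mem, image, len);
    *comparison_word = form_code_word(mem, len, key);
}

/* The validation program: recompute the code word with the microcomputer's
 * own key and compare it with the stored comparison word.
 * Returns 1 if the memory contents are accepted, 0 if a manipulation is
 * detected. */
int validate(const uint8_t *mem, size_t len, uint32_t key,
             uint32_t comparison_word)
{
    return form_code_word(mem, len, key) == comparison_word;
}

/* Scenario from the description: an unauthorized party reprograms the
 * memory and must create a comparison word, but does not know the key.
 * Returns 1 if the validation program detects the manipulation. */
int manipulation_is_detected(void)
{
    uint8_t mem[IMAGE_SIZE];
    uint8_t original[IMAGE_SIZE];
    uint32_t comparison_word;
    const uint32_t manufacturer_key = 0x5EEDC0DEu;   /* constructed key */
    const uint32_t guessed_key      = 0x00000000u;   /* wrong guess */

    for (size_t i = 0; i < IMAGE_SIZE; i++)
        original[i] = (uint8_t)(i * 7);              /* constructed image */
    program_memory(mem, original, IMAGE_SIZE, manufacturer_key,
                   &comparison_word);
    if (!validate(mem, IMAGE_SIZE, manufacturer_key, comparison_word))
        return 0;   /* a genuine image must pass */

    /* Unauthorized reprogramming: change one calibration byte and store a
     * comparison word computed with the wrong key. */
    mem[10] ^= 0xFF;
    comparison_word = form_code_word(mem, IMAGE_SIZE, guessed_key);

    return !validate(mem, IMAGE_SIZE, manufacturer_key, comparison_word);
}

int main(void)
{
    printf("manipulation detected: %s\n",
           manipulation_is_detected() ? "yes" : "no");
    return 0;
}
```

Note the asymmetry the description relies on: forming a valid comparison word requires the key, but checking one requires only the memory contents and the key already inside the microcomputer, so the check can run on every start-up without any external input.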
However, it can sometimes be necessary or useful to deactivate the validation program in order, after every reprogramming of the rewriteable memory, not to have to create a comparison word from the memory contents and from the key and to store it in the rewriteable memory. This is the case, for example, when the control unit must frequently be reprogrammed, whether for development, examination, or testing purposes, especially in the initial phase of the development of the control unit or of the control program or for varying the settings in an internal combustion engine controlled by the control unit.
The present invention therefore is based on the objective of being able to temporarily deactivate a validation program stored in a microcomputer of a motor vehicle control unit without the deactivation of the validation program leading to the reduced protection of a control program stored in a rewriteable memory of the microcomputer.
For achieving this objective, on the basis of the method for protecting a microcomputer of a control unit of the type cited above, the present invention provides that the control units be subdivided into serial modules and application modules, which are distinguished one from the other by an electronic hardware identifier, the validation program being switched from an activated to a deactivated state using standard commands in the application modules and using special measures in the serial modules, with only the standard commands being freely available.
According to the present invention, proceeding on the basis of the known software identifier of the seed-and-key method, a hardware identifier is provided as a superstructure for deactivating the software identifier. On the basis of the electronic hardware identifier, the control unit itself acts as the information carrier for the query as to whether the unit is an application module or a serial module.
Usually, only as many control units are developed as there are application modules, such as are necessary for developing the control unit, the control program, or the internal combustion engine which is controlled by the control unit and the control program. The number and distribution of application modules is therefore sharply limited. The application modules are especially distinguished from serial modules by the fact that the validation programs can be switched between an activated and a deactivated state using standard commands that are freely available.
If the validation program is in an activated state, it is necessary, after every reprogramming of the rewriteable memory of the microcomputer, to determine a comparison word, to store it in the rewriteable memory, and to execute the software identifier. In a deactivated validation program, a reprogramming of the rewriteable memory can be repeated virtually an indefinite number of times without each time having to execute the software identifier. In contrast, the serial modules constitute by far the greatest number of control units. In the serial modules, the validation program can only be switched from an activated into a deactivated state using special measures, which are only available on a limited basis. The special measures are advantageously only known to the manufacturer of the control units.
The standard commands in the method according to the present invention correspond roughly to the deactivation code in the method known from the related art. However, the difference between the method according to the present invention and the related art lies in the fact that the number and distribution of application modules, in which alone the validation program can be switched from an activated into a deactivated state using standard commands, is sharply limited. On the other hand, the widely used serial modules can only be switched using the special measures which are not freely available.
The safety of the method according to the present invention can be increased even further by limiting the availability of the standard commands for switching the validation program in the application modules from an activated into the deactivated state. It is conceivable that the standard commands be known not only to the manufacturer of the control units but also to some few selected developers at customer sites and to the employees of some few selected authorized dealers of the customer. In addition, the distribution of the application modules can be precisely monitored and controlled.
According to one advantageous refinement of the present invention, the software identifier is based on the so-called seed-and-key method, a code word being formed, in the context of the validation program, from at least one part of the memory contents of the rewriteable memory with the assistance of a key, and the code word being compared with a comparison word stored in the rewriteable memory. This method is described in detail in German Published Patent Application No. 197 23 332.
According to another embodiment of the present invention, it is provided that the validation program be switched from a deactivated to an activated state in the application modules and in the serial modules using standard commands. Since switching the validation program of a control unit into an activated state runs no danger of manipulating the control program of the control unit, this switching can be carried out by anyone, using standard commands.
According to a further embodiment of the present invention, it is provided that in the application modules the validation program be switched from the deactivated to a locked activated state using standard commands and from the locked activated state into the deactivated state using special measures.
According to this specific embodiment of the method according to the present invention, the application module can therefore be switched among three distinct states. In addition to the state having the simply activated (not locked) software identifier and the state having the deactivated software identifier, the application module can also be switched to a state having a locked activated software identifier. In this state, after the end of the application and development phase, the application module can be used as a normal serial module. From the state having the deactivated software identifier, the application module is switched using standard commands to the state having a locked activated software identifier. The application module can only exit from this state using special measures. The latter are only available on a limited basis, for example, only to the manufacturer of the control units. An unauthorized modification of the control program in the rewriteable memory of an application module, i.e., the state of the application module being switched in an unauthorized manner to the state having the deactivated software identifier, is therefore virtually impossible.
If the attempt is made in serial modules to switch the validation program from the deactivated to the simply activated (not locked) state using a standard command, the validation program according to a further embodiment of the present invention is automatically switched to the locked activated state. In this way, it is assured that the serial module, after the conclusion of a reprogramming of the control program, will in every case again be in the locked activated state in order to prevent an unauthorized manipulation of the control program.
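The switching rules of the preceding paragraphs (standard versus special commands, the hardware identifier distinguishing application from serial modules, the three states of an application module, and the automatic locking of a serial module) as one state machine in C. This is an added example, not code from the patent; the command names, the `control_unit` struct with its `hw_id_level` field, and the assumption that the special measure deactivates from either activated state on both module kinds are this example's own.

```c
/* Added example (not from the patent): validation-program state machine
 * driven by the electronic hardware identifier of the control unit. */
#include <stdio.h>

enum module_kind { MODULE_SERIAL = 0, MODULE_APPLICATION = 1 };

enum val_state {
    VAL_DEACTIVATED,        /* software identifier switched off */
    VAL_ACTIVATED,          /* simply activated, not locked */
    VAL_LOCKED_ACTIVATED    /* activated and locked */
};

/* Commands as they would arrive over the K-line or CAN. The split into
 * standard and special commands is the patent's; the names are constructed. */
enum command {
    CMD_STD_ACTIVATE,       /* standard: deactivated -> activated */
    CMD_STD_DEACTIVATE,     /* standard: activated -> deactivated */
    CMD_STD_LOCK,           /* standard: deactivated -> locked activated */
    CMD_SPECIAL_DEACTIVATE  /* special measure: -> deactivated */
};

struct control_unit {
    unsigned hw_id_level;   /* constructed: level read from the identifier component */
    enum val_state state;
};

/* Electronic hardware identifier: the unit itself carries the answer.
 * Constructed convention: a high level marks an application module. */
enum module_kind read_hardware_identifier(const struct control_unit *cu)
{
    return cu->hw_id_level ? MODULE_APPLICATION : MODULE_SERIAL;
}

/* Apply one command. Returns 1 if accepted, 0 if refused; cu->state holds
 * the resulting state either way. */
int apply_command(struct control_unit *cu, enum command cmd)
{
    enum module_kind kind = read_hardware_identifier(cu);

    switch (cmd) {
    case CMD_STD_ACTIVATE:
        if (cu->state != VAL_DEACTIVATED) return 0;
        /* A serial module never reaches the simply activated state: a
         * standard activation automatically locks it. */
        cu->state = (kind == MODULE_APPLICATION) ? VAL_ACTIVATED
                                                 : VAL_LOCKED_ACTIVATED;
        return 1;
    case CMD_STD_LOCK:
        if (cu->state != VAL_DEACTIVATED) return 0;
        cu->state = VAL_LOCKED_ACTIVATED;
        return 1;
    case CMD_STD_DEACTIVATE:
        /* Freely available, so it only works on application modules and
         * never from the locked state. */
        if (kind != MODULE_APPLICATION || cu->state != VAL_ACTIVATED) return 0;
        cu->state = VAL_DEACTIVATED;
        return 1;
    case CMD_SPECIAL_DEACTIVATE:
        /* Available on a limited basis only. Assumption: deactivates from
         * either activated state on both module kinds. */
        if (cu->state == VAL_DEACTIVATED) return 0;
        cu->state = VAL_DEACTIVATED;
        return 1;
    }
    return 0;
}

/* Scenario: a serial module is reprogrammed with the validation program
 * deactivated and then re-activated with a standard command. Returns 1 if
 * it ends up locked and refuses a standard deactivation afterwards. */
int serial_module_stays_locked(void)
{
    struct control_unit ser = { 0, VAL_DEACTIVATED };
    if (!apply_command(&ser, CMD_STD_ACTIVATE)) return 0;
    if (ser.state != VAL_LOCKED_ACTIVATED) return 0;
    if (apply_command(&ser, CMD_STD_DEACTIVATE)) return 0;
    return ser.state == VAL_LOCKED_ACTIVATED;
}

int main(void)
{
    printf("serial module stays locked: %s\n",
           serial_module_stays_locked() ? "yes" : "no");
    return 0;
}
```

The single place where the module kind matters is `apply_command`; everything else (command transport, the seed-and-key check itself) is identical for both kinds, which is what lets the same firmware ship in both application and serial modules with only the hardware identifier differing.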
According to an advantageous refinement of the present invention, it is provided that the standard commands for activating or deactivating the validation program be transmitted to the control unit via a communications interface. The communications interface is configured, for example, as a controller-area-network (CAN) bus or a K-line. For purposes of testing and diagnosis, it is known from the related art to arrange a K-line between the control unit and a diagnostic or testing device. Via a K-line, data are transmitted in accordance with the Key Word Protocol 2000 (ISO 14230). This K-line is also used for transmitting the commands to switch the validation program between an activated and a deactivated state.
As a further means of achieving the objective of the present invention, it is provided, on the basis of the control unit of the type cited above, that the control unit have an electronic hardware identifier for identifying the control unit as a serial module or an application module, the validation program being switchable from an activated state into a deactivated state in an application module using standard commands and in a serial module using special measures, as appropriate, with the standard commands being freely available and the special measures being available on a limited basis.
The electronic hardware identifier can be configured as any electronic component of the circuitry of the control unit. The electronic component can be configured, for example, as an EPROM, an EEPROM, a programmable logic device (PLD), a programmable array logic (PAL), or a generic array logic (GAL). The logic components (PLDs) can be programmed in different ways for application modules and for serial modules. Externally, distinguishing between application modules and serial modules is only possible in the context of switching the validation program between an activated and a deactivated state.
However, alternatively, according to one advantageous refinement of the present invention, it is provided that the electronic hardware identifier be configured as at least one additional electronic component integrated into the circuitry of the control unit. According to this refinement, application modules and serial modules are distinguished by circuits populated with different components. The different population of the circuit can be achieved, for example, using resistors having different resistance values, using coils having different inductances, using capacitors having different capacitances, using additional resistors, inductances, or capacitors, using additional transistors, or using additional logic components.