JP6935694B2 - Electronic control device - Google Patents

Description

The present disclosure relates to an electronic control device having a rewritable memory.

Patent Document 1 discloses an electronic control device having a non-volatile memory which is a rewritable memory.

Japanese Unexamined Patent Publication No. 2005-56144

At the time of rewriting, in the non-volatile memory, the data stored in the non-volatile memory is once erased in block units, and the target data is written to the block in which the data is erased for each predetermined byte. The target data referred to here means data to be rewritten. That is, the rewriting of the non-volatile memory is realized by sequentially rewriting one or a plurality of blocks. At the time of rewriting, the electronic control device described in Patent Document 1 stores information (hereinafter, history information) indicating a block for which rewriting has been completed in a predetermined block in the non-volatile memory.

Also in the electronic control device, the history information is updated by writing new history information to the block after the data of the block in which the history information is stored is once deleted. Therefore, for example, when the data of the block in which the history information is stored is erased and the power supply to the non-volatile memory is cut off, the history information may be lost.

One aspect of the present disclosure is to provide an electronic control device having a non-volatile memory, which retains information indicating the progress of data rewriting in the non-volatile memory even when the power supply is interrupted.

One aspect of the present disclosure is an electronic control device (13) having a non-volatile memory (33) which is a rewritable memory. The non-volatile memory has a plurality of blocks representing a storage area of a predetermined size, and the block is a state in which all the data stored in the block is erased in block units. It is configured so that the rewriting is performed by writing the target data, which is the data to be rewritten, to the block after the state is set. The electronic control device includes an information acquisition unit (S55, S60) and a storage execution unit (S85, S95, S100).

The information acquisition unit is configured to repeatedly acquire progress information, which is information indicating the degree of progress of rewriting. The storage execution unit is configured to store the progress information in at least one of a plurality of predetermined management blocks different from the block in which the target data is written each time the progress information is acquired. Then, the storage execution unit is configured to store the progress information in a management block different from the management block in which the progress information was previously stored, among the plurality of management blocks.

According to such a configuration, new progress information is stored in a management block different from the management block in which the progress information was previously stored, among the plurality of management blocks in the non-volatile memory. That is, even if the power supply to the non-volatile memory is interrupted while the progress information is being rewritten, the progress information is stored in any one of the plurality of management blocks. As a result, in the electronic control device having the non-volatile memory, even when the power supply is interrupted, the information indicating the progress of data rewriting in the non-volatile memory can be retained.

In addition, the reference numerals in parentheses described in this column and the scope of claims indicate the correspondence with the specific means described in the embodiment described later as one embodiment, and the technical scope of the present disclosure is defined. It is not limited.

The block diagram which shows the structure of the vehicle control system. Explanatory drawing which shows the storage area of ROM. Explanatory drawing which shows a plurality of rewriting procedures for rewriting a control program. A sequence diagram showing a processing flow when rewriting is performed from the first procedure among a plurality of procedures based on the rewriting processing. The figure explaining the transition of the progress information in FIG. A sequence diagram showing a processing flow when rewriting is performed from an intermediate procedure among a plurality of procedures based on the rewriting processing. The figure explaining the transition of the progress information in FIG. The flowchart of the start processing executed by the ECU. The flowchart (1/2) of the rewriting process executed by the ECU. Flow chart of rewriting process executed by ECU (2/2). Flowchart of external processing executed by an external device.

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings.
[1. composition]
The vehicle control system 1 shown in FIG. 1 is a rewriting of a control program, data, etc. (hereinafter, control program, etc.) in an electronic control device (hereinafter, ECU) 13 included in an in-vehicle control system 10 mounted on a vehicle such as a passenger car. It is a system that performs. ECU is an abbreviation for Electronic Control Unit. The rewriting referred to here may include rewriting the control program or the like stored in advance in the ECU 13 or writing the control program or the like to the ECU 13 for the first time.

The vehicle control system 1 includes an in-vehicle control system 10 and an external device 20. The external device 20 is a device external to the vehicle on which the vehicle-mounted control system 10 is mounted, and may include a center 21 and a diagnostic device 22.

The center 21 is fixed at a predetermined position. Although not shown, the center 21 includes a communication device, a CPU, and a computer having memories such as RAM and ROM. The control program is stored in the memory. When the center 21 needs to update the control program stored in the ECU 13 of the vehicle-mounted control system 10, the center 21 transmits a new control program stored in the memory of the center 21 to the ECU 13 to transmit the control program of the ECU 13. rewrite.

The diagnostic device 22 receives data related to the ECU 13 from the ECU 13 to be diagnosed, diagnoses the vehicle on which the in-vehicle control system 10 is mounted, and rewrites the data stored in the ECU 13 according to the diagnosis result. .. Although not shown, the diagnostic device 22 includes a communication device, a CPU, and a computer having memories such as RAM and ROM.

When the diagnostic device 22 needs to update the control program stored in the ECU 13 of the in-vehicle control system 10, the diagnostic device 22 transmits a new control program stored in the memory of the diagnostic device 22 to the ECU 13 to send the new control program to the ECU 13. It may be configured to rewrite the control program of.

The in-vehicle control system 10 includes an ECU 13. The in-vehicle control system 10 may include an external communication device (hereinafter, DCM-ECU) 11 and a central gateway (hereinafter, C-GW) 12. The DCM-ECU 11, C-GW 12, and ECU 13 are connected by a communication line 15 and communicate according to the CAN standard. CAN is a registered trademark.

That is, the ECU 13 is communicably connected to the DCM-ECU 11 and the C-GW 12 by the communication line 15 to form a vehicle network. Although not shown, the ECU 13 may be connected to another ECU mounted on the vehicle by a communication line 15 so as to form a vehicle network. The above-mentioned external device 20 corresponds to a device outside the vehicle network.

The DCM-ECU 11 is a device that performs wireless communication with the center 21.
The C-GW 12 is a device that is connected to the diagnostic device 22 by a communication line 5 and communicates with the diagnostic device 22 in accordance with the CAN standard.

The ECU 13 is an electronic control device that controls a controlled object mounted on a vehicle, such as an engine and a brake. The ECU 13 includes a microcomputer having a CPU 31 and semiconductor memories (hereinafter, memory 32) such as RAM 33 and ROM 34. Although not shown, the ECU 13 is provided with a power supply device (hereinafter referred to as a power supply), and is configured so that power is supplied when the power is on and power is stopped when the power is off. There is.

The CPU 31 is an arithmetic unit, and the RAM 33 is a volatile memory for temporarily storing the arithmetic results of the CPU 31 and the like. The ROM 34 is a non-volatile memory having a rewritable storage area. The non-volatile memory referred to here may include, for example, a flash memory, an EEPROM, and the like. Various programs executed by the CPU 31 are stored in the ROM 34. The details of the configuration of the ROM 34 will be described later.

Various functions of the ECU 13 are realized by the CPU 31 executing a program stored in the ROM 34. The ECU 13 realizes rewriting of the control program stored in the ROM 34 by executing the rewriting process described later.

As shown in FIG. 2, the ROM 34 has a non-rewritable area (hereinafter, non-rewritable area) 341 and a rewritable area (hereinafter, rewritable area) 342. In the ROM 34, an area having a predetermined size is called a block. The block can be, for example, tens to hundreds of bytes.

The ROM 34 can erase data in block units according to instructions from the CPU 31. Further, the ROM 34 can write data in units of one or a plurality of bytes, for example, 2 bytes, 4 bytes, and the like. In the initial state of the ROM 34, the logical value 1 is written in all the blocks. Further, the ROM 34 is rewritten in block units by writing the target data to the block after the block is put into the erased state in which all the data stored in the block is erased. Will be. The target data referred to here is data to be rewritten. A logical value of 1 is written to all of the blocks in the erased state.

The repro program is stored in the non-rewriting area 341. The repro program is a program for rewriting the control program stored in the rewrite area 342 by being executed by the CPU 31. The rewriting process represents a processing procedure when executing a repro program.

The control program, the completion flag, and the progress information are stored in the rewrite area 342. The control program is a program executed by the CPU 31 to control the control target of the ECU 13.

The completion flag is a flag indicating whether or not the rewriting of the control program to be rewritten by the repro program is completed in the ROM 34. When the completion flag is off, it means that the rewriting of the control program is not completed, and when the completion flag is on, it means that the rewriting of the control program is completed. The completion flag is set to off as the initial state when the repro program is executed.

The progress information is information indicating the degree of progress of rewriting of the control program to be rewritten by the repro program in the ROM 34. The progress information is stored in a plurality of management blocks in the ROM 34. The management block referred to here refers to a predetermined block different from the block in which the target data is written among the plurality of blocks included in the ROM 34.

Specifically, two different blocks, such as the first information block 101 and the second information block 102 included in the rewrite area 342 of the ROM 34, correspond to the management blocks. Hereinafter, the progress information stored in the first information block 101 is referred to as the first information, and the progress information stored in the second information block 102 is referred to as the second information.

As shown in FIG. 3, the ROM 34 is configured so that the control program is rewritten by sequentially executing a plurality of predetermined rewriting procedures (hereinafter, a plurality of procedures) by the ECU 13 to be rewritten. ing. The ECU 13 rewrites the control program based on the communication with the center 21 as the external device 20 or the diagnostic device 22. The plurality of procedures may include an authentication procedure, an erasure procedure, a writing procedure, a verification procedure, and a completion procedure.

For example, if a procedure whose execution has been completed is specified among a plurality of procedures, the degree of progress of rewriting of the control program can be indicated by the procedure whose execution has been completed. The termination procedure referred to below means a procedure in which execution by the ECU 13 is completed among a plurality of procedures.

In the authentication procedure, it is confirmed whether or not the external device 20 is the correct communication partner of the ECU 13. For example, A6-A8 in FIG. 4, which will be described later, corresponds to the authentication procedure.
In the erasing procedure, in accordance with the erasing request from the external device 20, the block (hereinafter referred to as the target block) for writing the control program to be rewritten is put into the erasing state in the ROM 34. For example, A9-A12 in FIG. 4 corresponds to the erasing procedure.

In the writing procedure, the external device 20 transmits a control program to be rewritten to the ECU 13, and the control program is written to the ROM 34. The writing procedure may be performed for each of the divided data in which the data representing the control program to be rewritten is divided into a plurality of pieces. The divided data may be data having a size of one block. In this embodiment, ACK is transmitted from the ECU 13 to the external device 20 each time the writing of the divided data is completed. For example, A13-A20 in FIG. 4 corresponds to the writing procedure.

In the verification procedure, it is verified whether or not the control program to be rewritten has been rewritten normally. A21-A24 in FIG. 4 corresponds to the verification procedure.
In the completion process, it is determined whether or not the rewriting of the control program to be rewritten is completed. For example, A25-A27 in FIG. 4 corresponds to the completion procedure.

Each of the plurality of procedures is executed in the order of an authentication procedure, an erasure procedure, a writing procedure, a verification procedure, and a completion procedure, and a predetermined identification code is attached to one or more rewriting procedures. The identification code may be, for example, a symbol or a number that can identify each rewriting procedure, a combination thereof, or the like.

In the present embodiment, the data representing the control program to be rewritten is composed of two divided data such as the first divided data and the second divided data. Further, among the plurality of procedures, "1" is used for the erasing procedure, "2" is used for the writing procedure for writing the first divided data (hereinafter, the first writing procedure), and the writing procedure for the second divided data is performed. (Hereinafter, the second writing procedure) is given an identification code such as "3", the verifying procedure is given an identification code such as "4", and the completion procedure is given an identification code such as "5". Of the plurality of procedures, the rewriting procedure with the identification code in this way is also referred to as a rewriting notification procedure.

[2. process]
[2-1. Rewriting sequence from the first rewriting procedure]
Next, the flow of processing when the ECU 13 executes rewriting of the control program by communicating with the external device 20 based on the rewriting processing will be described. Here, the center 21 is an external device 20. When the diagnostic device 22 is used as the external device 20, the processing is performed in the same flow.

FIG. 4 shows a processing flow when rewriting is performed from the first rewriting procedure among the above-mentioned plurality of procedures in order to rewrite the control program when the power is turned on after the power is turned off in the ECU 13. There is. The ECU 13 is configured so that the power is turned off when, for example, communication with the external device 20 is interrupted.

First, in A1, the power of the ECU 13 is turned on. In the situation where the power is turned on, when the rewriting of the control program in the ECU 13 is interrupted due to, for example, communication interruption with the external device 20, the power of the ECU 13 is once turned off, and then the power of the ECU 13 is again supplied. Can be included, such as when is turned on.

Subsequently, in A2, the ECU 13 confirms the completion flag. The completion flag is set to off.
Next, in A3 and A4, the ECU 13 reads the progress information from the ROM 34 because the completion flag is off.

Subsequently, in A5, the ECU 13 identifies the restart procedure according to the read progress information, and notifies the external device 20 of the restart procedure. The resumption procedure is one procedure included in the above-mentioned plurality of procedures, and is the first rewriting procedure when rewriting is restarted. Here, the ECU 13 specifies the first rewriting procedure among the above-mentioned plurality of procedures, that is, the authentication procedure which is the first procedure (hereinafter, the first procedure) as the restart procedure, and transmits the information indicating the restart procedure to the external device 20. Send. The resumption procedure is specified based on the progress information in the rewriting process described later.

Next, in A6, the ECU 13 receives the ACK transmitted from the external device 20. The ACK referred to here is a response indicating that the restart procedure has been received by the external device 20.
Subsequently, in A7, the ECU 13 receives the authentication request transmitted from the external device 20. The authentication request is a communication frame in which the external device 20 requests the ECU 13 to authenticate the external device 20. The authentication request includes information for identifying the external device 20 (hereinafter, identification information).

Next, in A8, the ECU 13 confirms that the identification information about the external device 20 stored in advance in the ROM 34 of the ECU 13 and the identification information included in the authentication request match. When these match, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the authentication of the external device 20 is completed.

Subsequently, in A9, the ECU 13 receives the erasure request transmitted from the external device 20. The erasure request refers to a request for putting a block in which data to be rewritten is stored into an erasure state when executing a rewrite procedure after the restart procedure among the above-mentioned plurality of procedures. Here, since the first procedure is the restart procedure, all the blocks in which the control program to be rewritten is stored and the first information block 101 and the second information block 102 are designated as the targets to be erased. Receive the erase request.

Next, in A10, the ECU 13 erases the block according to the erase request. In erasing the block, the ECU 13 sets all the bits in the designated block to the logical value 1 as described above.

Subsequently, in A11, the ECU 13 updates the progress information. Specifically, the ECU 13 writes "1", which is an identification code representing the erasing procedure, as progress information in the first information block 101 with the erasing procedure as the ending procedure.

Next, in A12, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the block has been erased according to the erase request.
Subsequently, in A13, the ECU 13 receives the first partition data transmitted from the external device 20.

Next, in A14, the ECU 13 writes the received first partition data to the address corresponding to the first partition data in the ROM 34.
Subsequently, in A15, the ECU 13 updates the progress information. Specifically, the ECU 13 uses the first writing procedure as the ending procedure and the identification code "2" indicating that the first writing procedure is completed as progress information in the second information block 102. Write.

Next, in A16, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the first writing procedure has been completed.
Subsequently, in A17, the ECU 13 receives the second divided data transmitted from the external device 20.

Next, in A18, the ECU 13 writes the received second divided data to the address corresponding to the second divided data in the ROM 34.
Subsequently, in A19, the ECU 13 updates the progress information. Specifically, the ECU 13 temporarily puts the first information block 101 in the erased state, and then completes the second writing procedure in the first information block 101 with the second writing procedure as the ending procedure. Write "3", which is an identification code indicating that the information has been done, as progress management information.

Next, in A20, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the second writing procedure has been completed.
Subsequently, in A21, the ECU 13 receives the verification request transmitted from the external device 20. The verification request referred to here is a request to the ECU 13 to verify whether or not the rewriting of the control program has been completed normally (hereinafter referred to as verification).

Next, in A22, ECU 13 executes verification. Verification can be performed by various methods such as parity bits and error correction codes.
Subsequently, in A23, the ECU 13 updates the progress information when it is verified by verification that the control program has been normally rewritten. Specifically, the ECU 13 is an identification code indicating that the second information block 102 is temporarily erased, and then the verification procedure is completed in the second information block 102 with the verification procedure as the end procedure. Write "4" as progress management information.

Next, in A24, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating the completion of verification.
Subsequently, in A25, the ECU 13 receives the completion notification transmitted from the external device 20. The completion notification is a notification indicating that all the data of the control program to be rewritten has been transmitted.

Next, in A26, the ECU 13 updates the progress information. Specifically, the ECU 13 temporarily puts the first information block 101 in the erased state, and then the first information block 101 is an identification code indicating that the completion procedure is completed with the completion procedure as the end procedure. Write "5" as progress management information.

Finally, in A25, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response (hereinafter, final response) indicating that the rewriting of the control program to be rewritten has been completed.

In this way, the ECU 13 communicates with the external device 20 to rewrite the control program to be rewritten. At this time, the progress information, that is, the first information and the second information transitions as shown in FIG. FIG. 5 shows the transition of progress information until the second writing procedure is completed.

That is, progress information is alternately written in the first information block 101 and the second information block 102 each time the rewriting procedure is completed. In other words, among a plurality of management blocks such as the first information block 101 and the second information block 102, progress is made each time the rewriting procedure is completed in a management block different from the management block in which the progress information was written last time. Information is written.

[2-2. Rewriting sequence from the procedure in the middle]
FIG. 6 shows a processing flow when rewriting is performed from an intermediate procedure among the above-mentioned plurality of procedures in order to rewrite the control program when the power is turned on after the power is turned off in the ECU 13. .. That is, when the rewriting is interrupted while the rewriting of the control program is being executed in the ECU 13, the rewriting is restarted from a procedure other than the first procedure among the above-mentioned plurality of procedures for rewriting the control program. The processing flow of is shown. FIG. 6 shows an example in which the power of the ECU 13 is turned off while the A18 in FIG. 4 is being executed. In the following, power off means a state in which the power is turned off.

After the power of the ECU 13 is turned off and the rewriting is interrupted, first, in B1, the power of the ECU 13 is turned on.
Subsequently, in B2, the ECU 13 confirms the completion flag. The completion flag is set to off.

Next, in B3 and B4, the ECU 13 reads the progress information from the ROM 34 because the completion flag is off.
Subsequently, in B5, the ECU 13 identifies the restart procedure according to the read progress information, and notifies the external device 20 of the restart procedure. Here, as shown in FIG. 7 described later, at the time of restart, the first information is “FFH” and the second information is “2”. Therefore, according to the rewriting process described later, the ECU 13 is set to “2”. The first writing procedure corresponding to is specified as the ending procedure, and the second writing procedure, which is the next procedure of the ending procedure, is specified as the restarting procedure. The ECU 13 uses the second writing procedure as the restarting procedure, and transmits information indicating the restarting procedure to the external device 20.

Next, the B6 receives the ACK transmitted from the external device 20. The ACK referred to here is a response indicating that the restart procedure has been received by the external device 20, and is also a processing request that the external device 20 requests the ECU 13 to execute the restart procedure.

Subsequently, in B7, the ECU 13 receives the authentication request transmitted from the external device 20.
Next, in B8, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the authentication of the external device 20 is completed.

Subsequently, in B9, the ECU 13 receives the erasure request transmitted from the external device 20. In the erase request referred to here, since the second write procedure is set as the restart procedure, all the blocks in which the second divided data is stored among the control programs to be rewritten are designated as the erase targets. Will be done.

Next, in B10, the ECU 13 erases the block according to the erase request.
Subsequently, in B11, the ECU 13 transmits an ACK to the external device 20. The ACK referred to here is a response indicating that the block has been erased according to the erase request.

Then, the ECU 13 executes the same processing as after A17 in FIG. 4 after B12.
Here, in B7-B8, when the rewriting is restarted between the ECU 13 and the external device 20, the authentication procedure is performed again. This is to realize highly robust and secure communication. However, the present invention is not limited to this, and the authentication procedure may be omitted.

Further, when resuming writing to a block that has been written until immediately before, it is necessary to temporarily erase the data in the corresponding block due to the characteristics of the non-volatile memory. The data in the block is erased.

In this way, the ECU 13 rewrites the control program to be rewritten when the power is cut off due to communication interruption or the like. As described above, the progress information is written in a management block different from the previous one among the first information block 101 and the second information block 102, which are a plurality of management blocks. That is, when the power of the ECU 13 is turned off, it is restarted based on the first information written in the first information block 101 and the second information written in the second information block 102. It is possible to identify the resumption procedure, which is the rewriting procedure to be performed.

For example, if the power of the ECU 13 is turned off when writing the progress information about the second writing procedure to the first information block 101, as shown in FIG. 7, the first information block 101 and the second information block 101 Of the information block 102, based on the "2" written as the second information in the second information block, the second writing procedure corresponding to the "3" following the "2" is the restart procedure. Be identified. Then, the second writing procedure is executed again. The restart procedure is specified according to the rewriting process described later.

[2-3. Process executed by ECU]
Next, the process executed by the ECU 13 will be described with reference to the flowcharts of FIGS. 8 to 10.
[2-3-1. Start process]
The start-up process shown in FIG. 8 is executed when the power of the ECU 13 is turned on after being turned off. The startup process represents a processing procedure when the startup program is executed. Although not shown, the boot program is stored in advance in the non-rewrite area 341 of the ROM 34.

First, the ECU 13 determines in S5 whether or not the completion flag is on. That is, it is determined whether or not the rewriting of the control program is completed. The ECU 13 shifts the process to S10 when the completion flag is on, and shifts the process to S15 when the completion flag is off.

In S10, the ECU 13 appropriately activates a predetermined control program and ends the main activation process.
In S15, the ECU 13 activates the repro program and ends the main activation process.

[2-3-2. Rewriting process]
The rewriting process shown in FIGS. 9 to 10 represents a processing procedure when the ECU 13 determines in S15 of the start-up process that the rewriting of the control program has not been completed and executes the repro program.

The ECU 13 acquires progress information in S20. Specifically, the ECU 13 acquires the first information and the second information from the first information block 101 and the second information block 102, respectively. The acquisition here means that the ECU 13 reads out the first information and the second information, which are progress information, from the first information block 101 and the second information block 102, respectively.

In S25, the ECU 13 determines whether or not the first information is FFH. That is, it is determined whether or not the first information block 101 is in the erased state. The ECU 13 shifts the process to S30 when the first information is FFH, and shifts the process to S40 when the first information is not FFH.

In S30, the ECU 13 determines whether or not the second information is FFH. That is, it is determined whether or not the second information block 102 is in the erased state. The ECU 13 shifts the process to S35 when the second information is FFH, and shifts the process to S55 when the first information is not FFH.

In S35, the ECU 13 specifies the authentication procedure, which is the first procedure among the above-mentioned plurality of procedures, as the restart procedure. The ECU 13 transmits information indicating the restart procedure to the center 21. Then, the ECU 13 shifts the process to S70.

In S40, the ECU 13 determines whether or not the second information is FFH. The ECU 13 shifts the process to S60 when the second information is FFH, and shifts the process to S45 when the first information is not FFH.

In S45, the ECU 13 determines whether or not there is continuity between the end procedure represented by the first information and the end procedure represented by the second information. That is, it is determined whether or not these are procedures that are continuous with each other. In this step, neither the first information nor the second information is FFH. The update information referred to below refers to progress information that does not represent the erased state, that is, first information or second information.

That is, in this step, when the progress information acquired in S20 includes a plurality of update information, is the ECU 13 a procedure in which the plurality of end procedures represented by each of the update information are continuous with each other? I'm judging whether or not.

As described above, the termination procedure is represented by a numerical identification code such as "1", "2", or the like. When the information indicating the end procedure based on the first information and the information indicating the end procedure based on the second information are continuous, the ECU 13 shifts the process to S50. Further, when there is no continuity between them, the ECU 13 shifts the process to S35 described above.

In S50, when the information indicating the end procedure based on the first information and the information indicating the end procedure based on the second information are continuous, the ECU 13 uses the end procedure according to the first information and the second information. Identify which of the termination procedures is the closest to the final procedure (hereinafter referred to as the final procedure) in the above-mentioned plurality of procedures. The immediately preceding procedure referred to below refers to the procedure closest to the final procedure among the end procedure based on the first information and the end procedure based on the second information.

Here, when the identification code as the information indicating the end procedure by the first information is larger than the identification code as the information indicating the end procedure by the second information, the ECU 13 performs the end procedure by the first information. It is specified as the immediately preceding procedure, and the process is transferred to S60. On the other hand, when the identification code as the information indicating the end procedure by the first information is smaller than the identification code as the information indicating the end procedure by the second information, the ECU 13 immediately before the end procedure by the second information. Specify as a procedure and shift the process to S55.

The ECU 13 acquires the second information in S55. That is, the end information represented by the second information is acquired. Then, the ECU 13 shifts the process to S65.
The ECU 13 acquires the first information in S60. That is, the end information represented by the first information is acquired. Then, the ECU 13 shifts the process to S65.

In S65, the ECU 13 specifies, among the above-mentioned plurality of procedures, the procedure following the end procedure acquired in S55 or S60 as the restart procedure. The ECU 13 transmits information indicating the restart procedure to the center 21. Then, the ECU 13 shifts the process to S70.

In S70, the ECU 13 determines whether or not a processing request requesting execution of the restart procedure has been received from the center 21. The ECU 13 waits until the processing request is received, and when the processing request is received, the processing shifts to S75.

In S75, the ECU 13 executes the procedure required by the processing request in accordance with the processing request.
In S80, the ECU 13 determines whether or not the procedure requested by the processing request has been completed. The ECU 13 waits until the procedure requested by the processing request is completed, and shifts the processing to S85 when the procedure requested by the processing request is completed.

The ECU 13 acquires new progress information in S85. Here, the ECU 13 generates progress information including information representing the end information which is the rewriting procedure requested by the processing request and is the completed rewriting procedure as new progress information.

In S90, the ECU 13 determines whether or not all the progress information stored in each of the all management blocks is FFH. Specifically, the ECU 13 determines whether or not both the first information block 101 and the second information block 102 are in the erased state.

Here, the ECU 13 shifts the process to S95 when all the progress information is FFH. In S95, the ECU 13 updates one of the first information block 101 and the second information block 102, which is predetermined. Updating here means writing the new progress information acquired in S85 in one management block. Here, the ECU 13 updates the first information block 101. That is, the ECU 13 writes the new progress information acquired in S85 in the first information block 101. Then, the ECU 13 shifts the process to S115. On the other hand, the ECU 13 shifts the process to S100 when all the progress information is not FFH.

In S100, the ECU 13 determines whether or not FFH is included in all the progress information. That is, the ECU 13 determines whether or not there is a block in the erased state among the first information block 101 and the second information block 102. Here, the ECU 13 shifts the processing to S105 when there is a block in the erased state among the first information block 101 and the second information block 102. In S105, the ECU 13 updates the erased block of the first information block 101 and the second information block 102. That is, the new progress information acquired in S85 is written in the erased block. Then, the process is transferred to S115.

On the other hand, the ECU 13 shifts the process to S110 when there is no block in the erased state among the first information block 101 and the second information block 102. That is, when each of the progress information stored in the plurality of management blocks is the update information, the process is shifted to S110.

In S105, the ECU 13 identifies the procedure closest to the start procedure in the above-mentioned plurality of procedures among the information indicating the end procedure represented by the first information and the information representing the end procedure represented by the second information, and the procedure. Update the management block where is stored. Then, the ECU 13 shifts the process to S115.

In S115, the ECU 13 determines whether or not the completion notification has been received from the center 21. Here, when the ECU 13 receives the completion notification, the processing shifts to S115. On the other hand, when the completion notification is not received, the ECU 13 shifts the process to S70, and repeatedly executes the process of S70-S110 from the restart procedure to the subsequent procedure in the above-mentioned plurality of procedures. That is, the ECU 13 repeatedly executes S70-S110 from the restart procedure to the final procedure.

In S115, the ECU 13 transmits a final response, which is an ACK, to the center 21 in response to the completion notification received from the center 21, and ends the rewriting process.
[2-4. Processing executed by the external device]
Next, the external device 20 transmits a new control program stored in the external device 20 to the ECU 13, and the external device process for rewriting the control program of the ECU 13 will be described with reference to the flowchart of FIG. The external device 20 is configured to be able to detect that the communication with the ECU 13 is interrupted. The process shown in FIG. 11 is started, for example, when communication with the ECU 13 is interrupted.

First, the external device 20 determines in S210 whether or not the restart procedure has been received from the ECU 13. If it is determined that the restart procedure has not been received, the external device 20 waits until it is determined that the restart procedure has been received. When it is determined that the restart procedure has been received, the external device 20 shifts the process to S220.

In S220, the external device 20 transmits a processing request to the ECU 13. The processing request referred to here is a request to the ECU 13 to execute the restart procedure received from the ECU 13.
The external device 20 determines in S230 whether or not ACK has been received from the ECU 13. The ACK referred to here is a response indicating that the procedure according to the processing request transmitted in S230 has been executed in the ECU 13. If it is determined that the ACK has not been received, the external device 20 waits until it is determined that the ACK has been received. When it is determined that the restart procedure has been received, the external device 20 shifts the process to S240.

In S240, the external device 20 determines whether or not all the rewriting procedures among the above-mentioned plurality of procedures have been completed. Here, the external device 20 shifts the process to S250 when it is determined that all the rewriting procedures have been completed. On the other hand, when it is determined that all the rewriting procedures have not been completed, the external device 20 shifts the processing to S220, and repeatedly executes the processing of S220-S240 for each of the restart procedure to the final procedure.

In S250, the external device 20 transmits a completion notification to the ECU 13.
In S260, the external device 20 determines whether or not ACK indicating the final response has been received from the ECU 13. When it is determined that the ACK representing the final response has not been received, the external device 20 waits until it is determined that the ACK has been received, and when it is determined that the ACK has been received, the external device 20 processes the external device. To finish.

[3. effect]
According to the embodiment described in detail above, the following effects are obtained.
(3a) The ECU 13 has a ROM 34 which is a non-volatile memory. In S85, the ECU 13 repeatedly acquires new progress information. In S85, S95, and S100, the ECU 13 sends progress information to at least one of a plurality of management blocks such as the first information block 101 and the second information block 102 each time the progress information is acquired. Remember. Here, in particular, the ECU 13 stores the progress information in a management block different from the management block in which the progress information was previously stored among the plurality of management blocks.

As a result, even if the power of the ECU 13 is turned off while the progress information is being rewritten, the progress information is stored in any of the plurality of management blocks. That is, even when the power of the ECU 13 having the non-volatile memory is turned off, progress information indicating the progress of data rewriting in the non-volatile memory can be retained.

(3b) In the configuration described in (3a), the ECU 13 acquires progress information each time the rewriting procedure is executed in S85. Progress information includes information that represents the end procedure. In S95, S105, and S110, the ECU 13 stores the acquired progress information in a management block that is one of the plurality of management blocks and is different from the management block in which the progress information was previously stored.

In S5, the ECU 13 determines whether or not all the rewriting procedures among the above-mentioned plurality of procedures are executed and the rewriting of the ROM 34 is completed when the power supply to the ECU 13 is started from the stop. .. When it is determined that the rewriting is not completed, the ECU 13 acquires progress information from each of the plurality of management blocks in S20, and in S35 and S65, specifies the restart procedure based on the acquired progress information.

As a result, since the end procedure included in the progress information represents the rewrite procedure in which the execution of the above-mentioned plurality of procedures has been completed, it is possible to specify the restart procedure based on the end information. Further, since the progress information is stored in a block different from the previously stored management block among the plurality of management blocks, if the progress information is written to one of the plurality of management blocks, communication interruption or the like may occur. Even if the power of the ECU 13 is turned off for some reason, the progress information already written remains in the other of the plurality of management blocks.

Therefore, even if the power of the ECU 13 is turned off, the progress information can be retained. Further, since the rewriting can be restarted from the restart procedure specified based on the progress information, the time required for the rewriting can be shortened.

(3c) In the configuration described in (3b), the ECU 13 determines in S35 whether or not all the progress information acquired from each of the plurality of management blocks in S20 represents the erased state, and all the progress information. When the progress information indicates the erased state, the first procedure among the above-mentioned plurality of procedures is specified as the restart procedure.

As a result, even if all of the plurality of management blocks are in the erased state, the first procedure is specified as the restart procedure, so that the rewriting of the control program can be reliably restarted.
(3d) In the configuration described in (3b) or (3c), in S65, at least one of all the progress information acquired from each of the plurality of management blocks in S20 represents the erased state. It is determined whether or not there is no update information, and if at least one of all the progress information is the update information, the restart procedure is specified based on the update information.

That is, when at least one update information is acquired, the restart procedure can be specified based on the update information. As a result, the time required for rewriting can be shortened.
(3e) In the configuration described in (3d), in S65, when the ECU 13 includes a plurality of update information in all the progress information acquired from each of the plurality of management blocks, the ECU 13 depends on each of the plurality of update information. Among the plurality of end procedures represented, the immediately preceding procedure, which is the procedure closest to the final procedure in the above-mentioned plurality of procedures, is specified, and the procedure following the immediately preceding procedure is specified as the restart procedure.

That is, when a plurality of update information is acquired, rewriting can be restarted from a procedure closer to the final procedure. As a result, the time required for rewriting can be shortened.
(3f) In the configuration described in (3e), in S45, when a plurality of update information is included in all the progress information, the ECU 13 determines whether or not each of the plurality of end procedures is a continuous procedure. To judge.

As a result, for example, when progress information is stored in each of a plurality of management blocks in a predetermined order, and it is determined that each of the plurality of end procedures is a procedure that is continuous with each other, the progress information. Can be recognized as a normally memorized situation.

(3g) In the configuration described in (3f), the ECU 13 identifies the immediately preceding procedure and immediately before, when it is determined in S65 that each of the plurality of ending procedures is a continuous procedure, as described above. Identify the next step in the procedure as the restart procedure.

That is, when it is recognized that the progress information is normally stored, the rewriting can be restarted from a procedure closer to the final procedure. As a result, the procedure for starting rewriting can be accurately specified.

(3h) In the configuration described in (3f) or (3g), the ECU 13 has the above-mentioned plurality of procedures when it is determined in S65 that each of the plurality of termination procedures is not a continuous procedure. Of these, the first procedure is specified as the restart procedure.

That is, when it is recognized that the progress information is not normally stored, the rewriting is restarted from the first procedure. As a result, rewriting can be reliably executed.
(3i) In the configuration described in any one of (3d) to (3h), the ECU 13 has a configuration in which one update information is included in all the progress information acquired from each of the plurality of management blocks in S35. In addition, the next step of the termination procedure represented by the update information is specified as the restart procedure.

That is, when one update information is acquired, the restart procedure can be specified based on the update information. As a result, the time required for rewriting can be shortened.
(3j) In the configuration according to any one of (3b) to (3i), the ECU 13 is mounted on a vehicle and is mounted on the vehicle as another electronic control device such as the DCM-ECU 11 or the C-GW 12. It is connected by a communication line 15 so as to be communicable and constitutes a vehicle network. In S35 and S65, the ECU 13 transmits information indicating the restart procedure to the external device 20 which is a device outside the vehicle network and can communicate with the ECU 13.

As described above, the external device 20 is configured to transmit the target data to the ECU 13. The ECU 13 is configured to execute rewriting by writing the target data received from the external device 20 to the ROM 34. In the present embodiment, since the restart procedure is transmitted to the external device 20, it is possible to cause the external device 20 to transmit the target data necessary for restarting the rewriting among the data constituting the control program.

(3k) In the configuration described in any one of (3b) to (3j), the ECU 13 determines whether or not all the management blocks are in the erased state in S95, and all the management blocks are in the erased state. In some cases, it is configured to store progress information in one predetermined management block. As a result, when all the management blocks are in the erased state, the management blocks for storing the progress information are predetermined, so that the progress information can be reliably stored.

(3l) In the configuration described in any one of (3b) to (3k), the ECU 13 determines in S105 whether or not at least one management block among all the management blocks is in the erased state, and at least 1 When one management block is in the erased state, at least one of the management blocks is configured to store progress information. For example, as described above, when one of the first information block 101 and the second information block 102 is in the erased state, the progress information is stored in the second information block 102 in the erased state.

That is, since the new progress information is stored in the management block that is in the erased state with priority over the management block that is not in the erased state, the past progress information and the new progress information can be stored in different management blocks. As a result, the same effect as in (3a) can be obtained.

(3m) The ECU 13 is configured to determine whether or not all the management blocks are in the non-erased state in S110 in the configuration described in any of (3b) to (3l). When all the management blocks are in the non-erased state, the ECU 13 stores the end procedure that is one of the plurality of end procedures stored in each of the all management blocks and is closest to the above-mentioned first procedure. It is configured to store progress information in the management block.

For example, as described above, when both the first information block 101 and the second information block 102 are in the non-erased state, they are stored in the first information block 101 and the second information block 102, respectively. Progress information is stored in the management block in which the end procedure closest to the first procedure is stored among the plurality of end procedures. As a result, more recent progress information can be retained.

The vehicle control system 1 in the above embodiment corresponds to the control system, the ECU 13 corresponds to the electronic control device, and the ROM 34 corresponds to the non-volatile memory. Further, the ECU 13 corresponds to an information acquisition unit, a storage execution unit, a completion determination unit, a restart identification unit, a continuous determination unit, and a restart transmission unit. Further, S85 corresponds to the processing as the information acquisition unit, S95, S105, and S110 correspond to the processing as the storage execution unit, S5 corresponds to the processing as the completion determination unit, and S35 and S65 correspond to the restart identification unit. It corresponds to the process as the restart transmission unit, and S45 corresponds to the process as the continuous determination unit.

The DCM-ECU 11 and C-GW 12 correspond to other electronic control devices constituting the vehicle network. Each of the first information block 101 and the second information block corresponds to a management block, each of the first information and the second information corresponds to progress information, and a plurality of procedures correspond to a plurality of rewriting procedures. Further, the first procedure corresponds to the first rewriting procedure among the plurality of rewriting procedures, and the ending procedure corresponds to the last rewriting procedure in the plurality of rewriting procedures.

[4. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments, and can be implemented in various modifications.

(4a) In the above embodiment, the DCM-ECU 11, C-GW 12, and ECU 13 are configured to perform communication according to the CAN standard. However, the present invention is not limited to this. The DCM-ECU 11, C-GW 12, and ECU 13 may be configured to communicate according to Ethernet standards. Ethernet is a registered trademark.

(4b) In the above-described embodiment, the above-mentioned plurality of procedures include an authentication procedure, an erasing procedure, a first writing procedure and a second writing procedure as a writing procedure, a verification procedure, and a completion procedure. However, it is not limited to these. The plurality of procedures described above may include one or more of an authentication procedure, an erasure procedure, a writing procedure, a verification procedure, and a completion procedure. Further, the writing procedure may be performed without dividing the data representing the control program to be rewritten.

(4c) In the above embodiment, the progress information is alternately stored in two different management blocks such as the first information block 101 and the second information block 102, but the present invention is not limited thereto. The progress information may be stored in three different management blocks, such as a first information block 101, a second information block 102, and a third information block (not shown). Alternatively, the progress information may be stored in four or more different management blocks. In any case, the same effect as that of the above-described embodiment is obtained by writing the progress information to a management block different from the previously written management block.

(4d) In the above embodiment, an example of rewriting the control program has been described, but the present invention is not limited to this. For example, the ECU 13 may store data (hereinafter, diagnostic data) that is rewritten according to the diagnosis result of the vehicle by the diagnostic device 22 in the rewrite area 342 of the ROM 34. Then, the ECU 13 may realize rewriting of the diagnostic data using the diagnostic data stored in the ROM 34 as the target data by executing the rewriting process in the same manner as in the above embodiment.

(4e) In the above embodiment, the ECU 13 stores the progress information in one of the plurality of management blocks each time the progress information is acquired in S85, but the present invention is not limited to this. No. The ECU 13 may be configured to store the progress information in two or more management blocks among the plurality of management blocks each time the progress information is acquired in S85.

(4f) In the above embodiment, as shown in the description of the second writing procedure in FIGS. 5 and 7, when the rewriting procedure is completed, the management block whose progress information should be updated is deleted. However, the present invention is not limited to this. For example, in FIGS. 5 and 7, immediately before the start of the rewriting procedure, the first information block 101, which is a management block whose progress information should be updated, is deleted immediately before the start of the second writing procedure. The management block whose progress information should be updated may be deleted.

(4g) In the above embodiment, when the restart procedure is notified from the ECU 13 in B5 shown in FIG. 6, the external device 20 transmits the information indicating the restart procedure received from the ECU 13 to the ECU 13 as ACK in B6. It was configured like this. However, the present invention is not limited to this. The ECU 13 may be configured in B6 to determine whether or not the restart procedure and the restart procedure received as ACK from the external device 20 match. Here, the ECU 13 may be configured to execute the process after B7 when the restart procedure and the restart procedure received as ACK from the external device 20 match. On the other hand, when the restart procedure and the restart procedure received as ACK from the external device 20 do not match, the ECU 13 transmits a negative response to the external device 20 and executes rewriting from the heading process to the external device 20. It may be configured to require.

(4h) The above embodiment may be realized as a vehicle control system 1. The vehicle control system 1 comprises an ECU 13 mounted on a vehicle to form a vehicle network and having a non-volatile memory which is a rewritable memory, and an external device 20 which is a device outside the vehicle network and can communicate with the ECU 13. You may have it. Here, the vehicle control system 1 may include an ECU 13 configured as described in (3a) above. Further, the ECU 13 included in the vehicle control system 1 may be further configured as described in (3b)-(3m) above.

(4i) A plurality of functions possessed by one component in the above embodiment may be realized by a plurality of components, or one function possessed by one component may be realized by a plurality of components. .. Further, a plurality of functions possessed by the plurality of components may be realized by one component, or one function realized by the plurality of components may be realized by one component. Further, a part of the configuration of the above embodiment may be omitted. In addition, at least a part of the configuration of the above embodiment may be added or replaced with the configuration of the other above embodiment. It should be noted that all aspects included in the technical idea specified from the wording described in the claims are embodiments of the present disclosure.

(4j) In addition to the vehicle control system 1, the in-vehicle control system 10, the external device 20, the center 21, the diagnostic device 22, and the ECU 13 described above, a program for operating the external device 20, the center 21, and the ECU 13 is recorded. The present disclosure can also be realized in various forms such as a non-transitional actual recording medium such as a semiconductor memory and a rewriting method.

1 Vehicle control system, 13 ECU, 20 external device.

Claims (10)

An electronic control device (13) having a non-volatile memory which is a rewritable memory.
The non-volatile memory has a plurality of blocks representing a storage area having a predetermined size, and in the block unit, all the data stored in the block is erased. It is configured so that rewriting is performed by writing the target data, which is the data to be rewritten, to the block after being put into a certain erased state.
An information acquisition unit (S85) configured to generate and acquire progress information, which is information indicating the degree of progress of the rewriting, and
Each time the progress information is acquired, the progress information is set in a management block different from the management block in which the progress information was previously stored among a plurality of predetermined management blocks different from the block in which the target data is written. Storage execution units (S95, S105, S110) configured to store
Bei obtain an electronic control device. The electronic control device according to claim 1.
The non-volatile memory is configured so that the rewriting is performed by sequentially executing a plurality of predetermined rewriting procedures.
Each time the rewriting procedure is executed, the information acquisition unit generates and acquires progress information including information indicating a completion procedure which is the progress information and is a procedure whose execution has been completed among the plurality of rewriting procedures. death,
The storage execution unit stores the progress information in a management block that is one of the plurality of management blocks and is different from the management block in which the progress information was previously stored.
A completion determination unit (S5) configured to determine whether or not all the plurality of rewriting procedures have been executed and the rewriting has been completed.
When it is determined that the rewriting is not completed, the progress information is acquired from each of the plurality of management blocks, and based on the progress information, it is one procedure included in the plurality of rewriting procedures. Resumption identification units (S35, S65) configured to specify the resumption procedure representing the first rewriting procedure when resuming the rewriting, and
An electronic control device further equipped with. The electronic control device according to claim 2.
The restart specifying unit (S35) determines whether or not all the progress information acquired from each of the plurality of management blocks represents the erased state, and all the progress information represents the erased state. When the electronic control device is configured to specify the first rewriting procedure among the plurality of rewriting procedures as the restarting procedure. The electronic control device according to claim 2 or 3.
In the restart identification unit (S65), whether or not at least one of all the progress information acquired from each of the plurality of management blocks is the progress information and the update information that does not represent the erased state. An electronic control device configured to identify the restart procedure based on the update information when at least one of all the progress information is the update information. The electronic control device according to claim 4.
The resumption identification unit (S65), when containing the plurality of the update information to all of the progress information obtained from each of the plurality of management blocks, the plurality represented by each of the plurality of update information An electron configured to identify the immediately preceding procedure that is one of the termination procedures and is closest to the last rewriting procedure in the plurality of rewriting procedures, and identifies the next procedure of the immediately preceding procedure as the restarting procedure. Control device. The electronic control device according to claim 5.
The resumption identification unit (S65), if that contain multiple updates to the all progress information, each of said plurality of termination procedure is configured to determine whether the procedure of mutually sequential An electronic control device including a continuous determination unit (S45). The electronic control device according to claim 6.
When it is determined that each of the plurality of end procedures is a continuous procedure, the restart identification unit (S65) specifies the immediately preceding procedure and specifies the next procedure of the immediately preceding procedure as the restart procedure. An electronic control unit configured to do so. The electronic control device according to claim 6 or 7.
The restart identification unit (S35) is configured to specify the first rewrite procedure among the plurality of rewrite procedures as the restart procedure when it is determined that each of the plurality of end procedures is not a continuous procedure. Electronic control device. The electronic control device according to any one of claims 4 to 8.
When all the progress information acquired from each of the plurality of management blocks includes one update information, the restart identification unit (S65) is next to the end procedure represented by the update information. An electronic control device configured to identify the procedure as said resumption procedure. The electronic control device according to any one of claims 2 to 9.
It is mounted on a vehicle and is communicably connected to other electronic control devices mounted on the vehicle by a communication line to form a vehicle network.
A restart transmission unit (S35, S65) configured to transmit information indicating the restart procedure to an external device that is outside the vehicle network and is capable of communicating with the electronic control device.
An electronic control device further equipped with.

Images