Data processing: vehicles – navigation – and relative location – Vehicle control – guidance – operation – or indication
Reexamination Certificate
2001-01-19
2003-08-05
Chin, Gary (Department: 3661)
Data processing: vehicles, navigation, and relative location
Vehicle control, guidance, operation, or indication
C713S152000
Reexamination Certificate
active
06604024
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a method for protecting a microcomputer of a control unit for a motor vehicle against the manipulation of a control program stored at least partially in a rewriteable memory of the microcomputer, by executing a validation program stored in the microcomputer for detecting an unauthorized manipulation of the control program. The present invention additionally relates to a control unit for a motor vehicle, having a microcomputer which has a rewriteable memory, in which a control program can at least partially be stored, and on which a validation program can be executed for protecting the microcomputer against the manipulation of the control program.
BACKGROUND INFORMATION
A method of the type cited above is known, for example, from German Published Patent Application No. 197 23 332. In this document, a method is disclosed for protecting a microcomputer of a control unit for a motor vehicle, in which a validation program stored in the microcomputer is executed. In the context of the validation program, a code word is formed from at least one part of the memory contents of a rewriteable memory of the microcomputer using a predetermined key, which is stored in the microcomputer. The code word is compared with a comparison word that is stored in the rewriteable memory. Subsequent to a programming or reprogramming of the rewriteable memory, the comparison word is stored in the memory on the basis of knowledge of the key and of the memory contents of the rewriteable memory. This method for protecting the microcomputer against the manipulation of its control program is standardized in ISO 14230. The key is dependent on the manufacturer and as a rule is only known to the manufacturer (for programming the control unit) and to authorized dealers (for reprogramming the control unit in the context of software updates). The method is also designated as the seed-and-key method.
In the event that the rewriteable memory is reprogrammed by an unauthorized party, the latter, after the reprogramming, must in any case create a comparison word and store it in the rewriteable memory. In the context of the validation program, a code word is formed as a function of the key and of the memory contents of the reprogrammed rewriteable memory, and it is compared with the stored comparison word. Since the unauthorized party as a rule does not know the key of the microcomputer, the comparison word is most likely invalid and does not agree with the code word. In this manner, the unauthorized manipulation of the control program is detected.
However, it can sometimes be necessary or useful to deactivate the validation program in order, after every reprogramming of the rewriteable memory, not to have to create a comparison word from the memory contents and from the key and to store it in the rewriteable memory. This is the case, for example, when the control unit must frequently be reprogrammed, whether for development, examination, or testing purposes, especially in the initial phase of the development of the control unit or of the control program or for varying the settings in an internal combustion engine controlled by the control unit.
SUMMARY OF THE INVENTION
The present invention therefore is based on the objective of being able to temporarily deactivate a validation program stored in a microcomputer of a motor vehicle control unit without the deactivation of the validation program leading to the reduced protection of a control program stored in a rewriteable memory of the microcomputer.
For achieving this objective, on the basis of the method for protecting a microcomputer of a control unit of the type cited above, the present invention provides that the control units be subdivided into serial modules and application modules, which are distinguished one from the other by an electronic hardware identifier, the validation program being switched from an activated to a deactivated state in the application modules using standard commands and in the serial modules using special measures, as appropriate, only the standard commands being freely available.
According to the present invention, proceeding on the basis of the known software identifier of the seed-and-key method, a hardware identifier is provided as superstructure for deactivating the software identifier. On the basis of the electronic hardware identifier, the control unit itself acts as the information carrier for the query as to whether the unit is an application module or a serial module.
Usually, only as many control units are developed as there are application modules, such as are necessary for developing the control unit, the control program, or the internal combustion engine which is controlled by the control unit and the control program. The number and distribution of application modules is therefore sharply limited. The application modules are especially distinguished from serial modules by the fact that the validation programs can be switched between an activated and a deactivated state using standard commands that are freely available.
If the validation program is in an activated state, it is necessary, after every reprogramming of the rewriteable memory of the microcomputer, to determine a comparison word, to store it in the rewriteable memory, and to execute the software identifier. In a deactivated validation program, a reprogramming of the rewriteable memory can be repeated virtually an indefinite number of times without each time having to execute the software identifier. In contrast, the serial modules constitute by far the greatest number of control units. In the serial modules, the validation program can only be switched from an activated into a deactivated state using special measures, which are only available on a limited basis. The special measures are advantageously only known to the manufacturer of the control units.
The standard commands in the method according to the present invention correspond roughly to the deactivation code in the method known from the related art. However, the difference between the method according to the present invention and the related art lies in the fact that the number and distribution of application modules, in which alone the validation program can be switched from an activated into a deactivated state using standard commands, is sharply limited. On the other hand, the widely used serial modules can only be switched using the special measures which are not freely available.
The safety of the method according to the present invention can be increased even further by limiting the availability of the standard commands for switching the validation program in the application modules from an activated into the deactivated state. It is conceivable that the standard commands be known not only to the manufacturer of the control units but also to some few selected developers at customer sites and to the employees of some few selected authorized dealers of the customer. In addition, the distribution of the application modules can be precisely monitored and controlled.
According to one advantageous refinement of the present invention, the software identifier is based on the so-called seed-and-key method, a code word being formed, in the context of the validation program, from at least one part of the memory contents of the rewriteable memory with the assistance of a key, and the code word being compared with a comparison word stored in the rewriteable memory. This method is described in detail in German Published Patent Application No. 197 23 332.
According another embodiment of the present invention, it is provided that the validation program be switched from a deactivated to an activated state in the application modules and in the serial modules using standard commands. Since switching the validation program of a control unit into an activated state runs no danger of manipulating the control program of the control unit, this switching can be carried out by anyone, using standard commands.
According to a further embodiment of the present invention, it i
Braun Guenter
Djahangard-Mahboob Alireza
Chin Gary
Kenyon & Kenyon
Robert & Bosch GmbH
LandOfFree
Method for protecting a microcomputer of a control unit... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method for protecting a microcomputer of a control unit..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method for protecting a microcomputer of a control unit... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3093168