BLOCKING AND UNBLOCKING MECHANISM FOR SOFTWARE UPDATES FOR A CONTROLLER

20210019139 · 2021-01-21

    Abstract

    The invention relates to a controller (1) for controlling a component (10) of a motor vehicle, in particular an electric motor, a valve, a pump, a fan drive, in particular for HVAC applications or for drive system temperature control, having a processor (30), preferably a microcontroller (40), and an interface (20) that is designed such that a software update is able to be received, in particular applied, by way of the interface (20). It is proposed for the controller (1) to have a blocking mechanism that, when it is activated, prevents the software update from being applied, wherein the blocking mechanism is able to be activated in a time-controlled, event-controlled and/or signal-controlled manner.

    Claims

    1. A control device (1) for controlling a component (10) of a motor vehicle, the control device (1) having a processor (30) and an interface (20) configured to receive a software update, wherein the control device (1) has a blocking mechanism which, upon activation, inhibits the application of the software update, wherein the blocking mechanism can be activated in a time-controlled, event-controlled and/or signal-controlled manner.

    2. The control device (1) as claimed in claim 1, wherein the interface (20) is configured to allow a communication with the blocking mechanism activated, with internal data, traceability data, status information and/or device configurations continuing to be received or transmitted.

    3. The control device (1) as claimed in claim 1, wherein the interface (20) is configured to connect the control device (1) to the motor vehicle, via a bus system.

    4. The control device (1) as claimed in claim 1, wherein the blocking mechanism is implemented by the interface (20).

    5. The control device (1) as claimed in claim 1, wherein the blocking mechanism is implemented by the processor (30).

    6. The control device (1) as claimed in claim 1, further comprising a housing, and wherein the processor (30) is arranged within the housing, wherein the housing is filled with a curing potting compound in such a way that contacting of the processor (30) is possible only after at least partial removal of the potting compound.

    7. The control device (1) as claimed in claim 1, wherein the interface (20) is configured to receive signals on a vehicle bus connected to it, wherein the interface and/or the processor (30) is/are configured to evaluate the signals and to activate the blocking mechanism in dependence on defined events, received signals, and/or a combination thereof.

    8. The control device (1) as claimed in claim 1, wherein the control device (1) is configured to activate the blocking mechanism during or after the production of the control device (1) and/or during or after the motor vehicle production and/or during the first use of the motor vehicle by the end customer.

    9. A method (100) for operating a control device (1) which is designed to control a component (10) of a motor vehicle, the method comprising the following steps: detecting (110) whether the blocking mechanism of the control device, which inhibits the application of software updates, is activated, activating (140) the blocking mechanism of the control device (1) if a determination (115, 130) reveals that a number or a defined number of events have occurred, a defined time has passed and/or a number or a defined number of signals have been received.

    10. The method (100) as claimed in claim 9, further comprising the following step: activating (140) the blocking mechanism when it is detected that the motor vehicle is used by evaluating signals received by the interface (20).

    11. The method (100) as claimed in claim 9, wherein, after the activating (140) the blocking mechanism, the interface continues to be used for receiving or transmitting control commands, internal data, traceability data, status information and/or device configurations.

    12. The method (100) as claimed in claim 9, wherein the method is run through for each signal received at the interface (20), and in that the run-through of the method (100) is ended when the blocking mechanism is activated.

    13. The method (100) as claimed in claim 9, further comprising inhibiting the application of software updates with the blocking mechanism activated.

    14. (canceled)

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0031] The invention is described in more detail below. In the figures:

    [0032] FIG. 1 shows a control device according to the invention, and

    [0033] FIG. 2 shows a flow diagram with the method according to the invention.

    DETAILED DESCRIPTION

    [0034] FIG. 1 illustrates a control device 1 according to the invention. The control device 1 is designed to control or regulate a component of a motor vehicle. A component 10 of a motor vehicle can be understood to mean in particular an electric motor, a pump, a valve, a fan motor, in particular for HVAC applications and/or for drive system temperature control. The components mentioned here are preferably supply units or miniature drives which are provided to supply, in particular to assist, the operation of the drive motor, of the inverter and/or of the battery in an electrically driven vehicle. It is also possible for such miniature drives or supply units to be used in vehicles having an internal combustion engine or another drive, for example a hydrogen-based drive system. The components 10 can also be part of the HVAC system of the vehicle or be used for cooling or heating further motor vehicle components, in particular components of the drive.

    [0035] According to one development, what is concerned here is the vehicle drive itself, or individual components of the vehicle drive.

    [0036] According to one development of the invention, the components 10 are electrically commutated electric motors. These electrically commutated electric motors can also be used as a drive for pumps, valves, fans and/or compressors. The electrically commutated electric motor has in particular at least three motor phases. The motor phases are traversed by a flow of current in such a way as to produce a rotating electrical field which is entrained by the magnets of the rotor. The rotating electrical field brings about a rotational movement of the rotor.

    [0037] The activation of the electrically commutated electric motor, that is to say of the electrically commutated component 10, is effected by means of an output stage. The output stage has electronic switches which in particular have a B6 arrangement. The electronic switches are preferably designed as power transistors or MOSFETs. The electronic switches are activated by a control signal. The current which flows through the three phases and hence through windings of the electric motor is regulated in dependence on the control signal. The control signals are provided by the control device 1.

    [0038] The control device 1 comprises an interface 20 and a processor 30, in particular a microprocessor. The interface 20 is designed in such a way that, being connected to the communication network of the motor vehicle, it allows communication via the latter. Communication networks in the motor vehicle sector are in particular bus systems, preferably CAN, LIN, Powertrain, x-by-wire, TTP/B, MOST, D2B or FlexRay bus systems. The interface 20 allows commands to be received and transmitted. Furthermore, the interface 20 is designed to receive software updates. According to the invention, the interface can also communicate wirelessly, in particular by means of Bluetooth, Wi-Fi, Zigbee, radio and/or Z-Wave.

    [0039] The processor 30, in particular the microprocessor, is a programmable computing unit consisting of electrical circuits. A processor is also understood below to mean a microprocessor or the like. The processor 30 is designed in such a way that it controls other machines or electrical circuits in dependence on commands and thereby executes an algorithm. The commands are received by the processor 30 via the interface 20. The interface 20 and the processor 30 are connected in such a way that communication from the interface to the processor 30, and vice versa, is possible. The interface 20 is preferably part of the processor 30.

    [0040] According to one development of the invention, the control device 1 has a microcontroller 40. The microcontroller 40 is a semiconductor chip which contains the processor 30 and at the same time also peripheral functions. The main memory and programming memory are preferably also situated partially or completely on one and the same chip. The microcontroller can also comprise complex peripheral functions, such as for example the interface 20.

    [0041] According to one development of the invention, the output stage 50 can be a peripheral function of the microcontroller 40. The microcontroller 40 comprises in particular the output stage 50.

    [0042] The control device 1 is designed to carry out software updates. The software updates are applied in particular via the interface 20 to the control device 1 or to the microcontroller and/or processor. The software updates preferably change and/or update the software of the processor 30 and/or of the microcontroller 40. The software update can for example bring about a change in the activating behavior of the component. The software updates are preferably applied via the interface to a memory which interacts with the processor and/or the microcontroller. The software updates are applied in particular by means of a bootloader.

    [0043] The bootloader carries out the software update by overwriting the previous data memory locations of the software with the new software. The software update is in particular installed.

    [0044] What is to be understood by software is the firmware or the operating software which is required to operate the processor or the component.

    [0045] The control device 1 has a blocking mechanism which allows it, after activation, to inhibit the application of software updates. If the blocking mechanism is activated, the software of the control device 1 cannot be updated or changed. Defined parameters and/or variables can preferably no longer be changed. In particular, a changing of nonvolatile or persistent memories is prevented. The control device is designed, after activation, to inhibit the changing of defined parameters and/or variables. The control device 1, in particular the interface, prevents the application of a software update after the activation of the blocking mechanism. Here, a software update is understood to also always mean a firmware update. Nevertheless, in spite of the blocking mechanism being activated, the interface can continue to be used for communication and thus to exchange data.

    [0046] According to a first embodiment, the blocking mechanism is part of the interface 20. The interface 20 thus comprises the blocking mechanism. If the blocking mechanism is activated, the interface 20 prevents the software update from being forwarded to the processor 30 or the microcontroller 40, or the data memory in which the software is stored.

    [0047] According to a second embodiment, the blocking mechanism is part of the processor 30 and/or of the microcontroller 40. If the blocking mechanism is activated, the processor 30 and/or the microcontroller 40 prevent/prevents the application of a software update. The execution or the starting of a software update is preferably prevented.

    [0048] Furthermore, the bootloader, which allows the software update, in particular carries it out, is prevented from being executed. When the blocking mechanism is activated, the system no longer starts the bootloader.

    [0049] A changing of the software of the control device 1 is inhibited or prevented after activation of the blocking mechanism. Also prevented is the possibility of applying supplements of the software, for example new modules which allow the function range to be extended, or the like.

    [0050] The microcontroller 40 and the processor 30 are designed to communicate with further components 10 of the motor vehicle via the interface 20. The microcontroller 40 and the processor 30 can receive and/or transmit signals, in particular information signals and/or command signals, via the interface 20. Internal data can also be read by the control device, such as voltages, consumption, test results and/or measuring times. There can also be read traceability data, such as in particular production data, information about factory, line, date, timestamp, production steps, TTNR, device configuration, status, point in time of the activation of the blocking mechanism. The processor 30 and/or microcontroller 40 are/is designed to evaluate and process the received signals and correspondingly activate the component.

    [0051] The blocking mechanism is activated in particular in a time-dependent manner, in dependence on defined events, received signals or a combination thereof.

    [0052] A time-dependent activation of the blocking mechanism can occur for example after a defined time. Such a time can be for example the operating time of the motor vehicle. In particular, the activation can occur after X hours' operating time. The activation is prevented from already occurring during the production.

    [0053] An activation of the blocking mechanism can occur in dependence on a signal, for example if a specific signal is detected at the connected vehicle bus, and/or if a combination of signals is detected at the control device 1 and/or if a signal is detected which signals that the vehicle has ended the production phase and/or if it is detected by means of a signal that the component has been put into operation for the first time and/or that the production process for the component has been successfully concluded and/or if it is detected that the vehicle has exceeded a certain speed.

    [0054] Furthermore, the activation of the blocking mechanism can occur in dependence on the number and/or type of the detected bus signals, in particular data packets. For this purpose, the control device 1 for example counts the number of bus signals, in particular the number of specific bus signals, which it receives via the interface 20. If a predefined value is exceeded, the blocking mechanism is activated.

    [0055] The activation preferably occurs at the end of production, in particular before the delivery to the OEM, the TIER company or the end customer.

    [0056] The detection of events can also be used to activate the blocking mechanism.

    [0057] For example, the activation of the blocking mechanism occurs after the component has been in operation in the motor vehicle for a defined minimum time. The vehicle bus signals are evaluated at the interface 20 of the control device 1. For as long as the vehicle bus signals are detected, a timer in the control device 1 is incremented. After a limit value has been reached, the blocking mechanism is activated. If for example other signals are used during the production by the component manufacturer or by the vehicle manufacturer, the timer is not incremented. For the manufacturer of the component, it is possible to apply software updates as often as desired up to the activation of the blocking mechanism. Furthermore, the vehicle manufacturer, in particular during the production, can apply software updates as often as desired.

    [0058] As a development, a combination of the aforementioned detected signals, events and/or operating times can be used to activate the blocking mechanism. In particular, there can also occur an activation of different criteria and/or operations which by means of or are linked with one another. For example, an activation can occur if a certain number of bus signals have been received by the interface 20. At the same time, an activation can also occur if the motor vehicle exceeds a certain speed for the first time. Depending on which of the conditions occurs first, the activation occurs on the basis of the occurrence of these conditions.

    [0059] According to one development of the invention, the activation of the blocking mechanism can occur in dependence on the number of the software updates carried out. A situation would thus be possible in particular in which for example the component manufacturer can apply one or more software updates and the car manufacturer can likewise apply one or more software updates.

    [0060] According to one development of the invention, the control device 1 has a housing. The processor 30 and the microcontroller 40 are arranged within the housing. The housing is filled with a potting compound. The potting compound cures after being poured in. The potting compound has the effect that contacting, in particular direct contacting with the pins of the processor 30 or of the microcontroller 40, is then only possible if the potting compound is removed and thus damaged.

    [0061] FIG. 2 illustrates the method 100 according to the invention. The method is started in method step 105. Such a start occurs for example during the starting of the engine or shortly before the driver of the motor vehicle drives away. It occurs if a new signal, in particular a data packet, arrives at the interface. However, the method is also carried out during test runs in the production. In general, the method can always be carried out when the motor vehicle is used.

    [0062] In method step 110, it is checked whether the blocking mechanism is already activated or has been activated. If the blocking mechanism is not activated, the procedure continues with method step 115. If the blocking mechanism is activated, the procedure continues with method step 145, which will be described below.

    [0063] In method step 115, it is checked whether one or more defined conditions have occurred. Such a condition can be an event, for example. The event can preferably be for example the use of the motor vehicle. The conditions also comprise the aforementioned conditions. If the event has not occurred, the procedure continues with method step 120. In method step 120, the application of a software update is possible. Subsequent to method step 120, the control device 1 switches into the extended operation mode 125. If the control device is in the extended operation mode/method step 125, the application of a software update is possible. The extended operation mode 125 corresponds to the standard use mode 150, except that the application of software updates and/or parameters is possible, since the blocking mechanism is deactivated.

    [0064] Optionally, subsequent to the method step, the method can switch back into method step 105.

    [0065] According to one development of the invention, the method step 105 is left only if it is attempted to apply a software update. In method step 105, it is checked whether an attempt is made to apply a software update.

    [0066] If the conditions are satisfied in method step 115, further conditions can be interrogated in an optional method step 130. However, it is also possible to switch directly to method step 140.

    [0067] In method step 140, the blocking mechanism is activated. If the optional further conditions are not satisfied in the optional method step 130, the procedure is continued with method step 120.

    [0068] If the checking in method step 110 reveals that the blocking mechanism is already activated, the system passes into the standard use mode 145. In the standard use mode 145, the application of software updates is inhibited. The blocking mechanism is activated. Nevertheless, communication can continue via the interface. In particular, a writing to the memory in which parameters and the software are stored is inhibited. The bootloader is preferably prevented from being executed.

    [0069] According to one development of the invention, the method 100 is carried out for each incoming signal, in particular data packet. If the blocking mechanism is activated, the data packet, which contains software or parameters, in particular also a command for changing a parameter, is rejected or refused.

    [0070] If the blocking mechanism is activated, the software or firmware memory of the processor, in particular of the microcontroller, is not written to and/or overwritten, so that the software, in particular of the control device, is not overwritten. The software update is inhibited.

    [0071] It is preferably no longer possible to write to or overwrite the persistent memory of the microcontroller or processor.

    [0072] Optionally, it is possible in method step 120 also for method step 110 to follow. As a result, there occurs a continuous interrogation of the conditions in method step 115 and the optional method step 130.

    [0073] In the optional method step 150, a signal, in particular a packet, is awaited. If a signal is received, method step 105 is carried out. This occurs in particular when the method is carried out for each incoming data packet.

    [0074] According to one development, the blocking mechanism is not activated if a software update is being carried out.

    [0075] What is concerned according to the invention is a method 100 for activating a blocking mechanism which inhibits updates, in particular software updates, being applied to a control device for controlling components of a motor vehicle. An update of the software is also understood to mean a changing of the software by means of a software update. Furthermore, this can also be understood to include a software change, in particular a software downgrade. In particular, the control software and/or firmware is to be understood here under software.

    [0076] What is also concerned according to the invention is a method 100 for blocking the possibility of changing, in particular updating and/or downgrading, a control device 1 which is designed to control a component of a vehicle.

    [0077] According to one embodiment, the blocking mechanism is designed as a software switch. In particular, a variable and/or a parameter are/is set and/or a function is started. According to one development, the blocking mechanism is configured as a type of firewall which blocks or does not forward the corresponding data packets. The blocking mechanism is advantageously designed as part of the interface.

    [0078] According to a second embodiment, the blocking mechanism is configured as a hardware switch. This can be implemented in particular by throwing a switch and/or switching an electrical switch, such as for example a transistor or MOSFET. However, it can also be implemented by the blowing of a fuse or the melting of a component. An electrical energy accumulator, in particular a capacitor, can also be charged or discharged. The hardware switch can here be part of the control device 1. The hardware switch can also be implemented in the interface 20 or the processor 30 or the microcontroller 40. In particular, a flag is set by means of the hardware switch that has the effect of inhibiting software-changing measures. The flag is checked in particular in method step 110. Once set, the flag can no longer be changed.

    [0079] A memory location is preferably changed. The memory location is part of a nonvolatile memory, in particular of a permanent, preferably a persistent, memory which once changed can no longer be changed. The memory is part of the control device 1, in particular of the microcontroller 40, preferably of the processor 30. The memory can also be part of the interface 20. The memory location is checked in method step 110.
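
    The per-frame flow of method 100 (steps 110 to 145), with the vehicle-bus counter of [0057], the first-condition-wins rule of [0058] and the deferral of [0074], sketched in C as an added example; it is not code from the patent. Frame classes, thresholds and all identifiers are assumptions, and a plain bool stands in for the write-once memory location of [0079].

```c
#include <stdbool.h>
#include <stdint.h>

/* Frame classes arriving at interface 20; names are assumptions of this sketch. */
typedef enum { FRAME_VEHICLE_BUS, FRAME_PRODUCTION_TEST, FRAME_STATUS_REQUEST,
               FRAME_UPDATE_DATA, FRAME_UPDATE_END } frame_kind_t;
typedef enum { RES_HANDLED, RES_UPDATE_ACCEPTED, RES_UPDATE_REJECTED } result_t;

typedef struct {
    frame_kind_t kind;
    uint16_t     speed_kmh;      /* only meaningful for FRAME_VEHICLE_BUS */
} frame_t;

typedef struct {
    bool     lock_flag;          /* stands in for the write-once location of [0079] */
    bool     update_in_progress; /* [0074]: never lock in the middle of an update */
    bool     speed_tripped;      /* latched: speed limit exceeded at least once */
    uint32_t vehicle_frames;     /* [0057]: only vehicle bus signals are counted */
    uint32_t frame_limit;        /* assumed threshold */
    uint16_t speed_limit_kmh;    /* assumed threshold */
} ecu_t;

/* Step 140. Deliberately the only writer of lock_flag, and it can only set it. */
static void lock_activate(ecu_t *e) { e->lock_flag = true; }

/* Steps 115/130: whichever condition occurs first triggers the lock ([0058]). */
static bool lock_conditions_met(const ecu_t *e)
{
    return e->speed_tripped || e->vehicle_frames >= e->frame_limit;
}

/* Method 100, run once for every frame received at the interface ([0069]). */
result_t ecu_on_frame(ecu_t *e, frame_t f)
{
    if (!e->lock_flag) {                               /* step 110 */
        if (f.kind == FRAME_VEHICLE_BUS) {
            if (e->vehicle_frames < UINT32_MAX)
                e->vehicle_frames++;                   /* saturate, never wrap */
            if (f.speed_kmh > e->speed_limit_kmh)
                e->speed_tripped = true;
        }
        if (lock_conditions_met(e) && !e->update_in_progress)
            lock_activate(e);
    }
    if (f.kind == FRAME_UPDATE_DATA || f.kind == FRAME_UPDATE_END) {
        if (e->lock_flag)
            return RES_UPDATE_REJECTED;                /* standard use mode 145 */
        e->update_in_progress = (f.kind == FRAME_UPDATE_DATA);
        return RES_UPDATE_ACCEPTED;                    /* steps 120/125 */
    }
    return RES_HANDLED;   /* status and control traffic continues when locked */
}

int main(void)
{
    ecu_t e = { .frame_limit = 2, .speed_limit_kmh = 20 };
    ecu_on_frame(&e, (frame_t){ FRAME_VEHICLE_BUS, 0 });
    ecu_on_frame(&e, (frame_t){ FRAME_VEHICLE_BUS, 0 });  /* limit reached: lock */
    return ecu_on_frame(&e, (frame_t){ FRAME_UPDATE_DATA, 0 })
               == RES_UPDATE_REJECTED ? 0 : 1;
}
```

    In this sketch an update session that never sends its end frame keeps update_in_progress set and postpones the lock indefinitely, so a production version would bound that state with a timeout.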