CN118092373A - OTA rollback control method of vehicle-mounted controller based on partition downloading technology - Google Patents


Publication number
CN118092373A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311496875.0A
Other languages
Chinese (zh)
Inventor
吴成加
吴嘉熙
夏宇生
郝绪程
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jinlv Environmental Technology Co ltd
Original Assignee
Jinlv Environmental Technology Co ltd

Abstract

The invention relates to a control method, in particular to an OTA rollback control method for a vehicle-mounted controller based on a partition downloading technology, which comprises the following steps: setting a storage unit as a boot partition, a user code partition unit and an information marking unit; the system of the controller starts in the boot partition, reads the mark value from the information marking unit, determines the entry address at which the boot code jumps to the user code, and executes the user code at that entry address; while the user code is executing, when an OTA upgrade instruction is received, the start boot mark is erased, execution then jumps to the Boot code, and the corresponding user area is erased and programmed online in the Boot program according to a second boot mark; after the online programming is finished, the marks are rewritten to the two information marking units; and data is acquired in an OTA mode, and the current controller program in the start-up storage unit is upgraded using the acquired data, so as to ensure the normal running of the vehicle.

Description

OTA rollback control method of vehicle-mounted controller based on partition downloading technology
Technical Field
The invention relates to a control method, in particular to an OTA rollback control method of a vehicle-mounted controller based on a partition downloading technology.
Background
Currently, many electric vehicles are equipped with an OTA upgrade function for the on-board controller, so as to obtain an updated controller program and control the vehicle with it. This facilitates rapid repair of system defects and rapid software iteration to enhance the product and the user experience, and it saves the time and funds required for local maintenance of the system. OTA upgrading can greatly reduce the recall cost caused by software defects.
OTA upgrades also carry a certain risk: the upgrade may fail. If the OTA upgrade fails, the vehicle-mounted controller has no runnable program, so the system goes down and the vehicle cannot run. In the prior art, the FLASH of the MCU is divided into two areas, A and B. Area A is the normal APP operation area, the Boot Loader boots only the APP in area A, and area B is a backup area. During OTA, the backup area is erased first, the APP1 in the operation area (area A) is compressed and backed up to the backup area (area B), APP1 is then erased and the updated program is flashed. If verification finds the newly flashed program illegal or damaged, it is erased, and the backup program in the backup area is decompressed and flashed back to the operation area, so that operation can continue with the original program after the OTA fails.
The drawback of this scheme is that, during the upgrade, both code areas are erased in succession and the code is compressed and decompressed, so the boot code occupies excessive FLASH space, and once compression or decompression of the code fails, the system cannot operate.
Disclosure of Invention
The invention provides an OTA rollback control method for a vehicle-mounted controller based on a partition downloading technology, which aims to solve the prior-art problems that the boot code occupies a large FLASH space because of compression and decompression, and that the system cannot operate if compression or decompression fails.
The aim of the invention can be achieved by the following technical scheme:
An OTA rollback control method for a vehicle-mounted controller based on a partition downloading technology comprises the following specific steps:
setting a start-up storage unit, a user code partition unit and an information marking unit, wherein the start-up storage unit is a boot partition;
the system of the controller starts in the boot partition and reads the mark value from the information marking unit, thereby determining the entry address at which the boot code jumps to the user code, and executes the user code at that entry address;
while the user code is executing, when an OTA upgrade instruction is received, a first start boot mark is erased, execution then jumps to the Boot code, and the corresponding user area is erased and programmed online in the Boot program according to a second boot mark;
after the online programming is finished, the marks are rewritten to the two information marking units; and data is acquired in an OTA mode, and the current controller program in the start-up storage unit is upgraded using the acquired data.
Preferably, the start-up storage unit is used for storing a controller program for the vehicle-mounted controller to execute.
Preferably, the result of the upgrade of the controller program includes:
if the upgrade is successful, marking the current updated program entry address as the latest available program entry address in the system marking area, marking the old version program as the rollback backup code entry address, and updating the controller program in the starting storage unit as the current controller program which can be executed by the vehicle-mounted controller;
If the upgrade fails, the current updated program entry address is not marked in the system marking area, at this time, the old version program code entry address is marked as the entry address of the rollback code, the control program in the starting storage unit is not executed by the current controller, and the system still executes the old version program.
Preferably, the FLASH space of the controller is set to 256Kb, and is divided into four areas.
Preferably, the four areas in the FLASH space of the controller include a Boot area, a user code area and a tag area, which correspond to the start storage unit, the user code partition unit and the information tag unit.
Preferably, the user code region includes an APP1 region and an APP2 region, and the tag region includes a FLAG1 block and a FLAG2 block.
Preferably, the user codes stored in the user code partition unit with different versions can all run independently, and both codes have independent storage space and offset interrupt vector table.
Preferably, in the boot code, the system of the controller reads the value of the FLAG1 block of the FLASH FLAG area, and determines whether to jump to the A user code or the B user code according to the value of the FLAG1 block.
The beneficial effects of the invention are as follows: in this OTA rollback control method, through reasonable division of the A and B areas, the two code areas each hold a different version of the code, new and old, both in a runnable state; by modifying and reading the two mark blocks in the FLASH marking area, the running code can be switched between versions or a user area can be erased, so that the vehicle-mounted controller always has an executable controller program and normal running of the vehicle is ensured.
Drawings
The present invention is further described below with reference to the accompanying drawings for the convenience of understanding by those skilled in the art.
Fig. 1 is the operation procedure of an OTA rollback control method of a vehicle-mounted controller based on a partition downloading technology according to an embodiment of the present invention;
Fig. 2 is a FLASH space allocation diagram of a vehicle-mounted controller based on a partition downloading technology according to an embodiment of the present invention;
Fig. 3 is a flowchart of the jumps between user code and boot code in an OTA rollback control method of a vehicle-mounted controller based on a partition downloading technology according to an embodiment of the present invention.
Detailed Description
In order to further describe the technical means and effects adopted by the invention for achieving the preset aim, the following detailed description is given below of the specific implementation, structure, characteristics and effects according to the invention with reference to the attached drawings and the preferred embodiment.
Technical terms related to the embodiment of the invention:
OTA: Over-the-Air technology; OTA can be understood as a remote wireless upgrade technology;
Boot: a boot program, widely used in embedded systems, that boots the operating system into operation;
FLASH memory: flash memory combines the advantages of ROM and RAM; it is electrically erasable and programmable and can be read quickly, and its data is not lost on power failure;
FLAG: EFLAGS register, a technical term in computing, namely a status flag register;
Programming: the process of writing a program into a storage medium such as ROM or FLASH so that the generated program is fixed in the storage medium; programming can be a single event or a task performed repeatedly over the whole life cycle of the device, providing new software, instructions or configuration files for the device.
The vehicle controller controls the systems and operation of the vehicle and processes sensor and other data inputs to control the vehicle's motion automatically; while the vehicle is running it must monitor and adjust the performance of the engine and other systems to ensure optimal operation. An unsuccessful upgrade during this process creates driving risks, so an OTA rollback control method for a vehicle-mounted controller based on the partition downloading technology is provided. As shown in Fig. 1, the specific steps include:
In step S1, a start-up storage unit, two user code partition units and an information marking unit are set, wherein the start-up storage unit is a boot partition;
In step S2, the system of the controller starts in the boot partition and reads the mark value from the information marking unit, thereby determining the entry address at which the boot code jumps to the user code, and executes the user code at that entry address;
In step S3, while the user code is executing, when an OTA upgrade instruction is received, the first start boot mark is erased, execution then jumps to the Boot code, and the corresponding user area is erased and programmed online in the Boot program according to the second boot mark; the Boot code is the boot code, a key part of the operating system loading process.
In step S4, after the online programming is finished, the marks are rewritten to the two information marking units; data is acquired in an OTA mode, and the current controller program in the start-up storage unit is upgraded using the acquired data.
When the user code receives an OTA upgrade instruction during execution, the Boot mark is erased and execution jumps to the Boot code; the corresponding user area is erased and programmed in the Boot program according to the other mark, and the marks are rewritten to the two mark areas once the online programming is finished.
Further, in a preferred embodiment of the present application, the result of the upgrade of the controller program includes:
If the upgrade is successful, marking the current updated program entry address as the latest available program entry address in the system marking area, and marking the old version program as the rollback code entry address; thus, an updated program entry occurs, and the controller program is changed, and the controller program in the start-up storage unit is updated to the current controller program executable by the in-vehicle controller;
If the upgrade fails, the current updated program entry address is not marked in the system marking area, the updated program code entry does not replace the old version program code entry, and at the moment, the old version program code entry address is marked as the entry address of the rollback code.
Rollback control restores the data or the program code entry to its pre-upgrade state when the vehicle-mounted controller upgrade does not succeed, guarding against the danger an unsuccessful upgrade poses to the driving system. Rollback control is implemented through a transaction log and a locking mechanism. The transaction log is the collected record of the operations of each transaction in the system and supports continued normal operation when a fault occurs during execution. If any fault occurs while a transaction is executing, the data can be restored from the transaction log to the normally operating state before the fault, which handles the impact of unexpected events on the whole system and keeps the system running stably. The locking mechanism ensures the consistency and integrity of the data: it locks the data and objects being accessed and releases the lock automatically after the transaction completes. If a transaction error causes an operation to fail, the locking mechanism protects the data in the system from interference, and when the system needs to roll back, the rollback is performed on the locked data objects so that the data is restored to its previous state.
Further, in a preferred embodiment of the present application, the space of the FLASH memory is allocated among the modules of the embedded system, with storage space of different sizes allocated to different modules, so as to ensure the stability of the system. The different module areas can store program code, data configuration information and the like, which are called and used at run time; space allocation allows the storage to be managed better and prevents data conflicts or overlaps that would adversely affect system operation and upgrading. As shown in Fig. 2, the controller FLASH space allocation diagram assumes that the controller FLASH space is 256kb, divided into four areas: a boot area, two user code areas and a mark area. The space of each area in the FLASH is allocated according to execution requirements; the user code areas must store different, independently runnable user codes, so they need more space than the mark area and the boot area. The mark area is 4Kb, the user code APP1 area is allocated 118Kb, the user code APP2 area is allocated 118Kb, and the Boot area is allocated 16Kb. FLASH space allocation makes reasonable use of the memory space, avoiding wasted resources and improving the efficiency and performance of the system. Storing the program and data in the FLASH memory ensures the safety of the data and avoids data loss from unexpected factors blocking the controller upgrade and thereby causing an unexpected driving incident.
Further, in a preferred embodiment of the present application, the four areas in the FLASH space of the controller comprise a Boot area, user code areas and a tag area, corresponding to the start-up storage unit, the user code partition unit and the information marking unit; the Boot area is used to receive update information. Further, in a preferred embodiment of the present application, the user code area includes an APP1 area and an APP2 area, and the tag area is further divided into two FLASH blocks, namely a FLAG1 block and a FLAG2 block.
Further, in a preferred embodiment of the present application, the user code partition unit stores different versions of user codes that can be independently run, and each code has a relatively independent memory space and an offset interrupt vector table. If the user codes are interdependent, there is a risk of version incompatibility, and if one of the versions of the codes has a problem, it may cause the problem of upgrading the whole system, and finally, the system is unstable or the system operates abnormally. In addition, if the codes are interdependent, when a problem occurs in the user codes, the modification and testing of the codes become difficult, more time and labor are required, and development cost and operation and maintenance cost are increased. The user codes in the user code partition units are designed to be of different versions, the different versions can be operated independently, and different operation programs are carried out according to the instructions, so that independent storage spaces are reserved among the codes, different code contents are stored in a targeted mode, the storage and operation of the two codes are not interfered with each other, the influence on each other is small, and meanwhile, the stable OTA of the controller system is small. The independently operated user codes enable the system to have higher reliability, and when a certain user code has a problem or crashes, other codes can still continue to operate, and the content of the part of the user code is prepared, so that the risk of the system facing crashes is reduced.
Further, in a preferred embodiment of the present application, within the boot code, the system of the controller reads the value of the FLAG1 block of the FLASH marking area and determines from it whether to jump to the A user code or the B user code. After the controller is reset, code always starts executing from the boot area at address 0x00000000; in the boot code the system reads the value of the FLAG1 block of the FLASH marking area and decides on that basis whether to jump to the A user code or the B user code. Under normal conditions, the different versions of user code stored in the two code areas can each run independently, each has its own relatively independent storage space and offset interrupt vector table, and which one runs depends on the flag value stored in the FLAG1 block of the FLASH marking area at power-on boot.
When the area A code is the latest available code, the FLAG1 block of the FLASH marking area stores the entry address identifier of the area A code; the entry address is 0x00004000 and the storage space of the area A code is 118Kb. The FLAG2 block in the FLASH marking area holds the identifier of the FLASH block to be erased at the next OTA.
Conversely, when the area B code is the latest available code, the FLAG1 block of the FLASH marking area stores the entry address identifier of the area B code; the entry address is 0x00021800 and the storage space of the area B code is 118Kb. The FLAG2 block in the FLASH marking area likewise holds the identifier of the FLASH block to be erased at the next OTA.
As shown in Fig. 3, the Boot code jump flow chart, after the system is powered on or reset the Boot code follows the right-hand branch of the flow chart: the system starts from address 0x00000000, i.e. the Boot area, reads the flag value of the FLAG1 block in the Boot program, determines the jump-in address of the APP user code from the current flag value, and finally the Boot program jumps to the corresponding APP user code area, i.e. the APP1 area or the APP2 area, and runs the corresponding user code, completing the start-up process. Otherwise, if reading the FLAG1 block flag value fails or the value is abnormal, which indicates that the system is currently in the OTA receiving state, the system stays in the Boot area without jumping and waits to receive the OTA and carry out the FLASH erase and write operations.
When the APP user code receives an OTA update instruction during normal operation, the APP code erases the code entry address identifier stored in the FLAG1 block of the FLASH marking area and the system then resets; after the reset the system automatically enters the Boot area and, in the Boot program, reads the value stored in the FLAG1 block of the FLASH marking area.
As shown in Fig. 3, in the OTA receiving process on the left-hand side of the Boot code jump flow chart, when the Boot code receives the FLASH erase instruction it reads the value of the FLAG2 block from the FLASH marking area address; the FLAG2 block records the identifier of the FLASH block to be erased for the current OTA. The Boot code decides from the value stored in the FLAG2 block whether to erase block A or block B. After the block is erased, the Boot code receives the OTA information and writes it into the erased block. After the code has been received, the system writes the new entry address identifier into the FLAG1 block of the marking area and at the same time writes the new identifier of the FLASH block to erase on OTA into the FLAG2 block of the marking area. The system then restarts and executes the newly loaded code.
If an error occurs during the OTA process or the upgraded code functions abnormally, the bootstrap program revises the newly written entry address mark in the FLAG1 block of the FLASH marking area and restarts the system, and the old version of the user code is called again, so that user code can still run under unexpected conditions, reducing the adverse effect of the vehicle-mounted controller upgrade process on the safe and normal running of the vehicle.
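The FLAG1/FLAG2 boot, OTA receive and rollback flow described above, modelled in C against a RAM copy of the FLASH layout. This is an added example, not code from the patent: the mark-area base 0x0003F000 is derived from the stated area sizes, and the 2 KB flag blocks, the erased value 0xFFFFFFFF, the FNV-1a check used to detect a bad image and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout from the description: boot 16 KB, APP1/APP2 118 KB each, marks 4 KB. */
#define FLASH_SIZE (256u * 1024u)
#define APP_SIZE   (118u * 1024u)
#define BOOT_BASE  0x00000000u
#define APP1_ENTRY 0x00004000u              /* "A" user code */
#define APP2_ENTRY 0x00021800u              /* "B" user code */
#define FLAG_BASE  (APP2_ENTRY + APP_SIZE)  /* 0x0003F000, derived from the sizes */
/* Assumptions: each flag is one 32-bit word in its own 2 KB erase block,
   and erased flash reads back as all ones. */
#define FLAG_BLOCK 0x800u
#define FLAG1_ADDR FLAG_BASE                /* entry address to boot */
#define FLAG2_ADDR (FLAG_BASE + FLAG_BLOCK) /* area to erase on the next OTA */

static uint8_t flash[FLASH_SIZE];           /* RAM model of the FLASH array */

static void erase(uint32_t a, uint32_t n) { memset(&flash[a], 0xFF, n); }
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &flash[a], 4); return v; }
static void set_flag(uint32_t a, uint32_t v) { erase(a, FLAG_BLOCK); memcpy(&flash[a], &v, 4); }
static int is_app(uint32_t e) { return e == APP1_ENTRY || e == APP2_ENTRY; }
static uint32_t other(uint32_t e) { return e == APP1_ENTRY ? APP2_ENTRY : APP1_ENTRY; }

/* Stand-in integrity check (FNV-1a, an assumption). The page does not say how
   a bad image is detected; a real loader would use its own CRC or signature. */
static uint32_t image_hash(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Constructed starting state: A is current, B is the next erase target. */
static void factory_init(void) {
    erase(0, FLASH_SIZE);
    set_flag(FLAG1_ADDR, APP1_ENTRY);
    set_flag(FLAG2_ADDR, APP2_ENTRY);
}

/* Boot code after reset: the entry to jump to, or BOOT_BASE to stay in the
   boot area and wait for OTA when FLAG1 is erased or holds an unknown value. */
static uint32_t boot_select(void) {
    uint32_t f1 = rd32(FLAG1_ADDR);
    return is_app(f1) ? f1 : BOOT_BASE;
}

/* User code on an OTA instruction: erase FLAG1; the system then resets. */
static void app_on_ota_request(void) { erase(FLAG1_ADDR, FLAG_BLOCK); }

/* Boot code OTA receive path. Returns the entry that boots after restart. */
static uint32_t boot_receive_ota(const uint8_t *img, size_t len, uint32_t want) {
    uint32_t target = rd32(FLAG2_ADDR);
    if (!is_app(target)) return BOOT_BASE;  /* corrupt FLAG2: erase nothing */
    uint32_t old = other(target);           /* the image that must survive */
    int ok = len > 0 && len <= APP_SIZE;    /* bounds first: stay inside the area */
    if (ok) {
        erase(target, APP_SIZE);
        memcpy(&flash[target], img, len);
        ok = image_hash(&flash[target], len) == want;  /* check what was programmed */
    }
    if (ok) {
        set_flag(FLAG1_ADDR, target);       /* new code becomes the boot entry */
        set_flag(FLAG2_ADDR, old);          /* old code is the next erase target */
    } else {
        set_flag(FLAG1_ADDR, old);          /* rollback; FLAG2 still names the bad area */
    }
    return boot_select();
}

int main(void) {
    uint8_t img[64];                        /* constructed sample image */
    memset(img, 0xA5, sizeof img);
    factory_init();
    app_on_ota_request();
    printf("good image boots 0x%08X\n",
           (unsigned)boot_receive_ota(img, sizeof img, image_hash(img, sizeof img)));
    app_on_ota_request();
    printf("bad image boots  0x%08X\n",
           (unsigned)boot_receive_ota(img, sizeof img, 0u));
    return 0;
}
```

Because only the area named by FLAG2 is ever erased, a reset between `app_on_ota_request()` and the final flag writes leaves the previous image untouched and the controller waiting in the boot area.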
The present invention is not limited to the above embodiments, but is capable of modification and variation in detail, and other modifications and variations can be made by those skilled in the art without departing from the scope of the present invention.

Claims (8)

1. The OTA rollback control method of the vehicle-mounted controller based on the partition downloading technology is characterized by comprising the following specific steps:
Setting a starting storage unit, a user code partition unit and an information marking unit, wherein the starting storage unit is a guide partition;
The system of the controller starts in the guide partition, reads the mark value from the information mark unit, determines the entrance address of the guide code jumping to the user code, and executes the user code of the entrance address;
In the executing process of the user code, when an OTA upgrading instruction is received, a first starting guide mark is erased, then the Boot code is jumped to, and the corresponding user area is erased and programmed on line in a Boot program according to a second guide mark;
After the online programming is finished, re-writing marks to the two information mark units; and acquiring data in an OTA mode, and upgrading the current controller program in the starting storage unit by using the acquired data.
2. The OTA rollback control method of an in-vehicle controller based on a zone download technique according to claim 1 wherein the start-up storage unit is configured to store a controller program for execution by the in-vehicle controller.
3. The OTA rollback control method of an in-vehicle controller based on a zone download technique of claim 1 wherein upgrading the controller program comprises:
if the upgrade is successful, marking the current updated program entry address as the latest available program entry address in the system marking area, marking the old version program as the rollback backup code entry address, and updating the controller program in the starting storage unit as the current controller program which can be executed by the vehicle-mounted controller;
If the upgrade fails, the current updated program entry address is not marked in the system marking area, at this time, the old version program code entry address is marked as the entry address of the rollback code, the control program in the starting storage unit is not executed by the current controller, and the system still executes the old version program.
4. The OTA rollback control method of an on-board controller based on a zone download technology according to claim 1, wherein the FLASH space of the controller is set to 256kb, and is divided into four areas.
5. The method for OTA rollback control of a vehicle-mounted controller based on a partition downloading technology according to claim 4 wherein four areas in a FLASH space of the controller include a Boot area, two user code partitions and a tag area, corresponding to the start storage unit, the user code partition unit and the information tag unit.
6. The OTA roll-back control method of an in-vehicle controller based on a partition download technique according to claim 5 wherein the user code partition includes an APP1 area and an APP2 area, and the FLAG area includes a FLAG1 block and a FLAG2 block.
7. The method for OTA rollback control of a vehicle-mounted controller based on a partition downloading technology according to claim 1, wherein user codes stored in different versions in the user code partition unit can all run independently, and both codes have a storage space and an offset interrupt vector table which are relatively independent.
8. The OTA rollback control method of an on-board controller based on a partition download technology according to claim 1, wherein in the boot code, a system of the controller reads a value of a FLAG1 block of a FLASH FLAG area, and determines whether to jump to an A user code or a B user code according to the value of the FLAG1 block.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311496875.0A CN118092373A (en) 2023-11-10 2023-11-10 OTA rollback control method of vehicle-mounted controller based on partition downloading technology


Publications (1)

Publication Number Publication Date
CN118092373A true CN118092373A (en) 2024-05-28

Family

ID=91150691


Country Status (1)

Country Link
CN (1) CN118092373A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination