WO2005004160A2 - Verfahren zur durchführung eines software-updates eines elektronischen steuergerätes durch eine flash-programmierung über eine serielle schnittstelle und ein entsprechender zustandsautomat - Google Patents
Verfahren zur durchführung eines software-updates eines elektronischen steuergerätes durch eine flash-programmierung über eine serielle schnittstelle und ein entsprechender zustandsautomat Download PDFInfo
- Publication number
- WO2005004160A2 WO2005004160A2 PCT/DE2004/001326 DE2004001326W WO2005004160A2 WO 2005004160 A2 WO2005004160 A2 WO 2005004160A2 DE 2004001326 W DE2004001326 W DE 2004001326W WO 2005004160 A2 WO2005004160 A2 WO 2005004160A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- flash
- programming
- memory
- segment
- boot block
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
- G06F8/654—Updates using techniques specially adapted for alterable solid state memories, e.g. for EEPROM or flash memories
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1402—Saving, restoring, recovering or retrying
- G06F11/1415—Saving, restoring, recovering or retrying at system level
- G06F11/1433—Saving, restoring, recovering or retrying at system level during software upgrading
Definitions
- the present invention relates to a method for carrying out a software update of an electronic control unit by means of flash programming via a serial interface.
- Control units too.
- This memory technology enables software updates of the control units by reprogramming the corresponding flash memory of the control units via serial interfaces.
- the serial interface can be, for example, a central off-board diagnostic interface of a vehicle, via which the flash memory of an electronic device can be used with a so-called flash programming tool Control unit of the vehicle is reprogrammed.
- a software update is therefore possible without removing the corresponding electronic control unit from the vehicle, which leads to considerable cost savings compared to replacing or removing a control unit.
- high safety and reliability requirements must be met, particularly in the service of vehicles and in the area of safety-relevant electronic control units.
- flash programming a distinction must therefore be made between the steps of deleting and programming flash segments. It must also be noted that it is not possible to run a program from one flash segment at the same time as another flash segment of the same flash module is being reprogrammed.
- the program parts for controlling the programming sequence for a flash component must therefore, at least temporarily while the flash programming is being carried out, in another memory module, for example in another flash module or in a free RAM (random access memory) area of the control device be outsourced.
- flash programming via a so-called off-board diagnostic interface can always take a relatively long time. It is to be expected that the programming process will be terminated at any time due to any faults that may occur. Such faults are, for example, the failure of the voltage supply of a vehicle or the flash programming tool, impermissible reaction of other control devices in the network, interruption of the communication link between the electronic control device to be programmed and the flash programming tool used for this, or an operating error. A failed authentication and signature check can also lead to the termination of flash programming. It is therefore necessary to be able to guarantee the availability or an immediate restart of the flash programming at any time.
- a method for performing a software update of a control device by a flash Programming of a multi-segment flash memory of the control device is provided via a serial interface, with requirements to be made of the flash programming being specified in a first step of the method, so that a sequence of the
- Flash programming is specified by a state machine that defines states and transitions of the software of the control device, and ultimately availability, security and reliability requirements of each state and each transition of the state machine are checked.
- different operating states are preferably first specified for the software of the control device.
- a distinction is preferably made between an “initial state”, a “normal state” and a “software update” state.
- the transitions between the mentioned operating states and the transition conditions are defined.
- memory blocks of the software of the control device relevant for the flash programming are subdivided into programmable and non-programmable memory blocks and software components to be reprogrammed are correspondingly assigned to the control blocks.
- the memory blocks of the software are preferably each assigned to a memory of the control unit, in particular a programmable memory block to a segment of the flash memory or a non-programmable memory block to a ROM (read-only memory) of the electronic control unit.
- a memory of the control unit in particular a programmable memory block to a segment of the flash memory or a non-programmable memory block to a ROM (read-only memory) of the electronic control unit.
- ROM read-only memory
- the program status is often already programmed during control unit production, while the data status is later programmed, for example, vehicle-specifically at the end of the production of a vehicle. Because of this, in a further preferred embodiment of the method according to the invention, the so-called boot block, the program status and the data status are stored in each segment of the flash memory of the control device. That means different
- All program parts of the control unit which are required for communication between the control unit and a flash programming tool via the off-board diagnostic interface during flash programming, must be together with corresponding flash programming routines, a so-called flash loader in the ROM of the electronic control unit or in another other flash segment.
- the program parts required for communication between the control unit and the flash programming tool are subdivided into programmable and non-programmable parts, namely a basic scope stored in the ROM hereinafter referred to as a start-up block, and a basic scope stored in the flash, hereinafter referred to as a boot block designated.
- Start-up and boot block together the a 'flash programming via an off-board diagnostic interface necessary software functionality a microcontroller of the control unit.
- a division into start-up and boot blocks makes sense for various reasons.
- the boot block itself can be reprogrammed if it is stored in the flash memory as described. Furthermore, in
- Boot block the current status of flash programming can be saved so that it can be restarted, for example, after the flash programming has been canceled.
- the unchangeable basic functionality of the start-up block and an identifier for a hardware variant of the electronic control unit can be stored in the cheaper and non-reprogrammable ROM of the control unit.
- the program and data status are each stored in a different segment of the flash memory.
- a flash programming tool triggers a transition of a microcontroller of the control device into the "software update" operating state.
- additional safety measures are required for use in production and service. Accordingly, for reasons of liability, for example, it is necessary to prevent unauthorized flash programming or flash programming with manipulated program or data status as far as possible. At least such flash programming should be recognized and proven. Flash programming access is therefore usually secured using two different encryption methods. On the one hand, there is an authentication, which corresponds to a check of the actual access authorization and after one
- Plausibility check is carried out.
- a digital key is used to check whether a user of the flash programming tool is even authorized to carry out a software update.
- a second encryption method is a so-called signature check. The data consistency of a new program or data status to be programmed is checked.
- a flash programming tool uses a further digital key to check whether the program or data status to be re-programmed matches the control unit hardware and whether the program or data status to be re-programmed, for example after delivery by the vehicle manufacturer to the Service organization has been tampered with.
- the actual deletion and programming of the corresponding segments of the flash memory should only be made possible or released after a successful conclusion in the aforementioned test. The release is carried out by the boot block described above.
- the signature of a microcontroller of the control unit is calculated on the basis of the program and data status actually programmed in the flash memory in order to avoid errors during the To be able to recognize programming.
- this calculated signature is stored in the flash memory itself.
- special memory structures a so-called Program status and data status logistics as part of the program and data status stored in flash memory. Only after a successful signature check does the boot block release the activation of the new program, such as a driving program.
- the availability requirement of the flash programming is preferably also specified in the method according to the invention. Since flash programming via the off-board diagnostic interface can take a relatively long time despite the optimization measures already described, the programming process can generally be terminated at any time due to malfunctions. Such faults are, for example, a failure of a voltage supply to a vehicle or a flash programming tool, impermissible reactions of other interference devices in the network, interruptions in the communication link between the electronic control unit and the flash programming tool used, or operating errors. Failed authentication and signature checks also usually lead to the flash programming being aborted. For a design of the flash programming process, it is therefore important to ensure the availability of flash programming under all conceivable circumstances. This means, for example, that a restart of the programming process is guaranteed at all times after an abort in all situations. For this purpose, in a further preferred embodiment of the method according to the invention, the state machine executes the flash programming in
- Operating state specifiable sub-states, transitions between these and transition conditions specified.
- the sub-states can be the sub-state "Abort / error message” or Act “completion / success report”.
- sub-states for authentication and signature verification can preferably be specified, as well as sub-states for deleting and programming segments of the flash memory.
- the present invention comprises a computer program consisting of program code elements, by means of which, when the program code elements are executed on a computer or on a computer system, automatically predefined availability, security and
- the present invention relates to a method for flash programming a boot block described above.
- a method is provided for carrying out flash programming of a boot block providing the software functionality required for carrying out the flash programming.
- the boot block is stored in a first segment of a flash memory.
- the old boot block to be reprogrammed is copied into a free RAM area. This means that the still active old boot block must be transferred to another memory module of the control unit during flash programming, which means that the boot block must be relocatable.
- the old boot block is then activated in RAM and in Flash memory, where it is stored in a first segment, deactivated.
- the new boot block is buffered in a second segment of the flash memory. This step includes deleting the second segment of the flash memory and programming the new one
- Boot blocks in the second segment of the flash memory and a signature check for the new boot block in the second segment of the flash memory After an abort during these procedural steps, the flash programming can be started again with the valid, old boot block in the first segment of the flash memory.
- the new boot block is ultimately programmed by copying the second segment of the flash memory into the first segment of the flash memory. This step comprises deleting the first flash segment, programming the new boot block into the first flash segment by copying the second flash segment into the first flash segment and a signature check for the new boot block in the first flash -Segment. After a break during this
- a boot block is always marked in the flash memory as a boot block valid for a restart of the flash programming.
- This validation marker itself must be stored in the flash memory so that it cannot be restarted with this information.
- the new boot block is then activated in the first segment of the flash memory and at the same time the old boot block is deactivated in RAM.
- FIG. 1 shows a schematic representation of a specification of memory blocks of a control device relevant for flash programming according to an embodiment of the method according to the invention
- FIG. 2 shows a schematic representation of a specification of security requirements and measures according to a further embodiment of the method according to the invention
- FIG. 3 shows a schematic representation of states and transitions of a boot block in the case of flash programming of the program and data status of an electronic control unit
- Figure 4 is a schematic representation of the sequence of an embodiment of a method according to the invention for performing flash programming of a boot block.
- FIG. 1 shows an allocation of memory blocks of software of a control device for carrying out a software update of a control device by means of flash programming.
- a control device 1 with a microcontroller 2 is shown.
- the microcontroller 2 has a microprocessor 3 and three different memories, namely a ROM (read-only memory) 4, a flash memory 5 and a RAM (random access memory) 6.
- Control unit 1 has a serial interface 7 for coupling to an off-board diagnostic interface 8, via which a flash programming tool can be connected.
- a memory allocation of memory blocks of the software of the control device 1 relevant for the flash programming is shown.
- the memory blocks are subdivided into programmable and non-programmable memory blocks and software components to be reprogrammed are assigned to the memory blocks accordingly.
- the start-up block 9 and the boot block 10 together provide the software functionality of the microcontroller 2 necessary for flash programming via the off-board diagnostic interface 8.
- the division into start-up block 9 and boot block 10 makes sense for various reasons.
- the boot block 10 itself, which in the case shown here is stored in a segment A of the flash memory 11, can thus be reprogrammed.
- the current status of the flash programming can be stored captively in boot block 10, so that, for example, a restart is possible after an abort.
- the unchangeable basic functionality of the start-up block 9, on the other hand, can be stored in the cheaper and non-reprogrammable ROM 12.
- the program status is stored in a further segment of the flash memory, a flash segment B, and the data status is stored in a flash segment C.
- Microcontrollers 2 performed plausibility check 14, which must be carried out before a transition to the "software update" operating state, a check is carried out with respect to the actual access authorization.
- This step is referred to as authentication 15.
- a digital key is used to check whether a user of the flash programming tool 13 is authorized to carry out a software update.
- the data consistency of the program or data status to be newly programmed is checked.
- This step is also called signature verification.
- the flash programming tool 13 uses a further digital key to check whether the program or data status to be newly programmed matches the control unit hardware and whether the program or data status to be newly programmed has been manipulated inadmissibly since it was delivered.
- the signature is calculated by the microcontroller 2 on the basis of the program and data status actually programmed in the flash memory in order to be able to recognize errors during the programming.
- this calculated signature check is itself stored in the flash memory.
- special memory structures, so-called program status and data status logistics, are stored in the flash memory as part of the program and data status. Only after a successful signature check 19 does the boot block give the Activation of the new program such as a driving program freely.
- Figure 3 shows a schematic representation of the state and transitions of a boot block in a flash programming of program and data status.
- step 21 the programming process is immediately terminated with the simultaneous output of an error message F.
- step 22 the user of the connected flash programming tool is authenticated. There is also an abort with an error message F if an error is detected in step 23.
- a signature check 24 is then carried out, which is accompanied by a check of the data consistency via hardware
- a detected error 25 is also signaled here with an abort and an accompanying error message F.
- the flash segment in which the program status is stored is erased.
- the new program status is then programmed in a step 27 and a signature check 28 is carried out for the new program status.
- the same steps are carried out in steps 29, 30, 31 with regard to the flash programming of the data status. If an error is detected during the signature check for the program status or for the data status, then there is an abort with an accompanying error message F. If, on the other hand, no errors are detected, a transition takes place in a step 32 of the microcontroller in the operating state "initial state" by a reset.
- FIG. 4 describes the method steps in flash programming a boot block.
- the active boot block "A” must be swapped to another memory chip of the microcontroller during flash programming, i.e. Boot block "A” must be relocatable. This can be done, for example, by copying boot block "A” into a free RAM area during flash programming.
- the boot block "A” is then executed from the RAM. A restart of the programming sequence must be possible even after the flash programming of the boot block has failed. An error-free boot block is sufficient to maintain availability after a termination.
- the old boot block "A" is copied into a free RAM area.
- the old boot block is activated in RAM, which is identified by the marking "A", and deactivated in the flash memory.
- the new boot block is buffered in a flash segment C. Flash segment C is first deleted, the new boot block is programmed in flash segment C and a signature check is carried out for the new boot block in flash segment C. After a break during this
- Process steps can be restarted with the valid, old boot block in flash segment A.
- the new boot block is programmed, which is done by copying flash segment C to flash segment A.
- This step includes deleting flash segment A, programming the new boot block in flash segment A by copying flash segment C to A, and a signature check for the new boot block in flash segment A.
- the flash programming can be started again with the valid, new boot block in flash segment C.
- the valid boot block in the flash memory must be marked. This validation marker itself must be stored captively in the flash memory so that it can be restarted with this information.
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
- Storage Device Security (AREA)
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP04738775A EP1639603A2 (de) | 2003-06-24 | 2004-06-24 | Verfahren zur durchführung eines software-updates eines elektronischen steuergerätes durch eine flash-programmierung über eine serielle schnittstelle und ein entsprechender zustandsautomat |
JP2006515278A JP2007507016A (ja) | 2003-06-24 | 2004-06-24 | シリアルインターフェイスを介したフラッシュプログラミングによる電子制御装置のソフトウェアアップデート方法およびこれに対応する状態自動装置 |
DE112004001633T DE112004001633D2 (de) | 2003-06-24 | 2004-06-24 | Verfahren zur Durchführung eines Software-Updates eines elektronischen Steuergerätes durch eine Flash-Programmierung über eine serielle Schnittstelle und ein entsprechender Zustandsautomat |
US10/561,111 US20060248172A1 (en) | 2003-06-24 | 2004-06-24 | Method for updating software of an electronic control device by flash programming via a serial interface and corresponding automatic state machine |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE10328241 | 2003-06-24 | ||
DE10328241.6 | 2003-06-24 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2005004160A2 true WO2005004160A2 (de) | 2005-01-13 |
WO2005004160A3 WO2005004160A3 (de) | 2006-03-16 |
Family
ID=33559737
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DE2004/001326 WO2005004160A2 (de) | 2003-06-24 | 2004-06-24 | Verfahren zur durchführung eines software-updates eines elektronischen steuergerätes durch eine flash-programmierung über eine serielle schnittstelle und ein entsprechender zustandsautomat |
Country Status (5)
Country | Link |
---|---|
US (1) | US20060248172A1 (de) |
EP (1) | EP1639603A2 (de) |
JP (1) | JP2007507016A (de) |
DE (1) | DE112004001633D2 (de) |
WO (1) | WO2005004160A2 (de) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102007039809A1 (de) * | 2007-08-23 | 2009-02-26 | Bayerische Motoren Werke Aktiengesellschaft | Verfahren und Bordnetz zur Aktualisierung der Software in mindestens einem Steuergerät eines Kraftfahrzeugs mit einem USB-Speicherstick |
WO2011019390A1 (en) * | 2009-08-11 | 2011-02-17 | Silver Spring Networks, Inc. | Method and system for securely updating field upgradeable units |
US20140351460A1 (en) * | 2013-05-23 | 2014-11-27 | Honda Motor Co., Ltd. | Relay device |
DE102015214382A1 (de) | 2015-07-29 | 2017-02-02 | Robert Bosch Gmbh | Verfahren und Vorrichtung zum Aktualisieren eines Steuergerätes mit einem Bootmanager, einem Hypervisor und mindestens einem unter dem Hypervisor betriebenen Gastsystem |
DE102016201769A1 (de) | 2016-01-20 | 2017-07-20 | Robert Bosch Gmbh | Verfahren zum Aktualisieren von Software eines Steuergerätes, vorzugsweise für ein Kraftfahrzeug |
DE102016200711A1 (de) | 2016-01-20 | 2017-07-20 | Robert Bosch Gmbh | Verfahren zum Aktualisieren von Software eines Steuergerätes, vorzugsweise für ein Kraftfahrzeug |
Families Citing this family (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
AU2002232426A1 (en) * | 2000-11-17 | 2002-05-27 | Biftone Corporation | System and method for updating and distributing information |
US7409685B2 (en) | 2002-04-12 | 2008-08-05 | Hewlett-Packard Development Company, L.P. | Initialization and update of software and/or firmware in electronic devices |
US8479189B2 (en) | 2000-11-17 | 2013-07-02 | Hewlett-Packard Development Company, L.P. | Pattern detection preprocessor in an electronic device update generation system |
US8555273B1 (en) | 2003-09-17 | 2013-10-08 | Palm. Inc. | Network for updating electronic devices |
US7904895B1 (en) | 2004-04-21 | 2011-03-08 | Hewlett-Packard Develpment Company, L.P. | Firmware update in electronic devices employing update agent in a flash memory card |
US7366589B2 (en) * | 2004-05-13 | 2008-04-29 | General Motors Corporation | Method and system for remote reflash |
US8526940B1 (en) | 2004-08-17 | 2013-09-03 | Palm, Inc. | Centralized rules repository for smart phone customer care |
US20070185624A1 (en) * | 2006-02-07 | 2007-08-09 | General Motors Corporation | Method for remote reprogramming of vehicle flash memory |
EP2025095A2 (de) | 2006-06-08 | 2009-02-18 | Hewlett-Packard Development Company, L.P. | Geräteverwaltung in einem netzwerk |
EP2047420A4 (de) | 2006-07-27 | 2009-11-18 | Hewlett Packard Development Co | Benutzererfahrungs- und abhängigkeitsverwaltung bei einer mobilen vorrichtung |
US8397228B2 (en) * | 2007-11-14 | 2013-03-12 | Continental Automotive Systems, Inc. | Systems and methods for updating device software |
US8881134B2 (en) * | 2010-04-29 | 2014-11-04 | International Business Machines Corporation | Updating elements in data storage facility using predefined state machine over extended time period |
CN102073522A (zh) * | 2011-01-13 | 2011-05-25 | 深圳市科陆电子科技股份有限公司 | 面向嵌入式***的应用程序在线自我更新方法 |
CN102591692B (zh) * | 2012-01-11 | 2015-07-29 | 株洲南车时代电气股份有限公司 | 一种电力机车微机控制柜控制软件升级更新方法 |
CN103631607B (zh) * | 2012-08-21 | 2016-10-05 | 广州汽车集团股份有限公司 | 一种车载ecu软件刷新防错方法及*** |
US20140058532A1 (en) * | 2012-08-23 | 2014-02-27 | GM Global Technology Operations LLC | Method for partial flashing of ecus |
CN104702631B (zh) * | 2013-12-04 | 2018-04-10 | 航天信息股份有限公司 | 一种客户端软件的升级方法和*** |
JP6281535B2 (ja) * | 2015-07-23 | 2018-02-21 | 株式会社デンソー | 中継装置、ecu、及び、車載システム |
US9959125B2 (en) * | 2015-08-05 | 2018-05-01 | Samsung Electronics Co., Ltd. | Field update of boot loader using regular device firmware update procedure |
US10402561B2 (en) * | 2015-10-01 | 2019-09-03 | Samsung Electronics Co., Ltd. | Apparatus and method for protection of critical embedded system components via hardware-isolated secure element-based monitor |
CN109644153B (zh) * | 2016-04-12 | 2020-10-13 | 伽德诺克斯信息技术有限公司 | 具有被配置为实现安全锁定的相关设备的特别编程的计算***及其使用方法 |
DE102016221108A1 (de) * | 2016-10-26 | 2018-04-26 | Volkswagen Aktiengesellschaft | Verfahren zum Aktualisieren einer Software eines Steuergeräts eines Fahrzeugs |
FR3077399A1 (fr) * | 2018-01-29 | 2019-08-02 | Psa Automobiles Sa | Dispositif et procede pour eviter l’obsolescence des calculateurs a logiciel telechargeable utilisant une memoire a duree de retention limitee |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5701492A (en) * | 1996-03-29 | 1997-12-23 | Canon Kabushiki Kaisha | Fail-safe flashing of EPROM |
EP1120709A2 (de) * | 2000-01-28 | 2001-08-01 | Nec Corporation | Verfahren zum Überschreiben eines Boot-Programms in einem Flash-Mikrocomputer |
EP1260907A1 (de) * | 2001-10-16 | 2002-11-27 | Siemens Schweiz AG | Verfahren zur persistenten Speicherung von Daten |
US20030041182A1 (en) * | 1999-09-30 | 2003-02-27 | Andrew W. Martwick | Self updating a firmware device |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5838981A (en) * | 1995-10-05 | 1998-11-17 | Ricoh Company, Ltd. | Data communication apparatus with a program renewal function |
JP2001056787A (ja) * | 1999-08-20 | 2001-02-27 | Fujitsu General Ltd | メモリ書込装置およびその書込方法 |
US6442067B1 (en) * | 2000-05-23 | 2002-08-27 | Compaq Information Technologies Group, L.P. | Recovery ROM for array controllers |
-
2004
- 2004-06-24 DE DE112004001633T patent/DE112004001633D2/de not_active Expired - Fee Related
- 2004-06-24 WO PCT/DE2004/001326 patent/WO2005004160A2/de active Application Filing
- 2004-06-24 JP JP2006515278A patent/JP2007507016A/ja active Pending
- 2004-06-24 US US10/561,111 patent/US20060248172A1/en not_active Abandoned
- 2004-06-24 EP EP04738775A patent/EP1639603A2/de not_active Withdrawn
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5701492A (en) * | 1996-03-29 | 1997-12-23 | Canon Kabushiki Kaisha | Fail-safe flashing of EPROM |
US20030041182A1 (en) * | 1999-09-30 | 2003-02-27 | Andrew W. Martwick | Self updating a firmware device |
EP1120709A2 (de) * | 2000-01-28 | 2001-08-01 | Nec Corporation | Verfahren zum Überschreiben eines Boot-Programms in einem Flash-Mikrocomputer |
EP1260907A1 (de) * | 2001-10-16 | 2002-11-27 | Siemens Schweiz AG | Verfahren zur persistenten Speicherung von Daten |
Non-Patent Citations (2)
Title |
---|
ROLAND C. BACKHOUSE: "Program construction and verification" 1986, PRENTICE-HALL, INC. , UPPER SADDLE RIVER, NJ, USA 6 902873 , XP002332801 Seite 5, Zeile 1 - Seite 11, Zeile 39 * |
See also references of EP1639603A2 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102007039809A1 (de) * | 2007-08-23 | 2009-02-26 | Bayerische Motoren Werke Aktiengesellschaft | Verfahren und Bordnetz zur Aktualisierung der Software in mindestens einem Steuergerät eines Kraftfahrzeugs mit einem USB-Speicherstick |
WO2011019390A1 (en) * | 2009-08-11 | 2011-02-17 | Silver Spring Networks, Inc. | Method and system for securely updating field upgradeable units |
US9652755B2 (en) | 2009-08-11 | 2017-05-16 | Silver Spring Networks, Inc. | Method and system for securely updating field upgradeable units |
US20140351460A1 (en) * | 2013-05-23 | 2014-11-27 | Honda Motor Co., Ltd. | Relay device |
US9081699B2 (en) * | 2013-05-23 | 2015-07-14 | Honda Motor Co., Ltd. | Relay device |
DE102015214382A1 (de) | 2015-07-29 | 2017-02-02 | Robert Bosch Gmbh | Verfahren und Vorrichtung zum Aktualisieren eines Steuergerätes mit einem Bootmanager, einem Hypervisor und mindestens einem unter dem Hypervisor betriebenen Gastsystem |
DE102016201769A1 (de) | 2016-01-20 | 2017-07-20 | Robert Bosch Gmbh | Verfahren zum Aktualisieren von Software eines Steuergerätes, vorzugsweise für ein Kraftfahrzeug |
DE102016200711A1 (de) | 2016-01-20 | 2017-07-20 | Robert Bosch Gmbh | Verfahren zum Aktualisieren von Software eines Steuergerätes, vorzugsweise für ein Kraftfahrzeug |
WO2017125181A1 (de) | 2016-01-20 | 2017-07-27 | Robert Bosch Gmbh | Verfahren zum aktualisieren von software eines steuergerätes, vorzugsweise für ein kraftfahrzeug |
Also Published As
Publication number | Publication date |
---|---|
JP2007507016A (ja) | 2007-03-22 |
EP1639603A2 (de) | 2006-03-29 |
DE112004001633D2 (de) | 2006-06-22 |
WO2005004160A3 (de) | 2006-03-16 |
US20060248172A1 (en) | 2006-11-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2005004160A2 (de) | Verfahren zur durchführung eines software-updates eines elektronischen steuergerätes durch eine flash-programmierung über eine serielle schnittstelle und ein entsprechender zustandsautomat | |
EP3326101A1 (de) | Verfahren und system zur firmware-aktualisierung einer steuereinrichtung zur prozesssteuerung | |
DE102009020389A1 (de) | System zur Aktualisierung von Firmware und Verfahren dazu, und Verfahren zum Erzeugen von Firmware | |
EP1903436B1 (de) | Computersystem und Verfahren zum Aktualisieren von Programmcode | |
EP1346881A2 (de) | Verfahren und Vorrichtung zum Übernehmen von Daten | |
DE102011075776A1 (de) | Verfahren und System zum Aktualisieren eines gemeinsam genutzten Speichers | |
DE4235193A1 (de) | Netzwerksystem und zugehoeriges softwareverwaltungsverfahren | |
DE60205162T2 (de) | Verfahren zur Verwaltung eines Netzwerkgerätes, Verwaltungssystem und Netzwerkgerät | |
WO2013029940A1 (de) | Verfahren und system zum bereitstellen von gerätespezifischen betreiberdaten für ein automatisierungsgerät einer automatisierungsanlage | |
WO2006100232A1 (de) | Verfahren und vorrichtung zum konfigurieren eines steuergeräts und steuergerät | |
WO2003003200A1 (de) | Verfahren zum übertragen von software-modulen | |
DE19839680B4 (de) | Verfahren und Vorrichtung zur Veränderung des Speicherinhalts von Steuergeräten | |
DE102011102425A1 (de) | Simultanes Softwareupdate | |
EP1804144A1 (de) | Überprüfung des Steuerprogramms eines Steuergerätes für eine Maschine | |
EP3353650A1 (de) | System und verfahren zur verteilung und/oder aktualisierung von software in vernetzten steuereinrichtungen eines fahrzeugs | |
WO2005022382A2 (de) | Verfahren zur installation einer programmkomponente | |
WO2008019767A1 (de) | Verfahren zur programmierung eines steuergerätes eines kraftfahrzeugs | |
DE10234063A1 (de) | Verfahren zum variantenspezifischen Programmieren eines Programm- und Datenspeichers eines Steuergeräts, insbesondere eines Steuergeräts eines Kraftfahrzeugs | |
DE69916682T2 (de) | Verfahren zum Entriegeln des Zugriffs auf einen Rechner von einem Fernladungssystem einer Datei | |
DE102010016257A1 (de) | Generisches Firmware-Fileformat | |
DE102019103985A1 (de) | System und Verfahren zur Übertragung eines Betriebssoftware-Updates auf ein sicherheitsgerichtetes Gerät | |
DE102006030979A1 (de) | Anordnung und Verfahren zum Laden von Daten in einen Speicher | |
EP3811203A1 (de) | Verfahren zum aktualisieren von software auf einem zielgerät | |
DE102020216481A1 (de) | Verfahren zum Betreiben eines Steuergeräts und Steuergerät | |
DE102021202015A1 (de) | Verfahren zum Betreiben eines Steuergeräts und Steuergerät |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2004738775 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006515278 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1120040016339 Country of ref document: DE |
|
WWP | Wipo information: published in national office |
Ref document number: 2004738775 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006248172 Country of ref document: US Ref document number: 10561111 Country of ref document: US |
|
REF | Corresponds to |
Ref document number: 112004001633 Country of ref document: DE Date of ref document: 20060622 Kind code of ref document: P |
|
WWE | Wipo information: entry into national phase |
Ref document number: 112004001633 Country of ref document: DE |
|
WWP | Wipo information: published in national office |
Ref document number: 10561111 Country of ref document: US |