[go: up one dir, main page]

WO2020158075A1 - Memory rewrite history recording device - Google Patents

Memory rewrite history recording device Download PDF

Info

Publication number
WO2020158075A1
WO2020158075A1 PCT/JP2019/041841 JP2019041841W WO2020158075A1 WO 2020158075 A1 WO2020158075 A1 WO 2020158075A1 JP 2019041841 W JP2019041841 W JP 2019041841W WO 2020158075 A1 WO2020158075 A1 WO 2020158075A1
Authority
WO
WIPO (PCT)
Prior art keywords
history
memory
value
rewriting
determination unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2019/041841
Other languages
French (fr)
Japanese (ja)
Inventor
秀俊 宮田
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DensoTrim Corp
Original Assignee
DensoTrim Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by DensoTrim Corp filed Critical DensoTrim Corp
Priority to CN201980090587.0A priority Critical patent/CN113396398B/en
Priority to JP2020569374A priority patent/JP7085029B2/en
Publication of WO2020158075A1 publication Critical patent/WO2020158075A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the disclosure in this specification relates to a memory rewriting history recording device.
  • Patent Document 1 discloses a control device using a rewritable memory.
  • the description of the prior art documents listed as the prior art is incorporated by reference as a description of technical elements in this specification.
  • control device that uses a rewritable memory may record the rewriting action of the memory.
  • the history of rewriting actions makes it possible to detect rewriting of stored data. From one viewpoint, it is required to be able to detect illegal rewriting. From another perspective, even legitimate rewriting is required to be discoverable or reconfirmable. In view of the above, or in other aspects not mentioned, there is a need for further improvements in vehicle controls.
  • One disclosed purpose is to provide a rewriting history recording device of a memory that can efficiently detect a rewriting action.
  • Another disclosed purpose is to provide a rewriting history recording device for a memory that can detect rewriting actions with a small-scale configuration.
  • the memory rewrite history recording device disclosed herein stores the program and/or numerical value of the control device (5), is externally rewritable, and is a nonvolatile memory (8, M1), and a memory.
  • the inspection device (6, M2) for inspecting the stored data of No. 1 to determine whether the memory is normal or abnormal, and the history recording device (10, M3) for recording the history of external rewriting.
  • the memory has an area (36) for storing an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device from determining an abnormality, and a switch value (INT) for setting whether the inspection by the inspection device is valid or invalid.
  • -E/D) storage area (38) and the history contains both adjustment values and switch values.
  • both the adjustment value and the switch value are recorded as history. Since not only the adjustment value but also the switch value is recorded, both the correct external rewriting and the unauthorized external rewriting can be recorded as the history.
  • a rewriting history recording device for a memory in which a rewriting action can be found efficiently.
  • FIG. 1 is a block diagram of a vehicle system including a control device. It is a flowchart of an initialization process. It is a flowchart of a rewriting process. It is a flow chart of inspection processing. It is a flow chart of history processing. It is a flowchart of an output process. It is a block diagram of a memory rewriting history recording device.
  • FIG. 1 shows an equipment system 1.
  • the device system 1 includes a power source (PWRS) 2 as a control target.
  • the device system 1 includes a control system for controlling a control target.
  • the control system includes a sensor group (SNSR) 3, an actuator group (ACTR) 4, and a control device (ECU) 5.
  • Equipment includes stationary equipment and mobile equipment.
  • Stationary devices include, for example, air conditioners, power generators, and lighting devices.
  • Mobile devices include so-called vehicles.
  • vehicle includes stationary vehicles as well as mobile vehicles.
  • Mobile vehicles include, for example, ground vehicles, ships, and aircraft.
  • Stationary vehicles include, for example, simulation equipment to familiarize themselves with operating techniques.
  • Stationary vehicles include, for example, operating techniques or amusement equipment for enjoying the behavior of the vehicle.
  • the equipment system 1 is a vehicle system.
  • the vehicle is a saddle-type ground traveling vehicle.
  • a typical example of a vehicle is a motorcycle.
  • the power source 2 is provided by an internal combustion engine system or an electric motor system.
  • the power source 2 may include an internal combustion engine, a fuel supply system, and an ignition system. If the power source 2 is provided by an electric motor system, the power source 2 may include a battery and an electric motor. In this embodiment, the power source 2 provides power for the vehicle.
  • the power source 2 is an internal combustion engine system. Power source 2 requires control by the control system in order to provide preset functions.
  • the control system including the control device 5 provides a memory rewriting history recording device.
  • the control system also functions as a limiter that limits the operating state of the power source 2 within a preset normal range.
  • the sensor group 3 includes a plurality of sensors.
  • the plurality of sensors output, as detection signals, electric signals indicating the operating state of the power source 2.
  • the sensor group 3 includes a pressure sensor (PRES) 11 and a rotation angle sensor (ANGL) 12.
  • the pressure sensor 11 detects the intake pressure of the internal combustion engine.
  • the rotation angle sensor 12 detects the rotation angle of the crankshaft of the internal combustion engine.
  • the sensor group 3 outputs a detection signal to the control device 5.
  • the actuator group 4 includes a plurality of actuators.
  • the plurality of actuators provide a controller for adjusting the operating state of the power source 2.
  • the actuator group 4 includes a fuel pump (PUMP) 13, a fuel injection valve (INJC) 14, an ignition device (IGNT) 15, and a warning light (WRNL) 16.
  • the fuel pump 13 pressurizes the fuel stored in the fuel tank.
  • the fuel pump 13 is an electric motor pump or an electromagnetic plunger pump.
  • the fuel pump 13 is controlled to appropriately pressurize the fuel.
  • the fuel injection valve 14 supplies the fuel to the internal combustion engine by injecting the pressurized fuel.
  • the fuel injection valve 14 is a solenoid valve.
  • the fuel injection valve 14 can adjust the injection start timing, the injection end timing, the injection period, and/or the number of injections.
  • the fuel injection valve 14 is controlled to regulate the fuel supply in the internal combustion engine.
  • the ignition device 15 provides ignition by electric spark to the internal combustion engine.
  • the ignition device 15 can adjust the ignition timing, the ignition period, and/or the amount of ignition energy.
  • the ignition device 15 is controlled to adjust ignition in the internal combustion engine.
  • the warning light 16 warns the user of an abnormality (internal error) of the control device 5 by lighting, for example.
  • the actuator group 4 is controlled by the control device 5.
  • the sensor group 3 and the actuator group 4 include elements suitable for the power source 2.
  • the sensor group 3 can include, for example, a plurality of temperature sensors that detect the temperature of the battery and/or the electric motor, a current sensor that detects a current flowing through the electric motor, and a voltage sensor that detects the voltage of the battery.
  • the actuator group 4 can include, for example, an inverter circuit that controls electric power supplied to the electric motor.
  • the control device 5 includes a plurality of components as a general computer. These components can be placed in a single IC package. Alternatively, the plurality of components may be distributedly arranged in the plurality of IC packages. For example, a RAM (Random Access Memory) 7, a ROM (Read Only Memory) 8, and an EEPROM (Electrically Erasable and Programmable ReadOnly) are arranged in a single IC package having a CPU 6 described below as a processor core. You may. Instead of this, for example, a RAM 7 and a ROM 8 described below may be arranged in an IC package having a CPU 6 described below as a processor core, and an EEPROM 10 described below may be arranged in another IC package separately provided.
  • a RAM Random Access Memory
  • ROM Read Only Memory
  • EEPROM Electrically Erasable and Programmable ReadOnly
  • the control device 5 includes a CPU 6 as a processor, a RAM 7 as a volatile storage device, and a ROM 8 as a non-volatile storage device as typical elements.
  • the RAM 7 provides a temporary storage area for the CPU 6.
  • the ROM 8 provides a program storage area for the CPU 6 and a numerical value storage area.
  • the ROM 8 is a flash ROM that can be repeatedly written and whose stored contents are maintained even when power supply is lost.
  • the ROM 8 is provided by an EEPROM (Electrically Erasable and Programmable Read Only Memory).
  • the ROM 8 provides a storage area for programs and numerical values for the control system. Further, the storage area provided by the ROM 8 can be rewritten from outside the control device 5.
  • the ROM 8 can rewrite the storage area in the manufacturing process, for example.
  • the ROM 8 makes it possible to rewrite the storage area in the market, for example.
  • the ROM 8 can rewrite the storage area from an external device 20 described later, for example.
  • the control device 5 has a bus circuit 9.
  • the bus circuit 9 connects the sensor group 3, the actuator group 4, and the control device 5 to each other.
  • the bus circuit 9 provides an I/O bus.
  • the bus circuit 9 further connects the CPU 6, the RAM 7, and the ROM 8 to each other inside the control device 5.
  • the bus circuit 9 provides the system bus.
  • the bus circuit 9 can be directly connected to the outside of the control device 5.
  • the bus circuit 9 connects the control device 5 and an external device 20 described later to each other.
  • the bus circuit 9 provides a direct connection between the ROM 8 and the external device 20. This direct connection enables so-called external rewriting, in which the data stored in the ROM 8 is rewritten from outside the control device 5. As a result, in this embodiment, the data stored in the ROM 8 can be rewritten without passing through the CPU 6.
  • the control device 5 includes an EEPROM 10 as a non-volatile storage device.
  • the storage area provided by the ROM 8 and the storage area provided by the EEPROM 10 are storage areas different from each other.
  • the EEPROM 10 is not connected to the bus circuit 9.
  • the EEPROM 10 is connected to the CPU 6 without passing through the bus circuit 9. That is, the EEPROM 10 cannot directly rewrite the data stored in the EEPROM 10 from outside the control device 5.
  • the ROM 8 and the EEPROM 10 are provided as physically different storage areas.
  • the ROM 8 and the EEPROM 10 are provided by, for example, two different IC packages.
  • the ROM 8 and the EEPROM 10 may be provided by physically separate storage areas on one semiconductor chip, for example.
  • the ROM 8 and the EEPROM 10 may be provided by physically separate storage areas in one common IC package, for example.
  • the ROM 8 and the EEPROM 10 are provided as different storage areas regarding the connection relationship with the bus circuit 9.
  • the ROM 8 is directly connected to the bus circuit 9.
  • the EEPROM 10 is indirectly connected to the bus circuit 9 via the CPU 6.
  • the ROM 8 provides an externally rewritable storage area.
  • the EEPROM 10 provides a storage area that cannot be externally rewritten.
  • the "impossible” does not mean that the external storage of the data stored in the EEPROM 10 is completely impossible. This means that rewriting in the external connection mode assumed in the control device 5 is impossible. For example, it is unexpected to directly access the physical terminals of the EEPROM 10.
  • the device system 1 includes an external device (EXTL) 20 that is detachable from the control system.
  • the external device 20 is a device capable of operating the contents of the ROM 8.
  • the external device 20 is a device that can operate the contents of the EEPROM 10 via the CPU 6.
  • the external device 20 is provided by factory equipment at the manufacturing stage.
  • the external device 20 is provided by a diagnostic system on the market. The diagnostic system is used to diagnose whether the equipment system 1 is healthy or unhealthy.
  • the external device 20 acquires signals and/or data in the control system.
  • the external device 20 provides the acquired signal and/or data for diagnosis.
  • the external device 20 may compare the acquired signal and/or data with the normal signal and/or data inside the external device 20, and output a diagnostic result.
  • the external device 20 may provide the acquired signal and/or data to an operator and/or an external diagnostic device.
  • the external device 20 When the external device 20 is a diagnostic system, the external device 20 has a diagnostic terminal device 21.
  • the diagnostic terminal device 21 is installed in, for example, a service station.
  • the diagnostic terminal device 21 is used by an operator who inspects or repairs the equipment system 1.
  • the control device 5 and the diagnostic terminal device 21 can be connected by a wired connection device including a connector 22 and a cable 23. Alternatively, the control device 5 and the diagnostic terminal device 21 may be connected by a wireless connection device.
  • the diagnostic terminal device 21 has a terminal control device (CTRL) 24, an internal storage device (STRG) 25, a display device (MNTR) 26, and an input device (MNSW) 27.
  • the internal storage device 25 can be provided by ROM or RAM.
  • the terminal control device 24 temporarily records the data stored in the EEPROM 10 in the internal storage device 25.
  • the terminal control device 24 displays the data stored in the internal storage device 25 on the display device 26.
  • the input device 27 detects the operation of the operator and inputs a detection signal to the terminal control device 24. In this embodiment, the input device 27 detects an operation requesting history display and outputs the request to the terminal control device 24.
  • the control device 5 is also called an electronic control device (ECU: Electronic Control Unit).
  • the controller 5 is provided by (a) an algorithm as a plurality of logics called if-then-else form, or (b) a trained model tuned by machine learning, for example, an algorithm as a neural network.
  • the control device 5 includes at least one computer. Controller 5 may include multiple computers linked by a data communication device.
  • the computer includes at least one processor (hardware processor) that is hardware.
  • the hardware processor can be provided by (i), (ii), or (iii) below.
  • the hardware processor may be at least one processor core that executes a program stored in at least one memory.
  • the computer is provided with at least one memory and at least one processor core.
  • the processor core is called CPU: Central Processing Unit, GPU: Graphics Processing Unit, RISC-CPU, etc.
  • the memory is also called a storage medium.
  • a memory is a non-transitional and tangible storage medium that stores "programs and/or data" readable by a processor in a non-transitory manner.
  • the storage medium is provided by a semiconductor memory, a magnetic disk, an optical disk, or the like.
  • the program may be distributed by itself or as a storage medium in which the program is stored.
  • the hardware processor may be a hardware logic circuit.
  • the computer is provided by a digital circuit including a large number of programmed logic units (gate circuits).
  • the digital circuit is a logic circuit array, for example, ASIC: Application-Specific Integrated Circuit, FPGA: Field Programmable Gate Array, PGA: Programmable Gate Array, CPLD: Complex Programmable, etc.
  • the digital circuit may include a memory that stores programs and/or data.
  • the computer may be provided by analog circuitry.
  • the computer may be provided by a combination of digital circuits and analog circuits.
  • the (iii) hardware processor may be a combination of the above (i) and the above (ii).
  • (I) and (ii) are arranged on different chips or on a common chip. In these cases, the part (ii) is also called an accelerator.
  • control device The control device, signal source, and controlled object provide various elements. At least some of these elements can be referred to as blocks, modules, or sections. Furthermore, elements included in the control system are referred to as functional means only if they are intentional.
  • control unit and the method described in this disclosure are realized by a dedicated computer provided by configuring a processor and a memory programmed to execute one or a plurality of functions embodied by a computer program. May be done.
  • control unit and the method described in this disclosure may be realized by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits.
  • the controller and method described in this disclosure may include a processor and memory programmed to perform one or more functions and a processor configured with one or more hardware logic circuits. It may be realized by one or more dedicated computers configured by combination.
  • the computer program may be stored in a computer-readable non-transition tangible recording medium as an instruction executed by the computer.
  • the ROM 8 has a program area (PRGM) 31.
  • the program area 31 stores a program for the control system.
  • the program area 31 stores, for example, a fuel injection program and an ignition timing program.
  • the ROM 8 has a numerical area (VLDT) 32.
  • the numerical area 32 stores numerical values for the control system.
  • the numerical area 32 stores, for example, a map that defines the fuel injection amount with respect to the load of the internal combustion engine and a map that defines the ignition timing with respect to the rotation speed of the internal combustion engine.
  • the ROM 8 When the ROM 8 is externally rewritten, for example, the data in the rewriting area (REWR) 33 which is a part of the program area 31 is rewritten.
  • the data in the rewriting area (REWR) 34 which is a part of the numerical value area 32 is rewritten.
  • the ROM 8 has an area for storing inspection data.
  • the check data is used for error check of the data stored in the ROM 8 itself. If the stored data in the ROM 8 has an error, it is treated as an abnormality (internal error) of the control device 5.
  • the "error checking” function can be implemented by hardware or by software.
  • the term “error checking” in this specification should be interpreted broadly.
  • the “error check” calculates a calculated value from the "storage area to be checked” by a predetermined calculation method.
  • the “error check” compares a calculated value with a reference value to detect an error in stored data.
  • the “error check” uses the "error detection code” to check the stored data for errors. In this embodiment, a checksum is used as the "error detection code”.
  • error detection code Vertical parity and/or horizontal parity may be used as the “error detection code”.
  • a hash function may be used as the “error detection code”.
  • a cryptographic hash function called MD5 (Message Digest Algorithm 5) or the like may be used as the “error detection code”.
  • MD5 Message Digest Algorithm 5
  • CRC Cyclic Redundancy Check
  • checksum in this specification should be interpreted in a broad sense.
  • the “checksum” is a method of calculating some bytes in the total sum of the storage data of the "storage area to be inspected” as the calculation value.
  • the “checksum” may be a method in which the calculated value is the remainder (surplus) obtained by dividing the above total sum by a predetermined constant.
  • the “checksum” may be a method in which the above sum is used as a calculated value.
  • the “storage area to be inspected” is all the storage areas of the ROM 8.
  • the “storage area to be inspected” may be a partial storage area in the ROM 8.
  • the ROM 8 stores two data as inspection data.
  • the inspection data includes a checksum area 35 that stores a checksum value (SUM-CHK) as a reference value.
  • the inspection data includes a sum adjustment value area 36 that stores a sum adjustment value (SUM-ADJ) as a difference value.
  • the checksum value is a reference value as an initial value.
  • the checksum value is, for example, the checksum value of all data stored in the ROM 8 of the initial model.
  • the sum adjustment value is set so that a calculated value equal to the reference value is calculated.
  • the ROM 8 has a soft switch area (SFSW) 37.
  • the soft switch area 37 stores a numerical value for switching the behavior of the control system.
  • the soft switch area 37 has an internal error area 38 for storing an internal error switch value (INT-E/D).
  • the internal error switch value includes information for setting validity or invalidity of the inspection of the control device 5 including the ROM 8.
  • the internal error switch value includes a switch bit for selecting whether to execute the check itself of the control unit 5 including the ROM 8, that is, enable or disable. Further, the internal error switch value includes a switch bit for selecting valid or invalid of the countermeasure process when an abnormality (internal error) of the control device 5 including the ROM 8 is detected.
  • the term “validation or invalidation of inspection” includes a case where the execution of the inspection itself is permitted or hindered, and a case where the countermeasure process executed when the result of the test is abnormal is permitted or hindered.
  • the internal error area 38 sets validity/invalidity of the inspection itself of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with, for example, the validity/invalidity of the inspection itself.
  • the internal error area 38 sets valid/invalid of the countermeasure process that can be used when an error is detected in the storage data of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with the valid/invalid of the countermeasure process, for example.
  • the countermeasure process can be provided by "prohibition/permission of start", "lighting/extinguishing of warning light", and/or "unlimited/limited function of internal combustion engine”.
  • “Limitation/unrestricted function of internal combustion engine” means, for example, “restricted/unlimited fuel injection amount”, “restricted/unlimited ignition angle”, “restricted/unlimited rotational speed”, “restricted/limited vehicle speed”. Provided by "Unlimited”.
  • the internal error area 38 sets turning on/off of the warning lamp 16 when an error in the ROM 8 is detected.
  • i indicates the number in the discrete system.
  • i is an integer.
  • (i) shows the present data
  • (i-1) shows the previous data
  • (i+1) shows the latter data.
  • n is the maximum value of the number of history data.
  • n is set to be larger than the standard number of version upgrades in the market.
  • the history area 41 stores a predetermined number of history data LOG(i).
  • the history data LOG(i) may be stored by a first-in first-out method.
  • One history data LOG(i) includes both history data regarding the sum adjustment value area 36 and history data regarding the internal error area 38.
  • the history data regarding the sum adjustment value area 36 is referred to as a sum history LOG(i)ADJ.
  • the history data regarding the internal error area 38 is called a switch history LOG(i)E/D.
  • a plurality of history data LOG(1) to LOG(n) are sequentially stored cumulatively. When it is determined that either the sum adjustment value area 36 or the internal error area 38 has been changed, one history data LOG(i) is cumulatively recorded. The decision includes two matches. One comparison is performed by comparing the sum adjustment value SUM-ADJ in the ROM 8 with the immediately previous sum history LOG(i-1)ADJ in the EEPROM 10. One comparison is performed by comparing the internal error switch value INT-E/D in the ROM 8 with the immediately previous switch history LOG(i-1)E/D in the EEPROM 10. The determination is performed when the power source 2 is activated or when the control device 5 is power-on reset.
  • the first history data LOG(0) is an initial value.
  • the history data LOG(0) for example, both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D at the time of factory shipment are recorded.
  • the sum adjustment value area 36 or the internal error area 38 may be changed by external rewriting of the ROM 8 regardless of whether it is legal or illegal.
  • the same character string 42 as the history area 41 is displayed on the display 26.
  • FIG. 2 shows an initial setting process 150 in the manufacturing stage of the control device 5.
  • the initial setting process 150 includes a process of setting factory shipping data in the ROM 8.
  • the illustrated initial setting process 150 includes a process of setting factory shipment data in the EEPROM 10.
  • the initial setting process 150 is executed by factory equipment as the external device 20.
  • the external device 20 writes factory shipment data in the ROM 8 in step 151.
  • the factory shipment data are so-called initial values.
  • step 152 the external device 20 writes initial values in the program area 31 and the numerical area 32.
  • step 153 the external device 20 writes initial values in the checksum area 35 and the sum adjustment value area 36.
  • step 154 the external device 20 writes the initial value in the internal error area 38.
  • the external device 20 writes factory shipment data to the EEPROM 10 via the CPU 6 in step 155.
  • the external device 20 writes the initial value in the EEPROM 10.
  • the initial value includes both the sum history LOG(0)ADJ and the switch history LOG(0)E/D.
  • control device 5 After the initial setting processing 150, the control device 5 is combined with the power source 2 and the like and supplied to the market as the device system 1.
  • the control device 5 provides a device for detecting external rewriting by executing a plurality of processes described below after being supplied to the market.
  • step 155 is executed by the external device 20.
  • step 155 may be executed by the controller 5 in step 186 described below. In this case, all history data recorded in the EEPROM 10 is automatically stored.
  • FIG. 3 shows the rewriting process 160.
  • the rewriting process 160 is often performed after the control device 5 is shipped to the market.
  • the rewriting process 160 may be rarely performed in the factory before the controller 5 is shipped to the market.
  • the rewriting process 160 is executed by the legitimate external device 20 or the unauthorized external device 20.
  • the external device 20 writes a new rewrite value in the ROM 8 in step 161.
  • the external device 20 writes new data in the program area 31 and the numerical area 32.
  • the external device 20 writes new data in the sum adjustment value area 36.
  • the value of the checksum area 35 is not changed.
  • the external device 20 writes new data in the internal error area 38.
  • the internal error area 38 is rewritten to set whether the inspection is valid or invalid.
  • One use of rewriting the internal error area 38 is to set the execution or non-execution of the inspection itself.
  • Another use of rewriting the internal error area 38 is to invalidate or disable the countermeasure processing that occurs when the rewriting areas 33 and 34 are rewritten.
  • FIG. 4 shows the inspection process 170 of the ROM 8 executed by the control device 5.
  • the control device 5 determines whether or not the check timing of the ROM 8 has arrived.
  • the check timing is, for example, when the power source 2 is activated or when the control device 5 is power-on reset. If it is not the check timing (NO), the following processing is skipped. If it is the check timing (YES), the process proceeds to step 172.
  • step 171 the control device 5 determines whether or not the inspection processing 170 itself is permitted by the internal error switch value INT-E/D. If the inspection process 170 itself is permitted by the internal error switch value INT-E/D (YES), the process proceeds to step 172. When the inspection process 170 itself is permitted by the internal error switch value INT-E/D (NO), the following process (steps 172-177) is skipped.
  • the controller 5 calculates a checksum for the ROM 8 in step 172.
  • the control device 5 calculates the calculated value SUMR from all the storage areas of the ROM 8 by the set checksum method.
  • the control device 5 reads the checksum value SUM-CHK as the reference value from the ROM 8.
  • the controller 5 determines in step 174 whether the calculated value SUMR is equal to the checksum value SUM-CHK.
  • the calculated value SUMR is equal to the checksum value SUM-CHK (YES)
  • the inspection result of the ROM 8 is normal.
  • the process proceeds to step 175.
  • the calculated value SUMR is not equal to the checksum value SUM-CHK (NO)
  • the inspection result of the ROM 8 is abnormal (internal error).
  • the process proceeds to step 176.
  • Step 174 provides a checksum determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the checksum value calculated from the memory storage data including the adjustment value is equal to a predetermined reference value.
  • the controller 5 determines in step 175 whether the program or the numerical value is within the normal range.
  • the inspection result of the ROM 8 is normal. In this case, the following processing is skipped.
  • the program or the numerical value is not within the normal range (NO)
  • the inspection result of the ROM 8 is abnormal (internal error). In this case, the process proceeds to step 176.
  • Step 175 provides an internal error determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the program and/or the numerical value are within the normal range.
  • the normal range is preset as a range in which the normal function of the device system 1 can be maintained. For example, the normal range defines the upper limit engine speed of the internal combustion engine. For example, when the numerical value region 32 exceeds the upper limit rotation speed, the determination in step 175 branches to NO.
  • the control device 5 inspects the internal error switch value INT-E/D in step 176.
  • the predetermined countermeasure process is permitted by the internal error switch value INT-E/D (YES)
  • the process proceeds to step 177.
  • the predetermined countermeasure process is not permitted by the internal error switch value INT-E/D (NO)
  • the following process is skipped. In this case, although the abnormality (internal error) of the ROM 8 is detected, the countermeasure process is not executed.
  • Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determines that the ROM 8 is abnormal.
  • Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the ROM 8 is abnormal.
  • the control device 5 executes a preset countermeasure process.
  • the warning lamp 16 indicating that the abnormality (internal error) of the ROM 8 is detected is turned on. This allows the user to know the abnormality of the device system 1.
  • FIG. 5 shows a history process 180 executed by the control device 5.
  • the control device 5 determines whether or not the power source 2 is activated.
  • the history process is executed every time the power source 2 is activated.
  • the control device 5 is activated by a power-on reset.
  • each time the history recorder provided by the history processing 180 is activated the determination by the first determination unit and the second determination unit, which will be described later, is performed.
  • the process of step 181 is provided by the process of detecting that the ignition switch has been switched from OFF to ON. If the power source 2 is activated, the process proceeds to step 182.
  • the power source 2 is not activated, the following processing is skipped.
  • the control device 5 reads the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D from the ROM 8.
  • the control device 5 reads the current history data LOG(i) from the EEPROM 10.
  • the current history data LOG(i) is the last data stored in the history area 41.
  • the history data LOG(i) includes a sum history LOG(i)ADJ and a switch history LOG(i)E/D.
  • step 184 the control device 5 determines whether or not the sum adjustment value SUM-ADJ stored in the ROM 8 and the current sum history LOG(i)ADJ stored in the EEPROM 10 are equal. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are equal (YES), the process proceeds to step 185. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are not equal (NO), the process proceeds to step 186. Step 184 provides a first determination unit that determines whether or not the adjustment value stored in the ROM 8 is equal to the history adjustment value included in the latest history (LOG(i)).
  • step 185 the control device 5 determines whether the internal error switch value INT-E/D stored in the ROM 8 is equal to the current history data LOG(i)E/D stored in the EEPROM 10. judge. If the internal error switch value INT-E/D and the history data LOG(i)E/D are equal (YES), the process ends. If the internal error switch value INT-E/D and the history data LOG(i)E/D are not equal (NO), the process proceeds to step 186. Step 185 provides a second determination unit that determines whether or not the switch value stored in the ROM 8 is equal to the history switch value included in the latest history (LOG(i)).
  • step 186 the control device 5 executes step 186 when a negative determination is made in either step 184 or step 185.
  • the controller 5 does not execute the step 186 when the determinations in both the step 184 and the step 185 are positive.
  • step 186 the control device 5 writes both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D stored in the ROM 8 into the EEPROM 10 as the latest history data LOG(i+1).
  • Step 186 provides a recording unit that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit 184 or the second determination unit 185.
  • FIG. 6 shows an output process 190 executed by the control device 5 and the external device 20.
  • the external device 20 determines whether the control device 5 and the external device 20 are connected by the connector 22. When the communicable connection is not established (NO), the following processing is skipped. When the communicable connection is established (YES), the process proceeds to step 192.
  • the diagnostic process includes various processes for outputting the state of the device system 1.
  • the external device 20 detects the operation requested by the user in step 192.
  • the request operation is an operation for requesting output of history data.
  • the requested operation is input by operating the input device 27. When there is no requested operation (NO), the following processing is skipped. If there is the requested operation (YES), the process proceeds to step 193. In step 193, the external device 20 outputs the request signal RQ to the control device 5.
  • the received history data is history data stored in the EEPROM 10.
  • the received history data is stored in the internal storage device 25 of the external device 20.
  • the worker is presented with both legal external rewriting and invalid external rewriting from the history data of the EEPROM 10.
  • the worker can know the correct history data of the correct external rewriting.
  • the legal history data is provided by the manufacturer, for example.
  • the legitimate history data is provided in response to a request from the worker to the manufacturer.
  • the correct history data includes the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D generated by the external rewriting for all the correct external rewriting. Therefore, the operator can know that the external rewriting is not valid by comparing the history data of the EEPROM 10 with the valid history data.
  • the external device 20 may perform self-diagnosis in step 197.
  • the external device 20 stores the valid history data in the internal storage device 25 at least temporarily.
  • the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. As a result, valid rewriting is left as a history.
  • ⁇ Unauthorized external rewriting> It can be assumed that the ROM 8 is rewritten by unauthorized external rewriting. As the unauthorized external rewriting, for example, a remodeling act without the manufacturer's permission can be assumed. In this case, the remodeler rewrites the rewrite areas 33 and 34. Further, the remodeling person rewrites the sum adjustment value SUM-ADJ in order to trick the checksum check. In other words, the remodeling person rewrites the sum adjustment value SUM-ADJ so that the determination result of the checksum inspection in step 174 branches to YES. Further, the careful remodeler rewrites the internal error switch value INT-E/D in order to prevent the checksum inspection itself. The careful remodeler rewrites the internal error switch value INT-E/D so that the determination result as to whether the countermeasure process in step 176 is necessary branches to NO.
  • the remodeling person rewrites the rewriting areas 33 and 34 so as to make the behavior of the vehicle more intense.
  • an abnormality (internal error) may be detected to protect the device system 1.
  • the determination result of the normal range in step 175 may branch to NO.
  • the determination in step 176 branches to NO.
  • the control device 5 cannot detect an abnormality (internal error). ..
  • the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. It As a result, unauthorized rewriting is left as a history.
  • the data in the ROM 8 may be inverted irregularly due to device instability, device life, rare radiation, or the like.
  • an abnormality is detected by the inspection (checksum) of the ROM 8.
  • the control device 5 executes the countermeasure process preset by the internal error switch value INT-E/D.
  • FIG. 7 is a block diagram of a memory rewriting history recording device. Each block is provided by the hardware resource of the control device 5 and the software resource for operating the hardware resource.
  • the memory M1 stores programs and/or numerical values of the control device 5.
  • the memory M1 is externally rewritable and non-volatile.
  • the memory M1 is provided by the ROM 8.
  • the memory M1 is inspected by the inspector M2.
  • the inspector M2 inspects the data stored in the memory M1 and determines whether the memory M1 is normal or abnormal.
  • the checker M2 executes "error check”.
  • the checker M2 is a checksum checker that checks the data stored in the memory M1 with a checksum.
  • the checker M2 determines whether the memory M1 is normal or abnormal depending on whether the checksum value calculated from the storage data of the memory M1 including the adjustment value is equal to a predetermined reference value. Equipped with.
  • the inspection device M2 includes internal switch determination units 171 and 176 that determine whether the inspection of the memory M1 based on the checksum is valid or invalid based on the switch value.
  • the inspection device M2 includes an internal switch determination unit 171 that determines whether or not to execute the inspection itself of the memory M1 using the checksum based on the switch value.
  • the checker M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determines that the memory M1 is abnormal.
  • the checker M2 includes an internal error determination unit 175 that determines whether the memory M1 is normal or abnormal depending on whether or not the program and/or the numerical value is within the normal range.
  • the tester M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the memory M1 is abnormal.
  • the inspection device M2 When the inspection device M2 detects an abnormality (internal error) in the memory M1, the inspection device M2 executes a countermeasure process.
  • the memory M1 has a sum adjustment value area 36 that stores an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device M2 from determining an abnormality.
  • the memory M1 has an internal error area 38 for storing a switch value (INT-E/D) for setting whether the inspection by the inspector M2 is valid or invalid.
  • the first method to avoid the countermeasure process is provided by tricking the inspection by the inspection device M2.
  • the sum adjustment value area 36 is utilized.
  • the tester M2 does not detect an abnormality (internal error).
  • the sum adjustment value region 36 can be used for effectively preventing the inspection by the inspecting device M2 while preventing the abnormality from being detected by the inspection. Therefore, it can be said that the first method is a process of tricking the inspection while allowing the inspection device M2 to function normally.
  • the second method of avoiding the countermeasure process is provided by setting the validity or invalidity of the inspection itself by the inspection device M2.
  • the term “validation or invalidation of the inspection” includes a case where the execution of the inspection itself is obstructed and a case where the countermeasure process executed when the result of the inspection is abnormal is obstructed.
  • the internal error area 38 is utilized. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspection by the inspector M2 is set to be valid or invalid.
  • One of the second methods is to obstruct the execution of the inspection itself by the inspection device M2.
  • the internal error area 38 is used.
  • the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspector M2 does not execute the inspection itself.
  • One of the second methods is to block only the execution of countermeasures that are activated in response to the inspection results.
  • the internal error area 38 is used.
  • the inspector M2 does not execute the countermeasure process even if it detects an abnormality (internal error).
  • the history recorder M3 cumulatively records both the adjustment value and the switch value in order to monitor both the first method and the second method.
  • the history contains both adjustment values and switch values.
  • the fact that external rewriting has been performed is recorded regardless of whether it is valid or illegal. Since not only the adjustment value but also the switch value is recorded, both the correct external rewriting and the unauthorized external rewriting can be recorded as the history.
  • a rewriting history recording device for a memory in which a rewriting action can be found efficiently.
  • the history recorder M3 records the history of external rewriting for the memory M1.
  • the history recorder M3 includes another non-volatile memory different from the memory M1.
  • the other memory is provided by the EEPROM 10.
  • the history recorder M3 is configured to record both the adjustment value and the switch value as history when the memory M1 is externally rewritten.
  • the history recorder M3 includes a first determination unit 184 and a second determination unit 185.
  • the first determination unit 184 determines whether or not the adjustment value stored in the memory M1 and the history adjustment value included in the latest history (LOG(i)) are the same.
  • the second determination unit 185 determines whether the switch value stored in the memory M1 is equal to the history switch value included in the latest history (LOG(i)).
  • the history recorder M3 includes a recording unit 186 that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit or the second determination unit.
  • the history recorder M3 is configured to execute the determination by the first determination unit 184 and the second determination unit 185 each time the history recorder M3 is activated. Specifically, the activation is the turning on of the power switch of the control device 5.
  • the memory rewriting history recording device may include an output device M4.
  • the output device M4 outputs the history data recorded in the history recording device M3. Since the history includes both the adjustment value and the switch value, these values indicate valid external rewriting and unauthorized external rewriting.
  • the control device 5 can include a memory M1, an inspector M2, and a history recorder M3. In one embodiment, the output device M4 is provided by the external device 20 connectable to the control device 5 in data communication.
  • the specific data that can be externally rewritten includes a sum adjustment value SUM-ADJ for tricking an inspection by a so-called checksum. Further, the specific data that enables external rewriting includes an internal error switch value INT-E/D for setting valid/invalid of the inspection. By including both of these two data, the accuracy of detecting external rewriting is improved.
  • the externally rewritable storage area may be rewritten regardless of whether it is legal or illegal.
  • a large memory capacity is required to store the hash code.
  • the data amount of the sum adjustment value SUM-ADJ in this embodiment is significantly smaller than the data amount of the hash code. Therefore, according to this embodiment, it is possible to provide a memory rewriting history recording device that can efficiently detect rewriting of a storage area.
  • the check function of the storage area by the checksum can be provided by small-scale hardware or software. Therefore, it is possible to provide a memory rewrite history recording device in which rewriting of the storage area can be found by a small-scale configuration.
  • the disclosures in this specification and the drawings are not limited to the illustrated embodiments.
  • the disclosure encompasses the illustrated embodiments and variations on them based on them.
  • the disclosure is not limited to the combination of parts and/or elements shown in the embodiments.
  • the disclosure can be implemented in various combinations.
  • the disclosure may have additional parts that may be added to the embodiments.
  • the disclosure includes omissions of parts and/or elements of the embodiments.
  • the disclosure includes replacements or combinations of parts and/or elements between one embodiment and another.
  • the disclosed technical scope is not limited to the description of the embodiments. It is to be understood that some technical scopes disclosed are shown by the description of the claims, and further include meanings equivalent to the description of the claims and all modifications within the scope.
  • the history processing 180 and the history recorder M3 record the history in the EEPROM 10.
  • the history processing 180 and the history recorder M3 may record the history in a server communicably connected by wireless.
  • the external device 20 may be provided by a server that is communicably connected by wireless. In this case, external rewriting in the plurality of control devices 5 can be centrally monitored and managed by the server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)
  • Combined Controls Of Internal Combustion Engines (AREA)

Abstract

A system has a non-volatile memory which stores a control program and/or a control numerical value of a control device, and is externally rewritable. The system is provided with an inspection device for inspecting storage data of the memory, and determining whether the memory is normal or abnormal. The system is provided with a history recording device for recording a history of an external rewrite. The memory has an area in which an adjustment value SUM-ADJ is stored, the adjustment value SUM-ADJ being rewritten so as to stop a judgment that the memory is abnormal by the inspection device. The memory has an area in which a switch value INT-E/D is stored, the switch value INT-E/D setting the inspection by the inspection device to be valid or invalid. The history includes both of the adjustment value and the switch value. A memory rewrite history recording device capable of efficiently finding a rewrite action is provided.

Description

メモリの書き換え履歴記録装置Memory rewriting history recorder 関連出願の相互参照Cross-reference of related applications

 この出願は、2019年1月30日に日本に出願された特許出願第2019-014671号を基礎としており、基礎の出願の内容を、全体的に、参照により援用している。 This application is based on the patent application No. 2019-014671 filed in Japan on January 30, 2019, and the contents of the basic application are entirely incorporated by reference.

 この明細書における開示は、メモリの書き換え履歴記録装置に関する。 The disclosure in this specification relates to a memory rewriting history recording device.

 特許文献1は、書き換え可能なメモリを利用する制御機器を開示する。従来技術として列挙された先行技術文献の記載内容は、この明細書における技術的要素の説明として、参照により援用される。 Patent Document 1 discloses a control device using a rewritable memory. The description of the prior art documents listed as the prior art is incorporated by reference as a description of technical elements in this specification.

特許第6009290号公報Japanese Patent No. 6009290

 書き換え可能なメモリを利用する制御機器では、メモリの書き換え行為を記録する場合がある。書き換え行為の履歴は、記憶データの書き換えを発見可能とする。ひとつの観点では、不正な書き換えを発見可能とすることが求められている。別の観点では、正当な書き換えであっても、それを発見可能とすること、または再確認可能とすることが求められている。上述の観点において、または言及されていない他の観点において、乗り物用制御装置にはさらなる改良が求められている。 -A control device that uses a rewritable memory may record the rewriting action of the memory. The history of rewriting actions makes it possible to detect rewriting of stored data. From one viewpoint, it is required to be able to detect illegal rewriting. From another perspective, even legitimate rewriting is required to be discoverable or reconfirmable. In view of the above, or in other aspects not mentioned, there is a need for further improvements in vehicle controls.

 開示されるひとつの目的は、書き換え行為を効率的に発見可能なメモリの書き換え履歴記録装置を提供することである。 One disclosed purpose is to provide a rewriting history recording device of a memory that can efficiently detect a rewriting action.

 開示される他のひとつの目的は、書き換え行為を小さい規模の構成によって発見可能なメモリの書き換え履歴記録装置を提供することである。 Another disclosed purpose is to provide a rewriting history recording device for a memory that can detect rewriting actions with a small-scale configuration.

 ここに開示されたメモリの書き換え履歴記録装置は、制御装置(5)のプログラムおよび/または数値を記憶しており、外部書き換えが可能であり、かつ不揮発性のメモリ(8、M1)と、メモリの記憶データを検査し、メモリの正常または異常を判定する検査器(6、M2)と、外部書き換えの履歴を記録する履歴記録器(10、M3)とを備える。さらに、メモリは、検査器による異常との判定を阻止するように書き換えられる調整値(SUM-ADJ)を記憶する領域(36)と、検査器による検査の有効または無効を設定するスイッチ値(INT-E/D)を記憶する領域(38)とを有し、履歴は、調整値とスイッチ値との両方を含んでいる。 The memory rewrite history recording device disclosed herein stores the program and/or numerical value of the control device (5), is externally rewritable, and is a nonvolatile memory (8, M1), and a memory. The inspection device (6, M2) for inspecting the stored data of No. 1 to determine whether the memory is normal or abnormal, and the history recording device (10, M3) for recording the history of external rewriting. Further, the memory has an area (36) for storing an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device from determining an abnormality, and a switch value (INT) for setting whether the inspection by the inspection device is valid or invalid. -E/D) storage area (38) and the history contains both adjustment values and switch values.

 開示されるメモリの書き換え履歴記録装置によると、調整値と、スイッチ値との両方が履歴として記録される。調整値だけでなく、スイッチ値が記録されるから、正当な外部書き換え、および、不正な外部書き換えの両方を履歴として記録することができる。この結果、書き換え行為を効率的に発見可能なメモリの書き換え履歴記録装置が提供される。 According to the disclosed memory rewriting history recording device, both the adjustment value and the switch value are recorded as history. Since not only the adjustment value but also the switch value is recorded, both the correct external rewriting and the unauthorized external rewriting can be recorded as the history. As a result, there is provided a rewriting history recording device for a memory in which a rewriting action can be found efficiently.

 この明細書における開示された複数の態様は、それぞれの目的を達成するために、互いに異なる技術的手段を採用する。請求の範囲およびこの項に記載した括弧内の符号は、後述する実施形態の部分との対応関係を例示的に示すものであって、技術的範囲を限定することを意図するものではない。この明細書に開示される目的、特徴、および効果は、後続の詳細な説明、および添付の図面を参照することによってより明確になる。 The disclosed aspects of this specification employ different technical means to achieve their respective purposes. The claims and the reference numerals in parentheses in this section exemplify the corresponding relationship with the portions of the embodiments described below, and are not intended to limit the technical scope. The objects, features, and advantages disclosed in this specification will become more apparent with reference to the following detailed description and the accompanying drawings.

制御装置を含む乗り物システムのブロック図である。1 is a block diagram of a vehicle system including a control device. 初期設定処理のフローチャートである。It is a flowchart of an initialization process. 書き換え処理のフローチャートである。It is a flowchart of a rewriting process. 検査処理のフローチャートである。It is a flow chart of inspection processing. 履歴処理のフローチャートである。It is a flow chart of history processing. 出力処理のフローチャートである。It is a flowchart of an output process. メモリの書き換え履歴記録装置のブロック図である。It is a block diagram of a memory rewriting history recording device.

 図面を参照しながら、複数の実施形態を説明する。複数の実施形態において、機能的におよび/または構造的に対応する部分および/または関連付けられる部分には同一の参照符号、または百以上の位が異なる参照符号が付される場合がある。対応する部分および/または関連付けられる部分については、他の実施形態の説明を参照することができる。 A plurality of embodiments will be described with reference to the drawings. In some embodiments, functionally and/or structurally corresponding parts and/or associated parts may be given the same reference signs, or hundreds or more different reference signs. For the corresponding part and/or the related part, the description of the other embodiments can be referred to.

 第1実施形態
 <機器システム>
 図1は、機器システム1を示す。機器システム1は、制御対象としての動力源(PWRS)2を備える。機器システム1は、制御対象を制御するための制御システムを備える。制御システムは、センサ群(SNSR)3、アクチュエータ群(ACTR)4、および制御装置(ECU)5を備える。 First Embodiment <Device System>
FIG. 1 shows an equipment system 1. The device system 1 includes a power source (PWRS) 2 as a control target. The device system 1 includes a control system for controlling a control target. The control system includes a sensor group (SNSR) 3, an actuator group (ACTR) 4, and a control device (ECU) 5.

 この明細書において、機器の語は、広義に解釈されるべきである。機器は、定置の機器、および移動機器を含む。定置の機器は、例えば、空調機器、発電機器、および照明機器などを含む。移動機器は、いわゆる乗り物を含む。乗り物の語は、移動用乗り物だけでなく、定置型の乗り物を含む。移動用乗り物は、例えば、地上走行車両、船舶、および航空機を含む。定置型の乗り物は、例えば、操作技術を習熟するためのシミュレーション機器を含む。定置型の乗り物は、例えば、操作技術、または乗り物の挙動を楽しむためのアミューズメント機器を含む。この実施形態では、機器システム1は、乗り物システムである。乗り物は、鞍乗り型の地上走行車両である。乗り物の典型的な一例は、二輪車である。 In this specification, the term device should be interpreted in a broad sense. Equipment includes stationary equipment and mobile equipment. Stationary devices include, for example, air conditioners, power generators, and lighting devices. Mobile devices include so-called vehicles. The term vehicle includes stationary vehicles as well as mobile vehicles. Mobile vehicles include, for example, ground vehicles, ships, and aircraft. Stationary vehicles include, for example, simulation equipment to familiarize themselves with operating techniques. Stationary vehicles include, for example, operating techniques or amusement equipment for enjoying the behavior of the vehicle. In this embodiment, the equipment system 1 is a vehicle system. The vehicle is a saddle-type ground traveling vehicle. A typical example of a vehicle is a motorcycle.

 動力源2は、内燃機関システム、または電動機システムによって提供される。動力源2が内燃機関システムである場合、動力源2は、内燃機関と、燃料供給システムと、点火システムとを含む場合がある。動力源2が、電動機システムによって提供される場合、動力源2は、電池と、電動機とを含む場合がある。この実施形態では、動力源2は、乗り物における動力を提供する。動力源2は、内燃機関システムである。動力源2は、予め設定された機能を提供するために、制御システムによる制御を必要とする。 The power source 2 is provided by an internal combustion engine system or an electric motor system. When the power source 2 is an internal combustion engine system, the power source 2 may include an internal combustion engine, a fuel supply system, and an ignition system. If the power source 2 is provided by an electric motor system, the power source 2 may include a battery and an electric motor. In this embodiment, the power source 2 provides power for the vehicle. The power source 2 is an internal combustion engine system. Power source 2 requires control by the control system in order to provide preset functions.

 制御装置5を含む制御システムは、メモリの書き換え履歴記録装置を提供する。また、制御システムは、動力源2の運転状態を予め設定された正規範囲内に制限する制限器としても機能する。 The control system including the control device 5 provides a memory rewriting history recording device. The control system also functions as a limiter that limits the operating state of the power source 2 within a preset normal range.

 <制御システム>
 センサ群3は、複数のセンサを備える。複数のセンサは、動力源2の運転状態を示す電気信号を検出信号として出力する。この実施形態では、センサ群3は、圧力センサ(PRES)11、および回転角センサ(ANGL)12を備える。圧力センサ11は、内燃機関の吸気圧力を検出する。回転角センサ12は、内燃機関のクランク軸の回転角度を検出する。センサ群3は、検出信号を制御装置5に出力する。 <Control system>
The sensor group 3 includes a plurality of sensors. The plurality of sensors output, as detection signals, electric signals indicating the operating state of the power source 2. In this embodiment, the sensor group 3 includes a pressure sensor (PRES) 11 and a rotation angle sensor (ANGL) 12. The pressure sensor 11 detects the intake pressure of the internal combustion engine. The rotation angle sensor 12 detects the rotation angle of the crankshaft of the internal combustion engine. The sensor group 3 outputs a detection signal to the control device 5.

 アクチュエータ群4は、複数のアクチュエータを備える。複数のアクチュエータは、動力源2の運転状態を調節するための調節器を提供する。この実施形態では、アクチュエータ群4は、燃料ポンプ(PUMP)13、燃料噴射弁(INJC)14、点火装置(IGNT)15、および警告灯(WRNL)16を備える。燃料ポンプ13は、燃料タンクに貯められた燃料を加圧する。燃料ポンプ13は、電動機ポンプ、または電磁プランジャポンプである。燃料ポンプ13は、燃料を適切に加圧するように制御される。燃料噴射弁14は、加圧された燃料を噴射することにより、内燃機関に燃料を供給する。燃料噴射弁14は、電磁弁である。燃料噴射弁14は、噴射開始時期、噴射終了時期、噴射期間、および/または噴射回数を調節可能である。燃料噴射弁14は、内燃機関における燃料供給を調節するように制御される。点火装置15は、内燃機関に対して電気火花による点火を提供する。点火装置15は、点火時期、点火期間、および/または点火エネルギ量を調節可能である。点火装置15は、内燃機関における点火を調節するように制御される。警告灯16は、例えば、点灯することによって制御装置5の異常(内部エラー)を利用者に警告する。アクチュエータ群4は、制御装置5によって制御される。 The actuator group 4 includes a plurality of actuators. The plurality of actuators provide a controller for adjusting the operating state of the power source 2. In this embodiment, the actuator group 4 includes a fuel pump (PUMP) 13, a fuel injection valve (INJC) 14, an ignition device (IGNT) 15, and a warning light (WRNL) 16. The fuel pump 13 pressurizes the fuel stored in the fuel tank. The fuel pump 13 is an electric motor pump or an electromagnetic plunger pump. The fuel pump 13 is controlled to appropriately pressurize the fuel. The fuel injection valve 14 supplies the fuel to the internal combustion engine by injecting the pressurized fuel. The fuel injection valve 14 is a solenoid valve. The fuel injection valve 14 can adjust the injection start timing, the injection end timing, the injection period, and/or the number of injections. The fuel injection valve 14 is controlled to regulate the fuel supply in the internal combustion engine. The ignition device 15 provides ignition by electric spark to the internal combustion engine. The ignition device 15 can adjust the ignition timing, the ignition period, and/or the amount of ignition energy. The ignition device 15 is controlled to adjust ignition in the internal combustion engine. The warning light 16 warns the user of an abnormality (internal error) of the control device 5 by lighting, for example. The actuator group 4 is controlled by the control device 5.

 動力源2が、電池と電動機とを含む場合、センサ群3およびアクチュエータ群4は、動力源2に適合した要素を含む。センサ群3は、例えば、電池および/または電動機の温度を検出する複数の温度センサ、電動機に流れる電流を検出する電流センサ、および、電池の電圧を検出する電圧センサを含むことができる。アクチュエータ群4は、例えば、電動機に供給する電力を制御するインバータ回路を含むことができる。 When the power source 2 includes a battery and an electric motor, the sensor group 3 and the actuator group 4 include elements suitable for the power source 2. The sensor group 3 can include, for example, a plurality of temperature sensors that detect the temperature of the battery and/or the electric motor, a current sensor that detects a current flowing through the electric motor, and a voltage sensor that detects the voltage of the battery. The actuator group 4 can include, for example, an inverter circuit that controls electric power supplied to the electric motor.

 制御装置5は、一般的なコンピュータとしての複数の構成要素を備える。これら構成要素は、単一のICパッケージの中に配置することができる。これに代えて、複数の構成要素は、複数のICパッケージに分散的に配置されてもよい。例えば、後述のCPU6をプロセッサコアとする単一のICパッケージの中に、後述のRAM(Random Access Memory)7、ROM(Read Only Memory)8、EEPROM(Electrically Erasable and Programmable Read Only Memory)10を配置してもよい。これに代えて、例えば、後述のCPU6をプロセッサコアとするICパッケージの中に、後述のRAM7、ROM8を配置し、別体の他のICパッケージの中に後述のEEPROM10を配置してもよい。 The control device 5 includes a plurality of components as a general computer. These components can be placed in a single IC package. Alternatively, the plurality of components may be distributedly arranged in the plurality of IC packages. For example, a RAM (Random Access Memory) 7, a ROM (Read Only Memory) 8, and an EEPROM (Electrically Erasable and Programmable ReadOnly) are arranged in a single IC package having a CPU 6 described below as a processor core. You may. Instead of this, for example, a RAM 7 and a ROM 8 described below may be arranged in an IC package having a CPU 6 described below as a processor core, and an EEPROM 10 described below may be arranged in another IC package separately provided.

 制御装置5は、典型的な要素として、プロセッサとしてのCPU6と、揮発性の記憶装置としてのRAM7と、不揮発性の記憶装置としてのROM8とを備える。RAM7は、CPU6のための一時記憶領域を提供する。ROM8は、CPU6のためのプログラム格納領域、および数値格納領域を提供する。ROM8は、繰り返して書き込みが可能であり、かつ、電源供給が失われても記憶内容が維持されるフラッシュROMである。ROM8は、EEPROM(Electrically Erasable and Programmable Read Only Memory)によって提供されている。ROM8は、制御システムのためのプログラムおよび数値のための記憶領域を提供する。さらに、ROM8が提供する記憶領域は、制御装置5の外部から書き換えが可能である。ROM8は、例えば、製造工程において、記憶領域を書き換えることを可能とする。ROM8は、例えば、市場において、記憶領域を書き換えることを可能とする。ROM8は、例えば、後述の外部機器20から記憶領域を書き換えることを可能とする。 The control device 5 includes a CPU 6 as a processor, a RAM 7 as a volatile storage device, and a ROM 8 as a non-volatile storage device as typical elements. The RAM 7 provides a temporary storage area for the CPU 6. The ROM 8 provides a program storage area for the CPU 6 and a numerical value storage area. The ROM 8 is a flash ROM that can be repeatedly written and whose stored contents are maintained even when power supply is lost. The ROM 8 is provided by an EEPROM (Electrically Erasable and Programmable Read Only Memory). The ROM 8 provides a storage area for programs and numerical values for the control system. Further, the storage area provided by the ROM 8 can be rewritten from outside the control device 5. The ROM 8 can rewrite the storage area in the manufacturing process, for example. The ROM 8 makes it possible to rewrite the storage area in the market, for example. The ROM 8 can rewrite the storage area from an external device 20 described later, for example.

 制御装置5は、バス回路9を有する。バス回路9は、センサ群3、アクチュエータ群4、および制御装置5を相互に接続する。この観点では、バス回路9は、I/Oバスを提供する。バス回路9は、さらに、制御装置5の内部において、CPU6、RAM7、およびROM8を相互に接続する。この観点では、バス回路9は、システムバスを提供する。バス回路9は、制御装置5の外部に対して直接的に接続可能である。バス回路9は、制御装置5と後述の外部機器20とを相互に接続する。バス回路9は、ROM8と外部機器20との直接的な接続を提供する。この直接的な接続は、制御装置5の外部からROM8の記憶データを書き換える、いわゆる外部書き換えを可能とする。この結果、この実施形態では、CPU6を経由することなくROM8の記憶データを書き換え可能である。 The control device 5 has a bus circuit 9. The bus circuit 9 connects the sensor group 3, the actuator group 4, and the control device 5 to each other. In this respect, the bus circuit 9 provides an I/O bus. The bus circuit 9 further connects the CPU 6, the RAM 7, and the ROM 8 to each other inside the control device 5. In this respect, the bus circuit 9 provides the system bus. The bus circuit 9 can be directly connected to the outside of the control device 5. The bus circuit 9 connects the control device 5 and an external device 20 described later to each other. The bus circuit 9 provides a direct connection between the ROM 8 and the external device 20. This direct connection enables so-called external rewriting, in which the data stored in the ROM 8 is rewritten from outside the control device 5. As a result, in this embodiment, the data stored in the ROM 8 can be rewritten without passing through the CPU 6.

 制御装置5は、不揮発性の記憶装置としてのEEPROM10を備える。ROM8が提供する記憶領域と、EEPROM10が提供する記憶領域とは、互いに異なる記憶領域である。EEPROM10は、バス回路9に接続されていない。EEPROM10は、バス回路9を経由することなく、CPU6に接続されている。すなわち、EEPROM10は、制御装置5の外部から直接的にEEPROM10の記憶データを書き換え可能ではない。 The control device 5 includes an EEPROM 10 as a non-volatile storage device. The storage area provided by the ROM 8 and the storage area provided by the EEPROM 10 are storage areas different from each other. The EEPROM 10 is not connected to the bus circuit 9. The EEPROM 10 is connected to the CPU 6 without passing through the bus circuit 9. That is, the EEPROM 10 cannot directly rewrite the data stored in the EEPROM 10 from outside the control device 5.

 ROM8と、EEPROM10とは、物理的に異なる記憶領域として提供されている。ROM8と、EEPROM10とは、例えば、異なる2つのICパッケージによって提供されている。ROM8と、EEPROM10とは、例えば、ひとつの半導体チップの上において物理的に離れた記憶領域によって提供されていてもよい。ROM8と、EEPROM10とは、例えば、共通のひとつのICパッケージの中において物理的に離れた記憶領域によって提供されていてもよい。 The ROM 8 and the EEPROM 10 are provided as physically different storage areas. The ROM 8 and the EEPROM 10 are provided by, for example, two different IC packages. The ROM 8 and the EEPROM 10 may be provided by physically separate storage areas on one semiconductor chip, for example. The ROM 8 and the EEPROM 10 may be provided by physically separate storage areas in one common IC package, for example.

 ROM8と、EEPROM10とは、バス回路9に対する接続関係に関して異なる記憶領域として提供されている。ROM8は、バス回路9に対して直接的に接続されている。EEPROM10は、CPU6を経由することによって、バス回路9に対して間接的に接続されている。ROM8は、外部書き換え可能な記憶領域を提供する。EEPROM10は、外部書き換えが不可能な記憶領域を提供する。なお、この「不可能」は、EEPROM10の記憶データの外部書き換えが完全に不可能であることを意味するものではない。制御装置5において想定された外部接続形態での書き換えが不可能であることを意味する。例えば、EEPROM10の物理端子に直接にアクセスすることは想定外である。 The ROM 8 and the EEPROM 10 are provided as different storage areas regarding the connection relationship with the bus circuit 9. The ROM 8 is directly connected to the bus circuit 9. The EEPROM 10 is indirectly connected to the bus circuit 9 via the CPU 6. The ROM 8 provides an externally rewritable storage area. The EEPROM 10 provides a storage area that cannot be externally rewritten. The "impossible" does not mean that the external storage of the data stored in the EEPROM 10 is completely impossible. This means that rewriting in the external connection mode assumed in the control device 5 is impossible. For example, it is unexpected to directly access the physical terminals of the EEPROM 10.

 機器システム1は、制御システムに対して着脱可能な外部機器(EXTL)20を含む。外部機器20は、ROM8の内容を操作することができる機器である。外部機器20は、CPU6を介してEEPROM10の内容を操作することができる機器である。外部機器20は、製造段階では、工場設備によって提供される。外部機器20は、市場では、診断システムによって提供される。診断システムは、機器システム1が健全であるか、不健全であるかを診断するために利用される。例えば、外部機器20は、制御システムにおける信号および/またはデータを取得する。外部機器20は、取得した信号および/またはデータを、診断のために提供する。外部機器20は、外部機器20の内部において、取得した信号および/またはデータと、正常な信号および/またはデータとを比較して、診断結果を出力する場合がある。これに代えて、外部機器20は、取得した信号および/またはデータを、作業者、および/または外部診断装置に提供する場合がある。 The device system 1 includes an external device (EXTL) 20 that is detachable from the control system. The external device 20 is a device capable of operating the contents of the ROM 8. The external device 20 is a device that can operate the contents of the EEPROM 10 via the CPU 6. The external device 20 is provided by factory equipment at the manufacturing stage. The external device 20 is provided by a diagnostic system on the market. The diagnostic system is used to diagnose whether the equipment system 1 is healthy or unhealthy. For example, the external device 20 acquires signals and/or data in the control system. The external device 20 provides the acquired signal and/or data for diagnosis. The external device 20 may compare the acquired signal and/or data with the normal signal and/or data inside the external device 20, and output a diagnostic result. Alternatively, the external device 20 may provide the acquired signal and/or data to an operator and/or an external diagnostic device.

 外部機器20が診断システムである場合、外部機器20は診断端末装置21を有する。診断端末装置21は、例えば、サービスステーションに設置されている。診断端末装置21は、機器システム1を点検または修理する作業者によって使用される。制御装置5と診断端末装置21とは、コネクタ22およびケーブル23を含む有線接続装置によって接続可能である。これに代えて、制御装置5と診断端末装置21とは、無線接続装置によって接続されてもよい。 When the external device 20 is a diagnostic system, the external device 20 has a diagnostic terminal device 21. The diagnostic terminal device 21 is installed in, for example, a service station. The diagnostic terminal device 21 is used by an operator who inspects or repairs the equipment system 1. The control device 5 and the diagnostic terminal device 21 can be connected by a wired connection device including a connector 22 and a cable 23. Alternatively, the control device 5 and the diagnostic terminal device 21 may be connected by a wireless connection device.

 診断端末装置21は、端末制御装置(CTRL)24と、内部記憶装置(STRG)25と、表示器(MNTR)26と、入力器(MNSW)27とを有する。内部記憶装置25は、ROMまたはRAMによって提供可能である。端末制御装置24は、EEPROM10に記憶されているデータを内部記憶装置25に一時記録する。端末制御装置24は、内部記憶装置25に記憶されたデータを表示器26に表示する。入力器27は、作業者の操作を検出し、検出信号を端末制御装置24に入力する。この実施形態では、入力器27は、履歴表示を要求する操作を検出し、この要求を端末制御装置24に出力する。 The diagnostic terminal device 21 has a terminal control device (CTRL) 24, an internal storage device (STRG) 25, a display device (MNTR) 26, and an input device (MNSW) 27. The internal storage device 25 can be provided by ROM or RAM. The terminal control device 24 temporarily records the data stored in the EEPROM 10 in the internal storage device 25. The terminal control device 24 displays the data stored in the internal storage device 25 on the display device 26. The input device 27 detects the operation of the operator and inputs a detection signal to the terminal control device 24. In this embodiment, the input device 27 detects an operation requesting history display and outputs the request to the terminal control device 24.

 制御装置5は、電子制御装置(ECU:Electronic Control Unit)とも呼ばれる。制御装置5は、(a)if-then-else形式と呼ばれる複数の論理としてのアルゴリズム、または(b)機械学習によってチューニングされた学習済みモデル、例えばニューラルネットワークとしてのアルゴリズムによって提供される。 The control device 5 is also called an electronic control device (ECU: Electronic Control Unit). The controller 5 is provided by (a) an algorithm as a plurality of logics called if-then-else form, or (b) a trained model tuned by machine learning, for example, an algorithm as a neural network.

 制御装置5は、少なくともひとつのコンピュータを含む。制御装置5は、データ通信装置によってリンクされた複数のコンピュータを含む場合がある。コンピュータは、ハードウェアである少なくともひとつのプロセッサ(ハードウェアプロセッサ)を含む。ハードウェアプロセッサは、下記(i)、(ii)、または(iii)により提供することができる。 The control device 5 includes at least one computer. Controller 5 may include multiple computers linked by a data communication device. The computer includes at least one processor (hardware processor) that is hardware. The hardware processor can be provided by (i), (ii), or (iii) below.

 (i)ハードウェアプロセッサは、少なくともひとつのメモリに格納されたプログラムを実行する少なくともひとつのプロセッサコアである場合がある。この場合、コンピュータは、少なくともひとつのメモリと、少なくともひとつのプロセッサコアとによって提供される。プロセッサコアは、CPU:Central Processing Unit、GPU:Graphics Processing Unit、RISC-CPUなどと呼ばれる。メモリは、記憶媒体とも呼ばれる。メモリは、プロセッサによって読み取り可能な「プログラムおよび/またはデータ」を非一時的に格納する非遷移的かつ実体的な記憶媒体である。記憶媒体は、半導体メモリ、磁気ディスク、または光学ディスクなどによって提供される。プログラムは、それ単体で、またはプログラムが格納された記憶媒体として流通する場合がある。 (I) The hardware processor may be at least one processor core that executes a program stored in at least one memory. In this case, the computer is provided with at least one memory and at least one processor core. The processor core is called CPU: Central Processing Unit, GPU: Graphics Processing Unit, RISC-CPU, etc. The memory is also called a storage medium. A memory is a non-transitional and tangible storage medium that stores "programs and/or data" readable by a processor in a non-transitory manner. The storage medium is provided by a semiconductor memory, a magnetic disk, an optical disk, or the like. The program may be distributed by itself or as a storage medium in which the program is stored.

 (ii)ハードウェアプロセッサは、ハードウェア論理回路である場合がある。この場合、コンピュータは、プログラムされた多数の論理ユニット(ゲート回路)を含むデジタル回路によって提供される。デジタル回路は、ロジック回路アレイ、例えば、ASIC:Application-Specific Integrated Circuit、FPGA:Field Programmable Gate Array、PGA:Programmable Gate Array、CPLD:Complex Programmable Logic Deviceなどとも呼ばれる。デジタル回路は、プログラムおよび/またはデータを格納したメモリを備える場合がある。コンピュータは、アナログ回路によって提供される場合がある。コンピュータは、デジタル回路とアナログ回路との組み合わせによって提供される場合がある。 (Ii) The hardware processor may be a hardware logic circuit. In this case, the computer is provided by a digital circuit including a large number of programmed logic units (gate circuits). The digital circuit is a logic circuit array, for example, ASIC: Application-Specific Integrated Circuit, FPGA: Field Programmable Gate Array, PGA: Programmable Gate Array, CPLD: Complex Programmable, etc. The digital circuit may include a memory that stores programs and/or data. The computer may be provided by analog circuitry. The computer may be provided by a combination of digital circuits and analog circuits.

 (iii)ハードウェアプロセッサは、上記(i)と上記(ii)との組み合わせである場合がある。(i)と(ii)とは、異なるチップの上、または共通のチップの上に配置される。これらの場合、(ii)の部分は、アクセラレータとも呼ばれる。 The (iii) hardware processor may be a combination of the above (i) and the above (ii). (I) and (ii) are arranged on different chips or on a common chip. In these cases, the part (ii) is also called an accelerator.

 制御装置と信号源と制御対象物とは、多様な要素を提供する。それらの要素の少なくとも一部は、ブロック、モジュール、またはセクションと呼ぶことができる。さらに、制御システムに含まれる要素は、意図的な場合にのみ、機能的な手段と呼ばれる。 -The control device, signal source, and controlled object provide various elements. At least some of these elements can be referred to as blocks, modules, or sections. Furthermore, elements included in the control system are referred to as functional means only if they are intentional.

 この開示に記載の制御部及びその手法は、コンピュータプログラムにより具体化された一つ乃至は複数の機能を実行するようにプログラムされたプロセッサ及びメモリーを構成することによって提供された専用コンピュータにより、実現されてもよい。代替的に、この開示に記載の制御部及びその手法は、一つ以上の専用ハードウエア論理回路によってプロセッサを構成することによって提供された専用コンピュータにより、実現されてもよい。代替的に、この開示に記載の制御部及びその手法は、一つ乃至は複数の機能を実行するようにプログラムされたプロセッサ及びメモリーと一つ以上のハードウエア論理回路によって構成されたプロセッサとの組み合わせにより構成された一つ以上の専用コンピュータにより、実現されてもよい。また、コンピュータプログラムは、コンピュータにより実行されるインストラクションとして、コンピュータ読み取り可能な非遷移有形記録媒体に記憶されていてもよい。 The control unit and the method described in this disclosure are realized by a dedicated computer provided by configuring a processor and a memory programmed to execute one or a plurality of functions embodied by a computer program. May be done. Alternatively, the control unit and the method described in this disclosure may be realized by a dedicated computer provided by configuring a processor with one or more dedicated hardware logic circuits. Alternatively, the controller and method described in this disclosure may include a processor and memory programmed to perform one or more functions and a processor configured with one or more hardware logic circuits. It may be realized by one or more dedicated computers configured by combination. Further, the computer program may be stored in a computer-readable non-transition tangible recording medium as an instruction executed by the computer.

 <記憶されるデータ>
 ROM8は、プログラム領域(PRGM)31を有する。プログラム領域31は、制御システムのためのプログラムを記憶する。プログラム領域31は、例えば、燃料噴射プログラム、および点火タイミングプログラムを記憶する。ROM8は、数値領域(VLDT)32を有する。数値領域32は、制御システムのための数値を記憶する。数値領域32は、例えば、内燃機関の負荷に対する燃料噴射量を規定するマップ、および内燃機関の回転数に対する点火時期の規定するマップを記憶する。 <Stored data>
The ROM 8 has a program area (PRGM) 31. The program area 31 stores a program for the control system. The program area 31 stores, for example, a fuel injection program and an ignition timing program. The ROM 8 has a numerical area (VLDT) 32. The numerical area 32 stores numerical values for the control system. The numerical area 32 stores, for example, a map that defines the fuel injection amount with respect to the load of the internal combustion engine and a map that defines the ignition timing with respect to the rotation speed of the internal combustion engine.

 ROM8が外部書き換えされる場合、例えば、プログラム領域31の一部である書換領域(REWR)33のデータが書き換えられる。ROM8が外部書き換えされる場合、例えば、数値領域32の一部である書換領域(REWR)34のデータが書き換えられる。 When the ROM 8 is externally rewritten, for example, the data in the rewriting area (REWR) 33 which is a part of the program area 31 is rewritten. When the ROM 8 is externally rewritten, for example, the data in the rewriting area (REWR) 34 which is a part of the numerical value area 32 is rewritten.

 ROM8は、検査データを格納するための領域を有する。検査データは、ROM8自身の記憶データの誤り検査に利用される。ROM8の記憶データに誤りがある場合、制御装置5の異常(内部エラー)として扱われる。「誤り検査」の機能は、ハードウェアにより、または、ソフトウェアにより実装することができる。この明細書における「誤り検査」の語は、広義に解釈されるべきである。「誤り検査」は、「検査対象である記憶領域」から所定の算出方式によって算出値を算出する。「誤り検査」は、算出値と、基準値とを比較し、記憶データの誤りを検出する。「誤り検査」は、「誤り検出符号」を利用して記憶データの誤りを検査する。この実施形態では、「誤り検出符号」として、チェックサムが利用される。「誤り検出符号」として、垂直パリティ、および/または水平パリティが利用されてもよい。「誤り検出符号」として、ハッシュ関数が利用されてもよい。「誤り検出符号」として、MD5(Message Digest Algorithm 5)などと呼ばれる暗号学的ハッシュ関数が利用されてもよい。「誤り検出符号」として、CRC(Cyclic Redundancy Check)と呼ばれる巡回冗長検査が利用されてもよい。 ROM 8 has an area for storing inspection data. The check data is used for error check of the data stored in the ROM 8 itself. If the stored data in the ROM 8 has an error, it is treated as an abnormality (internal error) of the control device 5. The "error checking" function can be implemented by hardware or by software. The term "error checking" in this specification should be interpreted broadly. The "error check" calculates a calculated value from the "storage area to be checked" by a predetermined calculation method. The "error check" compares a calculated value with a reference value to detect an error in stored data. The "error check" uses the "error detection code" to check the stored data for errors. In this embodiment, a checksum is used as the "error detection code". Vertical parity and/or horizontal parity may be used as the “error detection code”. A hash function may be used as the “error detection code”. A cryptographic hash function called MD5 (Message Digest Algorithm 5) or the like may be used as the “error detection code”. As the "error detection code", a cyclic redundancy check called CRC (Cyclic Redundancy Check) may be used.

 この明細書における「チェックサム」の語は、広義に解釈されるべきである。この実施形態では、「チェックサム」は、「検査対象である記憶領域」の記憶データの総和の中のいくつかのバイトを算出値として算出する方式である。「チェックサム」は、上記総和を所定の定数で割った余り(余剰)を算出値とする方式でもよい。「チェックサム」は、上記総和を算出値とする方式でもよい。この実施形態では、「検査対象である記憶領域」は、ROM8のすべての記憶領域である。「検査対象である記憶領域」は、ROM8の中の一部の記憶領域でもよい。 The term "checksum" in this specification should be interpreted in a broad sense. In this embodiment, the "checksum" is a method of calculating some bytes in the total sum of the storage data of the "storage area to be inspected" as the calculation value. The “checksum” may be a method in which the calculated value is the remainder (surplus) obtained by dividing the above total sum by a predetermined constant. The “checksum” may be a method in which the above sum is used as a calculated value. In this embodiment, the “storage area to be inspected” is all the storage areas of the ROM 8. The “storage area to be inspected” may be a partial storage area in the ROM 8.

 ROM8は、検査データとして、2つのデータを記憶している。検査データは、基準値としてのチェックサム値(SUM-CHK)を記憶するチェックサム領域35を含む。検査データは、差分値としてのサム調整値(SUM-ADJ)を記憶するサム調整値領域36を含む。チェックサム値は、初期値としての基準値である。チェックサム値は、例えば、初期モデルのROM8に記憶された全データのチェックサム値である。サム調整値は、算出値と基準値との差(サム調整値=算出値-基準値)に相当する。サム調整値として記憶されたデータは、「チェックサム」の対象でもあるから、算出値を変化させる。基準値と等しい算出値が算出されるように、サム調整値は設定されている。 The ROM 8 stores two data as inspection data. The inspection data includes a checksum area 35 that stores a checksum value (SUM-CHK) as a reference value. The inspection data includes a sum adjustment value area 36 that stores a sum adjustment value (SUM-ADJ) as a difference value. The checksum value is a reference value as an initial value. The checksum value is, for example, the checksum value of all data stored in the ROM 8 of the initial model. The sum adjustment value corresponds to the difference between the calculated value and the reference value (sum adjustment value=calculated value−reference value). Since the data stored as the sum adjustment value is also the target of the "checksum", the calculated value is changed. The sum adjustment value is set so that a calculated value equal to the reference value is calculated.

 ROM8は、ソフトスイッチ領域(SFSW)37を有する。ソフトスイッチ領域37は、制御システムの挙動を切り替えるための数値を記憶する。ソフトスイッチ領域37は、内部エラースイッチ値(INT-E/D)を記憶する内部エラー領域38を有する。内部エラースイッチ値は、ROM8を含む制御装置5の検査の有効または無効を設定するための情報を含む。内部エラースイッチ値は、ROM8を含む制御装置5の検査それ自体を実行するか否か、すなわち有効または無効を選択するためのスイッチビットを含む。さらに、内部エラースイッチ値は、ROM8を含む制御装置5の異常(内部エラー)が検出された場合の対策処理の有効または無効を選択するためのスイッチビットを含む。ここで、「検査の有効または無効」の語は、検査の実行そのものを許容または阻害する場合と、検査の結果が異常である場合に実行される対策処理を許容または阻害する場合とを含む。 ROM 8 has a soft switch area (SFSW) 37. The soft switch area 37 stores a numerical value for switching the behavior of the control system. The soft switch area 37 has an internal error area 38 for storing an internal error switch value (INT-E/D). The internal error switch value includes information for setting validity or invalidity of the inspection of the control device 5 including the ROM 8. The internal error switch value includes a switch bit for selecting whether to execute the check itself of the control unit 5 including the ROM 8, that is, enable or disable. Further, the internal error switch value includes a switch bit for selecting valid or invalid of the countermeasure process when an abnormality (internal error) of the control device 5 including the ROM 8 is detected. Here, the term “validation or invalidation of inspection” includes a case where the execution of the inspection itself is permitted or hindered, and a case where the countermeasure process executed when the result of the test is abnormal is permitted or hindered.

 内部エラー領域38は、ROM8の検査それ自体の有効/無効を設定する。内部エラー領域38に含まれる所定ビットの1/0は、例えば、検査そのものの有効/無効に対応付けられる。内部エラー領域38は、ROM8の記憶データに誤りが検出された場合に利用可能な対策処理の有効/無効を設定する。内部エラー領域38に含まれる所定ビットの1/0は、例えば、対策処理の有効/無効に対応付けられる。対策処理は、「起動の禁止/許可」、「警告灯の点灯/消灯」、および/または、「内燃機関の機能の無制限/制限」によって提供することができる。「内燃機関の機能の制限/無制限」は、例えば、「燃料噴射量の制限/無制限」、「点火進角の制限/無制限」、「回転数の制限/無制限」、「乗り物の速度の制限/無制限」によって提供される。この実施形態では、内部エラー領域38は、ROM8の誤りが検出された場合の警告灯16の点灯/消灯を設定する。 The internal error area 38 sets validity/invalidity of the inspection itself of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with, for example, the validity/invalidity of the inspection itself. The internal error area 38 sets valid/invalid of the countermeasure process that can be used when an error is detected in the storage data of the ROM 8. 1/0 of the predetermined bit included in the internal error area 38 is associated with the valid/invalid of the countermeasure process, for example. The countermeasure process can be provided by "prohibition/permission of start", "lighting/extinguishing of warning light", and/or "unlimited/limited function of internal combustion engine". "Limitation/unrestricted function of internal combustion engine" means, for example, "restricted/unlimited fuel injection amount", "restricted/unlimited ignition angle", "restricted/unlimited rotational speed", "restricted/limited vehicle speed". Provided by "Unlimited". In this embodiment, the internal error area 38 sets turning on/off of the warning lamp 16 when an error in the ROM 8 is detected.

 EEPROM10は、複数の履歴データLOG(i=0~n)を記憶する履歴領域41を有する。iは、離散系における番号を示す。iは、整数である。例えば、(i)は現在のデータを示し、(i-1)は前のデータを示し、(i+1)は後のデータを示す。nは、履歴データの数の最大値である。ここでは、nは、市場での標準的なバージョンアップ回数より大きく設定されている。なお、履歴領域41は、所定個数の履歴データLOG(i)を記憶する。履歴データLOG(i)は、先入れ先出し方式によって記憶されてもよい。 The EEPROM 10 has a history area 41 that stores a plurality of history data LOG (i=0 to n). i indicates the number in the discrete system. i is an integer. For example, (i) shows the present data, (i-1) shows the previous data, and (i+1) shows the latter data. n is the maximum value of the number of history data. Here, n is set to be larger than the standard number of version upgrades in the market. The history area 41 stores a predetermined number of history data LOG(i). The history data LOG(i) may be stored by a first-in first-out method.

 ひとつの履歴データLOG(i)は、サム調整値領域36に関する履歴データと、内部エラー領域38に関する履歴データとの両方を含む。以下の説明では、サム調整値領域36に関する履歴データは、サム履歴LOG(i)ADJと呼ばれる。内部エラー領域38に関する履歴データは、スイッチ履歴LOG(i)E/Dと呼ばれる。 One history data LOG(i) includes both history data regarding the sum adjustment value area 36 and history data regarding the internal error area 38. In the following description, the history data regarding the sum adjustment value area 36 is referred to as a sum history LOG(i)ADJ. The history data regarding the internal error area 38 is called a switch history LOG(i)E/D.

 複数の履歴データLOG(1)~LOG(n)は、順に、蓄積的に記憶される。サム調整値領域36または内部エラー領域38のいずれか一方が変更されていることが判定されると、ひとつの履歴データLOG(i)が蓄積的に記録される。判定は、2つの照合を含む。ひとつの照合は、ROM8におけるサム調整値SUM-ADJと、EEPROM10における直前のサム履歴LOG(i-1)ADJとの照合によって実行される。ひとつの照合は、ROM8における内部エラースイッチ値INT-E/Dと、EEPROM10における直前のスイッチ履歴LOG(i-1)E/Dとの照合によって実行される。判定は、動力源2が起動される場合、または制御装置5がパワーオンリセットされる場合に実行される。 A plurality of history data LOG(1) to LOG(n) are sequentially stored cumulatively. When it is determined that either the sum adjustment value area 36 or the internal error area 38 has been changed, one history data LOG(i) is cumulatively recorded. The decision includes two matches. One comparison is performed by comparing the sum adjustment value SUM-ADJ in the ROM 8 with the immediately previous sum history LOG(i-1)ADJ in the EEPROM 10. One comparison is performed by comparing the internal error switch value INT-E/D in the ROM 8 with the immediately previous switch history LOG(i-1)E/D in the EEPROM 10. The determination is performed when the power source 2 is activated or when the control device 5 is power-on reset.

 図示のように履歴領域41が複数の履歴データLOG(i=0~n)を記憶する場合、最初の履歴データLOG(0)は、初期値である。履歴データLOG(0)は、例えば、工場出荷時におけるサム調整値SUM-ADJおよび内部エラースイッチ値INT-E/Dの両方が記録されている。 When the history area 41 stores a plurality of history data LOGs (i=0 to n) as shown in the figure, the first history data LOG(0) is an initial value. As the history data LOG(0), for example, both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D at the time of factory shipment are recorded.

 正当であると不正であるとを問わず、ROM8の外部書き換えによってサム調整値領域36または内部エラー領域38が変更されることがある。制御装置5は、上記変更を検出すると、履歴データLOG(1)をEEPROM10に蓄積的に書き込む。蓄積的な記憶処理は、サム調整値領域36または内部エラー領域38のいずれか一方が変更されるたびに繰り返される。この繰り返しによって履歴データLOG(i=1~n)が順に追加される。 The sum adjustment value area 36 or the internal error area 38 may be changed by external rewriting of the ROM 8 regardless of whether it is legal or illegal. When the controller 5 detects the change, the controller 5 cumulatively writes the history data LOG(1) in the EEPROM 10. The cumulative storage process is repeated each time either the sum adjustment value area 36 or the internal error area 38 is changed. By repeating this, history data LOG (i=1 to n) is sequentially added.

 診断端末装置21は、EEPROM10の履歴データLOG(i=0~n)を表示器26に表示する。図示の例では、表示器26に履歴領域41と同じ文字列42が表示されている。 The diagnostic terminal device 21 displays the history data LOG (i=0 to n) of the EEPROM 10 on the display 26. In the illustrated example, the same character string 42 as the history area 41 is displayed on the display 26.

 <初期設定処理>
 図2は、制御装置5の製造段階における初期設定処理150を示す。初期設定処理150は、ROM8に工場出荷データを設定する処理を含む。図示された初期設定処理150は、EEPROM10に工場出荷データを設定する処理を含む。初期設定処理150は、外部機器20としての工場設備によって実行される。 <Initial setting processing>
FIG. 2 shows an initial setting process 150 in the manufacturing stage of the control device 5. The initial setting process 150 includes a process of setting factory shipping data in the ROM 8. The illustrated initial setting process 150 includes a process of setting factory shipment data in the EEPROM 10. The initial setting process 150 is executed by factory equipment as the external device 20.

 外部機器20は、ステップ151では、ROM8に工場出荷データを書き込む。工場出荷データは、いわゆる初期値である。外部機器20は、ステップ152では、プログラム領域31と、数値領域32とに初期値を書き込む。外部機器20は、ステップ153では、チェックサム領域35と、サム調整値領域36とに初期値を書き込む。外部機器20は、ステップ154では、内部エラー領域38に初期値を書き込む。 The external device 20 writes factory shipment data in the ROM 8 in step 151. The factory shipment data are so-called initial values. In step 152, the external device 20 writes initial values in the program area 31 and the numerical area 32. In step 153, the external device 20 writes initial values in the checksum area 35 and the sum adjustment value area 36. In step 154, the external device 20 writes the initial value in the internal error area 38.

 外部機器20は、ステップ155では、CPU6を経由してEEPROM10に工場出荷データを書き込む。外部機器20は、ステップ156では、EEPROM10に初期値を書き込む。初期値は、サム履歴LOG(0)ADJと、スイッチ履歴LOG(0)E/Dとの両方を含む。 The external device 20 writes factory shipment data to the EEPROM 10 via the CPU 6 in step 155. In step 156, the external device 20 writes the initial value in the EEPROM 10. The initial value includes both the sum history LOG(0)ADJ and the switch history LOG(0)E/D.

 初期設定処理150の後、制御装置5は、動力源2などと組み合わせられ、機器システム1として市場に供給される。制御装置5は、市場に供給された後、後述する複数の処理を実行することにより外部書換を検出するための装置を提供する。 After the initial setting processing 150, the control device 5 is combined with the power source 2 and the like and supplied to the market as the device system 1. The control device 5 provides a device for detecting external rewriting by executing a plurality of processes described below after being supplied to the market.

 この実施形態では、ステップ155が外部機器20によって実行される。これに代えて、ステップ155は、後述のステップ186において、制御装置5によって実行されてもよい。この場合、EEPROM10に記録されるすべての履歴データは、自動的に蓄積される。 In this embodiment, step 155 is executed by the external device 20. Alternatively, step 155 may be executed by the controller 5 in step 186 described below. In this case, all history data recorded in the EEPROM 10 is automatically stored.

 <書き換え処理>
 図3は、書き換え処理160を示す。書き換え処理160は、多くの場合、制御装置5を市場に出荷した後に実施される。書き換え処理160は、稀に、制御装置5を市場に出荷する前の段階において工場内で実施される場合がある。書き換え処理160は、正当な外部機器20、または不正な外部機器20によって実行される。 <Rewriting process>
FIG. 3 shows the rewriting process 160. The rewriting process 160 is often performed after the control device 5 is shipped to the market. The rewriting process 160 may be rarely performed in the factory before the controller 5 is shipped to the market. The rewriting process 160 is executed by the legitimate external device 20 or the unauthorized external device 20.

 外部機器20は、ステップ161では、ROM8に新たな書き換え値を書き込む。外部機器20は、ステップ162では、プログラム領域31と、数値領域32とに新たなデータを書き込む。外部機器20は、ステップ163では、サム調整値領域36に新たなデータを書き込む。ここでは、チェックサム領域35の値は変更されない。これにより、書換領域33、34のデータが書き換えられても、チェックサムに基づく検査によってROM8の異常が検出されることがない。不正な書き換えである場合、サム調整値領域36は、チェックサムに基づき検査機能を騙すために書き換えられるといえる。外部機器20は、ステップ164では、内部エラー領域38に新たなデータを書き込む。内部エラー領域38は、検査の有効または無効を設定するために書き換えられる。内部エラー領域38の書き換えのひとつの用途は、検査そのものの実行または非実行を設定することである。内部エラー領域38の書き換えの他のひとつの用途は、書換領域33、34を書き換えることに伴って生じる対策処理を無効化、または無力化することである。 The external device 20 writes a new rewrite value in the ROM 8 in step 161. In step 162, the external device 20 writes new data in the program area 31 and the numerical area 32. In step 163, the external device 20 writes new data in the sum adjustment value area 36. Here, the value of the checksum area 35 is not changed. As a result, even if the data in the rewriting areas 33 and 34 is rewritten, the abnormality of the ROM 8 is not detected by the checksum based inspection. In the case of illegal rewriting, it can be said that the sum adjustment value area 36 is rewritten in order to trick the inspection function based on the checksum. In step 164, the external device 20 writes new data in the internal error area 38. The internal error area 38 is rewritten to set whether the inspection is valid or invalid. One use of rewriting the internal error area 38 is to set the execution or non-execution of the inspection itself. Another use of rewriting the internal error area 38 is to invalidate or disable the countermeasure processing that occurs when the rewriting areas 33 and 34 are rewritten.

 <検査処理>
 図4は、制御装置5によって実行されるROM8の検査処理170を示す。制御装置5は、ステップ171では、ROM8のチェックタイミングが到来したか否かを判定する。チェックタイミングは、例えば、動力源2が起動されるとき、制御装置5がパワーオンリセットされるときなどである。チェックタイミングではない場合(NO)、以下の処理はスキップされる。チェックタイミングである場合(YES)、処理はステップ172へ進む。 <Inspection process>
FIG. 4 shows the inspection process 170 of the ROM 8 executed by the control device 5. In step 171, the control device 5 determines whether or not the check timing of the ROM 8 has arrived. The check timing is, for example, when the power source 2 is activated or when the control device 5 is power-on reset. If it is not the check timing (NO), the following processing is skipped. If it is the check timing (YES), the process proceeds to step 172.

 さらに、制御装置5は、ステップ171では、内部エラースイッチ値INT-E/Dによって検査処理170自体が許容されているか否かを判定する。内部エラースイッチ値INT-E/Dによって検査処理170それ自身が許容されている場合(YES)、処理は、ステップ172へ進む。内部エラースイッチ値INT-E/Dによって検査処理170それ自身が許容されている場合(NO)、以下の処理(ステップ172-177)はスキップされる。 Further, in step 171, the control device 5 determines whether or not the inspection processing 170 itself is permitted by the internal error switch value INT-E/D. If the inspection process 170 itself is permitted by the internal error switch value INT-E/D (YES), the process proceeds to step 172. When the inspection process 170 itself is permitted by the internal error switch value INT-E/D (NO), the following process (steps 172-177) is skipped.

 制御装置5は、ステップ172では、ROM8に対するチェックサムを計算する。制御装置5は、ROM8のすべての記憶領域から、設定されたチェックサム方式によって算出値SUMRを計算する。制御装置5は、ステップ173では、ROM8から、基準値としてのチェックサム値SUM-CHKを読み出す。 The controller 5 calculates a checksum for the ROM 8 in step 172. The control device 5 calculates the calculated value SUMR from all the storage areas of the ROM 8 by the set checksum method. In step 173, the control device 5 reads the checksum value SUM-CHK as the reference value from the ROM 8.

 制御装置5は、ステップ174では、算出値SUMRが、チェックサム値SUM-CHKと等しいか否かを判定する。算出値SUMRが、チェックサム値SUM-CHKと等しい場合(YES)、ROM8の検査結果は正常である。この場合、処理は、ステップ175へ進む。算出値SUMRが、チェックサム値SUM-CHKと等しくない場合(NO)、ROM8の検査結果は異常(内部エラー)である。この場合、処理は、ステップ176へ進む。ステップ174は、調整値を含むメモリの記憶データから計算されたチェックサム値と予め定められた基準値とが等しいか否かによってROM8が正常か異常かを判定するチェックサム判定部を提供する。 The controller 5 determines in step 174 whether the calculated value SUMR is equal to the checksum value SUM-CHK. When the calculated value SUMR is equal to the checksum value SUM-CHK (YES), the inspection result of the ROM 8 is normal. In this case, the process proceeds to step 175. When the calculated value SUMR is not equal to the checksum value SUM-CHK (NO), the inspection result of the ROM 8 is abnormal (internal error). In this case, the process proceeds to step 176. Step 174 provides a checksum determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the checksum value calculated from the memory storage data including the adjustment value is equal to a predetermined reference value.

 制御装置5は、ステップ175では、プログラムまたは数値は、正常範囲であるか否かを判定する。プログラムまたは数値が正常範囲である場合(YES)、ROM8の検査結果は正常である。この場合、以下の処理はスキップされる。プログラムまたは数値が正常範囲ではない場合(NO)、ROM8の検査結果は異常(内部エラー)である。この場合、ステップ176へ進む。ステップ175は、プログラムおよび/または数値が、正常範囲にあるか否かによってROM8が正常か異常かを判定する内部エラー判定部を提供する。正常範囲は、機器システム1の正常な機能を維持することができる範囲として予め設定されている。例えば、正常範囲は、内燃機関の上限回転数を規定する。例えば、数値領域32が上限回転数を上回る場合、ステップ175における判定は、NOに分岐する。 The controller 5 determines in step 175 whether the program or the numerical value is within the normal range. When the program or the numerical value is within the normal range (YES), the inspection result of the ROM 8 is normal. In this case, the following processing is skipped. When the program or the numerical value is not within the normal range (NO), the inspection result of the ROM 8 is abnormal (internal error). In this case, the process proceeds to step 176. Step 175 provides an internal error determination unit that determines whether the ROM 8 is normal or abnormal depending on whether the program and/or the numerical value are within the normal range. The normal range is preset as a range in which the normal function of the device system 1 can be maintained. For example, the normal range defines the upper limit engine speed of the internal combustion engine. For example, when the numerical value region 32 exceeds the upper limit rotation speed, the determination in step 175 branches to NO.

 制御装置5は、ステップ176では、内部エラースイッチ値INT-E/Dを検査する。内部エラースイッチ値INT-E/Dによって所定の対策処理が許容されている場合(YES)、ステップ177へ進む。内部エラースイッチ値INT-E/Dによって所定の対策処理が許容されていない場合(NO)、以下の処理はスキップされる。この場合、ROM8の異常(内部エラー)が検出されているのに、対策処理が実行されない。ステップ176は、チェックサムによってROM8の異常が判定された場合に、スイッチ値によって対策処理の有効または無効を判定する内部スイッチ判定部を提供する。ステップ176は、内部エラー判定部によってROM8の異常が判定された場合に、スイッチ値によって対策処理の有効または無効を判定する内部スイッチ判定部を提供する。 The control device 5 inspects the internal error switch value INT-E/D in step 176. When the predetermined countermeasure process is permitted by the internal error switch value INT-E/D (YES), the process proceeds to step 177. When the predetermined countermeasure process is not permitted by the internal error switch value INT-E/D (NO), the following process is skipped. In this case, although the abnormality (internal error) of the ROM 8 is detected, the countermeasure process is not executed. Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determines that the ROM 8 is abnormal. Step 176 provides an internal switch determination unit that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the ROM 8 is abnormal.

 制御装置5は、ステップ177では、予め設定された対策処理を実行する。この実施形態では、ROM8の異常(内部エラー)が検出されていることを示す警告灯16が点灯される。これにより、利用者は機器システム1の異常を知ることができる。 At step 177, the control device 5 executes a preset countermeasure process. In this embodiment, the warning lamp 16 indicating that the abnormality (internal error) of the ROM 8 is detected is turned on. This allows the user to know the abnormality of the device system 1.

 <履歴処理>
 図5は、制御装置5によって実行される履歴処理180を示す。制御装置5は、ステップ181では、動力源2が起動されるか否かを判定する。この実施形態では、動力源2が起動されるたびに履歴処理が実行される。動力源2が起動されるとき、制御装置5はパワーオンリセットによって起動される。この実施形態では、履歴処理180によって提供される履歴記録器が起動されるたびに、後述の第1判定部および第2判定部による判定を実行するように構成されている。動力源2が内燃機関を含む場合、ステップ181の処理は、イグニッションスイッチがOFFからONに切り替えられたことを検出する処理によって提供される。動力源2が起動される場合、処理はステップ182へ進む。動力源2が起動されない場合、以下の処理はスキップされる。 <History processing>
FIG. 5 shows a history process 180 executed by the control device 5. In step 181, the control device 5 determines whether or not the power source 2 is activated. In this embodiment, the history process is executed every time the power source 2 is activated. When the power source 2 is activated, the control device 5 is activated by a power-on reset. In this embodiment, each time the history recorder provided by the history processing 180 is activated, the determination by the first determination unit and the second determination unit, which will be described later, is performed. When the power source 2 includes an internal combustion engine, the process of step 181 is provided by the process of detecting that the ignition switch has been switched from OFF to ON. If the power source 2 is activated, the process proceeds to step 182. When the power source 2 is not activated, the following processing is skipped.

 制御装置5は、ステップ182では、ROM8からサム調整値SUM-ADJと、内部エラースイッチ値INT-E/Dとを読み出す。制御装置5は、ステップ183では、EEPROM10から現在の履歴データLOG(i)を読み出す。現在の履歴データLOG(i)は、最後に履歴領域41に記憶されたデータである。履歴データLOG(i)は、サム履歴LOG(i)ADJと、スイッチ履歴LOG(i)E/Dとを含む。 At step 182, the control device 5 reads the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D from the ROM 8. In step 183, the control device 5 reads the current history data LOG(i) from the EEPROM 10. The current history data LOG(i) is the last data stored in the history area 41. The history data LOG(i) includes a sum history LOG(i)ADJ and a switch history LOG(i)E/D.

 制御装置5は、ステップ184では、ROM8に記憶されているサム調整値SUM-ADJと、EEPROM10に記憶されている現在のサム履歴LOG(i)ADJとが等しいか否かを判定する。サム調整値SUM-ADJとサム履歴LOG(i)ADJとが等しい場合(YES)、処理は、ステップ185へ進む。サム調整値SUM-ADJとサム履歴LOG(i)ADJとが等しくない場合(NO)、処理は、ステップ186へ進む。ステップ184は、ROM8に記憶されている調整値と、最新の履歴(LOG(i))に含まれる履歴調整値とが等しいか否かを判定する第1判定部を提供する。 In step 184, the control device 5 determines whether or not the sum adjustment value SUM-ADJ stored in the ROM 8 and the current sum history LOG(i)ADJ stored in the EEPROM 10 are equal. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are equal (YES), the process proceeds to step 185. If the sum adjustment value SUM-ADJ and the sum history LOG(i)ADJ are not equal (NO), the process proceeds to step 186. Step 184 provides a first determination unit that determines whether or not the adjustment value stored in the ROM 8 is equal to the history adjustment value included in the latest history (LOG(i)).

 制御装置5は、ステップ185では、ROM8に記憶されている内部エラースイッチ値INT-E/Dと、EEPROM10に記憶されている現在の履歴データLOG(i)E/Dとが等しいか否かを判定する。内部エラースイッチ値INT-E/Dと履歴データLOG(i)E/Dとが等しい場合(YES)、処理は、終了する。内部エラースイッチ値INT-E/Dと履歴データLOG(i)E/Dとが等しくない場合(NO)、処理は、ステップ186へ進む。ステップ185は、ROM8に記憶されているスイッチ値と、最新の履歴(LOG(i))に含まれる履歴スイッチ値とが等しいか否かを判定する第2判定部を提供する。 In step 185, the control device 5 determines whether the internal error switch value INT-E/D stored in the ROM 8 is equal to the current history data LOG(i)E/D stored in the EEPROM 10. judge. If the internal error switch value INT-E/D and the history data LOG(i)E/D are equal (YES), the process ends. If the internal error switch value INT-E/D and the history data LOG(i)E/D are not equal (NO), the process proceeds to step 186. Step 185 provides a second determination unit that determines whether or not the switch value stored in the ROM 8 is equal to the history switch value included in the latest history (LOG(i)).

 この結果、制御装置5は、ステップ184またはステップ185のいずれか一方において否定的に判定された場合、ステップ186を実行する。制御装置5は、ステップ184およびステップ185の両方において肯定的に判定された場合、ステップ186を実行しない。制御装置5は、ステップ186では、ROM8に記憶されているサム調整値SUM-ADJと内部エラースイッチ値INT-E/Dとの両方を、最新の履歴データLOG(i+1)としてEEPROM10に書き込む。ステップ186は、第1判定部184または第2判定部185のいずれかにおいて否定的に判定された場合に、調整値およびスイッチ値を履歴として記録する記録部を提供する。 As a result, the control device 5 executes step 186 when a negative determination is made in either step 184 or step 185. The controller 5 does not execute the step 186 when the determinations in both the step 184 and the step 185 are positive. In step 186, the control device 5 writes both the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D stored in the ROM 8 into the EEPROM 10 as the latest history data LOG(i+1). Step 186 provides a recording unit that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit 184 or the second determination unit 185.

 <出力処理>
 図6は、制御装置5と外部機器20とによって実行される出力処理190を示す。外部機器20は、ステップ191では、制御装置5と外部機器20とがコネクタ22によって接続されているか否かを判定する。通信可能な接続が確立されていない場合(NO)、以下の処理がスキップされる。通信可能な接続が確立されている場合(YES)、処理は、ステップ192に進む。 <Output processing>
FIG. 6 shows an output process 190 executed by the control device 5 and the external device 20. In step 191, the external device 20 determines whether the control device 5 and the external device 20 are connected by the connector 22. When the communicable connection is not established (NO), the following processing is skipped. When the communicable connection is established (YES), the process proceeds to step 192.

 制御装置5と外部機器20との接続が確立されている場合、制御装置5と外部機器20とは、多様な診断処理を実行する。診断処理は、機器システム1の状態を出力する多様な処理を含む。診断処理のひとつは、EEPROM10の履歴データLOG(i=0~n)を出力する処理である。 When the connection between the control device 5 and the external device 20 is established, the control device 5 and the external device 20 execute various diagnostic processes. The diagnostic process includes various processes for outputting the state of the device system 1. One of the diagnostic processes is a process of outputting history data LOG (i=0 to n) of the EEPROM 10.

 外部機器20は、ステップ192では、利用者による要求操作を検出する。要求操作は、履歴データの出力を求める操作である。要求操作は、入力器27の操作によって入力される。要求操作がない場合(NO)、以下の処理がスキップされる。要求操作がある場合(YES)、処理は、ステップ193に進む。外部機器20は、ステップ193では、制御装置5へ要求信号RQを出力する。 The external device 20 detects the operation requested by the user in step 192. The request operation is an operation for requesting output of history data. The requested operation is input by operating the input device 27. When there is no requested operation (NO), the following processing is skipped. If there is the requested operation (YES), the process proceeds to step 193. In step 193, the external device 20 outputs the request signal RQ to the control device 5.

 制御装置5は、ステップ194では、外部機器20から要求信号RQがあるか否かを判定する。要求信号RQがない場合(NO)、以下の処理はスキップされる。要求信号RQがある場合(YES)、処理は、ステップ195へ進む。制御装置5は、ステップ195では、EEPROM10から外部機器20へすべての履歴データLOG(i=0~n)を出力する。 The control device 5 determines in step 194 whether or not there is a request signal RQ from the external device 20. When there is no request signal RQ (NO), the following processing is skipped. If there is the request signal RQ (YES), the process proceeds to step 195. At step 195, the control device 5 outputs all the history data LOG (i=0 to n) from the EEPROM 10 to the external device 20.

 外部機器20は、ステップ196では、制御装置5から履歴データLOG(i=0~n)を受信する。受信される履歴データは、EEPROM10に記憶されている履歴データである。受信された履歴データは、外部機器20の内部記憶装置25に記憶される。外部機器20は、ステップ197では、内部記憶装置25に記憶された履歴データLOG(i=0~n)を表示器26に表示する。 In step 196, the external device 20 receives the history data LOG (i=0 to n) from the control device 5. The received history data is history data stored in the EEPROM 10. The received history data is stored in the internal storage device 25 of the external device 20. In step 197, the external device 20 displays the history data LOG (i=0 to n) stored in the internal storage device 25 on the display device 26.

 出力処理190の結果、作業者は、EEPROM10の履歴データから、正当な外部書き換えと、正当ではない外部書き換えとの両方を提示される。作業者は、正当な外部書き換えの正当履歴データを知ることができる。正当履歴データは、例えば、製造者から提供されている。または、正当履歴データは、作業者から製造者への求めに応じて提供される。正当履歴データは、正当な外部書き換えのすべてに関して、外部書き換えに伴って生成されたサム調整値SUM-ADJと内部エラースイッチ値INT-E/Dとを含む。したがって、作業者は、EEPROM10の履歴データと、正当履歴データとを対比することにより、正当ではない外部書き換えがあったことを知ることができる。 As a result of the output process 190, the worker is presented with both legal external rewriting and invalid external rewriting from the history data of the EEPROM 10. The worker can know the correct history data of the correct external rewriting. The legal history data is provided by the manufacturer, for example. Alternatively, the legitimate history data is provided in response to a request from the worker to the manufacturer. The correct history data includes the sum adjustment value SUM-ADJ and the internal error switch value INT-E/D generated by the external rewriting for all the correct external rewriting. Therefore, the operator can know that the external rewriting is not valid by comparing the history data of the EEPROM 10 with the valid history data.

 外部機器20は、ステップ197において、自己診断を実施してもよい。この場合、外部機器20は、正当履歴データを内部記憶装置25に少なくとも一時的に記憶する。外部機器20は、EEPROM10から取得された履歴データLOG(i=0~n)のすべてが、正当履歴データに一致するか否かを判定する。EEPROM10から取得された履歴データLOG(i=0~n)が、正当履歴データにないデータを含む場合、その外部書き換えは、正当ではない可能性が高い。履歴データLOG(i=0~n)が、正当ではない履歴データを含む場合、外部機器20は、警告を発するように構成することができる。 The external device 20 may perform self-diagnosis in step 197. In this case, the external device 20 stores the valid history data in the internal storage device 25 at least temporarily. The external device 20 determines whether or not all the history data LOG (i=0 to n) acquired from the EEPROM 10 matches the valid history data. If the history data LOG (i=0 to n) acquired from the EEPROM 10 includes data that is not included in the valid history data, it is highly likely that the external rewriting is not valid. When the history data LOG (i=0 to n) includes invalid history data, the external device 20 can be configured to issue a warning.

 <正当な外部書き換え>
 ROM8が外部書き換えされる場合、サム調整値SUM-ADJが書き換えられる。正当な外部書き換えとして、例えば、製造者によるバージョンアップを想定することができる。この場合、製造者は、書換領域33、34を書き換えるだけでなく、サム調整値領域36を書き換える。これにより、基準値であるチェックサム値SUM-CHKを維持したままで、ROM8の検査に起因する異常(内部エラー)の検出を回避することができる。製造者は、内部エラーを回避できるから、内部エラー領域38を書き換えることはない。製造者は、チェックサムによる検査そのものが実行されるように、内部エラースイッチ値INT-E/Dを設定する。製造者は、ROM8の異常が検出された場合には、予め定められた対策処理が実行されるように、内部エラースイッチ値INT-E/Dを設定する。 <Legal external rewriting>
When the ROM 8 is externally rewritten, the sum adjustment value SUM-ADJ is rewritten. As a valid external rewrite, for example, a version upgrade by the manufacturer can be assumed. In this case, the manufacturer not only rewrites the rewrite areas 33 and 34, but also rewrites the sum adjustment value area 36. As a result, it is possible to avoid detection of an abnormality (internal error) due to the inspection of the ROM 8 while maintaining the checksum value SUM-CHK which is the reference value. Since the manufacturer can avoid the internal error, the manufacturer does not rewrite the internal error area 38. The manufacturer sets the internal error switch value INT-E/D so that the checksum check itself is performed. The manufacturer sets the internal error switch value INT-E/D so that a predetermined countermeasure process is executed when an abnormality in the ROM 8 is detected.

 サム調整値領域36または内部エラー領域38のいずれか一方が書き換えられると、次に動力源2を起動する際に、履歴データLOG(i)がEEPROM10に追加記憶される。この結果、正当な書き換えが、履歴として残される。 When either the sum adjustment value area 36 or the internal error area 38 is rewritten, the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. As a result, valid rewriting is left as a history.

 <不正な外部書き換え>
 不正な外部書き換えによってROM8が書き換えられる場合を想定することができる。不正な外部書き換えとして、例えば、製造者の許可を得ない改造行為を想定することができる。この場合、改造者は、書換領域33、34を書き換える。さらに、改造者は、チェックサムによる検査を騙すために、サム調整値SUM-ADJを書き換える。言い換えると、改造者は、ステップ174におけるチェックサム検査の判定結果がYESに分岐するようにサム調整値SUM-ADJを書き換える。また、周到な改造者は、チェックサムによる検査そのものを封じるために、内部エラースイッチ値INT-E/Dを書き換える。周到な改造者は、ステップ176における対策処理の要否を判定結果がNOに分岐するように内部エラースイッチ値INT-E/Dを書き換える。 <Unauthorized external rewriting>
It can be assumed that the ROM 8 is rewritten by unauthorized external rewriting. As the unauthorized external rewriting, for example, a remodeling act without the manufacturer's permission can be assumed. In this case, the remodeler rewrites the rewrite areas 33 and 34. Further, the remodeling person rewrites the sum adjustment value SUM-ADJ in order to trick the checksum check. In other words, the remodeling person rewrites the sum adjustment value SUM-ADJ so that the determination result of the checksum inspection in step 174 branches to YES. Further, the careful remodeler rewrites the internal error switch value INT-E/D in order to prevent the checksum inspection itself. The careful remodeler rewrites the internal error switch value INT-E/D so that the determination result as to whether the countermeasure process in step 176 is necessary branches to NO.

 多くの場合、改造者は、乗り物の挙動を激しくするように書換領域33、34を書き換える。この場合、機器システム1を保護するために異常(内部エラー)が検出される場合がある。言い換えると、ステップ175における正常範囲の判定結果がNOに分岐する場合がある。この場合でも、周到な改造者は、内部エラースイッチ値INT-E/Dを書き換えているから、ステップ176における判定がNOに分岐する。 In many cases, the remodeling person rewrites the rewriting areas 33 and 34 so as to make the behavior of the vehicle more intense. In this case, an abnormality (internal error) may be detected to protect the device system 1. In other words, the determination result of the normal range in step 175 may branch to NO. Even in this case, since the careful remodeler has rewritten the internal error switch value INT-E/D, the determination in step 176 branches to NO.

 したがって、不正な外部書き換えであっても、サム調整値SUM-ADJ、および/または内部エラースイッチ値INT-E/Dが書き換えられると、制御装置5は異常(内部エラー)を検出することができない。ただし、サム調整値SUM-ADJまたは内部エラースイッチ値INT-E/Dのいずれか一方が書き換えられると、次に動力源2を起動する際に、履歴データLOG(i)がEEPROM10に追加記憶される。この結果、不正な書き換えが、履歴として残される。 Therefore, even if the external adjustment is unauthorized, if the sum adjustment value SUM-ADJ and/or the internal error switch value INT-E/D is rewritten, the control device 5 cannot detect an abnormality (internal error). .. However, if either the sum adjustment value SUM-ADJ or the internal error switch value INT-E/D is rewritten, the history data LOG(i) is additionally stored in the EEPROM 10 when the power source 2 is started next time. It As a result, unauthorized rewriting is left as a history.

 <外部書き換えではない異常>
 ROM8のデータは、デバイスの不安定、デバイスの寿命、または稀な放射線などに起因して、不規則に反転する場合がある。ROM8の任意のビットが反転すると、ROM8の検査(チェックサム)によって異常(内部エラー)が検出される。この場合、制御装置5は、内部エラースイッチ値INT-E/Dによって予め設定された対策処理を実行する。 <Abnormality not external rewriting>
The data in the ROM 8 may be inverted irregularly due to device instability, device life, rare radiation, or the like. When any bit of the ROM 8 is inverted, an abnormality (internal error) is detected by the inspection (checksum) of the ROM 8. In this case, the control device 5 executes the countermeasure process preset by the internal error switch value INT-E/D.

 <メモリの書き換え履歴記録装置>
 図7は、メモリの書き換え履歴記録装置のブロック図である。それぞれのブロックは、制御装置5のハードウェア資源、およびハードウェア資源を機能させるためのソフトウェア資源によって提供されている。 <Memory rewriting history recording device>
FIG. 7 is a block diagram of a memory rewriting history recording device. Each block is provided by the hardware resource of the control device 5 and the software resource for operating the hardware resource.

 メモリM1は、制御装置5のプログラムおよび/または数値を記憶している。メモリM1は、外部書き換えが可能であり、かつ不揮発性である。メモリM1は、ROM8によって提供されている。 The memory M1 stores programs and/or numerical values of the control device 5. The memory M1 is externally rewritable and non-volatile. The memory M1 is provided by the ROM 8.

 メモリM1は、検査器M2によって検査される。検査器M2は、メモリM1の記憶データを検査し、メモリM1の正常または異常を判定する。検査器M2は、「誤り検査」を実行する。検査器M2は、メモリM1の記憶データをチェックサムによって検査するチェックサム検査器である。検査器M2は、調整値を含むメモリM1の記憶データから計算されたチェックサム値と予め定められた基準値とが等しいか否かによってメモリM1が正常か異常かを判定するチェックサム判定部174を備える。検査器M2は、チェックサムによるメモリM1の検査の有効または無効をスイッチ値によって判定する内部スイッチ判定部171、176を備える。検査器M2は、チェックサムによるメモリM1の検査そのものを実行するか否かをスイッチ値によって判定する内部スイッチ判定部171を備える。検査器M2は、チェックサムによってメモリM1の異常が判定された場合に、スイッチ値によって対策処理の有効または無効を判定する内部スイッチ判定部176を備える。検査器M2は、プログラムおよび/または数値が、正常範囲にあるか否かによってメモリM1が正常か異常かを判定する内部エラー判定部175を備える。検査器M2は、内部エラー判定部によってメモリM1の異常が判定された場合に、スイッチ値によって対策処理の有効または無効を判定する内部スイッチ判定部176を備える。 The memory M1 is inspected by the inspector M2. The inspector M2 inspects the data stored in the memory M1 and determines whether the memory M1 is normal or abnormal. The checker M2 executes "error check". The checker M2 is a checksum checker that checks the data stored in the memory M1 with a checksum. The checker M2 determines whether the memory M1 is normal or abnormal depending on whether the checksum value calculated from the storage data of the memory M1 including the adjustment value is equal to a predetermined reference value. Equipped with. The inspection device M2 includes internal switch determination units 171 and 176 that determine whether the inspection of the memory M1 based on the checksum is valid or invalid based on the switch value. The inspection device M2 includes an internal switch determination unit 171 that determines whether or not to execute the inspection itself of the memory M1 using the checksum based on the switch value. The checker M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the checksum determines that the memory M1 is abnormal. The checker M2 includes an internal error determination unit 175 that determines whether the memory M1 is normal or abnormal depending on whether or not the program and/or the numerical value is within the normal range. The tester M2 includes an internal switch determination unit 176 that determines whether the countermeasure process is valid or invalid based on the switch value when the internal error determination unit determines that the memory M1 is abnormal.

 検査器M2によってメモリM1に異常(内部エラー)が検出されると、検査器M2は、対策処理を実行する。 When the inspection device M2 detects an abnormality (internal error) in the memory M1, the inspection device M2 executes a countermeasure process.

 メモリM1は、検査器M2による異常との判定を阻止するように書き換えられる調整値(SUM-ADJ)を記憶するサム調整値領域36を有する。メモリM1は、検査器M2による検査の有効または無効を設定するスイッチ値(INT-E/D)を記憶する内部エラー領域38を有する。 The memory M1 has a sum adjustment value area 36 that stores an adjustment value (SUM-ADJ) that is rewritten so as to prevent the inspection device M2 from determining an abnormality. The memory M1 has an internal error area 38 for storing a switch value (INT-E/D) for setting whether the inspection by the inspector M2 is valid or invalid.

 対策処理を回避する第1の方法は、検査器M2による検査を騙すことによって提供される。第1の方法のために、サム調整値領域36が利用される。サム調整値領域36が適切な調整値(サム調整値SUM-ADJ)に設定された場合、検査器M2は異常(内部エラー)を検出しない。言い換えると、サム調整値領域36は、検査器M2による検査を有効に機能させながら、その検査によって異常が検出されることを阻止するために利用することが可能である。よって、第1の方法は、検査器M2を正常に機能させながら、その検査を騙す処理であるといえる。 The first method to avoid the countermeasure process is provided by tricking the inspection by the inspection device M2. For the first method, the sum adjustment value area 36 is utilized. When the sum adjustment value area 36 is set to an appropriate adjustment value (sum adjustment value SUM-ADJ), the tester M2 does not detect an abnormality (internal error). In other words, the sum adjustment value region 36 can be used for effectively preventing the inspection by the inspecting device M2 while preventing the abnormality from being detected by the inspection. Therefore, it can be said that the first method is a process of tricking the inspection while allowing the inspection device M2 to function normally.

 対策処理を回避する第2の方法は、検査器M2による検査それ自体の有効または無効を設定することによって提供される。ここで、「検査の有効または無効」の語は、検査の実行そのものを阻害する場合と、検査の結果が異常である場合に実行される対策処理を阻害する場合とを含む。第2の方法のために、内部エラー領域38が利用される。内部エラー領域38が適切なスイッチ値(内部エラースイッチ値INT-E/D)に設定された場合、検査器M2による検査の有効または無効が設定される。 The second method of avoiding the countermeasure process is provided by setting the validity or invalidity of the inspection itself by the inspection device M2. Here, the term “validation or invalidation of the inspection” includes a case where the execution of the inspection itself is obstructed and a case where the countermeasure process executed when the result of the inspection is abnormal is obstructed. For the second method, the internal error area 38 is utilized. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspection by the inspector M2 is set to be valid or invalid.

 第2の方法のひとつは、検査器M2による検査の実行そのものを阻害することである。この場合も、内部エラー領域38が利用される。内部エラー領域38が適切なスイッチ値(内部エラースイッチ値INT-E/D)に設定された場合、検査器M2は検査そのものを実行しない。 One of the second methods is to obstruct the execution of the inspection itself by the inspection device M2. In this case also, the internal error area 38 is used. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspector M2 does not execute the inspection itself.

 第2の方法のひとつは、検査の結果に応答して起動される対策処理の実行だけを阻害することである。この場合も、内部エラー領域38が利用される。内部エラー領域38が適切なスイッチ値(内部エラースイッチ値INT-E/D)に設定された場合、検査器M2は異常(内部エラー)を検出しても、対策処理を実行しない。 -One of the second methods is to block only the execution of countermeasures that are activated in response to the inspection results. In this case also, the internal error area 38 is used. When the internal error area 38 is set to an appropriate switch value (internal error switch value INT-E/D), the inspector M2 does not execute the countermeasure process even if it detects an abnormality (internal error).

 この実施形態では、第1の方法と、第2の方法との両方を監視するために、履歴記録器M3は、調整値と、スイッチ値との両方を蓄積的に記録する。この結果、履歴は、調整値とスイッチ値との両方を含んでいる。これにより、正当であるか不正であるかを問わずに、外部書き換えがあったことが記録される。調整値だけでなく、スイッチ値が記録されるから、正当な外部書き換え、および、不正な外部書き換えの両方を履歴として記録することができる。この結果、書き換え行為を効率的に発見可能なメモリの書き換え履歴記録装置が提供される。 In this embodiment, the history recorder M3 cumulatively records both the adjustment value and the switch value in order to monitor both the first method and the second method. As a result, the history contains both adjustment values and switch values. As a result, the fact that external rewriting has been performed is recorded regardless of whether it is valid or illegal. Since not only the adjustment value but also the switch value is recorded, both the correct external rewriting and the unauthorized external rewriting can be recorded as the history. As a result, there is provided a rewriting history recording device for a memory in which a rewriting action can be found efficiently.

 履歴記録器M3は、メモリM1に対する外部書き換えの履歴を記録する。履歴記録器M3は、メモリM1とは異なる不揮発性の他のメモリを含む。他のメモリは、EEPROM10によって提供されている。 The history recorder M3 records the history of external rewriting for the memory M1. The history recorder M3 includes another non-volatile memory different from the memory M1. The other memory is provided by the EEPROM 10.

 履歴記録器M3は、メモリM1が外部書き換えされると調整値およびスイッチ値の両方を履歴として記録するよう構成されている。この場合、履歴記録器M3は、第1判定部184と、第2判定部185とを備える。第1判定部184は、メモリM1に記憶されている調整値と、最新の履歴(LOG(i))に含まれる履歴調整値とが等しいか否かを判定する。第2判定部185は、メモリM1に記憶されているスイッチ値と、最新の履歴(LOG(i))に含まれる履歴スイッチ値とが等しいか否かを判定する。履歴記録器M3は、第1判定部または第2判定部のいずれかにおいて否定的に判定された場合に、調整値およびスイッチ値を履歴として記録する記録部186を備える。履歴記録器M3は、履歴記録器M3が起動されるたびに第1判定部184および第2判定部185による判定を実行するように構成されている。起動は、具体的には、制御装置5の電源スイッチの投入である。 The history recorder M3 is configured to record both the adjustment value and the switch value as history when the memory M1 is externally rewritten. In this case, the history recorder M3 includes a first determination unit 184 and a second determination unit 185. The first determination unit 184 determines whether or not the adjustment value stored in the memory M1 and the history adjustment value included in the latest history (LOG(i)) are the same. The second determination unit 185 determines whether the switch value stored in the memory M1 is equal to the history switch value included in the latest history (LOG(i)). The history recorder M3 includes a recording unit 186 that records the adjustment value and the switch value as a history when a negative determination is made by either the first determination unit or the second determination unit. The history recorder M3 is configured to execute the determination by the first determination unit 184 and the second determination unit 185 each time the history recorder M3 is activated. Specifically, the activation is the turning on of the power switch of the control device 5.

 メモリの書き換え履歴記録装置は、出力器M4を備える場合がある。出力器M4は、履歴記録器M3に記録された履歴データを出力する。履歴は、調整値およびスイッチ値の両方を含むから、それらの値によって、正当な外部書き換えと、不正な外部書き換えとが示される。制御装置5は、メモリM1、検査器M2、および履歴記録器M3を備えることができる。ひとつの実施形態では、出力器M4は、制御装置5とデータ通信可能に接続可能な外部機器20によって提供される。 The memory rewriting history recording device may include an output device M4. The output device M4 outputs the history data recorded in the history recording device M3. Since the history includes both the adjustment value and the switch value, these values indicate valid external rewriting and unauthorized external rewriting. The control device 5 can include a memory M1, an inspector M2, and a history recorder M3. In one embodiment, the output device M4 is provided by the external device 20 connectable to the control device 5 in data communication.

 以上に述べた実施形態によると、外部書き換えを可能とする特定のデータが履歴データとして蓄積され出力される。よって、外部書き換えの履歴が提供される。この結果、外部書き換えを効率的に発見可能なメモリの書き換え履歴記録装置を提供することができる。 According to the embodiment described above, specific data that enables external rewriting is accumulated and output as history data. Therefore, the history of external rewriting is provided. As a result, it is possible to provide a rewriting history recording device for a memory that can efficiently detect external rewriting.

 外部書き換えを可能とする特定のデータは、いわゆるチェックサムによる検査を騙すためのサム調整値SUM-ADJを含む。さらに、外部書き換えを可能とする特定のデータは、検査の有効/無効を設定するための内部エラースイッチ値INT-E/Dを含む。これら2つのデータを両方とも含むことにより、外部書き換えを検出する精度が高められる。 The specific data that can be externally rewritten includes a sum adjustment value SUM-ADJ for tricking an inspection by a so-called checksum. Further, the specific data that enables external rewriting includes an internal error switch value INT-E/D for setting valid/invalid of the inspection. By including both of these two data, the accuracy of detecting external rewriting is improved.

 外部書き換え可能な記憶領域は、正当であるか、不正であるかを問わず、書き換えられることがある。この場合、記憶領域のユニークなハッシュコードを生成し、履歴として記録することが考えられる。しかし、ハッシュコードを蓄積するための大きいメモリ容量が必要である。また、ハードウェアによるハッシュコード生成器、またはソフトウェアによるハッシュコード生成器を搭載する必要がある。これに対し、この実施形態におけるサム調整値SUM-ADJのデータ量は、ハッシュコードのデータ量より格段に少ない。このため、この実施形態によると、記憶領域の書き換えを効率的に発見可能なメモリの書き換え履歴記録装置を提供することができる。しかも、チェックサムによる記憶領域の検査機能は、小さい規模のハードウェアまたはソフトウェアによって提供することができる。このため、記憶領域の書き換えを小さい規模の構成によって発見可能なメモリの書き換え履歴記録装置を提供することができる。 The externally rewritable storage area may be rewritten regardless of whether it is legal or illegal. In this case, it is possible to generate a unique hash code for the storage area and record it as a history. However, a large memory capacity is required to store the hash code. Further, it is necessary to install a hash code generator by hardware or a hash code generator by software. On the other hand, the data amount of the sum adjustment value SUM-ADJ in this embodiment is significantly smaller than the data amount of the hash code. Therefore, according to this embodiment, it is possible to provide a memory rewriting history recording device that can efficiently detect rewriting of a storage area. Moreover, the check function of the storage area by the checksum can be provided by small-scale hardware or software. Therefore, it is possible to provide a memory rewrite history recording device in which rewriting of the storage area can be found by a small-scale configuration.

 他の実施形態
 この明細書および図面等における開示は、例示された実施形態に制限されない。開示は、例示された実施形態と、それらに基づく当業者による変形態様を包含する。例えば、開示は、実施形態において示された部品および/または要素の組み合わせに限定されない。開示は、多様な組み合わせによって実施可能である。開示は、実施形態に追加可能な追加的な部分をもつことができる。開示は、実施形態の部品および/または要素が省略されたものを包含する。開示は、ひとつの実施形態と他の実施形態との間における部品および/または要素の置き換え、または組み合わせを包含する。開示される技術的範囲は、実施形態の記載に限定されない。開示されるいくつかの技術的範囲は、請求の範囲の記載によって示され、さらに請求の範囲の記載と均等の意味及び範囲内での全ての変更を含むものと解されるべきである。 Other Embodiments The disclosures in this specification and the drawings are not limited to the illustrated embodiments. The disclosure encompasses the illustrated embodiments and variations on them based on them. For example, the disclosure is not limited to the combination of parts and/or elements shown in the embodiments. The disclosure can be implemented in various combinations. The disclosure may have additional parts that may be added to the embodiments. The disclosure includes omissions of parts and/or elements of the embodiments. The disclosure includes replacements or combinations of parts and/or elements between one embodiment and another. The disclosed technical scope is not limited to the description of the embodiments. It is to be understood that some technical scopes disclosed are shown by the description of the claims, and further include meanings equivalent to the description of the claims and all modifications within the scope.

 明細書および図面等における開示は、請求の範囲の記載によって限定されない。明細書および図面等における開示は、請求の範囲に記載された技術的思想を包含し、さらに請求の範囲に記載された技術的思想より多様で広範な技術的思想に及んでいる。よって、請求の範囲の記載に拘束されることなく、明細書および図面等の開示から、多様な技術的思想を抽出することができる。 The disclosure in the description and drawings is not limited by the scope of claims. The disclosure in the specification, drawings, and the like includes the technical ideas described in the claims, and further extends to various and broader technical ideas than the technical ideas described in the claims. Therefore, various technical ideas can be extracted from the disclosure of the specification and drawings without being restricted by the description of the claims.

 上記実施形態では、履歴処理180および履歴記録器M3は、EEPROM10に履歴を記録する。これに代えて、履歴処理180および履歴記録器M3は、無線によって通信可能に接続されたサーバに履歴を記録してもよい。また、外部機器20は、無線によって通信可能に接続されたサーバによって提供されてもよい。この場合、複数の制御装置5における外部書き換えを、サーバにおいて集中的に監視し、管理することができる。

  In the above embodiment, the history processing 180 and the history recorder M3 record the history in the EEPROM 10. Instead of this, the history processing 180 and the history recorder M3 may record the history in a server communicably connected by wireless. Also, the external device 20 may be provided by a server that is communicably connected by wireless. In this case, external rewriting in the plurality of control devices 5 can be centrally monitored and managed by the server.

Claims (10)

 制御装置(5)のプログラムおよび/または数値を記憶しており、外部書き換えが可能であり、かつ不揮発性のメモリ(8、M1)と、
 前記メモリの記憶データを検査し、前記メモリの正常または異常を判定する検査器(6、M2)と、
 前記外部書き換えの履歴を記録する履歴記録器(10、M3)とを備え、
 前記メモリは、
 前記検査器による異常との判定を阻止するように書き換えられる調整値(SUM-ADJ)を記憶する領域(36)と、
 前記検査器による検査の有効または無効を設定するスイッチ値(INT-E/D)を記憶する領域(38)とを有し、
 前記履歴は、
 前記調整値と前記スイッチ値との両方を含んでいるメモリの書き換え履歴記録装置。 A non-volatile memory (8, M1) which stores a program and/or numerical value of the control device (5), can be externally rewritten, and
An inspector (6, M2) for inspecting stored data in the memory to determine whether the memory is normal or abnormal;
A history recorder (10, M3) for recording the history of the external rewriting,
The memory is
An area (36) for storing an adjustment value (SUM-ADJ) that is rewritten so as to prevent the determination by the inspection device from being abnormal,
An area (38) for storing a switch value (INT-E/D) for setting validity or invalidity of the inspection by the inspection device,
The history is
A memory rewriting history recording device including both the adjustment value and the switch value.  さらに、前記履歴記録器に記録された履歴を出力する出力器(20、M4)を備える請求項1に記載のメモリの書き換え履歴記録装置。 The memory rewriting history recording device according to claim 1, further comprising an output device (20, M4) for outputting the history recorded in the history recording device.  前記制御装置は、前記メモリ、前記検査器、および前記履歴記録器を備え、
 前記出力器は、前記制御装置とデータ通信可能に接続可能な外部機器(20)によって提供される請求項2に記載のメモリの書き換え履歴記録装置。 The control device includes the memory, the inspection device, and the history recording device,
The memory rewriting history recording device according to claim 2, wherein the output device is provided by an external device (20) connectable to the control device so as to be capable of data communication.  前記履歴記録器は、前記メモリが外部書き換えされると前記調整値および前記スイッチ値の両方を前記履歴として記録するよう構成されている請求項1から請求項3のいずれかに記載のメモリの書き換え履歴記録装置。 The memory rewriting according to any one of claims 1 to 3, wherein the history recorder is configured to record both the adjustment value and the switch value as the history when the memory is externally rewritten. History recording device.  前記履歴記録器は、
 前記メモリに記憶されている前記調整値と、最新の前記履歴(LOG(i))に含まれる履歴調整値とが等しいか否かを判定する第1判定部(184)と、
 前記メモリに記憶されている前記スイッチ値と、最新の前記履歴(LOG(i))に含まれる履歴スイッチ値とが等しいか否かを判定する第2判定部(185)と、
 前記第1判定部または前記第2判定部のいずれかにおいて否定的に判定された場合に、前記調整値および前記スイッチ値を前記履歴として記録する記録部(186)とを備える請求項4に記載のメモリの書き換え履歴記録装置。 The history recorder is
A first determination unit (184) for determining whether or not the adjustment value stored in the memory and the history adjustment value included in the latest history (LOG(i)) are equal to each other;
A second determination unit (185) for determining whether or not the switch value stored in the memory is equal to a history switch value included in the latest history (LOG(i));
The recording unit (186) for recording the adjustment value and the switch value as the history when a negative determination is made by either the first determination unit or the second determination unit. Memory rewriting history recording device.  前記履歴記録器は、前記履歴記録器が起動されるたびに前記第1判定部および前記第2判定部による判定を実行するように構成されている請求項5に記載のメモリの書き換え履歴記録装置。 6. The memory rewriting history recording device according to claim 5, wherein the history recorder is configured to execute the determination by the first determination unit and the second determination unit each time the history recorder is activated. ..  前記検査器は、前記メモリの記憶データをチェックサムによって検査するチェックサム検査器である請求項1から請求項6のいずれかに記載のメモリの書き換え履歴記録装置。 The memory rewriting history recording device according to any one of claims 1 to 6, wherein the inspector is a checksum inspector that inspects data stored in the memory by a checksum.  前記検査器は、
 前記調整値を含む前記メモリの記憶データから計算されたチェックサム値と予め定められた基準値とが等しいか否かによって前記メモリが正常か異常かを判定するチェックサム判定部(174)と、
 前記スイッチ値によって前記チェックサム判定部による検査の有効または無効を判定する内部スイッチ判定部(171、176)とを備える請求項7に記載のメモリの書き換え履歴記録装置。 The inspection device is
A checksum determination unit (174) for determining whether the memory is normal or abnormal depending on whether a checksum value calculated from the storage data of the memory including the adjustment value is equal to a predetermined reference value;
8. The memory rewriting history recording device according to claim 7, further comprising an internal switch determination unit (171, 176) that determines whether the check by the checksum determination unit is valid or invalid according to the switch value.  前記検査器は、
 前記プログラムおよび/または数値が、正常範囲にあるか否かによって前記メモリが正常か異常かを判定する内部エラー判定部(175)と、
 前記内部エラー判定部によって前記メモリの異常が判定された場合に、前記スイッチ値によって対策処理の有効または無効を判定する内部スイッチ判定部(176)とを備える請求項1から請求項8のいずれかに記載のメモリの書き換え履歴記録装置。 The inspection device is
An internal error determination unit (175) that determines whether the memory is normal or abnormal depending on whether the program and/or numerical value is within a normal range,
The internal switch determination unit (176) for determining whether the countermeasure processing is valid or invalid based on the switch value when the internal error determination unit determines that the memory is abnormal. A memory rewriting history recording device described in.  前記履歴記録器は、前記メモリとは異なる不揮発性の他のメモリ(10)を含む請求項1から請求項9のいずれかに記載のメモリの書き換え履歴記録装置。

  10. The memory rewriting history recording device according to claim 1, wherein the history recorder includes another non-volatile memory (10) different from the memory.

PCT/JP2019/041841 2019-01-30 2019-10-25 Memory rewrite history recording device Ceased WO2020158075A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980090587.0A CN113396398B (en) 2019-01-30 2019-10-25 Memory rewrite history recording device
JP2020569374A JP7085029B2 (en) 2019-01-30 2019-10-25 Memory rewrite history recording device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-014671 2019-01-30
JP2019014671 2019-01-30

Publications (1)

Publication Number Publication Date
WO2020158075A1 true WO2020158075A1 (en) 2020-08-06

Family

ID=71840044

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/041841 Ceased WO2020158075A1 (en) 2019-01-30 2019-10-25 Memory rewrite history recording device

Country Status (3)

Country Link
JP (1) JP7085029B2 (en)
CN (1) CN113396398B (en)
WO (1) WO2020158075A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008004524A1 (en) * 2006-07-03 2008-01-10 Panasonic Corporation Certifying device, verifying device, verifying system, computer program and integrated circuit
JP2013143095A (en) * 2012-01-12 2013-07-22 Toyota Motor Corp Electronic control device, and memory check method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1372068A3 (en) * 2002-06-11 2006-02-08 Seiko Epson Corporation System, method and program for rewriting a flash memory
WO2011111211A1 (en) * 2010-03-11 2011-09-15 三菱電機株式会社 Memory diagnostic method, memory diagnostic device, and memory diagnostic program
DE112012005589B8 (en) * 2012-01-05 2025-07-10 Mitsubishi Electric Corporation Information processing device, information processing method and computer program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008004524A1 (en) * 2006-07-03 2008-01-10 Panasonic Corporation Certifying device, verifying device, verifying system, computer program and integrated circuit
JP2013143095A (en) * 2012-01-12 2013-07-22 Toyota Motor Corp Electronic control device, and memory check method

Also Published As

Publication number Publication date
CN113396398B (en) 2023-11-28
JP7085029B2 (en) 2022-06-15
CN113396398A (en) 2021-09-14
JPWO2020158075A1 (en) 2021-09-30

Similar Documents

Publication Publication Date Title
US6915192B2 (en) Vehicular electronic control apparatus
US10509568B2 (en) Efficient secure boot carried out in information processing apparatus
JP2018156452A (en) Data storage device
JP5148015B2 (en) Automotive data abnormality judgment device
CN113849212B (en) Software upgrading control method and device and electronic equipment
KR20180023524A (en) Method for verifying of Actuator control data
CN101369141B (en) Protection unit for a programmable data processing unit
EP2975546A1 (en) Systems and methods for verifying the authenticity of an applicatiotn during execution
JP2013143095A (en) Electronic control device, and memory check method
JP7085029B2 (en) Memory rewrite history recording device
US11361600B2 (en) Method for authenticating a diagnostic trouble code generated by a motor vehicle system of a vehicle
JP6180462B2 (en) Automotive electronic control device
JP5842783B2 (en) Vehicle control device
US10789365B2 (en) Control device and control method
US11169828B2 (en) Electronic control unit and method for verifying control program
JP4534731B2 (en) Electronic control device and identification code generation method thereof
US20070226694A1 (en) Control unit for a machine
CN117094035A (en) PLC software protection method and device
US12272187B2 (en) Information processing apparatus and information processing method
JP2016134082A (en) Microcomputer
CN117421780A (en) Vehicle-mounted system data verification method and device, electronic equipment and storage medium
US20250217505A1 (en) System And Method For Remote Attestation Of Vehicle Features
US20250094548A1 (en) Assembly control with authentication of user
CN115309132B (en) Control system
JP2002047998A (en) Controller for vehicle

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19912358

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020569374

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19912358

Country of ref document: EP

Kind code of ref document: A1

WWG Wipo information: grant in national office

Ref document number: 202147033656

Country of ref document: IN