JP2018011155A - CAN communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To appropriately discriminate the presence/absence of an irregular controller within an in-vehicle network.SOLUTION: The present invention relates to an in-vehicle network on which multiple controllers ECUn of different priorities are connected to a gateway G/W via a BUS 1 in a communicable manner. The gateway G/W comprises: transmission means 211 for simultaneously transmitting a reply request signal requesting a reply to the gateway G/W to the controllers ECUn via the BUS 1; and abnormality discrimination means 213 for discriminating the presence/absence of abnormality based on a reception order of reply signals that are redirected from the controllers ECUn. In a case where signals (including reply signals) are simultaneously outputted from each the controllers ECUn to the BUS 1, in the in-vehicle network, the signal is transmitted in the order starting from a controller of a highest priority.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a CAN communication system.

  In order to confirm whether or not the controller (CPU) of the in-vehicle device connected to the in-vehicle network is a legitimate controller (CPU), various techniques for referring to information of an external server have been proposed (for example, patents) Reference 1).

JP 2014-193654 A

  However, in the case of the technique disclosed in Patent Document 1, it is impossible to determine whether or not the vehicle is a regular controller (CPU) unless the host vehicle is in a communication environment that can be connected to an external server. There is a need to be able to appropriately determine whether or not (CPU) is connected.

The present invention
When a plurality of controllers having different ranks are communicably connected to a gateway apparatus via a common transmission line, and signals are output simultaneously from the plurality of controllers, the gateway apparatus sequentially from the controller signal having the highest rank. A CAN communication system transmitted to
The gateway device is
A transmission means for simultaneously transmitting a reply request signal for requesting a reply to the gateway device to the plurality of controllers via the common transmission path;
Receiving means for receiving a reply signal from each of the controllers;
And an abnormality determining means for determining presence / absence of abnormality based on the reception order of the reply signals.

  ADVANTAGE OF THE INVENTION According to this invention, it can be determined appropriately whether the regular controller is connected to the vehicle interior network.

It is a schematic block diagram of a normal in-vehicle network. It is a figure explaining the gateway and controller connected to the in-vehicle network. It is a sequence chart when gateway G / W performs an authentication process. 1 is a schematic configuration diagram of an in-vehicle network in which a fake ECU is provided between a BUS and one ECU. It is a sequence chart in case gateway G / W transmits a reply request signal 3 times continuously. It is a sequence chart in case gateway G / W transmits a reply request signal 4 times continuously.

  In the following, the embodiment of the present invention is applied to a controller (ECU1 to ECUn) of each in-vehicle device mounted on the vehicle V on a CAN bus (hereinafter referred to as BUS1) installed in the vehicle V. The case of an in-vehicle network 2 (CAN: Controller Area Network) that is communicably connected to W will be described as an example.

  First, a normal in-vehicle network 2 in which a false ECU (non-regular controller) is not provided and controllers (ECU1 to ECUn) connected to the in-vehicle network 2 will be described.

FIG. 1 is a schematic configuration diagram of a normal in-vehicle network 2 in which no fake ECU is provided.
FIG. 2 is a diagram illustrating a controller connected to the in-vehicle network 2, and FIG. 2A is a block diagram of a part related to the gateway G / W authentication process having a function of performing the controller authentication process. b) is a block diagram of a part related to generation of a reply signal of a controller (hereinafter also referred to as a controller (ECUn)) having a function of generating a reply signal for authentication in accordance with a reply request from the gateway G / W. is there. Here, “n” of ECUn is an arbitrary integer determined according to the total number of controllers (ECUs) connected to the in-vehicle network 2.

  As shown in FIG. 1, a gateway G / W and controllers (ECU1, ECU2,..., ECUn) of in-vehicle devices mounted on the vehicle V are connected to the BUS1, and the controllers (ECU1, Each of the ECUs 2,..., ECUn) can exchange information (signals) with the gateway G / W and other controllers via a common BUS1 (transmission path).

  The gateway G / W is a node that collects information output from the controllers (ECU1, ECU2,..., ECUn) of the in-vehicle device, and is a controller having a security function for detecting unauthorized access in this embodiment. . The gateway G / W may have a frame conversion function between different protocols, a safety function for detecting an abnormality, and the like.

  The gateway G / W may be connected to a plurality of in-vehicle networks such as an in-vehicle network organized for each communication protocol or an in-vehicle network organized according to functions such as a control system and a safety system. In the present embodiment, a single in-vehicle network 2 will be described.

In the in-vehicle network 2, when the output signals of the controllers (ECU1, ECU2,..., ECUn) are simultaneously output to the BUS1, the output signal from the controller having the higher priority (order) is the priority (order). The signal is transmitted before the output signal from the low controller.
For this reason, when the output signals of the controllers are simultaneously output to BUS1, they are transmitted through the BUS1 in order from the controller output signal having the highest priority.
On the other hand, when the output signals of the controllers (ECU1, ECU2,..., ECUn) are output at different timings (non-simultaneous), the output signals are transmitted to BUS1 in the output order. It has become.

In the embodiment, different priorities (orders) are set for the respective controllers (ECU1, ECU2,..., ECUn) connected to the BUS1.
In the controllers (ECU1, ECU2,..., ECUn), a lower priority is set as the ECU1 changes to ECUn.

As shown in FIG. 2A, the gateway G / W includes a storage unit 20, a CPU 21, and an input / output port (I / O) 22, which are connected via an internal bus 23. Are connected to each other.
The BUS 1, the ignition switch 24, the speaker 25, and the indicator panel 26 are connected to the input / output port 22 of the gateway G / W.

  When the gateway G / W is activated by turning on the ignition switch 24, the gateway G / W performs authentication processing of the controllers (ECU1, ECU2,..., ECUn) of the in-vehicle devices connected to the BUS1, and false The ECU (non-regular controller) has a function of confirming whether or not it is connected to the BUS1.

  The storage unit 20 is configured by a non-volatile memory or the like, stores a program or the like necessary for the authentication process, and stores a value calculated during the authentication process, a reference value referenced during the authentication process, or the like. Remember.

  The CPU 21 includes a transmission unit 211, a reception unit 212, an abnormality determination unit 213, a notification unit 214, and an authentication unit 215, and an authentication process based on a program stored in the storage unit 20. To implement.

The transmission means 211 sends a reply request signal (authentication start message) for requesting a reply to the gateway G / W to the controller (ECU1 to ECUn) connected to the BUS1 via the BUS1. (ECU1 to ECUn).
The receiving means 212 receives a reply signal (response message) returned from each controller (ECU1 to ECUn).

Abnormality determination means 213 determines the presence / absence of an abnormality based on the reception order of reply signals returned from each of the controllers (ECU1 to ECUn).
Specifically, it is confirmed whether or not a fake ECU (non-regular controller) is connected to BUS1, and when it is determined that a fake ECU is connected, it is determined that “abnormality exists”.
The abnormality determination unit 213 determines “no abnormality” when it is determined that the fake ECU is not connected.

When the abnormality determination unit determines that “there is abnormality”, the notification unit 214 turns on the warning lamp 261 of the indicator panel 26 to notify the passenger of the own vehicle of the occurrence of the abnormality.
Note that it may be notified by the output of audio information from the speaker 25 that it has been determined that there is “abnormal”.

  The authentication unit 215 performs authentication processing of each controller (ECU1 to ECUn) that has returned the reply signal based on the reply signal (response message) returned from each controller (ECU1 to ECUn).

As shown in FIG. 2B, the controller ECUn includes a storage unit 30, a CPU 31, and an input / output port (I / O) 32, which are connected to each other via an internal bus 33. It is connected.
BUS1 is connected to the input / output port 32 of the controller ECUn.

  Controller ECUn confirms the signal level of BUS1, confirms whether the output signal of the other controller is transmitted via BUS1, and when the output signal of the other controller is transmitted, It waits for the completion of transmission of the output signal of the other controller, and outputs the output signal generated by the controller ECUn to BUS1.

  Further, while the output signal generated by the controller ECUn is being output to the BUS1, the signal level of the BUS1 is confirmed, and when the output signal of the controller having a higher priority than the self is also output to the BUS1 simultaneously, The output of the output signal to the BUS1 is stopped, and the output signal generated by the controller ECUn is output to the BUS1 again after waiting for the end of transmission of the output signal of the controller having a higher priority than itself.

  Here, when the controller ECUn receives a reply request signal from the gateway G / W, each controller ECUn generates a reply signal for authentication, and the generated reply signal is sent to the gateway via the BUS1. It has a function to reply to G / W. When the controller ECUn receives the reply request signal from the gateway G / W and each controller ECUn outputs a reply signal at the same time, as described above, each controller ECUn has a higher priority than the controller itself. It waits for the end of transmission of the reply signal and then outputs its own reply signal to BUS1 again.

  The storage unit 30 includes a non-volatile memory and the like. The storage unit 30 stores a program and the like necessary for the generation process of the return signal, and the value calculated in the process of the return signal generation process and the process of the return signal generation process. A reference value or the like referred to in the process is stored.

The CPU 31 includes a reply signal generation unit 311 and performs a reply signal generation process based on a program stored in the storage unit 30.
When the reply signal generation means 311 receives the reply request signal from the gateway G / W, the reply signal generation means 311 generates a reply signal and returns the generated reply signal to the gateway G / W via BUS1.

Hereinafter, the processing performed by the gateway G / W and the controllers (ECU1 to ECUn) when the gateway G / W performs the authentication processing is exchanged between the gateway G / W and the controllers (ECU1 to ECUn). The signal (information) will be described.
FIG. 3 is a sequence chart when the gateway G / W performs the authentication process.

  As shown in FIG. 3, when the gateway G / W is activated by turning on the ignition switch 24 (step S101, Yes), the transmission unit 211 of the gateway G / W is the controller of the in-vehicle device connected to the BUS 1 in step S102. In order to perform the authentication processing of (ECU1 to ECUn), a reply request signal (authentication start message) for requesting a reply to the gateway G / W is generated.

Here, the reply request signal includes an identification ID indicating the priority order of the gateway G / W and information necessary for generating a reply signal in each controller (ECU1 to ECUn) of the in-vehicle device connected to BUS1 (essential information). And.
The essential information necessary for generating a reply signal in each controller (ECU1 to ECUn) is prepared for each controller. For example, the information necessary for processing in the controller ECU1 includes information indicating the priority order of the controller ECU1. (Identifier ID) and information (additional information) to be added to the reply signal generated by the controller ECU 1 are included, and these pieces of information are encrypted by a method that can be decrypted only by the controller ECU 1.
In the reply request signal, the identifier ID of the gateway G / W and the essential information of each controller (ECU1 to ECUn) are connected in series.

When the generation of the reply request signal (step S102) is completed, the transmission unit 211 outputs the generated reply request signal to BUS1 via the input / output port 22 in step S103.
Thereby, the controllers (ECU1 to ECUn) of other in-vehicle devices directly connected to BUS1 simultaneously receive the reply request signal transmitted by the gateway G / W.

The reply signal generating means 311 of the controller (ECU1 to ECUn) that has received the reply request signal generates a reply signal (step S104).
Specifically, each controller (ECU1 to ECUn) decodes the reply request signal and generates the essential information necessary for generating the reply signal, that is, information (identifier ID) indicating the priority order of the controller and the controller. Information to be added to the reply signal (additional information) is acquired.

Here, the case of the controller (ECU1) will be described as an example. The controller (ECU1) is essential information included in the reply request signal and is essential for generating a reply signal in the controller (ECU1). Information is obtained by decryption.
That is, each controller (ECU1 to ECUn) can acquire essential information necessary for generating a reply signal by decoding the controller itself.

  Then, the return signal generating means 311 of each controller (ECU1 to ECUn) acquires the identifier ID and the additional information from the essential information necessary for generating the return signal by itself, and uses the acquired additional information as the gateway G / W. The information is encrypted by a method that can be decrypted by the method, and the information (identifier ID) indicating the priority order of the controller is added to the encrypted additional information to generate a reply signal.

For example, in the case of the controller ECU 1, the reply signal generation unit 311 acquires information (identifier ID) indicating the priority order of the controller ECU 1 and additional information for the controller (ECU 1) from the reply request signal.
Then, the reply signal generation means 311 encrypts the acquired additional information by a method that can be decrypted by the gateway G / W, and adds the reply signal dedicated to the controller (ECU1) to the encrypted additional information by adding it to the identifier ID. Generate.

  Here, as described above, the additional information for the controller (ECU1) is encrypted by a method that can be decrypted only by the controller (ECU1). It is known that a MAC (Message Authentication Code) is used for communication between the gateway G / W and the controller ECUn.

Each controller (ECU1 to ECUn) outputs the generated reply signal to BUS1 in order to send it back to gateway G / W (step S105).
As described above, when a plurality of signals are output to BUS1, signals are transmitted in order from the signal with the highest priority.

  Therefore, when a reply signal is simultaneously output from each controller (ECU1 to ECUn) to BUS1, a reply signal from the controller ECU1, a reply signal from the controller ECU2, a reply signal from the controller ECU3, ..., a reply signal from the controller ECUn. In order, they are input to the gateway G / W.

In gateway G / W, when receiving means 212 receives a reply signal returned from the controller (ECU1 to ECUn), authentication means 215 authenticates based on the additional information included in the reply signal in step S106. Whether or not is established is determined.
Specifically, the authentication unit 215 of the gateway G / W specifies the controller (ECU1 to ECUn) that transmitted the reply signal from the identifier ID of the received reply signal, and decrypts the reply information to obtain additional information. get.
Then, the acquired additional information is compared with the additional information added to the above-described reply request signal, and when both pieces of additional information match, it is determined that the authentication has been established, and when they do not match, the authentication is not established ( It is determined that authentication is not established.

  For example, in the case of a reply signal from the controller ECU1, the additional information acquired from the reply signal is compared with the additional information for the controller ECU1 that is the additional information added to the reply request signal. On the other hand, it is determined that the authentication has been established.

In subsequent step S107, the gateway G / W abnormality determination means 213 determines whether or not a fake ECU (non-regular controller) is connected to the in-vehicle network 2 based on the reception order of the reply signals at the gateway G / W. When it is confirmed that it is determined that the fake ECU is connected, it is determined as “abnormal”, and when it is not determined that the fake ECU is connected, it is determined as “no abnormality”.
Note that the processing in step S107 will be described in detail later.

In the subsequent step S108, the notifying unit 214 of the gateway G / W, when it is determined that “authentication is not established” in the above-described step S106, the voice information for notifying that “authentication is not established” is transmitted to the speaker. 25.
Further, when it is determined that there is “abnormal” in the above-described step S107, the notification unit 214 is provided on the indicator panel 26 in order to notify that the fake ECU is connected to the in-vehicle network 2. The warning lamp 261 is turned on.

Further, the notification unit 214 turns on the abnormality determination flag stored in the storage unit 20. As a result, when an external inspection device is connected to the gateway G / W for inspection of the vehicle V, it is possible to grasp that the inspection device has been determined to be “abnormal”.
At this time, sound information for notifying that the fake ECU is connected to the in-vehicle network 2 may be output from the speaker 25.

  Hereinafter, the determination of the presence or absence of abnormality by the abnormality determination means 213 is a case where there are three controllers connected to the BUS1, and a false ECU (non-regular controller) is provided between the BUS1 and the controller ECU1. An example will be described.

  FIG. 4A is a schematic configuration diagram of the in-vehicle network 2 when a fake ECU (non-regular controller) is provided between the BUS1 (CAN bus) and the ECU 1 (controller). ) Is a sequence chart when the gateway G / W performs an authentication process in the case of (a).

  Here, when the fake ECU mediates communication between the gateway G / W and the controller (ECU1) and inputs a reply signal from the legitimate controller (ECU1) to the gateway G / W as it is, In the authentication process (FIG. 3: step S106), the presence of this false ECU cannot be detected. In the following, security measures assuming such a fake ECU will be described.

When the reply request signal from the gateway G / W is received simultaneously by the fake ECU and the controllers (ECU2, ECU3), the fake ECU transfers the received reply request signal to the controller (ECU1), while the controller (ECU2 , ECU 3) generates a reply signal and sends it back to the gateway G / W.
Then, the controller (ECU1) generates a reply signal in response to the transferred reply request signal and sends it back to the gateway G / W. Since this reply signal is also forwarded by the fake ECU, The reply signal from the controller (ECU 1) in which the false EUC is interposed is input to the gateway G / W with a delay from the reply signals from the other controllers (ECU 2, ECU 3).

  At this time, the delay time T from the reception of the return signal from the controller (ECU2, ECU3) at the gateway G / W to the reception of the return signal from the controller (ECU1) at the gateway G / W is determined by the fake ECU. This corresponds to two transfer delay times Tx (T = 2 × Tx).

  Then, in the in-vehicle network 2 (CAN communication network), first, the reply signal is transmitted according to the priority (ECU2 → ECU3) of the controller (ECU2, ECU3) among the reply signals output simultaneously, A reply signal from the controller (ECU 1) output with a delay is transmitted. As a result, the gateway G / W receives the reply signals in the order of ECU2 → ECU3 → ECU1.

  That is, the reply signal of the controller (ECU1) in which the false ECU is interposed is transmitted in a descending order from the original priority order (ECU1 → ECU2 → ECU3).

  Therefore, the abnormality determination means 213 checks whether or not the reply signals from the controller (ECUn) are input in the order of preset priority in the above-described abnormality determination process S107. ) Is not received in the order corresponding to the priority order, it is determined that an unauthorized controller is connected to the in-vehicle network 2 and it is determined that there is an abnormality.

  As a result, as in the case where a fake ECU having a function of mediating communication between the gateway G / W and the controller (ECU1) is installed between the BUS1 and the controller (ECU1), the authentication means 215 In the authentication process, even if the presence of an unauthorized controller (fake ECU) cannot be detected on the gateway G / W side, the presence of an unauthorized controller (fake ECU) is determined by the above-described determination process by the abnormality determination unit 213. Can be detected.

  In addition, the abnormality determination means 213 recognizes that the non-regular controller is not connected to the in-vehicle network 2 when the reply signal from the controller (ECU) is received in the order according to the priority order. It is determined that there is no abnormality.

As described above, in the embodiment,
(1) A plurality of controllers (ECU1 to ECUn) having different priorities (order) are communicably connected to the gateway device (G / W) via BUS1 (common transmission path), and a plurality of controllers A CAN communication system in which, when signals are simultaneously output from (ECU1 to ECUn), signals are sequentially transmitted from a controller signal having a higher priority to a gateway device (G / W),
Gateway device (G / W)
A transmission unit 211 for simultaneously transmitting a reply request signal for requesting a reply to the gateway device (G / W) to the plurality of controllers (ECU1 to ECUn) via the BUS1;
Receiving means 212 for receiving a return signal from each of the controllers (ECU1 to ECUn);
An abnormality determination unit 213 that determines whether or not there is an abnormality based on the reception order of the return signals.

When an unauthorized controller (fake ECU) that mediates transmission of signals between BUS1 and the authorized controller is installed between BUS1 and at least one of the authorized controllers (ECU1 to ECUn). The delay of the timing at which the return signal is output to BUS1 is delayed by the amount of the false ECU interposed in the signal transmission.
Then, for example, when the false ECU is provided between the BUS1 and the controller (ECU1), the reply signal output from the regular controller (ECU1) connected to the BUS1 via the false ECU is The signal is received by the receiving means 212 of the gateway G / W after a reply signal output from the controller (ECU2) having a lower priority than the controller (ECU1).
Therefore, it is configured as described above, and by confirming the reception order of the reply signals returned from the controller, it is appropriately determined whether or not an unauthorized controller (fake ECU) that mediates signal transmission is connected. I can judge.

(2) In a CAN communication system, a reply signal output with a delay from the output of a reply signal from another controller is delayed from the priority order (order) of the reply source controller of the reply signal output with a delay. Configured to be transmitted,
The abnormality determination means 213
When the reception order of the reply signals returned from each of the controllers (ECU1 to ECUn) is different from the priority order of the controllers (ECU1 to ECUn), any one of the plurality of controllers (ECU1 to ECUn) and the gateway device ( G / W) is determined to be “abnormal” and an unauthorized controller is present,
When the receiving order of the reply signals returned from each of the controllers (ECU1 to ECUn) is the same as the priority order of the controllers (ECU1 to ECUn), it is determined that there is no abnormality,
In-car network 2
When the abnormality determination unit 213 determines “abnormal”, the notification unit 214 is further provided to notify the occurrence of the abnormality.

As described above, when a non-regular controller (fake ECU) that mediates signal transmission is installed between BUS1 and any of the controllers (ECU1 to ECUn), the signal transmission is false. The timing at which the return signal is output to BUS1 is delayed by the amount of intervention of the ECU.
Therefore, if comprised as mentioned above, by comparing the order of reception of the reply signals returned from the controllers (ECU1 to ECUn) and the order of priority of the controllers (ECU1 to ECUn), a false ECU (non-regular ECU) It is possible to appropriately determine whether or not the controller is connected.

  When the abnormality determination unit 213 determines that “there is abnormality”, the notification unit 214 (a) turns on the warning lamp 261 of the indicator panel 26 to notify the passenger of the vehicle V of the occurrence of the abnormality. And / or (b) by notifying that it is determined as “abnormal” by outputting audio information from the speaker 25, it is possible to detect an abnormality in which it is recognized that a fake ECU is installed in the in-vehicle network 2. Can be surely communicated to the passengers.

  Further, when the abnormality determination unit 213 determines that “there is abnormality”, the notification unit 214 (c) checks the vehicle V by turning on the abnormality determination flag stored in the storage unit 20. For example, when an external inspection device is connected to the gateway G / W, it is possible to grasp that the inspection device has been determined to be “abnormal”.

(3) To the reply request signal, rank data (identification ID) that defines the priority order of each of the controllers (ECU1 to ECUn) is added.
The controllers (ECU1 to ECUn)
When the reply request signal is received, the priority order of the controller (ECU1 to ECUn) is specified with reference to the identification ID, and the reply signal generating means 311 for transmitting the identification ID indicating the identified priority order added to the reply signal. It was set as the structure which has.

  If comprised in this way, since identification ID which shows a priority is added to the reply signal returned from a controller (ECU1-ECU), the reply signal output from a controller (ECU1-ECUn) is made into a priority. The data can be transmitted to the gateway G / W in an appropriate order according to the order.

  In particular, the controller (ECU1 to ECUn) checks the signal level of BUS1 while outputting the output signal generated by the controller (ECU1 to ECUn) to the BUS1, and outputs the controller having a higher priority than itself. If the signal is also output simultaneously to BUS1, output of the output signal to BUS1 is stopped, the output of the output signal of the controller having a higher priority than that of itself is terminated, and the output signal generated by controller ECUn is output. Since it is configured to output to BUS1 again, even if signals are output from each controller (ECU1 to ECUn) to BUS1 at the same timing, a signal having a higher priority is used. In turn, it can be transmitted over BUS1.

  Furthermore, by setting the order data included in the reply request signal on the gateway G / W side, the priority order of each of the controllers (ECU1 to ECUn) is set to the original function of each of the controllers (ECU1 to ECUn). Since the configuration can be changed within a range that does not hinder the performance, the order of the reply signals output from the controllers (ECU1 to ECUn) to the BUS1 can be changed periodically.

[Modification 1]
In the above-described embodiment, the gateway G / W transmits a reply request signal once, and the controllers (ECU1 to ECUn) receive the reply request signal at the same timing and generate a reply signal at the same timing. Is supposed to start.
However, the controllers (ECU1 to ECUn) of the in-vehicle devices connected to the BUS1 have different performance such as processing speed for each controller. In the case of a controller with a slow processing speed, a controller having a lower priority than the controller. It is also assumed that the reply signal is generated earlier.
In this case, there is a possibility that the abnormality determination unit 213 determines that “abnormality exists” even though the false ECU is not provided.

  Therefore, in the first modification, the gateway G / W is set to continuously transmit the reply request signal a plurality of times, and the number of reply request signals transmitted is the controller (ECU1 to ECUn) connected to the BUS1. Of these, it is set based on the time required for generating a reply signal in the controller that takes the longest time to generate the reply signal.

Hereinafter, a case where the gateway G / W is set to continuously transmit a reply request signal a plurality of times will be described as an example.
FIG. 5 is a sequence chart when the gateway G / W transmits the reply request signal three times in succession. Of the three controllers (ECU1 to ECU3) connected to BUS1, BUS1 and the controller (ECU1 ) Is a sequence chart when a fake ECU is provided.

The controllers (ECU2, ECU3) directly connected to the BUS1 have different times Δta and Δtb required from the reception of the reply request signal to the generation of the reply signal, and the controller (ECU2) with higher priority is the controller (ECU2). The controller (ECU 3) having a lower priority than the ECU 2) takes time to generate a reply signal.
Therefore, if the reply request signal is transmitted only once, the reply signal from the controller (ECU2) is generated later than the reply signal from the controller (ECU3), and therefore the reply signal from the controller (ECU2) is output to BUS1. The timing is delayed from the output timing of the return signal of the controller (ECU 3).

  Then, in BUS1, when signals are output at different timings, the signals are transmitted in the order in which the signals are output to BUS1, and are output with a delay from the output of reply signals from other controllers. Since the reply signal is transmitted later than the priority (order) of the reply-source controller of the reply signal output with a delay, the reply signal of the controller (ECU 3) is transmitted to the controller ( As a result of transmission to the gateway G / W prior to the reply signal from the ECU 2), it is determined that the controller (ECU 2) is “abnormal” although no fake ECU is provided.

  Therefore, in order to prevent the occurrence of such a situation, in the first modification, each controller outputs a reply signal to BUS1 after waiting for a reply signal to be generated by a controller (ECU2) that is slow in generating a reply signal. In order to do this, the gateway G / W continuously transmits a reply request signal a plurality of times.

As described above, in the in-vehicle network 2, each controller uses a common BUS1 to transmit and receive signals. When signals transmitted by the BUS1 compete, Only the signal output by the controller with the highest priority is set to be transmitted.
Since the priority order of the gateway G / W is higher than that of the controllers (ECU1 to ECU3), while the gateway G / W outputs the reply request signal and occupies BUS1, the controllers (ECU1 to ECU3) The signal cannot be transmitted via BUS1.

Therefore, in the embodiment, the gateway G / W has a time (Δt) longer than the time Δta required to generate the return signal in the controller (the controller (ECU 2 in the case of FIG. 5)) that generates the return signal the slowest. Repeatedly sends a reply request signal.
Note that the transmission interval Δtx of the reply request signal by the gateway G / W (see FIG. 5) occupies BUS1 until transmission of all reply request signals is completed, and signals from other controllers connected to BUS1. It is set to a transmission interval that can prevent transmission.

  Then, since the BUS1 is occupied by the transmission of the reply request signal, the storage unit 30 of the controller (ECU2, ECU3) is the reply signal generated by the controller (ECU2, ECU3) while the reply request signal is being transmitted. And after the occupation of BUS1 by the reply request signal is completed, the reply signal having a higher priority is transmitted.

  In the case of FIG. 5, the gateway G / W transmits the reply request signal three times in total, and BUS1 is occupied by this reply request signal while the reply request signal is being transmitted. Therefore, the reply signal of the controller (ECU 3) is not transmitted to the gateway G / W via BUS1.

  Since the generation of the reply signal by the controller (ECU2) is completed while the reply request signal is being transmitted, the reply signal by the controller (ECU2) and the controller (ECU3) when the transmission of the reply request signal is completed. However, since the controller (ECU2) has a higher priority than the controller (ECU3), the controller (ECU2) generates a response signal from the controller (ECU3) previously generated. Is transmitted to the gateway G / W via the BUS1 prior to the reply signal.

Here, also in the case of FIG. 5, a fake ECU having the same signal transfer function as that of the above-described embodiment is provided between the BUS 1 and the controller (ECU 1).
In this case, as a result of the delay in transmission of the reply signal generated by the legitimate controller (ECU1) due to the two transfers by the fake ECU, the reply signal from the controller (ECU1) becomes the reply from the controller (ECU2). The signal is transmitted to the gateway G / W after the signal.

  Therefore, in this case, the order in which the reply signals are transmitted to the gateway G / W is different from the predetermined priority order, so the abnormality determination unit 213 described above with respect to the controller (ECU1) It is determined that there is an abnormality.

The number of times the gateway G / W repeatedly transmits the reply request signal (time (Δt)) is at least before the first reply signal generated by the regular controller (ECU1) is transmitted to the fake ECU. It is set to the number of times (time) at which the occupation of BUS1 by the signal ends.
If the reply signal generated by the legitimate controller (ECU1) is transmitted to the fake ECU before the occupation of BUS1 by the reply request signal ends, the order in which the reply signals are transmitted to the gateway G / W is: This is because there is a case where it becomes impossible to detect the presence of a fake ECU because the priority order is the same as that determined in advance.

  As described above, in Modification 1, each of the legitimate controllers (ECU2, ECU3) directly connected to BUS1 is caused by a difference in time required for generating a return signal in the controller (ECU2, ECU3) (difference in signal processing capability). Thus, it is possible to accurately determine “abnormal” with respect to a regular controller (ECU 1) connected to the BUS 1 via the fake ECU 1 while preventing erroneous determination as “abnormal”. It has become.

In the case of the first modification, it is determined whether or not the reply signals from the controllers (ECU1 to ECU3) have been input to the gateway G / W in the same order of priority as the reply request signal. By checking, the presence or absence of a fake ECU is determined.
That is, in the case of the first modification, when the reply signals from the controllers (ECU1 to ECU3) are input to the gateway G / W in the order of predetermined priority, the same number of times as the reply request signal, It is determined that the ECU is not provided (“no abnormality”).

  However, as shown in FIG. 6, when the transmission time Δt (number of transmissions) of the reply request signal is long (large), the controller (ECU 2) is in the middle of transmitting the reply signal generated by the controller (ECU 1). May be transmitted to the fake ECU, and the fake ECU may output the reply signal generated by the legitimate controller (ECU1) to the BUS1.

  In this case, the reply signal generated by the controller (ECU1) is transmitted to the gateway G / W before all the reply signals generated by the controller (ECU2) are transmitted to the gateway G / W. Become.

  Therefore, the abnormality determination means 213 receives (a) a reply signal with a higher priority than the immediately preceding reply signal, or (b) a reply signal with a higher priority than the immediately preceding reply signal. It is preferable to determine “abnormal” when the reply signal transmitted immediately before is received again.

  Further, when a false ECU is provided between the controller with the lowest priority (ECU 3 in the case of FIG. 5) and BUS1, the ECU 3 has the lowest priority and sends a reply signal after the ECU 3. Since there is no ECU to transmit, the presence of the fake ECU cannot be detected only by the method described above.

  Therefore, when the reply request signal is transmitted a plurality of times, the priority order of the controller (ECU3) having the lowest priority order and the priority order of the controller (ECU2) having a higher priority order than this controller in at least one reply request signal. It is preferable to determine whether or not there is an abnormality in the controller (ECU 3) with the lowest priority based on the return signal for the reply request signal when the priority is changed.

In this case, when a plurality of controllers (ECU1 to ECUn) are connected to BUS1, the controller (ECUn) having the lowest priority and the remaining controllers (ECU1) having a higher priority than this controller (ECUn). The priority order may be exchanged with at least one controller of .about.ECUn-1).
Therefore, when determining whether or not there is an abnormality in the controllers (ECU1 to ECUn) connected to the BUS1, the gateway G / W sends a reply request signal to the controllers (ECU1 to ECUn) at least twice. It is preferable to be configured to transmit.

As above,
(4) The gateway G / W is a controller having a higher priority than the controllers (ECU1 to ECUn),
The transmission unit 211 continuously transmits the reply request signal a predetermined number of times at a timing (FIG. 5, Δtx) where the common transmission path BUS1 continues to be occupied by the reply request signal after the gateway G / W is activated. Occupy BUS1 in the transmission of the reply request signal for a predetermined time Δt,
The abnormality determination means 213
It is determined that there is an abnormality when the return signals returned from each of the controllers (ECU1 to ECUn) have not been received by the receiving means 212 a predetermined number of times in the priority order of the controllers (ECU1 to ECUn). And
It is determined as “no abnormality” when the return signals returned from each of the controllers (ECU1 to ECUn) are received by the receiving unit 212 a predetermined number of times in the priority order of the controllers (ECU1 to ECUn). It was set as the structure to do.

  If comprised in this way, the presence or absence of abnormality can be determined more correctly than the case where the presence or absence of abnormality is determined only by one transmission of a reply request signal.

(5) The number of transmissions of the reply request signal by the transmission means 221 (time Δt) is determined by a false ECU (illegal controller) that mediates transmission of signals (reply request signal, reply signal) with the gateway G / W. It is set to the number of times (time) at which the transmission of the reply request signal is completed before the reply signal generated by the intervening regular controller (ECU1) is transmitted (transmitted) to BUS1 (common transmission path). It was set as the composition.

  With this configuration, if the reply signal generated by the legitimate controller (ECU1) is transmitted to the fake ECU before the BUS1 is occupied by the reply request signal, the reply signal is sent to the gateway G / W. It is possible to determine whether there is an abnormality while preventing the transmission order from being the same as a predetermined priority order and preventing the presence of a false ECU from being detected.

(6) The abnormality determination means 213
When the priority (order) of the reply source controller of the reply signal received by the receiving means 212 is higher than the priority (order) of the reply source controller of the reply signal received earlier, it is determined as “abnormal”. It was set as the structure to do.

  If comprised in this way, it can be determined appropriately whether the non-regular controller (fake ECU) which mediates transmission of a signal is connected by confirming the reception order of the reply signal returned from the controller.

(7) The abnormality determination means 213 returns a reply from a controller having a higher priority (order) than a controller having the same priority (order) while receiving a response signal from the controller having the same priority (order) a predetermined number of times. When a signal is received, it is determined to be “abnormal”.

As shown in FIG. 6, when the transmission time Δt (number of transmissions) of the reply request signal becomes long (large), the legitimate controller (ECU1) generates while the reply signal generated by the controller (ECU2) is being transmitted. The transmitted reply signal may be transmitted to the fake ECU, and the fake ECU may output the reply signal generated by the legitimate controller (ECU1) to the BUS1.
In this case, the reply signal generated by the controller (ECU1) and transmitted by the fake ECU interrupts the transmission of the reply signal generated by the controller (ECU2) and is transmitted to the gateway G / W. .

  Therefore, by configuring as described above, it is also possible to check whether there is an interrupt of a transmission signal returned from another controller while receiving a response signal returned from the controller a plurality of times. It is possible to appropriately determine whether or not a non-regular controller (fake ECU) that mediates transmission is connected.

(8) The transmission unit 211 transmits an identification ID (order data) that defines the priority (order) of the controllers (ECU1 to ECUn) in addition to the reply request signal,
When the reply request signal is transmitted a plurality of times, a controller (ECUn) having the lowest priority among the identification IDs and a controller (ECU1 to ECUn-1) having a higher priority than the controller having the lowest priority The reply request signal to which the confirmation order data in which the priorities are switched is added is transmitted at least once.

When a false ECU is provided between the controller (ECU) having the lowest priority and the BUS1, it is not possible to determine whether there is an abnormality in the order in which the gateway G / W receives the return signal.
By configuring as described above, the presence / absence of an abnormality is determined by both the reception order of reply signals with respect to reply request signals whose priority is not changed and the reception order of reply signals with respect to reply request signals whose priority is exchanged. Thus, even when a false ECU is provided between the controller (ECUn) having the lowest priority and the BUS1, it is possible to check whether there is an abnormality, that is, whether there is a false ECU.

(9) The number of transmissions of the reply request signal is set based on the time required for generating the reply signal in the controller (ECU1 to ECUn) connected to the BUS 1 that takes the longest time to generate the reply signal. The reply request signal output by the gateway G / W is set to be occupied by the reply request signal output from the gateway G / W for a time longer than the time required for the reply signal to be generated by the controller that takes the longest time to generate the reply signal. It was supposed to be.

With such a configuration, each controller (ECU1 to ECUn) outputs a reply signal to BUS1 after waiting for a reply signal to be generated by a controller that is slow in generating a reply signal. It can be suitably prevented that the reply signal from the controller is received by the gateway G / W before the reply signal from the controller having a higher priority than the controller.
Thereby, it is possible to suitably prevent the abnormality determination unit 213 from determining that there is “abnormality” for a controller that is slow in generating a reply signal even though no fake ECU is provided.

1 BUS
2 In-car network 20 Storage unit 21 CPU
22 I / O Port 23 Internal Bus 24 Ignition Switch 25 Speaker 26 Indicator Panel 30 Storage Unit 31 CPU
31 Storage Unit 32 Input / Output Port 33 Internal Bus 211 Transmitting Means 212 Receiving Means 213 Abnormality Determination Means 214 Notification Means 215 Authentication Means 217 Notification Means 261 Warning Light 311 Reply Signal Generation Means G / W Gateway ECU1 to ECUn Controller V Vehicle

Claims (11)

When a plurality of controllers having different ranks are communicably connected to a gateway apparatus via a common transmission line, and signals are output simultaneously from the plurality of controllers, the gateway apparatus sequentially from the controller signal having the highest rank. A CAN communication system transmitted to
The gateway device is
A transmission means for simultaneously transmitting a reply request signal for requesting a reply to the gateway device to the plurality of controllers via the common transmission path;
Receiving means for receiving a reply signal from each of the controllers;
A CAN communication system comprising: an abnormality determination unit configured to determine presence / absence of an abnormality based on a reception order of the reply signals. In the CAN communication system, among the plurality of controllers, the reply signal of the controller output with a delay is transmitted with a delay from the order of the controllers,
The abnormality determining means includes
When the reception order of the reply signals from each of the controllers is different from the order of the controllers, it is determined that there is an abnormality as an unauthorized controller is interposed between any of the plurality of controllers and the gateway device. The CAN communication system according to claim 1. The abnormality determining means includes
3. The CAN communication system according to claim 2, wherein when the order of receiving the reply signals from each of the controllers is the same as the order of order of the controllers, it is determined that there is no abnormality. In the reply request signal, order data defining the order of each of the controllers is added,
The controller is
Upon receipt of the reply request signal, it has reply signal generation means for identifying the order of the controller with reference to the order data and adding information indicating the identified order to the reply signal for transmission. The CAN communication system according to any one of claims 1 to 3, wherein: The transmission means continuously transmits the reply request signal a predetermined number of times at a timing at which the common transmission line continues to be occupied by the reply request signal after the gateway device is activated,
The abnormality determining means includes
5. The method according to claim 1, wherein the return signal from each of the controllers is determined to be abnormal when it has not been received the predetermined number of times in the order of the controllers. The CAN communication system as described in any one. The number of transmissions of the reply request signal by the transmission means is:
It is set to the number of times the transmission of the reply request signal is completed before a reply signal from a legitimate controller having an unauthorized controller intervening with the gateway device is sent to the common transmission path. The CAN communication system according to claim 5. The abnormality determining means includes
7. The CAN communication system according to claim 5, wherein when the reply signal from each of the controllers is received the predetermined number of times in the order of the controllers, it is determined that there is no abnormality. The abnormality determining means includes
6. The apparatus according to claim 5, wherein when there is a higher rank of the reply source controller of the reply signal received by the receiving means than the rank of the reply source controller of the previously received reply signal, it is determined that there is an abnormality. The described CAN communication system.   The abnormality determining means determines that there is an abnormality when a reply signal is received from a controller having a higher order than the controller having the same order while the reply signal from the controller having the same order is received the predetermined number of times. The CAN communication system according to claim 5. The transmission means transmits the order data defining the order of each of the controllers, added to the reply request signal, and
When the reply request signal is transmitted a plurality of times, confirmation order data in which the order is switched between the controller having the lowest order in the order data and the controller having the higher order than the controller having the lowest order is added. The CAN communication system according to any one of claims 5 to 9, wherein the response request signal transmitted is transmitted at least once.   The number of transmissions of the reply request signal is set based on the time required to generate the reply signal by the controller that takes the longest time to generate the reply signal among the plurality of controllers connected to the transmission path. The CAN communication system according to any one of claims 5 to 10, wherein:

Images