Remote firmware differential encryption upgrade method and system for automobile electronic control system

By generating a dynamic session key in the automotive electronic control system to encrypt firmware difference data blocks, the problem of insufficient data transmission security during remote firmware upgrades is solved. This enables dynamic binding of hardware identity and communication link, improving the security and integrity of the upgrade process.

CN121900799B · Active · Publication Date: 2026-06-23 · SHENZHEN FOXWELL TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN FOXWELL TECHNOLOGY CO LTD
Filing Date
2026-03-16
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

In the existing technology, during the remote firmware upgrade of automotive electronic control systems, if the communication link is intercepted or the server-side key is cracked, attackers can obtain the session key, resulting in insufficient data transmission security.

Method used

By collecting the current firmware version information and communication link security parameters of the target electronic control unit, a dynamic session key is generated. This key is then used to perform feature encryption on the firmware difference data block, generating an encrypted differential upgrade package. Finally, the digital signature and differential reconstruction are verified in the target electronic control unit to complete the firmware upgrade.

Benefits of technology

It achieves dynamic binding of communication link characteristics and hardware identity, improves data transmission security during remote firmware upgrades, prevents replay attacks and data tampering, and ensures the integrity and security of the upgrade process.

✦ Generated by Eureka AI based on patent content.

Figure CN121900799B_ABST (abstract drawing)

Abstract

The application provides a remote firmware differential encryption upgrade method and system for an automobile electric control system. A dynamic session key for this remote upgrade session is generated through the encryption protocol features of the current link, the session key negotiation mechanism, and the unique device identifier of the target electric control unit. The target firmware version to be upgraded and the current firmware version information are compared and differentiated to obtain firmware difference data blocks. The dynamic session key is used to encrypt the firmware difference data blocks to generate an encrypted differential upgrade package. The differential upgrade package is distributed to the target electric control unit through the secure communication link of the vehicle electric control system. In the target electric control unit, the digital signature is verified, the firmware difference data blocks are decrypted using the dynamic session key, and the firmware is differentially reorganized with the current firmware to complete the firmware upgrade. Based on the above scheme, dynamic binding of communication link features and hardware identity can be achieved.

Description

Technical Field

[0001] This application relates to the field of automotive safety technology, and more specifically, to a method and system for remote firmware differential encryption upgrade of an automotive electronic control system.

Background Technology

[0002] The automotive electronic control system is the core control unit of a vehicle. Through embedded hardware and real-time software algorithms, it collects sensor data and executes precise control commands to achieve coordinated management of key components such as the engine, transmission, and vehicle stability system. Relying on the vehicle network for data interaction, it has the capabilities of fault diagnosis, performance optimization, and remote upgrades. It is the intelligent control center that ensures the vehicle's power, economy, and safety.

[0003] Existing technologies typically employ fixed pre-shared keys or session keys generated solely through random number negotiation between the communicating parties. This key generation method lacks binding to the hardware identity of the electronic control unit (ECU). If the communication link is intercepted or the server-side key is compromised, an attacker can obtain the session key and subsequently decrypt all upgrade data. Therefore, how to dynamically bind communication link characteristics to hardware identity to improve data transmission security during remote firmware upgrades has become a significant challenge for the industry.

Summary of the Invention

[0004] This application provides a method and system for remote firmware differential encryption upgrade of an automotive electronic control system, which can realize the dynamic binding of communication link characteristics and hardware identity, thereby improving the data transmission security during the remote firmware upgrade process.

[0005] In a first aspect, this application provides a method for remote firmware differential encryption upgrade of an automotive electronic control system, including:

[0006] When the vehicle electronic control system initiates a remote upgrade, the current firmware version information of the target electronic control unit is collected, and the security parameters of the communication link between the target electronic control unit and the backend upgrade server are obtained.

[0007] The encryption protocol features and session key negotiation mechanism of the current link are extracted from the communication link security parameters. The dynamic session key for this remote upgrade session is generated using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit.

[0008] The target firmware version to be upgraded and the current firmware version information are differentially compared to obtain a firmware difference data block. The firmware difference data block is then feature-encrypted using the dynamic session key to generate an encrypted differential upgrade package.

[0009] The differential upgrade package is sent to the target electronic control unit via the secure communication link of the vehicle electronic control system. In the target electronic control unit, the digital signature is verified, the firmware difference data block is decrypted using the dynamic session key, and differential reassembly is performed with the current firmware to complete the firmware upgrade.

[0010] In some embodiments, extracting the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters specifically includes:

[0011] Version suite parsing is performed on the protocol handshake records in the communication link security parameters to obtain the encryption protocol characteristics of the current link;

[0012] The negotiation mechanism type of the current link is obtained by identifying the negotiation method from the key exchange messages exchanged during the protocol handshake recorded in the communication link security parameters.

[0013] In some embodiments, generating the dynamic session key for this remote upgrade session using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit specifically includes:

[0014] The encryption protocol features and the unique device identifier of the target electronic control unit are used to construct the context fingerprint of this upgrade session;

[0015] Based on the server-side temporary public key and elliptic curve parameters in the session key negotiation mechanism, a client-side temporary key pair is generated.

[0016] The dynamic session key for this remote upgrade session is generated using the context fingerprint and the client temporary key pair.

[0017] In some embodiments, the differential comparison between the target firmware version to be upgraded and the current firmware version information to obtain a firmware difference data block specifically includes:

[0018] Using fixed-size data blocks as units, perform block-by-block hash comparison between the target firmware version to be upgraded and the current firmware version information, and mark data blocks with inconsistent hash values as difference blocks;

[0019] Record the starting address and length of each difference block in the current firmware, and generate a difference block mapping table;

[0020] Extract the binary data of all marked difference blocks from the difference block mapping table and merge them into firmware difference data blocks.

[0021] In some embodiments, using the dynamic session key to perform feature encryption on the firmware difference data block to generate an encrypted differential upgrade package specifically includes:

[0022] The firmware difference data block is divided into fixed-length encrypted groups;

[0023] Using the sequential index of each encrypted packet in the set as the initial vector, each encrypted packet is encrypted sequentially using the dynamic session key;

[0024] The encrypted differential upgrade package is obtained by encapsulating the encrypted differential data block and the digital digest of the hardware security module signature.

[0025] In some embodiments, the target electronic control unit is a vehicle domain controller or engine management unit based on the AUTOSAR architecture.

[0026] In some embodiments, the backend upgrade server is a vehicle-to-everything (V2X) cloud platform based on in-vehicle Ethernet communication.

[0027] In a second aspect, this application provides a remote firmware differential encryption upgrade system for an automotive electronic control system, including an encryption upgrade unit, the encryption upgrade unit comprising:

[0028] The acquisition module is used to collect the current firmware version information of the target electronic control unit and obtain the communication link security parameters between the target electronic control unit and the backend upgrade server when the vehicle electronic control system initiates a remote upgrade.

[0029] The processing module is used to extract the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters, and generate the dynamic session key for this remote upgrade session through the encryption protocol features, the session key negotiation mechanism and the device unique identifier of the target electronic control unit;

[0030] The processing module is also used to perform differential comparison between the target firmware version to be upgraded and the current firmware version information to obtain a firmware difference data block, and use the dynamic session key to perform feature encryption on the firmware difference data block to generate an encrypted differential upgrade package.

[0031] The execution module is used to send the differential upgrade package to the target electronic control unit through the secure communication link of the vehicle electronic control system, verify the digital signature in the target electronic control unit, decrypt the firmware difference data block using the dynamic session key, and perform differential reconstruction with the current firmware to complete the firmware upgrade.

[0032] In a third aspect, this application provides a computer device, which includes a memory and a processor. The memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that the computer device executes the above-described remote firmware differential encryption upgrade method for automotive electronic control systems.

[0033] In a fourth aspect, this application provides a computer-readable storage medium storing instructions or code that, when executed on a computer, cause the computer to implement the aforementioned remote firmware differential encryption upgrade method for automotive electronic control systems.

[0034] The technical solutions provided by the embodiments disclosed in this application have the following beneficial effects:

[0035] This application provides a remote firmware differential encryption upgrade method and system for an automotive electronic control system. When the vehicle's electronic control system initiates a remote upgrade, the system collects the current firmware version information of the target electronic control unit and obtains the communication link security parameters between the target electronic control unit and the backend upgrade server. From the communication link security parameters, it extracts the encryption protocol features and session key negotiation mechanism of the current link. Using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit, it generates a dynamic session key for this remote upgrade session. It performs a differential comparison between the target firmware version to be upgraded and the current firmware version information to obtain a firmware difference data block. The dynamic session key is used to perform feature encryption on the firmware difference data block to generate an encrypted differential upgrade package. The differential upgrade package is sent to the target electronic control unit through the secure communication link of the vehicle's electronic control system. In the target electronic control unit, the digital signature is verified, the dynamic session key is used to decrypt the firmware difference data block, and differential reassembly is performed with the current firmware to complete the firmware upgrade.

[0036] Therefore, in this application, the differential upgrade package is sent to the target electronic control unit (ECU) via the secure communication link of the vehicle's electronic control system. In the target ECU, the digital signature is verified, the firmware difference data block is decrypted using the dynamic session key, and it is differentially reassembled with the current firmware to complete the firmware upgrade. First, determining the dynamic session key yields a temporary encryption key strongly bound to the current upgrade session environment and the hardware unique identifier. This makes the communication link characteristics and the ECU hardware identity key generation factors, ensuring that the encryption key for each upgrade session is unpredictable and used only once. Even if an attacker intercepts historical communication data or cracks one session key, they cannot deduce the key material for other upgrade sessions; the correlation between keys is severed and a hardware-level isolation barrier is established. Then, by determining the differential upgrade package, a set of firmware difference data encrypted block by block under the dynamic session key is obtained. This extends the binding between link characteristics and hardware identity to each encrypted group of firmware data, so that the encrypted difference data block corresponds uniquely to this upgrade session; an attacker cannot replay intercepted encrypted packets against other vehicles or other upgrade sessions. At the same time, using the sequential index as the initial vector for each data block prevents substitution attacks between data blocks, ensuring the integrity and tamper resistance of the differential upgrade package during storage and transmission.
In summary, based on the above scheme, dynamic binding between communication link characteristics and hardware identity can be achieved, thereby improving the data transmission security of the remote firmware upgrade process.

Attached Figure Description

[0037] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0038] Figure 1 is an exemplary flowchart of a remote firmware differential encryption upgrade method for an automotive electronic control system according to some embodiments of this application;

[0039] Figure 2 is a schematic diagram of the process for determining the differential upgrade package according to some embodiments of this application;

[0040] Figure 3 is a schematic diagram of the structure of the encryption upgrade unit shown in some embodiments of this application;

[0041] Figure 4 is a schematic diagram of the structure of a computer device for implementing a remote firmware differential encryption upgrade method for an automotive electronic control system, according to some embodiments of this application.

Detailed Implementation

[0042] To better understand the technical solution of this application, the technical solution of this application will be described in detail below with reference to the accompanying drawings and specific embodiments.

[0043] Referring to Figure 1, which is an exemplary flowchart of a remote firmware differential encryption upgrade method for an automotive electronic control system according to some embodiments of this application, the remote firmware differential encryption upgrade method for an automotive electronic control system mainly includes the following steps:

[0044] In step 101, when the vehicle electronic control system initiates a remote upgrade, the current firmware version information of the target electronic control unit is collected, and the communication link security parameters between the target electronic control unit and the backend upgrade server are obtained.

[0045] It should be noted that, in this application, the target electronic control unit is a vehicle domain controller or engine management unit based on the AUTOSAR architecture; the back-end upgrade server is a vehicle networking cloud platform based on in-vehicle Ethernet communication; the current firmware version information is a unique identifier used to identify the existing software version in the target electronic control unit; and the communication link security parameters are basic data used to describe the network connection security status between the target electronic control unit and the back-end upgrade server.

[0046] In practice, when the vehicle's electronic control system initiates a remote upgrade process, the target electronic control unit first actively reads the program version number recorded in its internal storage area and uses this program version number as the current firmware version information. Simultaneously, during the process of establishing a network connection with the backend upgrade server, the target electronic control unit records all interactive data during the handshake negotiation between the two parties. From the interactive data, it extracts the encryption protocol type, encryption algorithm suite, and random numbers used for the connection. The set of encryption protocol type, encryption algorithm suite, and random numbers from both parties is used as the communication link security parameters. Thus, the read program version number is used as the current firmware version information, and the recorded encryption protocol type, encryption algorithm suite, and random numbers from both parties are used as the communication link security parameters.

[0047] In step 102, the encryption protocol features and session key negotiation mechanism of the current link are extracted from the communication link security parameters. The dynamic session key for this remote upgrade session is generated by using the encryption protocol features, the session key negotiation mechanism and the device unique identifier of the target electronic control unit.

[0048] In some embodiments, extracting the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters can be achieved through the following steps:

[0049] Version suite parsing is performed on the protocol handshake records in the communication link security parameters to obtain the encryption protocol characteristics of the current link;

[0050] The negotiation mechanism type of the current link is obtained by identifying the negotiation method from the key exchange messages exchanged during the protocol handshake recorded in the communication link security parameters.

[0051] It should be noted that, in this application, the protocol handshake record is used to record the original interactive data of the two communicating parties during the initial negotiation process of establishing a connection; the encryption protocol features are a set of specific attributes used to identify the encryption standard adopted by the current communication link; the key exchange message is a data packet used to transmit key generation materials between the two communicating parties; and the negotiation mechanism type is used to describe the category of calculation rules followed by both parties when exchanging key materials.

[0052] In practice, firstly, the protocol version declaration and encryption algorithm selection data sent by both parties at the initial stage of connection establishment are separated from the communication link security parameters. This set of protocol version declarations and encryption algorithm selection data is used as a protocol handshake record. This handshake record is parsed segment by segment to extract the transport layer security protocol version number ultimately confirmed by both parties; for example, both parties may agree to use protocol version number 1.2. Next, the ultimately selected encryption algorithm suite is extracted from the mutually supported suites. This suite contains the specific algorithm names used for data encryption and data integrity verification. Finally, the extracted protocol version number and the selected encryption algorithm suite are combined, and this combined information serves as the encryption protocol feature of the current link. Then, from the communication link security parameters, data packets specifically used for transmitting key generation materials are selected. These data packets are used as key exchange messages. The content of these key exchange messages is analyzed to identify the key material exchange method used, such as whether both parties generate a random number and exchange it directly, or whether the parameters are exchanged based on scalar multiplication of points on an elliptic curve. Based on the identified exchange method, a predefined rule classification table is used to determine the rule category corresponding to this key exchange. For example, if the message contains the base point of an elliptic curve and the public key, it is classified as an elliptic curve-based key negotiation mechanism. The rule category name obtained after identification and classification is used as the negotiation mechanism type of the current link.

[0053] In some embodiments, generating the dynamic session key for this remote upgrade session using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit can be achieved through the following steps:

[0054] The encryption protocol features and the unique device identifier of the target electronic control unit are used to construct the context fingerprint of this upgrade session;

[0055] Based on the server-side temporary public key and elliptic curve parameters in the session key negotiation mechanism, a client-side temporary key pair is generated.

[0056] The dynamic session key for this remote upgrade session is generated using the context fingerprint and the client temporary key pair.

[0057] It should be noted that, in this application, the unique device identifier is a hardware identity code that is assigned to each electronic control unit during manufacturing and cannot be changed; the context fingerprint is a digital digest used to characterize the environmental features of this upgrade session; the server-side temporary public key is a public key material temporarily generated by the backend upgrade server for this session and sent to the electronic control unit; the elliptic curve parameter is a mathematical constant used to define the specified curve equation and reference point used by the elliptic curve cryptography algorithm; the client-side temporary key pair is a set of key materials containing a private key and a public key temporarily generated by the target electronic control unit for this session; and the dynamic session key is a temporary key used only during this round of upgrades to encrypt and protect the transmitted data.

[0058] In practice, firstly, the parsed encryption protocol features are obtained. These features specifically include the protocol version number and encryption algorithm suite agreed upon by both parties. Simultaneously, the unique serial number burned into the target electronic control unit's hardware secure storage area is read and used as the device's unique identifier. The protocol version number, encryption algorithm suite, and device unique identifier are then combined in a fixed order into a continuous input string. This input string is then subjected to a hash operation. A hash operation is a calculation method that compresses input data of arbitrary length into a fixed-length output value through a specified mathematical transformation. For example, the input string is placed into... In the secure hash algorithm, after multiple rounds of data padding, grouping, and compression function iterations, a fixed-length output value is finally obtained. This fixed-length output value is used as the context fingerprint of the current upgrade session. Then, the temporary public key sent by the backend upgrade server is extracted from the parameter set corresponding to the negotiation mechanism type. This key is used as the server's temporary public key. Simultaneously, a predefined elliptic curve equation and the coordinates of a fixed reference point on the curve are extracted from this parameter set. The elliptic curve equation and the reference point coordinates are used as elliptic curve parameters. The target electronic control unit randomly generates a large integer used only in this session and takes it as the client's temporary private key. Using the reference point defined in the elliptic curve parameters, the client's temporary private key is multiplied by the reference point on the elliptic curve.
This scalar multiplication (multiplying an integer by a point on an elliptic curve, the "dot product" operation) yields the coordinates of a new point, which is then used as the client's temporary public key. The generated client temporary private key and client temporary public key are combined to form a client temporary key pair. Finally, the client's temporary private key is extracted from the client temporary key pair, and this private key is multiplied by the server's temporary public key on the elliptic curve; as before, multiplying an integer by a point on the elliptic curve yields another point. This operation yields a shared coordinate point. The x-coordinate value of this shared coordinate point is extracted, and this x-coordinate value is concatenated with the context fingerprint in a fixed order to form a combined input value. This combined input value is then input into a key derivation function. The key derivation function is a calculation method that derives key data that meets the length requirements from the input seed material. This function performs multiple hash operations and feedback iterations on the input value, and finally outputs a fixed-length key material. This fixed-length key material output by the key derivation function is used as the dynamic session key for this remote upgrade session.
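As an added illustration (not the patent's own code), the session-key derivation of [0054]-[0058] worked end to end, assuming SHA-256 for the context fingerprint, NIST P-256 as the elliptic curve parameters and HKDF-SHA256 (RFC 5869) as the key derivation function; it also has the ECU validate the server's temporary public key as a curve point before the scalar multiplication, a check the patent text does not spell out.

```python
"""Added example, not the patent's code: the dynamic session key of
[0054]-[0058].  Assumed choices: SHA-256 fingerprint, NIST P-256 curve
parameters, HKDF-SHA256 (RFC 5869) as the key derivation function."""
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters (assumed choice of elliptic curve parameters).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def on_curve(pt):
    """Validate a received public key: it must satisfy y^2 = x^3 + ax + b."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, pt):
    """k * pt by double-and-add (the patent's "dot product" operation)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def context_fingerprint(protocol_version, cipher_suite, device_uid):
    """[0054]: link features and hardware identity in a fixed order, then hashed."""
    material = b"|".join([protocol_version.encode(), cipher_suite.encode(), device_uid])
    return hashlib.sha256(material).digest()


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 extract-then-expand, the assumed key derivation function."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def ephemeral_keypair():
    """[0055]: a fresh private scalar d and public point d*G for this session only."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def derive_session_key(own_private, peer_public, fingerprint):
    """[0056]: x-coordinate of the shared point || fingerprint -> KDF -> 32-byte key."""
    if not on_curve(peer_public):
        raise ValueError("peer ephemeral public key is not a valid curve point")
    shared = scalar_mult(own_private, peer_public)
    if shared is None:
        raise ValueError("degenerate shared point")
    seed = shared[0].to_bytes(32, "big") + fingerprint
    return hkdf_sha256(seed, salt=b"fw-upgrade-session", info=b"dynamic-session-key")


def demo_session(device_uid=b"ECU-SN-00000001"):
    """Both sides of one upgrade session; returns (ecu_key, server_key)."""
    fp = context_fingerprint("TLS1.2", "ECDHE-ECDSA-AES128-GCM-SHA256", device_uid)
    srv_priv, srv_pub = ephemeral_keypair()   # server-side temporary key pair
    ecu_priv, ecu_pub = ephemeral_keypair()   # client-side temporary key pair
    return (derive_session_key(ecu_priv, srv_pub, fp),
            derive_session_key(srv_priv, ecu_pub, fp))


if __name__ == "__main__":
    k_ecu, k_srv = demo_session()
    print("session keys agree:", k_ecu == k_srv, k_ecu.hex())
```

Because the device identifier enters the fingerprint, the same ephemeral exchange replayed against a different ECU derives a different key, which is the binding the patent relies on.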

[0059] In step 103, the target firmware version to be upgraded and the current firmware version information are differentially compared to obtain a firmware difference data block. The firmware difference data block is then feature-encrypted using the dynamic session key to generate an encrypted differential upgrade package.

[0060] In some embodiments, the firmware difference data block can be obtained by differentially comparing the target firmware version to be upgraded with the current firmware version information using the following steps:

[0061] Using fixed-size data blocks as units, perform block-by-block hash comparison between the target firmware version to be upgraded and the current firmware version information, and mark data blocks with inconsistent hash values as difference blocks;

[0062] Record the starting address and length of each difference block in the current firmware, and generate a difference block mapping table;

[0063] Extract the binary data of all marked difference blocks from the difference block mapping table and merge them into firmware difference data blocks.

[0064] It should be noted that, in this application, the target firmware version is a complete data set used to prepare a new program file for writing to the electronic control unit; the current firmware version information is a unique identifier used to identify the existing software version in the target electronic control unit, and this identifier corresponds to a complete existing program file; the difference block is a binary data segment used to describe the inconsistency between the old and new firmware at a specified location; the storage start address is a value used to indicate the specific insertion position of the difference block in the original file; the length is a value used to describe the number of data bytes contained in the difference block; the difference block mapping table is a structured data list used to record the location and size information of all difference blocks; and the firmware difference data block is a binary data set used to contain all the inconsistent old and new data and arranged sequentially.

[0065] In practice, firstly, the new program file to be upgraded is prepared on the cloud server, serving as the target firmware version. Simultaneously, based on the current firmware version information, the existing program file currently stored in the target electronic control unit (ECU) corresponding to this version is located. Both program files are then divided into segments of the same fixed length, for example, each segment is divided into 512-byte blocks. A hash operation is performed on each data block after the target firmware version is segmented. A hash operation is a calculation method that compresses data of arbitrary length into a fixed-length output value through a specified mathematical transformation, yielding the target hash value for each block. Simultaneously, the same hash operation is performed on each data block after the existing program file corresponding to the current firmware version is segmented, yielding the current hash value for each block. The target hash values at the same position are compared one by one with the current hash values. If two hash values at a certain position are different, the data block in the target firmware version at that position is marked as a difference block. Then, for each difference block, the difference is determined... The location number corresponding to the differential block in the current firmware is used to calculate the starting byte position of the differential block in the original file based on the location number and a fixed data block size. This starting byte position is used as the storage start address. At the same time, the number of bytes of binary data actually contained in the differential block is counted and used as the length. The storage start address and length corresponding to each differential block are recorded one by one in the order of the differential blocks in the file, forming a data list with multiple lines of records.
This data list is used as the differential block mapping table. Finally, based on each piece of information recorded in the differential block mapping table, each corresponding marked differential block is selected. According to the order recorded in the differential block mapping table, the actual binary data corresponding to each differential block is extracted from the target firmware version. The binary data of the first extracted differential block is placed at the beginning, followed by the binary data of the second differential block. The binary data of all differential blocks are concatenated continuously in the above manner to form a continuous long data string. The long data string formed by continuous concatenation is used as the firmware differential data block.
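The block-by-block hash comparison of paragraph [0065], written out as an added example (not the patent's own code). The 512-byte block size follows the text; the sample firmware images, the use of SHA-256 as the hash, and the handling of a target image that is longer than the current one are assumptions made here.

```python
import hashlib

# Added example, not the patent's own code: block-by-block hash comparison
# from paragraph [0065]. The 512-byte block size follows the text's example;
# SHA-256 and the sample images below are constructed for this demonstration.
BLOCK_SIZE = 512


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut a program file into fixed-length segments; the last may be short."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def build_firmware_diff(current_fw: bytes, target_fw: bytes,
                        block_size: int = BLOCK_SIZE):
    """Return (mapping_table, diff_block).

    mapping_table: (storage start address, length) per difference block,
    in file order. diff_block: the binary data of all difference blocks
    concatenated in that same order.
    """
    if len(target_fw) < len(current_fw):
        # Assumption: the scheme only overwrites in place and never
        # truncates, so a shrinking image cannot be expressed as a diff.
        raise ValueError("target image shorter than current image")
    cur_blocks = split_blocks(current_fw, block_size)
    tgt_blocks = split_blocks(target_fw, block_size)
    mapping_table, pieces = [], []
    for index, tgt in enumerate(tgt_blocks):
        # Compare the per-block hashes at the same position. A target block
        # with no counterpart in the current image (the firmware grew) is
        # always a difference block.
        if index < len(cur_blocks):
            cur_hash = hashlib.sha256(cur_blocks[index]).digest()
            if cur_hash == hashlib.sha256(tgt).digest():
                continue
        mapping_table.append((index * block_size, len(tgt)))
        pieces.append(tgt)
    return mapping_table, b"".join(pieces)


# Constructed sample: four 512-byte blocks; the target version changes one
# byte in block 1 and one in block 3 and appends 100 bytes.
SAMPLE_CURRENT = bytes(range(256)) * 8
_t = bytearray(SAMPLE_CURRENT)
_t[600] ^= 0xFF
_t[1600] ^= 0xFF
SAMPLE_TARGET = bytes(_t) + b"\xaa" * 100

if __name__ == "__main__":
    table, diff = build_firmware_diff(SAMPLE_CURRENT, SAMPLE_TARGET)
    for start, length in table:
        print(f"difference block at {start:6d}, length {length}")
    print(f"firmware difference data block: {len(diff)} bytes")
```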

[0066] In some embodiments, the dynamic session key is used to perform feature encryption on the firmware difference data block to generate an encrypted differential upgrade package. With reference to Figure 2, which is a flowchart illustrating the process of determining the differential upgrade package in some embodiments of this application, determining the differential upgrade package in this embodiment can be achieved using the following steps:

[0067] In step 1031, the firmware difference data block is divided into encrypted blocks of fixed length;

[0068] In step 1032, the sequential index of each encrypted block within the set is used as the initial vector, and each encrypted block is encrypted sequentially using the dynamic session key;

[0069] In step 1033, the encrypted differential data block and the digital digest of the hardware security module signature are encapsulated to obtain the encrypted differential upgrade package.

[0070] It should be noted that, in this application, the encrypted block is a fixed-length data segment used to meet the input requirements of the encryption algorithm; the hardware security module is a dedicated hardware component used to provide secure storage and cryptographic operation functions within the electronic control unit; the digital digest is a data fingerprint used to verify data integrity and the authenticity of its source; and the differential upgrade package is a transmission file used to contain all the information required to restore the new firmware.

[0071] In practice, the firmware difference data block is first obtained. This data block is one continuous long binary data string. According to the fixed input length required by the pre-selected encryption algorithm, this continuous string is divided sequentially, starting from its beginning, into multiple data segments of equal length. For example, if the encryption algorithm processes 16 bytes at a time, the firmware difference data block is divided sequentially into 16-byte segments. If the last segment is shorter than 16 bytes, it is padded at the end according to the padding rule of the encryption algorithm until it reaches 16 bytes. Each equal-length segment obtained in this way is used as an encrypted block. Then, for each encrypted block, its sequence number within the whole set of encrypted blocks is determined and used as the sequential index of that block. For the first encrypted block, its sequential index is converted into a fixed-length byte string, which is used as the initial vector. The dynamic session key is used as the encryption key. This initial vector, together with the first encrypted block, is input into the block cipher algorithm. The block cipher algorithm is a computational method that combines fixed-length plaintext data with the key and the initial vector to convert it into ciphertext data; after multiple rounds of iterative computation, the encryption result of the first block is obtained. For the second encrypted block, its sequential index is likewise converted into a fixed-length byte string and used as a new initial vector, the same dynamic session key is used as the key, and both are input into the block cipher algorithm to obtain the encryption result of the second block. In this way each encrypted block is encrypted in turn, each with its own sequential index as its initial vector.
All encryption results are arranged in their original order, and the arranged data sequence is used as the encrypted difference data block. Next, the difference block mapping table, which records the position information of each difference block in the original file, is obtained. The difference block mapping table and the encrypted difference data block are concatenated to form a complete data set to be signed. This data set is input into a hash operation, a calculation method that compresses input data of arbitrary length into a fixed-length output value through a specified mathematical transformation, yielding a fixed-length hash value. This hash value is sent to the hardware security module of the target electronic control unit. The hardware security module uses its internally stored, non-exportable private signature key to perform a signature operation on the hash value. The signature operation is a calculation method that uses a private key to encrypt and transform data to prove the source of the data. The resulting signature value is used as the digital digest of the hardware security module signature. The three parts, namely the difference block mapping table, the encrypted difference data block and the digital digest of the hardware security module signature, are assembled into a complete file according to a predetermined format. The assembled file is used as the encrypted differential upgrade package.

[0072] In step 104, the differential upgrade package is sent to the target electronic control unit through the secure communication link of the vehicle electronic control system. In the target electronic control unit, the digital signature is verified, the firmware difference data block is decrypted using the dynamic session key, and differential reassembly is performed with the current firmware to complete the firmware upgrade.

[0073] It should be noted that in this application, the secure communication link is an encrypted transmission channel used to ensure that data is not stolen or tampered with during transmission. Specifically, the backend upgrade server first obtains the encapsulated differential upgrade package, which is a complete binary file. The backend upgrade server then sends the data of the differential upgrade package segment by segment through the encrypted transmission channel already established with the target electronic control unit (ECU). This channel encrypts the transmitted data to prevent man-in-the-middle eavesdropping. The data is transmitted over the vehicle network and finally reaches the communication interface of the target ECU. After receiving the data, the target ECU's communication interface reassembles the received segments sequentially in its local buffer. The reassembled complete binary file is used as the differential upgrade package received by the target ECU. The target ECU then separates three parts from the received differential upgrade package: the difference block mapping table, the encrypted difference data block, and the digital digest of the hardware security module signature. The difference block mapping table and the encrypted difference data block are concatenated to form a data set to be verified. A hash operation, that is, a computational method that compresses input data of arbitrary length into a fixed-length output value through a specified mathematical transformation, is performed on the data set to be verified, resulting in a locally calculated hash value. This locally calculated hash value is sent to the hardware security module inside the target electronic control unit, together with the digital digest of the hardware security module signature.
The hardware security module uses its internally stored public verification key, which is paired with the signature key, to decrypt the digital digest and obtain the original hash value. The hardware security module compares the locally calculated hash value with the decrypted original hash value. If the two values are identical, this proves that the upgrade package has not been tampered with during transmission and indeed comes from a legitimate upgrade server. A successful comparison is taken as the sign of successful digital signature verification.

[0074] Furthermore, in a specific implementation, after the digital signature verification succeeds, the target electronic control unit (ECU) extracts the encrypted difference data block from the received differential upgrade package. This encrypted difference data block is divided into multiple equal-length encrypted blocks according to the block length used during encryption; each block corresponds to one output of the encryption step. The target ECU uses exactly the method described above, based on the encryption protocol features, the device unique identifier and the key negotiation mechanism, to recalculate the same dynamic session key locally. For each encrypted block, its sequential index within the whole is determined and converted into a fixed-length byte string to serve as the initial vector. The calculated dynamic session key is used as the decryption key. This initial vector, together with the encrypted block, is input into the block decryption algorithm. The block decryption algorithm is the inverse of block encryption: it restores the original plaintext data by combining the ciphertext data with the key and the initial vector. After computation, the decryption result of each block is obtained. All decrypted blocks are then concatenated in their original order, and this concatenated continuous data is used as the decrypted firmware difference data block. Finally, the target ECU extracts the difference block mapping table from the received differential upgrade package; this table records the starting address and length of each difference block in the original current firmware. At the same time, the target ECU reads the existing complete program file from its program storage area and uses this file as the current firmware.
Following the order recorded in the difference block mapping table, it sequentially takes fragments from the decrypted firmware difference data block, the length of each fragment being the length recorded in the mapping table. These fragments are written one by one to the corresponding location in the current firmware according to the starting address recorded in the mapping table, overwriting the original data at that location. For example, if the mapping table records the first difference block's starting address as 1024 and its length as 256 bytes, then the first 256 bytes of the firmware difference data block are written to the current firmware starting at address 1024. After all difference blocks have been written, every inconsistent location in the current firmware has been replaced with the new data, and the program file in memory has become the complete new firmware version. The new program file formed after writing to the program storage area is taken as the completion result of this remote firmware upgrade.
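The server-side packaging of paragraph [0071] and the ECU-side verification, decryption and reassembly of paragraphs [0073] and [0074], as an added example that is not the patent's own code. The page leaves the block cipher, signature algorithm and package layout unspecified, so the following are constructed stand-ins: an HMAC-SHA256 keystream keyed with the session key and the index-derived initial vector in place of the block cipher, an HMAC tag under a separate signing key in place of the hardware security module's asymmetric signature, and a simple length-prefixed layout for the package; the keys and firmware image are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example, not the patent's own code, for paragraphs [0071], [0073]
# and [0074]. Constructed stand-ins: an HMAC-SHA256 keystream keyed with
# the session key and the index IV replaces the unspecified block cipher
# (counter-mode style), and an HMAC tag under a separate signing key
# replaces the HSM's asymmetric signature. Package layout is defined below.
ENC_BLOCK = 16  # bytes per encrypted block, as in the text's example


def _keystream(session_key: bytes, index: int) -> bytes:
    # The sequential index, as a fixed-length 16-byte string, is the IV.
    iv = index.to_bytes(ENC_BLOCK, "big")
    return hmac.new(session_key, iv, hashlib.sha256).digest()[:ENC_BLOCK]


def _xor_blocks(session_key: bytes, data: bytes) -> bytes:
    # Each block uses the keystream of its own index, so this is its own inverse.
    out = bytearray()
    for index in range(len(data) // ENC_BLOCK):
        seg = data[index * ENC_BLOCK:(index + 1) * ENC_BLOCK]
        out += bytes(a ^ b for a, b in zip(seg, _keystream(session_key, index)))
    return bytes(out)


def encrypt_diff_block(session_key: bytes, diff_block: bytes) -> bytes:
    pad = ENC_BLOCK - (len(diff_block) % ENC_BLOCK)  # PKCS#7-style padding
    return _xor_blocks(session_key, diff_block + bytes([pad]) * pad)


def decrypt_diff_block(session_key: bytes, enc: bytes) -> bytes:
    if not enc or len(enc) % ENC_BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    plain = _xor_blocks(session_key, enc)
    pad = plain[-1]
    if not 1 <= pad <= ENC_BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return plain[:-pad]


def build_upgrade_package(table, enc_diff: bytes, signing_key: bytes) -> bytes:
    # Layout: u32 entry count, (u32 start, u32 length) per entry, u32 ciphertext
    # length, ciphertext, then a 32-byte tag over the hash of everything before.
    body = struct.pack(">I", len(table))
    body += b"".join(struct.pack(">II", s, n) for s, n in table)
    body += struct.pack(">I", len(enc_diff)) + enc_diff
    digest = hashlib.sha256(body).digest()
    return body + hmac.new(signing_key, digest, hashlib.sha256).digest()


def parse_and_verify_package(package: bytes, verify_key: bytes):
    # The signature is checked over the whole body before any field is used.
    body, tag = package[:-32], package[-32:]
    expected = hmac.new(verify_key, hashlib.sha256(body).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature verification failed")
    (count,) = struct.unpack_from(">I", body, 0)
    table = [struct.unpack_from(">II", body, 4 + 8 * i) for i in range(count)]
    off = 4 + 8 * count
    (enc_len,) = struct.unpack_from(">I", body, off)
    enc = body[off + 4:off + 4 + enc_len]
    if len(enc) != enc_len:
        raise ValueError("truncated ciphertext")
    return table, enc


def apply_firmware_diff(current_fw: bytes, table, diff_block: bytes) -> bytes:
    # Walk the mapping table in order, consuming the diff block fragment by
    # fragment and overwriting (or extending) the current image.
    fw, pos = bytearray(current_fw), 0
    for start, length in table:
        frag = diff_block[pos:pos + length]
        if len(frag) != length or start > len(fw):
            raise ValueError("mapping table inconsistent with diff data")
        fw[start:start + length] = frag
        pos += length
    if pos != len(diff_block):
        raise ValueError("trailing diff data not covered by mapping table")
    return bytes(fw)


def ecu_apply_package(package, verify_key, session_key, current_fw) -> bytes:
    table, enc = parse_and_verify_package(package, verify_key)
    return apply_firmware_diff(current_fw, table, decrypt_diff_block(session_key, enc))


# Constructed sample: a 256-byte difference block at address 1024, as in the
# text's example; keys are fixed placeholders for this demonstration only.
SESSION_KEY = hashlib.sha256(b"constructed dynamic session key").digest()
SIGNING_KEY = hashlib.sha256(b"constructed HSM signing key").digest()
CURRENT_FW = bytes(range(256)) * 8
DIFF_TABLE = [(1024, 256)]
DIFF_BLOCK = b"\x5a" * 256
```

Because the keystream stand-in is a counter-mode construction, its security rests on the session key being fresh per upgrade session, which is exactly what the dynamic session key of this scheme provides; with a reused key, equal indices would give equal keystreams.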

[0075] Furthermore, in another aspect of this application, in some embodiments, this application provides a remote firmware differential encryption upgrade system for an automotive electronic control system. This system includes an encryption upgrade unit; with reference to Figure 3, which is a schematic diagram of the structure of an encryption upgrade unit according to some embodiments of this application, the encryption upgrade unit includes an acquisition module 201, a processing module 202 and an execution module 203, described below:

[0076] The acquisition module 201 in this application is mainly used to collect the current firmware version information of the target electronic control unit and obtain the communication link security parameters between the target electronic control unit and the backend upgrade server when the vehicle electronic control system starts a remote upgrade.

[0077] Processing module 202, in this application, is used to extract the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters, and generate the dynamic session key for this remote upgrade session through the encryption protocol features, the session key negotiation mechanism and the device unique identifier of the target electronic control unit;

[0078] It should be noted that the processing module 202 is also used to perform differential comparison between the target firmware version to be upgraded and the current firmware version information to obtain firmware difference data blocks, and use the dynamic session key to perform feature encryption on the firmware difference data blocks to generate encrypted differential upgrade packages.

[0079] The execution module 203 in this application is mainly used to send the differential upgrade package to the target electronic control unit through the secure communication link of the vehicle electronic control system, verify the digital signature in the target electronic control unit, decrypt the firmware difference data block using the dynamic session key, and perform differential reconstruction with the current firmware to complete the firmware upgrade.

[0080] The foregoing describes in detail the remote firmware differential encryption upgrade method and system for automotive electronic control systems provided in this application. It is understood that the corresponding apparatus, in order to achieve the above functions, includes hardware structures and/or software modules corresponding to the execution of each function. Those skilled in the art should readily recognize that, based on the units and algorithm steps of the examples described in conjunction with the embodiments disclosed herein, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is executed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specified application, but such implementation should not be considered beyond the scope of this application.

[0081] In some embodiments, this application also provides a computer device, the computer device including a memory and a processor, the memory for storing a computer program, and the processor for calling and running the computer program from the memory, so that the computer device executes the above-described remote firmware differential encryption upgrade method for automotive electronic control systems.

[0082] In some embodiments, with reference to Figure 4 (the dashed lines in the figure indicate that a unit or module is optional), which is a structural schematic diagram of a computer device for implementing the remote firmware differential encryption upgrade method for an automotive electronic control system according to an embodiment of this application, the remote firmware differential encryption upgrade method described in the above embodiments can be implemented by the computer device shown in Figure 4. The computer device includes at least one processor 301, a memory 302 and at least one communication unit 305. The computer device may be a terminal device, a server or a chip.

[0083] Processor 301 can be a general-purpose processor or a special-purpose processor. For example, processor 301 can be a central processing unit (CPU), which can be used to control computer devices, execute software programs, and process data from software programs. The computer device may also include a communication unit 305 for inputting (receiving) and outputting (transmitting) signals.

[0084] For example, the computer device may be a chip, and the communication unit 305 may be the input and/or output circuit of the chip, or the communication unit 305 may be the communication interface of the chip, which may be a component of a terminal device, network device or other device.

[0085] For example, the computer device may be a terminal device or a server, and the communication unit 305 may be a transceiver of the terminal device or the server, or the communication unit 305 may be a transceiver circuit of the terminal device or the server.

[0086] The computer device may include one or more memories 302 storing a program 304. The program 304 can be executed by a processor 301 to generate instructions 303, causing the processor 301 to execute the method described in the above method embodiments according to the instructions 303. Optionally, the memory 302 may also store data (such as a target audit model). Optionally, the processor 301 may also read data stored in the memory 302, which may be stored at the same storage address as the program 304, or it may be stored at a different storage address than the program 304.

[0087] The processor 301 and memory 302 can be configured separately or integrated together, for example, integrated on the system on chip (SOC) of the terminal device.

[0088] It should be understood that each step of the above method embodiment can be completed by hardware logic circuits or software instructions in the processor 301. The processor 301 can be a CPU, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or other programmable logic devices, such as discrete gate, transistor logic devices, or discrete hardware components.

[0089] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0090] For example, in some embodiments, this application also provides a computer-readable storage medium storing instructions or code that, when executed on a computer, cause the computer to implement the above-described remote firmware differential encryption upgrade method for automotive electronic control systems.

[0091] Although preferred embodiments of this application have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments as well as all changes and modifications falling within the scope of this application.

[0092] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.

Claims

1. A method for remote firmware differential encryption upgrade of an automotive electronic control system, characterized in that it includes the following steps: when the vehicle electronic control system initiates a remote upgrade, the current firmware version information of the target electronic control unit is collected, and the security parameters of the communication link between the target electronic control unit and the backend upgrade server are obtained. The encryption protocol features and session key negotiation mechanism of the current link are extracted from the communication link security parameters. The dynamic session key for this remote upgrade session is generated using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit. The target firmware version to be upgraded and the current firmware version information are differentially compared to obtain a firmware difference data block. The firmware difference data block is feature-encrypted using the dynamic session key to generate an encrypted differential upgrade package. The firmware difference data block is a set of binary data containing all inconsistent old and new data arranged in sequential order. The differential upgrade package is sent to the target electronic control unit through the secure communication link of the vehicle electronic control system. In the target electronic control unit, the digital signature is verified, the firmware difference data block is decrypted using the dynamic session key, and differential reassembly is performed with the current firmware to complete the firmware upgrade.
Specifically, using the dynamic session key to perform feature encryption on the firmware difference data block to generate the encrypted differential upgrade package includes: dividing the firmware difference data block into fixed-length encrypted blocks; using the sequential index of each encrypted block within the set as the initial vector, encrypting each encrypted block sequentially with the dynamic session key; and obtaining the encrypted differential upgrade package by encapsulating the encrypted difference data block and the digital digest of the hardware security module signature.

2. The method as described in claim 1, characterized in that extracting the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters specifically includes: performing version suite parsing on the protocol handshake records in the communication link security parameters to obtain the encryption protocol features of the current link; and obtaining the negotiation mechanism type of the current link by identifying the negotiation in the key exchange messages of the protocol handshake process in the communication link security parameters.

3. The method as described in claim 1, characterized in that generating the dynamic session key for this remote upgrade session using the encryption protocol features, the session key negotiation mechanism, and the unique device identifier of the target electronic control unit specifically includes: using the encryption protocol features and the unique device identifier of the target electronic control unit to construct the context fingerprint of this upgrade session; generating a client-side temporary key pair based on the server-side temporary public key and elliptic curve parameters in the session key negotiation mechanism; and generating the dynamic session key for this remote upgrade session using the context fingerprint and the client temporary key pair.

4. The method as described in claim 1, characterized in that differentially comparing the target firmware version to be upgraded and the current firmware version to obtain the firmware difference data block specifically includes: using fixed-size data blocks as units, performing block-by-block hash comparison between the target firmware version to be upgraded and the current firmware version information, and marking data blocks with inconsistent hash values as difference blocks; recording the starting address and length of each difference block in the current firmware, and generating a difference block mapping table; and extracting the binary data of all marked difference blocks according to the difference block mapping table and merging them into the firmware difference data block.

5. The method as described in claim 1, characterized in that the target electronic control unit is a vehicle domain controller or engine management unit based on the AUTOSAR architecture.

6. The method as described in claim 1, characterized in that the backend upgrade server is a vehicle-to-everything (V2X) cloud platform based on in-vehicle Ethernet communication.

7. A remote firmware differential encryption upgrade system for an automotive electronic control system, comprising an encryption upgrade unit, wherein the system performs remote firmware differential encryption upgrade of the automotive electronic control system using the method described in any one of claims 1 to 6, characterized in that the encryption upgrade unit includes: an acquisition module, used to collect the current firmware version information of the target electronic control unit and obtain the communication link security parameters between the target electronic control unit and the backend upgrade server when the vehicle electronic control system initiates a remote upgrade; a processing module, used to extract the encryption protocol features and session key negotiation mechanism of the current link from the communication link security parameters, and to generate the dynamic session key for this remote upgrade session through the encryption protocol features, the session key negotiation mechanism and the device unique identifier of the target electronic control unit, the processing module also being used to perform differential comparison between the target firmware version to be upgraded and the current firmware version information to obtain a firmware difference data block, and to use the dynamic session key to perform feature encryption on the firmware difference data block to generate an encrypted differential upgrade package; and an execution module, used to send the differential upgrade package to the target electronic control unit through the secure communication link of the vehicle electronic control system, verify the digital signature in the target electronic control unit, decrypt the firmware difference data block using the dynamic session key, and perform differential reconstruction with the current firmware to complete the firmware upgrade.

8. A computer device, characterized in that the computer device includes a memory and a processor, the memory being used to store a computer program and the processor being used to call and run the computer program from the memory, so that the computer device executes the remote firmware differential encryption upgrade method for automotive electronic control systems according to any one of claims 1 to 6.

9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores instructions or code that, when executed on a computer, cause the computer to implement the remote firmware differential encryption upgrade method for automotive electronic control systems as described in any one of claims 1 to 6.