A method and system for security management and policy control of OTA upgrade

By performing multi-dimensional verification and encrypted authentication of vehicle status parameters, combined with segmented transmission and compatibility assessment, the security and stability issues in vehicle ECU OTA upgrades have been resolved, achieving a safe and controllable upgrade process.

CN122247667A · Pending · Publication Date: 2026-06-19 · JIANGSU HEYI TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
JIANGSU HEYI TECH CO LTD
Filing Date
2026-03-11
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

The existing OTA upgrade process for vehicle ECUs suffers from issues such as missing security certifications, lax process control, and lack of data integrity and compatibility, leading to upgrade failures and security risks.

Method used

The upgrade process ensures security and stability by using diagnostic tools to perform multi-dimensional weighted grey relational analysis on vehicle status parameters, employing an improved elliptic curve integrated encryption algorithm for identity authentication, transmitting upgrade data in blocks and performing integrity checks, and combining an improved Bayesian network evaluation model for compatibility checks.

Benefits of technology

It achieves a secure and controllable OTA upgrade process with standardized procedures and reliable data, effectively ensuring the security, stability and compatibility of online upgrades of electronic control units, reducing version conflicts and the risk of unauthorized flashing, and improving the upgrade success rate.

✦ Generated by Eureka AI based on patent content.

Figure CN122247667A_ABST (abstract drawing)

Abstract

This invention provides a method and system for secure management and policy control of OTA upgrades, relating to the field of vehicle OTA upgrade security technology. The method includes: sending a diagnostic session control service to an electronic control unit (ECU) via a diagnostic tool to switch the extended session state; sending a precondition check routine control service to the target ECU to trigger vehicle status verification, obtaining a random seed through a secure access service, calculating a key, and sending it to the target ECU to unlock upgrade permissions; sending a diagnostic session control service to the target ECU, which then activates a boot download program and transmits upgrade data in chunks; and triggering a restart of the target ECU, sending a diagnostic session control service to the ECU, and clearing upgrade fault information. This achieves secure and controllable OTA upgrades with standardized processes, effectively ensuring the security, stability, and compatibility of online upgrades for ECUs.

Description

Technical Field

[0001] This invention relates to the field of vehicle OTA upgrade security technology, and in particular to a security management and policy control method and system for OTA upgrades.

Background Technology

[0002] With the rapid development of automotive electronics technology, the number of on-board electronic control units (ECUs) is constantly increasing, and their functions are becoming increasingly complex. Over-the-air (OTA) upgrades of ECU programs via CAN networks have become a mainstream requirement in the automotive industry.

[0003] However, the current OTA upgrade process for automotive ECUs faces numerous security and standardization issues: On the one hand, some ECUs lack effective secure access mechanisms, making them vulnerable to unauthorized flashing attacks from illegal devices, leading to the writing of incorrect applications or incompatible data, causing vehicle malfunctions or even safety hazards; on the other hand, the upgrade process lacks unified timing control and strict condition verification, and performing upgrade operations under unsuitable scenarios such as vehicle operation or unstable power supply may cause flashing interruptions or ECU damage; simultaneously, existing upgrade solutions do not pay enough attention to data integrity verification and software compatibility checks, making it difficult to avoid upgrade failures due to data transmission errors or software / hardware version incompatibility. Furthermore, the coexistence of non-reprogrammable and reprogrammable ECUs in CAN networks, without targeted communication control strategies, can lead to excessive bus load, affecting the stability and reliability of the upgrade process. Currently, no OTA upgrade management system that balances security, standardization, and compatibility has been established, failing to meet the automotive industry's stringent requirements for online ECU flashing.

[0004] Therefore, it is necessary to provide a method and system for security management and policy control of OTA upgrades to solve the above-mentioned technical problems.

Summary of the Invention

[0005] To address the aforementioned technical problems, this invention provides a security management and policy control method and system for OTA upgrades, which solves the problems of missing security authentication, lax process control, lack of data integrity and compatibility, and network communication interference in the online upgrade process of existing vehicle electronic control units.

[0006] This invention provides a security management and policy control method for OTA upgrades, the method comprising: The diagnostic tool sends a diagnostic session control service to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode. At the same time, it periodically sends an online diagnostic service to maintain the extended session state and simultaneously sends a communication control service to prohibit the transmission of all non-diagnostic messages. The diagnostic tool sends a precondition check routine control service to the target electronic control unit via physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters. After the verification is successful, a random seed is obtained through the secure access service and a key is calculated and sent to the target electronic control unit. After the target electronic control unit verifies the key, the upgrade operation permission is unlocked. The diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch to programming session mode. The target electronic control unit activates the boot download program and configures upgrade resources. The diagnostic tool transmits the upgrade data in blocks according to the network transmission caching capacity. After each upgrade data block is transmitted, an integrity check is performed. After all upgrade data blocks are transmitted, a compatibility check is performed. The diagnostic tool sends a hard reset service to trigger the target electronic control unit to restart. It then sends a diagnostic session control service to all electronic control units via function addressing to switch back to the default session mode, restoring normal communication control and fault code recording functions. At the same time, it sends a fault information clearing service to clear fault information generated during the upgrade process.

[0007] Preferably, the step in which the diagnostic tool sends a pre-condition check routine control service to the target electronic control unit via physical addressing, triggering the target electronic control unit to verify the current vehicle state parameters, specifically includes: The diagnostic tool collects the current vehicle status parameters, including driving status parameters, power parameters, energy storage parameters, communication parameters, and operating condition parameters, through the pre-condition check routine control service. The compliance index A is calculated based on a multi-dimensional weighted grey relational verification algorithm according to the following formula: In the formula, the terms are the weight of the i-th current vehicle state parameter and the grey relational coefficient between the i-th current vehicle state parameter and the safety baseline value. A security verification threshold is preset; if the current vehicle status parameters meet the upgrade prerequisites, a status compliance signal is generated; otherwise, an abnormal status signal carrying an abnormal parameter identifier is generated. The status compliance signal or the abnormal status signal is sent to the diagnostic tool.

[0008] Preferably, the grey relational coefficient between the i-th current vehicle state parameter and the safety baseline value is calculated according to the following formula: In the formula, the terms are the measured value of the i-th current vehicle state parameter, the safety baseline value, and the resolution coefficient.

[0009] Preferably, the step in which, after the verification is successful, a random seed is obtained through the secure access service, a key is calculated and sent to the target electronic control unit, and the upgrade operation permission is unlocked after the target electronic control unit verifies the key, specifically includes: The diagnostic tool sends a secure access service request to the target electronic control unit and receives a 256-bit random seed S generated by the target electronic control unit's hardware encryption module. The unlocking key K is calculated using an improved elliptic curve integrated encryption algorithm according to the following formula: In the formula, k represents the 256-bit private key pre-set in the diagnostic tool; G represents the generator of the elliptic curve secp256r1; H represents the 512-bit hash function based on SHA-3; Q represents the public key of the target electronic control unit; the remaining operators denote byte-level concatenation and the XOR encryption operation. The diagnostic tool sends the unlock key K together with the diagnostic device identification information to the target electronic control unit. The target electronic control unit then invokes its built-in security chip to perform, based on its own private key and public key, a verification operation on the unlock key K, generating a verification unlock key as follows: The target electronic control unit compares the unlock key K with the verification unlock key. If they match, a permission unlock confirmation signal is generated and the upgrade operation permission is unlocked; otherwise, an upgrade termination command is sent.
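The seed-and-key exchange described in [0009] names its ingredients (a 256-bit seed S, the tool's private key k, the curve secp256r1 with generator G, a SHA-3 based 512-bit hash H, the ECU's public key Q, concatenation and XOR) without the page reproducing the formula itself. The following is an added worked example, not the patent's own algorithm or any vendor's code: it models both sides of the exchange in pure Python. The construction K = H(x(k·Q) ‖ S)[0:32] ⊕ H(x(k·Q) ‖ S)[32:64] is an assumption chosen to fit the named ingredients; the curve arithmetic, the scalar values and the seed are constructed for illustration. The ECU side recomputes the same shared point from its own private key and the tool's pre-provisioned public key (plain ECDH), so a tool that does not hold k cannot produce a matching K.

```python
import hashlib
import hmac

# secp256r1 (NIST P-256) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication. This is a readable model, not a
    constant-time implementation; in the vehicle the computation lives in the
    hardware encryption module / security chip."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(point):
    if point is None:
        return False
    x, y = point
    return (y * y - x * x * x - A * x - B) % P == 0


def public_key(priv):
    if not 1 <= priv < N:
        raise ValueError("private scalar out of range")
    return ec_mul(priv, G)


def derive_unlock_key(shared_point, seed):
    """Assumed construction: fold the 512-bit digest of x(shared) || S into 256 bits by XOR."""
    if shared_point is None or len(seed) != 32:
        raise ValueError("invalid shared point or seed length")
    shared_x = shared_point[0].to_bytes(32, "big")
    digest = hashlib.sha3_512(shared_x + seed).digest()
    return bytes(a ^ b for a, b in zip(digest[:32], digest[32:]))


def tool_compute_key(tool_priv, ecu_pub, seed):
    """Diagnostic tool side: K from k * Q_ecu and the seed received from the ECU."""
    return derive_unlock_key(ec_mul(tool_priv, ecu_pub), seed)


def ecu_verify_key(ecu_priv, tool_pub, seed, received_key):
    """ECU side: d_ecu * Q_tool equals k * Q_ecu, so the ECU recomputes K and
    compares in constant time. tool_pub is expected to be provisioned in the
    ECU, not taken from the bus; the curve check guards against a corrupted store."""
    if not on_curve(tool_pub):
        return False
    expected = derive_unlock_key(ec_mul(ecu_priv, tool_pub), seed)
    return hmac.compare_digest(expected, received_key)


# Constructed scalars and seed for the stand-alone demo (not real keys)
TOOL_PRIV = 0x1111111111111111111111111111111111111111111111111111111111111111
ECU_PRIV = 0x2222222222222222222222222222222222222222222222222222222222222222
DEMO_SEED = bytes(range(32))

if __name__ == "__main__":
    k = tool_compute_key(TOOL_PRIV, public_key(ECU_PRIV), DEMO_SEED)
    print("unlock accepted:", ecu_verify_key(ECU_PRIV, public_key(TOOL_PRIV), DEMO_SEED, k))
```

The seed is sent in clear on the bus, so the secret that protects the unlock is the tool's private key, never the seed; replay is prevented only if the ECU generates a fresh seed per request, which is why the page ties seed generation to the hardware encryption module.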

[0010] Preferably, the diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch to programming session mode, and the target electronic control unit activates the boot download program and configures upgrade resources, specifically including: The diagnostic tool sends the diagnostic session control service to the target electronic control unit, instructing the target electronic control unit to switch to the programming session mode; The target electronic control unit activates the boot download program after sending a session switch confirmation response; The bootloader allocates network buffers and storage resources according to a resource allocation algorithm. After the upgrade resource configuration is completed, the target electronic control unit sends an upgrade resource ready signal to the diagnostic tool and outputs the configured upgrade execution environment.

[0011] Preferably, the step in which the diagnostic tool transmits upgrade data in blocks according to the network transmission caching capacity specifically includes: The diagnostic tool obtains the receive buffer capacity C, the maximum transmission unit (MTU), and the real-time network bandwidth B of the target electronic control unit through a resource query service, and calculates the initial block size for block transmission as follows: In the formula, the terms are the cache safety factor and the MTU adaptation factor. The initial block size is then adjusted by a dynamic adaptation algorithm based on the transmission rate, generating the final block size L as follows: In the formula, v represents the real-time transmission rate; the remaining terms are the reference transmission rate, the rate adjustment coefficient, and the initial network bandwidth. The diagnostic tool divides the upgrade data into N upgrade data blocks according to the final block size L and assigns a unique identifier ID and a target storage address to each upgrade data block. Through the request download service, the diagnostic tool sends the first upgrade data block, together with its unique identifier ID and target storage address, to the target electronic control unit; it then receives a data block reception confirmation signal from the target electronic control unit and, on that confirmation, sends the next upgrade data block, continuing until all upgrade data blocks have been sent.
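The block transfer in [0011] and the per-block integrity check of [0006] together form a stop-and-wait protocol: block i carries its ID and target address, the bootloader checks it and acknowledges, and only then does block i+1 go out. The following added example (not the patent's code and not any vendor's bootloader) models both ends with constructed data. The block-size formulas are not reproduced on the page, so the block size is simply an input here; CRC-32 from zlib stands in for the page's "improved cyclic redundancy check"; and the bootloader additionally rejects out-of-sequence IDs and addresses outside its flash region, which the page implies by assigning IDs and addresses but does not spell out.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class UpgradeBlock:
    block_id: int     # unique identifier ID
    address: int      # target storage address
    payload: bytes
    crc: int          # integrity value computed by the tool before sending


def split_into_blocks(image, block_size, base_address):
    """Divide the upgrade image into N blocks of at most block_size bytes."""
    if block_size <= 0:
        raise ValueError("block size must be positive")
    blocks = []
    for i, off in enumerate(range(0, len(image), block_size)):
        payload = image[off:off + block_size]
        blocks.append(UpgradeBlock(i, base_address + off, payload, zlib.crc32(payload)))
    return blocks


class BootloaderSim:
    """Constructed model of the ECU boot download program (receiving side)."""

    def __init__(self, base_address, flash_size):
        self.base = base_address
        self.flash = bytearray(b"\xff" * flash_size)   # erased flash
        self.expected_id = 0
        self.rejected = []                             # (block_id, reason) audit trail

    def receive(self, block_id, address, payload, crc):
        """Integrity check after every block; True means a positive acknowledgement."""
        if block_id != self.expected_id:
            self.rejected.append((block_id, "sequence"))
            return False
        offset = address - self.base
        if offset < 0 or offset + len(payload) > len(self.flash):
            self.rejected.append((block_id, "address"))
            return False
        if zlib.crc32(payload) != crc:
            self.rejected.append((block_id, "crc"))
            return False
        self.flash[offset:offset + len(payload)] = payload
        self.expected_id += 1
        return True


def transfer_image(image, block_size, ecu, base_address, flaky_block_id=None, max_retries=3):
    """Tool side: send a block, wait for its acknowledgement, then send the next.
    flaky_block_id injects a single-bit wire error into that block's first attempt
    (constructed, to show the integrity check and retransmission path).
    Returns (number_of_blocks, retransmissions)."""
    blocks = split_into_blocks(image, block_size, base_address)
    retransmissions = 0
    for blk in blocks:
        for attempt in range(max_retries + 1):
            wire_payload = blk.payload
            if attempt == 0 and blk.block_id == flaky_block_id:
                wire_payload = bytes([wire_payload[0] ^ 0x01]) + wire_payload[1:]
            if ecu.receive(blk.block_id, blk.address, wire_payload, blk.crc):
                break
            retransmissions += 1
        else:
            raise RuntimeError(f"block {blk.block_id} not accepted after {max_retries} retries")
    return len(blocks), retransmissions


def image_written_correctly(image, ecu):
    return bytes(ecu.flash[:len(image)]) == image


# Constructed 1 KiB image and flash layout for the stand-alone demo
DEMO_IMAGE = bytes(range(256)) * 4
DEMO_BASE = 0x08010000

if __name__ == "__main__":
    ecu = BootloaderSim(DEMO_BASE, 2048)
    print(transfer_image(DEMO_IMAGE, 100, ecu, DEMO_BASE, flaky_block_id=3), ecu.rejected)
    print("image intact:", image_written_correctly(DEMO_IMAGE, ecu))
```

A CRC detects transmission errors but not tampering; the page's authenticity guarantee comes from the unlock step before the programming session, not from the per-block check, so an implementation should still verify a signature over the whole image before the bootloader marks it valid.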

[0012] Preferably, the compatibility check performed after all upgrade data blocks have been transmitted specifically includes: The diagnostic tool obtains the upgrade package version information, comprising the application version, the boot download program version, the hardware compatibility version, and the underlying driver version, through a version query service, and constructs a four-dimensional version vector V. The compatibility probability P corresponding to the four-dimensional version vector V is calculated based on the improved Bayesian network compatibility evaluation model as follows: In the formula, the terms are the bias coefficient; the standardized application version, boot download program version, hardware compatibility version, and underlying driver version; the weights of the standardized application version, boot download program version, hardware compatibility version, and underlying driver version; and exp, the exponential function with the natural constant e as its base. A compatibility probability threshold is preset; if the upgrade package does not conflict with the target electronic control unit, a compatibility pass signal is generated; otherwise, a conflict analysis report is generated identifying the conflicting version item. The compatibility result is sent to the diagnostic tool as a signal, and the diagnostic tool terminates the transmission of the upgrade data based on the compatibility result.

[0013] Preferably, the step in which the fault information clearing service clears fault information generated during the upgrade process specifically includes: The diagnostic tool obtains, through a fault code reading service, the set of fault information generated by all electronic control units during the upgrade period, in which the j-th fault information comprises the fault code, the fault occurrence time, the fault associated module, and the fault level. The correlation of each fault information with the upgrade operation is calculated using a hierarchical correlation analysis algorithm as follows: In the formula, the terms are the time-related weight; the degree of overlap between the time the fault occurred and the time of the upgrade; and the logical correlation between the fault associated module and the upgrade process, the latter two taking values from 0 to 1. A correlation threshold is preset; fault information whose correlation reaches the threshold is filtered into a set to be cleared, while the remaining fault information is retained as non-upgrade-related fault records. The diagnostic tool then sends a fault code clearing service to all electronic control units to specifically clear the fault information in the set to be cleared.
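The selective clearing in [0013] matters for later diagnosis and for forensics: wiping every fault code after an upgrade would also erase evidence of problems unrelated to the flashing. The page names the ingredients (a time-related weight, a time overlap degree in [0,1], a logical correlation in [0,1], a threshold) but not the formula, so the added example below assumes a weighted sum of the two factors. It is not the patent's algorithm or any tool vendor's code; the fault records, the upgrade window, the module-relation table, the weight and the threshold are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultRecord:
    code: str        # fault code
    start: float     # fault occurrence time (vehicle clock, seconds)
    end: float       # time the fault was last active
    module: str      # fault associated module
    level: int       # fault level, carried through into the retained record


# Constructed logical correlation between a module and the upgrade process (0..1)
MODULE_RELATION = {"target_ecu": 1.0, "gateway": 0.6, "telematics": 0.4, "engine": 0.0}


def time_overlap(fault, upgrade_start, upgrade_end):
    """Share of the fault's active interval that falls inside the upgrade window (0..1)."""
    duration = max(fault.end - fault.start, 1e-9)
    overlap = max(0.0, min(fault.end, upgrade_end) - max(fault.start, upgrade_start))
    return min(1.0, overlap / duration)


def correlation(fault, upgrade_start, upgrade_end, relation=MODULE_RELATION, w_time=0.5):
    """Assumed form: w_time * time overlap + (1 - w_time) * logical correlation."""
    return (w_time * time_overlap(fault, upgrade_start, upgrade_end)
            + (1.0 - w_time) * relation.get(fault.module, 0.0))


def partition_faults(faults, upgrade_start, upgrade_end, threshold=0.7):
    """Split the fault set into codes to clear and records to retain.
    Returns (codes_to_clear, retained_records)."""
    to_clear, retained = [], []
    for fault in faults:
        if correlation(fault, upgrade_start, upgrade_end) >= threshold:
            to_clear.append(fault.code)
        else:
            retained.append(fault)
    return to_clear, retained


# Constructed fault set read back after an upgrade that ran from t=100 to t=160
UPGRADE_WINDOW = (100.0, 160.0)
SAMPLE_FAULTS = [
    FaultRecord("U0100", 105.0, 120.0, "gateway", 2),     # lost comms while traffic was blocked
    FaultRecord("B1A00", 150.0, 170.0, "target_ecu", 2),  # raised around the reset
    FaultRecord("P0300", 50.0, 80.0, "engine", 3),        # misfire long before the upgrade
    FaultRecord("P0420", 110.0, 130.0, "engine", 2),      # engine fault during, but unrelated module
    FaultRecord("U0200", 10.0, 40.0, "telematics", 1),    # old telematics fault
]

if __name__ == "__main__":
    clear, keep = partition_faults(SAMPLE_FAULTS, *UPGRADE_WINDOW)
    print("clear:", clear)
    print("retain:", [(f.code, f.level) for f in keep])
```

With w_time = 0.5 and threshold 0.7, timing alone never reaches the threshold: a fault that occurred entirely inside the window but on an unrelated module (P0420 above) is kept, which is the conservative choice when the goal is not to destroy diagnostic evidence.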

[0014] A security management and policy control system for OTA upgrades, the system comprising: The mode switching module is used by the diagnostic tool to send diagnostic session control services to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode, while periodically sending online diagnostic services to maintain the extended session state, and synchronously sending communication control services to prohibit the transmission of all non-diagnostic messages. The permission unlocking module is used by the diagnostic tool to send a precondition check routine control service to the target electronic control unit through physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters. After the verification is successful, a random seed is obtained through the secure access service and a key is calculated and sent to the target electronic control unit. After the target electronic control unit verifies the key, the upgrade operation permission is unlocked. The data transmission module is used for the diagnostic tool to send a diagnostic session control service to the target electronic control unit to switch to the programming session mode, the target electronic control unit to activate the boot download program and configure upgrade resources, the diagnostic tool to transmit upgrade data in blocks according to the network transmission caching capacity, and to perform integrity verification after each upgrade data block is transmitted, and to perform compatibility verification after all upgrade data blocks are transmitted. The function recovery module is used by the diagnostic tool to send a hard reset service to trigger the target electronic control unit to restart, and to send a diagnostic session control service to all electronic control units through function addressing to switch back to the default session mode, restore normal communication control and fault code recording functions, and at the same time send a fault information clearing service to clear fault information generated during the upgrade process.

[0015] Compared with related technologies, the OTA upgrade security management and policy control method and system provided by the present invention have the following beneficial effects: This invention sends a diagnostic session control service to all electronic control units (ECUs) in the vehicle network via a diagnostic tool, instructing all ECUs to switch to extended session mode. Simultaneously, it periodically sends online diagnostic services to maintain the extended session state and sends communication control services to prohibit the transmission of all non-diagnostic messages. The diagnostic tool sends a pre-condition check routine control service to the target ECU via physical addressing, triggering the target ECU to verify the current vehicle status parameters. Upon successful verification, it obtains a random seed through a secure access service, calculates a key, and sends it to the target ECU. After successful verification by the target ECU, upgrade operation permissions are unlocked. Next, the diagnostic tool sends a diagnostic session control service to the target ECU to switch to programming session mode; the target ECU activates the boot download program and configures upgrade resources. The diagnostic tool then transmits the upgrade data in blocks according to network transmission caching capacity. After each upgrade data block is transmitted, an integrity check is performed, and after all upgrade data blocks are transmitted, a compatibility check is performed. The diagnostic tool sends a hard reset service to trigger the target electronic control unit to restart. Through function addressing, it sends a diagnostic session control service to all electronic control units to switch back to the default session mode, restoring normal communication control and fault code recording functions. At the same time, it sends a fault information clearing service to clear fault information generated during the upgrade process. Thus, through full-process security verification, standardized process control, and multi-dimensional data verification, the OTA upgrade process is made safe and controllable, with standardized processes and reliable data, effectively ensuring the security, stability, and compatibility of online upgrades for electronic control units.

[0016] This invention constructs an OTA upgrade system that balances security, stability, and compatibility through end-to-end security control, standardized process design, and multi-dimensional intelligent verification. At the security level, this invention employs an improved elliptic curve integrated encryption algorithm for identity authentication, and effectively resists unauthorized flashing and access through a 256-bit random seed and dual-key verification mechanism, eliminating upgrade security risks at the source and ensuring the safe operation of the vehicle's electronic control unit. At the process control level, this invention uses a multi-dimensional weighted grey relational verification algorithm to accurately evaluate core parameters such as vehicle driving status and power supply stability, initiating upgrades only under safe conditions to avoid flashing interruptions or ECU damage caused by unsuitable scenarios, thus improving the standardization of the upgrade process. Regarding data reliability, this invention uses upgrade data block transmission combined with a dynamic block size adjustment algorithm to adapt to network bandwidth and caching capabilities, coupled with an improved cyclic redundancy check, to ensure data transmission without loss or errors; based on an improved Bayesian network compatibility evaluation model, it comprehensively verifies the compatibility of multiple versions of applications and underlying drivers, significantly reducing the upgrade failure rate caused by version conflicts. At the network optimization level, this invention reduces the load on the CAN network bus by dynamically maintaining session modes and controlling non-diagnostic messages, ensuring smooth upgrade data transmission channels and improving upgrade stability in complex network environments. Regarding post-upgrade processing, this invention specifically cleans up upgrade-related fault information, restores the system's default session and fault record functions, prevents residual data from affecting normal device operation, and provides a basis for upgrade traceability through operation traceability identification. This invention effectively solves the pain points of existing technologies such as lack of security authentication, loose processes, and unreliable data, significantly improving the success rate and security of OTA upgrades, meeting the stringent requirements of the automotive electronics industry for online flashing, and providing reliable assurance for the entire lifecycle upgrade of vehicle ECUs.

Attached Figure Description

[0017] Figure 1 is a flowchart illustrating a security management and policy control method for OTA upgrades provided in an embodiment of the present invention; Figure 2 is a system block diagram of a security management and policy control system for OTA upgrades provided in an embodiment of the present invention; Figure 3 is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of the present invention.

Detailed Implementation

[0018] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0019] Figure 1 is a flowchart of a security management and policy control method for OTA upgrades provided in an embodiment of the present invention. The execution entity of the method shown in Figure 1 can be a software and/or hardware device. The execution entity of this application can include, but is not limited to, at least one of the following: user equipment, network equipment, etc. User equipment can include, but is not limited to, computers, smartphones, personal digital assistants (PDAs), and the aforementioned electronic devices. Network equipment can include, but is not limited to, a single network server, a server group consisting of multiple network servers, or a cloud based on cloud computing consisting of a large number of computers or network servers. Cloud computing is a type of distributed computing, consisting of a super virtual computer composed of a group of loosely coupled computers. This embodiment does not limit this. Steps S1 to S4 are detailed as follows:

S1: The diagnostic tool sends a diagnostic session control service to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode, periodically sends an online diagnostic service to maintain the extended session state, and simultaneously sends a communication control service to prohibit the transmission of all non-diagnostic messages.

S2: The diagnostic tool sends a precondition check routine control service to the target electronic control unit through physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters. After the verification is passed, a random seed is obtained through the secure access service and a key is calculated and sent to the target electronic control unit. After the target electronic control unit verifies the key, the upgrade operation permission is unlocked.

S3: The diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch to programming session mode. The target electronic control unit activates the boot download program and configures upgrade resources. The diagnostic tool transmits the upgrade data in blocks according to the network transmission caching capacity. After each upgrade data block is transmitted, an integrity check is performed. After all upgrade data blocks are transmitted, a compatibility check is performed.

S4: The diagnostic tool sends a hard reset service to trigger the target electronic control unit to restart, and sends a diagnostic session control service to all electronic control units through function addressing to switch back to the default session mode, restoring normal communication control and fault code recording functions, and at the same time sends a fault information clearing service to clear the fault information generated during the upgrade process.

[0020] Understandably, the diagnostic tool initiates a diagnostic session control service to all electronic control units (ECUs) via the vehicle's CAN network, instructing all ECUs to switch from the default session mode to the extended session mode. The extended session mode provides a dedicated operating environment for upgrade operations, supporting complex diagnostic services such as pre-condition verification and security authentication. To prevent ECUs from automatically reverting to the default mode due to timeout, the diagnostic tool continuously sends online diagnostic services at preset intervals to maintain the consistency of the extended session state across all network devices. Simultaneously, the diagnostic tool sends communication control services to manage message transmission in the vehicle network, prohibiting the sending and receiving of all non-diagnostic messages. This reduces the load on the CAN network bus, minimizes interference from irrelevant communication with subsequent upgrade data transmission, and ensures the stability and exclusivity of the upgrade channel.

[0021] Then, the diagnostic tool uses physical addressing to send a pre-condition check routine control service to the target electronic control unit (ECU) to be upgraded. This service triggers the target ECU to initiate a self-test process, comprehensively verifying the current core state parameters of the vehicle. The verification scope covers key dimensions such as driving status, power supply stability, energy storage system capacity, network communication quality, and equipment operating conditions, ensuring that the upgrade operation is performed under safe operating conditions. After the pre-condition verification passes, the diagnostic tool initiates a secure access service request, receiving random verification information generated by the target ECU through a hardware encryption module. Based on a pre-set encryption algorithm and key system, the diagnostic tool calculates the unlocking key in combination with the acquired random verification information and sends the key back to the target ECU. The target ECU calls its built-in security chip to verify the legality of the received key through a matching encryption verification mechanism. If the verification passes, the upgrade operation permission is unlocked; otherwise, the upgrade process is terminated, preventing unauthorized flashing risks from the source.

[0022] After security authorization is completed, the diagnostic tool sends a diagnostic session control service to the target electronic control unit (ECU), instructing it to switch from extended session mode to programming session mode. Programming session mode provides a dedicated runtime environment for writing upgrade data. After the target ECU sends a session switch confirmation response, the bootloader is automatically activated. Once started, the bootloader configures the network buffer, storage area, and computing resources according to a preset resource allocation strategy, creating an adapted environment for upgrade data transmission and writing. The diagnostic tool obtains the target ECU's network transmission caching capacity and real-time bandwidth data through a resource query service. Based on this data, the upgrade package is split into adapted data packet blocks, and the upgrade data is sent block by block using a block transmission mechanism. After each data packet block is transmitted, an integrity verification process is triggered, verifying the accuracy of data transmission through a verification algorithm to avoid upgrade anomalies caused by transmission errors. After all data packet blocks have been transmitted, a compatibility verification process is initiated to verify the compatibility of the upgrade package with the target ECU's application version, bootloader version, hardware adaptation version, and underlying driver version, eliminating version conflict risks.

[0023] Differentiated controls are required for upgrade modes of different vehicle types: for new energy vehicles, the upgrade mode is maintained by the core control module, and the mode maintenance message of the remote communication module is suspended after the whole vehicle is silent; for fuel vehicles, the upgrade mode is maintained by the remote communication module, while the engine start permission is restricted.

[0024] After the upgrade data verification is successful, the diagnostic tool sends a hard reset service to the target electronic control unit (ECU), triggering a forced restart of the device. This thoroughly clears residual upgrade code and cached data from the temporary storage area, ensuring the purity of the system operation after the upgrade. Subsequently, the diagnostic tool uses function addressing to send a diagnostic session control service to all ECUs in the network, instructing all devices to switch from extended session mode or programmable session mode back to the default session mode, restoring the normal communication mechanism and fault code recording function of the vehicle network. Simultaneously, the diagnostic tool sends a fault information clearing service to specifically clean up temporary fault records generated during the upgrade process due to mode switching, resource configuration, and other operations. It retains fault information not related to the upgrade, preventing false fault reports from affecting subsequent vehicle fault diagnosis and ensuring that the ECU returns to normal operating status.
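Steps S1 to S4 and their elaboration in [0020] to [0024] only work as a security mechanism if the ECU enforces the ordering: no unlock before the vehicle-state check, no programming session before the unlock, no download outside an unlocked programming session, and a fallback to the default session (privileges dropped, communication and fault recording restored) whenever the periodic online diagnostic message stops arriving. The following added example is a constructed ECU-side state model of exactly that gate; it is not the patent's code and not an implementation of any diagnostic standard. The response strings, the timeout value and the timestamps are assumptions made for the illustration, and the vehicle-state and key checks are passed in as booleans because they are modelled elsewhere.

```python
from enum import Enum


class Session(Enum):
    DEFAULT = "default"
    EXTENDED = "extended"
    PROGRAMMING = "programming"


class EcuUpgradeGate:
    """Constructed ECU-side state model for steps S1-S4. Every request returns
    "OK" or a descriptive negative response; a step is refused unless the
    session, precondition check, unlock and keep-alive prerequisites hold."""

    def __init__(self, session_timeout_s=5.0):
        self.timeout = session_timeout_s
        self.last_activity = 0.0
        self._reset_to_default()

    def _reset_to_default(self):
        self.session = Session.DEFAULT
        self.precondition_ok = False
        self.unlocked = False
        self.comm_disabled = False     # non-diagnostic traffic allowed again
        self.dtc_recording = True      # fault code recording restored

    def _begin(self, now):
        # Without periodic online-diagnostic (keep-alive) messages the ECU
        # drops back to the default session and loses all privileges.
        if self.session is not Session.DEFAULT and now - self.last_activity > self.timeout:
            self._reset_to_default()
        self.last_activity = now

    def tester_present(self, now):
        self._begin(now)
        return "OK"

    def diagnostic_session_control(self, target, now):
        self._begin(now)
        if target is Session.PROGRAMMING:
            if self.session is not Session.EXTENDED:
                return "NEG:conditions_not_correct"
            if not self.unlocked:
                return "NEG:security_access_denied"   # S3 requires the S2 unlock
        if target is Session.DEFAULT:
            self._reset_to_default()                 # S4: privileges dropped
            return "OK"
        self.session = target
        return "OK"

    def communication_control(self, disable_non_diagnostic, now):
        self._begin(now)
        if self.session is Session.DEFAULT:
            return "NEG:service_not_supported_in_active_session"
        self.comm_disabled = disable_non_diagnostic
        return "OK"

    def routine_control_precondition(self, vehicle_state_ok, now):
        self._begin(now)
        if self.session is not Session.EXTENDED:
            return "NEG:service_not_supported_in_active_session"
        self.precondition_ok = vehicle_state_ok
        return "OK" if vehicle_state_ok else "NEG:conditions_not_correct"

    def security_access(self, key_valid, now):
        self._begin(now)
        if self.session is not Session.EXTENDED:
            return "NEG:service_not_supported_in_active_session"
        if not self.precondition_ok:
            return "NEG:conditions_not_correct"       # no unlock before the vehicle check
        self.unlocked = key_valid
        return "OK" if key_valid else "NEG:invalid_key"

    def request_download(self, now):
        self._begin(now)
        if self.session is not Session.PROGRAMMING:
            return "NEG:service_not_supported_in_active_session"
        if not self.unlocked:
            return "NEG:security_access_denied"
        return "OK"

    def ecu_reset(self, now):
        self._begin(now)
        self._reset_to_default()
        return "OK"


def run_nominal_sequence(gate, t=0.0):
    """Drive S1-S4 in order with constructed timestamps; returns the eight responses."""
    return [
        gate.diagnostic_session_control(Session.EXTENDED, t),           # S1
        gate.communication_control(True, t + 0.1),                      # S1
        gate.routine_control_precondition(True, t + 0.2),               # S2
        gate.security_access(True, t + 0.3),                            # S2
        gate.diagnostic_session_control(Session.PROGRAMMING, t + 0.4),  # S3
        gate.request_download(t + 0.5),                                 # S3
        gate.ecu_reset(t + 0.6),                                        # S4
        gate.diagnostic_session_control(Session.DEFAULT, t + 0.7),      # S4
    ]


if __name__ == "__main__":
    print(run_nominal_sequence(EcuUpgradeGate()))
```

The point of modelling the gate on the ECU rather than in the tool is least privilege: a tool that skips or reorders steps, or a session that goes idle mid-upgrade, ends in the default session with the unlock revoked, so the same checks that the flowchart performs in the tool are also enforced where the flash is written.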

[0025] If the upgrade task is a factory mode operation, the upgrade page should be accessed directly after the upgrade conditions are verified. The upgrade page should automatically exit upon successful upgrade or rollback, and a pop-up window should appear if the rollback fails. After the upgrade is complete, all upgrade-related pages should be closed, and the interface should be restored to its normal display state. Temporary page navigation records and progress bar statuses generated during the upgrade process should be cleared to ensure that subsequent operations are not affected.

[0026] In practice, the diagnostic tool sends a precondition check routine control service to the target electronic control unit via physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters, specifically including: the diagnostic tool collects the current vehicle status parameters, including driving status parameters, power parameters, energy storage parameters, communication parameters, and operating condition parameters, through the precondition check routine control service. The compliance index A is calculated based on a multi-dimensional weighted grey relational verification algorithm, and the corresponding formula is as follows: In the formula, the terms are the weight of the i-th current vehicle state parameter (the weights sum to 1) and the grey relational coefficient between the i-th current vehicle state parameter and the safety baseline value. A security verification threshold is preset. If the current vehicle status parameters meet the upgrade prerequisites, a status compliance signal is generated; otherwise, an abnormal status signal is generated with an abnormal parameter identifier, and the status compliance signal or the abnormal status signal is sent to the diagnostic tool.

[0027] The grey relational coefficient between the i-th current vehicle state parameter and the safety benchmark value is calculated as follows: In the formula, the terms are the measured value of the i-th current vehicle state parameter, the safety baseline value, and the resolution coefficient.

[0028] The diagnostic tool uses physical addressing to send a pre-condition check routine control service to the target electronic control unit (ECU). This service triggers the ECU to initiate a status parameter verification process. First, the diagnostic tool uses this service to comprehensively collect core vehicle status parameters, covering five key dimensions: driving status parameters, including indicators reflecting vehicle motion such as speed and driving mode; power parameters, focusing on core data such as voltage stability and power supply continuity of the power supply system; energy storage parameters, mainly referring to the remaining power and charging / discharging status of onboard energy storage devices; communication parameters, involving network quality indicators such as transmission latency and communication success rate of the onboard network; and operating condition parameters, including equipment operating status data such as workload and temperature of the target ECU.

[0029] After parameter collection, a multi-dimensional weighted grey relational analysis algorithm is used for comprehensive evaluation, with the core calculation being the state compliance index. This algorithm assigns a corresponding weight coefficient to each state parameter, with the sum of these coefficients being 1, to reflect the varying degrees of impact of different parameters on safety upgrades. Simultaneously, the grey relational coefficient quantifies the closeness of each parameter's measured value to a preset safety benchmark value, where a discrimination coefficient is used to adjust the sensitivity of the correlation coefficient, ensuring the accuracy of the evaluation results. The state compliance index is obtained by weighting and summing the weights of each parameter with their corresponding grey relational coefficients, comprehensively reflecting the vehicle's current safety compliance level.

[0030] The system presets an upgrade safety verification threshold and compares the calculated status compliance index with this threshold. If the status compliance index reaches or exceeds the threshold, the vehicle's current status is determined to meet the prerequisite safety conditions for the upgrade, and the target electronic control unit generates a status compliance signal. If the threshold is not reached, the status is determined to be non-compliant, and a status anomaly signal is generated. Simultaneously, the non-compliant abnormal parameters are precisely identified for subsequent troubleshooting. Finally, the target electronic control unit feeds back the status compliance signal or status anomaly signal to the diagnostic tool.
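As an added illustration of the precondition check in [0026] to [0030] (this is not the patent's code), the following Python computes a weighted grey relational compliance index over the five parameter dimensions and returns the compliance or abnormal signal with the offending parameter identified. Since the page does not reproduce the formulas, it assumes Deng's grey relational coefficient with each deviation normalised to a per-parameter tolerance and d_min, d_max fixed at 0 and 1, A = Σ wᵢ·ξᵢ with weights summing to 1, and constructed sample values for the parameters, weights and the 0.8 threshold.

```python
"""Precondition check: weighted grey relational compliance index.
Added example, not the patent's own code. Assumes Deng's coefficient
xi_i = (d_min + rho*d_max) / (d_i + rho*d_max) with d_min = 0, d_max = 1
(deviation normalised to a per-parameter tolerance) and A = sum(w_i * xi_i).
Parameter names, values, weights and the threshold are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StateParam:
    name: str         # one of the five dimensions listed in the text
    measured: float   # current measured value
    baseline: float   # preset safety baseline value
    tolerance: float  # constructed span: |measured - baseline| == tolerance means "at the limit"
    weight: float     # w_i; all weights must sum to 1


def normalised_deviation(p: StateParam) -> float:
    """d_i in [0, 1]: distance from the baseline as a fraction of tolerance, clipped at 1."""
    if p.tolerance <= 0:
        raise ValueError(f"{p.name}: tolerance must be positive")
    return min(1.0, abs(p.measured - p.baseline) / p.tolerance)


def grey_coefficient(d: float, rho: float = 0.5) -> float:
    """Deng's coefficient with d_min = 0 and d_max = 1: xi = rho / (d + rho).
    rho is the resolution (discrimination) coefficient; a smaller rho spreads
    the coefficients further apart for the same deviation."""
    if not 0.0 < rho <= 1.0:
        raise ValueError("rho must lie in (0, 1]")
    return rho / (d + rho)


def compliance_check(params, threshold: float = 0.8, rho: float = 0.5) -> dict:
    """Return the compliance index A and the signal the ECU would send back.

    The abnormal-parameter identifier names every parameter at or beyond its
    tolerance; if none is but A is still below the threshold, the single worst
    parameter is named so the report is never empty."""
    if abs(sum(p.weight for p in params) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    devs = {p.name: normalised_deviation(p) for p in params}
    xis = {p.name: grey_coefficient(devs[p.name], rho) for p in params}
    index = sum(p.weight * xis[p.name] for p in params)
    if index >= threshold:
        return {"signal": "STATUS_COMPLIANT", "index": index, "abnormal": []}
    abnormal = [name for name, d in devs.items() if d >= 1.0]
    if not abnormal:
        abnormal = [min(xis, key=xis.get)]
    return {"signal": "STATUS_ABNORMAL", "index": index, "abnormal": abnormal}


# Constructed sample: vehicle stationary, healthy supply, SOC, network and ECU temperature.
SAMPLE_OK = [
    StateParam("speed_kmh", 0.0, 0.0, 1.0, 0.30),          # driving status
    StateParam("supply_voltage_v", 12.6, 12.8, 1.0, 0.20),  # power
    StateParam("soc_percent", 72.0, 80.0, 40.0, 0.20),      # energy storage
    StateParam("bus_latency_ms", 15.0, 10.0, 50.0, 0.15),   # communication
    StateParam("ecu_temp_c", 45.0, 40.0, 50.0, 0.15),       # operating condition
]
# Same vehicle rolling at 5 km/h: the driving-status dimension is out of tolerance.
SAMPLE_MOVING = [StateParam("speed_kmh", 5.0, 0.0, 1.0, 0.30)] + SAMPLE_OK[1:]

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MOVING):
        print(compliance_check(sample))
```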

[0031] After the verification is successful, a random seed is obtained through the secure access service, a key is calculated and sent to the target electronic control unit, and after the target electronic control unit verifies the key, the upgrade operation permission is unlocked, specifically including: the diagnostic tool sends a secure access service request to the target electronic control unit and receives a 256-bit random seed S generated by the target electronic control unit based on its hardware encryption module. The unlocking key K is calculated using an improved elliptic curve integrated encryption algorithm, and the corresponding formula is as follows: In the formula, k represents the 256-bit private key pre-set in the diagnostic tool; G represents the generator of the elliptic curve secp256r1; H represents the 512-bit hash function based on SHA-3; Q represents the public key of the target electronic control unit; the remaining two operators represent byte-level concatenation and the XOR encryption operation. The diagnostic tool sends the unlock key K and the diagnostic device identification information to the target electronic control unit. The target electronic control unit then invokes its built-in security chip and, based on its own private key and public key, performs a verification operation on the unlock key K to generate a verification unlock key, as follows: The target electronic control unit compares the unlock key K with the verification unlock key. If they match, a permission unlock confirmation signal is generated and the upgrade operation permission is unlocked; otherwise, an upgrade termination command is sent.

[0032] After the vehicle status precondition verification passes, the diagnostic tool initiates a secure access service request to the target electronic control unit (ECU) to begin the identity authentication process. Upon receiving the request, the target ECU calls its built-in hardware encryption module to generate a 256-bit random seed. The hardware encryption module has an independent encryption computing environment, effectively resisting tampering and cracking attacks. The generated random seed possesses high randomness, providing a secure foundation for subsequent encryption authentication. The target ECU then sends this random seed back to the diagnostic tool.

[0033] After receiving the random seed, the diagnostic tool calculates the unlocking key using an improved elliptic curve integrated encryption algorithm. This algorithm combines the high security of elliptic curve encryption with the fast verification characteristics of hash functions. During the calculation, it calls the 256-bit private key pre-set in the diagnostic tool, combines it with the standard generator of the elliptic curve secp256r1, and obtains the basic encrypted data through specific operations. At the same time, a 512-bit hash function based on SHA-3 is used to process the random seed and the public key of the target electronic control unit. Then, through byte-level concatenation and XOR encryption operations, the results of the two types of processing are merged to generate the final unlocking key. Multiple encryption mechanisms ensure the security of key transmission and verification.

[0034] The diagnostic tool sends the calculated unlock key along with its own diagnostic device identification information to the target electronic control unit (ECU). The device identification information assists in identity verification and provides a basis for subsequent upgrade operations. Upon receiving the relevant data, the target ECU invokes its built-in security chip to initiate the verification process. As a hardware-level security component, the security chip isolates external interference, ensuring the independence and security of the verification process. Based on its pre-set private and public keys, the target ECU performs the same encryption operation on the received random seed and other data using the same improved elliptic curve integrated encryption algorithm as the diagnostic tool, generating the verification unlock key.

[0035] The target electronic control unit (ECU) compares the unlock key sent by the diagnostic tool with its own generated verification unlock key. If the two keys match perfectly, it indicates that the diagnostic tool is legitimate and the data transmission has not been tampered with. The target ECU generates an unlock confirmation signal and simultaneously unlocks the upgrade operation permission, allowing subsequent upgrade data transmission and write operations. If the comparison results are inconsistent, it is determined that there is a risk of unauthorized access or data tampering. The target ECU immediately sends an upgrade termination command, terminating the entire OTA upgrade process, blocking unsafe upgrade behavior at the source, and ensuring the operational security of the vehicle's electronic control unit.
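The seed-and-key exchange of [0031] to [0035], as an added example that is not the patent's or the applicant's code: secp256r1 arithmetic is written out in pure Python and SHA3-512 comes from hashlib, so it runs offline. The page lists the ingredients (S, k, G, H, Q, concatenation, XOR) but not how they combine, so the block assumes K = x(k·Q) ⊕ H(S ∥ Q)[:32] on the tool side, with the ECU recomputing it as x(d·P) ⊕ H(S ∥ Q)[:32] from its private key d and the tool public key P = k·G (assumed provisioned in the ECU or carried with the device identification); the key pairs and seeds are constructed sample values.

```python
"""Security access seed-and-key with an ECIES-style derivation (added example;
pure-Python secp256r1 so it runs offline, a real ECU does this in its security
chip). Assumed combining rule, see the lead-in:
    tool:  K  = x(k * Q) xor SHA3-512(S || Q)[:32]
    ECU:   K' = x(d * P) xor SHA3-512(S || Q)[:32],   P = k * G
All keys and seeds below are constructed sample values, not real credentials.
"""
import hashlib
import secrets

# secp256r1 (NIST P-256) domain parameters
P_MOD = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P_MOD - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def on_curve(pt):
    """Reject anything that is not a P-256 point (guards against invalid-curve attacks)."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def scalar_mult(k, pt):
    """Double-and-add (not constant-time; acceptable for an offline illustration)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def encode_point(pt):
    """Uncompressed SEC1 encoding 0x04 || X || Y, the byte form of Q fed to the hash."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def derive_unlock_key(seed, own_priv, peer_pub, ecu_pub):
    """K = x(own_priv * peer_pub) xor SHA3-512(S || Q)[:32]; both sides call this."""
    if len(seed) != 32:
        raise ValueError("seed must be 256 bits")
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid P-256 point")
    z = scalar_mult(own_priv, peer_pub)[0].to_bytes(32, "big")
    h = hashlib.sha3_512(seed + encode_point(ecu_pub)).digest()[:32]
    return bytes(a ^ b for a, b in zip(z, h))


def tool_unlock_key(seed, tool_priv, ecu_pub):
    """Diagnostic tool side: the peer point is the ECU public key Q."""
    return derive_unlock_key(seed, tool_priv, ecu_pub, ecu_pub)


def ecu_verify_unlock(seed, ecu_priv, ecu_pub, tool_pub, received_key):
    """ECU side: recompute K' with its own private key and compare in constant time."""
    expected = derive_unlock_key(seed, ecu_priv, tool_pub, ecu_pub)
    return secrets.compare_digest(expected, received_key)


def new_seed():
    """Stand-in for the ECU's hardware random number generator."""
    return secrets.token_bytes(32)


# Constructed sample key pairs (NOT real credentials).
TOOL_PRIV = 0x1F3A_5C7E_9B0D_2F41_6385_A7C9_EB1D_3F55_7799_BBDD_FF11_3355_7799_BBDD_FF01_2345
ECU_PRIV = 0x0C0FFEE0_BADF00D0_DEADBEEF_0BADC0DE_12345678_9ABCDEF0_0FEDCBA9_87654321
TOOL_PUB = scalar_mult(TOOL_PRIV, G)
ECU_PUB = scalar_mult(ECU_PRIV, G)

if __name__ == "__main__":
    s = new_seed()
    k = tool_unlock_key(s, TOOL_PRIV, ECU_PUB)
    print("unlock accepted:", ecu_verify_unlock(s, ECU_PRIV, ECU_PUB, TOOL_PUB, k))
```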

[0036] The diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch to programming session mode. The target electronic control unit activates the boot download program and configures upgrade resources, specifically including: The diagnostic tool sends the diagnostic session control service to the target electronic control unit, instructing the target electronic control unit to switch to the programming session mode; The target electronic control unit activates the boot download program after sending a session switch confirmation response; The bootloader allocates network buffers and storage resources according to a resource allocation algorithm. After the upgrade resource configuration is completed, the target electronic control unit sends an upgrade resource ready signal to the diagnostic tool and outputs the configured upgrade execution environment.

[0037] It should be noted that after completing identity authentication and permission unlocking, the diagnostic tool sends a diagnostic session control service to the target electronic control unit, explicitly instructing it to switch from extended session mode to programming session mode. Programming session mode is a dedicated operating mode designed specifically for firmware flashing and data updates, possessing core features such as resource priority allocation and open data write permissions, which can meet the high bandwidth and high stability transmission requirements during the upgrade process.

[0038] After receiving the session switching command, the target electronic control unit first sends a session switching confirmation response to the diagnostic tool to ensure that the command transmission is error-free. Subsequently, the target electronic control unit automatically activates the built-in boot download program, which serves as the core execution carrier for the upgrade operation and is responsible for coordinating key processes such as resource allocation, data reception, and writing.

[0039] After the download program starts, it invokes a preset resource allocation algorithm to configure the core hardware resources of the target electronic control unit. The configuration objects mainly include network buffers and storage resources. The network buffer is used to temporarily cache upgrade data during transmission, while a dedicated area is allocated for storing the final upgrade file. The resource allocation algorithm dynamically adjusts the resource allocation ratio based on parameters such as the estimated size of the upgrade data and transmission rate requirements, ensuring uncongested network transmission and conflict-free storage writes, while reserving sufficient redundant resources to handle unforeseen circumstances.

[0040] Once all the necessary upgrade resources, such as network buffers and storage areas, are configured, the target electronic control unit sends an upgrade resource ready signal to the diagnostic tool. This signal contains key information such as resource configuration status, available bandwidth, and storage capacity, indicating that the upgrade execution environment is fully adapted. Upon receiving this signal, the diagnostic tool can initiate the subsequent upgrade data block transmission process.

[0041] The diagnostic tool transmits upgrade data in chunks according to the network transmission caching capacity, specifically including: the diagnostic tool obtains the receive buffer capacity C, maximum transmission unit (MTU), and real-time network bandwidth B of the target electronic control unit through a resource query service, and calculates the initial block size for block transmission as follows: In the formula, the two coefficients are the cache safety factor and the MTU adaptation factor. The initial block size is then adjusted based on a dynamic adaptation algorithm of the transmission rate, and the final block size L is generated as follows: In the formula, v represents the real-time transmission rate, and the remaining terms are the reference transmission rate, the rate adjustment coefficient, and the initial network bandwidth. The diagnostic tool divides the upgrade data into N upgrade data blocks according to the final block size L, and assigns a unique identifier ID and target storage address to each upgrade data block. Through the request download service, the diagnostic tool sends the first upgrade data block, along with its corresponding unique identifier ID and target storage address, to the target electronic control unit. It then receives a data block reception confirmation signal from the target electronic control unit and sends the next upgrade data block based on that signal, continuing this process until all upgrade data blocks have been sent.

[0042] Before initiating upgrade data transmission, the diagnostic tool first establishes communication with the target electronic control unit (ECU) through a resource query service to obtain three key resource parameters: receive buffer capacity (the maximum space the target ECU can temporarily store for transmitted data); maximum transmission unit (MTU) (the maximum data unit size that can be transmitted in a single transmission through a network link); and real-time network bandwidth (reflecting the current data transmission capacity of the vehicle network). Based on these parameters, the diagnostic tool calculates the initial block size, incorporating a buffer safety factor and an MTU adaptation factor. The buffer safety factor reserves some buffer space to prevent overflow, while the MTU adaptation factor ensures that the data block size does not exceed the network transmission unit limit. The initial block size is the smaller of the two calculated results, balancing device buffer capacity and network transmission compatibility.

[0043] To adapt to dynamic changes in network transmission status, the diagnostic tool employs a dynamic transmission rate adaptation algorithm to adjust the initial block size in real time, generating the final block size. During adjustment, a baseline transmission rate is used as a reference standard, combined with fluctuations in the real-time transmission rate, to balance transmission efficiency and stability through a rate adjustment coefficient. Simultaneously, the difference between the initial network bandwidth and the current real-time bandwidth is considered to dynamically optimize the block size. When network bandwidth is sufficient and the transmission rate is stable, the block size is appropriately increased to improve transmission efficiency; when network bandwidth is limited and the transmission rate fluctuates, the block size is decreased to reduce the risk of transmission failure and ensure data transmission continuity.

[0044] Once the block size is determined, the diagnostic tool divides the complete upgrade data into several independent upgrade data blocks according to this size, assigning a unique identifier (ID) and a target storage address to each data block. The unique identifier (ID) is used to distinguish different data blocks, facilitating sorting and assembly after the target electronic control unit (ECU) receives the data; the target storage address specifies the exact location of each data block in the ECU's storage area, providing precise guidance for subsequent data writing and avoiding storage address conflicts.

[0045] After data block splitting and identifier allocation are completed, the diagnostic tool initiates the data transmission process by requesting a download service. It first sends the first upgrade data block, along with its corresponding unique identifier (ID) and target storage address, to the target electronic control unit (ECU). Once the target ECU successfully receives and identifies the data block, it returns a data block reception confirmation signal to the diagnostic tool. Using this confirmation signal as a trigger, the diagnostic tool sequentially sends subsequent data blocks until all upgrade data blocks have been transmitted. This mechanism of transmitting block by block, confirming receipt, and then sending again allows for real-time verification of data block reception status, timely detection and resending of lost or corrupted data blocks, ensuring the integrity and reliability of upgrade data transmission.
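The block-size calculation and the acknowledged block transfer of [0041] to [0045], as an added example (not the patent's code). The initial size follows the text, min(α·C, β·MTU); the rate-adaptation formula, CRC-32 as the integrity check, the simulated bootloader receiver, and the corruption injected into block 2 are assumptions, and the firmware image and resource figures are constructed.

```python
"""Acknowledged block transfer of an upgrade image with per-block integrity checks.
Added example (not the patent's code). initial_block_size follows the text,
min(alpha*C, beta*MTU); adapt_block_size assumes L = L0*(1+gamma*(v-v_ref)/v_ref)*(B/B0)
clamped to [min_block, hard_limit]; CRC-32 stands in for the unspecified check.
Firmware bytes, resource figures and the injected corruption are constructed.
"""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class UpgradeBlock:
    block_id: int   # unique identifier, sequential from 0
    address: int    # target storage address inside the ECU's allocated area
    payload: bytes
    crc32: int      # integrity check value computed by the tool before sending


def initial_block_size(buffer_capacity, mtu, alpha=0.8, beta=0.9):
    """L0 = min(alpha * C, beta * MTU): bounded by buffer headroom and by the link MTU."""
    if not (0 < alpha <= 1 and 0 < beta <= 1):
        raise ValueError("safety/adaptation factors must lie in (0, 1]")
    return int(min(alpha * buffer_capacity, beta * mtu))


def adapt_block_size(l0, rate, ref_rate, bandwidth, init_bandwidth,
                     gamma=0.5, min_block=64, hard_limit=None):
    """Assumed rate adaptation: grow when the link is fast and wide, shrink otherwise.
    Growth above L0 is only allowed up to hard_limit (e.g. min(C, MTU))."""
    factor = (1 + gamma * (rate - ref_rate) / ref_rate) * (bandwidth / init_bandwidth)
    size = round(l0 * factor)
    return max(min_block, min(size, hard_limit if hard_limit else l0))


def split_upgrade_data(data, block_size, base_address):
    """Cut the image into N blocks, each carrying its ID, target address and CRC."""
    chunks = [data[off:off + block_size] for off in range(0, len(data), block_size)]
    return [UpgradeBlock(i, base_address + i * block_size, c, zlib.crc32(c))
            for i, c in enumerate(chunks)]


class SimulatedEcu:
    """Bootloader receiver: enforces block order, address bounds and integrity."""

    def __init__(self, area_start, area_size):
        self.area_start, self.area_size = area_start, area_size
        self.expected_id = 0
        self.memory = {}

    def receive_block(self, blk):
        if blk.block_id != self.expected_id:
            return ("NAK", "sequence")
        end = blk.address + len(blk.payload)
        if blk.address < self.area_start or end > self.area_start + self.area_size:
            return ("NAK", "address")
        if zlib.crc32(blk.payload) != blk.crc32:
            return ("NAK", "integrity")    # nothing written, expected ID not advanced
        self.memory[blk.address] = blk.payload
        self.expected_id += 1
        return ("ACK", blk.block_id)

    def image(self):
        return b"".join(self.memory[a] for a in sorted(self.memory))


def flaky_channel(blk, attempt):
    """Constructed fault injection: block 2 arrives with one flipped byte on its first try."""
    if blk.block_id == 2 and attempt == 1:
        bad = bytes([blk.payload[0] ^ 0xFF]) + blk.payload[1:]
        return UpgradeBlock(blk.block_id, blk.address, bad, blk.crc32)
    return blk


def transfer(blocks, ecu, channel, max_retries=3):
    """Send a block, wait for the confirmation, resend on NAK, abort after max_retries."""
    log = []
    for blk in blocks:
        for attempt in range(1, max_retries + 2):
            status, info = ecu.receive_block(channel(blk, attempt))
            log.append((blk.block_id, attempt, status, info))
            if status == "ACK":
                break
        else:
            return False, log
    return True, log


FIRMWARE = bytes(range(256)) * 10            # constructed 2560-byte image
AREA_START, AREA_SIZE = 0x0800_0000, 0x1000  # constructed flash area (4 KiB)


def run_demo():
    """Full sequence: size the blocks, split, transfer over the flaky channel, compare images."""
    l0 = initial_block_size(buffer_capacity=4096, mtu=1500)                                   # 1350
    size = adapt_block_size(l0, rate=900, ref_rate=1000, bandwidth=800, init_bandwidth=1000)  # 1026
    blocks = split_upgrade_data(FIRMWARE, size, AREA_START)
    ecu = SimulatedEcu(AREA_START, AREA_SIZE)
    ok, log = transfer(blocks, ecu, flaky_channel)
    return ok, log, ecu.image() == FIRMWARE
```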

[0046] After all upgrade data blocks have been transmitted, a compatibility check is performed, specifically including: the diagnostic tool obtains upgrade package version information through a version query service, including the application version, the bootloader (download program) version, the hardware compatibility version, and the underlying driver version, and constructs a four-dimensional version vector V. The compatibility probability P corresponding to the four-dimensional version vector V is calculated based on the improved Bayesian network compatibility evaluation model as follows: In the formula, the terms are the bias coefficient; the standardized application version, bootloader version, hardware compatibility version, and underlying driver version; the weights of these four standardized versions; and exp, the exponential function with the natural constant e as its base. A compatibility probability threshold is preset. If the upgrade package does not conflict with the target electronic control unit, a compatibility pass signal is generated; otherwise, a conflict analysis report is generated and the conflicting version item is identified. The compatibility result is sent to the diagnostic tool as a signal, and the diagnostic tool terminates the transmission of the upgrade data based on it.

[0047] After completing the transmission of all upgrade data blocks, the diagnostic tool initiates a version information collection process. It communicates with the target electronic control unit (ECU) and the upgrade package via a version query service to obtain four types of core version information: the application version in the upgrade package, the bootloader version built into the target ECU, the hardware adaptation version, and the underlying driver version. These four types of version information correspond to the core software executed during the upgrade, the boot media, the hardware adaptation interface, and the underlying operating environment, respectively, collectively determining the compatibility between the upgrade package and the target device. The diagnostic tool integrates these four types of version information according to a preset format to construct a four-dimensional version vector, forming the basic data model for compatibility assessment.

[0048] Based on the constructed four-dimensional version vector, the diagnostic tool invokes an improved Bayesian network compatibility assessment model for adaptation analysis. This model possesses powerful multi-dimensional correlation processing capabilities, effectively uncovering potential adaptation patterns between different version dimensions. During the calculation process, the version information in the four-dimensional version vector is first standardized to eliminate evaluation biases caused by differences in encoding rules and numerical ranges between versions, ensuring data comparability. Subsequently, the model introduces weighting coefficients to weight the standardized version information. These weighting coefficients are preset based on the degree of influence of different version dimensions on compatibility, highlighting the role of core adaptation elements; simultaneously, a bias coefficient is incorporated to calibrate model output bias and improve evaluation accuracy. Through model computation, the compatibility probability between the upgrade package and the target electronic control unit is finally obtained, which quantitatively reflects the reliability of their adaptation.

[0049] The system presets a compatibility probability threshold, which is calibrated based on a large amount of adaptation test data and is the core standard for judging whether compatibility meets the requirements. The diagnostic tool compares the calculated compatibility probability with the preset threshold: if the compatibility probability reaches or exceeds the threshold, it indicates that there is no compatibility conflict between the upgrade package and the target electronic control unit's hardware and software environment, meeting the upgrade operation requirements, and a compatibility pass signal is generated; if the compatibility probability does not reach the threshold, it is determined that there is a compatibility risk, and a conflict analysis report is automatically generated, accurately identifying the version item that caused the conflict, providing a clear basis for subsequent upgrade package optimization or device adaptation adjustments.

[0050] After receiving the compatibility verification results, the diagnostic tool executes corresponding process controls: if a compatibility pass signal is received, indicating that the upgrade data meets the conditions for safe operation, the diagnostic tool terminates the upgrade data transmission process, preparing for subsequent system reset and function restoration; if a conflict analysis report is received, the upgrade process is paused, the report is fed back to the relevant control terminal, and the upgrade operation is restarted after the compatibility issue is resolved. The entire compatibility verification process, through a scientific evaluation model and rigorous threshold determination, blocks upgrade risks caused by version incompatibility at the source, ensuring the reliability and security of OTA upgrades.
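An added example (not the patent's code) of the compatibility gate in [0046] to [0050]: standardise the four versions, weight them, add the bias, and compare the resulting probability with the threshold, naming the conflicting item when the check fails. The logistic form P = 1/(1+exp(−(Σ wᵢxᵢ + b))), the version-distance standardisation rule, the weights, the bias and the 0.9 threshold are assumptions, since the page does not reproduce the model; all version strings are constructed.

```python
"""Compatibility gate on a four-dimensional version vector (added example, not the
patent's code). Assumes the logistic form P = 1 / (1 + exp(-(sum_i w_i*x_i + b)))
with standardized x_i in [0, 1]; standardisation rule, weights, bias and threshold
are constructed.
"""
import math

DIMENSIONS = ("application", "bootloader", "hardware", "driver")
WEIGHTS = {"application": 2.0, "bootloader": 3.0, "hardware": 2.0, "driver": 1.0}
BIAS = -5.5
THRESHOLD = 0.9


def parse_version(text):
    """'major.minor.patch' -> (int, int, int); anything else is rejected."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def standardize(actual, expected):
    """x in [0, 1]: 1.0 when the installed version equals the one the package was
    built against; a major step costs 1.0, a minor step 0.1, a patch step 0.01."""
    a, e = parse_version(actual), parse_version(expected)
    dist = abs(a[0] - e[0]) + abs(a[1] - e[1]) / 10 + abs(a[2] - e[2]) / 100
    return max(0.0, 1.0 - dist)


def compatibility_probability(vector):
    """vector: dimension -> standardized value x_i. Returns P in (0, 1)."""
    logit = sum(WEIGHTS[d] * vector[d] for d in DIMENSIONS) + BIAS
    return 1.0 / (1.0 + math.exp(-logit))


def compatibility_check(installed, required, threshold=THRESHOLD):
    """installed: versions reported by the ECU; required: versions the package declares
    it was built against. Returns the pass signal or a conflict report."""
    vector = {d: standardize(installed[d], required[d]) for d in DIMENSIONS}
    p = compatibility_probability(vector)
    if p >= threshold:
        return {"signal": "COMPAT_PASS", "probability": p, "conflict": None}
    # the version item that caused the conflict: largest weighted shortfall w_i * (1 - x_i)
    worst = max(DIMENSIONS, key=lambda d: WEIGHTS[d] * (1.0 - vector[d]))
    return {"signal": "COMPAT_CONFLICT", "probability": p, "conflict": worst,
            "installed": installed[worst], "required": required[worst]}


# Constructed version data: what the package was built against ...
REQUIRED = {"application": "3.1.0", "bootloader": "2.8.0", "hardware": "1.0.0", "driver": "4.2.1"}
# ... and two ECUs, one matching and one running an older bootloader.
ECU_MATCHING = dict(REQUIRED)
ECU_OLD_BOOT = dict(REQUIRED, bootloader="2.3.0")

if __name__ == "__main__":
    print(compatibility_check(ECU_MATCHING, REQUIRED))
    print(compatibility_check(ECU_OLD_BOOT, REQUIRED))
```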

[0051] The fault information clearing service clears fault information generated during the upgrade process, specifically including: the diagnostic tool obtains, through a fault code reading service, the set of fault information generated by all electronic control units during the upgrade period, in which the j-th fault information includes the fault code, fault occurrence time, fault associated module, and fault level. The correlation of each fault information with the upgrade operation is calculated based on a hierarchical correlation analysis algorithm, as follows: In the formula, the terms are the time-related weight, the degree of overlap between the time the fault occurred and the upgrade period, and the logical correlation between the fault associated module and the upgrade process; the overlap and the logical correlation both take values from 0 to 1. A correlation threshold is preset. Fault information whose correlation reaches the threshold is filtered out to form the set to be cleared, and fault information below the threshold is retained as non-upgrade-related fault records. The diagnostic tool then sends a fault code clearing service to all electronic control units to specifically clear the fault information in the set to be cleared.

[0052] After the upgrade process is completed, the diagnostic tool initiates a fault information collection process. It establishes communication with all electronic control units (ECUs) in the vehicle network via the fault code reading service to obtain fault information generated by all ECUs during the upgrade period, forming a complete fault information set. Each item of fault information includes four core attributes: the fault code, used to uniquely identify the fault type; the fault occurrence time, precisely pinpointing the specific time period in which the fault occurred; the associated module, identifying the hardware or software module to which the fault belongs; and the fault level, indicating the severity of the fault. These attributes provide comprehensive data support for subsequent correlation analysis.

[0053] For the collected fault information set, the diagnostic tool employs a hierarchical correlation analysis algorithm to calculate the correlation between each fault and the upgrade operation. This algorithm constructs a correlation evaluation model from two core dimensions: first, the temporal correlation dimension, which quantifies the temporal correlation between the fault and the upgrade operation by calculating the overlap between the fault occurrence time and the upgrade period; second, the logical correlation dimension, which analyzes the logical correlation between the fault-related modules and the upgrade process to determine whether the fault was caused by operations such as resource configuration, data transmission, and mode switching during the upgrade process. The algorithm introduces a temporal correlation weight to adjust the influence ratio of the two dimensions, ensuring that the evaluation results closely reflect the actual scenario. The values for temporal overlap and logical correlation both range from 0 to 1, with values closer to 1 indicating a stronger correlation.

[0054] The system has a preset correlation threshold, which is calibrated based on a large amount of upgrade test data to distinguish between upgrade-related and non-upgrade-related faults. The diagnostic tool compares the correlation of each fault information with the preset threshold: if the correlation reaches or exceeds the threshold, the fault is determined to be a temporary fault generated during the upgrade process and is included in the cleanup set; if the correlation is below the threshold, the fault is determined to be an inherent fault of the electronic control unit itself, unrelated to the upgrade operation, and is retained as a non-upgrade-related fault record to provide a basis for subsequent equipment maintenance.

[0055] After correlation filtering is completed, the diagnostic tool sends a fault code clearing service to all electronic control units via function addressing, performing precise clearing operations on the fault information in the set to be cleared. The clearing process only affects temporary faults associated with the upgrade and does not affect the retained non-upgrade-related fault records, ensuring the targeted and safe nature of fault information clearing. After the fault information clearing is completed, the fault recording function of the electronic control unit returns to normal, accurately recording faults generated during subsequent use and ensuring the reliability of the vehicle fault diagnosis system. Through scientific correlation analysis and precise targeted clearing, effective separation of temporary upgrade faults and native equipment faults is achieved, avoiding interference from false fault reports and ensuring the integrity of the fault diagnosis function.
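The correlation filter of [0051] to [0055], as an added example that is not the patent's code: each fault record gets a temporal overlap with the upgrade window and a module-based logical correlation, combined as R = α·T + (1−α)·L (an assumed form; the page gives only the terms), and only records at or above the threshold go into the set to be cleared. The fault codes, timestamps, module table, α and the 0.7 threshold are constructed.

```python
"""Separating upgrade-induced fault records from pre-existing ones (added example,
not the patent's code). Assumes R = alpha * T + (1 - alpha) * L with the temporal
overlap T and logical module correlation L both in [0, 1]; only R >= threshold
is cleared. Codes, timestamps, module table and threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FaultRecord:
    code: str      # fault code
    start: float   # fault occurrence time (seconds on a constructed clock)
    end: float     # last time the fault was seen active; == start for a one-shot event
    module: str    # fault associated module
    level: int     # fault level, 1 (info) .. 3 (critical)


# Logical correlation L between an ECU module and the upgrade process (constructed table).
UPGRADE_MODULE_RELATION = {
    "session_manager": 1.0,   # mode switching
    "can_comm": 0.9,          # communication control / data transfer
    "flash_driver": 0.9,      # resource configuration and writing
    "power_mgmt": 0.3,
    "airbag_sensor": 0.0,
}


def temporal_overlap(fault, window):
    """T in [0, 1]: share of the fault's active interval that lies inside the upgrade window.
    A one-shot event counts as 1.0 if it happened inside the window, else 0.0."""
    w_start, w_end = window
    if fault.end <= fault.start:
        return 1.0 if w_start <= fault.start <= w_end else 0.0
    overlap = max(0.0, min(fault.end, w_end) - max(fault.start, w_start))
    return overlap / (fault.end - fault.start)


def correlation(fault, window, alpha=0.6):
    """R = alpha * T + (1 - alpha) * L; unknown modules get L = 0 and are never assumed upgrade-related."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    t = temporal_overlap(fault, window)
    l = UPGRADE_MODULE_RELATION.get(fault.module, 0.0)
    return alpha * t + (1.0 - alpha) * l


def partition_faults(faults, window, threshold=0.7, alpha=0.6):
    """Split the fault set into (to_clear, retain) as the clearing step needs them."""
    to_clear, retain = [], []
    for f in faults:
        (to_clear if correlation(f, window, alpha) >= threshold else retain).append(f)
    return to_clear, retain


UPGRADE_WINDOW = (1000.0, 1300.0)   # constructed: programming session start and end
SAMPLE_FAULTS = [
    FaultRecord("U0100", 1010.0, 1250.0, "can_comm", 1),       # lost comms while messages were suppressed
    FaultRecord("P0562", 1280.0, 1400.0, "power_mgmt", 2),     # low voltage that outlived the upgrade
    FaultRecord("B0001", 1100.0, 1100.0, "airbag_sensor", 3),  # one-shot safety fault during the window
    FaultRecord("C1234", 900.0, 1050.0, "flash_driver", 2),    # began before the upgrade started
]

if __name__ == "__main__":
    clear, keep = partition_faults(SAMPLE_FAULTS, UPGRADE_WINDOW)
    print("clear:", [f.code for f in clear])
    print("keep: ", [f.code for f in keep])
```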

[0056] As shown in Figure 2, which is a system block diagram of a security management and policy control system for OTA upgrades provided in an embodiment of the present invention, the system includes the following modules.

The mode switching module is used by the diagnostic tool to send diagnostic session control services to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode, while periodically sending online diagnostic services to maintain the extended session state, and synchronously sending communication control services to prohibit the transmission of all non-diagnostic messages.

The permission unlocking module is used by the diagnostic tool to send a precondition check routine control service to the target electronic control unit through physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters. After the verification is successful, a random seed is obtained through the secure access service and a key is calculated and sent to the target electronic control unit. After the target electronic control unit verifies the key, the upgrade operation permission is unlocked.

The data transmission module is used for the diagnostic tool to send a diagnostic session control service to the target electronic control unit to switch to the programming session mode, for the target electronic control unit to activate the boot download program and configure upgrade resources, and for the diagnostic tool to transmit upgrade data in blocks according to the network transmission caching capacity, to perform integrity verification after each upgrade data block is transmitted, and to perform compatibility verification after all upgrade data blocks are transmitted.

The function recovery module is used by the diagnostic tool to send a hard reset service to trigger the target electronic control unit to restart, and to send a diagnostic session control service to all electronic control units through function addressing to switch back to the default session mode, restore normal communication control and fault code recording functions, and at the same time send a fault information clearing service to clear fault information generated during the upgrade process.

[0057] The apparatus of the embodiment illustrated in Figure 2 can be used to perform the corresponding actions of the method embodiment shown in Figure 1; the steps are implemented in a similar manner and have similar technical effects, and will not be repeated here.

[0058] An electronic device includes a memory and a processor, wherein the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the steps of the OTA upgrade security management and policy control method described in any of the above descriptions.

[0059] As shown in Figure 3, which is a hardware structure schematic of an electronic device according to an embodiment of the present invention, the electronic device 30 includes: a processor 31, a memory 32, and a computer program; wherein... The memory 32 is used to store the computer program, and the memory may also be flash memory. The computer program is, for example, an application program or functional module that implements the above method.

[0060] Processor 31 is configured to execute the computer program stored in the memory to implement the various steps performed by the device in the above method. For details, please refer to the relevant descriptions in the preceding method embodiments.

[0061] Alternatively, the memory 32 can be either standalone or integrated with the processor 31.

[0062] When the memory 32 is a device independent of the processor 31, the device may further include a bus 33 for connecting the memory 32 and the processor 31.

[0063] A readable storage medium stores a computer program which, when executed by a processor, implements the steps of the security management and policy control method for OTA upgrades described in any of the above embodiments.

[0064] The readable storage medium can be a computer storage medium or a communication medium. A communication medium includes any medium that facilitates the transfer of computer programs from one location to another. A computer storage medium can be any available medium accessible to a general-purpose or special-purpose computer. For example, a readable storage medium is coupled to a processor, enabling the processor to read information from and write information to the readable storage medium. Of course, the readable storage medium can also be a component of the processor. The processor and the readable storage medium can reside in an Application-Specific Integrated Circuit (ASIC). Alternatively, the ASIC can be located in a user equipment. Of course, the processor and the readable storage medium can also exist as discrete components in a communication device. The readable storage medium can be a read-only memory (ROM), random access memory (RAM), CD-ROM, magnetic tape, floppy disk, and optical data storage device, etc.

[0065] The present invention also provides a program product including executable instructions stored in a readable storage medium. At least one processor of the device can read the executable instructions from the readable storage medium, and the at least one processor executes the executable instructions to cause the device to implement the methods provided in the various embodiments described above.

[0066] In the embodiments of the above-described device, it should be understood that the processor can be a Central Processing Unit (CPU) or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this invention can be embodied directly as execution by a hardware processor, or as execution by a combination of hardware and software modules within the processor.

[0067] Through the above embodiments, the present invention provides an OTA upgrade security management and policy control method and system in which the diagnostic tool sends a diagnostic session control service to all electronic control units (ECUs) in the vehicle network, instructing all ECUs to switch to extended session mode, while periodically sending an online diagnostic service to maintain the extended session state and simultaneously sending a communication control service to prohibit the transmission of all non-diagnostic messages. The diagnostic tool sends a precondition check routine control service to the target ECU via physical addressing, triggering the target ECU to verify the current vehicle status parameters. After successful verification, it obtains a random seed through a secure access service, calculates a key, and sends it to the target ECU; after the target ECU verifies the key, the upgrade operation permission is unlocked. The diagnostic tool then sends a diagnostic session control service to the target ECU to switch it to programming session mode, and the target ECU activates the boot download program and configures upgrade resources. The diagnostic tool transmits the upgrade data in blocks according to the network transmission caching capacity; an integrity check is performed after each upgrade data block is transmitted, and a compatibility check is performed after all upgrade data blocks are transmitted. The diagnostic tool sends a hard reset service to trigger a restart of the target ECU, sends a diagnostic session control service to all ECUs via functional addressing to switch them back to default session mode, restoring normal communication control and fault code recording functions, and at the same time sends a fault information clearing service to clear the fault information generated during the upgrade process.

Thus, through full-process security verification, standardized process control, and multi-dimensional data verification, the OTA upgrade process is made safe and controllable, with standardized procedures and reliable data, effectively ensuring the security, stability, and compatibility of online upgrades for ECUs.

[0068] This invention constructs an OTA upgrade system that balances security, stability and compatibility through end-to-end security control, standardized process design and multi-dimensional intelligent verification. At the security level, it uses an improved elliptic curve integrated encryption algorithm for identity authentication and resists unauthorized flashing and access through a 256-bit random seed and a dual-key verification mechanism, eliminating upgrade security risks at the source and protecting the safe operation of the vehicle's electronic control units. At the process control level, it uses a multi-dimensional weighted grey relational verification algorithm to evaluate core parameters such as driving status and power supply stability, initiating the upgrade only under safe conditions so as to avoid flashing interruptions or ECU damage caused by unsuitable scenarios, thereby standardizing the upgrade process. For data reliability, it transmits the upgrade data in blocks whose size is adapted to the network bandwidth and caching capacity by a dynamic block size adjustment algorithm, combined with an improved cyclic redundancy check, so that data are transmitted without loss or error; an improved Bayesian network compatibility evaluation model verifies the compatibility of the application and underlying driver versions, significantly reducing upgrade failures caused by version conflicts. At the network level, it reduces the load on the CAN bus by dynamically maintaining session modes and suppressing non-diagnostic messages, keeping the upgrade data channel clear and improving upgrade stability in complex network environments.

For post-upgrade processing, it selectively clears upgrade-related fault information, restores the default session and fault recording functions, prevents residual data from affecting normal device operation, and provides a basis for tracing the upgrade through operation traceability identifiers. The invention thus addresses the shortcomings of existing technology, namely missing security authentication, loose process control and unreliable data, significantly improving the success rate and security of OTA upgrades, meeting the stringent requirements of the automotive electronics industry for online flashing, and providing reliable assurance for upgrades over the entire lifecycle of vehicle ECUs.

[0069] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of the present invention.

Claims

1. A security management and policy control method for OTA upgrades, characterized in that the method includes: the diagnostic tool sends a diagnostic session control service to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode, while periodically sending an online diagnostic service to maintain the extended session state and simultaneously sending a communication control service to prohibit the transmission of all non-diagnostic messages; the diagnostic tool sends a precondition check routine control service to the target electronic control unit via physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters; after the verification succeeds, a random seed is obtained through the secure access service, a key is calculated and sent to the target electronic control unit, and after the target electronic control unit verifies the key, the upgrade operation permission is unlocked; the diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch it to programming session mode, and the target electronic control unit activates the boot download program and configures upgrade resources; the diagnostic tool transmits the upgrade data in blocks according to the network transmission caching capacity, an integrity check is performed after each upgrade data block is transmitted, and a compatibility check is performed after all upgrade data blocks are transmitted; the diagnostic tool sends a hard reset service to trigger a restart of the target electronic control unit, then sends a diagnostic session control service to all electronic control units via functional addressing to switch them back to default session mode, restoring normal communication control and fault code recording functions, and at the same time sends a fault information clearing service to clear the fault information generated during the upgrade process.
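The procedure of claim 1 (also described in paragraphs [0056] and [0067]) is a sequence of diagnostic services; the example below, added here and not part of the patent, encodes that sequence as ISO 14229-1 (UDS) requests and classifies the ECU's responses. The mapping of the claim's service names to UDS service identifiers is this example's assumption (diagnostic session control 0x10, online diagnostic service = TesterPresent 0x3E, communication control 0x28, routine control 0x31, secure access 0x27, hard reset 0x11 0x01, fault information clearing 0x14); the routine identifier of the precondition check, and the ControlDTCSetting step at the start, are constructed.

```python
"""Added example (not the patent's code): the request sequence of claim 1 as
UDS services, with a response classifier. Service identifiers follow
ISO 14229-1; PRECONDITION_CHECK_RID is a constructed value."""

SID_SESSION_CONTROL = 0x10
SID_ECU_RESET = 0x11
SID_CLEAR_DTC = 0x14
SID_SECURITY_ACCESS = 0x27
SID_COMM_CONTROL = 0x28
SID_ROUTINE_CONTROL = 0x31
SID_TESTER_PRESENT = 0x3E
SID_CONTROL_DTC_SETTING = 0x85
NEGATIVE_RESPONSE_SID = 0x7F
NRC_RESPONSE_PENDING = 0x78          # requestCorrectlyReceived-ResponsePending
SUBFUNCTION_SERVICES = {0x10, 0x11, 0x27, 0x28, 0x31, 0x3E, 0x85}

DEFAULT_SESSION, PROGRAMMING_SESSION, EXTENDED_SESSION = 0x01, 0x02, 0x03
HARD_RESET = 0x01
START_ROUTINE = 0x01
ENABLE_RX_TX, DISABLE_RX_TX = 0x00, 0x03
NORMAL_COMM_MESSAGES = 0x01
DTC_SETTING_ON, DTC_SETTING_OFF = 0x01, 0x02
SUPPRESS_POS_RSP = 0x80              # suppressPosRspMsgIndicationBit
ALL_DTC_GROUPS = b"\xff\xff\xff"
PRECONDITION_CHECK_RID = 0x0203      # constructed routine identifier (assumption)


def session_control(session: int) -> bytes:
    return bytes([SID_SESSION_CONTROL, session])


def tester_present(suppress_response: bool = True) -> bytes:
    return bytes([SID_TESTER_PRESENT, SUPPRESS_POS_RSP if suppress_response else 0x00])


def communication_control(control_type: int, comm_type: int = NORMAL_COMM_MESSAGES) -> bytes:
    return bytes([SID_COMM_CONTROL, control_type, comm_type])


def routine_control(sub_function: int, routine_id: int) -> bytes:
    return bytes([SID_ROUTINE_CONTROL, sub_function]) + routine_id.to_bytes(2, "big")


def security_access(level: int, key: bytes = b"") -> bytes:
    # odd level = requestSeed, the following even level = sendKey
    return bytes([SID_SECURITY_ACCESS, level]) + key


def ecu_reset(reset_type: int = HARD_RESET) -> bytes:
    return bytes([SID_ECU_RESET, reset_type])


def control_dtc_setting(setting: int) -> bytes:
    return bytes([SID_CONTROL_DTC_SETTING, setting])


def clear_dtc(group: bytes = ALL_DTC_GROUPS) -> bytes:
    return bytes([SID_CLEAR_DTC]) + group


def upgrade_sequence(unlock_key: bytes) -> list:
    """Requests of claim 1 in order, tagged with their addressing mode
    (functional = all ECUs on the network, physical = the target ECU only).
    The block download itself (0x34/0x36/0x37) sits between the two phases
    and is omitted here; TesterPresent is sent periodically alongside."""
    return [
        ("functional", session_control(EXTENDED_SESSION)),
        ("functional", communication_control(DISABLE_RX_TX)),
        ("functional", control_dtc_setting(DTC_SETTING_OFF)),  # assumed: claim only says recording is restored later
        ("physical", routine_control(START_ROUTINE, PRECONDITION_CHECK_RID)),
        ("physical", security_access(0x01)),                    # requestSeed
        ("physical", security_access(0x02, unlock_key)),        # sendKey
        ("physical", session_control(PROGRAMMING_SESSION)),
        ("physical", ecu_reset(HARD_RESET)),
        ("functional", session_control(DEFAULT_SESSION)),
        ("functional", communication_control(ENABLE_RX_TX)),
        ("functional", control_dtc_setting(DTC_SETTING_ON)),
        ("functional", clear_dtc()),
    ]


def classify_response(request: bytes, response: bytes) -> tuple:
    """Classify an ECU response to `request`: ("positive", data), ("pending", nrc),
    ("negative", nrc) or ("malformed", None). A positive response carries SID + 0x40
    and, for services with a sub-function, echoes it with the suppress bit cleared."""
    if len(response) == 3 and response[0] == NEGATIVE_RESPONSE_SID and response[1] == request[0]:
        nrc = response[2]
        return ("pending", nrc) if nrc == NRC_RESPONSE_PENDING else ("negative", nrc)
    if not response or response[0] != request[0] + 0x40:
        return ("malformed", None)
    if request[0] in SUBFUNCTION_SERVICES:
        if len(response) < 2 or response[1] != request[1] & 0x7F:
            return ("malformed", None)
        return ("positive", response[2:])
    return ("positive", response[1:])
```

A tool driving this sequence should treat "pending" (NRC 0x78) as "wait and keep the session alive with TesterPresent", not as failure, and should abort on any "negative" before the programming session is entered, since the ECU is then still in a state that a functional default-session request can recover.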

2. The OTA upgrade security management and policy control method according to claim 1, characterized in that the step in which the diagnostic tool sends a precondition check routine control service to the target electronic control unit via physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters, specifically includes: the diagnostic tool collects the current vehicle status parameters, including driving status parameters, power supply parameters, energy storage parameters, communication parameters and operating condition parameters, through the precondition check routine control service; the compliance index A is calculated based on a multi-dimensional weighted grey relational verification algorithm, and the corresponding formula is as follows: In the formula, the weight of the i-th current vehicle state parameter and the grey relational coefficient between the i-th current vehicle state parameter and the safety baseline value are the quantities denoted there, the weights being subject to the constraint given in the formula; a security verification threshold is preset; if the compliance index A reaches the threshold, the current vehicle status parameters meet the upgrade prerequisites and a status compliance signal is generated; otherwise an abnormal status signal carrying an abnormal parameter identifier is generated; the status compliance signal or the abnormal status signal is sent to the diagnostic tool.

3. The OTA upgrade security management and policy control method according to claim 2, characterized in that the grey relational coefficient between the i-th current vehicle state parameter and the safety baseline value is calculated by the following formula: In the formula, the quantities denoted are the measured value of the i-th current vehicle state parameter, the safety baseline value, and the resolution coefficient.
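The compliance index of claims 2 and 3 is a weighted grey relational score of each status parameter against its safety baseline. The following example is added here and is not the patent's code; its formulas did not survive on the page, so the example uses the standard Deng grey relational coefficient with a resolution coefficient rho, plus two stated assumptions: each deviation is normalised by an admissible deviation so that speed, voltage and bus load are comparable, and the coefficient is scaled against that admissible band rather than against the extremes of the single current sample, so that a fully compliant vehicle scores 1. Parameter names, weights, values and the threshold are constructed.

```python
"""Added example (not the patent's code): weighted grey relational check of
vehicle status parameters. Formula choices and all values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusParam:
    name: str
    weight: float
    measured: float
    baseline: float      # safety baseline value
    tolerance: float     # admissible deviation from the baseline (assumption)


def normalised_deviation(p: StatusParam) -> float:
    """Absolute deviation from the baseline in units of the admissible deviation."""
    return abs(p.measured - p.baseline) / p.tolerance


def grey_relational_coefficient(delta: float, rho: float = 0.5) -> float:
    """Deng coefficient (min + rho*max) / (delta + rho*max) with the extremes fixed
    to the admissible band [0, 1] (assumption): 1 at zero deviation, 0.5 at delta = rho."""
    return (0.0 + rho * 1.0) / (delta + rho * 1.0)


def compliance_index(params, rho: float = 0.5) -> float:
    """Compliance index A: weighted sum of coefficients, weights normalised to sum to 1."""
    total_w = sum(p.weight for p in params)
    return sum(p.weight / total_w * grey_relational_coefficient(normalised_deviation(p), rho)
               for p in params)


def precondition_check(params, threshold: float = 0.8, rho: float = 0.5) -> tuple:
    """Returns (signal, A, abnormal parameter identifiers).

    A parameter outside its admissible band blocks the upgrade regardless of A:
    A is a weighted average, so one bad parameter can be hidden by several good ones,
    and the claim's abnormal parameter identifier needs a per-parameter decision anyway."""
    a = compliance_index(params, rho)
    abnormal = [p.name for p in params if normalised_deviation(p) > 1.0]
    if a >= threshold and not abnormal:
        return ("status_compliant", a, [])
    return ("status_abnormal", a, abnormal)


def sample_status(speed_kmh, voltage_v, soc_pct, bus_load_pct, engine_running):
    """Constructed parameter set covering the five dimensions the claim names."""
    return [
        StatusParam("vehicle_speed", 0.30, speed_kmh, 0.0, 5.0),       # driving status
        StatusParam("supply_voltage", 0.25, voltage_v, 12.8, 1.0),     # power supply
        StatusParam("state_of_charge", 0.20, soc_pct, 90.0, 20.0),     # energy storage
        StatusParam("can_bus_load", 0.15, bus_load_pct, 30.0, 30.0),   # communication
        StatusParam("engine_running", 0.10, engine_running, 0.0, 0.5), # operating condition
    ]
```

With these values a parked vehicle with a slightly low battery scores A = 0.870 and passes, while a vehicle rolling at 12 km/h with the engine running scores A = 0.372 and is rejected with vehicle_speed and engine_running as the abnormal identifiers.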

4. The security management and policy control method for OTA upgrades according to claim 1, characterized in that the step in which, after the verification succeeds, a random seed is obtained through the secure access service, a key is calculated and sent to the target electronic control unit, and the upgrade operation permission is unlocked after the target electronic control unit verifies the key, specifically includes: the diagnostic tool sends a secure access service request to the target electronic control unit and receives a 256-bit random seed S generated by the target electronic control unit with its hardware encryption module; the unlock key K is calculated using an improved elliptic curve integrated encryption algorithm, and the corresponding formula is as follows: In the formula, k represents the 256-bit private key preset in the diagnostic tool; G represents the generator of the elliptic curve secp256r1; H represents the 512-bit hash function based on SHA-3; Q represents the public key of the target electronic control unit; the remaining operators denote byte-level concatenation and the XOR encryption operation; the diagnostic tool sends the unlock key K together with the diagnostic device identification information to the target electronic control unit; the target electronic control unit invokes its built-in security chip to perform a verification operation on the unlock key K using its own private key and public key, generating a verification unlock key as follows: the target electronic control unit compares the unlock key K with the verification unlock key; if they match, a permission unlock confirmation signal is generated and the upgrade operation permission is unlocked; otherwise an upgrade termination command is sent.
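The seed-and-key exchange of claim 4 combines a 256-bit seed, the tool's secp256r1 private key, the ECU's public key and SHA3-512. The example below is added here and is not the patent's code. Since the exact way the page combines its terms did not survive, the example assumes K = SHA3-512(S || x(k·Q)) XOR (S repeated to 64 bytes), where k is the tool's private key, Q the ECU's public key and S the seed; the ECU recomputes the same value with its private key d and the tool's public key P = k·G, because k·Q = k·d·G = d·P. Two practitioner points are built in: the ECU takes the tool's public key from provisioned identification information rather than from the wire (otherwise anyone holding any key pair could complete the exchange), and the seed is single-use and compared in constant time. Curve arithmetic is written out in plain Python so the example runs without third-party packages; the test keys and device identifier are constructed.

```python
"""Added example (not the patent's code): seed/key unlock with an ECDH-style
shared secret on secp256r1 and SHA3-512. Key combination, device identifiers
and test keys are assumptions/constructed values."""
import hashlib
import hmac
import secrets

# secp256r1 / NIST P-256 domain parameters
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, point):
    """Double-and-add scalar multiplication (not constant time; fine for an example)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def on_curve(point) -> bool:
    if point is None:
        return False
    x, y = point
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def derive_unlock_key(seed: bytes, own_priv: int, peer_pub) -> bytes:
    """K = H(S || x(own_priv * peer_pub)) XOR (S repeated): identical on both sides."""
    shared = ec_mul(own_priv, peer_pub)
    if shared is None:
        raise ValueError("degenerate shared point")
    sx = shared[0].to_bytes(32, "big")               # x-coordinate of k*Q (resp. d*P)
    digest = hashlib.sha3_512(seed + sx).digest()    # 512-bit SHA-3 over S || x
    mask = (seed * 2)[:64]                           # XOR step (assumption)
    return bytes(h ^ m for h, m in zip(digest, mask))


class EcuSecurityAccess:
    """ECU side of the secure access service."""
    def __init__(self, priv: int, registered_tools: dict):
        self.priv = priv
        self.pub = ec_mul(priv, G)                   # Q, known to the tool
        # device id -> tool public key, provisioned in the ECU, validated once here
        self.registered_tools = {dev: pub for dev, pub in registered_tools.items() if on_curve(pub)}
        self.pending_seed = None

    def request_seed(self) -> bytes:
        # 256-bit seed; on a real ECU this comes from the hardware security module's RNG
        self.pending_seed = secrets.token_bytes(32)
        return self.pending_seed

    def send_key(self, key: bytes, device_id: str) -> bool:
        """True (unlocked) only if `key` matches the ECU's own computation for the
        registered tool. The seed is consumed on every attempt, so a captured key
        cannot be replayed, and the comparison is constant time."""
        seed, self.pending_seed = self.pending_seed, None
        tool_pub = self.registered_tools.get(device_id)
        if seed is None or tool_pub is None:
            return False
        expected = derive_unlock_key(seed, self.priv, tool_pub)
        return hmac.compare_digest(expected, key)


def tool_unlock(ecu: EcuSecurityAccess, tool_priv: int, device_id: str) -> bool:
    """Diagnostic tool side: request seed, compute K, send K with its device id."""
    seed = ecu.request_seed()
    key = derive_unlock_key(seed, tool_priv, ecu.pub)
    return ecu.send_key(key, device_id)


def constructed_key(label: bytes) -> int:
    """Deterministic test private key in [1, N-1] (constructed, not a real key)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % (N - 1) + 1
```

Because the ECU only ever pairs the seed with a provisioned tool key, an attacker who obtains the ECU's public key and observes seeds on the bus still cannot produce a valid K without the registered tool's private key; the tool's private key therefore needs the same protection as a signing key (hardware token or HSM on the diagnostic side).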

5. The security management and policy control method for OTA upgrades according to claim 1, characterized in that the step in which the diagnostic tool sends a diagnostic session control service to the target electronic control unit to switch it to programming session mode, and the target electronic control unit activates the boot download program and configures upgrade resources, specifically includes: the diagnostic tool sends the diagnostic session control service to the target electronic control unit, instructing it to switch to programming session mode; the target electronic control unit activates the boot download program after sending a session switch confirmation response; the boot download program allocates network buffers and storage resources according to a resource allocation algorithm; after the upgrade resource configuration is completed, the target electronic control unit sends an upgrade resource ready signal to the diagnostic tool and outputs the configured upgrade execution environment.

6. The security management and policy control method for OTA upgrades according to claim 1, characterized in that the step in which the diagnostic tool transmits the upgrade data in blocks according to the network transmission caching capacity specifically includes: the diagnostic tool obtains the receive buffer capacity C, the maximum transmission unit MTU and the real-time network bandwidth B of the target electronic control unit through a resource query service, and calculates the initial block size for block transmission as follows: In the formula, the two coefficients denote the cache safety factor and the MTU adaptation factor; the initial block size is then adjusted by a dynamic adaptation algorithm based on the transmission rate to produce the final block size L, as follows: In the formula, v represents the real-time transmission rate, and the remaining quantities denote the reference transmission rate, the rate adjustment coefficient and the initial network bandwidth; the diagnostic tool divides the upgrade data into N upgrade data blocks according to the final block size L and assigns a unique identifier ID and a target storage address to each upgrade data block; through a request download service it sends the first upgrade data block, together with its unique identifier ID and target storage address, to the target electronic control unit, receives a data block reception confirmation signal from the target electronic control unit, and sends the next upgrade data block on the basis of that confirmation signal, continuing until all upgrade data blocks have been sent.
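Claim 6, together with the per-block integrity check of claim 1, describes a stop-and-wait block transfer: size the block from buffer capacity and MTU, adjust it by transmission rate, tag each block with an identifier and target address, and only send the next block once the previous one has been confirmed. The example below is added here and is not the patent's code. Its two sizing functions use placeholder formulas of the shape the claim names (they are assumptions, since the page's formulas did not survive), the integrity check is standard CRC-32 from zlib rather than the page's improved CRC, and the image, ECU parameters and injected link fault are constructed.

```python
"""Added example (not the patent's code): block transfer with per-block CRC and
ack-driven retransmission. Sizing formulas and all data are assumptions."""
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    block_id: int        # unique identifier of the block
    address: int         # target storage address in the ECU
    payload: bytes
    crc: int


def initial_block_size(capacity: int, mtu: int, alpha: float = 0.8, beta: float = 0.95) -> int:
    """Placeholder: min(alpha*C, beta*MTU), with cache safety factor alpha and
    MTU adaptation factor beta (assumption)."""
    return max(1, min(int(alpha * capacity), int(beta * mtu)))


def adjusted_block_size(initial: int, rate: float, ref_rate: float,
                        gamma: float = 0.5, min_size: int = 64) -> int:
    """Placeholder: scale by 1 + gamma*(v - v_ref)/v_ref, clamped to [min_size, initial]
    so a slow link shrinks blocks but a fast one never exceeds the buffer (assumption)."""
    scaled = int(initial * (1.0 + gamma * (rate - ref_rate) / ref_rate))
    return max(min_size, min(initial, scaled))


def split_image(image: bytes, base_address: int, block_size: int) -> list:
    """N blocks of at most block_size bytes, each with id, address and CRC-32."""
    return [Block(i + 1, base_address + off, image[off:off + block_size],
                  zlib.crc32(image[off:off + block_size]))
            for i, off in enumerate(range(0, len(image), block_size))]


class EcuReceiver:
    """ECU side: checks the CRC of every block before writing it, then acks by id."""
    def __init__(self, base_address: int, size: int):
        self.base = base_address
        self.flash = bytearray(size)
        self.received = []

    def receive(self, block: Block) -> tuple:
        if zlib.crc32(block.payload) != block.crc:
            return ("NACK", block.block_id)           # integrity check failed: nothing written
        off = block.address - self.base
        self.flash[off:off + len(block.payload)] = block.payload
        self.received.append(block.block_id)
        return ("ACK", block.block_id)


class FlakyLink:
    """Constructed fault injection: flips one byte of a chosen block on its first delivery."""
    def __init__(self, corrupt_block_id: int):
        self.corrupt_block_id = corrupt_block_id
        self.deliveries = 0

    def deliver(self, block: Block) -> Block:
        self.deliveries += 1
        if block.block_id == self.corrupt_block_id:
            self.corrupt_block_id = None
            bad = bytes([block.payload[0] ^ 0xFF]) + block.payload[1:]
            return Block(block.block_id, block.address, bad, block.crc)
        return block


def transfer(blocks, ecu: EcuReceiver, link: FlakyLink, max_retries: int = 3) -> int:
    """Send blocks in order; the next block goes out only after the previous one is
    acked under its own id. A NACK (CRC mismatch) retransmits the same block."""
    for block in blocks:
        for _ in range(max_retries):
            status, acked_id = ecu.receive(link.deliver(block))
            if status == "ACK" and acked_id == block.block_id:
                break
        else:
            raise RuntimeError(f"block {block.block_id} not accepted after {max_retries} attempts")
    return len(blocks)
```

A per-block CRC catches transmission damage but not a substituted image; the compatibility check of claim 7 and, in practice, a signature over the whole image verified by the bootloader before activation are what stop an attacker who can speak the download protocol.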

7. The security management and policy control method for OTA upgrades according to claim 1, characterized in that the compatibility check performed after all upgrade data blocks have been transmitted specifically includes: the diagnostic tool obtains the version information of the upgrade package, comprising the application version, the boot download program version, the hardware compatibility version and the underlying driver version, through a version query service, and constructs a four-dimensional version vector V; the compatibility probability P corresponding to the four-dimensional version vector V is calculated based on the improved Bayesian network compatibility evaluation model as follows: In the formula, the terms denote the bias coefficient, the standardized application version, boot download program version, hardware compatibility version and underlying driver version, and their respective weights; exp represents the exponential function with the natural constant e as its base; a compatibility probability threshold is preset; if P reaches the threshold, the upgrade package does not conflict with the target electronic control unit and a compatibility pass signal is generated; otherwise a conflict analysis report is generated identifying the conflicting version item; the compatibility signal is sent to the diagnostic tool, which terminates the transmission of the upgrade data on the basis of the compatibility signal when a conflict is reported.
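The ingredients claim 7 names for its compatibility probability (a bias coefficient, standardized version values, weights, and exp) are those of a logistic score, and a naive Bayesian model over binary match indicators reduces to exactly that form. The example below is added here and is not the patent's code: it builds the bias and weights from constructed conditional probabilities, checks the reduction against the direct Bayesian posterior, and reports the conflicting version items when P falls below the threshold. Taking the "standardized version" of a dimension to be a 0/1 indicator of whether the package version is in the ECU's supported set is this example's assumption, as are all probabilities, version data and the threshold.

```python
"""Added example (not the patent's code): logistic compatibility probability over
a four-dimensional version vector, derived from a naive Bayes model. All
probabilities, versions and the threshold are constructed."""
import math

DIMENSIONS = ("application", "bootloader", "hardware", "driver")

# Constructed P(dimension matches | compatible) and P(dimension matches | incompatible);
# hardware is the most decisive dimension.
P_MATCH_GIVEN_COMPAT = {"application": 0.95, "bootloader": 0.90, "hardware": 0.99, "driver": 0.90}
P_MATCH_GIVEN_INCOMPAT = {"application": 0.40, "bootloader": 0.50, "hardware": 0.20, "driver": 0.45}
PRIOR_COMPAT = 0.7

# Constructed ECU-side supported versions per dimension
ECU_SUPPORTED = {
    "application": {"2.3.0", "2.4.0", "2.5.0"},
    "bootloader": {"1.1", "1.2"},
    "hardware": {"HW-B"},
    "driver": {"3.0", "3.1"},
}


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def logistic_parameters() -> tuple:
    """Bias b and weights w such that sigmoid(b + sum(w_i * x_i)) equals the naive
    Bayes posterior. Each dimension contributes log(p/q) when it matches and
    log((1-p)/(1-q)) when it does not; the latter is folded into the bias."""
    bias = math.log(PRIOR_COMPAT / (1 - PRIOR_COMPAT))
    weights = {}
    for d in DIMENSIONS:
        p, q = P_MATCH_GIVEN_COMPAT[d], P_MATCH_GIVEN_INCOMPAT[d]
        mismatch_term = math.log((1 - p) / (1 - q))
        bias += mismatch_term
        weights[d] = math.log(p / q) - mismatch_term
    return bias, weights


def standardise(package_versions: dict, ecu_supported: dict) -> dict:
    """0/1 indicator per dimension: package version within the ECU's supported set (assumption)."""
    return {d: 1 if package_versions[d] in ecu_supported[d] else 0 for d in DIMENSIONS}


def compatibility_probability(x: dict) -> float:
    bias, weights = logistic_parameters()
    return sigmoid(bias + sum(weights[d] * x[d] for d in DIMENSIONS))


def naive_bayes_posterior(x: dict) -> float:
    """Direct computation, used to confirm the logistic reduction."""
    like_c, like_i = PRIOR_COMPAT, 1 - PRIOR_COMPAT
    for d in DIMENSIONS:
        p, q = P_MATCH_GIVEN_COMPAT[d], P_MATCH_GIVEN_INCOMPAT[d]
        like_c *= p if x[d] else 1 - p
        like_i *= q if x[d] else 1 - q
    return like_c / (like_c + like_i)


def compatibility_check(package_versions: dict, ecu_supported: dict, threshold: float = 0.9) -> tuple:
    """Returns ("compatibility_pass", P, []) or ("conflict", P, [conflicting dimensions])."""
    x = standardise(package_versions, ecu_supported)
    prob = compatibility_probability(x)
    if prob >= threshold:
        return ("compatibility_pass", prob, [])
    return ("conflict", prob, [d for d in DIMENSIONS if not x[d]])
```

With the constructed probabilities a fully matching package scores P = 0.990, while a package built for a different hardware revision scores P = 0.200 and is reported with hardware as the conflicting item; a check of this kind belongs before the block transfer starts, not only after it, so that an incompatible image never reaches the ECU's flash.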

8. The security management and policy control method for OTA upgrades according to claim 1, characterized in that the step in which the fault information clearing service clears the fault information generated during the upgrade process specifically includes: the diagnostic tool obtains, through a fault code reading service, the set of fault information generated by all electronic control units during the upgrade period, in which the j-th fault information item includes the fault code, the fault occurrence time, the fault-associated module and the fault level; the correlation of each fault information item with the upgrade operation is calculated based on a hierarchical correlation analysis algorithm as follows: In the formula, the quantities denoted are the time-related weight, the degree of overlap between the fault occurrence time and the upgrade time, and the logical correlation between the fault-associated module and the upgrade process, the latter two taking values from 0 to 1; a correlation threshold is preset; fault information whose correlation reaches the threshold is filtered out to form the set to be cleared, while the remaining fault information is retained and recorded as non-upgrade-related fault records; the diagnostic tool sends a fault code clearing service to all electronic control units to clear specifically the fault information in the set to be cleared.
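Claim 8 separates faults the flashing itself provoked (communication loss while non-diagnostic messages were suppressed, checksum faults on the target ECU) from faults that were already present, and clears only the former. The example below is added here and is not the patent's code; the page's correlation formula did not survive, so the example uses R = w_t · overlap + (1 − w_t) · logic, with overlap in [0, 1] measuring how close the fault time lies to the upgrade window and logic in [0, 1] how closely the fault's module is tied to the upgrade (assumption). The fault records, module table, window and threshold are constructed. It also shows the encoding of a fault code into the 3-byte DTC that ClearDiagnosticInformation (0x14) takes, since "clearing specifically" means one request per DTC rather than the all-groups request.

```python
"""Added example (not the patent's code): correlation-based partition of fault
records before clearing, plus SAE J2012 / ISO 14229 DTC byte encoding.
Formula, module table and all records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fault:
    code: str
    occurred_at: float   # seconds, as read from the ECU's fault record
    module: str          # fault-associated module
    level: int           # fault level (informational here)


# Logical correlation of a module with the upgrade process (constructed): the target
# ECU itself, then ECUs whose communication was suppressed during flashing.
LOGIC_CORRELATION = {"engine_ecu": 1.0, "gateway": 0.8, "tcu": 0.6}
UPGRADE_WINDOW = (1000.0, 1600.0)   # constructed upgrade start/end times


def time_overlap(t: float, window: tuple, tolerance: float = 600.0) -> float:
    """1 inside the upgrade window, decaying linearly to 0 over `tolerance` seconds outside it."""
    start, end = window
    distance = max(start - t, t - end, 0.0)
    return max(0.0, 1.0 - distance / tolerance)


def correlation(fault: Fault, window: tuple, w_t: float = 0.5) -> float:
    logic = LOGIC_CORRELATION.get(fault.module, 0.0)
    return w_t * time_overlap(fault.occurred_at, window) + (1 - w_t) * logic


def partition_faults(faults, window, threshold: float = 0.6, w_t: float = 0.5) -> tuple:
    """Returns (to_clear, retained): codes whose correlation reaches the threshold form the
    set to be cleared; the rest stay as non-upgrade-related records."""
    to_clear, retained = [], []
    for f in faults:
        (to_clear if correlation(f, window, w_t) >= threshold else retained).append(f.code)
    return to_clear, retained


def dtc_to_bytes(code: str, failure_type: int = 0x00) -> bytes:
    """'P0601' -> b'\\x06\\x01\\x00': first two bits from the letter (P=0, C=1, B=2, U=3),
    then the four hex digits, then the failure type byte (ISO 14229 DTC format)."""
    letter_bits = {"P": 0, "C": 1, "B": 2, "U": 3}[code[0].upper()]
    value = (letter_bits << 14) | (int(code[1]) << 12) | int(code[2:5], 16)
    return value.to_bytes(2, "big") + bytes([failure_type])


def clear_requests(dtc_codes) -> list:
    """One ClearDiagnosticInformation request per DTC in the set to be cleared."""
    return [bytes([0x14]) + dtc_to_bytes(c) for c in dtc_codes]


def sample_faults() -> list:
    """Constructed fault records read after flashing the engine ECU."""
    return [
        Fault("U0100", 1200.0, "gateway", 2),     # lost communication, during the window
        Fault("P0601", 1300.0, "engine_ecu", 3),  # target ECU checksum fault, during the window
        Fault("C1234", 100.0, "abs", 2),          # pre-existing ABS sensor fault, 15 minutes earlier
        Fault("B1000", 1100.0, "bcm", 1),         # unrelated module, merely coincident in time
        Fault("U0101", 1650.0, "tcu", 2),         # shortly after the window, suppressed ECU
    ]
```

On the sample records the gateway, target ECU and TCU faults are cleared (R = 0.90, 1.00 and 0.76) while the ABS fault and the body controller fault are retained (R = 0.00 and 0.50); a blanket 0x14 FF FF FF after flashing would have erased the pre-existing ABS fault as well.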

9. A security management and policy control system for OTA upgrades, applied to the security management and policy control method for OTA upgrades according to any one of claims 1 to 8, characterized in that the system includes: a mode switching module, used for the diagnostic tool to send a diagnostic session control service to all electronic control units in the vehicle network, instructing all electronic control units to switch to extended session mode, while periodically sending an online diagnostic service to maintain the extended session state and simultaneously sending a communication control service to prohibit the transmission of all non-diagnostic messages; a permission unlocking module, used for the diagnostic tool to send a precondition check routine control service to the target electronic control unit through physical addressing, triggering the target electronic control unit to verify the current vehicle status parameters, and, after the verification succeeds, to obtain a random seed through the secure access service, calculate a key and send it to the target electronic control unit, the upgrade operation permission being unlocked after the target electronic control unit verifies the key; a data transmission module, used for the diagnostic tool to send a diagnostic session control service to the target electronic control unit to switch it to programming session mode, for the target electronic control unit to activate the boot download program and configure upgrade resources, and for the diagnostic tool to transmit the upgrade data in blocks according to the network transmission caching capacity, performing an integrity check after each upgrade data block is transmitted and a compatibility check after all upgrade data blocks are transmitted; and a function recovery module, used for the diagnostic tool to send a hard reset service to trigger a restart of the target electronic control unit, to send a diagnostic session control service to all electronic control units through functional addressing to switch them back to default session mode, restoring normal communication control and fault code recording functions, and at the same time to send a fault information clearing service to clear the fault information generated during the upgrade process.