Version downgrade method, apparatus, and vehicle
By verifying the signature validity and version information of the downgrade authorization file, the security vulnerability caused by vehicle version downgrade is resolved, achieving the dual goals of vehicle network security and operational convenience.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- YINWANG INTELLIGENT TECHNOLOGIES CO LTD
- Filing Date
- 2024-12-12
- Publication Date
- 2026-06-18
Description
Version downgrade methods, devices, and vehicles
Technical Field
[0001] This application relates to the field of intelligent vehicles, and more specifically, to a method, apparatus, and vehicle for version downgrading.
Background Technology
[0002] As the automotive industry rapidly moves towards electrification and intelligentization, vehicles, while offering diverse and personalized services, are increasingly exposed to complex cybersecurity risks. Automakers typically use over-the-air (OTA) technology to remotely update the software of vehicle electronic control units (ECUs) to patch security vulnerabilities. However, some vehicles currently do not restrict version downgrades due to a lack of mechanisms to prevent them. This allows potential hackers to downgrade the vehicle to an older version with known security vulnerabilities, exploiting these vulnerabilities to launch attacks on the vehicle system. This compromises vehicle security and, consequently, the safety of passengers.
Summary of the Invention
[0003] This application provides a method, apparatus, and vehicle for downgrading vehicle versions, which ensures safety and helps improve user driving safety.
[0004] In a first aspect, a method for version downgrading is provided, the method comprising: receiving a downgrading authorization file of a first device, the downgrading authorization file including a first signature, the first signature being obtained by signing the downgrading authorization file with a private key; verifying the legality of the first signature according to a public key to obtain a first verification result; and, if the first verification result indicates that the first signature is legal, performing a version downgrading operation for the first device according to a version flashing task.
[0005] Based on the above technical solution, the signed downgrade authorization file is verified using a public key. If the verification result indicates that the signature is valid, a version downgrade operation for the first device can be executed according to the version flashing task. In this way, by verifying the validity of the downgrade authorization file, attackers can be prevented from affecting vehicle security by downgrading the vehicle version to an older version with known security vulnerabilities, thus helping to improve the safety of users.
[0006] Taking vehicles as an example of electronic devices, the above technical solution performs security verification on the signature of the downgrade authorization file before performing the version downgrade operation, which helps to improve the network security of the vehicle (preventing attackers from exploiting vulnerabilities in the vehicle by using the old version through version downgrade). On the other hand, the cloud server can flexibly issue downgrade authorization files to specific vehicles, which enables vehicle manufacturers to provide flexible version downgrade functions for specific vehicles when necessary, and helps to achieve the dual goals of network security and operational convenience (or, practicality).
[0007] In some possible implementations, the downgrade authorization file includes first identification information, the version flashing task includes a software package, and when the first verification result indicates that the first signature is valid, a version downgrade operation for the first device is performed according to the version flashing task, including: when the first verification result indicates that the first signature is valid, the version number of the software package for the first device is less than the current version number of the first device, and the first identification information matches the identification information of the first device in the electronic device, a version downgrade operation for the first device is performed according to the software package; or, when the first verification result indicates that the first signature is valid, the version number of the software package for the first device is less than the current version number of the first device, and the first identification information matches the identification information of the electronic device, a version downgrade operation for the first device is performed according to the software package.
[0008] In some possible implementations, the downgrade authorization file includes information about a first version number, the version flashing task includes a software package, and if the first verification result indicates that the first signature is valid, a version downgrade operation for the first device is performed according to the version flashing task, including: if the first verification result indicates that the first signature is valid, and the version number for the first device included in the software package is less than the current version number of the first device and the version number for the first device included in the software package is the first version number, then a version downgrade operation for the first device is performed according to the software package.
[0009] Based on the above technical solution, the decision on whether an electronic device can be downgraded is shifted from the electronic device itself to the cloud server. This ensures security while allowing downgrading of specific batches or models of electronic devices to specific versions, significantly improving the flexibility of version updates and addressing version downgrade requirements across multiple business scenarios, including testing and commercial applications.
[0010] In some possible implementations, the validity of the first signature is verified based on the public key, including: verifying the validity of the first signature based on the public key infrastructure (PKI) root certificate or the PKI root certificate chain, which includes the public key.
[0011] In some possible implementations, the PKI root certificate or root certificate chain also includes information about the validity period of the public key.
[0012] In some possible implementations, the PKI root certificate or root certificate chain (or public key) may be pre-installed inside the electronic device at the time of manufacture, or pre-installed inside the first device within the electronic device.
[0013] In some possible implementations, the downgrade authorization file is obtained by a cloud server signing the unsigned downgrade authorization file based on a PKI private key.
[0014] In conjunction with the first aspect, in certain implementations of the first aspect, the downgrade authorization file includes information on one or more version numbers. Before performing the version downgrade operation for the first device, the method further includes: receiving a version flashing task, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein, if the verification result indicates that the first signature is valid, performing the version downgrade operation according to the version flashing task includes: if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers, performing the version downgrade operation for the first device according to the software package.
[0015] Based on the above technical solution, the downgrade authorization file can include one or more version numbers. Thus, after receiving a version flashing task, the electronic device can determine whether to perform a version downgrade operation based on whether the version number for the first device included in the version flashing task falls within one or more version numbers. This transforms the behavior of allowing version downgrades from a fixed, static configuration into a dynamically configurable option.
[0016] Because the cloud server carries one or more version numbers in the downgrade authorization file, the electronic device needs to determine whether the version number in the software package is one of those version numbers before performing a downgrade operation. This shifts the decision on whether to allow a version downgrade from the electronic device itself to the cloud server. This allows for the downgrade of specific batches or models of electronic devices to specific versions while ensuring security, greatly improving the flexibility of version flashing and addressing version downgrade requirements in various business scenarios, including testing and commercial applications.
[0017] In some possible implementations, the downgrade authorization file includes information on one or more version numbers. Before verifying the validity of the first signature based on the public key, the method further includes: receiving a version flashing task, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein, if the verification result indicates that the first signature is valid, performing a version downgrade operation based on the version flashing task includes: if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers, performing a version downgrade operation for the first device based on the software package.
[0018] Based on the above technical solution, the verification of the legitimacy of the first signature can be performed after receiving the version flashing task.
[0019] In some possible implementations, before receiving the version flashing task, the method further includes: verifying the validity of the first signature based on the public key to obtain a second verification result; and saving the downgrade authorization file if the second verification result indicates that the downgrade authorization file is valid.
[0020] Based on the above technical solution, the legitimacy of the first signature can be verified before receiving the version flashing task. If the verification passes, the downgrade authorization file can be saved. This prevents attackers from sending illegally obtained downgrade authorization files that consume significant storage resources to electronic devices over the network, thus helping to prevent the electronic device's memory from being occupied by illegally obtained downgrade authorization files.
[0021] In conjunction with the first aspect, in some implementations of the first aspect, the downgrade authorization file includes first identification information. Before performing the version downgrade operation, the method further includes: determining that the first identification information matches second identification information of the first device, or determining that the first identification information matches third identification information of the electronic device; wherein the electronic device includes the first device.
[0022] Based on the above technical solution, the downgrade authorization file also includes identification information. Before performing a version downgrade operation, the vehicle can first determine whether this identification information matches the identification information of the electronic device or the identification information of the first device. This helps to avoid compromising vehicle safety by performing a version downgrade operation.
[0023] In conjunction with the first aspect, in some implementations of the first aspect, before performing a version downgrade operation for the first device, the method further includes: determining that the downgrade authorization file is valid.
[0024] Based on the above technical solution, before performing a version downgrade operation, it can be determined whether the downgrade authorization file is still valid. If the downgrade authorization file is valid, it can be considered as the basis for determining whether to perform the version downgrade operation.
[0025] In conjunction with the first aspect, in certain implementations of the first aspect, before verifying the validity of the first signature based on the public key, the method includes: controlling a prompting device to prompt a user whether to allow the electronic device to save the downgrade authorization file; and saving the downgrade authorization file in response to receiving a first input from the user, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
[0026] Based on the above technical solution, upon receiving the downgrade authorization file, the electronic device can prompt the user whether to save the downgrade authorization file. This helps to satisfy the user's right to know about possible future version downgrade operations.
[0027] In some possible implementations, the method further includes: when controlling the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file, controlling the prompting device to indicate to the user the space occupied (or size) of the downgrade authorization file.
[0028] In some possible implementations, the method further includes: when the space occupied by the downgrade authorization file is greater than or equal to a preset space, controlling the prompting device to prompt the user that the downgrade authorization file may pose a security risk.
[0029] In conjunction with the first aspect, in some implementations of the first aspect, before the control prompting device prompts the user whether to allow the electronic device to save the downgrade authorization file, the method further includes: verifying the legality of the first signature based on the public key to obtain a second verification result, wherein the second verification result indicates that the downgrade authorization file is legal.
[0030] Based on the above technical solution, the legitimacy of the first signature can be verified before prompting the user. Once the verification is successful, the user can be prompted whether to save the downgrade authorization file. This prevents attackers from maliciously sending illegally obtained downgrade authorization files that consume significant storage resources to electronic devices over the network, and avoids the electronic device's memory being occupied by illegally obtained downgrade authorization files.
[0031] In conjunction with the first aspect, in some implementations of the first aspect, receiving a downgrade authorization file from the first device includes: receiving a downgrade authorization file sent by a cloud server; or, receiving a downgrade authorization file sent by the cloud server through a diagnostic instrument.
[0032] In conjunction with the first aspect, in some implementations of the first aspect, the downgrade authorization file is an authorization file for the electronic control unit (ECU) in the vehicle.
[0033] In a second aspect, this application provides a method for version downgrading, the method comprising: generating a first downgrade authorization file to be signed; signing the first downgrade authorization file to be signed according to a private key to obtain a second downgrade authorization file; and sending the second downgrade authorization file to an electronic device, the second downgrade authorization file being used by the electronic device to determine whether to perform a version downgrade operation for the first device.
[0034] In conjunction with the second aspect, in some implementations of the second aspect, the second downgrade authorization file includes information on one or more version numbers, and the method further includes: sending a version flashing task to an electronic device, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein the first version number is one of one or more version numbers.
[0035] In conjunction with the second aspect, in some implementations of the second aspect, the second downgrade authorization file includes information on the validity period; and / or, the second downgrade authorization file includes first identification information, which includes identification information of the electronic device and / or identification information of the first device in the electronic device.
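The device-side checks of the first aspect and the cloud-side signing of the second aspect, shown together as an added example that is not part of the application. Ed25519, the JSON layout, all type, field and function names, and the sample key, ID, versions and dates are assumptions, since the application specifies no algorithm or file format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Authorization is what the cloud signs; fields and JSON encoding are assumptions.
type Authorization struct {
	DeviceID        string    `json:"device_id"`        // first identification information
	AllowedVersions []uint32  `json:"allowed_versions"` // one or more version numbers
	NotAfter        time.Time `json:"not_after"`        // end of validity period
}

// SignedAuthorization is the file sent to the device: signed bytes + first signature.
type SignedAuthorization struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature         = errors.New("first signature is not valid")
	ErrOutsideValidity      = errors.New("authorization is past its validity period")
	ErrWrongDevice          = errors.New("identification information does not match")
	ErrNotDowngrade         = errors.New("package version is not lower than current version")
	ErrVersionNotAuthorized = errors.New("package version is not in the authorized list")
)

// Issue is the cloud-server side: serialize once, then sign exactly those bytes.
func Issue(priv ed25519.PrivateKey, a Authorization) (SignedAuthorization, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAuthorization{}, err
	}
	return SignedAuthorization{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// CheckDowngrade is the device side; the caller flashes the package only on nil.
func CheckDowngrade(pub ed25519.PublicKey, f SignedAuthorization, deviceID string, current, pkg uint32, now time.Time) error {
	// Verify before decoding, so unauthenticated bytes never reach the parser.
	if !ed25519.Verify(pub, f.Payload, f.Signature) {
		return ErrBadSignature
	}
	var a Authorization
	if err := json.Unmarshal(f.Payload, &a); err != nil {
		return err
	}
	if now.After(a.NotAfter) {
		return ErrOutsideValidity
	}
	if a.DeviceID != deviceID {
		return ErrWrongDevice
	}
	if pkg >= current { // not a downgrade, so this file authorizes nothing
		return ErrNotDowngrade
	}
	for _, v := range a.AllowedVersions {
		if v == pkg {
			return nil
		}
	}
	return ErrVersionNotAuthorized
}

// Scenarios runs constructed cases; key, ID, versions and dates are sample values.
func Scenarios() (map[string]error, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: demo key only
	pub := priv.Public().(ed25519.PublicKey)
	now := time.Date(2025, 1, 10, 12, 0, 0, 0, time.UTC)
	const id = "ECU-SAMPLE-01"
	auth := Authorization{DeviceID: id, AllowedVersions: []uint32{3, 4}, NotAfter: now.Add(24 * time.Hour)}
	f, err := Issue(priv, auth)
	if err != nil {
		return nil, err
	}
	// Same signature over an edited version list: must fail verification.
	auth.AllowedVersions = []uint32{1}
	forged, err := json.Marshal(auth)
	if err != nil {
		return nil, err
	}
	tampered := SignedAuthorization{Payload: forged, Signature: f.Signature}
	return map[string]error{
		"authorized": CheckDowngrade(pub, f, id, 5, 4, now),
		"unlisted":   CheckDowngrade(pub, f, id, 5, 2, now),
		"upgrade":    CheckDowngrade(pub, f, id, 5, 6, now),
		"other-ecu":  CheckDowngrade(pub, f, "ECU-SAMPLE-02", 5, 4, now),
		"expired":    CheckDowngrade(pub, f, id, 5, 4, now.Add(48*time.Hour)),
		"tampered":   CheckDowngrade(pub, tampered, id, 5, 1, now),
	}, nil
}

func main() {
	fmt.Println(Scenarios())
}
```

Only the "authorized" case returns nil; every other case names the single condition that blocked the flash, which is the value worth logging on the device.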
[0036] In a third aspect, this application provides a version downgrade apparatus, comprising: a receiving unit for receiving a downgrade authorization file of a first device, the downgrade authorization file including a first signature, the first signature being obtained by signing the downgrade authorization file with a private key; a verification unit for verifying the legality of the first signature based on a public key to obtain a first verification result; and a version flashing unit for performing a version downgrade operation for the first device according to a version flashing task if the first verification result indicates that the first signature is legal.
[0037] In conjunction with the third aspect, in some implementations of the third aspect, the downgrade authorization file includes information on one or more version numbers. The receiving unit is further configured to receive a version flashing task before the version flashing unit performs the version downgrade operation. The version flashing task includes a software package, which includes information on a first version number for the first device. The version flashing unit is configured to: perform a version downgrade operation for the first device based on the software package if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers.
[0038] In conjunction with the third aspect, in some implementations of the third aspect, the downgrade authorization file includes first identification information, and the device further includes: a first determining unit, configured to determine, before the version flashing unit performs the version downgrade operation, that the first identification information matches the second identification information of the first device, or to determine that the first identification information matches the third identification information of the electronic device; wherein the electronic device includes the first device.
[0039] In conjunction with the third aspect, in some implementations of the third aspect, the apparatus further includes: a second determining unit, used to determine that the downgrade authorization file is within its validity period before the version flashing unit performs the version downgrade operation.
[0040] In conjunction with the third aspect, in some implementations of the third aspect, the apparatus includes: a control unit, configured to control a prompting device to prompt a user whether to allow the electronic device to save the downgrade authorization file before the verification unit verifies the legality of the first signature; and a file storage unit, configured to save the downgrade authorization file in response to the acquisition unit acquiring a first input from the user, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
[0041] In conjunction with the third aspect, in some implementations of the third aspect, the verification unit is further configured to verify the legality of the first signature based on the public key before the control unit prompts the user whether to allow the electronic device to save the downgrade authorization file, and obtain a second verification result, the second verification result indicating that the downgrade authorization file is legal.
[0042] In conjunction with the third aspect, in some implementations of the third aspect, the receiving unit is used to: receive a downgrade authorization file sent by the cloud server; or, receive a downgrade authorization file sent by the cloud server through a diagnostic tool.
[0043] In conjunction with the third aspect, in some implementations of the third aspect, the downgrade authorization file is an authorization file for the ECU in the vehicle.
[0044] In a fourth aspect, this application provides a version downgrade apparatus, comprising: a generation unit for generating a first downgrade authorization file to be signed; a file signing unit for signing the first downgrade authorization file to be signed according to a private key to obtain a second downgrade authorization file; and a sending unit for sending the second downgrade authorization file to an electronic device, wherein the second downgrade authorization file is used by the electronic device to determine whether to perform a version downgrade operation for the first device.
[0045] In conjunction with the fourth aspect, in some implementations of the fourth aspect, the second downgrade authorization file includes information on one or more version numbers, and the sending unit is further configured to send a version flashing task to the electronic device. The version flashing task includes a software package, which includes information on a first version number for the first device; wherein the first version number is one of one or more version numbers.
[0046] In conjunction with the fourth aspect, in some implementations of the fourth aspect, the second downgrade authorization file includes information on the validity period; and / or, the second downgrade authorization file includes first identification information, which includes identification information of the electronic device and / or identification information of the first device.
[0047] In a fifth aspect, this application provides a version downgrade apparatus, the apparatus including a processor and a memory, wherein the memory is used to store instructions, and the processor executes the instructions stored in the memory to cause the apparatus to perform any of the possible methods in the first aspect.
[0048] In a sixth aspect, this application provides a version downgrade apparatus, the apparatus including a processor and a memory, wherein the memory is used to store instructions, and the processor executes the instructions stored in the memory to cause the apparatus to perform any of the possible methods in the second aspect.
[0049] In a seventh aspect, this application provides an electronic device that includes any of the possible devices described in the third or fifth aspect above.
[0050] In conjunction with the seventh aspect, in some implementations of the seventh aspect, the electronic device is a vehicle.
[0051] In an eighth aspect, this application provides a cloud server that includes any of the possible devices described in the fourth or sixth aspect above.
[0052] In a ninth aspect, this application provides a computer program product comprising: computer program code, which, when executed on a computer, causes the computer to perform any one of the possible methods described in the first or second aspect above.
[0053] It should be noted that the above-mentioned computer program code can be stored in whole or in part on the first storage medium, wherein the first storage medium can be packaged together with the processor or packaged separately from the processor. This application embodiment does not specifically limit this.
[0054] In a tenth aspect, this application provides a computer-readable storage medium storing program code that, when executed on a computer, causes the computer to perform any of the possible methods described in the first or second aspect above.
[0055] In one aspect, this application provides a chip system including circuitry for performing any of the possible methods described in the first or second aspect above.
Attached Figure Description
[0056] Figure 1 is a functional block diagram of the vehicle provided in an embodiment of this application.
[0057] Figure 2 is a schematic flowchart of the version downgrade method provided in the embodiments of this application.
[0058] Figure 3 is a graphical user interface (GUI) provided in an embodiment of this application.
[0059] Figure 4 is a schematic diagram of the system architecture provided in an embodiment of this application.
[0060] Figure 5 is another schematic flowchart of the version downgrade method provided in the embodiments of this application.
[0061] Figure 6 is another schematic flowchart of the version downgrade method provided in the embodiments of this application.
[0062] Figure 7 is a schematic block diagram of a version downgrade device provided in an embodiment of this application.
[0063] Figure 8 is another schematic block diagram of the version downgrade device provided in the embodiments of this application.
Detailed Implementation
[0064] The technical solutions of the embodiments of this application will be described below with reference to the accompanying drawings. In the description of the embodiments of this application, unless otherwise stated, " / " means "or," for example, A / B can mean A or B; "and / or" in this document is merely a description of the association relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone. "At least one" refers to one or more. For example, "at least one of A and B," similar to "A and / or B," describes the association relationship between related objects, indicating that three relationships can exist. For example, at least one of A and B can represent: A existing alone, A and B existing simultaneously, and B existing alone.
[0065] The prefixes such as "first" and "second" used in this application embodiment are merely for distinguishing different descriptive objects and do not limit the position, order, priority, quantity, or content of the described objects. The use of ordinal numbers and other prefixes used to distinguish descriptive objects in this application embodiment does not constitute a limitation on the described objects. The description of the described objects is given in the claims or the context of the embodiments, and should not constitute unnecessary restrictions due to the use of such prefixes. Furthermore, in the description of this embodiment, unless otherwise stated, "multiple" means two or more.
[0066] As mentioned earlier, with the rapid development of the automotive industry towards electrification and intelligentization, vehicles, while providing diversified and personalized services, are also increasingly exposed to complex cybersecurity risks. Automakers typically use OTA (Over-The-Air) technology to remotely update vehicle ECU software to patch security vulnerabilities. Currently, there are several methods for version downgrading:
[0067] (1) No restrictions on version downgrades: There are no excessive restrictions on ECU version downgrades; only the legitimacy of the software package source and the integrity of the software package are verified. As long as the software package source is reliable and its content has not been tampered with, it is allowed to be updated to the ECU. This approach is extremely insecure because it lacks a mechanism to prevent downgrades, allowing attackers to easily obtain older versions of software with high-risk vulnerabilities and then achieve their goals through downgrade attacks.
[0068] (2) Prohibiting Version Downgrades: Prohibiting version downgrades is a security measure that compares the target version number with the current version number during ECU flashing. If the target version number is lower than the current version number, the system will refuse to perform the flashing operation. This version number-based verification mechanism effectively prevents software downgrades and avoids reverting to older versions with potential security risks. While this method is effective in preventing the exploitation of vulnerabilities in older versions in terms of network security, in the automotive field, supporting version downgrades is necessary in certain special circumstances. Scenario 1 and Scenario 2 are illustrated as examples:
[0069] Scenario 1: If a vehicle's software version has a serious problem that could threaten property or personal safety, then providing a downgrade option allows the software to revert to a stable and reliable older version. The lack of this downgrade capability could cause the problem to escalate and become uncontrollable.
[0070] Scenario 2: Before releasing a software version, automakers need to conduct repeated upgrade and downgrade tests to ensure the reliability of the upgrade path and avoid overlooking low-probability issues. If downgrades are not supported, it will increase the difficulty and complexity of testing.
[0071] Therefore, in the automotive industry, completely banning version downgrades would have some adverse effects.
[0072] This application provides a method, apparatus, and electronic device for version downgrading. On the one hand, it can prevent attackers from exploiting vulnerabilities in older versions through version downgrading. On the other hand, it can provide a secure and controllable version downgrading capability for specific electronic devices, thereby achieving the dual goals of network security and operational convenience.
[0073] Taking a vehicle as an example, Figure 1 is a functional block diagram of a vehicle 100 provided in an embodiment of this application.
[0074] As shown in Figure 1, vehicle 100 may include a perception system 110, a computing platform 120, and a communication system 130. The perception system 110 may include one or more sensors for sensing information about the environment surrounding vehicle 100. For example, the perception system 110 may include a positioning system, which may be a Global Positioning System (GPS), a BeiDou Navigation Satellite System, or another positioning system. Alternatively, the perception system 110 may include one or more of the following: an inertial measurement unit (IMU), an accelerometer, a lidar, millimeter-wave radar, ultrasonic radar, and a camera device. Furthermore, the perception system 110 may include one or more collision sensors.
[0075] Some or all of the functions of vehicle 100 can be controlled by computing platform 120. Computing platform 120 may include one or more processors, such as processors 121 to 12n (n being a positive integer). A processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a central processing unit (CPU), microprocessor, graphics processing unit (GPU) (which can be understood as a type of microprocessor), or digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. These logical relationships are fixed or reconfigurable. For example, the processor may be a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as a field-programmable gate array (FPGA). In reconfigurable hardware circuits, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement some or all of the functions of the aforementioned units. Furthermore, the processor can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a neural network processing unit (NPU), tensor processing unit (TPU), deep learning processing unit (DPU), etc. In addition, the computing platform 120 may also include a memory for storing instructions. Some or all of the processors 121 to 12n can call the instructions in the memory to implement the corresponding functions.
[0076] The communication system 130 may integrate one or more devices, including at least one communication module. The communication system 130 can transmit and receive electromagnetic waves via an antenna, enabling the vehicle 100 to communicate with servers, other vehicles, roadside equipment, etc., based on a vehicle-to-everything (V2X) network, such as vehicle-to-vehicle (V2V) communication networks, vehicle-to-infrastructure (V2I) communication networks, and vehicle-to-network (V2N) communication networks. Wireless communication technologies may also include short-range wireless communication technologies, such as Bluetooth (BT), radio frequency identification (RFID), and NearLink. For example, the communication system 130 may include an onboard telematics box (T-box), or it may include other communication modules. In practice, vehicle 100 communicates with cloud servers, roadside equipment, etc. via T-box. Vehicle 100 can also communicate with other devices that have the same wireless short-range communication module via other wireless short-range communication modules.
[0077] Optionally, the structure of the vehicle 100 described above is merely illustrative. In actual applications, various components of the vehicle 100 may be added or removed as needed.
[0078] The vehicle 100 in this application may include: road vehicles, water vehicles, air vehicles, industrial equipment, agricultural equipment, or entertainment equipment, etc. For example, vehicle 100 may be a means of transportation (such as commercial vehicles, passenger cars, motorcycles, flying cars, trains, etc.), industrial vehicles (such as forklifts, trailers, tractors, etc.), engineering vehicles (such as excavators, bulldozers, cranes, etc.), agricultural equipment (such as lawnmowers, harvesters, etc.), amusement equipment, toy vehicles, etc. The embodiments of this application do not specifically limit the type of vehicle.
[0079] Figure 2 shows a schematic flowchart of a version downgrade method 200 provided in an embodiment of this application. This method 200 can be executed by an electronic device (e.g., the vehicle 100 described above); or by a computing platform 120; or by an ECU in the vehicle 100 that is to be downgraded. The method 200 includes:
[0080] S210, receive the downgrade authorization file from the first device. The downgrade authorization file includes a first signature, which is obtained by signing the downgrade authorization file with a private key.
[0081] Optionally, the first signature in the downgrade authorization file is obtained by the cloud server signing the to-be-signed downgrade authorization file with the PKI private key.
[0082] Optionally, the downgrade authorization file includes identification information of the first device. Taking the case where the first device is an ECU in a vehicle as an example, the identification information of the first device can be the unique identifier of the ECU.
[0083] Optionally, the downgrade authorization file includes identification information of the electronic device. For example, if the first device is a vehicle, the identification information could be the vehicle's VIN. If the first device is a mobile phone, the identification information could be the mobile phone's unique identifier.
[0084] Optionally, the downgrade authorization file may include identification information of one or more devices.
[0085] Taking the case where the one or more devices are ECU1 and ECU2 in a vehicle as an example, the downgrade authorization file may include the identification information of ECU1 and ECU2.
[0086] Optionally, the downgrade authorization file may include information on one or more version numbers.
[0087] For example, taking ECU1 in a vehicle as the first device, the downgrade authorization file may include multiple version numbers for ECU1, such as version number 1.0, version number 2.0 and version number 3.0.
[0088] Optionally, the downgrade authorization file includes a mapping between each of multiple devices and the one or more version numbers corresponding to that device. For example, taking the case where the multiple devices are multiple ECUs in a vehicle, Table 1 shows one such mapping.
[0089] Table 1
[0090] Optionally, the downgrade authorization file includes information about its validity period. For example, the validity period is (T1, T2). Before performing a version downgrade operation, the electronic device can determine whether the current time is within the validity period of the downgrade authorization file. If it is within the validity period, the version downgrade operation can be performed; otherwise, the version downgrade operation can be skipped.
[0091] For example, Table 2 shows the format of the downgrade authorization file provided in the embodiments of this application.
[0092] Table 2
[0093] The format of the downgrade authorization file shown in Table 2 above is merely illustrative, and the embodiments of this application do not impose specific limitations on it. For example, the validity periods corresponding to ECU1 and ECU2 may also be different.
[0094] S220, based on the public key, verify the validity of the first signature to obtain the first verification result.
[0095] Optionally, verifying the validity of the first signature based on the public key includes: verifying the validity of the first signature based on the public key in the PKI root certificate or the PKI root certificate chain.
[0096] For example, the PKI root certificate or root certificate chain also includes information about the validity period of the public key.
[0097] For example, the PKI root certificate or root certificate chain (or public key) may be pre-installed inside the electronic device at the time of manufacture, or pre-installed inside a first device within the electronic device.
[0098] S230, if the first verification result indicates that the first signature is valid, execute the version downgrade operation for the first device according to the version flashing task.
[0099] In this embodiment, the signed downgrade authorization file is verified using a public key. If the verification result indicates that the signature is valid, a version downgrade operation for the first device can be performed according to the version flashing task. Taking a vehicle as an example, by verifying the validity of the downgrade authorization file, attackers can be prevented from affecting the vehicle's security by downgrading the vehicle version to an older version with known security vulnerabilities, thus helping to improve the user's driving safety.
[0100] Taking a vehicle as an example of the electronic device, on the one hand, the above technical solution helps improve the vehicle's network security by verifying the security of the downgrade authorization file before performing the version downgrade operation (preventing attackers from using a version downgrade to exploit vulnerabilities in an old version). On the other hand, the cloud server can flexibly issue downgrade authorization files to specific vehicles, enabling vehicle manufacturers to provide flexible version downgrade functions for specific vehicles when necessary, which helps to achieve the dual goals of network security and operational convenience (or practicality).
[0101] Optionally, taking the downgrade authorization file including a first signature and first identification information as an example, the version flashing task includes a software package. If the first verification result indicates that the first signature is valid, a version downgrade operation for the first device is performed according to the version flashing task, including: if the first verification result indicates that the first signature is valid, the version number of the software package for the first device is less than the current version number of the first device, and the first identification information matches the identification information of the first device in the electronic device, then a version downgrade operation for the first device is performed according to the software package; or, if the first verification result indicates that the first signature is valid, the version number of the software package for the first device is less than the current version number of the first device, and the first identification information matches the identification information of the electronic device, then a version downgrade operation for the first device is performed according to the software package.
[0102] For example, the downgrade authorization file includes identification information 1, ECU1's current version number is 2.0, and the software package includes the version corresponding to ECU1's version number 1.0. When it is determined that the version number of ECU1 included in the software package is less than ECU1's current version number, it can be determined that a version downgrade operation for ECU1 needs to be performed. If the first signature is valid and identification information 1 matches the identification information of ECU1, the version downgrade operation for ECU1 can be performed. That is, ECU1 is flashed from the version corresponding to version number 2.0 to the version corresponding to version number 1.0.
[0103] For example, the downgrade authorization file includes identification information 1, ECU1's current version number is 2.0, and the software package includes the version corresponding to ECU1's version number 1.0. When it is determined that the version number of ECU1 included in the software package is less than ECU1's current version number, it can be determined that a version downgrade operation for ECU1 needs to be performed. If the first signature is valid and identification information 1 matches the vehicle's VIN, the version downgrade operation for ECU1 can be performed. That is, ECU1 is flashed from the version corresponding to version number 2.0 to the version corresponding to version number 1.0.
[0104] In this embodiment of the application, the downgrade authorization file may carry first identification information, which enables the electronic device to downgrade the version of the first device from the current version to the version in the software package when it is determined that the first signature is valid and the first identification information matches the identification information of the first device or the identification information of the electronic device.
[0105] Optionally, the downgrade authorization file includes information about a first version number, and the version flashing task includes a software package. If the first verification result indicates that the first signature is valid, a version downgrade operation for the first device is performed according to the version flashing task, including: if the first verification result indicates that the first signature is valid, and the version number of the software package for the first device is less than the current version number of the first device and the version number of the software package for the first device is the first version number, then a version downgrade operation for the first device is performed according to the software package.
[0106] For example, the downgrade authorization file includes information about ECU1's version number 1.0, ECU1's current version number is 2.0, and the software package includes the version corresponding to ECU1's version number 1.0. If it is determined that the version number of ECU1 included in the software package is less than the current version number of ECU1, it can be determined that a version downgrade operation for ECU1 needs to be performed. If the first signature is valid and the version number of ECU1 included in the software package is the same as the version number of ECU1 included in the downgrade authorization file, the version downgrade operation for ECU1 can be performed. That is, ECU1 is flashed from the version corresponding to version number 2.0 to the version corresponding to version number 1.0.
[0107] The above explanation uses the example of determining that the version number of ECU1 included in the software package is the same as the version number of ECU1 included in the downgrade authorization file. The embodiments of this application are not limited to this. For example, the version number of ECU1 included in the downgrade authorization file can be a first string, and the version number of ECU1 included in the software package can be a second string. Thus, if the first signature is valid and the first string matches the second string, the version downgrade operation for ECU1 can be performed.
[0108] For example, matching the first string with the second string includes the first string being identical to the second string, or the first string being identical to a portion of the second string.
[0109] In this embodiment, the decision on whether an electronic device (e.g., a vehicle) is allowed to be downgraded is shifted from the electronic device itself to the cloud server. This ensures security while allowing downgrading of specific batches or models of electronic devices to specific versions, improving the flexibility of version updates and addressing version downgrade requirements across multiple business scenarios, including testing and commercial applications.
[0110] Taking vehicles as an example of electronic devices, the above technical solutions help improve the network security of vehicles (preventing attackers from exploiting vulnerabilities in vehicles by downgrading versions), and also allow vehicle manufacturers to provide flexible version downgrading functions for specific vehicles when necessary, which helps to achieve the dual goals of network security and ease of operation (or, practicality).
[0111] Optionally, the downgrade authorization file includes information on one or more version numbers. Before performing the downgrade operation for the first device, the method further includes: receiving a version flashing task, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein, if the verification result indicates that the first signature is valid, performing the downgrade operation according to the version flashing task includes: if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers, performing the downgrade operation for the first device according to the software package.
[0112] For example, the downgrade authorization file includes version numbers 1.0, 2.0, and 3.0 for ECU1. ECU1's current version number is 4.0, and the software package includes the version corresponding to ECU1's version number 2.0. If it is determined that the version number of ECU1 included in the software package is less than ECU1's current version number, it can be determined that a version downgrade operation for ECU1 needs to be performed. If the first signature is valid and the version number of ECU1 included in the software package is one of the multiple version numbers of ECU1 included in the downgrade authorization file, the version downgrade operation for ECU1 can be performed. That is, ECU1 is flashed from the version corresponding to version number 4.0 to the version corresponding to version number 2.0.
[0113] In this embodiment, the downgrade authorization file may include one or more version numbers. Thus, after receiving a version flashing task, the electronic device can determine whether to perform a version downgrade operation based on whether the version number for the first device included in the version flashing task is among one or more version numbers. This transforms the behavior of allowing version downgrades from a fixed, static configuration into a dynamically configurable option.
[0114] Because the cloud server carries one or more version numbers in the downgrade authorization file, the electronic device needs to determine whether the version number in the software package is one of those version numbers before performing a downgrade operation. This shifts the decision on whether to allow a version downgrade from the electronic device itself to the cloud server. This allows specific batches or models of electronic devices to be downgraded to specific versions while ensuring security, greatly improving the flexibility of version flashing and addressing version downgrade requirements in various business scenarios, including testing and commercial applications.
[0115] Optionally, the downgrade authorization file includes a correspondence between multiple devices and multiple version numbers. Before performing a version downgrade operation for the first device, the method further includes: receiving a version flashing task, the version flashing task including a software package, the software package including information about a first version number for the first device; wherein, if the verification result indicates that the first signature is valid, performing a version downgrade operation according to the version flashing task includes: obtaining one or more version numbers corresponding to the first device based on the correspondence; if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers, performing a version downgrade operation for the first device according to the software package.
[0116] For example, the correspondence can be as shown in Table 1 above.
[0117] For example, the downgrade authorization file includes information on version numbers 1.0, 2.0, and 3.0 of ECU1 and version numbers 1.1, 2.1, and 3.1 of ECU2. The current version number of ECU1 is 4.0, and the current version number of ECU2 is 4.1. The software package includes the version corresponding to version number 2.0 of ECU1 and the version corresponding to version number 2.2 of ECU2.
[0118] If it is determined that the version number of ECU1 included in the software package is lower than the current version number of ECU1, it can be determined that a version downgrade operation for ECU1 needs to be performed. If the first signature is valid and the version number of ECU1 included in the software package is one of the multiple version numbers of ECU1 included in the downgrade authorization file, the version downgrade operation for ECU1 can be performed. That is, ECU1 is flashed from the version corresponding to version number 4.0 to the version corresponding to version number 2.0.
[0119] If it is determined that the version number of ECU2 included in the software package is lower than the current version number of ECU2, it can be determined that a version downgrade operation for ECU2 needs to be performed. If the first signature is valid but the version number of ECU2 included in the software package is not one of the multiple version numbers of ECU2 included in the downgrade authorization file, the version downgrade operation for ECU2 may not be performed. That is, no flashing operation will be performed on ECU2.
[0120] Optionally, the downgrade authorization file includes information on one or more version numbers. Before verifying the validity of the first signature based on the public key, the method further includes: receiving a version flashing task, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein, if the verification result indicates that the first signature is valid, performing a version downgrade operation based on the version flashing task includes: if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers, performing a version downgrade operation for the first device based on the software package.
[0121] For example, the validity verification of the first signature can be performed after receiving the version flashing task.
[0122] Optionally, before receiving the version flashing task, the method 200 further includes: verifying the legality of the first signature based on the public key to obtain a second verification result; and saving the downgrade authorization file if the second verification result indicates that the downgrade authorization file is legal.
[0123] In this embodiment, the legitimacy of the first signature can be verified before receiving the version flashing task. If the verification passes, the downgrade authorization file can be saved. This prevents attackers from sending illegally obtained downgrade authorization files that consume significant storage resources to electronic devices over the network, which helps keep the electronic device's memory from being occupied by such files.
[0124] Optionally, the downgrade authorization file includes first identification information. Before performing the version downgrade operation, method 200 further includes: determining that the first identification information matches second identification information of the first device, or determining that the first identification information matches third identification information of the electronic device; wherein the electronic device includes the first device.
[0125] In this embodiment, the downgrade authorization file also includes identification information. Before performing a version downgrade operation, the vehicle can first determine whether the identification information matches the identification information of the electronic device or the identification information of the first device. This helps avoid compromising vehicle safety through a version downgrade operation.
[0126] Optionally, before performing the version downgrade operation for the first device, method 200 further includes: determining that the downgrade authorization file is valid.
[0127] In this embodiment, before performing a version downgrade operation, the vehicle can first determine whether the downgrade authorization file is valid. If the downgrade authorization file is valid, it can be used as a basis for determining whether to perform the version downgrade operation.
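The checks this section attaches to method 200 (first signature, validity period, identification match, a target version lower than the installed one, and membership in the authorized version list) can be combined into a single decision, shown here with the ECU1/ECU2 values of paragraphs [0117] to [0119]. This Go code is an added example, not taken from the application: the JSON payload layout, the choice of Ed25519, all type and function names, the test key pair and the VIN are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Payload is an assumed layout of the signed content; field names are hypothetical.
type Payload struct {
	ID        string              `json:"id"`         // first identification information
	Allowed   map[string][]string `json:"allowed"`    // device -> permitted target versions
	NotBefore time.Time           `json:"not_before"` // T1 of the validity period
	NotAfter  time.Time           `json:"not_after"`  // T2 of the validity period
}
type AuthFile struct{ Signed, Signature []byte } // exact signed bytes and first signature
type Task struct{ Device, Version string }       // one entry of a version flashing task
type Vehicle struct {
	VIN     string
	Current map[string]string // device -> installed version
	Root    ed25519.PublicKey // pre-installed public key (Ed25519 is this example's choice)
}

var ErrDenied = errors.New("downgrade denied")

// parse reads at most four dotted numeric components; missing ones count as 0.
func parse(s string) (v [4]uint64, err error) {
	parts := strings.Split(s, ".")
	if len(parts) > len(v) {
		return v, fmt.Errorf("malformed version %q", s)
	}
	for i, p := range parts {
		if v[i], err = strconv.ParseUint(p, 10, 32); err != nil {
			return v, fmt.Errorf("malformed version %q", s)
		}
	}
	return v, nil
}

// older reports whether dotted version a is strictly lower than b.
func older(a, b string) (bool, error) {
	va, errA := parse(a)
	vb, errB := parse(b)
	if errA != nil || errB != nil {
		return false, errors.New("malformed version")
	}
	for i := range va {
		if va[i] != vb[i] {
			return va[i] < vb[i], nil
		}
	}
	return false, nil
}

// AuthorizeDowngrade verifies the signature before parsing; nil means every check passed.
func AuthorizeDowngrade(v Vehicle, f AuthFile, t Task, now time.Time) error {
	if len(v.Root) != ed25519.PublicKeySize || !ed25519.Verify(v.Root, f.Signed, f.Signature) {
		return fmt.Errorf("%w: invalid signature", ErrDenied)
	}
	var p Payload
	if err := json.Unmarshal(f.Signed, &p); err != nil {
		return fmt.Errorf("%w: unreadable payload", ErrDenied)
	}
	if now.Before(p.NotBefore) || now.After(p.NotAfter) {
		return fmt.Errorf("%w: outside validity period", ErrDenied)
	}
	if p.ID != v.VIN && p.ID != t.Device { // vehicle id, or id of the device itself
		return fmt.Errorf("%w: identification mismatch", ErrDenied)
	}
	cur, known := v.Current[t.Device]
	if lower, err := older(t.Version, cur); !known || err != nil || !lower {
		return fmt.Errorf("%w: %q is not lower than installed %q", ErrDenied, t.Version, cur)
	}
	for _, allowed := range p.Allowed[t.Device] {
		if allowed == t.Version { // exact match; the page also allows partial matching
			return nil
		}
	}
	return fmt.Errorf("%w: %s not authorized for %s", ErrDenied, t.Version, t.Device)
}

// sample builds constructed data: a test key pair stands in for the PKI, the VIN is made up.
func sample() (Vehicle, AuthFile, time.Time) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)
	signed, _ := json.Marshal(Payload{ID: "TESTVIN0000000001", NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		Allowed: map[string][]string{"ECU1": {"1.0", "2.0", "3.0"}, "ECU2": {"1.1", "2.1", "3.1"}}})
	v := Vehicle{VIN: "TESTVIN0000000001", Current: map[string]string{"ECU1": "4.0", "ECU2": "4.1"}, Root: pub}
	return v, AuthFile{signed, ed25519.Sign(priv, signed)}, now
}

func main() {
	v, f, now := sample()
	fmt.Println("ECU1 -> 2.0:", AuthorizeDowngrade(v, f, Task{"ECU1", "2.0"}, now))
	fmt.Println("ECU2 -> 2.2:", AuthorizeDowngrade(v, f, Task{"ECU2", "2.2"}, now))
}
```

Because the signature covers the exact bytes that are later parsed, a modified version list or validity period fails at the first check and is never interpreted.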
[0128] Optionally, before verifying the validity of the first signature based on the public key, the method includes: controlling the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file; and saving the downgrade authorization file in response to receiving a first input from the user, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
[0129] For example, Figure 3 illustrates a graphical user interface (GUI) provided in an embodiment of this application.
[0130] As shown in Figure 3, after the vehicle receives the downgrade authorization file, a prompt box can be displayed on the central control screen. The prompt box includes the message "The vehicle has received downgrade authorization files for multiple ECUs. Before performing the version downgrade operation for these ECUs, the downgrade authorization files will be used for legality verification. Please confirm whether to save the downgrade authorization files", as well as a view control, a cancel control, and a confirm control.
[0131] Optionally, in response to detecting a user input of clicking the view control, the vehicle can display the version number information corresponding to each ECU in the downgrade authorization file on the central control screen.
[0132] Optionally, the vehicle can display a description of each ECU's version number (e.g., function introduction) on the central control screen.
[0133] Optionally, in response to detecting a user input of clicking the confirm control, the vehicle can save the downgrade authorization file locally on the vehicle.
[0134] In this embodiment, upon receiving the downgrade authorization file, the electronic device can prompt the user whether to save the downgrade authorization file. This helps to satisfy the user's right to know about possible future version downgrade operations.
[0135] Optionally, the method 200 further includes: when controlling the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file, controlling the prompting device to prompt the user with the space occupied by (or the size of) the downgrade authorization file.
[0136] Optionally, the method 200 further includes: when the space occupied by the downgrade authorization file is greater than or equal to a preset space, controlling the prompting device to prompt the user that the downgrade authorization file may pose a security risk.
[0137] Optionally, before controlling the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file, method 200 further includes: verifying the legality of the first signature based on the public key to obtain a second verification result, wherein the second verification result indicates that the downgrade authorization file is legal.
[0138] In this embodiment, the validity of the first signature can be verified before prompting the user. After successful verification, the user can be prompted whether to save the downgrade authorization file. This prevents attackers from maliciously sending illegal downgrade authorization files that consume significant storage resources to electronic devices over the network, and prevents the electronic device's memory from being occupied by illegal downgrade authorization files.
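The ordering described in [0128] and [0135] to [0138] (verify the signature, then prompt with the file size and a risk warning, then save only on confirmation) is illustrated below. This Go code is an added example, not taken from the application: Ed25519, the 4096-byte preset, and the names Store, Prompt and Intake are assumptions, and the files are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

const PresetBytes = 4096 // assumed value for the "preset space" threshold

type AuthFile struct{ Signed, Signature []byte } // signed bytes and first signature

// Prompt is what the prompting device shows before anything is saved.
type Prompt struct {
	SizeBytes int  // space the file would occupy
	Risk      bool // true when SizeBytes >= PresetBytes
}

// Store holds the downgrade authorization files the user agreed to save.
type Store struct {
	Root  ed25519.PublicKey // pre-installed public key (Ed25519 is this example's choice)
	Saved []AuthFile
}

var ErrBadSignature = errors.New("signature not valid; file discarded")

// Intake verifies the signature first, then asks the user, then saves.
// confirm stands in for the prompting device; it is never called for a file
// that fails verification, so a forged file costs neither storage nor a prompt.
func (s *Store) Intake(f AuthFile, confirm func(Prompt) bool) (bool, error) {
	if len(s.Root) != ed25519.PublicKeySize || !ed25519.Verify(s.Root, f.Signed, f.Signature) {
		return false, ErrBadSignature
	}
	size := len(f.Signed) + len(f.Signature)
	if !confirm(Prompt{SizeBytes: size, Risk: size >= PresetBytes}) {
		return false, nil // user cancelled: nothing is persisted
	}
	s.Saved = append(s.Saved, AuthFile{append([]byte(nil), f.Signed...), append([]byte(nil), f.Signature...)})
	return true, nil
}

// demo feeds three constructed files to Intake: a small valid one, a large
// valid one, and a modified one carrying the small file's signature.
func demo() (saved int, prompts []Prompt, forgedErr error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // test key pair standing in for the PKI
	s := &Store{Root: pub}
	// This simulated user confirms unless the prompt carries a risk warning.
	ask := func(p Prompt) bool { prompts = append(prompts, p); return !p.Risk }

	small := []byte(`{"id":"TESTVIN0000000001","allowed":{"ECU1":["2.0"]}}`)
	sig := ed25519.Sign(priv, small)
	big := make([]byte, PresetBytes)
	tampered := []byte(`{"id":"TESTVIN0000000001","allowed":{"ECU1":["1.0"]}}`)

	s.Intake(AuthFile{small, sig}, ask)
	s.Intake(AuthFile{big, ed25519.Sign(priv, big)}, ask)
	_, forgedErr = s.Intake(AuthFile{tampered, sig}, ask)
	return len(s.Saved), prompts, forgedErr
}

func main() {
	saved, prompts, err := demo()
	fmt.Println("saved:", saved, "prompts:", prompts, "forged:", err)
}
```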
[0139] Optionally, receiving a downgrade authorization file from the first device includes: receiving a downgrade authorization file sent by a cloud server; or receiving a downgrade authorization file sent by the cloud server through a diagnostic instrument.
[0140] Optionally, the downgrade authorization file is an authorization file for an electronic control unit (ECU) in the vehicle.
[0141] Figure 4 illustrates a schematic diagram of the system architecture provided in an embodiment of this application. This system architecture includes a cloud server 410 and a vehicle 420. The cloud server 410 includes a PKI 411 and a version management platform 412, and the vehicle 420 includes an ECU 421.
[0142] As a basic functional module of cloud server 410, PKI 411 can provide digital signature services for downgrade authorization files, ensuring their integrity and credible origin. Furthermore, PKI 411 can also provide trusted PKI root certificates or PKI root certificate chains, enabling vehicles to verify the signature of downgrade authorization files. For example, the provision of the root certificate by PKI 411 can be completed before the vehicle leaves the factory, or it can be carried out on the component production line of ECU 421. For instance, the ECU equipment system on the production line can obtain the PKI root certificate from the cloud server and store it in ECU 421.
[0143] For example, a PKI root certificate or a PKI root certificate chain may include a public key and the validity period of the public key.
[0144] Version management platform 412, as another fundamental capability module of cloud services, provides a unified management portal for vehicle downgrade authorization files. Through this version management platform 412, maintenance personnel of cloud server 410 can view the status of the downgrade authorization files of all vehicles and can distribute, update, and delete downgrade authorization files for specific vehicles.
[0145] Downgrade authorization files can be created by the version management platform 412 and signed by PKI 411 before being distributed to the designated vehicles. The downgrade authorization file may contain a unique identifier for the vehicle or ECU, the target version number for which downgrading is permitted, and a valid PKI signature.
[0146] The vehicle or ECU 421 can act as the entity performing the version flashing task. For example, the vehicle can receive a downgrade authorization file issued by the version management platform 412. To ensure the legitimacy of the downgrade authorization file, the vehicle needs to verify information such as the validity period and unique identifier of the downgrade authorization file. In addition, the vehicle must have a PKI root certificate pre-installed and use the root certificate to verify the signature of the downgrade authorization file to ensure the integrity and legitimate origin of the downgrade authorization file. When performing the version flashing operation, the vehicle or the ECU 421 controller can determine whether the version downgrade operation is allowed based on the downgrade authorization file.
[0147] Figure 5 shows a schematic flowchart of a version downgrade method 500 provided in an embodiment of this application. The flowchart includes a downgrade authorization file distribution stage and a version flashing stage. The method 500 includes:
[0148] S501, the PKI sends the PKI root certificate to the vehicle.
[0149] For example, the PKI root certificate includes a public key and information about the validity period of the public key.
[0150] S501 above can be performed before the vehicle leaves the factory, or on the ECU component production line.
[0151] S502, the version management platform obtains the downgrade authorization file to be signed.
[0152] For example, the downgrade authorization file to be signed includes first identification information, one or more version numbers, and validity period information.
[0153] S503, the version management platform sends first request information to the PKI, the first request information requesting the PKI to sign the downgrade authorization file to be signed.
[0154] Optionally, the first request information may include the downgrade authorization file to be signed.
[0155] S504, the PKI uses its private key to sign the downgrade authorization file based on the first request information, and obtains the signed downgrade authorization file.
[0156] For example, the signed downgrade authorization file includes a first signature, first identification information, one or more version numbers, and validity period information.
[0157] S505, the PKI sends first response information to the version management platform.
[0158] Optionally, the first response information includes the signed downgrade authorization file.
[0159] S506, the version management platform sends the signed downgrade authorization file to the vehicle.
[0160] Optionally, in response to receiving the signed downgrade authorization file, the vehicle may control a prompting device to ask the user whether to allow the vehicle to save the downgrade authorization file.
[0161] Optionally, the version management platform sends a signed downgrade authorization file to the vehicle, including: the version management platform sending the signed downgrade authorization file to the diagnostic tool; and the diagnostic tool sending the downgrade authorization file to the vehicle in response to receiving it. In this way, the downgrade authorization file is first sent to the diagnostic tool, which then transmits it to the vehicle. The advantage of this method is that the operation can be performed without the owner's confirmation.
[0162] Optionally, if the version management platform sends a signed downgrade authorization file to the vehicle via a diagnostic tool, the method 500 further includes:
[0163] S502a, the diagnostic instrument obtains input from maintenance personnel.
[0164] For example, the input includes the VIN of the vehicle for which a version downgrade needs to be performed, as well as the version number information that allows downgrades.
[0165] S502b, in response to receiving this input, the diagnostic tool can request the vehicle's VIN from the vehicle.
[0166] S502c, the vehicle sends its VIN to the diagnostic tool.
[0167] S502d, in response to receiving the vehicle's VIN, the diagnostic tool sends the VIN and the version number information for which downgrade permission is requested to the version management platform.
[0168] Thus, the information on one or more version numbers in the downgrade authorization file to be signed in S502 can be determined from the version number information for which downgrade permission is requested in S502d. The first identification information in the downgrade authorization file to be signed in S502 can be determined from the vehicle's VIN in S502d.
[0169] The above S502-S506 can be referred to as the downgrade authorization file distribution stage.
[0170] S507: The version management platform sends OTA tasks to the vehicle, which include version flashing tasks.
[0171] Optionally, this flashing task can also be sent to the vehicle by the diagnostic tool. For example, S507 can also be implemented as S507a:
[0172] S507a, the diagnostic tool sends a near-end flashing task to the vehicle.
[0173] This near-end flashing task can be understood as the flashing task described above.
[0174] S508, detect whether the version flashing task is a downgrade task.
[0175] For example, whether a task is a downgrade can be determined based on the version number of the ECU in the flashing task and the current version number of the ECU in the vehicle. For instance, if the version number of the ECU in the flashing task is less than the current version number of the ECU in the vehicle, it can be determined as a downgrade task; otherwise, it can be determined as an upgrade task.
[0176] For example, if it is a downgrade task, S509 can continue to be executed. If it is an upgrade task, the vehicle can directly perform the version upgrade operation after the legality and integrity of the software package are verified.
[0177] S509, check whether a downgrade authorization file exists.
[0178] For example, the software package includes the ECU version number, and the vehicle can determine whether a downgrade authorization file for that ECU has been saved previously. If the downgrade authorization file has been saved, S510 can be executed; otherwise, the version downgrade operation for that ECU can be skipped.
[0179] S510, use the PKI root certificate to verify the legality of the downgrade authorization file.
[0180] For example, verifying the legality of the downgrade authorization file using the PKI root certificate includes: verifying the legality of the downgrade authorization file using the public key in the PKI root certificate.
[0181] Optionally, before verifying the legality of the downgrade authorization file using the public key in the PKI root certificate, the method 500 further includes: determining that the public key is valid.
[0182] For example, if the downgrade authorization file is determined to be legal, S511 can be executed; otherwise, the version downgrade operation for the ECU is not performed.
[0183] S511, check whether the downgrade authorization file is within its validity period.
[0184] For the process of checking whether the downgrade authorization file is within its validity period, refer to the description in the above embodiments; it is not repeated here.
[0185] For example, if the downgrade authorization file is within its validity period, execute S512; otherwise, the vehicle may not perform a version downgrade operation for that ECU.
[0186] S512, check whether the version number for ECU flashing in the software package is among the one or more version numbers included in the downgrade authorization file.
[0187] For the process of checking whether the version number for ECU flashing in the software package is among the one or more version numbers included in the downgrade authorization file, refer to the description in the above embodiments; it is not repeated here.
[0188] For example, if the version number for flashing the ECU in the software package is one of the version numbers included in the downgrade authorization file, execute S513; otherwise, the vehicle may not perform the version downgrade operation for that ECU.
[0189] S511 and S512 above are optional steps.
[0190] S513, perform version downgrade operation.
[0191] In this embodiment, the order of S510, S511, and S512 is not limited. For example, it can first be determined whether the downgrade authorization file is within its validity period. If it is, the legality of the downgrade authorization file can then be determined; otherwise, the vehicle may not perform the version downgrade operation for that ECU.
[0192] Alternatively, it can first be determined whether the downgrade authorization file is legal. If it is legal, it can then be determined whether the downgrade authorization file is within its validity period; otherwise, the vehicle may not perform a version downgrade operation for that ECU.
[0193] S514, the vehicle sends the flashing result to the version management platform.
[0194] For example, the flashing result indicates that the vehicle has successfully performed a version downgrade operation for that ECU.
[0195] Optionally, if the version management platform sent the OTA task to the vehicle, the vehicle can send the flashing result to the version management platform after performing the version downgrade operation.
[0196] Optionally, if the above-mentioned flashing task is sent to the vehicle by the diagnostic tool in S507a, then the flashing result can be sent to the diagnostic tool in S514a.
[0197] The above S507-S514 can be referred to as the version flashing stage.
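The vehicle-side decision of S508-S513, together with the PKI signing step S504 and the identification match of [0210], as an added Go example that is not code from the application. The JSON layout, the choice of Ed25519, the dotted version format and every name are assumptions of this example; the signature is verified over the exact received bytes before any field of the file is parsed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AuthBody holds the signed fields listed in [0156]; this JSON layout is assumed.
type AuthBody struct {
	ID        string   `json:"id"`         // first identification information (a VIN here)
	Versions  []string `json:"versions"`   // version numbers allowed as downgrade targets
	NotBefore int64    `json:"not_before"` // validity period, Unix seconds
	NotAfter  int64    `json:"not_after"`
}
type AuthFile struct{ Body, Sig []byte } // exact signed bytes + first signature

var (
	ErrNoAuth  = errors.New("S509: no downgrade authorization file saved")
	ErrBadSig  = errors.New("S510: first signature does not verify")
	ErrID      = errors.New("identification information does not match")
	ErrExpired = errors.New("S511: outside the validity period")
	ErrVersion = errors.New("S512: target version is not in the authorized list")
)

// SignAuth plays the PKI role in S504; Ed25519 is this example's choice of algorithm.
func SignAuth(priv ed25519.PrivateKey, body []byte) *AuthFile {
	return &AuthFile{Body: body, Sig: ed25519.Sign(priv, body)}
}

// cmpVersion compares dotted numeric versions field by field ("2.10.0" > "2.9.0").
func cmpVersion(a, b string) (int, error) {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	if len(as) != len(bs) {
		return 0, fmt.Errorf("version shapes differ: %q vs %q", a, b)
	}
	for i := range as {
		x, errA := strconv.ParseUint(as[i], 10, 32)
		y, errB := strconv.ParseUint(bs[i], 10, 32)
		if errA != nil || errB != nil {
			return 0, fmt.Errorf("bad version: %q or %q", a, b)
		}
		if x < y {
			return -1, nil
		} else if x > y {
			return 1, nil
		}
	}
	return 0, nil
}

// CheckFlash returns (isDowngrade, err); the caller flashes only when err is nil.
func CheckFlash(pub ed25519.PublicKey, auth *AuthFile, vin, current, target string, now time.Time) (bool, error) {
	c, err := cmpVersion(target, current)
	if err != nil || c >= 0 { // S508: unparsable (deny) or not lower, so the upgrade path applies
		return false, err
	}
	if auth == nil {
		return true, ErrNoAuth
	}
	// S510 first: no field is parsed or trusted before the signature verifies.
	if !ed25519.Verify(pub, auth.Body, auth.Sig) {
		return true, ErrBadSig
	}
	var b AuthBody
	if err := json.Unmarshal(auth.Body, &b); err != nil {
		return true, err
	}
	if b.ID != vin { // identification match described in [0210]
		return true, ErrID
	}
	if t := now.Unix(); t < b.NotBefore || t > b.NotAfter {
		return true, ErrExpired
	}
	for _, v := range b.Versions {
		if c, err := cmpVersion(v, target); err == nil && c == 0 {
			return true, nil
		}
	}
	return true, ErrVersion
}

// demoFixture returns a constructed public key and signed sample file (fixed seed, demo only).
func demoFixture() (ed25519.PublicKey, *AuthFile) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	body := `{"id":"VIN-CONSTRUCTED-0001","versions":["2.3.0"],"not_before":1700000000,"not_after":1700086400}`
	return priv.Public().(ed25519.PublicKey), SignAuth(priv, []byte(body))
}

func main() {
	pub, auth := demoFixture()
	_, err := CheckFlash(pub, auth, "VIN-CONSTRUCTED-0001", "2.4.1", "2.2.0", time.Unix(1700003600, 0))
	fmt.Println("flash 2.2.0 over 2.4.1:", err)
}
```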
[0198] Figure 6 shows a schematic flowchart of a version downgrade method 600 provided in an embodiment of this application. The method 600 includes:
[0199] S610, generate the first downgrade authorization file to be signed.
[0200] For example, the first downgrade authorization file to be signed can be generated by the version management platform 412 shown in Figure 4 above.
[0201] S620, based on the private key, sign the first downgrade authorization file to be signed, to obtain the second downgrade authorization file.
[0202] For example, the PKI 411 can use a PKI private key to sign the first downgrade authorization file to obtain a second downgrade authorization file.
[0203] S630, a second downgrade authorization file is sent to the electronic device. The second downgrade authorization file is used by the electronic device to determine whether to perform a version downgrade operation for the first device.
[0204] Optionally, the second downgrade authorization file includes a first signature (e.g., obtained by the PKI 411 signing the first downgrade authorization file), which can be used by the electronic device to determine whether to perform a version downgrade operation for the first device.
[0205] The second downgrade authorization file in S630 above can be the downgrade authorization file in S210 above.
[0206] Optionally, the second downgrade authorization file includes information on one or more version numbers, and method 600 further includes: sending a version flashing task to an electronic device, the version flashing task including a software package, the software package including information on a second version number for the first device; wherein the second version number is one of one or more version numbers.
[0207] Optionally, the second downgrade authorization file includes information on the validity period; and/or, the second downgrade authorization file includes first identification information, which includes identification information of the electronic device and/or identification information of the first device in the electronic device.
[0208] Figure 7 shows a schematic block diagram of a version downgrade apparatus 700 provided in an embodiment of this application. The apparatus 700 includes: a receiving unit 710, configured to receive a downgrade authorization file for a first device, the downgrade authorization file including a first signature obtained by signing the downgrade authorization file with a private key; a verification unit 720, configured to verify the legality of the first signature based on a public key, obtaining a first verification result; and a version flashing unit 730, configured to perform a version downgrade operation for the first device according to a version flashing task if the first verification result indicates that the first signature is legal.
[0209] Optionally, the downgrade authorization file includes information on one or more version numbers. The receiving unit 710 is further configured to receive a version flashing task before the version flashing unit performs the version downgrade operation. The version flashing task includes a software package, which includes information on a first version number for the first device. The version flashing unit 730 is configured to: perform a version downgrade operation for the first device based on the software package if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of one or more version numbers.
[0210] Optionally, the downgrade authorization file includes first identification information, and the apparatus 700 further includes: a first determining unit, configured to determine that the first identification information matches the second identification information of the first device, or to determine that the first identification information matches the third identification information of the electronic device, before the version flashing unit 730 performs the version downgrade operation; wherein the electronic device includes the first device.
[0211] Optionally, the apparatus 700 further includes a second determining unit, configured to determine that the downgrade authorization file is within its validity period before the version flashing unit 730 performs the version downgrade operation.
[0212] Optionally, the apparatus 700 includes: a control unit, configured to control the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file before the verification unit verifies the legality of the first signature; and a file storage unit, configured to save the downgrade authorization file in response to the acquisition unit acquiring a first input from the user, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
[0213] Optionally, the verification unit 720 is further configured to verify the legality of the first signature based on the public key before the control unit prompts the user whether to allow the electronic device to save the downgrade authorization file, and obtain a second verification result, wherein the second verification result indicates that the downgrade authorization file is legal.
[0214] Optionally, the receiving unit 710 is configured to: receive a downgrade authorization file sent by the cloud server; or, receive a downgrade authorization file sent by the cloud server through a diagnostic tool.
[0215] Optionally, the downgrade authorization file is an authorization file for the ECU in the vehicle.
[0216] Figure 8 shows a schematic block diagram of a version downgrade apparatus 800 provided in an embodiment of this application. The apparatus 800 includes: a generation unit 810 for generating a first downgrade authorization file to be signed; a file signing unit 820 for signing the first downgrade authorization file to be signed according to a private key to obtain a second downgrade authorization file; and a sending unit 830 for sending the second downgrade authorization file to an electronic device, wherein the second downgrade authorization file is used by the electronic device to determine whether to perform a version downgrade operation for the first device.
[0217] Optionally, the second downgrade authorization file includes information on one or more version numbers, and the sending unit 830 is further configured to send a version flashing task to the electronic device. The version flashing task includes a software package, which includes information on a first version number for the first device; wherein the first version number is one of one or more version numbers.
[0218] Optionally, the second downgrade authorization file includes information on the validity period; and/or, the second downgrade authorization file includes first identification information, which includes identification information of the electronic device and/or identification information of the first device.
[0219] It should be understood that the division of units in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units in the device can be implemented by a processor calling software; for example, the device includes a processor connected to memory, which stores instructions. The processor calls the instructions stored in memory to implement any of the above methods or to implement the functions of each unit in the device. The processor can be, for example, a general-purpose processor, such as a CPU or microprocessor, and the memory can be internal or external to the device. Alternatively, the units in the device can be implemented as hardware circuits. The functions of some or all units can be implemented through the design of the hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an ASIC, and the functions of some or all units are implemented through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a PLD, such as an FPGA, which can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby implementing the functions of some or all units. All units of the above devices can be implemented entirely through processor calling software, or entirely through hardware circuits, or partially through processor calling software with the remaining parts implemented through hardware circuits.
[0220] In this application embodiment, a processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction reading and execution capabilities, such as a CPU, microprocessor, GPU, or DSP. In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. These logical relationships are fixed or reconfigurable. For example, the processor may be a hardware circuit implemented as an ASIC or PLD, such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the processor loading instructions to implement the functions of some or all of the above units. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as an NPU, TPU, or DPU.
[0221] As can be seen, each unit in the above device can be one or more processors (or processing circuits) configured to implement the above methods, such as: CPU, GPU, NPU, TPU, DPU, microprocessor, DSP, ASIC, FPGA, or a combination of at least two of these processor forms.
[0222] Furthermore, the units in the above devices can be integrated in whole or in part, or they can be implemented independently. In one implementation, these units are integrated together as a System-on-a-Chip (SoC). The SoC may include at least one processor for implementing any of the above methods or implementing the functions of the units in the device. The at least one processor may be of different types, such as CPU and FPGA, CPU and AI processor, CPU and GPU, etc.
[0223] This application also provides a version downgrade apparatus, which includes a processing unit and a storage unit. The storage unit stores instructions, and the processing unit executes the instructions stored in the storage unit to enable the apparatus to perform the methods or steps performed by the electronic device (or vehicle) in the above embodiments.
[0224] Optionally, if this version downgrade apparatus is located in a vehicle, the aforementioned processing unit may be the processor 121-12n shown in Figure 1.
[0225] This application also provides a version downgrade apparatus, which includes a processing unit and a storage unit. The storage unit is used to store instructions, and the processing unit executes the instructions stored in the storage unit to enable the apparatus to perform the methods or steps executed by the cloud server in the above embodiments.
[0226] This application also provides an electronic device that may include the aforementioned version downgrade apparatus 700.
[0227] Optionally, the electronic device can be a vehicle.
[0228] This application also provides a cloud server, which may include the above-described version downgrade device 800.
[0229] This application also provides a computer program product, which includes computer program code that, when run on a computer, causes the computer to perform the methods described in the above embodiments.
[0230] This application also provides a computer-readable medium storing program code that, when run on a computer, causes the computer to perform the methods described in the above embodiments.
[0231] This application also provides a chip, which includes circuitry for performing the methods described in the above embodiments.
[0232] In implementation, each step of the above method can be completed by integrated logic circuits in the processor's hardware or by instructions in software. The method disclosed in the embodiments of this application can be directly implemented by a hardware processor, or by a combination of hardware and software modules within the processor. The software modules can reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other storage media that are mature in the art. This storage medium is located in memory, and the processor reads information from the memory and, in conjunction with its hardware, completes the steps of the above method. To avoid repetition, detailed descriptions are omitted here.
[0233] It should be understood that in the embodiments of this application, the memory may include read-only memory and random access memory, and provides instructions and data to the processor.
[0234] It should also be understood that, in the various embodiments of this application, the order of the above-mentioned processes does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this application.
[0235] Those skilled in the art will recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementation should not be considered beyond the scope of this application.
[0236] Those skilled in the art will understand that, for the sake of convenience and brevity, for the specific working processes of the systems, devices, and units described above, reference can be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
[0237] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or units may be electrical, mechanical, or other forms.
[0238] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0239] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0240] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0241] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in this application should be covered. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for version downgrading, characterized in that it includes: receiving a downgrade authorization file for a first device, the downgrade authorization file including a first signature, the first signature being obtained by signing the downgrade authorization file with a private key; verifying the validity of the first signature based on a public key to obtain a first verification result; and, if the first verification result indicates that the first signature is valid, performing a version downgrade operation for the first device according to a version flashing task.
2. The method according to claim 1, characterized in that the downgrade authorization file includes one or more version numbers, and, prior to performing the version downgrade operation for the first device, the method further includes: receiving the version flashing task, the version flashing task including a software package, the software package including information about a first version number for the first device; wherein the step of performing a version downgrade operation according to the version flashing task when the verification result indicates that the first signature is valid includes: if the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of the one or more version numbers, performing the version downgrade operation for the first device according to the software package.
3. The method according to claim 1 or 2, characterized in that the downgrade authorization file includes first identification information, and, before performing the version downgrade operation, the method further includes: determining that the first identification information matches the second identification information of the first device, or determining that the first identification information matches the third identification information of the electronic device; wherein the electronic device includes the first device.
4. The method according to any one of claims 1 to 3, characterized in that, before performing the version downgrade operation for the first device, the method further includes: determining that the downgrade authorization file is within its validity period.
5. The method according to any one of claims 1 to 4, characterized in that, before verifying the validity of the first signature based on the public key, the method includes: controlling a prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file; and, in response to receiving a first input from the user, saving the downgrade authorization file, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
6. The method according to claim 5, characterized in that, before controlling the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file, the method further includes: verifying the validity of the first signature based on the public key to obtain a second verification result, which indicates that the downgrade authorization file is valid.
7. The method according to any one of claims 1 to 6, characterized in that receiving the downgrade authorization file for the first device includes: receiving the downgrade authorization file sent by the cloud server; or, receiving the downgrade authorization file sent by the cloud server through the diagnostic tool.
8. The method according to any one of claims 1 to 7, characterized in that the downgrade authorization file is an authorization file for the electronic control unit (ECU) in the vehicle.
9. A method for version downgrading, characterized in that it includes: generating a first downgrade authorization file to be signed; signing the first downgrade authorization file to be signed using the private key to obtain a second downgrade authorization file; and sending the second downgrade authorization file to the electronic device, the second downgrade authorization file being used by the electronic device to determine whether to perform a version downgrade operation for the first device.
10. The method according to claim 9, characterized in that the second downgrade authorization file includes one or more version numbers, and the method further includes: sending a version flashing task to the electronic device, the version flashing task including a software package, the software package including information on a first version number for the first device; wherein the first version number is one of the one or more version numbers.
11. The method according to claim 9 or 10, characterized in that the second downgrade authorization file includes information on the validity period; and/or, the second downgrade authorization file includes first identification information, which includes the identification information of the electronic device and/or the identification information of the first device in the electronic device.
12. A device for version downgrading, characterized in that it includes: a receiving unit, configured to receive a downgrade authorization file for a first device, the downgrade authorization file including a first signature, the first signature being obtained by signing the downgrade authorization file with a private key; a verification unit, configured to verify the validity of the first signature based on the public key and obtain the first verification result; and a version flashing unit, configured to perform a version downgrade operation for the first device according to the version flashing task when the first verification result indicates that the first signature is valid.
13. The apparatus according to claim 12, characterized in that the downgrade authorization file includes one or more version numbers; the receiving unit is further configured to receive the version flashing task before the version flashing unit performs the version downgrade operation, the version flashing task including a software package, the software package including information on a first version number for the first device; and the version flashing unit is configured to: perform the version downgrade operation for the first device according to the software package when the verification result indicates that the first signature is valid, the first version number is less than the current version number of the first device, and the first version number is one of the one or more version numbers.
14. The apparatus according to claim 12 or 13, characterized in that the downgrade authorization file includes first identification information, and the device further includes: a first determining unit, configured to determine, before the version flashing unit performs the version downgrade operation, whether the first identification information matches the second identification information of the first device or the first identification information matches the third identification information of the electronic device; wherein the electronic device includes the first device.
15. The apparatus according to any one of claims 12 to 14, characterized in that the device further includes: a second determining unit, configured to determine that the downgrade authorization file is within its validity period before the version flashing unit performs the version downgrade operation.
16. The apparatus according to any one of claims 12 to 15, characterized in that the device includes: a control unit, configured to, before the verification unit verifies the legality of the first signature, control the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file; and a file storage unit, configured to save the downgrade authorization file in response to the acquisition unit receiving a first input from the user, wherein the first input indicates that the electronic device is allowed to save the downgrade authorization file.
17. The apparatus according to claim 16, characterized in that the verification unit is further configured to verify the legality of the first signature based on the public key before the control unit controls the prompting device to prompt the user whether to allow the electronic device to save the downgrade authorization file, and obtain a second verification result, wherein the second verification result indicates that the downgrade authorization file is legal.
18. The apparatus according to any one of claims 12 to 17, characterized in that the receiving unit is configured to: receive the downgrade authorization file sent by the cloud server; or, receive the downgrade authorization file sent by the cloud server through the diagnostic tool.
19. The apparatus according to any one of claims 12 to 18, characterized in that the downgrade authorization file is an authorization file for the ECU in the vehicle.
20. A device for version downgrading, characterized in that, include: The generation unit is used to generate the first downgraded license file to be signed; The file signing unit is used to sign the first downgraded authorization file according to the private key to obtain the second downgraded authorization file; The sending unit is configured to send the second downgrade authorization file to the electronic device, the second downgrade authorization file being used by the electronic device to determine whether to perform a version downgrade operation for the first device.
21. The apparatus according to claim 20, characterized in that the second downgrade authorization file includes one or more version numbers; and the sending unit is further configured to send a version flashing task to the electronic device, the version flashing task including a software package, the software package including information on a first version number for the first device, wherein the first version number is one of the one or more version numbers.
22. The apparatus according to claim 20 or 21, characterized in that the second downgrade authorization file includes information on the validity period; and/or the second downgrade authorization file includes first identification information, which includes the identification information of the electronic device and/or the identification information of the first device.
23. An apparatus for version downgrading, characterized by comprising: a memory configured to store a computer program; and a processor configured to execute the computer program stored in the memory to cause the apparatus to perform the method according to any one of claims 1 to 8.
24. An apparatus for version downgrading, characterized by comprising: a memory configured to store a computer program; and a processor configured to execute the computer program stored in the memory to cause the apparatus to perform the method according to any one of claims 9 to 11.
25. An electronic device, characterized by comprising the apparatus according to any one of claims 12 to 19 and 23.
26. A server, characterized by comprising the apparatus according to any one of claims 20 to 22 and 24.
27. A computer-readable storage medium, characterized in that it stores instructions that, when executed by a processor, cause the processor to implement the method according to any one of claims 1 to 11.
28. A computer program product, characterized in that the computer program product includes computer program code that, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 11.
29. A chip, characterized in that the chip includes circuitry for performing the method according to any one of claims 1 to 11.
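The signing flow of claims 20 to 22 and the device-side decision it supports, as an added example that is not part of the patent text. Ed25519, the JSON encoding, and every type, field and function name are assumptions, since the claims specify neither a signature algorithm nor a file format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Auth is a hypothetical file layout; the claims name the contents, not an encoding.
type Auth struct {
	DeviceID            string    // first identification information
	Versions            []string  // version numbers the file covers
	NotBefore, NotAfter time.Time // validity period
}

// Sign is the server side: serialize the unsigned file and sign those bytes.
func Sign(a Auth, priv ed25519.PrivateKey) (body, sig []byte) {
	body, _ = json.Marshal(a) // cannot fail for this struct
	return body, ed25519.Sign(priv, body)
}

// Check is the device side. Short-circuit evaluation guarantees the body is
// parsed only after its signature has verified.
func Check(body, sig []byte, pub ed25519.PublicKey, dev, target string, now time.Time) error {
	var a Auth
	if !ed25519.Verify(pub, body, sig) || json.Unmarshal(body, &a) != nil {
		return errors.New("signature invalid or file malformed")
	}
	if a.DeviceID != dev {
		return errors.New("issued for a different device")
	}
	if now.Before(a.NotBefore) || now.After(a.NotAfter) {
		return errors.New("outside validity period")
	}
	for _, v := range a.Versions {
		if v == target {
			return nil
		}
	}
	return errors.New("target version not authorized")
}

func main() { // constructed demo values
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	body, sig := Sign(Auth{"ECU-01", []string{"1.2.0"}, now.Add(-time.Hour), now.Add(time.Hour)}, priv)
	fmt.Println(Check(body, sig, pub, "ECU-01", "1.1.0", now))
}
```

The target version passed to `Check` stands for the first version number carried in the flashing task's software package, so a validly signed file still cannot authorize a downgrade to a version it does not list.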