CN-121116364-B - Firmware upgrading method for vehicle-mounted controller
Abstract
The invention discloses a firmware upgrading method for a vehicle-mounted controller, in the technical field of intelligent networked automobiles. A directed acyclic graph describes the dependency relationships among versions precisely and gives the upgrade process a clear topological ordering basis, which fundamentally avoids the functional conflicts and disorder caused by an incorrect upgrade sequence. A distributed consensus protocol ensures that every controller reaches a coordinated state before upgrading, which improves the overall robustness of the multi-controller cluster under network delay or failure of individual nodes and avoids upgrade failure or version divergence caused by some nodes not being ready. A group-level binding token combined with an atomic switching mechanism ensures that a controller group with strong dependencies is updated as a single transaction unit, markedly enhancing the safety and reliability of cross-domain function linkage.
Inventors
- LI MUZE
- HE WENXIN
- GAO ZHIYUAN
- YI CHUNSHAN
- CAO KAI
Assignees
- 华夏龙晖(北京)汽车电子科技股份有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20250906
Claims (9)
- 1. A firmware upgrading method for a vehicle-mounted controller, characterized in that it is cooperatively executed by a master control gateway, a cloud server and at least two domain controllers and comprises the following steps: Step S1, the master control gateway discovers the domain controllers currently on the network through the vehicle-mounted network bus, obtains the running version information of each domain controller and a locally stored version compatibility matrix, and generates a version dependency relationship in the form of a directed acyclic graph according to the functional dependency relationship; Step S2, the master control gateway sends an upgrade request to the cloud server, the upgrade request comprising the target version configuration and the version dependency relationship; Step S3, the cloud server returns a collaborative upgrade package set, the set comprising differential data, manifest information and digital signatures for each of a plurality of domain controllers, with a group-level binding token attached to each domain controller group that is to take effect simultaneously, the manifest information comprising a target version identifier, a base version identifier, an image size and hash, a signature algorithm identifier, a group constraint and a rollback mark; Step S4, the master control gateway determines the upgrade execution sequence according to the version dependency relationship and the domain controller group constraints, and distributes the corresponding collaborative upgrade package to each domain controller in that sequence; Step S5, each domain controller enters a pre-upgrade state and reports readiness to the master control gateway, and the master control gateway generates a transaction commit credential once the quorum threshold condition is met; Step S6, the master control gateway issues a synchronous upgrade instruction, each domain controller applies the differential data to a local shadow partition, and after signature verification and rollback-prevention verification are completed, an atomic switch is performed to complete version activation; Step S7, the master control gateway performs version consistency verification according to the version digests reported by the domain controllers after upgrading, and if the version digests are inconsistent, triggers a cooperative rollback to restore the affected domain controllers to the previous compatible version; wherein Step S5 comprises: each domain controller exchanges ready acknowledgement messages in digitally signed form; once the quorum threshold is met, the master control gateway generates the transaction commit credential, which serves as the trigger condition for the synchronous upgrade instruction; a deterministic relationship exists between the quorum threshold and the number of tolerable fault nodes, defined as follows: the number of domain controllers participating in the ready vote is taken as the total number of nodes ; the number of fault-tolerant nodes is set as ; the participation list of the current upgrade round is recorded, isolated or under-maintenance nodes are removed, and the actual participation is obtained; a fault model indicator is selected according to the vehicle platform and safety level, taking the crash model when nodes can only lose connection or go down without any tampering, and taking the family model when any error, including forged, replayed or tampered messages, must be resisted; within the voting window, the master control gateway counts ready acknowledgements using the following quorum threshold: , wherein represents the minimum number of ready acknowledgements required to trigger the synchronous upgrade instruction, in units of one, represents the total number of domain controllers participating in the ready vote, in units of one, represents the number of fault-tolerant nodes, in units of one, and represents the fault model indicator, whose value set is { , }; the quorum threshold takes two properties into account: first, any two triggerable sets intersect, and second, the commit can still be completed by reaching the threshold when at most nodes are unavailable; when the crash model is used, , ; when the model is used, , , .
- 2. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein the discovery and relationship construction of Step S1 comprises: performing node discovery based on the vehicle-mounted network protocol and reading domain controller identifiers and version information; reading the version compatibility matrix from a trusted store; and generating the version dependency relationship according to the functional dependencies and compatibility constraints, eliminating rings to obtain the directed acyclic graph.
- 3. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein Step S3 comprises: the cloud server analyzes cross-domain dependencies according to the directed acyclic graph; generates, for each domain controller, differential data and manifest information relative to its current version, and digitally signs the whole package body and the manifest information; and generates a group-level binding token for each domain controller group that is to take effect simultaneously, the group-level binding token binding the in-group images and the target version configuration into the same upgrade transaction.
- 4. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein Step S6 comprises: applying the differential data in the local shadow partition with copy-on-write; verifying the digital signatures of the package body and the manifest through a hardware security module, and verifying the anti-rollback counter or version monotonicity; and, after verification passes, completing the atomic switch of the boot partition as an indivisible transaction.
- 5. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein Step S7 comprises: each domain controller returns the cryptographic digest and version identifier of its currently active version; the master control gateway compares them for consistency with the target configuration; and when an inconsistency is detected, the affected subset of domain controllers is determined by backtracking along the dependency relationship, and a cooperative rollback of that subset to the previous compatible version is performed.
- 6. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein the version compatibility matrix is based on: compatibility information of the hardware and software versions of each domain controller, historical upgrade data and field operation telemetry; compatibility, the need for simultaneous validation, or incompatibility is judged from these multidimensional inputs, and the version compatibility matrix is updated periodically; a weight-aggregated compatibility scoring rule is adopted in the judgement, comprising the following steps: establishing a dimension set comprising hardware-software version matching, cross-domain coupling risk, historical upgrade success rate, operational telemetry compatibility, simultaneous validation and dependency label, environment and working-condition consistency, rollback history risk and supplier safety bulletin impact, each dimension yielding a raw dimension quantity ; passing the raw quantity of each dimension through a dimension-specific function to convert it to the interval ; recording a missing test item by a mask, without interpolation; in one matrix evaluation, computing a weighted normalized average over the valid dimensions, the weights being automatically renormalized over the missing measurement items: , wherein represents the compatibility score, whose value is dimensionless, represents the number of scoring dimensions, in items, is the dimension index, in ordinal units, is the dimension weight, non-negative and normalized by its sum, is the dimension mask, where 1 indicates that the dimension is valid in this evaluation, is the function for dimension normalization and direction unification, whose output interval is , and is the raw dimension quantity; setting a hierarchical threshold pair, namely a compatible threshold and a group constraint threshold ; the decision rule is: judged compatible when ; judged to require simultaneous validation when the simultaneous validation dependency tag exists; and judged incompatible otherwise.
- 7. The firmware upgrading method for a vehicle-mounted controller according to claim 1, wherein, when a network interruption or power abnormality is detected during the upgrade: the master control gateway pauses the upgrade sequence and records the breakpoint context; each domain controller keeps its pre-upgrade context and continues to run its current version; after recovery, execution resumes from the breakpoint, with the version dependency relationship and ready state re-checked first; and triggering the upgrade must satisfy vehicle working-condition constraints including at least one of a parking or parked state, a power health threshold, and an environment or device temperature threshold.
- 8. A vehicle-mounted collaborative upgrade system comprising a master control gateway, a cloud server and a plurality of domain controllers, wherein the master control gateway is configured to execute the vehicle-mounted controller firmware upgrading method according to any one of claims 1 to 7, the cloud server is configured to generate the collaborative upgrade package set and to issue and verify group-level binding tokens, and each domain controller comprises a local shadow partition and a hardware security module and is configured to perform signature verification, rollback prevention and atomic switching.
- 9. A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the firmware upgrading method for a vehicle-mounted controller according to any one of claims 1 to 7.
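The upgrade sequencing of Steps S1 and S4 (claims 1 to 3), as an added example that is not code from the patent: controllers bound by one group-level token are contracted into a single unit so they activate as one transaction, the remaining version dependencies are ordered with Kahn's algorithm, and any ring the tokens do not cover is reported instead of being silently broken. The contract-and-reject treatment of rings and the sample domain names are my assumptions; the claims only state that rings are eliminated.

```python
from collections import defaultdict, deque

def upgrade_order(targets, requires, groups):
    """Return the activation stages for one upgrade round.

    targets  - set of controllers that receive a new version
    requires - {controller: set of controllers whose new version must be
                active before it} (edges of the version dependency graph)
    groups   - list of sets bound by one group-level token; each must
               activate as a single transaction unit
    Each stage is a frozenset of controllers activated together.
    """
    # Contract every bound group into one unit so it is scheduled as a whole.
    unit_of = {c: frozenset([c]) for c in targets}
    for g in groups:
        unit = frozenset(g)
        for c in g:
            unit_of[c] = unit
    units = set(unit_of.values())
    # Build edges between units; edges inside a group vanish with the contraction.
    succ, indeg = defaultdict(set), {u: 0 for u in units}
    for c, deps in requires.items():
        for d in deps:
            a, b = unit_of[d], unit_of[c]
            if a != b and b not in succ[a]:
                succ[a].add(b)
                indeg[b] += 1
    # Kahn's algorithm; sorting keeps the sequence deterministic across runs.
    ready = deque(sorted((u for u in units if indeg[u] == 0), key=sorted))
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v in sorted(succ[u], key=sorted):
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    if len(order) != len(units):
        # Whatever is left sits on a ring that no group token covers.
        stuck = sorted(c for u in units if indeg[u] > 0 for c in u)
        raise ValueError(f"unresolved dependency ring among {stuck}")
    return order

# Constructed sample: five domains, ADAS and chassis bound by one group token.
SAMPLE_TARGETS = {"power", "chassis", "body", "cabin", "adas"}
SAMPLE_REQUIRES = {"adas": {"chassis", "power"}, "chassis": {"power"}, "cabin": {"body"}}
SAMPLE_GROUPS = [{"chassis", "adas"}]

if __name__ == "__main__":
    for i, stage in enumerate(upgrade_order(SAMPLE_TARGETS, SAMPLE_REQUIRES, SAMPLE_GROUPS), 1):
        print(f"stage {i}: {sorted(stage)}")
```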
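The mask-renormalized compatibility score and the hierarchical threshold pair of claim 6, as an added example that is not code from the patent: a dimension whose measurement is missing is masked out rather than interpolated, so the remaining weights renormalize automatically. The dimension names, normalizers and weights are constructed; treating the simultaneous validation tag as a decision input rather than a scored dimension, and reading the group constraint threshold as the lower of the pair, are my assumptions.

```python
# Dimensions named in claim 6; each normalizer maps the raw quantity to [0, 1]
# with "higher is better", so risk-type dimensions are inverted (constructed).
NORMALIZERS = {
    "hw_sw_match":      lambda ok: 1.0 if ok else 0.0,
    "coupling_risk":    lambda r: 1.0 - r,   # cross-domain coupling risk in [0, 1]
    "history_success":  lambda p: p,         # historical upgrade success rate
    "telemetry_compat": lambda p: p,         # field telemetry compatibility
    "env_consistency":  lambda ok: 1.0 if ok else 0.0,
    "rollback_risk":    lambda r: 1.0 - r,   # rollback history risk
    "bulletin_impact":  lambda r: 1.0 - r,   # supplier safety bulletin impact
}
WEIGHTS = {"hw_sw_match": 3, "coupling_risk": 2, "history_success": 2,
           "telemetry_compat": 1, "env_consistency": 1, "rollback_risk": 1,
           "bulletin_impact": 2}   # non-negative; normalized by their sum

def compatibility_score(raw, mask):
    """Weighted average over dimensions whose mask is 1; a masked (untested)
    dimension is dropped, not interpolated, and the weights renormalize."""
    num = den = 0.0
    for dim, x in raw.items():
        if not mask.get(dim, 1):
            continue
        g = NORMALIZERS[dim](x)
        if not 0.0 <= g <= 1.0:
            raise ValueError(f"{dim} normalizer left [0, 1]: {g}")
        num += WEIGHTS[dim] * g
        den += WEIGHTS[dim]
    if den == 0.0:
        raise ValueError("no valid dimension in this evaluation")
    return num / den

def classify(score, t_compat, t_group, sync_tag):
    """Hierarchical threshold pair; t_group <= t_compat is the assumed reading."""
    if score >= t_compat:
        return "compatible"
    if sync_tag and score >= t_group:
        return "simultaneous_validation_required"
    return "incompatible"

# Constructed sample: no fleet telemetry exists yet for this pairing, so masked.
SAMPLE_RAW = {"hw_sw_match": True, "coupling_risk": 0.2, "history_success": 0.9,
              "telemetry_compat": 0.4, "env_consistency": True,
              "rollback_risk": 0.5, "bulletin_impact": 0.0}
SAMPLE_MASK = {"telemetry_compat": 0}

if __name__ == "__main__":
    s = compatibility_score(SAMPLE_RAW, SAMPLE_MASK)
    print(round(s, 3), classify(s, t_compat=0.85, t_group=0.7, sync_tag=False))
```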
Description
Firmware upgrading method for vehicle-mounted controller
Technical Field
The invention relates to the technical field of intelligent networked automobiles, and in particular to a firmware upgrading method for a vehicle-mounted controller.
Background
Intelligent networked automobiles generally adopt a distributed electrical and electronic architecture in which a plurality of functional domain controllers are arranged, including a power domain, a chassis domain, a body domain, a cabin domain, an automated driving domain and the like. The domain controllers exchange data and coordinate functions over the on-board network, forming a complex system of dependencies, and under this architecture the on-board software must have vulnerabilities repaired, functions updated and performance improved through firmware upgrades. For the requirement of cooperative upgrading of multiple controllers, most prior-art schemes adopt a hierarchical upgrade management strategy: some coordinate the upgrade timing of all controllers through a central gateway and manage the compatibility relationships among controllers with a version dependency graph, while others use a dual-partition backup mechanism so that a single controller can fall back to the previous version when an upgrade fails. At the communication level, the prior art transmits upgrade data over high-speed buses such as CAN FD or Ethernet and verifies the integrity and authenticity of the upgrade package with a digital signature.
However, several technical problems remain in the multi-controller cross-domain collaborative upgrade process. Version dependency management among the domain controllers is still insufficient, and timing coordination during the upgrade struggles to guarantee functional consistency: when some controllers upgrade successfully and others fail, the system may be left in an inconsistent state that affects normal vehicle functions. In addition, the conventional schemes have limited ability to handle sudden network faults during the upgrade, which may leave the system in an abnormal state afterwards; the resource heterogeneity of cross-domain controllers further increases the complexity of collaborative upgrading, and the compatibility problems of different processor architectures and operating system platforms are not fully solved.
Disclosure of Invention
The present invention has been made in view of the above problems in the prior art. The invention provides a firmware upgrading method for a vehicle-mounted controller, which solves the problems that current vehicle-mounted multi-controller upgrading has complex dependency management, cannot guarantee coordination consistency, is easily interrupted by network abnormalities, and leaves the system in an inconsistent state.
In order to solve these technical problems, the invention provides the following technical scheme. In a first aspect, an embodiment of the present invention provides a firmware upgrade method for a vehicle-mounted controller, which is cooperatively executed by a master control gateway, a cloud server and at least two domain controllers, and comprises: Step S1, the master control gateway discovers the domain controllers currently on the network through the vehicle-mounted network bus, obtains the running version information of each domain controller and a locally stored version compatibility matrix, and generates a version dependency relationship in the form of a directed acyclic graph according to the functional dependency relationship; Step S2, the master control gateway sends an upgrade request to the cloud server, the request comprising the target version configuration and the version dependency relationship; Step S3, the cloud server returns a collaborative upgrade package set, the set comprising differential data, manifest information and digital signatures for each of a plurality of domain controllers, with a group-level binding token attached to each controller group that is to take effect simultaneously; Step S4, the master control gateway determines the upgrade execution sequence according to the version dependency relationship and the controller group constraints, and distributes the corresponding collaborative upgrade packages to each domain controller in that sequence; Step S5, each domain controller enters a pre-upgrade state and reports readiness to the master control gateway, and the master control gateway generates a transaction commit credential once the quorum threshold condition is met; Step S6, the master control gateway issues a synchronous upgrade instruction, each domain controller applies the differential data to a local shadow partition, and after signature verification and rollback-prevention verification are compl
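The quorum threshold of Step S5, whose symbols and formula did not survive on this page, as an added example that is not code from the patent: the thresholds below are the standard crash and Byzantine quorum bounds derived from the two properties claim 1 states (any two triggering sets intersect, and commit stays reachable when at most f nodes are unavailable), the participation list drops isolated and under-maintenance nodes before counting, and a brute-force check confirms the intersection property for small clusters. Equating the claim's second fault model, which must resist forged, replayed and tampered messages, with the Byzantine model is my assumption.

```python
from itertools import combinations

CRASH, BYZANTINE = "crash", "byzantine"   # the two fault model indicator values

def quorum_threshold(n, f, model):
    """Smallest number of verified ready acknowledgements that both makes any two
    triggering sets overlap sufficiently and stays reachable with f nodes down."""
    if model == CRASH:
        q = n // 2 + 1              # 2q > n: any two quorums share >= 1 node
    elif model == BYZANTINE:
        q = (n + f + 2) // 2        # 2q - n >= f + 1: they share >= 1 honest node
    else:
        raise ValueError(f"unknown fault model {model!r}")
    if q > n - f:                   # liveness: f silent nodes must not block commit
        raise ValueError(f"n={n} cannot tolerate f={f} {model} faults")
    return q

def can_tolerate(n, f, model):
    """True when a threshold satisfying both properties exists for (n, f)."""
    try:
        quorum_threshold(n, f, model)
        return True
    except ValueError:
        return False

def quorum_is_sound(n, f, model):
    """Brute-force check of the intersection property for a small cluster."""
    q = quorum_threshold(n, f, model)
    need = f + 1 if model == BYZANTINE else 1
    nodes = range(n)
    return all(len(set(a) & set(b)) >= need
               for a in combinations(nodes, q) for b in combinations(nodes, q))

def effective_participants(on_network, isolated, in_maintenance):
    """Participation list of this round after removing isolated/maintained nodes."""
    return sorted(set(on_network) - set(isolated) - set(in_maintenance))

def commit_allowed(verified_acks, participants, f, model):
    """Gateway decision: enough signature-verified acks from this round's list?"""
    valid = set(verified_acks) & set(participants)
    return len(valid) >= quorum_threshold(len(participants), f, model)

if __name__ == "__main__":
    # Constructed round: five domains on the bus, one isolated, f=1, crash model.
    part = effective_participants([1, 2, 3, 4, 5], isolated=[3], in_maintenance=[])
    print(part, quorum_threshold(len(part), 1, CRASH),
          commit_allowed([1, 2, 4], part, 1, CRASH))
```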