EFFICIENT AND SECURE METHOD AND APPARATUS FOR FIRMWARE UPDATE

US 20180145991A1
Filed: 06/30/2017
Published: 05/24/2018
Est. Priority Date: 06/30/2016
Status: Active Grant

First Claim

Patent Images

1. A vehicle, comprising:

an untrusted electronic control unit (ECU) comprising a receiver, a processor, and a memory, the receiver configured for receiving from a secure server a firmware update package including one or more firmware updates, and the memory of the untrusted ECU configured to store the firmware update package;

a secure ECU operatively coupled to the untrusted ECU, the secure ECU configured for authenticating the firmware update package; and

one or more target ECUs, each operatively coupled to the untrusted ECU and to the secure ECU, each respective target ECU comprising a bootloader configured for computing a checksum for a respective firmware update of the one or more firmware updates and signing the checksum with a unique key associated with the respective target ECU.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This relates to a vehicle and, more particularly to, a vehicle configured to perform a secure firmware update. Some examples of the disclosure include receiving a firmware update package including updated firmware for one or more electronic control units (ECUs) of a vehicle. According to the disclosure, the firmware update package can be transmitted to and stored on an untrusted ECU and distributed to one or more target ECUs in a secure firmware update process monitored by a secure ECU.

Citations

17 Claims

1. A vehicle, comprising:
- an untrusted electronic control unit (ECU) comprising a receiver, a processor, and a memory, the receiver configured for receiving from a secure server a firmware update package including one or more firmware updates, and the memory of the untrusted ECU configured to store the firmware update package;
  
  a secure ECU operatively coupled to the untrusted ECU, the secure ECU configured for authenticating the firmware update package; and
  
  one or more target ECUs, each operatively coupled to the untrusted ECU and to the secure ECU, each respective target ECU comprising a bootloader configured for computing a checksum for a respective firmware update of the one or more firmware updates and signing the checksum with a unique key associated with the respective target ECU.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The vehicle of claim 1, wherein the firmware update package is encrypted with an asymmetric key and each of the one or more firmware updates is encrypted with the unique key corresponding to a respective target ECU of the one or more target ECUs.
  - 3. The vehicle of claim 1, wherein the untrusted ECU is further configured for:
    - decrypting the firmware update package; and
      
      transmitting a signed update command to the secure ECU.
  - 4. The vehicle of claim 1, wherein the secure ECU is configured for:
    - receiving a signed update command from the untrusted ECU, the signed update command indicative of the received firmware update package;
      
      authenticating the signed update command; and
      
      in accordance with a determination that the signed update command is authentic, transmitting a signed distribution command to initiate a transmission of one or more firmware updates to one or more target ECUs.
  - 5. The vehicle of claim 4, wherein the secure ECU is configured for:
    - in accordance with a determination that the signed updated command is inauthentic, transmitting a signed erase command to the untrusted ECU to initiate an erasure of the firmware update package.
  - 6. The vehicle of claim 1, wherein the secure ECU is configured for:
    - receiving the signed checksum from one or more target ECUs;
      
      verifying a signature of the signed checksum;
      
      verifying a result of the signed checksum; and
      
      in accordance with a determination that the signature is valid and the result is correct, transmitting one or more installation commands to the one or more target ECUs to install a respective firmware update corresponding to the signed checksum.
  - 7. The vehicle of claim 6, wherein the secure ECU is configured for:
    - in accordance with a determination that the signature is not valid or the result is incorrect, transmitting one or more erase commands to the one or more target ECUs to erase a respective firmware update corresponding to the signed checksum.
  - 8. The vehicle of claim 1, wherein each unique key associated with each target ECU is a symmetric key.

9. A method for updating firmware at a vehicle, the method comprising:
- receiving, from a secure server, a firmware update package including one or more firmware updates;
  
  storing the firmware update package at a memory of an untrusted electronic control unit (ECU);
  
  authenticating, with a secure ECU, the firmware update package;
  
  in accordance with a determination that the firmware update package is authentic;
  
  transmitting one or more firmware updates included in the firmware update package to one or more respective target ECUs;
  
  computing, with a bootloader included in a target ECU of the one or more respective target ECUs, a checksum for a respective firmware update; and
  
  signing, with the bootloader, the checksum using a unique key associated with the target ECU.
- View Dependent Claims (10, 11, 12, 13, 14, 16)
- - 10. The method of claim 9, wherein the firmware update package is encrypted with an asymmetric key and each of the one or more firmware updates is encrypted with the unique key corresponding to the respective target ECU.
  - 11. The method of claim 9, further comprising, at the untrusted ECU:
    - decrypting the firmware update package; and
      
      transmitting a signed update command to the secure ECU.
  - 12. The method of claim 9, further comprising, at the secure ECU:
    - receiving a signed update command from the untrusted ECU, the signed update command indicative of the received firmware update package;
      
      authenticating the signed update command; and
      
      in accordance with a determination that the signed update command is authentic, transmitting a signed distribution command to initiate a transmission of one or more firmware updates to one or more target ECUs.
  - 13. The method of claim 12, further comprising, at the secure ECU:
    - in accordance with a determination that the signed updated command is inauthentic, transmitting a signed erase command to the untrusted ECU to initiate an erasure of the firmware update package.
  - 14. The method of claim 9, further comprising, at the secure ECU:
    - receiving a signed checksum from one or more target ECUs;
      
      verifying a signature of the signed checksum;
      
      verifying a result of the signed checksum; and
      
      in accordance with a determination that the signature is valid and the result is correct, transmitting one or more installation commands to the one or more target ECUs to install a respective firmware update corresponding to the signed checksum.
  - 16. The method of claim 9, wherein each unique key associated with each target ECU is a symmetric key.

15. The method of claim 15, further comprising, at the secure ECU:
- in accordance with a determination that the signature is not valid or the result is incorrect, transmitting one or more erase commands to the one or more target ECUs to erase a respective firmware update corresponding to the signed checksum.

17. A non-transitory computer-readable medium including instructions, which when executed by one or more processors, cause the one or more processors to perform a method for updating firmware at a vehicle, the method comprising:
- receiving, from a secure server, a firmware update package including one or more firmware updates;
  
  storing the firmware update package at a memory of an untrusted electronic control unit (ECU);
  
  authenticating, with a secure ECU, the firmware update package;
  
  in accordance with a determination that the firmware update package is authentic;
  
  transmitting one or more firmware updates included in the firmware update package to one or more respective target ECUs;
  
  computing, with a bootloader included in a target ECU of the one or more respective target ECUs, a checksum for a respective firmware update; and
  
  signing, with the bootloader, the checksum using a unique key associated with the target ECU.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Faraday & Future Inc.
Original Assignee
Faraday & Future Inc.
Inventors
McCauley, Phillip, Fernando, Jana Mahen, Coerper, Nathan

Granted Patent

US 10,171,478 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 8/65   Updates security arrangemen...

H04L 2209/84   Vehicles

H04L 63/0428   wherein the data content is...

H04L 63/0435   wherein the sending and rec...

H04L 63/0442   wherein the sending and rec...

H04L 63/045   wherein the sending and rec...

H04L 63/123   received data contents, e.g...

H04L 67/34   involving the movement of s...

H04L 9/0891   Revocation or update of sec...

H04L 9/3247   involving digital signatures

H04W 4/40   for vehicles, e.g. vehicle-...

EFFICIENT AND SECURE METHOD AND APPARATUS FOR FIRMWARE UPDATE

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

EFFICIENT AND SECURE METHOD AND APPARATUS FOR FIRMWARE UPDATE

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links