Reprogrammable onboard modules have been used in the automotive industry for more than 25 years. But today, with electronic controls spread across every system, every new-car owner understands one thing: the electronic control systems in their car will at some point need a software "update", and often more than once.
In fact, even purely mechanical problems such as bearing knock can be improved through a software update to the engine module.
While some updates are purely for customer satisfaction, such as fixing an air-conditioning system that cannot hold its set temperature, an increasing number are being issued for safety reasons. At best, only about 70% of urgent safety-recall notices bring customers back to the dealership for the update, which means the remaining vehicles may never be updated. Government and the automotive industry are both looking for ways to raise this figure as close to 100% as possible.
As autonomous driving comes into view, its safety requirements make the need for timely vehicle updates increasingly urgent; the situation no longer allows waiting until the owner finds time to book a dealership appointment.
Tesla's success with OTA
Tesla's recent over-the-air (OTA) update service has been very successful, but because Tesla has a comparatively small customer base, identifying vehicles is not difficult. A typical Tesla update takes 45 minutes, but since Teslas are electric vehicles that need charging, the update can be completed while charging. Gasoline- and diesel-powered vehicles are more complicated, because before updating one must first assess the battery's remaining charge to determine whether it will last until the update completes.
In fact, some vehicle updates take a very long time, possibly more than a day. In such cases the owner must go to a dealer, where the update is performed with the manufacturer's proprietary tool or an SAE J2534 "Pass-Thru" tool. Such updates also require a purpose-built battery charger, because only this kind of charger delivers "clean" current free of electrical noise, which could otherwise cause the update to fail.
Since automakers are responsible for updates, they may install capacitors that "filter" electrical noise in the charging equipment, making OTA adoption easier.
Another factor affecting updates is available bandwidth, which depends heavily on the state of the mobile network. It is precisely to ensure relatively stable bandwidth that Tesla recommends owners perform updates over Wi-Fi. Manufacturers also need to add resumable (checkpointed) transfer to updates, so owners can complete an update step by step whenever the system and battery capacity are available.
An update to one module is never only about that module. Because of the design of the data bus, some updates may take a long time. Although the update itself may target only one module, the other modules on the bus must also respond, learning in time when new messages appear and deciding whether to recognize or ignore them.
Almost all infotainment/telematics and Wi-Fi equipment suppliers are now working with automakers to develop Tesla-style systems that support OTA updates. But the larger the vehicle base and the more complex the model range, the harder this task becomes. There have been reports that some automakers will begin offering OTA updates this year.
Security is the top issue
Russ Christensen, Director of Automotive Solutions Architecture at automotive systems supplier Wind River, says the foremost issue is security. OTA runs end to end, with the update source, such as a cloud server, at one end and the vehicle's infotainment system at the other, so both ends must be talking to a "known, trusted authority". Inside the car, that authority is usually the vehicle's telematics or gateway module.
Christensen told SAE Automotive Engineering that under this architecture, accessories that are now often overlooked, such as smartphones, smartwatches and keyless entry systems, can all become "threat vectors" into the car. He added that although some projects are working on encrypting the CAN (Controller Area Network) bus, the bus itself was not designed for it.
Christensen said OTA updating also needs a way to download the authenticated content (here, the update software) into the car, and a "place" to store it. During an update, the vehicle receives a manifest listing all update items; once the vehicle signals "okay", the cloud sends its signature and the vehicle verifies it. The vehicle's ECU then begins the first update task. This raises a question: if installation fails, the system must be able to activate a "restore" function to return to the pre-update state.
Suppose a manifest has three update tasks and the third fails to install; the system then needs a "removal" function to return the system to its pre-update state.
"None of this is hard," Christensen noted. "We just need to build these capabilities into the vehicle at the design stage." He cited the "atomic update" as an analogy, in which all update tasks must be performed together or none is installed.
Bypassing the owner is acceptable
Christensen used bank money transfers as an example of the security protocol a vehicle must follow when installing an update. In a bank transfer, all of the scheduled data exchanges must complete instantaneously, or the entire transaction is rolled back to its previous state.
When an urgent safety update is needed, the process is relatively slow because it requires the owner's "evaluation" and "consent", so some workaround may be needed, such as rules on when the "owner authorization required" step may be skipped, although manufacturers would never do so except as a last resort.
Of all the challenges OTA updating faces, the most critical is accurately identifying the vehicle configuration. Many manufacturers currently do not have vehicle software configuration tables at a reliable level of confidence, so it is hard to guarantee the right software will be chosen for every vehicle.
"Once the vehicle leaves the line, the manufacturer can no longer count on the Vehicle Identification Number (VIN) to identify its configuration," Christensen said, and it is even more complicated if modules in the car may have been replaced.
Author:
Source: SAE Automotive Engineering
Translation: SAE Shanghai Office
OTA reflashing: the challenges and solutions
Reprogrammable onboard modules have been in automotive use for more than a quarter century. But as electronic controls inhabit virtually every system today, anyone with a late-model vehicle knows that at some point, one or more of its electronic control systems will need to be "reflashed" with new software—often more than once.
In fact, even where the problem may be all-mechanical, including bearing knock, it can be ameliorated by new software for the engine computer.
While some of the reflashes are for customer satisfaction items, such as the air conditioning system that won't maintain set temperature, an increasing number are safety related. At best, perhaps 70% of the urgent notifications of a safety recall bring the customer into the dealership, and both government and industry are looking for ways to bring it as close to 100% as possible.
With autonomous driving on the horizon, the security and safety aspects create a new urgency for the ability to perform updates on a timeline that doesn't wait for the leisurely pace of a service appointment at the dealership.
Tesla success with OTA
Tesla's recent use of over-the-air (OTA) reprogramming has been successful, but this emergent OEM has a comparatively small owner base and that makes vehicle identification a simpler task. The typical Tesla reflash takes 45 minutes, but because the vehicles are electric drive, they can be reprogrammed during a recharge. Vehicles powered by gasoline and diesel engines face the more difficult issue of assessing battery state of charge to ensure it is high enough to complete the reflash.
Some automotive reflashes require so much time (perhaps more than a day) that presently the only way they can be made is with the car in a shop, using a proprietary factory tool or an SAE J2534 "Pass-Thru." Such reprogramming also includes use of a dedicated battery charger made for the specific purpose, so it produces a "clean" current flow that is free of electrical noise ("ripple") that could cause the operation to fail.
Because the carmakers are responsible for updates, they may start to install capacitors to smooth out the ripples from the charging system, making OTAs more feasible.
A related factor is available bandwidth, which could be subject to considerable change over a cellular network. That's why Tesla recommends its updates be performed with WiFi. Additionally, the OEM would have to design updates for piecemeal reflashing, so they can be installed incrementally as the system and needed battery capacity are available.
This issue goes beyond the need of a single module. Many updates are lengthy because of the design of the data bus in which it is installed. The update itself may apply for just the one module, but other modules on the bus may need to know about it, whether because there are new messages they must recognize, or know to ignore.
All suppliers of infotainment/onboard communications and WiFi are working with car makers to develop systems with OTA reprogramming function comparable to Tesla, but the larger and more diverse the vehicle base, the more complex the task. There have been reports that several makers will begin to do some OTA this year.
Security is No. 1 issue
Russ Christensen, Director of Automotive Solutions Architecture for Wind River, a systems supplier in this area, said the No. 1 issue has become security. It begins at each end (the source of the update at one, likely a cloud server, and the car's infotainment system at the other) so each is talking to a known authority. In the car that authority usually would be the telematics/gateway module.
The key to security is in the architecture, he said, telling Automotive Engineering that presently such appendages as the smartphone and watch, and keyless entry, hitherto not so considered, can be "threat vectors" into the car. He added that the CAN bus (Controller Area Network) was not designed for encryption, although there are some strategies for accomplishing that.
Also required is a way to get an authenticated payload (the updated software) to the car and having an electronic "place" to hold it, Christensen said. A manifest comes down with all updates; the car says okay, a signature comes from the cloud and the car validates it. The first update is then discharged to the ECU. Which raises this issue: if the installation fails, the system needs to be able to activate a "restore" function to get the system back to original setting.
If there are three updates in the manifest, and the failure occurs during the third, there may need to be a removal function, so the system reflashes back to the original state.
"None of this is hard," Christensen noted. "We just need the vehicle design to be able to do it." He cited the example of an "atomic update," where all updates must be installed at once or none should be.
Bypassing owner OK
Christensen cited banking industry money transfers as an example of the way installations must be executed with secure protocols, where a scheduled data transfer must be completed instantaneously, or the entire transaction goes back to its previous state.
When there is an urgent safety update, the comparatively slow pace that includes owner evaluation and approval may need a work-around. There might have to be a provision for abrogating authorization, although that would be a last resort for an OEM.
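The manifest-then-signature handshake and the all-or-nothing ("atomic") apply with restore that Christensen describes, together with the bank-transfer analogy, as an added example; this is not code from the article or from Wind River. It assumes a single HMAC key shared by cloud and gateway as a stand-in for the OEM's signature (a real gateway would verify an asymmetric signature with a stored public key), in-memory ECU images, and constructed payloads, one of which is deliberately corrupted so that the third item of the manifest fails.

```python
import hashlib
import hmac
import json

# Constructed demo key. Stand-in for the OEM signing key; a real deployment
# would sign in the cloud with a private key and verify with a public key.
OEM_KEY = b"demo-oem-signing-key"

def sign_manifest(manifest: dict) -> str:
    """Cloud side: sign the canonical (sorted-key) JSON of the manifest."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(OEM_KEY, body, hashlib.sha256).hexdigest()

def verify_manifest(manifest: dict, signature: str) -> bool:
    """Car side: constant-time check that the manifest is authentic."""
    return hmac.compare_digest(sign_manifest(manifest), signature)

class Ecu:
    """One module on the bus: current image plus a backup slot for restore."""
    def __init__(self, name: str, image: bytes):
        self.name, self.image, self.backup = name, image, None
    def flash(self, payload: bytes, expected_sha256: str) -> bool:
        if hashlib.sha256(payload).hexdigest() != expected_sha256:
            return False                      # corrupted payload: refuse it
        self.backup, self.image = self.image, payload
        return True
    def restore(self) -> None:
        if self.backup is not None:           # "removal": back to pre-update
            self.image, self.backup = self.backup, None

def apply_update(ecus: dict, manifest: dict, signature: str, payloads: dict) -> bool:
    """Atomic apply: every manifest item installs, or every ECU is restored."""
    if not verify_manifest(manifest, signature):
        return False                          # unsigned/tampered manifest
    applied = []
    for item in manifest["updates"]:
        ecu = ecus[item["ecu"]]
        if not ecu.flash(payloads.get(item["ecu"], b""), item["sha256"]):
            for done in reversed(applied):    # roll back earlier installs
                done.restore()
            return False
        applied.append(ecu)
    return True

def demo():
    """Third-of-three failure is rolled back; a clean retry then succeeds."""
    ecus = {n: Ecu(n, b"v1-" + n.encode()) for n in ("engine", "body", "gateway")}
    good = {n: b"v2-" + n.encode() for n in ecus}       # constructed payloads
    manifest = {"vin": "CONSTRUCTED-VIN", "updates": [
        {"ecu": n, "sha256": hashlib.sha256(good[n]).hexdigest()} for n in ecus]}
    sig = sign_manifest(manifest)
    failed = apply_update(ecus, manifest, sig, dict(good, gateway=b"garbage"))
    rolled_back = all(e.image == b"v1-" + e.name.encode() for e in ecus.values())
    return failed, rolled_back, apply_update(ecus, manifest, sig, good)
```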
A critical aspect of the entire challenge of OTA updating is identifying the vehicle configuration. Many OEMs right now do not have software configuration matrices at a sufficient level of confidence to always be certain of the right software for all vehicles.
"The manufacturer can't even rely on the VIN once the car has left the assembly line," Christensen said, and certainly not if a module has been replaced.