- An OTA update of a complex automotive computer system needs a software life-cycle management cloud, communicating securely with the vehicle's gateway and onboard electronics, and may also involve smartphones and smartwatches, the smart home and infrastructure, and third-party content providers.
- Today, whether with the manufacturer's proprietary tool or the increasingly popular SAE J2534 "Pass-Thru" tool (pictured), a vehicle's software update is generally performed in the repair shop.
Source: SAE Automotive Engineering
Chinese translation: SAE Shanghai Office
OTA reflashing: the challenges and solutions
Reprogrammable onboard modules have been in automotive use for more than a quarter century. But as electronic controls inhabit virtually every system today, anyone with a late-model vehicle knows that at some point, one or more of its electronic control systems will need to be "reflashed" with new software—often more than once.
In fact, even where the problem may be all-mechanical, including bearing knock, it can be ameliorated by new software for the engine computer.
While some of the reflashes are for customer satisfaction items, such as the air conditioning system that won't maintain set temperature, an increasing number are safety related. At best, perhaps 70% of the urgent notifications of a safety recall bring the customer into the dealership, and both government and industry are looking for ways to bring it as close to 100% as possible.
With autonomous driving on the horizon, the security and safety aspects create a new urgency for the ability to perform updates on a timeline that doesn't wait for the leisurely pace of a service appointment at the dealership.
Tesla success with OTA
Tesla's recent use of over-the-air (OTA) reprogramming has been successful, but this emergent OEM has a comparatively small owner base and that makes vehicle identification a simpler task. The typical Tesla reflash takes 45 minutes, but because the vehicles are electric drive, they can be reprogrammed during a recharge. Vehicles powered by gasoline and diesel engines face the more difficult issue of assessing battery state of charge to ensure it is high enough to complete the reflash.
Some automotive reflashes require so much time (perhaps more than a day) that presently the only way they can be made is with the car in a shop, using a proprietary factory tool or an SAE J2534 "Pass-Thru." Such reprogramming also includes use of a dedicated battery charger made for the specific purpose, so it produces a "clean" current flow that is free of electrical noise ("ripple") that could cause the operation to fail.
Because the carmakers are responsible for updates, they may start to install capacitors to smooth out the ripples from the charging system, making OTAs more feasible.
A related factor is available bandwidth, which could be subject to considerable change over a cellular network. That's why Tesla recommends its updates be performed with WiFi. Additionally, the OEM would have to design updates for piecemeal reflashing, so they can be installed incrementally as the system and needed battery capacity are available.
This issue goes beyond the need of a single module. Many updates are lengthy because of the design of the data bus in which it is installed. The update itself may apply for just the one module, but other modules on the bus may need to know about it, whether because there are new messages they must recognize, or know to ignore.
All suppliers of infotainment/onboard communications and WiFi are working with car makers to develop systems with OTA reprogramming function comparable to Tesla's, but the larger and more diverse the vehicle base, the more complex the task. There have been reports that several makers will begin to do some OTA this year.
Security is No. 1 issue
Russ Christensen, Director of Automotive Solutions Architecture for Wind River, a systems supplier in this area, said the No. 1 issue has become security. It begins at each end (the source of the update at one, likely a cloud server, and the car's infotainment system at the other) so each is talking to a known authority. In the car that authority usually would be the telematics/gateway module.
The key to security is in the architecture, he said, telling Automotive Engineering that presently such appendages as the smartphone and watch, and keyless entry, hitherto not so considered, can be "threat vectors" into the car. He added that the CAN bus (Controller Area Network) was not designed for encryption, although there are some strategies for accomplishing that.
Also required is a way to get an authenticated payload (the updated software) to the car and an electronic "place" to hold it, Christensen said. A manifest comes down with all updates; the car says okay, a signature comes from the cloud and the car validates it. The first update is then discharged to the ECU, which raises this issue: if the installation fails, the system needs to be able to activate a "restore" function to get the system back to its original setting.
If there are three updates in the manifest, and the failure occurs during the third, there may need to be a removal function, so the system reflashes back to the original state.
"None of this is hard," Christensen noted. "We just need the vehicle design to be able to do it." He cited the example of an "atomic update," where all updates must be installed at once or none should be.
Bypassing owner OK
Christensen cited banking industry money transfers as an example of the way installations must be executed with secure protocols, where a scheduled data transfer must be completed instantaneously, or the entire transaction goes back to its previous state.
When there is an urgent safety update, the comparatively slow pace that includes owner evaluation and approval may need a work-around. There might have to be a provision for abrogating authorization, although that would be a last resort for an OEM.
A critical aspect of the entire challenge of OTA updating is identifying the vehicle configuration. Many OEMs right now do not have software configuration matrices at a sufficient level of confidence to always be certain of the right software for all vehicles.
"The manufacturer can't even rely on the VIN once the car has left the assembly line," Christensen said, and certainly not if a module has been replaced.
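The update flow Christensen describes (a signed manifest, an authenticated payload, per-ECU installs that either all succeed or are all restored, and matching each update against the modules actually fitted rather than the VIN) is shown below as an added Python example. It is not code from the article or from Wind River: the key, module names, hardware ids, software versions and campaign id are all constructed for the demo, and HMAC-SHA256 stands in for the cloud's asymmetric signature so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). HMAC-SHA256 stands in for the cloud's asymmetric
# signature; a real gateway would hold only a public key and verify, e.g., Ed25519.
CLOUD_KEY = b"constructed-demo-key-not-a-real-secret"

class FlashError(Exception):
    """Raised when a module reports that programming failed."""

class Ecu:
    """In-memory stand-in for one reprogrammable onboard module."""
    def __init__(self, hw_id, sw_version, image):
        self.hw_id, self.sw_version, self.image = hw_id, sw_version, image
        self.fail_next_flash = False  # demo hook: simulate a failed install

    def flash(self, sw_version, image):
        if self.fail_next_flash:
            self.fail_next_flash = False
            raise FlashError(f"{self.hw_id}: programming failed")
        self.sw_version, self.image = sw_version, image

def sign_manifest(manifest, key=CLOUD_KEY):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_manifest(manifest, signature, key=CLOUD_KEY):
    return hmac.compare_digest(sign_manifest(manifest, key), signature)

def check_configuration(vehicle, manifest):
    """Match the manifest against the modules actually fitted (hardware id and
    current software), not the VIN; returns a list of mismatches."""
    problems = []
    for upd in manifest["updates"]:
        ecu = vehicle.get(upd["module"])
        if ecu is None or (ecu.hw_id, ecu.sw_version) != (upd["hw_id"], upd["from_sw"]):
            found = None if ecu is None else (ecu.hw_id, ecu.sw_version)
            problems.append(f"{upd['module']}: expected {(upd['hw_id'], upd['from_sw'])}, found {found}")
    return problems

def apply_manifest(vehicle, manifest, signature, images, key=CLOUD_KEY):
    """Install every update in the manifest or none of them (atomic update)."""
    if not verify_manifest(manifest, signature, key):
        return {"status": "bad_signature"}
    problems = check_configuration(vehicle, manifest)
    if problems:
        return {"status": "config_mismatch", "problems": problems}
    for upd in manifest["updates"]:  # authenticate every payload before flashing anything
        image = images.get(upd["module"])
        if image is None or hashlib.sha256(image).hexdigest() != upd["image_sha256"]:
            return {"status": "bad_payload", "module": upd["module"]}
    snapshots, installed = {}, []
    try:
        for upd in manifest["updates"]:
            ecu = vehicle[upd["module"]]
            snapshots[upd["module"]] = (ecu.sw_version, ecu.image)
            ecu.flash(upd["to_sw"], images[upd["module"]])
            installed.append(upd["module"])
    except FlashError as err:
        # "Restore": reflash already-updated modules back to their snapshots, newest
        # first, so the vehicle ends in its pre-update state.
        for module in reversed(installed):
            vehicle[module].flash(*snapshots[module])
        return {"status": "rolled_back", "error": str(err)}
    return {"status": "installed", "installed": installed}

def build_demo():
    """Constructed three-module vehicle plus a signed manifest updating all three."""
    vehicle = {"engine": Ecu("HW-ENG-2", "1.0", b"engine-fw-1.0"),
               "body": Ecu("HW-BDY-1", "3.2", b"body-fw-3.2"),
               "gateway": Ecu("HW-GW-7", "0.9", b"gw-fw-0.9")}
    images = {"engine": b"engine-fw-1.1", "body": b"body-fw-3.3", "gateway": b"gw-fw-1.0"}
    manifest = {"campaign": "DEMO-0001", "updates": [
        {"module": m, "hw_id": vehicle[m].hw_id, "from_sw": vehicle[m].sw_version,
         "to_sw": to, "image_sha256": hashlib.sha256(images[m]).hexdigest()}
        for m, to in (("engine", "1.1"), ("body", "3.3"), ("gateway", "1.0"))]}
    return vehicle, manifest, images, sign_manifest(manifest)

def demo_success():
    vehicle, manifest, images, sig = build_demo()
    status = apply_manifest(vehicle, manifest, sig, images)["status"]
    return status, {n: e.sw_version for n, e in vehicle.items()}

def demo_third_update_fails():
    vehicle, manifest, images, sig = build_demo()
    vehicle["gateway"].fail_next_flash = True  # third of three updates fails
    status = apply_manifest(vehicle, manifest, sig, images)["status"]
    return status, {n: e.sw_version for n, e in vehicle.items()}

def demo_rejections():
    vehicle, manifest, images, sig = build_demo()
    manifest["updates"][0]["to_sw"] = "9.9"  # altered after signing
    tampered = apply_manifest(vehicle, manifest, sig, images)["status"]
    vehicle, manifest, images, sig = build_demo()
    vehicle["body"] = Ecu("HW-BDY-2", "3.2", b"body-fw-3.2")  # module replaced in service
    return tampered, apply_manifest(vehicle, manifest, sig, images)["status"]
```

Running `demo_third_update_fails()` reproduces the three-update case from the text: the first two modules are flashed, the third fails, and the restore path reflashes the first two back to their snapshots so every version matches the pre-update state. `demo_rejections()` shows the two checks that refuse a campaign before any module is touched: a manifest changed after signing, and a vehicle whose body module was replaced and no longer matches the hardware id the manifest expects.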
- Author: Paul Weissler
- Industry: Automotive
- Topics: Safety; Ergonomics / human factors; Electrical, electronics and avionics