The RH850/U2A MCU is the first member of Renesas' cross-domain MCUs, featuring an architectural design that supports EVITA Full-level cybersecurity functions, enabling the device to support safe and rapid Full No-Wait Over-the-Air (OTA) software updates as security requirements evolve. This automotive control microcontroller adopts a dual-core lockstep architecture and can be configured with up to four groups of CPU cores with a main frequency of up to 400 MHz. Each core integrates hardware virtualization assistance functions, so that multiple software systems with different ISO 26262 functional safety levels can run independently, without interfering with one another, while the device stays in a high-performance operating state. At the same time, it effectively reduces the performance loss caused by virtualization and preserves real-time computing efficiency. The RH850/U2A MCU integrates a multi-protocol network interface array, enabling efficient processing of the massive heterogeneous data streams generated by the diverse sensors in ADAS and autonomous driving systems. This architecture provides forward-looking support for system design, meeting next-generation high-speed network transmission standards and rigorous communication bandwidth requirements.
The evolution of Ethernet OTA directly responds to the transformation needs of the automotive industry towards "software-defined vehicles". With the Ethernet-based OTA solution, the vehicle-level software refresh time can be reduced from 7.2 hours in the CAN era to 18 minutes. Meanwhile, it supports security mechanisms such as A/B partition verification and digital signature verification, meeting the mandatory certification requirements of the UNECE R156 regulation for software update management systems.
As the core support for the evolution of the intelligent vehicle electronic architecture, the necessity of Ethernet OTA technology is mainly reflected in three aspects: First, in the face of the exponential growth in the complexity of in-vehicle software, the traditional offline flashing method can no longer meet the requirements of high-frequency ECU firmware updates. Second, the ISO 21434 cybersecurity standard mandates that vehicles should have the ability to perform hot-fixes for security vulnerabilities within 72 hours. Third, the iteration of autonomous driving algorithms requires reliable transmission of 50-100 GB data packets, far exceeding the carrying capacity of traditional CAN/LIN buses.
The Qinglong Ethernet FOTA system architecture supports the FOTA function in Ethernet communication scenarios. It realizes the UDS diagnostic flashing for Ethernet communication through the TCP/IP, DoIP, SoAd, and Dcm modules, and meets the Cybersecurity requirements of various OEM specifications by adapting to the Crypto Library. The following are the function descriptions of each module:
- Bootloader
The BootManager module provides FOTA startup management functions and supports the adaptation of hardware and software SecureBoot functions. The expected MAC values of the Bootloader and Application are stored when the device is programmed and flashed. During the startup phase, SecureBoot performs software integrity verification by calculating the MACs of the Bootloader and Application and comparing them with the stored values, ensuring that the software security requirements are met.
- Ethernet Com
The DoIP module implements Ethernet send and receive functions over TCP/IP as defined by the ISO 13400 standard. It carries out the UDS flashing process through the vehicle identification, routing activation, and diagnostic message functions, thereby providing the Ethernet OTA function.
- Crypto, HSM
The Ethernet OTA supports the adaptation of the Muniu encryption library functions. It combines asymmetric encryption algorithms with other encryption algorithms to achieve the secure flashing function. It adapts the certificate authentication function to meet the security diagnostic requirements and adapts to the HSM to improve the stability and verification speed of the Cybersecurity function.
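As an added illustration of the SecureBoot flow described for the Bootloader module above (example code, not the BootManager's own implementation), the following Python stores expected MACs at programming time and re-derives and compares them at startup, verifying the Bootloader before the Application and halting on the first mismatch. HMAC-SHA256 stands in for the device's MAC algorithm, which the page does not name; the key and image contents are constructed sample values.

```python
import hashlib
import hmac

# Verification order matters: the Bootloader is checked first, then the Application.
BOOT_CHAIN = ("Bootloader", "Application")


def compute_mac(key: bytes, image: bytes) -> bytes:
    """HMAC-SHA256 is an assumption standing in for the device MAC algorithm."""
    return hmac.new(key, image, hashlib.sha256).digest()


def program_expected_macs(key: bytes, images: dict) -> dict:
    """Programming/flashing step: record the expected MAC of each image."""
    return {stage: compute_mac(key, images[stage]) for stage in BOOT_CHAIN}


def secure_boot(key: bytes, images: dict, expected: dict) -> str:
    """Startup step: recompute each MAC and compare it with the stored value.

    Returns "Application" when both stages verify, otherwise a halt message
    naming the first stage that failed. Nothing later in the chain is checked
    once a stage fails, so a corrupted Bootloader never reaches the Application.
    """
    for stage in BOOT_CHAIN:
        actual = compute_mac(key, images[stage])
        # compare_digest is constant-time; a byte-wise early-exit compare leaks timing
        if not hmac.compare_digest(actual, expected[stage]):
            return f"halt: {stage} MAC mismatch"
    return "Application"


# Constructed sample images (not a real RH850/U2A flash layout).
SAMPLE_KEY = b"constructed-device-mac-key"
SAMPLE_IMAGES = {"Bootloader": b"\x7fBOOT" * 16, "Application": b"\x7fAPP\x00" * 32}
```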
The external diagnostic device and the in-vehicle DoIP entity complete the communication connection through vehicle identification, connection establishment, and routing activation, and execute the diagnostic flashing function of Ethernet OTA by sending diagnostic services. The process of establishing communication between the external diagnostic device and the in-vehicle DoIP entity is shown in the following figure.
The purpose of the vehicle discovery process is to inform other DoIP nodes in the current local area network of the DoIP attributes of a node. Other DoIP nodes can decide whether to establish a communication connection with it based on the communication requirements of the current node:
a) After power-on, the Client actively sends a Vehicle Announcement Message / Vehicle Identification Request in a broadcast manner, carrying information such as logical address, VIN, and EID in the message.
b) The Server that receives this message replies with a Vehicle Identification Response message in a unicast form, which also carries information such as logical address, VIN, and EID.
After the Client and the Server complete vehicle identification, they conduct UDS communication by establishing a TCP connection:
a) The Client actively establishes a TCP connection with the Server through a three-way handshake:
  - First handshake: The client sends a data packet with the SYN (Synchronize) flag to the server. This packet contains the initial sequence number selected by the client, indicating that the client wishes to establish a connection with the server.
  - Second handshake: After receiving the client's SYN packet, the server sends a data packet with both SYN and ACK (Acknowledgment) flags to the client. The sequence number in this packet is the initial sequence number selected by the server, and the acknowledgment number is the client's sequence number plus 1. This indicates that the server has received the client's connection request and is ready to establish a connection with the client.
  - Third handshake: After receiving the server's SYN + ACK packet, the client sends a data packet with the ACK flag to the server. The acknowledgment number is the server's sequence number plus 1, indicating that the client has received the server's response and the connection is successfully established. At this point, the TCP connection is officially established, and the client and the server can start data transmission.
b) The Client sends a Routing Activation Request message to request route activation. The Server either approves or rejects the activation request based on the actual situation and informs the Client of the activation result by sending a Routing Activation Response message.
After the routing activation is completed, the diagnostic tester (host computer) sends a diagnostic flashing request via the DoIP protocol. It interacts using payload types such as diagnostic messages (0x8001), positive diagnostic acknowledgements (0x8002), and negative diagnostic acknowledgements (0x8003), and sends the specified diagnostic message data according to the flashing process. There is no significant difference between this diagnostic flashing process and the CAN flashing process.
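As an added example (not the Qinglong project's own code), the following Python builds and validates the DoIP frames exchanged in step b) and in the diagnostic phase above: the ISO 13400-2 generic header, a Routing Activation Request, a 0x8001 diagnostic message, and the 0x8002/0x8003 acknowledgements. The logical addresses and UDS bytes are constructed sample values, and a receiver-side check rejects frames whose version pair or length field is inconsistent before any payload is trusted.

```python
import struct

# ISO 13400-2 generic header: protocol version, inverse version, payload type, payload length
DOIP_VERSION = 0x02                 # ISO 13400-2:2012
HEADER = struct.Struct(">BBHI")     # all DoIP fields are big-endian

ROUTING_ACTIVATION_REQ = 0x0005
DIAG_MESSAGE = 0x8001               # payload types named in the text
DIAG_POS_ACK = 0x8002
DIAG_NEG_ACK = 0x8003


def build_message(payload_type: int, payload: bytes) -> bytes:
    """Prefix a payload with the generic header; the inverse version is version XOR 0xFF."""
    return HEADER.pack(DOIP_VERSION, DOIP_VERSION ^ 0xFF, payload_type, len(payload)) + payload


def build_routing_activation_request(tester_sa: int, activation_type: int = 0x00) -> bytes:
    """Step b): tester logical address, activation type (0x00 = default), 4 reserved zero bytes."""
    return build_message(ROUTING_ACTIVATION_REQ, struct.pack(">HB4x", tester_sa, activation_type))


def build_diag_message(sa: int, ta: int, uds: bytes) -> bytes:
    """0x8001: source address, target address, then the UDS request bytes."""
    return build_message(DIAG_MESSAGE, struct.pack(">HH", sa, ta) + uds)


def parse_message(frame: bytes):
    """Validate the header and return (payload_type, payload); raise ValueError if malformed."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than the generic header")
    version, inverse, payload_type, length = HEADER.unpack_from(frame)
    # Check the version pair before trusting the length field taken from the wire.
    if version != DOIP_VERSION or version ^ inverse != 0xFF:
        raise ValueError("protocol version / inverse version mismatch")
    if length != len(frame) - HEADER.size:
        raise ValueError("payload length does not match the frame")
    return payload_type, frame[HEADER.size:]


def parse_diag_ack(frame: bytes):
    """Decode 0x8002 / 0x8003: returns (payload_type, sa, ta, ack_or_nack_code, echoed_data)."""
    payload_type, payload = parse_message(frame)
    if payload_type not in (DIAG_POS_ACK, DIAG_NEG_ACK) or len(payload) < 5:
        raise ValueError("not a diagnostic acknowledgement")
    sa, ta, code = struct.unpack_from(">HHB", payload)
    return payload_type, sa, ta, code, payload[5:]
```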
The main advantage of Ethernet flashing over CAN flashing is the much higher communication rate of Ethernet. Common rates are 100 Mbps, 1000 Mbps or even higher, which allows data to be transmitted much faster and greatly shortens the flashing time. At the same time, since Ethernet communication adopts a star topology, all nodes are connected through devices such as switches. The diagnostic device is connected to the target ECU via an Ethernet interface and network cable, and the Ethernet switch is used to perform data exchange and forwarding. This topology supports the connection of more devices, offers better network scalability, and is better suited to concurrent flashing of multiple nodes.
The network management functions of Ethernet are extensive: VLAN division, traffic control, and port binding can all be achieved through switches. In terms of security, multiple mechanisms such as IP address filtering, MAC address binding, and SSL/TLS encryption can be adopted to better protect data security and network security during the flashing process.
ZC Xuanwu Reprogramming Tool supports automated Boot testing, including diagnostic service testing, DID testing, robustness testing, and stress testing. It can freely configure DoIP communication settings such as logical addresses, VINs, and EIDs, as well as the diagnostic flashing process for different flashing scenarios. The following is the configuration interface of the ZC Xuanwu Reprogramming Tool: