A detailed explanation of FOTA testing for in-vehicle equipment

Author | Li Wei, Director of the Security Evaluation Department, Shanghai Control Security

Source | Jianyuan Lab

Introduction: In the previous article, we used the vehicle Tbox as an example to introduce performance testing (the performance test of the car TBOX embedded device software). In this article, we introduce a dedicated test for another important function: the OTA (over-the-air) test. OTA testing varies with the OTA implementation each manufacturer selects, and this deserves attention: even within the same OEM, different models may use different OTA solutions and therefore require different test methods.

01  Before the official start

Vehicle OTA upgrades are now very common, so we will not repeat the concepts here. SOTA (software OTA) mainly targets upgrades of customer application software, which users usually download, install and upgrade from an application store. Compared with FOTA (firmware OTA), its technical implementation and testing are relatively simple, so we do not analyze it this time. This article is mainly about FOTA.

The complexity of a vehicle FOTA upgrade is closely tied to the number of devices involved. Upgrading two components is completely different in complexity from upgrading 20 components of the vehicle, and the difference is most obvious in the time spent. Testers are reminded in particular that test design for such scenarios must take test efficiency into account: as many individual test design points as possible should be completed in one upgrade process, without affecting the accuracy and effectiveness of the test.

Different OEMs use different technical solutions for vehicle FOTA. Generally speaking, the components involved in a vehicle upgrade can be divided into three categories. The first type of component can complete the whole upgrade process by itself (leaving aside the back-end FOTA upgrade server): it independently establishes the network connection, actively checks whether upgrade software is available, actively downloads and stores the software package, and actively performs the package upgrade. The Tbox is an example. The second type has relatively strong independent control, such as downloading, storing and installing the upgrade package on its own, but needs the cooperation of other components. Examples are the entertainment host system and the smart driving computer, which can independently download, check and store the upgrade package and complete the package upgrade, but need the Tbox to provide an Internet access channel. The third type cannot complete a program upgrade independently and requires the vehicle's FOTA upgrade master control device to control its software upgrade. Examples are the wiper controller, the air conditioning system controller and the seat controller.

The topology diagram of the vehicle FOTA upgrade is as follows:

Figure 1

02  The process of vehicle FOTA upgrade

The business process of vehicle FOTA upgrade can be roughly divided into the following four steps:

Step 1: Create tasks on the FOTA back-end server. Upgrade strategies and upgrade tasks are created based on vehicle models, vehicles and the ECU software packages to be upgraded. For this step, prepare the software package of the test piece, the test vehicle, and the model and vehicle information of the test vehicle.

Step 2: The vehicle side triggers the upgrade process automatically or manually, downloads the FOTA upgrade package to local storage on the vehicle, and checks, verifies and stores the package. Different OEMs adopt different FOTA solutions with different upgrade master control devices, so each project must be handled according to its actual situation.

Step 3: The ECU performs the software package upgrade.

Step 4: After the upgrade is completed, the master control device takes the vehicle out of the FOTA state, restores vehicle communication, runs diagnostics and updates the configuration word, clears fault codes, uploads the upgrade record to the FOTA server, and so on.

The flowchart of the FOTA function business is as follows:

Figure 2

03  Interaction of FOTA upgrade parts

The whole vehicle FOTA process is relatively complicated. Test design is usually written from the requirements document, and the FOTA test is divided logically according to the upgrade steps. The test design for the functional requirement points in each step usually refers to the requirements document, while the upgrade message interaction in that step is verified against the FOTA technical specification of the current project.

The following figure is a simple FOTA upgrade interaction diagram. It applies to upgrades in which the master control ECU controls the FOTA process; components that do not rely on the master control for their upgrade are not covered by it. Specific projects may differ from this example, so adapt it to the actual situation.

Figure 3 FOTA upgrade interaction diagram

The steps of interaction are roughly as follows:

(1) After the vehicle is started and certain conditions are met, the ICC (Intelligent Computing Controller) by default triggers a check for vehicle OTA version upgrades. Through the network service of the IAM (Intelligent Networking Controller), it connects to the OTA upgrade service back end to query tasks, and compares the local version records with those in the OTA back-end service to confirm whether the ECU software has been updated and needs to be upgraded.

(2) If there is a new software version and it conforms to the server's upgrade strategy, the download of the upgrade package starts. This process includes various pre-download condition checks, and some upgrade schemes also specify interruption and resumption of the download. After the download is complete, the software package is verified to confirm its correctness and integrity.

(3) After the new version is downloaded and confirmed, the ICC master control checks the vehicle status to confirm whether it meets the current upgrade requirements, for example that the vehicle gear is in P and the vehicle battery power is greater than 70%. If the upgrade conditions are met, the master control puts the vehicle or the components into the firmware flashing state and then executes the flashing process, reporting its progress synchronously until the upgrade is completed.

(4) After the software version upgrade is completed, the ICC master control performs the corresponding post-flashing checks and updates configuration information, such as updating the software version in the logistics information of the upgraded part, clearing fault codes, restoring the vehicle from the FOTA upgrade state to the normal state, and reporting the process records and results of this FOTA upgrade.
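A test for the interrupt-and-resume and package verification behaviour of step (2) can be scripted as below. This is an added example, not code from the article or from any OEM's FOTA solution; the `FakeServer` and `Downloader` classes, the chunk size, the sample package and the use of SHA-256 as the integrity check are all assumptions.

```python
import hashlib

CHUNK = 4                                     # constructed, small for readability
PACKAGE = b"constructed-ecu-firmware-image"   # constructed sample, not real firmware

class FakeServer:
    """Constructed stand-in for the OTA back end: serves byte ranges."""
    def __init__(self, package, corrupt_at=None):
        self.package = package
        self.corrupt_at = corrupt_at          # offset of a byte flipped in transit

    def read(self, offset, size):
        data = bytearray(self.package[offset:offset + size])
        if self.corrupt_at is not None and offset <= self.corrupt_at < offset + len(data):
            data[self.corrupt_at - offset] ^= 0xFF
        return bytes(data)

class Downloader:
    """Keeps partial data across interruptions and verifies before accepting."""
    def __init__(self, total_size, expected_sha256):
        self.total_size = total_size
        self.expected = expected_sha256       # assumed to come from the upgrade task
        self.partial = bytearray()

    def fetch(self, server, max_chunks=None):
        """Resume at the current offset; max_chunks simulates a dropped link."""
        sent = 0
        while len(self.partial) < self.total_size:
            if max_chunks is not None and sent >= max_chunks:
                return False                  # interrupted, partial data is kept
            self.partial += server.read(len(self.partial), CHUNK)
            sent += 1
        return True

    def verify(self):
        """Accept only if size and digest match; otherwise discard the data."""
        ok = (len(self.partial) == self.total_size
              and hashlib.sha256(self.partial).hexdigest() == self.expected)
        if not ok:
            self.partial.clear()              # a bad package must never reach flashing
        return ok

def run_case(package, interrupt_after=None, corrupt_at=None):
    """Return (accepted, stored_bytes) for one download scenario."""
    dl = Downloader(len(package), hashlib.sha256(package).hexdigest())
    if interrupt_after is not None:
        dl.fetch(FakeServer(package), max_chunks=interrupt_after)
    dl.fetch(FakeServer(package, corrupt_at))
    return dl.verify(), len(dl.partial)
```

The three outcomes a tester should observe are: a resumed download is accepted with the full package stored, and a package altered before or after the resume point is rejected with nothing left in storage.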

The trigger conditions for the upgrade process node steps are as follows:

Figure 4

04  Test points

The FOTA test of the whole vehicle is complicated, and the OEM usually runs it as a dedicated test task. When dozens of components take part in a whole-vehicle upgrade, testers may feel they do not know where to start, and a single complete upgrade may take 1 day or even more from preparation to the end of execution. We have sorted out the main points of FOTA testing in the hope of helping everyone.

(1) A FOTA upgrade involves many components, complex scenarios, and a lengthy overall process with many steps. The test design therefore usually classifies FOTA tests by stage and by step.

(2) Start from a small number of components and gradually increase the number taking part in the upgrade until all components are involved.

(3) Components are usually added to the test in the order described in section 01 of this article: from fully independent, self-upgrading components such as the Tbox, to semi-independent, self-upgrading components such as the entertainment host, and finally to components that cannot upgrade independently and need the ICC master control to control their upgrade.

(4) The FOTA upgrade process is usually divided into the four stages described in section 02 of this article. Observable conditions are established at the beginning and end of each stage, and testers verify and confirm the input and output of each stage.

(5) In the integration test phase, especially the integration test of components, the test needs to go down to the message interaction of the FOTA upgrade protocol. It has to follow the interaction steps and use the communication protocol to confirm that each interaction step of the upgraded component is correct.

(6) Abnormal test scenarios are usually designed in reverse from the trigger conditions of each stage or step given in the technical specification, for example by making the vehicle power status, gear status, battery power, vehicle speed and other conditions abnormal one by one and in combination.
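The reverse design in point (6) can be generated mechanically from the list of trigger conditions. The following is an added example, not part of the original article: gear P and battery greater than 70% come from the text, while the power-mode and speed values, the abnormal value sets and the helper names are assumptions.

```python
from itertools import combinations, product

# Nominal state in which flashing may start. Power mode and speed values
# are assumptions; gear P and battery > 70% are taken from the article.
NOMINAL = {"power_mode": "ON", "gear": "P", "battery_pct": 80, "speed_kmh": 0}

# Constructed abnormal values per condition. 70 is the boundary case: the
# requirement is "greater than 70%", so exactly 70 must be refused.
ABNORMAL = {
    "power_mode": ["OFF", "CRANKING"],
    "gear": ["R", "N", "D"],
    "battery_pct": [70, 30],
    "speed_kmh": [5],
}

def upgrade_allowed(state):
    """Reference oracle for the precondition gate (hypothetical helper)."""
    return (state["power_mode"] == "ON" and state["gear"] == "P"
            and state["battery_pct"] > 70 and state["speed_kmh"] == 0)

def abnormal_cases(max_faults=2):
    """Yield (faulted_signals, state) with 1..max_faults conditions violated."""
    for n in range(1, max_faults + 1):
        for signals in combinations(ABNORMAL, n):
            for values in product(*(ABNORMAL[s] for s in signals)):
                yield signals, {**NOMINAL, **dict(zip(signals, values))}

def run_suite(gate):
    """Return the abnormal cases in which the gate under test permits flashing."""
    return [(sig, st) for sig, st in abnormal_cases() if gate(st)]

def buggy_gate(state):
    """Constructed defect: >= 70 instead of > 70 on the battery check."""
    return (state["power_mode"] == "ON" and state["gear"] == "P"
            and state["battery_pct"] >= 70 and state["speed_kmh"] == 0)
```

Every generated case must end with the upgrade refused; running the suite against `buggy_gate` shows the single-condition boundary case at exactly 70% as the only one that gets through.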


Origin blog.csdn.net/TICPSH/article/details/130283305