WO1993013966A1 - Motor vehicle start-up control - Google Patents

Info

Publication number
WO1993013966A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
security system
electronic security
accessing
storage
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/GB1993/000014
Other languages
French (fr)
Inventor
David Alan Collier
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
OCEAN SOFTWARE Ltd
Original Assignee
OCEAN SOFTWARE Ltd
Priority claimed from GB929200313A (GB9200313D0)
Priority claimed from GB929211067A (GB9211067D0)
Application filed by OCEAN SOFTWARE Ltd
Publication of WO1993013966A1

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00: Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20: Means to switch the anti-theft system on or off
    • B60R25/24: Means to switch the anti-theft system on or off using electronic identifiers containing a code not memorised by the user
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07C: TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00: Registering or indicating the working of vehicles
    • G07C5/08: Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0841: Registering performance data
    • G07C5/085: Registering performance data using electronic data carriers
    • G07C5/0858: Registering performance data using electronic data carriers wherein the data carrier is removable
    • G: PHYSICS
    • G07: CHECKING-DEVICES
    • G07C: TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00: Individual registration on entry or exit
    • G07C9/20: Individual registration on entry or exit involving the use of a pass

Definitions

  • This invention relates to electronic security systems for controlling access to or operation or not of associated means or equipment, and has particular but not exclusive application to preventing unauthorised starting of motor vehicles having electronic engine management systems.
  • Modern motor vehicles increasingly have electronic engine management systems comprising integrated semiconductor electronic circuitry including a data processing or computing chip, typically a microprocessor chip (CPU).
  • CPU: central processing unit
  • programmable microprocessor chips including RAM (random access memory), ROM (read-only memory) and EEPROM (electronically erasable programmable read-only memory) facilities on the same chip are of interest here, though not necessarily exclusively.
  • an electronic security system comprises programmable data storage means and program storage means, both associated with data processing means; one user-related accessing means having storage for machine-readable data individual to its intended user; and access means for reading said data individual to a user so that, at a first reading thereof, at least some of that data is written to said programmable storage means, which data from the programmable storage means and accessing means will be used by the data processing means at subsequent readings to deny access to and/or some sought operation of said data processing means except for the one user-related accessing means or a copy thereof.
  • Microprocessor chips as above-mentioned can afford integral association of all or part of each of the data processing means, the programmable data storage means and the program storage means, say all on one semiconductor integrated circuit, or with only parts of programmable data storage and/or program storage elsewhere; and can effect the denying of access, thus control thereof, in conjunction with the access means, particularly where the latter is controlled by the microprocessor as is preferred.
  • the accessing means can be a card having semiconductor integrated circuit type data storage means (whether simply as a programmable memory chip, say of EEPROM type as will be described, to produce the data individual to intended user directly from storage, or as a programmable logic chip configured to generate the data individual to intended user, or otherwise), and the access means can be a card reader (whether locally timed and controlled or operated by the data processing means even if remote therefrom).
  • key or jack type accessing means and socket type reading means but still with the former preferably incorporating embedded integrated storage for the data individual to the intended user.
  • the data individual to intended user be of substantial amount, typically of the order of 128 bits or more.
  • data can include more than some PIN characters, preferably of a personal and/or point-of-sale nature conveniently including relevance to the data processing means and its host system, say relating to purchase/supply, even registration details (as applies to a motor vehicle), further preferably written to the accessing means and thence to the programmable storage means at point-of-sale.
  • Overall check data, typically of a summing results nature, is particularly useful, say in normal reading and comparison of all personal data first and including recalculation by the data processing means for comparison with the check data stored and read from the accessing means.
  • Doing so for the same data increases resistance to data corruption, at least where multiple reads are provided for before denying access etc, then say up to the number of possible sets. Doing so for different sets of data allows controlled limited extension of access, say by a vehicle fleet manager without requiring an undue multiplicity of individual accessing means.
  • the other way is to ensure that manufacturer-originating data is not present on the accessing means and is entered to the programmable storage means associated with the data processing means separately and previously, though conveniently by means of an essentially similar nature to the accessing means, say in association with setting up manufacturers' testing of security provisions hereof before final configuration by intended user related data.
  • a security mode (of access to and/or operation of data processing means and a host or controlled system by way of accessing means and access means relative to comparison of data from the accessing means and stored in programmable data storage means associated with the data processing means) is preceded by an other mode or modes, particularly a mode permitting access to and operation of the data processing means without any entry of data individual to a user; and further preferred that such other mode (called herein a "manufacturer's" or "base" mode) cannot be re-established at least once the security mode has been entered, or can be re-entered only in special circumstances also involving use of a currently valid accessing means.
  • Such provision is of particular value in manufacture of a motor vehicle having a microcomputer controlled engine management system, so as to permit all normal manufacturing procedures, including testing of the vehicle and its parts; and in effecting change of personal data, say at a second sale of the host system for said data processing means; and constitutes another aspect of this invention: whether viewed as requirement for at least two types of accessing means, one usable itself to afford access etc only before first use of a second and preferably itself, but feasibly yet another, usable only in conjunction with the second, say sequentially in order to configure to another and different accessing means typically of the second type, further preferably then with additional dependence on inducing a prescribed state of the host system.
  • a further useful provision and further aspect of this invention is that data processing means with associated access control means and accessing means and a base mode of operation independent of access control and accessing means required for a security mode of operation has a further mode of operation (herein called a 'test' mode) that could be by way of further accessing means for checking that the data processing and access control are operative.
  • test mode can be considered as part of the base mode, at least if any such further accessing means causes at least effective reversion to the base mode at its removal from the access means.
  • test mode even the base mode itself, involve some data entry, say as a number and a related check-sum.
  • the test mode could usefully be, or be followed by, a stage at which any manufacturer-originating data is inserted.
  • a 'test' card as the further accessing means could be the same card as may be required for the base mode itself, even a card that ultimately becomes the user's card, say by having pre-storage of manufacturer's information at some other stage of production, and post-storage of user/owner's data at point-of-sale, though that is only one option (as the security-mode accessing means may preferably be limited to personal data only).
  • Specific implementation can involve detecting and responding to an unused state of microprocessor chips which, at first supply with power after production of a system employing same, have no deliberately entered contents of its EEPROM part, with that unused state being detected as not corresponding to any enabling state, and suitable for response by initialising to a state where the EEPROM part receives and stores some predetermined data content that can, at that stage, be the same for all units, i.e. as a 'base' mode state applicable during manufacture/assembly of the host or controlled system.
  • Such 'base' mode can permit any operation of all or part of the host or controlled system, effectively with transparency of security provision as though not present at all.
  • transition to any 'test' mode, or even enabling of operation or further operation of the host or controlled system can involve accessing means presenting access control data corresponding to the predetermined initialising data, say comprising a manufacturer's "master" or "pass" or "test" card; and further enabling basic testing of the microprocessor controlling system for freedom from faults and thus readiness to respond to a user/owner's accessing means to go into "security" mode.
  • the use of stored check sums for EEPROM data contents, and thus that must change at least from initialising data to customising data (of user/owner's accessing means) facilitates implementation. Once there is a change of check sum to that for the security state,
  • Accessing means for base or test modes may advantageously differ from user/owner's accessing means in that only the former stores the initialising data or something related thereto.
  • microprocessor system itself to be able to reset at least partially to 'base' or 'test' mode, but preferably only in the event of detecting corrupted or faulty data as stored on its own EEPROM part, thus allowing re-reading of the owner/user's accessing means, even automatic reprogramming its own EEPROM to correspond. That is feasible on a basis where faulty data detection does not extend to or include data input from accessing means, say limited to check data related problems internally of the data processing system; and may well be unnecessary given present estimates of EEPROM data life of at least 20, even 40, years.
  • a particularly preferred feature is for internal checking to repeat for a sufficient time to span any likely noise, such as spikes from air-conditioning equipment if fitted to a motor vehicle.
  • One approach hereof is to require a first access and actual start-up using the current user/owner's accessing means and then further require its removal and replacement by a base mode accessing means before inducing a particular condition, say stalling a motor vehicle engine (which may be preferred to normal switch-off). Then, a new user/owner's accessing means can be programmed, but only in those circumstances.
  • 'blank' accessing means can have any specifically manufacturer's data pre-recorded, or wholly or partly inserted by special accessing means, e.g. all or parts of engine and/or chassis numbers; and its "blank" filled by data all available from the owner/user, e.g. date(s) of sale and/or registration, registration details, and PIN number. Then, only inexpensive card writing means, conveniently to an EEPROM of the cards, is required even for roadside replacement of lost accessing means without requiring significant skills to operate.
  • Protection against full replacement of a system such as a vehicle engine management unit, having security as aforesaid can be achieved by effectively repeating the EEPROM storage, or at least part of it, somewhere in the controlled equipment or communications therewith, for example in the so-called wiring loom or a polling type of communication, or at individual units of the controlled equipment, or combinations thereof.
  • Such storage devices, or at least one of them separate from ancillary electronic equipment can be installed so as to be extremely difficult if not impossible to remove without disabling damage thereto.
  • said at least one EEPROM-based unit to be considered primary and to cause the data processing system to deny said access etc if there is no match, but for other units in ancillary equipment (e.g. radio, CD player, telephone) to be used only for enabling the associated ancillary equipment. Even so, there is useful deterrent security in that the ancillary equipment will not work without the intended user's accessing means, indeed without being in the host system. Only minor additional program/gating provisions would be required for ancillary equipment that is microprocessor-based.
  • Security systems hereof find particularly advantageous application along with alarm systems and may interact therewith to indicate unauthorised attempts to start a vehicle, even where the alarm system is primarily functional as a warning of unauthorised actual or attempted entry to the vehicle itself.
  • Another aspect of this invention arises from storage in a microprocessor of information which, at least for motor vehicles, is or can be, of interest in itself, for example in control relative to limited-access areas or places, or in the event of seeking to locate or identify a particular vehicle (say if stolen), or to authorities as may be represented by police.
  • transponder means associated with the microprocessor and its storage means for response to a received signal to transmit at least some signals representing stored information.
  • the received signal(s) might further include identification information that could result in the microprocessor disabling the protected/controlled system when received and matched with at least part of its stored information.
  • Figure 1 is a block circuit diagram of electronics for a vehicle with security and alarm provision
  • Figure 2 shows data structure and progression through modes of operation of security provision
  • FIG. 3 is a flow diagram for operation of such security provisions.
  • Figure 4 shows an alternative accessing means in combination with an ignition key.
  • a microprocessor control chip 10 has various parts all on a single semiconductor chip including for data processing at 12, for input/output at 14, for program storage at 16 and for programmable data at 18. It will be appreciated there will normally be other integral parts (such as RAM), and that an external clock crystal will be required, the chip including appropriate timing signal generation and other logic etc as may be required. Access control means is shown by way of a card reader 20 and one or more cards 22A,B read under control of the microprocessor chip 10 over communication bus 30 which can most economically be of a polled two-line type operating serially for data bits.
  • accessing means other than a card and related access control means could be used, conveniently of key or jack type with required contacts made along its stem in a suitable socket type entry of related access control means.
  • A particular preferred key or jack device will be described with reference to Figure 4.
  • the communication bus 30 is shown going also to an alarm system 40, specifically control unit 42 thereof shown supplied with entry or attempted entry sensor signals at inputs 44 and operating an alarm unit 46 that will usually give audible and/or visual indication of actual or attempted unauthorised entry.
  • An alarm enabling/disabling device 48 is shown, say as a key-operated switch in power supply thereto, and a further switch type device could be included for specifically cutting off communications from the microprocessor control, see dashed at 49.
  • the communication bus 30 also extends, via control circuitry 50, shown as gating circuitry, to take inputs from various signal sources 52 as required for engine management, for example at least ignition timing, oil pressure and water temperature problem conditions; and to various controlled units 54, for example at least ignition operation, fuel supply, and fuel/air mixture control etc.
  • a two-wire serial communication bus 30 is accessed with appropriate polling and interrupt capabilities controlled by the microprocessor unit 10.
  • any communication system could be used, including individually from each input signal source and/or to each controlled unit.
  • the control circuitry 50 if of a gating nature, should be in at least one vital communication, probably usually ignition or fuel supply.
  • control circuitry 50 could simply interact with the microprocessor unit 10 so that operation is disabled if the control circuitry does not produce matching information when accessed by the microprocessor unit 10. That alternative is indicated dashed (50') as another unit polled by the microprocessor unit 10 over the communication bus 30.
  • Preferred control circuitry 50 is a replication of at least part, further preferably only a part, of security data stored at 18 in microprocessor unit 10. Such data, as preferred herein, is stored in EEPROM, whether in the microprocessor 10 (at 18) or in the control circuitry 50.
  • Normal overall data structure includes both of specifically vehicle (or other controlled system)-related data, and specifically user/owner-related data.
  • control circuitry 50 (or 50') not containing all of any or each item of information, whether controlled system related or user/owner related. Indeed, it may well be preferred for the control circuitry 50 (or 50') to contain only parts of each item of only user/owner related information (including check sum, see last line of Figure 2) as such information is particularly individual in its nature.
  • the control circuitry 50 could be installed in a manner aimed at irretrievable damage occurring if removal is attempted (say "potted" to or in a panel or on or embedded in a wiring carrier such as a busboard), or within any component equipment, including ancillary equipment (whether "potted" or otherwise).
  • microprocessor-controlled ancillary equipment could be programmed to be operable only after successful matching between data on an accessing means and in the EEPROM 18 and in control circuitry 50", see branching 51 from bus 30 and ancillary equipments 53 hosting control circuitry 50".
  • the first line (A) of Figure 2 shows division of data stored in EEPROM 18 between manufacturer's data, for example name of manufacturer, vehicle model, chassis and/or engine number, place of manufacture etc, or some or parts thereof; and other data some of which is also related to the vehicle but has owner/sale connotations, for example registration number, date of sale and/or registration, but part is truly personal only to the owner and/or intended user, specifically indicated as a personal identification number (PIN).
  • PIN: personal identification number
  • a check sum (or other computed check data) is also incorporated so that integrity of stored data (at 18), specifically freedom from corruption, can be checked, say basically as a house-keeping task by the microprocessor unit 10.
  • Sensing of such conditions can be used herein, specifically during vehicle manufacture/testing prior to sale, or if security provisions hereof are not to be actuated simply to permit any and all desired or required access to controlled units of the vehicle system whenever required.
  • An alternative would be to set the contents of EEPROM 18 to states that specifically indicate a manufacturer's or base mode of operation whether as supplied or as a first stage in setting those contents.
  • FIG. 2 shows all data storage cells, including for manufacturers' data, set to hex-FF.
  • the fourth line (12) of Figure 2 shows some more significant data at M.N. for manufacturer's or base mode, together with a related check-sum CSB, the microprocessor 10 conveniently doing check data computations for whatever are the contents of the EEPROM 18 (other than indeterminate if that is permitted).
  • the looped sequence I of Figure 3 will go to the sequence of operations marked II involving setting up whatever is required by the central data processing part of the microprocessor 10, and reading any accessing means (e.g. card 22A or 22B) that is present, followed by comparison with EEPROM contents to ascertain whether there is a match to the card in the card reader 20 (or an adequate match in the case of card 22B).
  • the controlled system specifically engine management system and any ancillary equipment controlled by (or in any way enabled by) the microprocessor 10 (e.g. radio/cassette, air conditioning, trip computer display, general instrument display) will be enabled and thus operative.
  • Branching from the Sequence II will occur should there be no match for the card read in Sequence II, including no complete match where the manufacturers' card 22B contains manufacturers' data to be input to the EEPROM 18 of the microprocessor 10, but not (yet) ultimate user/owner's data.
  • the fact of being a manufacturers' card 22B will, of course, be detectable from all its user/owner's data fields being set to binary '1's or hex-FF, see (D) in Figure 2.
  • Such branching is shown in Figure 3 as going into a first Sequence III if the system is in base or manufacturers' mode, i.e. the card is a manufacturers' card (except usually for basic manufacturers' data M.N. and related check data/sum), i.e. being at least user/owner fields at hex-FF; and culminating in enabling manufacturers' testing of the microprocessor unit 10 itself and its related system.
  • This 'test' mode will normally, of course, include writing manufacturers' data to the EEPROM part 18 of the microprocessor 10, conveniently from data pre-recorded on the manufacturers' card 22A, though that could conceivably be otherwise or automatic once the microprocessor has derived M.N. from the card data and checked the check sum CSB.
  • Sequence IV: First comes reading the card again and comparing to see if it is the same, including check sum related thereto, i.e. for integrity of card and its stored contents. At least one failure is allowed, up to N being indicated as permitted, but, thereafter, one actuation/sounding of the alarm or another warning device results to indicate a defective card.
  • re-reading can be of the same stored data, i.e. at the same location in the card's EEPROM, effectively as a simple re-try by the microprocessor 10.
  • substantial advantage arises if the re-reading is from another location of the card's EEPROM, which can contain intendedly the same data. There is then increased protection against data corruption.
  • the possibility is available (without increased protection against corruption, the user being more or totally responsible for real re-try, e.g. by starting again) for effectively incorporating into an intended user/owner's card of a copy of another card altogether, then, of course, for another microprocessor and host system.
  • microprocessor chip has many advantages, including a stand-by mode with extremely low power consumption but capability still to monitor such things as alarm systems, central locking, etc, and be brought back into full operation at any authorised or unauthorised use or attempted use, also inherent capacity to control systems additional to engine management in itself. Costs are not excessive, maybe particularly for multiple system control, and implementation is highly flexible, compact and economic - one of the major configuration exercises being development of a mask-defined ROM that can be largely if not wholly the same or similar for each if not every vehicle manufacturer.
  • a transponder 60 is also shown with access to the input/output section 14 of the microprocessor chip 10, also over lines 30, and is shown with an aerial system 62, though any form of transducer suited to received signals could be used, at least additionally, see at 64 for indications of inductive loop, sonic, or "magic eye" (light) sensors.
  • the transponder 60 can be polled along with other input and controlled system units 52,54, or it can be operative on an interrupt or separate mode basis requiring it to be serviced whether or not the microprocessor system is operational following a successful card-reader access, and without interfering with such operation unless that is called for by the received signal(s).
  • the response of the microprocessor 10 to such received signal(s) can be to transmit all or part of the data stored at its EEPROM section 18 or even to close down all or selected parts of microprocessor operation, thus the or some of the controlled system units 54.
  • the transponder itself may have locally associated storage for the data it is to be able to transmit, then usually by way of further EEPROM-type provision (though it is feasible for the transponder to utilise the control circuitry 50, or part thereof).
  • the data to be transmitted by the transponder would not include the user/owner's PIN data (which encourages use of separate transponder storage or selective access to the microprocessor's EEPROM section 18).
  • microprocessor chip represents highly advantageous deployment of the teachings of this invention in its various aspects. However, it is functionally viable to operate by way of adding storage as a separate chip or chips associated with a microprocessor chip of lesser capabilities.
  • Figure 4 shows a key or jack type device 70 as alternative to a card type of accessing means.
  • Its stem 72 has contact shells or segments 74A,B,C,D separated by insulation rings 76A,B,C.
  • the contacts 74A-D serve typically for power, data, clock and chip select energisations or signals, actually respectively for one embodiment (but not necessarily).
  • Connections are shown dashed therefrom to an EEPROM chip 80 within head 82, conveniently potted therein to make disassembly difficult if not impossible.
  • a suitable reader or access means for such a device 70 will have a socket to accept the stem 72 and contacts along the socket to make connections with bussing to/from the microprocessor 10.
  • the right hand side of Figure 4 is a vehicle ignition key 90 with a conventional stem 92 having appropriate mechanical lock-release teeth (not shown) and a head 94 with a bore 96 to take the stem 72 and a face 98 to be abutted by the head 82 of the accessing device 70.
  • Such a combination device is as readily carried as a single ignition key.
  • there can be two types of accessing means, both typically machine-readable cards or key/jack devices, preferably having EEPROM data storage chips.
  • One type of accessing means can be, and generally is, free of any owner-specific data (such as PIN), or even host system (e.g. vehicle)-specific data (at least if to be entered otherwise), though it may well be made effectively generic to a particular manufacturer's vehicles or vehicle models.
  • the fifth line of Figure 2 shows (at D) contents for such accessing means with some or all of MFR DATA considered optional.
  • the other type of card can and generally does, contain data specific to the owner of the vehicle concerned and may well further contain vehicle-specific data.
  • the sixth line of Figure 2 shows (at E) contents of such accessing means, including space free for any other data a manufacturer might choose.
  • a preferred use for said one type of accessing means is in testing vehicle mobilising/immobilising provision in itself.
  • the vehicle manufacturer will need to do that before delivery of the vehicle after manufacture if it has an electronic security system hereof, or at least one that is to be actuated as definite sales feature of the vehicle, and the vehicle dealer may also need to do so before sale to a customer and programming the owner's accessing means of said other type.
  • Said one type of accessing means will leave the engine management control system in a state where said other type of accessing means will "customise" the system so that mobilisation/immobilisation provision reflects data written to specific accessing means of said other type.
  • a particularly preferred feature is that an intended user/owner's accessing means can be removed after starting the vehicle concerned and that vehicle will continue to run until the engine is turned off, even, if desired, until ignition is turned off, or some other condition applies that is definite as to a particular use or journey being over.
  • Such preferred feature protects against accidental removal of enabling accessory means, and can protect against problems should the vehicle's engine be stalled and require swift re-starting.
  • mobilisation/ immobilisation provisions hereof respond to presentation of an accessing means of said one type, after starting by a card of the other type (perhaps preferably stopping or stalling the engine too) by clearing the mobilisation/immobilisation provision of data specific to the particular one type accessing means required for enablement; and further to require presentation of an owner-specific accessing means again to write, or re-write, owner-specific data to the mobilisation/immobilisation provision.
  • This is a variation on resale preferences previously described and can be useful in permitting servicing of a vehicle.
  • Check data can be a means whereby the types of accessing means are distinguished, whether by presence or absence of the check sum or number or by accessing means of said one type having a prescribed check sum or number (if not some other characteristic data). As previously indicated, further self-checking arises from use of check data in the EEPROM 18.
  • a mobilisation/immobilisation provision hereof is not of necessity applicable only to a vehicle with a sophisticated computerised engine management system, and incorporated into the microprocessor of such a system.
  • the mobilisation/immobilisation provision can be a unit associated with some lesser engine control system, say for ignition timing or even fuel metering only.
  • Security is, of course, significantly enhanced if the provision and system are effectively merged, say mainly physically by deployment on a single printed circuit board and in a unit that is necessarily irreparably damaged in any attempt to disassemble or remove it.
  • EEPROM based control circuitry as above indicated for further control provision 50 has further implications and capabilities, for example enabling a replacement engine management unit to be programmed automatically into security mode, specifically have all comparison data entered automatically after its replacement with a 'virgin' unit, and have that done simply by programmed interaction between the unit and the control circuitry but only when a valid user's card (matching data in the control circuitry) is presented.
  • a useful alternative is for part of such reprogramming to take place from control circuitry 50 (or 50'), but require completion by the intended user/owner's card. Such provision will obviate any need for specific programming by the installer of a replacement engine management unit.
  • any replacement unit say a radio or compact disc player or even an access security system controller, that is to have some or all of the security data matched for operation, say at least the user's PIN number. Implications will be evident for simply and effectively rejecting any new or replacement unit that does not have valid PIN data matching a 'true' user's card. It is further useful and advantageous to combine such control circuitry with a transmitter or transponder so that enabling data can be sent to external equipment, for example to control vehicle access to sites such as car parks, or leaving same (say if requiring user's card present for transmit mode), or to disable any vehicle presence sensing alarm system if having provision for receiving signals from the transmitter/transponder. It is even feasible for instructions to be sent from external equipment via a receiver so as to impose control, such as vehicle speed limitation or even disabling entirely, by external equipment.
  • a useful variation on provisions for modifying a vehicle mobilisation/immobilisation system hereof to operate relative to a new accessing means (as required or desirable at second sale of the vehicle concerned) avoids stalling the engine, even starting and stopping the engine, and may find particular application for vehicles with automatic transmissions.
  • the owner's accessing means to be replaced is still required to be used first, but only for switching ignition on after which a suitable short time period, say up to about ten seconds, is allowed for its removal and replacement by a manufacturer's accessing means, after which the system will permit, perhaps again with a time constraint modification in accordance with a new owner's accessing means.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Lock And Its Accessories (AREA)

Abstract

Electronic security system comprises programmable data storage means (18) and program storage means (16), both associated with data processing means (12), typically in an integrated circuit microprocessor (10). One user-related accessing means (22A) has storage for machine-readable data individual to its intended user. Access means (20) serves to read said data individual to intended user, so that, at a first reading thereof, at least some of that data is written to said programmable storage means (18), which data will be used at subsequent readings of the accessing means (22A) to deny access to and/or some sought operation of the data processing means (12) except for the one user-related accessing means (or a copy thereof). The one accessing means (22A) can be written to at point of sale. Another type of accessing means (22B) can be used prior to the one accessing means and/or in prescribed association therewith either to store and transfer other data to the programmable data storage means (18) or to re-write said data individual to intended user.

Description

TITLE: MOTOR VEHICLE START-UP CONTROL
DESCRIPTION
This invention relates to electronic security systems for controlling access to or operation or not of associated means or equipment, and has particular but not exclusive application to preventing unauthorised starting of motor vehicles having electronic engine management systems.
Modern motor vehicles increasingly have electronic engine management systems comprising integrated semiconductor electronic circuitry including a data processing or computing chip, typically a microprocessor chip (CPU). Recent developments of programmable microprocessor chips including RAM (random access memory), ROM (read-only memory) and EEPROM (electronically erasable programmable read-only memory) facilities on the same chip are of interest here, though not necessarily exclusively.
According to one aspect of this invention, an electronic security system comprises programmable data storage means and program storage means, both associated with data processing means; one user-related accessing means having storage for machine-readable data individual to its intended user; and access means for reading said data individual to a user so that, at a first reading thereof, at least some of that data is written to said programmable storage means, which data from the programmable storage means and accessing means will be used by the data processing means at subsequent readings to deny access to and/or some sought operation of said data processing means except for the one user-related accessing means or a copy thereof.
Microprocessor chips as above-mentioned can afford integral association of all or part of each of the data processing means, the programmable data storage means and the program storage means, say all on one semiconductor integrated circuit, or with only parts of programmable data storage and/or program storage elsewhere; and can effect the denying of access thus control thereof in conjunction with the access means, particularly where the latter is controlled by the microprocessor as is preferred.
The accessing means can be a card having semiconductor integrated circuit type data storage means (whether simply as a programmable memory chip, say of EEPROM type as will be described, to produce the data individual to intended user directly from storage, or as a programmable logic chip configured to generate the data individual to intended user, or otherwise), and the access means can be a card reader (whether locally timed and controlled or operated by the data processing means even if remote therefrom). However, alternatives are feasible, for example key or jack type accessing means and socket type reading means, but still with the former preferably incorporating embedded integrated storage for the data individual to the intended user.
It is preferred that the data individual to intended user be of substantial amount, typically of the order of 128 bits or more. Then, such data can include more than some PIN characters, preferably of a personal and/or point-of-sale nature conveniently including relevance to the data processing means and its host system, say relating to purchase/supply, even registration details (as applies to a motor vehicle), further preferably written to the accessing means and thence to the programmable storage means at point-of-sale. Overall check data, typically of a summing results nature, is particularly useful, say in normal reading and comparison of all personal data first and including recalculation by the data processing means for comparison with the check data stored and read from the accessing means.
Operation in accordance with this first aspect of the invention is herein termed a "security mode", and configuration at first use by the user is preferred as there need then be no other record of PIN (personal identification number) type data beyond whatever the user may decide to keep. Security is then inherently greater than if such PIN type data was entered before first use and the accessing means configured accordingly, even with a re-configuration capability as presently permitted for so-called cash cards used for obtaining money from card-controlled dispensers at banks or elsewhere. However, such operation, as a variation on the first aspect, is not to be considered as necessarily outside the scope of aspects of the present invention. Even though not preferred herein, the important distinction would remain that there is intended one-to-one correspondence between operation of the data processing means and the accessing means of the intended user (no matter how many duplicates that user may hold or otherwise allow to be made). There is of course, also other basic distinction relative to configuring data processing systems for access by entry of pass-word data, which is normally from a keyboard or keypad. Relevance to controlling access/operation for motor vehicles should be apparent, but other applications are clearly not ruled out. In terms of copies of access means and one-to-one correspondence, an aspect of this invention envisages at least some accessing means capable of storing more than one set of data individual to intended user. Doing so for the same data increases resistance to data corruption, at least where multiple reads are provided for before denying access etc, then say up to the number of possible sets. Doing so for different sets of data allows controlled limited extension of access, say by a vehicle fleet manager without requiring an undue multiplicity of individual accessing means.
These distinctions, particularly one-to-one correspondence and its limited extension can be enhanced considerably, though in different senses, in two ways. One is by incorporation into total stored data in the programmable data storage means and in the accessing means of data particular to the data processing means concerned, especially by reference to a host or controlled system, for example a motor vehicle, say by way of manufacturer's identification, vehicle model identification, engine and/or chassis number(s) or parts thereof, place of manufacture, and date of sale whether by the manufacturer or by a supplying dealer, even supplying dealer information and vehicle registration number, etc. Obviously, some of such data additional to user/owner's PIN type data could be entered prior to leaving the manufacturer, and it may well be desirable to limit point-of-sale data to customer's PIN type data, date of sale and registration number and/or date. In preferred implementations there will generally be identification and access controlling data that goes beyond specifically user/owner-related data and is not even essentially dependent thereto (unlike bank account or bank branch sort coding for 'cash' cards). The other way is to ensure that manufacturer-originating data is not present on the accessing means and is entered to the programmable storage means associated with the data processing means separately and previously, though conveniently by means of an essentially similar nature to the accessing means, say in association with setting up manufacturers' testing of security provisions hereof before final configuration by intended user related data.
In implementing this invention, it is preferred that a security mode (of access to and/or operation of data processing means and a host or controlled system by way of accessing means and access means relative to comparison of data from the accessing means and stored in programmable data storage means associated with the data processing means) is preceded by an other mode or modes, particularly a mode permitting access to and operation of the data processing means without any entry of data individual to a user; and further preferred that such other mode (called herein a "manufacturer's" or "base" mode) cannot be re-established at least once the security mode has been entered, or can be re-entered only in special circumstances also involving use of a currently valid accessing means.
Such provision is of particular value in manufacture of a motor vehicle having a microcomputer controlled engine management system, so as to permit all normal manufacturing procedures, including testing of the vehicle and its parts; and in effecting change of personal data, say at a second sale of the host system for said data processing means; and constitutes another aspect of this invention: whether viewed as requirement for at least two types of accessing means, one usable itself to afford access etc only before first use of a second and preferably itself, but feasibly yet another, usable only in conjunction with the second, say sequentially in order to configure to another and different accessing means typically of the second type, further preferably then with additional dependence on inducing a prescribed state of the host system.
A further useful provision and further aspect of this invention is that data processing means with associated access control means and accessing means and a base mode of operation independent of access control and accessing means required for a security mode of operation has a further mode of operation (herein called a 'test' mode) that could be by way of further accessing means for checking that the data processing and access control are operative.
In practice, such test mode can be considered as part of the base mode, at least if any such further accessing means causes at least effective reversion to the base mode at its removal from the access means. However, it is preferred that the test mode, even the base mode itself, involve some data entry, say as a number and a related check-sum. The test mode could usefully be, or be followed by, a stage at which any manufacturer-originating data is inserted. Indeed, a 'test' card as the further accessing means could be the same card as may be required for the base mode itself, even a card that ultimately becomes the user's card, say by having pre-storage of manufacturer's information at some other stage of production, and post-storage of user/owner's data at point-of-sale, though that is only one option (as the security-mode accessing means may preferably be limited to personal data only).
Specific implementation can involve detecting and responding to an unused state of microprocessor chips which, at first supply with power after production of a system employing same, have no deliberately entered contents of its EEPROM part, with that unused state being detected as not corresponding to any enabling state, and suitable for response by initialising to a state where the EEPROM part receives and stores some predetermined data content that can, at that stage, be the same for all units, i.e. as a 'base' mode state applicable during manufacture/assembly of the host or controlled system. Such 'base' mode can permit any operation of all or part of the host or controlled system, effectively with transparency of security provision as though not present at all. Additionally or alternatively, transition to any 'test' mode, or even enabling of operation or further operation of the host or controlled system, can involve accessing means presenting access control data corresponding to the predetermined initialising data, say comprising a manufacturer's 'master' or "pass" or "test" card; and further enabling basic testing of the microprocessor controlling system for freedom from faults and thus readiness to respond to a user/owner's accessing means to go into "security" mode. The use of stored check sums for EEPROM data contents, and thus that must change at least from initialising data to customising data (of user/owner's accessing means), facilitates implementation. Once there is a change of check sum to that for the security state, reversion to previous check sum(s) for the base and/or test mode(s) can be made impossible, whether by overwriting or otherwise.
Accessing means for base or test modes may advantageously differ from user/owner's accessing means in that only the former stores the initialising data or something related thereto.
It can be useful for the microprocessor system itself to be able to reset at least partially to 'base' or 'test' mode, but preferably only in the event of detecting corrupted or faulty data as stored on its own EEPROM part, thus allowing re-reading of the owner/user's accessing means, even automatic reprogramming of its own EEPROM to correspond. That is feasible on a basis where faulty data detection does not extend to or include data input from accessing means, say limited to check data related problems internally of the data processing system; and may well be unnecessary given present estimates of EEPROM data life of at least 20, even 40, years. A particularly preferred feature is for internal checking to repeat for a sufficient time to span any likely noise, such as spikes from air-conditioning equipment if fitted to a motor vehicle.
One other circumstance in which resetting the microprocessor system at least partially to base mode is useful, is at subsequent sales of protected equipment, typically motor vehicles. Doing so without unacceptable loss of security can be problematic. One approach hereof is to require a first access and actual start-up using the current user/owner's accessing means and then further require its removal and replacement by a base mode accessing means before inducing a particular condition, say stalling a motor vehicle engine (which may be preferred to normal switch-off). Then, a new user/owner's accessing means can be programmed, but only in those circumstances. Implementation is conveniently such that 'blank' accessing means can have any specifically manufacturer's data pre-recorded, or wholly or partly inserted by special accessing means, e.g. all or parts of engine and/or chassis numbers; and its "blank" filled by data all available from the owner/user, e.g. date(s) of sale and/or registration, registration details, and PIN number. Then, only inexpensive card writing means, conveniently to an EEPROM of the cards, is required even for roadside replacement of lost accessing means without requiring significant skills to operate.
Protection against full replacement of a system, such as a vehicle engine management unit, having security as aforesaid can be achieved by effectively repeating the EEPROM storage, or at least part of it, somewhere in the controlled equipment or communications therewith, for example in the so-called wiring loom or a polling type of communication, or at individual units of the controlled equipment, or combinations thereof. Such storage devices, or at least one of them separate from ancillary electronic equipment, can be installed so as to be extremely difficult if not impossible to remove without disabling damage thereto. We have particular preference for said at least one EEPROM-based unit to be considered primary and to cause the data processing system to deny said access etc if there is no match, but for other units in ancillary equipment (e.g. radio, CD player, telephone) to be used only for enabling the associated ancillary equipment. Even so, there is useful deterrent security in that the ancillary equipment will not work without the intended user's accessing means, indeed without being in the host system. Only minor additional program/gating provisions would be required for ancillary equipment that is microprocessor-based.
Security systems hereof find particularly advantageous application along with alarm systems and may interact therewith to indicate unauthorised attempts to start a vehicle, even where the alarm system is primarily functional as a warning of unauthorised actual or attempted entry to the vehicle itself.
Another aspect of this invention arises from storage in a microprocessor of information which, at least for motor vehicles, is or can be, of interest in itself, for example in control relative to limited-access areas or places, or in the event of seeking to locate or identify a particular vehicle (say if stolen), or to authorities as may be represented by police. Accordingly, where stored information only is concerned, rather than access to operation of a protected/controlled system, provision is envisaged of transponder means associated with the microprocessor and its storage means for response to a received signal to transmit at least some signals representing stored information. The received signal(s) might further include identification information that could result in the microprocessor disabling the protected/controlled system when received and matched with at least part of its stored information.
Specific implementation will now be described by way of example with reference to the accompanying drawings, in which:
Figure 1 is a block circuit diagram of electronics for a vehicle with security and alarm provision;
Figure 2 shows data structure and progression through modes of operation of security provision;
Figure 3 is a flow diagram for operation of such security provisions; and
Figure 4 shows an alternative accessing means in combination with an ignition key.
In Figure 1, a microprocessor control chip 10 has various parts all on a single semiconductor chip including for data processing at 12, for input/output at 14, for program storage at 16 and for programmable data at 18. It will be appreciated there will normally be other integral parts (such as RAM), and that an external clock crystal will be required, the chip including appropriate timing signal generation and other logic etc as may be required. Access control means is shown by way of a card reader 20 and one or more cards 22A,B read under control of the microprocessor chip 10 over communication bus 30 which can most economically be of a polled two-line type operating serially for data bits. It will be appreciated that accessing means other than a card and related access control means could be used, conveniently of key or jack type with required contacts made along its stem in a suitable socket type entry of related access control means. A particular preferred key or jack device will be described with reference to Figure 4.
The communication bus 30 is shown going also to an alarm system 40, specifically control unit 42 thereof shown supplied with entry or attempted entry sensor signals at inputs 44 and operating an alarm unit 46 that will usually give audible and/or visual indication of actual or attempted unauthorised entry. An alarm enabling/disabling device 48 is shown, say as a key-operated switch in power supply thereto, and a further switch type device could be included for specifically cutting off communications from the microprocessor control, see dashed at 49.
The communication bus 30 also extends, via control circuitry 50, shown as gating circuitry, to take inputs from various signal sources 52 as required for engine management, for example at least ignition timing, oil pressure and water temperature problem conditions; and to various controlled units 54, for example at least ignition operation, fuel supply, and fuel/air mixture control etc. A two-wire serial communication bus 30 is accessed with appropriate polling and interrupt capabilities controlled by the microprocessor unit 10. However, any communication system could be used, including individually from each input signal source and/or to each controlled unit. Then, however, the control circuitry 50, if of a gating nature, should be in at least one vital communication, probably usually ignition or fuel supply. Alternative control circuitry 50 could simply interact with the microprocessor unit 10 so that operation is disabled if the control circuitry does not produce matching information when accessed by the microprocessor unit 10. That alternative is indicated dashed (50') as another unit polled by the microprocessor unit 10 over the communication bus 30.
Preferred control circuitry 50 is a replication of at least part, further preferably only a part, of security data stored at 18 in microprocessor unit 10. Such data, as preferred herein, is stored in EEPROM, whether in the microprocessor 10 (at 18) or in the control circuitry 50. Normal overall data structure includes both of specifically vehicle (or other controlled system)-related data, and specifically user/owner-related data. There is security advantage in the control circuitry 50 (or 50') not containing all of any or each item of information, whether controlled system related or user/owner related. Indeed, it may well be preferred for the control circuitry 50 (or 50') to contain only parts of each item of only user/owner related information (including check sum, see last line of Figure 2) as such information is particularly individual in its nature.
The control circuitry 50 (perhaps most likely as at 50') could be installed in a manner aimed at irretrievable damage occurring if removal is attempted (say "potted" to or in a panel or on or embedded in a wiring carrier such as a busboard), or within any component equipment, including ancillary equipment (whether "potted" or otherwise). There may be plural such control circuitry 50 (or 50'), and association/incorporation into ancillary equipment has further security connotations for the ancillary equipment itself. Thus, microprocessor-controlled ancillary equipment could be programmed to be operable only after successful matching between data on an accessing means and in the EEPROM 18 and in control circuitry 50", see branching 51 from bus 30 and ancillary equipments 53 hosting control circuitry 50".
The first line (A) of Figure 2 shows division of data stored in EEPROM 18 between manufacturer's data, for example name of manufacturer, vehicle model, chassis and/or engine number, place of manufacture etc, or some or parts thereof; and other data some of which is also related to the vehicle but has owner/sale connotations, for example registration number, date of sale and/or registration, but part is truly personal only to the owner and/or intended user, specifically indicated as a personal identification number (PIN) . A check sum (or other computed check data) is also incorporated so that integrity of stored data (at 18), specifically freedom from corruption, can be checked, say basically as a house-keeping task by the microprocessor unit 10.
It will be appreciated that, for conventional word-organised EEPROM storage 18 (or 50), say of 16-bit width, the aforesaid data will extend over many words, say eight or sixteen or more, basically as may be desired, but with greater storage capacity for the microprocessor or EEPROM than at the control circuitry 50 (or 50' or 50").
It is characteristic of such storage provisions of a semiconductor type that, after manufacture and until specifically set to desired or required values (i.e. used as a memory), the contents are either indeterminate or random, and not satisfying any criteria applicable to storage of generated check data (such as sums) as envisaged for the purposes hereof. This characteristic can, of course, be sensed at powering up the microprocessor unit, effectively simply by a read operation that produces a result not satisfying check sum criteria or otherwise revealing indeterminate states of storage bits/cells, and is indicated at the second line (B) of Figure 2. Sensing of such conditions can be used herein, specifically during vehicle manufacture/testing prior to sale, or if security provisions hereof are not to be actuated simply to permit any and all desired or required access to controlled units of the vehicle system whenever required. An alternative would be to set the contents of EEPROM 18 to states that specifically indicate a manufacturer's or base mode of operation whether as supplied or as a first stage in setting those contents.
In practice, it is advantageous to rely upon presence or absence of specific stored data at specific bit positions of the EEPROM 18, say to indicate at least readiness and intention for the security system to be deployed. Such specific stored data may be unique to a vehicle manufacturer, even a model or range of that manufacturer, and could be installed in the as-supplied state of the microprocessor 10, particularly as it is normal to buy-in engine management units. A particular preference herein is for all of at least point-of-sale and ultimate owner/user data bits/cells to be set to predetermined values that will never be used for their ultimate intended security purpose, say all bits to binary '1' or all cells to hex-FF. The third line (C1) of Figure 2 shows all data storage cells, including for manufacturers' data, set to hex-FF. The fourth line (C2) of Figure 2 shows some more significant data at M.N. for manufacturer's or base mode, together with a related check-sum CSB, the microprocessor 10 conveniently doing check data computations for whatever are the contents of the EEPROM 18 (other than indeterminate if that is permitted). The looped sequence marked I of the flow diagram of Figure 3 shows such operation as an automatic reaction to powering up a virgin microprocessor, though the microprocessor could be supplied in this state or have it so set by the vehicle manufacturer. Presence of the data M.N. in the EEPROM 18 represents proof of the microprocessor EEPROM having left its virgin state and been put (or a start made on putting it) at least into manufacturers' or base mode.
Once the base or manufacturers' mode is set, the looped sequence I of Figure 3 will go to the sequence of operations marked II involving setting up whatever is required by the central data processing part of the microprocessor 10, and reading any accessing means (e.g. card 22A or 22B) that is present, followed by comparison with EEPROM contents to ascertain whether there is a match to the card in the card reader 20 (or an adequate match in the case of card 22B). There would, of course, normally be parallel or sequential reading and comparison with contents of the EEPROM gating circuitry 50 and requiring a match there also (in the case of a card 22A). If so, the controlled system, specifically engine management system and any ancillary equipment controlled by (or in any way enabled by) the microprocessor 10 (e.g. radio/cassette, air conditioning, trip computer display, general instrument display) will be enabled and thus operative.
It will be appreciated that, at least if EEPROM contents are sufficiently resistant to ever being randomised or rendered indeterminate once they have been deliberately set, the above enabling could be done without reading of a card and comparison as aforesaid, say in response to sensing absence of any card at all. Moreover, there would then be no strict need for setting the EEPROM to manufacturers' or base mode, at least by way of a manufacturers' accessing means. However, it is preferred to require use of a manufacturers' card, as shown dashed at 22B in Figure 1, specifically a card that contains the specific data M.N. or related data, say as an inversion or other scramble thereof, but otherwise as at (D) in the fifth line of Figure 2.
Branching from the Sequence II will occur should there be no match for the card read in Sequence II, including no complete match where the manufacturers' card 22B contains manufacturers' data to be input to the EEPROM 18 of the microprocessor 10, but not (yet) ultimate user/owner's data. The fact of being a manufacturers' card 22B will, of course, be detectable from all its user/owner's data fields being set to binary '1's or hex-FF, see (D) in Figure 2. Such branching is shown in Figure 3 as going into a first Sequence III if the system is in base or manufacturers' mode, i.e. according to all-'1's or hex-FF in the EEPROM; and the card is a manufacturers' card (except usually for basic manufacturers' data M.N. and related check data/sum), i.e. being at least user/owner fields at hex-FF; and culminating in enabling manufacturers' testing of the microprocessor unit 10 itself and its related system.
This 'test' mode will normally, of course, include writing manufacturers' data to the EEPROM part 18 of the microprocessor 10, conveniently from data pre-recorded on the manufacturers' card 22A, though that could conceivably be otherwise or automatic once the microprocessor has derived M.N. from the card data and checked the check sum CSB.
If manufacturers' or base mode applies and the card is not the manufacturer's card, there will be customising to the first use of an intended user/owner's card, see Sequence IV. First comes reading the card again and comparing to see if it is the same, including check sum related thereto, i.e. for integrity of card and its stored contents. At least one failure is allowed, up to N being indicated as permitted, but, thereafter, one actuation/sounding of the alarm or another warning device results to indicate a defective card.
For an intended user/owner's card (22A), re-reading can be of the same stored data, i.e. at the same location in the card's EEPROM, effectively as a simple re-try by the microprocessor 10. However, substantial advantage arises if the re-reading is from another location of the card's EEPROM, which can contain intendedly the same data. There is then increased protection against data corruption. In addition, however, the possibility is available (without increased protection against corruption, the user being more or totally responsible for real re-try, e.g. by starting again) for effectively incorporating into an intended user/owner's card a copy of another card altogether, then, of course, for another microprocessor and host system.
Next, if the card's integrity or validity is established, a similar procedure applies, for a manufacturers' card or an intended user/owner's card presented while the system is in manufacturers' or base mode, to writing the card contents to the EEPROM 18 or actuating/sounding the alarm or other warning device twice to indicate a different defect.
Should there be no match for the card read in the reader 20, and the microprocessor 10 is not in its base or manufacturers' mode, another Sequence V is entered, as circumstances correspond to attempting access with the wrong card, i.e. unauthorised access. That is shown leading to actuating the main alarm, blocking the microprocessor 10 from all other operation, and to a time-out for the alarm (as is most often provided for vehicle alarm systems to avoid complete vehicle battery draining). It will be appreciated that alarm actuation and blocking of any further microprocessor operation can be simultaneous rather than sequential.
It will be appreciated that the whole of the above can add to security by operation relative to check data, such as sums, particularly for an intended user/owner's card (22A) by way of the microprocessor 10 recalculating check data before comparing with that on the card (22A), and generally by the check data in the EEPROM 18 being for its contents taken overall. Also, using the operations described relative to Figure 3, a manufacturers' card could become a first intended user/owner's card by addition thereto of only point-of-sale data and personal data.
However, it is by no means essential for an intended user/owner's card to contain more than point-of-sale and personal data and a related check sum, i.e. not the manufacturer's data.
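The decision flow of Sequences I to V described above, including re-reading from a second card location and recalculation of check data, as an added C model that is not part of the patent text. The field sizes, the M.N. value, the additive check sum, the two card locations and the rejection of a manufacturers' card carrying a wrong M.N. are assumptions of this example; the owner-change procedure is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COPIES 2  /* card locations holding the same record (assumed count) */
static const uint8_t BASE_MN[2] = {0x4D, 0x4E};  /* constructed stand-in for M.N. */

typedef struct {
    uint8_t mn[2];   /* specific data M.N. marking base mode */
    uint8_t mfr[4];  /* manufacturer's data (assumed size) */
    uint8_t usr[6];  /* point-of-sale and owner PIN data; all hex-FF = unset */
    uint8_t chk;     /* check sum over every preceding byte */
} rec_t;

typedef struct { rec_t copy[COPIES]; } card_t;
typedef enum { ENABLED, TEST_MODE, CUSTOMISED, CARD_DEFECT, ALARM_BLOCKED } outcome_t;

/* Assumed check data: 8-bit additive sum (the page does not fix an algorithm). */
static uint8_t checksum(const rec_t *r) {
    const uint8_t *p = (const uint8_t *)r;
    uint8_t s = 0;
    for (size_t i = 0; i < offsetof(rec_t, chk); i++) s = (uint8_t)(s + p[i]);
    return s;
}

static int all_ff(const uint8_t *p, size_t n) {
    while (n--) if (*p++ != 0xFF) return 0;
    return 1;
}

/* Recalculate check data at every read; fall back to the next card location. */
static const rec_t *read_card(const card_t *c) {
    for (int i = 0; i < COPIES; i++)
        if (checksum(&c->copy[i]) == c->copy[i].chk) return &c->copy[i];
    return NULL;
}

/* Build a card whose locations all hold the same record. */
static card_t make_card(const uint8_t mfr[4], const uint8_t usr[6]) {
    card_t c;
    memcpy(c.copy[0].mn, BASE_MN, 2);
    memcpy(c.copy[0].mfr, mfr, 4);
    memcpy(c.copy[0].usr, usr, 6);
    c.copy[0].chk = checksum(&c.copy[0]);
    for (int i = 1; i < COPIES; i++) c.copy[i] = c.copy[0];
    return c;
}

static outcome_t power_up(rec_t *ee, const card_t *card) {
    /* Sequence I: a virgin (all hex-FF) EEPROM is put into base mode. */
    if (all_ff((const uint8_t *)ee, sizeof *ee)) {
        memcpy(ee->mn, BASE_MN, sizeof ee->mn);
        ee->chk = checksum(ee);
    }
    int base_mode = all_ff(ee->usr, sizeof ee->usr);
    const rec_t *c = read_card(card);
    int mfr_card = c && all_ff(c->usr, sizeof c->usr);

    /* Sequence II: enable on a match (owner data, or M.N. plus manufacturer's data). */
    if (c && !mfr_card && memcmp(c->usr, ee->usr, sizeof ee->usr) == 0) return ENABLED;
    if (mfr_card && base_mode && memcmp(c->mn, ee->mn, sizeof ee->mn) == 0 &&
        memcmp(c->mfr, ee->mfr, sizeof ee->mfr) == 0) return ENABLED;

    if (!base_mode) return ALARM_BLOCKED;  /* Sequence V: wrong card after customising */
    if (!c) return CARD_DEFECT;            /* Sequence IV: no location passed the check */
    if (mfr_card) {                        /* Sequence III: manufacturers' test mode */
        if (memcmp(c->mn, ee->mn, sizeof ee->mn) != 0) return CARD_DEFECT; /* assumed */
        memcpy(ee->mfr, c->mfr, sizeof ee->mfr);
        ee->chk = checksum(ee);
        return TEST_MODE;
    }
    memcpy(ee->usr, c->usr, sizeof ee->usr);  /* Sequence IV: first owner card enrolled */
    ee->chk = checksum(ee);                   /* EEPROM check data covers all contents */
    return CUSTOMISED;
}

int main(void) {
    static const char *name[] = {"ENABLED", "TEST_MODE", "CUSTOMISED",
                                 "CARD_DEFECT", "ALARM_BLOCKED"};
    const uint8_t mfr[4] = {1, 2, 3, 4};                             /* constructed */
    const uint8_t unset[6] = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    const uint8_t owner[6] = {0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC};   /* constructed */
    rec_t ee;
    memset(&ee, 0xFF, sizeof ee);            /* virgin EEPROM */
    card_t mc = make_card(mfr, unset), oc = make_card(mfr, owner);
    puts(name[power_up(&ee, &mc)]);          /* manufacturers' card, base mode */
    puts(name[power_up(&ee, &oc)]);          /* first owner card */
    oc.copy[0].usr[0] ^= 1;                  /* corrupt the first card location */
    puts(name[power_up(&ee, &oc)]);          /* second location is still valid */
    return 0;
}
```

Because the first owner card presented in base mode is enrolled without any other credential, a unit left in base mode accepts whichever card arrives first; after enrolment every non-matching card takes the Sequence V path.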
The preferred type of microprocessor chip referred to above has many advantages, including a stand-by mode with extremely low power consumption but capability still to monitor such things as alarm systems, central locking, etc, and be brought back into full operation at any authorised or unauthorised use or attempted use, also inherent capacity to control systems additional to engine management in itself. Costs are not excessive, maybe particularly for multiple system control, and implementation is highly flexible, compact and economic - one of the major configuration exercises being development of a mask-defined ROM that can be largely if not wholly the same or similar for each if not every vehicle manufacturer.
It is further foreseen that advantage could be perceived from capability to change PIN numbers, say at subsequent sales of a vehicle concerned. One feasible way to do so would be by requiring use together of both of the previous owner's card and a manufacturers' card, or a further card for the specific required purpose. For a motor vehicle, a practical scheme and provision involves making entry to the microprocessor using the still-valid user's card and starting the engine, then inserting the manufacturers' (or further) card (while the engine remains running) and stalling the engine, to which the microprocessor is responsive to revert to manufacturer's or base mode and allow reconfiguration in accordance with the new user's card. Requirement for simultaneous use of three cards is seen as affording satisfactorily high security.
Reverting to Figure 1, a transponder 60 is also shown with access to the input/output section 14 of the microprocessor chip 10, also over lines 30, and is shown with an aerial system 62, though any form of transducer suited to received signals could be used, at least additionally, see at 64 for indications of inductive loop, sonic, or "magic eye" (light) sensors. The transponder 60 can be polled along with other input and controlled system units 52, 54, or it can be operative on an interrupt or separate mode basis requiring it to be serviced whether or not the microprocessor system is operational following a successful card-reader access, and without interfering with such operation unless that is called for by the received signal(s). The response of the microprocessor 10 to such received signal(s) can be to transmit all or part of the data stored at its EEPROM section 18 or even to close down all or selected parts of microprocessor operation, thus the or some of the controlled system units 54. It will be appreciated that the transponder itself may have locally associated storage for the data it is to be able to transmit, then usually by way of further EEPROM-type provision (though it is feasible for the transponder to utilise the control circuitry 50, or part thereof). It will also be appreciated that the data to be transmitted by the transponder would not include the user/owner's PIN data (which encourages use of separate transponder storage or selective access to the microprocessor's EEPROM section 18).
The above-indicated preference for a single microprocessor chip represents highly advantageous deployment of the teachings of this invention in its various aspects. However, it is functionally viable to operate by way of adding storage as a separate chip or chips associated with a microprocessor chip of lesser capabilities.
Figure 4 shows a key or jack type device 70 as alternative to a card type of accessing means. Its stem 72 has contact shells or segments 74A,B,C,D separated by insulation rings 76A,B,C. The contacts 74A-D serve typically for power, data, clock and chip select energisations or signals, actually respectively for one embodiment (but not necessarily) . Connections are shown dashed therefrom to an EEPROM chip 80 within head 82, conveniently potted therein to make disassembly difficult if not impossible. A suitable reader or access means for such a device 70 will have a socket to accept the stem 72 and contacts along the socket to make connections with bussing to/from the microprocessor 10.
In fact, the right hand side of Figure 4 is a vehicle ignition key 90 with a conventional stem 92 having appropriate mechanical lock-release teeth (not shown) and a head 94 with a bore 96 to take the stem 72 and a face 98 to be abutted by the head 82 of the accessing device 70. There can be at least a light interference or snap fit between formations to or in the abutting faces or the stem 72 and the bore 96. Such a combination device is as readily carried as a single ignition key.
It is to be appreciated that a key or jack type device of Figure 4, together with a suitable socket type reader (which could appear in section very much as the card reader 20 of Figure 1), is to be taken as wholly equivalent to everything said functionally herein in relation to a card or cards.
In summary, or as advantageous implementation, or independent aspects of the invention, there can be two types of accessing means, both typically machine-readable cards or key/jack devices, preferably having EEPROM data storage chips. One type of accessing means can be, and generally is, free of any owner-specific data (such as PIN), or even host system (e.g. vehicle)-specific data (at least if to be entered otherwise), though it may well be made effectively generic to a particular manufacturer's vehicles or vehicle models. The fifth line of Figure 2 shows (at D) contents for such accessing means with some or all of MFR DATA considered optional. The other type of card can, and generally does, contain data specific to the owner of the vehicle concerned and may well further contain vehicle-specific data. The sixth line of Figure 2 shows (at E) contents of such accessing means, including space free for any other data a manufacturer might choose.
A preferred use for said one type of accessing means is in testing vehicle mobilising/immobilising provision in itself. The vehicle manufacturer will need to do that before delivery of the vehicle after manufacture if it has an electronic security system hereof, or at least one that is to be actuated as a definite sales feature of the vehicle, and the vehicle dealer may also need to do so before sale to a customer and programming the owner's accessing means of said other type. Said one type of accessing means will leave the engine management control system in a state where said other type of accessing means will "customise" the system so that mobilisation/immobilisation provision reflects data written to specific accessing means of said other type. Once customising has been done (at first use of a valid card of said other type normally set and written to at point of sale), only that particular accessing means of said other type will enable starting of the vehicle concerned. However, if no such (other type of) accessing means, i.e. with owner specific data, is presented for copying into the vehicle system, the mobilisation/immobilisation provision will have no effect, i.e. the vehicle can be started without use of any accessing means at all, and the mobilisation/immobilisation provisions are effectively dormant.
A particularly preferred feature is that an intended user/owner's accessing means can be removed after starting the vehicle concerned and that vehicle will continue to run until the engine is turned off, even, if desired, until ignition is turned off, or some other condition applies that is definite as to a particular use or journey being over. Such preferred feature protects against accidental removal of enabling accessing means, and can protect against problems should the vehicle's engine be stalled and require swift re-starting.
It is preferred that mobilisation/immobilisation provisions hereof respond to presentation of an accessing means of said one type, after starting by a card of the other type (perhaps preferably stopping or stalling the engine too) by clearing the mobilisation/immobilisation provision of data specific to the particular one type accessing means required for enablement; and further to require presentation of an owner-specific accessing means again to write, or re-write, owner-specific data to the mobilisation/immobilisation provision. This is a variation on resale preferences previously described and can be useful in permitting servicing of a vehicle.
Check data can be a means whereby the types of accessing means are distinguished, whether by presence or absence of the check sum or number or by accessing means of said one type having a prescribed check sum or number (if not some other characteristic data). As previously indicated, further self-checking arises from use of check data in the EEPROM 18.
A mobilisation/immobilisation provision hereof is not of necessity applicable only to a vehicle with a sophisticated computerised engine management system, and incorporated into the microprocessor of such a system. Instead, the mobilisation/immobilisation provision can be a unit associated with some lesser engine control system, say for ignition timing or even fuel metering only. Security is, of course, significantly enhanced if the provision and system are effectively merged, say mainly physically by deployment on a single printed circuit board and in a unit that is necessarily irreparably damaged in any attempt to disassemble or remove it.
Use of EEPROM based control circuitry as above indicated for further control provision 50 has further implications and capabilities, for example enabling a replacement engine management unit to be programmed automatically into security mode, specifically have all comparison data entered automatically after its replacement with a 'virgin' unit, and have that done simply by programmed interaction between the unit and the control circuitry but only when a valid user's card (matching data in the control circuitry) is presented. A useful alternative is for part of such reprogramming to take place from control circuitry 50 (or 50'), but require completion by the intended user/owner's card. Such provision will obviate any need for specific programming by the installer of a replacement engine management unit. Clearly, similar action is feasible automatically for any replacement unit, say a radio or compact disc player or even an access security system controller, that is to have some or all of the security data matched for operation, say at least the user's PIN number. Implications will be evident for simply and effectively rejecting any new or replacement unit that does not have valid PIN data matching a 'true' user's card. It is further useful and advantageous to combine such control circuitry with a transmitter or transponder so that enabling data can be sent to external equipment, for example to control vehicle access to sites such as car parks, or leaving same (say if requiring user's card present for transmit mode), or to disable any vehicle presence sensing alarm system if having provision for receiving signals from the transmitter/transponder. It is even feasible for instructions to be sent from external equipment via a receiver so as to impose control, such as vehicle speed limitation or even disabling entirely, by external equipment.
A useful variation on provisions for modifying a vehicle mobilisation/immobilisation system hereof to operate relative to a new accessing means (as required or desirable at second sale of the vehicle concerned), avoids stalling the engine, even starting and stopping the engine, and may find particular application for vehicles with automatic transmissions. In this variation, the owner's accessing means to be replaced is still required to be used first, but only for switching ignition on after which a suitable short time period, say up to about ten seconds, is allowed for its removal and replacement by a manufacturer's accessing means, after which the system will permit, perhaps again with a time constraint, modification in accordance with a new owner's accessing means. Again, of course, there is a requirement for availability together of three different accessing means, thus security against all but authorised modification as before.

Claims

1. Electronic security system comprising programmable data storage means and program storage means, both associated with data processing means; one user-related accessing means having storage for machine-readable data individual to its intended user; and access means for reading said data individual to intended user, so that, at a first reading thereof, at least some of that data is written to said programmable storage means, which data will be used at subsequent readings of the accessing means to deny access to and/or some sought operation of said data processing means except for the one user-related accessing means (or a copy thereof).
2. Electronic security system according to claim 1, wherein the access means is controlled by the data processing means.
3. Electronic security system according to claim 1 or claim 2, wherein all or part of each of the data processing means, the programmable data storage means and the program means are embodied in one semiconductor integrated circuit.
4. Electronic security system according to claim 3, wherein the single semiconductor integrated circuit is the microprocessor of an engine management unit for a vehicle.
5. Electronic security system according to any preceding claim, wherein the accessing means includes semiconductor integrated circuit type data storage means.
6. Electronic security system according to any preceding claim, wherein the programmable data storage means and/or storage means of the accessing means is/are of EEPROM semiconductor type.
7. Electronic security system according to any preceding claim, wherein the said data individual to intended user includes both of PIN data and point-of-sale/ownership data.
8. Electronic security system according to any preceding claim, wherein said storage of the accessing means further includes check data computed from said data individual to intended user.
9. Electronic security system according to claim 8, wherein the data processing means uses the check data at each reading of said accessing means by recalculation of check data from rest of said data individual to intended user followed by comparison with check data from the accessing means.
10. Electronic security system according to any preceding claim, wherein said accessing means has storage for two or more sets of data individual to intended user, and the data processing means causes reading of those sets sequentially before denying access and/or some sought operation.
11. Electronic security system according to claim 10, wherein the sets are different.
12. Electronic security system according to any preceding claim, wherein the programmable data storage means serves also to store data particular to the data processor means and any host system.
13. Electronic security system according to claim 12, wherein the data processing means serves to generate and the associated programmable data storage means serves to store check data for all other contents of the latter.
14. Electronic security system according to claim 12 or claim 13, wherein said particular data includes any or all of manufacturer identification, vehicle model or range identification, place of manufacture, engine and/or chassis numbers or parts thereof.
15. Electronic security system according to claim 12, 13 or 14, wherein said particular data is read for first storage to said programmable data storage means by said access means from storage of means other than said accessing means.
16. Electronic security system according to claim 15, wherein said other means is used prior to first use of said accessing means, particularly during manufacture/testing.
17. Electronic security system according to claim 15 or claim 16, wherein said other means also stores specific data, or a scrambled version thereof, related to actuating the security system in a host system for said data processing means.
18. Electronic security system according to claim 17, wherein said programmable data storage means contains said specific data and related check data before first use of said other means and storage to said programmable data storage means of said particular data.
19. Electronic security system according to any preceding claim, wherein a succeeding and different user-related accessing means can be used, but only after use of its predecessor and of further means readable by said access means.
20. Electronic security system according to claim 19 with any one of claims 12 to 18, wherein said further means is the same as said other means.
21. Electronic security system according to claim 19 or claim 20, wherein the data processing means must first be accessed and its host system operated by the current predecessor access means, then the latter replaced by said further means followed by stopping operation of the host system before replacing the further means by the successor user-related accessing means for replacement of said data individual to intended change of user.
22. Electronic security system according to claim 21 with claim 20, wherein the programmable data storage means reverts to its state before its first storage of said data individual to intended user before replacement thereof.
23. Electronic security system according to any preceding claim, wherein reading of the programmable data storage by the data processing means can repeat for a long enough time to span any likely host system noise or interference signals.
24. Electronic security system according to any preceding claim, wherein said accessing means and/or said other means and/or said further means is/are of card type and said access means is of card-reader type.
25. Electronic security system according to any one of claims 1 to 23, wherein card accessing means and/or said other means and/or said further means is/are of key or jack type, and said access means is of reading socket type.
26. Electronic security system according to claim 25 with claim 4, wherein said key or jack comprises a removable insert for an ignition key.
27. Electronic security system arranged and adapted to operate substantially as herein described with reference to and as shown in the accompanying drawings.
PCT/GB1993/000014 1992-01-08 1993-01-07 Motor vehicle start-up control Ceased WO1993013966A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB929200313A GB9200313D0 (en) 1992-01-08 1992-01-08 Motor vehicle etc start up control
GB9200313.6 1992-01-08
GB929211067A GB9211067D0 (en) 1992-05-23 1992-05-23 Motor vehicle etc.start up control
GB9211067.5 1992-05-23

Publications (1)

Publication Number Publication Date
WO1993013966A1 true WO1993013966A1 (en) 1993-07-22

Family

ID=26300123

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB1993/000014 Ceased WO1993013966A1 (en) 1992-01-08 1993-01-07 Motor vehicle start-up control

Country Status (2)

Country Link
AU (1) AU3261693A (en)
WO (1) WO1993013966A1 (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1994021498A1 (en) * 1993-03-23 1994-09-29 Raivo Kask Theft-impairing device
DE4338033A1 (en) * 1993-11-08 1995-05-11 Telefunken Microelectron Anti-theft system for motor vehicles
DE19531279C1 (en) * 1995-08-25 1996-09-12 Daimler Benz Ag Electronic immobiliser for automobile
WO1997005577A1 (en) * 1995-07-31 1997-02-13 Siemens Aktiengesellschaft Product data management system
WO1997011440A3 (en) * 1995-09-14 1997-04-24 Elsdale Ltd Method and system for faciliting the administration and management of a large number of vehicles
ES2116926A1 (en) * 1996-09-20 1998-07-16 Sanchez Valero Francisco Total-control system for vehicles and drivers
EP0667597A3 (en) * 1994-02-14 1998-08-19 Texas Instruments Deutschland Gmbh Integrated vehicle communications system
DE10021733A1 (en) * 2000-05-04 2001-11-29 Siemens Ag Integrated, database-supported documentation and management system for motor vehicles has data storage device operating from ordering vehicle to end of its life with external interface
EP2570309A1 (en) * 2011-09-16 2013-03-20 Gemalto SA Vehicle providing a secured access to security data

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU690335B2 (en) * 1995-01-20 1998-04-23 Coms21 Limited Vehicle security system
JPH11502576A (en) * 1995-01-20 1999-03-02 コムズ21・リミテッド Vehicle anti-theft system
AU658557B3 (en) * 1995-01-20 1995-04-13 Coms21 Limited Vehicle security system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2451848A1 (en) * 1979-03-22 1980-10-17 Daimler Benz Ag DEVICE FOR PREVENTING UNAUTHORIZED STARTING OF VEHICLES
DE3544934A1 (en) * 1985-05-09 1986-11-13 Klaus 4200 Oberhausen Dederle Computer-controlled theft protection in motor vehicles
DE3613605A1 (en) * 1986-04-22 1987-11-05 Reinhard Hergert ANTI-THEFT SECURITY FOR MOTOR VEHICLES
WO1988003884A1 (en) * 1986-11-26 1988-06-02 Ove Andersson An anti-theft device for a motor vehicle
FR2619065A1 (en) * 1987-08-06 1989-02-10 Garages Multiservices Francais Method for identifying and verifying the ownership of a vehicle
EP0456916A1 (en) * 1990-05-11 1991-11-21 Telettra Espana, S.A. Integral protection system for vehicles

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1994021498A1 (en) * 1993-03-23 1994-09-29 Raivo Kask Theft-impairing device
DE4338033A1 (en) * 1993-11-08 1995-05-11 Telefunken Microelectron Anti-theft system for motor vehicles
DE4338033C2 (en) * 1993-11-08 2000-05-18 Telefunken Microelectron Anti-theft system for motor vehicles
EP0667597A3 (en) * 1994-02-14 1998-08-19 Texas Instruments Deutschland Gmbh Integrated vehicle communications system
WO1997005577A1 (en) * 1995-07-31 1997-02-13 Siemens Aktiengesellschaft Product data management system
US6246919B1 (en) 1995-07-31 2001-06-12 Siemens Ag Product data management system
DE19531279C1 (en) * 1995-08-25 1996-09-12 Daimler Benz Ag Electronic immobiliser for automobile
WO1997011440A3 (en) * 1995-09-14 1997-04-24 Elsdale Ltd Method and system for faciliting the administration and management of a large number of vehicles
ES2116926A1 (en) * 1996-09-20 1998-07-16 Sanchez Valero Francisco Total-control system for vehicles and drivers
DE10021733A1 (en) * 2000-05-04 2001-11-29 Siemens Ag Integrated, database-supported documentation and management system for motor vehicles has data storage device operating from ordering vehicle to end of its life with external interface
EP2570309A1 (en) * 2011-09-16 2013-03-20 Gemalto SA Vehicle providing a secured access to security data
WO2013037996A1 (en) * 2011-09-16 2013-03-21 Gemalto S.A. Vehicle providing a secured access to security data
CN103796882A (en) * 2011-09-16 2014-05-14 金雅拓股份有限公司 Vehicle providing a secured access to security data
US9718418B2 (en) 2011-09-16 2017-08-01 Gemalto Sa Vehicle providing a secured access to security data

Also Published As

Publication number Publication date
AU3261693A (en) 1993-08-03

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AT AU BB BG BR CA CH DE DK ES FI GB HU JP KP KR LK LU MG MN MW NL NO NZ PL PT RO RU SD SE US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE DK ES FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN ML MR SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: CA