DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/03/2020 has been entered.
 				
Status of Claims
2.    Applicant’s amendment dated November 3rd, 2020 responding to the Office Action September 28th, 2020 provided in the rejection of claims 1, 3-11 and 13-21.
3.    Claims 1, 4-5, 11, 14-15 and 21 have been amended.
4.    Claims 1, 3-11 and 13-21 are pending in the application, of which claims 1, 11 and 21 are in independent form and which have been fully considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


5.	Claims 1, 3-11, 13-21 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements.  See MPEP § 2172.01.  The omitted elements are: 
Claims 1, 11 and 21 recite the limitation “receiving, at the domain controller, a software update package”.  The domain controller receiving a software update package from where? Server or an original equipment manufacturer?
Claims 6 and 16 recite the limitation “sending, prior to the receiving a request for the software update package…” appears to be mis-descriptive.  Sending/receiving to/from where?
Claims 3-10 and 13-20 are also rejected under 35 U.S.C 112(b), since they are dependent on claims 1 and 11.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

6.	Claims 1, 3-6, 10-11, 13-16 and 20-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over McCauley et al. (US Pub. No. 2018/0145991 A1 –art of record –herein after McCauley) in view of Kawabata et al. (US Pub. No. 2018/0183605 A1 – IDS filed on 1/6/2021 – herein after Kawabata) and in view of Philipp Mundhenk (Security in Automotive Networks: Lightweight Authentication and Authorization, 2016 – herein after Mundhenk –new art made of record – herein after Mundhenk).

Regarding claim 1. 
McCauley discloses
A method at a domain controller for software update control (Figs. 2A-2B), the method comprising: 
receiving, at the domain controller (Fig. 2A, receiving at Secure ECU 212), a software update package (receive firmware and store firmware at secure electronic control unit (ECU) - See Fig. 2B, step 252 and 254. A firmware update can include a package with a plurality of firmware updates, each update designated for one or more of the plurality of ECUs 114 included in vehicle 110 - See paragraph [0020]);
verifying, at the domain controller (verify the package with a secure ECU -See paragraph [0035]. It can be advantageous for a secure ECU to first verify the firmware update package before each firmware update is transmitted to the respective one or more target ECUs – See paragraph [0044]), a source of the software update package (authenticate firmware and checking whether authenticate firmware success – See Fig. 2B, steps 256 and 258), 
unbundling the software update package into at least one software update (decrypt firmware package - See Fig. 5B, step 552 and 554. Upon receiving a firmware update, secure ECU 212 can store the updated firmware in storage 220 and decrypt (e.g., if the updated firmware is encrypted) and/or authenticate it using processor 218 — see paragraph [0025]), each of the at least one software update being destined for a control unit managed by the domain controller (transmit firmware to target ECUs -See Fig. 5B, step 558); 
forwarding each [signed] software update to the control unit for which the software update is destined (firmware updates for each ECU 114 can be received one at a time in series, or simultaneously in a parallel operation - See paragraph [0020]. When authentication is successful, the updated firmware can be transmitted (e.g., from untrusted ECU 412) to each target ECU 414 (step 462 of process 450). Target ECUs 412 can install the firmware to operate with updated firmware (step 464 of process 450) - See paragraph [0041]);
 wherein the domain controller is installed on a vehicle and manages a plurality of control units of the vehicle (secure ECU 212 is installed on a vehicle 210 and manages/controls a plurality of ECU 214 – See Fig. 2A and paragraphs [0024-0026]).
McCauley does not disclose
the verifying comprising checking that the software update package is associated with a certificate signed by an original equipment manufacturer (OEM); 
signing each of the at least one software update with a cryptographic key associated to the domain controller;

	Kawabata discloses 
	signing each of the at least one software update with a cryptographic key associated to the domain controller (re-signed updating firmware with a key associated with key management device – See Fig. 4 and paragraphs [0046]);
	forwarding each signed software update to the control unit for which the software update is destined (transmit re-signed updating firmware to ECU 30 – See Fig. 4 and paragraph [0050]).
	It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Kawabata’s teaching into McCauley’s invention because incorporating Kawabata’s teaching would enhance McCauley to enable to re-sign update firmware in order to discriminate it from the updating firmware attached with an electronic signature received from the management server equipment as suggested by Kawabata (paragraph [0041]).
McCauley and Kawabata do not disclose
the verifying comprising checking that the software update package is associated with a certificate signed by an original equipment manufacturer (OEM); 
	Mundhenk discloses
	the verifying comprising checking that the software update package is associated with a certificate signed by an original equipment manufacturer (OEM) (All participants are certified by the central Certificate Authority (CA) of the Original Equipment Manufacturer (OEM) – See Fig. 3, page 13); 
	Mundhenk also discloses
signing each of the at least one software update with a cryptographic key associated to the domain controller (All firmware updates are run via the security module, which in turn verifies the identity of the sender and the validity of the firmware signature for the ECU. The firmware is signed with the private key of the sending instance, which is certified by an appropriate CA (see Section 4.1) – See page 14, 4.5 Firmware updates and Fig. 3);
	forwarding each signed software update to the control unit for which the software update is destined (the update is installed on the ECU – See page 14, 4.5 Firmware update and Fig. 3).
	It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Mundhenk’s teaching into McCauley’s and Kawabata’s inventions because incorporating Mundhenk’s teaching would enhance McCauley and Kawabata to enable to generate the list of data/firmware/message streams by the configuration management of the Original Equipment Manufacturer (OEM) and must be signed with the corresponding certificate and ensure that the firmware update is authenticated all the way to the ECU as suggested by Mundhendk (page 12 and page 14).

Regarding claim 3, the method of claim 1, 
McCauley discloses 
wherein the software update package is encrypted (a vehicle can include a receiver configured to receive one or more firmware updates in an encrypted package from a server - See paragraph [0004]), and wherein the unbundling comprises decrypting the software update package (Upon receiving a firmware update, secure ECU 212 can store the updated firmware in storage 220 and decrypt (e.g., if the updated firmware is encrypted) and/or authenticate it using processor 218 - See paragraph [0025]. Secure ECU 212 can authenticate (e.g., by verifying a signed key and/or via a decrypting operation) the updated firmware (e.g., using processor 218) (step 256 of process 250) - See paragraph [0027]).

Regarding claim 4, the method of claim 3, 
McCauley discloses
wherein the software update package is encrypted with a public key for the domain controller (server 501 can encrypt the firmware package using a first public key - See paragraph [0047]).

Regarding claim 5, the method of claim 3, 
McCauley does not disclose
wherein the software update package is encrypted using a symmetric key shared between the domain controller and the OEM.
Mundhenk discloses 
	wherein the software update package is encrypted using a symmetric key shared between the domain controller and the OEM (To allow real-time behavior, these protection mechanisms are based on symmetric cryptography, requiring pre-shared keys. Pre-programming these keys opens another attack vector, especially if the 
	It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Mundhenk’s teaching into McCauley and Kawabata’s inventions because incorporating Mundhenk’s teaching would enhance McCauley and Kawabata to enable to protect mechanisms that are based on symmetric cryptography requiring pre-shared keys as suggested by Mundhenk (pages 2 and pages 19)

Regarding claim 6, the method of claim 1, 
McCauley discloses
further comprising sending, prior to the receiving, a request for the software update package, the request being signed by the domain controller (Secure ECU 522 can decrypt and/or authenticate the request to determine whether the firmware package and the request are authentic. If the firmware package and the request are authentic, authentication at secure ECU 522 can be successful (step 556 of process 550). If authentication is successful, untrusted ECU 512 can receive a signed distribution command from secure ECU 522 and, in response to the received distribution command, transmit one or more firmware updates of the plurality of firmware updates to the appropriate target ECUs 514 (step 558 of process 550) - See paragraph [0051]).

Regarding claim 10, the method of claim 1, 

further comprising: receiving confirmation that the at least one software update was installed (firmware updating process and gateway ECU receive the updating completion notifications – See Fig. 4); and 
forwarding the confirmation to a network element (forward updating completion notifications to management server equipment – See Fig. 4).
	It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Kawabata’s teaching into McCauley’s invention because incorporating Kawabata’s teaching would enhance McCauley to enable to notify the completed updating as suggested by Kawabata (See Fig. 4).

Regarding claim 11.
McCauley and Kawabata and Mundhenk disclose
A domain controller configured for software update control (Secure ECU 212 - Fig. 2A (McCauley) and vehicle domain package object - Fig. 20 (Buga)), the domain controller comprising:
a processor (processor 218 - Fig. 2A (McCauley)); and
	a communications subsystem (Receiver 216 can be communicatively coupled to server 201 via a wireless network connection (e.g., via Wi-Fi, Bluetooth, a cellular network, or other network connection) - See paragraph [0025]), wherein the domain controller is configured to:
Regarding claim 11, recites the same limitations as rejected claim 1 above.
Regarding claim 13, recites the same limitations as rejected claim 3 above.
Regarding claim 14, recites the same limitations as rejected claim 4 above.
Regarding claim 15, recites the same limitations as rejected claim 5 above.
Regarding claim 16, recites the same limitations as rejected claim 6 above.
	Regarding claim 20, recites the same limitations as rejected claim 10 above.

Regarding claim 21.
McCauley and Kawabata and Mundhenk disclose
A non-transitory computer readable medium for storing instruction code, which when executed by a processor of a domain controller cause the domain controller to:
Regarding claim 21, recites the same limitations as rejected claim 1 above.

7.	Claims 7-9 and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over McCauley and Kawabata and Mundhenk as applied to claims 1 and 11 respectively above, and further in view of Maeda et al. (US Pub. No. 2018/0152341 A1—art of record -herein after Maeda).

Regarding claim 7, the method of claim 1, 
Maeda discloses
further comprising maintaining, at the domain controller (maintain at vehicle ECU manager - See Fig. 7), a list of all control units managed by the domain controller, and a software version of software installed on each of the control units (The system configuration information in this example is a list of ECU information for each ECU. The ECU information is configured to include an ECU-ID, an ECU class that indicates the 
It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Maeda’s teaching into McCauley’s and Kawabata’s and Mundhenk’s inventions because incorporating Maeda’s teaching would enhance McCauley and Kawabata and Mundhenk to enable to generate a list of all ECUs used by the vehicle model provided with the ECU that requires a firmware update as suggested by Maeda (paragraph [0174]).

Regarding claim 8, the method of claim 7, 
Maeda discloses further comprising:
receiving a request to add a control unit (the sequences may also be executed when it is sensed that a new ECU has been added to the on-board network, or may be executed in correspondence with an operation by the driver or the like on any ECU inside the vehicle. Also, step S2306 and the steps thereafter are started in the case in which the server 500a receives a firmware registration request, for example -See paragraph [0197]),
verifying the request to add the control unit (an operation verification request is issued to the server 500a - See paragraph [0226]); and
based on the verifying, adding the control unit to the list of control units (in cases such as when an ECU provided on-board a vehicle experiences trouble and is replaced with a different ECU, or when an ECU is newly added, the gateway 300a is 
It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Maeda’s teaching into McCauley’s and Kawabata’s and Mundhenk’s inventions because incorporating Maeda’s teaching would enhance McCauley and Kawabata and Mundhenk to enable to update firmware in an electronic control unit that communicates on an on-board network as suggested by Maeda (paragraph [0001]).

Regarding claim 9, the method of claim 8, 
Maeda discloses
wherein the verifying comprises sending the request to a server and receiving a response from the server (Information specifying the firmware that was being attempted to update is added to the operation verification request, for example.In the case in which an operation verification is performed on the server 500a in response to the operation verification request, and FW update information including verified ECU configuration information satisfying the certain condition described above is transmitted from the server 500a - See paragraph [0163])
It would have been obvious to one ordinary skill in the art before the effective filing date of claimed invention to use Maeda’s teaching into McCauley’s and Kawabata’s and Mundhenk’s inventions because incorporating Maeda’s teaching would enhance McCauley and Kawabata and Mundhenk to enable to store keys for signature 

Regarding claim 17, recites the same limitations as rejected claim 7 above.
Regarding claim 18, recites the same limitations as rejected claim 8 above.
Regarding claim 19, recites the same limitations as rejected claim 9 above.

Conclusion
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Chirstopher King (Vehicle Cybersecurity:  The Jeep Hack and Beyond), 2016 discloses sign and encrypt firmware updates – See page 3
Wang Tao (CN106886424) discloses the automobile main control comprises the following steps: communicating with an intelligent device through an automobile main control device interface, receiving an update package, decrypting and splitting and updating, and communicating and updating with the vehicle-mounted device through an automobile information interface – See pages 1 of description.
Ye et al. (US Pub. No. 2017/0060559 A1) software updates 116 may include a single section, while in other cases a software updates 116 may be organized into multiple subsections, partitions, or chunks, where all the subsections may be downloaded to complete the overall software update 116 to be installed.  In some examples, the software updates 116 may be originated by a vendor (e.g., of the vehicle ECU 104) or originated by the vehicle manufacturer.  In some cases, the software 
9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONGBAO NGUYEN whose telephone number is (571)270-7180.  The examiner can normally be reached on Monday-Friday 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hyung S. Sough can be reached on 571-272-6799.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MONGBAO NGUYEN/Examiner, Art Unit 2192