DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the filing date of 4/27/2020.
Claims 1-20 are pending and have been considered below.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/27/2020 is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 3, 4, 11-13, 15, 18 and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent No. 8,000,735 to Barclay.


receiving an encrypted and digitally signed firmware image (see at least col.6, lines 43-45 “…the patching mechanism updates the firmware by downloading the patch data or code from the host unit 60 at system startup, reset or initialization…”; see also at least col.7, lines 6-9 “…patches that are downloaded so that the baseband processor unit includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit…”);
generating a verification result by verifying the firmware image by using a public key (see at least col.7, lines 5-9 “…the patch mechanism may provide for encryption and authentication of patches that are downloaded so that the baseband processor unit 50 includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit 60…”);
decrypting the firmware image by using a secret key depending on the verification result (see at least col.7, lines 5-9 “…the patch mechanism may provide for encryption and authentication of patches that are downloaded so that the baseband processor unit 50 includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit 60…”); 
the baseband processor 50 may provide a patching mechanism which includes an on-chip patch RAM 53 for storing patch code or data that is used to patch or change the software stored in the BBP ROM memory 54 by using the patch code or data in place of the code which previously existed in the BBP ROM memory 54…”); and 
running a replacement function corresponding to an identifier of the patchable function included in the firmware, when the patchable function is called (see at least col.6, lines 35-67 “…the baseband processor 50 may provide a patching mechanism which includes an on-chip patch RAM 53 for storing patch code or data that is used to patch or change the software stored in the BBP ROM memory 54…a mechanism that will write the data supplied in a patch to the address supplied in a patch so that all or part of every function stored in the ROM 54 may be replaced by new code supplied in a patch that is copied into the patch RAM 53…Each patch signal may include a patch consisting of the patch ID (PID), the patch address (PA), the patch length (PL) and the patch data (PD).  The patch ID may be used to identify a patch for tracking and description purpose…”).

Per claims 3 and 12, Barclay further teaches
wherein the firmware includes: a replacement function for replacing the patchable function; and a look-up table for mapping the patchable function and the replacement function (see at least col.6, lines 58-62 “…patches may be downloaded as one or more patch signals from the host unit 60 over a link 59.  Each patch signal may include a patch consisting of the patch ID (PID) 53a, the patch address (PA) 53b, the patch length (PL) 53c and the patch data (PD) 53d.  The patch ID 53a may be used to identify a patch for tracking and description purposes…”).

Per claim 4, Barclay further teaches
wherein the look-up table includes a replacement flag indicating whether replacement of the patchable function with the 26Atty. Dkt. No. 8947-001499-US replacement function is possible, and an address of the replacement function on the first memory, and the first memory is a random access memory (RAM) (see at least col.6, lines 58-67 “…patches may be downloaded as one or more patch signals from the host unit 60 over a link 59.  Each patch signal may include a patch consisting of the patch ID (PID) 53a, the patch address (PA) 53b, the patch length (PL) 53c and the patch data (PD) 53d.  The patch ID 53a may be used to identify a patch for tracking and description purposes (e.g., identifying a patch as experimental or final).  The patch address 53b may be used to specify the first memory address (e.g., the address in ROM 54) that the patch is to be applied to using a software memory address for any location in the BBP memory or I/O space…”).

Per claim 11, Barclay teaches a semiconductor device comprising:
FIG. 2 - “On-Chip ROM 54”);
a RAM onto which firmware having a replacement function for replacing the at least one patchable function is loaded (see at least FIG. 2 - “On-Chip Patch RAM 53”);
a central processing unit (CPU) configured to perform user authentication on the firmware by running a firmware verification and decryption function programmed in the ROM and to run the replacement function by using the firmware when the at least one patchable function is called (see at least FIG. 2 - “Baseband Processor 50”; see at least col.7, lines 5-9 “…the patch mechanism may provide for encryption and authentication of patches that are downloaded so that the baseband processor unit 50 includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit 60…”);
secured storage configured to store a public key and an electronic signature for the user authentication, and a secret key for decrypting the firmware (see at least col.6, lines 37-39 “…the baseband processor 50 may provide a patching mechanism which includes an on-chip patch RAM 53 (i.e. secured storage) for storing patch code or data that is used to patch…”; see also col.7, lines 5-9 “…the patch mechanism may provide for encryption and authentication of patches that are downloaded so that the baseband processor unit 50 includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit 60…”); and 
a verification result register configured to store a result of the user authentication (see at least col.6, lines 37-47 “…the baseband processor 50 may provide a patching mechanism which includes an on-chip patch RAM 53 (i.e. register) for storing patch code or data that is used to patch…the baseband processor unit 50 sends an acknowledge signal (i.e. verification result) to the host unit 60 if the patch is accepted…”), wherein the firmware includes a look-up table for mapping the at least one patchable function and the replacement function (see at least col.6, lines 55-57 “…it is not required that every function stored in ROM 54 be patched, and the patching mechanism may maintain a list of patchable functions that is specifiable at the build time of the ROM software…”).

Per claims 13 and 19, Barclay further teaches
wherein, when the result of the user authentication stored in the verification result register corresponds to a fail or when the replacement flag is disabled, the replacement function is inhibited from being run, and the at least one patchable function is run (see at least col.6, lines 43-57 “…the patching mechanism updates the firmware by downloading the patch data or code from the host unit 60 at system startup, reset or initialization.  Once the patch data is stored in the patch RAM 53, the baseband processor unit 50 sends an acknowledge signal to the host unit 60 if the patch is accepted.  Of course, other implementation details are contemplated.  For example, the software stored in the BBP ROM memory 54 may include a mechanism that will write the data supplied in a patch to the address supplied in a patch so that all or part of every function stored in the ROM 54 may be replaced by new code supplied in a patch…as will be appreciated, it is not required that every function stored in ROM 54 be patched…” [Note, when the patch is not accepted in other words the authentication and/or decryption processes failed, the old functions stored in ROM 54 run]).

Per claim 15, Barclay further teaches 
wherein the look-up table further includes authority level information of a user for each function identifier see also col.7, lines 5-9 “…the patch mechanism may provide for encryption and authentication of patches that are downloaded so that the baseband processor unit 50 includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit 60…”).

Per claim 18, Barclay teaches a patch method of a semiconductor device which runs a first function programmed in a ROM, the method comprising: 
receiving an encrypted and digitally signed firmware image to be loaded onto a RAM to replace the first function see at least col.6, lines 43-45 “…the patching mechanism updates the firmware by downloading the patch data or code from the host unit 60 at system startup, reset or initialization…”; …patches that are downloaded so that the baseband processor unit includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit…”); 
performing user authentication on the firmware image see at least col.6, lines 43-45 “…the patching mechanism updates the firmware by downloading the patch data or code from the host unit 60 at system startup, reset or initialization…”; see also at least col.7, lines 6-9 “…patches that are downloaded so that the baseband processor unit includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit…”); 
decrypting the firmware image and loading the decrypted firmware image onto the RAM, depending on a result of the user authentication see at least col.6, lines 43-45 “…the patching mechanism updates the firmware by downloading the patch data or code from the host unit 60 at system startup, reset or initialization…”; see also at least col.7, lines 6-9 “…patches that are downloaded so that the baseband processor unit includes software for decrypting and authenticating patches that have been encrypted and/or authenticated at the host unit…”); and 
running a second function included in the firmware depending on the result of the user authentication, when the first function is called (see at least col.6, lines 35-67 “…the baseband processor 50 may provide a patching mechanism which includes an on-chip patch RAM 53 for storing patch code or data that is used to patch or change the software stored in the BBP ROM memory 54…a mechanism that will write the data supplied in a patch to the address supplied in a patch so that all or part of every function stored in the ROM 54 may be replaced by new code supplied in a patch that is copied into the patch RAM 53…Each patch signal may include a patch consisting of the patch ID (PID), the patch address (PA), the patch length (PL) and the patch data (PD).  The patch ID may be used to identify a patch for tracking and description purpose…”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8,000,735 to Barclay in view of U.S. Patent No. 6,138,236 to Mirov.

Per claims 2 and 20, Barclay does not explicitly teach
wherein the ROM stores a firmware verification and decryption function for authenticating the firmware image by using the public key and decrypting the encrypted firmware image by using the secret key.


ROM stores a firmware verification and decryption function for authenticating firmware image by using public key and decrypting encrypted firmware image by using secret key (see at least FIG. 2; see also at least col.5, lines 15-33 “A flash PROM 18 having an authentication section 45 and a programmable section 55 affords ease in updating the flash PROM 18 with new micro-code without compromising security.  Implementing public-key cryptography having a private key and a public key to verify the programmable section 55 with the authentication section 45 assures that the programmable section of the micro-code is proper and authentic.  The integrity of the unsecured micro-code 58 of the programmable section 55 is also verified when the verification hash matches the data hash…”).
	It would have been obvious for a person of an ordinary skill in the art as of the effective filing date of the claimed invention to modify the teaching of Barclay to incorporate the teaching of Mirov to allow the ROM 54 to store the authentication and decryption functions.  One would have been motivated to do so in order to perform authentication of firmware and other code in the start-up of device.

Claims 9, 10, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8,000,735 to Barclay in view of U.S. Pub. No. 20170010881 to Kawazu.


wherein, the semiconductor device further includes a rollback counter for storing patch version information of the patchable function, and the method further comprises: comparing version information stored in the firmware image and the rollback counter.  

	Kawazu teaches an analogous art relates to updating a firmware, comprising:
a rollback counter for storing patch version information of the patchable function, and the method further comprises: comparing version information stored in the firmware image and the rollback counter (see at least paragraph [0031] “…A rollback detection unit 202 detects whether the version of the downloaded delivered firmware is older.  If the version is older, the update of the firmware is canceled.  More specifically, comparison between the delivered firmware version number 701 included in the delivered firmware information 700 verified by the first verification unit 201 and the version number of the current firmware managed by a counter unit 204 (corresponding to the monotonically increasing counter 117) of the TPM 103 (to be described later) is performed.  If the delivered firmware version number 701 is smaller than the version number of the current firmware managed by the counter unit 204, it is determined that the version of the delivered firmware is older, and the update is canceled.  Note that the version number of the current firmware managed by the counter unit 204 is acquired via a version management unit 203 (to be described later)”).  


Per claims 10 and 17, Kawazu further teaches
terminating an execution of the patchable function in response to the rollback counter and the version information not being matched (see at least paragraph [0031] “…A rollback detection unit 202 detects whether the version of the downloaded delivered firmware is older.  If the version is older, the update of the firmware is canceled…”).

Allowable Subject Matter
Claims 5 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
U.S. Pub. No. 20080313627 relates to updating firmware of a system.
	U.S. Pub. No. 20080313627 relates to updating firmware of a system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHILLIP H NGUYEN whose telephone number is (571)270-1070.  The examiner can normally be reached on Monday-Friday 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Zhen can be reached on (571) 272-3708.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.