DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Amendment filed 04/21/21 has been received and considered.
Claims 1-5, 7-15 and 17-19 are pending.
This action is Final.
Response to Arguments
2.	Applicant's arguments filed 04/21/21 have been fully considered but they are not persuasive. Applicant argues that regarding independent claims 1, 10 and 11, Haga in view of Ujiie and in further view of Lee fails to teach “transmitting, by the firmware integrated management apparatus, corresponding encrypted firmware among the plurality of encrypted firmwares along with a corresponding encryption key generated by the firmware integrated management apparatus to each of the plurality of target controllers.”
	With respect to this argument, as disclosed below, Lee in paragraph [0032] discloses adding an electronic signature to the firmware where the server encrypts a hash value of firmware. The firmware is authenticated by comparing a hashed value of the received firmware to a value acquired by decrypting the received encrypted hash value using the public key. In paragraph [0033], once the authentication of firmwares are completed, the gateway transmits respective different firmware included in the firmware group to the corresponding controllers. 
Therefore, Haga in view of Ujiie and Lee teaches the claimed limitations of amended claims 1, 10 and 11, and thereby the dependent claims. 



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


3.	Claims 1-5, 7-15 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. US 2017/0134164 A1 to Haga, (hereinafter “Haga”) in view of US Pub. No. US 2017/0192770 A1 to Ujiie, (hereinafter, “Ujiie”) and in further view of US Pub. No. US 2015/0200804 A1 to Lee, (hereinafter, “Lee”).

As per claims 1, 10 and 11, Haga teaches a reprogramming method of a vehicle, a non-transitory computer readable recording medium, and a vehicle, respectively, the vehicle comprising: a plurality of controllers (Haga, para. [0053] “The onboard network system 10 is an example of a network communication system where communication is performed following the CAN protocol, and is a network communication system in an automobile (vehicle) to which various types of devices, such as control devices, sensors, and so forth, have been installed.”), the method comprising: 
authenticating, by a gateway, a diagnostor (Haga, para. [0053] “in FIG. 1, the onboard network system 10 is configured including a diagnostic port 600, busses 500a through 500d, and various nodes connected to busses, such as the master ECU (update management device) 100, a head unit 200, a gateway 300, ECUs 400a through 400f and the like connected to various types of devices, and so forth.” And para. [0141] “in a case where an external tool 30 is connected to the diagnostic port 600, the master ECU 100 authenticates the external tool 30, and only in a case where an update message from the external tool 30 is within the range of authority (level) that update authority information indicates is the external tool 30 permitted to update data within ECUs by that update message.”);
authenticating, by the firmware integrated management apparatus, the integrated firmware (Haga, para. [0036] “the update authority information identifies one or a plurality of function types out of a plurality of function types for classifying the electronic control units, and the external tool has authority to cause the electronic control unit, classified to any of the identified one or plurality of function types, to perform the update, and in a case where the update message is transmitted from the external tool, the determination is performed by determining, based on the message ID of this update message, whether or not the function type of the electronic control unit set to receive this message ID matches any of the one or plurality of function types identified by the update authority information. Accordingly, operation can be performed where external tools are certified with authority for updating having been distinguished, for each function type classifying ECUs by function. This certification is performed by giving verifiable update authority information, for example.”); 
encrypting and storing, by the firmware integrated management apparatus, the plurality of firmwares included in the integrated firmware (Haga, para. [0042] “the electronic control units other than the update management device and the update management device store a shared key that is mutually shared, to be used for transfer of a session key of encryption processing relating to content of communication, and the update of data that the electronic control unit stores, instructed by the update message, is updating of the shared key. Accordingly, shared keys shared between the master ECU and other ECUs can be updated by the external tool.”); and 
generating, by the firmware integrated management apparatus, encryption keys that corresponds the plurality of target controllers, respectively apparatus, wherein the encrypting and storing comprises encrypting and storing the plurality of firmwares to the encryption keys that correspond to the plurality of firmwares, respectively (Haga, para. [0071] “FIG. 3 is a diagram illustrating a key issuing system relating to the above-described ECUs and external tool. A key issuing authority 20 distributes public key certificates 40a through 40c, secret keys 50a through 50c, and a shared key 60, to a manufacturer 21. The distributed keys and certificates are written to the external tools 30a and 30b, the master ECU 100, and the ECUs 400a through 400f at the manufacturing stage or the like by the manufacturer 21. The manufacturer 21 is, for example, an OEM maker (Original Equipment Manufacturer), an ECU vendor, or the like. The public key certificate describing the public key, and the secret key, are used in a public key infrastructure (PKI), and the public key and secret key are a key pair in elliptic curve cryptography, RSA cryptography, or the like. The secret key and public key certificate are used for authentication between the master ECU 100 and external tools 30a and 30b. The shared key 60 representatively represents individual shared keys. This shared key 60 is an AES (Advanced Encryption Standard) key in shared-key cryptography, that is shared between the master ECU 100 and the ECUs, and is used for transmitting session keys for encryption processing regarding frames.”). 

Haga teaches all the limitations of claims 1, 10 and 11 above, however fails to explicitly teach, but Ujiie teaches:
receiving, by a firmware integrated management apparatus, integrated firmware comprising a plurality of firmwares that correspond to a plurality of target controllers, respectively, from the diagnostor that is completely authenticated (Ujiie, para. [0051] “a firmware update method according to an aspect of the present disclosure is a method used in an in-vehicle network system provided with a plurality of electronic controllers that communicate over one or more buses, the method comprising: receiving firmware update information from an external device external to the vehicle in which the plurality of electronic controllers is installed on-board, the firmware update information including updated firmware to be applied to a first electronic controller from among the plurality of electronic controllers” and para. [0116] “The data transmitting and receiving unit 510 communicates with the gateway 300 to transmit and receive data. The data transmitting and receiving unit 510 delivers data reported from the delivery data generating unit 570 (FW update information including firmware to update) to the gateway 300. In addition, in the case of receiving a firmware update result from the gateway 300, the data transmitting and receiving unit 510 updates vehicle ECU management information stored by the ECU management information storing unit 572.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ujiie’s firmware update method into Haga’s update management method and system with a motivation to execute a firmware update at a suitable (for example, a safe) timing (Ujiie, para. [0038]). 
The combination of Haga and Ujiie teach all the limitations of claims 1, 10 and 11 above, however fail to explicitly teach, but Lee teaches:
transmitting, by the firmware integrated management apparatus, corresponding encrypted firmware among the plurality of encrypted firmwares along with a corresponding encryption key generated by the firmware integrated management apparatus to each of the plurality of target controllers (Lee, para. [0032] “an electronic signature (e.g., symmetric key or asymmetric key) may be added to the firmware and whether firmware is modulated may be determined by verifying the electronic signature through an authentication medium (i.e., a gateway). A private key in a server and a public key that corresponds to the private key in a controller may be used as an electronic signature method. When the server encrypts a hash value of firmware using the private key and adds the encrypted hash value to the firmware, the authentication medium may be configured to authenticate the firmware by comparing a hashed value of the received firmware to a value acquired by decrypting the received encrypted hash value using the public key.” And para. [0033] “When authentication of the firmware group has been completed, the gateway may be configured to transmit respective different firmware included in the firmware group to the corresponding controllers (S380). Transmission of the individual piece of firmware may be repeated as many times as the number of different firmware, or transmission of the respective different firmware may be performed simultaneously. The respective controllers having received the corresponding firmware may be configured to update the corresponding firmware without a separate authentication process (S390).”);
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee’s efficient reprograming and control method into Ujiie’s firmware update method and Haga’s update management method and system with a motivation for authentication of a plurality of different firmware completed in a reduced amount of time (Lee, para. [0034]). 
As per claims 2 and 12, the combination of Haga, Ujiie and Lee teach the method according to claim 1 and the vehicle according to claim 11, respectively, wherein the integrated firmware comprises one authentication information item about all the plurality of firmwares (Haga, para. [0054] The diagnostic port 600 is a port for connecting the external tool 30 to, in a case of performing maintenance of the ECUs making up the onboard network system 10, and is connected to the master ECU 100 by the bus 500d. The diagnostic port 600 is a connector compliant with OBD2, for example. The external tool 30 can transmit frames following the CAN protocol to the onboard network system 10 by connecting to the diagnostic port 600. For example, the external tool 30 can transmit messages including message IDs of a predetermined certain range in the onboard network system 10, such as an update message to update firmware of an ECU, a diagnostic message for malfunction diagnosis of an ECU, or the like. Description will be made here with particular focus on the external tool transmitting an update message (i.e., an update requesting frame) including a message ID within the certain range determined beforehand, for updating each of firmware and shared keys of an ECU.). 

As per claims 3 and 13, the combination of Haga, Ujiie and Lee teach the method according to claim 2 and the vehicle according to claim 12, respectively, wherein the integrated firmware is transmitted through the diagnostor in the form of update message; and 
wherein the update message comprises a header (Haga, para. [0126] “the external tool 30a generates an update message for updating the shared key 60d with the message ID "0x102" attached, and performs encryption processing of the update message using the session key (step S1009). An example of encryption processing of the update message is, for example, to store in the data field data necessary for updating the shared key 60d for example (e.g., in a case of performing updating at the ECU 400a by a keyed hash function or the like, data serving as the key), and encrypting that data or adding a MAC to that data. A MAC corresponding to all or part of the update message, for example, may be stored in the data field even if data is not necessary for updating of the shared key 60d. For example, predetermined encryption processing to be performed (i.e., predetermined encryption processing using a session key) is stipulated beforehand, regarding sort of processing to perform as encryption processing corresponding to an update message in the onboard network system 10. Each ECU performs updating in accordance with update messages that have been appropriately (i.e., so that verification using a session key will be successful) subjected to predetermined encryption processing (e.g., addition of a MAC), following the stipulations. If the predetermined encryption processing has not been appropriately performed, updating is inhibited regarding that update message.” And para. [0127] “The external tool 30a transmits the update message generated in step S1009 to the master ECU 100 (step S1010).”)

As per claims 4 and 14, the combination of Haga, Ujiie and Lee teach the method according to claim 3 and the vehicle according to claim 13, respectively, wherein the header comprises at least one of a header version, integrated firmware identification information, firmware number information indicating the number of the plurality of firmwares, corresponding controller identification information for each firmware, message length information, and separate firmware version information (Ujiie, para. [0125] “The FW update information includes a FW count F1 indicating the number of pieces of FW data, one or more pieces of FW data (in the example of FIG. 13, two pieces of individual FW data F10 and F20), and a FW update information signature F30, which is a signature for the FW update information (delivery data) as a whole. The FW data F10 and F20 respectively includes updated firmware (FW) F13 and F23, ECU-IDs F11 and F21 that identify the target ECU, FW versions F12 and F22 that indicate the version number or the like of the firmware, and FW data signatures F14 and F24 which are respective signatures for these data. The firmware F13 and F23 is the firmware itself, or in other words, binary data.”).

As per claims 5 and 15, the combination of Haga, Ujiie and Lee teach the method according to claim 1 and the vehicle according to claim 11, respectively, wherein the encryption keys for the controllers that correspond to the plurality of firmwares, respectively, are stored in a security module of the firmware integrated management apparatus (Ujiie, para. [0105] “The key storing unit 164 stores a key for signature verification of FW data used to update the firmware.” And para. [0185] “The gateway 1300, based on the list of ECU information stored by the ECU information storing unit 372 (see FIG. 6), selects an ECU which is different from the ECU whose firmware is to be updated, and which includes a function of executing a process related to the firmware update, as the ECU to execute that process by proxy (proxy ECU) (step S2200). Specifically, in the signature verification ECU proxy process, an ECU that includes the signature verification function (for example, an ECU that includes a key used to verify a signature) is selected as the proxy ECU to execute by proxy a process related to the signature verification function.”). 

As per claims 7 and 17, the combination of Haga, Ujiie and Lee teach the method according to claim 1 and the vehicle according to claim 11, respectively, further comprising, when each of the plurality of target controllers encrypts the firmware transmitted to each of the plurality of target controllers, decrypting the encrypted firmware by using the encryption key transmitted to each of the plurality of target controllers and then performing reprogramming (Haga, para. [0131] “the frame generating unit 120 uses the session key for communication with the external tool 30a for decryption if the encryption processing that the original update message has been subjected to is encryption, and subjects the results of the processing to encryption using a session key used for communication with the other ECUs, thereby generating a new update message. If the encryption processing that the original update message has been subjected to is addition of a MAC, the frame generating unit 120 generates a MAC using the session key used for communication with the other ECUs and replaces the MAC of the original update message with the generated MAC, thereby generating a new update message.”). 

As per claims 8 and 18, the combination of Haga, Ujiie and Lee teach the method according to claim 1 and the vehicle according to claim 11, respectively, further comprising periodically checking, by the firmware integrated management apparatus, firmware integrity of each of the plurality of target controllers (Haga, para. [0139] “the processing of step S1009 and thereafter is repeated each time the external tool 30a transmits the update messages. An update message for updating firmware within the ECUs includes information for identifying the content of the firmware after updating, for example, and the ECUs that are the object of the update message rewrite the firmware based on the information for identifying the content of the firmware after updating. The firmware includes, for example, software such as programs within the ECUs, and data used by the programs, and may include microcode at processors within the ECUs. In a case where an ECU includes an FPGA (Field Programmable Gate Array) or the like for example, the firmware may include circuit configuration data. Further, although shared keys and firmware have been handled separately here for the sake of description, firmware may be handled as including shared keys.” And Ujiie, para. [0205] “the gateway 300 or 1300 determines, based on the list of ECU information stored by the ECU information storing unit 372, whether to perform control causing an ECU other than the ECU to update or the gateway itself to execute a process for the ECU whose firmware is to be updated, or cause the ECU to update to execute the process (in other words, the gateway 300 or 1300 determines whether or not execution by proxy is necessary)…Whether or not an ECU includes a function of executing a certain process may be, for example, whether or not the ECU includes the signature verification function and/or the FW cache function. The FW update processing unit 370 (control unit) of the gateway 300 or 1300 may determine that the certain condition is satisfied if the ECU on which to apply the updated firmware (in other words, the ECU to update) includes a function of executing a certain process, and determine that the certain condition is not satisfied if the ECU to update does not include the function of executing the certain process.”). 

As per claims 9 and 19, the combination of Haga, Ujiie and Lee teach the method according to claim 8 and the vehicle according to claim 18, respectively, further comprising re-transmitting, by the firmware integrated management apparatus, firmware corresponding to a controller with a problem in terms of check of the firmware integrity among the plurality of encrypted firmwares, to the controller with the problem among the plurality of target controllers (Haga, para. [0090] “The frame generating unit 120 configures an error frame in accordance with an error frame transmission request notified from the frame interpreting unit 150, and transmits the error frame to notify the frame transmission/reception unit 160. Upon receiving an instruction to generate a frame from the determining unit 103, the frame generating unit 120 subjects data to encryption processing (e.g., adding a MAC or the like corresponding to the session key or the like) and configures a frame, and transmits to notify the frame transmission/reception unit 160.” And Ujiie, para. [0087] “The frame generating unit 380 reports and transmits to the frame transmitting and receiving unit 310 an error frame in accordance with a request to transmit an error frame reported from the frame interpreting unit 320. In addition, the frame generating unit 380 constructs a frame using the message ID and data reported by the frame processing unit 350, and passes the frame together with bus information to the frame transmitting and receiving unit 310. In addition, the frame generating unit 380 constructs a frame using FW data related to updated firmware reported by the FW update processing unit 370, and passes the frame together with bus information to the frame transmitting and receiving unit 310.”). 

Conclusion
4.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20160013934 A1- Vehicle software update verification.
US 9215228 B1- Authentication of in-vehicle electronic devices.

	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Ali Abyaneh can be reached on (571) 272-7961. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437      

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498