DETAILED ACTION
This Action is a response to the reply received 6 July 2022. Claims 1 and 11 are amended; no claims are cancelled or newly added. Claims 1, 3-5, 7-11, 13-15 and 17-20 remain pending for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 3-5, 7-11, 13-15 and 17-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 1 and 11 have been amended to recite “wherein the controller performs a security access for security test after transition to a programming session” (see claim 1, lines 24-25 and claim 11, lines 19-20). The claim limitation does not itself provide definition or explanation for the meaning and/or scope of the terms “security access,” “security test” and “programming session.” Applicants have identified paragraph 0096 of the Specification as providing support for the amended limitation. The Specification recites: “The controller performs an update procedure in 550. In this connection, (a) a Security Access is executed for security test after transition to a Programming session …” However, this disclosure does not provide sufficient description of this procedure to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
More particularly, it is not clear, for example: (a) what the controller is accessing in executing the “security access”; (b) how the access is secured; (c) what is being tested in the “security test”; (d) how the test determines some aspect of the security of the item, object or logic being tested; (e) what a “programming session” is; and/or (f) what any other sessions may be and how the controller transitions to a programming session. In the absence of a description of the acts being performed by, for example, logic, and the object(s) on which said acts operate to accomplish the functions claimed, it is found that the claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention. Additional limitations of claims 3-5, 7-10, 13-15 and 17-20 do not cure these deficiencies, and these claims are therefore also rejected for failing to meet the written description requirement.
Claims 1, 3-5, 7-11, 13-15 and 17-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
Claims 1 and 11 have been amended to recite “wherein the controller performs a security access for security test after transition to a programming session” (see claim 1, lines 24-25 and claim 11, lines 19-20). To determine whether these limitations are supported by the disclosure, it must be determined whether undue experimentation is required in order for a person of ordinary skill in the relevant art to practice the invention. The factors set forth in In re Wands, 858 F.2d 731, 737, 8 USPQ2d 1400, 1404 (Fed. Cir. 1998) and MPEP § 2164.01(a) must be considered.
(A) The breadth of the claims: “security access”, “security test” and “programming session” are broad claims encompassing many possibilities. See analysis above with respect to the written description requirement for questions regarding the scope. This factor accordingly weighs against enablement.
(B) The nature of the invention: the invention is directed to performing OTA vehicle software updates (see title and Spec. ¶2). Accordingly, the methods are generally carried out through the use of software in combination with a hardware system. In computer programing cases, some description is required as to how a processor (or here, a controller) would perform required operations and/or coordinate other system components to perform the required operations (see MPEP § 2164.06(c)(I)). Here, the program, algorithm, or sequence of events needed to perform the “security access”, “security test” or “transition to a programming session” is not described. This factor therefore weighs against enablement.
(C) The state of the prior art: the prior art contains numerous examples of means for securely accessing one or more hardware or software elements, means for performing a security test, and means for providing a programming session. This factor therefore weighs against enablement.
(D) The level of one of ordinary skill: Examiner makes no precise assessment of the level of skill, but estimates that a person holding a computer science or programming degree and having some experience with software development, would have the requisite level of ordinary skill in this art. This factor therefore may weigh either for or against enablement.
(E) The level of predictability in the art: with some description of the algorithm or acts to perform the claimed functions, the level of predictability in the art would be considered high. In the absence of any such disclosure, the level of predictability cannot be ascertained. This factor therefore does not weigh either for or against enablement.
(F) The amount of direction provided by the inventor: very little direction is provided regarding acts, steps or operations to be performed to carry out the identified claim limitations. As such, this factor weighs against enablement.
(G) The existence of working examples: while FIGs. 4-7 provide examples of the process for performing the OTA updates as a whole, neither the figures nor the description provide any working example of the steps, acts, or operations to be carried out to implement the referenced claim limitation. This factor therefore weighs against enablement.
(H) The quantity of experimentation needed to make or use the invention based on the content of the disclosure: as discussed above, the nature of the invention and the field of art provide numerous possibilities for performing “security access”, “security test” and “transition to programming session,” but the description is essentially silent regarding how such functions are to be implemented. Accordingly, the quantity of experimentation is high. This factor therefore weighs against enablement.
In view of the foregoing, a majority of Wands factors weigh against a finding of enablement. Claims 1 and 11 are therefore found to lack enablement. The additional limitations provided in claims 3-5, 7-10, 13-15 and 17-20 do not cure these deficiencies, and these claims are therefore likewise rejected as lacking enablement.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 3-5, 7-11, 13-15 and 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Claims 1 and 11 have been amended to recite “wherein the controller performs a security access for security test after transition to a programming session” (see claim 1, lines 24-25 and claim 11, lines 19-20). 
“The essential inquiry pertaining to this requirement is whether the claims set out and circumscribe a particular subject matter with a reasonable degree of clarity and particularity … definiteness of claim language must be analyzed, not in a vacuum, but in light of: (A) The content of the particular application disclosure; (B) The teachings of the prior art; and (C) The claim interpretation that would be given by one possessing the ordinary level of skill in the pertinent art at the time the invention was made” (MPEP § 2173.02(II)).
	Some of these considerations have been analyzed above with respect to the requirements under 35 U.S.C. § 102(a). For example, the content of the particular application disclosure is generally insufficient to provide a person of ordinary skill in the relevant art with the tools and information necessary to practice the invention – or even to determine the nature of the security access, security test and transition to programming session. Teachings of the prior art in the relevant field include numerous examples and types of secure accesses, security tests, and means for providing programming sessions. In the absence of more information in the claim, the claim interpretation herein would include: a security access including an access by one or more elements of the controller to one or more elements of the apparatus (or system or apparatus capable of performing the method) as claimed, wherein said access is done in a secure manner or is to or of a secure element or portion; a security test being any test of an element of the apparatus or system and/or a step of a method that provides an indication regarding a security factor of said element; and a transition to a programming session being any act or series of acts that provides a programming session corresponding to one or more elements or acts of the apparatus or method as claimed. Given this BRI, and the lack of corresponding support for the structure and/or acts for implementing these features, the conclusion necessitated by consideration of the above-indicated factors is that the claim limitations recited in the amended portion of claims 1 and 11 are indefinite.
	The claim terms “perform a security access for security test after transition to a programing session” can be considered functional in nature (see discussion at MPEP § 2173.05(g)). The following factors must be considered “when examining claims that contain functional language to determine whether the language is ambiguous: (1) whether there is a clear cut indication of the scope of the subject matter covered by the claim; (2) whether the language sets forth well-defined boundaries of the invention or only states a problem solved or a result obtained; and (3) whether one of ordinary skill in the art would know from the claim terms what structure or steps are encompassed by the claim” (MPEP § 2173.05(g)).
	As discussed more fully above, neither the Specification nor the claims themselves provide “a clear cut indication of the scope of the subject matter covered by the claim.” The language sets forth “a problem solved or result obtained” by the recited terms (i.e., a “security access” is a result; no steps are recited to perform the security access). Finally, in the absence of disclosure in the Specification or the claims themselves the structure and/or steps to be performed to carry out the recited functions, it cannot be said in this case that one of ordinary skill in the relevant art would know the structure or steps encompassed by the claim.
	In view of the foregoing, claims 1 and 11 are rejected as indefinite. The additional limitations in claims 3-5, 7-10, 13-15 and 17-20 do not cure these deficiencies, and these claims are therefore likewise rejected as indefinite.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3-8, 11 and 13-18 are rejected under 35 U.S.C. 103 as being unpatentable over Sakurai et al., U.S. 2020/0050378 A1 (hereinafter referred to as “Sakurai”) in view of Tschache, Alexander, U.S. 10,423,401 B2 (hereinafter referred to as “Tschache”).

Regarding claim 1, Sakurai teaches: An over the air update apparatus of a vehicle (Sakurai, e.g., ¶30, “for providing and rewriting programs (software) of ECUs through an over the-air (OTA) …”), the over the air update apparatus comprising: a communication circuit configured to receive data for over the air update of vehicle software from an external server (Sakurai, e.g., FIG. 1 elements 2 and 12; see also, e.g., ¶45, “center-device communication unit 7 wirelessly communicates the packaged data to the vehicle device 5 …” and ¶46, “DCM 12 is an on-vehicle communication unit that performs data communication with the center device 3 through the communication network 2 …”); and a controller (Sakurai, e.g., FIG. 1, element 13; see also, e.g., ¶47, “CGW 13 serves as a vehicle central gateway unit having a data relaying function, and upon receiving the updating data from the DCM 12, transmits the updating data to at least one target ECU 19 which is the target for rewriting its application programs …”) configured to: 
store ROMs (Sakurai, e.g., ¶47, “upon receiving the updating data from the DCM 12 … controls updating … of the application programs of the at least one target ECU 19 based on the specification data (and the specification data table 52) …” Examiner’s note: see FIGs. 2A-C and 3 for description of the specification data table, included in the packaged data, which includes the update data (repro data) and information about the memory structure of each ECU (as part of the specification data table). Note that by sending the specification data table and package comprising the updating data said information is stored at least temporarily for the purpose of performing the distributed software update for the one or more ECUs. This is supported by FIG. 13 and ¶¶77-83, discussing the data stored and analyzed in order to perform update operations) and update-schedules for the over the air update (Sakurai, e.g., ¶36, “ECU information DB further stores override information 9 that allows OEMs to control or set the timing of rewriting application programs of ECUs 19 … rewrite timing of ECUs 19 can be flexibly set by OEMs …” See also, e.g., FIGs. 2A-C and 3, showing that the override information is included in the specification data table); and 
perform each update using each diagnostic command (Sakurai, e.g., ¶38, “specification data 50 is information defining the processing of program updates (program rewrites) of each ECU 19 controlled by the vehicle device 4 …” See also at least FIG. 16 providing at least one example embodiment comprising performing the update(s)) based on a safety state of the vehicle (Sakurai, e.g., ¶36, “when the override information 9 is set, the rewriting of the application program for the ECU 19 is restricted to when the vehicle is parked …”), and
wherein the controller comprises: a management control device (Sakurai, e.g., FIG. 1, element 12, DCM (vehicle-device communication unit) in combination with element 13 (vehicle computer); see also, e.g., ¶46, “DCM is an on-vehicle communication unit that performs data communication with center device 3 … DCM extracts updating data … transmits them to the CGW 13.” See also, e.g., ¶47, “CGW 13 serves as a vehicle central gateway unit … transmits the updating unit to at least one target ECU 19 … controls updating of the application programs based at least on the specification data 50 …”) comprising: 
a scheme determining device configured to determine a scheme of an update target control device (Sakurai, e.g., ¶35, “ECU information DB 5 … stores memory structure information 8 that specifies the memory configuration of each of the plurality of ECUs 19 …”); and 
a master logic configured to transfer ROM data in a sequence distinguished based on the determined scheme (Sakurai, e.g., FIG. 14, teaching arranging ECU target data based on a type or combination of ECU types); and 
the update target control device configured to receive the data from the management control device to perform the over the air update using each diagnostic command based on a scheme determined for each control device (Sakurai, e.g., FIG. 16, teaching the updating of each ECU based on a rewrite order and an ECU type for each ECU in the update), and
wherein the update target control device comprises at least one of target control devices distinguished based on a default scheme, a differential scheme, a memory dualization scheme, or a scheme for combining the differential scheme and the memory dualization scheme with each other (Sakurai, e.g., ¶47, “upon receiving the updating data from the DCM 12 … controls updating … of the application programs of the at least one target ECU 19 based on the specification data (and the specification data table 52) …” Examiner’s note: see FIGs. 2A-C and 3 for description of the specification data table, included in the packaged data, which includes the update data (repro data) and information about the memory structure of each ECU (as part of the specification data table). Note that by sending the specification data table and package comprising the updating data said information is stored at least temporarily for the purpose of performing the distributed software update for the one or more ECUs. This is supported by FIG. 13 and ¶¶77-83, discussing the data stored and analyzed in order to perform update operations. Finally, see also, e.g., FIGs. 2A-2C and 3, wherein a default scheme could comprise a single type without override, a differential scheme could comprise a single type with override, a memory dualization scheme can relate to a memory having two or more regions, and a combination type could comprise a situation comprising updates to a heterogeneous set of ECUs. See also, e.g., ¶¶35-36 and 38-44, describing generating the package comprising the update data and the specification data, wherein said specification data includes information regarding the memory configuration of each ECU and the update is performed consistent with that specification (see, e.g., ¶47)), and 
wherein the at least one of target control devices respectively include update execution logics or memories distinguished based on the schemes (Sakurai, e.g., ¶35, “ECU information DB 5 stores memory structure information 8 of a flash memory (memory) 28d included in each of the plurality of ECUs 19 mounted on vehicles …” Examiner’s note: as discussed above, this information is additionally included in a specification data / table included as part of the update package transferred to and stored on the vehicle CGW (controller), wherein said controller includes functionality for determining said structure types during update operations (see, e.g., FIG. 13 and ¶¶77-83).
Sakurai does not teach that the controller performs a security access for security test after transition to a programming session. However, Tschache does teach: wherein the controller performs a security access for security test after transition to a programming session (Tschache, e.g., 3:45-53, “test data block can be stored in a secure memory of the control unit … [or] in a secure memory outside the control unit, the control unit having access rights … Optionally, the data stored in the secure memory, and thus also the test data block, are secured against modification and reading out by unauthorized persons. In this way, the security level is increased again during execution of the software updating …” See also, e.g., 6:11-15, “By exchanging individual and not all data blocks 30a-30f, a partial updating of the software of the control unit 18 is carried out. The data blocks 30a-30f can be, for example, flash blocks which are rewritten for recording a software update in the control unit 18 …” See also, e.g., 6:46-53, “verifying the consistency of the hash values, stored in the test data block 32, of all data blocks 30a-30f of the software by matching the hash values stored in the test data block 32 with a cryptographic signature over the hash values, to be expected in the test data block 32, for all data blocks 30a-30f after the updating …” Examiner’s note: any determination to begin an update, and the update process itself, is interpreted as a programming session and a transition thereto. The security access is the authorized access by the controller to the test data block, and the security test is the ensuring of a match of expected cryptographic values. In the absence of a more precise definition of “security access,” “security test,” and “programing session” in the Specification, these disclosures of Tschache are considered to teach the claim limitation under its broadest reasonable interpretation) for the purpose of securely accessing test data to verify secure update of one or more flash blocks of a vehicle controller software update in an efficient manner by only calculating and comparing hash values of updated segments (Tschache, ibid.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the over-the-air vehicle software updating system and method of Sakurai to provide that the controller performs a security access for security test after transition to a programming session because the disclosure of Tschache shows that it was known to those of ordinary skill in the pertinent art to improve an over-the-air software updating system and method to provide that the controller performs a security access for security test after transition to a programming session for the purpose of securely accessing test data to verify secure update of one or more flash blocks of a vehicle controller software update in an efficient manner by only calculating and comparing hash values of updated segments (Tschache, Id.).

Regarding claim 11, Sakurai teaches: An over the air update method of a vehicle (Sakurai, e.g., ¶30, “for providing and rewriting programs (software) of ECUs through an over the-air (OTA) …”), the over the air update method comprising: 
receiving data for over the air update of vehicle software from an external server (Sakurai, e.g., FIG. 1 elements 2 and 12; see also, e.g., ¶45, “center-device communication unit 7 wirelessly communicates the packaged data to the vehicle device 5 …” and ¶46, “DCM 12 is an on-vehicle communication unit that performs data communication with the center device 3 through the communication network 2 …”); 
storing ROMs (Sakurai, e.g., ¶47, “upon receiving the updating data from the DCM 12 … controls updating … of the application programs of the at least one target ECU 19 based on the specification data (and the specification data table 52) …” Examiner’s note: see FIGs. 2A-C and 3 for description of the specification data table, included in the packaged data, which includes the update data (repro data) and information about the memory structure of each ECU (as part of the specification data table). Note that by sending the specification data table and package comprising the updating data said information is stored at least temporarily for the purpose of performing the distributed software update for the one or more ECUs. This is supported by FIG. 13 and ¶¶77-83, discussing the data stored and analyzed in order to perform update operations) and update-schedules for the over the air update (Sakurai, e.g., ¶36, “ECU information DB further stores override information 9 that allows OEMs to control or set the timing of rewriting application programs of ECUs 19 … rewrite timing of ECUs 19 can be flexibly set by OEMs …” See also, e.g., FIGs. 2A-C and 3, showing that the override information is included in the specification data table); and 
performing each update using each diagnostic command distinguished for each update schedule (Sakurai, e.g., ¶38, “specification data 50 is information defining the processing of program updates (program rewrites) of each ECU 19 controlled by the vehicle device 4 …” See also at least FIG. 16 providing at least one example embodiment comprising performing the update(s)) based on a safety state of the vehicle (Sakurai, e.g., ¶36, “when the override information 9 is set, the rewriting of the application program for the ECU 19 is restricted to when the vehicle is parked …”), and
wherein performing each update includes: a management control device (Sakurai, e.g., FIG. 1, element 12, DCM (vehicle-device communication unit) in combination with element 13 (vehicle computer); see also, e.g., ¶46, “DCM is an on-vehicle communication unit that performs data communication with center device 3 … DCM extracts updating data … transmits them to the CGW 13.” See also, e.g., ¶47, “CGW 13 serves as a vehicle central gateway unit … transmits the updating unit to at least one target ECU 19 … controls updating of the application programs based at least on the specification data 50 …”) comprising: 
determining a scheme of an update target control device (Sakurai, e.g., ¶35, “ECU information DB 5 … stores memory structure information 8 that specifies the memory configuration of each of the plurality of ECUs 19 …”), and 
controlling to transfer ROM data in a sequence distinguished based on the determined scheme (Sakurai, e.g., FIG. 14, teaching arranging ECU target data based on a type or combination of ECU types); and 
performing the over the air update using each diagnostic command based on a scheme determined based on the received ROM data (Sakurai, e.g., FIG. 16, teaching the updating of each ECU based on a rewrite order and an ECU type for each ECU in the update pursuant to the received ROMs), and
wherein performing each update further includes: configuring at least one of target control devices distinguished based on a default scheme, a differential scheme, a memory dualization scheme, or a scheme for combining the differential scheme or the memory dualization scheme with each other (Sakurai, e.g., ¶47, “upon receiving the updating data from the DCM 12 … controls updating … of the application programs of the at least one target ECU 19 based on the specification data (and the specification data table 52) …” Examiner’s note: see FIGs. 2A-C and 3 for description of the specification data table, included in the packaged data, which includes the update data (repro data) and information about the memory structure of each ECU (as part of the specification data table). Note that by sending the specification data table and package comprising the updating data said information is stored at least temporarily for the purpose of performing the distributed software update for the one or more ECUs. This is supported by FIG. 13 and ¶¶77-83, discussing the data stored and analyzed in order to perform update operations. Finally, see also, e.g., FIGs. 2A-2C and 3, wherein a default scheme could comprise a single type without override, a differential scheme could comprise a single type with override, a memory dualization scheme can relate to a memory having two or more regions, and a combination type could comprise a situation comprising updates to a heterogeneous set of ECUs. See also, e.g., ¶¶35-36 and 38-44, describing generating the package comprising the update data and the specification data, wherein said specification data includes information regarding the memory configuration of each ECU and the update is performed consistent with that specification (see, e.g., ¶47)), and 
performing each update based on a corresponding scheme for each of a plurality of distinguished target control devices (Sakurai, e.g., ¶35, “ECU information DB 5 stores memory structure information 8 of a flash memory (memory) 28d included in each of the plurality of ECUs 19 mounted on vehicles …” Examiner’s note: as discussed above, this information is additionally included in a specification data / table included as part of the update package transferred to and stored on the vehicle CGW (controller), wherein said controller includes functionality for determining said structure types during update operations (see, e.g., FIG. 13 and ¶¶77-83).
Sakurai does not teach that the controller performs a security access for security test after transition to a programming session. However, Tschache does teach: wherein the controller performs a security access for security test after transition to a programming session (Tschache, e.g., 3:45-53, “test data block can be stored in a secure memory of the control unit … [or] in a secure memory outside the control unit, the control unit having access rights … Optionally, the data stored in the secure memory, and thus also the test data block, are secured against modification and reading out by unauthorized persons. In this way, the security level is increased again during execution of the software updating …” See also, e.g., 6:11-15, “By exchanging individual and not all data blocks 30a-30f, a partial updating of the software of the control unit 18 is carried out. The data blocks 30a-30f can be, for example, flash blocks which are rewritten for recording a software update in the control unit 18 …” See also, e.g., 6:46-53, “verifying the consistency of the hash values, stored in the test data block 32, of all data blocks 30a-30f of the software by matching the hash values stored in the test data block 32 with a cryptographic signature over the hash values, to be expected in the test data block 32, for all data blocks 30a-30f after the updating …” Examiner’s note: any determination to begin an update, and the update process itself, is interpreted as a programming session and a transition thereto. The security access is the authorized access by the controller to the test data block, and the security test is the ensuring of a match of expected cryptographic values. In the absence of a more precise definition of “security access,” “security test,” and “programing session” in the Specification, these disclosures of Tschache are considered to teach the claim limitation under its broadest reasonable interpretation) for the purpose of securely accessing test data to verify secure update of one or more flash blocks of a vehicle controller software update in an efficient manner by only calculating and comparing hash values of updated segments (Tschache, ibid.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the over-the-air vehicle software updating system and method of Sakurai to provide that the controller performs a security access for security test after transition to a programming session because the disclosure of Tschache shows that it was known to those of ordinary skill in the pertinent art to improve an over-the-air software updating system and method to provide that the controller performs a security access for security test after transition to a programming session for the purpose of securely accessing test data to verify secure update of one or more flash blocks of a vehicle controller software update in an efficient manner by only calculating and comparing hash values of updated segments (Tschache, Id.).

Regarding claim 3, the rejection of claim 1 is incorporated, and Sakurai further teaches: wherein the controller further comprises: a safety determining device configured to determine whether to perform the update based on a condition determined to perform the over the air update in the safe state of the vehicle, wherein the safety determining device is included in the management control device (Sakurai, e.g., ¶81, “rewrite condition determining unit 56d determines whether the rewrite condition for each of the target ECUs 19 matches the current state of the vehicle (i.e. parked or in operation) …”).

Regarding claim 4, the rejection of claim 1 is incorporated, and Sakurai further teaches: wherein the controller is configured to: perform each update based on at least one of the default scheme, the differential scheme, the memory dualization scheme, or the scheme combining the differential scheme with the memory dualization scheme (Sakurai, e.g., FIGs. 2A-2C and 3, wherein a default scheme could comprise a single type without override, a differential scheme could comprise a single type with override, a memory dualization scheme can relate to a memory having two or more regions, and a combination type could comprise a situation comprising updates to a heterogeneous set of ECUs. See also, e.g., ¶¶35-36 and 38-44, describing generating the package comprising the update data and the specification data, wherein said specification data includes information regarding the memory configuration of each ECU and the update is performed consistent with that specification (see, e.g., ¶47)).

Regarding claim 5, the rejection of claim 1 is incorporated, and Sakurai further teaches: wherein the controller further comprises: a memory configured to store data based on the default scheme, the differential scheme, the memory dualization scheme, and the scheme combining the differential scheme and the memory dualization scheme with each other, and wherein the memory is included in the management control device (Sakurai, e.g., ¶47, “upon receiving the updating data from the DCM 12 … controls updating … of the application programs of the at least one target ECU 19 based on the specification data (and the specification data table 52) …” Examiner’s note: see FIGs. 2A-C and 3 for description of the specification data table, included in the packaged data, which includes the update data (repro data) and information about the memory structure of each ECU (as part of the specification data table). Note that by sending the specification data table and package comprising the updating data said information is stored at least temporarily for the purpose of performing the distributed software update for the one or more ECUs. This is supported by FIG. 13 and ¶¶77-83, discussing the data stored and analyzed in order to perform update operations).

Claims 13-15 are rejected for the reasons given in the rejections of claims 3-5 above.

Regarding claim 7, the rejection of claim 1 is incorporated, and Sakurai further teaches: wherein the server comprises: data storage configured to store each ROM and each update schedule for each control device (Sakurai, e.g., FIG. 1, center computer 10a in communicative operation with ECU repro. DB 6 (storing ROMs) and ECU info DB (storing update schedule info such as override data determining whether a parking or other schedule applies to each update). See also, e.g., ¶¶33-36 discussing the contents of the ECU reprogramming data DB 6 and ECU information DB 5).

Regarding claim 8, the rejection of claim 1 is incorporated, and Sakurai further teaches: wherein the controller is configured to perform each update using at least one of a command (ReadActiveArea) for controlling to read a memory area currently operating (Sakurai, e.g., ¶¶75-76, “During normal operation … in which application processing such as vehicle control processing and diagnosis is being executed, the microprocessor 28 … judges which region is an operation region … microprocessor 28 temporarily saves the application in the difference engine work area …” Examiner’s note: to save a copy of the application or a portion thereof, read and write operations must both be executed, the read to the operative area, and the write to a non-operative working area), a command (EraseTargetArea) for controlling to erase a memory area not operating, a command (CopyActiveAreaTo) for controlling to copy the operating memory area to an unoperating memory area (Sakurai, e.g., ¶¶75-76, “During normal operation … in which application processing such as vehicle control processing and diagnosis is being executed, the microprocessor 28 … judges which region is an operation region … microprocessor 28 temporarily saves the application in the difference engine work area …” Examiner’s note: to save a copy of the application or a portion thereof, read and write operations must both be executed, the read to the operative area, and the write to a non-operative working area), and a command (WriteDeltaPatch) for controlling to create a ROM inside the control device based on Delta (Sakurai, e.g., ¶76, “microprocessor 28 generates the new data from the old data and the rewrite difference data …” Examiner’s note: the rewrite difference data is the delta).

Claims 17-18 are rejected for the reasons given in the rejections of claims 7-8 above.

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sakurai in view of Tschache, and in further view of Ingerman et al., U.S. 2019/0386923 A1 (hereinafter referred to as “Ingerman”).

Regarding claim 9, the rejection of claim 1 is incorporated, but Sakurai in view of Tschache does not more particularly teach that the controller is configured to control background transfer of the update based on at least one of a network load. However, Ingerman does teach: wherein the controller is configured to: control background transfer for the over the air update based on at least one of a network load, a vehicle power state1, a battery state2, or an estimated remaining ROM data transfer time3 (Ingerman, e.g., ¶¶36-38, “cellular congestion and download management entity (CCMM 200) collects information about congestion in the mobile network … congestion information gathered from vehicle head units can be collected and aggregated into a data feed to the CCMM service 200 … policies typically provide conditions and more generally the logic and settings to determine whether to invoke congestion mitigation … CCMM 200 can interact with the campaign server and/or a vehicle 106 to suspend/prioritize lower priority campaigns … Mitigation directives can be transmitted from the CCMM 200 down to the head unit of the vehicle … causes the head unit to temporarily delay or suspend the download, or to throttle it.” Examiner’s note: the head unit of the vehicle (controller) provides both congestion information data collection and throttling functions based on that information) for the purpose of preventing over-congestion of the network (Ingerman, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the over-the-air vehicle software updating system and method of Sakurai in view of Tschache to provide that the controller is configured to control background transfer of the update based on at least one of a network load because the disclosure of Ingerman shows that it was known to those of ordinary skill in the pertinent art to improve an over-the-air software updating system and method to provide that the controller is configured to control background transfer of the update based on at least one of a network load for the purpose of preventing over-congestion of the network (Ingerman, Id.).

Claim 19 is rejected for the reasons given in the rejection of claim 9 above.

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sakurai in view of Tschache, and in further view of Morley et al., U.S. 2016/0162275 A1 (hereinafter referred to as “Morley”).

Regarding claim 10, the rejection of claim 1 is incorporated, but Sakurai in view of Tschache does not more particularly teach completing reprogramming, reading versions of devices after update, and reporting success to the server. However, Morley does teach: wherein the controller is configured to:  complete reprogramming through a command (ReadDataByIdentifier); read a software (SW) version of each control device after each update; and report update success to the server (Morley, e.g., ¶51, “after installation of a target platform has completed … report is generated and sent to the Update Server 35 … report includes the platform version number … and application identifying information, including app ID, build number, and version number …” Examiner’s note: while the reports are malfunction reports, the reporting of information occurs (1) after “installation … has completed” (and therefore occurs via at least one command) and includes version information (which therefore must have been read); note also that ¶¶52-55 discuss whitelists as well as blacklists, indicating consideration of “successful” updates of a particular success definition. Examiner further notes that a complete installation has been “successfully” completed, regardless of other subsequently observed errors) for the purpose of reporting successful and unsuccessful installations to whitelist or blacklist particular versions based on errors or lack thereof (Morley, ibid.).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the over-the-air vehicle software updating system and method of Sakurai in view of Tschache to provide for completing reprogramming, reading versions of devices after update, and reporting success to the server because the disclosure of Morley shows that it was known to those of ordinary skill in the pertinent art to improve an over-the-air software updating system and method to provide for completing reprogramming, reading versions of devices after update, and reporting success to the server for the purpose of reporting successful and unsuccessful installations to whitelist or blacklist particular versions based on errors or lack thereof (Morley, Id.).

Claim 20 is rejected for the reasons given in the rejection of claim 10 above.

Response to Arguments
In the Remarks, Applicant Argues: The amendments to independent claims 1 and 11 distinguish over the previously cited prior art of record, and the claims are accordingly in condition for allowance.

Examiner’s Response: In view of the amendments, Examiner newly cites to Tschache. Further, the amendments present issues under 35 U.S.C. 112(a) and (b), and rejections have been made accordingly. As such, the rejections are maintained under the new grounds presented in full above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Examiner has identified particular references contained in the prior art of record within the body of this action for the convenience of Applicant.  Although the citations made are representative of the teachings in the art and are applied to the specific limitations within the enumerated claims, the teaching of the cited art as a whole is not limited to the cited passages.  Other passages and figures may apply.  Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art and/or disclosed by Examiner.
Examiner respectfully requests that, in response to this Office Action, support be shown for language added to any original claims on amendment and any new claims.  That is, indicate support for newly added claim language by specifically pointing to page(s) and line number(s) in the specification and/or drawing figure(s).  This will assist Examiner in prosecuting the application.
When responding to this Office Action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made.  He or she must also show how the amendments avoid such references or objections.  See 37 C.F.R. 1.111(c).
Examiner interviews are available via telephone and video conferencing using a USPTO-supplied web-based collaboration tool. Applicant is encouraged to submit an Automated Interview Request (AIR) which may be done via https://www.uspto.gov/patent/uspto-automated-interview-request-air-form, or may contact Examiner directly via the methods below.
Any inquiry concerning this communication or earlier communication from Examiner should be directed to Andrew M. Lyons, whose telephone number is (571) 270-3529, and whose fax number is (571) 270-4529.  The examiner can normally be reached Monday to Friday from 10:00 AM to 6:00 PM EST.            If attempts to reach Examiner by telephone are unsuccessful, Examiner’s supervisor, Wei Zhen, can be reached at (571) 272-3708.  The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (in USA or Canada) or (571) 272-1000.
/Andrew M. Lyons/Examiner, Art Unit 2191  


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 See, e.g., Bahar et al., U.S. 2019/0014026 A1, ¶¶30-31, discussing consideration of ignition (i.e. vehicle power) state in determining when to download and/or install updates
        2 See, e.g., Sakurai et al., U.S. 2020/0050442 A1, ¶167, discussing consideration of remaining battery level for determining when / whether to download or install an update
        3 See, e.g., Miura, Masashi, U.S. 2020/0065087 A1, e.g., FIG. 9 and ¶¶90-91, discussing determining a download time required to complete a firmware download in combination with other factors