The Underhandedness of Big Companies

2014-6-19 16:45 | Category: Consumer Electronics


 

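Because of the reputation they have built up, big companies sometimes do not hesitate to lie. I wonder when, as in the story of the boy who cried wolf, the lying child will finally be punished. Four examples: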

 

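1. Not long ago an EE Times column carried an exclusive report on the technical reasons why Toyota lost the Oklahoma sudden-acceleration case ("Toyota Case: Single Bit Flip That Killed", Junko Yoshida, 10/25/2013 03:35 PM EDT). The testimony of two technical experts showed that Toyota's throttle software had many unsound aspects, and software fault-injection experiments reproduced the possibility of the program running out of control. Although this did not directly reproduce sudden acceleration, it was enough to convince the jury that Toyota was liable for negligence. Seeing that it was losing, Toyota immediately agreed to pay compensation and so escaped further accountability. The story is well worth following. I read the public part of the trial transcript, where you can see how the plaintiff's lawyer patiently led the witness to the key points, how the defense lawyer looked for chances to trip the witness up, and how the judge kept reminding the jurors not to exchange views and influence each other during recesses. I knew nothing about the American jury system; later I watched an episode of Luo Pangzi's "Luoji Siwei" (罗辑思维) on the subject and learned that the jury is what matters. So cross-examination between experts is only the first step; convincing the public is the key. Big companies have enormous power and can sway events by all kinds of open and hidden means. In the e-mails I received in 2010 I could feel the pressure on those who believed Toyota's sudden acceleration was a throttle problem. So it took courage for EE Times to publish this report. I salute you!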

 

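2. Big companies can make up a reason to fool people. For example, in last year's (2013) DSG recall, the reason ww gave was that China's weather is too hot and its roads too congested, so the gearbox shifts too frequently and therefore fails. But other makers also use dual-clutch gearboxes, and ww itself is still bringing out a 10-speed dual-clutch gearbox; more gears obviously make the gearbox shift even more often. So how can that reason convince anyone?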

 

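3. While looking for material on the A380 depressurization incident, I came across the story of the American engineer J. Mangan, who in 2005 raised doubts about the TTP chip. This is another case of an individual standing up to a powerful company. The American engineer Joseph Mangan was chief engineer for chip design at TTP, and he believed there were hidden hazards: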

Mangan said he found serious flaws early last year (note: 2004) in TTTech's computer chips and the software for the A380's cabin-pressurization system, according to legal documents. The system was executing "unpredictable" commands when it received certain data, possibly causing the pressure valves to open accidentally.

Because all four motors in the A380's cabin-pressurization system use the same type of flawed TTTech chip, Mangan says, "if one fails, they all fail."

 

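After reporting the matter through many channels without result, he published what he considered to be the evidence online in a blog. TTP fired him and brought civil and criminal charges against him for leaking secrets. The judge barred him from speaking about the matter in Austria and fined him into bankruptcy, and he could face prison. TTP's condition for a settlement was that he retract his statements, but he did not accept. There are no follow-up reports online.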

 

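Joseph Mangan did not go into the technical details, and his blog pages can no longer be reached. I found the blog of another security expert, where the discussion includes posts by Joseph Mangan.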

Schneier on Security: Potential Airbus Flaw and Coverup

From that post, Joseph Mangan sees the following problems; I copy them directly.

1. Dissimilar redundancy was not implemented in the system design

 

The Boeing 787 Cabin Pressurization System, is to also be provided by Nord Micro, however Boeing demanded that the traditional 3 motor Outflow Valve Design be used, instead of the AIRBUS A380 single motor design. The system implements the “dissimilar redundancy” required by the regulations to assure that the system is “fail safe”, and the outflow valve control is redesigned to contain 2 equally functional redundant controllers, (primary and secondary).

 

2. Safety problems were found in the TTP/C protocol, and the car makers had already rejected it at the time

 

The FLEXRAY consortium, formed in 2001 by a split, which formed in the TTA Consortium with the departure of BMW, Bosch, Daimler Chrysler, and Motorola, over the refusal of Dr Hermann Kopetz to modify TTP/C to correct serious safety defects (note: this claim seems far-fetched; in 2001 nobody had spoken of problems with the TTP/C protocol, though the parties involved may have discussed them internally without making it public) in the technology. TTP/C was therefore determined by the world’s Automotive manufacturers not to be safe for use in Automobiles.

 

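3. The modifications for Boeing were made by Honeywell and are not part of the original TTP/C protocol; they have not undergone rigorous safety certification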

However, Honeywell, chosen to provide the Boeing 787 Fly by Wire Flight Control System, is using the TTP/C controller as the exclusive communications element for each of the redundant channels of the system. Honeywell had demanded changes to the TTP/C controller and Protocol to eliminate safety critical defects in October 2003.  TTTech Chairman of the Board, TU Vienna Professor Dr. Hermann Kopetz grudgingly agreed to make the changes, in order to win the “exclusive contract” in the use of the TTP/C chip in the fly by wire proposal to Boeing. TTTech’s CEO and CFO failed to make the investments to comply with the agreement, and in July of 2004 Honeywell was awarded the Fly By Wire contract. In August, Honeywell asked for the new chip and protocol with the as agreed corrections. In the period between October 2003 and August 2004, TTTech CFO and his sales staff communicated to Honeywell that work was on schedule and proceeding. In September of 2004, I informed the management at Honeywell that TTTech had not performed the work, which it had promised, and no work would be performed without a contract, (with a likely cost of several million dollars). Honeywell was furious, and began a desperate attempt to configure the chip in a way to cause the safety defects to be disabled, with the end result that the behavior of the chip and the software no longer conformed to documented behavior and tests.
Boeing still intends to use the chip in the Honeywell provided Fly By Wire system.

 

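Mangan's fate is a sad one. An employee who, out of conscience, wanted things fixed was powerless to do so. Fearing that he would be held responsible years later, he could not sign off (he mentioned: In addition, as Chief Engineer, I have personal liability for the systems which are approved under my signature authority. The Chief Engineer of the Concorde in 1969, is, this week, being charged with manslaughter in 2005, 36 years later, for the accident which ruptured the fuel tank, resulting in a crash which took the lives of 113 passengers.), and leaving early would probably have brought contractual penalties. What was he to do? I sympathize with him and find the company detestable.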

 

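4. In vehicle control today, the CAN FD bus newly introduced by Bosch brings some improvements, but it still assumes that CAN has no problems. The first page of the CAN FD Specification 1.0 contains this passage: New CRC polynomials are introduced to secure the longer CAN FD frames with the same Hamming distance as in the proven CAN protocol. I sent my analysis of undetected erroneous frames in CAN to CiA as early as 2010. It seems the only way forward is to let more people know.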

 

This is the material I am preparing to send abroad:

Performance of Error Detection of CAN is doubtful!!!

1          CAN 2.0 claims a Hamming distance of HD=6. This is invalid. In Figure 1, 2 bit flips cause an error code of Ec=U*G= (1001,1010,0110,1010,0101). That is HD=2.

Figure 1. CAN 2.0 HD=2 example. $U = x^4 + x^3 + x^2 + 1$

 

2          CAN 2.0 claims that any odd number of errors can be detected. This is invalid. In Figure 2 there are 3 bit flips, and the error code is also a multiple of the CRC generator.

Figure 2. 3 bit flips in Tx. $U = x^6 + x^4 + x^3 + 1$ and Ec=U*G=(1110,1111,0101,1010,0000,01).

 

3          CAN 2.0 claims "burst errors of length less than CRC Sequence in a message are detected". If a burst error is defined by the length between the first error and the last error, the claim is correct: the burst length is then the length of the error code, which is shorter than the degree of the CRC generator, so the error code cannot be a multiple of the CRC generator. That guarantees there is no undetected case, so the claim says nothing. If it is understood in the engineering sense, a burst error means a contiguous run of error bits. Then Figure 3 can be regarded as a 6-bit-long burst error. This Tx is also a susceptible Tx. In a burst error situation it produces an undetected erroneous Rx. That shows that "burst errors of length less than CRC Sequence in a message are detected" is invalid.

Figure 3. Multiple bit flips in Tx. $U = x^6 + x^4 + x^3 + 1$ and Ec=U*G=(1110,1111,0101,1010,0000,01)

4          CAN 2.0 gives an undetected error rate of $4.7 \times 10^{-11}$. This is an underestimate. Taking the Figure 1 example alone, the suspect Tx can have 4 start patterns: Tx=100000 to Rx=100100; Tx=100100 to Rx=100000; Tx=011111 to Rx=011011; and Tx=011011 to Rx=011111. There are $2^{23}$ possible Tx patterns. Thus the suspect Tx make up a portion of $2^{-21}$. The Tx can be at any place in the 64-bit DATA field. Hence there are 65-23=42 different frames which contain the suspect Tx. For the basic CAN frame format the frame length is 107 bits. If one stuff bit is considered, the frame length is 108 bits. The probability that 2 bit flips occur at the specific positions relevant to the Tx is 2/108/107. This gives the undetected frame error rate $P_{un} = 2^{-21} \times 42 \times 2 / 108 / 107 = 3.4 \times 10^{-9}$ with only one example Tx.
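The two error codes quoted above and the item 4 estimate can be checked arithmetically. The Python sketch below is an added example, not part of the original post: it assumes the standard CAN 2.0 CRC-15 generator G (0xC599), multiplies it by the post's U polynomials, shows that XORing the result into a codeword leaves the CRC check passing, and recomputes the estimate; the function names and the 64-bit sample message are constructed for illustration.

```python
# Added example, not from the original post.
G = 0xC599  # CAN 2.0 CRC-15 generator: x^15+x^14+x^10+x^8+x^7+x^4+x^3+1

def poly(*exps):
    """Polynomial over GF(2) as an int, one bit per exponent."""
    v = 0
    for e in exps:
        v |= 1 << e
    return v

def gf2_mul(a, b):
    """Carry-less (GF(2)) multiplication."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf2_mod(a, g=G):
    """Remainder of a divided by g over GF(2); zero means the CRC check passes."""
    while a.bit_length() >= g.bit_length():
        a ^= g << (a.bit_length() - g.bit_length())
    return a

def bits(s):
    """Parse the post's comma-grouped bit strings."""
    return int(s.replace(",", ""), 2)

def codeword(msg):
    """Destuffed stream covered by the CRC: message bits, then 15 CRC bits."""
    return (msg << 15) | gf2_mod(msg << 15)

def undetected(word, ec, shift):
    """True when word XOR (ec << shift) differs from word yet passes the CRC."""
    bad = word ^ (ec << shift)
    return bad != word and gf2_mod(bad) == 0

def pun_one_pattern(starts=4, pattern_bits=23, data_bits=64, frame_bits=108):
    """Item 4 estimate: 2^-21 * 42 * 2 / 108 / 107."""
    positions = data_bits + 1 - pattern_bits
    return starts / 2**pattern_bits * positions * 2 / frame_bits / (frame_bits - 1)

EC1 = gf2_mul(poly(4, 3, 2, 0), G)   # Figure 1 error code
EC2 = gf2_mul(poly(6, 4, 3, 0), G)   # Figures 2 and 3 error code
WORD = codeword(0x0123456789ABCDEF)  # constructed 64-bit sample message

if __name__ == "__main__":
    print(f"{EC1:020b}", f"{EC2:022b}")
    print(all(undetected(WORD, EC1, s) for s in range(60)))
    print(f"{pun_one_pattern():.2e}")
```

The check covers only the destuffed-stream arithmetic; the Tx/Rx bit patterns of the missing figures are not reconstructed here.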

 

 

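Technology develops in stages, and it is normal to discover earlier shortcomings later on. What is not normal is refusing to correct them for the sake of commercial profit and carrying on with the deception, as if every additional person fooled were a gain. Dust does not go away by itself where the broom does not reach.

To the relevant departments of car companies, the industry regulators and the independent third-party certification bodies who hold the power of vehicle safety verification and approval: are you still letting things slide?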

 

Readers, what do you think it would take to stop big companies from fooling people?

 

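Spend 20% of your effort on solving the problem with which your competitors are fooling others, and fooling themselves as well, and you will get 80% of the results!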


Comments (11)


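User 1678053 2016-1-25 10:35

Taking a look

User 1454308 2016-1-25 08:20

Good

User 1711475 2014-6-30 15:45

From what I have observed, companies without integrity, big or small, will not last long!

User 874192 2014-6-20 16:22

That's the truth! Hence the saying: follow the right boss! Only with the boss's support can you vet the product your own way. If the boss thinks the problem you raise is not a problem, all you can do is let the product go to market. Raising it again after something goes wrong is no use either; the company will not back you. In the end you are the one who suffers.

User 1152031 2014-6-19 16:28

Upvote first, read later..

自做自受 2014-6-19 10:51

An integrity system!..........

tomfans_771914403 2014-6-19 10:16

Companies exist to make money... Morals? Heh.

User 1702976 2014-6-19 09:25

Company management serves the board of directors and is subject to term limits and performance reviews; consumers are merely the group through which management realizes its own interests. This is the original sin of private companies. If existing law cannot restrain it, the gap can only be filled with human lives.

User 1678053 2014-6-19 09:13

I can't follow it... just saying...

User 1181216 2014-6-19 08:26

A merchant is a merchant; as the old saying goes, "there is no merchant who is not crafty." But those who do technical work are the same, and I have nothing to say.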