Author |
Message |
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
Looking for an encrypted programmer? |
Posted: Tue Feb 07, 2012 12:39 pm |
|
|
Hi
My customer wants to make updates to the hardware by themselves. But I don't want to give the code to them! Looking for a solution.
I'm looking for an encrypted ISP. I know CCS has one, but I normally use the PIC-KIT2 programmer and this is the best tool I have used! I can load the hex file to the unit and then send it to production.
A clever one can read the program out again (ISP), therefore it is not a way for the customer.
I have only the normal pins from the ISP I/F.
On my PIC's ISP, two of the pins are RX/TX.
There must be a smart and easy way? |
|
|
bkamen
Joined: 07 Jan 2004 Posts: 1615 Location: Central Illinois, USA
|
|
Posted: Tue Feb 07, 2012 12:56 pm |
|
|
You could install a bootloader... and the bootloader does decryption.
That's what I've done...
Via serial, USB and Ethernet.
-Ben _________________ Dazed and confused? I don't think so. Just "plain lost" will do. :D |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Tue Feb 07, 2012 2:46 pm |
|
|
Hi
Yes, a bootloader can be the solution, if there is an out of the box solution. Maybe a paid solution will be OK. Do you know any?
The other problem will be the software part: it may load an encrypted hex file, and first in the PIC it may decrypt it (in the BL). The encryption is not a problem on the PC, but in the PIC it can be a problem. Therefore simple stuff will not work. A hash table will be OK! It may then be the same at both ends.
Any working solution anyone can come up with? |
|
|
bkamen
Joined: 07 Jan 2004 Posts: 1615 Location: Central Illinois, USA
|
|
Posted: Tue Feb 07, 2012 4:07 pm |
|
|
hmmpic wrote: | Hi
Yes, a bootloader can be the solution, if there is an out of the box solution. Maybe a paid solution will be OK. Do you know any?
The other problem will be the software part: it may load an encrypted hex file, and first in the PIC it may decrypt it (in the BL). The encryption is not a problem on the PC, but in the PIC it can be a problem. Therefore simple stuff will not work. A hash table will be OK! It may then be the same at both ends.
Any working solution anyone can come up with? |
It's not a problem. The bootloader decrypting the hex file only slows it down.
Like I said, I've used MCHP's USB and Ethernet Bootloaders and just added encryption to both of them with no problem.
-Ben
p.s. There's no such thing as an "out of box" solution -- you'll 99% chance want to modify SOMETHING to suit your needs. _________________ Dazed and confused? I don't think so. Just "plain lost" will do. :D |
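Added example, not code from any poster in this thread or from Microchip or CCS: a C sketch of the step discussed above, where the PC tool encrypts a firmware record and the bootloader decrypts it in RAM and refuses to program it unless a trailer checks out. XTEA in CBC mode, the `MAGIC` trailer, the word-sum check and the names `pack_record` and `bl_accept_record` are assumptions chosen for illustration; the word sum catches a wrong key or a corrupted record and is not a cryptographic MAC.

```c
#include <stddef.h>
#include <stdint.h>

#define DELTA 0x9E3779B9u   /* XTEA round constant */
#define MAGIC 0xB007C0DEu   /* constructed trailer marker (assumption) */

/* One 64-bit XTEA block, 32 rounds; enc=1 encrypts (PC), enc=0 decrypts (bootloader). */
static void xtea(uint32_t v[2], const uint32_t k[4], int enc) {
    uint32_t v0 = v[0], v1 = v[1], sum = enc ? 0 : DELTA * 32u;
    for (int i = 0; i < 32; i++) {
        if (enc) {
            v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
            sum += DELTA;
            v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        } else {
            v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
            sum -= DELTA;
            v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        }
    }
    v[0] = v0; v[1] = v1;
}

/* PC side (nblocks >= 2): last block becomes {MAGIC, payload word sum}, then CBC-encrypt in place. */
void pack_record(uint32_t *buf, size_t nblocks, const uint32_t iv[2], const uint32_t k[4]) {
    uint32_t prev[2] = { iv[0], iv[1] }, sum = 0;
    for (size_t i = 0; i < 2 * (nblocks - 1); i++) sum += buf[i];
    buf[2 * nblocks - 2] = MAGIC; buf[2 * nblocks - 1] = sum;
    for (size_t b = 0; b < nblocks; b++) {
        uint32_t *p = buf + 2 * b;
        p[0] ^= prev[0]; p[1] ^= prev[1];
        xtea(p, k, 1);
        prev[0] = p[0]; prev[1] = p[1];
    }
}

/* Bootloader side: CBC-decrypt in RAM; return 1 only if the trailer checks out. */
int bl_accept_record(uint32_t *buf, size_t nblocks, const uint32_t iv[2], const uint32_t k[4]) {
    uint32_t prev[2] = { iv[0], iv[1] }, sum = 0;
    if (nblocks < 2) return 0;               /* need payload plus trailer */
    for (size_t b = 0; b < nblocks; b++) {
        uint32_t *c = buf + 2 * b, c0 = c[0], c1 = c[1];
        xtea(c, k, 0);
        c[0] ^= prev[0]; c[1] ^= prev[1];    /* undo CBC chaining */
        prev[0] = c0; prev[1] = c1;
    }
    for (size_t i = 0; i < 2 * (nblocks - 1); i++) sum += buf[i];
    return buf[2 * nblocks - 2] == MAGIC && buf[2 * nblocks - 1] == sum;
}
```

The bootloader would write the payload words to flash only after `bl_accept_record` returns 1; the key sits in the bootloader's own code-protected flash.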
|
|
newguy
Joined: 24 Jun 2004 Posts: 1912
|
|
|
asmallri
Joined: 12 Aug 2004 Posts: 1638 Location: Perth, Australia
|
|
Posted: Tue Feb 07, 2012 4:51 pm |
|
|
hmmpic wrote: | Hi
Yes, a bootloader can be the solution, if there is an out of the box solution. Maybe a paid solution will be OK. Do you know any?
The other problem will be the software part: it may load an encrypted hex file, and first in the PIC it may decrypt it (in the BL). The encryption is not a problem on the PC, but in the PIC it can be a problem. Therefore simple stuff will not work. A hash table will be OK! It may then be the same at both ends.
Any working solution anyone can come up with? |
I sell the source code for a range of encrypted bootloaders that can be used. _________________ Regards, Andrew
http://www.brushelectronics.com/software
Home of Ethernet, SD card and Encrypted Serial Bootloaders for PICs!! |
|
|
bkamen
Joined: 07 Jan 2004 Posts: 1615 Location: Central Illinois, USA
|
|
Posted: Tue Feb 07, 2012 5:08 pm |
|
|
That's weird.
So a user can't disassemble the TEAclipper, but they can build a sniffer for the MCHP programming lines and watch the data go by there -- unencrypted. (as it would seem)
bleah.
Using your own bootloader, the data is decrypted in the PIC... while the bootloader disallows sniffing and using a programmer yields program protection bits blocking read-backs. _________________ Dazed and confused? I don't think so. Just "plain lost" will do. :D |
|
|
newguy
Joined: 24 Jun 2004 Posts: 1912
|
|
Posted: Tue Feb 07, 2012 5:50 pm |
|
|
I agree.
However, there's a chance that the first update can be "snuck in"...the customer may just be concerned about the update and extracting the code may be a secondary concern. By the time they get around to trying to extract it, the device has shut itself down and they won't be able to extract anything.
Here's the sneaky bit....rework the code in the program-once device to incorporate an encrypted bootloader. Any further updates can be completely encrypted and very secure - no worries about how to program the devices in situ anymore. |
|
|
bkamen
Joined: 07 Jan 2004 Posts: 1615 Location: Central Illinois, USA
|
|
Posted: Tue Feb 07, 2012 6:06 pm |
|
|
newguy wrote: |
I agree.
However, there's a chance that the first update can be "snuck in"...the customer may just be concerned about the update and extracting the code may be a secondary concern. By the time they get around to trying to extract it, the device has shut itself down and they won't be able to extract anything.
Here's the sneaky bit....rework the code in the program-once device to incorporate an encrypted bootloader. Any further updates can be completely encrypted and very secure - no worries about how to program the devices in situ anymore. |
True and True.
-Ben _________________ Dazed and confused? I don't think so. Just "plain lost" will do. :D |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Wed Feb 08, 2012 9:12 am |
|
|
Hi
Thanks all for the feedback :-)
Looks like a bootloader is the only secure solution...
The "TEAclipper" is like the PicKit2. OK in production, but not secure in the hands of a customer ("hacker", ISP pin can be read out). I miss a max programming cycle on the PicKit2; it would be nice to set a max program limit to e.g. 500 pcs. in a production line.
:-) |
|
|
dpechman
Joined: 04 Dec 2007 Posts: 43
|
|
Posted: Sun Feb 12, 2012 5:09 pm |
|
|
One solution that I found for a client that asked me the same:
http://www.fabulatech.com/usb-over-network.html
Perhaps create some web interface to interact with the programmer over command line and increase your license counter.
For me, the only negative is that if your client runs some man in the middle the code can be sniffed.
Just an idea |
|
|
|