Post by thread:[PIC] protected code

Setting the code protect config bits is supposed to give you a layer of protection, when at least trying to read back from the actual device. I wont get into the discussion about how that can be gotten around. My question is...when you generate a hex file with these set, can it be dissassembled..ie..is the code protect only valid for reading back from the device. The basis for the question is a client wants to put code updates for a product on his website, so anyone can download but doesnt want someone to easily able to reverse engineer it. I wasnt sure if this protects the hex file.

On Wed, May 20, 2009 at 10:09 PM, alan smith <spam_OUTmicro_eng2TakeThisOuTyahoo.com> wrote: > My question is...when you generate a hex file with these set, >can it be dissassembled..ie..is the code protect only valid for >reading back from the device. Of course it can be disassembled if you post the hex file. You may have to encrypt the hex file with certain method. -- Xiaofan http://mcuee.blogspot.com

> -----Original Message----- > From: .....piclist-bouncesKILLspam@spam@mit.edu [piclist-bouncesKILLspammit.edu] On Behalf > Of alan smith > Sent: 20 May 2009 15:09 > To: Microcontroller discussion list - Public. > Subject: [PIC] protected code > > > Setting the code protect config bits is supposed to give you a layer of > protection, when at least trying to read back from the actual device. I > wont get into the discussion about how that can be gotten around. > > My question is...when you generate a hex file with these set, can it be > dissassembled..ie..is the code protect only valid for reading back from > the device. > > The basis for the question is a client wants to put code updates for a > product on his website, so anyone can download but doesnt want someone to > easily able to reverse engineer it. I wasnt sure if this protects the hex > file. > The code protect bits purely relate to the PIC micro, and prevent useful code being read out via the programming pins. They have nothing to do with the hex file generated by your assembler/compiler. If you feel you need to protect the hex file, you will need to encrypt it in some manner and give legitimate owners the ability to decrypt it through e.g. a custom programming tool or via a special bootloader pre-programmed into the product. Regards Mike ======================================================================= This e-mail is intended for the person it is addressed to only. The information contained in it may be confidential and/or protected by law. If you are not the intended recipient of this message, you must not make any use of this information, or copy or show it to any person. Please contact us immediately to tell us that you have received this e-mail, and return the original to us. Any use, forwarding, printing or copying of this message is strictly prohibited. No part of this message can be considered a request for goods or services. =======================================================================

alan smith wrote: > My question is...when you generate a hex file with these set, can it > be dissassembled..ie..is the code protect only valid for reading back > from the device. Take two deep breaths and try to actually *think* a little. How do you expect specific data in the HEX file to keep people from reading it? And if it did, how would the programmer software know how to read it? And even if programmer software had a means to decrypt a encrypted HEX file, what would prevent others from using the same decryption means, considering there are plenty of third party open source programmer applications out there that work fine whether you set the code protect bits or not. ******************************************************************** Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products (978) 742-9014. Gold level PIC consultants since 2000.

>The basis for the question is a client wants to put code updates >for a product on his website, so anyone can download but doesnt >want someone to easily able to reverse engineer it. I wasnt sure >if this protects the hex file. No it doesn't, it only protects against readback from the device. To be able to do what your client wants to do, you need a bootloader on the PIC that can deal with encrypted download files. Microchip have a number of app notes on bootloaders, and it would be possible to add decryption to them. XTEA seems to be popular because it is compact and fast, while being suitably secure. You don't say what device your client is using, but you do need to note that not all mid-range devices can use a bootloader. I believe all current 18F and larger devices can use a bootloader - but check first.

One could encrypt a formula or a function inside a assembly file and then generate the hex file. This way everybody could use the code without knowing exactly how it do the things, but someone else always could do a reverse engineering... [ ]s --------------------------------- Ricardo de Azambuja http://www.azamec.com.br On Wed, May 20, 2009 at 11:43 AM, Olin Lathrop <.....olin_piclistKILLspam.....embedinc.com> wrote: {Quote hidden}> alan smith wrote: >> My question is...when you generate a hex file with these set, can it >> be dissassembled..ie..is the code protect only valid for reading back >> from the device. > > Take two deep breaths and try to actually *think* a little. How do you > expect specific data in the HEX file to keep people from reading it? And if > it did, how would the programmer software know how to read it? And even if > programmer software had a means to decrypt a encrypted HEX file, what would > prevent others from using the same decryption means, considering there are > plenty of third party open source programmer applications out there that > work fine whether you set the code protect bits or not. > > > ******************************************************************** > Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products > (978) 742-9014. Gold level PIC consultants since 2000. >

On Wed, 20 May 2009 07:09:29 -0700 (PDT) alan smith <EraseMEmicro_eng2spam_OUTTakeThisOuTyahoo.com> wrote: > My question is...when you generate a hex file with these set, can it be > dissassembled..ie..is the code protect only valid for reading back from > the device. > > The basis for the question is a client wants to put code updates for a > product on his website, so anyone can download but doesnt want someone > to easily able to reverse engineer it. I wasnt sure if this protects > the hex file. Easiest solution: Compress the HEX file with RAR, ZIP or whatever, and use a password. Publish on the 'net, and give the password only to the correct users. John

Well thats what I figured...but now and then the obvious isnt so...and I told this to the client but he was.."but its code protected". So figured I would simply ask, making sure I didnt overlook something. The conversation will go..."like I told you"..."did you ask anyone?"..."Yes".. --- On Wed, 5/20/09, Olin Lathrop <olin_piclistspam_OUTembedinc.com> wrote: {Quote hidden}> From: Olin Lathrop <@spam@olin_piclistKILLspamembedinc.com> > Subject: Re: [PIC] protected code > To: "Microcontroller discussion list - Public." <KILLspampiclistKILLspammit.edu> > Date: Wednesday, May 20, 2009, 7:43 AM > alan smith wrote: > > My question is...when you generate a hex file with > these set, can it > > be dissassembled..ie..is the code protect only valid > for reading back > > from the device. > > Take two deep breaths and try to actually *think* a > little. How do you > expect specific data in the HEX file to keep people from > reading it? And if > it did, how would the programmer software know how to read > it? And even if > programmer software had a means to decrypt a encrypted HEX > file, what would > prevent others from using the same decryption means, > considering there are > plenty of third party open source programmer applications > out there that > work fine whether you set the code protect bits or not. > > > ******************************************************************** > Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products > (978) 742-9014. Gold level PIC consultants since > 2000. > -

John Coppens wrote: > Easiest solution: Compress the HEX file with RAR, ZIP or whatever, and > use a password. Publish on the 'net, and give the password only to the > correct users. Who will the post it on the web. ******************************************************************** Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products (978) 742-9014. Gold level PIC consultants since 2000.

You can use TEA for example http://en.wikipedia.org/wiki/Tiny_Encryption_Algorithm ...and I remember somebody was talking about encrypted bootloader here in a while ago so if you search on PicList archive you will find it for sure. Sorry for my short memory. Tamas On Wed, May 20, 2009 at 4:01 PM, alan smith <RemoveMEmicro_eng2TakeThisOuTyahoo.com> wrote: {Quote hidden}> > Well thats what I figured...but now and then the obvious isnt so...and I > told this to the client but he was.."but its code protected". So figured I > would simply ask, making sure I didnt overlook something. The conversation > will go..."like I told you"..."did you ask anyone?"..."Yes".. > > --- On Wed, 5/20/09, Olin Lathrop <spamBeGoneolin_piclistspamBeGoneembedinc.com> wrote: > > > From: Olin Lathrop <TakeThisOuTolin_piclistEraseMEspam_OUTembedinc.com> > > Subject: Re: [PIC] protected code > > To: "Microcontroller discussion list - Public." <RemoveMEpiclistTakeThisOuTmit.edu> > > Date: Wednesday, May 20, 2009, 7:43 AM > > alan smith wrote: > > > My question is...when you generate a hex file with > > these set, can it > > > be dissassembled..ie..is the code protect only valid > > for reading back > > > from the device. > > > > Take two deep breaths and try to actually *think* a > > little. How do you > > expect specific data in the HEX file to keep people from > > reading it? And if > > it did, how would the programmer software know how to read > > it? And even if > > programmer software had a means to decrypt a encrypted HEX > > file, what would > > prevent others from using the same decryption means, > > considering there are > > plenty of third party open source programmer applications > > out there that > > work fine whether you set the code protect bits or not. > > > > > > ******************************************************************** > > Embed Inc, Littleton Massachusetts, http://www.embedinc.com/products > > (978) 742-9014. Gold level PIC consultants since > > 2000. > > --

> John Coppens wrote: >> Easiest solution: Compress the HEX file with RAR, ZIP or whatever, and >> use a password. Publish on the 'net, and give the password only to the >> correct users. > > Who will the[n] post it on the web. To be secure, I think the decryption has to happen in the bootloader with the key in the code protected bootloader. Harold -- FCC Rules Updated Daily at http://www.hallikainen.com - Advertising opportunities available!

On Wed, May 20, 2009 at 9:57 AM, John Coppens <johnEraseME.....jcoppens.com> wrote: > On Wed, 20 May 2009 07:09:29 -0700 (PDT) > alan smith <EraseMEmicro_eng2yahoo.com> wrote: > > > My question is...when you generate a hex file with these set, can it be > > dissassembled..ie..is the code protect only valid for reading back from > > the device. > > > > The basis for the question is a client wants to put code updates for a > > product on his website, so anyone can download but doesnt want someone > > to easily able to reverse engineer it. I wasnt sure if this protects > > the hex file. > > Easiest solution: Compress the HEX file with RAR, ZIP or whatever, and > use a password. Publish on the 'net, and give the password only to the > correct users. > This is probably the best answer, but hex files are so small that you could just give the hex file to the correct users and have similar security with less hassle. Zip encryption is subject to a plaintext attack if you include a known or guessable file in the archive. I wouldn't use it for serious encryption. I know nothing about RAR encryption. Regards, Mark markrages@gmail -- Mark Rages, Engineer Midwest Telecine LLC RemoveMEmarkragesEraseMEEraseMEmidwesttelecine.com

On Wed, 2009-05-20 at 07:09 -0700, alan smith wrote: > Setting the code protect config bits is supposed to give you a layer of protection, when at least trying to read back from the actual device. I wont get into the discussion about how that can be gotten around. > > My question is...when you generate a hex file with these set, can it be dissassembled..ie..is the code protect only valid for reading back from the device. > > The basis for the question is a client wants to put code updates for a product on his website, so anyone can download but doesnt want someone to easily able to reverse engineer it. I wasnt sure if this protects the hex file. The code protect bit is just a setting in the PIC's config space, aside from that bit being flipped in the hex file there is no difference in the hex file. TTYL

If the client is determined that his clients have web access to the hex file, why not get him to setup a password secured web page? RP 2009/5/21 Herbert Graf <RemoveMEhkgrafspam_OUTKILLspamgmail.com>: {Quote hidden}> On Wed, 2009-05-20 at 07:09 -0700, alan smith wrote: >> Setting the code protect config bits is supposed to give you a layer of protection, when at least trying to read back from the actual device. I wont get into the discussion about how that can be gotten around. >> >> My question is...when you generate a hex file with these set, can it be dissassembled..ie..is the code protect only valid for reading back from the device. >> >> The basis for the question is a client wants to put code updates for a product on his website, so anyone can download but doesnt want someone to easily able to reverse engineer it. I wasnt sure if this protects the hex file. > > The code protect bit is just a setting in the PIC's config space, aside > from that bit being flipped in the hex file there is no difference in > the hex file. > > TTYL > >