sfullam
Joined: 2015-09-15 01:51
Flash Locking Possible?

Is it possible to restrict read access to the built-in flash after programming to prevent unauthorized duplication?

MT_dialog
Staff
Joined: 2015-06-08 34

Hi sfullam,

I am not sure if I get the question correctly; I suppose that you would like to prevent anyone from getting your binary from the embedded flash.

In that case, since there isn't any specific mechanism to do that, please check some options you have, not in order to make your flash steal-proof but to make it more difficult to hack.

I suppose that you can encrypt your code, burn it in the flash, and use the advanced bootloader that you will burn on the 583's OTP. When the 583 boots up, eventually the advanced bootloader will execute and perform the decryption of your image in flash.

The secondary bootloader supports the decryption of an image when it's built for SUOTA (multi image) operation, but you could tweak the normal operation (the one that supports the AN-B-001 header) in order to support decryption as well.

You can even leave the secondary bootloader as is (supporting the multi boot) and always have one active image on your flash, and always boot from the same encrypted image. You can also avoid burning the secondary bootloader in the OTP (in the case of the 583 it is considered an advanced bootloader) and burn it on your flash (unencrypted, of course). So when the device boots up, it will try to download the image from the flash and get the secondary bootloader; the secondary bootloader will find the active image, decrypt it and download it on the 583.

The downside of the above is the fact that the key is going to be visible and someone could extract it by reading your flash or OTP, so if somebody wants to get your code, he will be able to do some digging and extract it. To make it difficult for someone to access the flash or OTP, you can do the following.

You could use the secondary bootloader (as an advanced bootloader in the OTP), disable the JTAG in the OTP and modify it by disabling the UART, so when the 583 boots up it will check the advanced bootloader option before checking anything else, so it will boot with the advanced bootloader, on which you will ONLY enable the SPI option and directly boot from the internal SPI.

Of course, this solution is again not steal-proof, since by powering off the embedded flash and booting from a flash that has a fw like the uart_programmer, someone can again access your code. In any case, since you are booting from an external serial device, there is no way to make the access to your flash totally secure, but at least you will be able to make it more difficult to hack.

Thanks MT_dialog