hide main.py and boot.py

The official pyboard running MicroPython.
This is the reference design and main target board for MicroPython.
Target audience: Users with a pyboard.
lymo
Posts: 3
Joined: Tue Jan 03, 2017 10:39 am

hide main.py and boot.py

Post by lymo » Tue Jan 03, 2017 10:48 am

Hello,
Is there a possibility to hide the main.py and the boot.py if I don't want somebody to see the code when they plug in the board with USB to a computer? Did someone think about security measures against counterfeit? I would be happy to get some information about the topic.

Thanks.

torwag
Posts: 220
Joined: Fri Dec 13, 2013 9:25 am

Re: hide main.py and boot.py

Post by torwag » Tue Jan 03, 2017 11:15 am

Hi,
There were some discussions, but as far as I know no real solutions like encryption or something like that.
I guess in principle it should be possible to generate byte-code and execute this. That would add one level of security. However, if someone really wants, he still could get the code.
Another would be, if you have no need for the USB, to make the USB port inactive (physically, or by software).

I guess you want to put this in some sort of production and if so, you might go finally with a modified version of a pyboard.
Some other boards have a separation between the USB to Serial converter unit and the chip itself. You can simply snap the USB controller off for the final product. Even then, someone with (rather basic) skills could attach a serial converter again. However, it might be sufficient depending on the level of security you need.

Nevertheless, as in every other software-based system, there is no 100% security; take those iPhones, PlayStations, etc. At one point or the other, people will find an exploit to access your device. Another strategy therefore might be to play completely open and sell the service instead of the binary blob. It is a harder way and most likely does not make you rich, but a possible way.
It pretty much depends on your business model. If you plan to sell a micropython-based device with a lot of hardware needs in a speciality field locally in your area, you might be good to simply remove the USB to "protect" your customers from accidentally playing with the code. If you want to sell millions of devices (like many esp8266 boards) and the price is the only argument you have, I would worry about counterfeit popping up very soon.

Hope that helps a bit

lymo
Posts: 3
Joined: Tue Jan 03, 2017 10:39 am

Re: hide main.py and boot.py

Post by lymo » Tue Jan 03, 2017 12:02 pm

Thanks torwag,

What you wrote makes sense. It answered all of my questions.
It would be some kind of protection if I run byte code on the MCU. Is there a way to compile the Python source code for the microcontroller on a PC? What I mean: is it possible to use the advantage of fast prototyping on the MicroPython platform + getting a bytecode at the end of a development so I would be able to use it on a stm32f4 without MicroPython firmware?
It's not about a specific product. It's about understanding how I could protect code if the compiler is part of the MCU.

torwag
Posts: 220
Joined: Fri Dec 13, 2013 9:25 am

Re: hide main.py and boot.py

Post by torwag » Tue Jan 03, 2017 12:17 pm

Hi,

@Roberthh mentioned already how to do that.
As said, it has limitations. Please be aware, you always have to run MicroPython. It is (with normal measures) not possible to convert Python code into C code or assembler to run it directly on the controller.
However, you can turn off the USB functionality, and you can turn off the interactive Python prompt (REPL) for the final version of your product. That means even if people connect the unit to a PC they will not be able to access it by the usual methods.
It is however still accessible if people investigate further and deeper, e.g. by reading out the flash memory and analysing it.

This is the usual cat and mouse game. The above method makes it difficult enough for, let's say, 99% of the users. For the remaining 1% you would have to invest much, much more time and effort. E.g. your program could check the ID of the controller chip and only if it matches the code would run. That would prevent someone from copying the entire flash memory to another unit.

You could increase it further by adding even more methods up to real encryption, authentication via network, etc. But every method will only keep away another 50% of possible "attackers" and comes with more and more costs (performance and man-power like). However, somewhere in the world there will be someone with enough skills and technology to get down to the code. The question for an attacker is always, is it worth the time and money (take away white hat crackers, who are doing it for a living to prove technology concepts and push limitations).
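
Added example (not part of the post above and not MicroPython project code): one way to implement the chip-ID check mentioned in that post, as a module meant to be frozen into the image and imported from main.py. The module name app_guard, the salt, the sample ID and the idea of recording the expected fingerprint at provisioning time are assumptions; machine.unique_id() is the real MicroPython call.

```python
# app_guard.py: hypothetical module name; bind the application to one MCU.
try:
    import machine                       # available on MicroPython ports
    def read_chip_id():
        return machine.unique_id()       # 96-bit (12-byte) ID on the pyboard's STM32F4
except ImportError:
    # Desktop Python fallback so the logic can be exercised off-target.
    SAMPLE_ID = b"\x3a\x00\x21\x00\x0f\x51\x35\x31\x38\x38\x38\x34"  # constructed value
    def read_chip_id():
        return SAMPLE_ID

try:
    import hashlib, binascii
except ImportError:                      # older firmware uses the u-prefixed names
    import uhashlib as hashlib, ubinascii as binascii

SALT = b"example-product-salt"           # constructed per-product value (assumption)

def fingerprint(chip_id, salt=SALT):
    """Hex SHA-256 over salt || chip_id; the value recorded at provisioning."""
    return binascii.hexlify(hashlib.sha256(salt + chip_id).digest()).decode()

def is_provisioned_unit(expected_hex, chip_id=None):
    """True only if this MCU's ID matches the fingerprint stored with the code."""
    if chip_id is None:
        chip_id = read_chip_id()
    actual = fingerprint(chip_id)
    if len(actual) != len(expected_hex):
        return False
    diff = 0
    for a, b in zip(actual, expected_hex):   # compare without an early exit
        diff |= ord(a) ^ ord(b)
    return diff == 0

def run_if_authorised(expected_hex, app):
    """Call app() on a matching unit; on any other unit return None without running it."""
    if not is_provisioned_unit(expected_hex):
        return None
    return app()
```

This only stops a verbatim copy of the flash to another unit; anyone able to read and modify the flash image can also patch the comparison out.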

Roberthh
Posts: 3667
Joined: Sat May 09, 2015 4:13 pm
Location: Rhineland, Europe

Re: hide main.py and boot.py

Post by Roberthh » Tue Jan 03, 2017 3:14 pm

Hello @lymo,
Sorry for the confusion. I made a reply and deleted it, since I had not tested my suggestion before. I was thinking about putting boot.py and main.py into frozen bytecode. Unfortunately, that does not work. But, you can put your code into a separate module, which is imported from main.py. This module can be placed into frozen bytecode. That's what I'm doing all the time. It will then be in the flash image and not as source code. So decoding it is somewhat harder than just opening a file in an editor. As a side effect, it saves RAM during runtime, the code starts much faster and can be larger, since the compilation is done on the PC.

You can put code into frozen bytecode by placing it in a subdirectory of micropython/stmhal, like "modules", and then build a new image:

    make FROZEN_MPY_DIR=modules BOARD=PYBV11

You have to build mpy-cross in micropython/mpy-cross first (that is the upython compiler).

lymo
Posts: 3
Joined: Tue Jan 03, 2017 10:39 am

Re: hide main.py and boot.py

Post by lymo » Tue Jan 03, 2017 3:32 pm

Hello @Roberthh
I will try this. Sounds like a good idea.
Thanks.

pythoncoder
Posts: 5956
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: hide main.py and boot.py

Post by pythoncoder » Thu Jan 05, 2017 7:30 am

@lymo you might want to look at this thread http://forum.micropython.org/viewtopic.php?f=3&t=2842.
Peter Hinch
Index to my micropython libraries.

jiXO
Posts: 4
Joined: Fri Oct 13, 2017 11:32 am

Re: hide main.py and boot.py

Post by jiXO » Tue Feb 13, 2018 8:17 am

What is the way to disable REPL for security reasons?

dhylands
Posts: 3821
Joined: Mon Jan 06, 2014 6:08 pm
Location: Peachland, BC, Canada

Re: hide main.py and boot.py

Post by dhylands » Tue Feb 13, 2018 10:14 pm

By putting the code

    pyb.usb_mode(None)

in your boot.py file.
See: http://docs.micropython.org/en/latest/p ... b.usb_mode

Of course, there are still ways to undo that via DFU, they just aren't convenient, so it's only a mild form of protection.

And if you have a USR switch, you can boot up in safe mode:
http://docs.micropython.org/en/latest/p ... #safe-mode
which doesn't execute boot.py
