Is it possible to sign the application on a Cerberus board?

Ninja · November 16, 2013, 12:33pm

Hi,

I am ready to deploy my NETMF applicaiton to several cerberus boards, I require to sign the application to protect from updates.

Up to now I am able to create the Hex file from MFDeploy using the “Target -> Application Deployment -> Create Application Deployment” option and copy the hex file to the other boards, but the key pair seems to have no effect on the cloned boards, because the app always runs even without the keys being installed on the new boards.

I really could not find a tutorial with the steps required to sign the application and the use of key pairs for the cerberus. Can someone point me in the right direction to sign the application in the cerberus boards?

Kind regards.

Mr_John_Smith · November 16, 2013, 10:51pm

@ Ninja, Is your objective to prevent people from updating the firmware whatsoever? If so then ultimately that’s not possible. Once they can get to the JTAG headers they can flash over the entire micro framework. You can only really prevent them from copying the program off the device.

Ninja · November 17, 2013, 12:18pm

@ Mr. John Smith - I want to protect the application IP. I require to avoid the boards to be cloned.

Maybe GHI can confirm if the application protection using keys is available on the cerb-family?

If not, is it a workaround to protect the application from being easily copied and cloned?

Regards.

Gus_Issa · November 17, 2013, 2:29pm

This should be a built in feature in NETMF, which we did not disable. However this was not tested so it is possible it is not working?

Also, this feature does not stop cloning, it stops users from loading Software on your device.

Mr_John_Smith · November 17, 2013, 2:31pm

So it does not stop them from downloading the application from the device. I know the micro controllers have that feature; Gus, how do you keep people from cloning the GHI.Premium Libraries?

Gus_Issa · November 17, 2013, 2:41pm

We can’t protect them but they are useless without the firmware.

By the way, we are looking into adding a protection feature to our premium offerings.

Mr_John_Smith · November 17, 2013, 4:38pm

@ Gus, right so you’re saying that the end user can obtain the GHI.Premium firmware and copy it to another device?

Gus_Issa · November 17, 2013, 5:18pm

No they can’t but they can get the managed DLLs. They are provided anyways.

On any level, nothing is 100% secure. There is always a way, it is about how difficult it can be.

Ninja · November 17, 2013, 5:35pm

@ Gus - Do you suggest a workaround to protect IP from a cerb-family board?

Would it be possible to setup FLASH_OPTCR register inside the application using the managed GHI.OSHW.Hardware.LowLevel register write function, to try to inhibit the chip from being copied, setting up write protection only if application is compiled in release mode?

Regards.

Gus_Issa · November 17, 2013, 6:02pm

All my ideas require a custom firmware and decent amount of work.

Ninja · November 17, 2013, 6:11pm

@ Gus - Thank you.