Preventing manufacturing service from copying hex code

[matbob]

Hello All,

I have a product with a Microchip PIC microcontroller in it. The components and PCB will be sourced, assembled and tested by an EMS (Electronics Manufacturing Service) which is located far from my facility. I have to give them the hex code for programming the microcontroller, may be as a PIC kit "Programmer To Go".

I will be making all the legal agreements to prevent them from cloning my design but I know it is useless. Is there any way to prevent the EMS from copying my code and make clones of the product? I have the following constraints:

1) I cannot be physically there at the EMS facility to do the programming myself.

2) I cannot have the microcontrollers pre-programmed from Microchip because the EMS might have a preferred vendor.

3) I cannot have the micro controllers shipped to my facility and then program it and send it back because this is a volume manufacturing and the EMS might prefer tape and reel packaging (the microcontroller is in SOIC package). So if I take out the microcontroller for programming, I cannot re-pack it.

Is there a way out?

Thanks for your help.

[Kjelt]

Only with an indirect customer unfriendly activation scheme that also requires an interface to a gui or pc. 

What you would like to have and no cheap microcontroller has is a small secured area of rom where you can let the manufacturer custom program your special bootcode in. But alas that is expensive and some high iq hacker will eventually gain access to it anyway.

[SiliconWizard]

I don't see one. If you're giving them means of programming the chips, whatever means you choose, they'll be able to do the same behind your back.
So count on the legal agreements, and make sure you can defend them in case they are infringed.

One possibility would be to add a final step that only your company can handle, like an activation step of some kind. So just producing the device, even with the full firmware, would not be enough to make it function (unless of course the activation system is cracked, but that would be more than just copying...) Downside is, adding a service to handle activations would have a cost.

[langwadt]

Hello All,

I have a product with a Microchip PIC microcontroller in it. The components and PCB will be sourced, assembled and tested by an EMS (Electronics Manufacturing Service) which is located far from my facility. I have to give them the hex code for programming the microcontroller, may be as a PIC kit "Programmer To Go".

I will be making all the legal agreements to prevent them from cloning my design but I know it is useless. Is there any way to prevent the EMS from copying my code and make clones of the product? I have the following constraints:

1) I cannot be physically there at the EMS facility to do the programming myself.

2) I cannot have the microcontrollers pre-programmed from Microchip because the EMS might have a preferred vendor.

3) I cannot have the micro controllers shipped to my facility and then program it and send it back because this is a volume manufacturing and the EMS might prefer tape and reel packaging (the microcontroller is in SOIC package). So if I take out the microcontroller for programming, I cannot re-pack it.

Is there a way out?

Thanks for your help.

since the part you want use (preprogrammed PIC) isn't available from their preferred vendor, you buy it and supply them?

[matbob]

@Kjelt,
@SiliconWizard,

The microcontroller is a cheap one and unfortunately all the pins have been used and I am close to 98% flash memory usage.

@langwadt,

This seems to be the only option. But, what if I find a bug on my code and want to change the code in between the production run. And also, I will have to deduct the extra cost of the microcontroller from my profit margin.

Thanks for your replies.

[Kjelt]

@Kjelt,
@SiliconWizard,

The microcontroller is a cheap one and unfortunately all the pins have been used and I am close to 98% flash memory usage.

Then you are out of options.
What you learned today is what I told professionals for years:
Security should be designed in from the start, it can (almost) never be added at the end.

[langwadt]

@Kjelt,
@SiliconWizard,

The microcontroller is a cheap one and unfortunately all the pins have been used and I am close to 98% flash memory usage.

@langwadt,

This seems to be the only option. But, what if I find a bug on my code and want to change the code in between the production run. And also, I will have to deduct the extra cost of the microcontroller from my profit margin.

Thanks for your replies.

can you give the EMS a software that only has what is needed to do the test and then reprogram them later yourself?

[SiliconWizard]

One idea, close to the "activation" thing, but easier to deal with IMO, would be to write your own programming software and have EMS use it to program your devices instead of using Microchip tools. It's some work for sure, but definitely doable. There are open source projects for doing just that AFAIK that could serve as basis, and anyway, I think the programming protocols are documented.

Said software could contain the object code for the firmware itself, so you wouldn't need to provide a hex file, and retrieving the code could be made at least significantly harder than just copying a file.
Additionally, this software could add the functionality to generate (and program) a different serial number for each device. Make the software able to only generate unique serial numbers, and only for a predefined range. Once the total number of programmed devices has been reached, the software would not allow programming any further device, so you'd keep control over the number of "manufacturable" products.

In the firmware, you could just add a basic check that the SN has been programmed - probably just a few more bytes of code - (so even if someone manages to somehow extract the code from your programming software, they would still have to understand this additional thing with the SN.) That step would be optional, just a simple additional roadblock. Some PICs can be configured at program time to prevent reading back Flash content as well, so enable this in the config bits.

This way, the object code itself is never provided directly. If you ever need to update the firmware, just send EMS a new version of your programming software; likewise if the predefined number of devices has been reached. It would take a reasonably skilled software guy to do this, but it seems largely doable, and many manufacturing plants will accept using client-provided tools and software (sometimes you don't even have a choice when you use very specific/custom parts.)

[ataradov]

There is no point in making a custom software. All they will have to do is put a logic analyzer on the programming pins and extract the firmware and any additional programming steps from that.

[coppice]

Who is testing the completed boards? If its you, have you considered programming the parts after the board has been assembled?

A lot of big production runs at EMS places use pre-programmed MCUs, and its a huge pain. Not only is it messy unpacking parts, programming them in jigs, and then repacking them suitable for the PnP machines on the EMS line, you also get a higher defect rate if the device has legs. There will always be some rate of leg bending with all that extra handling. QFNs might be a boon here.

[SiliconWizard]

The whole point is to make things harder. Just like locking your door. Those manufacturing services must see hundreds of different products per year, they won't go into any effort getting to clone yours unless it's either VERY easy to do so (just copying a file for instance), or your device is hugely interesting and sells by the million.

[james_s]

I'm of the opinion that unless it's doing something really, really unique, there's no point. If the widget is worth copying then someone will invest a bit of time in writing their own firmware that does the same thing. If someone releases a commercial product that is running your own firmware then there are ways you can find this out and go after them legally.

In the classic arcade game days it was common to implement easter eggs in the code that could be used to demonstrate that a competitor had copied it.

[NorthGuy]

Given your constrains, there's absolutely no way you can prevent them from stealing your code.

The only way is to put an ICSP header on the board and program only after you receive them from your manufacturer.

You can give your manufacturer an alternative firmware which is only good for tests, but is harmless if stolen. They will do all the tests, and you will then re-program with real firmware in-house. Alternatively,  you can move testing (or part of it) in-house too.

At any rate, having an ability to re-program it at any time later is a good thing.

On the positive note, how much code can you really have in a small PIC which cannot be re-written with relatively small effort? So, what's the point of protecting it?

[matbob]

@Kjelt,
@SiliconWizard,

The microcontroller is a cheap one and unfortunately all the pins have been used and I am close to 98% flash memory usage.

Then you are out of options.
What you learned today is what I told professionals for years:
Security should be designed in from the start, it can (almost) never be added at the end.

@Kjelt,
The initial plan was to do the production within our facility. So I did not think of any extra security measures other than setting the flash memory read lock bits. But now, our reseller/buyer wants a better quality and cost control and therefore we have to shift to their preferred EMS service.

[matbob]

There is no point in making a custom software. All they will have to do is put a logic analyzer on the programming pins and extract the firmware and any additional programming steps from that.

@ataradov

Yes, I agree to this. All you need is to monitor the programming pins.

[matbob]

@coppice
@NorthGuy

The testing has to be done by the EMS. If there are rejects, they are responsible. If the board comes to my facility and if I find rejects, the EMS could blame the transportation or handling at my facility. And again, the rejects have to be send back to EMS for repair which is too much work and money. Also, after testing, the boards have to go directly to a reseller instead of me.

@james_s

I did consult a lawyer regarding IP protection and stuff. Their advice is to do something technical to avoid the software getting leaked at the first place. In the part of the world I plan to sell this product, it is too difficult to get a favourable judgement from court.

[thm_w]

A lot of big production runs at EMS places use pre-programmed MCUs, and its a huge pain. Not only is it messy unpacking parts, programming them in jigs, and then repacking them suitable for the PnP machines on the EMS line, you also get a higher defect rate if the device has legs. There will always be some rate of leg bending with all that extra handling. QFNs might be a boon here.

microchip programs the parts for you, they aren't going to screw anything up..

https://www.microchipdirect.com/programming/

[coppice]

A lot of big production runs at EMS places use pre-programmed MCUs, and its a huge pain. Not only is it messy unpacking parts, programming them in jigs, and then repacking them suitable for the PnP machines on the EMS line, you also get a higher defect rate if the device has legs. There will always be some rate of leg bending with all that extra handling. QFNs might be a boon here.

microchip programs the parts for you, they aren't going to screw anything up..

https://www.microchipdirect.com/programming/

Various vendors will do the programming for you at the factory, and mark the chips with a customer specific code. They don't all mention this. You have to talk to the sales people, and you may need to be buying in considerable volume. However, this usually requires considerable setup time, and most people are trying to churn out some boards the moment they are happy with the design. The time issues means programming before the chip leaves the factory is not for everyone.

[Bud]

Digikey does it. In fact i can see a note added right under the microcontroller line item when i add one to the shopping cart, offering custom programming.

[ejeffrey]

This seems to be the only option. But, what if I find a bug on my code and want to change the code in between the production run. And also, I will have to deduct the extra cost of the microcontroller from my profit margin.

In volume, pre-programmed microcontrollers shouldn't cost much more.

If you only buy enough for one production run at a time you don't have to worry as much about having a reel of useless parts.  If the firmware changes during the manufacturing process then I guess you are screwed.

[james_s]

Like I said before, unless the code is doing something very clever and unique, if it's worth trying to steal then someone will either reverse engineer it and write new firmware that does the same thing, or they'll find a way to crack the chip and dump the code. If you use a reputable manufacture they're not going to risk stealing your code.

[AG6QR]

Perhaps you could hide some form of Easter Egg in your code that does something like blink your name in Morse code when a certain sequence of buttons is pressed.  The idea is to make it easy to discover if a device in the field is using your pirated firmware, and make it so that nobody can plausibly claim that the firmware in question was not a copy but instead independently written to perform the same function as yours.

That doesn't prevent copying, but at least gives you some chance of detecting and proving it after the fact.  For whatever that's worth.

[ejeffrey]

Like I said before, unless the code is doing something very clever and unique, if it's worth trying to steal then someone will either reverse engineer it and write new firmware that does the same thing, or they'll find a way to crack the chip and dump the code. If you use a reputable manufacture they're not going to risk stealing your code.

That's a good point, although even a moderate cost to reverse engineer and replicate your software creates an upfront fixed cost which they have to expect on recouping via sales.  Whereas just producing extra units in exactly the same way and selling them has almost no fixed costs, so any margin they can get is essentially free money.

[mikeselectricstuff]

Get the parts preprogrammed by Microchipdirect & direct shipped to the EMS Usually only a few cents to program, mark and re-reel.

Also, put some hidden functionality in your code, to prove that a device is a copy and not a re-creation of the same functionality.

[mikeselectricstuff]

This seems to be the only option. But, what if I find a bug on my code and want to change the code in between the production run. And also, I will have to deduct the extra cost of the microcontroller from my profit margin.

In volume, pre-programmed microcontrollers shouldn't cost much more.

If you only buy enough for one production run at a time you don't have to worry as much about having a reel of useless parts.  If the firmware changes during the manufacturing process then I guess you are screwed.

Not necessarily - your code can include a bootloader to allow subsequent reprogramming.