Code Read Protection for ESP8266 Module.

Raghu G S
Posts: 4
Joined: Tue Aug 11, 2015 3:32 pm

Code Read Protection for ESP8266 Module.

Postby Raghu G S » Tue Aug 11, 2015 3:37 pm

Hi Everyone,
I developed an application based on the ESP8266 module. I need this application to be safe and secure in the module itself, meaning no intruder should be able to read the application; there is no supported feature to enable code read protection for this module. But I found that, to read any flash memory, the bootloader and the flash memory reader should communicate, verify and then proceed to read the flash memory contents. Is there any way to intrude on or stop this communication? Or is there any way to detect this communication, so that I can erase the contents of the flash memory myself?

eriksl
Posts: 157
Joined: Fri May 22, 2015 6:22 pm

Re: Code Read Protection for ESP8266 Module.

Postby eriksl » Tue Aug 11, 2015 6:16 pm

It's a piece of cake to desolder the flash and read it without any help of the esp8266.

rudi
Posts: 197
Joined: Fri Oct 24, 2014 7:55 pm

Re: Code Read Protection for ESP8266 Module.

Postby rudi » Tue Aug 11, 2015 7:47 pm

Raghu G S wrote:Hi Everyone,
I developed an application based on the ESP8266 module. I need this application to be safe and secure in the module itself,
meaning no intruder should be able to read the application; there is no supported feature to enable code read protection for
this module. But I found that, to read any flash memory, .


hi Raghu,

a word before I describe a possible way, have a look in the thread:
viewtopic.php?f=7&t=911#p3086

try to understand the basics.

until such time as espressif open-sources the bootloader code, you must write your own.
the bootloader must be able to:

a) read extended security tags, for example read from the boot medium's own register
for example the protected register of an sdhc card
for example the spi flash's own unique id (mac)! ( not the manufacturer id from spi_flash_get_id ) that is not the same!

example arduino spiflash library:
more info https://lowpowerlab.com/forum/index.php?topic=498.0

```cpp
// LowPowerLab SPIFlash library: read the flash chip's 8-byte unique ID into
// flash.UNIQUEID and print it (assumes an initialized SPIFlash object "flash").
Serial.print("SPI Flash Init OK ... UniqueID: ");
flash.readUniqueId();
for (byte i = 0; i < 8; i++) {
  Serial.print(flash.UNIQUEID[i], HEX);
  Serial.print(' ');
}
```


or

```cpp
// Same thing using the pointer that readUniqueId() returns.
byte* MAC = flash.readUniqueId();
for (byte i = 0; i < 8; i++) {
  Serial.print(MAC[i], HEX);
  Serial.print(' ');
}
```


this is the unique id of the flash chip; each winbond chip has its own unique id, so if you write firmware for this spi flash, you can't start your bootcode from another one ( one step of copy protection )

b) read extended security tags from the esp8266, for example the chip id; this id is in the esp8266 and cannot be overwritten, so each esp8266 has its own unique id ( system_get_chip_id )

..
.. more steps possible
..
c) decrypt firmware parts that are aes256 encrypted with parts of the security tags, sign the firmware with a certificate and put encrypted seeds in the firmware

try to understand this basic:


signing
https://www.youtube.com/watch?v=bvaHLp1BXaM

storage encrypted files
https://www.youtube.com/watch?v=K2jtYLVJZtM

https://www.youtube.com/watch?v=_WNxFtI5A9E


after this you will understand the doings
better later; the basics here are from the
atmel ATSHA204 -


please feel free to have a look at the aes256 lib, with which you can encrypt and decrypt in 16 byte block size ECB

viewtopic.php?f=15&t=665

there are examples of how you can make a simple AT command for use in encrypting and decrypting the firmware!



Raghu G S wrote:the bootloader and the flash memory reader should communicate, verify and then proceed to read the flash memory contents.
Is there any way to intrude on or stop this communication?
Or is there any way to detect this communication,
so that I can erase the contents of the flash memory myself?


this question is better answered by espressif itself.

best wishes
rudi;-)


eriksl wrote:It's a piece of cake to desolder the flash and read it without any help of the esp8266.


eriksl, with all respect to your crypto inside knowledge..
there is no need to desolder the flash, simply connect the pins to read.
with extended security tags like described here, you will get a

- signed bootloader
- signed firmware
- encrypted firmware without cleartext key

if you can break the signed bootloader
you must break the signed firmware
if you have broken the signed firmware
you must break the encrypted firmware ( AES256 )
if you have broken the AES256
you must debug the firmware
if you can debug the firmware
you must simulate the security tags
because:
if you copy this firmware to another flash
it will not run, because original unique mac id != destination unique mac id
if you can emulate the uid
you must emulate the esp8266 chip id
because
if you run this firmware in another esp8266
it will not run, because original unique chip id != destination unique chip id
if you can emulate the uid

respect!

you have it done

;-)


btw:
there are more than 12 ways to make protection,
here only
- signed bootloader
- signed firmware
- encrypted firmware
- check id mac of flash / check protected sdhc register
- check id esp8266
------
5 parts - the other more than 7 parts are not described here,
for good reason.


have phun with this ;-)

edit:


@eriksl - begin here
eagle.rom.addr.v6.ld

what do you mean, how is this hw function to be used?

aes_decrypt = 0x400092d4
aes_decrypt_deinit = 0x400092e4
aes_decrypt_init = 0x40008ea4
aes_unwrap = 0x40009410

_rom_store = 0x4000e388
_rom_store_table = 0x4000e328

there are MD5, SHA and more available...

we have more protection available!?
are there api functions ;-) ;-) ;-)

-------------------------------------
love it, change it or leave it.
-------------------------------------
Greetings to friends who have flown out all over the world, Rudi
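As an added illustration of the scheme rudi describes above (not code from this thread or from any library it mentions): a Python model of a bootloader that derives the firmware key from the flash unique ID plus the ESP8266 chip id, checks the signature before touching the ciphertext, then decrypts, so a byte-for-byte copy of the image on a different flash chip refuses to boot. Assumptions: the seed lives inside the signed bootloader, HMAC-SHA256 stands in for the certificate signature, a SHA-256 counter-mode keystream stands in for AES-256, and all identifiers are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityTags:
    """The two 'security tags' from the post: flash unique ID and ESP8266 chip id."""
    flash_uid: bytes  # 8 bytes as returned by flash.readUniqueId()
    chip_id: int      # 32-bit value as returned by system_get_chip_id()

    def material(self) -> bytes:
        return self.flash_uid + self.chip_id.to_bytes(4, "little")

def derive_device_key(tags: SecurityTags, seed: bytes) -> bytes:
    # The key is bound to THIS device: the seed alone cannot reproduce it.
    return hmac.new(seed, b"fw-key|" + tags.material(), hashlib.sha256).digest()

def keystream(key: bytes, length: int) -> bytes:
    # Assumption: SHA-256 in counter mode stands in for AES-256 here.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "little")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def build_image(firmware: bytes, tags: SecurityTags, seed: bytes) -> bytes:
    # Provisioning side: encrypt for one device, then sign the ciphertext.
    key = derive_device_key(tags, seed)
    ct = bytes(a ^ b for a, b in zip(firmware, keystream(key, len(firmware))))
    sig = hmac.new(key, ct, hashlib.sha256).digest()  # stands in for the certificate signature
    return sig + ct

def boot(image: bytes, tags: SecurityTags, seed: bytes) -> Optional[bytes]:
    # Bootloader side: rebuild the key from the tags read on this board, verify
    # the signature before touching the ciphertext, and only then decrypt.
    key = derive_device_key(tags, seed)
    sig, ct = image[:32], image[32:]
    if not hmac.compare_digest(sig, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong device or tampered image: refuse to run
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

# Constructed sample values, not real device identifiers.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
ORIGINAL = SecurityTags(bytes.fromhex("e46b1a7d0c3f9a21"), 0x00A1B2C3)
CLONE = SecurityTags(bytes.fromhex("5e0c9b3341aa7d10"), 0x00A1B2C3)  # same ESP, copied flash
FIRMWARE = b"\xe9\x01\x00\x00constructed sample app image"

def demo():
    image = build_image(FIRMWARE, ORIGINAL, SEED)
    return boot(image, ORIGINAL, SEED), boot(image, CLONE, SEED)
```

`demo()` returns the decrypted firmware for the original device and `None` for the clone; a tampered image or a different chip id fails the same way.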

rudi
Posts: 197
Joined: Fri Oct 24, 2014 7:55 pm

Re: Code Read Protection for ESP8266 Module.

Postby rudi » Fri Aug 28, 2015 10:26 pm
