nRF51/52 ROM Protection : Prevent Someone Else From Dumping the Hex File
Source: Internet | Editor: 程序博客网 | Time: 2024/05/29 14:27
Preventing piracy is very important in software and firmware development. Of course, you should keep your source code from leaking. But from the firmware perspective there is another way to pirate your work: someone might clone your WHOLE device, including the mechanism, circuit and firmware. Getting your source code is not necessary for that.
The nRF51822 and nRF52832 have a mechanism to prevent this. I will demonstrate it here:
My SDK versions are 10 for nRF51, and 11 for nRF52.
To simplify the demonstration, I copy peripheral\uicr_config\uicr_config.h to my project folder and include the file in main.c.
Open uicr_config.h and you will see that many addresses are listed; you can modify the values at those addresses. The values I changed are:
    // const uint32_t UICR_CLENR0 __attribute__((at(0x10001000))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_RBPCONF __attribute__((at(0x10001004))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_XTALFREQ __attribute__((at(0x10001008))) __attribute__((used)) = 0xFFFFFFFF;
    const uint32_t UICR_ADDR_0x80 __attribute__((at(0x10001080))) __attribute__((used)) = 0x12345678;
    // const uint32_t UICR_ADDR_0x84 __attribute__((at(0x10001084))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0x88 __attribute__((at(0x10001088))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0x8C __attribute__((at(0x1000108C))) __attribute__((used)) = 0xFFFFFFFF;
    const uint32_t UICR_ADDR_0x90 __attribute__((at(0x10001090))) __attribute__((used)) = 0x11223344;
    const uint32_t UICR_ADDR_0x94 __attribute__((at(0x10001094))) __attribute__((used)) = 0x55667788;
    // const uint32_t UICR_ADDR_0x98 __attribute__((at(0x10001098))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0x9C __attribute__((at(0x1000109C))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xA0 __attribute__((at(0x100010A0))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xA4 __attribute__((at(0x100010A4))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xA8 __attribute__((at(0x100010A8))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xAC __attribute__((at(0x100010AC))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xB0 __attribute__((at(0x100010B0))) __attribute__((used)) = 0xFFFFFFFF;
    const uint32_t UICR_ADDR_0xB4 __attribute__((at(0x100010B4))) __attribute__((used)) = 0xAABBCCDD;
    // const uint32_t UICR_ADDR_0xB8 __attribute__((at(0x100010B8))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xBC __attribute__((at(0x100010BC))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xC0 __attribute__((at(0x100010C0))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xC4 __attribute__((at(0x100010C4))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xC8 __attribute__((at(0x100010C8))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xCC __attribute__((at(0x100010CC))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xD0 __attribute__((at(0x100010D0))) __attribute__((used)) = 0xFFFFFFFF;
    // const uint32_t UICR_ADDR_0xD4 __attribute__((at(0x100010D4))) __attribute__((used)) = 0xFFFFFFFF;
By the way, what is UICR? UICR is short for User Information Configuration Registers, whose values are non-alterable. The purpose of the UICR is to provide space for manufacturer signing.
Build and download the hex to your device, then run the following command (I use the nRF52832 as my target device):
> nrfjprog --family NRF52 --memrd 0x10001080 --n 128
0x10001080: 12345678 FFFFFFFF FFFFFFFF FFFFFFFF |xV4.............|
0x10001090: 11223344 55667788 FFFFFFFF FFFFFFFF |D3"..wfU........|
0x100010A0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF |................|
0x100010B0: FFFFFFFF AABBCCDD FFFFFFFF FFFFFFFF |................|
0x100010C0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF |................|
0x100010D0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF |................|
0x100010E0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF |................|
0x100010F0: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF |................|
The values at those addresses have been changed.
You can use the following command to dump the whole hex:
> nrfjprog --family NRF52 --readcode output.hex
That is what I want to prevent.
To prevent the dumping, add the code below at the beginning of the main function:
    #include "ble_flash.h"

    /**@brief Function for application main entry. */
    int main(void)
    {
    #if(1)
        /* Enable readback protection (PALL) once, if it is not already enabled. */
        if(UICR_RBPCONF_PALL_Enabled != (uint32_t)((NRF_UICR->RBPCONF & UICR_RBPCONF_PALL_Msk) >> UICR_RBPCONF_PALL_Pos))
        {
            ble_flash_word_write((uint32_t *)&NRF_UICR->RBPCONF, (NRF_UICR->RBPCONF & ~UICR_RBPCONF_PALL_Msk));
        }/*if */
    #endif
        uint32_t err_code;
        bool erase_bonds;
        /* ... the rest of main() continues unchanged ... */
You should also add the folder SDK_ROOT\components\drivers_nrf\ble_flash to the include paths and the file SDK_ROOT\components\drivers_nrf\ble_flash\ble_flash.c to your working project.
Take a Keil C project as the example of this modification:
After downloading to the device, you will find that the readback command no longer works:
> nrfjprog --family NRF52 --memrd 0x10001080 --n 128
ERROR: The operation attempted is unavailable due to readback protection in
ERROR: your device. Please use --recover to unlock the device.
That is, SWD (Serial Wire Debug) access has been disabled; from now on the SWD interface accepts only a recover request.
NOTE: If you use Keil C, the IDE does not reset the device after downloading, but you can press the download button twice to confirm that SWD has been disabled:
* JLink Info: Found SWD-DP with ID 0x2BA01477
* JLink Info: Found Cortex-M4 r0p1, Little endian.
* JLink Info: FPUnit: 6 code (BP) slots and 2 literal slots
* JLink Info: CoreSight components:
* JLink Info: ROMTbl 0 @ E00FF000
* JLink Info: ROMTbl 0 [0]: FFF0F000, CID: B105E00D, PID: 000BB00C SCS
* JLink Info: ROMTbl 0 [1]: FFF02000, CID: B105E00D, PID: 003BB002 DWT
* JLink Info: ROMTbl 0 [2]: FFF03000, CID: B105E00D, PID: 002BB003 FPB
* JLink Info: ROMTbl 0 [3]: FFF01000, CID: B105E00D, PID: 003BB001 ITM
* JLink Info: ROMTbl 0 [4]: FFF41000, CID: B105900D, PID: 000BB9A1 TPIU
* JLink Info: ROMTbl 0 [5]: FFF42000, CID: B105900D, PID: 000BB925 ETM
ROMTableAddr = 0xE00FF000
* JLink Info: SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
* JLink Info: Found SWD-DP with ID 0x2BA01477
**JLink Warning: Failed to reset CPU. VECTRESET has confused core.
* JLink Info: Core is locked-up, trying to disable WDT.
**JLink Warning: Could not set S_RESET_ST
* JLink Info: Found SWD-DP with ID 0x2BA01477
* JLink Info: SYSRESETREQ has confused core. Trying to reconnect and use VECTRESET.
* JLink Info: Found SWD-DP with ID 0x2BA01477
**JLink Warning: Failed to reset CPU. VECTRESET has confused core.
* JLink Info: Core is locked-up, trying to disable WDT.
**JLink Warning: Could not set S_RESET_ST
As you can see, dumping is no longer permitted. The only way to manipulate the storage (ROM) is to recover the whole space, that is, to erase everything.
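A host-side model of the boot-time check above, added here as an illustration (it is not code from the SDK or from the original post): it shows why the write happens only on the first boot and why only an erase-all, as performed by --recover, lifts the protection. The flash_word_t type and the model_* helpers are hypothetical, and the PALL field values are assumed from the nRF51 device header.

```c
#include <stdint.h>
#include <stdio.h>

/* PALL field of RBPCONF; values assumed from the nRF51 device header. */
#define UICR_RBPCONF_PALL_Pos     8u
#define UICR_RBPCONF_PALL_Msk     (0xFFu << UICR_RBPCONF_PALL_Pos)
#define UICR_RBPCONF_PALL_Enabled 0x00u

/* Hypothetical host-side stand-in for one UICR flash word. */
typedef struct { uint32_t word; unsigned writes; } flash_word_t;

/* Flash programming can only clear bits (1 -> 0), hence the AND. */
static void model_flash_write(flash_word_t *f, uint32_t value)
{
    f->word &= value;
    f->writes++;
}

/* Erase sets every bit back to 1 (the erase-all performed by --recover). */
static void model_erase_all(flash_word_t *f) { f->word = 0xFFFFFFFFu; }

static int pall_enabled(const flash_word_t *f)
{
    uint32_t pall = (f->word & UICR_RBPCONF_PALL_Msk) >> UICR_RBPCONF_PALL_Pos;
    return pall == UICR_RBPCONF_PALL_Enabled;
}

/* Same logic as the check at the top of main(); returns 1 if it wrote. */
static int boot_enable_protection(flash_word_t *rbpconf)
{
    if (pall_enabled(rbpconf))
        return 0;                      /* already protected: no flash write */
    model_flash_write(rbpconf, rbpconf->word & ~UICR_RBPCONF_PALL_Msk);
    return 1;
}

int main(void)
{
    flash_word_t rbp = { 0xFFFFFFFFu, 0 };   /* erased UICR word */
    int wrote = boot_enable_protection(&rbp);
    printf("boot 1: wrote=%d word=0x%08X\n", wrote, (unsigned)rbp.word);
    wrote = boot_enable_protection(&rbp);
    printf("boot 2: wrote=%d word=0x%08X\n", wrote, (unsigned)rbp.word);
    model_flash_write(&rbp, 0xFFFFFFFFu);    /* try to write PALL back to 0xFF */
    printf("rewrite: protected=%d\n", pall_enabled(&rbp));
    model_erase_all(&rbp);
    printf("erase  : protected=%d\n", pall_enabled(&rbp));
    return 0;
}
```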