Code protection? May be?

Posted on
  • Is it possible to protect the source code of the project uploaded to the board?

  • Protect from what? being lost? read back? modified or completely replaced? executed?
    you can start with stuff mentioned here
    And BTW the code can be minified and tokenized on upload so it is not that easy to read.
    The more secure low level stuff also depends on hardware platform that Espruino runs on.

  • As @fanoush says - you can lock down the device in a few ways, but I'd suggest ensuring minification is turned on for production as not only will the code run a bit quicker, but the minified version of it will be much harder for anyone to do anything with even if they can get it off.

    You could also run your code through a third party obfuscator first if you really want.

  • Thanks. I meant that if someone gets their hands on a device, for example, I use Esp8266. Then he can connect to it and see the code being executed with his own.

    I am considering using Espruino to develop my control programs and don't want them to be copied so easily.

  • Thank you so much. I really consider Espruino as a means to develop something big and even commercial use of the resulting products is possible. So I would like to understand whether it is possible to implement the security of your code inside the device. Since the code inside is an executable script, it can be read and downloaded. After learning all about him. I would like to have protection tools.

  • do you think my idea is strange?

  • In embedded systems you've often got a bit of an issue with people downloading your code - even if you're using compiled code. While some chips do have readout protection (STM32, nRF52) sometimes it can be circumvented with the right tools, and any firmware updates tend to be sent unencrypted too.

    With ESP8266 that is especially the case since the SPI flash is separate - and regardless of what you do on the CPU, someone could just unsolder the chip, read the entire contents and clone it.

    Personally, my advice is assume that someone could read out your code, and design accordingly. For instance don't include global private keys in the firmware.

    That advice isn't specifically for Espruino, but literally any embedded target

  • Thank you so much. I'll tell you from myself. I really want to have a tool to protect my code at least at the level of a simple connection and reading it from memory using the Espruino IDE.

    Thanks for the help, I will think about how to implement this for myself.

  • I really want to have a tool to protect my code at least at the level of a simple connection and reading it from memory using the Espruino IDE.

    @fanoush linked and while that's Bluetooth it does give some advice that applies to ESP8266 too.

    Specifically hiding the console or using E.setPassword("password")

  • In addition to already mentioned minification and pretokenisation I guess it wouldn't be hard to have custom build with randomly generated token codes here¬≠b/master/src/jslex.h#L23 (same table is in the IDE) as some sort of obfuscation. This would not prevent cloning but could make dumping js code harder. Also as mentioned in that tutorial there are some builtin methods that could dump stuff to console, convert tokenized code back to source or tokenize new source when executed (so you would guess the tokens from newly entered code) so those could perhaps be removed in custom build. I guess that if the requirement would be to only run fixed set of preloaded code, the interpreter could be made more restricted regarding possibility of adding new code or doing 'dangerous' stuff via interactive console. But I guess nobody will do that for you (for free at least).

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview

Code protection? May be?

Posted by Avatar for ZeoNish @ZeoNish