• Hi,
    I am completely new to MCUs.

    I just wanna ask: are things at this level usually not encrypted?
    Because several years ago, someone made a smart gun that helps you to shoot.
    It runs on Android unencrypted.
    Someone found that one can take out the IC and flash evil ROMs so that you think you are shooting the bad guy, but it indeed shoots the good guy.
    Their solution is to encrypt the ROM.

    I understand that NOT everything should/will be encrypted,
    like I don't expect a CASIO calculator to be encrypted (but it won't hurt if it is).
    I am still exploring what Espruino/Bangle could do in my life,
    so I wanna ask this at the beginning.

    Yah, I am new to this world where 256KB RAM means a lot of RAM.



  • In the use case you described it is not about encryption but about signed firmware updates, or what is called 'secure boot' on PCs - the system will not run an unsigned kernel or drivers.

    The Nordic DFU bootloader can do signed firmware updates, but we have it turned off. It can also prevent modification of the bootloader by setting some part of flash memory read-only before the application is started. It can also verify the application at each reboot to check that it was not modified.

    If you would enable this, you could sign your builds with your private key and only such signed builds could be uploaded to the device.

  • Good to know that.

    If Nordic DFU could provide some "secure boot" function,
    then maybe for processing sensitive information I could handle it like
    the Bangle apps "2fa auth watch" and "pin lock"?

    Then the situation would just be similar to Android before v4,
    in that the OS is ensured to be authentic by the boot lock,
    and only the sensitive data is encrypted and handled by the app?


  • that the OS is ensured to be authentic by the boot lock,
    and only the sensitive data is encrypted and handled by the app?

    Well, I see those two as unrelated, but yes.

    Anyway, to have the whole system 'authentic' you'd also need to check the bangleApps layer: either the app install/upload needs to be restricted too (to some verified source), or every piece of JavaScript needs to be signed (like e.g. in PowerShell) and checked on upload (or execution, but upload should be enough too - that would save storage and execution speed).

    No matter how 'authentic' the system is, some apps could support encrypted data; however, I am not sure how practical it is in daily use.
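
The upload-time check described in the last reply, as an added example that is not part of the thread and is not Espruino or Bangle.js code: a Node.js model in which app code is signed on a build machine and a device-side gate verifies it before storing it. ECDSA P-256 with SHA-256, the function names and the sample app are assumptions chosen for illustration.

```javascript
// Added example: a verify-before-store gate for uploaded app code.
// All names and sample data are constructed for illustration.
const crypto = require('node:crypto');

// Build machine: generates the key pair; the private key never leaves it.
function newPublisherKeys() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Bytes that get signed: length-prefixed file name, then the code.
// Binding the name stops a valid signature for one file being reused
// to overwrite a different file.
function payload(name, code) {
  const n = Buffer.from(name, 'utf8');
  const len = Buffer.alloc(4);
  len.writeUInt32BE(n.length);
  return Buffer.concat([len, n, Buffer.from(code, 'utf8')]);
}

function signApp(name, code, privateKey) {
  const sig = crypto.sign('sha256', payload(name, code), privateKey);
  return { name, code, sig: sig.toString('base64') };
}

// Device side: holds only the public key. Returns true when the upload
// may be written to storage, false for anything unsigned or altered.
function acceptUpload(pkg, trustedPublicKey) {
  if (!pkg || typeof pkg.name !== 'string' ||
      typeof pkg.code !== 'string' || typeof pkg.sig !== 'string') {
    return false;
  }
  try {
    const sig = Buffer.from(pkg.sig, 'base64');
    return crypto.verify('sha256', payload(pkg.name, pkg.code), trustedPublicKey, sig);
  } catch (e) {
    return false; // malformed signature or key: reject, never fail open
  }
}

// Constructed demo: one signed app, then a copy modified after signing.
const keys = newPublisherKeys();
const signed = signApp('demo.app.js', 'print("hello");', keys.privateKey);
const tampered = { ...signed, code: 'print("changed");' };
console.log(acceptUpload(signed, keys.publicKey));
console.log(acceptUpload(tampered, keys.publicKey));
```

Checking at upload only helps if every write path to storage goes through the gate; code already on the device is not re-verified in this model.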


Are micro controllers like espruino or others usually unencrypted? thanks

Posted by @ccchan