How to lock ATMEGA328p-au to disable sketch read

atmegaatmega328patmelavr

  1. How to lock ATMEGA328p-au to disable sketch read from Arduino IDE?
  2. Is there a hardware way too?
  3. What are the chances it can go wrong?
  4. What will happen if it goes wrong?

Notice: I am a computer science guy and new to electronics. So please explain your answer in detail 🙂

—-More Info—-

The chip in consideration is a new commercial product.

It is being given to people, who have highly technical staff at the back, for a few days, for some purposes of business opportunity evaluation.

Best Answer

Here is my personal advice. Please note that I'm not a real expert in this kind of things (especially on Atmel), so forgive me for any mistake. Most of the knowledge here comes from this and this posts.

You can access the flash memory (and so read the binary) from the outside (with a ISP programmer) or the inside (with some code).

As for the outside "attacks", the atmega has some fuse bits (read this answer for more info). Particularly the Lock Bit Protection ones can prevent anyone from reading and writing the flash and eeprom. Just program both LB1 and LB2 (IMPORTANT: the note on the datasheet says "Program the Fuse bits and Boot Lock bits before programming the LB1 and LB2."). From the moment you program them, nobody (not even you) will be allowed to read or write a new program on the microcontroller; the only way to write it back again is to perform a Chip Erase routine, which destroys the program on the uC.

As for inside "attacks", even with this protection an internal bootloader has access to the flash contents. You cannot prevent anything which programs from reading the memory, since at least once it needs to read back what was written (also the lock bits allow you to restrict write or write+read, but not only read). For this reason there is no way to prevent it in hardware. You can modify the bootloader to reject read requests, then program BLB10 to prevent reflashing a bootloader. But, in the end, do these product really need a bootloader? Do you really think that you will need to ask your customers to reprogram them? And if the answer is yes, how will you protect the binary files you will send them to be programmed? Anyway, I think that there is a high probability that in your application you can remove the bootloader and be more safe.

IN ANY CASE:

According to my experience, nobody will ever try to "steal" your work, because 50% of times it is easier to rewrite it from scratch because it is simple (and disassembling your code will be much more difficult than rewriting it), and 50% of times it is easier to rewrite it from scratch because it is complicated (and disassembling it will be a PITA and take ages, so better to start again from scratch). Have you ever tried to read code written by someone else? Well, now increase that difficulty by 1000x because it is generated automatically, and...

Ok, don't you believe me? I wrote a program for arduino, compiled, then disassembled the binary (following the procedure here). Can you understand what it does?

Disassembly of section .sec1:

00000000 <.sec1>:
   0:   0c 94 5c 00     jmp 0xb8    ;  0xb8
   4:   0c 94 6e 00     jmp 0xdc    ;  0xdc
   8:   0c 94 6e 00     jmp 0xdc    ;  0xdc
   c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  10:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  14:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  18:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  1c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  20:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  24:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  28:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  2c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  30:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  34:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  38:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  3c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  40:   0c 94 15 01     jmp 0x22a   ;  0x22a
  44:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  48:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  4c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  50:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  54:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  58:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  5c:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  60:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  64:   0c 94 6e 00     jmp 0xdc    ;  0xdc
  68:   00 00           nop
  6a:   00 00           nop
  6c:   24 00           .word   0x0024  ; ????
  6e:   27 00           .word   0x0027  ; ????
  70:   2a 00           .word   0x002a  ; ????
  72:   00 00           nop
  74:   00 00           nop
  76:   25 00           .word   0x0025  ; ????
  78:   28 00           .word   0x0028  ; ????
  7a:   2b 00           .word   0x002b  ; ????
  7c:   04 04           cpc r0, r4
  7e:   04 04           cpc r0, r4
  80:   04 04           cpc r0, r4
  82:   04 04           cpc r0, r4
  84:   02 02           muls    r16, r18
  86:   02 02           muls    r16, r18
  88:   02 02           muls    r16, r18
  8a:   03 03           mulsu   r16, r19
  8c:   03 03           mulsu   r16, r19
  8e:   03 03           mulsu   r16, r19
  90:   01 02           muls    r16, r17
  92:   04 08           sbc r0, r4
  94:   10 20           and r1, r0
  96:   40 80           ld  r4, Z
  98:   01 02           muls    r16, r17
  9a:   04 08           sbc r0, r4
  9c:   10 20           and r1, r0
  9e:   01 02           muls    r16, r17
  a0:   04 08           sbc r0, r4
  a2:   10 20           and r1, r0
  a4:   00 00           nop
  a6:   00 08           sbc r0, r0
  a8:   00 02           muls    r16, r16
  aa:   01 00           .word   0x0001  ; ????
  ac:   00 03           mulsu   r16, r16
  ae:   04 07           cpc r16, r20
    ...
  b8:   11 24           eor r1, r1
  ba:   1f be           out 0x3f, r1    ; 63
  bc:   cf ef           ldi r28, 0xFF   ; 255
  be:   d8 e0           ldi r29, 0x08   ; 8
  c0:   de bf           out 0x3e, r29   ; 62
  c2:   cd bf           out 0x3d, r28   ; 61
  c4:   21 e0           ldi r18, 0x01   ; 1
  c6:   a0 e0           ldi r26, 0x00   ; 0
  c8:   b1 e0           ldi r27, 0x01   ; 1
  ca:   01 c0           rjmp    .+2         ;  0xce
  cc:   1d 92           st  X+, r1
  ce:   a9 30           cpi r26, 0x09   ; 9
  d0:   b2 07           cpc r27, r18
  d2:   e1 f7           brne    .-8         ;  0xcc
  d4:   0e 94 5f 01     call    0x2be   ;  0x2be
  d8:   0c 94 ce 01     jmp 0x39c   ;  0x39c
  dc:   0c 94 00 00     jmp 0   ;  0x0
  e0:   e1 eb           ldi r30, 0xB1   ; 177
  e2:   f0 e0           ldi r31, 0x00   ; 0
  e4:   24 91           lpm r18, Z
  e6:   ed e9           ldi r30, 0x9D   ; 157
  e8:   f0 e0           ldi r31, 0x00   ; 0
  ea:   94 91           lpm r25, Z
  ec:   e9 e8           ldi r30, 0x89   ; 137
  ee:   f0 e0           ldi r31, 0x00   ; 0
  f0:   e4 91           lpm r30, Z
  f2:   ee 23           and r30, r30
  f4:   09 f4           brne    .+2         ;  0xf8
  f6:   3b c0           rjmp    .+118       ;  0x16e
  f8:   22 23           and r18, r18
  fa:   39 f1           breq    .+78        ;  0x14a
  fc:   23 30           cpi r18, 0x03   ; 3
  fe:   91 f0           breq    .+36        ;  0x124
 100:   38 f4           brcc    .+14        ;  0x110
 102:   21 30           cpi r18, 0x01   ; 1
 104:   a9 f0           breq    .+42        ;  0x130
 106:   22 30           cpi r18, 0x02   ; 2
 108:   01 f5           brne    .+64        ;  0x14a
 10a:   24 b5           in  r18, 0x24   ; 36
 10c:   2f 7d           andi    r18, 0xDF   ; 223
 10e:   12 c0           rjmp    .+36        ;  0x134
 110:   27 30           cpi r18, 0x07   ; 7
 112:   91 f0           breq    .+36        ;  0x138
 114:   28 30           cpi r18, 0x08   ; 8
 116:   a1 f0           breq    .+40        ;  0x140
 118:   24 30           cpi r18, 0x04   ; 4
 11a:   b9 f4           brne    .+46        ;  0x14a
 11c:   20 91 80 00     lds r18, 0x0080 ;  0x800080
 120:   2f 7d           andi    r18, 0xDF   ; 223
 122:   03 c0           rjmp    .+6         ;  0x12a
 124:   20 91 80 00     lds r18, 0x0080 ;  0x800080
 128:   2f 77           andi    r18, 0x7F   ; 127
 12a:   20 93 80 00     sts 0x0080, r18 ;  0x800080
 12e:   0d c0           rjmp    .+26        ;  0x14a
 130:   24 b5           in  r18, 0x24   ; 36
 132:   2f 77           andi    r18, 0x7F   ; 127
 134:   24 bd           out 0x24, r18   ; 36
 136:   09 c0           rjmp    .+18        ;  0x14a
 138:   20 91 b0 00     lds r18, 0x00B0 ;  0x8000b0
 13c:   2f 77           andi    r18, 0x7F   ; 127
 13e:   03 c0           rjmp    .+6         ;  0x146
 140:   20 91 b0 00     lds r18, 0x00B0 ;  0x8000b0
 144:   2f 7d           andi    r18, 0xDF   ; 223
 146:   20 93 b0 00     sts 0x00B0, r18 ;  0x8000b0
 14a:   f0 e0           ldi r31, 0x00   ; 0
 14c:   ee 0f           add r30, r30
 14e:   ff 1f           adc r31, r31
 150:   ee 58           subi    r30, 0x8E   ; 142
 152:   ff 4f           sbci    r31, 0xFF   ; 255
 154:   a5 91           lpm r26, Z+
 156:   b4 91           lpm r27, Z
 158:   2f b7           in  r18, 0x3f   ; 63
 15a:   f8 94           cli
 15c:   ec 91           ld  r30, X
 15e:   81 11           cpse    r24, r1
 160:   03 c0           rjmp    .+6         ;  0x168
 162:   90 95           com r25
 164:   9e 23           and r25, r30
 166:   01 c0           rjmp    .+2         ;  0x16a
 168:   9e 2b           or  r25, r30
 16a:   9c 93           st  X, r25
 16c:   2f bf           out 0x3f, r18   ; 63
 16e:   08 95           ret
 170:   3f b7           in  r19, 0x3f   ; 63
 172:   f8 94           cli
 174:   80 91 05 01     lds r24, 0x0105 ;  0x800105
 178:   90 91 06 01     lds r25, 0x0106 ;  0x800106
 17c:   a0 91 07 01     lds r26, 0x0107 ;  0x800107
 180:   b0 91 08 01     lds r27, 0x0108 ;  0x800108
 184:   26 b5           in  r18, 0x26   ; 38
 186:   a8 9b           sbis    0x15, 0 ; 21
 188:   05 c0           rjmp    .+10        ;  0x194
 18a:   2f 3f           cpi r18, 0xFF   ; 255
 18c:   19 f0           breq    .+6         ;  0x194
 18e:   01 96           adiw    r24, 0x01   ; 1
 190:   a1 1d           adc r26, r1
 192:   b1 1d           adc r27, r1
 194:   3f bf           out 0x3f, r19   ; 63
 196:   ba 2f           mov r27, r26
 198:   a9 2f           mov r26, r25
 19a:   98 2f           mov r25, r24
 19c:   88 27           eor r24, r24
 19e:   82 0f           add r24, r18
 1a0:   91 1d           adc r25, r1
 1a2:   a1 1d           adc r26, r1
 1a4:   b1 1d           adc r27, r1
 1a6:   bc 01           movw    r22, r24
 1a8:   cd 01           movw    r24, r26
 1aa:   42 e0           ldi r20, 0x02   ; 2
 1ac:   66 0f           add r22, r22
 1ae:   77 1f           adc r23, r23
 1b0:   88 1f           adc r24, r24
 1b2:   99 1f           adc r25, r25
 1b4:   4a 95           dec r20
 1b6:   d1 f7           brne    .-12        ;  0x1ac
 1b8:   08 95           ret
 1ba:   8f 92           push    r8
 1bc:   9f 92           push    r9
 1be:   af 92           push    r10
 1c0:   bf 92           push    r11
 1c2:   cf 92           push    r12
 1c4:   df 92           push    r13
 1c6:   ef 92           push    r14
 1c8:   ff 92           push    r15
 1ca:   0e 94 b8 00     call    0x170   ;  0x170
 1ce:   4b 01           movw    r8, r22
 1d0:   5c 01           movw    r10, r24
 1d2:   88 ee           ldi r24, 0xE8   ; 232
 1d4:   c8 2e           mov r12, r24
 1d6:   83 e0           ldi r24, 0x03   ; 3
 1d8:   d8 2e           mov r13, r24
 1da:   e1 2c           mov r14, r1
 1dc:   f1 2c           mov r15, r1
 1de:   0e 94 b8 00     call    0x170   ;  0x170
 1e2:   dc 01           movw    r26, r24
 1e4:   cb 01           movw    r24, r22
 1e6:   88 19           sub r24, r8
 1e8:   99 09           sbc r25, r9
 1ea:   aa 09           sbc r26, r10
 1ec:   bb 09           sbc r27, r11
 1ee:   88 3e           cpi r24, 0xE8   ; 232
 1f0:   93 40           sbci    r25, 0x03   ; 3
 1f2:   a1 05           cpc r26, r1
 1f4:   b1 05           cpc r27, r1
 1f6:   58 f0           brcs    .+22        ;  0x20e
 1f8:   21 e0           ldi r18, 0x01   ; 1
 1fa:   c2 1a           sub r12, r18
 1fc:   d1 08           sbc r13, r1
 1fe:   e1 08           sbc r14, r1
 200:   f1 08           sbc r15, r1
 202:   88 ee           ldi r24, 0xE8   ; 232
 204:   88 0e           add r8, r24
 206:   83 e0           ldi r24, 0x03   ; 3
 208:   98 1e           adc r9, r24
 20a:   a1 1c           adc r10, r1
 20c:   b1 1c           adc r11, r1
 20e:   c1 14           cp  r12, r1
 210:   d1 04           cpc r13, r1
 212:   e1 04           cpc r14, r1
 214:   f1 04           cpc r15, r1
 216:   19 f7           brne    .-58        ;  0x1de
 218:   ff 90           pop r15
 21a:   ef 90           pop r14
 21c:   df 90           pop r13
 21e:   cf 90           pop r12
 220:   bf 90           pop r11
 222:   af 90           pop r10
 224:   9f 90           pop r9
 226:   8f 90           pop r8
 228:   08 95           ret
 22a:   1f 92           push    r1
 22c:   0f 92           push    r0
 22e:   0f b6           in  r0, 0x3f    ; 63
 230:   0f 92           push    r0
 232:   11 24           eor r1, r1
 234:   2f 93           push    r18
 236:   3f 93           push    r19
 238:   8f 93           push    r24
 23a:   9f 93           push    r25
 23c:   af 93           push    r26
 23e:   bf 93           push    r27
 240:   80 91 01 01     lds r24, 0x0101 ;  0x800101
 244:   90 91 02 01     lds r25, 0x0102 ;  0x800102
 248:   a0 91 03 01     lds r26, 0x0103 ;  0x800103
 24c:   b0 91 04 01     lds r27, 0x0104 ;  0x800104
 250:   30 91 00 01     lds r19, 0x0100 ;  0x800100
 254:   23 e0           ldi r18, 0x03   ; 3
 256:   23 0f           add r18, r19
 258:   2d 37           cpi r18, 0x7D   ; 125
 25a:   20 f4           brcc    .+8         ;  0x264
 25c:   01 96           adiw    r24, 0x01   ; 1
 25e:   a1 1d           adc r26, r1
 260:   b1 1d           adc r27, r1
 262:   05 c0           rjmp    .+10        ;  0x26e
 264:   26 e8           ldi r18, 0x86   ; 134
 266:   23 0f           add r18, r19
 268:   02 96           adiw    r24, 0x02   ; 2
 26a:   a1 1d           adc r26, r1
 26c:   b1 1d           adc r27, r1
 26e:   20 93 00 01     sts 0x0100, r18 ;  0x800100
 272:   80 93 01 01     sts 0x0101, r24 ;  0x800101
 276:   90 93 02 01     sts 0x0102, r25 ;  0x800102
 27a:   a0 93 03 01     sts 0x0103, r26 ;  0x800103
 27e:   b0 93 04 01     sts 0x0104, r27 ;  0x800104
 282:   80 91 05 01     lds r24, 0x0105 ;  0x800105
 286:   90 91 06 01     lds r25, 0x0106 ;  0x800106
 28a:   a0 91 07 01     lds r26, 0x0107 ;  0x800107
 28e:   b0 91 08 01     lds r27, 0x0108 ;  0x800108
 292:   01 96           adiw    r24, 0x01   ; 1
 294:   a1 1d           adc r26, r1
 296:   b1 1d           adc r27, r1
 298:   80 93 05 01     sts 0x0105, r24 ;  0x800105
 29c:   90 93 06 01     sts 0x0106, r25 ;  0x800106
 2a0:   a0 93 07 01     sts 0x0107, r26 ;  0x800107
 2a4:   b0 93 08 01     sts 0x0108, r27 ;  0x800108
 2a8:   bf 91           pop r27
 2aa:   af 91           pop r26
 2ac:   9f 91           pop r25
 2ae:   8f 91           pop r24
 2b0:   3f 91           pop r19
 2b2:   2f 91           pop r18
 2b4:   0f 90           pop r0
 2b6:   0f be           out 0x3f, r0    ; 63
 2b8:   0f 90           pop r0
 2ba:   1f 90           pop r1
 2bc:   18 95           reti
 2be:   78 94           sei
 2c0:   84 b5           in  r24, 0x24   ; 36
 2c2:   82 60           ori r24, 0x02   ; 2
 2c4:   84 bd           out 0x24, r24   ; 36
 2c6:   84 b5           in  r24, 0x24   ; 36
 2c8:   81 60           ori r24, 0x01   ; 1
 2ca:   84 bd           out 0x24, r24   ; 36
 2cc:   85 b5           in  r24, 0x25   ; 37
 2ce:   82 60           ori r24, 0x02   ; 2
 2d0:   85 bd           out 0x25, r24   ; 37
 2d2:   85 b5           in  r24, 0x25   ; 37
 2d4:   81 60           ori r24, 0x01   ; 1
 2d6:   85 bd           out 0x25, r24   ; 37
 2d8:   80 91 6e 00     lds r24, 0x006E ;  0x80006e
 2dc:   81 60           ori r24, 0x01   ; 1
 2de:   80 93 6e 00     sts 0x006E, r24 ;  0x80006e
 2e2:   10 92 81 00     sts 0x0081, r1  ;  0x800081
 2e6:   80 91 81 00     lds r24, 0x0081 ;  0x800081
 2ea:   82 60           ori r24, 0x02   ; 2
 2ec:   80 93 81 00     sts 0x0081, r24 ;  0x800081
 2f0:   80 91 81 00     lds r24, 0x0081 ;  0x800081
 2f4:   81 60           ori r24, 0x01   ; 1
 2f6:   80 93 81 00     sts 0x0081, r24 ;  0x800081
 2fa:   80 91 80 00     lds r24, 0x0080 ;  0x800080
 2fe:   81 60           ori r24, 0x01   ; 1
 300:   80 93 80 00     sts 0x0080, r24 ;  0x800080
 304:   80 91 b1 00     lds r24, 0x00B1 ;  0x8000b1
 308:   84 60           ori r24, 0x04   ; 4
 30a:   80 93 b1 00     sts 0x00B1, r24 ;  0x8000b1
 30e:   80 91 b0 00     lds r24, 0x00B0 ;  0x8000b0
 312:   81 60           ori r24, 0x01   ; 1
 314:   80 93 b0 00     sts 0x00B0, r24 ;  0x8000b0
 318:   80 91 7a 00     lds r24, 0x007A ;  0x80007a
 31c:   84 60           ori r24, 0x04   ; 4
 31e:   80 93 7a 00     sts 0x007A, r24 ;  0x80007a
 322:   80 91 7a 00     lds r24, 0x007A ;  0x80007a
 326:   82 60           ori r24, 0x02   ; 2
 328:   80 93 7a 00     sts 0x007A, r24 ;  0x80007a
 32c:   80 91 7a 00     lds r24, 0x007A ;  0x80007a
 330:   81 60           ori r24, 0x01   ; 1
 332:   80 93 7a 00     sts 0x007A, r24 ;  0x80007a
 336:   80 91 7a 00     lds r24, 0x007A ;  0x80007a
 33a:   80 68           ori r24, 0x80   ; 128
 33c:   80 93 7a 00     sts 0x007A, r24 ;  0x80007a
 340:   10 92 c1 00     sts 0x00C1, r1  ;  0x8000c1
 344:   ed e9           ldi r30, 0x9D   ; 157
 346:   f0 e0           ldi r31, 0x00   ; 0
 348:   24 91           lpm r18, Z
 34a:   e9 e8           ldi r30, 0x89   ; 137
 34c:   f0 e0           ldi r31, 0x00   ; 0
 34e:   84 91           lpm r24, Z
 350:   88 23           and r24, r24
 352:   99 f0           breq    .+38        ;  0x37a
 354:   90 e0           ldi r25, 0x00   ; 0
 356:   88 0f           add r24, r24
 358:   99 1f           adc r25, r25
 35a:   fc 01           movw    r30, r24
 35c:   e8 59           subi    r30, 0x98   ; 152
 35e:   ff 4f           sbci    r31, 0xFF   ; 255
 360:   a5 91           lpm r26, Z+
 362:   b4 91           lpm r27, Z
 364:   fc 01           movw    r30, r24
 366:   ee 58           subi    r30, 0x8E   ; 142
 368:   ff 4f           sbci    r31, 0xFF   ; 255
 36a:   85 91           lpm r24, Z+
 36c:   94 91           lpm r25, Z
 36e:   8f b7           in  r24, 0x3f   ; 63
 370:   f8 94           cli
 372:   ec 91           ld  r30, X
 374:   e2 2b           or  r30, r18
 376:   ec 93           st  X, r30
 378:   8f bf           out 0x3f, r24   ; 63
 37a:   c0 e0           ldi r28, 0x00   ; 0
 37c:   d0 e0           ldi r29, 0x00   ; 0
 37e:   81 e0           ldi r24, 0x01   ; 1
 380:   0e 94 70 00     call    0xe0    ;  0xe0
 384:   0e 94 dd 00     call    0x1ba   ;  0x1ba
 388:   80 e0           ldi r24, 0x00   ; 0
 38a:   0e 94 70 00     call    0xe0    ;  0xe0
 38e:   0e 94 dd 00     call    0x1ba   ;  0x1ba
 392:   20 97           sbiw    r28, 0x00   ; 0
 394:   a1 f3           breq    .-24        ;  0x37e
 396:   0e 94 00 00     call    0   ;  0x0
 39a:   f1 cf           rjmp    .-30        ;  0x37e
 39c:   f8 94           cli
 39e:   ff cf           rjmp    .-2         ;  0x39e

Will it be easier to reverse-engineer the code above or to write from scratch a program that (spoiler alert)

turns on and off a LED with a period of 2 seconds

?

Just to be more clear, this file is generated

starting from the blink example, compile, then take the "Blink.ino.with_bootloader.hex" file (the one you'll get by reading the memory from the atmega) and disassembled with the command avr-objdump -j .sec1 -d -m avr5 "Blink.ino.with_bootloader.hex" > "Blink.ino.with_bootloader.txt"

Related Topic