Can anyone steal my code from an Arduino?

Hey all,

Bit of a security related question here...

Let's say I create a little machine which uses an Arduino to control it. Someone steals the machine in order to copy it. It's one thing to copy the hardware (not a lot you can do about that) but what's stopping someone from downloading the program from my Arduino/the AVR uC?

If this is possible, how would/do they do it?
Is there anything we can do to stop this?

I'm interested to hear your thoughts.

Cheers,
Scott.

I don't think the AVR security bits are set, and even if they were, there are ways to get around it and download the raw machine code.

But further than that, unless you spend months writing thousands of lines of code, the odds are that someone could easily reverse engineer your hardware and then write their own code.

Additionally, the Arduino development environment and GCC are under the GNU open source license. You can use code you've written and not have to release the source code, but if you transfer the programmed device to someone else I believe the GNU license requires you to include source code. This is because any code developed with the Arduino environment includes entire libraries and other components in the final assembly, which were GNU licensed.

Someone with more authority on this please feel free to chime in....

I believe the GNU license requires you to include source code.

Not quite. If you modified GCC itself and released it in some way, you'd have to provide your source. The executables you make with GCC are under no such restriction.

I'm not sure how the Creative Commons license and the Arduino libraries would come in to play here. IIRC, the arduino is under a non-commercial restriction, so it is conceivable that you couldn't sell your code if it was based on the Arduino library. Someone who knows more about the CC license can jump in here and fill in the blanks.

-j

You would need to provide a means for the end users to get the code for the included libraries, but you are free to license your own code however you wish.

I believe saying "we used these libs, you can get them here..." would cover that.

The Arduino core and libraries (the code that's linked into your sketch and runs on the board) are licensed under the LGPL. That means you can create proprietary (closed) works based on them and sell them commercially. You are only required to provide your .o (object) files so that people can relink them against updated versions of the libraries.

The hardware designs are licensed under a Creative Commons Attribution Share-Alike license, which allows for commercial use but not proprietary (closed) derivatives.

The code for the Arduino environment (IDE) is under the GPL, which has more or less the same conditions as the Creative Commons Attribution Share-Alike license.

I'm new to AVR chips, but what I thought the original poster was asking is if the AVR can be put into a mode (fuse option) that prevents the embedded program from being read back by a programmer device? It seems to me that many of the newer PIC chips have a fuse option such that you are only able to erase an existing program in flash and reload a new program, but not read it back. Does the AVR chips provide this feature?

Lefty

If anyone wants your code badly enough they can get it out of the chip. Even if they have to decapsulate the IC and overwrite the fuses with a UV lamp and a careful mask, it can be done.

It's always a tradeoff of how much effort do you want to go to to make it how hard for somebody to get your code.

It seems to me that many of the newer PIC chips have a fuse option ...

The earliest PIC chips had this facility.

However, there were companies offering a service to extract code from locked PICs. I have heard different versions of ways this was done:

  • grinding the top off the package to reveal the chip;
  • jetting acid at the package to reveal the chip; amd
  • spliting the package open to get at the chip.

The idea is, as Oracle suggests, if that you then selectively erase only the code security fuse with UV light.

I tried the first, unsuccessfully, with a file. The second seems unlikely, but worked like this: the PIC was held upside down and the acid jetted at it. The PIC pins were connected to a circuit as was the stream of acid. When the chip was exposed a circuit would complete and the acid was replaced with a jet of water.

Seems like a lot of trouble to go to.

There were some PIC applications which could make some money for someone selling hacked chips. IIRC, one of them was satellite TV decoders. Virtually impossible to reverse engineer based on looking at the pin signals, but a potential market of millions, small investiment and highish markup.

Mike