Can people reverse-engineer hex updates?

Hi, everyone. If I make a device with a Mega and send people hex files to update those devices, can someone decode that hex file to understand the original sketch?

It’s not a piracy concern, it’s an Easter egg concern. I want to be able to hide cool things in the code that appear on the device’s screen without people finding them by digging through code.

Thanks a lot for your help!


With sufficient motivation the hex file will reveal all secrets, except things like the actual variable names you use…

Easter Egg hunting will probably not be enough motivation.

That said, there are things you can do to make it a bit harder. For example, if it is to say “Happy Easter” or whatever, don’t code that as a character literal, it would be easier to spot. If it’s little graphic items, code them in a non obvious way, like have the rendering section decode a secret format.

But in the end, give up.

a7

Won’t the HEX file be composed of the compiled code rather than the source code?

It’s binary but it’s still assembly language... so someone with enough skills can read through what’s going on. All char text segments will appear unencrypted in that binary too, so just a dump of the binary can already reveal a lot.

jackduino:
Hi, everyone. If I make a device with a Mega and send people hex files to update those devices, can someone decode that hex file to understand the original sketch?

It's not a piracy concern, it's an Easter egg concern. I want to be able to hide cool things in the code that appear on the device's screen without people finding them by digging through code.

Thanks a lot for your help!

That used to be done by swapping the nibbles in each byte of a text. Then swapping them back before displaying.
Paul

if i understood right the hex files are just encoded assembler, intel flavor if i remember right. i might be wrong so maybe someone here knows much more about this in detail.

for the theoretical background: pretty much everything can be reverse engineered and that can't be prevented. even if you print a circuit which rips apart when you open the device you can still reverse engineer this, either by observing, like radiation, xrays and things or you can try side channel attacks like measuring current while messing with inputs.

no one would try that with some arduino thing, which brings us to the solution: mitigation. the question is how much time is your target audience likely to be willing to spend to reverse engineer it and how big would the actual loss be? there is not much difference between hacking and cracking, DRM, malware, "easter eggs", cheats, "security" and "remote forensic software", and so on. guess for arduino projects simple obfuscation might be enough already.

if you want to go deeper into hiding code you might want to start with the underhanded c contest. next would be some simple malware like DRM systems or "remote forensic software" like the german "Staatstrojaner" - and yes, thanks to the ccc it's open source. and yes, it is such a ... "piece" of software that it is simple enough to use it as a starting point to learn about that kind of stuff. some nicknamed it "my first malware" :smiley:
this staatstrojaner uses some simple techniques to hide stuff like simply cutting a string apart and concatenating it later when it's needed.

the deeper you dig the more you find, i just doubt an arduino has the power for much harder stuff. if you want to give it a try anyway, you want to look for "IT security research", pentesting and such. just be aware, while science is free, this field of science is not so free or legal at all in some countries. universities already got in trouble for their research because of "copyright infringement" and such *** excuses. so depending on which country you are in, better don't talk too loud about your findings.

alto777:
Easter Egg hunting will probably not be enough motivation.

i dare to object. if people enjoy digging in binary files they might have the tool chain already set up. so it's just a few clicks to bring it to kind of readable c code. the tools for reverse engineering became quite easy to use over the years. so just "decompiling" some encoded assembler isn't even enough to get distracted while breakfast anymore.

the linux strings command will extract a sequence of printable characters

a colleague would plot binary dsp code looking for waveform tables

these are basic techniques. how industrious are the people you're trying to hide things from?

gcjr:
how industrious are the people you're trying to hide things from?

Industrious.
Bummer. This platform is in all other ways perfect for me. Thank you for the responses, though.
If I do not send hex files, and all they ever get is what I have already uploaded to the Arduino, can the most industrious of these people still pull the code off of the chip and see what is what?

obfuscate enough for your participants to give up...

Text can be scrambled with a simple XOR function and a key of, say, 64 bytes or so.
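The nibble swap Paul describes and the XOR scramble suggested in the post above, as an added C example that is not code from any post in this thread; the 8-byte key and the "Happy Easter" text are constructed for the demo, and the printable-run check imitates the default behaviour of the `strings` command also mentioned in this thread (runs of 4 or more printable characters):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Key constructed for this example (8 bytes; the post suggests around 64). */
static const uint8_t DEMO_KEY[8] = {0x5A, 0xC3, 0x17, 0x88, 0x2E, 0xF1, 0x64, 0x9B};

/* Swap the two nibbles of each byte: 0x48 ('H') becomes 0x84. Self-inverse. */
void nibble_swap(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (uint8_t)((buf[i] << 4) | (buf[i] >> 4));
}

/* XOR each byte with a repeating key. Also self-inverse: the same call decodes. */
void xor_key(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Longest run of printable ASCII (0x20..0x7E). `strings` reports runs of 4 or
   more by default, so a result of 4 or above means the text is still visible. */
size_t longest_printable_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] >= 0x20 && buf[i] <= 0x7E) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Obfuscate in place: nibble swap, then XOR when use_xor is nonzero.
   Returns the longest printable run left in the obfuscated bytes. */
size_t obfuscate(uint8_t *msg, size_t len, int use_xor) {
    nibble_swap(msg, len);
    if (use_xor) xor_key(msg, len, DEMO_KEY, sizeof DEMO_KEY);
    return longest_printable_run(msg, len);
}

/* Undo obfuscate(); the sketch would call this right before drawing the text. */
void deobfuscate(uint8_t *msg, size_t len, int use_xor) {
    if (use_xor) xor_key(msg, len, DEMO_KEY, sizeof DEMO_KEY);
    nibble_swap(msg, len);
}
```

With the nibble swap alone, "Easter" still leaves a 4-character printable run ("7GV'") that `strings` would print; adding the XOR pass brings the longest run down to a single character, which is why the two are better combined.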

Make it Open Source. Show everybody that you're as clever as you think you are.

“… can the most industrious of these people still pull the code off of the chip and see what is what?”

Yes, yes they can. Sounds a bit like you are trying to protect more than Easter Eggs.

Consider using a microprocessor that can be deployed in an unreadable condition.

a7

Haha @gfvalvo, I agree. I have rarely seen a secret worth protecting. People be clever.

a7

alto777:
Consider using a microprocessor that can be deployed in an unreadable condition.

He would need to send them new arduino MEGAs with fuse burnt in the right way for each new version

OP said that he wants to

send people hex files to update those devices

In the early to mid 90s I made a hobby of taking General Motors' ECMs (engine control modules), reading the EPROMs (in their P4 ECMs they used 27C256s) and running the contents through a disassembler I'd written in Borland C and then walking through the resulting assembler listing and calibration tables reverse engineering the various utility functions (e.g. lag filters), sensor reading and diagnostics, fuel, spark, EVAP, EGR, idle and myriad other things the ECM controlled. I repeated this for a number of cars and motorcycles.

Those were fun days because GM and Denso etc didn't really bother to protect their IP and their hardware was relatively simple.

Point being unless your hex files are encrypted and the contents of memory are read-protected someone, somewhere will probably have the skills to read your files and/or flash contents and reverse engineer what you are doing. The risk of that happening depends on the number of people to whom the product is exposed and what type of product it is. If it's something aimed at Arduino hobbyists figure a good chance someone will snoop :slight_smile:

jackduino:
If I do not send hex files, and all they ever get is what I have already uploaded to the Arduino, can the most industrious of these people still pull the code off of the chip and see what is what?

If you set the fuses on AVR chips correctly, one can not directly read the flash. Reasonably sure that something like the FBI (or whatever) will have the capabilities to work around that.

A friend of mine asked me to protect the code that I wrote for him for a humidity and temperature control device; nothing really special but seems to have been in a highly competitive environment. A potential customer asked for a test device that was given to him. Three days later my friend got a call that the device could not be read :smiley: Clearly not a customer but competition.

You are limiting your description of what reverse engineering actually is. All you are thinking of is converting the hex code to assembly.
Reverse engineering is usually examining in minute detail the output response from something when the input is tweaked a bit. Any device can be considered a "black box" and reverse engineered, even your project and you never need to look at the code.
Paul

gfvalvo:
Make it Open Source. Show everybody that you're as clever as you think you are.

What do you mean?

Blackfin:
If it's something aimed at Arduino hobbyists figure a good chance someone will snoop :slight_smile:

Haha yeah no there is very little overlap between people who care at all about my work and people who mess around with Arduino stuff. Otherwise I would assume the worst (full access to all of the buried stuff) would be immediate for all practical purposes.
But there are always people with hidden talents and experience who pop up as soon as it becomes clear that a poorly locked door exists. :slight_smile:
Work cited: All the times I locked doors and had them flicked open by some tween in Sweden who can't sleep so he spends all night working this stuff because video games are too easy.
I guess the trick will be to make more doors and hope the new herbal tea they are trying to help them sleep does its job before they can do theirs.