obfuscate arduino

Hi friends!
I'm trying to develop an IoT project and I'm worried about my code,
because the modules are accessible to anyone, and they can read the code or change it!

Is there any way to obfuscate Arduino code?
Or is there a way to lock the module so that no one other than myself can program it?

thank you

Perhaps you've misunderstood the concept "open source"?

I know the concept of 'open source',
but I'm new to Arduino!
I'm a web programmer, and in JavaScript we can obfuscate our code to make it hard to understand.
I think maybe there is something like that for Arduino, because hardware modules are accessible and that is dangerous for security.

"because the modules are accessible to anyone, and they can read the code or change it!"

So just how do you do this?

You can obfuscate high level language code, but not machine code, which is what is stored in the Arduino flash.

There are code protect bits that you can set to prevent the average user from reading out the machine code.

I'm sorry, I didn't understand what you mean.

I'm a web programmer, and in JavaScript we can obfuscate our code

I see your JavaScript, and raise you a Duff's Device

The Arduino programming language is C/C++, but the Arduino MCU executes machine code, produced by the compiler/linker/loader package.

The human-readable code that you write is translated by the compiler into binary machine code. And the machine code is all that is on the Arduino. For anyone to get hold of it and do anything with it would require an unusual level of skill. It's not impossible but it is pretty unlikely that anyone with that skill set would bother with your IoT project.

Steve

mahdiAkhi:
I'm sorry, I didn't understand what you mean.

A JavaScript program is text that a human can read. Obfuscating makes it harder for a human to figure it out. However, for an Open Source project one would wish to leave it in an accessible form.

A C++ program is compiled into machine code before it is uploaded to an Arduino. Even if someone were to download the machine code from the Arduino (and most people don't know how to do that) they would be very unlikely to be able to make sense of it. Obfuscated JavaScript would be a great deal easier to figure out than machine code.

Of course, in the Open Source spirit you should make your C++ source code available.

...R

You can distribute an Arduino library without the source code. This is more common in C libraries in commercial programming. I've never seen an Arduino library like this.

If you don't want people stealing your code then don't give it to them. Sell them hardware that is already programmed.

While this reply is 7 months late let me expand on it as I am faced with the same situation.

I have written a program. I need to furnish the source code to the client as there are some variables that need changing now and then.

For example, an IP address / WiFi password. Rather than have me make a tiny change and them have to goof around with AVRDude to download, and me to make changes & ship, I'd like to let them have the code but show where to make changes that I allow. I stay out of the loop.

OK? So does anyone know of any gotchas for using an obfuscation tool with the Arduino IDE?

Can't you put the variables in EEPROM?
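A sketch of the EEPROM approach suggested above, added here as an example and not code from any poster in this thread: the client-editable settings live in a checksummed record, so the IP address and WiFi password can change without the source being shipped or rebuilt. The record layout, the `cfg_*` names and the `fake_eeprom` array (a stand-in for the AVR's EEPROM so the code runs on a PC) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_MAGIC 0xC0F1u         /* constructed marker for a written record */
static uint8_t fake_eeprom[256];  /* stand-in for the AVR's on-chip EEPROM */
typedef struct {                  /* hypothetical settings record */
    uint16_t magic;
    uint8_t  ip[4];
    char     ssid[33], pass[64];
    uint16_t crc;                 /* CRC-16 over every byte before this field */
} device_cfg;

static uint16_t crc16(const uint8_t *p, size_t n) {  /* CRC-16/CCITT-FALSE */
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}
/* Apply one "key=value" line from the client; oversized or malformed input is rejected. */
int cfg_set(device_cfg *c, const char *line) {
    unsigned o[4]; char extra;
    if (!strncmp(line, "ssid=", 5) && strlen(line + 5) < sizeof c->ssid)
        { strcpy(c->ssid, line + 5); return 0; }
    if (!strncmp(line, "pass=", 5) && strlen(line + 5) < sizeof c->pass)
        { strcpy(c->pass, line + 5); return 0; }
    if (sscanf(line, "ip=%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &extra) != 4
        || (o[0] | o[1] | o[2] | o[3]) > 255) return -1;  /* each octet must be 0..255 */
    for (int i = 0; i < 4; i++) c->ip[i] = (uint8_t)o[i];
    return 0;
}
void cfg_save(device_cfg *c) {    /* stamp marker and checksum, then write the record */
    c->magic = CFG_MAGIC;
    c->crc = crc16((const uint8_t *)c, offsetof(device_cfg, crc));
    memcpy(fake_eeprom, c, sizeof *c);
}
/* Returns 1 if a valid record was read, 0 if EEPROM was blank or corrupt (record zeroed). */
int cfg_load(device_cfg *out) {
    memcpy(out, fake_eeprom, sizeof *out);
    if (out->magic == CFG_MAGIC
        && out->crc == crc16((const uint8_t *)out, offsetof(device_cfg, crc))
        && memchr(out->ssid, 0, sizeof out->ssid) && memchr(out->pass, 0, sizeof out->pass))
        return 1;
    memset(out, 0, sizeof *out);
    return 0;
}
```

On a real board the two `memcpy` calls on `fake_eeprom` would become `EEPROM.put` and `EEPROM.get` from the Arduino EEPROM library, with `cfg_set` fed from lines read over the serial port.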

MorganS:
You can distribute an Arduino library without the source code. This is more common in C libraries in commercial programming. I've never seen an Arduino library like this.

If you don't want people stealing your code then don't give it to them. Sell them hardware that is already programmed.

Not so fast....

Even if you sell a h/w type device with a pre-loaded f/w image, that doesn't necessarily allow you to close all your source code if you are using other open source in your project.

If you used Arduino and arduino libraries to develop your f/w image, you are still subject to all the licensing terms of all the other code and libraries used by the sketch in the linked image.

Some Arduino library code is licensed GPL 3.0 which precludes you from using any closed source in the project/product.

Even when using LGPL 2.1 (which is what most of the Arduino library code is), there are still some hefty restrictions.
Sure, LGPL 2.1 does not mandate opening your own source, but you must still conform to section 6 of the LGPL license agreement for all the LGPL 2.1 code used in the linked image.
Yes you can provide objects only for your sources rather than the source code; however,
due to Arduino being a f/w environment without shared libraries, you will have to conform to 6a

a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)

The most important thing to take note of is that if you choose to not provide all the source code and instead provide only pre-compiled objects, you must still provide a way for the user to be able to update/replace/modify any of the LGPL 2.1 code that was used in the image.
This is next to impossible to comply with in the Arduino environment unless you release all the source code so that the user can rebuild and upload the new image to the device.

Even if you don't use any Arduino libraries, or even totally avoid Arduino altogether and just wrote all your own code using gcc, you would still likely have 6a requirements since the compiler would end up pulling in some amount of gcc LGPL library code like the startup code or some isr wrappers, or stack frame code, math code, etc...
So you would still have to provide a way for the user to be able to rebuild the image, using your pre-compiled objects, and update the device.

--- bill

LGPL is particularly ill-suited to embedded systems. Do you know of any proprietary SW vendor who has been called out and forced to provide linkable versions based on using an LGPL library?

pulling in some amount of gcc LGPL library code like the startup code or some isr wrappers, or stack frame code, math code, etc...

libgcc currently uses the exception for runtime libraries. GCC Runtime Library Exception - GNU Project - Free Software Foundation
avr-libc (includes the startup and ISR wrappers, all the floating point stuff, and etc) doesn't use GPL licenses. It used a modified BSD license. http://svn.savannah.gnu.org/viewvc/avr-libc/trunk/avr-libc/LICENSE?revision=2170

Versions of gcc are used as the primary chip-vendor-provided compiler for many architectures. If people were unable to build proprietary applications, that would be a BIG problem. (I worked with gcc back before LGPL. We had our own implementations of all the libgcc functions, so as not to run into copyleft. It was a pain, but not impossible.)

All that said, I think obfuscating your source code before giving it to a customer is an awful idea.

westfw:
LGPL is particularly ill-suited to embedded systems. Do you know of any proprietary SW vendor who has been called out and forced to provide linkable versions based on using an LGPL library?

Yes. I've personally been involved with several h/w vendors that used some LGPL based code in their devices.
Note: this was around 10 years ago.

Here are 3 well known vendors that I contacted and called out for GPL & LGPL violations and worked with to get into compliance.
Samsung for their Galaxy phones, GoPro for their cameras, TomTom for their GPS devices.

All of them set up and provided a web location where you could download all the files needed to build their f/w.
They provided a full development tree that you could download. (tar image)
It included all the pre-compiled objects for their proprietary source modules, various open source modules that might be LGPL, GPL or BSD, and then makefiles and scripts for building the images.
They all also had ways to update the f/w code in the device with the image you built.

They were all very interested in being compliant and very cooperative.
Most of them were close to compliance before I got in touch with them.

So yes, there are real-world cases out there in the wild.

--- bill