Protecting flash memory from being extracted - how?

A customer I'm making a simple Arduino-based appliance for has requested that it should not be possible to extract the software from the device, as it will contain sensitive account information. I know almost nothing about the function of bootloaders or the functions of the native ICSP portion on the Atmega chips - I'm just a programmer - so forgive me for the noobie questions.

I am aiming to deploy on USB-less Atmega328p boards that only offer ICSP header. Does the Atmega328 ICSP natively allow reading the flash memory using avrdude or similar, or does it require the presence of a bootloader that offers this function? Is there some kind of dedicated locking mechanism for disallowing this? Will it affect my own software's ability to read from flash memory?

Thankful for any advice on how to "lock down" the device after flashing it.

There are two sets of lock bits, the bootloader lock bits and the memory lock bits.

The bootloader lock bits provide different levels of access read/write the bootloader section and application sections. Since you are not using a bootloader then you can ignore these bits.

The memory lock bits provide read or write access via external Parallel or Serial ICSP programming. This is the one to use to prevent reading from ICSP. Setting these bits do not prevent your application from reading from Flash.

Note once you set the lock bits you can only clear them by erasing the chip.

So the quick steps are: 1. Erase the chip (avrdude will generally do this automatically when writing to flash). This will also clear any lock bits. 2. Write your program to the chip via ICSP. 3. Write the lock bits, for the m328p, lock bits = 0x3C. This will prevent further read/write access to flash via ICSP.

hiduino: ...

So the quick steps are: 1. Erase the chip (avrdude will generally do this automatically when writing to flash). This will also clear any lock bits. 2. Write your program to the chip via ICSP. 3. Write the lock bits, for the m328p, lock bits = 0x3C. This will prevent further read/write access to flash via ICSP.

I will try this out, thanks!

Can I make a modification in avrdude.conf to automatically lock the read bits during programming?

Can't it be set in boards.txt?

avrdude.conf isn't the place where you'd set that - avrdude.conf doesn't tell it what to do, only how to do them.

In boards.txt there´s only options for bootloader. I´m using USBasp, no bootloader.

Look here

For us 'noobs' out here...

How would one go about doing this:

"3. Write the lock bits, for the m328p, lock bits = 0x3C. This will prevent further read/write access to flash via ICSP."

I do not use avrdude directly, only the Arduino IDE.. (with some light mods to files when I follow instructions)

but this seems like a nice feature to learn..

in the file platform.txt located at "C:\Program Files (x86)\Arduino\hardware\arduino\avr", look for the line that look like this:

tools.avrdude.program.pattern="{cmd.path}" "-C{config.path}" {program.verbose} -p{build.mcu} -c{protocol} {program.extra_params} "-Uflash:w:{build.path}/{build.project_name}.hex:i" "-Ulock:w:0x3c:m"

change to the red modification

xl97:
<…>
I do not use avrdude directly, only the Arduino IDE… (with some light mods to files when I follow instructions) but this seems like a nice feature to learn…

AVRDUDE from the command line is powerful.

Ray