batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

How to lock SD card with the device

Sat Feb 08, 2014 8:05 am

I want to Lock/Bind the SD card with a particular Device and make sure that the card does not work with any other device..

Is there a way to do it?

Regards,
Ashish

User avatar
DougieLawson
Posts: 36528
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: How to lock SD card with the device

Sat Feb 08, 2014 12:43 pm

No. I don't think that can be done. On PC's it's usually done by the BIOS (especially with UEFI). There is no BIOS on a RPi. If I pull your SDCard there's nothing that will stop me booting that on my RPi.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

drgeoff
Posts: 9912
Joined: Wed Jan 25, 2012 6:39 pm

Re: How to lock SD card with the device

Sat Feb 08, 2014 3:28 pm

Liberal application of Araldite(*) will do the trick.

* other epoxy adhesives are available.

(When the software guys can't provide a solution, ask a hardware man. :lol: )

jamesh
Raspberry Pi Engineer & Forum Moderator
Raspberry Pi Engineer & Forum Moderator
Posts: 24129
Joined: Sat Jul 30, 2011 7:41 pm

Re: How to lock SD card with the device

Sat Feb 08, 2014 7:50 pm

Each raspi has a unique serial number so you could write that into the start up and refuse to boot Linux of the wind number is detected. Not failsafe though, but depends on your use case. Raspi expert could easily get round it.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
“I think it’s wrong that only one company makes the game Monopoly.” – Steven Wright

User avatar
FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: How to lock SD card with the device

Sat Feb 08, 2014 8:06 pm

Hi,
batrashish wrote:I want to Lock/Bind the SD card with a particular Device and make sure that the card does not work with any other device.
Try to explain your requirement from another perspective... what would be the purpose of this protection.

If you'd like to have control over number of copies of your RasPi application (that somebody cannot clone SD card you're planning to sell pre-installed with your app), then you could consider hardware authenticators. By using them (USB dongle or GPIO add-on card) you're sure that a cloned SD card is useless without this hardware. Actually, you could advise the customers to clone it to have a backup. ;-)


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

User avatar
ragnarjensen
Posts: 332
Joined: Wed May 15, 2013 6:13 pm
Location: Stockholm, Sweden
Contact: Website

Re: How to lock SD card with the device

Sat Feb 08, 2014 8:25 pm

Each SD card has a unique serial number. It is a part of the Card Identification Register

Code: Select all

cat /sys/block/mmcblk0/device/cid
Maybe in some combination with the raspi serial number?

http://blog.bones-embedded.ch/read-sd-c ... -from-cid/

---
Ragnar

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: Korea

Re: How to lock SD card with the device

Sun Feb 09, 2014 12:08 am

Also, the MAC address for each Pi is unique.

Unless it's a model A. :)

However, as others have said, you can't really enforce this protection. If someone has physical access to the device all bets are off.

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Sun Feb 09, 2014 4:33 am

What if I write a C code which runs on startup as root. (user can not kill the application)
This application has hardcoded the serial number of the device. It will read the serial number of the device and compare it with the hardcoded number, If it does not match it will force a shutdown of the device.

What is your Idea, will it work?
If yes, then Could you guide me how to run the application as root on startup?

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: Korea

Re: How to lock SD card with the device

Sun Feb 09, 2014 5:59 am

It doesn't matter. If I have physical access to the Pi I can become root easily. I could also take out the SD card and read it on another computer, and alter it so that it bypasses your security feature.

If the thing you are trying to protect is very valuable, then you will spend a lot of time and effort protecting it. However, if it's a very desirable thing then someone else will spend a lot of time and effort figuring out how to remove your restrictions. Even if it's not desirable, someone might think it's an interesting and/or fun challenge.

User avatar
FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: How to lock SD card with the device

Sun Feb 09, 2014 11:43 am

Hi Ashish,

What is a "real goal" of your protection ?
Are you planning to develop an application and you'd like to prevent it to be freely copied by cloning the SD card ?


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

User avatar
DougieLawson
Posts: 36528
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: How to lock SD card with the device

Sun Feb 09, 2014 11:58 am

The only way to sensibly protect your RPi is to enclose it in a locked cage (then the only risk is physical tampering of the wires coming out of it).

If I can touch your RPi then I can pull the SDCard & I can steal all of your data. You will slow me down by encrypting the filesystem with Luks but then you will need physical access to boot the machine up, no headless remote operation is possible.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: How to lock SD card with the device

Sun Feb 09, 2014 1:55 pm

It really sounds like the "glue" solution, suggested earlier (probably with tongue-in-cheek), is the only real solution.

To the OP: Any reason *not* to do the "glue solution"?
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

User avatar
rpdom
Posts: 15572
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: How to lock SD card with the device

Sun Feb 09, 2014 2:42 pm

The glue option could be a problem if the card fails and needs to be replaced, or if it needs to be removed or updates.

Another alternative along the same lines is to desolder the SD slot and solder wires to link the SD card directly to the connections. The additional solder on the SD card connections would make it difficult to read/update in a standard card reader.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: How to lock SD card with the device

Sun Feb 09, 2014 2:56 pm

Right - any solution involving glue (or solder, as you suggest) will make the SD card "part" of the board - no longer removable.

If it fails, you would have to replace the whole board. But I think that's the goal, and, at $35 per, replacing it is not such a big deal.

Heck, (many) people replace their iPhones every year - and that's a lot more than $35 a clip...

Some people used to get a new car every year, but then prices went way up and that became unfashionable.
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Sun Feb 09, 2014 11:57 pm

You are right, My intention is to protect my program code , even if someone tries to clone the SD card.

What I want to achieve is 2 things:
a) My code is in Python, which needs to be protected. So I want that user should be able to execute the code but should not be able to read it.
b) Make sure that even If someone clones the card, he is not able to use the card on any other device.

I am able to achieve the first part successfully. I have made sure that even if the code is a python script, the user who logs in as "pi" is able to only execute it and not able to read it. Also, I have made sure that he cannot ever login as root if he does not have the root password, not even with "sudo".

In the second part, I can write a script or a C code, which will make sure that the card will never function on any other device, by comparing it with the serial number of the device. Which is unique to the device.

Now the only thing remaining is to execute that script on bootup as "root" in the background, so that the user"pi" is not able to kill the task of script. And since "pi" cannot login as "root" he will never be able to see that background process and will not be able to kill it.

So please let me know how to run the script as "root" in the background on startup.

Regards,
Ashish

User avatar
FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: How to lock SD card with the device

Mon Feb 10, 2014 1:05 am

Hi,
batrashish wrote:You are right, My intention is to protect my program code , even if someone tries to clone the SD card.
Ok, good to know what are we talking about... ;-)
batrashish wrote:I have made sure that even if the code is a python script, the user who logs in as "pi" is able to only execute it and not able to read it. Also, I have made sure that he cannot ever login as root if he does not have the root password, not even with "sudo".
Don't forget that somebody can take your SD card, put it into the cards reader (eg. USB reader), mount it with this SD card on another system and read/modify its content, eg. read the Python script and/or change its permissions.
batrashish wrote:In the second part, I can write a script or a C code, which will make sure that the card will never function on any other device, by comparing it with the serial number of the device. Which is unique to the device.
This is not the solution. You need to solve the case when the SD card is mounted on another system (not as a main storage).
batrashish wrote:Now the only thing remaining is to execute that script on bootup as "root" in the background,
Call the script from /etc/rc.local


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Mon Feb 10, 2014 6:42 am

FLYFISH TECHNOLOGIES wrote:Hi,
batrashish wrote:You are right, My intention is to protect my program code , even if someone tries to clone the SD card.
Ok, good to know what are we talking about... ;-)
batrashish wrote:I have made sure that even if the code is a python script, the user who logs in as "pi" is able to only execute it and not able to read it. Also, I have made sure that he cannot ever login as root if he does not have the root password, not even with "sudo".
Don't forget that somebody can take your SD card, put it into the cards reader (eg. USB reader), mount it with this SD card on another system and read/modify its content, eg. read the Python script and/or change its permissions.

Got your point. It is valuable. I need to think from this perspective also.
To make sure what people can see in the card contents, I tried to read the card in the SD card reader to see the python files in the home directory of "pi". But I was not able to see these files in the SD Card when read in Windows machine. I believe that home directory is not Fat32 Partition that is why, I am not able to see it in the card reader of Windows 7 Machine.

I am not sure if that will be the case If i read the card with Debian OS?
Need to check that. I will check it now.
batrashish wrote:In the second part, I can write a script or a C code, which will make sure that the card will never function on any other device, by comparing it with the serial number of the device. Which is unique to the device.
This is not the solution. You need to solve the case when the SD card is mounted on another system (not as a main storage).
batrashish wrote:Now the only thing remaining is to execute that script on bootup as "root" in the background,
Call the script from /etc/rc.local


Best wishes, Ivan Zilic.

User avatar
rpdom
Posts: 15572
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: How to lock SD card with the device

Mon Feb 10, 2014 7:09 am

batrashish wrote:To make sure what people can see in the card contents, I tried to read the card in the SD card reader to see the python files in the home directory of "pi". But I was not able to see these files in the SD Card when read in Windows machine. I believe that home directory is not Fat32 Partition that is why, I am not able to see it in the card reader of Windows 7 Machine.

I am not sure if that will be the case If i read the card with Debian OS?
You are correct that Windows cannot (easily) read ext4 partitions. It also can't understand more than one partition on an SD card. But there is third party software that can get around that.

Debian will easily be able to read and write to all partitions on the card.

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Mon Feb 10, 2014 7:12 am

rpdom wrote:
batrashish wrote:To make sure what people can see in the card contents, I tried to read the card in the SD card reader to see the python files in the home directory of "pi". But I was not able to see these files in the SD Card when read in Windows machine. I believe that home directory is not Fat32 Partition that is why, I am not able to see it in the card reader of Windows 7 Machine.

I am not sure if that will be the case If i read the card with Debian OS?
You are correct that Windows cannot (easily) read ext4 partitions. It also can't understand more than one partition on an SD card. But there is third party software that can get around that.

Debian will easily be able to read and write to all partitions on the card.

Thank you for your Inputs. I will have to think about the encryption of the files. :)

User avatar
DougieLawson
Posts: 36528
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: How to lock SD card with the device

Tue Feb 11, 2014 1:26 am

batrashish wrote:Thank you for your Inputs. I will have to think about the encryption of the files. :)
But that needs decryption to run the programs. How do you protect that?

You are able to obfuscate the code by only supplying the *.pyc (python byte code) files. That doesn't stop someone who's determined to reverse engineer it.

If I physically pull the card I can read it on my Ubuntu system. I can easily find and bypass your "encryption" system. If the code is going to run the key is going to be clearly available (unless you require the user to type it in every time the system boots). All bets are off at that point. It becomes no more valuable than ROT13.

On a machine with a BIOS you may be able to have a secure password stored in the hardware. The RPi doesn't have a BIOS.
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia
Contact: Website

Re: How to lock SD card with the device

Tue Feb 11, 2014 1:58 am

Hi,
DougieLawson wrote:On a machine with a BIOS you may be able to have a secure password stored in the hardware. The RPi doesn't have a BIOS.
Earlier in this discussion I mentioned a hardware dongle to overcome this issue... it seems that nobody noticed it and it is still believed that BIOS is the only place to store hardware password...

It might be a proper moment to provide out-of-the-box hardware decryption engine tailored to the RasPi... ;-)


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Tue Feb 11, 2014 4:50 am

FLYFISH TECHNOLOGIES wrote:Hi,
DougieLawson wrote:On a machine with a BIOS you may be able to have a secure password stored in the hardware. The RPi doesn't have a BIOS.
Earlier in this discussion I mentioned a hardware dongle to overcome this issue... it seems that nobody noticed it and it is still believed that BIOS is the only place to store hardware password...

It might be a proper moment to provide out-of-the-box hardware decryption engine tailored to the RasPi... ;-)


Best wishes, Ivan Zilic.
I have found out a way.
It is as follows:
a) Hard code the serial number of the device in the python code and compare it with the device serial number before execution of actual code.
b) encrypt the python file using base64encryption. I know, that this code can be decrypted (Hold on to see the next few steps)
c) After you get the encrypted code, Encrypt it further by witing a simple C code in which this encrypted Python file is passed as input. Now this encryption is only known to you since you have written the algorithm for it. After this step you get further encrypted code which you only can decrypt. This encrypted file will be useless for Others. This encrypted file will be given to the customer.
d) Write another C code to do the following:
i. Read the doble encrypted file as input, which was produced in step C
ii. Decrypt it internally to get the Original Python Base64 encrypted code, in a variable.
iii. Pass this variable as input to Python command with "-c" option, which is called from inside the C code using System command of C language.

You are going to give only 2 files to the customer
A file which you produced in step C, With double encryption.
A file which your produced in Step D (The binary file of the c code, which cannot be decrypted)

Now the customer has the files which he needs for execution. But can not get the source code of the python file since both decryption and execution of the code source code are happening inside "C" binary file.

Please let me know if there is any loophole in the idea.?

Regards,
Ashish

Regards,
Ashish

ame
Posts: 3172
Joined: Sat Aug 18, 2012 1:21 am
Location: Korea

Re: How to lock SD card with the device

Tue Feb 11, 2014 5:56 am

batrashish wrote: I have found out a way.
It is as follows:
a) Hard code the serial number of the device in the python code and compare it with the device serial number before execution of actual code.
b) encrypt the python file using base64encryption. I know, that this code can be decrypted (Hold on to see the next few steps)
c) After you get the encrypted code, Encrypt it further by witing a simple C code in which this encrypted Python file is passed as input. Now this encryption is only known to you since you have written the algorithm for it. After this step you get further encrypted code which you only can decrypt. This encrypted file will be useless for Others. This encrypted file will be given to the customer.
d) Write another C code to do the following:
i. Read the doble encrypted file as input, which was produced in step C
ii. Decrypt it internally to get the Original Python Base64 encrypted code, in a variable.
iii. Pass this variable as input to Python command with "-c" option, which is called from inside the C code using System command of C language.

You are going to give only 2 files to the customer
A file which you produced in step C, With double encryption.
A file which your produced in Step D (The binary file of the c code, which cannot be decrypted)

Now the customer has the files which he needs for execution. But can not get the source code of the python file since both decryption and execution of the code source code are happening inside "C" binary file.

Please let me know if there is any loophole in the idea.?

Regards,
Ashish

Regards,
Ashish
The first loophole is in step a). You are relying on the OS not to lie to you about the serial number.

batrashish
Posts: 26
Joined: Sat Feb 08, 2014 6:17 am

Re: How to lock SD card with the device

Tue Feb 11, 2014 6:27 am

How about MAC ID instead of Serial number?

User avatar
rpdom
Posts: 15572
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: How to lock SD card with the device

Tue Feb 11, 2014 6:32 am

ame wrote:The first loophole is in step a). You are relying on the OS not to lie to you about the serial number.
That isn't a real problem. It is fairly trivial to bypass the OS and get the serial number direct from the system using a mailbox call.

However, it isn't hard to examine the code of a compiled C routine and work out what it is doing, especially a simple "read file, decrypt, write data" one.

[edit]MAC id isn't a good one to choose. It is based on the serial number, but can be overridden by an option in cmdline.txt

Return to “Advanced users”