patakye
Posts: 24
Joined: Thu May 22, 2014 5:52 am

protection

Fri May 23, 2014 8:25 am

i have an new device i want to make using the PI as the base .. once i setup all the software on the SD card, how can i prevent someone from just copying the SD card and using it on another PI? ... can i encrypt and lock the SD card for use only with one specific PI? ... how can i protect the IP in the software on the SD card?

eltrasimaco
Posts: 20
Joined: Fri Apr 25, 2014 10:50 am

Re: protection

Fri May 23, 2014 8:42 am

A quick& dirty way could be getting the serial and shutting down; something like this can be put in rc.local

serialno=`cat /proc/cpuinfo |grep Serial|cut -d' ' -f2`
if [ "$serialno" != "some string" ]
then
halt
fi

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: protection

Fri May 23, 2014 8:44 am

Wait till the compute module is released and design your device
with that instead. Needless to say , the approaches to copy
protection are the same for the Pi and any PC software ,
so designing an appliance with strong physical security
would be your best bet.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

patakye
Posts: 24
Joined: Thu May 22, 2014 5:52 am

Re: protection

Fri May 23, 2014 9:04 am

awesome thanks ... i think combined with the serial number of the SD card, this can provide some good protection if all code is encrypted and compiled with the serial numbers

User avatar
DougieLawson
Posts: 35823
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK
Contact: Website Twitter

Re: protection

Fri May 23, 2014 1:58 pm

patakye wrote:i have an new device i want to make using the PI as the base .. once i setup all the software on the SD card, how can i prevent someone from just copying the SD card and using it on another PI? ... can i encrypt and lock the SD card for use only with one specific PI? ... how can i protect the IP in the software on the SD card?
If I can get physical access to the Pi I can pull the card from that point all bets are off.

I can spoof the serial with four lines of code

Code: Select all

#!/bin/sh
cat /proc/cpuinfo | sed -e 's/Serial.*/Serial\t\t: 00000000deadbeef/g'  > /tmp/cpuinfo_fake
mount -o bind /tmp/cpuinfo_fake /proc/cpuinfo
mount -o remount,ro,bind /proc/cpuinfo
There's nowhere you can store a safe and secure key without needing human interaction (to type it in).

It's harder for me to spoof the ethernet MAC address (because I'd have to have a special kernel module to do that).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

User avatar
Cancelor
Posts: 757
Joined: Wed Aug 28, 2013 4:09 pm
Location: UK

Re: protection

Fri May 23, 2014 2:22 pm

Is this, in the very least, against the spirit of all the software that is on the RPi? As far as I know it might even be in breach of some licence?
Can't find the thread you want? Try googling : YourSearchHere site:raspberrypi.org

ghans
Posts: 7871
Joined: Mon Dec 12, 2011 8:30 pm
Location: Germany

Re: protection

Fri May 23, 2014 3:20 pm

Nope , look at the TiVO (the TiVO is often cited as one reason
why the GPLv3 was written). As long as you don't incorporate
viral (i.e. GPLv2) code into your own software codebase,
you can keep everything you wrote yourself closed. You just
have to provide the source for all GPLv2 tools which are
used to get your software to run in the first place ,
including modifications.

That said , you could come down hard on GPLv2 compliance
(very relevant for the kernel) and require that whoever
distributes something based on GPL code must run their own
source servers instead of cheaply linking to e.g. raspbian.org +
the foundation github. I think plugwash himself had favoured
that position.

The rest of the licenses relevant to Raspberry Pi software are
more leninent AFAIK and therefore esier to follow from a
commercial perspective.
If in doubt , ask your lawyer.

ghans
• Don't like the board ? Missing features ? Change to the prosilver theme ! You can find it in your settings.
• Don't like to search the forum BEFORE posting 'cos it's useless ? Try googling : yoursearchtermshere site:raspberrypi.org

patakye
Posts: 24
Joined: Thu May 22, 2014 5:52 am

Re: protection

Fri May 23, 2014 10:49 pm

Oh I see, so let's say this is my strategy ...

1) user downloads/buys my product and software license
2) i compile my code which will check for a specific value which it will check at runtime
3) this value is a combination of the processor id, SD card id, and a random key the user gets after purchasing

If I do all this, even if someone pulls the card and such, at least one of these things will not match .... this would be some level of protection right?

If you can fake the SD card serial, ok, but what about the processor id, can that be faked too?

i suppose if someone fakes the processor serial, sd card serial, and they know the random user code, then they could steal the software ... so maybe it depends on whether they can fake the processor serial ..

patakye
Posts: 24
Joined: Thu May 22, 2014 5:52 am

Re: protection

Fri May 23, 2014 10:51 pm

i would hate to have to make the user have a usb dongle, but that may be the only solution ... that is the only thing they cannot duplicate if i understand correcty

User avatar
Douglas6
Posts: 4740
Joined: Sat Mar 16, 2013 5:34 am
Location: Chicago, IL

Re: protection

Fri May 23, 2014 11:34 pm

The (additional) video codecs are of course tied to the s/n. I have a sense it was difficult, and revealing the secret counterproductive (the terms 'lawyers' and 'ton of bricks' come to mind)

klricks
Posts: 6550
Joined: Sat Jan 12, 2013 3:01 am
Location: Grants Pass, OR, USA
Contact: Website

Re: protection

Sat May 24, 2014 2:15 am

patakye wrote:Oh I see, so let's say this is my strategy ...

1) user downloads/buys my product and software license
2) i compile my code which will check for a specific value which it will check at runtime
3) this value is a combination of the processor id, SD card id, and a random key the user gets after purchasing

If I do all this, even if someone pulls the card and such, at least one of these things will not match .... this would be some level of protection right?

If you can fake the SD card serial, ok, but what about the processor id, can that be faked too?

i suppose if someone fakes the processor serial, sd card serial, and they know the random user code, then they could steal the software ... so maybe it depends on whether they can fake the processor serial ..
It's not about protections built into your code. It's about pulling the card and putting it in any Linux computer and browsing your files or whatever.
Locks only keep honest people out.......... The thief will bash down the back door.....
Short of 'potting' the whole RPi in epoxy or dongle key, it won't be that secure from those who can really hurt you.
Unless specified otherwise my response is based on the latest and fully updated Raspbian Buster w/ Desktop OS.

User avatar
Cancelor
Posts: 757
Joined: Wed Aug 28, 2013 4:09 pm
Location: UK

Re: protection

Sat May 24, 2014 7:54 am

klricks wrote:........ those who can really hurt you.
in this context means ripping of your product and then selling it for vast amounts of money ... this is where and when the lawyers come in handy ;-)

If you just want to prevent accidental corruption by nosey customers then that's different.
Can't find the thread you want? Try googling : YourSearchHere site:raspberrypi.org

Tarcas
Posts: 740
Joined: Thu Jan 09, 2014 5:38 am
Location: USA

Re: protection

Sun May 25, 2014 2:38 pm

DougieLawson wrote:
patakye wrote:i have an new device i want to make using the PI as the base .. once i setup all the software on the SD card, how can i prevent someone from just copying the SD card and using it on another PI? ... can i encrypt and lock the SD card for use only with one specific PI? ... how can i protect the IP in the software on the SD card?
If I can get physical access to the Pi I can pull the card from that point all bets are off.

I can spoof the serial with four lines of code

Code: Select all

#!/bin/sh
cat /proc/cpuinfo | sed -e 's/Serial.*/Serial\t\t: 00000000deadbeef/g'  > /tmp/cpuinfo_fake
mount -o bind /tmp/cpuinfo_fake /proc/cpuinfo
mount -o remount,ro,bind /proc/cpuinfo
There's nowhere you can store a safe and secure key without needing human interaction (to type it in).

It's harder for me to spoof the ethernet MAC address (because I'd have to have a special kernel module to do that).
You don't need to spoof it. With a hex editor, it's fairly commonplace to find the part of the compiled program that looks at that sort of thing and just reverse the if.
If all these things match then run.
becomes
if all of these things DON'T match then run.

As has been stated, if a hacker has physical access to the equipment then all bets are off. Put your legal protections in place (copyright, trademark, and patent as applicable) then use a best effort to keep lazy cheap people from easily using cloned software, and move on. You'll never make your fortune if you spend all your time worrying about someone stealing part of your fortune. :-D

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: protection

Tue May 27, 2014 9:27 am

patakye wrote:i would hate to have to make the user have a usb dongle, but that may be the only solution ... that is the only thing they cannot duplicate if i understand correcty
Honestly I hate these sorts of questions. There's no easy answer because it's the question that's wrong. Here are two facts:
  • Those stupid Sentinel USB dongles are easily beaten
  • I don't see those dongles in enterprises any more. I see them in ten year old legacy applications we're trying to get rid of
I know what you're trying to do and I can appreciate that you think you're preventing piracy, but pirates still pirate, and end users end up with broken dongles and an inability to use a product they've paid for.

These "solutions" are a hangover from 1990 when they operated over a serial port and presented a viable alternative to that dark brown "photocopy proof" paper you had read keys off every time you started a game from a floppy disk.

Return to “Advanced users”