Hi folks,
I am a biologist working substantially outside my area of competency so please bear that in mind.
I am building a set of benchtop bioreactors to control conditions for a particular culture. Budget is tight, and typical off-the-shelf gear is inappropriate for my application, so I decided to roll my own using as much open-source, cheap hardware as possible. I went with a lower-cost manufacturer of sensors, transmitters, etc. as it looked like hobbyists were getting good results from their kit and the manufacturer appears to also be targeting the low end of industrial production (ie. people who can't afford to have Honeywell come and build them their control system).
Things looked ok with my first reactor so I recently ordered a second set of sensors and PIC-based sensor circuits from the manufacturer. Between-sensor error seemed too high even after calibrating a couple of times, and there looked like some weird temp-dependent drift in the amount of between-sensor error, so I started to look at the circuit firmware. I noted that the mfr. had recently added a command allowing the exporting/importing of a calibration string from one circuit to another, which seemed like a possible solution, but I realised that the first set of circuits had older firmware without said command.
Having recently learned how to flash an atmega8 with an AVR programmer (reprogramming some Chinese ESCs to convert some drone rotors into low-RPM magnetic mixers), I thought this should be a snap- hook up a PICkit to the circuit and flash the thing with the newest firmware. I was very taken aback when the mfr.'s rep insisted that I either had to disassemble the circuits and send them back to them (internationally) for a firmware update, or buy new hardware, even after I explained that the circuits are in use in a continuous culture system that does not readily permit me taking a reactor offline for days/weeks any time I want to update the firmware. This seemed to me to utterly defeat the point of firmware updates in an embedded system.
After the rep mentioned that a "custom programmer" was required to flash the PIC (18F25K22- normal 8bit PIC), I pressed a bit and they mentioned that the PICs are programmed with encrypted hex files and that their programmer does some of this decryption. I couldn't understand what the point of this could possibly be until I searched around here a bit and found mention of "lock bits"- looking at the 18F25K22 datasheet it does seem that there are program memory protection bits. My guess is that these are enabled, and in conjunction with the custom decrypting PIC programmer, Shenzhen is prevented from directly knocking off what would otherwise be an easily cloned PCB.
The circuits that I have are smaller, Arduino-compatible ones that look to be aimed at the hobbyist market- ie. they're great for the kind of prototype benchtop reactor system I'm building, but they're probably not going to be adequate for scale-up once we get to that point. I mentioned above that the mfr. has some hardware that is apparently aimed at the industrial market- eg. sensor transmitters with DIN mounts. When I asked whether these also needed to be sent back for firmware updates, they indicated that this is indeed the case. I'm not an industrial control engineer, but I find the idea that someone should dismantle a control cabinet for an active production line in a commercial context, and mail the components back to the mfr, to get a
firmware update, mind boggling. I've looked at other control manufacturers and the ones that I saw mostly seemed to have credentialled logins to firmware sections on their public websites where the user could go grab the latest firmware and deal with the problem themselves.
I have questions following from this that I hope I could get some input on:
1) I have a PICkit clone in the mail that I ordered before understanding the situation. Although I believe the mfr. when they say I can't just copy the newer firmware from the new circuits to the old ones, I would like to hook up the PICkit anyway just to have a look before I send anything back to them. Is it possible that there are any "security features" above and beyond the program memory protection bits that could cause me some trouble here?
2) A simple google search turned up a fairly detailed paper describing a method for breaking PIC18F copy protection. As annoyed as I am, it looks like more work than it's worth to avoid freezing down a culture and paying a couple of courier bills to get a firmware update
. I assume, however, that industrious young engineers in low-income countries are aware of this kind of thing- is this type of security more a deterrent to eat into the profit margin of the would-be cloner just enough to make it not worth the trouble? Or is this harder than it sounds?
3) Is there any way of securely delivering PIC firmware to an end user that would allow them to flash the PIC themselves with a standard programmer, without risking every mook being able to decompile it?
4) The mfr. mentioned that they could not let users update firmware themselves without changing the CPU on the circuit. Does this imply that there are MCUs that are significantly more secure than a PIC?
5) Related to 3&4, how is it that most automation/industrial process control mfrs seem to be able to offer firmware downloads online without worrying about clones popping up on ebay, and without needing this "Encrypted Firmware Must Be Uploaded By Custom Programmer In Secure Facility" technique? Or am I wrong and this firmware-upgrade-by-snailmail thing is actually more common than I imagine?