Author Topic: What potting compound to use to protect from reverse engineering ?  (Read 10220 times)


Offline Ice-Tea

  • Super Contributor
  • ***
  • Posts: 3070
  • Country: be
    • Freelance Hardware Engineer
Re: What potting compound to use to protect from reverse engineering ?
« Reply #50 on: June 29, 2022, 10:12:08 am »
Final comment from me: you're giving a prospective counterfeiter a free bonus feature compared to your product. You can service theirs.
 
The following users thanked this post: Siwastaja, Arte

Offline RogerThat

  • Regular Contributor
  • *
  • Posts: 83
  • Country: se
Re: What potting compound to use to protect from reverse engineering ?
« Reply #51 on: June 29, 2022, 11:13:24 am »
Arte, I'm developing a product in France as well....with some innovation in it. You can protect your invention, in France, cheap by using an "Enveloppe Soleau": https://fr.wikipedia.org/wiki/Enveloppe_Soleau
I've been recommended it but not done it yet so don't know the exact details.

If you sell directly to customers you need only to conform to the 2014/30/EU (it's up to you to make sure it's OK, it's called self declaration) and/or RED if it contains a radio transmitter. Google around on similar equipment and check their user manual, should be written which standard they conform to. EMC houses charge you roughly 1200€ per day for use of their facility including one engineer. If your product is well built it's one or two visits.

Forget potting as others have said. Honestly it is a bit paranoid to think someone would hack your product and steal the IP. I mean, someone with the equipment and knowledge to do it would probably find it easier to just copy the way it works with their own code. If you are first to release the product with your IP it will anyway be known as the "original product" and the others as clones...no one wants a clone unless it's the only thing they can afford.
 
The following users thanked this post: Arte

Offline JuniorJack

  • Contributor
  • Posts: 16
Re: What potting compound to use to protect from reverse engineering ?
« Reply #52 on: June 29, 2022, 03:50:15 pm »
Hey,

STM32 chips at least have a backup domain that keeps the RTC and a small chunk of RAM on. You can keep your 'algorithm' in there, not in flash, and copy it to executable RAM when your chip is on. All you need is a small CR2032 battery to keep the RAM alive. There is no known method to dump battery-backed SRAM if the debug interface is disabled.

But with your chip choice, you will need to do some digging in the horrible datasheet to see if you can execute in one of the RAM banks, and whether low power mode will not drain your battery and will hold the RAM contents.

And of course this solution will be a support nightmare and a huge problem for your customers. As other posters suggested, best security is no security - e.g. Open Source or excellent customer support.

Good luck, K.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3711
  • Country: us
Re: What potting compound to use to protect from reverse engineering ?
« Reply #53 on: June 29, 2022, 04:30:48 pm »
Quote
Arte, I'm developing a product in France as well....with some innovation in it. You can protect your invention, in France, cheap by using an "Enveloppe Soleau": https://fr.wikipedia.org/wiki/Enveloppe_Soleau
I've been recommended it but not done it yet so don't know the exact details.

Legal IP protection is of very little use for small manufacturers serving niche markets.  The total $$$ available in those markets are just not high enough to warrant enforcement action.  This sort of tool is useful if you are a small company that is worried that a big company is going to steal your invention where if they do you could potentially win a very large judgement against them.  The Enveloppe Soleau in particular seems like it only establishes priority date and right to use, not any sort of exclusivity.  So it prevents someone from finding out about your idea, but patenting it first and then suing you for infringement.


Quote
Forget potting as others have said. Honestly it is a bit paranoid to think someone would hack your product and steal the IP. I mean, someone with the equipment and knowledge to do it would probably find it easier to just copy the way it works with their own code. If you are first to release the product with your IP it will anyway be known as the "original product" and the others as clones...no one wants a clone unless it's the only thing they can afford.

It definitely happens.  Take a look at the Saleae logic analyzer and the Jlink programmer for some examples in the DIY electronics space, although in these cases it isn't so much an instance of cloners dumping the firmware to copy it (although they do), but that they are making compatible devices that work with the original client software.  Both products are sold at prices far above their hardware cost in order to include a license for the client software which is far more development cost than the hardware which is basically trivial.  Also to your point of "no one wants a clone unless it's the only thing they can afford" -- both products are sold well above the price that hobbyists and even many small businesses are willing to pay, so there is a clear market for clones.

It also is possible to make reasonably secure hardware.  I don't think anyone here is claiming otherwise.  There are tamper-resistant processors and security chips, there are devices that allow encrypted firmware with secure key storage and so on.  It is quite complicated to design a product like this, easy to screw up, has a number of downsides, and even then it is not foolproof but it can stop a lot of reverse engineering.  It's rarely worth the effort for the type of product the OP seems to be working on but it is possible.  Filing the markings off of chips and epoxy potting are just not effective ways to do this.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14439
  • Country: fr
Re: What potting compound to use to protect from reverse engineering ?
« Reply #54 on: June 29, 2022, 06:03:55 pm »
Quote
I mean, someone with the equipment and knowledge to do it would probably find it easier to just copy the way it works with their own code. If you are first to release the product with your IP it will anyway be known as the "original product" and the others as clones...no one wants a clone unless it's the only thing they can afford.

I do not agree with that. You need to consider your audience there, and as the OP mentioned, worried about the average "audience" copying the product if it's too easy to do, while the audience probably has no means of doing anything a bit too involved, even if that bit looks trivial to the seasoned engineers here. And if it's that easy to implement without even needing to copy it, then so be it, but I don't buy this either. You're largely overestimating the capabilities of people in general, and probably of the OP's audience in particular.

As I got it, it's a bit of a "niche" product. Niche products do not have the same appeal nor are the same targets for cloning/copying as more "mainstream" products. Just my 2 cents.

Other than that, I would agree with the fact the RP2040, or any MCU with external code memory for that matter, would not be the ideal choice, but I can understand the rationale if it fits the requirements otherwise, as it's cheap and reasonably available as of now, as opposed to many other MCUs out there.

An idea would be to encrypt the critical Flash content, and decrypt it at boot time. That would imply running most of the code (at least the "critical parts") from RAM, but given the RP2040 has a comfortable amount of it, that should be doable.

The encryption could be using a key unique to each product. See if the RP2040 has some kind of unique ID or serial number, I don't remember that. If so, you could devise an encryption scheme based on this. That would imply encrypting the Flash content at programming time, during production. That's also largely doable. While not hacker-proof much, this scheme would probably make it hard enough for your average joe to figure out, to be a better protection than potting.

Again, we are talking about making it tough for the average joe here, not about making the device impossible to hack. No approach can do that anyway.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: What potting compound to use to protect from reverse engineering ?
« Reply #55 on: June 29, 2022, 06:22:38 pm »
Quote
Three key elements to not getting screwed immediately by clones:

1. Don't choose a dishonest Contract Manufacturer. If you choose the wrong one, they'll start undercutting you with your own design! This is bad. It is hard to audit a CM and ensure they're honest, but, believe it or not, most of them are. (It's often the subcontractors that are trouble.)

2. Price your product fairly. No one wants to manufacture it themselves. We'd rather buy it! So price it such that we can justify just buying it. That might mean tiered pricing or all those other horrid schemes. They're awful, but if they keep your product afloat, we all win.

3. Have some key value-add that's difficult to copy, but not in the design itself. Like how it's tested or adjusted/calibrated. Or simply a (believable) guarantee of reliability. This is huge! If I can get the Chinese clone working with 10 hours of labor, that will mean nothing to hobbyists, but everything to professionals who have the money to pay for better.

And if anyone reading this thread still thinks epoxy potting compound actually does anything useful to solve this problem, I have one product name for you: Dynasolve 185.

<- this.

think about it .. What gets copied ? stuff that is way overpriced for what it is. Things with enormous profit margins and high volume

What is there to gain by copying a product if you can make only 5$ a piece with a TAM (total accessible market) of 1000 pieces ?
making 1$ per piece with a TAM of 1 million starts getting attractive...(you need to look at the investment of time and money to do the legwork. )

Note that there is a difference between copying a physical product (hardware needs to be built and sold) and immaterial stuff (software). Copying software is a different can of worms.
Know your product and its place in the market. Who would copy it , in what quantity and what can they make in terms of profit ?

That being said : why on earth do you use a processor where the firmware can be copied by just plonking the external flash in a cheapo programmer ? at least use a processor with on board flash that is locked.
that's giving it away...


Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 
The following users thanked this post: james_s

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13727
  • Country: gb
    • Mike's Electric Stuff
Re: What potting compound to use to protect from reverse engineering ?
« Reply #56 on: June 29, 2022, 06:29:59 pm »
I'm going to guess that your code will use only a small fraction of the available flash. You could obfuscate it by filling the remaining available memory with complex code that never gets called. That won't stop anyone from simply copying the entire mess, but it can make it more trouble than it's worth to uncover whatever it is you're trying to hide.
And if necessary provide proof that someone has copied it.
Youtube channel:Taking wierd stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: What potting compound to use to protect from reverse engineering ?
« Reply #57 on: June 29, 2022, 09:19:23 pm »
oh and warning, if this is how you plan to do designs don't even think of anything that has to pass EMC testing or your products will all be 90% hacked on bits after to fix the mess you made in the first place to get it past regulatory testing! I take it you have thought about that bit too as you plan to sell it?

However surprising as that may be, I did. I looked into the regulations I had to comply with for the EU market, and as far as I understand, that would be CE and its EMC and RoHS components; and I saw that the CE specifications were... non quantitative. Which on one side I find baffling, and the other, not surprising.

I read the 2014/30/EU directive, and took away that I had to respect the following, write a document and add CE/RoHS on my devices:

1. General requirements
Equipment shall be so designed and manufactured, having regard to the state of the art, as to ensure that:
(a) the electromagnetic disturbance generated does not exceed the level above which radio and telecommunications equipment or other equipment cannot operate as intended;
(b) it has a level of immunity to the electromagnetic disturbance to be expected in its intended use which allows it to operate without unacceptable degradation of its intended use.

2. Specific requirements for fixed installations
A fixed installation shall be installed applying good engineering practices and respecting the information on the intended use of its components, with a view to meeting the essential requirements set out in point 1.

That's it. No seriously that's it.
What to take away from this ? What level qualifies as the one above which radio and telecommunications equipment or other equipment cannot operate as intended ? What electromagnetic disturbance can I expect in the context of its intended use (some guy's bedroom) ? How am I qualified to judge that with a background in mathematics and software engineering ?

From there I see two paths:
- Buy a 100$ EMC tester, test and go "well clearly the level are so low it's not a problem, also it still works when I run it next to my microwave and my CRT, must be good lmao. Also all my components are RoHS, Farnell and JLC said so"
- Respect a harmonized standard. Having looked at previous versions (the 2015 iirc) it's utterly impossible to verify them without highly specialized equipment and asking a lab to test for you costs an arm - by an arm I mean a significant % of the projected gross sales for the lifetime of the device. Oh yeah and, if I understood this correctly, YOU HAVE TO BUY THE LATEST HARMONIZED STANDARD TO EVEN KNOW WHAT YOU'RE SUPPOSED TO COMPLY WITH.

So, yeah. I'm going with the first option so far. I am in good faith doing all I reasonably can to ensure this device is compliant, and the (self-certified) directive - I was previously mentioning I wasn't that surprised - seems to be written to... allow people to do this. I guess the fact you buy what you have to comply with really highlights the fact major companies and individuals aren't held to the same standards.
For comparison, my peers don't even bother with compliance and have been selling to the EU without it (one has self certified the NA equivalent)
As far as I understand, the CE compliance is an obligation of results - also you have to write something to demonstrate you tried. You don't get fined until there's a problem and it's shown your device was not, in fact, CE, and you claimed it was. If you know your device is so basic EMC worries are out of the question (because it's literally a mcu, a flash, a crystal, basic components and contacts), then you hardly care.

If anyone wants to pitch in on that - though it's not the initial subject - I would welcome it. I've been extremely confused learning about compliance, and I'm trying my best to play by the rules as much as a one man operation allows.

Simple answer: "get a lawyer", that is why test houses exist. They will tell you what the law means and what you need to do, it will cost, and you do it. Yes regulations are a pain in the ass, they never tell you how to do it, only what the outcome should be.
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: What potting compound to use to protect from reverse engineering ?
« Reply #58 on: June 29, 2022, 09:24:55 pm »
Right, it's not sensitive, and I should've been more precise in saying I would get rid specifically of the part that says how exactly I'm making it harder. Or rather, used a fake username so people don't just stumble on this post. My mistake I guess. I didn't think this would cause such a reaction; also, I don't find it very mature to set such a description in stone when I ask how good [doing exactly this and that to make it harder to hack a device] is before even letting me reply to how I'm not supposed to remove information from others. Figuring out how a device's encryption in place works once you've reached the firmware can be difficult and is a lot less difficult if there's a description of how exactly it works... with these messages this exchange may have caused me more harm than good  :(


Well that explains it all.... no seriously, I have no idea what that says.

Quote

I know damn well security is the RP2040's weakness, but if anyone has a microcontroller with 2 cores at this speed, 2 PIOs with 4 SMs (or equivalent - I make use of all of them) a usb device/host capabilities, that's widely available and was available for the past 2 years, for ~1$, then please enlighten me. A STM32F405 is $11 on JLC and is in stock every now and then.
An atmega32u4 is $10 and is almost out of stock. I'm by no means a professional, I'm a software developer and I've been learning the basics of all the tangential stuff that goes into making a commercial product to be able to turn a better algorithm (that can hardly be inferred from looking at the IO as it's a matter of prediction) in a niche field into a product that will probably only sell a few thousands. And from however little understanding I have, the RP2040 is currently for small fish like me not only a good option, it's virtually the only option and is literally 5x better than other options I've looked into. I'm dead serious, if you have better proposals, I'm all ears, I'm not happy at all with having to use it. I was dreading the security aspects from day one.

So an atmega32u4 will do it but you picked a 2x133MHz M0+ over an 8 bitter at 16MHz? The new series of AVR are quite nice, PM me if you want some, I have stock.

Quote
Also frankly, I think you're nice merely hiding shit in the epoxy.
My previous ideas involved having the device recognize it's being messed with and have it spoof a keyboard+mouse on plug-in, having it attempt to escape whichever virtual machine it's into by clicking in the common places to do that, and then attempt to do fun things in the terminal such as submitting web searches about the crimes of the CCP.

err, while you ended up bordering on madness the idea of pretending to be another device is not bad at all.

Quote
Anyway I'm sorry this is causing a fight. Call me incompetent because I am, but I didn't find a suitable alternative to the RP2040 in terms of capabilities vs price point and I'm trying to make the best of a bad situation.


No fight, we are just trying to educate you, everyone has to start somewhere, you seem to have bitten off more than you can chew.
 

Offline Arte (Topic starter)

  • Contributor
  • Posts: 16
  • Country: fr
Re: What potting compound to use to protect from reverse engineering ?
« Reply #59 on: June 29, 2022, 09:59:45 pm »

Quote

I know damn well security is the RP2040's weakness, but if anyone has a microcontroller with 2 cores at this speed, 2 PIOs with 4 SMs (or equivalent - I make use of all of them) a usb device/host capabilities, that's widely available and was available for the past 2 years, for ~1$, then please enlighten me. A STM32F405 is $11 on JLC and is in stock every now and then.
An atmega32u4 is $10 and is almost out of stock. I'm by no means a professional, I'm a software developer and I've been learning the basics of all the tangential stuff that goes into making a commercial product to be able to turn a better algorithm (that can hardly be inferred from looking at the IO as it's a matter of prediction) in a niche field into a product that will probably only sell a few thousands. And from however little understanding I have, the RP2040 is currently for small fish like me not only a good option, it's virtually the only option and is literally 5x better than other options I've looked into. I'm dead serious, if you have better proposals, I'm all ears, I'm not happy at all with having to use it. I was dreading the security aspects from day one.

So an atmega32u4 will do it but you picked a 2x133MHz M0+ over an 8 bitter at 16MHz? The new series of AVR are quite nice, PM me if you want some, I have stock.


No, it won't do. I'm using both cores and all 4 PIOs, though I might be able to make do with one core at least as fast with some more complicated orchestration of tasks if I give up on some features (particularly dreading the loss of the PIOs - it's almost like I have 6 real time threads right now which lets me not mind interrupts whatsoever...) . I was just pointing out how fucked the situation was while I was developing this, that the MCU in the Arduino Micro would be $10. My first go at it used a STM32F407VET6, and I was dreading having to do what I ended up doing very easily and reliably with the PIOs, and at that point, it cost $3 on JLC.
Now it costs $14. And it wasn't in supply for the longest time anyway.

For context the whole board now costs a few dollars. So, someone was mentioning business 101 earlier, when looking at my options, the RP2040 just blew all the others extremely bad. Yes, I lose on security, but I had to lose on something, and between no internal flash and several dollars extra per board for a niche product, the decision was very quickly made. Now just because I've given up on good security doesn't mean I wouldn't like to try to make it harder for the potentially malicious average joe to mess with it. I thought potting was a good addition; most people here say it's not and I thank you for your input.
I'm not hellbent on security or I wouldn't have given up conventional (internal flash, security bit, etc) security in the first place. I always knew and accepted this was the huge downside of the RP2040. Doesn't mean I don't want to make it as hard as I can reasonably make it given the circumstances.
« Last Edit: June 29, 2022, 10:14:36 pm by Arte »
 

Offline Simon

  • Global Moderator
  • *****
  • Posts: 17814
  • Country: gb
  • Did that just blow up? No? might work after all !!
    • Simon's Electronics
Re: What potting compound to use to protect from reverse engineering ?
« Reply #60 on: June 30, 2022, 05:44:15 pm »
well yes things are hard right now supply chain wise. I went for an MCU that was definitely not used on the arduino and didn't seem to have a great following, why try to compete with the masses for stock? and still I would not get any more for 18 months if I ordered today.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14439
  • Country: fr
Re: What potting compound to use to protect from reverse engineering ?
« Reply #61 on: June 30, 2022, 06:14:32 pm »
Times are tough indeed when it comes to getting ahold of semiconductors.
And with the uncertainties and rampant inflation, the incentive for people to just counterfeit products is getting IMO higher than usual, so I can understand the OP's concerns.

 

