- Wed Aug 19, 2015 3:19 pm
#26509
First of all, with a few exceptions (like SD library), Arduino
libraries are LGPL, not GPL. See [code="https://www.arduino.cc/en/Main/FAQ"]Arduino FAQ[/code], section "Can I build a commercial product based on Arduino?". Basically, you must release object code of your sketch, but there is no requirement to release the source code.
This may be tricky in some cases (i.e. when you use header-only libraries), but overall this is possible.
Now regarding code protection... I have done some work in this direction, not enough to release anything yet though. The problem with 8266 is that since the ROM bootloader doesn't do any signature verification against the loaded firmware, "perfect" (i.e. provable) protection is not possible. Even if you do some decryption while loading stuff from flash to RAM, attacker can reverse engineer your code and modify it to dump plaintext decryption keys to Serial, for instance. So the only possible protection for 8266 is obfuscation.
I have written a piece of code which generates a key at runtime from 8266 chip ID, flash chip ID, and some user-defined salt. This piece of code should be resilient to reverse engineering: i made sure one will not be able to run it in Qemu or step through using a JTAG debugger. Disassembling it will also not be really helpful. But I am not a security specialist, so i wouldn't bet money on it without some kind of third-party review. This piece of code could be used either to decrypt some part of firmware (few critical functions and some data to be protected), or to verify firmware signature to prevent running it on clones with different chip ID/ flash ID combination.
I'll post more info when I make more progress...