Lockable T4.0 Single Key with Different Sketches?

D

Dink1000

Member
I'm looking to make an item to Transmit some CAN data but not until it reads certain CAN data.

But when programming each teensy the sketch will be altered to suit the read data.

So will i be able to use the same Encryption key for every teensy even though the sketch changes?

I'd like to be able to keep a copy of one key rather than trying to keep track of every key for each teensy.
 
As long as the key that the sketch is compiled with matches the key that you locked the teensy with, you can use any sketch.
 
Yes, a single key.pem file used for every Teensy you program is the normal / default way. It works quite well that way.

But do keep in mind this way allows cloning the encrypted code between any boards you've made with the same key. It's explained on the code security page under "Firmware Cloning Between Boards"

https://www.pjrc.com/teensy/td_code_security.html

If an attacker were to get 2 of your products, each which responds to specific CAN data, unless you go to extra effort they could desolder the flash chips and copy the encrypted code from either board to the other. While they can't get your original code nor give their own Lockable Teensy the ability to run your code, they could copy your encrypted code between the boards you have shipped with the same key to make either board able to respond to either CAN message.

If you wanted to restrict each board to never run the other code, you could create a different key for each variant of your product. Or you could write info about which message is allowed into the fuse memory, and of course have your code check that info and only work with the allowed message. If you go that route, it's important to use the fuse memory which is completely inside the IMXRT chip. Do not use the EEPROM memory or LittleFS_Program, because those use a portion of the flash memory which is not encrypted. The code security only encrypts the portion of the flash memory used for your code.
 
PaulStoffregen said:
If you wanted to restrict each board to never run the other code, you could create a different key for each variant of your product. Or you could write info about which message is allowed into the fuse memory, and of course have your code check that info and only work with the allowed message. If you go that route, it's important to use the fuse memory which is completely inside the IMXRT chip. Do not use the EEPROM memory or LittleFS_Program, because those use a portion of the flash memory which is not encrypted. The code security only encrypts the portion of the flash memory used for your code.
Click to expand...

If i was to fuse the the Read CAN data (This would be unique per teensy) to the fuse memory, i guess that it could not be Re-programmed if it was to be re-used to read different CAN data? (the output data is always the same)

i.e Only run code once can id 0x415 msg.buf[0] = 0x50 & msg.buf[7] = 0xBC

I'd look to offer a Reprogamming service so the unit can be reused.
 
The fuse memory is permanent write-once memory. Every bit starts at 0 and can be changed to 1, but once written as a 1 it can never be turned back to 0.
 
You must log in or register to reply here.
Back
Top