Really great work! This was probably the simplest yet coolest insight from this write-up.
Flipping this on its head, can anybody recommend a reading list on more robust strategies to obfuscate this sort of breadcrumb?
- Laser off the part marking. Not knowing what a part is makes the job much more difficult
- One time programmable chips: can't modify or read off firmware if the JTAG bus is disabled
- Encrypted firmware: helps if someone is able to fuzz the chip to dump the firmware
- BGA parts: hide the pins, bury the traces. It makes the job harder but not impossible
- Programming before soldering: you can leave the programming pins disconnected so someone would have to remove the chip before attempting anything on it
- Use more advanced features of the chip: some chips offer secure memory locations that can contain decryption keys, magic numbers, whatever you want. You could have a magic number that you XOR with every literal. It would certainly make things more difficult to determine what is what in the assembly code if you could decrypt it
- Pour some epoxy over the chip or board: makes repairs impossible but also can screw over the reverse engineer.
- Work with a manufacturer to build a custom chip. You could do crazy things like move the programming pins around and hide them as other things. Like the JTAG test points would be random decoupling caps hidden in the board.
- Finally, threaten to sue anyone that publishes anything
That said, there actually is one nasty workaround: run some critical functionality on a custom USB dongle that the user has to have connected in order to use the software. It could be a calculation in a critical path that's not compute bound but without which the software is unusable. It could even be a JIT engine that consumes encrypted code and returns polymorphic executable code designed to be near impossible to assemble back into a static binary. Some fabs can make tamper-resistant ASICs with a specialized packaging process that couples the on-chip memory to the package so that opening the package makes the memory unrecoverable for extra security. This level of protection would be effective against all but the most determined and well-funded nation state or competitor.
Nasty for the user, the developer, and the investor all in one!
It seems that many have interpreted the idea that security by obscurity means that any obscurity is completely useless. But I'm sure whoever coined that phrase simply meant that if your only security is obscurity, then you are going to have a bad time.
The reality is, obscurity can be a great additional wall of defense. Something that the real world has known since forever (think hidden safes or unmarked money trucks that rotate their schedules on random intervals).
Did you maybe mean to de-obfuscate?
In this conversation, it was used to mean "flipping the script", to change or reverse something dramatically
The grandparent comment wanted to ask "the opposite question", not "how to make it easier to reverse engineer something", but "how to make it harder to reverse engineer something".
Just a small suggestion, for the image "segmentTagBig", I think it's better to orientate the side-by-side image the same way (i.e. flipping by longer side/central line, instead of shorter side). It took me a while to understand the layout.
A quick photoshop: https://i.imgur.com/ForiIkY.jpg (you can go further and mirror one of the side so every component's location is exactly the same; but that may cause confusion.)
That was an epic read. I loved that. So much knowledge, so much experience brought to bear on the problem.
Large model. SDCC v 4.1 or 4.0.4.
Place two sequential (do not declare anything between them) uint16 vars in __idata
Use both in some math statements
Eventually (after 4-5 statements, once compiler has to start spilling intermediates to RAM), on a read access, SDCC will access the first one when you intend to access the second. (emits two unneeded "dec R0" instructions for no reason)
Declaring the vars as "volatile" helps sometimes, but changing code shape sometimes brings the bugs back. Not placing two u16s in a row into idata seems to avoid it.
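The recipe in the comment above (two adjacent uint16 variables in __idata, then enough chained arithmetic to force spills) can be turned into a self-checking reproducer. The file below is an added example, not the commenter's code: it places the two variables in __idata only when built with SDCC (which predefines the `__SDCC` macro; on a host compiler the storage-class keyword is defined away so the same file builds and serves as the reference), computes the same expression once through the __idata variables and once through locals only, and reports a mismatch. The variable names, the particular arithmetic shape and the claim that this exact shape trips the spill bug are assumptions; the report only says it appears after four or five statements.

```c
/* Self-checking reproducer shaped after the SDCC __idata spill report.
 * Constructed here as an illustration; not the poster's code.
 * Build for the target with e.g.  sdcc -mmcs51 --model-large idata_spill.c
 * (the commenter's setting); on a host compiler IDATA expands to nothing. */
#include <stdint.h>
#include <stdio.h>

#ifdef __SDCC
#define IDATA __idata      /* SDCC: put the variables in internal RAM */
#else
#define IDATA              /* host compiler: ordinary static storage */
#endif

/* Two sequential uint16 variables with nothing declared between them,
 * as the report specifies. */
static IDATA uint16_t g_first;
static IDATA uint16_t g_second;

/* Enough chained statements that the compiler must spill intermediates.
 * Every step reads both variables, so reading g_first where g_second
 * was meant (the reported miscompile) changes the result. */
uint16_t mix_idata(uint16_t x, uint16_t y)
{
    g_first  = x;
    g_second = y;
    g_first  = (uint16_t)(g_first * 3u + g_second);
    g_second = (uint16_t)(g_second ^ (g_first >> 3));
    g_first  = (uint16_t)(g_first - (g_second << 1));
    g_second = (uint16_t)(g_second + g_first * 7u);
    g_first  = (uint16_t)((g_first ^ g_second) + (g_second >> 2));
    return (uint16_t)(g_first + g_second);
}

/* Same arithmetic on locals only; acts as the reference value. */
uint16_t mix_reference(uint16_t x, uint16_t y)
{
    uint16_t a = x, b = y;
    a = (uint16_t)(a * 3u + b);
    b = (uint16_t)(b ^ (a >> 3));
    a = (uint16_t)(a - (b << 1));
    b = (uint16_t)(b + a * 7u);
    a = (uint16_t)((a ^ b) + (b >> 2));
    return (uint16_t)(a + b);
}

/* Runs a handful of constructed inputs through both paths.
 * Returns the number of mismatches: 0 means the compiler read the
 * intended variable every time. */
int check_idata_spill(void)
{
    static const uint16_t inputs[][2] = {
        { 1u, 2u }, { 0u, 0xFFFFu }, { 0x1234u, 0xABCDu }, { 0xFFFFu, 0xFFFFu }
    };
    int mismatches = 0;
    for (unsigned i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint16_t got  = mix_idata(inputs[i][0], inputs[i][1]);
        uint16_t want = mix_reference(inputs[i][0], inputs[i][1]);
        if (got != want)
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    int bad = check_idata_spill();
    printf("idata spill check: %d mismatch(es)\n", bad);
    return bad ? 1 : 0;
}
```

On a host compiler the check trivially passes, which is the point: the same source flashed to the 8051 target gives a pass/fail answer without single-stepping the disassembly, and if it fails, the generated listing for mix_idata is where to look for the stray "dec R0" pair the comment mentions.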
That way I could code from the comfort of my home and watch the axes (this was for a CAT scanner big enough for a horse) move and make sure I didn't ram anything against the physical stops. Plus it was helpful to make sure no one had their hands in the mechanism before I started telling large servomotors to move around.
It worked really well as long as they remembered to leave the lights on before they went home for the day.
The fun I had almost made up for my ridiculously low bid!
Eager to read about it here on HN top in a few months Dmitry!
It's been a long time since I've done this kind of thing. It's almost nostalgic, to read this.
Why didn't the makers of this price label just use a little 10 cent off the shelf microcontroller? I doubt price tags are made in sufficient volume to ever get the engineering costs of a custom microcontroller low enough to go below 10 cents...
Are you sure about that? As a hypothetical example, imagine that Walmart is switching all of their stores over to eInk price tags. I found some numbers from 2005 for number of stores and SKUs per store at https://corporate.walmart.com/newsroom/2005/01/06/our-retail...: multiplying out the number of stores with the average number of items carried gives you 500 million price tags.
I work on the main chip of a gadget that costs thousands of dollars with high margins on the end product, and our customers don't like it one bit when we require an additional external component that increases the BOM cost by $0.5.
There's a person somewhere in the supply chain whose job it is to question the cost and necessity of everything. If you don't have that, engineers get frivolous quickly.
(It reminds me of the case, many years ago, where they asked me if we could swap a crypto chip with dedicated keys by a cheaper generic version that cost 1 cent less.)
10c is about the BOM cost for each of these price tags.
Is there any evidence for this? What volume do you mean by "mass production gadget"?
What has your experience been with the very cheap parts?