To satisfy the differing requirements of different customers, it is often desirable for manufacturers of radio communications devices to offer several different configurations for each "model" of communications product manufactured. A particular model of mobile radio transceiver may have a "basic" or minimal configuration but may optionally be provided with additional or enhanced features at additional cost.
For example, a basic transceiver configuration may provide communications over a limited number of communications channels for basic radio transmitting and receiving functions required by all users. Some users may, however, have additional requirements requiring additional features and capabilities--such as additional communications channels, receiver channel scanning, telephone access (DTMF) capability, etc. The ability of a manufacturer to provide such additional or enhanced features increases the flexibility, versatility, desirability and range of product applications. Since the additional/enhanced features involve additional development cost and provide added value, it is fair to charge customers more for the configurations with enhanced or increased capabilities. Purchasers of the basic model pay a lower price for a more minimal configuration, while users wanting additional features pay an increased price. Several different "enhanced" configurations may be offered to give customers more choices regarding cost and associated value.
In the past, additional features were generally provided by incorporating additional (or different) components and circuitry. For example, channel scanning capability or additional operating channels were sometimes added by installing additional frequency selection circuitry. Transceiver designers conventionally used modular architectures to accommodate additional plug-in modules.
While older radio transceivers required additional circuitry to perform additional, optional functions such as channel scanning, tone activated squelch and the like, modern digital microprocessor controlled transceivers are capable of performing such additional functions under software control with little or no additional circuitry. For example, receiver channel scanning can be implemented by providing an enhanced receiver program control routine controlling the microprocessor to periodically monitor activity on various channels--and additional frequency data can be stored in a "personality PROM" memory device to provide additional transceiver operating channels. Additional tone generating, decoding and control algorithms performed by the microprocessor under control of additional program control software can provide advanced squelch control functions, DTMF and other tone signalling functions, and the like. Other enhancements and capabilities can similarly be implemented with additional software only--so long as the basic configuration includes sufficient necessary supporting functionality.
It would be unfair (and also poor marketing strategy) to require users needing only a minimal transceiver configuration to pay for the high development cost of advanced features and enhancements. Accordingly, for various reasons it is still very much advantageous to offer the purchaser a "basic" lower cost transceiver configuration while permitting him or her to select additional features at higher cost--even though the main (and sometimes the only) difference between the basic and the enhanced transceivers may be the specific program control routines they execute. This strategy allows the manufacturer to offer an "entry level" basic unit at reduced cost, and requires purchasers desiring enhanced operation to bear the additional costs associated with developing and providing the additional features. A still further benefit achieved by this strategy is that overall development, manufacturing and inventory costs are reduced substantially--since the same basic hardware configuration can be used for all models of the product. This cost efficiency can result in lower overall costs to all customers.
For this strategy to be successful, however, purchasers of low cost basic transceiver configurations must not be able to easily modify their units to obtain more expensive features. Otherwise, most purchasers would simply buy the "bottom-of-the-line" model and then modify it to obtain additional features (thereby unfairly obtaining the benefit of features they did not pay for). Thus, an extremely difficult problem arises as to how to prevent unauthorized field upgrading of "lower tier" products (having fewer features) to higher tier products (having more features).
One possible way to prevent purchasers from modifying transceiver units to obtain features they have not paid for is to provide different transceiver configurations, these configurations all having essentially the same hardware but including different program store PROMs (programmable read only memories). This technique provides, in each transceiver configuration, a PROM storing only the subset of the program control instructions and transceiver parameter data associated with the specific configuration. This approach has several disadvantages, however. A major disadvantage is the increased cost of developing, maintaining and supporting the various different versions of the software. Another important disadvantage is that authorized in-the-field transceiver "upgrading" becomes very difficult and time consuming. Ultra-miniaturization provided by modern manufacturing and packaging techniques now makes it possible to inexpensively "pack" hundreds or thousands of components into a very small physical volume (e.g., the interior volume of a hand-held digital radio transceiver). Such assemblies are often extremely difficult, however, to disassemble after they have been assembled at the factory--requiring the appropriate program store memory to be installed at time of manufacture. In addition, a large inventory of various different versions of the program store memory must be maintained, and the final configuration of a particular transceiver must be determined at the time of manufacture.
It would be highly desirable to somehow defer the time particular units are configured (and also allow reconfiguration at a later time). If configuration could occur at or near time of purchase, for example, distributors would only need to keep one model in inventory. This would allow enhanced marketing flexibility in that different tiers of feature combinations could be offered, while maintaining identical hardware and software across the different tiers. It would also be desirable to provide an arrangement such that an "authorized" upgrading of features could be accomplished quickly and easily in the field without necessitating disassembly of the product. Moreover, it would be desirable to provide the manufacturer with the ability to sell operational software and functional feature upgrades on a per radio product (transceiver) basis without requiring the establishment and maintenance of a customer-product data base.
It is also known in certain prior art devices to enable or disable functions by substantially irreversibly modifying circuitry. For example, electronic equipment circuit boards can be designed such that the cutting of specific conductive traces will activate or deactivate various features. Besides the obvious disadvantages of being difficult, inconvenient and time consuming for the vendor or distributor to implement (e.g., a soldering iron or razor blade is needed to change the configuration), the arrangement provides no protection against unauthorized modifications by an unscrupulous customer.
Likewise, it is also generally known to set configurations by selecting continuity/discontinuity between processor-readable connections. For example, it is common for manufacturers of boards for personal computers to include so-called DIP (dual in-line package) switches or jumpers on their boards to allow the user to set parameters (e.g., bus address, interrupt, or the like) associated with the hardware. Such switches/jumpers may in some cases be used to provide information (e.g., "my address is" or "my hardware configuration is") to the processor communicating with the hardware (thus allowing the system to automatically "configure" itself under software control upon power up, for example). Of course, jumpers and DIP switches are designed such that it is easy to change the configurations they select. As a cost-saving measure, some manufacturers may in the past have eliminated the jumpers and/or DIP switches altogether and, instead, provided PC board pathways the user or installer must cut or scrape off to provide bus address information or the like. These arrangements are often troublesome to implement, as discussed above, and are therefore typically reserved for the cheapest of devices. Moreover, it is unclear how jumpers or DIP switches could be used to specify radio configuration on the hardware level at time of radio purchase while preventing users from later changing the specified configuration.
The following is a by no means exhaustive list of possibly "relevant" prior patents and publications:
U.S. Pat. No. 4,525,865--Mears
U.S. Pat. No. 4,658,093--Hellman
U.S. Pat. No. 4,862,156--Westberg et al.
U.S. Pat. No. 5,023,936--Szczutkowski et al.
U.S. Pat. No. 4,941,174--Ingham
U.S. Pat. No. 5,062,132--Yasuda
U.S. Pat. No. 5,153,919--Reeds, III et al.
U.S. Pat. No. 5,068,894--Hoppe
U.S. Pat. No. 5,109,403--Sutphin
U.S. Pat. No. 4,799,635--Nakagawa
U.S. Pat. No. 3,959,610--Finnegan et al.
U.S. Pat. No. 4,378,551--Drapac
U.S. Pat. No. 4,392,135--Ohyagi
U.S. Pat. No. 4,247,951--Hattori et al.
U.S. Pat. No. 4,254,504--Lewis et al.
U.S. Pat. No. 4,510,623--Bonneau et al.
U.S. Pat. No. 4,688,261--Killoway et al.
U.S. Pat. No. 4,618,997--Imazeki et al.
U.S. Pat. No. 4,771,399--Snowden et al.
U.S. Pat. No. 4,484,355--Henke et al.
U.S. Pat. No. 4,555,805--Talbot
U.S. Pat. No. 4,670,857--Rackman
U.S. Pat. No. 4,446,519--Thomas
U.S. Pat. No. 4,246,638--Thomas
U.S. Pat. No. 4,638,120--Herve
U.S. Pat. No. 4,621,373--Hodson
U.S. Pat. No. 4,593,155--Hawkins
U.S. Pat. No. 4,864,599--Saegusa et al.
U.S. Pat. No. 5,029,207--Gammie
U.S. Pat. No. 4,811,377--Krolopp et al.
U.S. Pat. No. 5,077,790--D'Amico et al.
U.S. Pat. No. 5,091,942--Dent
U.S. Pat. No. 5,120,939--Claus et al.
U.S. Pat. No. 5,132,729--Matsushita et al.
U.S. Pat. No. 5,148,485--Dent
U.S. Pat. No. 5,150,412--Maru
U.S. Pat. No. 4,633,036--Hellman
U.S. Pat. No. 4,633,036--Hellman et al.
U.S. Pat. No. 4,424,414--Hellman et al.
U.S. Pat. No. 4,218,582--Hellman et al.
U.S. Pat. No. 4,200,770--Hellman et al.
U.S. Pat. No. 4,897,875--Pollard et al.
"DYNA T-A-C 6000X Universal Mobile Telephone", Motorola (1984)
Groh, "The µP: The Key to an Advanced Frequency Synthesized HF SSB Amateur Radio Transceiver", IEEE Transactions on Consumer Electronics Vol. CE-26 (1980).

U.S. Pat. No. 4,525,865 to Mears discloses an arrangement whereby a non-volatile memory within a mobile radio transceiver can be reprogrammed without physical entry into the transceiver or removal of components to provide the radio with additional operational options (e.g., tone or digital addresses, carrier control timers, or the like). However, if such reprogramming were used to provide optional advanced features, there may be nothing (other than the copyright laws) preventing an intelligent purchaser from downloading upgrade information into the internal non-volatile memory of another transceiver of identical or compatible hardware (thus effectively obtaining non-purchased benefits of the upgrade for another transceiver). Accordingly, the Mears solution is highly effective to permit customization of transceiver "personality" information (i.e., transceiver operating parameters), but may have a somewhat more limited utility in selecting the basic set of operational features to be provided in particular transceivers.
U.S. Pat. No. 4,941,174 to Ingham, mentioned in the preceding list, provides a highly suitable and successful solution to the problem of configuring a digital radio transceiver subsequent to time of manufacture. In that arrangement, a single "base" transceiver unit is manufactured, this transceiver base unit being common to all of several different transceiver configurations. Different transceiver front panel "escutcheon plates" carrying different control configurations (e.g., buttons and other controls) are provided for the different transceiver configurations. The escutcheon plate modules corresponding to all but the "basic" configuration also carry a "security circuit" which communicates with the transceiver microprocessor within the base unit at certain times (e.g., during transceiver "power up"). Different security circuits are provided for the different escutcheon plate configurations, each of the different security circuits permuting signals sent to them in a different way. The purchaser cannot obtain additional functionality by merely providing additional controls--he must also provide the security circuit corresponding to the new control configuration. Great security is provided against tampering with or defeating of the security circuit because the permutation function performed by the circuit is complex and emulation would require sophisticated techniques and/or a physically large circuit.
While the Ingham arrangement is highly successful in its own right, further improvements are possible. In particular, the escutcheon plates used in the Ingham arrangement are somewhat expensive to manufacture, since they may carry entire electromechanical switch assemblies, electrical connectors, and (for units having "optional" features) an electronic security circuit.
Another approach is found in U.S. Pat. No. 5,023,936 to Szczutkowski et al. In this approach, the same basic transceiver unit is used for several different transceiver feature configurations. This "basic" transceiver unit includes all of the software controlled features and functions of the "top of the line" transceiver feature configuration and thus provides a superset of the features and functions provided by the other transceiver "models." In addition, this basic transceiver unit is also provided with a mechanism for irreversibly selecting a subset of the total software controlled features provided in the basic transceiver unit--this selection mechanism being operable from outside of the transceiver case. Once made, the selection is difficult or impossible to reverse--preventing a purchaser from defeating the selection in an attempt to enable additional transceiver functions. While this technique is also highly advantageous, reconfiguration of an already configured unit is not possible due to the irreversibility of the selection.
The method and apparatus for feature authorization encryption and software copy protection in accordance with the present invention overcomes these problems while providing additional benefits.
Briefly, the present invention provides digital radio communications device security arrangements that permit an authorized user to access standard communications functions (as well as additional functions the user requests at time of purchase of the radio or subsequently requested as an upgrade at a later time) while preventing unauthorized users from accessing the additional functions. The invention also provides software copy protection arrangements in program controlled digital radio transceivers of the type that perform various functions under control of internally stored program control instructions, and arrangements for allowing RF communications products that have identical hardware to be efficiently field upgraded with different combinations of "optional" features, while preventing unauthorized copying and/or downloading of upgraded program control information.
In accordance with one aspect of the present invention, each individual radio transceiver is provided with a read-only storage device having (e.g., storing) an associated unique identifying bit pattern (e.g., a "serial number" ROM). A value is uniquely computed for each individual transceiver unit based on two inputs: a "feature enabling code" bit pattern specifying the particular functional features purchased by the customer, and the unit-identifying bit pattern. This value (which corresponds uniquely to a particular transceiver unit and indicates a particular feature list or level authorized for that unit) is computed based on a predetermined "secret" (albeit conventional) data transformation known only to the manufacturer. The feature enabling code specifying the features to be enabled and the unique computed value are then preferably encrypted using a randomly chosen "shrouding seed." The unique computed value is loaded (along with the "shrouding seed") into a Feature Authorization Table stored in a non-volatile memory (e.g., "Personality PROM") within the radio transceiver.
On transceiver power-up, a feature authorization routine decrypts the contents of the Feature Authorization Table to obtain a "clear" version of the feature enabling code; and also generates its own version of the unique computed value from the identifying bit pattern (e.g., serial number) stored in ROM, and from the decrypted feature enabling code from the Feature Authorization Table. The feature authorization routine uses the same "secret" data transformation operation used to calculate the computed value originally. The value computed by the transceiver is then compared to the previously computed value stored in the Feature Authorization Table. If the values are identical, transceiver operations are permitted to use the designated features. However, if the transceiver computed value does not match the stored value, the transceiver operates with only the most basic functions and disables all advanced and enhanced features.
The provision of a serial number ROM which effectively "embeds" a unique identifying bit pattern into the hardware of each transceiver unit allows the data transformation operation to uniquely identify individual radio transceivers while effectively preventing tampering with this identification. Providing the unique identifying bit pattern in hardware ("firmware") is desirable to protect against the copying (downloading) of the software or the "personality" code of one radio into another radio thereby defeating the protection. Since the computed value is a function of both the feature enabling code and the unique device specific identifying bit pattern, changing even a single bit of the feature enabling code will cause the comparison to fail. Accordingly, any change in the feature enabling code requires a new computed value, which is only available from the manufacturer. This arrangement effectively prevents unauthorized modifications to the feature enabling code (for example, to obtain additional non-purchased features) and allows the manufacturer to provide various combinations of features on a "per product" basis. Moreover, encrypting the computed data and the feature enabling code provides additional protection against unscrupulous "hacking" or reverse engineering of the proprietary data transformation algorithm used to compute the value for comparison.
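The issue-and-verify flow described in the preceding paragraphs, as an added example that is not part of the original text. HMAC-SHA256 under a constructed manufacturer key stands in for the unspecified "secret" data transformation and a SHA-256 keystream stands in for the shrouding step; the table layout, field sizes, serial numbers, feature bits and function names are all assumptions.

```python
import hashlib
import hmac
import os

# Assumptions (not from the page): HMAC-SHA256 stands in for the "secret"
# data transformation, and a SHA-256-derived keystream for the shrouding step.
MANUFACTURER_KEY = b"constructed-demo-key"   # constructed sample value
BASIC_FEATURES = 0x0000                       # fallback: basic functions only
SEED_LEN, CODE_LEN, TAG_LEN = 4, 2, 8         # assumed table field sizes

def computed_value(serial: bytes, feature_code: int) -> bytes:
    """Value bound to both the unit's serial number and its feature code."""
    msg = serial + feature_code.to_bytes(CODE_LEN, "big")
    return hmac.new(MANUFACTURER_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]

def _shroud(seed: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from the seed (self-inverse)."""
    stream = hashlib.sha256(b"shroud" + seed).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))

def issue_table(serial: bytes, feature_code: int, seed=None) -> bytes:
    """Factory side: build the Feature Authorization Table for one unit."""
    seed = seed if seed is not None else os.urandom(SEED_LEN)
    code = feature_code.to_bytes(CODE_LEN, "big")
    return seed + _shroud(seed, code + computed_value(serial, feature_code))

def power_up_features(serial_rom: bytes, table: bytes) -> int:
    """Radio side: return the authorized feature code, or the basic set."""
    if len(table) != SEED_LEN + CODE_LEN + TAG_LEN:
        return BASIC_FEATURES
    seed, body = table[:SEED_LEN], table[SEED_LEN:]
    clear = _shroud(seed, body)
    code = int.from_bytes(clear[:CODE_LEN], "big")
    stored = clear[CODE_LEN:]
    # Recompute from this unit's own serial ROM and compare in constant time.
    if hmac.compare_digest(stored, computed_value(serial_rom, code)):
        return code
    return BASIC_FEATURES

def demo() -> dict:
    serial_a, serial_b = b"SN-000123", b"SN-000456"   # constructed serials
    scan_and_dtmf = 0x0005                             # constructed feature bits
    table = issue_table(serial_a, scan_and_dtmf)
    tampered = bytearray(table)
    tampered[SEED_LEN + 1] ^= 0x02                     # flip one feature bit
    return {
        "genuine": power_up_features(serial_a, table),
        "cloned": power_up_features(serial_b, table),   # table copied to another unit
        "tampered": power_up_features(serial_a, bytes(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

Because the seed is stored next to the shrouded data, the shroud only obscures the table contents; the rejection of cloned and modified tables comes from the computed value being bound to the serial number.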