Electronic devices having embedded computer systems are now part of everyday life. Examples of such devices include automatic teller machines (ATMs), mobile telephones, printers, photocopiers, handheld calculators, microwave ovens, televisions, DVD players, washing machines, handheld game consoles, etc. Broadly speaking, embedded computer systems are characterized by providing a function (or functions) that is not itself a computer.
Generally, an embedded system contains special-purpose hardware and a processor (CPU) supporting a real-time operating system (RTOS). The system is programmed with special-purpose software tailored to meet the requirements for that particular system. Typically, software written for an embedded system is referred to as ‘firmware’. Since electronic devices are expected to run continuously for many years without errors, firmware is usually developed and tested more rigorously than software for computers.
Aside from the obvious operational advantages of an embedded computer system, there is a considerable advantage offered in terms of the manufacture and distribution of various product lines. When a new product is released onto the market, it is often desirable to release the product in different versions, each version having a price commensurate with that particular version. For example, a first product may have Feature X, while a second product may have Features X, Y and Z.
In terms of manufacturing, it is relatively expensive to have one production line dedicated to a first product and another production line dedicated to a second product. It is cheaper to manufacture a single product type that includes the necessary hardware for supporting Features X, Y and Z in all products. In this scenario, various product lines may be differentiated via their embedded firmware. The firmware provides a much cheaper means for differentiating between a range of products, compared to the hardware. Moreover, the firmware allows users to upgrade their devices without having to buy a new device. For example, an authorized Internet download via a personal computer may be used to provide an upgrade, which enables Features Y and Z in a product purchased originally with only Feature X.
However, an inherent problem with embedded firmware is that it is susceptible to malicious attack from hackers or willful copyright infringers offering unauthorized firmware upgrades. For example, an unauthorized firmware upgrade may be freely distributed over the Internet, allowing users to upgrade their devices free of charge.
One way of circumventing this problem is to provide upgrades not via the firmware itself, but via an authentication chip in the device. The use of an authentication chip (‘QA chip’) in a printer environment was described in our earlier applications listed below, the contents of which are herein incorporated by reference:
10/727,251; 10/727,159; 10/727,180; 10/727,179; 10/727,192; 10/727,274; 10/727,164; 10/727,161; 10/727,198; 10/727,158; 10/754,536; 10/754,938; 10/727,227; 10/727,160; 10/296,522; 6,795,215; 10/296,535; 09/575,109; 6,805,419; 6,859,289; 6,977,751; 6,398,332; 6,394,573; 6,622,923; 6,747,760; 6,921,144; 10/884,881; 10/943,941; 10/949,294; 11/039,866; 11/123,011; 6,986,560; 7,008,033; 11/148,237; 11/248,435; 11/248,426; 11/298,630; 09/517,539; 6,566,858; 6,331,946; 6,246,970; 6,442,525; 09/517,384; 09/505,951; 6,374,354; 09/517,608; 09/505,147; 6,757,832; 6,334,190; 6,745,331; 09/517,541; 10/203,559; 10/203,560; 10/203,564; 10/636,263; 10/636,283; 10/866,608; 10/902,889; 10/902,833; 10/940,653; 10/942,858; 10/854,514; 10/854,519; 10/854,513; 10/854,499; 10/854,501; 10/854,500; 10/854,502; 10/854,518; 10/854,517
As described in our earlier applications, QA chip(s) in a printer perform an array of functions in a secure environment. A QA chip in a print cartridge may be used to allow operation of the printer only in a licensed manner. For example, a printer A may be licensed to print at 10 pages per minute, while a printer B may be licensed to print at 30 pages per minute. The hardware in each printer is identical, but the QA chip allows each printer to be differentiated. Moreover, since the QA chip stores its data in a secure, authenticated fashion, it can only be upgraded or replaced by an authentic source. Hence, the QA chip provides protection against attack from unlicensed users.
A QA chip mounted on an ink cartridge may be used to guarantee that the ink contained in the cartridge is from a particular source or of a particular quality, thereby ensuring that incorrect ink, which may damage the printhead, cannot be used. The same QA chip may similarly be used to store dynamically in its memory a quantity of ‘virtual ink’ remaining in the cartridge, determined with reference to the initial quantity of ink in the cartridge and the number of dots printed using that ink. The quantity of ‘virtual ink’ provides a security mechanism for the printer and prevents unauthorized refilling of ink cartridges—the firmware in the printer communicates with the ink cartridge QA chip before printing and if the amount of ‘virtual ink’ is insufficient, the printer will not print. In this way, the quality of ink can be assured and risk of damaging the printhead using low quality ink from an unauthorized refill is minimized.
QA chips provide an excellent means for preventing unauthorized uses of electronic devices. However, the security of QA chips relies on firmware in the embedded system communicating with the chip. It is conceivable that the most determined hacker may be able to modify the firmware and override its communication with the QA chip(s) in the device. In this scenario, the security provided by the QA chip would be compromised. In the above example, unauthorized refills of ink cartridges would be possible, irrespective of the presence of a QA chip on the ink cartridge.
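The 'virtual ink' check described above, as an added example that is not taken from the original application: a toy model in which the chip's counter can only decrease and the firmware authenticates each reading before it agrees to print. The shared HMAC key, the nonce-based read and all class names are assumptions made for illustration; the page does not specify the QA chip protocol.

```python
import hashlib
import hmac
import os

class QAChip:
    """Toy cartridge chip: holds a decrement-only 'virtual ink' counter (in dots)."""
    def __init__(self, key: bytes, initial_dots: int):
        self._key, self._remaining = key, initial_dots

    def read_ink(self, nonce: bytes):
        # Authenticate the value together with the caller's fresh nonce.
        msg = nonce + self._remaining.to_bytes(8, "big")
        return self._remaining, hmac.new(self._key, msg, hashlib.sha256).digest()

    def consume(self, dots: int) -> bool:
        if dots < 0 or dots > self._remaining:
            return False          # never goes negative, never refills
        self._remaining -= dots
        return True

class ReplayingChip(QAChip):
    """Constructed failure case: answers every read with one recorded reply."""
    def __init__(self, recorded):
        self._recorded = recorded

    def read_ink(self, nonce: bytes):
        return self._recorded

class PrinterFirmware:
    def __init__(self, key: bytes, chip: QAChip):
        self._key, self._chip = key, chip

    def authenticated_ink(self) -> int:
        nonce = os.urandom(16)    # fresh per read, so old replies do not verify
        remaining, tag = self._chip.read_ink(nonce)
        msg = nonce + remaining.to_bytes(8, "big")
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("QA chip response failed authentication")
        return remaining

    def print_job(self, dots: int) -> bool:
        # The refusal to print is a firmware decision, which is why the
        # chip's guarantees depend on the firmware itself being unmodified.
        if self.authenticated_ink() < dots:
            return False
        return self._chip.consume(dots)
```

The authenticated counter protects the data held on the chip, while the decision to act on it sits in `print_job`, which is the dependency on firmware integrity that the paragraph above identifies.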
It may seem unlikely that such a determined attack on an embedded computer system would be made. However, in the printer market, the sale of unauthorized ink refills is becoming a multimillion dollar industry and provides considerable motivation for a malicious attack on any security systems built into a printer. From the point of view of a printer manufacturer, the use of low quality ink in its printers, resulting in poor print quality and shortened printhead lifetime, has the potential to do incalculable damage to its goodwill and reputation in the printer market.
It would therefore be desirable to provide an electronic device, having an embedded computer system, with improved security from malicious attack.
It would further be desirable to provide such an electronic device, which still allows flexibility for firmware upgrades or even installation of an alternative core RTOS downstream of the device manufacturer.
It would further be desirable to provide a simple means for upgrading firmware in PictBridge printers.