Hello @Peter Senna Tschudin, theoretically, this can be achieved by creating a generic account with at least contributor permissions and sharing the account with all printer owners. This would enable the owners to enable development mode and manage the individual devices. This is NOT recommended and is against the security principles of Azure Sphere, as any rogue user can use the same account to access other users' devices and cause disruption.
Azure Sphere: can I offer a product with a developer mode?

I want to make an Azure Sphere 3D printer based on the MT3620. The value proposition is to offer a professional printing experience with updates and some pretty cool cloud capabilities.
However I also want to empower the printer owner to flash their own firmware, so that they can hack the printer to their own liking. How can I do that with Azure Sphere? How can I offer the printer owner the supported, but locked-in experience and a developer mode in which the owner has control over the software stack?
Thank you!
Azure Sphere
QuantumCache 20,366 Reputation points Moderator
2021-07-14T07:13:37.013+00:00 Hello @Peter Senna Tschudin This is a great question!
I hope you have already visited this element14 page: Bringing Intelligence to 3D Printers! A Hitchhiker's guide to Predictive Maintenance through Azure Sphere.
Credit: @AshokPeddakotla-MSFT
How can we secure devices and make sure they stay secure?
That's where Azure Sphere -- Microsoft's defense-in-depth IoT platform that mixes hardware, software, and the cloud to protect your devices and your network -- comes in. Ref
However I also want to empower the printer owner to flash their own firmware, so that they can hack the printer to their own liking. How can I do that with Azure Sphere?
I am assuming Azure Sphere customers can choose from your company's portal to install the compatible firmware or the extensions on the printer. Once the request is submitted on the company's portal, the firmware or the piece of code can be pushed to the device OTA via Azure Sphere secure connectivity. (In this scenario I am assuming the actual IoT device is receiving all OTA updates via the Azure Sphere device.) Let me know if my understanding is correct.
The Azure Sphere-certified microcontrollers are available from various silicon manufacturers and vendors.
To keep the device secure, there's no general-purpose file access and no shell. You can only interact with your device through the Azure components of the Azure Sphere service or through debugging services on a device that's connected to a developer's PC.
Also, see this Hackster page to get inspiration on various scenarios.
Secure Everything with Azure Sphere with Avnet and Microsoft
Also, give a read to the blog below, written by "Daniel Krzyczkowski", on Azure Sphere.
https://www.predicagroup.com/blog/azure-sphere-iot/
Please comment in the below section, if you need further help in this matter.
If the response is helpful, please click "Accept Answer" and upvote it.
Chandranmsft 856 Reputation points
2021-07-27T17:49:53.54+00:00 Hi @Peter Senna Tschudin - Thank you for your patience while we explore a potential solution for you. The Azure Sphere product team is looking for ways to help customers claim devices across multiple tenants or transfer ownership effortlessly. Unfortunately, we don't currently have a solution that can help with your scenario. I have forwarded your feedback/scenario to the team and am happy to share additional information once I have additional information on resolution.
Regards,
Chandra
Peter Senna Tschudin 6 Reputation points
2021-07-14T09:02:03.867+00:00 Hi @QuantumCache, thank you for the prompt answer. About the element14 article, it is interesting, but not what I have in mind. In the article the architecture is something like:
MT3620 board -> Rpi -> printer MCU
While the architecture I have in mind is:
MT3620 board
I want to use the Cortex-M of the MT3620 to drive the printer, so it is an elegant single chip design.
But back to my question about the developer mode. I want to empower the printer owner with full control of the printer without me being in the way. I want the owner to start Visual Studio, and be able to reprogram the printer without any restrictions (with the exception of the restrictions inherent to the Azure Sphere itself). So out of the box, the printer offers a professional experience with updates and security. But for those who want to hack the printer I want them to have full control over the MT3620. Then if in the future they want to get back to that professional experience, they could do so as well.
Another way to ask the same question is: Can I allow the owner to claim his printer? And then can I allow the owner to ask me to claim it back?
Thank you!
Peter Senna Tschudin 6 Reputation points
2021-07-15T13:21:40.33+00:00 @Anonymous thank you! One generic account for all printers does not seem to be a viable alternative.
I see a few ways to move forward:
1 - Sell the printer without software, and have all owners flash the firmware themselves. This has the downsides that each user will require an MS account, and the first-time experience will be compromised. This can also lead to problems related to transfer of ownership of the printer, and to issues caused by loss of access to the MS account. This can also be an issue in corporate environments, as the MS account associated with the printer should not be that of an employee.
2 - Sell a separate board for development. The printer comes out of the box with the professional experience, and the owner can buy an extra board for development. This creates logistics challenges, as guaranteeing the availability of the dev board is complex and likely expensive.
3 - Ship two boards with all printers (or design the PCB with two MT3620 and some multiplexer wizardry). The board that goes installed with the printer offers the professional and supported experience. But if the user wants to hack the printer, the development board is always at hand. This feels like the best option, but there are obvious cost considerations.
4 - Find the proper way to allow different entities to claim the printer during the printer lifetime.
The fourth option is the one that I am looking for help to sort out. Can you help me come up with a proposal that empowers the user to switch back and forth between supported and development mode?
Thank you!