
Enable readout protection using system memory bootloader

HMont.12
Associate

I have been using the STM32 serial bootloader, instead of coding my own bootloader, for a while now. But lately I wanted to protect my code, so I tried to enable readout protection (RDP) level 1. This is meant to prevent the user from reading the flash.

However, after a few attempts, it seems that it is not possible to use this system memory bootloader to enable RDP, then start running the code that I put in the flash.

From what I understand, running the flash is considered "debugging" access, and is prevented when RDP is active. Is there a way to get around this? I would like to protect my code from "basic" read access (like JTAG) without coding my own bootloader.

Thanks

2 REPLIES

The system loader should be able to write the options bytes. You might have to power cycle for RDP.

And you could always have your own code check the options bytes, and write the locked setting if required.

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..

> You might have to power cycle for RDP.

This. Once RDP level 1 is set, any debugger (JTAG/SWI) access effectively halts the CPU. I don't have experience using the built-in bootloader to enable that feature, but I wouldn't be surprised if it enforced the same behavior.

[EDIT] Crud - just re-read @Community member's response as I hit reply. So I basically duplicated his answer with my answer below. Sorry. My first read I thought he meant "use your own [bootloader] code". Need... more.... coffee...

Another option is to have your firmware change the setting itself on startup. It can read the option bytes and check if RDP 0 is active, and if not, set RDP level 1 and then reboot the CPU. This is how ST's SBSFU (secure boot, secure firmware update) code works. Hopefully obviously, you will need to disable that feature for debug versions of the code.
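The startup self-check that both replies describe, as an added example that is not code from the thread or from ST's SBSFU: it programs RDP level 1 only when the option byte still reads as level 0, skips debug builds, and reports a failed write instead of resetting. Assumptions: the `rdp_ops_t` hooks, `ensure_rdp_level1()` and the `sim_*` backend are hypothetical names, and the byte encoding (0xAA = level 0, 0xCC = level 2, anything else = level 1) is the one used on many STM32 families and must be checked against the reference manual for your part.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed RDP byte encoding; confirm in the reference manual for your part:
   0xAA = level 0, 0xCC = level 2 (irreversible), any other value = level 1. */
#define RDP_BYTE_LEVEL0 0xAAu
#define RDP_BYTE_LEVEL2 0xCCu
#define RDP_BYTE_LEVEL1 0x55u  /* chosen value that is neither 0xAA nor 0xCC */

typedef enum {
    RDP_SKIPPED_DEBUG,      /* debug build: protection left untouched */
    RDP_ALREADY_PROTECTED,  /* level 1 or 2 already set, nothing written */
    RDP_PROGRAMMED,         /* level 1 written: caller must reset / power cycle */
    RDP_FAILED              /* write failed: do not reset, or the device loops */
} rdp_result_t;

/* Hypothetical hardware hooks: on target, back these with the vendor flash driver. */
typedef struct {
    uint8_t (*read_rdp)(void);        /* current RDP option byte */
    int     (*write_rdp)(uint8_t v);  /* unlock, program, lock; 0 on success */
} rdp_ops_t;

/* Call early in startup, before any code that should stay unreadable runs. */
rdp_result_t ensure_rdp_level1(const rdp_ops_t *ops, int debug_build)
{
    if (debug_build)
        return RDP_SKIPPED_DEBUG;          /* keep the debugger usable */
    if (ops->read_rdp() != RDP_BYTE_LEVEL0)
        return RDP_ALREADY_PROTECTED;      /* never rewrite level 1 or level 2 */
    if (ops->write_rdp(RDP_BYTE_LEVEL1) != 0)
        return RDP_FAILED;
    return RDP_PROGRAMMED;
}

/* Constructed host-side simulation of the option byte, for running off-target. */
static uint8_t sim_rdp = RDP_BYTE_LEVEL0;
static int     sim_write_fails = 0;
static uint8_t sim_read(void) { return sim_rdp; }
static int     sim_write(uint8_t v) { if (sim_write_fails) return -1; sim_rdp = v; return 0; }
static const rdp_ops_t sim_ops = { sim_read, sim_write };

int main(void)
{
    printf("first boot:  %d\n", (int)ensure_rdp_level1(&sim_ops, 0));
    printf("second boot: %d\n", (int)ensure_rdp_level1(&sim_ops, 0));
    return 0;
}
```

On `RDP_PROGRAMMED` the caller still has to reset or power cycle the part, as the first reply notes, before the new level takes effect.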