FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STM32F429ZIT6 reports wrong bootloader version 3.1 (only 7.x and 9.x should be possible according to AN2606 datasheet)

reversiverse
Associate II

‎2019-12-12 08:20 AM

I'm trying to make communication with bootloader according to AN2606 and AN3155 datasheets.

This small python program sends the Get command (0x00 0xFF) to get available commands and the bootloader version: (starts with 0x7f to select UART bootloader first, so it works just after reboot into bootloader) :

https://pastebin.com/9SUMQrVC

The result is (returns values for "Get" command), but NACK (causing exception) for "Get Version and Read Protection":

(N)ACK:  b'y'
UART selection ACKed
XOR checksum: b'\xff'
Command Acked
Result: 14 bytes, 0xb 0x31 0x0 0x1 0x2 0x11 0x21 0x31 0x44 0x63 0x73 0x82 0x92 0x79
XOR checksum: b'\xff'
Command Nacked
Traceback (most recent call last):
  File "./boot_serial/request_version.py", line 58, in <module>
    s = send_command_print(ser, b"\x01\xfe")
  File "./boot_serial/request_version.py", line 50, in send_command_print
    s = send_command(ser, cmd_bin, expected)
  File "./boot_serial/request_version.py", line 37, in send_command
    raise RuntimeError("Command failed")
RuntimeError: Command failed

The second byte in result (starting with 0xb 0x31) is the 3.1 bootloader version. Strange thing that it reports the number of bytes wrong (0xb == 11), but there are actually 12 bytes not including the ACK at end (strange that datasheet also shows 11 in example while having extra byte.

The following bytes in response means though command like 0x01 (Get version and RDP) is available. The MCU has RDP 0, so all commands should be allowed. However no matter what I try, the Get version and RDP always returns NACK.

If the bootloader version does not match version described in datasheet, there is something weird, but it seems the other commands should be available (NACK for the 0x01 Get version and RDP returns NACK also if is sent first, so order does not matter).

Quite confused by this behavior right now.

Labels:
0 Kudos
2 REPLIES 2
reversiverse
Associate II

‎2019-12-12 02:32 PM

I have now STM32F03F4P6 connected over USB-serial to its serial port in bootloader mode and the strangest thing is that the result of "Get" command is exactly the same as the F429 above, claims same bootloader version 3.1 (0x31 in Get output) which shouldn't exist for that MCU according to AN2606. "Get version & RDP" has the same error, although the F0 is unlocked and has RDP0:

XOR checksum: b'\xff'
Command Acked
Result: 14 bytes, 0xb 0x31 0x0 0x1 0x2 0x11 0x21 0x31 0x44 0x63 0x73 0x82 0x92 0x79
XOR checksum: b'\xff'
Command Nacked
Traceback (most recent call last):
  File "./boot_serial/request_version_stm32f0_chipwhisperer.py", line 58, in <module>
    s = send_command_print(ser, b"\x01\xfe")
  File "./boot_serial/request_version_stm32f0_chipwhisperer.py", line 50, in send_command_print
    s = send_command(ser, cmd_bin, expected)
  File "./boot_serial/request_version_stm32f0_chipwhisperer.py", line 37, in send_command
    raise RuntimeError("Command failed")
RuntimeError: Command failed

0 Kudos
reversiverse
Associate II

‎2019-12-14 01:45 PM

The STM32F serial programmer from Chipwhisperer doesn't write the extra XOR checksum, yet somehow works without it. When I write the commands to the serial port, it doesn't work without the extra checksum. But only "Get" works for me.

Chipwhisperer STM32F serial source: https://github.com/newaetech/chipwhisperer/blob/develop/software/chipwhisperer/hardware/naeusb/programmer_stm32fserial.py

Captured trace from logic analyzer for the Chipwhisperer STM32F serial programmer (you can see there is no extra XOR checksum that would make the XOR of all bytes == 0; channel 1 is TX, channel 0 is RX) :

0690X00000BucfDQAR.png

0 Kudos
Top