
Can I implement STM32F7 bank switch via option bytes and Level2, chip protection?

ASiem.3
Associate II

Hi,

We are using dual bank mode for stable firmware update. We simply set bootaddr0 in option bytes to the opposite bank and reboot the new firmware. Everything works fine.

Now we want to enable Level2 chip protection for security reasons. Now I read that one cannot change option bytes in Level2 protection mode.

The question is whether this still works in Level2 protection mode. And if not, how do you implement a bank switch in Level2 protection mode?

Here is the current code:

    // Check current setup and toggle boot address
    if( flash_getBankInfo() != 1 ){
       obInit.BootAddr0 = BANK1_ADDR;
    }
    else {
       obInit.BootAddr0 = BANK2_ADDR;
    }

    // Program new boot address
    obInit.OptionType = OPTIONBYTE_BOOTADDR_0;
    rc = HAL_FLASHEx_OBProgram(&obInit);

5 REPLIES
GLASS
Senior

I think that updating option bytes for each update is not a good idea.

What can happen if power is lost or an unexpected event occurs during this critical write?

Combined with RDP2 level, if you lose the dualbankmode option you can brick the board...

On F4 we use remap to swap banks from our bootloader.

Using a RAM function is necessary to avoid a bad fetch during the bank swap.

See AN4767 (not for F7, so you need to have a look in the RM to adapt...)

Piranha
Chief II

> we are using dual bank mode for stable firmware update.

Not only do you not need the dual bank and dual boot feature for reliable firmware update, but it's actually harder to do that with dual boot.

The reference manual shows very clearly that at RDP level 2 option bytes cannot be modified. And, as GLASS already said, it's a bad idea in general, because it is dangerous and also wears out flash for option bytes uselessly.

https://community.st.com/s/question/0D53W00000LeYBeSAN/booting-with-dual-flash-banks-vs-bank-swap

Just implement a normal bootloader:

https://community.st.com/s/question/0D50X0000AFpTmUSQV/using-nvicsystemreset-in-bootloaderapplication-jumps
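
Added example, not code from the thread or from ST: a host-runnable sketch of the slot selection a fixed bootloader can perform on every reset instead of rewriting BootAddr0, so nothing in the update path needs an option byte write once RDP level 2 is set. The header layout, magic value, 64-byte slot size and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IMG_MAGIC 0x494D4731u /* hypothetical marker */
#define SLOT_SIZE 64u         /* tiny constructed slot; real slots are flash banks */
typedef struct {              /* hypothetical header at the start of each slot */
    uint32_t magic, seq;      /* seq rises with every release */
    uint32_t length, crc;     /* payload size and CRC-32 of the payload */
} img_hdr_t;

static uint32_t crc32_calc(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Host-side stand-in for the updater: writes a constructed image into a slot. */
int slot_write(uint8_t *slot, uint32_t seq, const void *data, uint32_t len)
{
    if (len > SLOT_SIZE - sizeof(img_hdr_t)) return -1;
    img_hdr_t h = { IMG_MAGIC, seq, len, crc32_calc(data, len) };
    memset(slot, 0xFF, SLOT_SIZE);                /* erased flash reads 0xFF */
    memcpy(slot, &h, sizeof h);
    memcpy(slot + sizeof h, data, len);
    return 0;
}

/* 1 if the slot holds a complete, uncorrupted image; header copied to *h. */
static int slot_valid(const uint8_t *slot, img_hdr_t *h)
{
    memcpy(h, slot, sizeof *h);
    if (h->magic != IMG_MAGIC) return 0;
    if (h->length > SLOT_SIZE - sizeof *h) return 0;  /* bound before CRC */
    return crc32_calc(slot + sizeof *h, h->length) == h->crc;
}

/* Run on every reset: newest valid image wins, -1 = stay in the bootloader. */
int select_slot(const uint8_t *s0, const uint8_t *s1)
{
    img_hdr_t h0, h1;
    int v0 = slot_valid(s0, &h0), v1 = slot_valid(s1, &h1);
    if (v0 && v1) return h1.seq > h0.seq ? 1 : 0;
    return v0 ? 0 : (v1 ? 1 : -1);
}
```

The CRC only catches interrupted or corrupted writes; it does not authenticate the image, so a device that accepts updates over an untrusted channel needs a signature check in addition.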

Thanks GLASS, yes I was mainly looking for some sample code as all application notes I read just explained what to do but never how. Now I found some sample code that uses remapping. Since we use HAL I discovered that there even is a HAL function for swapping banks.

Thanks Piranha, yes I'm aware of the drawbacks of using option byte rewrite.

And yes, we have a bootloader in place that works just fine. And we swap only if we update firmware which is not happening often.

Hi, where is your bootloader allocated and is it only one independent one, with IVT and everything, or just bootloader code (identical) per bank included in the actual application?

When using bank swap, I understand this happens immediately according to AN4767 rev. 3 chapter 3.1.1:

"Depending on the flag setting, either Bank1 or Bank2 is mapped to start at address
0x0800 0000 and aliased on address 0x0000 0000. Because the operation does not affect
the PC and other CPU registers, the CPU will simply fetch the next instruction from the other
bank when the bit is flipped."

So if I were to swap from bank 1 to bank 2 from RAM code (as you suggested) after writing a new Application to Bank 2, will the swap "survive" a Reset or power-down, or do I need to actively decide which bank is active on every boot?

If the latter is true, a standalone bootloader would be necessary, but if I put it in either bank, will the swap not mess up its execution, because it is just in one bank?

I thought about putting a bootloader in the OTP memory area, to get away from the swap, but I guess it's way too small.

Any help is greatly appreciated! Thanks!

I am using STM32427VG btw.