Jumping to internal bootloader while Option Byte set to Read out protection (RDP Level 1)

Abhishek4 · ‎2023-12-17

Board: Custom board with STM32F105RCT6

At first, I am able to Jump to internal bootloader while running the application code from SRAM and further able to connect STM programmer using UART interface. At this time the RDP flash protection was not enabled.

void JumpToBootloader(void) {

void (*SysMemBootJump)(void);

volatile uint32_t addr = 0x1FFFB000;

HAL_RCC_DeInit();

SysTick->CTRL = 0;

SysTick->LOAD = 0;

SysTick->VAL = 0;

__disable_irq();

SysMemBootJump = (void (*)(void)) (*((uint32_t *)(addr + 4)));

__set_MSP(*(uint32_t *)addr);

SysMemBootJump();

}

Now when RDP protection is enabled and I execute the same piece of code, I get the following warning.

So, I need to disable RDP protection from the application code before jumping to internal boot loader. For this, I use the below function.

void __attribute__((section(".RamFunc"))) JumpToBootloader(void) {

FLASH_OBProgramInitTypeDef OptionsBytesStruct;

while(HAL_FLASH_Unlock() != HAL_OK);

while(HAL_FLASH_OB_Unlock() != HAL_OK);

HAL_RCC_DeInit();

__disable_irq();

OptionsBytesStruct.OptionType = OPTIONBYTE_RDP ;

OptionsBytesStruct.RDPLevel = OB_RDP_LEVEL_0;

while(HAL_FLASHEx_OBProgram(&OptionsBytesStruct) != HAL_OK);

void (*SysMemBootJump)(void);

volatile uint32_t addr = 0x1FFFB000;

SysTick->CTRL = 0;

SysTick->LOAD = 0;

SysTick->VAL = 0;

SysMemBootJump = (void (*)(void)) (*((uint32_t *)(addr + 4)));

__set_MSP(*(uint32_t *)addr);

SysMemBootJump();

}

In this JumpToBootloader function, I am unlocking the flash and option byte and making the RDP level 0, it’s not jumping to the bootloader and then it’s showing the error: Activating device KO.

So, please help me out in this how to properly configure the option bytes for the STM32F105 and change the Read-Out Protection feature.

TDK · ‎2023-12-18

> volatile uint32_t addr = 0x1FFFB000;

After flash is erased, this value doesn't exist in flash anymore. When the CPU reads it, it is 0xFFFFFFFF. Loading this value prior to erasing flash will probably work.

When you connect with SWD after this, is RDP=0?

I don't think you can reprogram the first few pages with a reset, regardless. See:

https://community.st.com/t5/stm32-mcus-security/stm32f103-unlock-rdp-without-reset/td-p/332355

If you feel a post has answered your question, please click "Accept as Solution".

A_K · ‎2023-12-19

The code shared here (the function) is executing from RAM. so, even if the flash gets erased, the jump to internal bootloader should still happen or not ?

void __attribute__((section(".RamFunc"))) JumpToBootloader(void) {

TDK · ‎2023-12-20

The code yes, however the constants that it uses may be stored and retrieved from flash. For example if you use a string, it will definitely be in flash and not RAM. Not sure about uint32_t values.

Debug, step through, find out.

If you feel a post has answered your question, please click "Accept as Solution".

Roger SHIVELY · ‎2024-01-03

Hello @Abhishek4 ,

There has been a case created to resolve this question and we will be reaching out to you directly.

Regards,
Roger