Boot pin with RDP level

MA4 · ‎2026-05-04

Hello,

I am working on the boot process and security of the STM32H757.

For my tests, I have placed the two boot addresses for the two cores (ADD0 and ADD1 for CM7 and CM4) in the internal flash memory, with an ISR vector at each boot address :
ADD0: standard ISR vector calling the standard Reset_Handler, which in turn calls the main function

g_pfnVectors:
.word __initial_spTop /* Use internal RAM for stack for calling SystemInit. */
.word Reset_Handler

.word NMI_Handler
.word HardFault_Handler
.word MemManage_Handler
.word BusFault_Handler
.word UsageFault_Handler
...

and ADD1: virtually the same ISR vector but calling BootPin_Handler instead of Reset_Handler

g_bootPinVectors:
  .word  __initial_spTop
  .word  BootPin_Handler

  .word  NMI_Handler
  .word  HardFault_Handler
  .word  MemManage_Handler
  .word  BusFault_Handler
  .word  UsageFault_Handler
...

Everything seems to be working properly, at least up until the security test.

When RDP is set to level 0 or 1, everything is fine and everything seems to work, but when I set the RDP level to 2, it no longer works; the programme still launches at ADD0.

I’ve tried to find a link between the two in the documentation, but either I can’t find it or I don’t understand it.

Can anyone help me?

To set level 2, I download the program in the device and then switch to level 1 then to level 2. In option byte I only changed boot address and RDP level. Maybe I have missed a step ?

AScha.3 · ‎2026-05-04

Hi,

RDP2 closes the chip against any external access - irreversible.

...read in rm.

..from RM0433.

If you feel a post has answered your question, please click "Accept as Solution".

MA4 · ‎2026-05-04

@AScha.3

Ok, I don't think I quite understand that sentence. I thought we could still boot from internal flash (that’s why I put two addresses in the internal flash (all BOOT address are between 0x08000000 and 0x08100000). So It's note RAM neither ST system Flash (which is between 0x1FF00000 and 0x1FF1FFFF)

Does that mean the BOOT Pin feature can’t be used at all on RDP at level 2?

AScha.3 · ‎2026-05-04

So maybe you accept what Ai is telling (sidekick here):

Function of the BOOT Pin in RDP Level 2

The BOOT pin is typically used to select the boot target (main flash, system bootloader, or SRAM) by latching its value on the fourth rising edge of SYSCLK after reset release. However, when RDP level 2 is active, the BOOT pin has no effect on the boot source:

The device will always boot from main flash memory, regardless of the BOOT pin configuration.
The built-in system bootloader is permanently disabled, and you cannot use the BOOT pin to access it or SRAM.

Irreversibility and Firmware Updates

Setting RDP level 2 is an irreversible action. Once set:

The system bootloader is permanently disabled.
If you require firmware updates, you must implement your own bootloader within the user flash, as the built-in one cannot be accessed anymore.

Summary

Booting by using the BOOT pin to access the bootloader or SRAM is not possible in RDP2.
Only boot from main flash memory is allowed, regardless of BOOT pin state.
System bootloader and SRAM boot are permanently disabled in RDP2.

If you feel a post has answered your question, please click "Accept as Solution".

Onizuka09 · ‎2026-05-04

Hello @MA4

In RDP level 2, on boot for user flash is allowed so booting from System memory and RAM is disabled.

The Boot pin feature enables the selection of 2 boot areas :

1- you are using RDP level 2, setting BOOT_PIN = 1 is no more possible ( CM7 boots to TCM-RAM or system bootloader and CM4 boots to SRAM1) only BOOT_PIN = 0 is possible (boot to user flash ).

2- When changing the default starting boot address in linker script, you should have also to update the option bytes (BCM7_ADD0 and BCM7_ADD0 ) with the new addresses, or you can setup in the linker script with the default boot address that is already set for both cores.
Please check RM0399 section 2.6 Boot Configuration for more information.
Best Regards