Flash protection. Usage of stm32f10x_flash.c

morpeh89 · ‎2010-05-03

Posted on May 04, 2010 at 08:39

morpeh89 · ‎2011-05-17

Posted on May 17, 2011 at 13:49

I have already found answer to third question, experimentally. My ''spy''-application failed to read protected data. Hard fault exception was the result of this attempt :)

But, i assume, it is possible to create another spy-program, that will rewrite part of executable code. New one will also try to read protected data from the rest of program code. Is it really possible?

chikos332 · ‎2011-05-17

Posted on May 17, 2011 at 13:49

Hi Alexey,

1)You can use the functions of Standard Peirpheral Library provided by ST in order to program/erase the write protection bytes:

- FLASH_EraseOptionBytes()

- FLASH_ProgramOptionByteData()

(if you don't have the link: http://www.st.com/stonline/products/support/micro/files/stm32f10x_stdperiph_lib.zip Then look into file: STM32F10x_StdPeriph_Lib_V3.3.0\Libraries\STM32F10x_StdPeriph_Driver\src)

2) As far as I know and very much experienced, the write protection protect you flash memory pages against Write and Erase operations. It works by sector of pages (sector size depends on the product).

3) When you are in RAM you cannot read the Flash memory if it is read protected, all what you will have is a simple HardFault error. I don't think it is possible to ''spy'' the read protected flash so easilly ;)

chikos332 · ‎2011-05-17

Posted on May 17, 2011 at 13:49

Thanks Clive for the precision.

I think you're right for this point (I'm doing some tests).

That's really interesting.

Maybe the best way to avoid all this is to physically ''burn'' the JTAG pins and the bootloader pins ? Is it right ?

Tesla DeLorean · ‎2011-05-17

Posted on May 17, 2011 at 13:49

3) When you are in RAM you cannot read the Flash memory if it is read protected, all what you will have is a simple HardFault error. I don't think it is possible to ''spy'' the read protected flash so easilly ;)

It just means you don't have the right equipment.

Code can be copied from Flash into RAM and be executed without problem. Code in Flash can dump the entire memory space. Code downloaded (via serial and other means) in RAM via an application running in Flash can also be run and has full visibility. There is an inheritance of access rights.

Code JTAG'd into RAM in a ROP device will Hard Fault if you touch Flash/ROM, code in Flash/ROM can be called and will execute. If that code touches literals in Flash/ROM it will also Hard Fault

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..

htp · ‎2011-05-17

Posted on May 17, 2011 at 13:49

I try to burn JTAG pin/pins and test in over 10pcs of MCUs, result is always same MCU have big resistance for ''burn'' and when you get burn value the whole MCU going into 'popcorn mode' I think there are no any additional protection fuses which you can burn and you only can directly damage core.

About protection one trick... you must care when you have protected flash memory about RAM usage as don't use routines copied into RAM to update flash content etc. RAM content can be very easy readed even when you have disabled jtag by software remap.