2022-05-01 02:55 PM
Is it somehow possible to turn on ETM trace while an STM32F4xx is running in the bootROM? So far I haven't been very successful. I don't know if it's due to timing (correct frequency) or because the MCU uses the internal HSI oscillator by default.
ETM in "normal" programs is no problem, but we would need to investigate an attack where ETM trace of bootROM would really help.
I asked on Segger forums (for JTrace) and was told to ask here. From experimenting I know STLink and JLink/JTrace seem to work differently when dealing with bootROM.
Maybe some trick like running a "normal" program, then jumping to the bootROM? Though from the docs (AN2606) I have no idea what clock the bootROM normally runs on when you start with BOOT0 and BOOT1 set. I also have no idea whether a long jump from flash code to the bootROM would work and what would happen with the clock.
I am mostly interested in STM32F427, STM32F4x5.
2022-05-01 04:02 PM
Should be possible to start trace with a script.
The ROM starts with HSI, likely brings up the PLL from there, and needs HSE for the CAN/USB protocols.
You can disassemble the ROM, do a static analysis of that.
You can call into the ROM, the reset entry point is going to alter clocks and GPIOs as it would normally do. You can map the ROM to zero address space. Demonstrated with USB DFU loads.
Also possible to patch the ROM
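Added example, not code from either post: the "run a normal program, then jump to the bootROM" idea from the question, done the way AN2606 describes it, with system memory remapped to address 0 so the ROM sees the same layout as a BOOT0 start. Register addresses are the STM32F4 ones from RM0090; the SRAM size is assumed to be 192 KB (F427); the ARM-only part is guarded so the vector-table check also compiles and runs on a host.

```c
#include <stdint.h>

/* STM32F4 memory map (RM0090 / AN2606). SRAM size assumed 192 KB as on
 * the STM32F427/F429; adjust for other parts. */
#define SYSMEM_BASE   0x1FFF0000u   /* system memory = bootROM */
#define SYSMEM_SIZE   0x7800u       /* 30 KB */
#define SRAM_BASE     0x20000000u
#define SRAM_SIZE     0x30000u

typedef struct { uint32_t msp; uint32_t entry; } rom_vectors_t;

/* Read the bootROM's initial stack pointer and reset handler from the
 * vector table at `vt` and sanity-check them before use: the SP must land
 * in SRAM and the entry must be a Thumb address inside system memory.
 * Returns 0 on success, a negative code otherwise. */
int read_rom_vectors(const uint32_t *vt, rom_vectors_t *out)
{
    uint32_t msp = vt[0], entry = vt[1];
    if (msp < SRAM_BASE || msp > SRAM_BASE + SRAM_SIZE) return -1;
    if ((entry & 1u) == 0) return -2;   /* bit 0 set = Thumb state */
    if (entry < SYSMEM_BASE || entry >= SYSMEM_BASE + SYSMEM_SIZE) return -3;
    out->msp = msp;
    out->entry = entry;
    return 0;
}

#if defined(__arm__)
#define RCC_APB2ENR   (*(volatile uint32_t *)0x40023844u)
#define SYSCFG_MEMRMP (*(volatile uint32_t *)0x40013800u)

/* Hand control to the bootROM from a running user program. Assumes the
 * caller has already returned clocks and peripherals to their reset state
 * (e.g. HAL_RCC_DeInit()/HAL_DeInit()), since the ROM expects to start on
 * HSI; an ETM session started by a debugger script survives the jump. */
__attribute__((noreturn)) void jump_to_bootrom(void)
{
    rom_vectors_t v;
    if (read_rom_vectors((const uint32_t *)SYSMEM_BASE, &v) != 0)
        for (;;) {}                      /* refuse to jump into garbage */
    __asm volatile ("cpsid i");          /* no IRQ may run during the switch */
    RCC_APB2ENR |= (1u << 14);           /* SYSCFGEN */
    SYSCFG_MEMRMP = (SYSCFG_MEMRMP & ~3u) | 1u;  /* MEM_MODE=01: ROM at 0x0 */
    __asm volatile ("msr msp, %0" : : "r"(v.msp));
    ((void (*)(void))v.entry)();         /* ROM reset handler, never returns */
    for (;;) {}
}
#endif
```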