STM32U5: impossible regression from RDP1 to RDP 0?

OliM · ‎2024-07-31

I am trying to get application level RDP progression into my bootloader to kind of self protect my firmware once it has started. I have set level 1 and the firmware still runs and I can no longer read out flash or debug, so that's the positive side.
But now I want to continue debugging the board, so I want to get back to level 0.
I already found out that (for whatever reason) the only way to at least start a connection is now to use Hotplug and only release the reset of the board by hand once Hotplug is selected.
But I can not read or write the option bytes or use the specific downgrade command.

What I tried and didn't work via CLI:

./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -rdu
- Disabling memory Read Protection...
  Error: Disabling memory Read Protection failed
./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -ob rdp=0xAA
- UPLOADING OPTION BYTES DATA ...
  Bank : 0x00
  Address : 0x40022040
  Size : 36 Bytes
  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0%
  Error: Uploading Option Bytes bank: 0 failed
  Error: Initializing the Option Bytes failed
./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -ob rdp=0x55
- UPLOADING OPTION BYTES DATA ...
  Bank : 0x00
  Address : 0x40022040
  Size : 36 Bytes
  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0%
  Error: Uploading Option Bytes bank: 0 failed
  Error: Initializing the Option Bytes failed
./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -ob OptByte=0x8BEFF0AA
- UPLOADING OPTION BYTES DATA ...
  Bank : 0x00
  Address : 0x40022040
  Size : 36 Bytes
  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0%
  Error: Uploading Option Bytes bank: 0 failed
  Error: Initializing the Option Bytes failed
./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -w32 0x50022040 0x8BEFF0AA
- Downloading...
  ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ 0%
  Error: Failed to download data! If it's a Flash memory, it may be not erased or protected
./STM32_Programmer_CLI.exe -c port=swd mode=HOTPLUG -r32 0x50022040 0x04
- Error: failed to read the requested memory content

The board is an B-U585I-IOT02A and I have boot_lock on, so some ways using Boot0 are probably blocked. TZEN is set and no password were set up for RDP1 or RDP2 downgrade.

Any pointers what to try next are appreciated.

OliM · ‎2024-08-08

To finish this for someone looking at the thread later. My solution was that i still had an Input pin in the application which lead to no longer going into stop mode (the USB power detection). Once I routed a signal (3V+ in my case) to that pin, the MCU was accessible through hotplug and option bytes could be written.

View solution in original post

Imen.D · ‎2024-08-07

Hello @OliM ,

Are using latest version of STM32CubeProgrammer (2.17) and recent version of ST-Link firmware?

Is PH3-BOOT0 pin of the board connected to VDD?

Check that the system boots from the RSS.

Try power on/off the MCU before regressing the part.

When your question is answered, please close this topic by clicking "Accept as Solution".
Thanks
Imen

OliM · ‎2024-08-07

Boot lock is on and points to the start of flash, so I can not switch to RSS. ☹️
Looking through AN5347 chapter 7.1, I am pretty sure I have a brick now. The only remaining possibility I have to connect is to halt the non secure application, but because that one goes into stop mode, the halt will happen with unpowered flash.

OliM · ‎2024-08-08

To finish this for someone looking at the thread later. My solution was that i still had an Input pin in the application which lead to no longer going into stop mode (the USB power detection). Once I routed a signal (3V+ in my case) to that pin, the MCU was accessible through hotplug and option bytes could be written.