Flashing SBSFU combined binary to STM32H755 with STM32_Programmer_CLI

tstokes · ‎2025-09-04

I am trying to write a .bat script to reliably flash my combined sbsfu and application binary to a stm32h755.

set cube_programmer_cli="C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32_Programmer_CLI.exe"
set fw_bin="combined_sbsfu_cm7_cm4.bin"
set fw_base=0x08000000

if not exist %fw_bin% (
    echo Firmware binary not found. Exiting
    exit /b)

if not exist %cube_programmer_cli% (
    echo Cube Programmer CLI not found. Exiting
    exit /b)

@REM Load the combined binary
echo Installing combined_sbsfu_cm7_cm4.bin
%cube_programmer_cli% -c port=SWD -w %fw_bin% %fw_base%

%cube_programmer_cli% -c port=SWD -ob displ

echo Setting option bytes...

echo Setting WRP protection...
@REM Ensures the bootloader application is under write protection
@REM 0 is protected, 1 is unprotected
%cube_programmer_cli% -c port=SWD -ob nWRP0=0

echo Disabling CM4 boot and SWAP_BANK...
@REM Swap bank is unset by default but it is explicitly checked in the bootloader so disabled here
%cube_programmer_cli% -c port=SWD -ob BCM4=0x0 SWAP_BANK=0x0

echo Setting PCROP protection...
@REM Protect the keys from readout over SWD
@REM 0x08000600                        __ICFEDIT_SE_Key_region_ROM_start__ = (__ICFEDIT_SE_CallGate_region_ROM_end__ + 0x1)
@REM 0x080008ff                        __ICFEDIT_SE_Key_region_ROM_end__ = (__ICFEDIT_SE_Key_region_ROM_start__ + 0x2ff)
%cube_programmer_cli% -c port=SWD -ob PROT_AREA_START1=0x06 PROT_AREA_END1=0x08

@REM Only enable under final secure lock this is the point of no return
echo Setting the secure user memory area...
@REM 0x800000000....#0x080203FF
%cube_programmer_cli% -c port=SWD -ob SEC_AREA_START1=0x000 SEC_AREA_END1=0x203 SECURITY=0x01 RDP=0xCC

%cube_programmer_cli% -c port=SWD -g %fw_base%

@REM Wait 15 seconds
echo Please wait 15 seconds for the changes to take effect. Don't touch anything!
timeout /t 15

echo Installation complete. Please power cycle the device.
exit /b

The first attempt does not appear to be reliable, I've had some boards remain available on JTAG after I've run this script against them. It's not clear what state they are in.

For my second attempt, I am wondering if the option bytes should be written in one go

set cube_programmer_cli="C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32_Programmer_CLI.exe"
set fw_bin="combined_sbsfu_cm7_cm4.bin"
set fw_base=0x08000000

if not exist %fw_bin% (
    echo Firmware binary not found. Exiting
    exit /b)

if not exist %cube_programmer_cli% (
    echo Cube Programmer CLI not found. Exiting
    exit /b)

@REM Load the combined binary
echo Installing combined_sbsfu_cm7_cm4.bin
%cube_programmer_cli% -c port=SWD -w %fw_bin% %fw_base%

%cube_programmer_cli% -c port=SWD -ob displ

echo Setting option bytes...

echo Setting WRP protection...
@REM Ensures the bootloader application is under write protection
@REM 0 is protected, 1 is unprotected
%cube_programmer_cli% -c port=SWD ^
    -ob nWRP0=0 ^
    BCM4=0x0 ^
    SWAP_BANK=0x0 ^
    PROT_AREA_START1=0x06 ^
    PROT_AREA_END1=0x08 ^
    SEC_AREA_START1=0x000 ^
    SEC_AREA_END1=0x203 ^
    SECURITY=0x01 ^
    RDP=0xCC ^
    SEC_AREA_START1=0x000 ^
    SEC_AREA_END1=0x203 ^
    SECURITY=0x01 ^
    RDP=0xCC

%cube_programmer_cli% -c port=SWD -g %fw_base%

@REM Wait 15 seconds
echo Please wait 15 seconds for the changes to take effect. Don't touch anything!
timeout /t 15

echo Installation complete. Please power cycle the device.
exit /b

Given the cost of locking hardware I'd like some community input on this process before I move ahead with it.

Has anyone succesfully written a similar script or found a reliable sequence of operations to get the firmware flashed and the option bytes set?