FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to read the FLASH_SIZE register (0x08FFF80C) of the STM32H563 in OEMiROT_Boot?

Go to solution
Snaku
Associate III

‎2025-12-01 3:23 AM

Hi,
I am using STM32H563 with OEMiROT_Boot example project, I got a problem to read the FLASH_SIZE register (0x08FFF80C).
I found two issues,
(1) the value of this register is 0 at begining of OEMiROT_Boot main() function.
(2) the register become not accessable after sau_init_cfg(). 

Snaku_0-1764587724212.png

Snaku

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Jocelyn RICARD
ST Employee

‎2025-12-05 10:23 AM

Hello @Snaku ,

The access to this region requires:

1) be accessed through non secure transaction. This means this is declared as non secure in SAU or SAU is disabled but with ALLNS flag set.

2) be non cacheable

* If MPU is enabled, region should be declared as non cacheable (you have an example for that in the CubeH5:

STM32Cube_FW_H5_V1.5.1\Projects\NUCLEO-H563ZI\Examples_LL\UTILS\UTILS_ReadDeviceInfo\

* if MPU is disabled, ICACHE should be disabled.

In the context of OEMiROT, ICache is enabled by OEMiROT and not disabled.

So, this is very probably the issue you have.

Just reuse original configuration without all trials you made, add HAL_ICACHE_Disable(); in the main.c of secure application (you will need to add the driver),

You should be able to read the content of the system flash in the secure and in the non secure application.

Best regards

Jocelyn 

View solution in original post

8 REPLIES 8
Go to solution
Bubbles
ST Employee

‎2025-12-01 5:30 AM

Hi @Snaku,

it's not a register, it's a dedicated remapping of flash memory page that contains manufacturing and calibration data. It's not restricted by HW, so I assume it's the MPU settings that got in the way this time.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

0 Kudos
Go to solution
Snaku
Associate III
In response to Bubbles

‎2025-12-01 7:09 PM - edited ‎2025-12-01 7:15 PM

Hi J,
I find this link which talk about the memory region at 0x08FF_F800 should disable cacheability.
https://community.st.com/t5/stm32-mcus/how-to-obtain-and-use-the-stm32-96-bit-uid/ta-p/621443

And the OEMiROT_Boot example project has a MPU initial setting for the UID data region,
the region configuration as below, does it mean the MPU setting can let me read FLASH_SIZE data? 

/* Engi bits */
#define ENGI_BASE_NS                        (0x08FFF800U)
#define ENGI_SIZE                           (0x40U)

// in OEMiROT_Boot low_level_security.c region_cfg_init_s[]
/* Region 8: Allows read access to Engi bytes */
  {
    8,
    ENGI_BASE_NS,
    ENGI_BASE_NS + ENGI_SIZE - 1,
    MPU_ARMV8M_MAIR_ATTR_DATANOCACHE_IDX,
    MPU_ARMV8M_XN_EXEC_NEVER,
    MPU_ARMV8M_AP_RO_PRIV_ONLY,
    MPU_ARMV8M_SH_NONE,
#ifdef FLOW_CONTROL
    FLOW_STEP_MPU_I_EN_R8,
    FLOW_CTRL_MPU_I_EN_R8,
    FLOW_STEP_MPU_I_CH_R8,
    FLOW_CTRL_MPU_I_CH_R8,
#endif /* FLOW_CONTROL */
  },

 

0 Kudos
Go to solution
Bubbles
ST Employee

‎2025-12-02 12:54 AM

Hi @Snaku,

I noticed the region is set as privilege only. Could this be the issue?

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

0 Kudos
Go to solution
Snaku
Associate III
In response to Bubbles

‎2025-12-02 10:33 PM

Hi J,

After I change the MPU setting to MPU_ARMV8M_AP_RO_PRIV_UNPRIV,
and change the SAU setting for 0x08FF_F800 region, 
I can see the data of 0x08FF_F800 region, but thier vaule are all zero.

// MPU setting of region_cfg_init_s[ ] 

 

  {
    8,
    ENGI_BASE_NS,
    ENGI_BASE_NS + ENGI_SIZE - 1,
    MPU_ARMV8M_MAIR_ATTR_DATANOCACHE_IDX,
    MPU_ARMV8M_XN_EXEC_NEVER,
    MPU_ARMV8M_AP_RO_PRIV_UNPRIV, // origin is MPU_ARMV8M_AP_RO_PRIV_ONLY
    MPU_ARMV8M_SH_NONE,
#ifdef FLOW_CONTROL
    FLOW_STEP_MPU_I_EN_R8,
    FLOW_CTRL_MPU_I_EN_R8,
    FLOW_STEP_MPU_I_CH_R8,
    FLOW_CTRL_MPU_I_CH_R8,
#endif /* FLOW_CONTROL */
  },

 


// SAU setting of region_sau_init_cfg[ ]

 

  /* Region 2: Allows non secure access to Engi bits for RSS */
  {
    2,
    ENGI_BASE_NS,
    (ENGI_BASE_NS + ENGI_SIZE - 1U),
    OEMIROT_TRUE, // origin is OEMIROT_FALSE
#ifdef FLOW_CONTROL
    FLOW_STEP_SAU_I_EN_R2,
    FLOW_CTRL_SAU_I_EN_R2,
    FLOW_STEP_SAU_I_CH_R2,
    FLOW_CTRL_SAU_I_CH_R2,
#endif /* FLOW_CONTROL */
  },

 


// all data are zero

Snaku_0-1764743091112.png

Snaku_1-1764743220134.png

Regards,

Snaku

0 Kudos
Go to solution
Bubbles
ST Employee

‎2025-12-03 6:48 AM

Hello @Snaku ,

looks like you are still having problems with some security setting. On STM32H5, some memory protection mechanism will not raise an error, but will simply return all zeroes when attempting to read the memory.

Try reading it in separate program that's configured without any security and progressively add the protections to see which one which one is causing it.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

0 Kudos
Go to solution
Snaku
Associate III
In response to Bubbles

‎2025-12-05 1:49 AM

I find after I disable the TrustZone of the Option Bytes, the memory region at 0x08FF_FF00 can be read correctly,
so, I think my problem is that how to read 0x08FF_FF00 memory region when TrustZone is enabled?

Snaku_0-1764928025904.png

Regards,

Snaku

0 Kudos
Go to solution
Jocelyn RICARD
ST Employee

‎2025-12-05 10:23 AM

Hello @Snaku ,

The access to this region requires:

1) be accessed through non secure transaction. This means this is declared as non secure in SAU or SAU is disabled but with ALLNS flag set.

2) be non cacheable

* If MPU is enabled, region should be declared as non cacheable (you have an example for that in the CubeH5:

STM32Cube_FW_H5_V1.5.1\Projects\NUCLEO-H563ZI\Examples_LL\UTILS\UTILS_ReadDeviceInfo\

* if MPU is disabled, ICACHE should be disabled.

In the context of OEMiROT, ICache is enabled by OEMiROT and not disabled.

So, this is very probably the issue you have.

Just reuse original configuration without all trials you made, add HAL_ICACHE_Disable(); in the main.c of secure application (you will need to add the driver),

You should be able to read the content of the system flash in the secure and in the non secure application.

Best regards

Jocelyn 

Go to solution
Snaku
Associate III
In response to Jocelyn RICARD

‎2025-12-07 6:16 PM

Hi Jocelyn,


After I disable the ICache, I can read the memory region at 0x08FF_F800 now.

Snaku_0-1765159653441.png

I follow your instruction, 
(1) reuse original configuration for MCU and SAU initial settings in the OEMiROT_Boot Project (i.e., no change in the region_cfg_init_s[ ] and region_sau_init_cfg[ ] array).
(2) I just add 'HAL_ICACHE_Disable();' at line 639.

then the data of the memory 0x08FF_F800 can be read correctly when the CPU run to the line 652.

Thanks for your support.
Snaku

0 Kudos
Top