cancel
Showing results for 
Search instead for 
Did you mean: 

How to recover nucleoh563zi from Debug authentication error caused by improper initialised OMEiRoT

eva1000
Associate

For context , i was trying to testout  OMEiRoT and DA ,
i successfully managed to lock , and regress using the password method and i tried to replicate the STiRot method shown in the STiRot handson video to try the OMEiRoT example project in the nucleoH563 projects  
 but some where along the way my dumb ass missed some information and when i flashed the project , the previous application is running howwever the DA got turned on and i got locked out and i have tried all the key and certificate combo but couldnt connect to the board, 
 if there by chance any way i can recover this nucleo board , its my second bricked nucleo and i really hope i can some how manage to regress it 
and sadly as i was just testing LED blinking i havnt implemented any bootloader ,and i would appreciate any links to a good example for adding bootloader before i try to continue my learning journey any further so i have atleast one more way to recover the device if anything goes wrong
following are the info i receive
when runninig discovery:

-------------------------------------------------------------------
STM32CubeProgrammer v2.19.0
-------------------------------------------------------------------


Start Debug Authentication Sequence

Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0

SDMOpen : 625 : open : SDM Library version v1.2.0

open_comms : 513 : open : Asserting target reset

open_comms : 517 : open : Writing magic number

open_comms : 537 : open : De-asserting target reset

open_comms : 584 : open : Communication with the target established successfully

response_packet_lock
discovery: target ID.......................:0x484
discovery: SoC ID..........................:0x00000000_00000000_00000000_00000000
discovery: SDA version.....................:2.1.0
discovery: Vendor ID.......................:STMicroelectronics
discovery: PSA lifecycle...................:ST_LIFECYCLE_CLOSED
discovery: PSA auth version................:1.0
discovery: ST HDPL1 status.................:0xffffffff
discovery: ST HDPL2 status.................:0xffffffff
discovery: ST HDPL3 status.................:0xffffffff
discovery: Token Formats...................:0x200
discovery: Certificate Formats.............:0x201
discovery: cryptosystems...................:Ecdsa-P256 SHA256
discovery: ST provisioning integrity status:0xeaeaeaea
discovery: permission if authorized...........:(a/14) ==> Full Regression
discovery: permission if authorized...........:(b/12) ==> To TZ Regression
discovery: permission if authorized...........:(c/6) ==> Level 3 Intrusive Debug
discovery: permission if authorized...........:(d/5) ==> Level 2 Intrusive Debug
discovery: permission if authorized...........:(e/4) ==> Level 1 Intrusive Debug
discovery: permission if authorized...........:(f/2) ==> Level 3 Intrusive Non Secure Debug
discovery: permission if authorized...........:(g/1) ==> Level 2 Intrusive Non Secure Debug
discovery: permission if authorized...........:(h/0) ==> Level 1 Intrusive Non Secure Debug
To select multiple permission/actions:
Using numerical values: List the needed bit numbers, separated by commas without spaces.
Using symbolic letters: List the needed letters by concatenating them without separators.

Debug Authentication: Discovery Success
"discovery script success"


when running regression :

-------------------------------------------------------------------
STM32CubeProgrammer v2.19.0
-------------------------------------------------------------------

Permission request submitted : a

Key file path submitted : .\Keys\key_3_leaf.pem

Certificate file path submitted : .\Certificates\cert_leaf_chain.b64

Password file path submitted : .\Binary\password.bin


Start Debug Authentication Sequence

Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0

SDMOpen : 625 : open : SDM Library version v1.2.0

open_comms : 513 : open : Asserting target reset

open_comms : 517 : open : Writing magic number

open_comms : 537 : open : De-asserting target reset

open_comms : 584 : open : Communication with the target established successfully

response_packet_lock
discovery: permission if authorized...........:(a/14) ==> Full Regression
discovery: permission if authorized...........:(b/12) ==> To TZ Regression
discovery: permission if authorized...........:(c/6) ==> Level 3 Intrusive Debug
discovery: permission if authorized...........:(d/5) ==> Level 2 Intrusive Debug
discovery: permission if authorized...........:(e/4) ==> Level 1 Intrusive Debug
discovery: permission if authorized...........:(f/2) ==> Level 3 Intrusive Non Secure Debug
discovery: permission if authorized...........:(g/1) ==> Level 2 Intrusive Non Secure Debug
discovery: permission if authorized...........:(h/0) ==> Level 1 Intrusive Non Secure Debug
SDMOpen : 624 : open : SDM API v1.0

SDMOpen : 625 : open : SDM Library version v1.2.0

open_comms : 513 : open : Asserting target reset

open_comms : 517 : open : Writing magic number

open_comms : 537 : open : De-asserting target reset

open_comms : 584 : open : Communication with the target established successfully

[00%] discovery command
[10%] sending discovery command
[20%] receiving discovery
response_packet_lock
[40%] loading credentials

.\Keys\key_3_leaf.pem

.\Certificates\cert_leaf_chain.b64
[50%] sending challenge request
[60%] receiving challenge
response_packet_lock
[70%] signing token

the submitted permissions are : a
SDMAuthenticate : 1391 : client : Found 3 certificates

response_packet_lock
Timeout while receiving response...
Error:
Debug Authentication Failed
"regression script failed"




2 REPLIES 2
Jocelyn RICARD
ST Employee

Hello @eva1000 ,

Not sure what you have done exactly, but what is displayed looks good especially:

ST provisioning integrity status:0xeaeaeaea

Besides, cryptosystems...................:Ecdsa-P256 SHA256 means that you have enabled TrustZone.

So, if you have provisioned a password instead of the public key this will not work, and you have no way to recover.

 

What you can do is to implement a way to trigger the regression inside your application.

You don't really need a bootloader for that.

For other purpose I made an example on the hotspot github here that is for STM32H573 but it provides the code to trigger the regression which is not dependent on crypto availability.

Best regards

Jocelyn

Jocelyn RICARD
ST Employee

And one last thing.

When testing DA provisioning, just stay in PROVISIONING state.

You can launch the regression also in this state. So, if the DA_Config.obk provisioned does not work for any reason, you can provision again another one until you get a working setup.

Normally you don't need this if you follow the right instructions but it allows you to do it without any fear of bricking your device.

Best regards

Jocelyn