Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- STMicroelectronics Community
- STM32 MCUs
- STM32 MCUs Security
- How to recover nucleoh563zi from Debug authenticat...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to recover nucleoh563zi from Debug authentication error caused by improper initialised OMEiRoT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-05-28 2:05 AM
For context , i was trying to testout OMEiRoT and DA ,
i successfully managed to lock , and regress using the password method and i tried to replicate the STiRot method shown in the STiRot handson video to try the OMEiRoT example project in the nucleoH563 projects
but some where along the way my dumb ass missed some information and when i flashed the project , the previous application is running howwever the DA got turned on and i got locked out and i have tried all the key and certificate combo but couldnt connect to the board,
if there by chance any way i can recover this nucleo board , its my second bricked nucleo and i really hope i can some how manage to regress it
and sadly as i was just testing LED blinking i havnt implemented any bootloader ,and i would appreciate any links to a good example for adding bootloader before i try to continue my learning journey any further so i have atleast one more way to recover the device if anything goes wrong
following are the info i receive
when runninig discovery:
-------------------------------------------------------------------
STM32CubeProgrammer v2.19.0
-------------------------------------------------------------------
Start Debug Authentication Sequence
Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0
SDMOpen : 625 : open : SDM Library version v1.2.0
open_comms : 513 : open : Asserting target reset
open_comms : 517 : open : Writing magic number
open_comms : 537 : open : De-asserting target reset
open_comms : 584 : open : Communication with the target established successfully
response_packet_lock
discovery: target ID.......................:0x484
discovery: SoC ID..........................:0x00000000_00000000_00000000_00000000
discovery: SDA version.....................:2.1.0
discovery: Vendor ID.......................:STMicroelectronics
discovery: PSA lifecycle...................:ST_LIFECYCLE_CLOSED
discovery: PSA auth version................:1.0
discovery: ST HDPL1 status.................:0xffffffff
discovery: ST HDPL2 status.................:0xffffffff
discovery: ST HDPL3 status.................:0xffffffff
discovery: Token Formats...................:0x200
discovery: Certificate Formats.............:0x201
discovery: cryptosystems...................:Ecdsa-P256 SHA256
discovery: ST provisioning integrity status:0xeaeaeaea
discovery: permission if authorized...........:(a/14) ==> Full Regression
discovery: permission if authorized...........:(b/12) ==> To TZ Regression
discovery: permission if authorized...........:(c/6) ==> Level 3 Intrusive Debug
discovery: permission if authorized...........:(d/5) ==> Level 2 Intrusive Debug
discovery: permission if authorized...........:(e/4) ==> Level 1 Intrusive Debug
discovery: permission if authorized...........:(f/2) ==> Level 3 Intrusive Non Secure Debug
discovery: permission if authorized...........:(g/1) ==> Level 2 Intrusive Non Secure Debug
discovery: permission if authorized...........:(h/0) ==> Level 1 Intrusive Non Secure Debug
To select multiple permission/actions:
Using numerical values: List the needed bit numbers, separated by commas without spaces.
Using symbolic letters: List the needed letters by concatenating them without separators.
Debug Authentication: Discovery Success
"discovery script success"
when running regression :
-------------------------------------------------------------------
STM32CubeProgrammer v2.19.0
-------------------------------------------------------------------
Permission request submitted : a
Key file path submitted : .\Keys\key_3_leaf.pem
Certificate file path submitted : .\Certificates\cert_leaf_chain.b64
Password file path submitted : .\Binary\password.bin
Start Debug Authentication Sequence
Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0
SDMOpen : 625 : open : SDM Library version v1.2.0
open_comms : 513 : open : Asserting target reset
open_comms : 517 : open : Writing magic number
open_comms : 537 : open : De-asserting target reset
open_comms : 584 : open : Communication with the target established successfully
response_packet_lock
discovery: permission if authorized...........:(a/14) ==> Full Regression
discovery: permission if authorized...........:(b/12) ==> To TZ Regression
discovery: permission if authorized...........:(c/6) ==> Level 3 Intrusive Debug
discovery: permission if authorized...........:(d/5) ==> Level 2 Intrusive Debug
discovery: permission if authorized...........:(e/4) ==> Level 1 Intrusive Debug
discovery: permission if authorized...........:(f/2) ==> Level 3 Intrusive Non Secure Debug
discovery: permission if authorized...........:(g/1) ==> Level 2 Intrusive Non Secure Debug
discovery: permission if authorized...........:(h/0) ==> Level 1 Intrusive Non Secure Debug
SDMOpen : 624 : open : SDM API v1.0
SDMOpen : 625 : open : SDM Library version v1.2.0
open_comms : 513 : open : Asserting target reset
open_comms : 517 : open : Writing magic number
open_comms : 537 : open : De-asserting target reset
open_comms : 584 : open : Communication with the target established successfully
[00%] discovery command
[10%] sending discovery command
[20%] receiving discovery
response_packet_lock
[40%] loading credentials
.\Keys\key_3_leaf.pem
.\Certificates\cert_leaf_chain.b64
[50%] sending challenge request
[60%] receiving challenge
response_packet_lock
[70%] signing token
the submitted permissions are : a
SDMAuthenticate : 1391 : client : Found 3 certificates
response_packet_lock
Timeout while receiving response...
Error:
Debug Authentication Failed
"regression script failed"
Labels:
- Labels:
-
RDP
-
Secure Manager
-
STM32 Security
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-06-25 10:06 AM
Hello @eva1000 ,
Not sure what you have done exactly, but what is displayed looks good especially:
ST provisioning integrity status:0xeaeaeaea
Besides, cryptosystems...................:Ecdsa-P256 SHA256 means that you have enabled TrustZone.
So, if you have provisioned a password instead of the public key this will not work, and you have no way to recover.
What you can do is to implement a way to trigger the regression inside your application.
You don't really need a bootloader for that.
For other purpose I made an example on the hotspot github here that is for STM32H573 but it provides the code to trigger the regression which is not dependent on crypto availability.
Best regards
Jocelyn
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-06-25 10:09 AM
And one last thing.
When testing DA provisioning, just stay in PROVISIONING state.
You can launch the regression also in this state. So, if the DA_Config.obk provisioned does not work for any reason, you can provision again another one until you get a working setup.
Normally you don't need this if you follow the right instructions but it allows you to do it without any fear of bricking your device.
Best regards
Jocelyn
