FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to replace .obk for STM32H523

hakeila
Associate III

‎2025-03-04 2:15 PM

Hi,

 

I have locked out my MCU. I generated a Debug Authentication file with certificate (DA_Config.obk) and provisioned that into the MCU. However, I think I have regenerated a private key without regenerating a certificate.

 

I am no longer able to do a regression on the MCU for DA authentication. I have tried multiple of certificates and regenerated certificates based on the root private key I used for generating the .obk file but nothing works.

 

Also I don't quite understand the difference between the root, intermediate and leaf keys/certificates pairs. Which ones is used in regression?

 

Any help would be appreciated.

 

Thanks in advance :)

Labels:
0 Kudos
7 REPLIES 7
Jocelyn RICARD
ST Employee

‎2025-03-05 4:44 AM

Hello @hakeila,

First, if you have lost the private key associated to public key provisioned in your device (in obk), you will not be able to use DA anymore.

Now, if you have some firmware in the device that can be update, you may be able to launch a regression from firmware. But this can only be done of the code executing the regression is in HDP Level1.

If you lost the private key of your leaf certificate, that is not an issue, you can either regress the device with the root private key and root certificate.

The leaf certificate is useful when you want to keep your root private key safe and avoid any leak.

Best regards

Jocelyn

 

0 Kudos
hakeila
Associate III

‎2025-03-05 1:02 PM

Hello @Jocelyn RICARD,

 

I can't even connect the MCU as it is product state is CLOSED. I tried to regenerate certificates from all of the private root keys I generated but nothing works to regress the MCU.

 

How would I add the regression in my firmware if I can't update it?

 

Also, my firmware is not even running on my MCU. I think my flash memory could be corrupted. Is there a way to verify the key/certificate pairs from the previously generated .obk file? I know this is not ideal, but I am trying to find a way to unlock the MCU somehow.

 

Also I noticed in the STM32TrustedPackageCreator tool that I can regenerate the private root key and generate an obk file without regenerating a root certificate. Is that an issue with TPC software?

 

Kind Regards,

Hani

0 Kudos
Jocelyn RICARD
ST Employee

‎2025-03-06 9:06 AM

Hello @hakeila ,

To be able to perform the regression, the certificate you use should be signed by your private key.

All need to be consistent otherwise there wouldn't be any security.

If you have lost the private key corresponding to the public key provisioned in DA_Config.obk, you will not be able to re-open the device.

If you are in such situation and you can't update your firmware, you device is bricked.

When generating a new private key using TPC, you have a backup of the old private key. Please check.

Then if you generate a new private key you also need to generate a new root certificate. This is not automatic.

 

Best regards

Jocelyn

0 Kudos
hakeila
Associate III
In response to Jocelyn RICARD

‎2025-03-06 2:17 PM

Hi @Jocelyn RICARD ,

 

Thank you so much for the clarification. I guess this was part of my learning process with STM32 security :)

 

Ok, Can I hold BOOT0 to High while reseting the MCU to force the originally downloaded STM bootloader is system flash memory to run? I don't really care if I have to erase the flash as I am still prototyping.

 

Cheers,

Hani

0 Kudos
hakeila
Associate III

‎2025-03-06 2:26 PM

Hi @Jocelyn RICARD 

I also would like to ask:

When regenerating private key, under OBkey generation in TPC, does it regenerate the private key based on the original public key?

 

Or Is it the best practice to regenerate the private key via another method under TPC? (like the Secure Boot WB0x/WL3x tab, but this is for STM32WB0x/WL3x MCUs, am I right?)

 

Kind Regards,

Hani

 

 

0 Kudos
hakeila
Associate III

‎2025-03-17 1:06 PM

Hi @Jocelyn RICARD 

I would like to follow-up with you regarding my question on un-breaking the STM32H523 MCU 

I would be appreciated to know if it is possible to activate the system bootloader somehow or reconfigure the option bytes and convert the MCU to OPEN state. I tried doing so via STM32CubeProgrammer by shorting the BOOT0 to VDD and reset the MCU (I am using STM32 Nucleo board with H523 populated instead of H533 MCU 

Cheers,

Hani

 

0 Kudos
Jocelyn RICARD
ST Employee

‎2025-03-18 11:54 AM

Hello @hakeila ,

There is no way to enable the bootloader if you closed the device. You can check the boot modes in reference manual

Best regards

Jocelyn

0 Kudos
Top