Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- STMicroelectronics Community
- STM32 MCUs
- STM32 MCUs Security
- How to revert from TZEN to non secure mode
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to revert from TZEN to non secure mode
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-10 8:42 AM - edited 2025-11-10 8:46 AM
Hi
I am using STM32L562 and sampled and flashed the Zephyr OS example for TrustMode.
I could not revert back the TrustZone therefore followed the information from the link https://community.st.com/t5/stm32-mcus-security/reverting-option-byte-configuration-after-tf-m-testing-in/m-p/584225/highlight/true#M5879
However, after executing the first two commands the board doesn't respond to the command. Even with the hotplug mode, I can't set RDP level back to 0
STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst -ob RDP=0xAA UNLOCK_1A=1 UNLOCK_1B=1 UNLOCK_2A=1 UNLOCK_2B=1
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 32 Bytes
Error: Uploading Option Bytes bank: 0 failed
Error: Initializing the Option Bytes failed
STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst -ob RDP=0xAA UNLOCK_1A=1 UNLOCK_1B=1 UNLOCK_2A=1 UNLOCK_2B=1
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 32 Bytes
Error: Uploading Option Bytes bank: 0 failed
Error: Initializing the Option Bytes failed
I can connect to the device
STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0Would you kindly help me to revert back?
Labels:
- Labels:
-
RDP
-
STM32 Security
-
TFM
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-11 1:15 AM - edited 2025-11-11 1:17 AM
Hi
Thanks for the reply. However, following command doesn't work. I tried with UI app as well which fail even to connect
STM32_Programmer_CLI -c port=SWD mode=UR reset=HWrst --erase all
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
I tried to run following command but no success.
STM32_Programmer_CLI -c port=SWD mode=HOTPLUG -halt -c port=SWD mode=UR --erase all
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0
Core halted
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-11 7:11 AM
Hello @SAMINA ,
On STM32L5 you can do this regression in RDP 0.5.
In any case, if your firmware is not running in non secure you will not be able to do the regression.
What you can do is to connect your BOOT0 pin to VDD. After reset, if you don't have forced anything in option bytes, you should jump to the embedded system bootloader which runs in non secure.
From that, you will be able to attach in hotplug (you don't need "reset=HWrst" ) and perform the regression
Best regards
Jocelyn
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-13 5:22 AM
Hi Jocelyn
Thanks for the reply. I pulled BOOT0 to VDD. CLI app was not able to connect to the processor
STM32_Programmer_CLI -c port=SWD mode=UR
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
Error: ST-LINK error (DEV_CONNECT_ERR)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
Error: Unable to get core ID
Error: ST-LINK error (DEV_CONNECT_ERR)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-13 9:17 AM
Hello Jocelyn,
I believe the original poster also has TZEN = 1 (Samir said "I could not revert back the TrustZone") -- so am I correct that when TZEN = 1 and RDP = 1, pulling BOOT0 high will boot into RSS and not system bootloader, and there is no way to connect debugger for regression?
The reason I ask is because I am in a (somewhat) similar situation. Maybe I should start a new thread... my situation:
- STM32U5A5 Nucleo
- Flash is erased / empty
- All option bytes default except RDP =1 and TZEN = 1
No matter what I try, I cannot regress (RDP = 0, TZEN = 0). when BOOT0 = 0, it tries to boot from secure flash (empty); when BOOT0 = 1, it boots into RSS. (Please let me know if any of this is incorrect). And I believe that from RSS, no matter what I try via CLI or GUI, I've tried all sorts of hotplug and reset variations, I cannot regress. I believe the moral of the story is: "Do not set TZEN = 1 and RDP = 1 unless you have good code in flash (secure AND non-secure) because the only way to connect SWD when TZEN = 1 and RDP = 1 is when CPU is running non-secure code". Is that correct?
If so I would like to understand why ST App Note 5347 section 9.1.2 says "TZEN/RDP regression with a boot from RSS" when I don't think this works. At start of section 9 the app note says "The TrustZone deactivation must be done in parallel to an RDP regression (see Section 7.2). This assumes that the system is already in RDP level 1 or RDP level 0.5". OK fine, my RDP is already in RDP level 1 and TrustZone is indeed activated...
So again ultimately my question is "IS my board locked forever?" and if "Y", then why does AN5347 indicate it should be recoverable from RSS, and if "N", then why don't any of the prescribed steps (GUI or CLI) work.
Note: none of the boot bits have been changed, there is no OEM1KEY, etc. - it's really the simple case of TZEN = 1, RDP = 1, and all 4MB flash = 0xFF (empty)
THank you Jocelyn!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-19 9:44 AM
Just to add to this...
On a 2nd Nucleo U5A5 board that I have, with empty flash, TZEN = 1, RDP = 1, by pulling BOOT0 pin high and booting into RSS, I was able to regress back to TZEN = 0 RDP = 0 (I used the CubeProgrammer CLI but I assume it could be done via GUI too)
So I don't understand why it doesn't work on my first U5A5 Nucleo.
Note: I am 100% sure that on the first U5A5 board:
- RDP is NOT Level 2
- OEM1KEY and OEM2KEY are NOT set
- None of the boot option bits or boot address fields in Option bytes have been changed
- Pulling BOOT0 Pin high really works (measured with oscilliscope, line is really high)
One other interesting thing is that when I boot into RSS (TZEN = 1 and BOOT0 is pulled HIGH) the Blue LED (LED 2 I think?) is turned on, that must be code in the RSS Bootloader doing that, correct? If so:
- Isn't this weird? What if my custom board wants to use that GPIO for something else? Or is the RSS ROM on a Nucleo STM32U5A5 a tiny bit different with custom instructions to light the LED?
On my first U5A5 board, the one that cannot be reverted, I see the blue LED flicker dimly for 1/100 of a second, or sometimes not at all, when I (try to) boot into RSS, if this provides any more insight.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-24 9:14 AM
Hello @Doug Barnes ,
When setting BOOT0 pin high you boot in RSS which is a system secure application. The RSS will then jump to non secure system bootloader. This is reason why you can attach in hotplug in this setup and are able to launch the regression. (@SAMINA )
This behaviour may be "perturbated" by other option bytes such as swBoot0 and boot_lock enabled.
Regarding your Nucleo, I don't don't know what could be the issue if all your option bytes are set correctly.
Best regards
Jocelyn
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2025-11-30 6:19 PM
Thank you Jocelyn for always providing consistently helpful replies.
Related Content
- STM32WB1MMC Capabilities Question(s) in STM32 MCUs Wireless
- Unable to Pair: STM32WB05KN1 running as transparent mode with Host + Controller. in STM32 MCUs Wireless
- STM32U585: Unable to Revert RDP Level 2 to Level 0 Using STM32CubeProgrammer (TrustZone Enabled) in STM32 MCUs Security
- STM32U585: Unable to Revert RDP Level 2 to Level 0 Using STM32CubeProgrammer (TrustZone Enabled) in STM32 MCUs Products
- STMU575ZI-Q TFM Port attempt: DEV TARGET NOT HALTED / The interface firmware FAILED to reset/halt the target MCU in STM32 MCUs Security