
is there any X-cube-SBSFU examples that are compatible with STM32-H755 series

Domy_ST
Senior

this thread is split from this thread 
hello

Last question, I just saw the example but it's not for the STM32H755ZI-Q series, are the examples still compatible with this STM32H755 series? Thanks

18 REPLIES 18

Hello @Onizuka09,

I had to download and extract the package again. STM32CubeIDE seems to have somehow deleted some missing files.

Now it compiles and gives me no errors for the NUCLEO-H755ZI_aws_demos project, while the NUCLEO-H755ZI_aws_tests project gives me an error during compilation when I run "prepareImage.exe," as follows:

make -j20 all 
rm -f NUCLEO-H755ZI_aws_tests_CM7.elf
 
arm-none-eabi-gcc -o "NUCLEO-H755ZI_aws_tests_CM7.elf" @"objects.list"   -mcpu=cortex-m7 -T"../stm32h755xx_flash_CM7.ld" --specs=nosys.specs -Wl,-Map="NUCLEO-H755ZI_aws_tests_CM7.map" -Wl,--gc-sections -static -Xlinker -L ../../../../BootLoader_OSC/Linker_Common/STM32CubeIDE --specs=nano.specs -mfpu=fpv5-d16 -mfloat-abi=hard -mthumb -Wl,--start-group -lc -lm -Wl,--end-group
C:/ST/STM32CubeIDE_2.0.0/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.13.3.rel1.win32_1.0.100.202509120712/tools/bin/../lib/gcc/arm-none-eabi/13.3.1/../../../../arm-none-eabi/bin/ld.exe: warning: NUCLEO-H755ZI_aws_tests_CM7.elf has a LOAD segment with RWX permissions
Finished building target: NUCLEO-H755ZI_aws_tests_CM7.elf
 
arm-none-eabi-size  NUCLEO-H755ZI_aws_tests_CM7.elf 
arm-none-eabi-objdump -h -S NUCLEO-H755ZI_aws_tests_CM7.elf  > "NUCLEO-H755ZI_aws_tests_CM7.list"
   text	   data	    bss	    dec	    hex	filename
 334368	    896	 378608	 713872	  ae490	NUCLEO-H755ZI_aws_tests_CM7.elf
arm-none-eabi-objcopy  -O ihex NUCLEO-H755ZI_aws_tests_CM7.elf  "NUCLEO-H755ZI_aws_tests_CM7.hex"
Finished building: default.size.stdout
arm-none-eabi-objcopy  -O binary NUCLEO-H755ZI_aws_tests_CM7.elf  "NUCLEO-H755ZI_aws_tests_CM7.bin"
 
Finished building: NUCLEO-H755ZI_aws_tests_CM7.hex
Finished building: NUCLEO-H755ZI_aws_tests_CM7.bin
 
 
Finished building: NUCLEO-H755ZI_aws_tests_CM7.list
 
sh ../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/postbuild.sh .. ./NUCLEO-H755ZI_aws_tests_CM7.elf ./NUCLEO-H755ZI_aws_tests_CM7.bin 1 1
prepareimage with windows executable
[2000] Failed to execute script prepareimage
Traceback (most recent call last):
  File "prepareimage.py", line 861, in <module>
  File "prepareimage.py", line 858, in args
  File "prepareimage.py", line 124, in do_encrypt
  File "keys.py", line 262, in load
FileNotFoundError: [Errno 2] No such file or directory: '../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/../Binary/OEM_KEY_COMPANY1_key_AES_CBC.bin'
../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/postbuild.sh: line 70: prepareimage.exe: No error
prepareimage.exe enc -k ../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/../Binary/OEM_KEY_COMPANY1_key_AES_CBC.bin -i ../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/../Binary/iv.bin ./NUCLEO-H755ZI_aws_tests_CM7.bin ../PostBuild/NUCLEO-H755ZI_aws_tests_CM7.sfu : failed
make[1]: *** [makefile:152: post-build] Error 1
make: *** [makefile:111: all] Error 2
"make -j20 all" terminated with exit code 2. Build might be incomplete.

What could be the cause?
Thanks for your valuable support.

Onizuka09
ST Employee

Hello @Domy_ST,

Try to run that prepareimage.exe from the PowerShell Windows terminal and see if that issue persists.

First, some modifications need to be made to the postbuild.sh script. Locate the file

BootLoader_OSC\2_Images_SECoreBin\STM32CubeIDE\postbuild.sh

Go to the bottom of the file and comment out these lines:

if [ $ret -eq 0 ]; then
  rm $sign
  rm $sfu
  rm $headerbin
  if [ -e "$ref_userapp" ]; then
    rm $partialbin
    rm $partialsfu
    rm $partialsign
    rm $partialoffset
  fi  
  exit 0
else 
  echo "$command : failed" >> $projectdir"/output.txt"
  # comment start here 
  # if [ -e  "$elf" ]; then
  #   # rm  $elf
  # fi
  # if [ -e "$elfbackup" ]; then 
  #   # rm  $elfbackup
  # fi
  # comment ends here
  echo $command : failed
  read -n 1 -s
  exit 1
fi

and rebuild the aws_tests project.

Now open a PowerShell terminal and follow these steps:
1- Open PowerShell, then replace {YOUR BASE PATH} with your base path:

cd {YOUR BASE PATH}\x-cube-aws\STM32CubeExpansion_Cloud_AWS_V2.2.1\Projects\NUCLEO-H755ZI\Applications\Cloud\aws_tests\STM32CubeIDE\Debug_CM7

2- Then export the path of the executable prepareimage.exe:

$env:PATH +=";{YOUR BASE PATH}\x-cube-aws\STM32CubeExpansion_Cloud_AWS_V2.2.1\Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages\win\prepareimage"

3- Run the command:

prepareimage.exe enc -k ../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/../Binary/OEM_KEY_COMPANY1_key_AES_CBC.bin -i ../../../../BootLoader_OSC/2_Images_SECoreBin/STM32CubeIDE/../Binary/iv.bin ./NUCLEO-H755ZI_aws_tests_CM7.bin ../PostBuild/NUCLEO-H755ZI_aws_tests_CM7.sfu

 

Hello @Onizuka09,

I followed the steps as you suggested. Now it compiles without errors. Your support was very helpful and sensible. Thank you very much.

I've done a thorough study of SBSFU as described in this package. It's very useful for writing data to flash memory from a binary file with an encryption key, just to ensure a certain level of security against data tampering. For me, it works well for my purpose at a certain point after bootloading with SBSFU and setting RDP = 1. What I don't like is that after the regression from RDP = 1 to RDP = 0, the entire flash memory is erased, and this is the point that wouldn't work for my purpose, which must never erase the area from 0x08000000 to 0x08020000 (where the first software is located), and the rest of flash memory bank1 (where the second software is located) can also be erased. This is the disadvantage for me.

After various developments, there's no way to avoid deleting just the area from 0x08000000 to 0x08020000 during the regression from RDP = 1 to RDP = 0, not even the PCROP option.

I'm confident you have more experience than I. Is there any way to avoid deleting just that memory area during the RDP regression from 1 to 0?

Hello @Domy_ST,

It is possible to avoid erasing a specific flash memory area (such as 0x08000000 to 0x08020000) during RDP regression from level 1 to level 0 on STM32 devices, but only under certain conditions. You must:

  • Configure the PCROP (Proprietary Code ReadOut Protection) area to cover your desired region.
  • Ensure that the corresponding DMEP bits are both cleared to 0 in the FLASH_PRAR_CUR and FLASH_PRAR_PRG registers.
    • DMEP = 1 (checked): the PCROP region is erased when an RDP regression is performed.
    • DMEP = 0 (unchecked): the PCROP region is kept when an RDP regression is performed.

If both DMEP bits are set to 0, the PCROP area content is preserved during RDP regression. If either is set to 1, the area will be erased.
B.R

Hello @Onizuka09,

Ok, I'll make this change and hope it works for PCROP by setting DMEP for both registers.

My question is, after setting PCROP for that memory area from 0x08000000 to 0x08020000, does the software for this area still start working for the user during RDP regression?

Hello @Domy_ST,
After setting PCROP for your desired memory area and ensuring both DMEP bits are cleared, the software in that area will continue to execute for the user during and after RDP regression. Only instruction fetches are allowed; all other access types are blocked, maintaining the security of your proprietary code.
The workflow to configure a PCROP region:

  1. Define a dedicated executable section in the linker script.
  2. Place the code you want to protect into that section.
  3. Compile with the required flag: -mslow-flash-data
  4. Program the firmware.
  5. Activate the PCROP region using the flash protection configuration (STM32CubeProgrammer).
  6. Make sure the DMEP bit is configured to 0 (unchecked).

PCROP Activation Rules

  • If START > END, PCROP is deactivated
  • If START < END, PCROP is activated

I would suggest that you take a look at these references:

  • Security Part 3: STM32 security features MOOC: link
  • ST provides an expansion package for PCROP (X-CUBE_PCROP): link


B.R
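
Added example (not part of the thread and not ST code): a host-side C check of the rule given in the two replies above, that a region survives an RDP 1 to 0 regression only when an active PCROP area covers it and DMEP is 0 in both FLASH_PRAR_CUR and FLASH_PRAR_PRG. The bit positions, the 256-byte block size, the bank 1 base and reading 0x08020000 as an exclusive end are assumptions to verify against the reference manual; the register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of FLASH_PRAR_CUR / FLASH_PRAR_PRG (verify in the
 * reference manual): [11:0] start block, [27:16] end block, [31] DMEP;
 * blocks are 256 bytes, counted from the bank base. */
#define PRAR_START(v) ((v) & 0xFFFu)
#define PRAR_END(v)   (((v) >> 16) & 0xFFFu)
#define PRAR_DMEP(v)  (((v) >> 31) & 1u)
#define BANK1_BASE    0x08000000u
#define BLOCK         256u

typedef enum { PCROP_KEPT, PCROP_ERASED, PCROP_NOT_COVERED, PCROP_UNDECIDED } verdict_t;

/* Does one PRAR value place [first, last] inside an active PCROP area? */
static verdict_t covers(uint32_t prar, uint32_t first, uint32_t last)
{
    uint32_t s = PRAR_START(prar), e = PRAR_END(prar);
    if (s > e)  return PCROP_NOT_COVERED;   /* START > END: deactivated */
    if (s == e) return PCROP_UNDECIDED;     /* the thread states no rule for this */
    uint32_t lo = BANK1_BASE + s * BLOCK;
    uint32_t hi = BANK1_BASE + (e + 1u) * BLOCK - 1u; /* END names the last block */
    return (first >= lo && last <= hi) ? PCROP_KEPT : PCROP_NOT_COVERED;
}

/* Verdict for an RDP 1 -> 0 regression: the region is kept only if both
 * registers cover it and both DMEP bits are 0. */
verdict_t regression_verdict(uint32_t cur, uint32_t prg, uint32_t first, uint32_t last)
{
    verdict_t c = covers(cur, first, last), p = covers(prg, first, last);
    if (c != PCROP_KEPT) return c;
    if (p != PCROP_KEPT) return p;
    return (PRAR_DMEP(cur) | PRAR_DMEP(prg)) ? PCROP_ERASED : PCROP_KEPT;
}

int main(void)
{
    /* Constructed register values, not read from a device. */
    uint32_t good = 0x01FF0000u;            /* blocks 0x000..0x1FF, DMEP = 0 */
    uint32_t dmep = good | 0x80000000u;     /* same area, DMEP = 1 */
    static const char *txt[] = { "kept", "erased", "not covered", "undecided" };
    printf("%s\n", txt[regression_verdict(good, good, 0x08000000u, 0x0801FFFFu)]);
    printf("%s\n", txt[regression_verdict(good, dmep, 0x08000000u, 0x0801FFFFu)]);
    return 0;
}
```

Feeding it the values read back from the option bytes before triggering the regression shows whether the area is actually covered and whether either DMEP bit would cause it to be erased.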

Hello @Onizuka09,

Thanks for the valuable support. I'll try to get it to work on STM32H755, otherwise I have no other options.

Hello @Onizuka09,

I tried setting up pcrop with DMEP = 0 for both registers, but I don't see the software running for that area protected by pcrop for the user.

The software simply prints a character string with printf, so you can see via serial that the software should run by printing strings... while without pcrop protection, the software runs.

Hello @Domy_ST,

Could you share a few more details to help narrow this down?

  • the PCROP address range 
  • whether any fault handler is triggered
  • the linker file setup and how you set up the PCROP region

B.R