2026-04-02 2:43 AM
Hello,
I have managed to lock a couple of Nucleo H503 boards and, while they are not very expensive, I would like to try and understand the problem so we can avoid it on production boards.
Although I have been experimenting with setting security options (to provisioning and closed, with a password), I don't think the problem is with security as the programmer Discovery mode is unable to even detect the device.
My code checks the security setting and changes it if not closed, so would normally only run on the first pass.
First, it checks if the password data is in the OTP memory and if not, writes it and locks the block. Since reading unwritten OTP memory causes a bus fault, I use the block lock bit setting as an indication that the OTP has been written.
I then compare the OTP data with the expected values and, if correct, set the state to Provisioning then Closed.
I have stumbled across a few things that seem to help or cause problems during this process:
With these measures, it seems to work although it is hard to test the OTP write as you only get 1 go per chip on the H503. I have written to some of the other 31 OTP blocks, just to check the writing process.
I am able to Discover a locked H5 with the ST Programmer, supply the password, and perform a full regression.
My current process seems to work but is a little hard to be sure because it can only be fully tested once on each H503. I have 2 locked boards and I would like to try and unlock them so I can see what went wrong and it would be good to know we could unlock production boards if it happens again.
On a working board, I can perform a regression to Open with:
STM32_Programmer_CLI.exe -c port=SWD mode=HotPlug pwd=C:\temp\da_password.bin debugauth=2
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
Password file path submitted : C:\temp\da_password.bin
Start Debug Authentication Sequence
Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0
SDMOpen : 625 : open : SDM Library version v1.2.0
open_comms : 513 : open : Asserting target reset
open_comms : 517 : open : Writing magic number
open_comms : 537 : open : De-asserting target reset
open_comms : 584 : open : Communication with the target established successfully
response_packet_lock
discovery: target ID.......................:0x474
discovery: SoC ID..........................:0x00000000_35343637_30325101_003A0043
discovery: SDA version.....................:1.2.0
discovery: Vendor ID.......................:STMicroelectronics
discovery: PSA lifecycle...................:ST_LIFECYCLE_CLOSED
discovery: PSA auth version................:1.0
discovery: ST HDPL1 status.................:0x11111111
discovery: ST HDPL2 status.................:0x22222222
discovery: ST HDPL3 status.................:0x33333333
discovery: Token Formats...................:0x200
discovery: Certificate Formats.............:0x201
discovery: cryptosystems...................:ST Password
discovery: ST provisioning integrity status:0xffffffff
discovery: permission if authorized...........:(a/14) ==> Full Regression
To select multiple permission/actions:
Using numerical values: List the needed bit numbers, separated by commas without spaces.
Using symbolic letters: List the needed letters by concatenating them without separators.
Debug Authentication: Discovery Success
If I try this on one of the locked boards, I get:
STM32_Programmer_CLI.exe -c port=SWD mode=HotPlug pwd=C:\temp\da_password.bin debugauth=2
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
Password file path submitted : C:\temp\da_password.bin
Start Debug Authentication Sequence
Open SDM Lib
SDMOpen : 624 : open : SDM API v1.0
SDMOpen : 625 : open : SDM Library version v1.2.0
open_comms : 513 : open : Asserting target reset
open_comms : 517 : open : Writing magic number
open_comms : 537 : open : De-asserting target reset
open_comms : 573 : open : No response from the target
open_comms : 574 : open : The target is unable to boot on RSS_DA or is in OPEN mode
open_comms : 575 : open : Failed to open communication with the target
Error:
Debug Authentication: Discovery Failed
If I try to erase a locked board, I get:
STM32_Programmer_CLI.exe -c port=swd -e ALL
-------------------------------------------------------------------
STM32CubeProgrammer v2.20.0
-------------------------------------------------------------------
ST-LINK SN : 003E00413132511138363431
ST-LINK FW : V3J16M8
Board : NUCLEO-H503RB
Voltage : 3.29V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 003E00413132511138363431
ST-LINK FW : V3J16M8
Board : NUCLEO-H503RB
Voltage : 3.29V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
Any suggestions for how to get in, or what is wrong would be welcome.
Thanks
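A check that could run on a provisioning line to classify STM32_Programmer_CLI output like the three captures quoted in the post above. This is an added example, not part of the original post or of ST's tooling; the function names and status labels are assumptions, and the sample strings are excerpts of the output shown in the post.

```python
import re

# Matches "discovery: <name>.....:<value>" lines printed during DA discovery.
FIELD_RE = re.compile(r"^discovery:\s*(.+?)\.*:(.*)$")

def parse_discovery(output):
    """Return the discovery fields as a dict, e.g. {'PSA lifecycle': ...}."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def classify(output):
    """Return (status, lifecycle, full_regression_offered); labels are hypothetical."""
    fields = parse_discovery(output)
    if "Debug Authentication: Discovery Success" in output:
        perms = fields.get("permission if authorized", "")
        return ("DA_OK", fields.get("PSA lifecycle"), "Full Regression" in perms)
    if "No response from the target" in output:
        return ("DA_NO_RESPONSE", None, False)   # RSS_DA did not answer
    if "Unable to get core ID" in output:
        return ("NO_DEBUG_ACCESS", None, False)  # plain SWD connect refused
    return ("UNKNOWN", None, False)

# Excerpts of the three captures quoted in the post.
WORKING = """open_comms : 584 : open : Communication with the target established successfully
discovery: target ID.......................:0x474
discovery: PSA lifecycle...................:ST_LIFECYCLE_CLOSED
discovery: ST provisioning integrity status:0xffffffff
discovery: permission if authorized...........:(a/14) ==> Full Regression
Debug Authentication: Discovery Success"""
LOCKED_DA = """open_comms : 573 : open : No response from the target
open_comms : 575 : open : Failed to open communication with the target
Debug Authentication: Discovery Failed"""
LOCKED_ERASE = """Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication"""

if __name__ == "__main__":
    for name, text in [("working", WORKING), ("locked, DA", LOCKED_DA), ("locked, erase", LOCKED_ERASE)]:
        print(name, classify(text))
```

Only a DA_OK result with full regression offered corresponds to the working board in the post; the other two results match the output from the locked boards.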
2026-04-08 4:42 AM
Update.
I have discovered
STM32H503CB/EB/KB/RB
Errata sheet
2.2.23 Debug authentication services unavailable after direct transition from OPEN to CLOSED
This appears to be related to my problem although the suggested workaround is a little confusing - it suggests setting PRODUCT_STATE = REGRESSION but this state is not available - it is shown in the RM Table 37. PRODUCT_STATE transitions, but not in the programmer pull down.
I have been trying to go through the states from firmware, with a sw reset after each step:
If OPEN, OPEN -> PROVISIONING, reset
If OTP not written, write and lock it, reset
PROVISIONING -> CLOSED, reset
This is hard to debug as the IDE disconnects after the first reset! It never seems to make the change to closed but I can then do it from the programmer.