RDP regression from Level 1 to level 0

Akhil0812 · ‎2025-09-15

Hi teams,
CPU: STM32U0
Current RDP level: Level 1
OEM1 RDP lock: Enabled.
I had set the 128bit OEM1 key to the OEM key registers [FLASH_OEM1KEYWyR ]accordingly, and the written OEM1 key values was verified using their CRC values by reading OEM1KEYCRC register.
Now I am trying to make the regression from level 1 to level 0 according to the user manual description [section: 3.5.1 FLASH read protection (RDP)].

But the operation was failed using my source code. Which is attached below

#define STM32U0_DBGMCU_BASE 0x40015800 // Accessible to the software via the APB access port AP0
#define STM32U0_DBGMCU_DBG_AUTH_HOST (STM32U0_DBGMCU_BASE + 0x100) // Debug authentication mailbox host register

Could you please clarify the following doubts,
1. The unlock sequence says, debug access port 1 has to be used for programming the 128-bit OEM1 key in the DBGMCU_DBG_AUTH_HOST register,

but when I checked the DBGMCU_DBG_AUTH_HOST register base, it says

So, what is the base address for DBGMCU_DBG_AUTH_HOST register and which AP should be selected during OEM key write process.
2. After connecting the target from the following settings via STM32 Cube programmer. I have tried to change RDP level using secure programming page.

What could be the reason behind this?
3. If I select the AP to 1, target connection is not feasible and the following error prompt was occurred.

Right now the flash memory is not accessible, please let me know how can I recover from this issue.

Thanks
Akhil

Jocelyn RICARD · ‎2025-11-13

Hello,

I made a test on a Nucleo U083RC.

It looks like you need to use ap=1 to provide the key.

Then to set RDP=0xAA, you need to use ap=0

Providing the password:. Here ap=0 and ap=1 both work

C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG ap=0 -lockRDP1 0x12345678 0x12345678 0x12345678 0x12345678
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.20.0
      -------------------------------------------------------------------

ST-LINK SN  : 066FFF373857343143073059
ST-LINK FW  : V2J46M31
Board       : NUCLEO-U083RC
Voltage     : 3.23V
SWD freq    : 4000 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x489
Revision ID : Rev A
Device name : STM32U0xx
Flash size  : 256 KBytes (default)
Device type : MCU
Device CPU  : Cortex-M0+
BL Version  : 0xD0
Debug in Low Power mode enabled


Lock RDP1 password successfully done

Set RDP=0xBB:

C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD  mode=HOTPLUG -ob RDP=0xBB
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.20.0
      -------------------------------------------------------------------

ST-LINK SN  : 066FFF373857343143073059
ST-LINK FW  : V2J46M31
Board       : NUCLEO-U083RC
Voltage     : 3.23V
SWD freq    : 4000 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x489
Revision ID : Rev A
Device name : STM32U0xx
Flash size  : 256 KBytes (default)
Device type : MCU
Device CPU  : Cortex-M0+
BL Version  : 0xD0
Debug in Low Power mode enabled


UPLOADING OPTION BYTES DATA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%


PROGRAMMING OPTION BYTES AREA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%



Reconnecting...
Reconnected !


UPLOADING OPTION BYTES DATA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%

OPTION BYTE PROGRAMMING VERIFICATION:

Option Bytes successfully programmed
Time elapsed during option Bytes configuration: 00:00:02.215

RDP 1 unlock with ap=1:

C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG ap=1 -unlockRDP1 0x12345678 0x12345678 0x12345678 0x12345678
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.20.0
      -------------------------------------------------------------------

ST-LINK SN  : 066FFF373857343143073059
ST-LINK FW  : V2J46M31
Board       : NUCLEO-U083RC
Voltage     : 3.23V
SWD freq    : 4000 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x489
Revision ID : Rev A
ST-LINK SN  : 066FFF373857343143073059
ST-LINK FW  : V2J46M31
Board       : NUCLEO-U083RC
Voltage     : 3.23V

Unlock RDP1 password successfully done
SWD freq    : 1800 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x489
Revision ID : Rev A
Device name : STM32U0xx
Flash size  : 256 KBytes (default)
Device type : MCU
Device CPU  : Cortex-M0+
BL Version  : 0x0
Debug in Low Power mode enabled

Regression with ap=0 or without specifying ap:

STM32_Programmer_CLI.exe -c port=SWD  mode=HOTPLUG -ob RDP=0xAA
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.20.0
      -------------------------------------------------------------------

ST-LINK SN  : 066FFF373857343143073059
ST-LINK FW  : V2J46M31
Board       : NUCLEO-U083RC
Voltage     : 3.23V
SWD freq    : 4000 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x489
Revision ID : Rev A
Device name : STM32U0xx
Flash size  : 256 KBytes (default)
Device type : MCU
Device CPU  : Cortex-M0+
BL Version  : 0xD0
Debug in Low Power mode enabled


UPLOADING OPTION BYTES DATA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%


PROGRAMMING OPTION BYTES AREA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%



Reconnecting...
Reconnected !


UPLOADING OPTION BYTES DATA ...

  Bank          : 0x00
  Address       : 0x40022020
  Size          : 100 Bytes

██████████████████████████████████████████████████ 100%

OPTION BYTE PROGRAMMING VERIFICATION:

Option Bytes successfully programmed
Time elapsed during option Bytes configuration: 00:00:02.222

I hope this will help

Best regards

Jocelyn

Corentin · ‎2025-11-14

Many thanks Jocelyn for the quick feedback!

On a new board, following the steps you described is so far OK. Back at level 0, I can neither flash nor erase the board any more, even though I see "RDP=AA", "OEM1 lock not active" and the memory contents can be read out normally. Can you reproduce this on the Nucleo? This is not systematic, it also works sometimes!

Other thoughts:

- At step 3 (RDP 1 unlock with ap=1), provisioning a wrong password yields "Unlock RDP1 password successfully done". Is this normal?

- Repeating step 1 (Providing the password) to a board with "RDP=BB" also seems to work! I'd expect an error in this case. Is this normal?

- Changing level may fail (even though I executed several time the exact same script), in this case RDP=0, which seems to indicate an option byte corruption. Is there any way to save the board in this case?

The whole thing looks rather unstable to me. Does ST have for example a kind of unit test with a batch repeating the whole process (flash / verify / set PW / set RDP1 / unlock / set RDP0 / read / re-flash, etc.) ?

Thanks again!