STM32H533 unable to do a full regression with newest STMCubeProgrammer V2.18 and V2.19

Heinz_Baumer
Associate II

Hello.

With an STM32H563, I can change the product state to 0x17 (provisioning), reconnect with HotPlug,
start provisioning with my OBK file and change the production state to closed (0x72) without any problems.

I don't use TrustZone.

A full regression after this with STMCubeProgrammer and the password.bin file is possible without problems.

 

I use the explanation from the knowledge base here: https://community.st.com/t5/stm32-mcus/how-to-enable-rdp-like-product-state-flash-protection-in-stm32h5/ta-p/708082

 

If I try the same thing with an STM32H533 and with the same OBK file I used on the STM32H563 (<DoEncryption>0</DoEncryption> in the XML file: just as stated in the knowledge base for all STM32H5, because the STM32H533 has crypto), I can do the provisioning and can change the product state to closed.

But after this a full regression is no longer possible.

Tested with 2 eval boards and with STMCubeProgrammer V2.18 and STMCubeProgrammer V2.19.

 

If I read out the OBK keys @ FLASH_OBK_BASE_S with offset 0x100 length 0x60, the correct key values from my OBK file are present.

If I read out the product state, it is 0x72.

So all is OK, but no full regression is possible.

Is this a known chip bug or a known bug in STMCubeProgrammer?

 

If I do the change of product state to provisioning and to closed, writing the OBK keys, with my user software (activate self-readout-protection), this works correctly on an STM32H563 and on an STM32H533.
But a full regression after this is only possible on an STM32H563, not on an STM32H533!

 

As a workaround: does anyone know how to do a full regression by user software?

An erase of the OBK by user software is not possible: HAL_FLASHEx_Erase(&EraseInitStruct, &ulTemp) gives a 0x0FFD0900 in ulTemp and nothing changed.
Rewriting the product state with HAL_FLASHEx_OBProgram(&sOBInit); to Open isn't possible.

So all STM32H533 are locked forever.

 

Any idea??

 

2 REPLIES
Heinz_Baumer
Associate II

Hello.

Update: The explanation from the knowledge base to enable RDP-like flash protection (product state = 0x72) is wrong. It is only correct for devices without encryption !!!!

On every STM32H5 device which has the crypto option (STM32H533, STM32H573), the encryption in the XML file must be set to 1 -> <DoEncryption>1</DoEncryption>

Then create the OBK file, start provisioning, close the device, and a full regression is possible.

 

 

Now my question to the specialists:

Can I read the encrypted OBK key from the processor and use it in any other processor from the same series
(as I can do it with the devices: STM32H563, STM32H523, STM32H503)?

 

Or is the encryption of the OBK key unique for each individual processor because it uses its own internal unique key?

 

 

The reason is that we have to activate debug protection (closed) via our software, since the STMCubeProgrammer software unfortunately doesn't support a Segger J-Link with a network interface, and ST doesn't offer an STLink that can be accessed via the network.  :(

However, we will need this in production to program each individual processor. And this means we have no chance of activating debug protection for each individual processor with the STMCubeProgrammer.

 

Or alternatively the question: does anyone know how to do a full regression by user software on a closed device?

Or alternatively the question: does anyone know how to encrypt the OBK keys from the OBK file for each unique processor by user software (inside the processor by itself or outside on a PC)? Is there sample source code available?

 

Jocelyn RICARD
ST Employee

Hello @Heinz_Baumer ,

Can I read the encrypted OBK key from the processor and use it in any other processor from the same series
(as I can do it with the devices: STM32H563, STM32H523, STM32H503)?

You can read it, but it is encrypted. It can only be used by the device on which it was encrypted.

 

Or is the encryption of the OBK key unique for each individual processor because it uses its own internal unique key?

Exactly. Encryption used DHUK (Derived Hardware Unique Key): This is unique per device.

 

Regarding other questions, please check the example I provided on hotspot. here

This example provides the code to encrypt the OBK.

BUT, this is ONLY usable with TrustZone enabled.

When TrustZone is disabled, this does not work because we cannot select the right DHUK. This is a limitation that will be solved in the next chip release. But right now, there is no solution, except provisioning the DA using the provisioning mechanism. This mechanism should be implemented by Segger already.

 

Regarding your question about regression, you can find the code in the hotspot example, in the Helpers directory, in product_state.c

Best regards

Jocelyn