on 2023-06-27 12:38 AM - edited on 2023-10-19 04:58 AM by Laurids_PETERSE
This article describes the process for regressing from RDP level 2 to RDP level 0 on the STM32U5 series.
This example uses the STM32U5 Nucleo board with STM32U5A5ZJT6Q and STM32CubeProgrammer V2.13.
Note:
To regress from RDP2 to RDP0, you must be sure that your password has been defined in OEM2KEY. Otherwise, regression is not possible.
To define an OEM2 password, you must do the following:
1. Check if your sample is on RDP level 0 (no protection).
After clicking on "ok" you will lose your connection with STLINK. This is normal behavior.
Go back to the "secure programming" menu:
You have correctly downgraded the RDP from level 2 to level 0.
Does this also work with keyed RDP level 1?
Hello @RCana.2,
The process is the same for RDP Level 1.
Just be sure your password has been defined in OEM1KEY.
Regards
DianeP
<Just be sure your password has been defined in OEM1KEY>
What about if I forget the OEM1KEY? Is there some recovery for that chip (fully erased, of course) or I should throw it in the bin?
Hello @Manuel Ferrero
By default you can always regress from RDP Level 1 to Level 0. The interest of defining the OEM1KEY is to add additional protection to the part by preventing regression (in the event of an attack for example). This is the difference with level 2 regression where simple regression is blocked if you do not have the key. If you have activated RDP Level 2 without having defined OEM2KEY, you will no longer be able to do the regression because Device Closed.
Regards
Diane
So if I lose the OEM2KEY I can throw the chip in the trash?
@Manuel Ferrero What do you mean by losing the OEM2KEY? You haven't defined it?
I was under the impression I did it, but at the moment I can't unlock the chip, so I assume I did something wrong in the process.
So now I cannot perform the regression and I can't understand if this chip is bricked or there is something I can do to recover it.
I am experimenting on the whole process and it's not a big deal if I have to trash one chip, the important thing for me is to really understand how this works and be able to reproduce a precise list of steps to achieve protection after production phase.
I understand. This article gives the procedure to be sure to correctly configure our part in order to be able to do the regression. It was reproduced on our side on several pieces before publication. By following all the steps in order you should be able to have a part that can do the regression.
Regards
Diane
@Diane POMABIA can you confirm that now I don't have any chance to recover the chip? Even by some hardware pin and even by factory restoring the chip?
I don't care to lose all the memory, I would like to recover the whole board without unsoldering the micro and replace it.
@Manuel Ferrero Once your part is in RDP 2 without OEM2KEY, you can no longer reprogram or regress either by hardware or software.
Regards
Diane
In this how-to I read:
"After clicking on "ok" you will lose your connection with STLINK. This is normal behavior."
Then in step 3 I should go back to the "secure programming" menu and Click on "Unlock RDP2" and after on "Apply unlock RDP2."
But I was disconnected, should I connect again before this step? With what configuration: JTAG or SWD? Which mode? Which Reset mode?
I followed the procedure, but I bricked another chip: at the moment if I try to connect to the chip I get the following error:
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
How can I regress from RDP2 to RDP0 if I can't connect to the chip?
Errata: I did connect the STLINK wrong. Now I fixed the connection, but still getting an error, this is the log:
13:10:01:707 : UR connection mode is defined with the HWrst reset mode
13:10:01:935 : ST-LINK SN : REDACTED
13:10:01:936 : ST-LINK FW : V2J40S7
13:10:01:936 : Board : --
13:10:01:936 : Voltage : 3.35V
13:10:01:936 : ST-LINK error (DEV_UNKNOWN_MCU_TARGET)
13:10:01:936 : ST-LINK SN : REDACTED
13:10:01:937 : ST-LINK FW : V2J40S7
13:10:01:937 : Board : --
13:10:01:937 : Voltage : 3.38V
13:10:01:937 : Error: ST-LINK error (DEV_UNKNOWN_MCU_TARGET)
13:10:01:957 : Disconnected
13:10:01:962 : halt ap 0
13:10:01:963 : ST-LINK SN :
13:10:01:964 : ST-LINK FW :
13:10:01:964 : Board : --
13:10:01:965 : Voltage : 3.38V
@Manuel Ferrero The error (DEV_UNKNOWN_MCU_TARGET) usually goes away if I disconnect the st-link usb connector
@RCana.2 I tried, but no luck
Hello @Manuel Ferrero @RCana.2
This is a tool bug where step 1 has to be done twice.
Workaround :
Can you retest on your two boards by doing step 1 <<Go back to the "secure programming" menu and Click on "Unlock RDP2" and after on "Apply unlock RDP2">> 2 times before moving on to step 2?
If you have correctly defined your password, no worries, go back directly from this step, you can regress to level 0.
Internal ticket has been created to solve this bug.
Internal ticket number: 157559 (This is an internal tracking number and is not accessible or usable by customers).
Regards
Diane
Hello Diane.
At the moment the issue is that I cannot connect to the board anymore. If I try to connect I get an error.
This log is when I tried to connect with the following connection settings:
Port: JTAG
Frequency: 9000
Mode: Under reset
Reset mode: Hardware reset
09:19:35:487 : UR connection mode is defined with the HWrst reset mode
09:19:35:507 : ST-LINK SN : 53FF71068389505253152567
09:19:35:507 : ST-LINK FW : V2J40S7
09:19:35:507 : Board : --
09:19:35:508 : Voltage : 3.36V
09:19:35:508 : ST-LINK error (DEV_UNKNOWN_MCU_TARGET)
09:19:35:508 : ST-LINK SN : 53FF71068389505253152567
09:19:35:508 : ST-LINK FW : V2J40S7
09:19:35:508 : Board : --
09:19:35:509 : Voltage : 3.39V
09:19:35:509 : Error: ST-LINK error (DEV_UNKNOWN_MCU_TARGET)
09:19:35:526 : Disconnected
I also tried to change Mode and Reset mode to all the available values and I still got the same result.
And this one is with the following settings:
Port: SWD
Frequency: 4000
Mode: Under reset
Reset mode: Hardware reset
09:20:23:518 : UR connection mode is defined with the HWrst reset mode
09:20:23:540 : ST-LINK SN : 53FF71068389505253152567
09:20:23:540 : ST-LINK FW : V2J40S7
09:20:23:540 : Board : --
09:20:23:540 : Voltage : 3.35V
09:20:23:540 : Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
09:20:23:565 : Disconnected
I tried to change Mode and Reset mode settings with the same result.
If I try to follow your procedure and press "Unlock RDP2" and then "Apply unlock RDP2", I get the same error.
@Diane POMABIA, @Jocelyn RICARD Hello, I'm working on a STM32U595 and I encountered the same issue (not being able to do the regression from RDP2 to RDP1 even with my OEMKEY1 and 2 set, etc.).
First of all I configured OEMKEY1 and 2 :
Then I followed the full process using Reference Manual + a nice tutorial by ST
However, it doesn't work, I have two weird behaviors:
If I use STM32CubeProgrammer I can read the Auth device ID :
But I can't unlock RDP2 (By the way I tried twice as you answered above):
I tried in command line and what a surprise to see " Unlock RDP2 password failed!"
At some point, I was like "oh it's me, I typed the wrong password", so I tried on another STM32U595, we were two doing it, so double check. Same issue happened.
Could you help me regarding this issue? By the way I was using STM32CubeProgrammer 2.14 (last version), I was Under Reset for unlock sequence, and hotplug mode to get auth device. I also tried to save my chip by putting 3.3V on BOOT0 pin, but looks like I can't connect to debugger or do anything more.
Kind regards
I am having some progress on this topic using only the command line, but I still have regular issues when trying to make the process repeatable: quite often I have errors in writing the option bytes, typically when reading back the expected values:
-------------------------------------------------------------------
STM32CubeProgrammer v2.14.0
-------------------------------------------------------------------
ST-LINK SN : 36FF70065648343817460843
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.36V
SWD freq : 4000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x482
Revision ID : Rev W
Device name : STM32U575/STM32U585
Flash size : 2 MBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0
Debug in Low Power mode enabled
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 36 Bytes
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
Error: Uploading Option Bytes bank: 0 failed
Error: Initializing the Option Bytes failed
And right after that I get a connection error:
-------------------------------------------------------------------
STM32CubeProgrammer v2.14.0
-------------------------------------------------------------------
ST-LINK SN : REDACTED
ST-LINK FW : V3J8M3B5S1
Board : STLINK-V3SET
Voltage : 3.49V
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
2nd connect tentative with frequency (8MHz)
ST-LINK SN : REDACTED
ST-LINK FW : V3J8M3B5S1
Board : STLINK-V3SET
Voltage : 3.49V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
Please note that those are the output of two different commands sent on the command line by my script.
At this point I cannot write option bytes anymore, via the script or the cube programmer.
Hello @Manuel Ferrero
Can you try this little test by using STM32_Programmer_CLi and share with me your result ?
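@ECHO OFF
SETLOCAL
SET TOOLDIR=c:\Program Files\STMicroelectronics\STM32Cube\CubeProgrammer1.14\bin
SET TOOL=%TOOLDIR%\STM32_Programmer_CLI.exe
SET MY_CURR_DIR=%cd%
@ECHO ON
cd /d "%TOOLDIR%"
@REM Display the current option bytes (RDP should read 0xAA, level 0)
"%TOOL%" -c port=SWD mode=HOTPLUG -ob displ
@REM Define the OEM2KEY and OEM1KEY passwords (two 32-bit words each)
"%TOOL%" -c port=SWD mode=HOTPLUG -lockRDP2 0x12345678 0xABCDEFAB
"%TOOL%" -c port=SWD mode=HOTPLUG -lockRDP1 0x12345678 0xABCDEFAB
@REM Set RDP level 2 (0xCC); the debug connection is lost after this step
"%TOOL%" -c port=SWD mode=HOTPLUG -ob RDP=0xCC
@REM Under reset: present the passwords, then request regression to level 0 (0xAA)
"%TOOL%" -c port=SWD mode=UR -unlockRDP2 0x12345678 0xABCDEFAB
"%TOOL%" -c port=SWD mode=UR -unlockRDP1 0x12345678 0xABCDEFAB
"%TOOL%" -c port=SWD mode=UR -ob RDP=0xAA
"%TOOL%" -c port=SWD mode=UR -unlockRDP1 0xFFFFFFFF 0xFFFFFFFF
@REM Display the option bytes again to confirm the resulting RDP level
"%TOOL%" -c port=SWD mode=UR -ob displ
cd /d "%MY_CURR_DIR%"
@ENDLOCAL
@PAUSE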
Regards
Diane
Thanks to @Diane POMABIA I solved my issue. The problem was just my STLink version not up-to-date, you must have at least V2J38 STLink FW Version to process regression! Now with V2J42S7 everything is fine!
@eSenKaa as discussed in inbox, your problem was related to your version of STLINK.
To perform a regression, your STLINK FW version must be at least V2J38 for ST-Link/V2 and V3J8M3 for ST-Link/V3.
We recommend that you always use the latest version of STLINK.
Pleased to be able to help you.
Regards
Diane
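A pre-flight gate for scripted provisioning, added here as an example (not ST's code and not from any poster in this thread): it parses STM32CubeProgrammer CLI output in the format shown above and blocks the `-ob RDP=0xCC` step unless the probe firmware meets the stated minimum, the part reads RDP level 0, and the OEM2KEY lock was confirmed. The function names, the sample text, and the comparison of the J and M firmware fields as an ordered pair are assumptions.

```python
import re

# Minimums stated in the thread: V2J38 (ST-Link/V2) and V3J8M3 (ST-Link/V3).
# Assumption: versions compare as the ordered pair (J field, M field).
MIN_FW = {2: (38, 0), 3: (8, 3)}

FW_RE = re.compile(r"ST-LINK FW[ \t]*:[ \t]*(V(\d+)J(\d+)(?:M(\d+))?\w*)")
RDP_RE = re.compile(r"^[ \t]*RDP[ \t]*:[ \t]*(0x[0-9A-Fa-f]+)", re.M)
LOCK_OK = "Lock RDP2 password successfully done"  # message text as logged above

# Constructed sample output, following the log format shown on this page.
SAMPLE_DISPL = """\
ST-LINK SN  : CONSTRUCTED-SAMPLE
ST-LINK FW  : V2J40S7
Voltage     : 3.39V
Read Out Protection:
  RDP          : 0xAA (Level 0, no protection)
"""
SAMPLE_LOCK = "ST-LINK FW  : V2J40S7\n" + LOCK_OK + "\n"


def probe_fw_ok(cli_output):
    """Return (ok, version) for the first populated ST-LINK FW line."""
    m = FW_RE.search(cli_output)
    if not m:
        return False, None
    gen, jtag, mass = int(m.group(2)), int(m.group(3)), int(m.group(4) or 0)
    minimum = MIN_FW.get(gen)
    ok = minimum is not None and (jtag, mass) >= minimum
    return ok, m.group(1)


def ready_for_rdp2(displ_output, lock_output):
    """Return the reasons NOT to write RDP=0xCC; an empty list means go."""
    reasons = []
    ok, version = probe_fw_ok(displ_output)
    if not ok:
        reasons.append(f"ST-LINK firmware {version or 'unknown'} is below the stated minimum")
    rdp = RDP_RE.search(displ_output)
    if not rdp or int(rdp.group(1), 16) != 0xAA:
        reasons.append("device does not report RDP level 0 (0xAA)")
    if LOCK_OK not in lock_output:
        reasons.append("no confirmation that the OEM2KEY password was set")
    return reasons


if __name__ == "__main__":
    blockers = ready_for_rdp2(SAMPLE_DISPL, SAMPLE_LOCK)
    print("OK to set RDP level 2" if not blockers else "\n".join(blockers))
```

Feed it the captured output of `-ob displ` and `-lockRDP2` and stop the script on any returned reason, since a part at RDP 2 without a usable OEM2KEY cannot be regressed.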
Hello @Diane POMABIA.
I ran the script after some minor modifications, and these are the results:
C:\Users\mfferrero\Desktop>cd "C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin"
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -ob displ
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
SWD freq : 4000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x482
Revision ID : Rev W
Device name : STM32U575/STM32U585
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x93
Debug in Low Power mode enabled
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 36 Bytes
Bank : 0x01
Address : 0x40022068
Size : 8 Bytes
OPTION BYTES BANK: 0
Read Out Protection:
RDP : 0xAA (Level 0, no protection)
BOR Level:
BOR_LEV : 0x0 (BOR Level 0, reset level threshold is around 1.7 V)
User Configuration:
TZEN : 0x0 (Global TrustZone security disabled)
nRST_STOP : 0x1 (No reset generated when entering Stop mode)
nRST_STDBY : 0x1 (No reset generated when entering Standby mode)
nRST_SHDW : 0x1 (No reset generated when entering the Shutdown mode)
SRAM134_RST : 0x1 (SRAM1, SRAM3 and SRAM4 not erased when a system reset occurs)
IWDG_SW : 0x1 (Software independent watchdog)
IWDG_STOP : 0x1 (IWDG counter active in stop mode)
IWDG_STDBY : 0x1 (IWDG counter active in standby mode)
WWDG_SW : 0x1 (Software window watchdog)
SWAP_BANK : 0x0 (Bank 1 and bank 2 address are not swapped)
DBANK : 0x1 (Dual-bank Flash with contiguous addresses)
BKPRAM_ECC : 0x1 (Backup RAM ECC check disabled)
SRAM3_ECC : 0x1 (SRAM3 ECC check disabled)
SRAM2_ECC : 0x1 (SRAM2 ECC check disabled)
SRAM2_RST : 0x0 (SRAM2 erased when a system reset occurs)
nSWBOOT0 : 0x1 (BOOT0 taken from PH3/BOOT0 pin)
nBOOT0 : 0x1 (nBOOT0 = 1)
PA15_PUPEN : 0x1 (USB power delivery dead-battery disabled/ TDI pull-up activated)
IO_VDD_HSLV : 0x0 (High-speed IO at low VDD voltage feature disabled (VDD can exceed 2.5 V))
IO_VDDIO2_HSLV: 0x0 (High-speed IO at low VDDIO2 voltage feature disabled (VDDIO2 can exceed 2.5 V))
Boot Configuration:
NSBOOTADD0 : 0x100000 (0x8000000)
NSBOOTADD1 : 0x17F200 (0xBF90000)
Write Protection 1:
WRP1A_PSTRT : 0x7F (0x80FE000)
WRP1A_PEND : 0x0 (0x8000000)
UNLOCK_1A : 0x1 (WRP1A start and end pages unlocked)
WRP1B_PSTRT : 0x7F (0x80FE000)
WRP1B_PEND : 0x0 (0x8000000)
UNLOCK_1B : 0x1 (WRP1B start and end pages unlocked)
OPTION BYTES BANK: 1
Write Protection 2:
WRP2A_PSTRT : 0x7F (0x81FE000)
WRP2A_PEND : 0x0 (0x8100000)
UNLOCK_2A : 0x1 (WRP2A start and end pages unlocked)
WRP2B_PSTRT : 0x7F (0x81FE000)
WRP2B_PEND : 0x0 (0x8100000)
UNLOCK_2B : 0x1 (WRP2B start and end pages unlocked)
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -lockRDP2 0x12345678 0xABCDEFAB
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
SWD freq : 4000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x482
Revision ID : Rev W
Device name : STM32U575/STM32U585
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x93
Debug in Low Power mode enabled
Lock RDP2 password successfully done
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -lockRDP1 0x12345678 0xABCDEFAB
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
SWD freq : 4000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x482
Revision ID : Rev W
Device name : STM32U575/STM32U585
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x93
Debug in Low Power mode enabled
Lock RDP1 password successfully done
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -ob RDP=0xCC
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
SWD freq : 4000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x482
Revision ID : Rev W
Device name : STM32U575/STM32U585
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x93
Debug in Low Power mode enabled
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 36 Bytes
Bank : 0x01
Address : 0x40022068
Size : 8 Bytes
PROGRAMMING OPTION BYTES AREA ...
Bank : 0x00
Address : 0x40022040
Size : 36 Bytes
Reconnecting...
Error: failed to reconnect after reset !
UPLOADING OPTION BYTES DATA ...
Bank : 0x00
Address : 0x40022040
Size : 36 Bytes
Error: Uploading Option Bytes bank: 0 failed
Error: Reloading Option Bytes Data failed
Time elapsed during option Bytes configuration: 00:00:07.030
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=UR -unlockRDP2 0x12345678 0xABCDEFAB
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
Unlock RDP2 password succefully done!
Error: Cannot connect to access port 0!
If you are trying to connect to a device with TrustZone enabled please try to connect with HotPlug mode.
If you are trying to connect to H5 device and your target is already locked with password or certificate, please open your device using Debug Authentication.
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=UR -unlockRDP1 0x12345678 0xABCDEFAB
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
Error: Cannot connect to access port 0
If you are trying to connet to a device with TrustZone enabled please try to connect with HotPlug mode
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=UR -ob RDP=0xAA
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
Error: Cannot connect to access port 0!
If you are trying to connect to a device with TrustZone enabled please try to connect with HotPlug mode.
If you are trying to connect to H5 device and your target is already locked with password or certificate, please open your device using Debug Authentication.
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=UR -unlockRDP1 0xFFFFFFFF 0xFFFFFFFF
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.38V
Error: Cannot connect to access port 0
If you are trying to connet to a device with TrustZone enabled please try to connect with HotPlug mode
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD mode=UR -ob displ
-------------------------------------------------------------------
STM32CubeProgrammer v2.13.0
-------------------------------------------------------------------
ST-LINK SN : 53FF71068389505253152567
ST-LINK FW : V2J40S7
Board : --
Voltage : 3.39V
Error: Cannot connect to access port 0!
If you are trying to connect to a device with TrustZone enabled please try to connect with HotPlug mode.
If you are trying to connect to H5 device and your target is already locked with password or certificate, please open your device using Debug Authentication.
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>cd C:\Users\mfferrero\Desktop
Premere un tasto per continuare . . .
Great, now can you do a power off/on of your board with your modification, and after that retest this code?
@Echo OFF
SETLOCAL
SET TOOLDIR=c:\Program Files\STMicroelectronics\STM32Cube\CubeProgrammer1.14\bin
SET TOOL=%TOOLDIR%\STM32_Programmer_CLI.exe
SET MY_CURR_DIR=%cd%
@Echo ON
cd /d "%TOOLDIR%"
@REM Display the current option bytes after the power cycle
"%TOOL%" -c port=SWD mode=HOTPLUG -ob displ
@REM Under reset: present the passwords, then request regression to level 0 (0xAA)
"%TOOL%" -c port=SWD mode=UR -unlockRDP2 0x12345678 0xABCDEFAB
"%TOOL%" -c port=SWD mode=UR -unlockRDP1 0x12345678 0xABCDEFAB
"%TOOL%" -c port=SWD mode=UR -ob RDP=0xAA
"%TOOL%" -c port=SWD mode=UR -unlockRDP1 0xFFFFFFFF 0xFFFFFFFF
@REM Display the option bytes again to confirm the resulting RDP level
"%TOOL%" -c port=SWD mode=UR -ob displ
cd /d "%MY_CURR_DIR%"
@ENDLOCAL
@PAUSE
The aim here is to send the regression command after.
Regards
Diane