Regarding RDP regression with password in STM32U0 CPU via STM32Cube programmer

Akhil0812 · ‎2025-09-19

Hi teams,
Board: Nucleo-U083RC
CPU: STM32U083R
Today, I faced a problem with my new board while performing RDP regression using the STM32 Cube programmer.
The condition of the board prior to the issue,
* Option bytes value: At default level.
* Flash data: Default data [LED sample].
Step that I followed,
1.Initially, I have configured the OEM1 key values with a password, resulting in the transition of the OEM lock bit status from "not active" to "active".

2. I then configured only the RDP level in the Option bytes tab, changing it from Level 0[0xAA] to Level 1[0xBB], while the other OB values remained in their default state.
3. I disconnected the programmer and subsequently reconnected it, allowing the changes to be reflected shortly thereafter.

4. To perform the regression in the STM32Cube programmer, I adhered to the procedures outlined in UM2237 User Manual [section: 2.9.2 RDP regression with password].

4.1. STM programmer connection settings

4.2. I have written the OEM1 password and pressed on "unlock RDP" button“
The following status was observed

4.3. Changed the Option bytes values [ changed the RDP level to 0], and performed OB write by "apply" button
4.4. The following error was noticed

Questions:
1) Should I modify any settings of STM32 programmer prior to connecting the target, aside from those specified procedures which is specified in section 4.1 of the STM programmer connection settings?
2) In the UM2237 User Manual [section: 2.9.2 RDP regression with password], it states, "write the OEM1 password, and press the 'RDP regression' button," yet there was no 'RDP regression' button available. Does this imply that 'Unlock RDP 1' is meant instead?
3) When the target is connected in hotplug mode on access port 1, the OB data was not read, and everything was recorded as 0. Therefore, I believe this is the cause of the OB write failure.
Is this a bug, or did I execute the RDP regression incorrectly?

4) Even if I enter an incorrect OEM1 password, the operation still succeeds, indicating that "Unlock RDP password successfully done." Does it not verify whether the provided password matches or not?

Aziz BRIGUI · ‎2025-10-07

Hello @Akhil0812,

Could you try using the CLI:

>STM32_Programmer_CLI -c port=SWD mode=hotplug ap=1 -unlockRDP1 0xAAAAAAAA 0xAAAAAAAA 0xAAAAAAAA 0xAAAAAAAA

Aziz

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

AScha.3 · ‎2025-10-07

Hi,

just this:

>4.3. Changed the Option bytes values [ changed the RDP level to 0],

Did you write 0 or 0xAA to it , to set it RDP = 0 ???

Because it complains: option byte now : 0x0 .

If you feel a post has answered your question, please click "Accept as Solution".

Akhil0812 · ‎2025-10-07

Written 0xAA, to make the regression

Aziz BRIGUI · ‎2025-10-09

Hello @Akhil0812,

Did you find the time to try via CLI. Do you need me to walk you through the steps?

Aziz

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Akhil0812 · ‎2025-10-09

When I attempted to conduct the regression using the STM32 Cube programmer, I encountered difficulties. Consequently, I have developed the source code to facilitate the regression, which is now functioning properly.
Now I can make the regression from RDP level 2-1-0.

Additionally, I have no idea about the reasons for the failure of the STM programmer in executing the regression.

Aziz BRIGUI · ‎2025-10-10

Hello @Akhil0812,

What source code are you referring to? Can you share the steps you followed to get it working ?

Aziz

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Akhil0812 · ‎2025-10-15

According to the steps mentioned in the section 3.5.1 OEM1 RDP lock mechanism in the CPU user manual,
Eg: OEM 1 regression

To execute this procedure, the OEM key must be written to the DBGMCU_DBG_AUTH_HOST register [also referred to as mail box registers], which can only be done through an external debugger in AP1. Therefore, to carry out the mail box write operation, I have adhered to the following steps:
1. Before the external debugger can connect to an access port, the debugger must first request the device to

power up through CxxxPWRUPREQ in the SWJ-DP [Optional]
2. By default AP (access port) will be 0, so change it to 1.

3. [Optional] Verify the OEM1 key

OEM1KEY and OEM2KEY cannot be read, they are always read as zero.

However, to verify the keys, their CRC can be accessed through OEM1KEYCRC and

OEM2KEYCRC of the FLASH_OEMKEYSR register.

4. To write the OEM key to the mail box registers, certain AP registers must be utilized.
4.1 - Assign the DBGMCU_DBG_AUTH_HOST register address to the AP1_TAR [transfer address register].
4.2- Sequentially program the OEM1 key [OEM key 1 to 4]in the DBGMCU_DBG_AUTH_HOST register via AP1_DRW (read/write register).
5. Program all the option bytes registers with valid configuration, including FLASH_OPTR with RDP level to 0 (0xAA).
6. If this key (previous written OEM key) matches with the the OEM1KEY value, the RDP regression can be launched by setting the OPTSTRT bit of the FLASH_CR register.
If the key does not match the OEM1KEY value, the RDP regression and any access to the flash memory are blocked until the next power-on reset.
7. If the written OEM key to the DBGMCU_DBG_AUTH_HOST doesn't match with the OEM1KEY value then OEMOPTWERR bit is set in the status register

Lee42 · ‎2025-10-22

The

STM32_Programmer_CLI -c port=SWD mode=hotplug ap=0 -lockRDP1 0x11111111 0x22222222 0x33333333 0x44444444

STM32_Programmer_CLI -c port=SWD mode=hotplug ap=1 -unlockRDP1 0x11111111 0x22222222 0x33333333 0x44444444

Works as expected. But if the password is more random byte for a real password then this does not work.