Difference between revisions of "STM32 Readout Protection (RDP)"
Line 1: | Line 1: | ||
[[Category:STM32]][[Category:STM32 Hardware]][[Category:STM32 Development]]{{metadesc|STM32 Read Out Protection}} | [[Category:STM32]][[Category:STM32 Hardware]][[Category:STM32 Development]]{{metadesc|STM32 Read Out Protection}} | ||
− | All [[STM32]] [[MCU]]s feature something known as [[STM32 Read Out Protection (RDP)|Read Out Protection]]. It is probably a feature of the ARM Cortex core, since [[ST]] also provide something known as [[STM32 Proprietary Read Out Protection (PCROP)|Proprietary Read Out Protection]] which is only available on certain [[STM32]] models. | + | All [[STM32]] [[MCU]]s feature something known as [[STM32 Read Out Protection (RDP)|Read Out Protection]]. It is probably a feature of the ARM Cortex core, since [[ST]] also provide something known as [[STM32 Proprietary Read Out Protection (PCROP)|Proprietary Read Out Protection]] which is only available on certain [[STM32]] models. |
+ | |||
+ | In this document we will take a brief look at the basic Read Out Protection of the [[MCU]] used on the [[Black Pill]] board, which is an [[STM32F411]]. From the [https://ipfs.subutai.io/ipfs/QmUGduV94vdwiX5FpM5uAbNPBNw48gFXgJZyFJFeLJrbws/dm00119316-stm32f411xc-e-advanced-arm-based-32-bit-mcus-stmicroelectronics.pdf Reference Manual] (pg. 53) | ||
== Test Example == | == Test Example == |
Revision as of 03:20, 4 July 2021
All STM32 MCUs feature something known as Read Out Protection. It is probably a feature of the ARM Cortex core, since ST also provide something known as Proprietary Read Out Protection which is only available on certain STM32 models.
In this document we will take a brief look at the basic Read Out Protection of the MCU used on the Black Pill board, which is an STM32F411. From the Reference Manual (pg. 53)
Test Example
Using the STM32CubeProgrammer we can read out the code (flash) of a STM32 MCU (in this case a Black Pill board).
As can be seen, the internal flash content can be readily read out using the SWD.
Switching to the Option Byte tab, the following is shown:
The RDP Open Byte contains "AA" which means Level 0 protection (or no protection at all).
We can now change the option byte to "BB" (Level 1 protection) and Apply the change.
Switching back to the Memory and File viewer we now get:
We can no longer read the content of the Internal flash.
At this point, attempting to flash the device result in an error:
st-flash 1.7.0-dirty 2021-07-04T09:56:00 INFO common.c: stm32f411re: 128 KiB SRAM, 4096 KiB flash in at least 16 KiB pages. file blink.bin md5 checksum: 5fe5dd3e71839b5f8a08866109a59f3, stlink checksum: 0x002fe983 2021-07-04T09:56:00 INFO common.c: Attempting to write 31268 (0x7a24) bytes to stm32 address: 134250496 (0x8008000) EraseFlash - Sector:0x2 Size:0x4000 2021-07-04T09:56:00 ERROR common.c: Flash memory is write protected 2021-07-04T09:56:00 ERROR common.c: Failed to erase_flash_page(0x8008000) == -1 stlink_fwrite_flash() == -1
While Level 2 Read Out Protection is irreversible, the Level 1 Protection, which we activated, should be reversible, so going back to the Option Bytes tab we can attempt to change the value back to "AA" (Level 0). We notice that this time it takes a lot longer than before (5-10 seconds perhaps) but the result is the same:
Trying to read out the flash contents now show:
In other words, as stated by ST Level 1 protection can be changed back to Level 0, but this result in a total loss of data.