STM32 Readout Protection (RDP)

From Stm32World Wiki
Revision as of 04:20, 4 July 2021 by Lth (talk | contribs)

All STM32 MCUs feature something known as Read Out Protection (RDP). It is probably a feature of the ARM Cortex core, since ST also provides something known as Proprietary Read Out Protection, which is only available on certain STM32 models.

In this document we will take a brief look at the basic Read Out Protection of the MCU used on the Black Pill board, which is an STM32F411. From the Reference Manual (pg. 53)

Test Example

Using STM32CubeProgrammer we can read out the code (flash) of an STM32 MCU (in this case a Black Pill board).

Code Read.png

As can be seen, the internal flash content can be readily read out over SWD.

Switching to the Option Byte tab, the following is shown:

Option Bytes Before.png

The RDP Option Byte contains "AA", which means Level 0 protection (or no protection at all).

We can now change the option byte to "BB" (Level 1 protection) and Apply the change.

Success.png

Switching back to the Memory and File viewer we now get:

Error.png

We can no longer read the content of the Internal flash.

At this point, attempting to flash the device results in an error:

st-flash 1.7.0-dirty
2021-07-04T09:56:00 INFO common.c: stm32f411re: 128 KiB SRAM, 4096 KiB flash in at least 16 KiB pages.
file blink.bin md5 checksum: 5fe5dd3e71839b5f8a08866109a59f3, stlink checksum: 0x002fe983
2021-07-04T09:56:00 INFO common.c: Attempting to write 31268 (0x7a24) bytes to stm32 address: 134250496 (0x8008000)
EraseFlash - Sector:0x2 Size:0x4000 2021-07-04T09:56:00 ERROR common.c: Flash memory is write protected
2021-07-04T09:56:00 ERROR common.c: Failed to erase_flash_page(0x8008000) == -1
stlink_fwrite_flash() == -1

While Level 2 Read Out Protection is irreversible, the Level 1 Protection, which we activated, should be reversible, so going back to the Option Bytes tab we can attempt to change the value back to "AA" (Level 0). We notice that this time it takes a lot longer than before (5-10 seconds perhaps) but the result is the same:

Option byte back.png

Trying to read out the flash contents now shows:

Empty Flash.png

In other words, as stated by ST, Level 1 protection can be changed back to Level 0, but this results in a total loss of data.
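
The same option byte can be checked from firmware, for example so that a production build can confirm at boot that protection is actually set. The following is an added example, not code from this wiki or from ST: it decodes the RDP byte from a FLASH_OPTCR value and encodes the level transitions described above. It goes slightly beyond the walkthrough by covering Level 2 ("CC") and the rule that any value other than "AA" or "CC" is Level 1; the register address, the bit position and all function names are assumptions to verify against the reference manual for your part.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumption: STM32F4 layout, FLASH_OPTCR at 0x40023C14 with the RDP
 * byte in bits [15:8]. Verify against the reference manual for your part. */
#define FLASH_OPTCR_ADDR   0x40023C14u
#define OPTCR_RDP_SHIFT    8u

#define RDP_KEY_LEVEL0     0xAAu   /* no protection */
#define RDP_KEY_LEVEL2     0xCCu   /* irreversible */

typedef enum { RDP_LEVEL_0 = 0, RDP_LEVEL_1 = 1, RDP_LEVEL_2 = 2 } rdp_level_t;

/* Decode the protection level from a raw FLASH_OPTCR value. */
rdp_level_t rdp_level_from_optcr(uint32_t optcr)
{
    uint8_t rdp = (uint8_t)((optcr >> OPTCR_RDP_SHIFT) & 0xFFu);
    if (rdp == RDP_KEY_LEVEL0) return RDP_LEVEL_0;
    if (rdp == RDP_KEY_LEVEL2) return RDP_LEVEL_2;
    return RDP_LEVEL_1;  /* 0xBB is only one of many Level 1 encodings */
}

/* Going from Level 1 back to Level 0 is the change that erases the flash. */
bool rdp_change_erases_flash(rdp_level_t from, rdp_level_t to)
{
    return from == RDP_LEVEL_1 && to == RDP_LEVEL_0;
}

/* Level 2 is irreversible: once set, no other level can be selected. */
bool rdp_change_allowed(rdp_level_t from, rdp_level_t to)
{
    return from != RDP_LEVEL_2 || to == RDP_LEVEL_2;
}

/* Hypothetical boot-time policy check: require at least min_required. */
bool rdp_meets_policy(uint32_t optcr, rdp_level_t min_required)
{
    return rdp_level_from_optcr(optcr) >= min_required;
}

#ifdef __arm__
/* On target only: read the live register instead of a sample value. */
static inline uint32_t read_flash_optcr(void)
{
    return *(volatile uint32_t *)FLASH_OPTCR_ADDR;
}
#endif
```

On target, pass `read_flash_optcr()` to `rdp_meets_policy()` early in startup and decide what a release build should do if the device is still at Level 0.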