STM32F2 removal of readout protection

c flash security microcontroller stm32

13,895

Solution 1

This is because before the clearing the protection flag, and in the middle of mass flash erase, you restart the chip.

The only way to recover the chip is to use the system bootloader.

Force boot0 pin to be 1 and force boot1 pin to be 0 at power up, start bootloader then connect USB and program the chip with DFU programmer. You can download the DFU programmer here.

Solution 2

I used the library as follows (it was not working without FLASH_Unlock();):

// Flash Readout Protection Level 1
if (FLASH_OB_GetRDP() != SET) {
    FLASH_Unlock();                           // this line is critical!
    FLASH_OB_Unlock();
    FLASH_OB_RDPConfig(OB_RDP_Level_1);
    FLASH_OB_Launch();                        // Option Bytes programming
    FLASH_OB_Lock();
    FLASH_Lock();
}

No need for NVIC_SystemReset();.

Checking functionality worked best with STM32 ST-LINK utility CLI for me:

> "C:\Program Files (x86)\STMicroelectronics\STM32 ST-LINK Utility\ST-LINK Utility\ST-LINK_CLI.exe" -c SWD -rOB
STM32 ST-LINK CLI v3.0.0.0
STM32 ST-LINK Command Line Interface

ST-LINK SN : 51FF6D064989525019422287
ST-LINK Firmware version : V2J27S0
Connected via SWD.
SWD Frequency = 4000K.
Target voltage = 2.9 V.
Connection mode : Normal.
Device ID:0x422
Device flash Size : 256 Kbytes
Device family :STM32F302xB-xC/F303xB-xC/F358xx

Option bytes:
RDP         : Level 1
IWDG_SW     : 1
nRST_STOP   : 1
nRST_STDBY  : 1
nBoot1      : 1
VDDA        : 1
Data0       : 0xFF
Data1       : 0xFF
nSRAM_Parity: 1
WRP         : 0xFFFFFFFF

Not really a solution, but I hope this saves someone some time.

13,895

Author by

Admin

Updated on June 04, 2022

Comments

Admin almost 2 years
The STM32F2 micro-controller has build in capabilities to prevent readout of application code using a debug interface. It works fine and is accomplished pretty easily by configuring the read protection(RDP) level to '1' (!0xAA || !0xCC) or '2' (0xCC which is irreversible). Except trying to turn it off is where i run in to issues.

The expected behavior when the RDP level is lowered back to 0:
- The chip will perform a mass flash erase.
- Followed by clearing the protection flag.
- System reset
Except after a power cycle the flash has been successfully erased but the protection flag remains on level '1' (0x55) keeping the debug interface disabled. And thus preventing me from writing any new application code. It is possible to fiddle around with the debugger and force the flag to level 0 (0xAA) manually though..

Is there anyone who have had the same or similar issues with the STM32F2xx series that can help me out? I'm using the STM32 standard peripheral drivers for programming the flash.

Enable
```
// Enable read out protection
FLASH_OB_Unlock();
FLASH_OB_RDPConfig(OB_RDP_Level_1);
FLASH_OB_Launch();
FLASH_OB_Lock();

// Restart platform
NVIC_SystemReset();
```
Disable
```
// Disable read out protection
FLASH_OB_Unlock();
FLASH_OB_RDPConfig(OB_RDP_Level_0);
FLASH_OB_Launch();
FLASH_OB_Lock();

// Restart platform
NVIC_SystemReset();
```