ST STM32U3 Option Bytes Programming
STM32U3 option bytes programming and RDP locking/unlocking are supported by the Device Provisioner command-line tool. To use them, the PCode_DevPro_ST_STM32U3.pex script file must be specified as a command-line argument.
Important notes
- Performing RDP level 1 unlocking starts a regression sequence. The flash memory is completely erased in this case.
- Setting RDP to level 2 without an OEM2 password (OEM2 key) provided permanently locks the device. No unlock/regression is possible afterwards.
- After performing the RDP 2 to RDP 1 unlock sequence, the target device must be power-cycled.
- If the device has no firmware programmed and TrustZone is active, it is not possible to access the device's memory. In this case the BOOT0 pin must be tied HIGH to boot from the RSS firmware.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 [-SetConfigVal "parameter_name=value"] -ScriptFile PCode_DevPro_ST_STM32U3.pex
| Operation | Parameters | Values | Description |
|---|---|---|---|
| ReadOptionBytes | OptionName | FLASH_OPTR | Read FLASH option register. |
| | | FLASH_NSBOOTADD0R | Read FLASH nonsecure boot address 0 register. |
| | | FLASH_NSBOOTADD1R | Read FLASH nonsecure boot address 1 register. |
| | | FLASH_SECBOOTADD0R | Read FLASH secure boot address 0 register. |
| | | FLASH_WRP1AR | Read FLASH WRP1 area A address register. |
| | | FLASH_WRP1BR | Read FLASH WRP1 area B address register. |
| | | FLASH_WRP2AR | Read FLASH WRP2 area A address register. |
| | | FLASH_WRP2BR | Read FLASH WRP2 area B address register. |
| | | FLASH_SECWM1R1 | Read FLASH secure watermark 1 register 1. |
| | | FLASH_SECWM1R2 | Read FLASH secure watermark 1 register 2. |
| | | FLASH_SECWM2R1 | Read FLASH secure watermark 2 register 1. |
| | | FLASH_SECWM2R2 | Read FLASH secure watermark 2 register 2. |
| | | FLASH_SECBB1R1 | Read FLASH secure block based bank 1 register 1. |
| | | FLASH_SECBB1R2 | Read FLASH secure block based bank 1 register 2. |
| | | FLASH_SECBB1R3 | Read FLASH secure block based bank 1 register 3. |
| | | FLASH_SECBB1R4 | Read FLASH secure block based bank 1 register 4. |
| | | FLASH_SECBB2R1 | Read FLASH secure block based bank 2 register 1. |
| | | FLASH_SECBB2R2 | Read FLASH secure block based bank 2 register 2. |
| | | FLASH_SECBB2R3 | Read FLASH secure block based bank 2 register 3. |
| | | FLASH_SECBB2R4 | Read FLASH secure block based bank 2 register 4. |
| WriteOptionBytes | OptionName | FLASH_OPTR | Write FLASH option register. Warning: see Important notes to avoid unreachable devices. |
| | | FLASH_NSBOOTADD0R | Write FLASH nonsecure boot address 0 register. |
| | | FLASH_NSBOOTADD1R | Write FLASH nonsecure boot address 1 register. |
| | | FLASH_SECBOOTADD0R | Write FLASH secure boot address 0 register. |
| | | FLASH_WRP1AR | Write FLASH WRP1 area A address register. |
| | | FLASH_WRP1BR | Write FLASH WRP1 area B address register. |
| | | FLASH_WRP2AR | Write FLASH WRP2 area A address register. |
| | | FLASH_WRP2BR | Write FLASH WRP2 area B address register. |
| | | FLASH_SECWM1R1 | Write FLASH secure watermark 1 register 1. |
| | | FLASH_SECWM1R2 | Write FLASH secure watermark 1 register 2. |
| | | FLASH_SECWM2R1 | Write FLASH secure watermark 2 register 1. |
| | | FLASH_SECWM2R2 | Write FLASH secure watermark 2 register 2. |
| | | FLASH_SECBB1R1 | Write FLASH secure block based bank 1 register 1. |
| | | FLASH_SECBB1R2 | Write FLASH secure block based bank 1 register 2. |
| | | FLASH_SECBB1R3 | Write FLASH secure block based bank 1 register 3. |
| | | FLASH_SECBB1R4 | Write FLASH secure block based bank 1 register 4. |
| | | FLASH_SECBB2R1 | Write FLASH secure block based bank 2 register 1. |
| | | FLASH_SECBB2R2 | Write FLASH secure block based bank 2 register 2. |
| | | FLASH_SECBB2R3 | Write FLASH secure block based bank 2 register 3. |
| | | FLASH_SECBB2R4 | Write FLASH secure block based bank 2 register 4. |
| | Value | 0xXXXXXXXX | 32-bit value to be written to the register specified in the "OptionName" parameter. |
| UnlockDevice | Level | RDP1 | Performs RDP regression from level 1 to level 0. |
| | | RDP2 | Performs RDP regression from level 2 to level 1. |
| | TZ | 0 | Optional. Disables TrustZone. Only possible during RDP regression from level 1 to level 0. |
| | Password | XXXXXXXXYYYYYYYYKKKKKKKKLLLLLLLL | Optional for RDP 1. 128-bit password to unlock the device, where XXXXXXXX is the 1st hex word, YYYYYYYY the 2nd hex word, KKKKKKKK the 3rd hex word and LLLLLLLL the 4th hex word. |
| SetPassword | Level | RDP1 | Sets the RDP1 128-bit password (OEM1 key). |
| | | RDP2 | Sets the RDP2 128-bit password (OEM2 key). |
| | Password | XXXXXXXXYYYYYYYYKKKKKKKKLLLLLLLL | Password to unlock the device, where XXXXXXXX is the 1st hex word, YYYYYYYY the 2nd hex word, KKKKKKKK the 3rd hex word and LLLLLLLL the 4th hex word. |
| CheckPassword | - | - | Prints the status of the passwords. |
| GetAuthId | - | - | Prints the device authentication ID. Not possible in RDP level 0. |
Detailed description
ReadOptionBytes
- Reads and prints out a description of the selected option-byte register.
WriteOptionBytes
- Writes the selected option-byte register. Using a hex value is recommended.
Writing the FLASH_OPTR register is used to lock the device. The least-significant 8 bits (the RDP field) represent the device locking level:
Value 0xAA - Device not locked
Value other than 0xAA or 0xCC - Level 1 protection
Value 0xCC - Level 2 protection
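The following is an added example, not code from the SEGGER page or the DevPro tool. It decodes a FLASH_OPTR value into the fields the ReadOptionBytes output lists, classifies the RDP byte exactly as described above, and builds a new register value that changes only the RDP byte, refusing level 2 unless the caller confirms the OEM2 key is set. The 0xAA/0xCC/other encoding comes from the page; the bit positions of the other fields are an assumption inferred from the page's decode of 0x1FEFF0AA (they match the STM32U5 FLASH_OPTR layout) and should be confirmed against the STM32U3 reference manual before use.

```python
"""Decode STM32U3 FLASH_OPTR and derive a lock value that touches only the RDP byte.

Added example, not part of the SEGGER page or the DevPro tool. Field positions
other than RDP are ASSUMED (inferred from the page's decode of 0x1FEFF0AA).
"""

# (name, lsb, width) - ASSUMED positions, see module docstring.
FLASH_OPTR_FIELDS = [
    ("RDP", 0, 8), ("BOR_LEV", 8, 3), ("_BDRST_POR", 11, 1),
    ("NRST_STOP", 12, 1), ("NRST_STDBY", 13, 1), ("NRST_SHDW", 14, 1),
    ("SRAM1_RST", 15, 1), ("IWDG_SW", 16, 1), ("IWDG_STOP", 17, 1),
    ("IWDG_STDBY", 18, 1), ("WWDG_SW", 19, 1), ("SWAP_BANK", 20, 1),
    ("DUALBANK", 21, 1), ("BL_IO_VDDIO2_HSLV", 22, 2), ("SRAM2_PE", 24, 1),
    ("SRAM2_RST", 25, 1), ("NSWBOOT0", 26, 1), ("NBOOT0", 27, 1),
    ("IO_VDD_HSLV", 29, 1), ("IO_VDDIO2_HSLV", 30, 1), ("TZEN", 31, 1),
]

RDP_LEVEL0 = 0xAA   # device not locked
RDP_LEVEL2 = 0xCC   # level 2, permanent without an OEM2 key
RDP_LEVEL1_BYTE = 0xBB  # any byte other than 0xAA/0xCC; the page's example uses 0xBB


def rdp_level(optr: int) -> int:
    """Map the low byte of FLASH_OPTR to the RDP level as the page describes."""
    byte = optr & 0xFF
    if byte == RDP_LEVEL0:
        return 0
    if byte == RDP_LEVEL2:
        return 2
    return 1


def decode_optr(optr: int) -> dict:
    """Split a 32-bit FLASH_OPTR value into named fields plus the derived RDP level."""
    if not 0 <= optr <= 0xFFFFFFFF:
        raise ValueError("FLASH_OPTR is a 32-bit register")
    fields = {name: (optr >> lsb) & ((1 << width) - 1)
              for name, lsb, width in FLASH_OPTR_FIELDS}
    fields["RDP_LEVEL"] = rdp_level(optr)
    return fields


def optr_for_rdp(current: int, level: int, oem2_key_set: bool = False) -> int:
    """Return the value to pass as WriteOptionBytes Value to reach `level`.

    Every bit outside the RDP byte is preserved from `current`, so the rest of
    the option configuration (boot pins, watchdogs, TZEN) is not changed by
    accident. Level 2 is refused unless the caller confirms the OEM2 key is
    set, because the page notes that RDP 2 without it is permanent.
    """
    if level == 0:
        byte = RDP_LEVEL0
    elif level == 1:
        byte = RDP_LEVEL1_BYTE
    elif level == 2:
        if not oem2_key_set:
            raise ValueError("refusing RDP level 2: OEM2 key not confirmed set, "
                             "the device would be locked permanently")
        byte = RDP_LEVEL2
    else:
        raise ValueError("RDP level must be 0, 1 or 2")
    return (current & 0xFFFFFF00) | byte


if __name__ == "__main__":
    for name, value in decode_optr(0x1FEFF0AA).items():
        print(f"{name:<20} {value:#x}")
    print(f"Value for level 1: {optr_for_rdp(0x1FEFF0AA, 1):#010x}")
```

Running the block on the register value from the ReadOptionBytes example (0x1FEFF0AA) reproduces the field values the tool prints, and the level 1 value it derives is the 0x1FEFF0BB used in the WriteOptionBytes example.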
UnlockDevice
- Unlocks the device with the password. The unlocking sequence is as follows: from Level 2 to Level 1, then from Level 1 to Level 0.
During regression from RDP Level 1 to Level 0 the password is optional, the UNLOCK bits in the WRPx registers are also cleared, and TrustZone can optionally be disabled.
The operation does not report whether the password matches, only the result of writing it to the device.
If the password is wrong, all subsequent operations will fail.
SetPassword
Sets one of the two passwords for subsequent authentication.
To verify that the password was set successfully, its CRC checksum is calculated and compared with the value of the corresponding OEMxKEYCRC register.
Once set, the password can be modified, but not removed.
The password must contain at least five zeros.
CheckPassword
Used to check whether the passwords are already set. Also prints the CRC8 checksums.
GetAuthId
Prints the device authentication ID.
If called in RDP level 0, it just prints a warning, because in RDP level 0 the DBGMCU_DBG_AUT_DEVICE register
always reads as 0x0 rather than the actual device-specific authentication ID.
Examples
Reading option bytes register
DevPro -operation ReadOptionBytes -if SWD -speed 4000 -SetConfigVal OptionName=FLASH_OPTR -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation ReadOptionBytes -if SWD -speed 4000 -SetConfigVal OptionName=FLASH_OPTR -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: FLASH_OPTR value: 0x1FEFF0AA
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: RDP
J-Link log: Value: 0x000000AA
J-Link log: |-> Level 0, read protection not active
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: BOR_LEV
J-Link log: Value: 0x00000000
J-Link log: |-> BOR level 0, reset level threshold around 1.7 V
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: _BDRST_POR
J-Link log: Value: 0x00000000
J-Link log: |-> The backup domain is not reset after a VDD domain brownout reset (BOR).
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_STOP
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generated when entering the Stop mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_STDBY
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generate when entering the Standby mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_SHDW
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generated when entering the Shutdown mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM1_RST
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM1 not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_SW
J-Link log: Value: 0x00000001
J-Link log: |-> Software independent watchdog selected
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_STOP
J-Link log: Value: 0x00000001
J-Link log: |-> Independent watchdog counter is running in Stop mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_STDBY
J-Link log: Value: 0x00000001
J-Link log: |-> Independent watchdog counter is running in Standby mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: WWDG_SW
J-Link log: Value: 0x00000001
J-Link log: |-> Software window watchdog selected
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SWAP_BANK
J-Link log: Value: 0x00000000
J-Link log: |-> Bank 1 and bank 2 addresses not swapped
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: DUALBANK
J-Link log: Value: 0x00000001
J-Link log: |-> Dual-bank flash memory with contiguous addresses
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: BL_IO_VDDIO2_HSLV
J-Link log: Value: 0x00000003
J-Link log: |-> High-speed I/O at low VDDIO2 voltage feature disabled (VDDIO2 can exceed 2.5 V)
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_PE
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 parity check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_RST
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NSWBOOT0
J-Link log: Value: 0x00000001
J-Link log: |-> BOOT0 taken from PH3/BOOT0 pin
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NBOOT0
J-Link log: Value: 0x00000001
J-Link log: |-> NBOOT0 = 1
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IO_VDD_HSLV
J-Link log: Value: 0x00000000
J-Link log: |-> High-speed IO at low VDD voltage feature disabled (VDD can exceed 2.5 V)
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IO_VDDIO2_HSLV
J-Link log: Value: 0x00000000
J-Link log: |-> High-speed IO at low VDDIO2 voltage feature disabled (VDDIO2 can exceed 2.5 V)
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: TZEN
J-Link log: Value: 0x00000000
J-Link log: |-> Global TrustZone security disabled
J-Link log: -----------------------------------------------------------------------------------------------
Writing option bytes register (setting RDP level 1 protection)
DevPro -operation WriteOptionBytes -if SWD -speed 4000 -SetConfigVal "OptionName=FLASH_OPTR" -SetConfigVal "Value=0x1FEFF0BB" -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation WriteOptionBytes -if SWD -speed 4000 -SetConfigVal OptionName=FLASH_OPTR -SetConfigVal Value=0x1FEFF0BB -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: Option bytes programmed successfully.
Setting password (OEM Key)
DevPro -operation SetPassword -SetConfigVal "Level=RDP1" -SetConfigVal "Password=deadbeefdeadbeefdeadbeefdeadbeef" -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation SetPassword -SetConfigVal Level=RDP1 -SetConfigVal Password=deadbeefdeadbeefdeadbeefdeadbeef -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: RDP password has been set successfully.
Checking passwords status
DevPro -operation CheckPassword -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation CheckPassword -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: RDP 1 password is set. CRC8: 0x00000027
J-Link log: RDP 2 password is not set.
Unlocking device with password
DevPro -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "Password=deadbeefdeadbeefdeadbeefdeadbeef" -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal Level=RDP1 -SetConfigVal Password=deadbeefdeadbeefdeadbeefdeadbeef -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: RDP password has been written successfully.
J-Link log: Device was unlocked successfully.
Disabling TrustZone security
DevPro -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "Password=deadbeefdeadbeefdeadbeefdeadbeef" -SetConfigVal "TZ=0" -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal Level=RDP1 -SetConfigVal Password=deadbeefdeadbeefdeadbeefdeadbeef -SetConfigVal TZ=0 -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: RDP password has been written successfully.
J-Link log: Device was unlocked successfully.
Get device authentication Id
DevPro -operation GetAuthId -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
SEGGER Device Provisioner V8.46
Compiled Jun 26 2025 07:48:01
Command line: -operation GetAuthId -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32U3.pex
Firmware: J-Link V12 compiled Jun 24 2025 16:09:46
S/N: 602009588
J-Link log: Device authentication id: 0x7A7333AA
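The following is an added example, not code from the SEGGER page or the DevPro tool. A production programming flow usually runs the ReadOptionBytes, CheckPassword and GetAuthId operations shown above after locking a board and needs to fail loudly if the device is not in the intended end state. The block parses the "J-Link log:" lines those commands print (line formats taken from the outputs above; the sample is constructed by concatenating excerpts of them) and checks the RDP level, the TZEN bit and, when level 2 is the goal, that the OEM2 key is set. The expected level and TZEN value are the caller's choice, not values from the page.

```python
"""Parse Device Provisioner output and verify the provisioned end state.

Added example, not part of the SEGGER page or the DevPro tool itself.
"""
import re

# Constructed sample: the page's ReadOptionBytes output cut down to the RDP and
# TZEN fields, followed by its CheckPassword and GetAuthId lines.
SAMPLE_OUTPUT = """\
SEGGER Device Provisioner V8.46
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: FLASH_OPTR value: 0x1FEFF0AA
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: RDP
J-Link log: Value: 0x000000AA
J-Link log: |-> Level 0, read protection not active
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: TZEN
J-Link log: Value: 0x00000000
J-Link log: |-> Global TrustZone security disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: RDP 1 password is set. CRC8: 0x00000027
J-Link log: RDP 2 password is not set.
J-Link log: Device authentication id: 0x7A7333AA
"""

LOG_PREFIX = "J-Link log: "
_REG_RE = re.compile(r"^(\w+) value: (0x[0-9A-Fa-f]+)$")
_VALUE_RE = re.compile(r"^Value: (0x[0-9A-Fa-f]+)$")
_PWD_RE = re.compile(r"^RDP (\d) password is (set|not set)\.(?: CRC8: (0x[0-9A-Fa-f]+))?$")
_AUTH_RE = re.compile(r"^Device authentication id: (0x[0-9A-Fa-f]+)$")


def parse_devpro_output(text: str) -> dict:
    """Collect register values, decoded fields, password status and auth ID."""
    result = {"registers": {}, "fields": {}, "passwords": {}, "auth_id": None}
    pending = None  # bare field name (e.g. "RDP") waiting for its "Value:" line
    for raw in text.splitlines():
        if not raw.startswith(LOG_PREFIX):
            continue  # banner, command line, firmware lines
        line = raw[len(LOG_PREFIX):].strip()
        if not line or line.startswith("---") or line.startswith("|->"):
            continue  # separators and human-readable descriptions
        if m := _REG_RE.match(line):
            result["registers"][m.group(1)] = int(m.group(2), 16)
        elif m := _VALUE_RE.match(line):
            if pending is not None:
                result["fields"][pending] = int(m.group(1), 16)
                pending = None
        elif m := _PWD_RE.match(line):
            result["passwords"][int(m.group(1))] = {
                "set": m.group(2) == "set",
                "crc8": int(m.group(3), 16) if m.group(3) else None,
            }
        elif m := _AUTH_RE.match(line):
            result["auth_id"] = int(m.group(1), 16)
        elif re.fullmatch(r"\w+", line):
            pending = line
    return result


def rdp_level_from_byte(rdp: int) -> int:
    """0xAA = level 0, 0xCC = level 2, anything else = level 1 (per the page)."""
    return 0 if rdp == 0xAA else 2 if rdp == 0xCC else 1


def check_provisioned_state(parsed: dict, expect_rdp_level: int, expect_tzen: int) -> list:
    """Return findings; an empty list means the device matches the expected state."""
    findings = []
    rdp = parsed["fields"].get("RDP")
    optr = parsed["registers"].get("FLASH_OPTR")
    if rdp is None:
        findings.append("RDP field missing from output")
    else:
        level = rdp_level_from_byte(rdp)
        if level != expect_rdp_level:
            findings.append(f"RDP level is {level}, expected {expect_rdp_level}")
        if optr is not None and (optr & 0xFF) != rdp:
            findings.append("FLASH_OPTR low byte disagrees with decoded RDP field")
    tzen = parsed["fields"].get("TZEN")
    if tzen is not None and tzen != expect_tzen:
        findings.append(f"TZEN is {tzen}, expected {expect_tzen}")
    if expect_rdp_level == 2:
        pw2 = parsed["passwords"].get(2)
        if not (pw2 and pw2["set"]):
            findings.append("OEM2 key not set: RDP level 2 would be permanent")
    return findings


if __name__ == "__main__":
    parsed = parse_devpro_output(SAMPLE_OUTPUT)
    for finding in check_provisioned_state(parsed, expect_rdp_level=1, expect_tzen=0):
        print("FINDING:", finding)
```

On the sample, which is the page's level 0 readout, checking for an expected level 1 yields one finding (the device is still unlocked); checking for level 2 additionally flags the missing OEM2 key before anyone writes 0xCC.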