ST STM32WBA Option Bytes Programming
STM32WBA option bytes programming and RDP locking/unlocking features are supported by the Device Provisioner command-line tool. To use them, the PCode_DevPro_ST_STM32WBA.pex script file must be specified as a command-line argument.
Important notes
- Performing RDP level 1 unlocking starts the regression sequence. Flash memory is completely erased in this case.
- Setting RDP to level 2 without an OEM 2 password (OEM2 Key) provided permanently locks the device. No unlock/regression is possible.
- When performing the RDP 2 to RDP 1 unlock sequence, the target device must be power-cycled.
- If a device does not have firmware programmed and TrustZone is active, it is not possible to access the device's memory. In this case the BOOT0 pin must be tied HIGH to boot from RSS firmware.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile PCode_DevPro_ST_STM32WBA.pex
| Operation | Parameters | Values | Description |
|---|---|---|---|
| ReadOptionBytes | OptionName | FLASH_OPTR | Read FLASH option register. |
| | | FLASH_NSBOOTADD0R | Read FLASH nonsecure boot address 0 register. |
| | | FLASH_NSBOOTADD1R | Read FLASH nonsecure boot address 1 register. |
| | | FLASH_SECBOOTADD0R | Read FLASH secure boot address 0 register. |
| | | FLASH_SECWM1R1 | Read FLASH secure watermark 1 register 1. |
| | | FLASH_SECWM1R2 | Read FLASH secure watermark 1 register 2. |
| | | FLASH_SECWM2R1 | Read FLASH secure watermark 2 register 1. |
| | | FLASH_SECWM2R2 | Read FLASH secure watermark 2 register 2. |
| | | FLASH_WRP1AR | Read FLASH WRP1 area A address register. |
| | | FLASH_WRP1BR | Read FLASH WRP1 area B address register. |
| | | FLASH_WRP2AR | Read FLASH WRP2 area A address register. |
| | | FLASH_WRP2BR | Read FLASH WRP2 area B address register. |
| | | FLASH_SECBB1R1 | Read FLASH bank 1 secure block based register 1. |
| | | FLASH_SECBB1R2 | Read FLASH bank 1 secure block based register 2. |
| | | FLASH_SECBB1R3 | Read FLASH bank 1 secure block based register 3. |
| | | FLASH_SECBB1R4 | Read FLASH bank 1 secure block based register 4. |
| | | FLASH_SECBB2R1 | Read FLASH bank 2 secure block based register 1. |
| | | FLASH_SECBB2R2 | Read FLASH bank 2 secure block based register 2. |
| | | FLASH_SECBB2R3 | Read FLASH bank 2 secure block based register 3. |
| | | FLASH_SECBB2R4 | Read FLASH bank 2 secure block based register 4. |
| | | FLASH_SECHDPCR | Read FLASH secure HDP control register. |
| | | FLASH_PRIFCFGR | Read FLASH privilege configuration register. |
| | | FLASH_PRIVBB1R1 | Read FLASH bank 1 privilege block based register 1. |
| | | FLASH_PRIVBB1R2 | Read FLASH bank 1 privilege block based register 2. |
| | | FLASH_PRIVBB1R3 | Read FLASH bank 1 privilege block based register 3. |
| | | FLASH_PRIVBB1R4 | Read FLASH bank 1 privilege block based register 4. |
| | | FLASH_PRIVBB2R1 | Read FLASH bank 2 privilege block based register 1. |
| | | FLASH_PRIVBB2R2 | Read FLASH bank 2 privilege block based register 2. |
| | | FLASH_PRIVBB2R3 | Read FLASH bank 2 privilege block based register 3. |
| | | FLASH_PRIVBB2R4 | Read FLASH bank 2 privilege block based register 4. |
| WriteOptionBytes | OptionName | FLASH_OPTR | Write FLASH option register. |
| | | FLASH_NSBOOTADD0R | Write FLASH nonsecure boot address 0 register. |
| | | FLASH_NSBOOTADD1R | Write FLASH nonsecure boot address 1 register. |
| | | FLASH_SECBOOTADD0R | Write FLASH secure boot address 0 register. |
| | | FLASH_SECWM1R1 | Write FLASH secure watermark 1 register 1. |
| | | FLASH_SECWM1R2 | Write FLASH secure watermark 1 register 2. |
| | | FLASH_SECWM2R1 | Write FLASH secure watermark 2 register 1. |
| | | FLASH_SECWM2R2 | Write FLASH secure watermark 2 register 2. |
| | | FLASH_WRP1AR | Write FLASH WRP1 area A address register. |
| | | FLASH_WRP1BR | Write FLASH WRP1 area B address register. |
| | | FLASH_WRP2AR | Write FLASH WRP2 area A address register. |
| | | FLASH_WRP2BR | Write FLASH WRP2 area B address register. |
| | | FLASH_SECBB1R1 | Write FLASH bank 1 secure block based register 1. |
| | | FLASH_SECBB1R2 | Write FLASH bank 1 secure block based register 2. |
| | | FLASH_SECBB1R3 | Write FLASH bank 1 secure block based register 3. |
| | | FLASH_SECBB1R4 | Write FLASH bank 1 secure block based register 4. |
| | | FLASH_SECBB2R1 | Write FLASH bank 2 secure block based register 1. |
| | | FLASH_SECBB2R2 | Write FLASH bank 2 secure block based register 2. |
| | | FLASH_SECBB2R3 | Write FLASH bank 2 secure block based register 3. |
| | | FLASH_SECBB2R4 | Write FLASH bank 2 secure block based register 4. |
| | | FLASH_SECHDPCR | Write FLASH secure HDP control register. |
| | | FLASH_PRIFCFGR | Write FLASH privilege configuration register. |
| | | FLASH_PRIVBB1R1 | Write FLASH bank 1 privilege block based register 1. |
| | | FLASH_PRIVBB1R2 | Write FLASH bank 1 privilege block based register 2. |
| | | FLASH_PRIVBB1R3 | Write FLASH bank 1 privilege block based register 3. |
| | | FLASH_PRIVBB1R4 | Write FLASH bank 1 privilege block based register 4. |
| | | FLASH_PRIVBB2R1 | Write FLASH bank 2 privilege block based register 1. |
| | | FLASH_PRIVBB2R2 | Write FLASH bank 2 privilege block based register 2. |
| | | FLASH_PRIVBB2R3 | Write FLASH bank 2 privilege block based register 3. |
| | | FLASH_PRIVBB2R4 | Write FLASH bank 2 privilege block based register 4. |
| | Value | 0xXXXXXXXX | 32-bit value to be written to the register specified in the "OptionName" parameter. |
| UnlockDevice | Level | RDP1 | Performs RDP regression from level 1 to level 0. |
| | | RDP2 | Performs RDP regression from level 2 to level 1. |
| | TZ | 0 | Optional. Disable TrustZone. |
| | Password | XXXXXXXXYYYYYYYY | Optional for RDP 1. Password to unlock the device. Where: XXXXXXXX - 1st hex word value, YYYYYYYY - 2nd hex word value |
| SetPassword | Level | RDP1 | Sets RDP1 128-bit password (OEM1 Key). |
| | | RDP2 | Sets RDP2 128-bit password (OEM2 Key). |
| | Password | XXXXXXXXYYYYYYYY | Password to be written to FLASH_OEMxKEYRx registers. Where: XXXXXXXX - 1st hex word value, YYYYYYYY - 2nd hex word value |
| RemovePassword | Level | RDP1 | Removes RDP level 1 password. |
| | | RDP2 | Removes RDP level 2 password. |
| CheckPassword | - | - | Prints status of the passwords. |
| GetAuthId | - | - | Prints device authentication id. |
Detailed description
ReadOptionBytes
- Reads and prints out description of the selected option-byte register.
WriteOptionBytes
- Writes selected option-byte register. Using hex value is recommended.
Note:
Writing the FLASH_OPTR register is used to lock the device. The least significant 8 bits represent the device locking level:
Value 0xAA - Device not locked
Value 0x55 - Level 0.5 protection
Value other than 0xAA or 0xCC - Level 1 protection
Value 0xCC - Level 2 protection
UnlockDevice
- Unlocks device with the password. Unlocking sequence is as follows: from Level 2 to Level 1, from Level 1 to Level 0. Also resets UNLOCK bit in WRPx registers.
Note:
The operation does not report whether the password matches, only the result of writing it to the device.
If the password is wrong, all successive operations will fail.
SetPassword
Sets one of the two passwords for subsequent authentication.
For compatibility with ST's STM32_Programmer_CLI, the password value has the same format, except that the "0x" prefix and whitespace are omitted. For example:
STM32_Programmer_CLI.exe -c port=SWD mode=hotplug -lockRDP1 0x00010203 0x04050607
DevPro.exe -operation SetPassword -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "Password=0001020304050607" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
RemovePassword
Removes the selected password. Using SetPassword operation with all 1s will also remove the password.
Passwords can be removed when Level 0 protection is set.
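The format mapping described under SetPassword, together with the all-ones case noted under RemovePassword, as an added example that is not part of the original page or of SEGGER's tooling. The function names are hypothetical, and the two-word layout is taken from the XXXXXXXXYYYYYYYY format documented above.

```python
import re

# One 32-bit word as STM32_Programmer_CLI takes it: optional "0x", 8 hex digits.
_WORD = re.compile(r"(?:0x)?([0-9a-fA-F]{8})")
# DevPro "Password=" value as documented on this page: 16 hex digits, no prefix.
_DEVPRO = re.compile(r"[0-9a-fA-F]{16}")


def _reject_all_ones(digits: str) -> None:
    # Per the RemovePassword section, SetPassword with all 1s removes the password.
    if set(digits.lower()) == {"f"}:
        raise ValueError("all-ones value removes the password instead of setting one")


def devpro_password(cli_words: str) -> str:
    """Convert '0x00010203 0x04050607' into the value for -SetConfigVal "Password=..."."""
    words = cli_words.split()
    if len(words) != 2:
        raise ValueError("expected two 32-bit hex words")
    digits = ""
    for word in words:
        match = _WORD.fullmatch(word)
        if match is None:
            raise ValueError(f"not a 32-bit hex word: {word!r}")
        digits += match.group(1)
    _reject_all_ones(digits)
    return digits


def cli_words(devpro_value: str) -> str:
    """Convert a DevPro password value back into the two words used with -lockRDP1."""
    if _DEVPRO.fullmatch(devpro_value) is None:
        raise ValueError("expected exactly 16 hex digits without a 0x prefix")
    _reject_all_ones(devpro_value)
    return f"0x{devpro_value[:8]} 0x{devpro_value[8:]}"


if __name__ == "__main__":
    # Values from the example commands on this page.
    print(devpro_password("0x00010203 0x04050607"))
    print(cli_words("deadbeefdeadbeef"))
```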
CheckPassword
Used to check if the passwords are already set.
Examples
Reading option bytes register
Example
DevPro.exe -operation ReadOptionBytes -if SWD -speed 4000 -SetConfigVal "OptionName=FLASH_OPTR" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
Command line: -operation ReadOptionBytes -if SWD -speed 4000 -SetConfigVal OptionName=FLASH_OPTR -ScriptFile PCode_DevPro_ST_STM32WBA.pex
J-Link log: Device ID: 0x100164B0
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: FLASH_OPTR value: 0x1FEFF8BB
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: RDP
J-Link log: Value: 0x000000BB
J-Link log: |-> Level 1, memories read protection active
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: BOR_LEV
J-Link log: Value: 0x00000000
J-Link log: |-> BOR level 0, reset level threshold around 1.7 V
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_STOP
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generated when entering the Stop mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_STDBY
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generate when entering the Standby mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NRST_SHDW
J-Link log: Value: 0x00000001
J-Link log: |-> No reset generated when entering the Shutdown mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM_RST
J-Link log: Value: 0x00000001
J-Link log: |-> All SRAMs (except SRAM2 and BKPSRAM) not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_SW
J-Link log: Value: 0x00000001
J-Link log: |-> Software independent watchdog selected
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_STOP
J-Link log: Value: 0x00000001
J-Link log: |-> Independent watchdog counter is running in Stop mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IWDG_STDBY
J-Link log: Value: 0x00000001
J-Link log: |-> Independent watchdog counter is running in Standby mode
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: WWDG_SW
J-Link log: Value: 0x00000001
J-Link log: |-> Software window watchdog selected
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SWAP_BANK
J-Link log: Value: 0x00000000
J-Link log: |-> Bank 1 and bank 2 addresses not swapped
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: DUALBANK
J-Link log: Value: 0x00000001
J-Link log: |-> Dual-bank flash memory with contiguous addresses
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: BKPRAM_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> Backup RAM ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM3_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM3 ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_RST
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: NSWBOOT0
J-Link log: Value: 0x00000001
J-Link log: |-> BOOT0 taken from PH3/BOOT0 pin
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: PA15_PUPEN
J-Link log: Value: 0x00000001
J-Link log: |-> USB power delivery dead-battery disabled/TDI pull-up activated
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IO_VDD_HSLV
J-Link log: Value: 0x00000000
J-Link log: |-> High-speed IO at low VDD voltage feature disabled (VDD can exceed 2.5 V)
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: IO_VDDIO2_HSLV
J-Link log: Value: 0x00000000
J-Link log: |-> High-speed IO at low VDDIO2 voltage feature disabled (VDDIO2 can exceed 2.5 V)
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: TZEN
J-Link log: Value: 0x00000000
J-Link log: |-> Global TrustZone security disabled
J-Link log: -----------------------------------------------------------------------------------------------
Writing option bytes register (setting RDP level 1 protection)
Example
DevPro.exe -operation WriteOptionBytes -if SWD -speed 4000 -SetConfigVal "OptionName=FLASH_OPTR" -SetConfigVal "Value=0x1FEFF8BB" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation WriteOptionBytes -if SWD -speed 4000 -SetConfigVal OptionName=FLASH_OPTR -SetConfigVal Value=0x1FEFF8BB -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'PCode_DevPro_ST_STM32WBA.pex'
J-Link log: Option bytes programmed successfully
Setting password (OEM Key)
Example
DevPro.exe -operation SetPassword -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "Password=deadbeefdeadbeef" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation SetPassword -if SWD -speed 4000 -SetConfigVal Level=RDP1 -SetConfigVal Password=deadbeefdeadbeef -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'PCode_DevPro_ST_STM32WBA.pex'
J-Link log: RDP password has been set successfully
Checking passwords status
Example
DevPro.exe -operation CheckPassword -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
Command line: -operation CheckPassword -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32WBA.pex
J-Link log: Device ID: 0x100164B0
J-Link log: RDP 1 password is set
J-Link log: RDP 2 password is not set
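A pre-flight check for the permanent-lock case from the important notes, added here as an example that is not part of the original page or of SEGGER's tooling. It decodes the RDP byte of a planned FLASH_OPTR value using the levels listed under WriteOptionBytes and refuses Level 2 unless the CheckPassword output reports the RDP 2 password as set. The function names are hypothetical, and 0x1FEFF8CC is a constructed value (the page's 0x1FEFF8BB with the RDP byte changed).

```python
import re


def rdp_level(optr: int) -> str:
    """Decode the protection level from the least significant byte of FLASH_OPTR."""
    rdp = optr & 0xFF
    if rdp == 0xAA:
        return "0"
    if rdp == 0x55:
        return "0.5"
    if rdp == 0xCC:
        return "2"
    return "1"


def passwords_set(check_log: str) -> dict:
    """Parse CheckPassword output into {level: is_set}."""
    state = {}
    for m in re.finditer(r"RDP (\d) password is (not )?set", check_log):
        state[int(m.group(1))] = m.group(2) is None
    return state


def preflight(optr_value: str, check_log: str):
    """Return (allowed, reason) for a planned WriteOptionBytes of FLASH_OPTR."""
    level = rdp_level(int(optr_value, 16))
    pw = passwords_set(check_log)
    if level == "2":
        if 2 not in pw:
            return False, "CheckPassword output not recognised; refusing Level 2"
        if not pw[2]:
            return False, "Level 2 without OEM2 key locks the device permanently"
        return True, "Level 2 with OEM2 key set; regression to Level 1 stays possible"
    if level == "1" and not pw.get(1, False):
        return True, "Level 1 without OEM1 key; unlock needs no password and erases flash"
    return True, f"Level {level}"


# CheckPassword output copied from the example on this page.
SAMPLE_LOG = """\
J-Link log: Device ID: 0x100164B0
J-Link log: RDP 1 password is set
J-Link log: RDP 2 password is not set
"""

if __name__ == "__main__":
    for value in ("0x1FEFF8BB", "0x1FEFF8CC"):
        print(value, preflight(value, SAMPLE_LOG))
```

Run CheckPassword immediately before the write and pass its output in unchanged; an empty or unrecognised log is treated as a refusal for Level 2.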
Removing password
Example
DevPro.exe -operation RemovePassword -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation RemovePassword -if SWD -speed 4000 -SetConfigVal Level=RDP1 -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'PCode_DevPro_ST_STM32WBA.pex'
J-Link log: RDP password has been removed successfully
Unlocking device with password
Example
DevPro.exe -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "Password=deadbeefdeadbeef" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal Level=RDP1 -SetConfigVal Password=deadbeefdeadbeef -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'PCode_DevPro_ST_STM32WBA.pex'
J-Link log: RDP password has been written successfully
Disabling TrustZone security
Example
DevPro.exe -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal "Level=RDP1" -SetConfigVal "TZ=0" -SetConfigVal "Password=deadbeefdeadbeef" -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation UnlockDevice -if SWD -speed 4000 -SetConfigVal Level=RDP1 -SetConfigVal TZ=0 -SetConfigVal Password=deadbeefdeadbeef -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'PCode_DevPro_ST_STM32WBA.pex'
J-Link log: RDP password has been written successfully
Get device authentication Id
Example
DevPro.exe -operation GetAuthId -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32WBA.pex
SEGGER Device Provisioner V8.52
Compiled Jul 16 2025 12:04:53
'q' to quit '?' for help
Command line: -operation GetAuthId -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32WBA.pex
Opened script file: 'C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32WBA.pex'
J-Link log: Device authentication id: 0x5FE05546