Skip to main content
S
SAMINA
Associate II
November 10, 2025
Question

How to revert from TZEN to non secure mode

  • November 10, 2025
  • 3 replies
  • 343 views

Hi

I am using STM32L562 and sampled and flashed the Zephyr OS example for TrustMode. 

I could not revert back the TrustZone therefore followed the information from the link https://community.st.com/t5/stm32-mcus-security/reverting-option-byte-configuration-after-tf-m-testing-in/m-p/584225/highlight/true#M5879

However, after executing the first two commands the board doesn't respond to the command.  Even with the hotplug  mode, I can't set RDP level back to 0

 STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst -ob RDP=0xAA UNLOCK_1A=1 UNLOCK_1B=1 UNLOCK_2A=1 UNLOCK_2B=1
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0


UPLOADING OPTION BYTES DATA ...

 Bank : 0x00
 Address : 0x40022040
 Size : 32 Bytes


Error: Uploading Option Bytes bank: 0 failed
Error: Initializing the Option Bytes failed
STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst -ob RDP=0xAA UNLOCK_1A=1 UNLOCK_1B=1 UNLOCK_2A=1 UNLOCK_2B=1 
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0


UPLOADING OPTION BYTES DATA ...

 Bank : 0x00
 Address : 0x40022040
 Size : 32 Bytes


Error: Uploading Option Bytes bank: 0 failed
Error: Initializing the Option Bytes failed


I can connect to the device 

STM32_Programmer_CLI -c port=SWD mode=hotplug reset=SWrst 
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0

Would you kindly help me to revert back?

 

3 replies

S
SAMINAAuthor
Associate II
November 11, 2025

Hi

Thanks for the reply. However, following command doesn't work. I tried with UI app as well which fail even to connect

STM32_Programmer_CLI -c port=SWD mode=UR reset=HWrst --erase all
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)

 

I tried to run following command but no success. 

STM32_Programmer_CLI -c port=SWD mode=HOTPLUG -halt -c port=SWD mode=UR --erase all
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
SWD freq : 8000 KHz
Connect mode: Hot Plug
Reset mode : Software reset
Device ID : 0x472
Revision ID : Rev Z
Device name : STM32L5xx
Flash size : 512 KBytes (default)
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0x0

Core halted
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.28V
Error: ST-LINK error (DEV_TARGET_NOT_HALTED)

 

Jocelyn RICARD
Jocelyn RICARD
ST Employee
November 11, 2025

Hello @SAMINA ,

On STM32L5 you can do this regression in RDP 0.5.

In any case, if your firmware is not running in non secure you will not be able to do the regression.

What you can do is to connect your BOOT0 pin to VDD. After reset, if you don't have forced anything in option bytes, you should jump to the embedded system bootloader which runs in non secure.

From that, you will be able to attach in hotplug (you don't need "reset=HWrst" ) and perform the regression

Best regards

Jocelyn

S
SAMINAAuthor
Associate II
November 13, 2025

Hi Jocelyn

Thanks for the reply. I pulled BOOT0 to VDD. CLI app was not able to connect to the processor

STM32_Programmer_CLI -c port=SWD mode=UR
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.20.0 
 -------------------------------------------------------------------

ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
Error: ST-LINK error (DEV_CONNECT_ERR)
2nd connect tentative with frequency (8MHz)
ST-LINK SN : 0046003F3137510C33333639
ST-LINK FW : V3J16M8
Board : STM32L562E-DK
Voltage : 3.27V
Error: Unable to get core ID
Error: ST-LINK error (DEV_CONNECT_ERR)

 

Doug Barnes
Doug Barnes
Associate II
November 19, 2025

Just to add to this...

On a 2nd Nucleo U5A5 board that I have, with empty flash, TZEN = 1, RDP = 1, by pulling BOOT0 pin high and booting into RSS, I was able to regress back to TZEN = 0 RDP = 0 (I used the CubeProgrammer CLI but I assume it could be done via GUI too)

So I don't understand why it doesn't work on my first U5A5 Nucleo.

Note: I am 100% sure that on the first U5A5 board:

  • RDP is NOT Level 2
  • OEM1KEY and OEM2KEY are NOT set
  • None of the boot option bits or boot address fields in Option bytes have been changed
  • Pulling BOOT0 Pin high really works (measured with oscilliscope, line is really high)

One other interesting thing is that when I boot into RSS (TZEN = 1 and BOOT0 is pulled HIGH) the Blue LED (LED 2 I think?) is turned on, that must be code in the RSS Bootloader doing that, correct?  If so:

  • Isn't this weird?  What if my custom board wants to use that GPIO for something else?  Or is the RSS ROM on a Nucleo STM32U5A5 a tiny bit different with custom instructions to light the LED?

On my first U5A5 board, the one that cannot be reverted, I see the blue LED flicker dimly for 1/100 of a second, or sometimes not at all, when I (try to) boot into RSS, if this provides any more insight.

Jocelyn RICARD
Jocelyn RICARD
ST Employee
November 24, 2025

Hello @Doug Barnes ,

When setting BOOT0 pin high you boot in RSS which is a system secure application. The RSS will then jump to non secure system bootloader. This is reason why you can attach in hotplug in this setup and are able to launch the regression. (@SAMINA )

This behaviour may be "perturbated" by other option bytes such as swBoot0 and boot_lock enabled.

Regarding your Nucleo, I don't don't know what could be the issue if all your option bytes are set correctly.

Best regards

Jocelyn

Doug Barnes
Doug Barnes
Associate II
December 1, 2025

Thank you Jocelyn for always providing consistently helpful replies.

    Terms & ConditionsAccessibility statement