Skip to main content
M
Mike1992
Associate III
May 5, 2025
Solved

STM32H503 RDP

  • May 5, 2025
  • 3 replies
  • 792 views

Hello, I am asking for help from the community. My application is completely written, but I can't set read protection. I tried to do all the steps in this guide, but it led to bricking one of my boards. The second board is still in product state = 17? but I can't install the obk file or remove protection, returning it to the ED state. Cube programmer did not give me the choice "Change the PRODUCT_STATE option to 17, then press [Apply]. A window appears asking if the default DA-Config should be applied, press [NO]." it just set the state to 17 without asking.
I did not find any sensible information on the network on how to set or remove protection. Maybe it is possible to do this directly from the application? in state 17 I can flash h503, but I can't switch to debugging.
I really ask for help, my project is completely ready, but it needs to be protected.

Best answer by Mike1992

Hi everyone, I found the answer, I think it will be useful for those who encounter this question:

INSTALLING PROTECTION:
The key is written to h503 in the OTP memory, at the address 0x08FFF000 Mike1992_0-1746685107620.png (specify this address in DA_ConfigWithPassword.xml in the file in the <ObDestAddress> field when preparing the password), so it must be clean and never written before.

In the xml file set:
<ObDestAddress>0x08FFF000</ObDestAddress> - record address
<DoEncryption>0</DoEncryption> - no cryptography
<GlobalAlign>8</GlobalAlign> - number of characters in the password (I have 8 = 12345678 (password))
<Name>Password</Name>

<Value>12345678</Value> - set the password
then save the xml file and standardize the OBK file and password.bin files in STM32TrustedPackageCreator.
then in the Cube Programmer, PROV tab, in the Enter Password field, you enter your password, and in the Select Path field, specify the path where the generated OBK file is located and click Start Provisioning.

Mike1992_2-1746685672379.png

You can program a password into the processor in the ED or 17 state, it makes no difference. After programming, you can view the encrypted password at 0x08FFF000.

Mike1992_1-1746685165342.png

After that, set the Product state == 17 and press disconnect(to set the state to closed, you must first transfer it to state 17 or 2E).


Removing protection (transition to the open state == ED)
1- the processor reset pin MUST be connected to the RESET stlink pin, otherwise you will not be able to remove the protection.
2- without pressing connect, go to the Secure Programming tab, open the DA tab, press the Disk button there and a description of the state of your processor and its ID will appear.
3- press Full regression

Mike1992_3-1746685782773.png

4- done, you have set the password, set and removed the protection.

SEVERAL TIPS:
1- you can use part of the OTP memory for your needs
2- I did it this way: the first time I set the password through the standard tools of the Cuba Programmer, then copied the cells responsible for the password and created a structure with these values, then on serial MK I simply write these values ​​at one time along with programming user values ​​in memory.
3- installing the product state from the application using standard HAL methods(MAKE SURE THAT YOU HAVE A PASSWORD INTO THE DEVICE MEMORY 0x08FFF000 ADRESS) :
/* USER CODE BEGIN PTD */
FLASH_OBProgramInitTypeDef OptionsBytesStruct;//create the OB structure
__HAL_RCC_GET_FLAG(RCC_FLAG_IWDGRST);
__HAL_RCC_CLEAR_RESET_FLAGS();

HAL_FLASHEx_OBGetConfig(&OptionsBytesStruct);
HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_IROT_PROVISIONED; // SET THE PRODUCTION STATE
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();

HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_CLOSED; // SET THE CLOSED STATE
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();
NVIC_SystemReset(); // reboot for changes to take effect

4- remove protection (product state == ED )
Attention, this will completely erase the user flash memory of the processor!
HAL_FLASHEx_OBGetConfig(&OptionsBytesStruct);
HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_REGRESSION;// full regression
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();
NVIC_SystemReset();

That's all, I hope my article will be useful!

3 replies

M
Mike1992Author
Associate III
May 5, 2025

Do I understand correctly that for the protection level to work correctly, a clean, unwritten OTP memory is required? I have already tested OTP recording on this processor, could this interfere?

I also do not understand the password entry field in the cube programmer, are the password field and the .passw.pngobk file selection field mutually exclusive?

M
Mike1992AuthorBest answer
Associate III
May 8, 2025

Hi everyone, I found the answer, I think it will be useful for those who encounter this question:

INSTALLING PROTECTION:
The key is written to h503 in the OTP memory, at the address 0x08FFF000 Mike1992_0-1746685107620.png (specify this address in DA_ConfigWithPassword.xml in the file in the <ObDestAddress> field when preparing the password), so it must be clean and never written before.

In the xml file set:
<ObDestAddress>0x08FFF000</ObDestAddress> - record address
<DoEncryption>0</DoEncryption> - no cryptography
<GlobalAlign>8</GlobalAlign> - number of characters in the password (I have 8 = 12345678 (password))
<Name>Password</Name>

<Value>12345678</Value> - set the password
then save the xml file and standardize the OBK file and password.bin files in STM32TrustedPackageCreator.
then in the Cube Programmer, PROV tab, in the Enter Password field, you enter your password, and in the Select Path field, specify the path where the generated OBK file is located and click Start Provisioning.

Mike1992_2-1746685672379.png

You can program a password into the processor in the ED or 17 state, it makes no difference. After programming, you can view the encrypted password at 0x08FFF000.

Mike1992_1-1746685165342.png

After that, set the Product state == 17 and press disconnect(to set the state to closed, you must first transfer it to state 17 or 2E).


Removing protection (transition to the open state == ED)
1- the processor reset pin MUST be connected to the RESET stlink pin, otherwise you will not be able to remove the protection.
2- without pressing connect, go to the Secure Programming tab, open the DA tab, press the Disk button there and a description of the state of your processor and its ID will appear.
3- press Full regression

Mike1992_3-1746685782773.png

4- done, you have set the password, set and removed the protection.

SEVERAL TIPS:
1- you can use part of the OTP memory for your needs
2- I did it this way: the first time I set the password through the standard tools of the Cuba Programmer, then copied the cells responsible for the password and created a structure with these values, then on serial MK I simply write these values ​​at one time along with programming user values ​​in memory.
3- installing the product state from the application using standard HAL methods(MAKE SURE THAT YOU HAVE A PASSWORD INTO THE DEVICE MEMORY 0x08FFF000 ADRESS) :
/* USER CODE BEGIN PTD */
FLASH_OBProgramInitTypeDef OptionsBytesStruct;//create the OB structure
__HAL_RCC_GET_FLAG(RCC_FLAG_IWDGRST);
__HAL_RCC_CLEAR_RESET_FLAGS();

HAL_FLASHEx_OBGetConfig(&OptionsBytesStruct);
HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_IROT_PROVISIONED; // SET THE PRODUCTION STATE
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();

HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_CLOSED; // SET THE CLOSED STATE
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();
NVIC_SystemReset(); // reboot for changes to take effect

4- remove protection (product state == ED )
Attention, this will completely erase the user flash memory of the processor!
HAL_FLASHEx_OBGetConfig(&OptionsBytesStruct);
HAL_FLASH_Unlock();
HAL_FLASH_OB_Unlock();
OptionsBytesStruct.ProductState = OB_PROD_STATE_REGRESSION;// full regression
HAL_FLASHEx_OBProgram(&OptionsBytesStruct);
HAL_FLASH_OB_Launch();HAL_FLASH_OB_Lock();HAL_FLASH_Lock();
NVIC_SystemReset();

That's all, I hope my article will be useful!

Terms & ConditionsAccessibility statement