Robmar
Senior II
May 30, 2024
Question

Looking for an open source USB DFU protocol programmer application

I'd like to be able to distribute secure code updates (encrypted) to clients along with an application that can program the STM32H743 over USB.

The STM32CubeProgrammer works well with our board, but does not provide any security as far as I know for the code files, .elf or others.

The idea is to have an application in which we can add code to decode our encrypted source and program the MCU over the USB link in boot mode.

I am sure this would be useful to other developers needing to securely distribute code updates to clients or remote machines.

3 replies

Amine_Jridi
Technical Moderator
June 3, 2024

Hello @Robmar,

To establish a USB_DFU connection with your MCU via application, you can refer to the application example located in the STM32Cube repository. You'll find it under the following path:

....\STM32Cube\Repository\STM32Cube_FW_H7_V1.11.2\Projects\"Your_Board"\Applications\USB_Device\DFU_Standalone

You can use this example as a starting point for creating a secure application tailored to program your STM32H7 over USB.

Thanks.
Amine.

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
Robmar (Author)
Senior II
June 3, 2024

Thanks, I've found the sample application you reference, but the application is to run on the ST MCU, and we need an application that will run on Windows 10 to download the code to the standard H743V MCU when it's in boot mode, boot pulled high.

So we intend to use the default MCU DFU code, but we need to have a Windows app like Cube Programmer that can decrypt our binary files - which is where we need to add our decoder routine.

MM..1
Chief III
June 4, 2024

You completely miss how programming differs from security. You prepare a secure bin file and use it in a classic programmer. Flash to some address. When you plan to stay on the MCU's internal DFU boot, any mini hacker can download your image from the MCU without trouble. Many ways exist, but all are based on your own bootloader code placed into the start of the flash area and some protection of this part of flash. For example, read about SBSFU...

Try to explain what you need to protect and maybe we can provide info.

Amine_Jridi
Technical Moderator
June 4, 2024

I understand, in this case I suggest exploring the SFI (Secure Firmware Installation) mechanism offered by ST with STM32CubeProgrammer, which should serve your needs.

For further information, you can refer to the AN4992 Application Note available on ST.com.

Thanks,

Amine.

Robmar (Author)
Senior II
June 4, 2024

Thanks, I looked at the SFI web page, it's really not very user-friendly, I came away with more doubts than answers. STM32Trust - STMicroelectronics

For example it states "The STM32CubeProgrammer includes the STM32TrustedPackage Creator tool which allows the generation of SFI and SMI encrypted images" but the SFI tab is greyed-out, and it states the tab feature only "supports STM32U5 series!"

It looks like it was all written by someone who was paid by the word.

This is not the first time STM docs do not tally with STM software.

Do you know of a clear guidance on how to get STMCubeProgrammer encoding our files? Ideally without us needing to use memory cards, we just want to send an encrypted firmware update to a client and give them a link to download the CubeProgrammer.

Looking at Ap Note AN4992 the H743 is not in the supported list (Table 1) which is surprising given that it's a new device. Encoding data does not need special encryption hardware and is easy to do, but we really would expect STM to support the H743.

Tesla DeLorean
Guru
June 7, 2024

Why'd you want to decrypt it on the host system? And then send over the wire in plain-text? Especially if you're bound to release/disclose the source.

End-to-End would work a lot better if you decrypt in the target itself. Encrypted at rest would also be good.
