1. What is the Firmawre Upgrade Services (FUS)
FUS (Firmware Upgrade Services) is a firmware running on STM32WB Cortex®-M0+ and offering multiples features for user.
1.1. FUS Features
• Install, upgrade or delete STM32WB Cortex®-M0+ wireless stack:
- Only encrypted and signed by STMicroelectronics - Optionally, additionally double signed by customer if needed
• FUS self-upgrade:
- Only encrypted and signed by STMicroelectronics - Optionally, additionally double signed by customer if needed
• Customer authentication key management:
- Used for images double signature - Install, update and lock the customer authentication key
• User key management:
- Load and Store customer keys (Simple clear key & Encrypted key by Master key) in secure area accessible only by Cortex®-M0+ code. - Write stored key (simple or encrypted) into AES1 (advanced encryption standard) in secure mode. - Lock a stored key to prevent its usage until next system reset. - Unload a previously loaded key from AES to prevent its usage by other applications.
• Communication with Cortex®-M4 (FUSOperator or bootloader):
- Through IPCC commands and response model. - Commands already supported by STM32WB bootloader (in ROM) and FUSOperator (in User FLASH).
1.2. Acronyms definitions
Acronym | Definition |
---|---|
FUS | Firmware Upgrade Services |
WS | Wireless Stack |
UFB | Unique Firmware Boot entry |
Safeboot | Safeboot module |
2. General Design Aspects
2.1. Context
The FUS is a firmware located in the secure flash memory of STM32WB and allowing mainly to update the Wireless stack located in the same memory. It can be running only by CM0 and offers a defined level of protection and authentication for the wireless stack upgrade.
When STM32WBxx leaves ST’s production site, it has FUS (and its necessary components) programmed, but Wireless Stack is not programmed. It has to be programmed on the field by customer, using FUS services (communication used may be Bootloader or JTAG or user application (local loader)).
The FUS does not communicate with outside directly. It uses mailbox to get services requests. In addition to allowing Wireless Stack upgrade, it also allows additional services related to keys management.
The UFB is a nonvolatile memory (NVM) space used to store the FUS state machine.
The SafeBoot is a code allowing to manage the case when option bytes are corrupted, it allows to restore option bytes and boot on the right part of the CM0 code (FUS or wireless stack).
The FUS uses following resources:
• CPU2: CM0+
• Secure Flash Memory and options bytes
o 2x Banks allocated for FUS code
o UFB for storing FUS state machine
o Key storage allocated space
• Secure part of SRAM2b + Secure part of SRAM2a (if no other option)
• Interrupts
• RCC and Power
• AES (secure part)
• ST Symmetric Key (fixed location in secure Flash, must not be modified or removed)
• Authentication Key (fixed location in secure Flash, can be modified by user request or locked)
• The FUS uses following interfaces to communicate with outside:
• Non-Secure part of SRAM2a
• Mailbox IPCC (coupled with shared SRAM)
• Image headers (Wireless stack, keys, FUS image)
The FUS parses the user flash (non-secure) or shared SRAM to identify and extract upgrade images requested by user (upgrade of Wireless Stack, FUS or keys)
2.2. Resources
2.2.1. CPU Core
FUS runs exclusively on CM0+ core.
The boot address of the CM0+ must be configured to FUS start address in order to start FUS services. This setting is done through option bytes (SBRV) and requires a system reset to be effective. This operation can be done only by a code running on CM0+ (ie. Wireless stack, SafeBoot, or configure from production).
2.2.2. Flash mapping
The Flash memory is shared between CM4 and CM0+.
CM0+ allocates a secure area from Flash that is dedicated for CM0+ execution and cannot be accessed by any CM4 code. CM0+ can access, in read, all the flash memory (secure and non-secure).
Secure Flash boundary is defined by secure option bytes and can be set only by code running on CM0+.
Only FUS or Wireless stack or Safeboot may be running on CM0+ core.
The address mapping for each module for stm32wb5x is as following:
Module | Start Address | Size | Comments |
---|---|---|---|
ST Symmetric Key | 0x080FFFA0 | 256 Bits | Signle Key of 256 bits |
Safeboot | 0x080FF000 | 4KB | 1 sector |
UFB Bank1 | 0x080FB000 | 4KB | Includes Authentication key |
UFB Bank2 | 0x080FC000 | 4KB | Includes Authentication key |
User Keys | 0x080FA000 | 4KB | 125 Keys + Master Key + Keys table |
The address mapping for each module for stm32wb1x is as following:
Module | Start Address | Size | Comments |
---|---|---|---|
ST Symmetric Key | 0x0804F7A0 | 256 Bits | Signle Key of 256 bits |
Safeboot | 0x0804F000 | 2KB | 1 sector |
UFB Bank1 | 0x0804C000 | 2KB | Includes Authentication key |
UFB Bank2 | 0x0804C800 | 2KB | Includes Authentication key |
User Keys | - | - | No User Keys for stm32wb1x FUS |
3. FUS versioning and identification
3.1. FUS Identification
The user needs to read the shared table memory in SRAM2a to identify the FUS version. The first word in SRAM2a pointed by IPCCDBA Option Bytes is the "Device info table" address. The device information table contains the FUS version at offset 0xC which is encoded on four bytes. Typically, if IPCCDBA=0x0000 and @0x20030000 contains 0x20030024, then the FUS version is @0x20030030. Installation of a FUS image must follow the conditions stated in the image binary release notes
When using the SWD interface with the STM32CubeProgrammer older than V2.7.0, the address of the device information table is located at 0x20030890. For STM32CubeProgrammer V2.7.0 and higher, the device information table is located at 0x20030024.
3.2. stm32wb5x FUS Versions
FUS version | Description |
---|---|
V0.5.3 | Default version programmed in production for all STM32WB5xx devices. Must be upgraded to V1.0.1 on STM32WB5xG devices or to V1.0.2 on STM32WB5xE/5xC devices. This version is not available for download on www.st.com and cannot be installed by users |
V1.0.1 | First official release available on www.st.com and dedicated to STM32WB5xG devices only (1-MBytes Flash memory size) This version must not be installed on STM32WB5xE/5xC devices, otherwise the device enters a locked state and no further updates are possible. |
V1.0.2 | First official release available on www.st.com and dedicated to STM32WB5xE/5xC devices (512-KBytes and 256-KBytes Flash memory size) Use the V1.0.2 on the STM32WB5xG devices if the devices present FUS V0.5.3. If an STM32WB5xG device has FUS V1.0.1, then there is no need to upgrade to V1.0.2, since it does not bring any new feature/change vs. V1.0.1. In case FUS V1.0.2 installation is started by user on an STM32WB5xG device with FUS V1.0.1, FUS returns FUS_STATE_IMG_NOT_AUTHENTIC error and discard the upgrade |
V1.1.0 | FUS update to support following features: • Add FUS_ACTIVATE_ANTIROLLBACK command that allows activating Anti-rollback on wireless stack by user. User can activate this feature in order to prevent any installation of older wireless stack. |
V1.1.1 | Add management of 640KB parts, full compatible with V1.1.0 |
V1.1.2 | FUS update to: • Optimize Flash usage: this allows the installation of a stack, maintaining one sector separation below a previously installed stack (instead of stack size space constraint |
V1.2.0 RC1 | FUS update to: • Includes V1.1.2 FUS updates in production |
V1.2.0 RC2 | Add Safeboot security enhancement, no changes on FUS features. |
3.3. FUS versions compatibility
The table below details the FUS versions compatibility options (when it is possible to upgrade from a version to another). FUS V1.2.0 is the version that allows the upgrade from any previous version. It is released in two binaries:
• stm32wb5x_fus_fw_V1.2.0.bin : for upgrades from any FUS version V1.x.y
• stm32wb5x_fus_fw_V1.2.0_for_V0.5.3.bin: upgrades from FUS version V0.5.3
Upgrade to -> from | V0.5.3 | V1.0.2 | V1.1.0 | V1.1.1 | V1.1.2 | V1.2.0 |
---|---|---|---|---|---|---|
V.0.5.3 | X | ✔ | X | X | X | ✔ |
V.1.0.2 | X | X | ✔ | X | ✔ | ✔ |
V.1.1.0 | X | X | X* | X | ✔** | ✔ |
V.1.1.1 | X | X | X | X | ✔ | ✔ |
V.1.1.2 | X | X | X | X | ✔ | ✔ |
V.1.1.2 | X | X | X | X | X | ✔ |
Legend:
• X: Cannot upgrade
• √: Upgradable
• *: Must not upgrade, otherwise encryption keys are lost
• **: Upgradable but a BLE stack needs to be installed first and enable Anti-rollback
3.4. FUS versions availability
FUS versions availability can be resumed by the table below:
FUS Version | Production | Binary on www.st.com | ||||
---|---|---|---|---|---|---|
V.0.5.3 | ✔ | X | style="text-align:center;" | |||
V.1.0.2 | ✔ | ✔ | ||||
V.1.1.0 | X | X | X* | X | ✔** | ✔ |
V.1.1.1 | X | X | X | X | ✔ | ✔ |
V.1.1.2 | X | X | X | X | ✔ | ✔ |
V.1.1.2 | X | X | X | X | X | ✔ |