How to start with DA access on STM32H7RS

Revision as of 10:27, 16 January 2024 by Registered User (→‎Debug Opening (intrusive debug))

How to start with DA access on STM32H7S



Through this practical example you will learn:

  • How to perform a debug authentication and reopen the debugger.
  • How to read the installed user application firmware using the STM32CubeProgrammer
  • How to attach an IDE on a running target and execute step by step, the secure user application
  • How to make a Firmware Update of a closed device
  • How to perform a regression to retrieve an empty board.


  • Hardware
    • STM32H7S discovery board: the STM32H7S devices have all the available security features, including the HW crypto accelerator (the HW cryptographic acceleration is not support for STM327R devices).
    • Discovery MB1736- STM32H7S (need USBC cable)
Figure 1 STM32H7S DK MB1736
  • Required tools
    • STM32Cube_FW_H7RS_V1.0.0RC3 or later
    • STM32CubeProgrammer_rev0.0.7-H7RS-B01 or more recent (with trusted package creator (TPC) selected at installation).
    • IAR Embedded Workbench® rev 9.20.1 or later.
    • IAR Patch EWARMv9_STM32H7R-Sxx_V0.10.0 or later
    • Tera Term / Putty or equivalent terminal emulator.
Info white.png Information
The TPC installed together with CubeProgrammer in the bin folder located in default STM32CubeProgrammer path : C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin You can pin this tool to the taskbar to simplify the "STiRoT Getting started" process :
Security PinToTask.png

  • STM32Cube Firmware
    • Download the STM32Cube_FW_H7RS Cube firmware (advise is to place it close form the C: in order to avoid long windows paths)
    • A directory STM32H7S78-DK is included in "STM32Cube_FW_H7RS\Projects"
Figure 2: STM32Cube_FW_H7RS
  • Open the env.bat file
  • If the STM32CubeProgrammer has not been installed in the default folder:C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer, the customized installation path needs to be updated.
  • Update the COM port to be aligned with your COM port number.
File:env.bat General setting.png
Figure 3 env.bat general setting
  • Use the Windows device manager to find out your COM port number, as shown in figure below
Figure 4 Find out the COM Port number

1. Debug Opening (intrusive debug)

For a device in closed state the debugger is no open and you have an error message if you try to connect STM32CubeProgrammer.

To open the debug it is mandatory that the device has been provisioned in closed state with Certificate Debug Authentication.

Warning white.png Warning
If the device has been provisioned with Password Debug Authentication, only a full regression is possible and a debug opening is not allowed.
Info white.png Information
Only the owner of the key and certificate can open the debugger.

To follow the procedure described bellow the device must be provisioned in closed state with OEMiRoT or STiRoT.

1.1. Debug Opening procedure - OEMiRoT usecase

  • Please follow OEMiRoT example with CERTIFICATE configuration until 2.7 OEMiRoT application execution. Don't perform a full regression, the device must be in closed state.
  • Open STM32CubeProgrammer
  • Select the shield
  • Click on "Discover" -> the product state "Closed" is displayed
  • Browse the paths for the root key and the certificate, as indicated in the figure below.
  • Click on continue -> the permission window is open
  • Select "Level 3 Intrusive Debug" (the OEMiRoT application is execute in HDPL3, see Secure Boot for STM32H7RS article)
  • Click Execute -> A Debug Authentication Success message is displayed.

  • The debugger is open and the content of the flash can be readout, as shown in figure below

The debugger will stay open until the next hardware reset.

  • Disconnect STM32CubeProgrammer

1.2. IAR connection, step by step user application execution - OEMiRoT usecase

  • Launch IAR
  • Select Project -> Attach to Running Target (see figure below) (the STM32CubeProgrammer must be disconnected first)

Some trials you can do are indicated in the figure below

  1. Set a break point
  2. Click on "break"
  3. Click on "Reset"
  4. Try out some step by step executions
  5. Click on "Go" -> the execution will stop at the break point.

  • Make a modification of the user application code, for instance as proposed in the figure below
  • Project -> Rebuild All
  • The new application image created through the postbuild command, will be used in the firmware update example described in next chapter.

1.3. Debug Opening procedure - STiRoT usecase

  • Perform STiRoT example with CERTIFICATE configuration until 2.4 STiRoT application execution.
  • Open STM32CubeProgrammer
  • Select the shield
  • Click on "Discover" -> the product state "Closed" is displayed
  • Browse the paths for the root key and the certificate, as indicated in the figure below.
  • Click on continue -> the permission window is open
  • Select "Level 2 Intrusive Debug" (the STiRoT application is execute in HDPL2, see Secure Boot for STM32H7RS article)
  • Click Execute -> A Debug Authentication Success message is displayed.

Figure 46 Debugger Opening
  • The debugger is open and the content of the flash can be readout, as shown in figure below
Figure 47 Flash readout , debugger reopened

The debugger will stay open until the next hardware reset.

  • Disconnect STM32CubeProgrammer

1.4. IAR connection, step by step user application execution - STiRoT usecase

  • Launch IAR
  • Select Project -> Attach to Running Target (see figure below) (the STM32CubeProgrammer must be disconnected first)
Figure 48 Debugger reopened, IAR connection

Some trials you can do are indicated in the figure below

  1. Set a break point
  2. Click on "break"
  3. Click on "Reset"
  4. Try out some step by step executions
  5. Click on "Go" -> the execution will stop at the break point.
Figure 49 User application execution step by step using IAR
  • Make a modification of the user application code, for instance as proposed in the figure below
  • Project -> Rebuild All
  • The new application image created through the postbuild command, will be used in the firmware update example described in next chapter.
Figure 50 User application modifications

2. Firmware Update for a Closed device

The following description shows how to perform a Firmware Update.
At the date of writing this article, the GUI graphical interface is not yet functional to perform a firmware update.

The following example shows how to proceed using the debug authentication script and updating the firmware through command line.
To follow the procedure described bellow the device must be provisioned in closed state with OEMiRoT or STiRoT.
For OEMiRoT please follow OEMiRoT example with CERTIFICATE configuration until 2.7 OEMiRoT application execution. Don't perform a full regression, the device must be in closed state.

For STiRoT perform STiRoT example with CERTIFICATE configuration until 2.4 STiRoT application execution.

2.1. Debug Authentification

  • In the previous section the encrypted and signed image has been created for a the modified firmware. If it's not the case, open the STiRoT_Appli, make some modifications and rebuild all the file -> image creation through postbuild command.
  • If applicable: close IAR or Disconnect STM32CubeProgrammer
  • Unplug/ replug the Discovery board USB cable to make a hardawre reset. If the debugger was open, it will be closed again.
  • Launch the dbg_auth.bat script
Figure 51 Debug authentication script
  • Type "e" to select the Forced Download. (See the permission set during the certificate generation, DA setting using TPC)
  • The script will indicate an error. Ignore it, this will be fixed in later script version

Figure 52 Debug authentication script execution

2.2. New application code image download

  • In a command prompt: execute the command indicated below
  • Depending on your PC administrator rights, you need to run it from the STM32CubeProgrammer installation directory: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer_revx.x.x-H7RS-xxx\bin
  • Command to execute: STM32_Programmer_CLI.exe -c port=COMxx br=921600 -elbl "ExternalLoader\MX66UW1G45G_STM32H7S78-DK_XSPIM1-SFIx.stldr" -d C:\Users\xxxxx\STM32Cube_FW_H7RS_Vx.x.x\Projects\STM32H7S78-DK\Applications\ROT\STiROT_Appli\Binary\appli_enc_sign.hex
Note:the xxx needs to be adapted for your configuration.
  • The new image of the application code is downloaded in the external flash donwload area defined during the STiRoT configuration defined previously.
  • At next reset the STiRoT will detect that a new firmware needs to be installed and perform automatically the installation (this is transparent for a user).

Figure 53 Firmware upgrade example, command line execution

2.3. New installed application code execution

  • Launch the Teraterm (or equivalent)
  • Reminder:
    • File => New connection
    • The COM port number should be the same as indicated by your Windows device manager and also written in the env.bat file (see Prerequisites chapter)
    • Setup => Serial port -> update to 115200 (and see the figure below for other configurations) -> New Setting
  • Press the reset button (black button of the discovery board)
  • The new STiRoT application is executed as shown in the figure below
Figure 54 New STiRoT application execution

2.4. Full regression using graphic interface

Previously the regression script has been used.
Following an example showing how to proceed using the graphic interface of STM32CubeProgrammer.

  • Close Teraterm
  • Start STM32CubeProgrammer
  • Select the shield
  • Click on "Discover" -> the product state "Closed" is displayed
  • Browse the paths for the root key and the certificate, as indicated in the figure below.
  • Click on continue -> the permission window is open
  • Select Full Regression
  • Click Execute -> A Debug Authentication Success message is displayed.
Figure 55 Full regression using STM32CubeProgrammer graphic interface
  • Using STM32CubeProgrammer, you can verify that the flash is empty and that the device is back in "Open" state.
Note: it's a good habit to make a full regression after completing trials. Reminder that it's important if you have regenerated the root key, to not loose this key in ordrer to be able to make a regression or a debugger opening.