STM32WB Firmware Upgrade Service

1. What is the Firmware Upgrade Services (FUS)

FUS (Firmware Upgrade Services) is a firmware running on STM32WB Cortex®-M0+ and offering multiples features for user.
FUS is programmed by ST on all STM32WB devices and can be upgraded by user.
The AN5185 is the main reference document for FUS subject.

FUS Features :

• Install, upgrade or delete STM32WB Cortex®-M0+ wireless stack : Only encrypted and signed by STMicroelectronics, Optionally, additionally double signed by customer if needed
• FUS self-upgrade: Only encrypted and signed by STMicroelectronics, Optionally, additionally double signed by customer if needed
• Customer authentication key management: Used for images double signature, Install, update and lock the customer authentication key
• User key management: Load and Store customer keys (Simple clear key & Encrypted key by Master key) in secure area accessible only by Cortex®-M0+ code.
• Write stored key (simple or encrypted) into AES1 (advanced encryption standard) in secure mode.
• Lock a stored key to prevent its usage until next system reset.
• Unload a previously loaded key from AES to prevent its usage by other applications.
• Communication with Cortex®-M4 (FUS Operator or bootloader): Through IPCC commands and response model, Commands already supported by STM32WB bootloader (in ROM) and FUSOperator (in User FLASH).

Acronyms definitions

2. How FUS Work

2.1. Context

The FUS is a firmware located in the secure flash memory of STM32WB and allowing mainly to update the Wireless stack located in the same memory. It can be running only by CM0 and offers a defined level of protection and authentication for the wireless stack upgrade.
When STM32WBxx leaves ST’s production site, it has FUS (and its necessary components) programmed, but Wireless Stack is not programmed. It has to be programmed on the field by customer, using FUS services (communication used may be Bootloader or JTAG or user application (local loader)).

The FUS does not communicate with outside directly. It uses mailbox to get services requests. In addition to allowing Wireless Stack upgrade, it also allows additional services related to keys management.
The UFB is a nonvolatile memory (NVM) space used to store the FUS state machine. The SafeBoot is a code allowing to manage the case when option bytes are corrupted, it allows to restore option bytes and boot on the right part of the CM0 code (FUS or wireless stack).
The FUS uses following resources:

• CPU2: CM0+
  
• Secure Flash Memory and options bytes
  
• 2x Banks allocated for FUS code
  
• UFB for storing FUS state machine
  
• Key storage allocated space
  
• Secure part of SRAM2b + Secure part of SRAM2a (if no other option)
  
• Interrupts
  
• RCC and Power
  
• AES (secure part)
  
• ST Symmetric Key (fixed location in secure Flash, must not be modified or removed)
  
• Authentication Key (fixed location in secure Flash, can be modified by user request or locked)
  
• The FUS uses following interfaces to communicate with outside:
  
• Non-Secure part of SRAM2a
  
• Mailbox IPCC (coupled with shared SRAM)
  
• Image headers (Wireless stack, keys, FUS image)
  

The FUS parses the user flash (non-secure) or shared SRAM to identify and extract upgrade images requested by user (upgrade of Wireless Stack, FUS or keys)

2.2. Resources

CPU Core
FUS runs exclusively on CM0+ core.
The boot address of the CM0+ must be configured to FUS start address in order to start FUS services. This setting is done through option bytes (SBRV : Secure Boot Reset Vector, the M0+ boot address) and requires a system reset to be effective. This operation can be done only by a code running on CM0+ (ie. Wireless stack, SafeBoot, or configure from production).
Flash mapping
The Flash memory is shared between CM4 and CM0+.
CM0+ allocates a secure area from Flash that is dedicated for CM0+ execution and cannot be accessed by any CM4 code. CM0+ can access, in read, all the flash memory (secure and non-secure).
Secure Flash boundary is defined by secure option bytes and can be set only by code running on CM0+. Only FUS or Wireless stack or Safeboot may be running on CM0+ core.
The address mapping for each module for stm32wb5x is as following:

3. FUS versioning and identification

3.1. FUS Identification

The user needs to read the shared table memory in SRAM2a to identify the FUS version. The first word in SRAM2a pointed by IPCCDBA Option Bytes is the "Device info table" address. The device information table contains the FUS version at offset 0xC which is encoded on four bytes. Typically, if IPCCDBA=0x0000 and @0x20030000 contains 0x20030024, then the FUS version is @0x20030030. Installation of a FUS image must follow the conditions stated in the image binary release notes

When using the SWD interface with the STM32CubeProgrammer older than V2.7.0, the address of the device information table is located at 0x20030890. For STM32CubeProgrammer V2.7.0 and higher, the device information table is located at 0x20030024 (the device must be connected under Hot Plug mode).
It is possible to read FUS version only when it is running and to ensure that the FUS is correctly running we can send 2 GET_FUS_STATE commands

3.2. stm32wb5x FUS Versions

Please note that FUS is programmed by ST on all STM32WB devices and that it can be upgraded by user on the field.

3.3. FUS versions compatibility

The table below details the FUS versions compatibility options (when it is possible to upgrade from a version to another). FUS V1.2.0 is the version that allows the upgrade from any previous version. It is released in two binaries:
• stm32wb5x_fus_fw_V1.2.0.bin : for upgrades from any FUS version V1.x.y
• stm32wb5x_fus_fw_V1.2.0_for_V0.5.3.bin: upgrades from FUS version V0.5.3

Legend: • X: Cannot upgrade
• √: Upgradable
• *: Must not upgrade, otherwise encryption keys are lost
• **: Upgradable but a Bluetooth® LE stack needs to be installed first and enable Anti-rollback
FUS versions availability
FUS versions availability can be resumed by the table below:

Legend:
• X: Not available
• √: Available

3.4. Differences between STM32WB5x & STM32WB1x

• Expect FUS V0.5.3 where SFSA is 0xF6

4. FUS activation and Upgrade

4.1. FUS activation

The FUS runs on Cortex®-M0+ and on the protected Flash memory zone dedicated for FUS and wireless stack. There are two possible situations:

In order to check if FUS is running or not, the following options are available:

• Send a single FUS_GET_STATE command and check the return status.
  
• If it is FUS_STATE_NOT_RUNNING then FUS is not running.
  
• Check the SBRV Option Bytes value:
  
• if it is 0x3D800 (for FUS V0.5.3) or 0x3D000 (for FUS V1.x.z) then FUS must be running – If it is different
  from 0x3D800 (for FUS V0.5.3) and from 0x3D000 (for FUS V1.x.z) then FUS is not running
  
• Send a wireless stack command:
  
• If it is acknowledged, then FUS is not running
  
• If it is not acknowledged, then FUS is running
  
• Read the shared table information:
  
• Read IPCCDBA (in Option Bytes) to get the shared tables start address in SRAM2a – Get the device information table address
  
• Read the field “Last FUS active state” ◦ 0x04 means that stack must be running ◦ Other values mean that FUS must be running – Read the "Async Ready" event that is sent by FUS at startup.
  

Interfaces that can be used to communicate with FUS are:

1. System Bootloader (USB DFU and USART): provide ready to use commands
   
2. SWD (FUS_Opeartor): provided by ST inside the STM32CubeProgrammer tool and offers ready to use commands.
   
3. User Application on CM4: can be developed by user based on STM32WB CubeFW examples (and in the future using Open Bootloader integrating FUS_Operator)
   

4.2. FUS self-Upgrade

The FUS is capable of self-upgrade in the same way as wireless stack upgrade. Deleting FUS is not possible In order to perform a FUS upgrade, perform the following steps:
1. Download the FUS image from www.st.com or from the STM32CubeMx repository.
2. Write the FUS image in the user Flash memory at the address indicated in the FUS image directory Release_Notes.html file.
3. Ensure FUS is running.
4. Send FUS_FW_UPGRADE command through IPCC mechanism (explained in sections below).
5. Send FUS_GET_STATE till getting state equal to FUS_STATE_NOT_RUNNING (this means that the wireless stack has been installed and is now running).
During the installation process, expect multiple system resets to occur. These system resets are performed by FUS and are necessary for the modification of dedicated memory parameters and to make Cortex®-M0+ run the installed wireless tack. The number of system resets depends on the configuration and the location of new and old images.
FUS identifies the image as FUS upgrade image and launches the FUS upgrade accordingly. This operation might result in a relocation of the firmware stack if it is already installed and if the size of the new FUS is larger than the size of the current FUS. This information and any relative constraints are detailed in the FUS image release note.
The FUS upgrade requires no specific memory conditions. But if the new FUS image size is larger than existing FUS size, the upgrade may result in moving the wireless stack lower in Flash memory in order to grant sufficient space for FUS upgrade. This means that:
• Less Flash memory is available for the Cortex®-M4 user application.
• The wireless stack is moved from its current address to another address defined by FUS. • If a user code is written in the sectors neighboring wireless stack start sector, there is a risk of it being erased during this operation.
The size of the FUS and results of its upgrade are detailed in its Release_Notes.html file. The image start address must be aligned to a sector start (ie. multiple of 4 Kbytes) and the image size must be a multiple of 4 bytes, otherwise, FUS rejects the installation procedure.

5. FAQ