
I am trying to back up the firmware of an STM32F030 sitting on a PCB that is the operating panel of a lawnmower robot as in https://openmower.de/, a new model (SA900ECO), and later to flash it.

It worked like a charm with openocd to back up an STM32F1X sitting on the lawnmower's mainboard.

When starting my script

backup_firmware_panel.sh

openocd -f yardforce500_panel.cfg -c "init" -c "reset halt" -c " dump_image panel_controller_backup.bin 0x08000000 0x10000" -c "reset" -c shutdown

I get the following error:

Open On-Chip Debugger 0.10.0+dev-01145-g2dfc1ed7 (2023-06-24-13:09)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Info : BCM2835 SPI SWD driver
Info : SWD only mode enabled
Info : clock speed 31200 kHz
Info : SWD DPIDR 0x0bb11477
Error: Could not find MEM-AP to control the core
Info : Listening on port 3333 for gdb connections
Error: Could not find MEM-AP to control the core
Error: Target not examined, reset NOT asserted!

A community member on Discord pointed me in the direction of unlocking the RDP; I have also found this post:

STM32 Read-out protection via OpenOCD

My setup is a forked version of openocd that works with the bcm2835spi of a Raspberry Pi. I have connected the relevant pins on the GPIO of the Raspi with the same on the mainboard holding the chip. It has been tested successfully by dumping the firmware of an STM32F1X, so the wiring should be OK.

My yardforce500_panel.cfg file looks as follows:

#source [find interface/stlink.cfg]

interface bcm2835spi

source [find target/stm32f0x.cfg]

#transport select hla_swd

#reset_config srst_only srst_nogate

#program "firmware.bin" 0x08000000 verify reset; shutdown;

I have then opened a connection via openocd -f yardforce500_panel.cfg

Open On-Chip Debugger 0.10.0+dev-01145-g2dfc1ed7 (2023-06-24-13:09)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'swd'
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : BCM2835 SPI SWD driver
Info : SWD only mode enabled
Info : clock speed 31200 kHz
Info : SWD DPIDR 0x0bb11477
Error: Could not find MEM-AP to control the core
Info : Listening on port 3333 for gdb connections

Then in another terminal I open a telnet session:

telnet 127.0.0.1 4444

In the telnet terminal I tried:


Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Open On-Chip Debugger
> init
> reset init
Could not find MEM-AP to control the core
Target not examined, reset NOT asserted!

> reset halt
Could not find MEM-AP to control the core
Target not examined, reset NOT asserted!

> 

I have read some guides like https://blog.dbrgn.ch/2020/5/16/nrf52-unprotect-flash-jlink-openocd/, where someone changes a register value, but I do not have a clue how to execute it on the STM32F03x chip.

I have found the section in the reference manual for the Read Protection.

I have also tried in the telnet terminal:

> flash list
{name stm32f1x base 134217728 size 0 bus_width 0 chip_width 0}
> flash banks
#0 : stm32f0x.flash (stm32f1x) at 0x08000000, size 0x00000000, buswidth 0, chipwidth 0

> stm32f0x unlock
  stm32f1x unlock bank_id

> stm32f0x unlock 0x08000000
flash bank 134217728 does not exist

> stm32f0x unlock #0        
Invalid command argument
bank_num option value ('#0') is not valid
> 
> stm32f0x unlock 0 
Target not examined yet
auto_probe failed

> stm32f1x unlock 0
Target not examined yet
auto_probe failed

But I lack the knowledge of how to set this RDP byte ... and before I brick my chip, I wanted to ask :)

jak83
  • If this device has readout protection enabled, then you will not be able to read its firmware. Disabling readout protection will cause the flash to be erased - so not only will you not be able to read it, but it will now be erased and non-functional. – pmacfarlane Jul 09 '23 at 08:34
  • @pmacfarlane thank you for pointing this out! Is there any way to circumvent this in order to back up the firmware? If not, I would take the risk, as long as I can reflash it with the modified firmware [last resort]. – jak83 Jul 09 '23 at 08:55
  • No, there's no practical way of backing up firmware from a device with readout protection enabled. That's the whole point of it. If you could just switch off readout protection and read the contents, what would be the point of that? – pmacfarlane Jul 09 '23 at 09:17
  • @pmacfarlane I guess that ... you have a valid point here :) Would you know how to disable the read protection though? I could then just pray and see if that might work after flashing the custom firmware. – jak83 Jul 09 '23 at 11:25
  • I don't know anything about OpenOCD, but you can use STM32CubeProgrammer to change the RDP setting. It's a free download from ST Micro's website. – pmacfarlane Jul 09 '23 at 12:03
  • Note that there are three RDP levels: 0 = no protection, 1 = flash protected but can be changed to 0 (and erase flash), and 2 = no JTAG/SWD enabled at all. If it is at level 2 you are doomed, you can't do anything with it. – pmacfarlane Jul 09 '23 at 12:05
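
Added example, not part of the original question or comments: a small decoder for the three RDP levels described in the last comment, working from either the RDP option halfword or the FLASH_OBR status register. The key bytes (0xAA, 0xCC) and the RDPRT bit positions are not on this page; they are taken from ST's STM32F0 reference manual and should be checked against the manual for the exact part. The sample values are constructed.

```python
"""Decode the STM32F0 read-out protection (RDP) level (added example)."""

# Values from ST's STM32F0 reference manual, not from the page above.
RDP_LEVEL0_KEY = 0xAA   # RDP option byte value that selects level 0
RDP_LEVEL2_KEY = 0xCC   # RDP option byte value that selects level 2
OBR_RDPRT1 = 1 << 1     # FLASH_OBR status bit set when level 1 is active
OBR_RDPRT2 = 1 << 2     # FLASH_OBR status bit set when level 2 is active

CONSEQUENCE = {
    0: "flash readable over SWD",
    1: "flash not readable over SWD; going back to level 0 erases flash",
    2: "SWD disabled; level cannot be changed",
}


def level_from_option_halfword(halfword: int) -> int:
    """Decode the 16-bit RDP option halfword: low byte RDP, high byte nRDP.

    A key byte only counts when the high byte is its bitwise complement;
    every other combination decodes as level 1.
    """
    rdp = halfword & 0xFF
    nrdp = (halfword >> 8) & 0xFF
    complement_ok = (rdp ^ nrdp) == 0xFF
    if complement_ok and rdp == RDP_LEVEL0_KEY:
        return 0
    if complement_ok and rdp == RDP_LEVEL2_KEY:
        return 2
    return 1


def level_from_obr(obr: int) -> int:
    """Decode the level the hardware reports in FLASH_OBR (RDPRT bits)."""
    if obr & OBR_RDPRT2:
        return 2
    if obr & OBR_RDPRT1:
        return 1
    return 0


def describe(level: int) -> str:
    return f"RDP level {level}: {CONSEQUENCE[level]}"


if __name__ == "__main__":
    # Constructed sample values, not read from the board in the question.
    for hw in (0x55AA, 0x33CC, 0x44BB, 0xFFFF, 0x00AA):
        print(f"option halfword 0x{hw:04X} -> {describe(level_from_option_halfword(hw))}")
    for obr in (0x0, 0x2, 0x6):
        print(f"FLASH_OBR 0x{obr:08X} -> {describe(level_from_obr(obr))}")
```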

0 Answers