Cheat Sheet[edit | edit source]

For a comprehensive list of commands, see:

Command Description
init initalize
halt halt the processor
reset halt reset device and halt
reset run reset device and start execution
flash list lists detected flash devices
flash read_bank <bank> <outputfile>

flash read_bank 0 firmware.bin 0 0x8000

Reads the entire bank of flash memory into an output file.

Eg. read the first 32KB of flash memory

reg shows all registers
reg <register> Shows a specific register. Eg. reg r0.
md{d,w,h,b} <address> Memory access (d = double/64 bit, w = word/32 bit, h = half/16 bit, b = byte/8 bit)
mw{d,w,h,b} <address> Memory write (same units above).

Interfacing with STM32F100[edit | edit source]

The STM32 like many ARM Cortex processors can be debugged using a Serial Wire Debug (SWD) interface which consists of two signals: SWDCLK (clock) and SWDIO (for bi-directional data). The SWD uses an interface called a Debug Access Port (DAP) which defines a master (the Debug Port or DP) and one or more slaves (the target, referred to as Access Ports or AP). You can read more about the details on this article "SWD – ARM’S ALTERNATIVE TO JTAG".

To begin interfacing with a STM32, use a STLink USB dongle and connect the clock line to SWCLK, the data line to SWDIO, and ground to ground. Run OpenOCD with the following command using the interface and target files that comes with OpenOCD:

# openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg

You may use the commands listed in the cheat sheet above and also the STM32 specific commands below.

Command Description
stm32f1x mass_erase 0 Erase
stm32f1x options_read 0 Check set options, such as if readout protection is enabled.
stm32f1x unlock 0 Unlock the readout protection (Warning: erases existing contents!)

STM32's readout protection[edit | edit source]

When running the options_read command, you will see whether there is readout protection enabled:

> stm32f1x options_read 0
Option Byte: 0x3fffffe
Readout Protection On
Software Watchdog
Stop: No reset generated
Standby: No reset generated
User Option0: 0xff
User Option1: 0xff

When enabled, the JTAG device will not be able to access the flash memory directly. It can however still access and interact with the CPU.

There are 3 levels or RDP:

  • 0: No read protection.
  • 1: Read protection enabled.
  • 2: Debug/chip read protection disabled. Will disable JTAG, which is bad for our case.

Changing the RDP levels with the stm32f1x unlock command will erase the contents on the device. You may try to readout the contents through the CPU using the stm32f1-firmware-extractor project, but this is imperfect and leaves many gaps in the dump. It's probably still better than nothing.