Cheat Sheet
For a comprehensive list of commands, see: http://www.openocd.org/doc/html/General-Commands.html
||halt the processor|
||reset device and halt|
||reset device and start execution|
||lists detected flash devices|
||Reads the entire bank of flash memory into an output file.
Eg. read the first 32KB of flash memory
||shows all registers|
||Shows a specific register. Eg. |
||Memory access (d = double/64 bit, w = word/32 bit, h = half/16 bit, b = byte/8 bit)|
||Memory write (same units above).|
Interfacing with STM32F100
The STM32, like many ARM Cortex processors, can be debugged using a Serial Wire Debug (SWD) interface, which consists of two signals: SWDCLK (clock) and SWDIO (bi-directional data). SWD uses an interface called a Debug Access Port (DAP), which defines a master (the Debug Port or DP) and one or more slaves (the target, referred to as Access Ports or AP). You can read more about the details in the article "SWD – ARM’S ALTERNATIVE TO JTAG".
To begin interfacing with an STM32, use a STLink USB dongle and connect the clock line to SWCLK, the data line to SWDIO, and ground to ground. Run OpenOCD with the following command, using the interface and target files that come with OpenOCD:
# openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg
You may use the commands listed in the cheat sheet above as well as the STM32-specific commands below.
||Check set options, such as if readout protection is enabled.|
||Unlock the readout protection (Warning: erases existing contents!)|
STM32's readout protection
When running the options_read command, you will see whether readout protection is enabled:
> stm32f1x options_read 0
Option Byte: 0x3fffffe
Readout Protection On
Software Watchdog
Stop: No reset generated
Standby: No reset generated
User Option0: 0xff
User Option1: 0xff
When enabled, the JTAG device will not be able to access the flash memory directly. It can, however, still access and interact with the CPU.
There are 3 levels of RDP:
- 0: No read protection.
- 1: Read protection enabled.
- 2: Debug/chip read protection disabled. Will disable JTAG, which is bad for our case.
Changing the RDP level with the stm32f1x unlock command will erase the contents of the device. You may try to read out the contents through the CPU using the stm32f1-firmware-extractor project, but this is imperfect and leaves many gaps in the dump. It's probably still better than nothing.
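To check many devices for readout protection (for example units coming off a production line), the options_read output shown above can be parsed instead of read by eye. The following is an added example, not part of the original page or of OpenOCD; the function names are hypothetical, and the "Off", "Hardware" and "Reset generated" variants are assumed counterparts of the strings shown in the capture above.

```python
import re

# Constructed sample: the options_read output shown on this page.
SAMPLE = """> stm32f1x options_read 0
Option Byte: 0x3fffffe
Readout Protection On
Software Watchdog
Stop: No reset generated
Standby: No reset generated
User Option0: 0xff
User Option1: 0xff
"""

# (pattern, handler) pairs; each handler returns (key, value) for the result.
# The Off / Hardware / "Reset generated" spellings are assumptions.
RULES = [
    (r"Readout Protection (On|Off)", lambda m: ("readout_protection", m[1] == "On")),
    (r"(Software|Hardware) Watchdog", lambda m: ("watchdog", m[1].lower())),
    (r"(Stop|Standby): (No reset|Reset) generated",
     lambda m: (m[1].lower() + "_reset", m[2] == "Reset")),
    (r"(Option Byte|User Option[01]): (0x[0-9a-fA-F]+)",
     lambda m: (m[1].lower().replace(" ", "_"), int(m[2], 16))),
]

def parse_options_read(text):
    """Parse `stm32f1x options_read` output; unrecognised lines are kept."""
    opts = {"unparsed": []}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(">"):
            continue  # blank line or echoed command
        for pattern, handler in RULES:
            m = re.fullmatch(pattern, line)
            if m:
                key, value = handler(m)
                opts[key] = value
                break
        else:
            opts["unparsed"].append(line)
    return opts

def audit(opts):
    """Return findings for a device that is meant to ship with RDP enabled."""
    findings = []
    rdp = opts.get("readout_protection")
    if rdp is None:
        findings.append("readout protection state not reported")
    elif not rdp:
        findings.append("readout protection is off")
    if opts["unparsed"]:
        findings.append("unrecognised lines: %r" % opts["unparsed"])
    return findings
```

An empty list from audit() means the capture reported readout protection as on and contained no lines the parser did not recognise.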