OpenOCD
Cheat Sheet
For a comprehensive list of commands, see: http://www.openocd.org/doc/html/General-Commands.html
Command | Description |
---|---|
init | Initialize |
halt | Halt the processor |
reset halt | Reset device and halt |
reset run | Reset device and start execution |
flash list | Lists detected flash devices |
flash read_bank <bank> <outputfile> | Reads the entire bank of flash memory into an output file. Eg. read the first 32KB of flash memory |
reg | Shows all registers |
reg <register> | Shows a specific register. Eg. reg r0. |
md{d,w,h,b} <address> | Memory access (d = double/64 bit, w = word/32 bit, h = half/16 bit, b = byte/8 bit) |
mw{d,w,h,b} <address> | Memory write (same units as above). |
Interfacing with STM32F100
The STM32, like many ARM Cortex processors, can be debugged using a Serial Wire Debug (SWD) interface, which consists of two signals: SWDCLK (clock) and SWDIO (bi-directional data). SWD uses an interface called a Debug Access Port (DAP), which defines a master (the Debug Port or DP) and one or more slaves (the target, referred to as Access Ports or AP). You can read more about the details in the article "SWD – ARM’S ALTERNATIVE TO JTAG".
To begin interfacing with an STM32, use a STLink USB dongle and connect the clock line to SWCLK, the data line to SWDIO, and ground to ground. Run OpenOCD with the following command, using the interface and target files that come with OpenOCD:
# openocd -f interface/stlink-v2.cfg -f target/stm32f1x.cfg
You may use the commands listed in the cheat sheet above and also the STM32 specific commands below.
Command | Description |
---|---|
stm32f1x mass_erase 0 | Erase |
stm32f1x options_read 0 | Check set options, such as if readout protection is enabled. |
stm32f1x unlock 0 | Unlock the readout protection (Warning: erases existing contents!) |
STM32's readout protection
When running the options_read command, you will see whether there is readout protection enabled:
> stm32f1x options_read 0
Option Byte: 0x3fffffe
Readout Protection On
Software Watchdog
Stop: No reset generated
Standby: No reset generated
User Option0: 0xff
User Option1: 0xff
When enabled, the JTAG device will not be able to access the flash memory directly. It can however still access and interact with the CPU.
There are 3 levels of RDP:
- 0: No read protection.
- 1: Read protection enabled.
- 2: Debug/chip read protection disabled. Will disable JTAG, which is bad for our case.
Changing the RDP levels with the stm32f1x unlock command will erase the contents on the device. You may try to read out the contents through the CPU using the stm32f1-firmware-extractor project, but this is imperfect and leaves many gaps in the dump. It's probably still better than nothing.
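For checking that devices leave the bench with readout protection set, the options_read output shown above can be parsed and audited. This is an added example, not part of the original page or of OpenOCD; the function names are hypothetical, and the "Readout Protection Off", "Hardware Watchdog" and "Reset generated" wordings are assumptions, since the page only shows the other variants.

```python
import re

# Constructed sample: the options_read output shown on this page.
SAMPLE = """\
> stm32f1x options_read 0
Option Byte: 0x3fffffe
Readout Protection On
Software Watchdog
Stop: No reset generated
Standby: No reset generated
User Option0: 0xff
User Option1: 0xff
"""

def parse_options_read(text):
    """Parse 'stm32f1x options_read' console text into a dict."""
    info = {"option_byte": None, "rdp_on": None, "watchdog": None,
            "stop_reset": None, "standby_reset": None, "user_options": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"Option Byte:\s*(0x[0-9a-fA-F]+)", line):
            info["option_byte"] = int(m.group(1), 16)
        elif m := re.fullmatch(r"Readout Protection (On|Off)", line):
            # "Off" wording is an assumption; the page only shows "On".
            info["rdp_on"] = m.group(1) == "On"
        elif m := re.fullmatch(r"(Software|Hardware) Watchdog", line):
            info["watchdog"] = m.group(1).lower()  # "Hardware" is assumed
        elif m := re.fullmatch(r"(Stop|Standby): (No reset|Reset) generated", line):
            info[m.group(1).lower() + "_reset"] = m.group(2) == "Reset"
        elif m := re.fullmatch(r"User Option(\d+):\s*(0x[0-9a-fA-F]+)", line):
            info["user_options"][int(m.group(1))] = int(m.group(2), 16)
    return info

def audit_rdp(text):
    """Return (ok, reason). Fails closed: unrecognised output is not a pass."""
    rdp = parse_options_read(text)["rdp_on"]
    if rdp is True:
        return True, "readout protection reported on"
    if rdp is False:
        return False, "readout protection reported off"
    return False, "no readout protection line found; treat as unprotected"

if __name__ == "__main__":
    print(parse_options_read(SAMPLE))
    print(audit_rdp(SAMPLE))
```

Newer OpenOCD builds may word this output differently; in that case the audit reports a failure instead of silently passing.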