STM32: Setting read protection on the STM32F103CBT6 with openocd

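When analyzing the ST-LINK/V2-1 firmware, we cannot read the firmware out of the ST-LINK/V2-1 debugger itself, nor can we write new firmware into it, because the MCU inside the debugger is read-protected. To write new firmware to the chip, we first have to remove the chip's write protection. This can be done with the STLINK utility provided by ST, or with openocd commands.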

  • How it works

For details, see: http://www.st.com/content/ccc/resource/technical/document/programming_manual/10/98/e8/d4/2b/51/4b/f5/CD00283419.pdf/files/CD00283419.pdf/jcr:content/translations/en.CD00283419.pdf

Read protection

The read protection is activated by setting the RDP option byte and then, by applying a system reset to reload the new RDP option byte.

Note: If the read protection is set while the debugger is still connected through JTAG/SWD, apply a POR (power-on reset) instead of a system reset (without debugger connection).

Once the protection byte has been programmed:

● Main Flash memory read access is not allowed except for the user code (when booting from main Flash memory itself with the debug mode not active).

● Pages 0-3 (for low- and medium-density devices), or pages 0-1 (for high-density and connectivity line devices) are automatically write-protected. The rest of the memory can be programmed by the code executed from the main Flash memory (for IAP, constant storage, etc.), but it is protected against write/erase (but not against mass erase) in debug mode or when booting from the embedded SRAM.

● All features linked to loading code into and executing code from the embedded SRAM are still active (JTAG/SWD and boot from embedded SRAM) and this can be used to disable the read protection. When the read protection option byte is altered to a memory-unprotect value, a mass erase is performed.

● When booting from the embedded SRAM, Flash memory accesses through the code and through data read using DMA1 and DMA2 are not allowed.

● Flash memory access through data read using JTAG, SWV (serial wire viewer), SWD (serial wire debug), ETM and boundary scan are not allowed.

 

Unprotection

To disable the read protection from the embedded SRAM:

● Erase the entire option byte area. As a result, the read protection code (RDP) will be 0xFF. At this stage the read protection is still enabled.

● Program the correct RDP code 0x00A5 to unprotect the memory. This operation first forces a Mass Erase of the main Flash memory.

● Reset the device (POR Reset) to reload the option bytes (and the new RDP code) and, to disable the read protection.

Note: The read protection can be disabled using the boot loader (in this case only a System Reset is necessary to reload the option bytes). For more details refer to AN2606.

  • Setting read protection

The debugger used here is an ST-LINK/V2-1. Use openocd to set read protection on the STM32F103CBT6:

$ /usr/local/bin/openocd -f interface/stlink-v2-1.cfg -f target/stm32f1x.cfg -c init -c "reset halt" -c "stm32f1x lock 0" -c "reset halt" -c "exit"
Open On-Chip Debugger 0.10.0-dev-00288-g060e9c3 (2016-05-14-22:52)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 1000 kHz
adapter_nsrst_delay: 100
none separate
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : clock speed 950 kHz
Info : STLINK v2 JTAG v23 API v2 SWIM v9 VID 0x0483 PID 0x374B
Info : using stlink api v2
Info : Target voltage: 0.000000
Error: target voltage may be too low for reliable debugging
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x0800016c msp: 0x20005000
Info : device id = 0x20036410
Info : flash size = 128kbytes
stm32f1x.cpu: target state: halted
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x locked
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x0800016c msp: 0x20005000

NOTE:

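After running this command, the program that was on the chip appears to have been erased. What happened? It turns out to be a limitation of the ST-LINK/V2-1 (en.DM00105823_411.pdf):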

Embedded ST-LINK/V2-1

The ST-LINK/V2-1 programming and debugging tool is integrated in the STM32 Nucleo boards.

The ST-LINK/V2-1 makes the STM32 Nucleo boards mbed enabled.

The embedded ST-LINK/V2-1 supports only SWD for STM32 devices. For information about debugging and programming features refer to ST-LINK/V2 in-circuit debugger/programmer for STM8 and STM32 User manual (UM1075), which describes in details all the ST-LINK/V2 features.

The changes versus ST-LINK/V2 version are listed below.

  • New features supported on ST-LINK/V2-1:
    • USB software re-enumeration
    • Virtual com port interface on USB
    • Mass storage interface on USB
    • USB power management request for more than 100 mA power on USB
  • Features not supported on ST-LINK/V2-1:
    • SWIM interface
    • Minimum supported application voltage limited to 3 V
  • Known limitation:

Activating the readout protection on ST-LINK/V2-1 target prevents the target application from running afterwards. The target readout protection must be kept disabled on ST-LINK/V2-1 boards.

Once read protection has been set, an attempt to write firmware fails:

$ /usr/local/bin/openocd -f interface/stlink-v2-1.cfg -f target/stm32f1x.cfg -c init -c "reset halt" -c "flash write_image erase build/maple_boot.bin 0x08000000 bin" -c "verify_image build/maple_boot.bin 0x08000000 bin" -c "reset run" -c shutdown
Open On-Chip Debugger 0.10.0-dev-00288-g060e9c3 (2016-05-14-22:52)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 1000 kHz
adapter_nsrst_delay: 100
none separate
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : clock speed 950 kHz
Info : STLINK v2 JTAG v23 API v2 SWIM v9 VID 0x0483 PID 0x374B
Info : using stlink api v2
Info : Target voltage: 0.000000
Error: target voltage may be too low for reliable debugging
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x0800016c msp: 0x20005000
auto erase enabled
Info : device id = 0x20036410
Warn : STM32 flash size failed, probe inaccurate - assuming 128k flash
Info : flash size = 128kbytes
Error: stm32x device protected
Error: failed erasing sectors 0 to 12

As the output shows, the error occurs while erasing the flash.

  • Removing read protection

Removing read protection is just as simple: run "stm32f1x unlock 0":

$ /usr/local/bin/openocd -f interface/stlink-v2-1.cfg -f target/stm32f1x.cfg -c init -c "reset halt" -c "stm32f1x unlock 0" -c "reset halt" -c "exit"
Open On-Chip Debugger 0.10.0-dev-00288-g060e9c3 (2016-05-14-22:52)
Licensed under GNU GPL v2
For bug reports, read
	http://openocd.org/doc/doxygen/bugs.html
Info : auto-selecting first available session transport "hla_swd". To override use 'transport select <transport>'.
Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD
adapter speed: 1000 kHz
adapter_nsrst_delay: 100
none separate
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : Unable to match requested speed 1000 kHz, using 950 kHz
Info : clock speed 950 kHz
Info : STLINK v2 JTAG v23 API v2 SWIM v9 VID 0x0483 PID 0x374B
Info : using stlink api v2
Info : Target voltage: 0.000000
Error: target voltage may be too low for reliable debugging
Info : stm32f1x.cpu: hardware has 6 breakpoints, 4 watchpoints
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0x0800016c msp: 0x20005000
Info : device id = 0x20036410
Warn : STM32 flash size failed, probe inaccurate - assuming 128k flash
Info : flash size = 128kbytes
Info : Device Security Bit Set
stm32f1x.cpu: target state: halted
target halted due to breakpoint, current mode: Thread 
xPSR: 0x61000000 pc: 0x2000003a msp: 0x20005000
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
stm32f1x.cpu: target state: halted
target halted due to debug-request, current mode: Thread 
xPSR: 0x01000000 pc: 0xfffffffe msp: 0xfffffffc
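
A post-flash check built from the messages in the three sessions above, as an added example that is not part of the original post: it classifies an openocd log as lock written, unlock written or protected, and gates on a lock followed by a refused write. The function names and the two-log workflow are assumptions; the sample logs are abridged from this page's output.

```shell
# Added example: classify OpenOCD stm32f1x protection results from log text.
# Matched strings are the ones printed in the sessions on this page
# (OpenOCD 0.10.0-dev); other builds may word them differently.

# Print one state word for the log given on stdin.
rdp_state_from_log() {
    log=$(cat)
    state=unknown
    case $log in *"stm32x locked"*) state=lock-written ;; esac
    case $log in *"stm32x unlocked"*) state=unlock-written ;; esac
    # A refused erase means protection is active now; it overrides the above.
    case $log in *"stm32x device protected"*) state=protected ;; esac
    printf '%s\n' "$state"
}

# Succeed if the adapter flagged the target voltage, so an operator can
# check the supply before trusting an option-byte write.
log_has_low_voltage() {
    grep -q "target voltage may be too low" "$1"
}

# Production gate (hypothetical workflow): $1 is the log of the
# "stm32f1x lock 0" run, $2 the log of a write attempt made after a
# power-on reset. Pass only if the lock was written AND the write refused.
verify_lock() {
    [ "$(rdp_state_from_log < "$1")" = lock-written ] || return 1
    [ "$(rdp_state_from_log < "$2")" = protected ] || return 1
}

# Sample logs, abridged from the sessions on this page.
sample_lock_log() { cat <<'EOF'
Info : flash size = 128kbytes
stm32x locked
EOF
}
sample_write_log() { cat <<'EOF'
Error: target voltage may be too low for reliable debugging
Error: stm32x device protected
Error: failed erasing sectors 0 to 12
EOF
}
sample_unlock_log() { cat <<'EOF'
Info : Device Security Bit Set
stm32x unlocked.
INFO: a reset or power cycle is required for the new settings to take effect.
EOF
}

sample_lock_log | rdp_state_from_log
```
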

  • Related reference documents:
  1. http://www.st.com/content/ccc/resource/technical/document/programming_manual/10/98/e8/d4/2b/51/4b/f5/CD00283419.pdf/files/CD00283419.pdf/jcr:content/translations/en.CD00283419.pdf
  2. http://stackoverflow.com/questions/32509747/stm32-read-out-protection-via-openocd
