Secure Patching Bootloader and Firmware Update System for STM32 MCUs
A Secure Patching Bootloader and Firmware Update System for all STM32 MCUs.
The only bootloader and firmware update system you may ever need. Works with almost any STM32 MCU family using the STM32CubeIDE development environment.
This unique solution is an easy way to get a secure and robust bootloader that offers multiple firmware update methods built-in, including delta patching. It is a plug'n'play system that requires no configuration and just works!
Features:
This secure patching bootloader and firmware update system is licensed according to STMicroelectronics' Ultimate Liberty Software License Agreement (see LICENSE) and free to use on any NUCLEO, DISCO or EVAL board we support here. If your NUCLEO, DISCO or EVAL board is missing, post an issue and we'll add it.
The stm32-secure-patching-bootloader reserves between 40 - 80 KB at the beginning of internal flash, depending on MCU and feature selected (support for USB flash loader, external flash / multisegment add to size). The bootloader also reserves about 5 KB at the start of SRAM for the secure patching engine's stack and state, fully indepdenent of the application. This allows the application to perform in-application firmware updates and make other runtime requests of the bootloader (get firmware version, etc).
Check out the FAQ here in the wiki.
Refer to details in Product Documentation.
This list will grow over time as we work to support key STM32 NUCLEO, DISCO, EVAL and 3rd-party boards. Note that we group -DISCO, -Discovery and -DK as just DISCO
.
Family | Boards | Board Config | Reference Projects |
---|---|---|---|
STM32G0 | NUCLEO-G0B1RE | README | |
STM32L0 | NUCLEO-L073RZ | README | |
B-L072Z-LRWAN1 | README | ||
STM32L4 | NUCLEO-L412KB | README | |
NUCLEO-L452RE | README | ||
NUCLEO-L476RG | README | ||
NUCLEO-L496ZG | README | ||
DISCO-L476G | README | ||
DISCO-L496G | README | ||
STM32L4+ | DISCO-L4R9I | README | FreeRTOS_LowPower IAP |
B-L4S5I-IOT01A | README | ||
STM32L5 | DISCO-L562E | README | |
STM32WL | NUCLEO-WL55JC | README | |
LORA-E5-DEV | README | ||
LORA-E5-MINI (use DEV libs) | |||
STM32F4 | NUCLEO-F429ZI | README | Web Server IAP Update |
DISCO-F469I | README | TouchGFX Demo | |
STM32F7 | DISCO-F769I | README | |
STM32H7 | DISCO-H745I | README |
Please post an issue if you'd like a particular board supported.
List of IAP (In-Application Programming) firmware update open source reference designs using the stm32-secure-patching-bootloder.
These reference designs can be adapted to any board that the stm32-secure-patching-bootloader supports. Of course, the bootloader itself always has capability for secure YMODEM/UART and/or USB flash drive firmware update even if the application has failed or become unavailable.
Reference Project | Reference Board | Technique |
---|---|---|
FreeRTOS_LowPower IAP | DISCO-L4R9I | YMODEM/UART interrupt mode |
Web Server IAP Update | NUCLEO-F429ZI | Ethernet / TCPIP/ multipart forms file upload |
TouchGFX Demo | DISCO-F469I | Bootloader integration with a real TouchGFX app |
The Delta Patch Engine is built into the bootloader and ready to be accessed by your application at runtime or by the bootloader through UART or USB flash drive updates. The Delta Patch Engine features:
SE_PATCH_Init
, SE_PATCH_Data
) described in one header file and bound at link time through a linker include script.Yes! With the STM32 Secure Patching Bootloader you can deploy and update your TouchGFX application with assets on external flash as easily as any other. We call this capability MultiSegment.
The MultiSegment feature solves the problem of how to update monolithic applications that are larger than the device's internal flash, or equivalently, applications that that are linked to be executed in two disjoint flash regions - for example internal and external flash.
This problem is common with GUI systems where you might find a 300 KB firmware application coupled with 4 MB of GUI assets like images and videos and fonts etc. In advanced GUI systems like TouchGFx, these assets are accessed through regular MCU memory read instructions and must therefore be available in a program-readable memory region. Since internal flash (at 0x0800 0000) is not large enough to hold all of these assets, a memory region dedicated to an external flash through the Q/OSPI peripheral on STM32 devices is used. This region is typically assigned to 0x9000 0000.
The application's linker script contains a section definition located at 0x9000 0000 to which all GUI assets are placed at link time. The resultant .hex file remains compact because it contains just the data along with addresses to be written. Loading this .hex file with an external-flash-aware programmer like STM32CubeProgrammer works fine, but you do not have a bootloader nor capability to update your application and GUI assets in the field.
The stm32-secure-patching-bootloader with the MultiSegment feature abstracts away this low-level complexity from the bootloader and firmware update engines. From their point of view, SLOT0 is a contiguous memory region of arbitrary size - it can be much larger than internal flash (i.e. 16 MB) - and will hold the entire application image including GUI assets.
So what does MultiSegment mean to you? It means you can build and deploy your 4 or 8 or 16 or 24 MB GUI application as easily and seamlessly as if it was a regular small 300 KB application that fits entirely and neatly in your MCUs internal flash. Furthermore, the delta patching feature built into the stm32-secure-patching-bootloader offers a huge benefit for large applications. Imagine changing only functionality or fixing a bug in your 16 MB combined application. With delta patching, only the difference - the .sfbp patch file - needs to be distributed to your customers and/or devices in the field, potentially a few hundred to few thousand bytes. If you had to distribute this over a wireless link think of the savings in bandwidth and cost and time you would realize! The stm32-secure-patching-bootloader's USB flash drive update feature is also a great way to update devices in the field with patches or full images - after all, GUI devices are built for human interaction and often don't necessarily have wireless links but may have an exposed USB port.
See this MultiSegment Graphic illustrating slot placement.
Since you've read this far:
I will happily generate a made-to-order registered version of the stm32-secure-patching-bootloader to support commercial projects on custom hardware. Please head over to my store to get pricing details. Contact me to get the ball rolling.
Commercial, registered users optionally get an additional production version of the bootloader binary that checks and enforces RDP Level 2 to help mitigate chip-level attacks such as RDP regression. Your use of the production version is optional. When utilized, it will automatically set RDP Level 2 and write protect the bootloader flash area at startup.
v1.4.0 - Mar 2023
v1.3.0 - Nov 2022
v1.2.0 - Aug 2022
stm32_secure_patching_bootloader_interface_v1.2.0.h
Test/<BOARD>
directory. Allows for quick validation of bootloader board support and evaluation of the firmware update process.v1.1.0 - May 2022
v1.0.0 - Dec 2021