manualshive.com logo in svg

ST STM32F105 series, Application Note, Page: 15 / 83

Share
Download
ST STM32F105 series Application Note Download Page 15

AN2662

USART bootloader

Doc ID 14156 Rev 1

15/83

   

   

   

Communication safety

All communications from the programming tool (PC) to the device are verified by:

1.

checksum: all received bytes are XORed. A byte containing the computed XOR of all 
previous bytes is added to the end of each communication (checksum byte). By 
XORing all received bytes, data + checksum, the result at the end of the packet must 
be 0x00.

2. 

for each command the host sends a byte and its complement (XOR = 0x00)

3. 

UART: parity check active (even parity)

Each packet is either accepted (ACK answer) or discarded (NACK answer):

ACK = 0x79

NACK = 0x1F

2.6 Get 

command

The Get command allows the user to get the version of the bootloader and the supported 
commands. When the bootloader receives the Get command, it transmits the bootloader 
version and the supported command codes to the host, as described in 

Figure 3

.

Readout Protect

(2)

0x82

Enables the read protection

Readout Unprotect

(2)

0x92

Disables the read protection

1.

If a denied command is received or an error occurs during the command execution, the bootloader sends 
NACK byte and goes back to command checking.

2.

Read protection – When the RDP (read protection) option is active, only this limited subset of commands is 
available. All other commands are NACKed and have no effect on the device. Once the RDP has been 
removed, the other commands become active.

3.

On the STM32F105xx and STM32F107xx , the sector size is 4 KBytes (2 pages) for the Write Protect and 
Write Unprotect commands.

Table 3.

Bootloader commands (continued)

Command

(1)

Command 

code

Command description

Summary of Contents for STM32F105 series

Page 1: ... production rev Z include the bootloader detailed in this application note The bootloader is used to program the application into the internal Flash memory For more information about the Flash module organization refer to the STM32F10xxx Flash programming manual PM0042 The specifications cover the architectural model of the bootloader for the STM32F105xx and STM32F107xx family but the low level co...

Page 2: ... 4 Maximum baud rate 14 2 5 Bootloader command set 14 2 6 Get command 15 2 7 Get Version Read Protection Status command 17 2 8 Get ID command 19 2 9 Read Memory command 21 2 10 Go command 23 2 11 Write Memory command 25 2 12 Erase Memory command 29 2 13 Write Protect command 32 2 14 Write Unprotect command 33 2 15 Readout Protect command 35 2 16 Readout Unprotect command 36 3 CAN bootloader 38 3 1...

Page 3: ...ommand 60 3 14 Readout Protect command 62 3 15 Readout Unprotect command 64 4 DFU bootloader 67 4 1 Bootloader code sequence 67 4 2 USB DFU Bootloader requests 68 4 3 DFU bootloader commands 69 4 4 DFU_UPLOAD request commands 69 4 4 1 Read memory 69 4 4 2 Get commands 70 4 5 DFU_DNLOAD request commands 72 4 5 1 Write memory 75 4 5 2 Set Address Pointer command 76 4 5 3 Erase command 77 4 5 4 Read ...

Page 4: ...in configuration 7 Table 2 STM32F105xx and STM32F107xx configuration in System memory boot mode 8 Table 3 Bootloader commands 14 Table 4 Bootloader commands 41 Table 5 DFU Class requests 68 Table 6 Summary of DFU Class Specific requests 69 Table 7 Document revision history 82 ...

Page 5: ...re 23 Readout Unprotect command host side 37 Figure 24 Readout Unprotect command device side 37 Figure 25 Bootloader for STM32F105xx and STM32F107xx withCAN2 38 Figure 26 Check HSE frequency value 39 Figure 27 CAN frame 40 Figure 28 Get command via CAN Host side 43 Figure 29 Get command via CAN Device side 44 Figure 30 Get Version Read Protection Status command Host side 45 Figure 31 Get Version R...

Page 6: ...r for STM32F105xx and STM32F107xx with USB DFU 67 Figure 53 DFU_UPLOAD request Device side 71 Figure 54 DFU_UPLOAD request Host side 71 Figure 55 Download request Device side 73 Figure 56 Download request Host side 74 Figure 57 Write Memory Device side 76 Figure 58 Set Address Pointer Command Device side 77 Figure 59 Erase Command Device side 78 Figure 60 Read Unprotect Command Device side 79 Figu...

Page 7: ... for the USART1 bootloader in STM32 Low Medium and High density devices as described in AN2606 1 2 Bootloader activation The bootloader is automatically activated by configuring the BOOT0 and BOOT1 pins in the specific System memory configuration see Table 1 and then by applying a reset Depending on the used pin configuration the Flash memory system memory or SRAM is selected as the boot space as ...

Page 8: ... USART1 bootloader USART1 Enabled Once initialized the USART1 configuration is 8 bits even parity and 1 Stop bit USART1_RX pin Input PA10 pin USART1 receive USART1_TX pin Output PA9 pin USART1 transmit USART1 and USART2 bootloaders SysTick timer Enabled Used to automatically detect the serial baud rate from the host for USARTx bootloader USART2 bootloader USART2 Enabled Once initialized the USART2...

Page 9: ...o the STM32F105xx and STM32F107xx during System memory boot mode user use An RS232 serial interface example ST3232 RS232 transceiver has to be directly connected to the USART1_RX PA10 and USART1_TX PA9 pins when USART1 is used or connected to the USART2_RX PD6 and USART2_TX PD5 pins when USART2 is used A CAN interface CAN transceiver has to be directly connected to the CAN2_RX PB5 and CAN2_TX PB6 ...

Page 10: ...ects a falling edge on the CAN2_RX pin PB5 the bootloader firmware enters a CAN loop and starts to check the external clock frequency value if the HSE is 8 MHz 14 7456 MHz or 25 MHz CAN bootloader firmware enters an infinite loop and waits until it receives a message otherwise a system reset is generated If a USB cable is plugged into the microcontroller s USB interface at any time during the boot...

Page 11: ...ure USART2 Configure USART1 and USART2 pins Configure CAN2 Configure USB CAN2_RX pin is low level No Execute BL_USART_Loop for USART1 Execute BL_USART_Loop for USART2 Yes Execute BL_CAN_Loop for CAN2 USB cable detection No Yes Reconfigure system clock to 48 MHz and USB clock to 48 MHz Execute DFU boot loader using USB interrupts HSE 8 MHz 14 7456 MHz or 25 MHz Yes No HSE 8 MHz 14 7456 MHz or 25 MH...

Page 12: ...execution of the application program This can be done by applying a hardware reset During reset the BOOT pins BOOT0 and BOOT1 must be set at the proper levels to select the desired boot mode see Table 1 Following the reset the CPU starts code execution from the boot memory located at the bottom of the memory address space starting from 0x0000 0000 ...

Page 13: ...acknowledge byte 0x79 is returned to the host which signals that the STM32F105xx and STM32F107xx is ready to receive user commands 2 2 Choosing the USARTx baud rate The calculation of the serial baud rate for USARTx from the length of the first byte that is received is used to operate the bootloader within a wide range of baud rates However the upper and lower limits have to be kept in order to en...

Page 14: ...5 Bootloader command set The supported commands are listed in Table 3 below Each command is further described in this section fB STM32Fxxx baud rate Host baud rate STM32Fxxx baud rate 100 Table 3 Bootloader commands Command 1 Command code Command description Get 2 0x00 Gets the version and the allowed commands supported by the current version of the bootloader Get Version Read Protection Status 2 ...

Page 15: ...and the supported commands When the bootloader receives the Get command it transmits the bootloader version and the supported command codes to the host as described in Figure 3 Readout Protect 2 0x82 Enables the read protection Readout Unprotect 2 0x92 Disables the read protection 1 If a denied command is received or an error occurs during the command execution the bootloader sends NACK byte and g...

Page 16: ...ceive the number of bytes version commands Receive the bootloader version Receive the supported commands Wait for ACK or NACK End of Get NACK ACK ai14631 NACK ACK Send ACK byte Start Get Received byte 0x00 0xFF Send the number of bytes version commands Send the bootloader version Send the supported commands End of Get No Yes ai14632 Send NACK byte Send ACK byte ...

Page 17: ...otection number of times it was enabled and disabled to the host Byte 1 ACK Byte 2 N 11 the number of bytes to follow 1 except current and ACKs Byte 3 Bootloader version 0 Version 255 0x10 Version 1 0 Byte 4 0x00 Get command Byte 5 0x01 Get Version and Read Protection Status Byte 6 0x02 Get ID Byte 7 0x11 Read Memory command Byte 8 0x21 Go command Byte 9 0x31 Write Memory command Byte 10 0x43 Eras...

Page 18: ...st side 1 GV Get Version Read Protection Status Wait for ACK or NACK Receive the number of times the read protection was disabled Receive the bootloader version Wait for ACK or NACK End of GV 1 NACK ACK ai14633 Send 0x01 0xFE Start GV 1 Receive the number of times the read protection was enabled NACK ACK ...

Page 19: ...on of the bootloader 0 Version 255 0x10 Version 1 0 Byte 3 Option byte 1 0x00 to keep the compatibility with generic bootloader protocol Byte 4 Option byte 2 0x00 to keep the compatibility with generic bootloader protocol Byte 5 ACK Send ACK byte Start GV 1 Received byte 0x01 0xFE Send the bootloader version Option byte 2 End of GV 1 No Yes ai14634 Send NACK byte Send ACK byte Option byte 1 Byte 1...

Page 20: ... device side 1 GID Get ID Wait for ACK or NACK Receive N number of bytes 1 Wait for ACK or NACK End of GID 1 NACK ACK ai14633 Send 0x02 0xFD Start GID 1 Receive PID NACK ACK Send ACK byte Start GID 1 Received byte 0x02 0xFD Send N number of bytes 1 End of GID 1 No Yes ai14636 Send NACK byte Send ACK byte Send product ID ...

Page 21: ...is correct the bootloader transmits an ACK byte otherwise it transmits a NACK byte and aborts the command When the address is valid and the checksum is correct the bootloader waits for the number of bytes to be transmitted N bytes and for its complemented byte checksum If the checksum is correct it then transmits the needed data N 1 bytes to the user starting from the received address If the check...

Page 22: ... 1 RM Read Memory Wait for ACK or NACK Send the start address 4 bytes with checksum Wait for ACK or NACK End of RM 1 NACK ACK ai14637 Send 0x11 0xEE Start RM 1 Send the number of bytes to be read 1 byte and a checksum 1 byte Wait for ACK or NACK Receive data from the BL NACK ACK NACK ACK ...

Page 23: ...an address 4 bytes byte 1 is the address MSB and byte 4 is LSB and a checksum byte then it checks the received address If the address is valid and the checksum is correct the bootloader transmits an ACK byte otherwise it transmits a NACK byte and aborts the command ROP active Receive the start address 4 bytes with checksum Checksum OK End of RM 1 ai14638 Start RM 1 Receive the number of bytes to b...

Page 24: ...ootloader firmware 3 The Go command must be used after loading an application into RAM or user Flash memory It will initialize the main stack pointer and jump to the loaded code 4 The Jump to the application works only if the user application sets the vector table correctly to point to the application address 5 When performing a jump from the Bootloader to a loaded application code which uses the ...

Page 25: ...ommand it transmits the ACK byte to the user After the transmission of the ACK byte the bootloader waits for an address 4 bytes byte 1 is the address MSB and byte 4 is the LSB and a checksum byte it then checks the received address For the Option byte area the Byte 1 0x21 Byte 2 0xDE Wait for ACK Byte 3 to Byte 6 start address byte3 MSB byte6 LSB Byte 7 checksum XOR byte 3 byte 4 byte 5 byte 6 ai1...

Page 26: ...s successful the bootloader transmits the ACK byte otherwise it transmits a NACK byte to the user and aborts the command The maximum length of the block to be written for the STM32F105xx and STM32F107xx is 256 bytes If the Write Memory command is issued to the Option byte area all options are erased before writing the new values and at the end of the command the bootloader generates a system Reset...

Page 27: ...f the start address is invalid the command is NACKed by the device Wait for ACK or NACK Wait for ACK or NACK End of WM 1 NACK ACK ai14641 Send 0x31 0xCE Start WM 1 Wait for ACK or NACK Send the start address 4 bytes checksum Send the number of bytes to be written 1 byte the data N 1 bytes checksum NACK ACK NACK ACK ...

Page 28: ...the checksum Checksum OK No Yes Received byte 0x31 0xCE Send ACK byte Send ACK byte Write the received data to Flash memory from the start address Send ACK byte End of WM 1 No Yes No Yes Checksum OK No Yes RAM address Write the received data to RAM from the start address Yes Yes Option byte address address 0x1FFF F800 Write the received data to Option byte area from start address Yes Yes Write the...

Page 29: ... and sends an ACK byte to the host otherwise it sends a NACK byte to the host and the command is aborted Erase Memory command specifications 1 the bootloader receives one byte that contains N the number of pages to be erased 1 N 255 is reserved for global erase requests For 0 N 254 N 1 pages are erased 2 the bootloader receives N 1 bytes each byte containing a page number Note No error is returned...

Page 30: ...mory command host side 1 ER Erase Memory Wait for ACK or NACK Wait for ACK or NACK End of ER 1 NACK ACK ai14643b Send 0x43 0xBC Start ER 1 Global Erase No Yes Send 0xFF Send 0x00 Send the number of pages to be erased 1 byte Send the page numbers Send checksum NACK ACK ...

Page 31: ...be erased 0 N maximum number of pages Byte 0x00 or N 1 bytes page numbers and then the checksum for byte 3 and the following bytes ROP active Receive the number of pages to be erased 1 byte No Yes ai14642b Start ER 1 No Received bytes 0x43 0xBC Send ACK byte Receive the page codes Checksum OK Send NACK byte End of ER 1 No Yes No Yes 0xFF received Receive the checksum Erase the corresponding pages ...

Page 32: ...ommand The Write Protect command sequence is as follows the bootloader receives one byte that contains N the number of sectors to be write protected 1 0 N 255 the bootloader receives N 1 bytes each byte contains a sector code Note The total number of sectors and the sector number to be protected are not checked this means that no error is returned when a command is passed with a wrong number of se...

Page 33: ...es the write protection of all the Flash memory sectors After the unprotection operation the bootloader transmits the ACK byte At the end of the Write Unprotect command the bootloader transmits the ACK byte and generates a system Reset to take into account the new configuration of the option byte ROP active Receive the number of sectors to be protected 1 byte No Yes ai14646b Start WP 1 No Received...

Page 34: ...nd device side 1 WPUN Write Unprotect Wait for ACK or NACK Wait for ACK or NACK End of WPUN 1 NACK ACK ai14647 Send 0x73 0x8C Start WPUN 1 NACK ACK ROP active Remove the protection for the entire Flash memory No Yes ai14648b Start WPUN 1 Received bytes 0x73 0x8C Send ACK byte Send NACK byte End of WPUN 1 No Yes Send ACK byte Generate system reset ...

Page 35: ...er the transmission of the ACK byte the bootloader enables the read protection for the Flash memory At the end of the Readout Protect command the bootloader transmits the ACK byte and generates a system Reset to take into account the new configuration of the option byte Figure 21 Readout Protect command host side 1 RDP_PRM Readout Protect Wait for ACK or NACK Wait for ACK or NACK End of RDP_PRM 1 ...

Page 36: ...ctors and it disables the read protection for the entire Flash memory If the erase operation is successful the bootloader deactivates the RDP If the erase operation is unsuccessful the bootloader transmits a NACK and the read protection remains active At the end of the Readout Unprotect command the bootloader transmits an ACK and generates a system Reset to take into account the new configuration ...

Page 37: ...Figure 24 Readout Unprotect command device side 1 RDU_PRM Readout Unprotect Wait for ACK or NACK Wait for ACK or NACK End of RDU_PRM 1 NACK ACK ai14651 Send 0x92 0x6D Start RDU_PRM 1 NACK ACK 2ECEIVED BYTES X X ND OF 2 5 02 O 9ES AI ISABLE 2 0 3TART 2 5 02 3END BYTE 3END BYTE LEAR ALL 2 MEMORY ENERATE SYSTEM RESET 3END BYTE ...

Page 38: ...configured as described above the bootloader code waits for a falling edge on the CAN2_Rx pin When a detection occurs the CAN Bootloader firmware starts to check the external clock frequency Figure 26 shows the flowchart of the frequency check ALLING EDGE DETECTED ON 2X PIN 0 7AIT FOR A COMMAND 4 CMD ROUTINE AI HECK 3 FREQUENCY 2 CMD ROUTINE OPTIONAL 2OUTINES FOR LOADING INTO 2 CMD ROUTINE 0 TO DD...

Page 39: ...T AT MS ECREMENT 4IME UT 4IME UT X ONFIGURE BAUDRATE AT KBPS ASSUMING THAT 3 Z NITIALIZE 4IME UT AT MS O 9ES ESSAGE RECEIVED WITH STD X AND WITHOUT FRAME ERROR O 9ES ONFIGURE BAUDRATE AT KBPS ASSUMING THAT 3 Z NITIALIZE 4IME UT AT MS ESSAGE RECEIVED WITH STD X AND WITHOUT FRAME ERROR ECREMENT 4IME UT 4IME UT X O 9ES NTER AN INFINITE LOOP WAITING FOR ANY BOOTLOADER COMMAND ND CHECK 3 FREQUENCY ECRE...

Page 40: ...gs from STM32F105xx and STM32F107xx to the host are Tx mailbox0 On Tx mailbox1 and Tx mailbox2 Off Tx identifier 0x00 0x01 0x02 v03 0x11 0x21 0x31 0x43 0x63 0x73 0x82 0x92 The receive settings from the host to STM32F105xx and STM32F107xx are Synchronization byte 0x79 is in the RX identifier and not in the data field RX identifier depends on the command 0x00 0x01 0x02 0x03 0x11 0x21 0x31 0x43 0x63 ...

Page 41: ...orted by the current version of the bootloader Get Version Read Protection Status 2 0x01 Gets the bootloader version and the Read Protection status of the Flash memory Get ID 2 0x02 Gets the chip ID Speed 0x03 The speed command allows the baud rate for CAN run time to be changed Read Memory 0x11 Reads up to 256 bytes of memory starting from an address specified by the user Go 0x21 Jumps to an addr...

Page 42: ...Rev 1 3 4 Get command The get command allows the host to get the version of the bootloader and the supported commands When the bootloader receives the get command it transmits the bootloader version and the supported command codes to the host ...

Page 43: ...ON 7AIT FOR OR 2ECEIVE MESSAGE ET COMMAND 2ECEIVE MESSAGE 3PEED COMMAND 2ECEIVE MESSAGE 2EAD COMMAND 2ECEIVE MESSAGE O COMMAND 2ECEIVE MESSAGE 7RITE MEMORY COMMAND 2ECEIVE MESSAGE RASE MEMORY COMMAND 2ECEIVE MESSAGE ET 6ERSION 2EAD 0ROTECTION STATUS COMMAND 2ECEIVE MESSAGE ET COMMAND 2ECEIVE MESSAGE 7RITE 0ROTECT COMMAND 2ECEIVE MESSAGE 7RITE 5NPROTECT COMMAND 2ECEIVE MESSAGE 2EADOUT 0ROTECT COMMA...

Page 44: ...x00 DLC 1 data 0x00 Get command Message 5 Std ID 0x00 DLC 1 data 0x01 Get Version Read Protection Status command Message 6 Std ID 0x00 DLC 1 data 0x02 Get ID command Message 7 Std ID 0x00 DLC 1 data 0x03 Speed command Message 8 Std ID 0x00 DLC 1 data 0x11 Read memory command Message 9 Std ID 0x00 DLC 1 data 0x21 Go command Message 10 Std ID 0x00 DLC 1 data 0x31 Write memory command Message 11 Std ...

Page 45: ...en the bootloader receives the command it transmits the information described below version read protection number of times it was enabled and disabled to the host Figure 30 Get Version Read Protection Status command Host side 1 GV Get Version Read Protection Status The host sends the messages as follows Command message Std ID 0x01 data length code DLC not important ACK Message contain Std ID 0x01...

Page 46: ...s the messages as follows Message 1 Std ID 0x01 DLC 1 data ACK Message 2 Std ID 0x01 DLC 1 data 0 bootloader version 0 version 255 0x10 Version 1 0 Message 3 Option message 1 Std ID 0x01 DLC 2 data 0x00 byte1 and byte2 Message 4 Std ID 0x01 DLC 1 data ACK 3END BYTE 3TART 6 2ECEIVED MESSAGE 3END MESSAGE BOOTLOADER VERSION ND OF 6 O 9ES AI 3END MESSAGE 3END MESSAGE PTION MESSAGE X WITH STD ...

Page 47: ...st side 1 GID Get ID 2 PID is the product ID which may be 0x0410 0x0412 0x0414 or 0x0418 according to the STM32F105xx and STM32F107xx product byte 1 is the MSB and byte 2 is LSB of the address The host sends the messages as follows Command message Std ID 0x02 data length code DLC not important ACK Message contain Std ID 0x02 DLC 1 data 0x79 ACK 7AIT FOR OR 7AIT FOR OR ND OF AI 3END MESSAGE WITH ST...

Page 48: ...ged It can be used only if CAN is the peripheral being used A system reset is generated if CAN2 receives the correct message but the operation to set the new baudrate fails which prevents it from entering or leaving initialization mode Message 1 Std ID 0x02 DLC 1 data ACK with DLC except for current message and ACKs Message 2 Std ID 0x02 DLC N the number of bytes 1 For STM32F105xx and STM32F107xx ...

Page 49: ...e waiting for the ACK The host sends the message as follows Command message Std ID 0x03 DLC 0x01 data 0 XXh where XXh takes the following values depending on the baud rate to be set 0x01 baud rate 125 kbps 0x02 baud rate 250 kbps 0x03 baud rate 500 kbps 0x04 baud rate 1 Mbps ND OF SPEED 3END SPEED MESSAGE STD X 3TART SPEED COMMAND AI 7AIT FOR OR HANGES THE BAUD RATE ACCORDING TO COMMAND SENT 7AIT ...

Page 50: ...rrect or not ReadOutProtection is disabled or enabled Address to be read is valid or not If the message content is correct it transmits an ACK message otherwise it transmits a NACK message Message 1 Std ID 0x03 DLC 1 data 0 ACK 0x79 with old baudrate if the receive message is correct else data 0 NACK 0x1F Message 2 Std ID 0x02 DLC 1 data 0 ACK 0x79 with new baudrate 2ECEIVED A MESSAGE WITH STD X A...

Page 51: ...ssages as follows Command message Std ID 0x11 DLC 0x05 data 0 0xXX MSB of the address data 3 0xYY LSB of the address data 4 N number of bytes to be read where 0 N 255 Figure 37 Read memory command via CAN Device side 3TART 2EAD MEMORY ND OF 2EAD MEMORY 3END READ MESSAGE STD X 2ECEIVE MESSAGES FROM BOOTLOADER 7AIT FOR OR 3END MESSAGE AI 3TART 2EAD MEMORY ND OF 2EAD MEMORY 2ECEIVED MESSAGE WITH STD ...

Page 52: ...is correct it transmits an ACK message otherwise it transmits a NACK message After sending an ACK message to the user the CPU program counter automatically jumps to the address Note 1 The Jump to the application works only if the user application sets the vector table correctly to point to the application address 2 When performing a jump from the Bootloader to a loaded application code which uses ...

Page 53: ... the received address is valid the bootloader transmits an ACK message otherwise it transmits a NACK message and aborts the command When the address is valid the bootloader Receives the user data N 1 bytes so the device receive N 1 8 messages each message contains 8 data bytes Programs the user data into memory starting from the received address At the end of the command if the write operation was...

Page 54: ...n write protected sectors Write operations to FLASH SRAM must be word aligned if less data are written the remaining bytes must be filled with 0xFF Figure 40 Write Memory command via CAN Host side Note If the start address is invalid the command is NACKed by the device ND OF 7RITE MEMORY 3END 7RITE MESSAGE STD X 3TART 7RITE MEMORY 3END THE DATA MESSAGES T SAME TIME THE HOST CHECKS WHETHER IT RECEI...

Page 55: ...itten 0 N 255 then the host send N 8 message Data message Std ID 0x31 DLC_1 to 8 data byte_11 byte_18 Data message_M Std ID 0x04 DLC_M 1 to 8 data byte_m1 byte_M8 Note 1 DLC_1 DLC_2 DLC_M 256 maximum 2 After each message the host receives the ACK or NACK message from the device 3 The bootloader does not check the standard ID of the data so any ID from 0h to 0xFF can be used It is recommended to us...

Page 56: ...TE MEMORY O 9ES 3END MESSAGE F A MESSAGE IS CORRUPTED 7RITE THE RECEIVED DATA TO 2 FROM THE START ADDRESS 7RITE THE RECEIVED DATA TO 2 FROM THE START ADDRESS 7RITE THE RECEIVED DATA TO 2 FROM THE START ADDRESS AI DDRESS IN LASH DDRESS VALID 7RITE THE RECEIVED DATA TO THE MEMORY FROM THE START ADDRESS 9ES O DDRESS IN 2 7RITE THE RECEIVED DATA TO 2 FROM THE START ADDRESS 7RITE THE RECEIVED DATA TO 2...

Page 57: ...global erase requests For 0 N 254 N 1 pages are erased 2 The bootloader receives N 1 bytes each byte containing a page number Note No error is returned when performing erase operations on write protected sectors Figure 42 Erase Memory command via CAN Host side The host sends the message as follows The ID contains the command type 0x43 Total erase message Std ID 0x43 DLC 0x01 data 0xFF Erase sector...

Page 58: ... host if ROP is disabled else it transmits NACK After the transmission of the ACK byte the bootloader waits to receive the Flash memory sector codes from the user At the end of the Write Protect command the bootloader transmits the ACK message and generates a system Reset to take into account the new configuration of the option byte Note On the STM32F105xx and STM32F107xx the sector size is 4 Kbyt...

Page 59: ...tors that were protected by the first command become unprotected and only the sectors passed within the second Write Protect command become protected Figure 44 Write Protect command via CAN Host side 1 WP Write Protect The host sends the messages as follows Command message Std ID 0x63 DLC 0x01 data 0 N where 0 N 255 Command message Std ID 0x63 DLC 0x01 08 data 0 N where 0 N 255 7AIT FOR OR 7AIT FO...

Page 60: ...r receives the Write Unprotect command it transmits the ACK message to the host if ROP is disabled else it transmits NACK After the transmission of the ACK message the bootloader disables the write protection of all the Flash memory sectors At the end of the Write Unprotect command the bootloader transmits the ACK message and generates a system Reset to take into account the new configuration of t...

Page 61: ...1 61 83 Figure 46 Write Unprotect command Host side 1 WPUN Write Unprotect The host sends the messages as follows Command message Std ID 0x73 DLC 0x01 data 00 7AIT FOR OR 7AIT FOR OR ND OF 705 AI 3END 7RITE UNPROTECT MESSAGE STD X 3TART 705 ...

Page 62: ...d protection When the bootloader receives the Readout Protect command it transmits the ACK message to the host if ROP is disabled else it transmits NACK After the transmission of the ACK message the bootloader enables the read protection for the Flash memory At the end of the Readout Protect command the bootloader transmits the ACK message and generates a system Reset to take into account the new ...

Page 63: ...igure 48 Readout Protect command via CAN Host side 1 RDP_PRM Readout Protect The host sends the messages as follows Command message Std ID 0x82 DLC 0x01 data 0 00 7AIT FOR OR 7AIT FOR OR ND OF 2 0 02 AI 3END 2EADOUT 0ROTECT MESSAGE STD X 3TART 2 0 02 ...

Page 64: ... receives the Readout Unprotect command it transmits the ACK message to the host After the transmission of the ACK message the bootloader erases all the Flash memory sectors and it disables the read protection for the entire Flash memory If the erase operation is successful the bootloader deactivates the RDP At the end of the Readout Unprotect command the bootloader transmits an ACK message and ge...

Page 65: ...ure 50 Readout Unprotect command via CAN Host side 1 RDU_PRM Readout Unprotect The host sends the messages as follows Command message Std ID 0x92 DLC 0x01 data 00 7AIT FOR OR 7AIT FOR OR ND OF 2 5 02 AI 3END 2EADOUT 5NPROTECT MESSAGE STD X 3TART 2 5 02 ...

Page 66: ...Unprotect The STM32F105xx and STM32F107xx sends the messages as follows ACK message Std ID 0x92 DLC 1 data 0 ACK if the content of the command is correct and ROP is not active else data 0 NACK O AI 3TART 2 5 02 2ECEIVED 3END MESSAGE 3END MESSAGE ND OF 2 5 02 9ES 3END MESSAGE ISABLE 2 0 ENERATE SYSTEM RESET MESSAGE WITH X ...

Page 67: ...tStatus request and Device Reset 3 After six trials the three clock configurations are tested twice a System Reset is generated BL_DFU Received correct Packet No Timeout Yes Configure external oscillator mode and re initialize USB Enumeration Phase Enter DFU Mode Wait for Host commands DFU Request routines DFU requests Jump to Leave DFU routine Leave DFU Generate System and exit DFU mode Need rese...

Page 68: ...ication the USB cable has to be unplugged before reset 4 2 USB DFU Bootloader requests USB DFU Bootloader supports DFU protocol and requests compliant with the Universal Serial Bus Device Upgrade Specification for Device Firmware Upgrade Version 1 1 Aug 5 2004 For more details concerning these requests refer to this specification document Table 5 and Table 6 enumerate the DFU Class Specific reques...

Page 69: ...structure If wValue 0 then the data sent by the Host after the request is a bootloader command code The first byte is the command code and the other bytes if any are the data related to this command The selection of a command through the DFU upload request is done through the wValue parameter in the USB request structure If wValue 0 then Get Command is selected and performed 4 4 DFU_UPLOAD request...

Page 70: ...ddress Pointer should have been previously specified through a Set Address Pointer command using a DFU_DNLOAD request Otherwise if no address is previously specified the device assumes that it will be the internal Flash start address 0x08000000 If the Flash Read Protection is enabled the Read operation is not performed and the device status returned is Status dfuERROR State errVENDOR whatever the ...

Page 71: ...lockNum 0 ROP Active No Yes Status errVENDOR Send the requested number of data bytes No Yes wBlockNum 1 command codes Stall State dfuERROR Current status is dfuIDLE or dfuUPLOAD IDLE Stall No Acknowledge the request Yes DFU_UPLOAD request No Yes Get Device Status Request acknowledged Read Protection Read the requested number of data bytes No Status errVENDOR Is active Error ...

Page 72: ...DFU_CLRSTATUS request and get the new status till the Device returns to dfuIDLE state 4 5 DFU_DNLOAD request commands The download request allows to perform different commands The command selection is done through the value of parameter wValue in the USB request structure The following operations are supported Write Memory wValue 1 Set Address Pointer wValue 0 and First Byte 0x21 Erase wValue 0 an...

Page 73: ...t byte of the received buffer Set Address Pointer routine Read Unprotect wBlockNum 0 Pointer command Unsupported command Erase routine State dfuERROR Status errSTALLEDPKT Read Unprotect routine command Write Memory routine No Yes wBlockNum 1 Stall Wait for data stage Return Status dfuDNBUSY Current status is dfuIDLE or dfuDNLOAD IDLE Stall No Acknowledge the request Yes Receive data buffer Wait fo...

Page 74: ...tion Note Before issuing a Download request the host has to check that the device is in a correct state dfuIDLE or dfuDNLOD IDLE and that there is no error reported in the status If the Download request No Error Send Data Buffer Packet Acked Yes Packet Acked Yes Error Get Status State dfuDNBUSY Yes Get Status State dfuDNLOAD IDLE No Error Yes Status errVENDOR No Yes ROP Active Download Status errT...

Page 75: ..._GETSTATUS request is needed to check if the command has been correctly executed except when the destination is the Option Bytes area in this case the device will immediately reset after write operation completion If the received address is wrong or unsupported the device status will then be Status dfuERROR State errTARGET The address to which the Host requests to write data is computed using the ...

Page 76: ...After sending Set Address Pointer command the host has to send DFU_GETSTATUS request The Set AddressPointer command is effectively executed only when a DFU_GETSTATUS request is issued by the Host If the status returned by the device is other than dfuDNBUSY then an error has occurred Write Memory No Yes Write the received buffer to the destination address Address allowed ROP active Yes No State dfu...

Page 77: ... buffer sent by the Host is 0x41 The Buffer length may be 5 bytes the four remaining bytes are the address bytes LSB first for the page erase operation or only 1 byte only the command byte for the Mass erase operation The Host sends a DFU_DNLOAD request with the above parameters to erase one page of the internal Flash memory or to perform a mass erase of this Flash The STM32F105xx and STM32F107xx ...

Page 78: ...h Read Protection is active then the device returns the status Status dfuERROR State errVENDOR and the erase operation is ignored by the device The allowed values for Erase page address are Internal Flash memory addresses Note No error is returned when performing erase operations on write protected sectors Figure 59 Erase Command Device side 4 5 4 Read Unprotect command The Read Unprotect command ...

Page 79: ...nd to a second Get Status request And the Host may wait till the Device is enumerated again A second DFU_GETSTATUS request may also be issued if the device is still connected to check if the command has been correctly executed If the device fails to execute the command it will return an error status depending on the error type Figure 60 Read Unprotect Command Device side 4 5 5 Leave DFU mode It is...

Page 80: ...address that doesn t contain executable code then the device will be reset and depending on the state of the boot pins may re enter bootloader mode Since the Bootloader DFU application is not manifestation tolerant the device will not be able to respond to Host requests after a manifestation phase is completed A second DFU_GETSTATUS request may also be issued if the device is still connected to ch...

Page 81: ... operation Device side 1 This status depends on the error origin and the current status DFU Leave routine Wait for Get Status Return state dfuMANIFEST Free resources and disconnect device Manifestation initiated Jump to application address Return error status1 Yes No ...

Page 82: ...Revision history AN2662 82 83 Doc ID 14156 Rev 1 Revision history Table 7 Document revision history Date Revision Changes 08 Jul 2009 1 Initial release ...

Page 83: ...WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND THEIR EQUIVALENTS UNDER THE LAWS OF ANY JURISDICTION OR INFRINGEMENT OF ANY PATENT COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT UNLESS EXPRESSLY APPROVED IN WRITING BY AN AUTHORIZED ST REPRESENTATIVE ST PRODUCTS ARE NOT RECOMMENDED AUTHORIZED OR WARRANTED FOR USE IN MILITARY AIR CRAFT SPACE LIFE SAVING OR LIFE SUSTAINING APPLICAT...

Reviews:

No comments