AN3155

Application note
USART protocol used in the STM32 bootloader

Introduction
This application note describes the USART protocol used in the STM32 microcontroller
bootloader, providing details on each supported command.
This document applies to STM32 products embedding any bootloader version, as specified
in AN2606 STM32 system memory boot mode, available on www.st.com. These products
are listed in Table 1, and are referred to as STM32 throughout the document.
For more information about the USART hardware resources and requirements for your
device bootloader, refer to the already mentioned AN2606.

Table 1. Applicable products

Type Product series

STM32C0 Series
STM32F0 Series
STM32F1 Series
STM32F2 Series
STM32F3 Series
STM32F4 Series
STM32F7 Series
STM32G0 Series
STM32G4 Series
Microcontrollers
STM32H5 Series
STM32H7 Series
STM32L0 Series
STM32L1 Series
STM32L4 Series
STM32L5 Series
STM32U5 Series
STM32WB Series
STM32WL Series

February 2023 AN3155 Rev 16 1/50

www.st.com 1
Contents AN3155

Contents

1 USART bootloader code sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Choosing the USARTx baud rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1 Minimum baud rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Maximum baud rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 Bootloader command set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.1 Get command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Get Version command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.3 Get ID command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.4 Read Memory command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.5 Go command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.6 Write Memory command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.7 Erase Memory command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.8 Extended Erase Memory command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.9 Write Protect command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.10 Write Unprotect command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.11 Readout Protect command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3.12 Readout Unprotect command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.13 Get Checksum command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.14 Special command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.15 Extended Special command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

4 Bootloader protocol version evolution . . . . . . . . . . . . . . . . . . . . . . . . . 47

5 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

2/50 AN3155 Rev 16

AN3155 List of tables

List of tables

Table 1. Applicable products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Table 2. USART bootloader commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Table 3. Bootloader protocol versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Table 4. Document revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

AN3155 Rev 16 3/50

3
List of figures AN3155

List of figures

Figure 1. Bootloader for STM32 with USART . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Figure 2. Get command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 3. Get command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 4. Get Version command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 5. Get Version command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 6. Get ID command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Figure 7. Get ID command: device side. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 8. Read Memory command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Figure 9. Read Memory command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 10. Go command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 11. Go command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 12. Write Memory command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Figure 13. Write Memory command: device side. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 14. Erase Memory command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 15. Erase Memory command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 16. Extended Erase Memory command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Figure 17. Extended Erase Memory command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 18. Write Protect command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 19. Write Protect command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 20. Write Unprotect command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 21. Write Unprotect command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 22. Readout Protect command: host side. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 23. Readout Protect command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 24. Readout Unprotect command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Figure 25. Readout Unprotect command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 26. Get Checksum command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Figure 27. Get Checksum command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Figure 28. Special command: host side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Figure 29. Special command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Figure 30. Extended Special command: host side. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Figure 31. Extended Special command: device side . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

4/50 AN3155 Rev 16

AN3155 USART bootloader code sequence

1 USART bootloader code sequence

Figure 1. Bootloader for STM32 with USART

0x7F received on
USARTx Rx pin

USARTx selected

Auto-baud rate sequence

send ACK byte & disable
unused peripherals

Wait for a
command
Command
GET cmd received GO cmd

GET cmd RD cmd (optional) GO cmd

routine routine Routines for routine
loading
into RAM

JP to_Address

ai15702

Once the system memory boot mode is entered and the STM32 microcontroller (based on
Arm®(a) cores) has been configured (for more details refer to AN2606), the bootloader code
begins to scan the USARTx_RX line pin, waiting to receive the 0x7F data frame: a start bit,
0x7F data bits, even parity bit, and a stop bit.
Depending on the implementation, the baud rate detection is based on the HW (IP
supporting auto baud rate), or on the SW. The following paragraphs explain the SW
detection mode.
The duration of this data frame is measured using the Systick timer. The count value of the
timer is then used to calculate the corresponding baud rate factor respect to the current
system clock. Then, the code initializes the serial interface accordingly. Using this calculated
baud rate, an acknowledge byte (0x79) is returned to the host, who signals that the STM32
is ready to receive commands.

a. Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

AN3155 Rev 16 5/50

49
Choosing the USARTx baud rate AN3155

2 Choosing the USARTx baud rate

The calculation of the serial baud rate for USARTx, from the length of the first received byte,
is used to operate the bootloader within a wide range of baud rates. However, the upper and
lower limits have to be kept, to ensure proper data transfer.
For a correct data transfer from the host to the microcontroller, the maximum deviation
between the internal initialized baud rate for USARTx and the real baud rate of the host
must be below 2.5%. The deviation (fB, in percent) between the host baud rate and the
microcontroller baud rate can be calculated using the formula below:

f B = STM32 baud rate – Host baud rate

------------------------------------------------------------------------------------------- × 100% , where fB ≤2.5%.
STM32 baud rate

This baud rate deviation is a nonlinear function, depending upon the CPU clock and the
baud rate of the host. The maximum of the function (fB) increases with the host baud rate.
This is due to the smaller baud rate prescaler factors, and the implied higher quantization
error.

2.1 Minimum baud rate

The lowest tested baud rate (BLow) is 1200. Baud rates below BLow cause SysTick timer
overflow. In this event, USARTx is not correctly initialized.

2.2 Maximum baud rate

BHigh is the highest baud rate for which the deviation does not exceed the limit. All baud
rates between BLow and BHigh are below the deviation limit.
The highest tested baud rate (BHigh) is 115200.

6/50 AN3155 Rev 16

AN3155 Bootloader command set

3 Bootloader command set

The supported commands are listed in Table 2, all of them are described in this section.

Table 2. USART bootloader commands

Command(1) Code Description

Gets the version and the allowed commands supported by the current
Get(2) 0x00
version of the protocol.
Get Version(2) 0x01 Gets the protocol version.
Get ID(2) 0x02 Gets the chip ID.
Reads up to 256 bytes of memory starting from an address specified
Read Memory(3) 0x11
by the application.
Jumps to user application code located in the internal flash memory or
Go(3) 0x21
in the SRAM.
Writes up to 256 bytes to the RAM or flash memory starting from an
Write Memory(3) 0x31
address specified by the application.
Erase(3)(4) 0x43 Erases from one to all the flash memory pages.
Erases from one to all the flash memory pages using two-byte
Extended Erase(3)(4) 0x44 addressing mode (available only for USART bootloader v3.0 and
higher).
Generic command that allows to add new features depending on the
Special 0x50
product constraints, without adding a new command for every feature.
Generic command that allows the user to send more data compared to
Extended Special 0x51
the Special command.
Write Protect 0x63 Enables the write protection for some sectors.
Write Unprotect 0x73 Disables the write protection for all flash memory sectors.
Readout Protect 0x82 Enables the read protection.
Readout
0x92 Disables the read protection.
Unprotect(2)
Computes a CRC value on a given memory area with a size multiple of
Get Checksum 0xA1
4 bytes.
1. If a denied command is received or an error occurs during the command execution, the bootloader sends
an NACK byte, and goes back to command checking.
2. Protection. When active, only this limited subset of commands is available, all others are NACK-ed, and
have no effect on the device. The protection depends upon the product.
3. Refer to STM32 product datasheets and to AN2606 to know the valid memory areas for these commands.
4. Erase (x043) and Extended Erase (0x44) are exclusive. A device can support either the Erase command or
the Extended Erase command, but not both.

AN3155 Rev 16 7/50

49
Bootloader command set AN3155

Protection
The protection used on the bootloader SW depends upon the MCU and its requirements.
Protection is active means
• for the STM32H5 Series: Trust zone (TZEN) = 0 and Product state ≥ Provisioning and
HiDeProtection Level(HDPL) = 3
• for the other products listed in Table 1: Read protection set

Communication safety
The communication from the programming tool (PC) to the device is verified by:
1. checksum: received blocks of data bytes are XOR-ed. A byte containing the computed
XOR of all previous bytes is added to the end of each communication (checksum byte).
By XOR-ing all received bytes (data plus checksum), the result at the end of the packet
must be 0x00.
2. for each command, the host sends a byte and its complement (XOR = 0x00)
3. UART: parity check active (even parity).
Each packet is either accepted (ACK answer), or discarded (NACK answer):
• ACK = 0x79
• NACK = 0x1F

8/50 AN3155 Rev 16

AN3155 Bootloader command set

3.1 Get command

This command allows the user to get the protocol version and the supported commands.
When the bootloader receives the command, it transmits the protocol version and the
supported command codes to the host, as shown in Figure 2.

Figure 2. Get command: host side

Start Get

Send 0x00 + 0xFF

Wait for ACK NACK

or NACK

ACK

Receive the number of bytes

(version and commands)

Receive the protocol version

Receive the supported commands

Wait for ACK NACK

or NACK

ACK

End of Get
ai14631b

AN3155 Rev 16 9/50

49
Bootloader command set AN3155

Figure 3. Get command: device side

Start Get

Received byte = No
0x00 + 0xFF? Send NACK byte

Yes

Send ACK byte

Send the number of bytes

(version and commands)

Send the protocol version

Send the supported commands

Send ACK byte

End of Get
ai14632b

The STM32 sends the bytes as follows:

Byte 1: ACK
Byte 2: N = 11 = the number of bytes to follow – 1, except current and ACKs
Byte 3: Protocol version (0 < version < 255), example: 0x10 = version 1.0
Byte 4: 0x00 Get command
Byte 5: 0x01 Get Version command
Byte 6: 0x02 Get ID command
Byte 7: 0x11 Read Memory command
Byte 8: 0x21 Go command
Byte 9: 0x31 Write Memory command
Byte 10: 0x43 or 0x44 Erase command or Extended Erase command
(exclusive commands)
Byte 11: 0x63 Write Protect command
Byte 12: 0x73 Write Unprotect command
Byte 13: 0x82 Readout Protect command

10/50 AN3155 Rev 16

AN3155 Bootloader command set

Byte 14: 0x92 Readout Unprotect command

Byte 15: 0xA1 Get Checksum command (only for version V3.3)

Commands depend upon the HW features. Beginning from the USART BL version V4.0, the
number of commands is no more fixed, and can change from one product to the other.
As an example, for the STM32H5 Series there is no RDP HW feature. The scheme is:
Byte 1: ACK
Byte 2: N = 10 = the number of bytes to follow – 1, except current and ACKs
Byte 3: Protocol version 0x40 = v4.0
Byte 4: 0x00 Get command
Byte 5: 0x01 Get Version command
Byte 6: 0x02 Get ID command
Byte 7: 0x11 Read Memory command
Byte 8: 0x21 Go command
Byte 9: 0x31 Write Memory command
Byte 10: 0x44 Extended Erase command
Byte 11: 0x50 Special command
Byte 12: 0x63 Write Protect command
Byte 13: 0x73 Write command

AN3155 Rev 16 11/50

49
Bootloader command set AN3155

3.2 Get Version command

This command is used to get the protocol version. After receiving the command, the
bootloader transmits the version, and two bytes (for legacy compatibility, both bytes are 0).

Figure 4. Get Version command: host side

Start GV(1)

Send 0x01+0xFE

NACK
Wait for
ACK or NACK

ACK

Receive the protocol version

Option byte 1

Option byte 2

NACK
Wait for
ACK or NACK

ACK

End of GV(1)
MS45406V2

1. GV = Get Version.

12/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 5. Get Version command: device side

Start GV(1)

Received byte No Send NACK byte

= 0x01+0xFE?

Yes
Send ACK byte

Send the protocol version

Option byte 1

Option byte 2

Send ACK byte

End of GV(1)
MS35428V2

1. GV = Get Version.

The STM32 sends the bytes as follows:

Byte 1: ACK
Byte 2: Protocol version (0 < version ≤ 255), example: 0x10 = version 1.0
Byte 3: Option byte 1: 0x00 to keep the compatibility with generic bootloader protocol
Byte 4: Option byte 2: 0x00 to keep the compatibility with generic bootloader protocol
Byte 5: ACK

AN3155 Rev 16 13/50

49
Bootloader command set AN3155

3.3 Get ID command

This command is used to get the version of the chip ID (identification). When the bootloader
receives the command, it transmits the product ID to the host.
The STM32 device sends the bytes as follows:
Byte 1: ACK
Byte 2: N = the number of bytes – 1 (N = 1 for STM32), except for current byte and ACKs
Bytes 3-4: PID(1) byte 3 = 0x04, byte 4 = 0xXX
Byte 5: ACK
1. PID stands for product ID. Byte 1 and 2 are, respectively, the MSB and the LSB of the ID.

Figure 6. Get ID command: host side

Start GID(1)

Send 0x02+0xFD

Wait for ACK NACK

or NACK

ACK

Receive N = number of bytes – 1

Receive PID

Wait for ACK NACK

or NACK

ACK

End of GID(1)
ai14633

1. GID = Get ID.

14/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 7. Get ID command: device side

Start GID(1)

Received No
byte = 0x02+0xFD? Send NACK byte

Yes

Send ACK byte

Send N = number of bytes – 1

Send product ID

Send ACK byte

End of GID(1)
ai14636

1. GID = Get ID.

3.4 Read Memory command

This command is used to read data from any valid memory address (refer to the product
datasheets and to AN2606 for more details) in RAM, flash memory, and in the information
block (system memory or option byte areas).
When the bootloader receives the command, it transmits the ACK byte to the application.
After the transmission of the ACK byte, the bootloader waits for an address (four bytes, byte
1 is the address MSB and byte 4 is the LSB) and a checksum byte, then it checks the
received address. If the address is valid and the checksum is correct, the bootloader
transmits an ACK byte, otherwise it transmits an NACK byte, and aborts the command.
When the address is valid and the checksum is correct, the bootloader waits for the number
of bytes to be transmitted – 1 (N bytes) and for its complemented byte (checksum). If the
checksum is correct it then transmits the needed data ((N + 1) bytes) to the application,
starting from the received address. If the checksum is not correct, it sends an NACK before
aborting the command.
The host sends bytes to the STM32 as follows:
Bytes 1-2: 0x11 + 0xEE
Wait for ACK
Bytes 3 to 6 Start address byte 3: MSB, byte 6: LSB
Byte 7: Checksum: XOR (byte 3, byte 4, byte 5, byte 6)
Wait for ACK
Byte 8: The number of bytes to be read – 1 (0 < N ≤255);
Byte 9: Checksum: XOR byte 8 (complement of byte 8)

AN3155 Rev 16 15/50

49
Bootloader command set AN3155

Figure 8. Read Memory command: host side

Start RM(1)

Send 0x11+0xEE

Wait for ACK NACK

or NACK

ACK

Send the start address (4 bytes) with

checksum

Wait for ACK NACK

or NACK

ACK

Send the number of bytes to be read (1 byte)

and a checksum (1 byte)

Wait for ACK NACK

or NACK

ACK

Receive data from the BL

End of RM(1)
ai14637

1. RM = Read Memory.

16/50 AN3155 Rev 16

AN3155 Bootloader command set

Note: Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs,
refer to the known limitations section relative to that product in AN2606.

Figure 9. Read Memory command: device side

Start RM(1)

Received byte No
= 0x11+0xEE?

Yes

Protection Yes
active?

No

Send ACK byte

Receive the start address

(4 bytes) with checksum

Address valid & No

checksum OK?

Yes

Send ACK byte

Receive the number of bytes to be read

(1 byte) and a checksum (1 byte)

No
Checksum OK?

Yes

Send ACK byte Send NACK byte

Send data to the host

End of RM(1)
ai14638c

1. RM = Read Memory.

AN3155 Rev 16 17/50

49
Bootloader command set AN3155

3.5 Go command
This command is used to execute the downloaded code or any other code by branching to
an address specified by the application. When the bootloader receives the command, it
transmits the ACK byte to the application. After the transmission of the ACK byte, the
bootloader waits for an address (four bytes, byte 1 is the address MSB and byte 4 is LSB)
and a checksum byte, then it checks the received address. If the address is valid and the
checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an NACK
byte, and aborts the command.
When the address is valid and the checksum is correct, the bootloader firmware:
• initializes the registers of the peripherals used by the bootloader to their default reset
values
• initializes the main stack pointer of the user application
• jumps to the memory location programmed in the received address + 4 (corresponding
to the address of the application reset handler). For example, if the received address is
0x0800 0000, the bootloader jumps to the memory location programmed at address
0x0800 0004.
In general, the host must send the base address where the application to jump to is
programmed.

Figure 10. Go command: host side

Start Go

Send 0x21 + 0xDE

Wait for ACK NACK

or NACK
ACK

Send the Start Address

(4 bytes + checksum)

Wait for ACK NACK

or NACK

ACK

End of Go

ai14639d

18/50 AN3155 Rev 16

AN3155 Bootloader command set

Note: Valid addresses for the Go command are in RAM or flash memory (refer to STM32 product
datasheets and to AN2606 for more details about the valid memory addresses for the used
device). All other addresses are considered not valid and are NACK-ed by the device.
When an application is loaded into RAM and then a jump is made to it, the program must be
configured to run with an offset to avoid overlapping with the first area used by the
bootloader firmware (refer to STM32 product datasheets and to AN2606 for more details
about the RAM offset for the used device).
The Jump to the application works only if the user application sets the vector table correctly
to point to the application address.
Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs,
refer to the known limitations section relative to that product in AN2606.

Figure 11. Go command: device side

Start Go

Received bytes No
= 0x21+0xDE?

Yes

Protection Yes
active?

No

Send ACK byte

Receive the start address

(4 bytes) and the checksum

Address valid & No

Send NACK byte
checksum OK?

Send ACK byte

End of Go

Jump to user application

ai14640e

AN3155 Rev 16 19/50

49
Bootloader command set AN3155

The host sends bytes to the STM32 as follows:

Byte 1: 0x21
Byte 2: 0xDE
Wait for ACK
Bytes 3 to 6: Start address (byte 3: MSB, byte 6: LSB)
Byte 7: Checksum: XOR (byte 3, byte 4, byte 5, byte 6)

3.6 Write Memory command

This command is used to write data to any valid memory address (see note below), such as
RAM, flash memory, or option byte area.
When the bootloader receives the command, it transmits the ACK byte to the application.
After the transmission of the ACK byte, the bootloader waits for an address (four bytes, byte
1 is the address MSB and byte 4 is the LSB) and a checksum byte, it then checks the
received address. For the option byte area, the start address must be the base address of
the option byte area (see note below) to avoid writing inopportunely in this area.
If the received address is valid and the checksum is correct, the bootloader transmits an
ACK byte, otherwise it transmits an NACK byte, and aborts the command. When the
address is valid and the checksum is correct, the bootloader
• gets a byte, N, which contains the number of data bytes to be received
• receives the user data ((N + 1) bytes) and the checksum (XOR of N and of all data
bytes)
• programs the user data to memory starting from the received address
• at the end of the command, if the write operation was successful, the bootloader
transmits the ACK byte; otherwise it transmits an NACK byte to the application and
aborts the command.
The maximum length of the block to be written for the STM32 is 256 bytes.
If the Write Memory command is issued to the option byte area, all bytes are erased before
writing the new values, and at the end of the command the bootloader generates a system
reset to take into account the new configuration of the option bytes.
Note: When writing to the RAM, user must not overlap the first area used by the bootloader
firmware.
No error is returned when performing write operations on write-protected sectors. No error is
returned when the start address is invalid.

20/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 12. Write Memory command: host side

Start WM(1)

Send 0x31+0xCE

Wait for ACK NACK

or NACK

ACK
Send the start address (4 bytes)
and the checksum

Wait for ACK NACK

or NACK
ACK

Send the number of bytes to be written

(1 byte), the data (N + 1 bytes)(2) and checksum

Wait for ACK NACK

or NACK
ACK

End of WM(1)

ai14641c

1. WM = Write Memory.
2. N+1 must be a multiple of 4.

Note: Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs ,
refer to the known limitations section relative to that product in AN2606.

AN3155 Rev 16 21/50

49
Bootloader command set AN3155

Figure 13. Write Memory command: device side

Start WM(1)

Received byte = No
0x31+0xCE?

Yes
Protection No
inactive?

Yes

Send ACK byte

Receive the start address (4 bytes)

and checksum

No
Checksum OK?

Yes
Send ACK byte

Receive the number of bytes to be written (1 byte),

the data (N + 1 bytes)(2) and the checksum

No
Checksum OK?

Yes

Supported Yes
memory and not Write to destination memory
option bytes?

No

Option Yes Write the keys for option byte

byte address? area access

Write the received data to

option byte area from start address
No Send Send
ACK NACK
Send ACK byte byte byte

Generate system reset(3)

End of WM(1)
ai14642f
ai14642g

1. WM = Write Memory.
2. N+1 must be a multiple of 4.
3. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.

22/50 AN3155 Rev 16

AN3155 Bootloader command set

The host sends the bytes to the STM32 as follows:

Byte 1: 0x31
Byte 2: 0xCE
Wait for ACK
Bytes 3 to 6: Start address (byte 3: MSB, byte 6: LSB)
Byte 7: Checksum: XOR (byte3, byte4, byte5, byte6)
Wait for ACK
Byte 8: Number of bytes to be received (0 < N ≤255)
N +1 data bytes: Max 256 bytes
Checksum byte: XOR (N, N+1 data bytes)

3.7 Erase Memory command

This command allows the host to erase flash memory pages. When the bootloader receives
the command, it transmits the ACK byte to the host. After the transmission of the ACK byte,
the bootloader receives one byte (number of pages to be erased), the flash memory page
codes, and a checksum byte. If the checksum is correct, the bootloader erases the memory
and sends an ACK byte to the host, otherwise it sends an NACK byte to the host ,and the
command is aborted.
Erase Memory command specifications:
1. The bootloader receives a byte that contains N, the number of pages to be erased – 1.
N = 255 is reserved for global erase requests. For 0 ≤N ≤254, N + 1 pages are erased.
2. The bootloader receives (N + 1) bytes, each byte containing a page number.
Note: No error is returned when performing erase operations on write protected sectors.

AN3155 Rev 16 23/50

49
Bootloader command set AN3155

Figure 14. Erase Memory command: host side

Start ER(1)

Send 0x43+0xBC

Wait for ACK NACK

or NACK

ACK

Yes Global No
Erase?

Send 0xFF Send the number of pages

to be erased (1 byte)

Send 0x00
Send the page numbers

Send checksum

Wait for ACK NACK

or NACK

ACK

End of ER(1)
ai14643b

1. ER = Erase Memory.

24/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 15. Erase Memory command: device side

Start ER(1)

Received bytes = No
0x43+0xBC?

Yes

Protection Yes
active?

No

Send ACK byte

Receive the number of pages

to be erased (1 byte)

Yes
0xFF received?

No

Receive the page codes

No
Yes
Start global erase Receive the checksum
(mass erase)

Checksum No
OK?

Yes
Erase the corresponding pages

Send ACK byte Send NACK byte

End of ER(1)
ai14644d

1. ER = Erase Memory.

Note: After sending the command and its checksum, if the host sends 0xFF followed by data
different from 0x00, the mass erase is not performed, and an ACK is sent by the device.
The host sends bytes to the STM32 as follows:
Byte 1: 0x43
Byte 2: 0xBC
Wait for ACK

AN3155 Rev 16 25/50

49
Bootloader command set AN3155

Byte 3: 0xFF or number of pages to be erased – 1 (0 ≤N ≤maximum number of pages)

Byte 4: 0x00 (in case of global erase) or ((N + 1 bytes (page numbers) and then checksum
XOR (N, N+1 bytes))

3.8 Extended Erase Memory command

This command allows the host to erase flash memory pages using two bytes addressing
mode. When the bootloader receives the command, it transmits the ACK byte to the host.
After the transmission of the ACK byte, the bootloader receives two bytes (number of pages
to be erased), the fl/ash memory page codes (each one coded on two bytes, MSB first) and
a checksum byte (XOR of the sent bytes); if the checksum is correct, the bootloader erases
the memory and sends an ACK byte to the host. Otherwise, it sends an NACK byte to the
host, and the command is aborted.
Extended Erase Memory command specifications:
1. The bootloader receives one half-word (two bytes) that contains N, the number of
pages to be erased:
a) For N = 0xFFFY (where Y is from 0 to F) special erase is performed:
- 0xFFFF for global mass erase
- 0xFFFE for bank 1 mass erase
- 0xFFFD for bank 2 mass erase
- Codes from 0xFFFC to 0xFFF0 are reserved
b) For other values, where 0 ≤ N < maximum number of pages: N + 1 pages are
erased.
2. The bootloader receives:
a) In the case of a special erase, one byte: checksum of the previous bytes:
- 0x00 for 0xFFFF
- 0x01 for 0xFFFE
- 0x02 for 0xFFFD
a) In the case of N+1 page erase, the bootloader receives (2 x (N + 1)) bytes, each
half-word containing a page number (coded on two bytes, MSB first). Then all
previous byte checksums (in one byte).
Note: No error is returned when performing erase operations on write-protected sectors.
The maximum number of pages is relative to the product and must be respected.

26/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 16. Extended Erase Memory command: host side

Start EER

Send 0x44 + 0xBB

NACK
Wait for ACK or NACK

ACK

YES NO
Special Erase ?

Send the number of pages

to be erased N (on two
Send Special Erase cmd: bytes) MSB first
0xFFFF = Mass erase
0xFFFE = Bank1 erase
Send the page numbers
0xFFFD = Bank2 erase
(0xFFF0 to 0xFFFC are reserved)
(each on two bytes, MSB
first)

Send the checksum of the two Send byte checksum of all

bytes sent bytes (N (2 bytes),
2x(N+1) bytes)

NACK
Wait for ACK or NACK

ACK

End of EER

ai17460

1. EER = Extended Erase Memory.

AN3155 Rev 16 27/50

49
Bootloader command set AN3155

Figure 17. Extended Erase Memory command: device side

Start EER(1)

Received bytes = No
0x44 + 0xBB ?

Yes

Yes
Protection active?

No

Send ACK byte

Receive number of pages to

erase N (2 bytes, MSB first)

Yes 0xFFFY received?

(Y can be F, E, or D)

Start Special Erase:

0xFFFF = Mass erase
0xFFFE = Bank1 erase
0xFFFD = Bank2 erase
(0xFFF0 to 0xFFFC: reserved)
Receive checksum of the two
bytes (0x00, 0x01 or 0x02)
No
Receive the page codes
(on 2 bytes each, MSB first)
Receive the checksum of
all received bytes (N (on
2 x (N+1) bytes)
2 bytes),

Checksum of all No
No Checksum of two ?
bytes OK and command received bytes OK?
supported?
Yes
Yes
Erase the
Perform the corresponding pages
requested erase

Send NACK byte Send ACK byte Send NACK byte

End of EER(1)
ai17461d

1. EER = Extended Erase Memory.

28/50 AN3155 Rev 16

AN3155 Bootloader command set

The host sends the bytes to the STM32 as follows:

Byte 1: 0x44
Byte 2: 0xBB
Wait for ACK
Bytes 3-4: Special erase (0xFFFF, 0xFFFE, or 0xFFFD)
or
Number of pages to be erased (N+1 where 0 ≤ N < Maximum number of
pages).
Remaining Checksum of bytes 3-4 in case of special erase (0x00 if 0xFFFF or 0x01 if
bytes: 0xFFFE, or 0x02 if 0xFFFD)
or
(2 x (N + 1)) bytes (page numbers coded on two bytes MSB first) and then
the checksum for bytes 3-4 and all the following bytes

3.9 Write Protect command

This command is used to enable the write protection for some or all flash memory sectors.
When the bootloader receives the command, it transmits the ACK byte to the host. After the
transmission of the ACK byte, the bootloader waits for the number of bytes to be received
(sectors to be protected), and then receives the flash memory sector codes from the
application.
At the end of the command, the bootloader transmits the ACK byte, and generates a system
reset to take into account the new configuration of the option byte.
Note: Refer to STM32 product datasheets and to AN2606 for more details about the sector size
for the used device.
The Write Protect command sequence is as follows:
• the bootloader receives one byte that contains N, the number of sectors to be
write-protected – 1 (0 ≤ N ≤ 255)
• the bootloader receives (N + 1) bytes, each byte contains a sector code
Note: The total number of sectors and the sector number to be protected are not checked, this
means that no error is returned when a command is passed with a wrong number of sectors
to be protected or a wrong sector number.
If a second Write Protect command is executed, the flash memory sectors been protected
by the first command become unprotected, and only the sectors passed within the second
Write Protect command become protected.

AN3155 Rev 16 29/50

49
Bootloader command set AN3155

Figure 18. Write Protect command: host side

Start WP(1)

Send 0x63+0x9C

Wait for ACK NACK

or NACK

ACK

Send the number of sectors

to be protected (1 byte)

Send the sector codes

Send checksum

Wait for ACK NACK

or NACK

ACK

End of WP(1)
ai14645b

1. WP = Write Protect.

30/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 19. Write Protect command: device side

Start WP(1)

Received bytes = No
0x63+0x9C?

Yes

Protection Yes
active?

No

Send ACK byte

Receive the number of sectors

to be protected (1 byte)

Receive the sector codes

Receive the checksum

Checksum No
OK?

Yes
Write-protect the requested sectors

Send ACK byte Send NACK byte

Generate system reset(2)

End of WP(1)
ai14646e

1. WP = Write Protect.
2. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.

AN3155 Rev 16 31/50

49
Bootloader command set AN3155

3.10 Write Unprotect command

This command is used to disable the write protection of all the flash memory sectors. When
the bootloader receives the command, it transmits the ACK byte to the host. After the
transmission of the ACK byte, the bootloader disables the write protection of all the flash
memory sectors. After the unprotection operation, the bootloader transmits the ACK byte.
At the end of the Write Unprotect command, the bootloader transmits the ACK byte, and
generates a system reset to take into account the new configuration of the option byte.

Figure 20. Write Unprotect command: host side

Start WPUN(1)

Send 0x73+0x8C

Wait for ACK NACK

or NACK

ACK

Wait for ACK NACK

or NACK

ACK

End of WPUN(1)
ai14647

1. WPUN = Write Unprotect.

32/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 21. Write Unprotect command: device side

Start WPUN(1)

Received bytes = No
0x73+0x8C?

Yes

Protection Yes
active?

No

Send ACK byte

Remove the protection for the

whole flash memory

Send ACK byte Send NACK byte

Generate system reset(2)

End of WPUN(1)
ai14648e

1. WPUN = Write Unprotect.

2. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.

3.11 Readout Protect command

This command is used to enable the flash memory read protection. When the bootloader
receives the command, it transmits the ACK byte to the host. After the transmission of the
ACK byte, the bootloader enables the read protection for the flash memory.
At the end of the Readout Protect command, the bootloader transmits the ACK byte and
generates a system reset to take into account the new configuration of the option byte.

AN3155 Rev 16 33/50

49
Bootloader command set AN3155

Figure 22. Readout Protect command: host side

Start RDP_PRM(1)

Send 0x82+0x7D

Wait for ACK NACK

or NACK

ACK

Wait for ACK NACK

or NACK

ACK

End of RDP_PRM(1)

ai14649

1. RDP_PRM = Readout Protect.

Figure 23. Readout Protect command: device side

Start RDP_PRM(1)

Received bytes = No
0x82+0x7D?

Yes

Yes
RDP active?

No

Send ACK byte

Activate Read protection for

Flash memory

Send ACK byte Send NACK byte

Generate system reset(2)

End of RDP_PRM(1)
ai14650d

1. RDP_PRM = Readout Protect.

2. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.

34/50 AN3155 Rev 16

AN3155 Bootloader command set

3.12 Readout Unprotect command

This command is used to disable the flash memory read protection. When the bootloader
receives the command, it transmits the ACK byte to the host. After the transmission of the
ACK byte, the bootloader erases all the flash memory sectors and disables the read
protection for the whole memory. If the erase operation is successful, the bootloader
deactivates the RDP.
If the erase operation is unsuccessful, the bootloader transmits an NACK and the read
protection remains active.
At the end of the Readout Unprotect command, the bootloader transmits an ACK and
generates a system reset to take into account the new configuration of the option byte.
Note: For most STM32 products, the readout unprotect operation induces a mass erase of the
flash memory, so the host must wait sufficient time after the second ACK and before
restarting connection. To know how much time this operation takes, refer to the mass erase
time (when specified) in the product datasheet.

Figure 24. Readout Unprotect command: host side

Start RDU_PRM(1)

Send 0x92+0x6D

Wait for ACK NACK

or NACK

ACK

Wait for ACK NACK

or NACK

ACK

End of RDU_PRM(1)
ai14651

1. RDU_PRM = Readout Unprotect.

AN3155 Rev 16 35/50

49
Bootloader command set AN3155

Figure 25. Readout Unprotect command: device side

Start RDU_PRM(1)

Received bytes No
0x92+0x6D?

Yes

Send ACK byte

Disable RDP

Send ACK byte

Clear all RAM

Generate system reset(2) Send NACK byte

End of RDU_PRM(1) ai15709c

1. RDU_PRM = Readout Unprotect.

2. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.

36/50 AN3155 Rev 16

AN3155 Bootloader command set

3.13 Get Checksum command

This command is used to compute a CRC value on a given memory area.
The memory area size must be a multiple of 32 bits (4 bytes).
When the bootloader receives the command, it transmits the ACK byte to the application.
After the transmission of the ACK byte, the bootloader waits for an address (four bytes,
byte 1 is the MSB and byte 4 is the LSB) with a checksum byte, then it checks the received
address.
If the address is valid and the checksum is correct, the bootloader transmits an ACK byte,
otherwise it transmits an NACK byte, and aborts the command.
When the address is valid and the checksum is correct, the bootloader waits for the size of
the memory area that is expressed in 32-bit words (4 bytes) number and their complement
byte (checksum).
If the checksum is not correct, the bootloader sends an NACK before aborting the
command.
If the checksum is correct, the bootloader checks that the area size is different than 0 and
that it does not exceed the size of the memory.
If the memory size is correct, the bootloader sends ACK byte to the application.
When the memory size is valid and the checksum is correct, the bootloader waits for the
CRC polynomial value and its complement byte (checksum).
If the checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an
NACK byte, and aborts the command. If a product does not support polynomial value
change, the value is ignored, but the device still sends ACK.
When the checksum is valid, the bootloader waits for the CRC initialization value and its
complement byte (checksum).
If the checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an
NACK byte, and aborts the command. If a product does not support CRCR initialization
value change, the value is ignored but the device still sends ACK.
If the checksum is correct, the bootloader computes the CRC of the given memory, then
sends an ACK to the application, followed by the CRC value and its complement byte
(checksum).

AN3155 Rev 16 37/50

49
Bootloader command set AN3155

The host sends the bytes to the STM32 as follows:

Byte 1: 0xA1 + 0x5E
Wait for ACK
Bytes 3 to 6: Start address (byte 3: MSB, byte 6: LSB)
Byte 7: Checksum: XOR (byte 3, byte 4, byte 5, byte 6)
Wait for ACK
Bytes 8 to 11 Memory area size (number of 32-bit words) (byte 8: MSB, byte 11: LSB)
Byte 12: Checksum: XOR (byte 8, byte 9, byte 10, byte 11)
Wait for ACK
Byte 13 to 16: CRC polynomial (byte 13: MSB, byte 16: LSB)
Wait for ACK
Byte 17: Checksum: XOR (byte 13, byte 14, byte 15, byte 16)
Wait for ACK
Bytes 18 to 21 CRC initialization value (byte 18: MSB, byte 21: LSB)
Wait for ACK
Byte 22: Checksum: XOR (byte 18, byte 19, byte 20, byte 21)
Wait for ACK

38/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 26. Get Checksum command: host side

Start Get Checksum command

Send command 0xA1 + 0x5E

Wait for ACK NACK

or NACK frame

ACK

Send start address (4 bytes)

with checksum (1 byte)

Wait for ACK NACK

or NACK frame

ACK

Send number of 32-bit words

(4 bytes) with checksum (1 byte)

Wait for ACK NACK

or NACK frame

ACK

Send CRC polynomial

(4 bytes) with checksum (1 byte)

Wait for ACK NACK

or NACK frame

ACK

Send CRC initial value (4 bytes)

with checksum (1 byte)
ACK

Wait for ACK NACK

or NACK frame

ACK

Receive ACK byte + CRC value

(4 bytes) + checksum (1 byte)

End Get Checksum command

MS54095V2

AN3155 Rev 16 39/50

49
Bootloader command set AN3155

Figure 27. Get Checksum command: device side

Start Get Checksum command Receive bytes 0xA1 + 0x5E

Yes
Protection active?

No

Send ACK byte

Receive start address (4 bytes)

with checksum (1 byte)

Address valid & No

Checksum OK?

Yes

Send ACK byte

Receive number of 32-bit words

(4 bytes) with checksum (1 byte)

Number of No
received bytes OK?

Yes

Send ACK byte

Receive CRC polynomial

(4 bytes) with checksum (1 byte)

Received CRC No
polynomial OK?

Yes

Send ACK byte

Receive CRC initial value

(4 bytes) with checksum (1 byte)

Received CRC No
initial value OK?

Yes

Send ACK byte

Compute CRC Send NACK byte

Send ACK byte

Send data to the host

CRC value (4 bytes) End Get Checksum command
with checksum (1 byte)
MS54095V2

40/50 AN3155 Rev 16

AN3155 Bootloader command set

3.14 Special command

New bootloader commands are needed to support new STM32 features and to fulfill
customers needs. To avoid specific commands for a single project, the Special command
has been created, to be as generic as possible.

Figure 28. Special command: host side

Start Special command Send command (0x50 + 0xAF)

NACK
Wait for ACK or NACK

ACK

Send sub-command code

(2 bytes) with checksum

NACK
Wait for ACK or NACK

ACK

Send number of bytes

(2 bytes, MSB first), packet data
(up to 128 bytes) with checksum

NACK
Wait for ACK or NACK

ACK

Get number of bytes to receive

(2 bytes, MSB first)

No
Get data packet (N bytes) Number of bytes N = 0?

Yes

Get number of bytes to receive

(2 bytes, MSB first)

No
Get status packet (N bytes) Number of bytes N = 0?

Yes

Receive ACK

End Special command

MS55467

AN3155 Rev 16 41/50

49
Bootloader command set AN3155

Figure 29. Special command: device side

No
Start Special command Received byte = 0x50+0xAF?

Yes

Send ACK byte

Receive sub-command opcode

(2 bytes, MSB first)

Command valid No
and checksum OK?

Yes

Send ACK byte

Receive number of data (2 bytes,

MSB first), data + checksum

Number of data > 128 No

and checksum OK?

Yes

Send ACK byte

Internal processing (1)

Receive number of data N

(2 bytes, MSB first)

No
Send data (N bytes) Number of data N = 0?

Yes

Send number of status data N

(2 bytes, MSB first)

No
Send status data (N bytes) Number of status data N = 0?

Yes

Send ACK byte Send NACK byte

End Special command

MS55461V1

1. The internal processing depends upon the project.

When the bootloader receives the Special command, it transmits the ACK byte to the host.
Once the ACK is transmitted, the bootloader waits for a sub-command opcode (two bytes,
MSB first) and a checksum byte. If the sub-command is supported by the STM32 bootloader
and its checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an
NACK byte, and aborts the command.
To keep the command generic, the data packet received by the bootloader can have
different sizes, depending upon the sub-command needs.

42/50 AN3155 Rev 16

AN3155 Bootloader command set

Therefore, the packet is split in two parts:

• Size of the data (two bytes, MSB first)
• N bytes of data
– If N = 0, no data is transmitted
– N must be inferior to 128.
If all conditions are satisfied (N ≤ 128 and checksum is correct), the bootloader transmits an
ACK, otherwise, it transmits an NACK byte, and aborts the command.
Once the Sub-Command is executed using the received data, the bootloader sends a
response that consist of two consecutive packets:
• Data packet
– Size of the data (two bytes, MSB first)
– N bytes of data
– If N = 0, no data is transmitted
• Status packet
– Size of the status data (two bytes, MSB first)
– N bytes of data
– If N = 0, no status data is transmitted
Finally, an ACK byte closes the special command interaction between bootloader and the
host.

3.15 Extended Special command

This command is slightly different the Special command. It allows the user to send more
data with the addition of a new buffer of 1024 bytes< and as response it only returns the
commands status.

AN3155 Rev 16 43/50

49
Bootloader command set AN3155

Figure 30. Extended Special command: host side

Start Extended Special command Send command (0x51 + 0xAF)

NACK
Wait for ACK or NACK

ACK

Send sub-command code

(2 bytes) with checksum

NACK
Wait for ACK or NACK

ACK

Send the number of bytes

(2 bytes, MSB first), address packet
(up to 128 bytes) with checksum

NACK
Wait for ACK or NACK

ACK
Send the number of bytes
(2 bytes, MSB first), packet data
(up to 1024 bytes) with checksum

NACK
Wait for ACK or NACK

ACK

Get number of bytes to receive

(2 bytes, MSB first)

No
Get status packet (N bytes) Number of bytes N = 0?

Yes

Receive ACK

End Extended Special command

MS5546

44/50 AN3155 Rev 16

AN3155 Bootloader command set

Figure 31. Extended Special command: device side

No
Start Extended Special command Received byte = 0x51+0xA?

Yes

Send ACK byte

Receive sub-command opcode

(2 bytes, MSB first)

Command valid No
and checksum OK?

Yes

Send ACK byte

Receive address packet:

number of data (2 bytes,
MSB first), data + checksum

Number of data > 128 No

and checksum OK?

Yes

Receive data packet:

number of data (2 bytes,
MSB first), data + checksum

Number of data > 1024 No

and checksum OK?

Yes

Send ACK byte

Internal processing (1)

Send number of data N

(2 bytes, MSB first)

No
Send data (N bytes) Number of data N = 0?

Yes

Send number of status data N

(2 bytes, MSB first)

No
Send status data (N bytes) Number of status data N = 0?

Yes

Send ACK byte Send NACK byte

End Extended Special command

MS55466V1

1. The internal processing depends on the project needs.

When the bootloader receives this command, it transmits the ACK byte to the host. Once
the ACK is transmitted, the bootloader waits for a sub-command opcode (two bytes, MSB
first) and a checksum byte. If the sub-command is supported by the STM32 bootloader and

AN3155 Rev 16 45/50

49
Bootloader command set AN3155

its checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an
NACK byte, and aborts the command.
The two packets can be received depending upon the sub-command needs:
• Packet1: Data 1 packet, where number of bytes is limited to 128 bytes
• Packet2: Data2 packet, where number of bytes is limited to 1024 bytes
If all conditions are satisfied (Packet1: N ≤ 128 and checksum is correct, and Packet2:
N ≤ 128 and checksum is correct), the bootloader transmits an ACK. otherwise, it transmits
an NACK byte, and aborts the command.
Once the sub-command is executed using received data, the bootloader sends a response
consisting in one packet:
• Size of the data (two bytes, MSB first)
• N bytes of data (If N = 0, no data is transmitted)
Finally, an ACK byte closes the command interaction between bootloader and the host.

46/50 AN3155 Rev 16

AN3155 Bootloader protocol version evolution

4 Bootloader protocol version evolution

Table 3 lists the bootloader versions.

Table 3. Bootloader protocol versions

Version Description

V2.0 Initial bootloader version.

– Update Go command to initialize the main stack pointer
– Update Go command to return NACK when jump address is in the option byte
V2.1 area or system memory area
– Update Get ID command to return the device ID on two bytes
– Update the bootloader version to V2.1
– Update Read Memory, Write Memory and Go commands to deny access, with an
NACK response, to the first bytes of RAM used by the bootloader
V2.2
– Update Readout Unprotect command to initialize the whole RAM content to 0x0
before RDP disable operation
– Extended Erase command added to support number of pages larger than 256 and
separate bank mass erase
V3.0 – Erase command has not been modified in this version but, due to addition of the
Extended Erase command, it is no longer supported (Erase and Extended Erase
commands are exclusive)
– Limitation fix of:
When a Read Memory command or Write Memory command is issued with an
unsupported memory address and a correct address checksum (i.e. address
0x6000 0000), the command is aborted by the bootloader device, but the NACK
V3.1
(0x1F) is not sent to the host. As a result, the next two bytes (that is, the number of
bytes to be read/written and its checksum) are considered as a new command and
its checksum (1).
– No changes in specification, the product implementation has been corrected
– Added support for Get Checksum command
V3.3 – Updated Get Command command to return the opcode of the Get Checksum
command
– Number of commands can vary from device to device with the same protocol. To
V4.0
know supported commands, use Get command
1. If the “number of data - 1” (N-1) to be read/written is not equal to a valid command code (0x00, 0x01, 0x02,
0x11, 0x21, 0x31, 0x43, 0x44, 0x63, 0x73, 0x82 or 0x92), the limitation is not perceived from the host as
the command is NACK-ed anyway (as an unsupported new command).

AN3155 Rev 16 47/50

49
Revision history AN3155

5 Revision history

Table 4. Document revision history

Date Revision Changes

09-Mar-2010 1 Initial release.

Table 2: USART bootloader commands: added Extended Erase
command; removed footnote 2 concerning read protection from the
Readout Protect command.
Communication safety: amended Note 1.
Section 3.1: Get command: updated byte 10.
20-Apr-2010 2
Updated Figure 10: Go command: host side for missing ACK state.
Section 3.7: Write Memory command: added Note 1 and Note 2.
Figure 12, and Figure 13: added notes regarding N+1.
Added Section 3.8: Extended Erase Memory command.
Table 3: Bootloader protocol versions: added v3.0.
Added Note:, Note and Note:.
Changed all occurrences of “ROP” by “RDP” including in figures: Figure
12-Feb-2013 3 9., Figure 11., Figure 13., Figure 15., Figure 17., Figure 19., Figure 21.,
Figure 23., Figure 25..
Added Table 1: Applicable products.
Added Version 3.1 in Table 3: Bootloader protocol versions.
Updated “byte 4” value in Section 3.3: Get ID command.
Replaced “address” by “ID” in this Note 1.
Replaced “End of EER” by “End of Go” in Figure 10: Go command: host
side.
26-Mar-2013 4 Updated first sentence in Section 3.7: Write Memory command.
Removed “& address=0x1FFF F800” and replaced the two tests “Flash
memory address?” and “RAM address?” by a single test in Figure 13:
Write Memory command: device side.
Precised missing “Y” values in the third test of Figure 17: Extended Erase
Memory command: device side.
Added Note: above Figure 24: Readout Unprotect command: host side.
Replaced “STM32L151xx, STM32L152xx and STM32L162xx” by
22-May-2013 5
“STM32L1 Series” in Table 1: Applicable products.
Updated Table 1: Applicable products.
Removed footnote 4 and added footnote 3.in Table 2: USART bootloader
commands.
20-Jun-2014 6 Removed section 3.1 Device-dependent bootloader parameters.
Updated Figure 10: Go command: host side and Figure 11: Go command:
device side.
Updated Section 3.6: Write Memory command.
Introduced STM32L4 and STM32F7 Series, hence updated Introduction
21-Oct-2016 7
and Table 1: Applicable products.

48/50 AN3155 Rev 16

AN3155 Revision history

Table 4. Document revision history (continued)

Date Revision Changes

Added STM32H7 Series, hence updated Table 1: Applicable products.

Updated Section 1: USART bootloader code sequence.
14-Feb-2019 8
Updated Figure 4: Get Version command: host side.
Minor text edits across the whole document.
21-Feb-2019 9 Added STM32WB Series, hence updated Table 1: Applicable products.
Added STM32G0 and STM32G4 Series, hence updated Table 1:
09-Apr-2019 10
Applicable products.
23-Sep-2019 11 Added STM32L5 Series, hence updated Table 1: Applicable products.
04-Dec-2019 12 Added STM32WL Series, hence updated Table 1: Applicable products.
Updated Section 3.1: Get command.
Added Section 3.13: Get Checksum command.
30-Oct-2020 13 Updated Table 2: USART bootloader commands and Table 3: Bootloader
protocol versions.
Minor text edits across the whole document.
Updated Section 1: USART bootloader code sequence and Section 3.13:
Get Checksum command.
Updated Table 2: USART bootloader commands.
Updated Figure 13: Write Memory command: device side, Figure 19:
Write Protect command: device side, Figure 21: Write Unprotect
08-Jun-2021 14 command: device side, Figure 23: Readout Protect command: device side
and Figure 25: Readout Unprotect command: device side, and added
footnotes to them.
Updated Figure 26: Get Checksum command: host side.
Added Section 3.14: Special command and Section 3.15: Extended
Special command.
08-Feb-2022 15 Added STM32U5 Series, hence updated Table 1: Applicable products.
Added STM32C0 and STM32H5 Series.
Updated Table 1: Applicable products, Table 2: USART bootloader
commands, and Table 3: Bootloader protocol versions.
Updated Section 3: Bootloader command set, Section 3.1: Get command
and Section 3.2: Get Version command.
Updated Figure 2: Get command: host side, Figure 3: Get command:
device side, Figure 4: Get Version command: host side, Figure 5: Get
06-Feb-2023 16 Version command: device side, Figure 9: Read Memory command: device
side, Figure 11: Go command: device side, Figure 12: Write Memory
command: host side, Figure 13: Write Memory command: device side,
Figure 15: Erase Memory command: device side, Figure 17: Extended
Erase Memory command: device side, Figure 19: Write Protect
command: device side, Figure 21: Write Unprotect command: device side,
and Figure 27: Get Checksum command: device side.
Minor text edits across the whole document.

AN3155 Rev 16 49/50

49
 AN3155

IMPORTANT NOTICE – READ CAREFULLY

STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, enhancements, modifications, and
improvements to ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on
ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order
acknowledgment.

Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or
the design of purchasers’ products.

No license, express or implied, to any intellectual property right is granted by ST herein.

Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.

ST and the ST logo are trademarks of ST. For additional information about ST trademarks, refer to www.st.com/trademarks. All other product
or service names are the property of their respective owners.

Information in this document supersedes and replaces information previously supplied in any prior versions of this document.

© 2023 STMicroelectronics – All rights reserved

50/50 AN3155 Rev 16