An3155 Usart Protocol Used in The stm32 Bootloader Stmicroelectronics PDF
An3155 Usart Protocol Used in The stm32 Bootloader Stmicroelectronics PDF
Application note
USART protocol used in the STM32 bootloader
Introduction
This application note describes the USART protocol used in the STM32 microcontroller
bootloader, providing details on each supported command.
This document applies to STM32 products embedding any bootloader version, as specified
in AN2606 STM32 system memory boot mode, available on www.st.com. These products
are listed in Table 1, and are referred to as STM32 throughout the document.
For more information about the USART hardware resources and requirements for your
device bootloader, refer to the already mentioned AN2606.
STM32C0 Series
STM32F0 Series
STM32F1 Series
STM32F2 Series
STM32F3 Series
STM32F4 Series
STM32F7 Series
STM32G0 Series
STM32G4 Series
Microcontrollers
STM32H5 Series
STM32H7 Series
STM32L0 Series
STM32L1 Series
STM32L4 Series
STM32L5 Series
STM32U5 Series
STM32WB Series
STM32WL Series
Contents
5 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
List of tables
List of figures
USARTx selected
Wait for a
command
Command
GET cmd received GO cmd
JP to_Address
ai15702
Once the system memory boot mode is entered and the STM32 microcontroller (based on
Arm®(a) cores) has been configured (for more details refer to AN2606), the bootloader code
begins to scan the USARTx_RX line pin, waiting to receive the 0x7F data frame: a start bit,
0x7F data bits, even parity bit, and a stop bit.
Depending on the implementation, the baud rate detection is based on the HW (IP
supporting auto baud rate), or on the SW. The following paragraphs explain the SW
detection mode.
The duration of this data frame is measured using the Systick timer. The count value of the
timer is then used to calculate the corresponding baud rate factor respect to the current
system clock. Then, the code initializes the serial interface accordingly. Using this calculated
baud rate, an acknowledge byte (0x79) is returned to the host, who signals that the STM32
is ready to receive commands.
a. Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
The calculation of the serial baud rate for USARTx, from the length of the first received byte,
is used to operate the bootloader within a wide range of baud rates. However, the upper and
lower limits have to be kept, to ensure proper data transfer.
For a correct data transfer from the host to the microcontroller, the maximum deviation
between the internal initialized baud rate for USARTx and the real baud rate of the host
must be below 2.5%. The deviation (fB, in percent) between the host baud rate and the
microcontroller baud rate can be calculated using the formula below:
This baud rate deviation is a nonlinear function, depending upon the CPU clock and the
baud rate of the host. The maximum of the function (fB) increases with the host baud rate.
This is due to the smaller baud rate prescaler factors, and the implied higher quantization
error.
The supported commands are listed in Table 2, all of them are described in this section.
Gets the version and the allowed commands supported by the current
Get(2) 0x00
version of the protocol.
Get Version(2) 0x01 Gets the protocol version.
Get ID(2) 0x02 Gets the chip ID.
Reads up to 256 bytes of memory starting from an address specified
Read Memory(3) 0x11
by the application.
Jumps to user application code located in the internal flash memory or
Go(3) 0x21
in the SRAM.
Writes up to 256 bytes to the RAM or flash memory starting from an
Write Memory(3) 0x31
address specified by the application.
Erase(3)(4) 0x43 Erases from one to all the flash memory pages.
Erases from one to all the flash memory pages using two-byte
Extended Erase(3)(4) 0x44 addressing mode (available only for USART bootloader v3.0 and
higher).
Generic command that allows to add new features depending on the
Special 0x50
product constraints, without adding a new command for every feature.
Generic command that allows the user to send more data compared to
Extended Special 0x51
the Special command.
Write Protect 0x63 Enables the write protection for some sectors.
Write Unprotect 0x73 Disables the write protection for all flash memory sectors.
Readout Protect 0x82 Enables the read protection.
Readout
0x92 Disables the read protection.
Unprotect(2)
Computes a CRC value on a given memory area with a size multiple of
Get Checksum 0xA1
4 bytes.
1. If a denied command is received or an error occurs during the command execution, the bootloader sends
an NACK byte, and goes back to command checking.
2. Protection. When active, only this limited subset of commands is available, all others are NACK-ed, and
have no effect on the device. The protection depends upon the product.
3. Refer to STM32 product datasheets and to AN2606 to know the valid memory areas for these commands.
4. Erase (x043) and Extended Erase (0x44) are exclusive. A device can support either the Erase command or
the Extended Erase command, but not both.
Protection
The protection used on the bootloader SW depends upon the MCU and its requirements.
Protection is active means
• for the STM32H5 Series: Trust zone (TZEN) = 0 and Product state ≥ Provisioning and
HiDeProtection Level(HDPL) = 3
• for the other products listed in Table 1: Read protection set
Communication safety
The communication from the programming tool (PC) to the device is verified by:
1. checksum: received blocks of data bytes are XOR-ed. A byte containing the computed
XOR of all previous bytes is added to the end of each communication (checksum byte).
By XOR-ing all received bytes (data plus checksum), the result at the end of the packet
must be 0x00.
2. for each command, the host sends a byte and its complement (XOR = 0x00)
3. UART: parity check active (even parity).
Each packet is either accepted (ACK answer), or discarded (NACK answer):
• ACK = 0x79
• NACK = 0x1F
Start Get
ACK
ACK
End of Get
ai14631b
Start Get
Received byte = No
0x00 + 0xFF? Send NACK byte
Yes
End of Get
ai14632b
Commands depend upon the HW features. Beginning from the USART BL version V4.0, the
number of commands is no more fixed, and can change from one product to the other.
As an example, for the STM32H5 Series there is no RDP HW feature. The scheme is:
Byte 1: ACK
Byte 2: N = 10 = the number of bytes to follow – 1, except current and ACKs
Byte 3: Protocol version 0x40 = v4.0
Byte 4: 0x00 Get command
Byte 5: 0x01 Get Version command
Byte 6: 0x02 Get ID command
Byte 7: 0x11 Read Memory command
Byte 8: 0x21 Go command
Byte 9: 0x31 Write Memory command
Byte 10: 0x44 Extended Erase command
Byte 11: 0x50 Special command
Byte 12: 0x63 Write Protect command
Byte 13: 0x73 Write command
Start GV(1)
Send 0x01+0xFE
NACK
Wait for
ACK or NACK
ACK
Option byte 1
Option byte 2
NACK
Wait for
ACK or NACK
ACK
End of GV(1)
MS45406V2
1. GV = Get Version.
Start GV(1)
Yes
Send ACK byte
Option byte 1
Option byte 2
End of GV(1)
MS35428V2
1. GV = Get Version.
Start GID(1)
Send 0x02+0xFD
ACK
Receive PID
ACK
End of GID(1)
ai14633
Start GID(1)
Received No
byte = 0x02+0xFD? Send NACK byte
Yes
Send product ID
End of GID(1)
ai14636
Start RM(1)
Send 0x11+0xEE
ACK
ACK
ACK
End of RM(1)
ai14637
1. RM = Read Memory.
Note: Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs,
refer to the known limitations section relative to that product in AN2606.
Start RM(1)
Received byte No
= 0x11+0xEE?
Yes
Protection Yes
active?
No
Yes
No
Checksum OK?
Yes
End of RM(1)
ai14638c
1. RM = Read Memory.
3.5 Go command
This command is used to execute the downloaded code or any other code by branching to
an address specified by the application. When the bootloader receives the command, it
transmits the ACK byte to the application. After the transmission of the ACK byte, the
bootloader waits for an address (four bytes, byte 1 is the address MSB and byte 4 is LSB)
and a checksum byte, then it checks the received address. If the address is valid and the
checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an NACK
byte, and aborts the command.
When the address is valid and the checksum is correct, the bootloader firmware:
• initializes the registers of the peripherals used by the bootloader to their default reset
values
• initializes the main stack pointer of the user application
• jumps to the memory location programmed in the received address + 4 (corresponding
to the address of the application reset handler). For example, if the received address is
0x0800 0000, the bootloader jumps to the memory location programmed at address
0x0800 0004.
In general, the host must send the base address where the application to jump to is
programmed.
Start Go
ACK
End of Go
ai14639d
Note: Valid addresses for the Go command are in RAM or flash memory (refer to STM32 product
datasheets and to AN2606 for more details about the valid memory addresses for the used
device). All other addresses are considered not valid and are NACK-ed by the device.
When an application is loaded into RAM and then a jump is made to it, the program must be
configured to run with an offset to avoid overlapping with the first area used by the
bootloader firmware (refer to STM32 product datasheets and to AN2606 for more details
about the RAM offset for the used device).
The Jump to the application works only if the user application sets the vector table correctly
to point to the application address.
Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs,
refer to the known limitations section relative to that product in AN2606.
Received bytes No
= 0x21+0xDE?
Yes
Protection Yes
active?
No
Start WM(1)
Send 0x31+0xCE
ACK
Send the start address (4 bytes)
and the checksum
End of WM(1)
ai14641c
1. WM = Write Memory.
2. N+1 must be a multiple of 4.
Note: Some products can return two NACKs instead of one when Read protection (RDP) is active
(or Read protection level 1 is active). To know if a given product returns one or two NACKs ,
refer to the known limitations section relative to that product in AN2606.
Start WM(1)
Received byte = No
0x31+0xCE?
Yes
Protection No
inactive?
Yes
No
Checksum OK?
Yes
Send ACK byte
No
Checksum OK?
Yes
Supported Yes
memory and not Write to destination memory
option bytes?
No
End of WM(1)
ai14642f
ai14642g
1. WM = Write Memory.
2. N+1 must be a multiple of 4.
3. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.
Start ER(1)
Send 0x43+0xBC
ACK
Yes Global No
Erase?
Send 0x00
Send the page numbers
Send checksum
ACK
End of ER(1)
ai14643b
1. ER = Erase Memory.
Start ER(1)
Received bytes = No
0x43+0xBC?
Yes
Protection Yes
active?
No
Yes
0xFF received?
No
Checksum No
OK?
Yes
Erase the corresponding pages
End of ER(1)
ai14644d
1. ER = Erase Memory.
Note: After sending the command and its checksum, if the host sends 0xFF followed by data
different from 0x00, the mass erase is not performed, and an ACK is sent by the device.
The host sends bytes to the STM32 as follows:
Byte 1: 0x43
Byte 2: 0xBC
Wait for ACK
Start EER
NACK
Wait for ACK or NACK
ACK
YES NO
Special Erase ?
NACK
Wait for ACK or NACK
ACK
End of EER
ai17460
Start EER(1)
Received bytes = No
0x44 + 0xBB ?
Yes
Yes
Protection active?
No
Checksum of all No
No Checksum of two ?
bytes OK and command received bytes OK?
supported?
Yes
Yes
Erase the
Perform the corresponding pages
requested erase
End of EER(1)
ai17461d
Start WP(1)
Send 0x63+0x9C
ACK
Send checksum
ACK
End of WP(1)
ai14645b
1. WP = Write Protect.
Start WP(1)
Received bytes = No
0x63+0x9C?
Yes
Protection Yes
active?
No
Checksum No
OK?
Yes
Write-protect the requested sectors
End of WP(1)
ai14646e
1. WP = Write Protect.
2. System reset is called only for some STM32 BL (STM32F0/F2/F4/F7) and some STM32L4
(STM32L412xx/422xx, STM32L43xxx/44xxx, STM32L45xxx/46xxx) products.
Start WPUN(1)
Send 0x73+0x8C
ACK
ACK
End of WPUN(1)
ai14647
Start WPUN(1)
Received bytes = No
0x73+0x8C?
Yes
Protection Yes
active?
No
End of WPUN(1)
ai14648e
Start RDP_PRM(1)
Send 0x82+0x7D
ACK
ACK
End of RDP_PRM(1)
ai14649
Received bytes = No
0x82+0x7D?
Yes
Yes
RDP active?
No
End of RDP_PRM(1)
ai14650d
Start RDU_PRM(1)
Send 0x92+0x6D
ACK
ACK
End of RDU_PRM(1)
ai14651
Start RDU_PRM(1)
Received bytes No
0x92+0x6D?
Yes
Disable RDP
ACK
ACK
ACK
ACK
ACK
MS54095V2
Yes
Protection active?
No
Yes
Number of No
received bytes OK?
Yes
Received CRC No
polynomial OK?
Yes
Received CRC No
initial value OK?
Yes
NACK
Wait for ACK or NACK
ACK
NACK
Wait for ACK or NACK
ACK
NACK
Wait for ACK or NACK
ACK
No
Get data packet (N bytes) Number of bytes N = 0?
Yes
No
Get status packet (N bytes) Number of bytes N = 0?
Yes
Receive ACK
No
Start Special command Received byte = 0x50+0xAF?
Yes
Command valid No
and checksum OK?
Yes
Yes
No
Send data (N bytes) Number of data N = 0?
Yes
No
Send status data (N bytes) Number of status data N = 0?
Yes
NACK
Wait for ACK or NACK
ACK
NACK
Wait for ACK or NACK
ACK
NACK
Wait for ACK or NACK
ACK
Send the number of bytes
(2 bytes, MSB first), packet data
(up to 1024 bytes) with checksum
NACK
Wait for ACK or NACK
ACK
No
Get status packet (N bytes) Number of bytes N = 0?
Yes
Receive ACK
No
Start Extended Special command Received byte = 0x51+0xA?
Yes
Command valid No
and checksum OK?
Yes
Yes
Yes
No
Send data (N bytes) Number of data N = 0?
Yes
No
Send status data (N bytes) Number of status data N = 0?
Yes
its checksum is correct, the bootloader transmits an ACK byte, otherwise it transmits an
NACK byte, and aborts the command.
The two packets can be received depending upon the sub-command needs:
• Packet1: Data 1 packet, where number of bytes is limited to 128 bytes
• Packet2: Data2 packet, where number of bytes is limited to 1024 bytes
If all conditions are satisfied (Packet1: N ≤ 128 and checksum is correct, and Packet2:
N ≤ 128 and checksum is correct), the bootloader transmits an ACK. otherwise, it transmits
an NACK byte, and aborts the command.
Once the sub-command is executed using received data, the bootloader sends a response
consisting in one packet:
• Size of the data (two bytes, MSB first)
• N bytes of data (If N = 0, no data is transmitted)
Finally, an ACK byte closes the command interaction between bootloader and the host.
5 Revision history
STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, enhancements, modifications, and
improvements to ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on
ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order
acknowledgment.
Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or
the design of purchasers’ products.
Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.
ST and the ST logo are trademarks of ST. For additional information about ST trademarks, refer to www.st.com/trademarks. All other product
or service names are the property of their respective owners.
Information in this document supersedes and replaces information previously supplied in any prior versions of this document.