A DFU bootloader targeting STM32F103 in just 4KB

STM32F103 DFU bootloader

This is a tiny bootloader (under 4KB) for the STM32F103 (although it probably works for similar devices). It enables users to flash devices over USB with arbitrary payloads. It features some minimal payload checking to ensure user apps are valid before booting them.

Features

  • Small size, ideally under 4KB to fit on the first four pages.
  • RDP protection configurable at build time.
  • Reboot into DFU mode support (by writing tag to RAM + reset).
  • Watchdog support for failsafe.
  • Total wipe on DFU downloads (avoid partial FW updates).
  • Optional upload enable (to prevent firmware/data reads).
  • Firmware checksum checking.

Reboot into bootloader

One can reboot into bootloader (in DFU mode) by simply writing the magic 0xDEADBEEFCC00FFEE value to the last 8 bytes of RAM and triggering a full system reset. This will make the bootloader start DFU mode instead of loading the (valid) payload present in flash.

Protections

The bootloader can enable RDP (readout protection), which prevents a debugger attached over SWIO from reading data. This protection can be removed, but doing so deletes all user flash (except the DFU bootloader, because the first 4KB are always write protected). It can also disable the SWIO GPIOs to prevent any debugger from attaching to the device once booted.

The bootloader also features some DFU protections. Firmware reads can be disabled by disabling UPLOAD commands. To prevent data reads it is also possible to prevent partial writes, since those could allow a small firmware to be uploaded that extracts data from flash. With this protection enabled, the bootloader wipes all the blocks as soon as an erase/write command is issued.

Force DFU mode

The bootloader can be configured to detect a GPIO condition on boot and abort boot to go into DFU mode. The pin will be configured as an internal pulldown and the user will need to pull it up to force DFU mode, which will be read right after reset (there's some small delay to ensure the pin is read correctly).

The firmware can optionally enable the internal watchdog with a configurable period of 1 to 26 seconds. If the user app does not reset the watchdog before the period is due, the watchdog will reset the system and the bootloader will enter DFU mode.

Firmware format and checksum

The user firmware should be built and linked at an offset of 0x1000 (4KB) so it can safely boot as a payload. The bootloader checks the following before declaring the payload valid:

  • Stack points to somewhere in the RAM range (0x20000000).
  • The firmware contains its size at offset 0x20 (as a LE uint32).
  • The firmware 32bit XOR checksum is zero (can use offset 0x1C for that).

If these conditions are met, provided no other triggers to boot into DFU are present, the bootloader will point VTOR to the user app and boot it.
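The three checks above, together with the build-side step that makes an image pass them, as an added host-side example (not the bootloader's own code). Assumptions: the size field counts bytes and covers the whole image, the RAM test is a mask on the top 12 address bits, and `image_check` / `image_seal` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OFF_CHECKSUM 0x1C /* word adjusted so the XOR becomes zero (README) */
#define OFF_SIZE     0x20 /* little-endian uint32 image size (README) */

static uint32_t rd32(const uint8_t *p) { /* LE read, host-endian independent */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* XOR of every 32-bit word in the first `size` bytes. */
static uint32_t xor32(const uint8_t *img, uint32_t size) {
    uint32_t x = 0;
    for (uint32_t i = 0; i < size; i += 4) x ^= rd32(img + i);
    return x;
}
/* Returns 0 if the image would boot, else the number of the first failed check. */
int image_check(const uint8_t *img, size_t avail) {
    if (avail < OFF_SIZE + 4) return 1;
    if ((rd32(img) & 0xFFF00000u) != 0x20000000u) return 1; /* word 0 = initial SP; mask is assumed */
    uint32_t size = rd32(img + OFF_SIZE);
    /* Bound the size field before summing, or the loop reads past the image. */
    if (size < OFF_SIZE + 4 || size % 4 != 0 || size > avail) return 2;
    if (xor32(img, size) != 0) return 3;
    return 0;
}
/* Build-side step: store the size, then pick the checksum word so the XOR is zero. */
int image_seal(uint8_t *img, uint32_t size) {
    if (size < OFF_SIZE + 4 || size % 4 != 0) return -1;
    wr32(img + OFF_SIZE, size);
    wr32(img + OFF_CHECKSUM, 0);
    wr32(img + OFF_CHECKSUM, xor32(img, size));
    return 0;
}
int main(void) {
    uint8_t img[64];                /* constructed sample image, not real firmware */
    memset(img, 0xA5, sizeof img);
    wr32(img, 0x20005000u);         /* initial stack pointer inside SRAM */
    if (image_seal(img, sizeof img) != 0) return 1;
    return image_check(img, sizeof img); /* 0 = image accepted */
}
```

An XOR over the image only detects accidental corruption or a truncated write; anyone who can write flash can recompute the word at 0x1C, so it does not authenticate the firmware.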

Config flags

  • ENABLE_DFU_UPLOAD: Enables DFU upload commands, that is, enables reading flash memory (only within the user app boundaries) via DFU.
  • ENABLE_SAFEWRITE: Ensures the user flash is completely erased before any DFU write/erase command is executed, to ensure no payloads are written that could lead to user data exfiltration.
  • ENABLE_CHECKSUM: Forces the user app image to have a valid checksum to boot it. On failure it will fall back to DFU mode.
  • ENABLE_WRITEPROT: Protects the first 4KB of flash against writes. Essentially prevents any user app from overwriting the bootloader area.
  • ENABLE_PROTECTIONS: Disables JTAG at startup before jumping to user code and also ensures RDP protection is enabled before booting. It will update option bytes if that is not met and force a reset (should only happen the first time, after that RDP is enabled and can only be disabled via JTAG). This also protects the bootloader (first 4KB) like ENABLE_WRITEPROT does, making these two options incompatible.
  • ENABLE_GPIO_DFU_BOOT: Enables DFU mode on pulling up a certain GPIO. You need to define GPIO_DFU_BOOT_PORT and GPIO_DFU_BOOT_PIN to either GPIOA, GPIOB, .. GPIOE and 0 .. 15 to indicate which port to enable and what pin to read from.
  • ENABLE_PINRST_DFU_BOOT: Enables DFU mode when a reset from the NRST pin occurs.

By default all flags are set except for DFU upload, so it's most secure.
