On STM32, “locking the MCU” usually means enabling Readout Protection (RDP) via Option Bytes so other people can’t read or reflash your firmware easily. You do this directly in STM32CubeProgrammer.
I’ll go step by step.
1. Important warnings before you lock it
RDP Level 1:
- Flash content cannot be read out via debug/programming tools.
- You can still erase and reprogram the chip, but any full erase will wipe your firmware.
- Debugging is restricted/blocked depending on family.
RDP Level 2 (if available):
- Permanently locks the device.
- Cannot be reversed. You cannot bring it back to Level 0 or 1.
- Usually no debug, no erase, no reprogram (depends on series, but in general: effectively fused).
Most of the time, you want RDP Level 1, not Level 2.
2. Connect STM32CubeProgrammer to your MCU
Open STM32CubeProgrammer on your PC.
In the top-right, select your interface:
ST-LINK, J-LINK, or UART, etc.
- Click Connect.
If it fails, check wiring (SWDIO, SWCLK, GND, VCC, NRST) and power.
Once connected, you should see device info and memory map.
3. Open the Option Bytes window
- In the left sidebar, click “OB” or “Option Bytes”.
On some versions: “OB” button near the top toolbar or in the “Device memory & option bytes” area.
- STM32CubeProgrammer will read the existing option bytes and show something like:
- RDP
- BOR Level
- nBOOT0 / nBOOT1
- Write protection (WRP)
- … and other series-specific bits.
We care about the RDP field.
4. Set Readout Protection (RDP) level
4.1 Check current RDP level
In the Option Bytes page, look for RDP:
- 0xAA → RDP Level 0 (no protection)
- 0xBB or other value depending on family → RDP Level 1 (protected)
- In some datasheets: Level 2 uses another special value (e.g. 0xCC); check your specific STM32 family reference manual.
STM32CubeProgrammer usually shows a dropdown:
- Level 0 – no readout protection
- Level 1 – readout protection enabled
- Level 2 – chip fully locked (irreversible)
4.2 Change to Level 1
- In the RDP dropdown, select Level 1.
- Double-check you did not select Level 2 by mistake.
- Click Apply or Program (button near the bottom or top of Option Bytes view).
- STM32CubeProgrammer will:
- Modify the RDP field in option bytes.
- Reset the MCU.
After reset, your MCU is readout protected.
5. Verify that the MCU is locked
After the reset:
- Click Read (memory) or try to dump Flash contents.
- On RDP Level 1, STM32CubeProgrammer should refuse to read Flash (or show all zeros/invalid).
- It should still allow:
- Erasing the chip (which erases your firmware).
- Programming new firmware.
To double check:
Go back to Option Bytes → RDP; it should show Level 1.
6. How to unlock later (back to Level 0)
Only for RDP Level 1. RDP Level 2 is permanent.
To revert to Level 0:
- Connect with STM32CubeProgrammer again (it should still connect, but not read Flash).
- Open Option Bytes.
- Change RDP from Level 1 → Level 0.
- Click Apply/Program.
Important:
Most STM32 families will mass erase Flash when you move from Level 1 back to Level 0. That means:
- Your existing firmware and data in Flash are wiped.
- You’ll need to reprogram your application afterwards.
7. Typical “secure production” flow
For a simple production setup:
Develop & debug with RDP Level 0.
When firmware is stable:
- Program the final firmware into devices.
- Use STM32CubeProgrammer script or manual operations to:
- Set RDP Level 1.
- Optionally set write protections (WRP) for critical regions.
- Verify:
- Attempting to read out via ST-LINK yields nothing.
- Device still runs your application normally.
8. Quick checklist
When you say “lock the MCU” using STM32CubeProgrammer, in practice you:
- Connect via ST-LINK (SWD).
- Open Option Bytes (OB).
- Change RDP to Level 1 (never Level 2 unless you really know what you’re doing).
- Click Apply/Program and let the MCU reset.
- Confirm:
- RDP shows Level 1.
- Flash cannot be read anymore via tools.
Top comments (0)