Author Topic: Dumping and reverse-engineering ST-Link v2/2-1 bootloader  (Read 51909 times)


Offline DWiskow

  • Newbie
  • Posts: 6
  • Country: gb
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #50 on: April 24, 2021, 12:09:04 am »
Would anybody be interested in a PCB that can turn an STM32 Maple Mini (readily available for under $5 from China) into an unencrypted ST-Link V2.1?

  • This exploits the processes explained in this thread (and my post above with links to the necessary files) to load an unencrypted bootloader onto the Maple Mini and then flash/update it with the latest ST-Link V2.1 firmware
  • The resulting ‘ST-Link 2.1’ equivalent device will have SWD flash and debug functionality, plus Serial Wire Viewer and Virtual COM Port (VCP) over USB, AND a Mass Storage Device (MSD) interface for simple ‘copy file to virtual USB drive’ flashing
« Last Edit: April 25, 2021, 10:17:59 pm by DWiskow »
 

Offline DavidAlfa

  • Super Contributor
  • ***
  • Posts: 6207
  • Country: es
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #51 on: April 24, 2021, 04:51:26 am »
Why? When you can do that with the $3 stlink mini
 

Offline DWiskow

  • Newbie
  • Posts: 6
  • Country: gb
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #52 on: April 25, 2021, 10:00:15 pm »
Why? When you can do that with the $3 stlink mini

A few reasons:
  • the resulting ST-LinkV2.1 incorporates a Virtual Com Port enabling UART input/output between computer and the target device (and also supports drag & drop programming of the target over virtual USB drive on windows/mac/linux)
  • an exercise in learning KiCAD for schematic/PCB design
  • I happen to have a few Maple Mini boards going spare, so $3.70 (unit price per PCB delivered in qty of 3 from OSHpark) to turn one into a ST-Link V2.1 seems quite reasonable
  • It is significantly less fiddly than cutting tracks and having to solder directly to the pins of an STM32F103 LQFP-48 package on a Chinese clone of an ST-Link V2
  • Not all Chinese clone ST-Link V2s incorporate the 128k flash STM32F103CBT6 required to flash the latest release of the V2.1 ST-Link firmware
  • All of the connections to the target device are properly labeled
  • I wanted to have an “unencrypted/unprotected” ST-Link that I could disassemble/debug over its own SWD interface

Finally, I thought others who already had an STM32F103CB based Maple Mini could benefit from sharing the PCB (easily and inexpensively purchased and shipped worldwide from OSHpark). The PCB(s) can be obtained here: https://oshpark.com/shared_projects/mtkoCb6c ($11.30 for 3, including shipping).
« Last Edit: April 26, 2021, 07:47:33 am by DWiskow »
 
The following users thanked this post: robca

Offline robca

  • Frequent Contributor
  • **
  • Posts: 257
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #53 on: April 25, 2021, 11:40:36 pm »
Nice job, @DWiskow

Just to provide more options, I recently bought an STLINK-V3MINI (roughly $10 from Mouser/Digikey). Got a 14 pin header at the same time (one of these, depending where you order from: https://www.mouser.com/_/?Keyword=20021311-00014T4LF&bws=1 https://www.digikey.com/en/products/detail/20021311-00014T4LF/609-3756-ND/2209089) and a $2.25 PCB adapter I designed from OSHPark. Actually the $2.35 are for 3 adapters :) (shared here: https://oshpark.com/shared_projects/zOLm9ezB). The STDC14 cable is not a standard yet and it is pretty hard to find adapters at the moment. That's why I hacked together an adapter that uses standard 2.54 headers.

The header I got is not keyed, but it's easy enough to insert it correctly (the "USB ->" points towards the USB). For around $15 you can get a much better STLink 3, with VCP, drag and drop and much faster than the older devices. Also guaranteed to work in the future.

Definitely the hacked solutions are cheaper, but the STLink V3Mini is not much more and a really nice/small device.
« Last Edit: April 25, 2021, 11:42:37 pm by robca »
 

Offline DWiskow

  • Newbie
  • Posts: 6
  • Country: gb
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #54 on: April 26, 2021, 08:00:17 am »
@robca, I created an almost identical board for the ST-Link V3mini I have . . . I found that you can ‘key’ the female connector by supergluing a small piece of black plastic to the connector :)

[I do this with the 10 pin connector on ST-Link V2 Chinese clones too]
« Last Edit: April 27, 2021, 10:47:47 am by DWiskow »
 
The following users thanked this post: robca

Offline peter-h

  • Super Contributor
  • ***
  • Posts: 4045
  • Country: gb
  • Doing electronics since the 1960s...
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #55 on: May 01, 2021, 07:18:21 am »
May I ask a stupid question:

Why does anybody bother reverse engineering the STLINK when you can buy the latest 24MHz one (V3) for about 30 quid?
 

Offline robca

  • Frequent Contributor
  • **
  • Posts: 257
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #56 on: May 01, 2021, 04:58:08 pm »
May I ask a stupid question:

Why does anybody bother reverse engineering the STLINK when you can buy the latest 24MHz one (V3) for about 30 quid?
For a variety of reasons:

  • To learn by using something a person already has (Blue Pill, Maple or a clone)
  • Because a V2 clone can be flashed into a J-Link, much more powerful than even the STLink V3
  • Because the price of an STLink V3 depends on where you live, and in some places price+shipping is 10x the cost of a clone
  • Because for most debugging purposes, especially on a low end processor (STMF1-F4), the speed of the debugging probe is irrelevant
  • Because until recently, the V3 was not available, and a V2 clone was by far the best way to get started
  • Because, apart from the VCP (which you can anyway simulate using a separate FTDI USB Serial), the V3 doesn't offer anything more than a V2

A V3Mini is even cheaper, but once again only recently became available. These days I would probably recommend a V3 over any V2 clone.

For someone developing professionally, clearly the hacked V2 clone was never a good option. But for a hobbyist who was not sure about STM32 development, the V2 clone and a Blue Pill was the cheapest way to get into STM32 coding, for around $5 all included.
 

Offline deesh94

  • Newbie
  • Posts: 1
  • Country: de
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #57 on: August 29, 2024, 08:19:55 am »
Hi, I am a newbie.

I managed to modify a Blue Pill that I had into an ST-Link v2 (JTAG+SWIM) with the instructions given.
But my target MCU is an STM8S. Could you also provide a connection list for a target STM8S, where I have only SWIM on pin PD1 for flashing/debugging?

TIA.
 

Offline maelgrum

  • Newbie
  • Posts: 3
  • Country: ru
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #58 on: September 20, 2024, 06:10:15 pm »
Greetings, lujji!
I just finished writing a utility that does the injection attack on STLINK firmware on-the-fly, in RAM. This utility installs a small 'USB custom HID' server in STLINK memory, which can execute various external commands.
The attack is done this way: using the standard DFU protocol of STLINK, download a specially prepared (and AES encrypted) packet into SRAM, overwriting the stack and redirecting execution flow. Then run a tiny USB custom HID server in STLINK RAM.
So, all flash memory of STLINK can be dumped without writing anything to STLINK flash. And I did this with all my STLINK V2.0 probes and NUCLEO V2.1 boards )))))))))
 
The following users thanked this post: eliocor

Offline maelgrum

  • Newbie
  • Posts: 3
  • Country: ru
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #59 on: September 20, 2024, 06:42:42 pm »
 
The following users thanked this post: eliocor

Online coromonadalix

  • Super Contributor
  • ***
  • Posts: 6520
  • Country: ca
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #60 on: September 20, 2024, 09:13:53 pm »
noob question

Is it possible on actual Nucleo xxx boards, when we snip out the ST-Link board, to re-write their IDs?

When connected they declare themselves like the Nucleo board models they came from, which is confusing.

I had to use an ST-Link V3 mini to get rid of this confusion ... but it does not work the same as the V2/V2.1 in Windows Device Manager, it is not a VCP device.
 

Offline maelgrum

  • Newbie
  • Posts: 3
  • Country: ru
Re: Dumping and reverse-engineering ST-Link v2/2-1 bootloader
« Reply #61 on: September 20, 2024, 10:35:41 pm »
Try:
java -jar STLinkUpgrade.jar -volume NEW-NAME -force_prog
(STLinkUpgrade.jar is from STSW-LINK007)
 
