As of August 2020 the site you are on ( is deprecated, and content is now at


From ChipWhisperer Wiki
Revision as of 09:05, 29 November 2018 by Hakonp (Talk | contribs)

Jump to: navigation, search
Target Device ST STM32F
Target Architecture Cortex M7, H7
Hardware Crypto Possible
Design Files GITHub Link
Status Beta


Supported Devices

The STM32X7 board supports several STM32X7 devices in the UFBGA-176 package. The devices have the same pinout. Various header jumpers can be set different positions to select appropriate power supply for the different power dominans of the device, and different measurements points. The devices in the following table shows two compatible devices:

STM32X7 Series Package Device Hardware AES TRNG Tested Process node Flash SRAM OTP
F7 UFBGA-176 STM32F746IEK6 No Yes Yes 90 nm 1MB 320KB 1KB
H7 UFBGA-176 STM32H743IIK6 No Yes Yes 40 nm 1MB 320KB 1KB

There are other flavors of the devices with the same pinout, which makes them compatible with this target board. E.g.

Power supply

The device must be supplied 3v3, since the device's I/O logic uses 3v3. The logic core uses 1v2.

Internal regulators

The device contains an internal regulator regulating the input voltage down to 1v2. This can however be bypassed by supplying a slightly higher voltage to the target board's 1v2 pin.

Measuring power consumption =

The target board contains headers which lets the hacker select where to measure. It is possible to select to measure power on the 3v3 input and the 1v2 input/decoupling.

Hardware AES

The STM32F21x, and STM32F41x/43x have hardware crypto modules (AES, DES, TDES) along with hardware hash (SHA1, MD5). Hardware crypto for the STM32F4 has been integrated into the Hal build system on the develop branch. To use the hardware crypto, call HW_AES128_Init() at the beginning of your program. You can update the key with HW_AES128_LoadKey(), encrypt plaintext with HW_AES128_Enc(), and decrypt data with HW_AES128_Dec().

CAN Connection

A 6-pin header is present for devices which have CAN hardware support (not all devices have this). A CANoodler can be plugged in to provide the physical transceiver. This header is not normally mounted, unless the board is part of an 'automotive bundle'. The header is left unmounted as it can impede sweeping a probe over the surface of the chip.

Programming Connection

ChipWhisperer Programmer via Bootloader

See further down this wiki page for details.

JTAG Programmer

The 20-pin JTAG port (J6 on CW308 Board) can be used with the ST-LINK/V2 which is a low-cost JTAG programmer.

It is also possible to use other JTAG programmers such as OpenOCD. The following command worked with an Olimex OpenOCD programmer and their OpenOCD for Windows software:

  -f path/to/board/files/cw308.cfg 
  -c init 
  -c targets 
  -c "halt" 
  -c "flash write_image erase path/to/firmware.hex"       
  -c "verify_image path/to/firmware.hex"        
  -c "reset run" 
  -c shutdown

where the contents of cw308.cfg are

source [find interface/olimex-arm-usb-ocd-h.cfg]
source [find target/stm32f4x.cfg]
reset_config srst_only

Example Projects

SimpleSerial builds for each of the STM32Fx Devices. Each device is a separate HAL. These HAL modules have been copied from ST's HAL (not the CUBE) and greatly reduced in size by deleting unused files (such as headers for unused devices), and combining several C-source files into a single low-level C-file.

Building ST Example on Command Line

The regular firmware build process works with the STM32 devices. For example, to build `simpleserial-aes`, navigate to the folder `chipwhisperer\hardware\victims\firmware\simpleserial-aes` and run the following command on the command line:


If all goes well, this command will finish by printing the output file size and the platform:


Programming via ChipWhisperer Bootloader

These instructions have been updated for ChipWhisperer 5. If you're using and earlier version, see

The STM32Fx devices have a built-in bootloader, and the ChipWhisperer software as of 3.5.2 includes support for this bootloader.

Important notes before we begin:

  • You MUST setup a clock and the serial lines for the chip. This is easily done by connecting to the scope and target, then running default_setup():
import chipwhisperer as cw
scope = cw.scope
target =
  • On the STM32F1, you MUST adjust the clock frequency to 8MHz. The bootloader does not work with our usual 7.37 MHz clock frequency. This 8MHz frequency does not apply to the code that you're running on the device. Once you're done programming, you'll need to set the frequency back to F_CPU (likely 7.37MHz) For example:
scope.clock.clkgen_freq = 8E6
#program target...
scope.clock.clkgen_freq = 7.37E6
#reset and run as usual

To access the bootloader you can perform these steps. They vary based on if you have a "Rev 02" board or a "Rev 03 or Later" board. The revision number is printed on the bottom side as part of the PCB part number (STM32F-03 is Rev -03 for example).

Rev -03 or Later

Run the following python code once you have the scope and target set up:

prog = cw.programmers.STM32FProgrammer
cw.program_target(scope, prog, "<path to fw hex file>")

If you get errors during the programming process:

  • Retry the programming process with a lower baud rate:
prog = cw.programmers.STM32FProgrammer
cw.program_target(scope, prog, "<path to fw hex file>", baud=38400)
  • If using a CW308 based STM, try mounting a jumper between the "SH-" and "SH+" pins at J16 (to the left of the SMA connector) on the UFO board. Retry programming with the jumper mounted.

Rev -02 Boards

The Rev -02 boards did not have all programming connections present. They require some additional steps:

  1. Setup the device as usual:
    scope = cw.scope()
    target =
  2. Mount a jumper between the H1 and PDIC pins (again this is ONLY for the -02 rev).
    STMF32F-02 programmer jumper.jpg
  3. Reset the ARM device either by pressing the reset button (newer UFO boards only), or by toggling power:
    import time = False
    time.sleep(1) = True
  4. Program the device:
    prog = cw.programmers.STM32FProgrammer
    cw.program_target(scope, prog, "<path to fw hex file>")
  5. The device should program, it may take a moment to fully program/verify on larger devices.
  6. Remove the jumper between the H1/H2 pins.
  7. Reset the ARM device either by pressing the reset button (newer UFO boards only), or by toggling power:
    import time = False
    time.sleep(1) = True

Running ST Example with ST-Link

If instead of using the bootloader, you want to use a ST-Link you can instead plug your programmer into the 20 pin JTAG connector (J6 on the UFO board):


Then, the details of this step will depend on your programmer. If you're using an ST-Link programmer, open the ST-Link utility and connect to the device:


Load your `.hex` file and program the device with the Program and Verify button:


After this, you're ready to go - you can use the ChipWhisperer terminal to talk to your target. You might need to reset the target before you do anything else.

Building and Debugging via ST's System Workbench

It's also possible to work on the example projects using ST's System Workbench IDE. This IDE also supports debugging, which is helpful for working out all the kinks in your firmware.

To build the ChipWhisperer examples in System Workbench:

1. Create a new Mcu project by going to File > New > C Project and selecting 'Ac6 STM32 MCU Project'. When you get to Target Configuration, click the Mcu tab and select the microcontroller that you want to target:

STM32 New Project.PNG

STM32 MCU-Selection.PNG

2. Link the external files into the project. To do this, under File > Import, select File System. In the `chipwhisperer\hardware\victims\firmware` directory, select all of the relevant files and folders (Makefile in base folder, Makefile in HAL folder, STM32Fx HAL folder).:

STM32 Import.PNG

3. Set up the build command. In File > Properties, go to C/C++ Build > Behavior and remove 'all' from 'Build' and deselect 'Enable parallel build'. Next, click the Builder Settings tab and deselect 'Use default build command' and 'Generate Makefiles Automatically'. Enter the command you would normally enter on the command line and change 'Build directory' to the folder you want to build in:

STM32 Behaviour.PNG

STM32 Build-Settings.PNG

4. Build the project and confirm that the build works from the output in the IDE console.

Then, if you want to set up debugging:

1. Go to in File > Properties select Run/Debug Settings and create a new debug configuration. Under Debugger, click 'Show generator options...' and setup your Connection Setup based on your debugger. Change 'Reset Mode' to 'Software System reset':

STM32 Debugging.PNG

2. Click Apply and enter debugging mode.

Caveat: the I/O register map in the debugger appears to use the last known device (ie: if you debugged an STM32F4 project before your Makefile project, it sticks with F4's registers). Check that the registers' addresses are correct before you trust them!


The following variants are possible, see the table above for SRAM/FLASH/HW-Crypto status:

Variant U1 R3 (VCC-Shunt) R4 (Clock)
F0 STM32F071RBT6  33-ohm 120-ohm
F1 STM32F100RBT6 22-ohm 51-ohm
F2HWC STM32F215RET6 10-ohm 51-ohm
F3 STM32F303RCT7 12-ohm 51-ohm
F4 STM32F405RGT6 10-ohm 51-ohm
F4HWC STM32F415RGT6 10-ohm 51-ohm

Rev -03 Schematic

The current revision of the target is -03. The following shows this schematic:

CW308T STM32F 03.png

Rev -02 Schematic

The original board sold was the -02 revision. The revision is part of the part number, for example these boards will be marked STM32F-02. The -02 revision also does not have the CAN connector: Cw308 stm32f.jpg

CW308T STM32F 02.png