Recently while browsing Xianyu (闲鱼) looking for BYK-series chips (Sinowealth 8051 MCUs) for another project I'm working on, I stumbled across something peculiar: a device claiming to bypass STM32 RDP1 (Read-Out Protection Level 1) on F0, F1, F2 and F4 series chips. As it turns out, there's a whole market for these if you search for "STM32解密" (STM32 decryption). a picture from one of the many STM32 decryptor listings on Xianyu
At about 150 yuan, roughly 19 EUR plus shipping and forwarding on top, I decided to bite the bullet and just buy one to see if it actually works.
What arrived§
The package contained a blue USB dongle (the programmer), two green adapter PCBs, a row of double and a row of single 2.54mm pin headers and a couple of 10K resistors. everything that came in the package
The adapter boards have footprints for the various packages of F0, F1 and F2/F4 chips, along with pads for decoupling capacitors on the necessary VCAP pins and a resistor pulling BOOT1 down. I had to supply the 0.1uF caps for the VCAP pads myself.
Testing with an STM32F205RBT6§
I had an STM32F205RBT6 lying around, so I desoldered it and placed it on the adapter board. STM32F205RBT6 soldered onto the adapter board and plugged into the dongle
The device comes with a Windows utility. Before I could even get it running, I had to deal with a couple of hurdles. First, the software immediately triggers Windows Defender, probably for good reason. Since I was running this in a throwaway VM anyway, I just turned it off. Second, the application wouldn't launch until I changed the system encoding for non-Unicode programs to Chinese Simplified in the Windows 11 regional settings ( Settings > Time & language > Language & region > Language for non-Unicode programs > Chinese (Simplified, Mainland China) ).
The instructions that came with the device recommended using freeze spray on the chip during the read process. I was ready for that, but it turned out to be unnecessary in my case. It read just fine at room temperature. the host Windows application showing a successful flash readout. The failed validation message at the bottom is probably related to the overshoot and can be ignored.
One quirk: the software would always overshoot when reading. A STM32F205RB has 128KB of flash, but the tool would happily read past that boundary, padding everything beyond it with 0xFF . The actual flash contents within the valid 128KB region were correct though, so it's easy enough to just trim the output to the right size.
... continue reading