 Welcome to the hands-on about PC-ROP. For this hands-on, we will try to hide a call to the latest linking API in a PC-ROP region. The different steps to achieve this, we will create a C file with the code we want to protect. Here it's a simple call to the AsserHL GPIO toggle pin. Then we will modify the linker script to ensure that we put all this code in a specific region of the flash. Then we will modify the compilation option to ensure that in this portion of code we only have execute on no-data access. Step after, activate the PC-ROP. We will do this thanks STM32Q programmer. Then we will check the protection with connection with Q programmer for example. And then we will remove the PC-ROP with STM32Q programmer. And that's it. So I propose now we switch to Q video. So the first step will be to create a project for this NL476ergy. Okay, I create a new STM32 project in the board selector. 476, I want a NL1, PC-ROP, LED. By default, I initialize the peripheral. So we've got our pinout by default. What interests us? Either LED that we will use. Nothing else, frankly speaking, except the type of gig link. Now let's create the code we want to protect. So I will create a new source file. Let's call it LEDblinking.c With a G, it will be better. Finish. Then we will put here what we want to protect. So first I need to include the main.h with some definition on access to the HL. I will put also a variable. So you remember PC-ROP only protect, yeah, execute only region. So any data that I will put here will be in the SRAM or somewhere else, but not in the flash. So it won't be protected. So let's define our secret LEDblinking function. No arguments. What we will do here? We increment one counter. And after, I will do. Okay, if you don't remember what is the name of HL, or you want to do some completion with the STM32Q video, you can press control space. Then you can have the toggle pin. Exactly the same here. I remember it was led to, but not sure about syntax. This one will be the correct one. Space and the pin. Okay, so here we write what we want to protect. It will be this code. Or I will say this one on this code. Because this one is outside of the region that we will protect. But just a tiny one. So I have it. Now I just need to call this function from my main. So if I go in the main.c, I've got the main. Here the wild one loop. And I will just add the code to my secret LEDblinking. Put some HL LED. Okay. So I think the code is okay now. The next step was to modify the linker script we are using to put the execute code that is here at a specific location. But sorry, before modifying the script, what I want to do is to modify the compiler option for this file. Here properties. So it's already configured. But I would say it should be in resources, CC build settings. Then you've got optimization. Here you need to select this option. Assumes loading data from a flash is slower than fetching instruction. That's true. This wording is not really in line with what the purpose of this. But you have to do this. Apply and close. As you can see there is something modified here for this one. So now I modify the linker script. So for the linker script, first I have to declare a new region. And it will be the region that we will protect it. Let's call it PCROP for example. But you can call it as you want. It was the execute only region. Then, okay, we will locate it at... What could I do? Okay. 16k here. And here for the region, okay. Sorry. Okay, let's do it that way, for example. And define a length of 16k should be enough. Okay, so now we've got the region where we can put the code we want to protect. So to do that here, we will define a new section. So it's the PCROP. PCROP region. So first we should align it as it's done here. Oh, sorry. I just copy and paste. Little lady with such kind of syntax. Then what I want to put there is everything which is coming from the linker. Okay, I want to put here only the execute code. That's mean to text. Sorry. Let blanking, okay. So it should be exactly the same name because it's an object file that is corresponding to this one. And then I choose alignment also after to ensure everything is fine. I close this. And then I will put all this stuff in the PCROP region. So exactly this name. Okay. So here I really do the basics just to put all the execute code at this location. Okay, let's check this. So remember the PCROP region start is 8800. Let's compile. Okay, just a warning because I don't create either file associated. But it's just a warning. I propose to debug this stuff by default. It should be okay. We connect. Download successful. Now we can start debugging. So first things, let's see if it's functional or not. I run the code. If we check on the board, that is blanking. Now I propose to put a breakpoint just on the lead blinking function. So it was on the lead blinking. See if I put a breakpoint here. So it stopped and you can see the location of the code. So we are in my future PCROP region. So perfect. Everything is ready. We can activate the PCROP protection. So I propose we stop this debugging. We will use the STM32Q programmer to activate this and thanks the option byte. Okay. So here the debugging link is closed. I propose we launch Q programmer. So it's still blinking. Now I see my number. If I connect, it will stop blinking because the code is out. And I can check the option byte. So here you've got the different option bytes. We're interested in the PCROP protection on the bank one. Because here we have only one bank activated or single bank configuration. And now let's define our region. So we want to say 8 and 8,000. So here we just have to put 1000. And we just put it one until this one. Okay. So here it will be protected. So on that say we can't access anymore. Okay. I forget nothing. Let's apply it. As you can see on the play, the lens seems not blinking anymore. If I reset it, it started. Okay. So now we have activated the protection. And I propose that we connect again with the Q programmer and try to dump. So I was with the code. So if I disconnect, if I reconnect, I could see the memory here. So we can still see the beginning of the application. So what is not secure. And let's check if we can see the code at this location now. As you can see, you only see the same pattern. So you don't see any code anymore. Okay. We have seen when we break before with QBDE that at this location we were able to see the code. Okay. So what we can do, we can also try to connect with QBDE without flashing. So if I disconnect this one, come back to my QBDE. Now I want to debug my main program. I've got the region PCROP. So I can flash this region. I can modify it for the moment. So what I will do, I will modify the debugging configuration. So here I will do it. Debugging configuration for my PCROP at the startup. As you can see, I download and I load the temple. So what I will do, I will prevent the download because it's already flashed. Okay. And apply. And now if I launch the debug. So it was working. If I remove, I want to remove this break point first. I launch. And if I check my targets, ledges blinking. Fine. Now let's put a break point here. Stop. You can see this code is protected from. So it's possible to stop here. In fact, we stop at one address because we just reached this address. But if you look at the disassembly code, move A0. And in fact, this one is just a pattern you've seen together. It's not really the instructions that are executed because if you try to execute this, it's not at all a toggle pin or a code to the toggle pin. It's really just this strange pattern, which is an assembly here. Okay. So our protection is effective. So now go with protected this circuit led blinking. Fine. So the protection is active. Now let's learn how to remove this protection. And to do this, it will be thanks option bite. I first close the debugging. Terminate and removed. Okay. And I come back with my Q programmer. So here, I connect again. As you can see, we have all the code here, the code protected. And let's go back in the option bite. First, there is this PC Rope RDP. If I do a regression of RDP without this one set, the PC Rope region will be kept. The rest of the flash will be erased, but not the PC Rope. Here, we want to remove the PC Rope. So I will select it and I will activate this flag. Okay. Now I need to do a readout protection transition from the RDP level 1 to RDP level 0. But I'm in RDP level 0. So first I have to switch to RDP level 1. Doing this, that's me. As soon as you have a debugging access to the target, the flash is locked. So your code is not running with debugging. But here it's not the purpose. This will be seen in the readout chapter. So now I do a new transition to RDP level 0. Doing this, there will be a mass eras of the flash and also it will remove the PC Rope region. So it takes a while because it's eras of the flash. You can see that the option bite of the PC Rope has been reset. And if I look in the flash content, everything has been erased. If I check also the protected region, everything has been erased. So now you can go on with your board. I think we have seen what I want to show you in this hands-on. And I hope this clarifies for you the usage of PC Rope. Please have a look in the application note I put in reference in the theory before. And you've got all the details about Lingerscript because it's not an easy topic frankly speaking.