 I propose you another secure memory hands-on. This time, we will activate or lock the secure memory thanks to bookloader services. So this is, I would say, the right way to do it in a secure way. I hope you have understand this from the theory part before. So we will create a relocated standalone tumbling load binary that we will put in a location and it will be our unsecured binary. Then we will create the main binary which is located in the secure memory that will close the secure memory on load the tumbling load binary that is in the non-secure part. Thanks to system bookloader services. The different steps to achieve this. First we need to have a binary with blanking led with vector table relocation. So it's important because when you close the secure memory, the base of the flash is not accessible anymore. So if you forget to relocate the vector table of your binary, it won't work. I choose this address for the non-secure parts. Then we will modify or we will implement the code of the RSS services. So here I put you the information because it's a little bit tricky for my point of view and not well documented today. So for the g0.071, I found this information mainly in the sbsfu package you can find on our site. It should be available in the reference manual also. So I will just give you some explanation at this point. In fact, to call these services, you need to have in the register 0 the vector table of these services and how to find this. We've got the address of these services and it will be a pointer or the address that is located at this address plus four. Then in this register one, we should have the magic number, this one. And then in the register two, the application where we would like to jump just after closing the memory. So I will do this. I create a tip of pointer function with three arguments. Then it was my jump to application. It's what I will call. Then I will compute my jump address. And my jump address, as I said before, is just address pointed by this address plus four. So I take superxqt plus four, I take the content and I've got my jump address. Then I initialize my pointer of function to this address. I jump it with the three arguments to ensure that in L0, I've got the jump address, the magic number in error one and the application in error two. Not easy, but once you have done it, you will see it works. This tip after will be to configure this exercise as before. And then you can check the status after pushing the button. If I remember, I don't know if I push a button here, but okay, it's not so important. I think you've got the step in mind now. So let's switch to QBD. So for the first step, we will create this lead blinking application that will be relocated at the end of the flash. So it will be put at the end of the flash and it will be considered as our unsecure application firmware. Okay, let's start a new project. And the board selectors G0, 7G1, okay. Then this time, I won't initialize all the peripherals because I just need the lead and I've got really tiny space 8k to put my binary. So not this time. Thank you. I need to configure my lead pin, which is P5. So this could be fine in the documentation of the nuclear and we put this one as GPIO output. Nice. Let's save. We generate the code. Then let's write the toggling of the lead now. So my men will just initialize GPIO in the white one. I will just toggle the lead. It's on the port A and the pin 5. Then we will add a hash ale delay. It's nearly down. What we should not forget, we need to relocate our vector table at the beginning of this code. If we don't do such kind of thing, when we will have an interrupt, it will jump to the base of the flash to execute the vector table, which was not what we want to do. So here we need to modify the SBC. We will put this one at the address where we want to put our binary. Sorry. 8, 0, 8, 0, 1, we can't. Yes. Okay. Here we have done the relocation of the vector table. That way we are sure that our vector table will be in our insecure part. Okay. Let me double check. No, I've missed 1, 0. 1, 2, okay. It's not it. Better that way, I think. Sorry about this. So we prepare our binary. We need now to relocate it. So for this, we will modify the location in the linker script. Let's just say that this flash, for it, it started at this location. Okay. Now the size is only 8k. So I think everything is in line. Let's build this. Sorry. SBC. So compilation is okay. So just to remind you for the relocation of the vector table, you need to do this at the beginning before any interrupt. Then here we just modify the origin of the flash in the linker script. We can test this application. It is okay. So now it's flash on our target. If I resume and show you the result, LED is blinking. Okay. If I reset the board, obviously it won't start again this program because it's located at the end of the flash and the nuclear will put at the beginning of the flash. So it was just to show you, we could check just the interruption where we are located when we've got an interrupt, for example. So if I go in the interrupt, let's put a break point in the timer as a SysTick one. When we stop, we can check the PC and here we are in the SysTick handler and we're really in the insecure part. So everything is fine. I propose we just close and terminate and remove this one. So this was the first step of this hands-on. We've got the LED blinking. We already flashed it. So now we'll create a second project where we will call this one thanks to bootloader services. Unlock the security at the same time. So I close this one for the moment. Project to close, close project. So create a new project. Okay, 32, selected, the board, the G0, 71, secure, finished. We can initialize by default. And this time, what I want to do is to have a push button. The idea is that when I push on the button that I jump to the LED blinking area. Okay, so it was pretty certain, which is already configured for the wake-up by default, but we can change this and say it's a GPIO input. Okay, that's all. So remember just to be fully clean here, we will change the linker file because we keep the last AK for, I would say, the insecure parts. So let's keep with 120K. And now let's code it. What do we want to do? So this could be a little bit tricky. And it's not well documented today, frankly speaking. It's why I decided to do it as hands-on. I find information in reference manual and cross-check with the SPSFU packages where you can find some example of such kind of code. So first, I will just copy and paste source defined value. I will explain the exam. When we want to jump to these services, we've got the address where these services are. Okay, then we've got a magic number that we will need to pass. And also we need to pass the address where we want to jump in finally. So this is really I would say the happy eye. And the way it was expated by these services is to have. In the register zero, you should have the services vector table address. And this one could be found by this address plus four is pointing to the address of the vector table. Okay, so I will show you how to compute these parameters. So in the register one, we need the magic number and the register two, you will need the application address when you want to jump to. So for us, it was the location of our little blinking and secure. So I try to find a syntax in C. You can code this in assembly code, but okay, see it's maybe more easier. So first, we will define a pointer on a function. So we do a type def. And then it was a function. And I want to have a type of pointer on function. Okay, this function will have three arguments, the three we've got here for the zero one. So 32 bit value. Okay. And now I will use this type def after pointer function. And I will call jump to application. So I'm declaring this pointer on function. Okay, then I will need to compute this famous vector table address. So here, I will call it jump address. In fact, it's on three points of this opinion or these services. Okay. So now we will compute just the jump address. The jump address will be this first argument. Then we will put the magic numbers and the application address. The jump address will be equal to what it would be this address plus four. And we're looking what is the value is pointed by this address also. I hope it's clear or when I will write it, you will better understand. So in my main loop, we are in the secure world. What I will do, I will test if we push a button. That way I can trigger I will say the jump outside the secure mem. So with the pin, it wasn't in C. So if this one called to zero, that's been that has been press. And now I will start it to play with my different value. So my jump address equal to what? So here I will need to cast because in fact, it was the pl exit sticky. Okay. Plus four, as I said, I want and I want the content of this. Okay. This is exactly what I would like. The problem will be some cast. So let's push some additional cast to ensure we don't have any issue to type. And it's a pointer. Okay. So now we can just initialize the function where we want to jump in to a jump to application. And in fact, this is a pointer function type. So I need also to cast the value and it will be jump to this address. I hope for you it's clear. And now I will call this function because it's a pointer function, but just call that way. And I will put the different arguments. So first in the zero, I want the vector table address or the entry point of the services. Then I would like my magic number, then my application. And that's it. It seems to be okay. So let's build this. Okay. I made some error. Okay. Sorry for the miss of this underscore type. So compilation is okay. Now let's try to experiment it. So we will flash it. So we remember here we will activate, but frankly speaking, we haven't activate the secure memory. So it should not work. But let's flash it at least. Okay. Specific here. So I'll launch. If I press the button, I'm stopped. Then I will call an application somewhere. And in fact, my little blinking, the problem is that the memory is not locked. I mean, I can still put a breakpoint here. Okay. I'm stuck in the other application, but I would say I can access it. We can just check it with Q programmer. If I take Q programmer, first I will disconnect. Sorry. So I terminate and remove. If I take Q programmer now, if I connect in onplug, so I can see my secure memory. No, my insecure pad, sorry. But if I go to this location, I can also read the code. So my secure memory haven't have not been, I would say removed. The next step is to modify the option byte. Okay. So here I will put two, three C. So now I really declare that the secure sex size is this one. And when I close it, I can't see anymore all the first part of the memory. Let's apply it. It was programmed successfully. First, let's say functional. So I just reset. If I push a button, my light is blinking. So I will jump in. I would say my insecure part. And now let's try to access the first part of the memory. So here, if I read the memory again, it's not possible. Okay. And if I just check here, I still can see I will take the insecure part of my memory. So this is a really example how to use this functionality in a secure way. In the meaning that you can't interrupt when you call these services, you can break in. So really interesting if you added the functionality, or if you deactivate the debugging link, or if you are using the boot lock, remember this, with really a lot of careful because you can break your device, but it's a really way to secure this first part of the secure execution for a secure boot.