We could have a winner for the $20,000 Raspberry Pi and Hextree RP2350 Hacking Challenge. Engineer Aedan Cullen went public with his Hacking the RP2350 presentation at the recent 38th Chaos Communication Congress (38C3), and a GitHub repo has now been published to accompany the video. Cullen studied the RP2350 in depth before going for a voltage-injection glitch attack on pin 53 of the RP2350 chip, which managed to enable the 'permanently disabled' RISC-V cores and their debug access port, allowing him to read the secret.
Raspberry Pi introduced the RP2350 via the Raspberry Pi Pico 2 as a successor to the RP2040, with added security features to appeal to commercial and industrial customers. To publicize the new microcontroller it teamed up with Hextree to devise the RP2350 Hacking Challenge, announced at DEF CON in August. The challenge concluded on 31 Dec 2024, but we must wait until January 14 for the official winner announcement. Cullen gave his presentation at 38C3 on Dec 27 and also shared a GitHub repo with an outline of his hacking process and Python code. However, we don't know whether Cullen is the winner, so this may not be the $20K-winning hack method.
Specifically, the RP2350 comes with a quartet of new security features that Raspberry Pi was keen to highlight: Secure Boot, TrustZone, the Redundancy Coprocessor (RCP), and Glitch Detectors. The setters of the challenge hid a secret on one of these 'fully secured' chips, which would be supplied to hackers who applied, and the first demonstrable success story would get $20,000 and the kudos of being the winner of the challenge. Attacks using hardware and/or software means were permitted by the competition rules, so it was virtually an anything-goes scenario.
Raspberry Pi and Hextree hid the secret in the RP2350's OTP (One Time Programmable) memory on the chip, said to be a once-set but never-forgotten binary code. Picotool was used to write the covert code to the OTP. Then the RP2350's OTP memory was locked behind the Page Locks hardware security feature, set to the 'inaccessible' state ('13:12' as per the table above). Firmware was also signed, with Secure Boot enabled, and the chip's debug feature was disabled so prying eyes couldn't get to the secret via the Serial Wire Debug (SWD) interface. Furthermore, all other boot keys were disabled, and the RP2350 Glitch Detector was turned on and set to its highest sensitivity. It certainly sounds like it was locked down.
Cullen says he started his hacking process by studying the RP2350 datasheet and the dependencies outlined in the documentation. He then drilled down into how the RP2350 boots and establishes its security settings, with particular attention to the OTP.
Cullen's first thought was that if you could get the OTP to misread its critical bit settings, you could get the chip to run in a non-secure way. Cullen even X-rayed the RP2350 as part of his investigations and annotated the chip blocks. However, he stresses that this was just a pursuit of curiosity and not really instrumental to beating the challenge.
Research led Cullen to focus on pin 53, labeled USB_OTP_VDD, as it is associated with the OTP (and USB) functions. Perhaps a hacker could "mess with this power supply externally" to affect those functions, he reasoned. So he removed the chip and isolated pin 53 (physically cutting the PCB trace) so it could be electrically manipulated separately on the reassembled board.
With this hardware-modified setup, Cullen probed pin 53 to "inject whatever voltages I want" and checked what happened. An unprotected RP2350 board was kept on hand for side-by-side comparisons. Once the hardware was set up he observed what normally happens when a secured and a non-secured RP2350 start up, according to the probe readout on an oscilloscope.
Sixteen groups of spikes were seen, corresponding to 16 initial OTP reads on startup. Cullen then tried injecting power glitches into pin 53 at certain points in the boot process. Disappointingly, debug remained locked down. Next, a Python script was used to sweep the position of the glitch across the entire 600-microsecond range of OTP reads during startup. Debug functionality was checked after each attempt but never became accessible. So Cullen looked at the unlocked RP2350 board again, with debugging enabled, for clues.
Then something interesting was observed: the RISC-V cores showed up as a result of the glitch on the unsecured RP2350. Cullen then used another script to check where the RISC-V debug access port appears. This technique could also be triggered on the secured RP2350, and a debugger could now be connected to the secured RP2350 and the secret read from the OTP!
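As an added illustration of the sweep-and-probe loop described above (this is not Cullen's script or anything from his repo), the Python below models the search: fire a glitch at an offset into the startup OTP-read span, check whether a debug port has appeared, tally the outcome over repeated trials, then refine around any hit. The board, glitcher and debugger are replaced by a constructed `SimulatedTarget`; its even read spacing, sensitive window, hit rate and hang rate are assumptions chosen only so the harness runs offline, not measured RP2350 behaviour.

```python
"""Glitch-offset sweep harness (added illustration, not Cullen's code).

The article gives only the shape of the search: roughly 600 us of OTP reads
at startup, 16 read bursts, a glitch fired at a chosen offset, then a check
for whether a debug port has appeared. Everything that fills in that shape
below (read spacing, the simulated target's sensitive window, the hit and
hang probabilities) is an assumption made so the harness runs offline.
"""
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OTP_READ_WINDOW_US = 600.0                                # from the article
OTP_READS_AT_BOOT = 16                                    # from the article
READ_SPACING_US = OTP_READ_WINDOW_US / OTP_READS_AT_BOOT  # 37.5 us, assumed even spacing

Outcome = str  # "riscv_dap" (debug port visible), "locked" (still secure), "hang"
Probe = Callable[[float], Outcome]


@dataclass
class SimulatedTarget:
    """Constructed stand-in for board + glitcher + debugger.

    A glitch landing inside one narrow window of one specific OTP read exposes
    the RISC-V DAP with some probability; anything else leaves the chip locked
    or occasionally hangs it (glitch detector trip / reset). All parameters
    here are assumptions, not measured RP2350 behaviour.
    """
    vulnerable_read: int                 # index of the sensitive read (assumed)
    window_us: Tuple[float, float]       # working offsets within that read (assumed)
    hit_probability: float = 1.0         # glitching is probabilistic
    hang_probability: float = 0.05
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def glitch_and_probe(self, offset_us: float) -> Outcome:
        read_idx = int(offset_us // READ_SPACING_US)
        intra = offset_us - read_idx * READ_SPACING_US
        lo, hi = self.window_us
        if read_idx == self.vulnerable_read and lo <= intra <= hi:
            if self.rng.random() < self.hit_probability:
                return "riscv_dap"
        if self.rng.random() < self.hang_probability:
            return "hang"
        return "locked"


def sweep(probe: Probe, start_us: float, stop_us: float,
          step_us: float, trials: int) -> Dict[float, Dict[Outcome, int]]:
    """Fire `trials` glitches at every offset in [start, stop] and tally outcomes."""
    results: Dict[float, Dict[Outcome, int]] = {}
    offset = start_us
    while offset <= stop_us:
        tally = {"riscv_dap": 0, "locked": 0, "hang": 0}
        for _ in range(trials):
            tally[probe(offset)] += 1
        results[round(offset, 3)] = tally
        offset += step_us
    return results


def hit_offsets(results: Dict[float, Dict[Outcome, int]],
                outcome: Outcome = "riscv_dap") -> List[float]:
    """Offsets at which the wanted outcome was seen at least once."""
    return sorted(o for o, t in results.items() if t[outcome] > 0)


def locate_window(probe: Probe, coarse_step_us: float = 5.0,
                  fine_step_us: float = 0.25, trials: int = 8
                  ) -> Optional[Tuple[float, float]]:
    """Coarse sweep over the whole OTP read span, then refine around any hit.

    Repeated trials per offset matter because single misses at a good offset
    are expected; the coarse step only has to be finer than the sensitive window.
    """
    coarse = sweep(probe, 0.0, OTP_READ_WINDOW_US, coarse_step_us, trials)
    hits = hit_offsets(coarse)
    if not hits:
        return None
    lo = max(0.0, hits[0] - coarse_step_us)
    hi = min(OTP_READ_WINDOW_US, hits[-1] + coarse_step_us)
    fine_hits = hit_offsets(sweep(probe, lo, hi, fine_step_us, trials * 2))
    return (fine_hits[0], fine_hits[-1]) if fine_hits else None


def which_read(offset_us: float) -> int:
    """Map an absolute offset back to the OTP read burst it falls in (0-based)."""
    return int(offset_us // READ_SPACING_US)


if __name__ == "__main__":
    target = SimulatedTarget(vulnerable_read=3, window_us=(10.0, 14.0), hit_probability=0.6)
    found = locate_window(target.glitch_and_probe)
    if found is None:
        print("no debug port observed anywhere in the sweep")
    else:
        print(f"RISC-V DAP appears for glitches at {found[0]}..{found[1]} us "
              f"(OTP read #{which_read(found[0])})")
```

Replacing `SimulatedTarget.glitch_and_probe` with a function that drives a real glitcher and then attempts a debugger connection is the only change needed to point the harness at hardware; the repeated trials per offset are what let a probabilistic glitch show up in the tally at all, and the refine pass is what turns a single coarse hit into a usable offset range.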
Secret gets busted
The 'permanently disabled' RISC-V cores were woken by the glitch to enable this access. Cullen explains that the odd underlying reason the glitch value 0x00030033 works is that it disables both the Arm and RISC-V cores, but the Arm disable has higher precedence, leaving RISC-V turned on. Importantly, the glitch successfully clears Debug_Disable.
For more information on the background to this hack, particularly bypassing the guard read mechanism, we suggest watching the video recorded during 38C3 (linked above). There is also an interesting Q&A at the end of the session; you may find attendees asking the same questions you would.
Cullen concluded his presentation with three pithy points:
- Human communication factors are huge. Sidense [the company behind the OTP NV memory tech used] knew how to do guards properly, and RPi missed out.
- "Permanent" is not a thing unless it involves chip destruction. There's some copper somewhere with every signal...
- Remember to glitch in the places they don't tell you.