It looks like the Raspberry Pi RP2350 Hacking Challenge may have been beaten — Hacker gains access to the OTP secret by glitching the RISC-V cores to enable debugging

RP2350 Hacking Challenge
(Image credit: Aedan Cullen)

We may have a winner for the $20,000 Raspberry Pi and Hextree RP2350 Hacking Challenge, but we won't officially find out who the winner is until January 14. Engineer Aedan Cullen went public with his Hacking the RP2350 presentation at the recent 38th Chaos Communication Congress (38C3), and there is a GitHub repo now published to accompany the video here. Cullen studied the RP2350 in detail before going for a voltage injection glitch attack on pin 53 of the RP2350 chip, which managed to turn on the 'permanently disabled' RISC-V cores and their debug access port, enabling him to read the secret.

Raspberry Pi introduced the RP2350 via the Raspberry Pi Pico 2 as a successor to the RP2040 – with added security features to appeal to commercial and industrial customers. To publicize the new microcontroller it teamed up with Hextree to devise the RP2350 Hacking Challenge, announced at DEF CON in August. This challenge concluded on 31 Dec 2024, but we must wait until January 14 for the official winner announcement. Cullen made his presentation at 38C3 on Dec 27 and also shared a GitHub repo with an outline of his hacking process and Python code. However, we don't know if Cullen is the winner, so this may not be the $20K winning hack method.

RP2350 Hacking Challenge

(Image credit: Aedan Cullen)

Specifically, the RP2350 comes with a quartet of new security features, that Raspberry Pi was keen to highlight. These are Secure Boot, TrustZone, Redundancy Coprocessor (RCP), and Glitch Detectors. The setters of the challenge hid a secret on one of these 'fully secured' chips, which would be supplied to hackers who applied, and the first demonstrable success story would get $20,000 and the kudos of being the winner of the challenge. Attacks using hardware and/or software means were permissible by the competition rules, so it was almost an anything-goes situation.

RP2350 Hacking Challenge

(Image credit: Aedan Cullen)

Raspberry Pi and Hextree would hide the secret in the RP2350's OTP (One Time Programmable) memory on the chip, said to be a once-set but never-forget binary code. Picotool was used to write the covert code to the OTP. Then the RP2350's OTP memory was locked behind the Page Locks hardware protection feature, set to an 'inaccessible' state '13:12' as per the table above. Firmware was also signed, with Secure Boot enabled, and they disabled the chip debug feature, so prying eyes couldn't get to the secret via a Serial Wire Debug (SWD) interface. Furthermore, all other bootkeys were disabled, the RP2350 Glitch Detector was turned on and then set to its highest sensitivity. It certainly sounds like it was locked down.

Cullen says he started his hacking process by studying the RP2350 data sheet and the dependencies outlined in the documentation. Then Cullen drilled down on how the RP2350 boots and establishes its security settings, with particular attention to the OTP.

Cullen's first idea was to get the OTP to misread its critical bit settings, you could get the chip to work in a non-secure way. Cullen even X-rayed the RP2350 as part of his investigations and annotated the chip blocks. However, he stresses that this was just a pursuit of interest and not really instrumental to beating the challenge.

Research compelled Cullen to focus on Pin 53, labeled USB-OTP_VDD, as it is connected to OTP (and USB) functions. Perhaps a hacker could "mess with this power supply externally" to affect these functions, he pondered. So he took off the chip and isolated Pin 53 (physically cutting PCB trace), so it was ready to be electrically tampered with separately on a reassembled board.

With this hardware-modified setup, Cullen probed Pin 53 to "inject whatever voltages I want" and checked what happened. An unprotected RP2350 board was kept on hand for side-by-side comparisons. Once the hardware was set up he watched what normally occurs when a secured and a non-secured RP2350 started up – according to the probe readout on an oscilloscope.

16 groups of spikes were seen, corresponding with 16 initial OTP reads on startup. Cullen then tested injecting power glitches to Pin 53 at certain points in the boot process. Disappointingly, the debug remained locked down. Next, a Python script was used to sweep the position of a glitch power input through the entire 600-microsecond range of OTP reads during startup. The debug functionality was checked but never became available. So Cullen looked at the unlocked RP2350 board again, with debugging enabled, for clues.

Then, something interesting was observed, as the RISC-V cores showed up via the glitch on the unsecured RP2350. Cullen then used another script to check where the RISC-V debug access port shows up. This technique could also be triggered on the secured RP2350 – and a debugger could now be connected to the secured RP2350 and the secret read from the OTP!

Secret gets busted

The 'permanently disabled' RISC-V cores had been woken by the glitch to enable this access. Cullen explains the odd underlying reason that the glitch 0x00030033 works is that it disables both Arm and RISC-V cores but, the Arm disable instruction has higher priority, leaving RISC-V turned on. Importantly the glitch successfully clears Debug_Disable.

For more information about the background to this hack, particularly bypassing the guard read mechanism, we advise watching the video recorded during the 38c3 (linked top). There's also an interesting Q&A at the end of the session. You might find attendees ask similar questions to those you may have.

Cullen concluded his presentation with three pithy points:

  • Human communication factors are huge. Sidense [the company behind OTP NV memory tech used] knew how to do guards properly, and RPi missed out.
  • “Permanent” is not a thing unless it involves chip destruction. There is some copper somewhere with each signal…
  • Remember to glitch in the places they don’t tell you.
TOPICS
Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

  • thisisaname
    With physical access all bets are off!
    Reply
  • bit_user
    thisisaname said:
    With physical access all bets are off!
    If it were easy, they wouldn't have offered a $20k reward.
    Reply
  • drajitsh
    the lesson is not to include vanity items in a secure envoirment. that increases the attack surface.
    That caused them to lose this challenge
    Reply
  • bit_user
    drajitsh said:
    the lesson is not to include vanity items in a secure envoirment. that increases the attack surface.
    That caused them to lose this challenge
    How is the OTP (One Time Programmable memory) a vanity feature?
    Reply
  • thisisaname
    bit_user said:
    If it were easy, they wouldn't have offered a $20k reward.
    Did not say it was going to be easy but with physical access it does become a lot easier.
    Reply
  • drajitsh
    bit_user said:
    How is the OTP (One Time Programmable memory) a vanity feature?
    I was talking about the "disabled" Risc V cores
    Reply