Tuesday, January 14, 2025

It looks like the Raspberry Pi RP2350 Hacking Challenge has been beaten

We may have a winner for the $20,000 Raspberry Pi and Hextree RP2350 Hacking Challenge, but we won’t officially find out who the winner is until January 14. Engineer Aedan Cullen went public with his ‘Hacking the RP2350’ presentation at the recent 38th Chaos Communication Congress (38C3), and a GitHub repo has now been published to accompany the video. Cullen studied the RP2350 in detail before going for a voltage injection glitch attack on pin 53 of the RP2350 chip, which managed to turn on the ‘permanently disabled’ RISC-V cores and their debug access port, enabling him to read the secret.

Raspberry Pi introduced the RP2350 via the Raspberry Pi Pico 2 as a successor to the RP2040, with added security features to appeal to commercial and industrial customers. To publicize the new microcontroller, it teamed up with Hextree to devise the RP2350 Hacking Challenge, announced at DEF CON in August. The challenge concluded on 31 Dec 2024, but we must wait until January 14 for the official winner announcement. Cullen made his presentation at 38C3 on Dec 27 and also shared a GitHub repo with an outline of his hacking process and Python code. However, we don’t know whether Cullen is the winner, so this may not be the $20K winning hack method.

RP2350 Hacking Challenge (Image credit: Aedan Cullen)

Specifically, the RP2350 comes with a quartet of new security features that Raspberry Pi was keen to highlight: Secure Boot, TrustZone, the Redundancy Coprocessor (RCP), and Glitch Detectors. The setters of the challenge hid a secret on one of these ‘fully secured’ chips, which would be supplied to hackers who applied, and the first demonstrable success story would get $20,000 and the kudos of being the winner of the challenge. Attacks using hardware and/or software means were permitted by the competition rules, so it was almost an anything-goes situation.

RP2350 Hacking Challenge (Image credit: Aedan Cullen)

Raspberry Pi and Hextree hid the secret in the RP2350’s on-chip OTP (One Time Programmable) memory, which once written cannot be erased or altered. Picotool was used to write the covert code to the OTP. The RP2350’s OTP memory was then locked behind the Page Locks hardware protection feature, set to the ‘inaccessible’ state ’13:12′ as per the table above. Firmware was also signed, with Secure Boot enabled, and the chip’s debug feature was disabled, so prying eyes couldn’t get to the secret via the Serial Wire Debug (SWD) interface. Furthermore, all other boot keys were disabled, and the RP2350 Glitch Detector was turned on and set to its highest sensitivity. It certainly sounds like it was locked down.
