In August 2024, Raspberry Pi unveiled the RP2350 microcontroller. This chip was designed with a strong emphasis on security, incorporating features such as Arm TrustZone and antifuse-based One-Time Programmable (OTP) memory to safeguard sensitive operations. To assess and demonstrate the robustness of these security measures, Raspberry Pi adopted an open approach, publishing the ROM code on GitHub and inviting external scrutiny through initiatives like the RP2350 Hacking Challenge.
The RP2350 Hacking Challenge
The RP2350 Hacking Challenge encourages security researchers to identify and exploit potential vulnerabilities. Raspberry Pi partnered with Hextree.io on the challenge, producing a test PCB that makes it easier to access the voltage rails and clock input, and offered a $10,000 (later $20,000) award for recovering a 128-bit secret stored in a specific OTP row, protected by secure boot and an OTP read lock.
This initiative led to the discovery of notable attacks, each employing distinct methods to breach the microcontroller’s protections (https://www.raspberrypi.com/news/security-through-transparency-rp2350-hacking-challenge-results-are-in/).
1. Voltage Glitching Attack on OTP security configuration
The RP2350’s antifuse OTP memory plays a crucial role in security by storing configuration bits that dictate boot-time settings. These bits are read early in the reset process by a state machine called the OTP PSM. It is common for chips to read and shadow OTP values during boot, which also makes that step a common target for fault injection.
To prevent faults from corrupting critical reads, the system employs a guard mechanism that first reads a section of OTP with a known value (0x333333). Only if the correct value is read does the system continue with the security-sensitive reads.
Aedan Cullen figured out, through optical reverse engineering and sleuthing through datasheets and patents, that the OTP block is powered separately via a pin called USB_OTP_VDD. If the power to the OTP is dropped immediately after the guard value has been read, the block keeps returning 0x333333 for the subsequent reads of security-critical bits, effectively overwriting the shadowed values. Specifically, the RISCV_DISABLE and ARM_DISABLE bits end up set while DEBUG_DISABLE is cleared, forcing the chip to boot with the RISC-V cores active and debugging enabled, regardless of the intended configuration. This makes extracting secret data from OTP trivial. The attack uses simple voltage glitching equipment and should be reproducible with well under $1000 of equipment.
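The weakness described above, that everything read after the guard row is trusted once the guard matches, is easy to reproduce in a simulation. The following is an added example written for this article, not RP2350 ROM code: a toy OTP block whose read bus freezes at the last latched value once its supply is dropped, a PSM that reads the guard row and then the configuration rows, and a hardened variant that reads a second guard row holding a different known pattern after the critical rows. The row numbers, the bit positions and the second guard row are assumptions. The simulation sweeps the supply-drop point across every read to find which drop points boot with debug enabled.

```python
# Added example (not RP2350 ROM code): a toy model of the boot-time OTP read
# sequence and of a supply-drop fault that freezes the OTP read bus.
GUARD_ROW, GUARD_VALUE = 0x10, 0x333333       # guard row with the known pattern
CHECK_ROW, CHECK_VALUE = 0x14, 0xCCCCCC       # assumed second guard row (hardened PSM only)
CRIT_ROW = 0x11                               # assumed row carrying the core/debug bits
BIT_ARM_DISABLE, BIT_RISCV_DISABLE, BIT_DEBUG_DISABLE = 0, 1, 2   # assumed bit positions
CONFIG_ROWS = [CRIT_ROW, 0x12, 0x13]          # rows the PSM shadows after the guard read

# Constructed "secure" cell contents: boot the Arm cores only, debug disabled.
SECURE_CELLS = {
    GUARD_ROW: GUARD_VALUE,
    CHECK_ROW: CHECK_VALUE,
    CRIT_ROW: (1 << BIT_RISCV_DISABLE) | (1 << BIT_DEBUG_DISABLE),
    0x12: 0x000005,
    0x13: 0x000000,
}


class OtpBlock:
    """Toy antifuse block. While powered, reads return cell contents; once the
    supply is dropped, every read returns the last value latched on the bus."""

    def __init__(self, cells, power_off_after_read=None):
        self.cells = dict(cells)
        self.power_off_after_read = power_off_after_read
        self.powered = True
        self.reads = 0
        self.last = 0

    def read(self, row):
        value = self.cells[row] if self.powered else self.last
        self.last = value
        self.reads += 1
        if self.reads == self.power_off_after_read:
            self.powered = False        # supply dropped right after this read
        return value


def psm_naive(otp):
    """Guard read first; if it matches, shadow the config rows and trust them."""
    if otp.read(GUARD_ROW) != GUARD_VALUE:
        return None                     # halt boot
    return {row: otp.read(row) for row in CONFIG_ROWS}


def psm_hardened(otp):
    """Same sequence, but a second guard row with a different known pattern is
    read after the critical rows, so a bus frozen at 0x333333 is caught."""
    if otp.read(GUARD_ROW) != GUARD_VALUE:
        return None
    config = {row: otp.read(row) for row in CONFIG_ROWS}
    if otp.read(CHECK_ROW) != CHECK_VALUE:
        return None
    if any(value == GUARD_VALUE for value in config.values()):
        return None                     # belt and braces: no config row may equal the guard
    return config


def decode(row_value):
    """Extract the three boot-control bits from the critical row value."""
    bit = lambda n: (row_value >> n) & 1
    return {
        "ARM_DISABLE": bit(BIT_ARM_DISABLE),
        "RISCV_DISABLE": bit(BIT_RISCV_DISABLE),
        "DEBUG_DISABLE": bit(BIT_DEBUG_DISABLE),
    }


def boot_outcome(psm, power_off_after_read=None):
    """Run one PSM against the secure cells; None means the boot halted."""
    config = psm(OtpBlock(SECURE_CELLS, power_off_after_read))
    return None if config is None else decode(config[CRIT_ROW])


def debug_enabling_drop_points(psm, max_reads=8):
    """Read indices after which a supply drop boots with debug enabled."""
    hits = []
    for k in range(1, max_reads + 1):
        outcome = boot_outcome(psm, k)
        if outcome is not None and outcome["DEBUG_DISABLE"] == 0:
            hits.append(k)
    return hits


if __name__ == "__main__":
    for psm in (psm_naive, psm_hardened):
        print(psm.__name__, "no fault:", boot_outcome(psm),
              "debug-enabling drop points:", debug_enabling_drop_points(psm))
```

For the naive PSM the sweep reports exactly one dangerous point, the drop right after the guard read, and the resulting configuration has both core-disable bits set and DEBUG_DISABLE clear, matching the outcome the text describes. The hardened PSM halts for every drop point, because a frozen bus cannot return two different known patterns. A real design would also read critical rows redundantly and compare them, but the post-read guard is the cheap check this particular fault model defeats.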
2. Voltage Glitching Attack on Reboot Type
Marius Muench discovered a critical vulnerability in the RP2350’s secure boot feature. The weakness lies in the boot ROM’s reboot API, specifically the REBOOT_TYPE_PC_SP mode, which reboots the chip with a caller-supplied program counter and stack pointer. This mode is intended to be accessible only to signed, verified firmware. However, by injecting supply-voltage glitches, an attacker can bypass the normal boot sequence: when a glitch corrupts one crucial instruction, the chip erroneously enters REBOOT_TYPE_PC_SP mode, allowing the attacker to execute malicious code from RAM without verification.
The article states: “Due to an unlucky arrangement of instructions emitted by the compiler, injecting a fault which skips one out of two very specific instructions confuses the chip into rebooting to the hazardous boot type”.
Though this is unlucky, it is not uncommon. When simulating faults, we often see that even small pieces of code, say 20 lines of C, can have an equal number of ‘unlucky’ fault injection possibilities. Some of them fit the ‘skip an instruction’ model, but many will be more convoluted ways of ending up in the happy flow.
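The fault simulation mentioned above is straightforward to do by hand for a dispatcher of this shape. The block below is an added example for this article, not the RP2350 ROM and not the instruction sequence the researchers attacked: a tiny straight-line VM with a constructed ISA, a naive reboot-type dispatcher that gates the hazardous mode behind a single compare-and-branch, and a hardened one that keeps the result register safe by default and checks a redundant complemented copy twice. The reboot-type encodings, register names and memory words are this example's own. The simulator skips each instruction in turn and reports which single skips make the dispatcher return the hazardous type for an unverified caller.

```python
# Added example: a tiny straight-line VM used to enumerate single-instruction-skip
# faults over a constructed reboot-type dispatcher. The ISA, programs and
# encodings are this example's own; they do not reproduce the RP2350 ROM.
REBOOT_NORMAL, REBOOT_PC_SP = 0, 1            # constructed encodings

# Instructions: ("ldr", reg, name) loads a memory word, ("mov", reg, imm),
# ("cmp", reg, imm) sets the zero flag, ("bne", target) branches on not-equal,
# ("ret",) returns r0 as the chosen reboot type.
NAIVE = [
    ("ldr", "r0", "requested"),    # 0: r0 = requested reboot type
    ("cmp", "r0", REBOOT_PC_SP),   # 1
    ("bne", 8),                    # 2: not asking for PC_SP -> normal reboot
    ("ldr", "r1", "verified"),     # 3: r1 = 1 only if the caller was verified
    ("cmp", "r1", 1),              # 4
    ("bne", 8),                    # 5: unverified caller -> normal reboot
    ("mov", "r0", REBOOT_PC_SP),   # 6
    ("ret",),                      # 7
    ("mov", "r0", REBOOT_NORMAL),  # 8
    ("ret",),                      # 9
]

HARDENED = [
    ("mov", "r0", REBOOT_NORMAL),  # 0: result register defaults to the safe choice
    ("ldr", "r1", "requested"),    # 1: the request never lives in the result register
    ("cmp", "r1", REBOOT_PC_SP),   # 2
    ("bne", 13),                   # 3
    ("ldr", "r1", "verified"),     # 4
    ("cmp", "r1", 1),              # 5
    ("bne", 13),                   # 6
    ("ldr", "r1", "verified_inv"), # 7: redundant copy stored as the 8-bit complement
    ("cmp", "r1", 0xFE),           # 8
    ("bne", 13),                   # 9
    ("cmp", "r1", 0xFE),           # 10: compare and branch repeated, so one skip is not enough
    ("bne", 13),                   # 11
    ("mov", "r0", REBOOT_PC_SP),   # 12
    ("ret",),                      # 13
]


def run(program, memory, skip_at=None):
    """Execute until 'ret'. Registers and the zero flag start at 0. If skip_at
    is given, the instruction at that index is skipped once (the single
    instruction-skip fault model). Returns r0 at 'ret', or None if control
    runs off the end of the program (a crash rather than a hazard)."""
    regs = {"r0": 0, "r1": 0}
    z = 0
    pc = 0
    for _ in range(100):                  # step bound guards against runaway loops
        if pc == skip_at:
            pc += 1
            skip_at = None
        if pc >= len(program):
            return None
        op, *args = program[pc]
        pc += 1
        if op == "ldr":
            regs[args[0]] = memory[args[1]]
        elif op == "mov":
            regs[args[0]] = args[1]
        elif op == "cmp":
            z = int(regs[args[0]] == args[1])
        elif op == "bne":
            if not z:
                pc = args[0]
        elif op == "ret":
            return regs["r0"]
    return None


def hazardous_skips(program, memory):
    """Instruction indices whose single skip yields REBOOT_PC_SP."""
    return [i for i in range(len(program)) if run(program, memory, i) == REBOOT_PC_SP]


# Constructed memory for an unverified caller asking for the hazardous mode,
# and for a legitimately verified one.
UNVERIFIED = {"requested": REBOOT_PC_SP, "verified": 0, "verified_inv": 0xFF}
VERIFIED = {"requested": REBOOT_PC_SP, "verified": 1, "verified_inv": 0xFE}

if __name__ == "__main__":
    for name, program in (("naive", NAIVE), ("hardened", HARDENED)):
        print(name, "verified caller ->", run(program, VERIFIED),
              "| hazardous skips for unverified caller:",
              hazardous_skips(program, UNVERIFIED))
```

The naive dispatcher has three hazardous positions, not two: skipping the compare (index 4) or the branch (index 5) is the obvious pair, but skipping the `mov r0, REBOOT_NORMAL` on the fallback path (index 8) returns the still-loaded request as the result. That third case is the kind of less obvious route into the happy flow the paragraph above refers to, and it is why the hardened version never keeps untrusted data in the result register. The hardened dispatcher has no single-skip hazard in this model; a two-fault model, like the double fault in section 5, needs a separate sweep.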
3. Laser Fault Injection on Signature Verification
Kévin Courdesses uncovered a vulnerability in the RP2350’s secure boot path, exploiting a timing window between the firmware being loaded into RAM and the computation of the hash used for signature verification. The high-level idea of the attack is to have the ROM verify the signature over valid firmware but boot an attacker-modified firmware. By analyzing the code and disassembly of the ROM, he identified a way to avoid loading the correct pointer into a CPU register, which then retained an old address pointing to the QSPI bus, which an attacker controls. By corrupting the right instruction, the old address is used for signature verification, and at that address the attacker provides a correct image. After verification is completed, the ROM continues booting the attacker’s image.
Though this is a nice primitive, the more impressive part of the work is that Kévin built his own laser fault injection system from scratch and documented the entire build (https://courk.cc/rp2350-challenge-laser). This is another example of the low-cost laser FI systems we are starting to see in the field, bringing the cost below €1000.
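The primitive in this section is a time-of-check/time-of-use gap: the bytes that are hashed are not the bytes that run. The block below is an added example written for this article, not Kévin Courdesses' code and not the RP2350 ROM: a toy boot flow in which one pointer register is updated by a single instruction that a fault can remove, with SHA-256 standing in for the signature check and all addresses, image contents and the flash layout constructed for the example. A hardened variant re-hashes the exact bytes at the jump target after verification, so a stale pointer no longer decouples check from use.

```python
import hashlib

# Added example, not the RP2350 ROM: a toy boot flow with one pointer register
# that a fault can leave holding its previous value. Addresses are assumptions.
QSPI_BASE = 0x10000000        # external flash, attacker-writable
IMAGE_SLOT = 0x10001000       # where the ROM expects the firmware image
SRAM_BASE = 0x20000000        # where the image is loaded and executed

GENUINE_IMAGE = b"genuine firmware, signed by the vendor"
MODIFIED_IMAGE = b"modified firmware, signed by nobody  "
# SHA-256 stands in for the signature check: the ROM "trusts" this digest.
TRUSTED_DIGEST = hashlib.sha256(GENUINE_IMAGE).digest()


def verify(memory, addr):
    """Signature check stand-in: hash the region at addr and compare."""
    return hashlib.sha256(memory[addr]).digest() == TRUSTED_DIGEST


def boot_naive(memory, skip_pointer_update=False):
    """Load, then verify through a pointer register, then jump to SRAM."""
    memory = dict(memory)
    ptr = QSPI_BASE                    # stale value left by an earlier ROM step
    memory[SRAM_BASE] = memory[IMAGE_SLOT]
    if not skip_pointer_update:        # the single instruction the fault removes
        ptr = SRAM_BASE
    if not verify(memory, ptr):
        return None                    # refuse to boot
    return memory[SRAM_BASE]           # "jump": the bytes that would execute


def boot_hardened(memory, skip_pointer_update=False):
    """Same flow, but verification is bound to the bytes that will execute:
    the jump target is hashed again, independently of the pointer register."""
    memory = dict(memory)
    ptr = QSPI_BASE
    memory[SRAM_BASE] = memory[IMAGE_SLOT]
    if not skip_pointer_update:
        ptr = SRAM_BASE
    if not verify(memory, ptr):
        return None
    if hashlib.sha256(memory[SRAM_BASE]).digest() != TRUSTED_DIGEST:
        return None                    # what was verified is not what would run
    return memory[SRAM_BASE]


# Constructed flash layouts: an honest device, and one where the genuine image
# sits at the stale address while a modified image occupies the real slot.
HONEST_FLASH = {QSPI_BASE: b"\xff" * 16, IMAGE_SLOT: GENUINE_IMAGE}
ATTACK_FLASH = {QSPI_BASE: GENUINE_IMAGE, IMAGE_SLOT: MODIFIED_IMAGE}

if __name__ == "__main__":
    print("naive, honest flash:", boot_naive(HONEST_FLASH))
    print("naive, stale pointer:", boot_naive(ATTACK_FLASH, skip_pointer_update=True))
    print("hardened, stale pointer:", boot_hardened(ATTACK_FLASH, skip_pointer_update=True))
```

Without the fault both variants behave identically: the honest image boots and the modified one is rejected. With the pointer update skipped, the naive flow verifies the genuine image at the stale QSPI address and then runs the modified image from SRAM; the hardened flow rejects it because the second hash is computed over the jump target rather than through the register. The second comparison is itself a single branch, so in silicon it would need the same redundancy discussed for the reboot API in section 2; what it removes is the ability to separate the verified bytes from the executed bytes with one fault.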
4. Passive Voltage Contrast Extraction from Antifuse OTP
The final attack focused on extracting secrets from the RP2350’s antifuse-based OTP memory. A team at IOActive demonstrated how the Passive Voltage Contrast (PVC) technique, combined with a Focused Ion Beam (FIB), can be used to extract information from antifuse memory arrays. Antifuse memory cells are designed for one-time programming, where a permanent conductive path is created by applying a voltage that induces dielectric breakdown. Prior to this research, antifuse technology was considered highly secure against extraction techniques. The PVC technique exploits the voltage contrast seen under a scanning electron microscope when an ion beam charges the memory array, revealing the programmed state of the antifuses.
The technique extracts the bitwise OR of two adjacent bits rather than their individual values due to shared metal contacts between adjacent antifuse cells. The study notes that the technique’s current limitation is its inability to differentiate between the individual bits, but the authors are exploring ways to improve resolution and enable precise data extraction, such as adjusting beam parameters or using FIB metal deposition.
This attack requires significant expertise and equipment, though a qualified operator plus machine can be rented for $400-$600 per hour. With the attack taking several days per chip, this is well within a sophisticated attacker’s budget.
5. Glitch detector evaluation and double EMFI fault bypassing OTP protection
The Hextree team was commissioned to evaluate the RP2350’s secure boot process, focusing on the effectiveness of its redundancy coprocessor (RCP) and glitch detectors. Their findings revealed that while the glitch detectors at the highest sensitivity setting catch many voltage glitches, a significant fraction still goes undetected, leaving the system open to attack given enough effort. Most of their research centered on electromagnetic fault injection (EMFI).
The team also identified a double fault attack that bypasses the OTP protection mechanism. The attack disturbs two instructions in the ROM function that locks the OTP page with precisely timed faults, so the page is never correctly locked and the attacker can read and write the OTP despite the chip’s security settings.
Conclusion: Key Takeaways
Per Chris Boross of Raspberry Pi: “We think RP2350, our new high-performance, secure microcontroller, is pretty safe and sturdy. Care to test that theory? (We fully admit that everything is hackable given enough time and resources.)”
Having assisted numerous chip designers on this journey, it’s clear that many start with the belief that hardware attacks can be mitigated through a few well-intentioned countermeasures. However, this is just the beginning of the path to creating a secure microcontroller. Initial countermeasures often fall short, failing to address all potential attack vectors. It’s crucial to rigorously test all layers of defense, both in simulation and in real-world practice.
On a positive note, all the attacks discussed rely on hardware-based methods, which suggests that there are no obvious software vulnerabilities. However, the two voltage-based attacks reveal that such attacks can be mounted with relatively inexpensive equipment. These attacks are also viable in a modchip scenario, where a custom chip could be developed to precisely inject faults and bypass security measures. Given that modchips typically cost under $100, they are easily accessible to electronics enthusiasts and can pose a serious threat.
Raspberry Pi’s decision to open their boot ROM binaries and offer an affordable product is commendable, as it enables widespread study of fault injection characteristics, a rare move in an otherwise opaque industry. We look forward to seeing more research on this chip in the future.