Voltage Glitch Attack Cracks 'Unhackable' Raspberry Pi Chip, Claims $20K Bounty

A security researcher has successfully breached the supposedly "fully secured" RP2350 microcontroller chip by exploiting a power supply vulnerability, potentially winning a $20,000 hacking challenge.

Engineer Aedan Cullen revealed his breakthrough at the 38th Chaos Communication Congress, demonstrating how he accessed protected memory by manipulating the chip's power delivery system.

The RP2350, Raspberry Pi's latest microcontroller featuring enhanced security measures like Secure Boot and Glitch Detectors, was the target of a hacking challenge announced at DEF CON in August. The challenge involved retrieving a secret code stored in the chip's One-Time Programmable (OTP) memory, which was protected by multiple security layers.

Cullen's innovative approach focused on Pin 53 of the chip, which connects to both OTP and USB functions. After physically isolating this pin, he injected precise voltage glitches during the chip's boot process. This manipulation unexpectedly activated the supposedly disabled RISC-V processor cores and their debug access port, allowing him to extract the protected secret.

The hack exposed a peculiar weakness where a specific glitch command (0x00030033) could selectively disable security features while keeping the RISC-V cores operational, bypassing the chip's protection mechanisms.

This security breach raises questions about the effectiveness of hardware-based security measures. As Cullen noted in his presentation, "'Permanent' is not a thing unless it involves chip destruction."

While Cullen has publicly shared his findings and methodology, the official winner of the $20,000 challenge will not be announced until January 14.

This breakthrough highlights the ongoing challenges in hardware security design and demonstrates that even sophisticated protection mechanisms can be vulnerable to creative attack methods.