Aedan Cullen Cracks the Raspberry Pi RP2350's Security Subsystem Wide Open

Engineer Aedan Cullen has come up with a way to break through the security subsystem on Raspberry Pi's latest RP2350 microcontroller — and looks to be in with a shot at winning the company's capture the flag competition as a result.

"Raspberry Pi's RP2350 microcontroller introduced a multitude of new hardware security features over the RP2040, and included a Hacking Challenge which began at DEF CON to encourage researchers to find bugs," Cullen explains. "The challenge has been defeated and the chip is indeed vulnerable (in at least one way)."

Officially launched by Raspberry Pi back in August last year, alongside the Raspberry Pi Pico 2 development board, the RP2350 is the company's second-generation microcontroller. The chip offers a range of improvements over the first-generation RP2040, including almost twice the memory and faster Arm Cortex-M33 cores alongside free and open source RISC-V-based Hazard3 cores. It also includes a security subsystem that the company hopes will make it a tempting part for use in commercial designs where higher levels of protection is required — and to highlight the feature Raspberry Pi made it the subject of a $10,000 capture the flag competition, later raised to $20,000.

"The RP2350 security architecture involves several interconnected mechanisms which together provide authentication of code running on the chip, protected one-time-programmable storage, fine-grained control of debug features, and so on," Cullen explains. "An antifuse-based OTP memory serves as the root of trust of the system, and informs the configuration of ARM TrustZone as well as additional attack mitigations such as glitch detectors. Raspberry Pi even constructs an impressive, bespoke Redundancy Coprocessor (RCP), which hardens execution of boot ROM code on the Cortex-M33 cores with stack protection, data validation, and instruction latency randomization."

Unfortunately for Raspberry Pi, Cullen claims that these protections can be beaten. In a presentation at the 38th Chaos Communications Congress, Cullen demonstrates what he claims to be an attack that unveils the protected secret at the heart of Raspberry Pi's capture the flag contest — which, if validated, will earn him the prize money.

"I think one notable thing about this [is] it's not a very difficult attack at all," Cullen claims during his presentation. "It's just a normal power glitch. Just drop USB_OTP_VDD for 50μs or so across the CRIT0 and CRIT1OTP PSM reads, which on my chips are around 220-250μs from the characteristic current spike that marks the beginning of the OTP PSM sequence."

Cullen's presentation is available to stream and download on the CCC website and is embedded in full above; supporting source code and high-resolution annotated die shots of the RP2350 have been published to GitHub under the reciprocal GNU General Public License 3 and Creative Commons Attribution 4.0 respectively.

At the time of writing, Raspberry Pi had not commented on whether or not Cullen's attack constitutes a winning entry to its capture the flag contest — nor if it plans any mitigations to protect against it.