Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot

stacksmashing, nsr

39th Chaos Communication Congress (39C3): Power Cycles · Day 1 · Saal Ground

In an engaging and highly technical presentation at 39C3, security researchers Marius Muench (nsr) and Thomas Roth (stacksmashing) unveiled their findings from the Raspberry Pi RP2350 hacking challenge. Their talk, "Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot," detailed two distinct and sophisticated fault injection attacks that successfully circumvented the secure boot mechanisms of the RP2350 microcontroller. The chip is known for its low cost ($1) and extensive security features, including **TrustZone-M**, **glitch detectors**, a **redundancy coprocessor (RCP)**, **secure boot**, and **One-Time Programmable (OTP)** memory. It was designed with a "security through transparency" philosophy, with its datasheet and boot ROM source code openly released.
