Raspberry Pi Shows Confidence in the RP2350's Security Features — with a $10,000 Competition Prize

Capture the protected flag hidden in a custom firmware and win the cash — but your Raspberry Pi Pico 2 will lose its RISC-V cores.

Gareth Halfacree
2 months agoSecurity / HW101

Raspberry Pi is putting its money where its mouth is when it comes to the new security features of its RP2350 microcontroller — launching the RP2350 Hacking Challenge, which offers a $10,000 reward for anyone who can capture a flag secured in a custom RP2350 firmware.

"The goal is easy: find an attack that lets you dump a secret hidden in OTP [One-Time Programmable memory] ROW 0xc08," Raspberry Pi explains of the contest, launched in partnership with hextree.io. "The secret is 128 bit[s] long, and protected by OTP_DATA_PAGE48_LOCK1 and RP2350's secure boot!"

Raspberry Pi launched the RP2350, its next-generation in-house microcontroller, late last week, coinciding with the distribution of a divisive RP2350-based badge at DEF CON 32. The new chip, a successor to the RP2040, boasts more powerful and faster Arm Cortex-M33 cores, new free and open source Hazard3 RISC-V cores which can be used in place of or in a 1+1 mixture with the Cortex-M33 cores, almost double the memory, and support for up to 16MB of pseudo-static RAM (PSRAM) alongside 16MB of flash — but it's the new security features that sit at the focus of the company's competition.

The RP2350, Raspberry Pi explained at the launch, implements Arm's TrustZone for Cortex-M trusted computing platform, with support for signed boot, 8kB of one-time programmable (OTP) memory designed primarily with secure key storage in mind, a hardware true random number generation (TRNG), an SHA-256 accelerator, and hardware mitigations designed to prevent exploitation via fault injection attacks.

The RP2350 Hacking Challenge, announced at DEF CON 32 but open to all, uses a Raspberry Pi Pico 2 development board that has been flashed with a specific firmware — one which sets the OTP memory and adds a 128-bit-long secret flag, protected by the chip's secure boot system. Booting unsigned code and accessing this flag, then, should be theoretically near-impossible — but for those who achieve it, the company has $10,000 available as a prize.

Those interested in competing, though, should be warned that — unless you find a particularly nasty security hole — the process of getting a Pico 2 board ready for the contest is irreversible, and comes at a cost: all firmware loaded onto the board from that moment on needs to be signed or it will not boot, and the act of turning the security subsystem on disables access to the Hazard3 RISC-V cores entirely.

If that hasn't put you off, information on entering the competition — which closes on 7 September 2024 — is available on the official GitHub repository; a list of rules can be found on the Raspberry Pi website.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles