Info

This document is part of an original submission for the RP2350 Hacking Challenge.

For more detailed and up-to-date content, refer to “Laser Fault Injection on a Budget: RP2350 Edition”.

RP2350 Hacking Challenge Submission

These pages detail the techniques and hardware that have been used to bypass the secure boot feature of the RP2350. This is a submission for the official RP2350 Hacking Challenge.

Introduction

Considering that the Boot ROM of the RP2350 had been audited before the opening of the challenge, I did not attempt to find logic bugs in it and quickly considered a hardware attack, such as a fault injection attack.

However, online comments tend to show that the glitch detector system implemented in the RP2350 was rather efficient in mitigating simple voltage fault injection attacks.

Hence, I quickly decided to tackle the challenge with laser fault injection, assuming that focusing a laser beam away from the glitch detector circuits could allow for injecting faults without triggering them.

Now, the thing is, while I did have some experience with “classic” voltage fault injection attacks, I knew nothing about laser fault injections.

This challenge was then used as an opportunity to build a fully custom, cheap laser fault injection platform.

This fault injection setup is detailed in the corresponding pages, and I’d like to make all design files open source after the challenge’s deadline.

The Laser Fault Injection Platform

The Laser Fault Injection Platform, designed for this challenge

Last update: November 24, 2024