Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot

Posted by aberoham 12/27/2025

Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot(streaming.media.ccc.de)

139 points | 22 comments

londons_explore 2 days ago|

Real security processors never give big bounties because when bugs are discovered all the buyers immediately cancel their orders of the 'faulty' secure chips.

They'd prefer to live in ignorance.

compsciphd 1 day ago|

really big bounties would then be appropriate, as they would come with NDAs. Small bounties would just encourage others to make them public / sell them to more malicious actors.

Thorrez 1 day ago||

What if multiple people discover the same vulnerability. What do you do?

Do you pay out to all of them? Do you make them sign an NDA without guaranteeing you'll pay them? Do you tell the 2nd etc discoverers to go away and hope they don't reveal it?

If you pay out to all of them, there's a strong incentive to leak info and collect multiple bounties for the same vulnerability.

londons_explore 1 day ago||

You hire a salaried security researcher and forget the idea of bounties.

lll-o-lll 2 days ago||

What an interesting talk, and an interesting concept also. Open source hardware security; get the security researchers interested and fix the security defects.

The “read the data out with a super expensive microscope” remained. Is there any way to defeat that attack I wonder? I suppose the hsm model of “destructive tamper detection” is one way.

regularfry 2 days ago||

I patented something that had a countermeasure for this, which was a bit impractical but fun to think about. Basically you put the sensitive data in an eeprom layered with a chemical that emits UV when exposed to air or, optionally, visible light - chemically more entertaining, hard to manufacture. But it's a just an arms race at that point.

klysm 1 day ago||

Cool idea, but seems pretty straightforward to bypass and definitely an arms race

jnwatson 1 day ago|||

The current solution is obfuscation. They make the mapping from physical state to actual key complicated enough that you have to reverse engineer a lot of the logic.

avidiax 1 day ago|||

You can also bury the fuse array inside the chip. So in addition to the microscope, you will also have to non-destructively etch or mill the chip to expose the fuses. This also renders the chip non-functional, so if the secret is unique per chip, then the leaked secret can't be used to bootstrap to other secrets on the die.

michaelt 1 day ago||

> The “read the data out with a super expensive microscope” remained. Is there any way to defeat that attack I wonder?

Get your chip made with the latest TSMC process and get features so small nobody else, even superpowers and trillion-dollar tech companies working together, can manipulate them :)

rcxdude 1 day ago|||

Manipulating features smaller than what TSMC manufacture is possible in many places (just at great expense), TSMC's special sauce is being able to manufacture it in quantity and economically. Ultimately it's always going to be difficult to completely protect storage at rest, because it is possible to take something apart atom by atom, but it does raise the cost of the attack substantially.

shash 1 day ago|||

A good scanning electron microscope costs at most a few million? And is pretty common in a decently funded lab pretty much anywhere? Resolutions of 5nm is not uncommon. A scanning tunnelling microscope can go much lower (single atom types) and isn’t all that much more expensive either (comparatively I mean).

I think it’s common knowledge by now that the smallest feature in a 5nm chip isn’t really 5nm. So that’s not (yet?) a viable strategy.

IlikeKitties 1 day ago||

There's a lot of people that believe that hardware remote attestation will be the end of computational freedom. I'm glad to see that bypasses are still quite possible.

lysace 1 day ago||

I've had a bit of a difficulty of understanding the actual benefits of proper secure boot vs zero protection.

I've arrived at this understanding: secure boot sometimes allows you to recover a compromised fleet without recalls. Instruct the customer to disconnect the device, reboot it and then somehow reflash it before getting infected again? Seems fraught with errors though.

When I worked with IoT HW companies in Taiwan their understanding tended to be along the lines of: "it makes the device secure" or "it prevents the firmware from being used by clone devices".

(It's been a while since I worked in this area.)

avidiax 1 day ago|

It also prevents "contempt of business model". Makes a SW or HW bypass for ink cartridge pairing or game piracy or monthly widget subscription difficult or impossible. May also make any vulnerability patchable.

If you depend on your firmware remaining secret, however, you have to contend with the black hat version of the presenters. They are expert at extracting firmware and cloning. Some applications choose FPGAs in part because the equivalent of their firmware (the bitstream) is itself nearly impossible to reverse engineer. That means that a one-for-one clone is possible, but you can't alter the design, and have to use the exact same part.

michaelt 2 days ago|

Seems a bit of a strange feature to even want on a product targeting the education market. In a classroom setting you don't really want students to be able to set fuse bits so the device can't be re-programmed.

Presumably this is a sign RPi are deliberately aiming to straddle the hobby and light commercial markets?

rcxdude 2 days ago||

They have absolutely been aiming at industrial customers already. It would be hard for them to justify the cost of a custom die without having some volume to businesses. (And the previous raspbarry pis have absolutely been popular in industry as well, I would be surprised if hobbyists and learners are even half of their volume)

SequoiaHope 2 days ago|||

They have been serving enterprise markets for a long time. Back in 2020-2021 when there was a chip shortage, Raspberry Pi shorted their consumer availability to make sure enterprise customers could still get compute modules. The fusible bits on the RP2350 are very much an enterprise feature.

Tharre 2 days ago|||

If that's a concern, you can lock the OTP either permanently or with a password, before you hand them out. Or just use the older RP2040.

But I don't think that "targeting the education market" is accurate in the first place. They certainly make sure to serve that market with their very nicely priced Pico boards but it hardly seems to be their only goal. You don't go through the effort of spinning up a new revision to fix security holes if there aren't at least some industry customers.

JayHLee77 2 days ago|||

Security is an essential feature for everyone, not just Enterprise. Can you trust the code your device is running? Can your device keep a secret? These capabilities are needed universally.

As to students being able to set the efuse so the device can't be reprogrammed, sure but they're $5 each so it's not like they're destroying a $500 Chromebook (which they do, look on YouTube). That risk is the cost of attempting to educate though (and it's worth it).

Retr0id 1 day ago|||

Seems like a small risk compared to students creating a trivial short-circuit and letting out the magic smoke, and at $1/part it's not a big deal even if they do.

guenthert 2 days ago||

Are you perhaps confusing the Raspberry Pi Foundation with the Raspberry Pi Holdings?