{"id":15172708,"url":"https://github.com/raspberrypi/rp2350_hacking_challenge","last_synced_at":"2025-10-19T16:32:35.354Z","repository":{"id":252257938,"uuid":"839523309","full_name":"raspberrypi/rp2350_hacking_challenge","owner":"raspberrypi","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-14T15:11:28.000Z","size":193,"stargazers_count":147,"open_issues_count":2,"forks_count":9,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-01-29T21:43:33.828Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"CMake","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/raspberrypi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-07T19:33:41.000Z","updated_at":"2025-01-28T11:24:08.000Z","dependencies_parsed_at":"2024-09-23T02:40:33.888Z","dependency_job_id":null,"html_url":"https://github.com/raspberrypi/rp2350_hacking_challenge","commit_stats":null,"previous_names":["raspberrypi/rp2350_hacking_challenge"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raspberrypi%2Frp2350_hacking_challenge","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raspberrypi%2Frp2350_hacking_challenge/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raspberrypi%2Frp2350_hacking_challenge/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raspberrypi%2Frp2350_hacking_challenge/manifests","owner_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/owners/raspberrypi","download_url":"https://codeload.github.com/raspberrypi/rp2350_hacking_challenge/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237172203,"owners_count":19266630,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-27T10:03:48.502Z","updated_at":"2025-10-19T16:32:34.984Z","avatar_url":"https://github.com/raspberrypi.png","language":"CMake","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RP2350 Hacking Challenge\n\nWelcome to the Raspberry Pi RP2350 hacking challenge and bug bounty!\n\nWatch our quick explainer video:\n[![](assets/hacking-challenge-thumbnail-play.png)](https://hextree.io/rp2350-hacking-challenge)\n## Update Jan 14th 2025\n**Congratulations to the 4 winners! Read about them all [here](https://www.raspberrypi.com/news/security-through-transparency-rp2350-hacking-challenge-results-are-in/).**  \nA huge thank you to Thomas Roth and the team at Hextree.io for helping us develop and launch this challenge back in 2024!\n\n\n## Update Jan 1st 2025\n**The RP2350 Hacking Challenge has concluded.**  \nThere have been some fantastic submissions! We'll announce winners and publish details on Jan 14th 2025.\n\n## Update Sept 5th 2024\nNo breaks have been reported yet.  \nWe are doubling the prize to $20,000!  
\nWe've extended the term of the challenge; it now runs until midnight on December 31st 2024 (UK time).\n\nThe goal is easy: Find an attack that lets you dump a secret hidden in OTP ROW 0xc08 - the secret is 128 bits long, and protected by `OTP_DATA_PAGE48_LOCK1` and RP2350's secure boot!\n\nIf you think you have found a break, email us at [doh@raspberrypi.com](mailto:doh@raspberrypi.com) with details - we will ship you a Pico2 with a custom secret hidden in it. If you manage to extract it, you win the $20,000!\n\nGood luck!\n\n## Disclaimer\n\nFor this challenge we will make the following persistent \u0026 irreversible changes to your RP2350:\n\n- Writing bootkey0 (with a public key - or you can generate your own \u0026 build your own firmware)\n- Enabling secure-boot via `crit1.secure_boot_enable` (but with public keys)\n- Disabling debug via `crit1.debug_disable`\n- Overwriting \u0026 locking data in OTP ROW 0xc08\n- *Enabling security will permanently disable both Hazard3 RISC-V cores (M33 cores will still be operable)*\n\n## Setup - Pico 2 board\n\n- Connect an RP2350 in BOOTSEL mode to your computer via USB\n- The repository already contains signing keys: `ec_private_key.pem` and `ec_public_key.pem`. If you want to generate your own keys you can run `keygen.sh` to generate new ones using OpenSSL.\n- Next we write the secret that we want to hide using: `./write_otp_secret.sh` - this is irreversible, as we can't \"erase\" OTP.\n- You can check whether this write was successful by running `./read_otp_secret.sh`\n- Next we build our project:\n    - `mkdir build`\n    - `cd build`\n    - `cmake -DPICO_PLATFORM=rp2350 -DPICO_BOARD=pico2 ..`\n    - `make`\n    - `cd ..`\n- Next we enable secure-boot on the chip by running `enable_secureboot.sh` (This irreversibly enables secure-boot! 
Make sure you keep a backup of your keys!)\n    - To fully lock down the chip including disabling debugging and enabling the glitch detectors, please run `lock_chip.sh`\n- And now we are ready to install the firmware:\n    - Either copy `rp2350_hacking_challenge_debug_version.uf2` or `rp2350_hacking_challenge_secure_version.uf2`\n\n## What's the difference between the debug and the secure version?\n\nThe debug version shows how to read the OTP secret that you need to extract, and also gives\nsome debug output on what's going on in the chip.\n\nAs the printfs etc. might be susceptible to fault-injection attacks we have disabled them in\nthe secure version.\n\nOur \"golden\" challenge Pico 2 will run the secure version of the firmware, with the binary copied to RAM.\n\n## Using the chip in the future\n\nBy participating in this challenge you are permanently enabling secure-boot on your device.\nAny firmware you want to install you need to sign yourself. You can enable\nsigning for other projects by simply adding this to the CMakeLists.txt (this needs to be above the `pico_add_extra_outputs`) and copying the\n`ec_private_key.pem` to your source directory.\n\n```\n# Signing and hashing\npico_sign_binary(project_name ${CMAKE_CURRENT_SOURCE_DIR}/ec_private_key.pem)\npico_hash_binary(project_name)\npico_set_otp_key_output_file(project_name ${CMAKE_CURRENT_LIST_DIR}/otp.json)\n```\n## Rules, Terms and Conditions\n\nPlease see [here](https://www.raspberrypi.com/def-con-2024-challenge/) for terms, conditions and rules for this challenge.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraspberrypi%2Frp2350_hacking_challenge","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fraspberrypi%2Frp2350_hacking_challenge","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraspberrypi%2Frp2350_hacking_challenge/lists"}