Lennert

I am excited to announce that our talk "Glitched on Earth by humans" will be presented at @BlackHatEvents! I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root. This might be the first tweet sent through a rooted Starlink UT! #BHUSA

Your earbuds are supposed to pair only when you tell them to. Our research shows that, for many Fast Pair devices, this assumption is wrong. We demonstrate silent hijacking, microphone access, and covert tracking at scale, without even touching your device. #WhisperPair 1/n

@PinkDraconian @aniziki @nmatt0 Please consider buying the @nostarch books instead of pirating them. I'd like to see more of their books in the future and they currently have a 40% discount going for the holidays. The hardware hacking handbook is great!

@aniziki @nmatt0 Wow! Thanks a lot. I've got some reading to do now! Cheers!

I want to get into IoT penetration testing. Where do I start?🤔

😃 Already counting down the days to host our amazing #hardwarecommunity at #hw_ioUSA2025! ✍️💡 If you’re passionate about hardware security, don’t miss your chance to speak—CFP (Call For Papers) is OPEN! YouTube Link: youtu.be/mkTp016QidU?si… #hardwaresecurity #CFP

Security through transparency: all chips have vulnerabilities, and most vendors' strategy is not to talk about them. In contrast, we aim to find and fix them. Read the results of our RP2350 Hacking Challenge: rpltd.co/rp2350-challen…

New writeup from @_specters_ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate. Full disclosure: samcurry.net/hacking-kia

@kwiens @ghidraninja @iFixit Is there any information on what selection of soldering tips will be available?

@ghidraninja @iFixit Let me know what you think! We designed this exactly with use cases like yours in mind.

Wow, @iFixit/@kwiens launched a soldering iron! Might finally be a mobile/travel iron I actually like :) theverge.com/2024/9/12/2424…

Challenge… extended? At this year’s #DEFCON, we got to work with the brilliant teams over at @defcon and @hextreeio to create 30,000 gaming badges using our brand new chip, RP2350. Still in the gaming spirit, we challenged anyone with an RP2350 to try and hack around our security features to unlock the secret programmed into the secure on-chip storage. Currently, the security is still unbroken, and the $10,000 prize uncollected. Now, we've decided to goad the bounty hunters by doubling the prize money and extending the deadline to the end of the year. Think you’ve got what it takes? raspberrypi.com/news/30000-bad…

@sundhaug92 @ghidraninja @barsteward There are two main indicators. The sensitive location is near the pins for the internal regulator (thus likely hitting the bond wires, or the regulator on die). The chip is much less sensitive to EMFI when supplying DVDD from an external power supply.

@ghidraninja @barsteward How was that found out?

Pi Pico2 EMFI update: Not enough time; no chance of the $10k bounty, but fun testing glitch detection (spoiler: it’s good). Pics: 1. Glitch detection disabled 2. Detection enabled Red=Successful loop corruption Green=No effect Blue=Reboot Yellow=Caught by detector (1mm coil@200V)

We are very excited to share our last research work: 𝐄𝐔𝐂𝐋𝐄𝐀𝐊, authored by Thomas Roche. An electromagnetic Side-Channel Vulnerability in the ECDSA implementation of all Infineon security microcontrollers, notably impacting all YubiKey 5 Series. ninjalab.io/eucleak/

In April, @samwcyo and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found. Here is our writeup: ian.sh/tsa

@CedHon @matthewvenn @Raspberry_Pi @bunniestudios Yes the picture was made with a similar approach, Bunnie has a much fancier LED positioning setup though! Generally speaking I think chip backside imaging methods have been in use since the 1990s!

@LennertWo @matthewvenn @Raspberry_Pi Nice!! Is it made with a similar approach as in the IRIS project by @bunniestudios? bunniestudios.com/blog/2024/iris…

The new @Raspberry_Pi RP2350, as seen through the backside of the die.

@wren6991 That's amazing, thanks for sharing!

@LennertWo This is what I can label from memory. The std cell region is all a bit more wobbly, but here are the recognisable blocks.

Recognised the image before I saw the caption! It's upside down as well as back to front.

@mangeurdpommes @Raspberry_Pi Ha in this case the white spots are just specks of dust on the substrate. Not planned, but maybe we should try shooting the laser at it!

@LennertWo @Raspberry_Pi ⚡️I though seeing Laser Fault Injection with illuminated spots on the die… Is it planned?

@overduedelta No, this picture is taken through the silicon substrate of the die (so the backside). I did have to remove some of the chip packaging to reach the backside.

@chriva404 @Raspberry_Pi This was specifically the RP2350B, but I assume all 4 options will have the same main die. The ones with flash included in the package probably have a separate flash die stacked inside the same package.

@LennertWo @Raspberry_Pi That's a LOT of memory cells. Is it the one with built-in flash?

Let's talk about some of the security features of the new @Raspberry_Pi RP2350, because they are 🔥🧵

The new @Raspberry_Pi RP2350 is here - and it comes with a ton of security features. We teamed up with @Raspberry_Pi to create the RP2350 Hacking Challenge: A microcontroller bug-bounty. Bypass secure-boot on the RP2350 and win $10,000. hextree.io/rp2350-hacking…