stacksmashing
@stacksmashing.bsky.social
Security researcher with a focus on hardware & firmware. I occasionally publish stuff on YouTube. Co-founder of
hextree.io. Contact: [email protected]
hextree.io. Contact: [email protected]
Yep, just a very simple nRF52840 BLE sniffer :)
February 5, 2026 at 10:50 PM
Yep, just a very simple nRF52840 BLE sniffer :)
Fancy, the board-house sent me x-rays of my PCBs!
February 5, 2026 at 6:03 PM
Fancy, the board-house sent me x-rays of my PCBs!
We were able to find some minor correlations, but by far not enough to leak the key successfully.
If you think you found something - even if it's not a full attack - send an e-mail, it's about making the implementation more secure, not about building the best attack.🛡️
If you think you found something - even if it's not a full attack - send an e-mail, it's about making the implementation more secure, not about building the best attack.🛡️
February 3, 2026 at 5:54 PM
We were able to find some minor correlations, but by far not enough to leak the key successfully.
If you think you found something - even if it's not a full attack - send an e-mail, it's about making the implementation more secure, not about building the best attack.🛡️
If you think you found something - even if it's not a full attack - send an e-mail, it's about making the implementation more secure, not about building the best attack.🛡️
My first post on the RaspberryPi Blog 😍
We've extended the RP2350 side-channel hacking challenge to April 30 - and even better: To make attacks for the challenge easier, we decided to disable the random chaffing and some more mitigations!
www.raspberrypi.com/news/rp2350-...
We've extended the RP2350 side-channel hacking challenge to April 30 - and even better: To make attacks for the challenge easier, we decided to disable the random chaffing and some more mitigations!
www.raspberrypi.com/news/rp2350-...
RP2350 Hacking Challenge 2: Less randomisation, more correlation - Raspberry Pi
Our second RP2350 Hacking Challenge has evolved, with prize money still up for grabs.
www.raspberrypi.com
February 3, 2026 at 5:53 PM
My first post on the RaspberryPi Blog 😍
We've extended the RP2350 side-channel hacking challenge to April 30 - and even better: To make attacks for the challenge easier, we decided to disable the random chaffing and some more mitigations!
www.raspberrypi.com/news/rp2350-...
We've extended the RP2350 side-channel hacking challenge to April 30 - and even better: To make attacks for the challenge easier, we decided to disable the random chaffing and some more mitigations!
www.raspberrypi.com/news/rp2350-...
The one on the stands is just a random QFP carrier i had on my desk - the one on the bottom is my PCBite plate :)
February 1, 2026 at 1:12 PM
The one on the stands is just a random QFP carrier i had on my desk - the one on the bottom is my PCBite plate :)
Yeah I have a script that takes multiple dumps and then creates one "true" dump with the most likely bytes from multiple dumps.
It also logs out outliers which is helpful!
It also logs out outliers which is helpful!
January 29, 2026 at 8:40 AM
Yeah I have a script that takes multiple dumps and then creates one "true" dump with the most likely bytes from multiple dumps.
It also logs out outliers which is helpful!
It also logs out outliers which is helpful!
The PCB is suuuper sensitive. I ripped off three pads so far... To get to chip-select I had to solder onto the tiny tiny tiny via barrel😵💫
January 28, 2026 at 8:25 PM
The PCB is suuuper sensitive. I ripped off three pads so far... To get to chip-select I had to solder onto the tiny tiny tiny via barrel😵💫
9d3e36fc632d77f24c810cb89892dd1959dfb05b output.bin
(Created from multiple dumps, something is messing with the signal)
(Created from multiple dumps, something is messing with the signal)
January 28, 2026 at 8:01 PM
9d3e36fc632d77f24c810cb89892dd1959dfb05b output.bin
(Created from multiple dumps, something is messing with the signal)
(Created from multiple dumps, something is messing with the signal)
For those playing along at home: Preliminary flash pin-out!
13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS
13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS
January 28, 2026 at 1:23 PM
For those playing along at home: Preliminary flash pin-out!
13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS
13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS
Pulled off the flash and soldered on some magnet-wire on all of the pins to get a decent pin-out. This stuff is smol! 🤏
January 28, 2026 at 1:22 PM
Pulled off the flash and soldered on some magnet-wire on all of the pins to get a decent pin-out. This stuff is smol! 🤏
Numbered the test-pins on the back of the device - let's try to document the signals!
January 28, 2026 at 12:11 PM
Numbered the test-pins on the back of the device - let's try to document the signals!
But there's at least something to dump - the SPI flash chip seems to be a Winbond W25Q64
January 28, 2026 at 12:03 PM
But there's at least something to dump - the SPI flash chip seems to be a Winbond W25Q64
Apple proprietary 339M00340
January 28, 2026 at 12:00 PM
Apple proprietary 339M00340
Now interestingly this chip variant - CKABD0 - does not appear in the official datasheet.
Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0
Likely that this version has enhanced AP protection 😭
Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0
Likely that this version has enhanced AP protection 😭
January 28, 2026 at 11:58 AM
Now interestingly this chip variant - CKABD0 - does not appear in the official datasheet.
Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0
Likely that this version has enhanced AP protection 😭
Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0
Likely that this version has enhanced AP protection 😭
Now, the question we've all been wondering: Which microcontroller did they use this time?
It's the NRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!
Time to dive in!
It's the NRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!
Time to dive in!
January 28, 2026 at 11:45 AM
Now, the question we've all been wondering: Which microcontroller did they use this time?
It's the NRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!
Time to dive in!
It's the NRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!
Time to dive in!
On the other side we have again have a plastic cover - and we can already see the UWB shine through (the silver thing) and a nice antenna connection!
January 28, 2026 at 11:41 AM
On the other side we have again have a plastic cover - and we can already see the UWB shine through (the silver thing) and a nice antenna connection!
Not much new on the backside! The accelerometer (black blob on top) seems to still be there, and otherwise just caps.. And a lot of test-points that look quite similar to the ones from the first AirTag (see second picture of the first generation by Colin O'Flynn)
January 28, 2026 at 11:39 AM
Not much new on the backside! The accelerometer (black blob on top) seems to still be there, and otherwise just caps.. And a lot of test-points that look quite similar to the ones from the first AirTag (see second picture of the first generation by Colin O'Flynn)
The new AirTags 2 just arrived!
Time to take them apart 🧵
Time to take them apart 🧵
January 28, 2026 at 11:34 AM
The new AirTags 2 just arrived!
Time to take them apart 🧵
Time to take them apart 🧵
The last thing the chip sees before JTAG gets re-enabled
a young boy with curly hair is wearing sunglasses and a striped shirt .
ALT: a young boy with curly hair is wearing sunglasses and a striped shirt .
media.tenor.com
December 28, 2025 at 2:25 PM
The last thing the chip sees before JTAG gets re-enabled
Laser fault-injection drip just dropped
December 28, 2025 at 2:21 PM
Laser fault-injection drip just dropped
Also, if you are interested in trying the second @Raspberry_Pi Hacking Challenge hit me up - I have some target boards with me!
www.hextree.io/rp2350-hacki...
www.hextree.io/rp2350-hacki...
RP2350 Hacking Challenge 2
The RP2350 Security Playground allows testing hardware attacks against the RP2350, and demonstrates security features such as the Glitch Detector, OTP security, the RCP and more...
www.hextree.io
December 27, 2025 at 12:07 PM
Also, if you are interested in trying the second @Raspberry_Pi Hacking Challenge hit me up - I have some target boards with me!
www.hextree.io/rp2350-hacki...
www.hextree.io/rp2350-hacki...