stacksmashing @stacksmashing

Yep, just a very simple nRF52840 BLE sniffer :)

05.02.2026 22:50 — 👍 1 🔁 0 💬 0 📌 0

Fancy, the board-house sent me x-rays of my PCBs!

05.02.2026 18:03 — 👍 22 🔁 0 💬 1 📌 0

We were able to find some minor correlations, but by far not enough to leak the key successfully.

If you think you found something - even if it's not a full attack - send an e-mail, it's about making the implementation more secure, not about building the best attack.🛡️

03.02.2026 17:54 — 👍 8 🔁 0 💬 0 📌 0

RP2350 Hacking Challenge 2: Less randomisation, more correlation - Raspberry Pi Our second RP2350 Hacking Challenge has evolved, with prize money still up for grabs.

My first post on the RaspberryPi Blog 😍

We've extended the RP2350 side-channel hacking challenge to April 30 - and even better: To make attacks for the challenge easier, we decided to disable the random chaffing and some more mitigations!

www.raspberrypi.com/news/rp2350-...

03.02.2026 17:53 — 👍 20 🔁 1 💬 1 📌 0

The one on the stands is just a random QFP carrier i had on my desk - the one on the bottom is my PCBite plate :)

01.02.2026 13:12 — 👍 2 🔁 0 💬 0 📌 0

flashfixer.py GitHub Gist: instantly share code, notes, and snippets.

gist.github.com/nezza/3841f9...

29.01.2026 11:27 — 👍 2 🔁 1 💬 0 📌 0

Yeah I have a script that takes multiple dumps and then creates one "true" dump with the most likely bytes from multiple dumps.

It also logs out outliers which is helpful!

29.01.2026 08:40 — 👍 3 🔁 0 💬 1 📌 0

The PCB is suuuper sensitive. I ripped off three pads so far... To get to chip-select I had to solder onto the tiny tiny tiny via barrel😵‍💫

28.01.2026 20:25 — 👍 9 🔁 0 💬 0 📌 0

9d3e36fc632d77f24c810cb89892dd1959dfb05b output.bin

(Created from multiple dumps, something is messing with the signal)

28.01.2026 20:01 — 👍 19 🔁 2 💬 5 📌 0

lfg

28.01.2026 17:25 — 👍 17 🔁 0 💬 1 📌 0

Pokey dokey

28.01.2026 17:24 — 👍 15 🔁 0 💬 2 📌 0

For those playing along at home: Preliminary flash pin-out!

13 - SPI Flash CLK
16 - SPI Flash DI / MOSI
18 - SPI Flash DO / MISO
19 - SPI Flash VCC
20 - SPI Flash CS

28.01.2026 13:23 — 👍 26 🔁 1 💬 2 📌 1

Pulled off the flash and soldered on some magnet-wire on all of the pins to get a decent pin-out. This stuff is smol! 🤏

28.01.2026 13:22 — 👍 20 🔁 0 💬 1 📌 0

Numbered the test-pins on the back of the device - let's try to document the signals!

28.01.2026 12:11 — 👍 19 🔁 0 💬 1 📌 0

But there's at least something to dump - the SPI flash chip seems to be a Winbond W25Q64

28.01.2026 12:03 — 👍 21 🔁 0 💬 2 📌 0

Apple proprietary 339M00340

28.01.2026 12:00 — 👍 2 🔁 0 💬 0 📌 0

Now interestingly this chip variant - CKABD0 - does not appear in the official datasheet.

Package variant: CK (WLCSP)
Function variant: AB - not listed in the datasheet
Hardware revision: D
Production device identifier: 0

Likely that this version has enhanced AP protection 😭

28.01.2026 11:57 — 👍 18 🔁 0 💬 1 📌 0

Now, the question we've all been wondering: Which microcontroller did they use this time?

It's the NRF52840 - a chip very similar to the one in the first AirTag - and that, at least in earlier revisions, is vulnerable to the same fault-injection attack!

Time to dive in!

28.01.2026 11:45 — 👍 29 🔁 3 💬 4 📌 0

On the other side we have again have a plastic cover - and we can already see the UWB shine through (the silver thing) and a nice antenna connection!

28.01.2026 11:41 — 👍 17 🔁 0 💬 2 📌 0

Not much new on the backside! The accelerometer (black blob on top) seems to still be there, and otherwise just caps.. And a lot of test-points that look quite similar to the ones from the first AirTag (see second picture of the first generation by Colin O'Flynn)

28.01.2026 11:38 — 👍 20 🔁 0 💬 1 📌 0

28.01.2026 11:36 — 👍 14 🔁 0 💬 1 📌 0

The new AirTags 2 just arrived!

Time to take them apart 🧵

28.01.2026 11:34 — 👍 145 🔁 30 💬 4 📌 1

a young boy with curly hair is wearing sunglasses and a striped shirt . ALT: a young boy with curly hair is wearing sunglasses and a striped shirt .

The last thing the chip sees before JTAG gets re-enabled

28.12.2025 14:25 — 👍 8 🔁 0 💬 0 📌 0

Pink laser safety glasses

Laser fault-injection drip just dropped

28.12.2025 14:21 — 👍 11 🔁 0 💬 3 📌 0

RP2350 Hacking Challenge 2 The RP2350 Security Playground allows testing hardware attacks against the RP2350, and demonstrates security features such as the Glitch Detector, OTP security, the RCP and more...

Also, if you are interested in trying the second @Raspberry_Pi Hacking Challenge hit me up - I have some target boards with me!
www.hextree.io/rp2350-hacki...

27.12.2025 12:07 — 👍 4 🔁 0 💬 0 📌 0

En route to #39c3 - come to our talk at 4pm!

I will only be there today and tomorrow, but happy to meet-up & chat.

Also, if you are at #39c3 and often dump SPI flash-chips please let me know, I might have something for you that I'm looking for feedback on 🙂

27.12.2025 12:07 — 👍 18 🔁 0 💬 1 📌 0

Rust removal on Oldtimer

Work: Fix rust issues 🦀

Hobby: Fix rust issues 👨‍🏭

😭

18.12.2025 11:30 — 👍 21 🔁 0 💬 0 📌 0

Should be pushed :) thanks

17.09.2025 15:44 — 👍 0 🔁 0 💬 1 📌 0

Call for flash-chips at DEF CON!

If you have leftover or rare SPI flash-chips that I can have for testing some tooling I’m building I’d be very thankful.

Also if you have devices where you had trouble dumping in-system I’d love to give it a try. I’ll be at Embedded Systems Village :)

05.08.2025 20:49 — 👍 8 🔁 1 💬 0 📌 0

DigiKey goes brrrrrrrt

05.08.2025 20:38 — 👍 46 🔁 1 💬 2 📌 0

stacksmashing

Latest posts by stacksmashing.bsky.social on Bluesky

@stacksmashing is following 20 prominent accounts