For anyone who enjoys hardware CTFs and low-level reversing/exploitation, we’ve published the first public challenge from HC0N CTF 2026. It focuses on RP2350 (RISC-V) firmware exploitation (think classic stuff like stack buffer overflows, etc.).
Write-ups are here:
We even had to add Ghidra support since the firmware wouldn’t disassemble out of the box 
By the way, @ian I’m working on something similar for the Bus Pirate v5 & v6! I’ll keep you posted on the forum it’s going to be super cool.
Wow, very cool! You’ve been busy!
thx @ian , that’s been one of the reasons I’ve been a bit absent lately. Now I finally have some free time and I can wrap up pending things I want to do with the Bus Pirate. Honestly, prepping, soldering, and doing QA on hundreds of CTF boards has been a pain in the ass.
We could have done that for you guys. No markup beyond transfer fees, maybe a logo on the board if everyone agrees. Let us know if you want batch assembly of small devices. Quantity not important other than impact on unit cost.
I flashed onto an RP2350 (Pico2). Lowest-difficulty challenge worked fine, but the second-lowest made me wonder. Did the boards at the conference have LEDs and switches hooked up somewhere, or is it expected that folks will hookup scope / logic analyzers / their own resistor+LED (Yes, I’m making some assumptions about the second flag.)
Thanks!
How awesome! I didn’t expect anyone to actually go and do that hehe. It’s a challenge where reversing(ghidra/IDA) + exploiting is the most important part. On the CTF PCB there’s an SMD LED on GPIO 25, I’m going to add that to the GitHub…
@Dreg FYI … I’m also really appreciative of the writeup on how to get Ghidra to behave with the RP2350 / RISC-V, especially the SVD loader. That’s gold right there!
You know what’s funniest about this? I built the whole challenge, firmware, the CTF website… absolutely everything
I wrote the exploits, I wrote the payloads in RISC-V ASM to make sure everything was viable and actually worked… and then, when the contest was getting close, I opened the firmware in Ghidra with a friend to gauge the difficulty with someone who didn’t know what the challenge was about, and JESUS…
So many instructions couldn’t even be disassembled in Ghidra. Broken disassembly… insane.
And of course I’m not going to make people provide support for a brand-new microcontroller, so we decided to create the support ourselves so it could disassemble everything and also… decompile it (which is a whole other ordeal 
).
CTF web:
The NSA Ghidra contribution (b1n4ri0):
