write-up: Hardware/NAVI_I2C_Sniff/README.md

Hardware/NAVI_I2C_Sniff/README.md

@@ -1,69 +1,142 @@
-# NAVI I2C Sniff — Solution
+# NAVI I2C Sniff
 
-## Overview
+| Field | Value |
+|-------|-------|
+| Category | Hardware |
+| Difficulty | Medium-Hard |
+| Points | 500 |
+| Author | Eun0us |
+| CTF | Espilon 2026 |
 
-Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint.
+---
 
-## Steps
+## Description
 
-1. Connect:
+You have gained access to the I2C bus inside Lain's NAVI computer.
+Multiple devices are connected: an EEPROM, a temperature sensor, and a cryptographic IC.
+
+Scan the bus, probe each device, and recover the encrypted secret.
+
+- I2C Bus: `tcp/<host>:3300`
+
+Format: **ESPILON{...}**
+
+---
+
+## TL;DR
+
+Scan the I2C bus to find three devices. A hidden register in the temperature sensor
+points to the crypto IC. The crypto IC is locked — send the unlock code to reveal the XOR key.
+Use the key to decrypt the EEPROM contents and recover the flag.
+
+---
+
+## Tools
+
+| Tool | Purpose |
+|------|---------|
+| `nc` | Connect to the I2C bus interface |
+| Python 3 | XOR decryption |
+
+---
+
+## Solution
+
+### Step 1 — Connect
 
 ```bash
 nc <host> 3300
 ```
 
-2. Scan the bus:
+> 📸 `[screenshot: I2C bus interface prompt]`
 
-```
+### Step 2 — Scan the bus
+
+```text
 scan
 ```
 
-Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC).
-
-3. Read the temp sensor's hidden register:
+Discovers three devices:
 
 ```
+I2C Address 0x50  [EEPROM]
+I2C Address 0x48  [Temperature Sensor]
+I2C Address 0x60  [Crypto IC]
+```
+
+> 📸 `[screenshot: scan output listing three I2C devices]`
+
+### Step 3 — Read the temperature sensor's hidden register
+
+```text
 read 0x48 0x07 16
 ```
 
-Returns `key@0x60:0x10` — hint pointing to crypto IC register 0x10.
+Returns: `key@0x60:0x10` — a hint pointing to register 0x10 of the crypto IC at address 0x60.
 
-4. Try reading the crypto key:
+### Step 4 — Try reading the crypto IC (locked)
 
-```
+```text
 read 0x60 0x10 32
 ```
 
 Returns all zeros — the IC is locked.
 
-5. Check lock status and unlock:
+Check the lock status register:
 
-```
-read 0x60 0x00 1       # Returns 0x01 (locked)
-write 0x60 0x00 0xA5   # Unlock code
+```text
+read 0x60 0x00 1
 ```
 
-6. Read the XOR key:
+Returns `0x01` (locked).
 
+### Step 5 — Unlock the crypto IC
+
+Send the unlock code `0xA5` to the control register:
+
+```text
+write 0x60 0x00 0xA5
 ```
+
+### Step 6 — Read the XOR key
+
+```text
 read 0x60 0x10 32
 ```
 
-Now returns the actual key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`
+Now returns the actual 32-byte key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`
 
-7. Read the EEPROM:
+> 📸 `[screenshot: crypto IC returning the key after unlock]`
 
-```
+### Step 7 — Read the EEPROM
+
+```text
 read 0x50 0x00 64
 ```
 
-Returns XOR-encrypted data.
+Returns XOR-encrypted data as a hex string.
 
-8. XOR decrypt EEPROM data with the key to get the flag.
+### Step 8 — Decrypt the flag
 
-## Key Concepts
+```python
+eeprom_hex = "..."  # hex from read 0x50
+key = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"
+enc = bytes.fromhex(eeprom_hex)
+flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
+print(flag.rstrip(b'\x00').decode())
+```
 
-- **I2C bus scanning**: Enumerate devices by sending start conditions to all 7-bit addresses
-- **Multi-device interaction**: Information from one device unlocks another
-- **Access control**: The crypto IC requires an unlock sequence before revealing the key
+> 📸 `[screenshot: Python decryption script printing the flag]`
+
+### Key concepts
+
+- **I2C bus scanning**: Enumerate devices by probing every 7-bit address (0x00–0x7F)
+- **Multi-device interaction**: Data from one device (temp sensor hint) unlocks another (crypto IC)
+- **Access control**: The crypto IC requires an unlock sequence before revealing its key register
 - **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM
+
+---
+
+## Flag
+
+`ESPILON{n4v1_12c_bus_mast3r}`