diff --git a/Hardware/NAVI_I2C_Sniff/README.md b/Hardware/NAVI_I2C_Sniff/README.md index 128025b..a827645 100644 --- a/Hardware/NAVI_I2C_Sniff/README.md +++ b/Hardware/NAVI_I2C_Sniff/README.md @@ -1,69 +1,142 @@ -# NAVI I2C Sniff — Solution +# NAVI I2C Sniff -## Overview +| Field | Value | +|-------|-------| +| Category | Hardware | +| Difficulty | Medium-Hard | +| Points | 500 | +| Author | Eun0us | +| CTF | Espilon 2026 | -Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint. +--- -## Steps +## Description -1. Connect: +You have gained access to the I2C bus inside Lain's NAVI computer. +Multiple devices are connected: an EEPROM, a temperature sensor, and a cryptographic IC. + +Scan the bus, probe each device, and recover the encrypted secret. + +- I2C Bus: `tcp/:3300` + +Format: **ESPILON{...}** + +--- + +## TL;DR + +Scan the I2C bus to find three devices. A hidden register in the temperature sensor +points to the crypto IC. The crypto IC is locked — send the unlock code to reveal the XOR key. +Use the key to decrypt the EEPROM contents and recover the flag. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| `nc` | Connect to the I2C bus interface | +| Python 3 | XOR decryption | + +--- + +## Solution + +### Step 1 — Connect ```bash nc 3300 ``` -2. Scan the bus: +> 📸 `[screenshot: I2C bus interface prompt]` -``` +### Step 2 — Scan the bus + +```text scan ``` -Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC). - -3. Read the temp sensor's hidden register: +Discovers three devices: ``` +I2C Address 0x50 [EEPROM] +I2C Address 0x48 [Temperature Sensor] +I2C Address 0x60 [Crypto IC] +``` + +> 📸 `[screenshot: scan output listing three I2C devices]` + +### Step 3 — Read the temperature sensor's hidden register + +```text read 0x48 0x07 16 ``` -Returns `key@0x60:0x10` — hint pointing to crypto IC register 0x10. +Returns: `key@0x60:0x10` — a hint pointing to register 0x10 of the crypto IC at address 0x60. -4. Try reading the crypto key: +### Step 4 — Try reading the crypto IC (locked) -``` +```text read 0x60 0x10 32 ``` Returns all zeros — the IC is locked. -5. Check lock status and unlock: +Check the lock status register: -``` -read 0x60 0x00 1 # Returns 0x01 (locked) -write 0x60 0x00 0xA5 # Unlock code +```text +read 0x60 0x00 1 ``` -6. Read the XOR key: +Returns `0x01` (locked). +### Step 5 — Unlock the crypto IC + +Send the unlock code `0xA5` to the control register: + +```text +write 0x60 0x00 0xA5 ``` + +### Step 6 — Read the XOR key + +```text read 0x60 0x10 32 ``` -Now returns the actual key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!` +Now returns the actual 32-byte key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!` -7. Read the EEPROM: +> 📸 `[screenshot: crypto IC returning the key after unlock]` -``` +### Step 7 — Read the EEPROM + +```text read 0x50 0x00 64 ``` -Returns XOR-encrypted data. +Returns XOR-encrypted data as a hex string. -8. XOR decrypt EEPROM data with the key to get the flag. +### Step 8 — Decrypt the flag -## Key Concepts +```python +eeprom_hex = "..." # hex from read 0x50 +key = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!" +enc = bytes.fromhex(eeprom_hex) +flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc)) +print(flag.rstrip(b'\x00').decode()) +``` -- **I2C bus scanning**: Enumerate devices by sending start conditions to all 7-bit addresses -- **Multi-device interaction**: Information from one device unlocks another -- **Access control**: The crypto IC requires an unlock sequence before revealing the key +> 📸 `[screenshot: Python decryption script printing the flag]` + +### Key concepts + +- **I2C bus scanning**: Enumerate devices by probing every 7-bit address (0x00–0x7F) +- **Multi-device interaction**: Data from one device (temp sensor hint) unlocks another (crypto IC) +- **Access control**: The crypto IC requires an unlock sequence before revealing its key register - **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM + +--- + +## Flag + +`ESPILON{n4v1_12c_bus_mast3r}`