diff --git a/Hardware/Serial_Experimental_00/README.md b/Hardware/Serial_Experimental_00/README.md index 74d1825..a9cef55 100644 --- a/Hardware/Serial_Experimental_00/README.md +++ b/Hardware/Serial_Experimental_00/README.md @@ -1,24 +1,63 @@ -# Serial Experimental 00 -- Solution +# Serial Experimental 00 -## Overview +| Field | Value | +|-------|-------| +| Category | Hardware | +| Difficulty | Easy | +| Points | 150 | +| Author | Eun0us | +| CTF | Espilon 2026 | -The challenge provides a split UART interface: +--- -- TX (read): `1111` -- RX (write): `2222` +## Description -Goal: recover token and run `unlock `. +You gained access to a split UART debug interface from a WIRED-MED prototype. -## Steps +- TX (read): `tcp/:1111` +- RX (write): `tcp/:2222` -1. Open both channels: +Investigate serial diagnostics, recover the maintenance token, then unlock the node. + +Format: **ESPILON{...}** + +--- + +## TL;DR + +Connect to the split UART interface. Query `diag.uart`, `diag.eeprom`, and `diag.order` +on the RX port. Decode three fragments (one is plain hex, one is XOR-obfuscated, one is +ASCII-encoded) and concatenate them to form the token `LAIN-SERIAL-00`. Submit with +`unlock LAIN-SERIAL-00` to receive the flag. + +--- + +## Tools + +| Tool | Purpose | +|------|---------| +| `nc` | Connect to TX and RX ports | +| Python 3 | XOR decoding of fragment B | + +--- + +## Solution + +### Step 1 — Open both channels ```bash +# Terminal 1 — read output (TX) nc 1111 + +# Terminal 2 — send commands (RX) nc 2222 ``` -2. Query diagnostics from RX: +> 📸 `[screenshot: two terminals open, TX showing boot messages and RX ready for input]` + +### Step 2 — Query the diagnostic commands + +In the RX terminal: ```text diag.uart @@ -26,20 +65,76 @@ diag.eeprom diag.order ``` -3. Recover fragments: +Watch the TX terminal for responses. -- `frag_a_hex=4c41494e` -> `LAIN` -- `frag_b_xor_hex=4056415a525f` with `xor_key=0x13` -> `SERIAL` -- `frag_c_hex=3030` -> `00` +### Step 3 — Recover the fragments -4. Build token: +Each diagnostic command returns a fragment: -`LAIN-SERIAL-00` +**Fragment A** — from `diag.uart`: -5. Unlock: +``` +frag_a_hex=4c41494e +``` + +Decode: `bytes.fromhex("4c41494e").decode()` → `LAIN` + +**Fragment B** — from `diag.eeprom`: + +``` +frag_b_xor_hex=4056415a525f +xor_key=0x13 +``` + +Decode: + +```python +data = bytes.fromhex("4056415a525f") +key = 0x13 +result = bytes(b ^ key for b in data) +print(result.decode()) # SERIAL +``` + +**Fragment C** — from `diag.order`: + +``` +frag_c_hex=3030 +``` + +Decode: `bytes.fromhex("3030").decode()` → `00` + +> 📸 `[screenshot: TX output showing all three fragment values from diagnostics]` + +### Step 4 — Build the maintenance token + +Concatenate in the order specified by `diag.order`: + +``` +LAIN + "-" + SERIAL + "-" + 00 = LAIN-SERIAL-00 +``` + +### Step 5 — Unlock the node + +In the RX terminal: ```text unlock LAIN-SERIAL-00 ``` -6. Flag is returned on TX. +The flag is returned on the TX terminal. + +> 📸 `[screenshot: TX terminal printing the flag after successful unlock]` + +### Key concepts + +- **Split UART**: TX and RX are on separate TCP ports — mirrors real hardware where TX/RX + lines are physically separated. You must open both simultaneously. +- **Hex encoding**: Raw bytes presented as hex strings are common in serial diagnostic outputs. +- **XOR obfuscation**: Fragment B uses a single-byte XOR key; knowing the key is trivial + once you have the hint. + +--- + +## Flag + +`ESPILON{l41n_s3r14l_3xp_00}`