Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

write-up: Hardware/Glitch_The_Wired/README.md

Browse Source
This commit is contained in:
Eun0us 2026-03-26 17:33:21 +00:00
parent 81660da817
commit 29bf05b250
1 changed files with 99 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
Hardware/Glitch_The_Wired/README.md
View File

@ -1,54 +1,131 @@
# Glitch The Wired — Solution # Glitch The Wired
## Overview | Field | Value |
|-------|-------|
| Category | Hardware |
| Difficulty | Medium-Hard |
| Points | 500 |
| Author | Eun0us |
| CTF | Espilon 2026 |
Simulated voltage glitching attack on a WIRED-MED secure boot module. The goal is to inject a fault during the signature verification phase to bypass it and access the debug console. ---
## Steps ## Description
1. Connect to the glitch lab: A WIRED-MED secure boot module is exposed on the lab bench.
You have access to the power rail and can inject voltage glitches to disrupt the boot process.
Find the right timing window to bypass signature verification and access the hidden debug console.
- Glitch Lab: `tcp/<host>:3700`
Format: **ESPILON{...}**
---
## TL;DR
Simulate a voltage glitching attack against a secure boot module. Observe the boot sequence
to identify the SIG_VERIFY timing window (cycles 32003400), configure glitch delay and width,
arm and trigger, then read the maintenance token from the unlocked debug console.
---
## Tools
| Tool | Purpose |
|------|---------|
| `nc` | Connect to the glitch lab interface |
| Python 3 | Automation and parameter sweep |
---
## Solution
### Step 1 — Connect
```bash ```bash
nc <host> 3700 nc <host> 3700
``` ```
2. Observe the boot sequence: > 📸 `[screenshot: glitch lab banner and prompt]`
``` ### Step 2 — Observe the boot sequence
```text
observe observe
``` ```
Note the cycle ranges — SIG_VERIFY runs at cycles 3200-3400. The output lists boot phases with their cycle ranges:
3. Configure glitch parameters:
``` ```
ROM_INIT [0 1000]
BOOTLOADER [1000 2000]
LOAD_FIRMWARE [2000 3200]
SIG_VERIFY [3200 3400] <-- target
LAUNCH_KERNEL [3400 5000]
```
The signature verification phase runs between cycles 3200 and 3400.
> 📸 `[screenshot: observe output showing all boot phases and cycle ranges]`
### Step 3 — Configure glitch parameters
Target the middle of the SIG_VERIFY window with a width of 20 cycles:
```text
set_delay 3300 set_delay 3300
set_width 20 set_width 20
``` ```
The delay targets the middle of the SIG_VERIFY window. Width of 10-30 cycles works. The width must be in the range 1030 cycles:
- Too short: transient recovery, CPU resumes normally
- Too wide: brown-out, system crashes
4. Arm and trigger: ### Step 4 — Arm and trigger
``` ```text
arm arm
trigger trigger
``` ```
If successful, the boot log shows "SIG_VERIFY ....... SKIPPED" and a debug shell activates. If the timing is correct, the boot log shows:
5. Read the debug console:
``` ```
ROM_INIT ......... OK
BOOTLOADER ......... OK
LOAD_FIRMWARE ......... OK
SIG_VERIFY ......... SKIPPED <-- glitch worked
LAUNCH_KERNEL ......... OK
[DEBUG SHELL ACTIVATED]
```
> 📸 `[screenshot: boot log showing SIG_VERIFY SKIPPED and debug shell prompt]`
### Step 5 — Read the maintenance token
```text
read_console read_console
``` ```
The flag is in the maintenance token output. The debug console outputs the maintenance token containing the flag.
## Key Concepts > 📸 `[screenshot: read_console output displaying the flag]`
- **Voltage glitching**: Briefly disrupting power supply to cause CPU instruction skips ### Key concepts
- **Secure boot bypass**: Skipping signature verification allows unsigned code to run
- **Timing precision**: The glitch must overlap with the target operation's execution window - **Voltage glitching**: Briefly disrupting the power supply causes the CPU to skip one or
- **Width matters**: Too short = transient recovery, too wide = brown-out crash more instructions, potentially jumping over security checks
- **Secure boot bypass**: The signature verification function is skipped entirely when the
glitch lands in its execution window
- **Timing precision**: The glitch must overlap with the target operation. Too early or too
late misses the window. The SIG_VERIFY window is only 200 cycles wide.
- **Width matters**: The fault pulse must be long enough to corrupt execution but short enough
that the regulator does not detect a brown-out and reset the chip
---
## Flag
`ESPILON{gl1tch_byp4ss_s3cur3_b00t}`