# NAVI I2C Sniff — Solution

## Overview

Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint.

## Steps

1. Connect:

```bash
nc <host> 3300
```

2. Scan the bus:

```
scan
```

Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC).

3. Read the temp sensor's hidden register:

```
read 0x48 0x07 16
```

Returns `key@0x60:0x10` — hint pointing to crypto IC register 0x10.

4. Try reading the crypto key:

```
read 0x60 0x10 32
```

Returns all zeros — the IC is locked.

5. Check lock status and unlock:

```
read 0x60 0x00 1       # Returns 0x01 (locked)
write 0x60 0x00 0xA5   # Unlock code
```

6. Read the XOR key:

```
read 0x60 0x10 32
```

Now returns the actual key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`

7. Read the EEPROM:

```
read 0x50 0x00 64
```

Returns XOR-encrypted data.

8. XOR decrypt EEPROM data with the key to get the flag.

## Key Concepts

- **I2C bus scanning**: Enumerate devices by sending start conditions to all 7-bit addresses
- **Multi-device interaction**: Information from one device unlocks another
- **Access control**: The crypto IC requires an unlock sequence before revealing the key
- **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM