# Wired SPI Exfil — Solution

## Overview

Simulated SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read chip contents. A hidden partition not listed in the normal partition table contains the XOR-encrypted flag. The SFDP table has vendor-specific parameters that reveal the hidden sector.

## Steps

1. Connect and assert CS:

   ```bash
   nc 3500
   cs 0
   ```

2. Read chip ID:

   ```
   tx 9F
   ```

   Returns `EF 40 18` = Winbond W25Q128.

3. Read the SFDP table to discover hidden sectors:

   ```
   tx 5A 00 00 00 00
   ```

   SFDP header shows 2 parameter tables. Read vendor table at offset 0x80:

   ```
   tx 5A 00 00 80 00
   ```

   Vendor data shows a hidden partition at `0x030000` labeled "HIDDEN".

4. Read the hidden partition:

   ```
   tx 03 03 00 00
   ```

   Data starts with `WIRED_HIDDEN_PARTITION` header, followed by encrypted bytes.

5. XOR the encrypted data with key `WIRED_SPI` to get the flag.

## Key Concepts

- **SPI flash commands**: Standard opcodes (RDID, READ, SFDP) work across most flash chips
- **SFDP**: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
- **Hidden partitions**: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
- **Data at rest encryption**: Simple XOR protection on stored secrets
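
The SFDP header read in step 3 can be walked programmatically to list every parameter table and the read command that fetches it. This is an added example, not part of the original solution; it assumes the simulated chip follows the JEDEC JESD216 header layout, the sample bytes are constructed, and the names `parse_sfdp_header` and `sfdp_read_command` are hypothetical.

```python
# Added example: SFDP header walk, assuming the JESD216 layout.
SAMPLE = ("53 46 44 50 06 01 01 FF "   # constructed: "SFDP", rev 1.6, NPH=1
          "00 06 01 10 30 00 00 FF "   # constructed: table ID 00 at 0x000030
          "EF 00 01 04 80 00 00 FF")   # constructed: table ID EF at 0x000080


def parse_sfdp_header(data, mfr_id):
    """Return one dict per parameter table announced in the SFDP header.

    mfr_id is the first RDID byte; treating a table whose ID equals it as
    the vendor table is an assumption of this example.
    """
    if len(data) < 8 or data[:4] != b"SFDP":
        raise ValueError("missing SFDP signature")
    count = data[6] + 1                      # NPH field is zero-based
    if len(data) < 8 + 8 * count:
        raise ValueError("short read: need %d bytes" % (8 + 8 * count))
    tables = []
    for i in range(count):
        hdr = data[8 + 8 * i:16 + 8 * i]     # 8-byte parameter header
        tables.append({
            "id": hdr[0],
            "revision": (hdr[2], hdr[1]),    # (major, minor)
            "length_bytes": hdr[3] * 4,      # length field counts DWORDs
            "pointer": int.from_bytes(hdr[4:7], "little"),
            "vendor": hdr[0] == mfr_id,
        })
    return tables


def sfdp_read_command(offset):
    """Console line for Read SFDP: 5A, 24-bit address MSB first, one dummy byte."""
    return "tx 5A %02X %02X %02X 00" % (
        (offset >> 16) & 0xFF, (offset >> 8) & 0xFF, offset & 0xFF)


if __name__ == "__main__":
    for t in parse_sfdp_header(bytes.fromhex(SAMPLE), mfr_id=0xEF):
        kind = "vendor" if t["vendor"] else "JEDEC/other"
        print("id=%02X %-11s len=%3d  %s" % (
            t["id"], kind, t["length_bytes"], sfdp_read_command(t["pointer"])))
```

Firmware reviewers can use the same walk to confirm that every table a chip advertises is accounted for in the documented partition layout.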