6a0877384d
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1, Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/ - Sync 24 solve/ files from main CTF-Espilon repo - Update all READMEs with real CTFd final scores at freeze - Add git-header.png banner - Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards, 1344 solves), correct freeze date March 26 2026
55 lines
1.1 KiB
Markdown
55 lines
1.1 KiB
Markdown
# Glitch The Wired — Solution
|
|
|
|
## Overview
|
|
|
|
Simulated voltage glitching attack on a WIRED-MED secure boot module. The goal is to inject a fault during the signature verification phase to bypass it and access the debug console.
|
|
|
|
## Steps
|
|
|
|
1. Connect to the glitch lab:
|
|
|
|
```bash
|
|
nc <host> 3700
|
|
```
|
|
|
|
2. Observe the boot sequence:
|
|
|
|
```
|
|
observe
|
|
```
|
|
|
|
Note the cycle ranges — SIG_VERIFY runs at cycles 3200-3400.
|
|
|
|
3. Configure glitch parameters:
|
|
|
|
```
|
|
set_delay 3300
|
|
set_width 20
|
|
```
|
|
|
|
The delay targets the middle of the SIG_VERIFY window. Width of 10-30 cycles works.
|
|
|
|
4. Arm and trigger:
|
|
|
|
```
|
|
arm
|
|
trigger
|
|
```
|
|
|
|
If successful, the boot log shows "SIG_VERIFY ....... SKIPPED" and a debug shell activates.
|
|
|
|
5. Read the debug console:
|
|
|
|
```
|
|
read_console
|
|
```
|
|
|
|
The flag is in the maintenance token output.
|
|
|
|
## Key Concepts
|
|
|
|
- **Voltage glitching**: Briefly disrupting power supply to cause CPU instruction skips
|
|
- **Secure boot bypass**: Skipping signature verification allows unsigned code to run
|
|
- **Timing precision**: The glitch must overlap with the target operation's execution window
|
|
- **Width matters**: Too short = transient recovery, too wide = brown-out crash
|