6a0877384d
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1, Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/ - Sync 24 solve/ files from main CTF-Espilon repo - Update all READMEs with real CTFd final scores at freeze - Add git-header.png banner - Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards, 1344 solves), correct freeze date March 26 2026
1.3 KiB
1.3 KiB
Wired SPI Exfil — Solution
Overview
Simulated SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read chip contents. A hidden partition not listed in the normal partition table contains the XOR-encrypted flag. The SFDP table has vendor-specific parameters that reveal the hidden sector.
Steps
- Connect and assert CS:
nc <host> 3500
cs 0
- Read chip ID:
tx 9F
Returns EF 40 18 = Winbond W25Q128.
- Read the SFDP table to discover hidden sectors:
tx 5A 00 00 00 00
SFDP header shows 2 parameter tables. Read vendor table at offset 0x80:
tx 5A 00 00 80 00
Vendor data shows a hidden partition at 0x030000 labeled "HIDDEN".
- Read the hidden partition:
tx 03 03 00 00
Data starts with WIRED_HIDDEN_PARTITION header, followed by encrypted bytes.
- XOR the encrypted data with key
WIRED_SPIto get the flag.
Key Concepts
- SPI flash commands: Standard opcodes (RDID, READ, SFDP) work across most flash chips
- SFDP: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
- Hidden partitions: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
- Data at rest encryption: Simple XOR protection on stored secrets