6a0877384d
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1, Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/ - Sync 24 solve/ files from main CTF-Espilon repo - Update all READMEs with real CTFd final scores at freeze - Add git-header.png banner - Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards, 1344 solves), correct freeze date March 26 2026
54 lines
1.3 KiB
Markdown
54 lines
1.3 KiB
Markdown
# Wired SPI Exfil — Solution
|
|
|
|
## Overview
|
|
|
|
Simulated SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read chip contents. A hidden partition not listed in the normal partition table contains the XOR-encrypted flag. The SFDP table has vendor-specific parameters that reveal the hidden sector.
|
|
|
|
## Steps
|
|
|
|
1. Connect and assert CS:
|
|
|
|
```bash
|
|
nc <host> 3500
|
|
cs 0
|
|
```
|
|
|
|
2. Read chip ID:
|
|
|
|
```
|
|
tx 9F
|
|
```
|
|
|
|
Returns `EF 40 18` = Winbond W25Q128.
|
|
|
|
3. Read the SFDP table to discover hidden sectors:
|
|
|
|
```
|
|
tx 5A 00 00 00 00
|
|
```
|
|
|
|
SFDP header shows 2 parameter tables. Read vendor table at offset 0x80:
|
|
|
|
```
|
|
tx 5A 00 00 80 00
|
|
```
|
|
|
|
Vendor data shows a hidden partition at `0x030000` labeled "HIDDEN".
|
|
|
|
4. Read the hidden partition:
|
|
|
|
```
|
|
tx 03 03 00 00
|
|
```
|
|
|
|
Data starts with `WIRED_HIDDEN_PARTITION` header, followed by encrypted bytes.
|
|
|
|
5. XOR the encrypted data with key `WIRED_SPI` to get the flag.
|
|
|
|
## Key Concepts
|
|
|
|
- **SPI flash commands**: Standard opcodes (RDID, READ, SFDP) work across most flash chips
|
|
- **SFDP**: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
|
|
- **Hidden partitions**: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
|
|
- **Data at rest encryption**: Simple XOR protection on stored secrets
|