# Wired SPI Exfil — Solution

## Overview

The challenge simulates an SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read the chip contents. A hidden partition that is not listed in the normal partition table contains the XOR-encrypted flag, and the vendor-specific parameters in the SFDP table reveal the hidden sector.

## Steps

1. Connect and assert CS:

```bash
nc <host> 3500
cs 0
```

2. Read chip ID:

```
tx 9F
```

Returns `EF 40 18` = Winbond W25Q128.

3. Read the SFDP table to discover hidden sectors:

```
tx 5A 00 00 00 00
```

The SFDP header shows 2 parameter tables. Read the vendor table at offset 0x80:

```
tx 5A 00 00 80 00
```

The vendor data shows a hidden partition at `0x030000` labeled "HIDDEN".

4. Read the hidden partition:

```
tx 03 03 00 00
```

The data starts with a `WIRED_HIDDEN_PARTITION` header, followed by the encrypted bytes.

5. XOR the encrypted data with key `WIRED_SPI` to get the flag.

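Steps 3 to 5 can be checked offline with the sketch below, which is an added example and not part of the original solution. It assumes the simulator answers `tx` with space-separated hex bytes, that its SFDP header follows the JESD216 layout, and that the ciphertext starts right after the marker with the key aligned to its first byte; all sample data is constructed.

```python
from itertools import cycle

MARKER = b"WIRED_HIDDEN_PARTITION"  # header named in step 4
KEY = b"WIRED_SPI"                  # XOR key named in step 5

def parse_hex(resp: str) -> bytes:
    """Turn a space-separated hex response such as 'EF 40 18' into bytes."""
    return bytes.fromhex(resp)

def sfdp_tables(sfdp: bytes):
    """Return (id_lsb, length_in_bytes, pointer) for each parameter header."""
    if len(sfdp) < 8 or sfdp[:4] != b"SFDP":
        raise ValueError("missing SFDP signature")
    tables = []
    for i in range(sfdp[6] + 1):                      # NPH field is zero-based
        hdr = sfdp[8 + 8 * i : 16 + 8 * i]
        if len(hdr) < 8:
            raise ValueError("response ends inside the parameter headers")
        pointer = int.from_bytes(hdr[4:7], "little")  # 24-bit table address
        tables.append((hdr[0], hdr[3] * 4, pointer))  # length field is in DWORDs
    return tables

def xor_key(data: bytes) -> bytes:
    """XOR data with the repeating key (the same call encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(KEY)))

def decode_partition(dump: bytes) -> bytes:
    """Check the marker, drop erased-flash padding, and decrypt the rest."""
    if not dump.startswith(MARKER):
        raise ValueError("hidden-partition marker not found")
    # Assumption: unused bytes read back as 0xFF. ASCII plaintext XOR an ASCII
    # key never yields 0xFF, so stripping cannot remove ciphertext here.
    return xor_key(dump[len(MARKER):].rstrip(b"\xff"))

# Constructed sample data (not captured from the challenge service).
SAMPLE_SFDP = ("53 46 44 50 06 01 01 FF "   # signature, revision, NPH=1, protocol
               "00 06 01 10 30 00 00 FF "   # JEDEC basic table at 0x000030
               "EF 00 01 04 80 00 00 FF")   # vendor table at 0x000080
SAMPLE_DUMP = MARKER + xor_key(b"FLAG{constructed_example}") + b"\xff" * 8

if __name__ == "__main__":
    for ident, size, ptr in sfdp_tables(parse_hex(SAMPLE_SFDP)):
        print(f"table id 0x{ident:02X}: {size} bytes at 0x{ptr:06X}")
    print(decode_partition(SAMPLE_DUMP).decode())
```
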
## Key Concepts

- **SPI flash commands**: Standard opcodes (RDID, READ, SFDP) work across most flash chips
- **SFDP**: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
- **Hidden partitions**: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
- **Data at rest encryption**: Simple XOR protection on stored secrets