ESPILON-CTF-2026-Writeups/Hardware/NAVI_I2C_Sniff/README.md

NAVI I2C Sniff — Solution

Overview

Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint.

Steps

1. Connect:

nc <host> 3300

2. Scan the bus:

scan

Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC).

3. Read the temp sensor's hidden register:

read 0x48 0x07 16

Returns key@0x60:0x10 — hint pointing to crypto IC register 0x10.

4. Try reading the crypto key:

read 0x60 0x10 32

Returns all zeros — the IC is locked.

5. Check lock status and unlock:

read 0x60 0x00 1       # Returns 0x01 (locked)
write 0x60 0x00 0xA5   # Unlock code

6. Read the XOR key:

read 0x60 0x10 32

Now returns the actual key: NAVI_WIRED_I2C_CRYPTO_KEY_2024!!

7. Read the EEPROM:

read 0x50 0x00 64

Returns XOR-encrypted data.

8. XOR decrypt EEPROM data with the key to get the flag.

Key Concepts

• I2C bus scanning: Enumerate devices by sending start conditions to all 7-bit addresses
• Multi-device interaction: Information from one device unlocks another
• Access control: The crypto IC requires an unlock sequence before revealing the key
• XOR encryption: Simple symmetric cipher used for data at rest in EEPROM