Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a5f553a68
ESPILON-CTF-2026-Writeups/Hardware/Glitch_The_Wired/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

1.1 KiB
Raw Blame History

Glitch The Wired — Solution

Overview

Simulated voltage glitching attack on a WIRED-MED secure boot module. The goal is to inject a fault during the signature verification phase to bypass it and access the debug console.

Steps

  1. Connect to the glitch lab:
nc <host> 3700
  1. Observe the boot sequence:
observe

Note the cycle ranges — SIG_VERIFY runs at cycles 3200-3400.

  1. Configure glitch parameters:
set_delay 3300
set_width 20

The delay targets the middle of the SIG_VERIFY window. Width of 10-30 cycles works.

  1. Arm and trigger:
arm
trigger

If successful, the boot log shows "SIG_VERIFY ....... SKIPPED" and a debug shell activates.

  1. Read the debug console:
read_console

The flag is in the maintenance token output.

Key Concepts

  • Voltage glitching: Briefly disrupting power supply to cause CPU instruction skips
  • Secure boot bypass: Skipping signature verification allows unsigned code to run
  • Timing precision: The glitch must overlap with the target operation's execution window
  • Width matters: Too short = transient recovery, too wide = brown-out crash