Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a5f553a68
ESPILON-CTF-2026-Writeups/Hardware/NAVI_I2C_Sniff/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

1.3 KiB
Raw Blame History

NAVI I2C Sniff — Solution

Overview

Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint.

Steps

  1. Connect:
nc <host> 3300
  1. Scan the bus:
scan

Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC).

  1. Read the temp sensor's hidden register:
read 0x48 0x07 16

Returns key@0x60:0x10 — hint pointing to crypto IC register 0x10.

  1. Try reading the crypto key:
read 0x60 0x10 32

Returns all zeros — the IC is locked.

  1. Check lock status and unlock:
read 0x60 0x00 1       # Returns 0x01 (locked)
write 0x60 0x00 0xA5   # Unlock code
  1. Read the XOR key:
read 0x60 0x10 32

Now returns the actual key: NAVI_WIRED_I2C_CRYPTO_KEY_2024!!

  1. Read the EEPROM:
read 0x50 0x00 64

Returns XOR-encrypted data.

  1. XOR decrypt EEPROM data with the key to get the flag.

Key Concepts

  • I2C bus scanning: Enumerate devices by sending start conditions to all 7-bit addresses
  • Multi-device interaction: Information from one device unlocks another
  • Access control: The crypto IC requires an unlock sequence before revealing the key
  • XOR encryption: Simple symmetric cipher used for data at rest in EEPROM