Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3a5f553a68
ESPILON-CTF-2026-Writeups/Hardware/Wired_SPI_Exfil/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup 
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

1.3 KiB
Raw Blame History

Wired SPI Exfil — Solution

Overview

Simulated SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read chip contents. A hidden partition not listed in the normal partition table contains the XOR-encrypted flag. The SFDP table has vendor-specific parameters that reveal the hidden sector.

Steps

  1. Connect and assert CS:
nc <host> 3500
cs 0
  1. Read chip ID:
tx 9F

Returns EF 40 18 = Winbond W25Q128.

  1. Read the SFDP table to discover hidden sectors:
tx 5A 00 00 00 00

SFDP header shows 2 parameter tables. Read vendor table at offset 0x80:

tx 5A 00 00 80 00

Vendor data shows a hidden partition at 0x030000 labeled "HIDDEN".

  1. Read the hidden partition:
tx 03 03 00 00

Data starts with WIRED_HIDDEN_PARTITION header, followed by encrypted bytes.

  1. XOR the encrypted data with key WIRED_SPI to get the flag.

Key Concepts

  • SPI flash commands: Standard opcodes (RDID, READ, SFDP) work across most flash chips
  • SFDP: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
  • Hidden partitions: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
  • Data at rest encryption: Simple XOR protection on stored secrets