ESPILON-CTF-2026-Writeups/Hardware/NAVI_I2C_Sniff
Eun0us ac82d8367e Add 107 terminal screenshots and replace all 📸 placeholders
- Generated screenshots for all 33 challenges (ESP, Hardware, IoT, OT, Misc, Web3)
- Replaced all 123 placeholder lines with actual PNG image references
- Cleaned duplicate images from previously partial updates
- All write-ups now have full illustrated solutions
2026-03-27 00:34:47 +00:00

NAVI I2C Sniff

| Field      | Value        |
|------------|--------------|
| Category   | Hardware     |
| Difficulty | Medium-Hard  |
| Points     | 500          |
| Author     | Eun0us       |
| CTF        | Espilon 2026 |

Description

You have gained access to the I2C bus inside Lain's NAVI computer. Multiple devices are connected: an EEPROM, a temperature sensor, and a cryptographic IC.

Scan the bus, probe each device, and recover the encrypted secret.

  • I2C Bus: tcp/<host>:3300

Format: ESPILON{...}


TL;DR

Scan the I2C bus to find three devices. A hidden register in the temperature sensor points to the crypto IC. The crypto IC is locked — send the unlock code to reveal the XOR key. Use the key to decrypt the EEPROM contents and recover the flag.


Tools

| Tool     | Purpose                          |
|----------|----------------------------------|
| nc       | Connect to the I2C bus interface |
| Python 3 | XOR decryption                   |

Solution

[Screenshot: sigrok I2C decode output showing flag bytes]

Step 1 — Connect

nc <host> 3300

[Screenshot: I2C bus interface prompt]

Step 2 — Scan the bus

scan

Discovers three devices:

I2C Address 0x50  [EEPROM]
I2C Address 0x48  [Temperature Sensor]
I2C Address 0x60  [Crypto IC]

[Screenshot: scan output listing three I2C devices]

Step 3 — Read the temperature sensor's hidden register

read 0x48 0x07 16

Returns: key@0x60:0x10 — a hint pointing to register 0x10 of the crypto IC at address 0x60.

Step 4 — Try reading the crypto IC (locked)

read 0x60 0x10 32

Returns all zeros — the IC is locked.

Check the lock status register:

read 0x60 0x00 1

Returns 0x01 (locked).

Step 5 — Unlock the crypto IC

Send the unlock code 0xA5 to the control register:

write 0x60 0x00 0xA5

Step 6 — Read the XOR key

read 0x60 0x10 32

Now returns the actual 32-byte key: NAVI_WIRED_I2C_CRYPTO_KEY_2024!!

[Screenshot: crypto IC returning the key after unlock]

Step 7 — Read the EEPROM

read 0x50 0x00 64

Returns XOR-encrypted data as a hex string.

Step 8 — Decrypt the flag

eeprom_hex = "..."  # hex from read 0x50
key = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"
enc = bytes.fromhex(eeprom_hex)
flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
print(flag.rstrip(b'\x00').decode())

[Screenshot: Python decryption script printing the flag]
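
Steps 2 to 8 replayed end to end against an offline model of the bus (an added example, not the challenge's server code or the author's script). `SimBus`, the zero-padded EEPROM image and the status value 0x00 after unlock are assumptions; the addresses, registers, unlock code, key and flag are the write-up's values. The `trace` list records every transaction a passive observer of the bus would capture.

```python
# Added example: offline model of the bus described in the write-up.
# SimBus, the EEPROM image layout and the post-unlock status 0x00 are assumptions.
KEY = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"
FLAG = b"ESPILON{n4v1_12c_bus_mast3r}"

def xor(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class SimBus:
    def __init__(self):
        self.trace = []   # what a passive sniffer on SDA/SCL would capture
        self.mem = {
            0x50: bytearray(xor(FLAG.ljust(64, b"\x00"), KEY)),        # EEPROM
            0x48: bytearray(7) + bytearray(b"key@0x60:0x10".ljust(16, b"\x00")),
            0x60: bytearray([0x01]) + bytearray(15) + bytearray(KEY),  # crypto IC
        }

    def scan(self):
        return sorted(self.mem)

    def read(self, addr, reg, n):
        # While the status byte is 0x01, the key register reads back as zeros.
        locked = addr == 0x60 and reg >= 0x10 and self.mem[0x60][0] == 0x01
        data = bytes(n) if locked else bytes(self.mem[addr][reg:reg + n])
        self.trace.append(("R", addr, reg, data))
        return data

    def write(self, addr, reg, value):
        self.trace.append(("W", addr, reg, bytes([value])))
        if (addr, reg) == (0x60, 0x00):
            if value == 0xA5:
                self.mem[0x60][0] = 0x00      # unlock code accepted
        else:
            self.mem[addr][reg] = value

def solve(bus):
    """Steps 2-8 of the write-up against any object with scan/read/write."""
    assert bus.scan() == [0x48, 0x50, 0x60]
    hint = bus.read(0x48, 0x07, 16).rstrip(b"\x00").decode()
    dev, reg = (int(x, 16) for x in hint.split("@")[1].split(":"))
    before = bus.read(dev, reg, 32)           # all zeros while locked
    bus.write(dev, 0x00, 0xA5)
    key = bus.read(dev, reg, 32)
    enc = bus.read(0x50, 0x00, 64)
    return before, key, xor(enc, key).rstrip(b"\x00").decode()

if __name__ == "__main__":
    bus = SimBus()
    print(solve(bus)[2], *bus.trace, sep="\n")
```

The printed trace contains the unlock byte, the 32-byte key and the ciphertext in the clear, so on a bus that can be observed this lock protects nothing once a single legitimate unlock has been captured.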

Key concepts

  • I2C bus scanning: Enumerate devices by probing every 7-bit address (0x00-0x7F)
  • Multi-device interaction: Data from one device (temp sensor hint) unlocks another (crypto IC)
  • Access control: The crypto IC requires an unlock sequence before revealing its key register
  • XOR encryption: Simple symmetric cipher used for data at rest in EEPROM

Flag

ESPILON{n4v1_12c_bus_mast3r}