ESPILON-CTF-2026-Writeups/Hardware/NAVI_I2C_Sniff/README.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00


# NAVI I2C Sniff
| Field | Value |
|-------|-------|
| Category | Hardware |
| Difficulty | Medium-Hard |
| Points | 442 |
| Author | Eun0us |
| CTF | Espilon 2026 |
---
## Description
You have gained access to the I2C bus inside Lain's NAVI computer.
Multiple devices are connected: an EEPROM, a temperature sensor, and a cryptographic IC.
Scan the bus, probe each device, and recover the encrypted secret.

- I2C Bus: `tcp/<host>:3300`

Format: **ESPILON{...}**

---
## TL;DR
Scan the I2C bus to find three devices. A hidden register in the temperature sensor
points to the crypto IC. The crypto IC is locked — send the unlock code to reveal the XOR key.
Use the key to decrypt the EEPROM contents and recover the flag.

---
## Tools
| Tool | Purpose |
|------|---------|
| `nc` | Connect to the I2C bus interface |
| Python 3 | XOR decryption |
---
## Solution
![sigrok I2C decode output showing flag bytes](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_sniff.png)
### Step 1 — Connect
```bash
nc <host> 3300
```
![I2C bus interface prompt](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_prompt.png)
### Step 2 — Scan the bus
```text
scan
```
Discovers three devices:
```
I2C Address 0x50 [EEPROM]
I2C Address 0x48 [Temperature Sensor]
I2C Address 0x60 [Crypto IC]
```
![scan output listing three I2C devices](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_scan.png)
### Step 3 — Read the temperature sensor's hidden register
```text
read 0x48 0x07 16
```
Returns: `key@0x60:0x10` — a hint pointing to register 0x10 of the crypto IC at address 0x60.
### Step 4 — Try reading the crypto IC (locked)
```text
read 0x60 0x10 32
```
Returns all zeros — the IC is locked.
Check the lock status register:
```text
read 0x60 0x00 1
```
Returns `0x01` (locked).
### Step 5 — Unlock the crypto IC
Send the unlock code `0xA5` to the control register:
```text
write 0x60 0x00 0xA5
```
### Step 6 — Read the XOR key
```text
read 0x60 0x10 32
```
Now returns the actual 32-byte key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`
![crypto IC returning the key after unlock](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_key.png)
### Step 7 — Read the EEPROM
```text
read 0x50 0x00 64
```
Returns XOR-encrypted data as a hex string.
### Step 8 — Decrypt the flag
```python
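eeprom_hex = "..."  # paste the hex string returned by `read 0x50 0x00 64`
key = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"  # 32-byte key read from the crypto IC in Step 6
enc = bytes.fromhex(eeprom_hex)
# Repeating-key XOR: the 32-byte key wraps around over the 64-byte EEPROM dump
flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
# Strip the trailing zero padding before decoding
print(flag.rstrip(b'\x00').decode())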
```
![Python decryption script printing the flag](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_decrypt.png)
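
Steps 2 to 8 replayed end to end against an offline model of the bus, as an added example that is not part of the original writeup or the challenge server. `SimBus` and `solve` are hypothetical names; the status value `0x00` after unlock and the zero-padding of the EEPROM plaintext are assumptions, and the EEPROM image is constructed from the key and flag shown on this page.

```python
import re

KEY = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"  # key shown in Step 6
FLAG = b"ESPILON{n4v1_12c_bus_mast3r}"      # flag shown in the Flag section

def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class SimBus:
    """Constructed model of the three devices (hypothetical, not the server)."""
    def __init__(self):
        self.locked = True
        # Assumption: plaintext is zero-padded to 64 bytes before XOR.
        self.eeprom = xor(FLAG.ljust(64, b"\x00"), KEY)

    def scan(self):
        return [0x48, 0x50, 0x60]

    def read(self, addr, reg, n):
        if addr == 0x48 and reg == 0x07:          # hidden hint register
            return b"key@0x60:0x10".ljust(n, b"\x00")[:n]
        if addr == 0x50:                          # EEPROM, always readable
            return self.eeprom[reg:reg + n]
        if addr == 0x60 and reg == 0x00:          # lock status (0x00 assumed)
            return bytes([0x01 if self.locked else 0x00])
        if addr == 0x60 and reg == 0x10 and not self.locked:
            return KEY[:n]
        return bytes(n)                           # locked or unmapped: zeros

    def write(self, addr, reg, value):
        if (addr, reg, value) == (0x60, 0x00, 0xA5):
            self.locked = False

def solve(bus):
    hint = bus.read(0x48, 0x07, 16).rstrip(b"\x00").decode()
    m = re.fullmatch(r"key@(0x[0-9a-fA-F]+):(0x[0-9a-fA-F]+)", hint)
    if m is None:
        raise ValueError(f"unexpected hint: {hint!r}")
    dev, reg = int(m.group(1), 16), int(m.group(2), 16)
    locked_read = bus.read(dev, reg, 32)          # Step 4: zeros while locked
    if bus.read(dev, 0x00, 1) == b"\x01":
        bus.write(dev, 0x00, 0xA5)                # Step 5: unlock code
    key = bus.read(dev, reg, 32)                  # Step 6
    enc = bus.read(0x50, 0x00, 64)                # Step 7
    return locked_read, key, xor(enc, key).rstrip(b"\x00").decode()

if __name__ == "__main__":
    print(solve(SimBus()))
```
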
### Key concepts
- **I2C bus scanning**: Enumerate devices by probing every 7-bit address (0x00–0x7F)
- **Multi-device interaction**: Data from one device (temp sensor hint) unlocks another (crypto IC)
- **Access control**: The crypto IC requires an unlock sequence before revealing its key register
- **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM
---
## Flag
`ESPILON{n4v1_12c_bus_mast3r}`