ESPILON CTF 2026 — Write-ups, edition 1 (33 challenges), 2026-03-22

Phantom JTAG — Solution

Overview

Simulated JTAG debug port implementing the IEEE 1149.1 TAP state machine. The debug interface is locked and requires a key to unlock it. Once unlocked, memory can be read over the port to extract the flag.

Steps

  1. Connect:
     nc <host> 3400
  2. Reset the TAP controller:
     reset
  3. Read the device IDCODE:
     ir 1
     dr 00000000 32

Returns 0x4BA00477 (ARM Cortex-M like device).

  4. Unlock the debug interface — load IR instruction 0x5 and send the key 0xDEAD:
     ir 5
     dr DEAD 16

Check with state — it should show "Debug: UNLOCKED".

  5. Read memory — load the MEM_READ instruction (IR 0x8):
     ir 8
  6. Dump the flag from memory at 0x1000:
     dr 1000 16
     dr 00000000 32

The first dr sends the address; the second reads the 32-bit word at that address. Repeat for addresses 0x1000, 0x1004, 0x1008, ... until the full flag is recovered.

  7. Convert the 32-bit little-endian words back to ASCII to reconstruct the flag.
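The seven steps above as one script, added here as an example and not part of the original write-up or the challenge's own code. It drives the same `reset` / `ir` / `dr` / `state` commands, decodes the IDCODE fields, and reassembles the little-endian words. Because the real service is not available offline, the script ships with `FakeTap`, a constructed stand-in whose reply formats (one hex line per command, locked reads returning zeros, the memory layout) are assumptions; `NetcatTransport` talks to the real port and likewise assumes one reply line per command. The flag in `FakeTap` is a constructed placeholder.

```python
import socket
import struct

IDCODE_EXPECTED = 0x4BA00477   # IDCODE reported in the write-up
UNLOCK_KEY = 0xDEAD            # key from the write-up
FLAG_ADDR = 0x1000             # flag address from the write-up


def decode_idcode(idcode: int) -> dict:
    """Split a 32-bit IEEE 1149.1 IDCODE into its fields; bit 0 is always 1."""
    return {
        "version": idcode >> 28,
        "part": (idcode >> 12) & 0xFFFF,
        "manufacturer": (idcode >> 1) & 0x7FF,   # 11-bit JEDEC id; 0x23B is ARM
        "valid": idcode & 1 == 1,
    }


def words_to_ascii(words) -> str:
    """Step 7: 32-bit little-endian words back to the NUL-terminated flag string."""
    raw = b"".join(struct.pack("<I", w) for w in words)
    return raw.split(b"\x00")[0].decode("ascii")


class NetcatTransport:
    """Line-oriented connection to the real service (assumed: one reply line per command)."""

    def __init__(self, host, port=3400):
        self.sock = socket.create_connection((host, port))
        self.io = self.sock.makefile("rw")

    def cmd(self, line: str) -> str:
        self.io.write(line + "\n")
        self.io.flush()
        return self.io.readline().strip()


class FakeTap:
    """Constructed in-process stand-in so the solver runs offline.
    Reply strings are assumptions, not the real service's output."""

    def __init__(self, flag: str):
        padded = flag.encode() + b"\x00" * (4 - len(flag) % 4)   # keep a NUL terminator
        self.mem = {FLAG_ADDR + i: struct.unpack_from("<I", padded, i)[0]
                    for i in range(0, len(padded), 4)}
        self.cmd("reset")

    def cmd(self, line: str) -> str:
        op, *args = line.split()
        if op == "reset":
            self.ir, self.addr, self.unlocked = 0, None, False
            return "TAP reset"
        if op == "ir":
            self.ir = int(args[0], 16)
            return f"IR=0x{self.ir:X}"
        if op == "state":
            return "Debug: UNLOCKED" if self.unlocked else "Debug: LOCKED"
        if op == "dr":
            value, nbits = int(args[0], 16), int(args[1])
            if self.ir == 0x1:                       # IDCODE
                return f"0x{IDCODE_EXPECTED:08X}"
            if self.ir == 0x5:                       # UNLOCK: compare the shifted-in key
                self.unlocked = nbits == 16 and value == UNLOCK_KEY
                return "0x0000"
            if self.ir == 0x8:                       # MEM_READ: 16-bit address, then 32-bit data
                if nbits == 16:
                    self.addr = value
                    return "0x0000"
                word = self.mem.get(self.addr, 0) if self.unlocked else 0   # locked: reads as zeros
                return f"0x{word:08X}"
            return "0x0"
        return "ERR"


def solve(tap, max_words=64):
    """Run steps 2-7 against any object with a .cmd(line) method; returns (idcode, flag)."""
    tap.cmd("reset")                                 # step 2
    tap.cmd("ir 1")                                  # step 3: IDCODE
    idcode = int(tap.cmd("dr 00000000 32"), 16)
    tap.cmd("ir 5")                                  # step 4: unlock
    tap.cmd(f"dr {UNLOCK_KEY:04X} 16")
    if "UNLOCKED" not in tap.cmd("state"):
        raise RuntimeError("debug port still locked")
    tap.cmd("ir 8")                                  # step 5: MEM_READ
    words = []
    for addr in range(FLAG_ADDR, FLAG_ADDR + 4 * max_words, 4):   # step 6
        tap.cmd(f"dr {addr:04X} 16")
        word = int(tap.cmd("dr 00000000 32"), 16)
        words.append(word)
        if 0 in struct.pack("<I", word):             # NUL byte: end of the string
            break
    return idcode, words_to_ascii(words)             # step 7


if __name__ == "__main__":
    import sys
    # With a host argument it uses the real port; without one it runs against the fake.
    tap = NetcatTransport(sys.argv[1]) if len(sys.argv) > 1 else FakeTap("ESPILON{constructed_example_flag}")
    idcode, flag = solve(tap)
    print(f"IDCODE 0x{idcode:08X} {decode_idcode(idcode)}")
    print("flag:", flag)
```

`solve()` stops at the first word containing a NUL byte instead of a fixed word count, which is the "repeat until the full flag is recovered" loop of step 6 made explicit; the `state` check after the unlock is what tells the lock apart from a silent zero read.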

Key Concepts

  • JTAG TAP state machine: IEEE 1149.1 defines a 16-state FSM whose transitions are driven only by the TMS signal, sampled on each TCK
  • IR/DR registers: the Instruction Register selects the operation; the Data Register carries parameters and results
  • Debug port locking: many chips have a lock mechanism that requires a key before debug access is enabled
  • Memory dump via JTAG: once debug is unlocked, arbitrary memory reads are possible
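To make the first two concepts concrete, here is a bit-level model of the 1149.1 TAP controller, added as an example that is not part of the write-up or the challenge. It encodes the 16-state transition table keyed by TMS, shifts TDI through the IR or DR one TCK at a time, and captures the IDCODE reported above when the IDCODE instruction is selected. The 4-bit IR width and the encodings 0x1 (IDCODE) and 0xF (BYPASS) are assumptions of this model; the standard only requires BYPASS to be all ones.

```python
# IEEE 1149.1 TAP controller: 16 states, next state chosen only by TMS on each TCK.
NEXT = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}

IDCODE_INSTR, BYPASS_INSTR = 0x1, 0xF   # IR encodings assumed for this model (4-bit IR)


class Tap:
    """Bit-level model: clock() is one TCK with the given TMS/TDI and returns TDO."""
    IR_LEN = 4

    def __init__(self, idcode=0x4BA00477):   # the IDCODE the write-up reports
        self.idcode = idcode
        self.state = "TEST_LOGIC_RESET"
        self.ir = IDCODE_INSTR               # 1149.1: IDCODE (or BYPASS) is selected after reset
        self.ir_shift = self.dr_shift = 0
        self.dr_len = 32
        self.updated_dr = {}                 # last value latched by Update-DR, per instruction

    def _capture_dr(self):
        """Which data register the current instruction connects between TDI and TDO."""
        if self.ir == IDCODE_INSTR:
            return 32, self.idcode
        if self.ir == BYPASS_INSTR:
            return 1, 0                      # single-bit bypass register
        return 32, 0                         # other instructions: generic 32-bit register

    def clock(self, tms, tdi=0):
        s, tdo = self.state, 0
        if s == "TEST_LOGIC_RESET":
            self.ir = IDCODE_INSTR
        elif s == "CAPTURE_IR":
            self.ir_shift = 0b0001           # 1149.1: the two low IR bits capture as 01
        elif s == "CAPTURE_DR":
            self.dr_len, self.dr_shift = self._capture_dr()
        elif s == "SHIFT_IR":                # TDO takes the LSB, TDI enters at the MSB
            tdo = self.ir_shift & 1
            self.ir_shift = (self.ir_shift >> 1) | (tdi << (self.IR_LEN - 1))
        elif s == "SHIFT_DR":
            tdo = self.dr_shift & 1
            self.dr_shift = (self.dr_shift >> 1) | (tdi << (self.dr_len - 1))
        elif s == "UPDATE_IR":
            self.ir = self.ir_shift          # the shifted instruction takes effect here
        elif s == "UPDATE_DR":
            self.updated_dr[self.ir] = self.dr_shift
        self.state = NEXT[s][tms]
        return tdo


def reset(tap):
    """Five TCKs with TMS=1 reach Test-Logic-Reset from any state; TMS=0 then parks in Run-Test/Idle."""
    for _ in range(5):
        tap.clock(1)
    tap.clock(0)


def scan(tap, value, nbits, ir=False):
    """From Run-Test/Idle: walk to Shift-IR/Shift-DR, shift nbits of value LSB first, pass
    through Update, return to Run-Test/Idle, and return what came out on TDO."""
    assert tap.state == "RUN_TEST_IDLE"
    tap.clock(1)                             # Select-DR-Scan
    if ir:
        tap.clock(1)                         # Select-IR-Scan
    tap.clock(0)                             # Capture
    tap.clock(0)                             # Shift
    out = 0
    for i in range(nbits):
        tms = 1 if i == nbits - 1 else 0     # TMS=1 on the last bit exits to Exit1
        out |= tap.clock(tms, (value >> i) & 1) << i
    tap.clock(1)                             # Update
    tap.clock(0)                             # Run-Test/Idle
    return out


if __name__ == "__main__":
    tap = Tap()
    reset(tap)
    scan(tap, IDCODE_INSTR, Tap.IR_LEN, ir=True)
    print(f"IDCODE 0x{scan(tap, 0, 32):08X}")
```

`scan()` is the bit-level equivalent of the write-up's `ir` and `dr` commands: the value shifted out during the DR scan is the captured register, which is why `dr 00000000 32` after `ir 1` returns the IDCODE even though zeros are shifted in.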