# NAVI I2C Sniff — Solution

## Overview

Simulated I2C bus with 3 devices on Lain's NAVI computer. The EEPROM holds an XOR-encrypted flag, the crypto IC holds the key (but is locked), and the temp sensor has a hint.

## Steps

1. Connect:

```bash
nc <host> 3300
```

2. Scan the bus:

```
scan
```

Finds 3 devices: 0x50 (EEPROM), 0x48 (Temp), 0x60 (Crypto IC).

3. Read the temp sensor's hidden register:

```
read 0x48 0x07 16
```

Returns `key@0x60:0x10` — hint pointing to crypto IC register 0x10.

4. Try reading the crypto key:

```
read 0x60 0x10 32
```

Returns all zeros — the IC is locked.

5. Check lock status and unlock:

```
read 0x60 0x00 1 # Returns 0x01 (locked)
write 0x60 0x00 0xA5 # Unlock code
```

6. Read the XOR key:

```
read 0x60 0x10 32
```

Now returns the actual key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`

7. Read the EEPROM:

```
read 0x50 0x00 64
```

Returns XOR-encrypted data.

8. XOR decrypt EEPROM data with the key to get the flag.
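
An added example for step 8 (not part of the original solution): repeating-key XOR over a 64-byte dump with the 32-byte key from step 6. The hex-token output format, the NUL padding and the sample ciphertext are assumptions; the real EEPROM contents are not shown on this page.

```python
from itertools import cycle

# Key as returned by the crypto IC in step 6 (32 bytes).
KEY = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"


def parse_hex_dump(text: str) -> bytes:
    """Turn a `read` response into bytes.

    Assumption: bytes are printed as hex tokens ("0x1f 0x2a" or "1f 2a").
    """
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when data is longer."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_eeprom(dump: str, key: bytes = KEY) -> bytes:
    """Decrypt a 64-byte EEPROM dump; the 32-byte key is applied twice."""
    plain = xor_repeat(parse_hex_dump(dump), key)
    # Assumption: the plaintext is NUL-padded to fill the EEPROM.
    return plain.rstrip(b"\x00")


def constructed_dump() -> str:
    """Constructed sample ciphertext (the real EEPROM data is not on the page)."""
    plain = b"flag{constructed_sample_not_the_real_flag}".ljust(64, b"\x00")
    return " ".join(f"0x{b:02x}" for b in xor_repeat(plain, KEY))


if __name__ == "__main__":
    dump = constructed_dump()
    print(decrypt_eeprom(dump).decode())
    # Where the plaintext is NUL padding, the ciphertext is the key itself.
    print(parse_hex_dump(dump)[42:].decode())
```

The second print shows why repeating-key XOR is weak for data at rest: any region of known or zero plaintext exposes the corresponding key bytes directly in the stored ciphertext.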

## Key Concepts

- **I2C bus scanning**: Enumerate devices by sending start conditions to all 7-bit addresses
- **Multi-device interaction**: Information from one device unlocks another
- **Access control**: The crypto IC requires an unlock sequence before revealing the key
- **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM