Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e4d2de9db2
ESPILON-CTF-2026-Writeups/Hardware/NAVI_I2C_Sniff/README.md

145 lines
2.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# NAVI I2C Sniff
| Field | Value |
|-------|-------|
| Category | Hardware |
| Difficulty | Medium-Hard |
| Points | 500 |
| Author | Eun0us |
| CTF | Espilon 2026 |
---
## Description
You have gained access to the I2C bus inside Lain's NAVI computer.
Multiple devices are connected: an EEPROM, a temperature sensor, and a cryptographic IC.
Scan the bus, probe each device, and recover the encrypted secret.
- I2C Bus: `tcp/<host>:3300`
Format: **ESPILON{...}**
---
## TL;DR
Scan the I2C bus to find three devices. A hidden register in the temperature sensor
points to the crypto IC. The crypto IC is locked — send the unlock code to reveal the XOR key.
Use the key to decrypt the EEPROM contents and recover the flag.
---
## Tools
| Tool | Purpose |
|------|---------|
| `nc` | Connect to the I2C bus interface |
| Python 3 | XOR decryption |
---
## Solution
![sigrok I2C decode output showing flag bytes](https://git.espilon.net/Eun0us/ESPILON-CTF-2026-Writeups/raw/branch/main/screens/i2c_sniff.png)
### Step 1 — Connect
```bash
nc <host> 3300
```
> 📸 `[screenshot: I2C bus interface prompt]`
### Step 2 — Scan the bus
```text
scan
```
Discovers three devices:
```
I2C Address 0x50 [EEPROM]
I2C Address 0x48 [Temperature Sensor]
I2C Address 0x60 [Crypto IC]
```
> 📸 `[screenshot: scan output listing three I2C devices]`
### Step 3 — Read the temperature sensor's hidden register
```text
read 0x48 0x07 16
```
Returns: `key@0x60:0x10` — a hint pointing to register 0x10 of the crypto IC at address 0x60.
### Step 4 — Try reading the crypto IC (locked)
```text
read 0x60 0x10 32
```
Returns all zeros — the IC is locked.
Check the lock status register:
```text
read 0x60 0x00 1
```
Returns `0x01` (locked).
### Step 5 — Unlock the crypto IC
Send the unlock code `0xA5` to the control register:
```text
write 0x60 0x00 0xA5
```
### Step 6 — Read the XOR key
```text
read 0x60 0x10 32
```
Now returns the actual 32-byte key: `NAVI_WIRED_I2C_CRYPTO_KEY_2024!!`
> 📸 `[screenshot: crypto IC returning the key after unlock]`
### Step 7 — Read the EEPROM
```text
read 0x50 0x00 64
```
Returns XOR-encrypted data as a hex string.
### Step 8 — Decrypt the flag
```python
eeprom_hex = "..." # hex from read 0x50
key = b"NAVI_WIRED_I2C_CRYPTO_KEY_2024!!"
enc = bytes.fromhex(eeprom_hex)
flag = bytes(b ^ key[i % len(key)] for i, b in enumerate(enc))
print(flag.rstrip(b'\x00').decode())
```
> 📸 `[screenshot: Python decryption script printing the flag]`
### Key concepts
- **I2C bus scanning**: Enumerate devices by probing every 7-bit address (0x000x7F)
- **Multi-device interaction**: Data from one device (temp sensor hint) unlocks another (crypto IC)
- **Access control**: The crypto IC requires an unlock sequence before revealing its key register
- **XOR encryption**: Simple symmetric cipher used for data at rest in EEPROM
---
## Flag
`ESPILON{n4v1_12c_bus_mast3r}`
Reference in New Issue View Git Blame Copy Permalink