ESPILON-CTF-2026-Writeups/Hardware/Wired_SPI_Exfil
2026-03-22 19:18:58 +01:00

Wired SPI Exfil — Solution

Overview

Simulated SPI flash chip from a WIRED-MED module. Standard SPI flash commands are used to read chip contents. A hidden partition not listed in the normal partition table contains the XOR-encrypted flag. The SFDP table has vendor-specific parameters that reveal the hidden sector.

Steps

  1. Connect and assert CS:

       nc <host> 3500
       cs 0

  2. Read chip ID:

       tx 9F

     Returns EF 40 18 = Winbond W25Q128.

  3. Read the SFDP table to discover hidden sectors:

       tx 5A 00 00 00 00

     SFDP header shows 2 parameter tables. Read vendor table at offset 0x80:

       tx 5A 00 00 80 00

     Vendor data shows a hidden partition at 0x030000 labeled "HIDDEN".

  4. Read the hidden partition:

       tx 03 03 00 00

     Data starts with WIRED_HIDDEN_PARTITION header, followed by encrypted bytes.

  5. XOR the encrypted data with key WIRED_SPI to get the flag.
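
The header read in step 3 can be decoded mechanically to find where each parameter table lives. The following is an added example, not part of the original write-up or the challenge files: it parses the SFDP header and parameter headers using the JEDEC JESD216 layout and builds the tx line for each table. The sample bytes are constructed for illustration and the function names are hypothetical.

```python
# Constructed sample (not captured from the challenge): the first 24 bytes an
# SFDP read could return, laid out per JEDEC JESD216.
SAMPLE_SFDP = bytes.fromhex(
    "53464450 06 01 01 ff"      # "SFDP", minor 6, major 1, NPH=1 (two headers)
    "00 06 01 10 300000 ff"     # JEDEC basic table: 16 dwords at 0x000030
    "ef 00 01 04 800000 ff"     # vendor table (ID LSB 0xEF): 4 dwords at 0x000080
)

def parse_sfdp_header(buf):
    """Return (major, minor, tables) from the SFDP header and parameter headers."""
    if len(buf) < 8 or buf[:4] != b"SFDP":
        raise ValueError("missing SFDP signature")
    minor, major, nph = buf[4], buf[5], buf[6]
    tables = []
    for i in range(nph + 1):                  # NPH is zero-based
        hdr = buf[8 + 8 * i : 16 + 8 * i]     # each parameter header is 8 bytes
        if len(hdr) < 8:
            raise ValueError("truncated parameter header %d" % i)
        tables.append({
            "id_lsb": hdr[0], "id_msb": hdr[7],
            "rev": (hdr[2], hdr[1]),          # (major, minor)
            "length": hdr[3] * 4,             # stored as a count of 32-bit words
            "pointer": int.from_bytes(hdr[4:7], "little"),
            "jedec_basic": (hdr[7], hdr[0]) == (0xFF, 0x00),
        })
    return major, minor, tables

def sfdp_read_cmd(addr):
    """Console line for an SFDP read: opcode 5A, 24-bit address, one dummy byte."""
    return "tx 5A %02X %02X %02X 00" % (addr >> 16 & 0xFF, addr >> 8 & 0xFF, addr & 0xFF)

if __name__ == "__main__":
    major, minor, tables = parse_sfdp_header(SAMPLE_SFDP)
    print("SFDP rev %d.%d, %d parameter tables" % (major, minor, len(tables)))
    for t in tables:
        kind = "JEDEC basic" if t["jedec_basic"] else "other/vendor"
        print("%-12s id=%02X%02X len=%3d  %s"
              % (kind, t["id_msb"], t["id_lsb"], t["length"], sfdp_read_cmd(t["pointer"])))
```

Any table that is not the JEDEC basic table is worth dumping in full, since its contents are defined by the vendor rather than by the standard.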

Key Concepts

  • SPI flash commands: Standard opcodes (RDID, READ, SFDP) work across most flash chips
  • SFDP: Serial Flash Discoverable Parameters — a standardized way to query flash capabilities. Vendor extensions can hide extra information
  • Hidden partitions: Not all storage areas appear in standard partition tables — manual probing or SFDP analysis reveals them
  • Data-at-rest encryption: Simple XOR protection on stored secrets