> For the complete documentation index, see [llms.txt](https://shibudocs.gitbook.io/htb-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shibudocs.gitbook.io/htb-writeups/cyber-apocalypse-2024-hacker-royale/rids.md).

# Rids

I did not solve this challenge myself, but another member of my CTF team did.

The device has this written on it: W25Q128

There is a flash memory chip that we need to get the flag out of

We have a Python script that has the purpose of interacting with the chip as it seems

Executing the Python script returns some numbers:

\[239, 64, 24]

Searching for the chip and the instructions it accepts, you come across this program, which contains a mapping of raw instructions to human readable ones:

{% embed url="<https://github.com/ErichStyger/mcuoneclipse/blob/master/Examples/KDS/tinyK20/tinyK20_LittleFS_W25Q128/Sources/W25Q128.c>" %}

<figure><img src="/files/ClEOOp3vjdaIlxM3OsOK" alt=""><figcaption></figcaption></figure>

```c
#define W25_CMD_PAGE_PROGRAM		0x02
#define W25_CMD_DATA_READ		0x03
#define W25_CMD_READ_STATUS1		0x05
#define W25_CMD_WRITE_ENABLE		0x06
#define W25_CMD_GET_ID			0x9F
#define W25_ID0_WINBOND			0xEF
#define W25_CMD_GET_SERIAL		0x4B
#define W25_CMD_SECTOR_ERASE_4K		0x20
#define W25_CMD_BLOCK_ERASE_32K		0x52
#define W25_CMD_BLOCK_ERASE_64K		0xD8
#define W25_CMD_CHIP_ERASE		0xC7
```

There you can see that the script seems to get the Chip ID. We also see that 0x03 seems to read data from the chip, which is what we want. Changing the script accordingly returns something:

<figure><img src="/files/fzDH1iq0SUgf5CydGCW3" alt=""><figcaption></figcaption></figure>

\[72, 84, 66]

I put this into the “Magic” Decryptor on CyberChef to find out that the numbers are ASCII values, in this case for HTB.

I edited the script again to include not 3, but increasingly more bytes and decrypted the output with cyberchef. This was the result:

jedec\_id = exchange(\[0x03], 49)

print(jedec\_id)

\[72, 84, 66, 123, 109, 51, 109, 48, 50, 49, 51, 53, 95, 53, 55, 48, 50, 51, 95, 53, 51, 99, 50, 51, 55, 53, 95, 102, 48, 50, 95, 51, 118, 51, 50, 121, 48, 110, 51, 95, 55, 48, 95, 53, 51, 51, 33, 64, 125]

`HTB{m3m02135_57023_53c2375_f02_3v32y0n3_70_533!@}`


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://shibudocs.gitbook.io/htb-writeups/cyber-apocalypse-2024-hacker-royale/rids.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.