Rids

Personal Rating: Hard

I did not solve this challenge myself, but another member of my CTF team did.

The device has this written on it: W25Q128

There is a flash memory chip that we need to get the flag out of.

We are given a Python script that appears to be meant for interacting with the chip.

Executing the Python script returns some numbers:

[239, 64, 24]

Searching for the chip and the instructions it accepts, you come across this program, which contains a mapping of raw instruction opcodes to human-readable names:

#define W25_CMD_PAGE_PROGRAM		0x02
#define W25_CMD_DATA_READ		0x03
#define W25_CMD_READ_STATUS1		0x05
#define W25_CMD_WRITE_ENABLE		0x06
#define W25_CMD_GET_ID			0x9F
#define W25_ID0_WINBOND			0xEF
#define W25_CMD_GET_SERIAL		0x4B
#define W25_CMD_SECTOR_ERASE_4K		0x20
#define W25_CMD_BLOCK_ERASE_32K		0x52
#define W25_CMD_BLOCK_ERASE_64K		0xD8
#define W25_CMD_CHIP_ERASE		0xC7

There you can see that the script seems to get the chip ID: the first byte of its output, 239, is 0xEF, which matches W25_ID0_WINBOND. We also see that 0x03 reads data from the chip, which is what we want. Changing the script accordingly returns something:

[72, 84, 66]

I put this into the “Magic” Decryptor on CyberChef to find out that the numbers are ASCII values, in this case for HTB.

I edited the script again to include not 3, but increasingly more bytes, and decrypted the output with CyberChef. This was the result:

jedec_id = exchange([0x03], 49)

print(jedec_id)

[72, 84, 66, 123, 109, 51, 109, 48, 50, 49, 51, 53, 95, 53, 55, 48, 50, 51, 95, 53, 51, 99, 50, 51, 55, 53, 95, 102, 48, 50, 95, 51, 118, 51, 50, 121, 48, 110, 51, 95, 55, 48, 95, 53, 51, 51, 33, 64, 125]

HTB{m3m02135_57023_53c2375_f02_3v32y0n3_70_533!@}
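The same steps can be done inside the script instead of by hand in CyberChef. The block below is an added example, not the challenge's script: `exchange()` here is a constructed mock that serves the bytes shown above, `parse_jedec_id` and `dump_until_erased` are hypothetical helper names, and the read frame (opcode plus a 24-bit address) follows the usual 0x03 framing for these parts, whereas the call on this page sent only the opcode.

```python
CMD_DATA_READ = 0x03  # W25_CMD_DATA_READ from the list above
CMD_GET_ID = 0x9F     # W25_CMD_GET_ID
ID0_WINBOND = 0xEF    # W25_ID0_WINBOND

# Constructed flash image: the bytes shown on this page, then erased (0xFF) cells.
FLASH_IMAGE = b"HTB{m3m02135_57023_53c2375_f02_3v32y0n3_70_533!@}" + b"\xff" * 207


def exchange(tx, rx_len):
    """Constructed mock of the script's exchange(): send tx, return rx_len bytes."""
    if tx[0] == CMD_GET_ID:
        return [0xEF, 0x40, 0x18][:rx_len]
    if tx[0] == CMD_DATA_READ:
        # No address bytes means address 0 (assumption of this mock).
        addr = int.from_bytes(bytes(tx[1:4]), "big")
        return list(FLASH_IMAGE[addr:addr + rx_len])
    raise ValueError(f"unsupported opcode {tx[0]:#04x}")


def parse_jedec_id(raw):
    """Split the 3-byte ID; byte 3 is log2(capacity in bytes) on these parts."""
    manufacturer, mem_type, cap_code = raw
    return {
        "winbond": manufacturer == ID0_WINBOND,
        "memory_type": mem_type,
        "capacity_bytes": 1 << cap_code,
    }


def dump_until_erased(chunk=16, limit=4096):
    """Read from address 0 in chunks; stop at the first 0xFF (heuristic for erased cells)."""
    data = bytearray()
    for addr in range(0, limit, chunk):
        frame = [CMD_DATA_READ] + list(addr.to_bytes(3, "big"))
        block = bytes(exchange(frame, chunk))
        if not block:
            break
        end = block.find(b"\xff")
        if end != -1:
            data += block[:end]
            break
        data += block
    return bytes(data)


if __name__ == "__main__":
    print(parse_jedec_id(exchange([CMD_GET_ID], 3)))
    print(dump_until_erased().decode("ascii"))
```

Reading in chunks until erased cells appear avoids guessing the length by hand, and the capacity byte 24 decodes to 16 MiB, which is the 128 Mbit in the part name W25Q128.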
