
Challenge 12: "Chaos Chain: Timebomb"

In this final Black Box CTF challenge, the device steps up the difficulty:

  • The UART pins have been relocated, so you must manually identify the correct pins.
  • The UART communication runs at a non-common baud rate, adding an extra layer of complexity.
  • After establishing communication, you must perform a timing side-channel attack to extract the secret.

Only the most persistent and observant hackers will succeed.

Your mission is clear:

  1. Identify the relocated UART pins through careful probing.
  2. Determine the obscure UART baud rate used by the device.
  3. Perform a timing side-channel attack to retrieve the hidden flag via UART.

Setup

[Image: Challenge Setup]

Notes

The first step was probing around until I found the correct UART pins. Once I did, I hooked up some clips to the logic analyzer:

[Image: UART pin clipped]

This gave the following:

[Image: UART pin clipped]

I then traced the chip pins to the header pins on the board and hooked up the board to look like the setup picture above.

Maths that pulse width:
Baud rate = 1 / bit time
Bit time = 833.75 microseconds = 833.75 × 10⁻⁶ seconds
Baud rate = 1 / (833.75 × 10⁻⁶) = 1 199.1004 baud

Answer: The UART baud rate is approximately 1 199 baud.

For this one I didn't use glitch-o-bolt, instead opting for a standalone Python script: 12_solution.py
The full solution output can be read here: 12_solution.txt

But to summarize:

[INFO] Analysing position 6/8
[RESULT] Candidate '0' average LOW-delay: 1011.00 ms
[RESULT] Candidate '1' average LOW-delay: 1011.00 ms
[RESULT] Candidate '2' average LOW-delay: 1021.00 ms
[RESULT] Candidate '3' average LOW-delay: 1011.00 ms
[RESULT] Candidate '4' average LOW-delay: 1010.00 ms
[RESULT] Candidate '5' average LOW-delay: 1009.00 ms
[RESULT] Candidate '6' average LOW-delay: 1012.00 ms
[RESULT] Candidate '7' average LOW-delay: 1012.00 ms
[RESULT] Candidate '8' average LOW-delay: 1013.00 ms
[RESULT] Candidate '9' average LOW-delay: 1010.00 ms
[INFO] Position 6 selected: '2' (avg 1021.00 ms)

    ┌───────────────────────────────┐
    │ Progress: 253152   │
    └───────────────────────────────┘

[INFO] Analysing position 7/8
[RESULT] Candidate '0' average LOW-delay: 1020.00 ms
[RESULT] Candidate '1' average LOW-delay: 1020.00 ms
[RESULT] Candidate '2' average LOW-delay: 1022.00 ms
[RESULT] Candidate '3' average LOW-delay: 0.00 ms
[RESULT] Candidate '4' average LOW-delay: 1022.00 ms
[RESULT] Candidate '5' average LOW-delay: 1021.00 ms
[RESULT] Candidate '6' average LOW-delay: 1019.00 ms
[RESULT] Candidate '7' average LOW-delay: 1023.00 ms
[RESULT] Candidate '8' average LOW-delay: 1022.00 ms
[RESULT] Candidate '9' average LOW-delay: 1032.00 ms
[INFO] Position 7 selected: '9' (avg 1032.00 ms)

    ┌───────────────────────────────┐
    │ Progress: 2531529  │
    └───────────────────────────────┘

[INFO] Analysing position 8/8
[RESULT] Candidate '0' average LOW-delay: 1031.00 ms
[RESULT] Candidate '1' average LOW-delay: 1032.00 ms
[RESULT] Candidate '2' average LOW-delay: 1032.00 ms
[RESULT] Candidate '3' average LOW-delay: 1030.00 ms
[SUCCESS] Device accepted code via UART: TS{D0n7_M355_w17h_t1m3} -> 25315294
[SUCCESS] Discovered PIN: 25315294
[INFO] Connections closed
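The selection step in the output above can be reproduced offline. The following is an added example, not the author's 12_solution.py: it parses the position 7 `[RESULT]` lines copied from the log, discards the failed 0.00 ms reading, and reports how far the chosen candidate sits above the median. The function names and the 5 ms threshold are assumptions made for this sketch.

```python
import re
from statistics import median

# Position 7 lines copied from the solution output quoted above.
SAMPLE_LOG = """\
[INFO] Analysing position 7/8
[RESULT] Candidate '0' average LOW-delay: 1020.00 ms
[RESULT] Candidate '1' average LOW-delay: 1020.00 ms
[RESULT] Candidate '2' average LOW-delay: 1022.00 ms
[RESULT] Candidate '3' average LOW-delay: 0.00 ms
[RESULT] Candidate '4' average LOW-delay: 1022.00 ms
[RESULT] Candidate '5' average LOW-delay: 1021.00 ms
[RESULT] Candidate '6' average LOW-delay: 1019.00 ms
[RESULT] Candidate '7' average LOW-delay: 1023.00 ms
[RESULT] Candidate '8' average LOW-delay: 1022.00 ms
[RESULT] Candidate '9' average LOW-delay: 1032.00 ms
"""

RESULT_RE = re.compile(r"\[RESULT\] Candidate '(.)' average LOW-delay: ([\d.]+) ms")


def parse_results(log):
    """Return {candidate: average_ms} for every [RESULT] line in the log text."""
    return {m.group(1): float(m.group(2)) for m in RESULT_RE.finditer(log)}


def pick_outlier(results, min_margin_ms=5.0):
    """Return (candidate, margin_ms) for the reading that stands above the median.

    Readings of 0 ms are treated as failed measurements and dropped
    (assumption: a real response is never faster than the baseline).
    The candidate is None when nothing clears min_margin_ms (hypothetical
    threshold), so the caller re-measures instead of guessing.
    """
    valid = {c: ms for c, ms in results.items() if ms > 0.0}
    if len(valid) < 3:
        return None, 0.0
    baseline = median(valid.values())
    best = max(valid, key=valid.get)
    margin = valid[best] - baseline
    return (best if margin >= min_margin_ms else None), margin


if __name__ == "__main__":
    digit, margin = pick_outlier(parse_results(SAMPLE_LOG))
    print(f"selected {digit!r}, {margin:.2f} ms above the median")
```

The same 10 ms margin appears at position 6, and the baseline itself rises by about 10 ms with each accepted digit. That per-digit step is the leak a comparison with input-independent timing would remove.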