Debug - HackTheBox

Description

A satellite dish debugging interface captured a serial signal during boot. We need to decode the UART signal to find the flag.

Files provided:

• hw_debug.sal - Saleae Logic 2 capture file (ZIP archive containing digital-0.bin, digital-1.bin, meta.json)

Analysis

Initial Reconnaissance

The .sal file is a Saleae Logic 2 capture format. Despite appearing as a single file, it's actually a ZIP archive containing:

• digital-0.bin - TX channel data
• digital-1.bin - RX channel data
• meta.json - Capture metadata (sample rate: 25 MHz)

The challenge involves decoding UART (Universal Asynchronous Receiver-Transmitter) serial communication captured from a satellite dish debugging interface during boot.

Failed Approaches

1. Manual binary parsing - Found ASCII-like codes (AX, AY, C0, C1, etc.) embedded in the file but couldn't extract meaningful data
2. Bit mapping and frequency analysis - Various approaches didn't produce readable text
3. sigrok-cli - Got framing errors with different baud rates, indicating incorrect settings

Key Insight

For Saleae Logic 2 captures, using the official software is the most reliable approach. The proprietary format is best handled by the native application.

Solution

Step 1: Install Saleae Logic 2

brew install --cask saleae-logic

Step 2: Open and Configure Analyzer

1. Open hw_debug.sal in Saleae Logic 2 GUI
2. Add "Async Serial" analyzer with settings:
   • Baud Rate: 115200 (standard UART debug rate)
   • Bits per Frame: 8
   • Stop Bits: 1
   • Parity: None
   • Bit Order: LSB first

Step 3: Export and Parse Data

Export analyzer results to CSV, then convert hex values to ASCII:

#!/usr/bin/env python3
"""
Parse Saleae Logic 2 UART export CSV and convert to ASCII text.
"""
import csv

with open('115200.csv', 'r') as f:
    reader = csv.reader(f)
    next(reader)  # Skip header
    data = []
    for row in reader:
        if len(row) >= 3 and row[2].startswith('0x'):
            data.append(int(row[2], 16))

text = bytes(data).decode('latin-1')
print(text)

Step 4: Flag Extraction

The decoded output revealed a complete boot log from an embedded device (ARM TrustZone bootloader, U-Boot, Linux kernel). The flag was split across warning messages in the boot sequence:

WARNING: The deep space observatory is offline HTB{
INFO: Communication systems are offline reference code: 547311173_
WARNING: Unauthorized subroutines detected! reference code: n37w02k_
WARNING: The satellite dish can not sync with the swarm. reference code: c0mp20m153d}

Technical Details

UART Configuration

Parameter	Value
Baud Rate	115200
Data Bits	8
Stop Bits	1
Parity	None
Bit Order	LSB first

Boot Sequence

The captured boot sequence showed:

• BL1 -> BL2 -> BL31 -> U-Boot -> Linux kernel
• Device: "Galaxy Gateway" satellite dish controller
• ARM TrustZone secure boot chain

Common UART Baud Rates to Try

When encountering unknown UART signals, try these standard rates:

1. 115200 (most common for debug)
2. 9600 (legacy default)
3. 57600
4. 38400
5. 19200

Tip: Framing errors indicate wrong baud rate - adjust and retry.

Key Indicators

Use this technique when you see:

• .sal files (Saleae Logic captures)
• Logic analyzer captures with digital signals
• References to UART, serial, TX/RX
• Embedded device debugging scenarios
• Boot log or firmware analysis challenges

Lessons Learned

1. Use native tools - For proprietary formats like Saleae Logic 2, the official software is most reliable
2. Standard baud rates - Start with 115200 for debug interfaces
3. Framing errors = wrong baud - Adjust baud rate when you see framing errors
4. Boot logs contain secrets - Debug output often includes sensitive information in CTF challenges
5. Split flags - Flags may be distributed across multiple log messages

References

• Saleae Logic 2 Documentation
• UART Protocol Basics
• sigrok - Open Source Signal Analysis