It's Oops PM — HackTheBox

Description

This challenge presents VHDL source code for a Trusted Platform Module (TPM) chip. The goal is to analyze the hardware description, find the backdoor, and understand how to extract the secret key.

Analysis

tpm.vhdl

This is the main entity that combines the following components:

• ckey: Component that provides the secret key.
• encryption: Data encryption module.
• backdoor: Module that checks input data for a backdoor trigger.

The tpm.vhdl architecture implements a process that controls the Output signal:

process(Key, Encrypted, B)
begin
    case B is
        when '1' =>
            for i in 0 to 15 loop
                Output(i) <= Key(i);
            end loop;
        when others =>
            for i in 0 to 15 loop
                Output(i) <= Encrypted(i);
            end loop;
    end case;
end process;

If signal B (output of the backdoor module) equals '1', the device outputs the raw secret key Key. Otherwise, it outputs encrypted data.

backdoor.vhdl

This module is responsible for activating signal B. It defines a constant pattern:

constant pattern : STD_LOGIC_VECTOR(15 downto 0) := "1111111111101001";

The activation logic is simple:

if D = pattern then
    B <= '1';
else
    B <= '0';
end if;

The backdoor triggers when input data D exactly matches the pattern 1111111111101001 (in hexadecimal: 0xFFE9).

key.vhdl

This file contains the hardcoded secret key that the TPM is supposed to protect:

constant key : STD_LOGIC_VECTOR(15 downto 0) := "0110001111100001";

Key value in HEX: 0x63E1.

encryption.vhdl

The encryption module performs XOR between input data and the key, but contains intentional errors:

• Bits 0, 6, and 13 are forcibly set to NOT K(i), ignoring input data D. This makes encryption irreversible for some bits, but doesn't interfere with the backdoor operation.

...