$ cat writeup.md…
hackthebox
Task: Recover password from I2C logic analyzer capture of LCD display. Solution: Decode PCF8574 I2C backpack protocol to HD44780 LCD in 4-bit mode, extract nibbles on EN pulse, group by sessions to recover each character as it was typed.
Our field agent cannot access the enemy base due to the password-protected internal gates, but observed that the password seemed to be partially displayed as it was typed into the security keypad. Thanks to an audacious mission, we were able to implant an embedded device into the wiring for the keypad's monitor, and intercepted some data. Your mission is to recover the password from the collected data.
Provided files:
op_pinpossible.logicdata — Saleae Logic 1.x logic analyzer capture (I2C bus)
security_keypad.jpeg — photo of a QAPASS 16x2 LCD display (HD44780) with PCF8574 I2C backpack, showing "Enter Password"
The photo shows a standard Arduino setup:
.logicdata — proprietary Saleae Logic 1.x format (NOT compatible with Logic 2 or sigrok)
PCF8574 outputs 8 bits to a parallel port connected to the LCD in 4-bit mode:
Bit 0: RS (Register Select: 0=command, 1=data/character)
Bit 1: RW (Read/Write: 0=write)
Bit 2: EN (Enable: HIGH→LOW pulse to latch data)
Bit 3: BL (Backlight)
Bits 4-7: D4-D7 (high nibble of data in 4-bit mode)
Each nibble is transmitted via three I2C writes:
Two nibbles (high first, low second) form one byte. RS=0 → LCD command, RS=1 → character to display.
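The bit layout and nibble pairing described above, as an added example that is not the writeup author's code. It assumes the I2C data bytes written to the PCF8574 have already been exported as a list of integers; the function names, the EN low/high/low write pattern used to build the sample, and the sample itself (which starts after LCD initialisation) are constructed for illustration.

```python
# Bit positions of the PCF8574 output byte, as listed above.
RS, RW, EN, BL = 0x01, 0x02, 0x04, 0x08

def latched_nibbles(writes):
    """Yield (rs, nibble) for every HIGH->LOW transition of EN."""
    prev = 0
    for b in writes:
        if (prev & EN) and not (b & EN):
            # The LCD latches D4-D7 on the falling edge, so read the
            # byte that still had EN high.
            yield (prev & RS, prev >> 4)
        prev = b

def decode(writes):
    """Pair nibbles (high first, low second); return (commands, text)."""
    commands, text = [], []
    pending = None  # (rs, high nibble) waiting for its low nibble
    for rs, nib in latched_nibbles(writes):
        if pending is None:
            pending = (rs, nib)
            continue
        prev_rs, high = pending
        pending = None
        if prev_rs != rs:
            # RS changed in the middle of a byte: the stream is out of
            # sync, so restart pairing from this nibble.
            pending = (rs, nib)
            continue
        byte = (high << 4) | nib
        (text if rs else commands).append(byte)
    return commands, bytes(text).decode("ascii", errors="replace")

def encode(byte, rs):
    """Constructed test input: three writes per nibble (assumed EN low, high, low)."""
    out = []
    for nib in (byte >> 4, byte & 0x0F):
        base = (nib << 4) | BL | (RS if rs else 0)
        out += [base, base | EN, base]
    return out

# Constructed sample: one command (0x01) followed by the characters "Hi".
SAMPLE = encode(0x01, rs=0) + [w for ch in b"Hi" for w in encode(ch, rs=1)]

if __name__ == "__main__":
    print(decode(SAMPLE))
```

Because the decoder keys only on the EN falling edge, repeated writes with EN held high or low do not produce extra nibbles.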
...