hardwarefreemedium

Secret Treasures

HackTheBox

Task: ARM embedded system reads 8-digit passcode via UART, uses it as LCG seed to generate addresses into W25Q128 SPI flash, reads scattered flag bytes. Solution: reverse engineer LCG parameters from binary, brute-force 10^8 seed space with known-plaintext 'HTB{' prefix check against flash dump.
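The seed recovery described above, as an added example that is not code from the writeup: it constructs a small flash image in which a flag is scattered at LCG-derived addresses, then brute-forces the seed using only the known `HTB{` prefix. The LCG constants, the address derivation (state modulo the 16 MiB chip size) and the flag layout are assumptions for illustration; the real parameters come from reversing the binary.

```python
# Known-plaintext seed recovery against an LCG-scattered flag.
# All constants below are hypothetical; the real values must be lifted
# from the challenge binary as the writeup describes.

FLASH_SIZE = 16 * 1024 * 1024        # W25Q128 is 16 MiB (from the task)
A, C, M = 1103515245, 12345, 2 ** 31  # hypothetical LCG constants
PREFIX = b"HTB{"                     # known plaintext at the flag start
SEED_SPACE = range(10 ** 8)          # 8-digit passcode -> 10^8 seeds


def lcg_addresses(seed, n):
    """Yield n flash addresses derived from an LCG seeded with `seed`.
    Assumption: the device uses each new state, reduced modulo the chip
    size, directly as a byte address."""
    state = seed
    for _ in range(n):
        state = (A * state + C) % M
        yield state % FLASH_SIZE


def build_flash(seed, flag, fill=b"\xff"):
    """Construct a test flash image (constructed data, not the real dump)
    with `flag` scattered over the addresses the LCG produces for `seed`."""
    image = bytearray(fill * FLASH_SIZE)
    for addr, byte in zip(lcg_addresses(seed, len(flag)), flag):
        image[addr] = byte
    return bytes(image)


def recover_seed(image, flag_len, seed_space=SEED_SPACE, prefix=PREFIX):
    """Brute-force the seed space; a seed is a candidate when the first
    len(prefix) addresses it generates hold the known prefix bytes.

    Four known bytes give a false-positive rate of about 10^8 / 256^4
    (~0.02) over the full space, so every candidate's full flag is
    returned for the caller to validate (e.g. a closing '}')."""
    candidates = []
    for seed in seed_space:
        addrs = list(lcg_addresses(seed, flag_len))
        if bytes(image[a] for a in addrs[: len(prefix)]) == prefix:
            candidates.append((seed, bytes(image[a] for a in addrs)))
    return candidates


if __name__ == "__main__":
    flag = b"HTB{constructed_flag_ok}"
    img = build_flash(12345678, flag)
    # Narrow window keeps the demo fast; the real search covers SEED_SPACE.
    print(recover_seed(img, len(flag), range(12345600, 12345700)))
```

With the real dump, pass the 16 MiB file contents as `image` and the reversed constants in place of the hypothetical ones; the full 10^8 search is slow in pure Python and is usually ported to C or narrowed with the UART trace.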

Tags / techniques: known_plaintext_attack, prng_state_recovery, arm_reverse_engineering, lcg_seed_bruteforce, spi_flash_address_reconstruction



Description

Our years undercover in the art dealing world have paid off, and we have compromised the inner circle. The coordinates of the stolen treasures are contained within a mysterious device that we now have clearance to access. We managed to dump its flash memory and extract the embedded software running on it, and tap its input channel with a trigger-based capturing device in order to monitor passcode input. Its secrets must be retrieved!

Three files provided:

  1. embedded_software — ARM 32-bit ELF binary (Raspberry Pi), linked with wiringPi library, not stripped
  2. flash_memory_dump.bin — 16 MB W25Q128 SPI flash chip dump
  3. input_channel_trace.sal — Saleae Logic 8 capture of UART input channel (internal .sal format containing digital-0.bin and meta.json)

Goal: recover the secret (flag) stored scattered across the flash memory.

Analysis

1. Binary Reconnaissance

The embedded_software file is an ARM 32-bit ELF binary for Raspberry Pi. It imports functions from libwiringPi.so (SPI and serial I/O) and libc.so.6. Source file names visible in debug info: main2.c, memory_access.c.

2. Key Functions Identified via Radare2

...