Skip to main content

Mission Pinpossible

Our field agent cannot access the enemy base due to the password-protected internal gates, but observed that the password seemed to be partially displayed as it was typed into the security keypad. Thanks to an audacious mission, we were able to implant an embedded device into the wiring for the keypad's monitor, and intercepted some data. Your mission is to recover the password from the collected data.

Input files op_pinpossible.logicdata and security_keypad.jpeg

security_keypad.jpeg

Solution

This WriteUp Solution is password protected by the flag of the challenge.

In this challenge we are given .logicdata file and a image of a keypad. The .logicdata file is a logic analyzer capture file. We can open it in Logic1.After opening you can see 2 channels.So decode it add analyzer I2C change address display to 8bit-default. Now export the output to text/csv file. Now to decode this file use this code.

break.py
# Define the list of packets
packets = []
with open("out.txt", "rb") as f:
for i in f:
packets.append((i.split(b',')[3]).decode())
packets = packets[1:-1]
packets = [int(i, 16) for i in packets]

# Define the values of PCF_RS and PCF_EN
PCF_RS = 0x01
PCF_EN = 0x04

# Initialize an empty list to hold interesting packets
interesting_packets = []

# Loop through each packet in the packets list
for packet in packets:
# Check if the packet has both PCF_RS and PCF_EN bits set
if (packet & PCF_RS) and (packet & PCF_EN):
# If so, add it to the interesting_packets list
interesting_packets.append(packet)

# Split the interesting_packets list into pairs of packets
paired_packets = [interesting_packets[i:i + 2] for i in range(0, len(interesting_packets), 2)]

s=""
# Loop through each pair of packets
for upper_nibble, lower_nibble in paired_packets:
# Combine the upper and lower nibbles to get the final value
val = (upper_nibble & 0xF0) | (lower_nibble >> 4)
# Convert the value to a character and print it
s+=chr(val)

flag = s.split(" Enter Password")[1:-1]
flag = "".join(i[-1] for i in flag)
print(flag)

After running the above code you will get the flag HTB{84d_d3519n_c4n_134d_70_134k5!d@}