I sealed my master phassphrase on this device and protected it using my own TOTP algorithm. Can you recover it ?
Once ready, come to the organizers desk to validate your solution on the device. (No connection to the device allowed)
We are given a
First, let’s confirm it is an ELF file:
$ file challenge.elf
challenge.elf: ELF 32-bit LSB executable, Tensilica Xtensa, version 1 (SYSV), statically linked, with debug_info, not stripped
We note that it is not stripped and includes debug information. The architecture is unusual, it uses Tensilica Xtensa instructions set. We now look at some strings in the file:
$ strings -n10 challenge.elf
esp-idf: v4.4.3 6407ecb3f8
Dec 20 2022
axp: esp32 power voltage was set to 3.35v
The mysterious device
We get a look at the device near the organizers desk. There is no keyboard to enter the TOTP. After moving the device around, we notice that we can only enter 6 digits between 0 and 3 by rotating the device around two axes.
We start by opening the firmware in Ghidra, then we reverse the TOTP code computation and extract its HMAC key.
As of March 2023, Ghidra does not officially support Xtensa instruction set, but a community processor definition exists at https://github.com/Ebiroll/ghidra-xtensa. After installing this processor, Ghidra is able to import the firmware successfully.
As it is using the Arduino framework, we find a
The setup function initializes the M5Core2, an EEPROM, a MPU6886 inertial
measurement unit, a TFT screen and an RTC.
The loop function starts by getting a timestamp in seconds, then calls
It then transforms the output into a
The remaining of the function displays information on the screen and manage
the sequence input and verification.
TOTP HMAC key extraction
Using Ghidra and TOTP library source code, we reimplement
TOTP::getCode in Python.
Then we implement the same transformation to get a TOTP code with 6 digits between 0 and 3.
The TOTP library needs a HMAC key. By looking at
&totp structure references,
_GLOBAL__sub_I_prev_state function that sets the key to
eed2976a1dcb29e02e42 and the timestep to
We can now write the following Python script:
We then run this script and enter the sequence:
We get the following flag: