Here you can find my video write-ups for the Embedded Hardware CTF by Riscure (rhme.riscure.com/challenges). You can also take your own Arduino Nano and flash the challenges from their github repository here: https://github.com/Riscure/Rhme-2016 and follow along.
Newest videos are at the bottom.
Soldering the Arduino board, installing drivers for OS X and flashing the challenges with avrdude. The CTF will run until the end of February; the other videos will come after that.
Explaining what serial is, debugging it with a Saleae Logic Analyzer and figuring out how to talk to the board.
The first challenge I solved for the embedded hardware CTF by Riscure. It implements a Secure Filesystem which prevents you from reading files without knowing the correct token for a file.
We look at the datasheet of the ATmega328P, learn about the Harvard architecture and see what serial communication looks like at the assembler level.
We are using radare2 together with avr-gdb and simavr to reverse engineer the challenge "Jumpy", which implements a password checking algorithm.
Solving "Photo Manager" from the Riscure embedded hardware CTF by bypassing a buffer overflow mitigation through brute-forcing a stack cookie.
Using the greatest common divisor (GCD) to factorize the public modulus into the secret primes, so we can forge an RSA signature.
Solving the casino challenge of rhme2 by abusing a format string vulnerability.
We overflow a buffer and slowly figure out that we can control memory addresses to leak other data.
"Whack the Mole" was a fun little challenge that was not so much about security, but about figuring out how the game works, then playing it and winning.
We are going to recover an ECDSA private key from bad signatures. It is the same issue the PlayStation 3 had that allowed it to be hacked.
Preparing an Arduino Nano board to perform a power analysis side channel attack and explaining how that can be used to break RSA. Also proof I can't count.
Terrible DPA explanation and sharing my experience solving the side channel analysis challenge "piece of scake" from the rhme2 CTF.
Generating random numbers on computers is not easy. And while the intended solution was really hard, the challenge had a problem with the random number generation, which allowed me to solve it.
We perform a fault injection on an Arduino board to break out of an endless loop. We drop the power for a very short amount of time so the microprocessor calculates something wrong. Skip to 0:56 if you don't want to see my cringy acting.
Exploitation challenge from the RHme3 qualification round. We use ltrace to understand what the binary does and then use gdbinit to create custom logging.
Part 2 of solving the exploitation challenge from RHme3. In the last video we found the bug; now we create the exploit.
part 1/2: https://www.youtube.com/watch?v=sJPhsE_XeKI
We start to reverse engineer a crypto binary with Hopper.
Long story short, we reverse more and more of the binary and, with some hints, realize it's AES after all.
Exploring some of the notes and thoughts I had analyzing the whitebox crypto challenge.
Solving the AES whitebox crypto challenge without even touching crypto or AES.
Part 1 of reverse engineering another AVR firmware. Zeta Two shows us how to get started with reversing the code for the ATmega328P (AVR) chip. This was a challenge from the rhme2 competition. In this video we identify some I/O functions and the main() function.