# CTF Challenge Status Report

## 🎯 Challenge: RFID Access Door (Hardware/Crypto)

### ✅ Successfully Extracted:
1. **UID**: `04f6555b`
2. **Username**: `axel_outrun` (hex: `6178656c5f6f757472756e`)
3. **Sector Data** (from SPI MISO responses):
   - Region around line 68312: `cd335e314d4f8634cd1f` (10 bytes)
   - Region around line 69112: `5e4ce0a703078634cd1f` (10 bytes)
4. **Sector Data** (from MOSI filtered):
   - Full sequence: `0292640464020a820860081608cd0833085e0831084d084f0886083408cd081f`

### ❌ What We're Missing:
**The 6-byte authentication keys** (LCG outputs for keys[4] and keys[5])

These should be the last two 3-byte outputs from the LCG that get appended to `authorization_code`.

### 🔧 Attack Vector (LCG Weakness):
```python
# From ota_reader_update.py (module-level state added here so the snippet runs on its own;
# in the real file next_in_seq is initialised from the passcode, i.e. the LCG seed):
next_in_seq = 0

def random_key_gen():
    global next_in_seq
    # 32-bit LCG step, then truncated to a 3-byte output (note: modulo 0xffffff, not a 24-bit mask)
    next_in_seq = (next_in_seq * 0x52c6425d + 0xcc52c) % 2**32
    return next_in_seq % 0xffffff
```

This Linear Congruential Generator is cryptographically weak:
- If we extract 2 consecutive 3-byte outputs → can reverse to find seed (passcode)
- Once we have seed → can generate all keys → unlock door
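The following is an added example (not code from `ota_reader_update.py` or any of the challenge files) that shows why this generator cannot serve as a key generator: its only secret is the seed, and if the seed is a passcode drawn from a small range, two consecutive observed outputs identify it offline, with no round trips to the API at all. The generator constants are the ones quoted above; the key indices (`keys[4]`, `keys[5]`), the passcode range `0..100000` and the demo seed `4242` are constructed for illustration.

```python
"""Offline seed recovery for the reader's LCG (added example, not challenge code)."""
from typing import List

# Constants copied from the quoted random_key_gen(); everything else is constructed.
MULT, INC, MOD = 0x52c6425d, 0xcc52c, 2**32
OUT_MOD = 0xffffff  # the quoted code uses "% 0xffffff", not a 24-bit mask


class ReaderLCG:
    """Stateful mirror of random_key_gen() with the seed made explicit."""

    def __init__(self, seed: int):
        self.state = seed % MOD

    def next_key(self) -> int:
        self.state = (self.state * MULT + INC) % MOD
        return self.state % OUT_MOD


def key_stream(seed: int, count: int) -> List[int]:
    """First `count` outputs for a given seed (keys[0] .. keys[count-1])."""
    gen = ReaderLCG(seed)
    return [gen.next_key() for _ in range(count)]


def format_keys(keys: List[int]) -> str:
    """Render outputs as the 3-byte hex values that get appended to authorization_code."""
    return "".join(f"{k:06x}" for k in keys)


def recover_seed(observed: List[int], first_index: int, max_seed: int) -> List[int]:
    """Every seed in [0, max_seed) whose outputs starting at `first_index` equal `observed`.

    The whole search is local arithmetic: no API calls, so it is bounded by CPU,
    not by the 14 tests/sec the online brute force was getting.
    """
    needed = first_index + len(observed)
    return [s for s in range(max_seed) if key_stream(s, needed)[first_index:] == observed]


def demo(seed: int = 4242, max_seed: int = 100_000) -> List[int]:
    """Simulate a leak of keys[4] and keys[5] for a constructed seed, then recover it."""
    leaked = key_stream(seed, 6)[4:6]
    return recover_seed(leaked, first_index=4, max_seed=max_seed)


if __name__ == "__main__":
    print("keys[4..5] for seed 4242:", format_keys(key_stream(4242, 6)[4:6]))
    print("seeds consistent with that leak:", demo())
```

Scanning 100,000 candidate seeds takes well under a second in CPython, which is the practical point: once two genuine 3-byte outputs are in hand, the passcode space is exhausted locally and the API only has to be contacted once with the final answer.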

### 📊 What We Tried:

#### ✅ Successful Extractions:
- Exported SPI data from Saleae `.sal` file
- Found `axel_outrun` username in MOSI stream (line ~68247)
- Extracted sector data patterns from MISO
- Verified data is correct (API returns `{'flag': 'HTB{}'}}` not error)

#### ❌ Unsuccessful Attempts:
1. **Direct key search**: No MIFARE AUTH commands (0x60/0x61) found in MOSI
2. **Pattern matching**: Couldn't find 6-byte sequences that reverse to valid LCG seed
3. **Format testing**: Tried multiple auth_code formats, all returned "Locked"
4. **Brute force**: Running at 14 tests/sec (currently at 5000/100000)

### 🚧 Current Blocker:
**API Server Down**: `Connection refused` on `http://154.57.164.61:31938/api`
- Started failing around test ~5000
- Challenge instance may have expired
- Need to restart instance or wait for server

### 📝 Data Format Question:
According to the Python code:
```python
auth_code = sector_22_data + key_gen  # where key_gen is 6 bytes
```

**Unknown**: What is the length of `sector_22_data`?
- Is it 10 bytes + 6 bytes of keys?
- Is it 16 bytes + 6 bytes of keys?
- Is it variable?

### 🎲 Next Steps:

#### Option 1: Wait for Server & Test
Once server is back:
```python
# Test these formats:
auth_codes = [
    '0292640464020a820860' + '<6_byte_keys>',  # 10 byte sector
    '0292640464020a820860081608cd0833' + '<6_byte_keys>',  # 16 byte sector
]
```

#### Option 2: Properly Decode SPI in Saleae Logic 2
1. Open `access_reader_logic_data_analysed.sal`
2. Verify SPI analyzer settings:
   - CLK = Channel 3
   - MOSI = Channel 1
   - MISO = Channel 2
   - CS = Channel 0
3. Export decoded SPI transactions
4. Find 6-byte key sequences in auth commands

#### Option 3: Continue Brute Force
Current speed: ~14 passcodes/sec
- Time for 0-100k: ~2 hours
- Time for 0-1M: ~20 hours

### 💡 Key Insight from User:
> "The keys might already be in the data you extracted"

This suggests the extracted bytes:
```
0292640464020a820860 | 081608cd0833 | 085e0831084d084f0886083408cd081f
     Sector 22?      |  Keys 4-5?   |         Sector 34?
```

But LCG reversal didn't work on `081608cd0833`, suggesting this interpretation
is incorrect.

### 🔍 Alternative Theory:
The repeating `08` byte might be:
- A register address (MFRC522 uses 0x08-0x0F range)
- Part of a command sequence
- Status byte between data bytes

Possible filtering:
```
08 60 08 16 08 cd 08 33 → 60 16 cd 33 (4 bytes, not 6)
08 16 08 cd 08 33 08 5e → 16 cd 33 5e (4 bytes)
```
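As an added check (not code from the challenge or from any of the `extract_*.py` files), the script below applies the "strip the interleaved `08`" filter to the MOSI sequence already listed in this report and compares the result against the MISO regions listed above, so the hypothesis is tested on the captured bytes rather than by eye. Two conventions are used and both are assumptions about the reader: the MFRC522 SPI address-byte format from the MFRC522 datasheet (bit 7 set for read, bits 6..1 the register number) for the leading bytes, and the MIFARE Classic command codes `0x60`/`0x61` (AUTH A/B, followed by a block number) that this report already mentions, for whatever survives the filter.

```python
"""Test the 'repeating 0x08' hypothesis against the bytes in this report (added example)."""
from typing import Dict, Optional, Tuple

# Hex strings copied from the report: MOSI filtered sequence and the two MISO regions.
MOSI_FILTERED = "0292640464020a820860081608cd0833085e0831084d084f0886083408cd081f"
MISO_REGION_A = "cd335e314d4f8634cd1f"
MISO_REGION_B = "5e4ce0a703078634cd1f"

# MIFARE Classic command bytes, as named in the report.
MIFARE_COMMANDS = {0x60: "AUTH_A", 0x61: "AUTH_B"}


def first_interleaved_offset(data: bytes, marker: int = 0x08) -> Optional[int]:
    """Index where a strict marker/data/marker/data alternation runs to the end, or None."""
    for start in range(len(data)):
        tail = data[start:]
        if len(tail) >= 4 and len(tail) % 2 == 0 and all(b == marker for b in tail[0::2]):
            return start
    return None


def strip_interleaved_marker(data: bytes, marker: int = 0x08) -> bytes:
    """Keep the leading bytes as-is and drop every marker byte from the alternating tail."""
    start = first_interleaved_offset(data, marker)
    if start is None:
        return data
    return data[:start] + data[start + 1::2]


def decode_mfrc522_address(addr_byte: int) -> Tuple[str, int]:
    """MFRC522 SPI address byte (assumption: reader is an MFRC522): MSB = read, bits 6..1 = reg."""
    direction = "read" if addr_byte & 0x80 else "write"
    return direction, (addr_byte >> 1) & 0x3F


def decode_mifare_command(payload: bytes) -> Optional[Tuple[str, int]]:
    """If the payload starts with a MIFARE auth command, return (name, block number)."""
    if len(payload) >= 2 and payload[0] in MIFARE_COMMANDS:
        return MIFARE_COMMANDS[payload[0]], payload[1]
    return None


def hypothesis_check() -> Dict[str, object]:
    """Run the filter and report how the result lines up with the MISO regions."""
    data = bytes.fromhex(MOSI_FILTERED)
    start = first_interleaved_offset(data)
    stripped = strip_interleaved_marker(data)
    leading, payload = stripped[:start], stripped[start:]
    region_a = bytes.fromhex(MISO_REGION_A)
    region_b = bytes.fromhex(MISO_REGION_B)
    return {
        "interleave_starts_at": start,
        "leading_hex": leading.hex(),
        "leading_as_mfrc522": [decode_mfrc522_address(b) for b in leading],
        "payload_hex": payload.hex(),
        "payload_command": decode_mifare_command(payload),
        "region_a_offset": payload.find(region_a),  # -1 if absent
        "region_b_offset": payload.find(region_b),
    }


if __name__ == "__main__":
    for key, value in hypothesis_check().items():
        print(f"{key}: {value}")
```

The report's own filter left a 4-byte remainder because it started at `08 60`; running the same filter over the whole alternating tail and diffing against the MISO regions makes it explicit which bytes are reader-side (MOSI) and which merely echo data already captured on MISO, which is the distinction the key search needs.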

### 📌 Files Created:
- `extract_*.py` - Various SPI extraction attempts
- `crack_*.py` - LCG reversal attempts
- `test_formats.py` - API format testing
- `smart_brute.py` - Parallel brute force (running)
- `solution.py` - Attempted LCG crack from keys

### ✨ Solution Path (When Server Returns):
1. **Extract correct keys** from SPI capture
2. **Reverse LCG** to get passcode
3. **Submit**:
   ```json
   {
     "uid": "04f6555b",
     "username": "6178656c5f6f757472756e",
     "authorization_code": "[sector_22 + keys_4_5]",
     "access_level": "[sector_34]"
   }
   ```

---

- **Status**: Waiting for API server or proper SPI decode
- **Progress**: 80% (have all pieces except the 6-byte keys)
- **Blocker**: Connection refused / potential timeout
