Microcorruption

Scattered throughout the world in locked warehouses are briefcases filled with Cy Yombinator bearer bonds that could be worth billions comma billions of dollars.

You will help steal the briefcases. - Embedded Security CTF / HN

Using the debugger, you’ll be able to single step the lock code, set breakpoints, and examine memory on your own test instance of the lock. You’ll use the debugger to find an input that unlocks the test lock, and then replay it to a real lock.

see also

  • Convince me! - Your goal is to make Gandalf reveal the secret password for each level.


Lockitall                                            LOCKIT PRO r a.01
______________________________________________________________________

              User Manual: Lockitall LockIT Pro, rev a.01              
______________________________________________________________________


OVERVIEW

    - This is the first LockIT Pro Lock.
    - This lock is not attached to any hardware security module.


DETAILS

    The LockIT Pro a.01  is the first of a new series  of locks. It is
    controlled by a  MSP430 microcontroller, and is  the most advanced
    MCU-controlled lock available on the  market. The MSP430 is a very
    low-power device which allows the LockIT  Pro to run in almost any
    environment.

    The  LockIT  Pro   contains  a  Bluetooth  chip   allowing  it  to
    communicate  with the  LockIT Pro App, allowing the  LockIT Pro to
    be inaccessible from the exterior of the building.

    There is  no default password  on the LockIT  Pro---upon receiving
    the LockIT Pro, a new password must be set by connecting it to the
    LockIT Pro  App and  entering a password  when prompted,  and then
    restarting the LockIT Pro using the red button on the back.
    
    This is Hardware  Version A.  It contains  the Bluetooth connector
    built in, and one available port  to which the LockIT Pro Deadbolt
    should be connected.

    This is Software Revision 01.

    


(c) 2013 LOCKITALL                                            Page 1/1

Hints

Every number in the debugger is in base 16.

mov.b @r15, r14 - move the byte at the memory address held in r15 into r14 (register-indirect source, byte width)

Debugger actions

  • let pc=4498 - change pc
  • solve - solve the puzzle outside debug mode

MSP430 - online (dis)assembly
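To make the `mov.b @r15, r14` hint concrete, here is an added example (not code from Microcorruption or its debugger) that decodes an MSP430 format-I instruction word and executes the move against a constructed register file and memory. The instruction encoding, the 0x4400 code address, the 0x2400 data address and the bytes placed there are all assumptions chosen for the demonstration; the example covers both the word and byte forms and the register-direct, indirect and indirect-autoincrement source modes, which is a little more than the single hint above.

```python
# Added example: minimal MSP430 format-I (two-operand) decoder plus a
# mov/mov.b executor. Constructed for illustration; not the Microcorruption
# debugger's code. Only the addressing modes needed for the hint are handled.

# Opcode nibble -> mnemonic (subset of the format-I table).
OPCODES = {0x4: "mov", 0x5: "add", 0x8: "sub", 0x9: "cmp", 0xD: "bis", 0xF: "and"}

# Source addressing modes we decode: As=0 register, As=2 indirect, As=3 indirect+autoincrement.
SRC_MODES = {0: "r{}", 2: "@r{}", 3: "@r{}+"}


def decode(word):
    """Split a 16-bit format-I word into its fields.

    Bit layout: [15:12] opcode, [11:8] src reg, [7] Ad, [6] B/W, [5:4] As, [3:0] dst reg.
    """
    return {
        "op": OPCODES.get((word >> 12) & 0xF, "?"),
        "src": (word >> 8) & 0xF,
        "ad": (word >> 7) & 1,
        "byte": bool((word >> 6) & 1),   # 1 = .b (byte), 0 = word
        "as": (word >> 4) & 3,
        "dst": word & 0xF,
    }


def fmt(ins):
    """Render a decoded instruction as the debugger's disassembly would show it."""
    if ins["as"] not in SRC_MODES or ins["ad"] != 0:
        raise NotImplementedError("only register/indirect source and register destination")
    suffix = ".b" if ins["byte"] else ""
    return f"{ins['op']}{suffix} {SRC_MODES[ins['as']].format(ins['src'])}, r{ins['dst']}"


class Cpu:
    """Register file plus a flat 64 KiB memory; r0 is the program counter."""

    def __init__(self):
        self.r = [0] * 16              # r0=pc, r1=sp, r2=sr, r3=cg, r4..r15 general purpose
        self.mem = bytearray(0x10000)

    def read16(self, addr):
        # MSP430 is little-endian: low byte at the lower address.
        return self.mem[addr & 0xFFFF] | (self.mem[(addr + 1) & 0xFFFF] << 8)

    def step(self):
        """Fetch, decode and execute one instruction at pc; return its disassembly."""
        word = self.read16(self.r[0])
        self.r[0] = (self.r[0] + 2) & 0xFFFF      # advance pc past the 2-byte opcode word
        ins = decode(word)
        text = fmt(ins)
        if ins["op"] != "mov":
            raise NotImplementedError(f"{text}: only mov is executed in this example")
        if ins["as"] == 0:
            value = self.r[ins["src"]]
        else:
            addr = self.r[ins["src"]]
            # Byte form loads one byte; word form loads two (little-endian).
            value = self.mem[addr & 0xFFFF] if ins["byte"] else self.read16(addr)
            if ins["as"] == 3:
                # @rN+ bumps the pointer by 1 for .b, by 2 for word (pc/sp always by 2).
                inc = 1 if ins["byte"] and ins["src"] > 1 else 2
                self.r[ins["src"]] = (addr + inc) & 0xFFFF
        # A .b move clears the upper byte of the destination register.
        self.r[ins["dst"]] = value & (0xFF if ins["byte"] else 0xFFFF)
        return text


def demo(word):
    """Run one constructed instruction word: r15 points at bytes 41 42 in memory."""
    cpu = Cpu()
    cpu.r[0] = 0x4400                                   # assumed code address
    cpu.r[15] = 0x2400                                  # assumed data address
    cpu.mem[0x4400:0x4402] = word.to_bytes(2, "little")  # place the opcode word at pc
    cpu.mem[0x2400:0x2402] = bytes([0x41, 0x42])         # constructed data the pointer reaches
    text = cpu.step()
    return text, cpu.r[14], cpu.r[15], cpu.r[0]


if __name__ == "__main__":
    # All values shown in hex, as in the debugger.
    for w in (0x4F6E, 0x4F2E, 0x4F7E):
        text, r14, r15, pc = demo(w)
        print(f"{w:04x}: {text:<18} r14={r14:04x} r15={r15:04x} pc={pc:04x}")
```

Running it prints the disassembly and resulting registers for the byte move (`mov.b @r15, r14`, r14 becomes 0041), the word move (`mov @r15, r14`, r14 becomes 4241) and the autoincrement byte move (r15 advances to 2401), which is the difference the hint is pointing at when you single-step past that instruction.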

Levels

  • Tutorial - follow the tutorial - every password of the proper size works.

The engineers responsible have been sacked.


LockIT Pro rev A - No security module

  • New Orleans - LockIT Pro rev a.01 - hardcoded password
  • Sydney - LockIT Pro rev a.02 - hardcoded password
  • Reykjavik - LockIT Pro rev a.03 - hardcoded password - yet the code is not visible in the debugger view (executed from RAM)

LockIT Pro rev B - with Security Module 1

  • Hanoi - LockIT Pro rev b.01 - login flags next to input
  • Cusco - LockIT Pro rev b.02 - input stored on the stack
  • Addis Ababa - LockIT Pro rev b.03 - printf
  • Johannesburg - LockIT Pro rev b.04 - overflow
  • Santa Cruz - LockIT Pro rev b.05 - usr+pwd 3, 2, 1, 0
  • Jakarta - LockIT Pro rev b.06 - detail bytes

LockIT Pro rev C - test & open door directly from security module

  • Whitehorse - LockIT Pro rev c.01 - know your history
  • Novosibirsk - LockIT Pro rev c.02 - back to bbb
  • Montevideo - LockIT Pro rev c.03 - push your way through
  • Lagos - LockIT Pro rev c.04 - r14 has no limit
  • Vladivostok - LockIT Pro rev c.05 - ?

LockIT Pro rev D - with Account Manager.


Written on November 30, 2017, Last update on September 27, 2024
reverse security debug-c++ capture-the-flag