Writeup 32c3 hd44780

While watching the 32c3 talks over the internet I also participated solo in the CTF and spent most of the time on the challenge hd44780. The files are here.

Note that there are not many hints given. Just some pictures, and the name hd44780. Searching for hd44780 I found a datasheet which describes a display controller chip.

DisplayThe first image shows a 4*20 character display and some pin numbers. Other images shows some soldering which can be used to figure out how the hd44780 is connected to the display.

A similar setup is described in this tutorial, but the pinouts are different. Together with the images are some text files named RSPI_GPIO_*.txt, wher star is 7, 8, 18, 23, 24 and 25. Each file contains two lines with a number of floats on both rows. After some guessing I figured out that the first line is measurement time and the second line is either a 1 or a 0 for the corresponding times.

The next guess is that each data file contains measurements for one pin and that the timing values can be used to synchronize the values from the different files.

After some guessing and irc-discussion with another CTF player I figured out that the pinout is as following:

7 – Select
8 – Enable
18 – db7 (data pin number 7)
23 – db6
24 – db5
25 – db4

Now I made a big mistake, trying to code up something without carefully studying the datasheet. So after some trial and error, and reading up on the datasheet I figured out how to approach the problem.

Loop through the datafile for the enable pin (pin 8). Each time this pin changes from a 0 to a 1, check the other data files and look what values they have at that corresponding time. Then use the information from the datasheet to figure out what the display would do.

It turns out that when the select pin is 0 the 4 data pins are used to send a special message to the display (like clear screen or move cursor) and when the select pin is 1 a character is output to the display at the current cursor position and the cursor is advanced one position.

If you look at the datasheet you see that each message is actually 8 bits. It turns out that the display can be operated in 4-bit mode and there is actually a special message sent near the beginning that sets the display in 4-bit mode. In this mode the high nibble and low nibble are sent separately, so one character is output using two writes (a write is done each time enable goes from 0 to 1).

Another strange behaviour is that the address space is kind of weird. Characters for the two first lines are at address 0 to 39. Nothing strange there. But then there is a gap and the third line starts at address 64. This needs to be handled when moving the cursor around.

Now when we know how everything works, take a look at the python code that emulates the display taking the values from the data pins as input.

Link to the code

The program is a bit buggy, but if you look at it you see that dump_display is called at every move cursor event, and that information can be used to figure out the flag.


Om albertveli

Grävande programmerare.
Det här inlägget postades i CTF. Bokmärk permalänken.


Fyll i dina uppgifter nedan eller klicka på en ikon för att logga in:

WordPress.com Logo

Du kommenterar med ditt WordPress.com-konto. Logga ut /  Ändra )


Du kommenterar med ditt Google+-konto. Logga ut /  Ändra )


Du kommenterar med ditt Twitter-konto. Logga ut /  Ändra )


Du kommenterar med ditt Facebook-konto. Logga ut /  Ändra )


Ansluter till %s