Daniel Henschel

Daniel Henschel

Random IT Solution Architect doing CTF challenges from time to time.

[HV22.17] Santa’s Sleigh

2 minute read

As everyone seems to modernize, Santa has bought a new E-Sleigh. Unfortunately, its speed is limited. Without the sleight’s full capabilities, Santa can’t manage to visit all kids… so he asked Rudolf to hack the sleigh for him.

I wonder if it worked.

Unfortunately, Rudolph is already on holiday. He seems to be in a strop because no one needs him to pull the sledge now. We only got this raw data file he sent us.

Hints

  • Rodolph is heavy on duty during his holiday trip, but he managed to send und at least a photo of his first step. image of some wires coming out of a plastic case

  • Rudolf finally wants some peace and quiet on vacation. But send us one last message together with a picture: “I thought they speak 8 or 7 N1” image of some signals

Solution

So, we got a file called SantasSleigh.raw, containing a single long line of numbers from 0 to 3.

The file ending doesn’t give anything away. file and binwalk neither, but that was expected.

The description sends us towards E Scooter hacking, which is quite a rabbit hole to go down. I did some static analysis but nothing made sense. I measured the length of the consecutive numbers and noticed that many of them were powers of 2, but a few sticked out but a big amount:

lengths of the consecutive characters

Didn’t get me anywhere. Slowly the hints began to come in. The first picture seemed familiar, I already saw that one during E Scooter hacking research. Went through my history and found it again on this article on how someone reverse engineered his scooter protocol: https://github.com/teixeluis/escooter-lcd-esc-decode

I read this before, but since the protocol had fixed bytes in the beginning of each frame, and I was not able to get from the long line to that fixed values, I put it away. Now, that this is a hint, I tried some more (went down a rabbit hole searching for an esoteric language like brainfuck but with only 4 instructions but didn’t find a valid compiler for it), failed and waited for another hint.

When the second hint came in it clicked. I remembered the tool (PulseView) and fired it up to load the file. To load it, I selected “Import Raw Binary Logic Data” (now the .raw makes sense) and selected a sample rate of 100 Hz. This looks promising!

data loaded to pulseview

Okay, we have two active channels, just like in the hint, and we assume it might be some protocol. If we look through the decoders in PulseView, I tried a lot and landed at UART which seemed valid. Playing around with the settings, I figured that a single 1 or 0 consists of 4 samples by looking closely at the sampled data:

close up of the data

We see 5 points, but this includes the raising / falling edge, so we need to set the baudrate of UART to 1/4 of our selected samplerate. So 25 it is. Selecting ascii as data format handily decodes the bytes to ascii instantly, showing a few letters ‘Hello’ which is quite promising.

first message

Opening the decoded bytes output view shows a text, which looks like one side of a conversation asking for the flag and receiving it. Strangely, the second dump doesn’t work.

rx good, tx not

Since the hint gives us information regarding bits, parity and stop bits, I played around with that and when changing from 8N1 to 7N1, both messages were displayed correctly and I got the flag HV22{H4ck1ng_S4nta's_3-Sleigh}

flag

Updated: