Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
59 lines (50 sloc)
1.28 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Capture-The-Flag ShittyAddon Firmware | |
| * Copyright (C) 2019, Uri Shaked | |
| * Released under the MIT license. | |
| */ | |
| // LED is connected to PB1 | |
| #include <avr/boot.h> | |
| #include <TinyWire.h> | |
| uint16_t target = 0; | |
| uint16_t flash_addr = 0x400; | |
| uint16_t flash_value = 0x20; | |
| // SECRET will be replaced with the actual flag: | |
| const char flag[] PROGMEM = "$FLAG:SECRET"; | |
| void setup() { | |
| TinyWire.begin(0x23); | |
| TinyWire.onReceive(onI2CReceive); | |
| TinyWire.onRequest(onI2CRequest); | |
| for (uint8_t ch = 0; flag[ch]; ch++) { | |
| flash_value ^= flag[ch]; | |
| } | |
| } | |
| void loop() { | |
| bool erase = flash_addr & 0x8000; | |
| flash_addr &= 0x1fff; | |
| if (flash_addr >= 0x800) { | |
| cli(); | |
| if (erase) { | |
| boot_page_erase_safe(flash_addr); | |
| } else { | |
| for (uint8_t i = 0; i < SPM_PAGESIZE; i += 2, flash_value += 2) { | |
| boot_page_fill_safe(flash_addr + i, *(uint16_t*)flash_value); | |
| } | |
| boot_page_write(flash_addr); | |
| } | |
| boot_spm_busy_wait(); | |
| flash_addr = 0; | |
| sei(); | |
| } | |
| } | |
| void onI2CReceive(int cnt) { | |
| target = TinyWire.read(); | |
| while (TinyWire.available()) { | |
| *(uint8_t*)target++ = TinyWire.read(); | |
| } | |
| } | |
| void onI2CRequest() { | |
| TinyWire.send(target); | |
| uint8_t* addr = (uint8_t*)((target++) & 0x1fff); | |
| TinyWire.send((target & 0x8000) ? pgm_read_byte(addr): *addr); | |
| } | |