{"id":863,"date":"2025-12-05T17:20:38","date_gmt":"2025-12-05T09:20:38","guid":{"rendered":"http:\/\/39.104.51.85\/?p=863"},"modified":"2025-12-09T00:47:40","modified_gmt":"2025-12-08T16:47:40","slug":"bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97","status":"publish","type":"post","link":"http:\/\/39.104.51.85\/index.php\/2025\/12\/05\/bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97\/","title":{"rendered":"BugKu IOT\u5237\u9898\u65e5\u5fd7"},"content":{"rendered":"\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_69_1 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >\u5185\u5bb9<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-1\" 
href=\"http:\/\/39.104.51.85\/index.php\/2025\/12\/05\/bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97\/#reboot\" title=\"reboot\">reboot<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/39.104.51.85\/index.php\/2025\/12\/05\/bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97\/#Sal\" title=\"Sal\">Sal<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/39.104.51.85\/index.php\/2025\/12\/05\/bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97\/#UPnP\" title=\"UPnP\">UPnP<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-1'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/39.104.51.85\/index.php\/2025\/12\/05\/bugku-iot%e5%88%b7%e9%a2%98%e6%97%a5%e5%bf%97\/#%E5%A4%96%E6%98%9F%E4%BA%BA%E7%9A%84%E9%9F%B3%E6%B8%B8%E6%8E%8C%E6%9C%BA\" title=\"\u5916\u661f\u4eba\u7684\u97f3\u6e38\u638c\u673a\">\u5916\u661f\u4eba\u7684\u97f3\u6e38\u638c\u673a<\/a><\/li><\/ul><\/nav><\/div>\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"reboot\"><\/span>reboot<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p><a href=\"https:\/\/github.com\/BYU-CSA\/BYUCTF-2024\">https:\/\/github.com\/BYU-CSA\/BYUCTF-2024<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-7-1024x602.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"602\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-7-1024x602.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-865\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u9898\u76ee\u628aflag\u653e\u5728\u4e00\u4e2a\u968f\u673a\u76ee\u5f55\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-6-1024x691.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"691\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-6-1024x691.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-864\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u9898\u76ee\u7684server\u5b58\u5728\u4e00\u4e2a\u547d\u4ee4\u62fc\u63a5\u6f0f\u6d1e\uff0c\u76f4\u63a5\u7b2c\u4e00\u6b21set hostname\u7684\u65f6\u5019\uff0c\u628ahostname\u8bbe\u7f6e\u6210<code>;\/bin\/bash;<\/code>\uff0c\u7b2c\u4e8c\u6b21\u5373\u53ef\u62ff\u5230shell<\/p>\n\n\n\n<p>\u6709shell\u4e86\u60f3\u8981\u627e\u5230\u4e00\u4e2aflag\u8def\u5f84\u5c31\u4e0d\u591a\u8bf4\u4e86<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Sal\"><\/span>Sal<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p><a href=\"https:\/\/github.com\/BYU-CSA\/BYUCTF-2024\">https:\/\/github.com\/BYU-CSA\/BYUCTF-2024<\/a><\/p>\n\n\n\n<p>external flash memory chip(\u5916\u90e8\u5b58\u50a8\u82af\u7247) 
\u4e00\u822c\u7528\u6765\u5b58\u6570\u636e(\u6587\u4ef6\u7cfb\u7edf)\uff0c\u9700\u8981\u5206\u6790Saleae\u903b\u8f91\u5206\u6790\u4eea\u6355\u83b7\u7684\u4fe1\u53f7\uff0c\u6765\u8fd8\u539f\u8fd9\u4e2a\u6587\u4ef6\u7cfb\u7edf<\/p>\n\n\n\n<p>\u9700\u8981\u4ece\u5b98\u7f51\u4e0b\u8f7d\u4e00\u4e2a\u5206\u6790sal\u6587\u4ef6\u7684\u5de5\u5177<\/p>\n\n\n\n<p><a href=\"https:\/\/saleae.com\/downloads\">Download Logic 2 &#8211; Saleae<\/a><\/p>\n\n\n\n<p>\u7f51\u4e0a\u641c\u7d22\u4e00\u4e0b\uff0c\u53ef\u4ee5\u5f97\u77e5Winbond 25Q128JVSQ\u4f7f\u7528\u7684\u662fspi\u901a\u4fe1\u534f\u8bae<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-8-1024x513.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"513\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-8-1024x513.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-866\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>SPI \u6709\u56db\u6761\u4fe1\u53f7\u7ebf\uff0c\u8fd9\u91cc\u4e3b\u8bbe\u5907\u662f\u6307\u63a7\u5236\u8005\uff0c\u4ece\u8bbe\u5907\u662f\u6307flash\u5b58\u50a8\u82af\u7247<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7247\u9009(CS)\uff1a\u7247\u9009\u4fe1\u53f7\uff0c\u4f4e\u7535\u5e73\u6709\u6548<\/li>\n\n\n\n<li>\u65f6\u949f(SPI CLK, 
SCLK)\uff1a\u65f6\u949f\u4fe1\u53f7\u7531\u4e3b\u673a\u4ea7\u751f<\/li>\n\n\n\n<li>MOSI\uff1a\u4e3b\u673a\u8f93\u51fa\uff0c\u4ece\u673a\u8f93\u5165<\/li>\n\n\n\n<li>MISO\uff1a\u4e3b\u673a\u8f93\u5165\uff0c\u4ece\u673a\u8f93\u51fa<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pica.zhimg.com\/v2-216b805c15ad6a3cd667513021cd3bfa_1440w.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pica.zhimg.com\/v2-216b805c15ad6a3cd667513021cd3bfa_1440w.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p>\u4e3b\u673a\u548c\u4ece\u673a\u4e4b\u95f4\u7684SPI\u8fde\u63a5<\/p>\n\n\n\n<p>\u8fd9\u91cc\u8981\u6ce8\u610f\u4e00\u4e0b\uff0c\u4e3b\u673a\u548c\u4ece\u673a\u7684MOSI\u548cMISO\u7684\u63a5\u7ebf\uff0c\u8fd9\u4e2a\u8ddf\u4e32\u53e3TX\uff0cRX\u4e0d\u4e00\u6837\uff0c\u5f88\u591a\u4eba\u5bb9\u6613\u641e\u9519\uff0c\u4e3b\u673a\u7684MISO\u63a5\u4ece\u673a\u7684MISO\uff0c\u4e3b\u673a\u7684MOSI\u63a5\u4ece\u673a\u7684MOSI\uff0c<strong>\u76f4\u8fde\u4e0d\u4ea4\u53c9\u3002<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-9.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"949\" height=\"815\" 
data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-9.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-867\"  sizes=\"(max-width: 949px) 100vw, 949px\" \/><\/div><\/figure>\n\n\n\n<p>\u5206\u6790\u5e76\u4e14\u5bfc\u51fa\u6570\u636e\uff0c\u5f97\u5148\u533a\u5206\u8fd9\u56db\u4e2a\u901a\u9053\u5206\u522b\u5bf9\u5e94\u54ea\u56db\u4e2a\u4fe1\u53f7\u7ebf\uff0c\u8bfb\u53d6\u6570\u636e\u7684\u65f6\u5019\uff0cCS\u7684\u7535\u5e73\u4f1a\u88ab\u62c9\u4f4e\uff0c\u7136\u540e\u901a\u8fc7DI\u4f9d\u6b21\u8f93\u516503h\u4ee5\u53ca\u4e00\u4e2a24\u4f4d\u7684\u5730\u5740\uff0c\u5730\u5740\u88ab\u63a5\u6536\u540e\uff0c\u4ece\u8bbe\u5907\u51c6\u5907\u597d\u8f93\u51fa\u6570\u636e\u65f6\uff0c\u65f6\u949f\u4fe1\u53f7\u4f1a\u4ece\u9ad8\u7535\u5e73\u53d8\u6210\u4f4e\u7535\u5e73\u89e6\u53d1\u6570\u636e\u8f93\u51fa<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-11-1024x463.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"463\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-11-1024x463.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-869\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u5f88\u660e\u663echannel1\u662fCLK\uff0cchannel2\u662f\u7b26\u5408CS\u7684\u6ce2\u5f62\u7684\uff0cchannel3\u5bf9\u5e94DI\uff0c\u5148\u53d1\u6307\u4ee4\u518d\u53d1\u5730\u5740\uff0c\u90a3\u4e48channel4\u5bf9\u5e94\u7684\u5c31\u662fDO\u4e86<\/p>\n\n\n\n<p>\u9009\u62e9\u5206\u6790\u5de5\u5177\u91cc\u7684SPI<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-12-507x1024.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"507\" height=\"1024\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-12-507x1024.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-870\"  sizes=\"(max-width: 507px) 100vw, 507px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-13.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"782\" height=\"933\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-13.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" 
class=\"wp-image-871\"  sizes=\"(max-width: 782px) 100vw, 782px\" \/><\/div><\/figure>\n\n\n\n<p>\u6839\u636e\u521a\u624d\u7684\u5206\u6790\u9009\u62e9\u901a\u9053<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-15.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"527\" height=\"728\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-15.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-873\"  sizes=\"(max-width: 527px) 100vw, 527px\" \/><\/div><\/figure>\n\n\n\n<p>\u5206\u6790\u5b8c\u540e\u5bfc\u51fa\u6570\u636e<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-16.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"424\" height=\"537\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-16.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-874\"  sizes=\"(max-width: 424px) 100vw, 424px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u5bfc\u51fa\u4e4b\u540e\uff0c\u8f93\u5165\u547d\u4ee4<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python saleae_parser.py -z spi --binary --device W25Q128JVSQ ~\/iot\/byuctf\/sal\/data.csv<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-17-1024x125.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"125\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-17-1024x125.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-875\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>binwalk\u89e3\u538b\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-18-1024x296.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"296\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-18-1024x296.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-876\"  
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6700\u7ec8\u6210\u529f\u63d0\u53d6\u51fa\u56fa\u4ef6\uff0c\u5230etc\u76ee\u5f55\u4e0b\u627e\u5230passwd<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-19-1024x264.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"264\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-19-1024x264.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-877\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6700\u7ec8\u7b54\u6848\uff1abyuctf{c8ef3ad94c6eb97f4fa94a0f0ed33980}<\/p>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"UPnP\"><\/span>UPnP<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p>\u9898\u76ee\u63cf\u8ff0\uff08\u5df2\u7ffb\u8bd1\uff09\uff1a<\/p>\n\n\n\n<p>\u6211\u53d1\u73b0\u6211\u7684\u8def\u7531\u5668\u5728 52881 \u7aef\u53e3\u4e0a\u66b4\u9732\u4e86 UPnP \u670d\u52a1\uff0c\u5e76\u5f00\u59cb\u4e0e\u5176\u4ea4\u4e92\u3002\u4f7f\u7528\u4e00\u4e9b\u57fa\u672c\u7684\u679a\u4e3e\u5de5\u5177\uff0c\u6211\u83b7\u53d6\u4e86 UPnP \u64cd\u4f5c\u7684\u5217\u8868\u3002\u552f\u4e00\u4e00\u4e2a\u6211\u80fd\u4ece\u4e2d\u5f97\u5230\u5b9e\u9645\u56de\u5e94\u7684\u662f&nbsp;<code>GetDeviceInfo<\/code>&nbsp;\uff0c\u4f46\u6211\u5b8c\u5168\u65e0\u6cd5\u7406\u89e3\u5b83\u2026\u2026\u4f60\u80fd\u89e3\u91ca\u4e00\u4e0b\u5417\uff1f<\/p>\n\n\n\n<p><code>nonce<\/code>&nbsp;\u7684 base64 
\u7f16\u7801\u503c\u662f\u4ec0\u4e48\uff1f<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-20-1024x170.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"170\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-20-1024x170.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-880\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u68c0\u67e5\u4e00\u4e0b\u6587\u4ef6\u7c7b\u578b\uff0c\u662fdata<\/p>\n\n\n\n<p>actions.txt\u7684\u5185\u5bb9\u5982\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"310\" height=\"433\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-21.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-881\"  sizes=\"(max-width: 310px) 100vw, 310px\" \/><\/div><\/figure>\n\n\n\n<p>\u5728<a 
href=\"https:\/\/ndeflib.readthedocs.io\/en\/stable\/records\/wifi.html\" data-type=\"link\" data-id=\"https:\/\/ndeflib.readthedocs.io\/en\/stable\/records\/wifi.html\">\u8fd9\u91cc<\/a>\u6709\u5bf9\u4e8eactions\u7684\u4e00\u4e9b\u6570\u636e\u683c\u5f0f\u7684\u63cf\u8ff0<\/p>\n\n\n\n<p>\u7b80\u5355\u6765\u8bf4\uff0c\u5c31\u662f\u4e00\u6761\u6570\u636e\u7531ID\uff082\u5b57\u8282\uff09\uff1aLength\uff082\u5b57\u8282\uff09\uff1avalue\uff08Length\u5b57\u8282\uff09\u7ec4\u6210\uff0cID\u5b9a\u4e49\u5728<a href=\"https:\/\/android.googlesource.com\/kernel\/common.git\/+\/bcmdhd-3.10\/drivers\/net\/wireless\/bcmdhd\/include\/proto\/wps.h\">android.googlesource.com<\/a><\/p>\n\n\n\n<p>\u6839\u636e\u5b9a\u4e49\u53ef\u4ee5\u5f97\u5230solve\u811a\u672c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import sys\nimport base64\nimport struct\n\ninfo = open('.\/msg.bin', 'rb').read()\nprint(\"Device Info:\")\nwhile info:\n    try:\n        type, length = struct.unpack('!HH', info&#91;:4])\n        value = struct.unpack('!%is'%length, info&#91;4:4+length])&#91;0]\n        info = info&#91;4+length:]\n\n        if type == 0x1023:\n            print('\\tModel Name: %s' % value)\n        elif type == 0x1021:\n            print('\\tManufacturer: %s' % value)\n        elif type == 0x1011:\n            print('\\tDevice Name: %s' % value)\n        elif type == 0x1020:\n            pretty_mac = ':'.join('%02x' % v for v in value)\n            print('\\tMAC Address: %s' % pretty_mac)\n        elif type == 0x1032:\n            encoded_pk = base64.b64encode(value)\n            print('\\tPublic Key: %s' % encoded_pk)\n        elif type == 0x101a:\n            encoded_nonce = base64.b64encode(value)\n            print('\\tNonce: %s' % encoded_nonce)\n        elif type == 0x104a:\n            print('\\tVersion: %s' % value)\n        elif type == 0x1022:\n            print('\\tMessage Type: %s' % value)\n        elif type == 0x1047:\n            print('\\tUUID_E: %s' % value)\n        elif type 
== 0x1004:\n            print('\\tAuth Type Flags: %s' % value)\n        elif type == 0x1010:\n            print('\\tEncr Type Flags: %s' % value)\n        elif type == 0x100d:\n            print('\\tConn Type Flags: %s' % value)\n        elif type == 0x1008:\n            print('\\tConfig Methods: %s' % value)\n        elif type == 0x1044:\n            print('\\tSC State: %s' % value)\n        elif type == 0x1024:\n            print('\\tModel Number: %s' % value)\n        elif type == 0x1042:\n            print('\\tSerial Number: %s' % value)\n        elif type == 0x1054:\n            print('\\tPrim Dev Type: %s' % value)\n        elif type == 0x103c:\n            print('\\tRF Band: %s' % value)\n        elif type == 0x1002:\n            print('\\tAssoc State: %s' % value)\n        elif type == 0x1012:\n            print('\\tDevice Pwd ID: %s' % value)\n        elif type == 0x1009:\n            print('\\tConfig Error: %s' % value)\n        elif type == 0x102d:\n            print('\\tOS Version: %s' % value)\n        elif type == 0x1049:\n            print('\\tVendor Ext: %s' % value)\n        else:\n            print(hex(type),value)\n    except Exception as e:\n        print(\"Failed TLV parsing\",e)\n        print(info&#91;:20])\n        sys.exit(1)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-22-1024x301.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"1024\" height=\"301\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2025\/12\/image-22-1024x301.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-882\"  sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%A4%96%E6%98%9F%E4%BA%BA%E7%9A%84%E9%9F%B3%E6%B8%B8%E6%8E%8C%E6%9C%BA\"><\/span>\u5916\u661f\u4eba\u7684\u97f3\u6e38\u638c\u673a<span class=\"ez-toc-section-end\"><\/span><\/h1>\n\n\n\n<p>\u63cf\u8ff0\uff1a\u4e00\u5757\u5e26\u7740\u56db\u4e2a\u5f00\u5173\u3001\u4e00\u4e2a LED\u3001\u4e00\u4e2a\u4e32\u53e3\u3001\u548c\u4e00\u5757 iCE40-HX1K-TQ144 FPGA \u82af\u7247\u7684\u7535\u8def\u677f\u3002\u4ee5\u7eb3\u79d2\u91cf\u7ea7\u7684\u901f\u5ea6\u6b63\u786e\u5730\u6309\u52a8\u5f00\u5173\uff0cLED \u4f1a\u4eae\u8d77\uff0c\u540c\u65f6\u4e32\u53e3\u4f1a\u8f93\u51fa flag\u3002<\/p>\n\n\n\n<p>\u4f60\u8bb0\u4e0b\u4e86\u5b58\u50a8\u5728 Flash \u4e2d FPGA \u7684\u6bd4\u7279\u6d41\uff08bitstream.bin\uff09\u548c\u7535\u8def\u677f\u7684\u63a5\u7ebf\uff08constraint.pcf\uff09\u3002<\/p>\n\n\n\n<p>\u5b8c\u6210\u672c\u9898\u5e76\u4e0d\u9700\u8981\u4efb\u4f55\u786c\u4ef6\u8bbe\u5907\u3002<\/p>\n\n\n\n<p>\u7167\u7740<a href=\"https:\/\/gitee.com\/Scripter_doge\/hackergame2021-writeups\/blob\/master\/official\/%E5%A4%96%E6%98%9F%E4%BA%BA%E7%9A%84%E9%9F%B3%E6%B8%B8%E6%8E%8C%E6%9C%BA\/README.md\">official\/\u5916\u661f\u4eba\u7684\u97f3\u6e38\u638c\u673a\/README.md \u00b7 Scripter_doge\/hackergame2021-writeups &#8211; Gitee.com<\/a>\u590d\u73b0\u7684\uff0c\u8fc7\u4e86~<\/p>\n\n\n\n<p>\u7528\u5230\u7684\u547d\u4ee4\uff1a<\/p>\n\n\n\n<p>\u6784\u5efa\u5de5\u5177<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/YosysHQ\/icestorm.git icestorm\ncd icestorm\nmake -j$(nproc)\nsudo make install<\/code><\/pre>\n\n\n\n<p>\u53cd\u7f16\u8bd1FPGA<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>iceunpack 
bitstream.bin bitstream.asc\nicebox_vlog -p constraint.pcf -n top bitstream.asc > recovered.v<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>reboot https:\/\/github.com\/BYU-CSA\/BYUCTF-2024 \u9898\u76ee\u628aflag\u653e\u5728 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-863","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/863","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/comments?post=863"}],"version-history":[{"count":3,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/863\/revisions"}],"predecessor-version":[{"id":897,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/863\/revisions\/897"}],"wp:attachment":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/media?parent=863"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/categories?post=863"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/tags?post=863"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}