
RHme+ 2015

License

This challenge has been published under the terms of the Reciprocal Public License 1.5. The terms of the license can be checked here: http://opensource.org/licenses/RPL-1.5

What is RHme+

The RHme+ (Riscure Hack me) is a low-level hardware challenge that comes in the form of an Arduino board. It was launched during Black Hat Europe 2015 in Amsterdam. The winners of the first edition were announced on 18 January 2016. The write-ups, together with an interview with the winners, can be found on the official challenge website from March 1.

Use your weapon of choice to extract the flags. We have no preference and we are curious to see where your creativity and skill will take you! Just be sure to have fun! ;-) We estimate the difficulty level to be moderate. If you like these challenges and would like more, let us know: get in touch with us via Twitter (#riscure #rhme+) or send an email to challenge. at. riscure.com

Choosing the target

You need to install the RHme+ firmware on a target. The "official" target for the challenge is an Arduino Nano 3.0. If you don't have one, you can buy a clone on eBay for a few euros. Alternatively, you can use any other development board based on the Atmel ATmega328. Many other Arduino and Arduino-based boards should work. The following is a list of Arduino targets:

Tested devices

Untested devices that should work

Untested devices that might work

For other Arduino-based targets, you can check the list of Arduino boards on Wikipedia. Any board based on the ATmega328P is potentially able to run the firmware, unless the UARTs or analog inputs of the ATmega are connected to another chip (e.g. a Bluetooth or Zigbee module), since the firmware uses those pins itself.

Burning the firmware into the target

You need to burn the file binary\ctf.hex into the ATmega, overwriting the Arduino bootloader. For that you need an external AVR-ISP programmer; it is up to you to find a suitable programmer and the instructions for using it. You can even use another Arduino as an AVR-ISP programmer: follow these instructions to prepare another Arduino as an ISP programmer, and follow these to burn the RHme+ firmware into your target. Note that once the bootloader has been overwritten, the board can no longer be reprogrammed over USB from the Arduino IDE until a bootloader is burned again with the ISP programmer.

Checking that your target is working

Connect the target to your computer through USB (or through UART0 if you are not using a target with USB). Open the serial port with any terminal tool and press the reset button on the target. Do you see garbage being sent? Congrats! It is very likely that you programmed the firmware correctly. Unfortunately, the first challenge you have to solve is to find out how to communicate properly with the target, so that the garbage you see now becomes something meaningful.

Tips and tricks

During Black Hat Europe 2015, Riscure gave away more than 150 Arduino boards prepared with the RHme+ challenge. The original challenge was a "black box" evaluation, so participants had no access to the source code, the binary or anything similar. Today we are releasing the source and binary of the challenge so that everybody can play and try it at home. We recommend that you try to solve the challenge without reading the source or reversing the binary.

The ultimate goal of the challenge is to recover the Admin Key stored in the hardware. To ease the challenge, we provide some information that could help you:

Admin Key = 000102030405060708090A0B0C0D0E0F

User Key = F0E0D0C0B0A090807060504030201000

Madmin = FFFFFFFF

Muser = 000FFFFF

Nonce = 0AEEB964

P = 0AEEB964000000000000000000000000

Radmin = AES(P, Admin Key) & Madmin = 2496faad

Ruser = AES(P, User Key) & Muser = 00033695
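As an added example (not part of the RHme+ release or its source), the following Python script recomputes the Radmin and Ruser hints above with a small pure-Python AES-128, so that the masked challenge-response values can be checked offline before talking to the board. It assumes, since the page does not spell it out, that "AES(P, Key) & Mask" means the first four bytes of the AES-128 ciphertext of P read as a big-endian 32-bit word and ANDed with the mask; if the printed values differ from the ones listed above, that byte-selection assumption is the thing to revisit. The function names are the example's own.

```python
# Added example, not RHme+ code: recompute "R = AES(P, Key) & Mask" offline.
# Assumption: the first 4 ciphertext bytes form a big-endian 32-bit word.


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _make_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine transform."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0  # the inverse of 0 is defined as 0
        if x:
            inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for shift in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _make_sbox()


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]          # RotWord
            t = [SBOX[b] for b in t]   # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _shift_rows(s):
    # State is column-major: s[4*c + r] is row r, column c; row r rotates left by r.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [
            gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3),
            gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2),
        ]
    return out


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block with AES-128 (single block, no padding)."""
    assert len(key) == 16 and len(block) == 16
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]
        s = _shift_rows(s)
        if rnd != 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)


def rhme_response(key_hex, nonce_hex, mask_hex):
    """R = AES(P, Key) & Mask, with P = nonce zero-padded to 16 bytes (as in the hints).

    Assumed byte selection: first four ciphertext bytes, big-endian."""
    p = bytes.fromhex(nonce_hex) + bytes(16 - len(nonce_hex) // 2)
    ct = aes128_encrypt_block(bytes.fromhex(key_hex), p)
    return int.from_bytes(ct[:4], "big") & int(mask_hex, 16)


# Values copied from the hints above.
ADMIN_KEY = "000102030405060708090A0B0C0D0E0F"
USER_KEY = "F0E0D0C0B0A090807060504030201000"
NONCE = "0AEEB964"

if __name__ == "__main__":
    print("Radmin = %08x" % rhme_response(ADMIN_KEY, NONCE, "FFFFFFFF"))
    print("Ruser  = %08x" % rhme_response(USER_KEY, NONCE, "000FFFFF"))
```

The AES routine itself can be checked against the FIPS-197 Appendix C.1 vector, which happens to use the same key as the Admin Key (plaintext 00112233445566778899aabbccddeeff encrypts to 69c4e0d86a7b0430d8cdb78070b4c55a), so any disagreement with the listed Radmin and Ruser points at the masking interpretation rather than at the cipher. Note also what the masks do: Muser = 000FFFFF keeps only the low 20 bits of the user response, whereas Madmin keeps all 32.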

Solutions

The write-ups, scripts and setup photos of the challenge winners, as well as the "official" solution proposed by the challenge designers, are available in the solutions\ folder.