Hubert Hackin''

NSEC25 SolderinG - Fri, May 23, 2025 - Jean Privat

Burn electronic components! Burn! | Badge | Nsec25

SolderinG

  • I’m sorry Mr. J, but the team is unanimous, you have to do it.
  • But…
  • You soldered an add-on on the badge last year! Someone saw you!
  • I didn’t mean it, I was tired. It was a stupid lapse of judgment…
  • When you agreed to the heist, you knew the RISC-V!
  • Cannot Mr. L. do it? He is better than me for physical stuff and deception.
  • No, he is currently on a challenge, gathering clues related to an alternative sexuality cult.

Prologue

I vaguely remember the electricity part of my high-school physics-chemistry curriculum. It was in the ’90s somewhere in the French countryside. What we did was mostly arithmetic to compute unknown values (watts, ohms, amperes, volts, etc.) according to some other given values. That was boring and uneventful, I forgot most of it.

But, I still remember the basics of electricity and some key definitions, but alas nothing useful enough for any serious (or not serious) electronic hardware challenge.

  • Electron. A popular JavaScript framework that binds together the worst of desktop and web applications.
  • Résistance. An underground movement that fought against the Nazi occupation. Fighting Nazism was considered a good thing back then, except by the Nazis of course.
  • Transistor. A portable radio cassette player used to share bad musical taste with honest people.
  • Condensateur. Some device that reduces humidity.
  • Pile. A portable energy supply combined with a LIFO abstract data structure combined with storage of the local variables of functions.

My first experience with soldering was at last year’s NorthSec CTF, circa 30 minutes before the final countdown (true story). I was tired and had nothing meaningful left to do, therefore, I… I did the thing. I went to an empty table, asked for an add-on and the basic instructions, and soldered some LEDs and resistances. Seriously, the guys at the desk should have seen I was unwell and warned me or something.

Since then, I have been clean. No relapse, no urge to melt tin alloy again. Oh, yeah, we did melt some metal years ago; it was for fun and flags. We were young, we thought there would be no consequences. We were stupid.

So here is my story, I hope it will prevent some from making the same mistakes as I did, and warn their loved ones to see the flags (and submit them).

From the trash bin

Friday 20:52, at Bonsecours, 2523 minutes before the final countdown.

It started from a trash bin, there was a sign, a symbol, like nested Perl necklaces. Some man’s trash is another man’s treasure, but some man’s trash can still be trash. It should have been a warning.

Mr. F., one of the smartest of the team (he did the school of life), recognized it. It was Cooper, the chemical. We should have ignored it.

There was a message, promises of beautifulness, promises to fix what’s broken, promises for a free sample. But there is nothing free in this world.

Documents were downloaded. Mostly gibberish. We did not know the words, we ignored the meaning, it should have remained that way.

There was a flag on the document. FLAG-ITS-RTFM-TIME!! Mr. Q. submitted it. We should have stopped here. One flag is enough.

But, we were curious. We controlled the opacity and contrast of images to reveal concealed secrets.

Curiosity kills the cat.

Ea-nasir

Saturday 20:03, at Bonsecours, 1192 minutes before the final countdown.

We got a copper-clad laminated (or was it clay?) tablet. Two faces, some holes, some drawn lines, some extra plastic bits. We had to fix it. But, first, we had to learn it.

So, I was designated to learn. Learn, monkey learn. So, I did the training. I went upstairs, where live the junkies, high on their floor and fumes. And I asked for some shit(ty add-on). They looked at me. They wanted to ask me if I was lost, but they asked instead “do you know how to use it?” No, I didn’t; I was here to learn.

So, I did the training. My vision went blurry. Smoke makes me, makes me, makes me wanna cry. My hands went shaking. Take my hands, my dear, and look me in my eyes. But, I did the first training.

And when I was done, I did it all again.

And when I was done, I did it all again.

What I learned:

  • Do not hold the iron by the hot part.
  • The tweezers are insanely hard to manipulate. Not enough force and the component drops or moves. Too much force and the component flies off somewhere in the room. Sneezing also does that.
  • With LEDs, the most important is the correct connection of the + and -. This is why each vendor uses different random colors, symbols, and conventions, and makes them as barely visible as possible.
  • Fortunately, a multimeter has a setting “diode” (a triangle) that helps identify the + and -.
  • There should be a resistor on a circuit with a LED (it’s not a cargo cult as I initially thought).
  • Coffee might help the concentration, but too much coffee has bad tremor side effects.
  • Metal conducts heat.

The Schema

Saturday 23:37, at home, 918 minutes before the final countdown.

We had to fix the tablet. That was the promise.

Eight LEDs, eight issues. And a scrambled code.

First, I tried to understand the existing layout and identify the defects. I aligned the photos of the two faces with Gimp with transparency to have a superimposed view of both faces at the same time. Then I drew over the wires to see the full circuits.

The Defects

Sunday 07:29, at Bonsecours, 446 minutes before the final countdown.

I forgot the plaque at our team table. When I came back after a couple of hours of poor sleep, it was time to test the circuits. Equipped with a multimeter, I had to find the issues hinted (and censored) in the documentation. I also used the phone flashlight to see through the material and the camera to zoom in on the small components.

Note: if you bring your own multimeter (as I did) ensure the 9V battery is not flat (as I did not). But Mr F. (a generous guy) also brought one, so I used his.

Electricity is easy: a source, a sink, and a path between; so just test each wire, each component, and each connection, until most defects are found.

High resolution

So, I had a plan! Or the concept of a plan…

  • All: Add a wire from the end of each circuit to the ground.
  • D1: Fix the missing green wire connection.
  • D2: Fix the blue wire to its pin.
  • D3: Weird black component. What’s that?
  • D4: LED is dead, change it.
  • D5: Fix the green wire to the power. Maybe also change resistor R9?
  • D6: Fix resistor R6 from 1RO to 75RO.
  • D7 and D8: No issues right? right?

The Soldering

Sunday 09:41, 314 minutes before the final countdown.

I went upstairs, again. There were other people, some worked on SAOs, some on their tablets. There were men; there were women; some were obviously longtime addicts; the chest of a guy featured a tattoo of the full Bonsecours’ electrical wiring; but there was also that young guy that should have been in college instead; or that old guy that his family is surely missing. All were on their table, oblivious to their surrounding, breathing the toxic fumes, hands shaking, red eyes, despair.

Everything went downhill from here.

  • “No components!”, only wire… but the resistors and LEDs I want to change?
  • Not enough multimeters, we had to share, ask, and wait (but sharing is carrying diseases). Eventually, I got the multimeter I used downstairs (thanks Mr. F.)
  • Mr. F.’s multimeter LED mode was, in fact, faulty and did not show some correct circuits. So most of my plans were unreliable. I have to test it all again.
  • On the tablet, the ground is, in fact, connected to the end of each circuit. No need to add wires. Note: Either there are some magic wires in the 4th dimension or, in between the two faces, there is another wiring layer for the ground. I think it’s the second hypothesis as the first one could be too expensive to manufacture, even with mass production.
  • If you plug the add-on on a powered badge, then VCC and GND are correctly provisioned, so you can give some power to the pin to simulate a signal activation (I discovered this way too late).
  • When you re-solder a LED, because it was the other way around, put it in the correct position first. And when you try to fix this mistake, double-check that the LED is actually in the right position.
  • Unsoldering an electronic component is annoying because the other leg is still fixed to the support.

LED 1

LED 1 was in fact the other way around. I unsoldered it and put it back — three times because I did not check enough and the weekend was long. The next version of a soldering challenge should add an undo/redo feature or something. By the way, the green wire was correctly connected but had a weird shape to confuse people like me.

LED 2

I added a wire to its pin. I did plan this one correctly!

LED 3

What is the black thing? No visible marking, except with a high zoom.

L2L? I still had no idea. In doubt, let’s bypass it.

LED 4

The LED was faulty. The multimeter was inflexible. So I held my breath until the warders gave up and gave me some SAO components to fix my add-on.

But wait, there’s more!

There was also a shortcut. The pin was somehow connected to the ground.

Oh. It’s maybe here — I remembered my conjecture about a middle layer for ground wiring. So I just scratch the wire.

Still a shortcut? Maybe I did not scratch enough… Still a shortcut? Scratch until I removed parts of the plaque! Still a shortcut!

Oh, maybe it’s the passthrough hole to the other side that is faulty — there should be a better technical term, but “passthrough hole” is good enough for me and for this write-up.

Still a shortcut. So I cut everything. Still a shortcut.

That makes no sense. Pin 4 is now connected to nothing. How could it still be a shortcut?

Maybe here is where I fail, I will announce my full dishonor to my team and retire to a monastery where they make cheese (in the French countryside, with ex-high school physics-chemistry teachers as other monks). My understanding of electronics is indeed too basic. I could not figure out the wiring and the universal laws of physics.

As a last resort, I asked a guy who seemed to understand what he was doing (or was faking better than me) if my (non-)understanding was correct. And he confirmed that the designer was the devil and made the hole of pin 4 a ground.

Oh.

No monastery then.

My fix here was radical: cut the hole! I (mis-)used the iron to burn through the pinhole and remove the metallic part. But I was afraid that was not enough so I just cut the pin on the support and added a direct wire from the badge to the beginning of the 4th circuit.

LED 5

As we learn in some computer science courses, a transistor is just a tripod.

A tripod

More specifically, it is a switch actionable by a signal (like a smart switch in home automation). There are two kinds of transistors: those that let the current pass if there is a signal, and the others that let the current pass if there is no signal. The latter can be used to implement a not operation.

The joke of LED 5 is that because of a software bug, the signal on the pin is inverted, so there is a fix in hardware — the fun in the joke is that in the real world, software usually fixes hardware defects as software is way softer.

Anyway, the circuit does the inversion. Pin 5 is the signal that opens/closes the transistor, and the LED is directly powered by VCC (instead of the pin). So if pin 5 is off, then the transistor does not block the VCC signal and the LED is powered. If pin 5 is on, then the transistor blocks the VCC signal and the LED is not powered.

The issue? The wire from VCC was faulty. So I connected VCC to the + leg of the LED to complete the circuit.

By the way, the resistor R9 was fine. I have no idea of its precise role, but I had more serious concerns.

LED 6

I changed the R6 resistor.

LEDs 7 and 8

There is in fact a defect that was visible in my schema but that I did not realize at the time. The two circuits are mixed: pin 7 controls LED 8, and pin 8 controls LED 7.

I chose to do nothing at the moment, and will fix the wiring at the same time I do the unscrambling.

My Fixed Plaque

Here we are. I did my best. I felt dirty inside.

The Moment of Truth

Sunday 13:37, at Bonsecours, 78 minutes before the final countdown.

I put the plaque on the badge and tested it a last time. I also tried the plaque + badge on the dock, without soldering the support, but the pin connections were too loose and the LEDs barely lit.

So I took a deep breath, then coughed because of the fumes, then started soldering the support. Then went to the dock to test the contraption.


A message was visible!

LEDs are mixed because of the scrambling (and the mixed LEDs 7 and 8), but each LED does its job. Two LEDs are also inverted because of the scrambling: the inverted circuit is on LED 5, but the real “software” inverted signal is on pin 8 (that lights up LED 7). Therefore both LEDs 5 and 7 are inverted.

Now it’s unscramble time!

The basic idea seems to be to associate each symbol in the upper part with each symbol on the lower part and add new wires.

So, let’s go: the sun with the sun, the triangle flag with the rectangle flag, the blood drop with… errr… The code is not obvious, and we had no idea of what to associate with what. And soldering is annoying to undo.

But we do not need to solder anything now. The unscrambling can be done in software by flipping or moving bits.

So we get the raw data of bits from the video. It was a collaborative work, I said the LED numbers and Mr. Q. transcribed the bits in a text editor.

10000101
00000111
00001100
10001101
00011011
00100101
00010110
00111000
10111100
10101100
10011100
00010110
10111000
00010101
00000100
00110101
00111000
10011100
00111000
10111000
00001111
00000100
00010101
10010111
10111000
10111100
00011000

Now we have to switch the columns according to the scramble code… Except that we still did not understand it.

The Decoding

Sunday 14:24, at Bonsecours, 31 minutes before the final countdown.

Another idea: guess the flag. The first byte has three 1s, like the F ASCII code. The second byte also has three 1s, like the L ASCII code. The third byte has two 1s, like the A ASCII code. The fourth byte has four 1s, like the G ASCII code. The fifth byte also has four 1s, like the - ASCII code.

So we just have to reorder each column to match the FLAG- bytes. Note how conveniently each column has a unique pattern.

01000110 F
01001100 L
01000001 A
01000111 G
00101101 -

The column juggling can easily be done manually within Vim and the block selection mode (ctrl+v). No need to program something, the clock is ticking. We got the flag FLAG-Th1sSch3d@t1c13M@dn3s!
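The same column juggling as a script (an added example, not part of the original write-up): it recovers the column order from the known `FLAG-` prefix and applies it to every transcribed row. It assumes the columns are only reordered, never inverted. Two source columns are all zeros across the five known bytes, so the script keeps only the orders that decode to printable ASCII; the function names are chosen here for illustration.

```python
from itertools import product

# Bits transcribed from the video, copied from the write-up (one byte per row).
ROWS = """
10000101 00000111 00001100 10001101 00011011 00100101 00010110 00111000 10111100
10101100 10011100 00010110 10111000 00010101 00000100 00110101 00111000 10011100
00111000 10111000 00001111 00000100 00010101 10010111 10111000 10111100 00011000
""".split()

def column(rows, i):
    """Bits of column i, read top to bottom."""
    return "".join(row[i] for row in rows)

def candidates(rows, known):
    """For each output bit position, the source columns that agree with the known prefix."""
    want = [format(ord(ch), "08b") for ch in known]
    have = rows[:len(known)]
    return [[s for s in range(8) if column(have, s) == column(want, t)]
            for t in range(8)]

def decode(rows, perm):
    """Rebuild each byte by taking output bit t from source column perm[t]."""
    return "".join(chr(int("".join(row[s] for s in perm), 2)) for row in rows)

def solve(rows, known="FLAG-"):
    """All column orders that match the prefix and decode to printable ASCII."""
    found = []
    for perm in product(*candidates(rows, known)):
        if len(set(perm)) != 8:  # each source column must be used exactly once
            continue
        text = decode(rows, perm)
        if all(32 <= ord(ch) < 127 for ch in text):
            found.append((perm, text))
    return found

if __name__ == "__main__":
    for perm, text in solve(ROWS):
        print(perm, text)
```

The script only reorders columns, so any error in the transcribed rows carries through to the decoded string unchanged.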

The Final Countdown

Sunday 14:55, at Bonsecours, the final countdown is starting to play.

$ askgod submit 'FLAG-Th1sSch3d@t1c13M@dn3s!'
error: Invalid flag submitted

…


$ askgod submit 'FLAG-Th1sSch3d@t1c13M@dn3s!'
error: Invalid flag submitted

…


AAAAAAaaaa!



We fumbled something. Hard.

Did we fail the transcription of the LEDs? Did we miss some letters or some repeated letters? Did we fail the column juggling?

Leetcode is a very robust code on a noisy medium: letters can often be off-by-one bit without causing any change in the transmitted message. A can become a or @, same meaning. There could also be some voluntary spelling mistakes in the flag.

We had no time to retranscribe manually the LEDs, no time to program something and no time to look at the video for some missing letters. We had no time.

So, Mr. Q. and I only did what any reasonable person would do: panicking and manual fuzzing.

PINGBOT
Someone in your team submitted an invalid flag!
Someone in your team submitted an invalid flag!
Someone in your team submitted an invalid flag!
Someone in your team submitted an invalid flag!
Someone in your team submitted an invalid flag!

…

$ askgod submit 'FLAG-Th1sSch3m@t1c1sM@dn3ss!'
Congratulations, you score your team 10 points!
Message: [soldering-challenge] 2/2 Good job! You ate that spaghetti like a champ!

Sunday 14:58, at Bonsecours, the final countdown is finishing to play.



Hackez la Rue! | © Hubert Hackin'' | 2025-05-29 | theme hugo.386