 # TPM Writeup

### Story

Umbrella Corporation has developed a new Trusted Platform Module for one of its unique weapons. Its backend code has been hacked by a hacker group and published on the dark web. Can you find what they are upto?

### Solution

For this challenge, you are provided with a short Verilog program and a password protected zip file, which means the verilog file is the key to find the password for the zip file.

We need to understand how data is being saved in the chip, so let’s take a closer look at TPM.sv.

reg [6:0] mem [9:0]; reg [5:0] indx = 0; reg [69:0] array;

There are 10 memory registers named mem , each one 7 bits wide, a single idx register, 6 bits wide and initially set to 0 and an array name array which is 70 bit wide.

Here which consists of 10 memory registers, 7 bit each, both which and signal are 70 bit arrays and are the same.

A consists of memory registers from 0 to 4 and B consists of memory registers from 5 to 9. Here which array is split into two arrays A and B which are 35 bit wide each. The first 7 bits of the data will be stored in mem and next 7 bits of data will be stored in mem and so on.

Now, the arrays are concatenated as BA (previously it was AB). Secret will be true if the output of the signal is equal to the decimal number 306741091925721928186, so we’ll need to figure this out.

At each positive cycle of the clock, the input data is saved to the indx index of memory and memory registers mem to mem ( A ), is left shifted by 1 bit.

So what this systemverilog code does is, here we have signal to be equal to decimal value 306741091925721928186 it is converted into binary which is

(a zero is added to have exactly 70 bits).

The first 7 bits of this signal correspond to mem , next 7 bit to mem and so on. The value in signal will be:

Then the signal is split into A and B which is 35 bits each, mem to mem is stored in A and mem to mem in B. Now A and B will be:

At every positive edge of clock cycle mem to mem which is A, is left shifted by one bit. Now A will be:

Then A and B are concatenated as BA and are stored in array.

This is how data is stored in the TPM chip. If we convert these 7 bit values to ASCII we get the password.

Now we can open the zip file using this password B@c#zB@b”z to get the flag: domectf{pBxzcgTxDY11KYMZAYskFNapMQjiw9MJ}

Also you can write a testbench program to solve this. A sample testbench code would be like the following: WRITTEN BY
Sooraj V Nair
Security Engineer

Related Articles