MicroCorruption/25-Halifax/notes.md

### Run # vs. Internal SRAM hash

| Run # | Internal SRAM Hash (sha256)                                        |
|------:|:-------------------------------------------------------------------|
|     1 | `C19684234B668225647FAF0ADC8103131C0E70489B3A548E9223853005FA1E68` |
|     2 | `2A43E7A0C3508BB96BCFAE927776BFBC9ECAD114C022593E524AB0461AD0338A` |
|     3 | `C6E4A567CFB88E05C6F04B9AC93E94BC7AEFCA745B60C4934C02430DAB613B16` |

Hash appears random each time
Hash is given prior to user input

### Approach:
Hash each individual byte of SRAM, and break the exfiltrated hashes
sha256(8 bit message) ~ identified by first 20 bits
smallest we can do on this mcu is 6 nybbles (24 bits)
Approach works!

```sh
$ ./halifax.py
> 4AE8158A8DE82D711694455E5A6E7A966C7CD12110B7D2526E340BA9253D383E5D279504A1FCE41F184F087D80594E518C2574E9B0C05C62E067C872EF2D12DF7E70D16BD262C66A19152D043A715A6E7A04D6C072DFCF4E0740E4FF5E4E0740AE3F46E52D9C7C5BD226E5BFA318C2EF6CBD4B68AB36A9E76DA43B8E35C2D4735E5FECEBA9253D98722E333E0A683257A9F515591B7CFFE679333E0A94455E2D31931F18D6FB95AA2D711667586E26E5BFEF2D128D33F544BD7A7CB7C4AE3F46
number of distinct values in all_hashes: 256

513f78eeaff2c4db005ccbdd799fab7a528950943542936dd973afb94c33c033c304c8bc2b0c58204a7132305cfc47bd45811f47ee8a1ddc7806bc35604816c3
00000000: 513f 78ee aff2 c4db 005c cbdd 799f ab7a  Q?x......\..y..z
00000010: 5289 5094 3542 936d d973 afb9 4c33 c033  R.P.5B.m.s..L3.3
00000020: c304 c8bc 2b0c 5820 4a71 3230 5cfc 47bd  ....+.X Jq20\.G.
00000030: 4581 1f47 ee8a 1ddc 7806 bc35 6048 16c3  E..G....x..5`H..
```

### Problems abound.
The payload doesn't work. I'm not sure how to find out what args 0x41 expects..?
Neither stuck_pixel nor Pokemod can either. This challenge is a doozy.
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00			`### Run # vs. Internal SRAM hash`

			`\| Run # \| Internal SRAM Hash (sha256) \|`
			`\|------:\|:-------------------------------------------------------------------\|`
			\| 1 \| `C19684234B668225647FAF0ADC8103131C0E70489B3A548E9223853005FA1E68` \|
			\| 2 \| `2A43E7A0C3508BB96BCFAE927776BFBC9ECAD114C022593E524AB0461AD0338A` \|
			\| 3 \| `C6E4A567CFB88E05C6F04B9AC93E94BC7AEFCA745B60C4934C02430DAB613B16` \|

			`Hash appears random each time`
			`Hash is given prior to user input`

Update halifax notes with notes. 2023-01-24 01:27:53 +00:00			`### Approach:`
Upload what I've got on Halifax so far 2023-01-09 09:54:47 +00:00			`Hash each individual byte of SRAM, and break the exfiltrated hashes`
			`sha256(8 bit message) ~ identified by first 20 bits`
			`smallest we can do on this mcu is 6 nybbles (24 bits)`
			`Approach works!`

			```sh
			`$ ./halifax.py`
			`> 4AE8158A8DE82D711694455E5A6E7A966C7CD12110B7D2526E340BA9253D383E5D279504A1FCE41F184F087D80594E518C2574E9B0C05C62E067C872EF2D12DF7E70D16BD262C66A19152D043A715A6E7A04D6C072DFCF4E0740E4FF5E4E0740AE3F46E52D9C7C5BD226E5BFA318C2EF6CBD4B68AB36A9E76DA43B8E35C2D4735E5FECEBA9253D98722E333E0A683257A9F515591B7CFFE679333E0A94455E2D31931F18D6FB95AA2D711667586E26E5BFEF2D128D33F544BD7A7CB7C4AE3F46`
			`number of distinct values in all_hashes: 256`

			`513f78eeaff2c4db005ccbdd799fab7a528950943542936dd973afb94c33c033c304c8bc2b0c58204a7132305cfc47bd45811f47ee8a1ddc7806bc35604816c3`
			`00000000: 513f 78ee aff2 c4db 005c cbdd 799f ab7a Q?x......\..y..z`
			`00000010: 5289 5094 3542 936d d973 afb9 4c33 c033 R.P.5B.m.s..L3.3`
			`00000020: c304 c8bc 2b0c 5820 4a71 3230 5cfc 47bd ....+.X Jq20\.G.`
			00000030: 4581 1f47 ee8a 1ddc 7806 bc35 6048 16c3 E..G....x..5`H..
			```
Update halifax notes with notes. 2023-01-24 01:27:53 +00:00
			`### Problems abound.`
			`The payload doesn't work. I'm not sure how to find out what args 0x41 expects..?`
			`Neither stuck_pixel nor Pokemod can either. This challenge is a doozy.`