 Welcome, everyone, to DEF CON 28 Hardware Hacking Village Challenge Solves. I'm Rare, a volunteer with the Hardware Hacking Village. In this talk, I'll be doing a walkthrough of one way to solve each of last year's DC28HHV challenges. With DEF CON being remote last year, I wanted to find a way attendees can still participate and learn from the Hardware Hacking Village. While hardware hacking has strong physical components, there are still some parts of it that don't require immediate access to hardware, so I wanted to focus on some of those topics. I released five challenges to introduce participants to tools and methods I use when hacking on hardware, and hopefully challenge those people to grow their knowledge of their hardware hacking space. At the end of the weekend, to my delight, we had three participants solve all five challenges. So, shoutouts to Nalcasa, MMDougie, and Kat and Sabertooth. Well done and congratulations again. So, the challenges are still hosted on the dchhv.org website, so if we navigate there and go to challenges, we can still find them in DEF CON28 challenge. There, we have an introduction. I'll read through it briefly. Welcome to this year's Hardware Hacking Village challenges. We tried to design them for maximum remote fun. Each challenge is a logic analyzer capture. We've taken care of the hard part of capturing signals from suspicious devices, and it will be your job to figure out what secret messages are being conveyed. Challenges are designed to range in difficulty, but difficulty can be relative, so feel free to ask questions in this channel and or join the various hhv challenge chats. Below are the challenges. Be sure to read the scenarios for the challenges, as they will likely give some clues. Additionally, you will need logic, which is software provided by Soleil, to open the challenge files. There may be additional files necessary to solve, and for those challenges, they will be zipped together. So, the first thing I want participants to do from here is download Soleil logic, so we'll go there. At the time of doing these challenges, Soleil logic 2 is not released, so these are all designed using Soleil logic 1. So, if you're looking to go through and retrace these, make sure you don't download Soleil logic 2, but you download Soleil logic 1. I do highly recommend Soleil logic 2, but for this talk, they were designed only for Soleil logic 1. So, after downloading that, we are pretty much ready to get started. So, let's dive into challenge 1. It's the first challenge. It's meant to be an introduction to both logic and serial communication. So, let's read through the prompt. We sniffed this capture between two communicating parties. We need help figuring out what was said. We believe a critical key was exchanged. Let's download the challenge and open it with Soleil. We immediately see two channels, and this kind of matches up with what we were prompted with, which is two communicating parties. If we zoom in a little bit further, we'll see there's definitely no, this is not a clocking signal, and there's no other clocking going on. So, it's safe to assume this is asynchronous. Our first guess would be this would just be two asynchronous serial channels, since that's pretty, pretty common and standard. So, let's zoom in even further to figure out what the bond rate might be. Since these are two bits and we're seeing it's 4.8 kilohertz, we would think that our bond rate would be double this speed. So, we'd have a single clock for one of these single bits, and that would put us at 96 kilohertz, and that's pretty standard for, or at least a common bond rate for serial communication. So, let's go ahead and use our async serial decoder. Since we're using channel zero initially right now, and we want our bit rate to be 9600, we'll leave the rest of this stuff standard and see what comes up. And it looks like we aligned pretty well. We see that all the data is getting clocked properly, and we're able to get some data out of it. Let's convert that over to ASCII, and we see hello. So, that seems to make sense so far. Let's go ahead to this next bit. Let's just try and see if the same analyzer settings will align with that one as well. So, this time we're going to do on channel one, and we'll convert that over to ASCII, and we see hey good to see you. So, we can start to go through the communication here. Did you bring that thing? Yes, but this frequency can't be trusted. Jump to this bond rate times 12. So, we know our bond rate is 9600. If we were to multiply that by 12, we get 11. We get 115, 200. So, we're going to see when it looks like this is where our bond rate speeds up. So, we can see the individual bits here, but all of a sudden it gets a lot faster here. So, let's zoom in there, and then let's change this bond rate. So, we'll edit its settings on this serial analyzer. And from 9600, we'll go to 115, 200, which would be 9600 times 12. And let's save it. We'll zoom in a little bit closer. And there we go. We have the secret is flag part of a balanced breakfast. And that would be the flag to the first challenge. Now, let's take a look at challenge two. We sniffed this capture between a microcontroller and various eProms. Unfortunately, the capture was cut off before we could see the result of the read. Could you figure out what would have been amount from the read? Let's go ahead and download that. And we'll open this challenge with logic. And here we see two channels again. Commonly for interfacing with eProms is to use SPI or I2C. Now, both of these could look the same where we would see a clock and a data line. But we can also see an extra thing where with I2C, we would see that data would be held low while a whole operation was happening between multiple bytes. We also would see the data line drop low and then remain low outside of when the clocking happened. So this looks a little bit more like I2C than it would be SPI. So we'll go ahead and try that first and see if that analyzes. So we have our data line, which would be channel one and our clock line, which would be channel zero. It recommends using 8-bit, but a lot more commonly, I2C uses 7-bit addressing, where the most significant 7-bits would be used for addressing and the least significant bit would be used to signify reading or writing. So let's go ahead and try 7-bit. Great. We see that we have some alignment and we're able to get some data back. Looking here at the side, we can see that we have a write to I2C address 7, 7, 6, 6, 9. And if we were to go through this, we would end up seeing that we are writing to 6, 7, 8, and 9. So our destination ePrompt would be on an I2C addresses 6, 7, 8, and 9. Let's figure out what the right they were talking about in the prompt was, or what the read was in the prompt. So we know there was a read that was being cut off at the end. And let's zoom in on that. Unfortunately, because this is an incomplete read, our parser is unable to tell us all the information about it. But we can go through and do this by hand. We know this least significant bit signifies the read or the write. With it being high, that signifies a read. If it was low, it would be a write. But we know this is a read because it's high. And then let's find the addressing on the most significant 7-bits. So we have a 0, a 0, a 0, and then a 1. That would signify that we are trying to read from address 8. What we could do, then, we could go through here and then look for every time that we would see a write to address, I2C address 8. And we can go ahead and change this to ASCII-HEC. So we can see what is being written to that address. So let's go down and find something to address 8 again. And here we see what is typical with writing to an ePrompt is you would first specify the index and what you want to write to on the ePrompt memory. And then you would see the value that you want to write or you want to store. So we would see a write to 9, index 9. And then we'd also see the character in which we want to write to index 9 would be a bracket or the hex address 7B. We could then see the next instance of this where we'd see, again, a write to address 11 or to index 11. And then we'd see the value being I. And notice these are out of a line. So what I would suspect then is that we are just writing two addresses in no particular order. And see here we have a 22. We're writing a W. So we'd have to go through if we were doing this by hand and then lay out we could do this in some kind of Excel file where we'd write out each character and make sure we keep track of which index it would go into and then read the flag out. We can also script this though. So if we go to here we can export our search results and we'll export them as channel 2.csv. We'll save that and then open it with a text editor. We can see that the data we have in here aligns very much or exactly with what we were seeing on the left with the exception of we just have a title that is add to the top to let us know if we were to open this in Excel or something like that which each of the columns pertain to. But we can also now take this script and since we can see the structure of it we have our writes every where we specify which I squared C address we're writing to every three lines we can end up scripting this where we look for where we're writing to address eight and then we can parse the index and the value that we want to store. So let's go ahead and look at the script that we'd write for this. And here we see we're creating a dummy buffer to act as our EEPROM buffer in which we can write to and store and specific store characters at specific indexes. We'll bring that bring this back up so that we can reference this and next we have we're skipping this the first line which is just the titles and then again I guess saying we're going to go through and look for every three lines where we have what we're specifying which I squared C index we want to interface with. So we can also go through and look for the first eight one so we end up finding this line eventually and we're using a regex or a regular expression to look for the 0x followed by some numeric value and then we can change that into an int and compare against that to figure out when we hit eight. When we do hit that we then look at the next line to parse the index again we use regex to find this value and we store that index to a temporary value and then we go down and we do the same thing on the following line where we'll parse that but in this time since we can split this string up based on the comma we will split this into three different sections and look for the first character of that third section which will be the character in which we're going to store. We then store it to our buffer flag and with the the index specified by what we found in the second line and the character from what we just found in the third line and then all that's left is to print out that flag so let's go ahead and run that script we'll run that and we see that the flag is flag II see you know your serial two down so far now let's take a look at challenge three we sniffed another capture between two communicating parties I think this one has more layers than the previous captures they must know we're listening see if you can capture what was exchanged go ahead and download capture three and we'll open it with logic wow so this time we see four channels instead of the two that we've seen in the previous two challenges let's zoom in a little bit this looks a lot more like SPI because we can see this channel three seems to be low whenever there's communication going on here which would point to it being a chip select let's zoom in a little bit further again we can see that we have channel zero being this clocking structure and we look to have another data line on channel two we can then look over to here it looks like we also have a data line on channel one as well and that would again point us towards this being SPI as we would have a master out slave in or a primary out secondary in and a as well as a master in slave out or primary in secondary out so let's go ahead and take a guess that this is SPI and see what our analyzer comes up with again if we're wrong we just would end up seeing garbage but let's go ahead and test it and see it's not it's always easy enough to test this so we have our clock on channel zero we would then have since this data since channel one is being followed up to what happens on channel two we'll guess that this is the secondary output and these are the primary outputs so we'll say master or primary out is going to be on channel two and the secondary out is going to be on channel one and then that leaves the chip select or the enable on channel three we'll leave all this stuff standard for now save that and see what we come up with and here we go we have what looks to be a lot of exchange from a primary and a secondary let's go ahead and export this actually no first let us switch this over to show ASCII and hex and we'll go ahead and export that just name this channel challenge three dot csv and I'll edit this with her we'll open this with her text editor all right now that we have our output in the text editor we can see again we have our title on the first line and then what we were seeing in this structure in the back we see three different bytes groups of three bytes together so we've got and that kind of follows here we see groups of three where we have two from the master where the primary or the primary and then we have a follow-up response from the secondary and as we go through these groups oftentimes we see a zero for the first byte being sent out but then we see a couple where there we see a one that's being sent out in the first byte we then see a large variety of numbers followed up in the second byte and it looks like the third byte that's coming from the secondary varies between four different digits here we have a f a f a f a f then we see a five c five f a f a f five c five f and if we keep scrolling down we end up seeing a two f as well and for the most part these also align with ASCII characters we see a slash there underscore and we see another backslash a forward slash so the only one that's not being represented is this af and that would be because we have a one in the most significant spot for the ASCII but that still does align with with ASCII characters it's just not your standard ASCII set so we'll go with that let's let's take a look at this script to start parsing this all right our script is very similar to what we had before we have a buffer a little bit bigger now to accommodate a larger index range we're skipping our first line because it's title and then because we have groups of three we're going to enumerate and go through every third we'll go through every third line to start so that way we can just parse the first line the second line the third line and each go for the first line we have we're going to guess is the most significant bit we'll go through parse that value it's either going to be a zero or one and we'll convert that to an integer we'll then do the same thing for the second for the second line we'll get the least significant byte and we'll go through and parse that again to an integer we'll then combine these so that we can create our 16 bit value which will be our index within the flag so we'll bring our most significant byte up by eight bits and then to make room for our least significant byte and combine those together we'll then go through and parse this third line which is the response from the secondary which should be whatever value will be saved in that flag index and one of the the four values and since we were seeing characters before we'll go ahead and we'll store this value as a character value we'll then take at the end we'll store at our flag our 16 bit flag index we'll store that character that we have and hopefully we'll have a flag maybe it's its ask yard or something like that let's take a look at that let's see Python chow three and this doesn't quite look like ASCII art but it does look like something we saw from challenge one this looks like it could be another serial structure similar to the the single line a certain serial we saw in challenge one so let's go ahead and pop that into a text document now let's go through and parse this and again I was hoping this would be some kind of ASCII art but as we change the width we don't really see much adjustment but if this does end up being a asynchronous serial let's go ahead and see we'd first have this being the start condition where we have a low and then it would be followed up by eight bits so we have the first second third fourth fifth sixth seventh eighth and then we'll go ahead and drop that down we'll also drop this down just to see if it aligns so again we've got our start condition and then we have one two three four five six seven eight and then we have our stop condition and this is looking like it it aligns pretty well to the same structure so this looks a lot like ASCII or like serial asynchronous serial so let's go through and parse one of these and remember that serial ends up sending the least significant bit first so this would be our least significant bit and this would be our most significant bit and since we're going to write it back in most of a bit or first we'll go through and parse it from right to left so here we have a zero and then we see a one a one a zero a zero a one a one and then finally a zero if we look this value if we go through and convert this to ASCII we end up with the value lowercase f so that's a good start especially if we're trying to spell out flag and we'll go through and do the second one zero one one zero one one zero zero goes through and do that went up in a all right this is still looking promising we'll go to the next one zero one one zero zero zero zero one it's an a and then we got this one zero one one zero zero one one one and that ends up being a g oops a g now if we were to go through and do all of these we would indeed end up with a flag and the flag is who needs fancy software or sw and that is a joke to saying that it is possible to parse this by hand and hopefully you went ahead and did that though it is possible to script this as well three challenges down two to go let's take a look at challenge four we found a strange random seven segment display laying around but it was flashing too fast for us to read it it looks like a controller was transmitting to a shift register and the shift register was connected to a seven segment display we were only able to capture the signals latch clock and data lines between the controller and the shift register before we heard someone coming can you help us to code what was being sent on the seven segment display let's go ahead and download that capture I have also gone ahead and found the data sheet for this shift register that we'll reference shortly let's open this capture we have three signals and three channels like the prompt told us I'll look at the start again we see this clock structure we also see something that looks like an enable which is likely the latch and then we see some data or some stuff that doesn't really have any pattern to it which is likely the data line and we can we can further confirm that by looking over at the next we see again we have the clock again we have some different highs and lows so probably still be data and then we have this low that's coming here which was likely our latch for a shift register but let's understand a little bit more of a shift register let's go jump back over to the data sheet so I've gone ahead and jump down to the detail description on page 12 of this ti data sheet and the important thing to take away from here is this line both the shift register clock sr clock and stored register clock our clock our positive edge triggered so that is pretty important to know because we want to know when when data is being stored or being when the clock is being triggered for a shift register and we learn here that it's positive edge triggered looks a little bit more of the structure of our shift register so here we have the serial line which we have we have the sr clock which is a shift register clock and the other thing we have and then we have our clock which is the register clock or the latch what happens with the shift register is we have serial data come in and so that serial data will be waiting here on 1d as soon as sr clock goes high that'll cause this first register to save that data to the register so if this is a zero it'll save the zero state if this is the one it'll save the one state and after that it'll be outputting that on its output down here that is then fed into the next register or the next level in the shift register and once again when another transition a positive edge trigger comes from the shift register clock if this was a zero that's previously saved we'll see a zero here that'll be saved if this is a one that was previously saved we'll see a one here and then this register the first register will now accept the the value of what is currently on the serial so that'll if we had a one coming on the serial we would then save that to the first register on the first clock trigger then we'd have a one out if it is zero coming in then on the next register this would save as a zero we then have a one here on the next clock say we have another zero coming in serial we end up with a zero here zero here and a third register the one so it just keeps getting pushed down whatever is happening just slowly trickles down through the shift register once the latch or the the register clock comes in that's when we take the value that was coming out and store that to our output register and that'll be then reflected on the output value so if we were then have this zero zero one come in and we finally get our latch pulse we would then see this one get carried over to the output register and we'd have a one on qc zero on qb and a zero on qa so let's jump back to our to our logic capture all right so back in our logic let's take a look at one of these communications again what we learned in the datasheet was that on a rising edge is where we're going to be having that trigger of saving so if this is our our shift register clock we would then be clocking as this comes up here and here and here so we'd have one zero zero one zero one one zero and then if this is our latch or we would see the latch would be saved here which would make sense so we're shifting eight bits in and then we're going to latch for our output a little trick that we can do for parsing this a little bit further is if you remember back to the previous challenge for spi we had a clock and we also had a data that aligned now we can kind of take we can take that and use that to parse this a lot faster instead of having to do it by hand so let's go ahead and take our analyzer for spi we'll say that our clock is on zero our oh it doesn't matter which one we use but we'll just use most see for now we don't have a miso and then coincidentally because our latch is low that also acts as a chip select so that works for advantage as well so we can set our chip select as two we don't care too much about the ordering of any of this because we don't know what is what the the hookup is for two of the seven segment display so let's go ahead and save that and just like that we are able to quickly get a lot of values and as we look through this we can see you know there's a bunch of values but what stands out immediately is the ff that means that we either have if this is running to a seven segment display that means that all of the segments are either on or they're off depending if it's common anode or common cathode what is unlikely is since seven segment display has seven segments and usually a dot to go with it it would be pretty uncommon to see that dot being eliminated so what this stands out to me is is this would be a common an or a common anode configuration so that and whenever we send a low that is when a segment would be on and whenever we send a high that is when a segment would be off so with ff all the segments would be off that also to signifies if the segments are off this is going to be likely a space if we're if we're doing some kind of text out on that seven segment display and so we can look through it we see we've got an f there and then go a little bit further we have an f there so we've got a space we've got another short amount and then a space and keep looking and that ends up being I think our last space so that's also fairly peculiar we have some short segments and then we have a long period of of signal being sent out that doesn't have a space and so if we make the assumption that this is this is kind of the end of the road and that whatever we're decoding is the flag it would make sense that the flag would follow after this since our flag has to be at least I guess seven characters that we have a single character flag we have the f l a g then we have the one bracket followed by the flag text which can be a single to however many long we want and then the ending bracket and so that would at minimum be seven which wouldn't fit any of these so without assumption we're going to go ahead and take a look at this hex nine five and we're going to pull it up in a little image editor that we can doodle it all right I've gone ahead and pulled up my image editor I've also brought in a seven segment display image to compare against and I've changed our hex values over here to binary so we can compare again so this first one would have been the hex 95 that we are referencing let's jump into this I mean so the first character we think is an f so let's go ahead and draw that out using segments a f e and g and now if we write that out to compare against we have f and then our hex our binary be one zero zero one zero one zero one and we know that uses a e f and g next up we would have the l and for the binary that we have one zero one one zero one one zero and if we go back to we get rid of the a and the g and then fill in the d we end up with the l character so here we're using d e and f and this is the first case where we can see that we're using the character we have an overlap of the e and f which we see with these two zeros and then we have this other character and remember the zeros since we're using a common anode configuration for our for our seven segment display the zeros are what is going to cause the segments to light up or a low and then we have this other one so we know these have to be e and f because they overlap and that means this character has to be a d so we can start filling this in if we do the position of the bit we would then we don't know the first one the second has to be e or it has to be f the third has to be an a or it has to be a g again because if we're we're going to go through and process out which ones we've already know we know these are e and f so this has to be a g or this has to be a g we don't know a bit four bit five has to be an e or an f then having an a and a g we don't know seven and then eight has to be d because that's the only difference now if we look at the next one which should be an a we would have one zero zero zero zero zero zero one and we can draw that out by using segments e f a b c and g so again all the segments except for d and the dot and if we write that a b c e f g now we know this is d so that means this other character has to be the dot now let's take a look at our next character which should be g go through and erase this then draw our g which would use segments a f e d and c and the binary representation for that would be one zero one one zero zero zero zero and just to keep checking ourselves we're using we have five zeros which match five segments so we're all good there we're using a c d e and f and now this is a chance where we have an a but we don't have a g so this is going to tell us which character is the a and which character is the g as well as we know which character is the d this would be the d we know we've got our e and our f and then that leaves us to know that this is going to be um oh oops i've got these shifted over one one this should be our a energy not that um so we know this then has to be the the seventh bit has to be our a which then tells us that the third bit has to be the g and the remaining bit that we don't know from this or that we do know is then we know this would be the the c value so the next character we don't know we suspect it's going to be some kind of bracket character but we'll go ahead and give it a question mark for now we then look over so we've got f l a g so now we're looking at this one be one zero one one zero one zero zero four characters let's go through clear this out and this time we're going to just use what we already know against this uh against what we want to know uh so we know dot this has to be an e or an f then have a g oh and then we can also say since we have a we know where all the characters are except for one this has to be a b so we have g b let's either an e or an f and then c ad luckily both of these are on so we know that both the e and the f are on and then we also have a d and an a that are on so that aligns looks like a bracket we'll then go on to our next character so f l a g bracket and then we have this next questionable character which is one zero one one zero one one zero that sounds familiar and we look up here and it is our l so if we keep doing this we'll then learn that we have an l an e a t a t an e and it's this next character that is going to tell us which is the the e which one is the f so if we trace down here again we'd end up with the character with the binary one zero zero one one one one one now this only uses two characters we know it has to be a letter we know it uses the g so let's let's draw that out we don't use the g and it either has to be the f or the e i don't know a character that looks like that would look like this configuration but i do know this looks a little bit like an r so i would make the guess that e is the is going to be our second bit here and that f would be the the fifth one so that we have an r here because that would also align with this where we'd spell out letter so we'll change that to an r and now we finally have our knowns we know what our alignment is for our for our bits to the seven-segment display and if we follow all of this we will end up with the flag that is flag letters are hard with seven segments last but at least we have the fifth challenge we found another one of those displays lying around but it seems this one is a bit more complex not only is it a 16 segment display it seems to have some extra ic's on the board to modify the signal coming out of the controller whatever it was displaying was flashing far too fast for us to read so we quickly did a signal capture a line and capture channel with the number marked on the pcb silkscreen and got out of there it seems whoever made that device had fabricated the pcb on a public site and we are able to retrieve the gerber files can you help us reverse engineer the circuit and recover what was being sent on the 16 segment display so here is this instance where we have a zip file we're giving the gerber files which is a vector representation of the board layout and we also have a capture as well let's first take a look at the gerber file that we're provided with so i'm going to go to an online gerber viewer site pcb way offers one and then i'm going to bring in my gerber still zipped up it will be able to load those and show what the circuit board looks like so this is a representation of what the circuit board looks like we can see a lot of traces coming out running to a few ic's and then going to this 16 segment display we also have a bottom view and we can view all the layers at the same time all right i've gone ahead and changed the color layer color so we can see them a little bit better red is for top and blue is for bottom looking at the ic's that our traces are going to we have two different kinds we have the 74ls86n and we have the 74al s04n i pulled the sheets for both of them and we can take a look at them the al s04 is a hex inverter and we can see for the chip we have an input which is a and we have an output which is y and this happens six times on the chip we also have power and ground that are provided to the the integrated circuit for the s86 we have a quad two input exclusive or gate and i really like this data sheet because it shows how you have the two in which pins the inputs come in and the output pins so we can see the structure for what we would expect for going in and out of the the different ic's on this board we also have our 16 segment display and we're lucky enough to have the numbers provided for that as well which if we do a little searching on the google we can end up finding a link to the footprint for this part and if we blow that up a little bit to read it better we can see this tells us which segment is on which pin so we know a is on pin one b is on pin 18 c is on pin 16 and so on and how that aligns to oops sorry and how that aligns to the segments around the display what we can do now is convert the pcb design to a script so just a series of logic operations we know the output level coming out we then know the logic that we need to do with these different ic's for the s04 we need to provide hex inversion and we know the inputs and outputs of those and where those go and then for the 86's we know that we need to do a two input xor and we know the inputs and outputs of where those go so let's jump over to the script what i've done here is start it basic and then kind of build it up from there so the first thing they did was i defined our xor function and i've defined our invert function from there i created simulations of the s04 six input inverter where we have each of our inputs and those would be correspond with the the different numbers that we hadn't saw in the datasheet one through six and we also get the outputs out from that as well as simulating the 86 our quad xor so we have our inputs in 1a in 1b 2a 2b so on and then we get our outputs as well from those that are our output would be 1y 2y 3y 4y with those basics of being able to simulate those logic ic's we can then run our decode function so coming in we're the way i have it set up is we'll enter our we'll enter the data that would be going we're coming out of the ic we just check that we've entered enough bits we can then decode it so we'll run that value that we entered in and the value coming in is going to be a 16 bit number and tracing through the tracing through the pcb we can look really quick back to that we'd see for instance we have data zero coming out and going into 1a of our xor and then coming out and then we'd see the 1y flow into the quad xor and we can do that with all of these where we can look at what each of these pins are where we're getting being provided a pin from and i've gone ahead and done that where i've just plugged all that in and created all the inner workings of what those logic would be for the pcb we then get our output unfortunately this is not in the same order that we would expect for the to align with the abc segments of the 16 segment display so i then plug this into a fixed pin order where we have this would be the order that we're getting out of this decode function amk and so on and then we align that to what i we would want to see which would be abcd so we know a is coming from the first value we then know b is coming from the last value so we have the 15 there c is coming from the third to last value so we've got the 13 there and so on so this corrects the whole order and what we're provided with is a printout of a through u for the segments and then underneath we have a 1 or a 0 to whether or not those will be on or off one mistake i noticed when i was doing this is that i have laid this out as if it was a common cathode but in fact this design is a common anode so i apologize for that i was not able to simulate this hardware but there was a mix up where the zeroes similar to challenge four zeroes should correspond to a zero should according to the part correspond to an on of the segment but in reality of this challenge a one corresponds to the to an on for the for the segment so let's run this script let's go ahead and run this script so the first thing we expect is our value i'm going ahead and use the annotation in sole to align a marker with the different data positions of the parallel data that we would expect coming out of our microcontroller so a one corresponds to the first the first parallel output and so we can go through and type that in so we have zero zero zero one one zero one zero one one one zero one do that and we end up with an output here here if we pull back up our image editor i've loaded in a new image for i've loaded loaded in an image or 16 segment display i'm going to go through and trace this out let's see we would have an a a b and then have e and f and then we have m and s so our first character is i if you were to go through and keep doing this for every parallel we would end up with the text i hope no one can see this followed by the flag flag so much room for alphanume activities thank you all for watching i hope you're able to follow along but if you have any questions please reach out in the hhv chat in the deafcon discord also all the scripts i've shown along with the challenge right of details can be found on the hhv's github account under the account dchhv again i'm rare and i hope to see you all again soon stay safe and happy hacking