Sword of Secrets Chat

henrygab · September 9, 2025, 1:13am

This is a thread to discuss the Sword of Secrets virtual challenges.

Please put anything that might be a spoiler into collapsing blocks!

<hr/><details><summary>Title of collapsed sections</summary><P/>

Blank line above required, and here is the content

</details><hr/>

Title of collapsed sections

Blank line above required, and here is the content

henrygab · September 9, 2025, 1:15am

Here’s a starting point: Enter the following into the prompt.

Starting point

DATA 99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999YOU WIN!

(Note: that is all a single, really long line)

That is a starting point.

Other things to try

DATA 0 1 2 3
MAGICLIB 0 1 2 3
SOLVE

Coupled with the source at the Github page, that should get you started.

The above should expose you to more than one interesting feature.

Oh, and the all-important: RESET

Note: Not all the “commands” I listed are actual commands… but you should deduce that from the result of SOLVE by itself.

henrygab · September 9, 2025, 2:08am

And if you want more structured reasoning on the why…

Where are the commands?

github.com/gili-yankovitch/SwordOfSecrets

src/main.c

a15a7117a


      
          static void parseCmd(char * data, size_t len)
          {
              size_t i;
          
              if (!memcmp(CMD_SOLVE, data, sizeof(CMD_SOLVE) - 1))
              {
                  challenges(data + sizeof(CMD_SOLVE));
              }
              if (!strcmp(CMD_ASSERT, data))
              {
                  funDigitalWrite(PIN_FLASH_CS, FUN_LOW);
              }
              else if (!strcmp(CMD_RELEASE, data))
              {
                  funDigitalWrite(PIN_FLASH_CS, FUN_HIGH);
              }
              else if (!strcmp(CMD_BEGIN, data))
              {
                  SPI_init();
                  SPI_begin_8();

This file has been truncated. show original

Example working command sequence (Major Spoiler!)

I would expect to be able to read the flash ID with the following sequence:

BEGIN
ASSERT
DATA 9F
DATA 0 0 0 0 0
RELEASE
END

This is based on the flash_read_id() in the Sword’s github repo.

References

BusPirate documentation on using SPI Flash Chips.

henrygab · September 9, 2025, 3:27pm

Major Steps Spoiler - Both Challenges

You can read from the (virtual) SPI EEPROM

Look at the source on github to discover the commands that are supported, and how they are processed.
The source on github will also show a sequence that can be used to read from the flash (in code … not the console).
Convert that into a a sequence of commands.

Precise command sequence to read from (virtual) SPI EEPROM

Let’s presume you want to start reading from the flash at address 0xAABBCC.

REM - `END` is optional, unless there was a prior command
END
REM - `RELEASE` is the opposite of `ASSERT` and ensures
REM - the SPI chip sees a transition from non-selected to selected
RELEASE
REM - `ASSERT` sets `/CS` low ... selecting the flash chip on the SPI bus
ASSERT
REM - `BEGIN` sends the start bit on the SPI bus
BEGIN
REM - `DATA` sends bytes over SPI
REM - First, send the four-byte command to read from the address
DATA 03 AA BB CC
REM - Then, read 32 bytes of data at a time
DATA 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
REM - and then the next 32 bytes of data ...
DATA 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
REM - Repeat ad nauseum as required

NOTE: REM is not a valid command, and used solely to comment the code

I used an AdaFruit MacroPad to generate a script that would dump all 128k of the (virtual) SPI EEPROM. Each run of the script took about an hour.

Then, I discovered I could not actually copy/paste from the text output. Luckily, the debug console had a copy of all the output, and could be copy/pasted into VSCode.

Couple that with a long sequence of search’n’replace, and I was able to find all locations in the (virtual) SPI EEPROM that stored data.

Major Steps Spoiler - Original Challenge

There is only data in one location:

( Address, ByteCount ) = 0x010000, 0x29

Actual Data at that location

0x010000 00 00 00 00 0e 05 13 07 36 0f 37 69 22 27 3f 65
0x010010 2e 20 36 69 2f 3b 3f 24 26 61 2c 21 24 3a 7b 65
0x010020 7d 39 6a 79 7d 79 6a 38 4d ff ff ff ff ff ff ff

Major Steps Spoiler - Golden Challenge

There is only data in one location:

( Address, ByteCount ) = 0x002000, 0xAA

Actual Data at that location

0x002000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x002010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x002020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x002030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x002040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x002050: 00 00 00 00 00 54 68 69 73 20 69 73 20 6e 6f 74
0x002060: 20 74 68 65 20 66 6c 61 67 2e 20 53 65 61 72 63
0x002070: 68 20 68 61 72 64 65 72 21 20 49 20 6b 6e 6f 77
0x002080: 20 79 6f 75 20 63 61 6e 20 64 6f 20 62 65 74 74
0x002090: 65 72 2e 2e 2e 20 54 72 75 73 74 20 69 6e 20 79
0x0020A0: 6f 75 72 73 65 6c 66 20 3a 29 ff ff ff ff ff ff

henrygab · January 14, 2026, 11:08pm

Update:

I’ve solved Stages 1 & 2 using the online emulator.

The decrypted message indicates the location
on the flash where the second stage’s data is.

But I’m blocked by what might be an emulator bug
(or misconfiguration).

I cannot get the emulator to allow me
to write to the flash chip, which appears
necessary to officially progress to the next stage.

Updated thoughts on Stage 2:

Stage 2 is much easier than I thought it would be.
Solving Stage 2 also requires writing to the flash chip.
I know the data to write, and am stuck due to inability
to write in the emulated version.

Initial thoughts on Stage 3:

This is where the cryptography portion gets interesting.
Unfortunately, to make progress, the ability to write
to the flash chip is required. Maybe it’s an emulator bug,
or maybe I’m just doing stuff incorrectly…

I’ve also noticed a nice “naked” hack, likely for the endgame / last challenge. Looking forward to confirming its use for final stage!