Tags: hardware kernel verilog risc-v risc pwn 


- reset simulator, which leaves rx_start set to 0 and overwrites firmware code
- corrupt result of strlen in fast_puts by accident due to an unalignment between server RAM and provided RAM file. 2 byte unalignment causes strlen in fast_puts to return its arg (a large number), causing kernel to dump all strings in memory.
- Could also write to start of memory before unalignment to dump all memory (REG32(LPT_REG_TX_BUFFER_END) = 0x10000; while(1);)
from pwn import *

data = open("firmware.hex", "rb").read()
data = data.replace(b'\n',b'')
firmware = b''
for i in range(0,len(data), 8):
firmware += struct.pack("

Original writeup (https://www.danbrodsky.me/writeups/chujowyctf2020-fordcpu/).