Oh, an architecture with branch delay slots. An instruction that follows `bl.d` in disassembly is actually executed before the call.

The binary starts with two checks for something, if any of them fails, prints `Error: self-test failed!` (which gives us the information that the function at 0x4A58 prints a zero-terminated string, and the address `0x90000000` is responsible for outputting data) and halts. If self-tests pass, the code asks for "unlock code", calls two functions at 0x4864 and 0x4900, then compares 16 bytes of a stack variable with values `53bae1efc06fe19759909e918a562ec2`. If bytes are different, the code prints `Error: invalid PIN code!` and halts. If bytes are equal, the code says welcome and that the first flag is 32 bytes of the same stack variable in hex wrapped in `CTF{}`. The function at 0x4864 reads from `0x90000000` and prints copy of fetched bytes, so this is presumably user input. The function at 0x4900 does something with a string `CTF 2021` and addresses around `0xa0000000`.

The function at 0x4900 is also used in the second self-test, it is called with the string `Ledger` and it's result is compared with 32-byte array `631e79e5...` A cursory glance at the function does not reveal anything more complex than some XORs, so some magic must be producted by addresses around `0xa0000000`.

For this task, investigating the organizer of CTF seems to be useless, unlike Braincool and nanovm. Let's return to the first self-test; the corresponding function is not used anywhere else, but it also deals with `0xa0000000`. The function is called with r0 pointing to some zero bytes, r1 being zero, r2 pointing to a stack variable and should fill r2 with 32 bytes `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`.

Internet knows about these bytes! These are sha256 of null input. So addresses around `0xa0000000` are responsible for sha256-hashing. Now, the function at 0x4900 does something with XOR, constants 0x36 and 0x6A and hashing... could it be HMAC? 0x6A can arise as 0x36^0x5C. Let's check:
```
>>> import hmac
>>> hmac.digest(msg=b'Ledger', key=b'CTF 2021', digest='sha256').hex()
'fcaf2eb7ec81dbbe9f0dc2f2928775b2623cdc29fbddb05e2c8e8d49559c9b68'
>>> hmac.digest(msg=b'CTF 2021', key=b'Ledger', digest='sha256').hex()
'631e79e5f00002e090a7c93a97ae60f871c60583281af5785dbb831cee46d43f'
```
The second variant matches what the self-test expects, so it is indeed HMAC. A less cursory glance reveals that key should have 6 bytes.

PIN codes are usually digits-only, let's try 6-digit codes:
```
import hmac

for i in range(1000000):
d = hmac.digest(msg=b'CTF 2021', key=('%06d' % i).encode('ascii'), digest='sha256')
if d.startswith(b'\x53\xBA\xE1\xEF'):
print(i, d.hex())
break
```
In a few seconds, the code finds `657037 53bae1efc06fe19759909e918a562ec2d1248411ce93caee03f028786225eab7`. The flag is `CTF{53bae1efc06fe19759909e918a562ec2d1248411ce93caee03f028786225eab7}`.