Challenge / Hardware

Mission PinPossible

Mission PinPossible is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Easy | Published 2024-09-23 | Sanitized local writeup

Scenario

Mission PinPossible attack path


Objective

Challenge walkthrough focused on Hardware evidence, validation, and reusable operator lessons.

Mission PinPossible sanitized attack graph

Walkthrough flow

  1. Extract the challenge archive and identify the...
  2. Use the image to identify a PCF8574T LCD backpack,...
  3. Export the legacy Saleae Logic 1 .logicdata through...
  4. Decode Channel 1 as SCL and Channel 0 as SDA.
  5. Validate ACKed PCF8574 writes at shifted address 0x4e.

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Hardware/Mission-PinPossible/writeup.md
  • htb-challenge/Hardware/Mission-PinPossible/notes.md
  • htb-challenge/Hardware/Mission-PinPossible/memory-summary.md
  • htb-challenge/Hardware/Mission-PinPossible/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Hardware__Mission-PinPossible__memory-summary.md.fca15a7a55.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Hardware__Mission-PinPossible__notes.md.8cf3382623.md

Technical Walkthrough

Writeup

Challenge

  • Name: Mission-PinPossible
  • Category: Hardware
  • Difficulty: Easy
  • Mode: file

Summary

Mission PinPossible is a logic-analyzer decode challenge. The image identifies the target as a keypad display wired through a PCF8574T LCD backpack, and the archive contains a two-channel Saleae Logic 1 .logicdata capture. The solve path is to export the old capture, decode I2C, reconstruct the HD44780 LCD writes, and recover the password from the display leakage.

Artifact Inventory

Relevant artifacts:

  • files/a12c7342-4fc9-417a-813b-b166096de696.zip: original HTB archive.
  • analysis/extracted/op_pinpossible.logicdata: old Saleae Logic 1 capture.
  • analysis/extracted/security_keypad.jpeg: reference photo showing the LCD and PCF8574T backpack.
  • analysis/extracted/logic1-export/old-separate.csv: Logic 1 CSV export used by the solver.
  • analysis/decoded-lcd-redacted.txt: decoded LCD text with raw flag material omitted.

Analysis

The .logicdata format is a legacy Saleae Logic 1 save file. The useful path was not to reverse the private capture store by hand, but to export it through Logic 1.2.18 using the socket API. The resulting CSV contains one row per logic change, with two digital channels.

The channel mapping is validated by protocol behavior:

  1. Channel 1 as SCL and Channel 0 as SDA produces clean I2C transactions.
  2. Every decoded transaction targets shifted I2C address 0x4e, consistent with a PCF8574 LCD backpack at unshifted address 0x27.
  3. The second byte of each transaction is ACKed and follows the expected LCD backpack pattern: data nibble in bits 4-7, E on bit 2, backlight on bit 3, and RS on bit 0.
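The mapping check above, as an added example that is not the challenge's solve.py: a minimal I2C decoder run over logic-change rows with both channel assignments, keeping the one that yields ACKed transactions to a single address. The row layout (one (ch0, ch1) tuple per change), the function names and the sample bytes are assumptions constructed for illustration.

```python
# Added example: I2C decode over logic-change rows, trying both channel assignments.
# All sample data below is constructed; it is not taken from the challenge capture.

def decode_i2c(rows, scl_ch, sda_ch):
    """rows: (ch0, ch1) levels per logic change -> list of [(byte, acked), ...]."""
    txns, cur, bits = [], None, []
    prev_scl = prev_sda = 1                               # bus idles high
    for levels in rows:
        scl, sda = levels[scl_ch], levels[sda_ch]
        if prev_scl and scl and prev_sda and not sda:     # START: SDA falls, SCL high
            if cur:
                txns.append(cur)                          # repeated START closes the last one
            cur, bits = [], []
        elif prev_scl and scl and not prev_sda and sda:   # STOP: SDA rises, SCL high
            if cur:
                txns.append(cur)
            cur = None
        elif cur is not None and not prev_scl and scl:    # SCL rising edge: sample SDA
            bits.append(sda)
            if len(bits) == 9:                            # 8 data bits (MSB first) + ACK
                byte = int("".join(map(str, bits[:8])), 2)
                cur.append((byte, bits[8] == 0))          # ACK means SDA held low
                bits = []
        prev_scl, prev_sda = scl, sda
    return txns

def pick_mapping(rows):
    """Return (scl_ch, sda_ch, 7-bit address) for the assignment that decodes cleanly."""
    for scl_ch, sda_ch in ((0, 1), (1, 0)):
        txns = decode_i2c(rows, scl_ch, sda_ch)
        addrs = {t[0][0] for t in txns}
        all_acked = all(acked for t in txns for _, acked in t)
        if txns and len(addrs) == 1 and all_acked:
            return scl_ch, sda_ch, addrs.pop() >> 1
    return None

def synth_write(addr_byte, data):
    """Constructed sample: rows with ch0=SDA, ch1=SCL for one fully ACKed write."""
    rows = [(1, 1), (0, 1), (0, 0)]                       # idle, START, clock low
    for byte in (addr_byte, *data):
        for bit in [(byte >> i) & 1 for i in range(7, -1, -1)] + [0]:
            rows += [(bit, 0), (bit, 1), (bit, 0)]        # set SDA, clock high, clock low
    return rows + [(0, 0), (0, 1), (1, 1)]                # STOP

SAMPLE = synth_write(0x4E, [0x4C]) + synth_write(0x4E, [0x48])

if __name__ == "__main__":
    print(decode_i2c(SAMPLE, scl_ch=1, sda_ch=0))
    print(pick_mapping(SAMPLE))                           # shifted 0x4e is 7-bit 0x27
```

With the channels swapped, the data line is read as the clock, so every 1 bit looks like a STOP followed by a START and no complete byte is ever assembled.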

The LCD data is recovered on the falling edge of E. Pairing successive high/low nibbles with matching RS reconstructs HD44780 writes. The data stream repeatedly prints Enter Password, then displays the password as progressively masked text: first one visible character, then one more visible character while earlier characters become *.

The solver reconstructs the flag by taking the non-* leaked character from each repeated password display state. The final decoded stream also shows an access-granted message, confirming the recovered password was accepted.
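The LCD reconstruction described above, as an added example that is not the challenge's solve.py: it latches nibbles on E falling edges, pairs them into HD44780 writes, replays the writes onto a 2x16 screen, and collects the one unmasked character from each prompt state. The function names, the secret "PIN42" and the capture are constructed for illustration, and the sample skips the LCD's initialization sequence.

```python
# Added example (constructed data): PCF8574 port bytes -> HD44780 writes -> leaked chars.
RS, E, BL = 0x01, 0x04, 0x08        # P0=RS, P2=E, P3=backlight, P4-P7=data nibble

def lcd_writes(port_bytes):
    """Latch a nibble on each falling edge of E; pair high/low nibbles with equal RS."""
    writes, pending, prev = [], None, 0
    for b in port_bytes:
        if prev & E and not b & E:                  # E went high -> low
            nib, rs = prev >> 4, prev & RS
            if pending is not None and pending[1] == rs:
                writes.append((rs, pending[0] << 4 | nib))
                pending = None
            else:
                pending = (nib, rs)                 # high nibble, or resync on RS change
        prev = b
    return writes

def display_states(writes, cols=16):
    """Replay writes onto a 2-row screen; snapshot before every clear and at the end."""
    screen, cur, states = [[" "] * cols for _ in range(2)], 0, []
    snap = lambda: ["".join(row).rstrip() for row in screen]
    for rs, val in writes:
        if rs:                                      # data register: character at cursor
            row, col = divmod(cur, 0x40)            # row 1 starts at DDRAM address 0x40
            if row < 2 and col < cols:
                screen[row][col] = chr(val)
            cur += 1
        elif val == 0x01:                           # clear display
            states.append(snap())
            screen, cur = [[" "] * cols for _ in range(2)], 0
        elif val & 0x80:                            # set DDRAM address
            cur = val & 0x7F
    return states + [snap()]

def leaked_secret(states, prompt="Enter Password", mask="*"):
    """Collect the single unmasked row-1 character from each prompt state."""
    hits = [[c for c in bottom if c != mask] for top, bottom in states if top == prompt]
    return "".join(v[0] for v in hits if len(v) == 1)

def synth_capture(secret):
    """Constructed sample: one masked refresh per character, as PCF8574 port bytes."""
    cap = []
    for i, ch in enumerate(secret):
        lcd = [(0, 0x01)] + [(1, ord(c)) for c in "Enter Password"]
        lcd += [(0, 0xC0)] + [(1, ord(c)) for c in "*" * i + ch]
        for rs, byte in lcd:
            for nib in (byte >> 4, byte & 0x0F):
                base = nib << 4 | BL | (RS if rs else 0)
                cap += [base | E, base]             # E high then low: one latched nibble
    return cap

SAMPLE = synth_capture("PIN42")                     # constructed secret
if __name__ == "__main__":
    print(leaked_secret(display_states(lcd_writes(SAMPLE))))
```

Each refresh puts the newest character on the bus in clear text, so masking it on the panel afterwards does not remove it from a capture of the display wiring.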

Solve

Run:

bash
python3 Hardware/Mission-PinPossible/solve/solve.py \
  --flag-out Hardware/Mission-PinPossible/loot/flag-candidate.txt \
  --redacted-transcript-out Hardware/Mission-PinPossible/analysis/decoded-lcd-redacted.txt

Then capture with the harness:

bash
python3 scripts/challenge_harness.py capture-flag Hardware/Mission-PinPossible --from loot/flag-candidate.txt

The solver expects the Logic 1 CSV export at analysis/extracted/logic1-export/old-separate.csv. That export was produced from the original .logicdata file with Saleae Logic 1.2.18's socket API.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • The photo matters: the visible PCF8574T backpack narrows the problem to I2C LCD traffic immediately.
  • Old Saleae .logicdata files are not directly supported by Sigrok; exporting through Logic 1.2.18 is the pragmatic route.
  • For HD44780-over-PCF8574 captures, look for E falling edges and combine nibbles rather than trying to treat PCF8574 writes as text bytes.
  • Keypad/display leakage can reveal a full password even when the UI masks prior characters.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Mission-PinPossible
  • Category: Hardware
  • Difficulty: Easy
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-10T11:34:55Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| files/a12c7342-4fc9-417a-813b-b166096de696.zip | 2120156 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 2 shown in artifact inventory JSON |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-10T11:34:55Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-10T11:35:08Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-10T11:41:19Z | hypothesis recorded | hypothesis-board.md | Decode the Saleae Logic 1 capture as two-channel I2C traffic from a PCF8574-backed HD44780 LCD, then reconstruct the displayed keypad text/password. | High | Parse channel transition records from op_pinpossible.logicdata, try both SCL/SDA assignments, decode I2C bytes, then look for HD44780 writes matching the visible 'Enter Password' prompt. |
| 2026-06-10T11:41:19Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit |
| 2026-06-10T12:11:04Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-10T12:12:08Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • The ZIP extracts to op_pinpossible.logicdata and security_keypad.jpeg.
  • The JPEG shows a 16x2 LCD/keypad monitor with a PCF8574T I2C backpack, making a two-channel I2C LCD decode the strongest path.
  • The old Saleae Logic 1 .logicdata file was exported through Logic 1.2.18's socket API to analysis/extracted/logic1-export/old-separate.csv.
  • Exported channel mapping is validated as Channel 0 = SDA and Channel 1 = SCL.
  • Direct I2C decode shows ACKed PCF8574 writes to shifted address 0x4e.
  • HD44780 decode with common PCF8574 backpack mapping recovers repeated Enter Password display states.
  • The keypad UI leaks one new visible character per refresh while masking prior characters with *; solve/solve.py reconstructs the HTB flag from those incremental states.
  • Raw flag material is stored only in loot/flag.txt and loot/flag-candidate.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Hardware
  • Challenge: Mission-PinPossible
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Extract the challenge archive and identify the provided .logicdata capture plus keypad/LCD reference image.
  2. Use the image to identify a PCF8574T LCD backpack, implying I2C traffic to an HD44780-compatible LCD.
  3. Export the legacy Saleae Logic 1 .logicdata through Logic 1.2.18's socket API into separate-channel CSV.
  4. Decode Channel 1 as SCL and Channel 0 as SDA.
  5. Validate ACKed PCF8574 writes at shifted address 0x4e.
  6. Decode LCD writes from PCF8574 bytes using the common mapping P0=RS, P1=RW, P2=E, P3=backlight, P4-P7=data nibble.
  7. Reconstruct the password/flag from repeated Enter Password display states where one new character remains visible while prior characters are masked.

Reusable Lessons

  • Hardware challenge photos often contain protocol-critical clues such as adapter chips and bus labels.
  • For HD44780 LCD backpacks, the PCF8574 byte stream is control/nibble data, not ASCII.
  • Progressive masking UIs can leak complete secrets across multiple display refreshes.

Dead Ends

  • Treating the .logicdata footer/index records as complete raw transition data produced noisy I2C-like output and was not reliable.
  • Sigrok could decode exported VCD/CSV-style data, but it does not import the old Saleae .logicdata file directly.

Tool Quirks

  • Saleae Logic 1.2.18 supports the legacy .logicdata format and has a -socket launch option for automation.
  • The Python saleae package's newer <secret redacted> path did not create output for this capture, while deprecated <secret redacted> produced the needed CSV and VCD.
  • sigrok-cli was installed during the solve and is now available for future logic-capture work.

Evidence Paths

  • analysis/extracted/security_keypad.jpeg
  • analysis/extracted/op_pinpossible.logicdata
  • analysis/extracted/logic1-export/old-separate.csv
  • analysis/decoded-lcd-redacted.txt
  • solve/solve.py
  • loot/flag.txt

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Decode the Saleae Logic 1 capture as two-channel I2C traffic from a PCF8574-backed HD44780 LCD, then reconstruct the displayed keypad text/password. | The JPEG shows a 16x2 LCD/keypad monitor with a PCF8574T backpack and two captured digital channels; scenario says the implanted device intercepted monitor wiring while a password was partially displayed. | Need to recover channel transition timing from the old .logicdata format and validate an I2C stream with a plausible PCF8574 address and LCD text. | Parse channel transition records from op_pinpossible.logicdata, try both SCL/SDA assignments, decode I2C bytes, then look for HD44780 writes matching the visible 'Enter Password' prompt. | High | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|


Technical analogy

How to remember this solve

Think of the hardware challenge like following copper tracks on a circuit board. The useful clue is usually where signals enter, where they are transformed, and which debug or storage path exposes hidden state.

For Mission PinPossible, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.