This challenge involves an attack on the DESFire protocol when the random nonce generated by the reader is known. The random nonce in this case is generated using the hardware randomness of the RP2040. In the RP2040, if the CPU clock is a harmonic of the internal ring oscillator, the random number generator is entirely predictable (yielding either all 1s or all 0s).
We can then use the reader as an encryption primitive, through its use of CBC encryption, to forge a DESFire session key with it. We can thus communicate with the reader, which will write the flag to our card.
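The root cause above is a bit source that silently degrades to a constant stream, so the mitigation a reader firmware wants is a health test on the sampled bits before any of them become a nonce. The following is an added example written for this write-up, not code from the challenge or its author: a portable C check that rejects a constant sample (the all-0s/all-1s RP2040 failure mode named above), an over-long run of identical bits, or a strongly biased sample. It makes no pico-sdk calls; the thresholds (`MAX_RUN`, `BIAS_TOL_PCT`, a 512-bit sample) and the five sample buffers are assumptions constructed for illustration, not real captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum rng_health {
    RNG_OK = 0,
    RNG_FAIL_CONSTANT,  /* every bit identical: the RP2040 harmonic failure mode */
    RNG_FAIL_RUN,       /* a run of identical bits longer than MAX_RUN */
    RNG_FAIL_BIAS       /* share of one-bits outside 50% +/- BIAS_TOL_PCT */
};

/* Thresholds are assumptions chosen for a 512-bit startup sample; they are
 * not taken from any standard or from the challenge. */
#define SAMPLE_BYTES  64
#define MAX_RUN       32
#define BIAS_TOL_PCT  8

/* Inspect a sampled bit stream before any of it is used as a nonce. */
enum rng_health rng_health_check(const uint8_t *buf, size_t len)
{
    if (len == 0)
        return RNG_FAIL_CONSTANT;

    size_t nbits = len * 8, ones = 0, run = 0, max_run = 0;
    int prev = -1;

    for (size_t i = 0; i < nbits; i++) {
        int bit = (buf[i / 8] >> (i % 8)) & 1;   /* LSB-first bit order */
        ones += (size_t)bit;
        run = (bit == prev) ? run + 1 : 1;
        if (run > max_run)
            max_run = run;
        prev = bit;
    }

    if (ones == 0 || ones == nbits)
        return RNG_FAIL_CONSTANT;
    if (max_run > MAX_RUN)
        return RNG_FAIL_RUN;

    size_t pct_ones = ones * 100 / nbits;
    if (pct_ones < 50 - BIAS_TOL_PCT || pct_ones > 50 + BIAS_TOL_PCT)
        return RNG_FAIL_BIAS;
    return RNG_OK;
}

/* Constructed samples standing in for what the hardware bit source might
 * deliver; none of these are real RP2040 captures. */
enum sample_kind {
    SAMPLE_STUCK_LOW,   /* ring oscillator locked: all 0s */
    SAMPLE_STUCK_HIGH,  /* ring oscillator locked: all 1s */
    SAMPLE_LONG_RUN,    /* healthy-looking tail after a 64-bit stuck start */
    SAMPLE_BIASED,      /* one set bit per byte */
    SAMPLE_PLAUSIBLE    /* balanced pattern with short runs; passes the tests */
};

enum rng_health check_sample(enum sample_kind kind)
{
    static const uint8_t balanced[4] = { 0x3C, 0xA7, 0x59, 0xE2 };
    uint8_t buf[SAMPLE_BYTES];

    switch (kind) {
    case SAMPLE_STUCK_LOW:  memset(buf, 0x00, sizeof buf); break;
    case SAMPLE_STUCK_HIGH: memset(buf, 0xFF, sizeof buf); break;
    case SAMPLE_LONG_RUN:
        memset(buf, 0xA5, sizeof buf);
        memset(buf, 0x00, 8);               /* 64 identical bits up front */
        break;
    case SAMPLE_BIASED:     memset(buf, 0x01, sizeof buf); break;
    case SAMPLE_PLAUSIBLE:
    default:
        for (size_t i = 0; i < sizeof buf; i++)
            buf[i] = balanced[i % 4];
        break;
    }
    return rng_health_check(buf, sizeof buf);
}

int main(void)
{
    static const char *names[] = { "OK", "CONSTANT", "RUN", "BIAS" };
    for (int k = SAMPLE_STUCK_LOW; k <= SAMPLE_PLAUSIBLE; k++)
        printf("sample %d -> %s\n", k, names[check_sample((enum sample_kind)k)]);
    return 0;
}
```

The "plausible" sample is a repeated 4-byte pattern, which shows the limit of this kind of check: it is a coarse fault detector for a stuck or heavily skewed source, not evidence that the bits carry entropy. A reader that fails this check at boot should refuse to start an authentication rather than fall back to whatever the oscillator is producing.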
Category: Hardware / Crypto
Difficulty: Hard
Author: HexF