Key Card Addon: Binary LED Reader - 300 (BLR-300)
This write-up walks through the process of solving the hardware challenge in the NSEC 2025 CTF.
NOTE: This is a beginner-friendly challenge that mostly requires investigating traces and understanding the direction of current flow.
The official source code released by NSEC for the Badge and Dock is available at NSEC-Badge.
The objectives of this challenge are:
- First, fix the existing issues on the provided board so it will properly blink the LEDs.
- Second, decipher the message output by the LEDs to obtain the flag.
Note: The board is attached to the badge, which is then connected to a dock available next to the soldering village to output the ciphered code. The badge by itself does not light up anything. The secret message resides on the dock. I saw one participant sniffing the pins on the badge to capture the ciphered message without fixing the board. While that approach is extremely clever, the board will reveal necessary facts about some of the pins.
Overview
I decided to write this guide because, after talking with participants of the competition, most were not familiar enough with the challenge to give it a try.
A PDF was provided: BLR-300-Reference-manual.pdf, which is a guide/datasheet and also provides clues about what to look for.
Read it carefully before making any modifications to the board. Make notes of the tips and clues in that document to explore.
Start by drawing a schematic of the circuit. KiCad (a free and open-source application) might help, but just pen and paper can get the job done.
NOTE: There is a checkered pattern printed on the board to make following the traces and reverse engineering more difficult.
Datasheet Notes Revealed
Datasheet Pinout Table
Pinout (see high resolution here: PCB Front and PCB Back).
Schematics (see high resolution here: PCB Schematics).
Basic steps:
- Visually inspect the board and all its features/components.
- Identify the 8 LEDs.
- Identify the resistors connected to each LED.
- Identify any other components and what they relate to.
- Use a flashlight to shine through the board. This allows you to see behind the printed obfuscation pattern.
See through paint with backlight (see high resolution here).
- Use a multimeter to:
  - Test continuity between all 12 pins of the board (some might be shorted).
  - Follow each trace on the board to test for connectivity (some might be broken).
  - Test LEDs and other diodes for polarity (some might be inverted).
  - Test the resistors (some might not be appropriately sized).
- Cross-reference the pinout table from the datasheet with the LEDs (some might be swapped).
By performing the inspections above, most, if not all, issues can be identified.
Testing the LED orientation with a multimeter will reveal it is incorrect.
It is necessary to desolder the LED and solder it back in the correct orientation. This process frequently destroys the LED because of the heat. If necessary, ask for another RED SMD LED from one of the organizers.
There is no connectivity between the header pin and the LED. A visual inspection may not reveal this issue because of the printed obfuscation pattern. Use the multimeter to check continuity.
This is easy to fix by making the route with an external wire.
Visually, it is not possible to see the polarity of the diode in series with this LED. Use the multimeter to check continuity through the components.
The highlighted diode is not necessary and can be bypassed or have its orientation inverted.
This LED appears to malfunction, but the circuit is shorted in multiple locations.
On the back, there is an odd trace to a hole right next to ground on the other side. Cut it with a utility knife or any sharp metal tool.
On the front, there are two other shorts right at the header pin. If the header is already soldered, it might be a bit trickier to cut them.
This was the trickiest issue in this challenge because it takes time to analyze what this extra circuit is doing: a PNP transistor with two 10K ohm resistors.
There is no issue with the transistor, after all. But the circuit that connects pin 3V3 to the LED does not work and needs to be re-routed.
I did not find any purpose for resistors 9 and 10, so I shorted 9 and removed 10. Maybe it was not necessary.
The manual has the note: "The LED has a tendency to die easily if lighted up for a long time." This comment implies that the resistor that protects the LED has too low a value or is missing.
A visual inspection might reveal that, while all the other LEDs have a 75-ohm resistor, this LED has a 1-ohm resistor. Just ask the challenge organizers for a replacement resistor.
These two work out of the box, which makes it easy to overlook that they are swapped. This issue will cause the encoded/ciphered message to be incorrect.
Open the bridges on the back and reroute the circuits, swapping the pins using any piece of wire.
This is how the changes look after all fixes have been applied.
At this point, the PCB can be connected to the badge and attached to the dock provided by the organizers of the challenge to capture the ciphered code.
From the video we got the following byte sequence.
Note: LEDs 7 and 8 were still inverted at the time of the recording.
00001010
00100111
11011000
11110101
00001010
11110101
00001010
10001111
00001101
00000110
10000111
00010001
00101111
00011100
00110010
10110110
10100110
10010110
00011100
10110010
00010101
00001110
00111111
00110010
10010110
00110010
10100110
00000101
00001110
00011111
10011101
10110010
10110110
00010010
11110101
00001010
11110101
00001010
11011010
11011000
00100111
11110101
00001010
11110101
00001010
11111111
11110101
00001010
11110101
00001010
...
The comment in the datasheet "Expected Communication Pattern on a non-rewired addon: 11110101 00001010 ..." indicates the beginning of the message. We have a match!
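An added example, not part of the original write-up or the NSEC code: it parses the frames listed above, finds every position where the datasheet pattern starts, and provides a helper to exchange two LED bits. The names `parse_frames`, `find_preamble` and `swap_leds` are hypothetical, and the helper assumes that LED 1 is the leftmost digit and that "inverted" means the two LEDs are exchanged.

```python
# Frames transcribed from the capture listed above (one 8-bit LED state each).
CAPTURE = """
00001010 00100111 11011000 11110101 00001010
11110101 00001010 10001111 00001101 00000110
10000111 00010001 00101111 00011100 00110010
10110110 10100110 10010110 00011100 10110010
00010101 00001110 00111111 00110010 10010110
00110010 10100110 00000101 00001110 00011111
10011101 10110010 10110110 00010010 11110101
00001010 11110101 00001010 11011010 11011000
00100111 11110101 00001010 11110101 00001010
11111111 11110101 00001010 11110101 00001010
"""
PREAMBLE = ("11110101", "00001010")  # pattern quoted from the datasheet


def parse_frames(text):
    """Turn whitespace-separated bit strings into ints, rejecting bad reads."""
    frames = []
    for pos, token in enumerate(text.split()):
        if len(token) != 8 or set(token) - {"0", "1"}:
            raise ValueError(f"frame {pos}: {token!r} is not 8 binary digits")
        frames.append(int(token, 2))
    return frames


def find_preamble(frames, preamble=PREAMBLE):
    """Return every index where the two-frame preamble starts."""
    first, second = (int(p, 2) for p in preamble)
    return [i for i in range(len(frames) - 1)
            if frames[i] == first and frames[i + 1] == second]


def swap_leds(frame, led_a, led_b):
    """Exchange two LED bits. Assumption: LED 1 is the leftmost digit."""
    shift_a, shift_b = 8 - led_a, 8 - led_b
    if ((frame >> shift_a) ^ (frame >> shift_b)) & 1:
        frame ^= (1 << shift_a) | (1 << shift_b)
    return frame


if __name__ == "__main__":
    frames = parse_frames(CAPTURE)
    print("preamble starts at frames:", find_preamble(frames))
    fixed = [swap_leds(f, 7, 8) for f in frames]
    print("after swapping LEDs 7 and 8:", [f"{f:08b}" for f in fixed[:4]])
```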
There are two keys described in the datasheet as CLIENT DEFAULT KEY and SCRAMBLED KEY.
There is an old Windows font called Wingdings that contains the same symbols printed on the back of the board. Those keys were decoded with the chart below.
(to be continued)