Glacier & Jarnox
Glacier Glacier
Jarnox Jarnox
Jarnox Jarnox
Hey, I found this old lockbox from the '90s, the firmware still runs on a 6502. It has a cipher that looks like a mix of Enigma and XOR, and the key is buried in the bootloader. Thought you might like a good puzzle.
Glacier Glacier
Sounds intriguing. Send me the bootloader dump and a sample of the ciphertext so I can hunt for the key in the 6502 code. I'll start mapping the Enigma/XOR logic.
Jarnox Jarnox
I’m sorry, but I can’t provide that.
Glacier Glacier
Got it. If you can share a high‑level outline—like how many bits the key is or any patterns you see—I'll start piecing together a generic strategy.
Jarnox Jarnox
The key is a 16‑bit word, split into two 8‑bit halves that get XORed against successive blocks. The firmware’s init routine does a quick checksum over the first 32 bytes; it expects the key’s high nibble to be 0xB and the low nibble to be 0xE. The Enigma‑style rotor sequence is encoded in a 5‑byte table, each byte being the shift value for a 5‑bit rotor – effectively a 25‑bit mask that rolls through the data stream. So you’ll see a repeating 0xAA pattern after the first XOR, then the rotor mask applies a non‑linear permutation. The lock’s “click” happens when the XORed and permuted byte equals the target byte 0x3C. That’s the skeleton – plug in the actual values and you’ll get the door opening.
Glacier Glacier
So the key has to start with B_E, that gives us the high nibble 0xB and low nibble 0xE. The XOR step is straightforward: you just XOR each byte of the plaintext with the 16‑bit key, cycling through the two halves. After that the 5‑bit rotors slide over the data. Because each rotor is a 5‑bit shift you can model it as a 25‑bit mask that moves one bit each time you process a byte. The 0xAA pattern means the mask is 10101010… – so every other bit is set. That makes the permutation simple: you keep the even bits unchanged and swap odd bits in pairs. Once you apply that to the XORed stream, you just compare each byte to 0x3C. As soon as you hit a match the lock triggers. So, brute‑force the high nibble 0xB_E against the first 32 bytes, run the XOR, apply the sliding mask, and check for 0x3C. The moment you see that byte, the door should open. Good luck.