9 - MR18 Deep Dive: The Timing Attack
Catching a CPU in the dark with a 1.5 second flashlight
I been up for a long time, I ain’t get no sleep for it
Post 3 gave the high-level overview of the timing attack—power on, wait 1.5 seconds, halt the CPU before Cisco’s kernel murders the JTAG interface. This post rips open mr18_flash.py and walks through every halt strategy and the main retry loop in detail. None of this is elegant. It’s the kind of code you write at 2am when you’ve already power-cycled an access point forty times and you’re starting to take it personally.