9 - MR18 Deep Dive: The Timing Attack
Catching a CPU in the dark with a 1.5 second flashlight
The selfish are constantly profitin’ off the helpless — Denzel Curry, “Walking”
Post 3 gave the high-level overview of the timing attack—power on, wait 1.5 seconds, halt the CPU before Cisco’s kernel murders the JTAG interface. This post rips open mr18_flash.py and walks through every halt strategy and the main retry loop in detail. None of this is elegant. It’s the kind of code you write at 2am when you’ve already power-cycled an access point forty times and you’re starting to take it personally.