Eun0us/ESPILON-CTF-2026-Writeups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
30bd8dfd02
ESPILON-CTF-2026-Writeups/IoT/Wired_Airwave_013/README.md

1.1 KiB
Raw Blame History

Wired Airwave 013 -- Solution

Overview

The challenge exposes:

  • tcp/9001: raw interleaved int8 IQ stream (2-FSK bursts)
  • tcp/31337: maintenance console

Goal:

  1. Demodulate valid RF frames from IQ.
  2. Recover the maintenance token hidden in maintenance frames.
  3. Submit it with unlock <token> on the console.

Packet format

After preamble and sync, each frame carries 20 obfuscated bytes:

  • type (1 byte)
  • counter (1 byte)
  • data (16 bytes, text)
  • crc16-ccitt (2 bytes, big endian)

The 20-byte payload is XOR-obfuscated with repeating key WIREDMED13.

Decode path

  1. Convert stream to complex IQ (int8 interleaved).
  2. Differential FSK demod:
    • sign of imag(s[n] * conj(s[n-1]))
  3. Symbol slicing with 40 samples/symbol.
  4. Find preamble + sync marker.
  5. Parse payload, XOR-deobfuscate, verify CRC16.

Maintenance token

Valid decoded maintenance frames include:

  • P1:0BS3RV3
  • P2:-L41N-868

Token is:

0BS3RV3-L41N-868

Unlock

nc <host> 31337
unlock 0BS3RV3-L41N-868

Server returns the flag.

Automated solver

python3 solve.py --host <host>