ESPILON-CTF-2026-Writeups/IoT/Wired_Airwave_013/solve/solve.md
Eun0us 6a0877384d [+] Writeups v2 — sync solves, real points, scoreboard stats, cleanup
- Remove undeployed challenges: Phantom_Byte, Cr4cK_w1f1, Lain_Br34kC0r3 V1,
  Lain_VS_Knights, Lets_All_Love_UART, AETHER_NET, Last_Train_451, Web3/
- Sync 24 solve/ files from main CTF-Espilon repo
- Update all READMEs with real CTFd final scores at freeze
- Add git-header.png banner
- Rewrite README: scoreboard top 10, edition stats (1410 users, 264 boards,
  1344 solves), correct freeze date March 26 2026
2026-03-27 21:27:45 +01:00

Wired Airwave 013 -- Solution

Overview

The challenge exposes:

  • tcp/9001: raw interleaved int8 IQ stream (2-FSK bursts)
  • tcp/31337: maintenance console

Goal:

  1. Demodulate valid RF frames from IQ.
  2. Recover the maintenance token hidden in maintenance frames.
  3. Submit it with unlock <token> on the console.

Packet format

After preamble and sync, each frame carries 20 obfuscated bytes:

  • type (1 byte)
  • counter (1 byte)
  • data (16 bytes, text)
  • crc16-ccitt (2 bytes, big endian)

The 20-byte payload is XOR-obfuscated with the repeating key WIREDMED13.

Decode path

  1. Convert stream to complex IQ (int8 interleaved).
  2. Differential FSK demod:
    • sign of imag(s[n] * conj(s[n-1]))
  3. Symbol slicing with 40 samples/symbol.
  4. Find preamble + sync marker.
  5. Parse payload, XOR-deobfuscate, verify CRC16.
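
The decode path above as a runnable sketch. This is an added example, not the repository's solve.py. The preamble/sync bytes, bit order, tone polarity, CRC variant and CRC scope are assumptions, since the writeup does not state them. The test signal, frame type, counter and space padding are constructed.

```python
import math, struct

KEY, SPS = b"WIREDMED13", 40           # XOR key and samples/symbol, from the writeup
SYNC = bytes.fromhex("aaaaaaaa2dd4")   # ASSUMED preamble+sync; the page gives no values

def crc16_ccitt(data, crc=0xFFFF):     # ASSUMED variant: poly 0x1021, init 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def xor_key(buf):                      # same operation obfuscates and deobfuscates
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(buf))

def to_bits(buf):                      # ASSUMED MSB-first bit order
    return [(b >> (7 - i)) & 1 for b in buf for i in range(8)]

def demod_bits(raw):
    """Interleaved int8 IQ -> one hard bit per symbol (stream assumed symbol-aligned)."""
    v = struct.unpack(f"{len(raw)}b", raw)
    s = [complex(i, q) for i, q in zip(v[0::2], v[1::2])]
    d = [(s[n] * s[n - 1].conjugate()).imag for n in range(1, len(s))]
    # Sum the discriminator over each symbol; ASSUMED positive deviation = 1.
    return [int(sum(d[k:k + SPS]) > 0) for k in range(0, len(d), SPS)]

def decode_frames(bits):
    """Find sync, take the 20 payload bytes, deobfuscate, keep only CRC-valid frames."""
    sync, out = to_bits(SYNC), []
    for p in range(len(bits) - len(sync) - 160 + 1):
        if bits[p:p + len(sync)] != sync:
            continue
        chunk = bits[p + len(sync):p + len(sync) + 160]
        plain = xor_key(bytes(int("".join(map(str, chunk[i:i + 8])), 2) for i in range(0, 160, 8)))
        if crc16_ccitt(plain[:18]) == int.from_bytes(plain[18:], "big"):  # ASSUMED CRC scope
            out.append((plain[0], plain[1], plain[2:18]))
    return out

def make_iq(typ, ctr, text, flip=0):
    """Constructed test signal: build a frame and 2-FSK modulate it to int8 IQ."""
    body = bytes([typ, ctr]) + text.ljust(16)
    air = bytearray(SYNC + xor_key(body + crc16_ccitt(body).to_bytes(2, "big")))
    air[-1] ^= flip                    # optional on-air corruption for the CRC check
    ph, iq = 0.0, bytearray()
    for bit in to_bits(air):
        for _ in range(SPS):
            ph += 2 * math.pi * (0.05 if bit else -0.05)
            iq += struct.pack("bb", round(100 * math.cos(ph)), round(100 * math.sin(ph)))
    return bytes(iq)

if __name__ == "__main__":
    print(decode_frames(demod_bits(make_iq(0x02, 7, b"P1:0BS3RV3"))))
```

On a live capture the stream does not start on a symbol boundary, so the slicer needs a timing search (for example, trying each of the 40 sample offsets) before the sync match.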

Maintenance token

Valid decoded maintenance frames include:

  • P1:0BS3RV3
  • P2:-L41N-868

Concatenating the P1 and P2 values gives the token:

0BS3RV3-L41N-868

Unlock

nc <host> 31337
unlock 0BS3RV3-L41N-868

Server returns the flag.

Automated solver

python3 solve.py --host <host>