61 lines
1.1 KiB
Markdown
61 lines
1.1 KiB
Markdown
# Wired Airwave 013 -- Solution
|
|
|
|
## Overview
|
|
|
|
The challenge exposes:
|
|
|
|
- `tcp/9001`: raw interleaved int8 IQ stream (2-FSK bursts)
|
|
- `tcp/31337`: maintenance console
|
|
|
|
Goal:
|
|
|
|
1. Demodulate valid RF frames from IQ.
|
|
2. Recover the maintenance token hidden in maintenance frames.
|
|
3. Submit it with `unlock <token>` on the console.
|
|
|
|
## Packet format
|
|
|
|
After preamble and sync, each frame carries 20 obfuscated bytes:
|
|
|
|
- `type` (1 byte)
|
|
- `counter` (1 byte)
|
|
- `data` (16 bytes, text)
|
|
- `crc16-ccitt` (2 bytes, big endian)
|
|
|
|
The 20-byte payload is XOR-obfuscated with repeating key `WIREDMED13`.
|
|
|
|
## Decode path
|
|
|
|
1. Convert stream to complex IQ (`int8` interleaved).
|
|
2. Differential FSK demod:
|
|
- sign of `imag(s[n] * conj(s[n-1]))`
|
|
3. Symbol slicing with `40` samples/symbol.
|
|
4. Find `preamble + sync` marker.
|
|
5. Parse payload, XOR-deobfuscate, verify CRC16.
|
|
|
|
## Maintenance token
|
|
|
|
Valid decoded maintenance frames include:
|
|
|
|
- `P1:0BS3RV3`
|
|
- `P2:-L41N-868`
|
|
|
|
Token is:
|
|
|
|
`0BS3RV3-L41N-868`
|
|
|
|
## Unlock
|
|
|
|
```bash
|
|
nc <host> 31337
|
|
unlock 0BS3RV3-L41N-868
|
|
```
|
|
|
|
Server returns the flag.
|
|
|
|
## Automated solver
|
|
|
|
```bash
|
|
python3 solve.py --host <host>
|
|
```
|