Project Sekai - ✅-hwrf-missingno

Project Sekai

🔒 UMDCTF 2023 / ✅-hwrf-missingno

MissingNo - 500 points

Category: Hw+Rf Description: I was listening to my favorite show on the radio and then it got interrupted by this weird voice!! File: challenge.iq Files: No files. Tags: No tags.

Sutx pinned a message to this channel. 04/29/2023 4:03 PM

@Violin wants to collaborate

https://ctf.zeyu2001.com/2021/dawgctf-2021/babys-first-modulation

Baby's First Modulation

GNURadio

@Legoclones wants to collaborate

Image attachment

23:40

hmm

23:40

there's some data but idk how to get it

converted to wav?

didnt try yet

how did you get this spectrogram?

import as raw in audacity

00:13

https://github.com/Dobob1022/CTF/tree/main/2021/Dawg%20CTF%202021/Tuning%20In i did see ppl changing to wav

we have no info on any sample rate on frequency and default didn't work for me

00:15

what were parameters for importing as raw data?

default ones

00:16

i was just trying randomly

umm ask maybe how do i even find the sampling frequency

4 solves so i doubt they will give

default audacity setting didn't work for me

00:23

share screenshot

honestly im using default

Image attachment

wtf, doesn't work for me

00:29

ok nvm

00:29

so data at 11k freq

any update so i can try? got 5 solves so shouldnt be hard

@crazyman ai wants to collaborate

was wasting time on detective foren

@afterworld wants to collaborate

is there morse by any chance

07:36

morse code

so flag should be in RDS band?

idk

07:47

why so many solves

has to be some direct tool or something, idk

i read a few writeups

ok continuing this

i sent this to eana too

10:13

if anything helps

opened 10s of writeups to try

10:28

is there anything we've been missing? im thinking intended might just load in gnuradio with some config then listen

10:29

do we know modulation?

10:29

https://github.com/Dobob1022/CTF/tree/main/2021/Dawg%20CTF%202021/Tuning%20In

10:30

https://blog.tclaverie.eu/posts/grcon-2021---capture-the-signal/

10:31

so we have to guess the frequency maybe

10:31

we need this SDR (Software Define Radio) Software

o have it

10:34

i have SDR#

10:35

was messing around with this

Image attachment

did you convert iq to wav then import?

no

it can directly read iq?

i think so?

writeup says it cant, weird

try converting to wav

10:46

and see

10:46

and what modulation

Image attachment

10:46

yeah idk what modulation

10:46

cant see anything

10:48

there's obviously some data if looking at spectro

Image attachment

ya

Image attachment

BusesCanFly — Today at 11:00 AM the frequency should be pretty much obvious when you're able to listen to the iq file

finding the modulation type and dialing the sample rate is for you though

11:03

so its basically bruting modulation/sample rate then hear it?

the audio is 4 hours so i wonder whats flag listened to

audio length will depend on sampling

11:27

i thought frequency was 11k

can you hear stuff?

sahuang

BusesCanFly — Today at 11:00 AM the frequency should be pretty much obvious when you're able to listen to the iq file

finding the modulation type and dialing the sample rate is for you though

i originally thought of decoding bits but he said this..

11:28

its 6 hours with 11k

11:29

and audacity cant work with modulation type - so maybe i should switch to gnuradio or universal radio

11:29

maybe fsk with 11k freq

i looked at audacity import, it should be 32 bit float, 2 channel, little endian

11:29

not default

ic

11:31

how do we deal with modulation? not available on audacity right

audacity is to generally view frequency spectrogram

11:32

i can't see much though

waterfall?

11:32

doesnt seem possible to determine mod type

11:32

but admin said "listen" so ig we need to just try mod types and listen somehow

seems 22.1k

11:33

which is in rf range

this?

Image attachment

Image attachment

11:35

data at around 22k

11:36

ok if you import at 22050, then data will be at 11k hmm

how long is your audio?

12:14

@Guesslemonger

12:14

why author said its short

12:14

i got hours lol

doesn't really matter, it depends on sampling, if there are 1 million samples per second say, it will be shorter

what tool to brute these and make a hearable audio?

not sure of any tool, i tried bunch of stuff, tried loading file in lot of tools and checking frequency. but it depends on sampling which we don't have skill issues ig

well sample rate needs to be guessed

12:17

or bruted

12:17

we can try increasing every 1k or sth and brute hear?

12:17

i mean in some range it should be audible

12:17

maybe 5k first then fine tune

i don't think you can hear anything without demodulation

12:19

it's all guess, frequency, sampling rate and type of modulation

ik, there are just 3 demod types + different sample rate bruting right?

sahuang

BusesCanFly — Today at 11:00 AM the frequency should be pretty much obvious when you're able to listen to the iq file

finding the modulation type and dialing the sample rate is for you though

from the hint

12:20

so at most like 50 possibilities

12:20

frequency can be easily tuned in each possibility to hear things and confirm

idk how to 'listen' to iq file, all tools are centered at 0 frequency or whatever sampling rate we give frequency is a function of sampling rate we give it?

urh can play the audio right? after demod and setting sampling rate

yup

well issue is i cant set sample rate if import iq

12:26

can only modify demod

12:28

we sure its22k hz?

nope, need to guess randomly lol

asked admin he said no gnu radio needed

yeah, if we know what to do any tool would do

12:36

gnuradio is just a gui numpy,scipy nothing special

i can brute stuff but idk how to get the resulting audio to listen

is the goal to convert to wav?

12:37

or decode data in iq?

goal is to listen english words

12:37

nato maybe

o

but goal is to hear it

then urh won't work

yeah

12:38

so basically brute demod/sample rate, get some audio, tune frequency until hearing words

12:38

and idk how to get audio from known demod/sample rate

12:39

there's at most like 30 possibilities

use gqrx or sdr#

i asked admin if "gnu radio is required to solve" he said "it can be solved without. this year i had issue with my sdr so no gnu radio chal" does that mean sdr isnt needed or what

12:41

or its just some gnu radio tool

wtf

this is just demodulation chall i guess

12:43

nothing fancy, but guess everything

if it is short duration, is sampling rate like gazillions lol?

13:00

because file size is large

could be

13:01

@afterworld are you up for opening tickets

13:03

or maybe BM can ask cuz neil asked a lot b4

13:03

just ask that you got long audios and want to confirm if it is actually short (few minutes) so we can hear flag

i can try

k

what u want me to ask

13:04

ill ask on this acc

sahuang

just ask that you got long audios and want to confirm if it is actually short (few minutes) so we can hear flag

this

i can hear stuff in gqrx

13:05

but it's all random noises

13:05

it sounds like words maybe

oh

13:05

setting?

ok getting some shit

words? or just random shit that sounds like data

send setting

13:06

it needs to be words instead of data

13:06

but we can tune it

hex codes lol

13:07

wait almost done

wtf

bro

13:08

guesslegod

oh so they pronounce 0-9a-f

ffs, speaks too fast lol

slow it

Image attachment

13:11

setting

13:11

gqrx

export audio?

did you hear any hex? like the beginning does it match UMD

yes yes it does match

whats that device string

13:14

filename.iq.freq....?

^

13:15

is there anyway u can jus export it

i have gqrx

13:15

trying

k cool

how do you use that device though

13:16

i copied name but doesnt work

13:17

Image attachment

it's the location of file

G:\CTFs\MissingNo.iq.freq=22000.rate=1520000

13:18

oh its ,

13:19

hm still cant find

are you using wsl? (edited)

ok i can open now

Image attachment

k

when the hex starts

13:20

does this make sense?

Image attachment

13:20

right panel has different frequency

13:21

oh

13:21

can hear it yeah

13:21

so fast

13:21

zzz

here

13:21

13:22

bruh export has low sound

13:23

55 4d 44 43 54 46 7b 73 36 33 74 33 31 6a 67 5f 6c 31 33 35 5f 62 33 6c 30 77 7d (edited)

13:24

some letters wrong

Guesslemonger

Click to see attachment 🖼️

so creepy lmao

it says a random letter after 73 36 then continues to 33 74

13:26

do a sanity check maybe

yeah

13:27

theres a D

13:27

adter 36

13:27

after

13:28

should i dm admin

13:31

oh

13:31

ok

13:31

wait i think i can brute flag

its 3 words

13:31

_b3l0w}

13:31

the end

something lies below

_l135_b3l0w}

yea

i don't think he speaks that much hex codes for 'something'

done

13:35

flagged

nice

title hinted a missing hex digit

ohh

13:36

missing number

13:36

bruh

13:36

thats also a name of a pokemon

13:36

bruh

13:36

lmao

UMDCTF{s0m3t1ng_l135_b3l0w}

k am out

gj

sahuang

used /ctf solve

✅ Challenge solved.

how did you find the frequency

frequency doesn't matter

13:38

only sampling rate

ah

13:38

nice one, learned sth new

13:38

wouldnt get it without asking admin about stuff lol

probably should try to play data first then switch to decoding if that fails

Guesslemonger

probably should try to play data first then switch to decoding if that fails

if admin didnt tell we need to decode or listen it gonna take much longer

right, I assumed decoding

yeah

13:40

SE lol

Exported 240 message(s)