From a3f496f677993ea38bf568f5c92249b094ed4cc1 Mon Sep 17 00:00:00 2001 From: Erin Moon Date: Wed, 3 Jun 2020 14:43:07 -0500 Subject: [PATCH] can-you-hear-me-now --- README.md | 1 + fonts.tex | 1 + ground-segment/can-you-hear-me-now/README.md | 111 +++++++++++++++++++ space/1201-alarm/README.md | 3 +- 4 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 ground-segment/can-you-hear-me-now/README.md diff --git a/README.md b/README.md index 04b61d6..97e0709 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ - [aaaa/spacebook](aaaa/spacebook) - [comms/56k](comms/56k) - [comms/phasors-to-stun](comms/phasors-to-stun) +- [ground-segment/can-you-hear-me-now](ground-segment/can-you-hear-me-now) - [ground-segment/i-see-what-you-did-there](ground-segment/i-see-what-you-did-there) - [payload/calendar](payload/calendar) - [payload/leakycrypto](payload/leakycrypto) diff --git a/fonts.tex b/fonts.tex index 1bd026f..9a029a8 100644 --- a/fonts.tex +++ b/fonts.tex @@ -15,5 +15,6 @@ \DeclareTextFontCommand{\textsymbol}{\symbolfont} \newunicodechar{⬡}{\textsymbol{⬡}} \newunicodechar{⊕}{\textsymbol{⊕}} +\newunicodechar{↩}{\textsymbol{↩}} \setmonofont{Noto Sans Mono}[Scale=0.9] diff --git a/ground-segment/can-you-hear-me-now/README.md b/ground-segment/can-you-hear-me-now/README.md new file mode 100644 index 0000000..00d8339 --- /dev/null +++ b/ground-segment/can-you-hear-me-now/README.md 
@@ -0,0 +1,111 @@ +# Can you hear me now? + +**Category**: Ground Segment +**Points (final)**: 59 points +**Solves**: 75 + +> LaunchDotCom's ground station is streaming telemetry data from its Carnac 1.0 satellite on a TCP port. Implement a decoder from the XTCE definition. + +**Given files**: `telemetry.zip` + + +## Write-up +by [erin (`barzamin`)](https://imer.in). + +The provided zip file contains `telemetry.xcte`, an [XTCE](https://www.omg.org/xt) file defining the telemetry protocol streaming from the challenge server. + +XTCE is a XML-based protocol description format, used to provide a machine-readable definition of the bit layout in a telemetry stream. I could use COSMOS to load this XTCE definition, but instead I just figured out what the XTCE file meant (without really reading the XTCE specification, because nobody has time for that) and wrote a quick decoder by hand. + +I captured some telmetry data from the server by running +``` +(cat THE_TICKET) | nc hearmenow.satellitesabove.me 5032 > data +``` + +`telemetry.xtce` describes every packet in the payload is headed by a header of the form (apparently, "abstract" things in XTCE are an instanceable template for a description of parameters; this one gets instanced in every packet as the header): +```{.xml} + + + + + + + + + + + +``` + +The `parameterRef`s point to `xtce:Parameter`s in the `xtce:ParameterSet` nearer the top of the file; the parameters in the header are defined there as +```{.xml} + + + + + + + + +``` + +The `{n}BitInteger` parameter types are defined further up in the file as exactly what you'd expect them to be. We now know what packet headers look like; let's look for something flag related. 
A `Flag Packet` is defined in several places in the file (once as an "abstract" packet, which I don't really understand the significance of); it contains a body of parameters `FLAG1` through `FLAG120`, all defined upfile as 7-bit integers +```{.xml} + +``` + +The header associated with the flag packet is +```{.xml} + + + + + + + + + + +``` + +The APID is specific to the flag packet; we can just search for it in the stream and decode from there. I threw together some python (using `bitflags`) to decode the flag from the data I recorded: + +```{.python} +from bitstring import Bits, BitArray, ConstBitStream + +b = ConstBitStream(filename='./data') +packetlocs = list(b.findall('0x0066')) +print(f"found packets: {packetlocs}") + +for loc in packetlocs: + b.pos = loc + ver = b.read(3).uint + ty = b.read(1).bin + sec_hd = b.read(1).bin + apid = b.read(11).uint + gp_flags = b.read(2).bin + ssc = b.read(14).uint + plength = b.read(16).uint + + print(ver, ty, sec_hd, hex(apid), gp_flags, ssc, plength) + + flag = [] + for i in range(120): + flag.append(chr(b.read(7).uint)) + print(''.join(flag)) +``` + +Which produced the flag: +``` +λ ~/has/cyhmn +» python decode.py +found packets: [600, 1904, 3208] +0 0 0 0x66 11 1919 94 +flag{delta98823mike:GAFbfoYquKzWaSFdWeYHGMDosGaBTnMbwD_kqwuj↩ +MhhNPaA9t7Iay8GY6CdGUwrYVa_AetBJEqJ6XO1XHl0kbHA}OP`P< +``` + +## Resources and other writeups +- https://www.omg.org/xt +- https://bitstring.readthedocs.io/ diff --git a/space/1201-alarm/README.md b/space/1201-alarm/README.md index 4160b93..03cb010 100644 --- a/space/1201-alarm/README.md +++ b/space/1201-alarm/README.md 
@@ -127,4 +127,5 @@ This gives `3.781315936823621`; pasting this into the contest, we got the flag. - https://www.ibiblio.org/apollo/listings/Comanche051/TIME_OF_FREE_FALL.agc.html#50492F3136 - https://www.ibiblio.org/apollo/CMC_data_cards_15_Fabrizio_Bernardini.pdf - https://www.ibiblio.org/apollo/index.html#Playing_with_Colossus_ -- https://www.ibiblio.org/apollo/Documents/Apollo15_Colossus3_CMC_Data_Cards.pdf \ No newline at end of file +- https://www.ibiblio.org/apollo/Documents/Apollo15_Colossus3_CMC_Data_Cards.pdf +- https://bitstring.readthedocs.io/ \ No newline at end of file
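Review bot: In the decoder in ground-segment/can-you-hear-me-now/README.md, b.findall('0x0066') is called without bytealigned=True, so the 16-bit pattern can match at any bit offset, including inside another packet's body, and every hit is then decoded as if it were a flag packet header. Pass bytealigned=True to findall and check the decoded apid before reading the body. In the same script, plength is parsed but only printed while the loop always reads 120 septets, and the sample output carries extra characters after the closing brace; trim the result at '}' or add a sentence explaining the trailing bytes. Prose nits in the same hunk: the text says the script uses bitflags but the import is from bitstring, the given file is named telemetry.xcte in one sentence and telemetry.xtce in another, "telmetry" is misspelled, and Bits and BitArray are imported but never used.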
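Review bot: The bitstring link added to the resource list in space/1201-alarm/README.md looks like a stray paste: the visible context of that write-up lists only ibiblio Apollo references, the commit is titled can-you-hear-me-now, and the same URL is already in the new write-up's own resource list. Drop the added line here unless the 1201-alarm solution actually uses bitstring, in which case it belongs in a separate commit. The hunk also rewrites the last line and still leaves the file without a trailing newline; adding one would keep later diffs from touching that line again.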