10
2
Fork 0

can-you-hear-me-now

This commit is contained in:
Erin Moon 2020-06-03 14:43:07 -05:00
parent f74e6e08cc
commit a3f496f677
4 changed files with 115 additions and 1 deletions

View File

@ -8,6 +8,7 @@
- [aaaa/spacebook](aaaa/spacebook)
- [comms/56k](comms/56k)
- [comms/phasors-to-stun](comms/phasors-to-stun)
- [ground-segment/can-you-hear-me-now](ground-segment/can-you-hear-me-now)
- [ground-segment/i-see-what-you-did-there](ground-segment/i-see-what-you-did-there)
- [payload/calendar](payload/calendar)
- [payload/leakycrypto](payload/leakycrypto)

View File

@ -15,5 +15,6 @@
\DeclareTextFontCommand{\textsymbol}{\symbolfont}
\newunicodechar{}{\textsymbol{}}
\newunicodechar{}{\textsymbol{}}
\newunicodechar{}{\textsymbol{}}
\setmonofont{Noto Sans Mono}[Scale=0.9]

View File

@ -0,0 +1,111 @@
# Can you hear me now?
**Category**: Ground Segment
**Points (final)**: 59 points
**Solves**: 75
> LaunchDotCom's ground station is streaming telemetry data from its Carnac 1.0 satellite on a TCP port. Implement a decoder from the XTCE definition.
**Given files**: `telemetry.zip`
## Write-up
by [erin (`barzamin`)](https://imer.in).
The provided zip file contains `telemetry.xcte`, an [XTCE](https://www.omg.org/xt) file defining the telemetry protocol streaming from the challenge server.
XTCE is a XML-based protocol description format, used to provide a machine-readable definition of the bit layout in a telemetry stream. I could use COSMOS to load this XTCE definition, but instead I just figured out what the XTCE file meant (without really reading the XTCE specification, because nobody has time for that) and wrote a quick decoder by hand.
I captured some telmetry data from the server by running
```
(cat THE_TICKET) | nc hearmenow.satellitesabove.me 5032 > data
```
`telemetry.xtce` describes every packet in the payload is headed by a header of the form (apparently, "abstract" things in XTCE are an instanceable template for a description of parameters; this one gets instanced in every packet as the header):
```{.xml}
<xtce:SequenceContainer name="AbstractTM Packet Header"
shortDescription="CCSDS TM Packet Header"
abstract="true">
<xtce:EntryList>
<xtce:ParameterRefEntry parameterRef="CCSDS_VERSION"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_TYPE"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_SEC_HD"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_APID"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_GP_FLAGS"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_SSC"/>
<xtce:ParameterRefEntry parameterRef="CCSDS_PLENGTH"/>
</xtce:EntryList>
</xtce:SequenceContainer>
```
The `parameterRef`s point to `xtce:Parameter`s in the `xtce:ParameterSet` nearer the top of the file; the parameters in the header are defined there as
```{.xml}
<!-- Parameters used by space packet primary header -->
<xtce:Parameter parameterTypeRef="3BitInteger" name="CCSDS_VERSION"/>
<xtce:Parameter parameterTypeRef="1BitInteger" name="CCSDS_TYPE"/>
<xtce:Parameter parameterTypeRef="1BitInteger" name="CCSDS_SEC_HD"/>
<xtce:Parameter parameterTypeRef="11BitInteger" name="CCSDS_APID"/>
<xtce:Parameter parameterTypeRef="2BitInteger" name="CCSDS_GP_FLAGS"/>
<xtce:Parameter parameterTypeRef="14BitInteger" name="CCSDS_SSC"/>
<xtce:Parameter parameterTypeRef="2ByteInteger" name="CCSDS_PLENGTH"/>
```
The `{n}BitInteger` parameter types are defined further up in the file as exactly what you'd expect them to be. We now know what packet headers look like; let's look for something flag related. A `Flag Packet` is defined in several places in the file (once as an "abstract" packet, which I don't really understand the significance of); it contains a body of parameters `FLAG1` through `FLAG120`, all defined upfile as 7-bit integers
```{.xml}
<xtce:Parameter parameterTypeRef="7BitInteger" name="FLAGxxx"/>
```
The header associated with the flag packet is
```{.xml}
<xtce:BaseContainer containerRef="AbstractTM Packet Header">
<xtce:RestrictionCriteria>
<xtce:ComparisonList>
<xtce:Comparison parameterRef="CCSDS_VERSION" value="0"/>
<xtce:Comparison parameterRef="CCSDS_TYPE" value="0"/>
<xtce:Comparison parameterRef="CCSDS_SEC_HD" value="0"/>
<xtce:Comparison parameterRef="CCSDS_APID" value="102"/>
</xtce:ComparisonList>
</xtce:RestrictionCriteria>
</xtce:BaseContainer>
```
The APID is specific to the flag packet; we can just search for it in the stream and decode from there. I threw together some python (using `bitflags`) to decode the flag from the data I recorded:
```{.python}
from bitstring import Bits, BitArray, ConstBitStream
b = ConstBitStream(filename='./data')
packetlocs = list(b.findall('0x0066'))
print(f"found packets: {packetlocs}")
for loc in packetlocs:
b.pos = loc
ver = b.read(3).uint
ty = b.read(1).bin
sec_hd = b.read(1).bin
apid = b.read(11).uint
gp_flags = b.read(2).bin
ssc = b.read(14).uint
plength = b.read(16).uint
print(ver, ty, sec_hd, hex(apid), gp_flags, ssc, plength)
flag = []
for i in range(120):
flag.append(chr(b.read(7).uint))
print(''.join(flag))
```
Which produced the flag:
```
λ ~/has/cyhmn
» python decode.py
found packets: [600, 1904, 3208]
0 0 0 0x66 11 1919 94
flag{delta98823mike:GAFbfoYquKzWaSFdWeYHGMDosGaBTnMbwD_kqwuj↩
MhhNPaA9t7Iay8GY6CdGUwrYVa_AetBJEqJ6XO1XHl0kbHA}OP`P<
```
## Resources and other writeups
- https://www.omg.org/xt
- https://bitstring.readthedocs.io/

View File

@ -128,3 +128,4 @@ This gives `3.781315936823621`; pasting this into the contest, we got the flag.
- https://www.ibiblio.org/apollo/CMC_data_cards_15_Fabrizio_Bernardini.pdf
- https://www.ibiblio.org/apollo/index.html#Playing_with_Colossus_
- https://www.ibiblio.org/apollo/Documents/Apollo15_Colossus3_CMC_Data_Cards.pdf
- https://bitstring.readthedocs.io/