Reverse Engineering Radio Frequency Signals Solutions Walkthrough: Hack-A-Sat Capture the Flag 2023 (Part 3 of 3)

Kyle McClintick
Apr 7, 2024


In the first post, I covered RF RE tools, trends in RF RE CTF challenge formats, a process for solving those challenges, and my solution for the starting HACK-A-SAT 4 RF RE challenge, “QAM”.

In the second post, I covered our team's solution for the “Dashing” challenge. I covered channel characterization, GRC and GRC out-of-tree modules, and how to use online tools with waveforms processed in array-processing tools.

In this final post, I will cover the last two parts of the solution pipeline: resampling and synchronization, as exemplified by my “Fauxy Lady” challenge solution.

The problem statement comes with the following hint:

To begin, we characterize the channel. In a frequency domain plot, we can see this mystery waveform is second-order modulated with either phase or frequency and a 1.2 kHz separation. The data rate (Fs / BW) is a very strange 36.75 samples/symbol, so we’ll need to resample to an integer value if we’re going to demodulate.

Additionally, when we characterize the channel by plotting a constellation visual, we can see significant phase/frequency noise. For a second-order modulation, we shouldn’t see a pattern such as the “before Costas loop” scatter plot. By using a Costas loop in GNU Radio Companion, we can synchronize the signal to prepare it for demodulation.
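The two steps above, resampling 36.75 samples/symbol to an integer rate and removing the phase/frequency rotation with a Costas loop, sketched in plain Python as an added example (not the flowgraph from the challenge solution). It assumes the waveform is BPSK, a target of 4 samples/symbol, and a constructed test signal with made-up offset, noise and loop-bandwidth values.

```python
import cmath, math, random
from fractions import Fraction

# Assumptions (not from the post): BPSK, 4 samples/symbol target, loop_bw and offsets.
def resample_ratio(sps_in, sps_out):
    """(interpolation, decimation) integers for a rational resampler."""
    r = Fraction(sps_out) / Fraction(str(sps_in))
    return r.numerator, r.denominator

def costas_bpsk(samples, loop_bw=0.05):
    """Second-order Costas loop for BPSK; returns de-rotated samples."""
    damping = math.sqrt(2) / 2
    denom = 1 + 2 * damping * loop_bw + loop_bw ** 2
    alpha = 4 * damping * loop_bw / denom   # phase (proportional) gain
    beta = 4 * loop_bw ** 2 / denom         # frequency (integral) gain
    phase = freq = 0.0
    out = []
    for x in samples:
        y = x * cmath.exp(-1j * phase)      # undo the current phase estimate
        out.append(y)
        err = max(-1.0, min(1.0, y.real * y.imag))  # I*Q detector, data-independent
        freq += beta * err
        phase = (phase + freq + alpha * err) % (2 * math.pi)
    return out

def make_bpsk(n, freq_offset, phase_offset, noise, seed=1):
    """Constructed test signal: one sample per symbol with a rotating carrier."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n)]
    rx = [(2 * b - 1) * cmath.exp(1j * (freq_offset * k + phase_offset))
          + complex(rng.gauss(0, noise), rng.gauss(0, noise))
          for k, b in enumerate(bits)]
    return bits, rx

def quadrature_fraction(samples):
    """Share of energy on the Q axis: about 0.5 while rotating, near 0 when locked."""
    q = sum(s.imag ** 2 for s in samples)
    return q / sum(abs(s) ** 2 for s in samples)

def bit_errors(bits, samples):
    hard = [1 if s.real > 0 else 0 for s in samples]
    e = sum(a != b for a, b in zip(bits, hard))
    return min(e, len(bits) - e)            # a Costas lock has a 180-degree ambiguity

if __name__ == "__main__":
    bits, rx = make_bpsk(2000, 0.02, 1.0, 0.05)
    locked = costas_bpsk(rx)
    print(resample_ratio(36.75, 4), bit_errors(bits[500:], locked[500:]))
    print(quadrature_fraction(rx[500:]), quadrature_fraction(locked[500:]))
```

The first 500 symbols are skipped when scoring so that the loop's pull-in transient does not count against it.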

Bringing together the resampler and the synchronizer, here is our solution:

Looking at rx.bin from the file sink in Python3, we see the following:

Referring back to our hint, we can see the flag!

In this final post, I covered the last two parts of the solution pipeline: resampling and synchronization, as exemplified by my “Fauxy Lady” challenge solution.

Thank you for reading this series on this unique capture the flag on the topic of radio frequency waveform reverse engineering. I hope you’ve learned something, and I hope to see more challenges like this in the future.


Kyle McClintick

PhD in electrical engineering with a focus on AI and security