2019 Stonecutters - Radioactive Man

The Stonecutters have granted us permission to publish a solve from last year's secret competition. They provided a file named "radio_a_oh_activeman.wav", a 30-second clip of the Buggles song "Video Killed the Radio Star." The Stonecutters noted that Radioactive Man has been exhibiting signs of extreme paranoia, and they believe that the file contains a secret message intended for Fallout Boy.

[Image: Radioactive Man]

Having intercepted the message, we looked at it in Audacity and saw a digital signal hidden in the spectrogram:

[Image: Digital Signal]

Though it is possible to solve this by hand, this was not the route we wanted to take. Using ultrasonic sound to transmit data is best suited for computers in our opinion. So, the problem is now: What tool(s) do we use in order to decode the signal?

We spent more time than we would like to admit playing "guess the tool." There are dozens of GitHub projects and mobile apps available for this purpose, but none of them seemed to work.

We knew we were on the right path but we were still missing a crucial piece of the puzzle.

The song title, "Video Killed the Radio Star," kept steering us back to when we first started learning about Software Defined Radios (SDR). One of the first things we attempted to do with our SDR was get it working with GNU Radio. For those unfamiliar, GNU Radio is a tool that is as powerful as it is esoteric and confusing. We really did not want to have to use it to solve this challenge, so we hunted for alternatives. One result pointed us at a program called "minimodem."

Minimodem is a general purpose software audio FSK modem: a CLI program that decodes and generates audio modem tones at any specified baud rate, using various framing protocols. It sounded promising, but initially we couldn't use the tool with the file as provided because there was more than one channel:

# minimodem --rx -f radio_a_oh_activeman.wav
E: *** Must specify {baudmode} (try "300") ***

# minimodem --rx -f radio_a_oh_activeman.wav 300
radio_a_oh_activeman.wav: input stream must be 1-channel (not 2)

Though we could have also fixed this problem using Audacity, a quick Google search told us that we could use Sound eXchange (SoX).

SoX is the Swiss army knife of sound processing programs. It can change formats, apply effects, and also convert the audio file to a single channel. We used the following command to do so:

# sox radio_a_oh_activeman.wav radio_a_oh_activeman.left.wav remix 1

Now that minimodem was running without errors, we needed to adjust the settings so it would only read the frequencies that held the signal. Based on what we saw in Audacity, we knew that the signal started around 18000 Hz, and the top end was somewhere around 20000 Hz.

Our first run did not yield anything useful:

# minimodem --rx -f radio_a_oh_activeman.left.wav 300
### CARRIER 300 @ 1250.0 Hz ###

After some digging and guesswork, we made some progress by running this command:

# minimodem -r 100 -M 18000 -S 2000 -f radio_a_oh_activeman.left.wav 
### CARRIER 100 @ 18000.0 Hz ###

### NOCARRIER ndata=28 confidence=17.343 ampl=0.082 bps=100.00 (rate perfect) ###

Here is what the options mean:

--rx (or -r)  Read, rather than transmit.
100 is the baud rate. Set to 100 based on something we read on Stack Exchange.
-M sets the Mark frequency.
-S sets the Space frequency.
-f specifies the single channel input file.
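
How the baud rate and the two tone frequencies in those options fit together, as an added example (not code from the original post or from minimodem): a per-bit energy comparison between a mark tone and a space tone, run on a signal constructed inside the script. The 48 kHz sample rate, the 20000 Hz space tone, the 8N1 framing, the 440 Hz tone standing in for the song and the bit-aligned start are all assumptions, not values taken from the challenge file.

```python
import math

RATE = 48000                    # sample rate of the constructed signal (assumption)
BAUD = 100                      # same role as the write-up's `-r 100`
MARK, SPACE = 18000.0, 20000.0  # assumed tone pair: mark = 1, space = 0
SPB = RATE // BAUD              # samples per bit period

def modulate(text):
    """Constructed test input: 8N1-framed FSK at low level under a loud 440 Hz tone."""
    bits = [1] * 4                                  # idle line sits at mark
    for byte in text.encode("ascii"):
        bits += [0] + [(byte >> i) & 1 for i in range(8)] + [1]  # start, LSB-first data, stop
    bits += [1] * 2
    samples, phase = [], 0.0
    for n, bit in enumerate(b for b in bits for _ in range(SPB)):
        phase += 2 * math.pi * (MARK if bit else SPACE) / RATE
        cover = 0.6 * math.sin(2 * math.pi * 440 * n / RATE)    # stands in for the song
        samples.append(cover + 0.1 * math.sin(phase))
    return samples

def goertzel(block, freq):
    """Signal energy in `block` at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def demodulate(samples):
    """Pick mark or space per bit period by tone energy, then strip the 8N1 framing."""
    bits = []
    for i in range(0, len(samples) - SPB + 1, SPB):
        block = samples[i:i + SPB]
        bits.append(int(goertzel(block, MARK) > goertzel(block, SPACE)))
    out, i = [], 0
    while i + 10 <= len(bits):
        if bits[i] == 0 and bits[i + 9] == 1:       # start bit ... stop bit
            out.append(sum(b << k for k, b in enumerate(bits[i + 1:i + 9])))
            i += 10
        else:
            i += 1                                  # still idle: keep hunting for a start bit
    return bytes(out).decode("ascii", "replace")

if __name__ == "__main__":
    print(demodulate(modulate("constructed sample")))
```

A real capture is not bit-aligned at sample 0, so a decoder working on one also has to recover bit timing before slicing.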

Taking a cue from the lyrics of the song, we changed the frequency space to 1952:

# minimodem -r 100 -M 18000 -S 1952 -f radio_a_oh_activeman.left.wav 
### CARRIER 100 @ 18000.0 Hz ###
### NOCARRIER ndata=31 confidence=30.205 ampl=0.085 bps=100.13 (0.1% fast) ###


If you are interested in applying this write-up to a similar challenge, here is a version of it that we put our own spin on for Eversec to use at BSidesRDU 2019.

Thanks for reading!

Find us on Twitter: @teamWTG 
