I heard you were typing something on your phone?
Provide 1 file: public/sms.wav
The file sms.wav contains a quadrature-amplitude modulation signal stored as a .wav file, sampled at 1083333 Hz, GSM's symbol rate multiplied by 4. It is a partial recording of the SMS transmission process. There exist tools to decode GSM signals. The one I used is grgsm_decode. It's difficult to install on anything but Ubuntu 18.04, so I ran it in a Docker container. The following code can be used to convert the .wav into a format understood by grgsm_decode:
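import numpy as np
from scipy.io.wavfile import read

rate, ar = read('sms.wav')
# Flatten the (samples, channels) array into one interleaved stream.
ar = ar.reshape((-1,))
# grgsm_decode -c expects a cfile: interleaved 32-bit floats.
ar = ar.astype(np.float32)
with open('cfile.bin', 'wb') as f:
    f.write(ar.tobytes())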
Then run grgsm_decode -c cfile.bin -s 1.083333M -v. It prints a list of messages in hexadecimal:
1860726 2874698: 13 00 03 03 49 06 1d 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1860737 2873429: 59 06 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff e5 04 00
1860741 2873561: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860747 2873733: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860751 2873865: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860757 2874063: 01 73 35 06 27 07 03 53 19 92 05 f4 a4 93 56 31 2b 2b 2b 2b 2b 2b 2b
1860788 2873428: 49 06 1b 1b 39 24 f0 96 00 01 c9 03 05 27 53 40 e5 04 00 29 2b 2b 2b
1860792 2873560: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860798 2873732: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860802 2873864: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860808 2874062: 0f 3f 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860828 2874696: 13 00 03 03 2d 06 1e 1b 39 24 f0 96 00 01 27 ff 2b 2b 2b 2b 2b 2b 2b
1860839 2873427: 31 06 1c 24 f0 96 00 01 53 40 e5 04 00 29 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860843 2873559: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860849 2873731: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860853 2873863: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860859 2874061: 0f 00 53 09 01 32 01 00 07 91 44 77 58 10 06 50 00 26 00 04 80 31 73
1860890 2873426: 55 06 19 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 e5 04 00 2b
1860894 2873558: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860900 2873730: 25 06 21 00 05 f4 a4 93 56 31 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860904 2873862: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860910 2874060: 0f 02 53 00 00 32 80 52 02 64 72 21 1a 62 79 7a 3c 5f 6d 50 38 72 b8
1860930 2874694: 13 00 03 03 49 06 1d 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1860941 2873425: 59 06 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff e5 04 00
1860945 2873557: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860951 2873729: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860955 2873861: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1860961 2874059: 0f 04 35 86 2b 8b 69 35 b3 59 56 ce 99 63 9b 14 2b 2b 2b 2b 2b 2b 2b
1860992 2873424: 49 06 1b 1b 39 24 f0 96 00 01 c9 03 05 27 53 40 e5 04 00 29 2b 2b 2b
1860996 2873556: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1861002 2873728: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1861006 2873860: 15 06 21 00 01 f0 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1861012 2874058: 0d 21 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
1861032 2874692: 13 00 03 03 2d 06 1e 1b 39 24 f0 96 00 01 27 ff 2b 2b 2b 2b 2b 2b 2b
1861043 2873423: 31 06 1c 24 f0 96 00 01 53 40 e5 04 00 29 2b 2b 2b 2b 2b 2b 2b 2b 2b
1861047 2873555: 03 03 01 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b
The relevant messages are those that start with 0f. They have 3-byte LAPDm headers, described in specification GSM 04.06. If these headers are discarded and the first control message is ignored, we obtain a standard L3 message, described in specification GSM 04.07. The message's first byte contains the protocol discriminator 9, which means SMS. The rest of the message is described in specification GSM 04.11. I did not decode this message fully, but somewhere inside it is the SMS content, encoded with the encoding specified in GSM 03.38 and the Wikipedia article https://en.wikipedia.org/wiki/GSM_03.38. Fortunately, encryption is disabled. The script that extracts the SMS is in solve/solve.py.
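One way to carry out the steps just described, as an added example that is not the author's solve/solve.py: it takes the three I-frames starting with 0f from the listing above, uses the LAPDm length octet to drop the fill bytes, and walks the CP-DATA, RP-DATA and SMS-DELIVER layers to the GSM 03.38 user data. It assumes an SMS-DELIVER with no user data header and the default 7-bit alphabet; all function names are made up for this example.

```python
# Added example. FRAMES are the three I-frames starting with 0f, copied from
# the grgsm_decode listing above (the SABM frame "0f 3f 01" carries no data).
FRAMES = [
    "0f 00 53 09 01 32 01 00 07 91 44 77 58 10 06 50 00 26 00 04 80 31 73",
    "0f 02 53 00 00 32 80 52 02 64 72 21 1a 62 79 7a 3c 5f 6d 50 38 72 b8",
    "0f 04 35 86 2b 8b 69 35 b3 59 56 ce 99 63 9b 14 2b 2b 2b 2b 2b 2b 2b",
]
# GSM 03.38 default alphabet and its extension table (reached via 0x1B).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}

def reassemble(frames):
    """Drop each 3-byte LAPDm header and join the segments into one L3 message."""
    l3 = b""
    for line in frames:
        raw = bytes.fromhex(line)
        length = raw[2] >> 2          # length octet: bits 8..3 = payload length
        l3 += raw[3:3 + length]       # also cuts off the 0x2b fill octets
    return l3

def decode_gsm7(packed, count):
    """Unpack `count` septets (LSB first) and map them through GSM 03.38."""
    n = int.from_bytes(packed, "little")
    septets = ((n >> (7 * i)) & 0x7F for i in range(count))
    out = []
    for s in septets:
        if s == 0x1B:                 # escape: next septet is in the extension table
            out.append(GSM7_EXT.get(next(septets, 0x20), " "))
        else:
            out.append(GSM7[s])
    return "".join(out)

def sms_text(l3):
    """CP-DATA -> RP-DATA (network to MS) -> SMS-DELIVER -> user data."""
    if l3[0] & 0x0F != 9 or l3[1] != 0x01:
        raise ValueError("not an SMS CP-DATA message")
    rp = l3[3:3 + l3[2]]
    i = 2                             # skip RP message type and reference
    i += 1 + rp[i]                    # RP-Originator Address
    i += 1 + rp[i]                    # RP-Destination Address
    tpdu = rp[i + 1:i + 1 + rp[i]]
    j = 1                             # skip the first TPDU octet
    j += 2 + (tpdu[j] + 1) // 2       # TP-OA: digit count, type, BCD digits
    if tpdu[j + 1] != 0x00:
        raise ValueError("TP-DCS is not the default 7-bit alphabet")
    j += 2 + 7                        # TP-PID, TP-DCS, TP-SCTS
    return decode_gsm7(tpdu[j + 1:], tpdu[j])
```

Calling sms_text(reassemble(FRAMES)) returns the message text; the braces come out of the extension table, which is why the 24-character text occupies 26 septets.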
brics+{8da58eb45ff2e9f1}