Hack-a-Sat 2020, Talk to me goose writeup

Writeup for the "Talk to me, Goose" challenge (Ground Segment 94) from Hack a Sat 2020 CTF

At Hack a Sat 2020 I managed to solve the challenge Talk to me, Goose with my team FluxRepeatRocket. Here you can find my writeup.

Challenge description and Files

The following description was provided with the challenge:

LaunchDotCom has a new satellite, the Carnac 2.0. What can you do with it from its design doc?

We were given two zip files. One contained an XTCE file and the other a 17 page PDF called LaunchDotCom Carnac 2.0. There was also a server to which we could connect via nc. After entering our ticket we got the information that a telemetry server had been started:

Telemetry Service running at 18.221.17.174:20787

Preparing Cosmos

Since we needed Cosmos for the task, we quickly set it up using Docker.

Converting XTCE Files

While googling how Cosmos can read XTCE files, we found an article in the Cosmos docs at https://cosmosrb.com/docs/xtce/ that describes how to convert an XTCE file into a Cosmos configuration file. So we copied the XTCE file into the container and converted it:

xtce_converter --import cmd_telemetry_defs.xtce .

The conversion created the folder CHALLENGE1 with two text files in a subfolder, challenge1_cmd.txt and challenge1_tlm.txt. The contents of the files and the PDF told us what the files are for. In the PDF it says:

Telemetry frame definitions are specified in XML Telemetric and Command Exchange (XTCE) format…

and:

Specific commands and limits are documented in XML Telemetric and Command Exchange (XTCE) format…

Since one file has cmd and the other tlm in its name, the converted files are the command and telemetry definitions readable by Cosmos.

Generating a target and importing the files

To import the telemetry and command files we created a separate target in Cosmos. For this we used the CLI:

cosmos generate target ctf

After creating the target we had to import the telemetry and command files into it. We did this via the Cosmos user interface (the Config Editor), because there you can edit the corresponding files directly. In the cmd_tlm folder of the target CTF, the existing files (cmd.txt and tlm.txt) were overwritten with the content of our files (challenge1_cmd.txt and challenge1_tlm.txt). Now the files looked like this:

cmd.txt:

COMMAND CHALLENGE1 LOW_PWR_THRES BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 3 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 12 ""
  PARAMETER LW_PWR_THRES 64 16 UINT 0 65535 0 ""
    UNITS V :V
    POLY_WRITE_CONVERSION -90.0 100.0

COMMAND CHALLENGE1 ENABLERADIO2 BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 2 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 8 ""
  PARAMETER POWERSTATE 64 8 UINT 0 255 1 ""
    STATE ENABLE 1
    STATE DISABLE 0

COMMAND CHALLENGE1 ENABLERADIO1 BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 2 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 5 ""
  PARAMETER POWERSTATE 64 8 UINT 0 255 1 ""
    STATE ENABLE 1
    STATE DISABLE 0

COMMAND CHALLENGE1 ENABLEADCS BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 2 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 4 ""
  PARAMETER POWERSTATE 64 8 UINT 0 255 1 ""
    STATE ENABLE 1
    STATE DISABLE 0

COMMAND CHALLENGE1 ENABLEPAYLOAD BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 2 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 0 ""
  PARAMETER POWERSTATE 64 8 UINT 0 255 1 ""
    STATE ENABLE 1
    STATE DISABLE 0

COMMAND CHALLENGE1 ENABLEFLAG BIG_ENDIAN ""
  ID_PARAMETER CCSDS_VERSION 0 3 UINT 0 7 0 ""
  ID_PARAMETER CCSDS_TYPE 3 1 UINT 0 1 1 ""
  ID_PARAMETER CCSDS_SEC_HD 4 1 UINT 0 1 0 ""
  ID_PARAMETER CCSDS_APID 5 11 UINT 0 2047 103 ""
  ID_PARAMETER CCSDS_GP_FLAGS 16 2 UINT 0 3 3 ""
  PARAMETER CCSDS_SSC 18 14 UINT 0 16383 0 ""
  ID_PARAMETER CCSDS_PLENGTH 32 16 UINT 0 65535 2 ""
  ID_PARAMETER CMD 48 8 UINT 0 255 0 ""
  ID_PARAMETER PARAM 56 8 UINT 0 255 2 ""
  PARAMETER POWERSTATE 64 8 UINT 0 255 1 ""
    STATE ENABLE 1
    STATE DISABLE 0

tlm.txt:

TELEMETRY CHALLENGE1 "FLAG PACKET" BIG_ENDIAN "packet of flag data"
  ID_ITEM CCSDS_VERSION 0 3 UINT 0 ""
  ID_ITEM CCSDS_TYPE 3 1 UINT 0 ""
  ID_ITEM CCSDS_SEC_HD 4 1 UINT 0 ""
  ID_ITEM CCSDS_APID 5 11 UINT 102 ""
  ITEM CCSDS_GP_FLAGS 16 2 UINT ""
  ITEM CCSDS_SSC 18 14 UINT ""
  ITEM CCSDS_PLENGTH 32 16 UINT ""
  ITEM FLAG1 48 7 UINT ""
  ITEM FLAG2 55 7 UINT ""
  ITEM FLAG3 62 7 UINT ""
  ITEM FLAG4 69 7 UINT ""
  ITEM FLAG5 76 7 UINT ""
  ITEM FLAG6 83 7 UINT ""
  ITEM FLAG7 90 7 UINT ""
  ITEM FLAG8 97 7 UINT ""
  ITEM FLAG9 104 7 UINT ""
  ITEM FLAG10 111 7 UINT ""
  ITEM FLAG11 118 7 UINT ""
  ITEM FLAG12 125 7 UINT ""
  ITEM FLAG13 132 7 UINT ""
  ITEM FLAG14 139 7 UINT ""
  ITEM FLAG15 146 7 UINT ""
  ITEM FLAG16 153 7 UINT ""
  ITEM FLAG17 160 7 UINT ""
  ITEM FLAG18 167 7 UINT ""
  ITEM FLAG19 174 7 UINT ""
  ITEM FLAG20 181 7 UINT ""
  ITEM FLAG21 188 7 UINT ""
  ITEM FLAG22 195 7 UINT ""
  ITEM FLAG23 202 7 UINT ""
  ITEM FLAG24 209 7 UINT ""
  ITEM FLAG25 216 7 UINT ""
  ITEM FLAG26 223 7 UINT ""
  ITEM FLAG27 230 7 UINT ""
  ITEM FLAG28 237 7 UINT ""
  ITEM FLAG29 244 7 UINT ""
  ITEM FLAG30 251 7 UINT ""
  ITEM FLAG31 258 7 UINT ""
  ITEM FLAG32 265 7 UINT ""
  ITEM FLAG33 272 7 UINT ""
  ITEM FLAG34 279 7 UINT ""
  ITEM FLAG35 286 7 UINT ""
  ITEM FLAG36 293 7 UINT ""
  ITEM FLAG37 300 7 UINT ""
  ITEM FLAG38 307 7 UINT ""
  ITEM FLAG39 314 7 UINT ""
  ITEM FLAG40 321 7 UINT ""
  ITEM FLAG41 328 7 UINT ""
  ITEM FLAG42 335 7 UINT ""
  ITEM FLAG43 342 7 UINT ""
  ITEM FLAG44 349 7 UINT ""
  ITEM FLAG45 356 7 UINT ""
  ITEM FLAG46 363 7 UINT ""
  ITEM FLAG47 370 7 UINT ""
  ITEM FLAG48 377 7 UINT ""
  ITEM FLAG49 384 7 UINT ""
  ITEM FLAG50 391 7 UINT ""
  ITEM FLAG51 398 7 UINT ""
  ITEM FLAG52 405 7 UINT ""
  ITEM FLAG53 412 7 UINT ""
  ITEM FLAG54 419 7 UINT ""
  ITEM FLAG55 426 7 UINT ""
  ITEM FLAG56 433 7 UINT ""
  ITEM FLAG57 440 7 UINT ""
  ITEM FLAG58 447 7 UINT ""
  ITEM FLAG59 454 7 UINT ""
  ITEM FLAG60 461 7 UINT ""
  ITEM FLAG61 468 7 UINT ""
  ITEM FLAG62 475 7 UINT ""
  ITEM FLAG63 482 7 UINT ""
  ITEM FLAG64 489 7 UINT ""
  ITEM FLAG65 496 7 UINT ""
  ITEM FLAG66 503 7 UINT ""
  ITEM FLAG67 510 7 UINT ""
  ITEM FLAG68 517 7 UINT ""
  ITEM FLAG69 524 7 UINT ""
  ITEM FLAG70 531 7 UINT ""
  ITEM FLAG71 538 7 UINT ""
  ITEM FLAG72 545 7 UINT ""
  ITEM FLAG73 552 7 UINT ""
  ITEM FLAG74 559 7 UINT ""
  ITEM FLAG75 566 7 UINT ""
  ITEM FLAG76 573 7 UINT ""
  ITEM FLAG77 580 7 UINT ""
  ITEM FLAG78 587 7 UINT ""
  ITEM FLAG79 594 7 UINT ""
  ITEM FLAG80 601 7 UINT ""
  ITEM FLAG81 608 7 UINT ""
  ITEM FLAG82 615 7 UINT ""
  ITEM FLAG83 622 7 UINT ""
  ITEM FLAG84 629 7 UINT ""
  ITEM FLAG85 636 7 UINT ""
  ITEM FLAG86 643 7 UINT ""
  ITEM FLAG87 650 7 UINT ""
  ITEM FLAG88 657 7 UINT ""
  ITEM FLAG89 664 7 UINT ""
  ITEM FLAG90 671 7 UINT ""
  ITEM FLAG91 678 7 UINT ""
  ITEM FLAG92 685 7 UINT ""
  ITEM FLAG93 692 7 UINT ""
  ITEM FLAG94 699 7 UINT ""
  ITEM FLAG95 706 7 UINT ""
  ITEM FLAG96 713 7 UINT ""
  ITEM FLAG97 720 7 UINT ""
  ITEM FLAG98 727 7 UINT ""
  ITEM FLAG99 734 7 UINT ""
  ITEM FLAG100 741 7 UINT ""
  ITEM FLAG101 748 7 UINT ""
  ITEM FLAG102 755 7 UINT ""
  ITEM FLAG103 762 7 UINT ""
  ITEM FLAG104 769 7 UINT ""
  ITEM FLAG105 776 7 UINT ""
  ITEM FLAG106 783 7 UINT ""
  ITEM FLAG107 790 7 UINT ""
  ITEM FLAG108 797 7 UINT ""
  ITEM FLAG109 804 7 UINT ""
  ITEM FLAG110 811 7 UINT ""
  ITEM FLAG111 818 7 UINT ""
  ITEM FLAG112 825 7 UINT ""
  ITEM FLAG113 832 7 UINT ""
  ITEM FLAG114 839 7 UINT ""
  ITEM FLAG115 846 7 UINT ""
  ITEM FLAG116 853 7 UINT ""
  ITEM FLAG117 860 7 UINT ""
  ITEM FLAG118 867 7 UINT ""
  ITEM FLAG119 874 7 UINT ""
  ITEM FLAG120 881 7 UINT ""

TELEMETRY CHALLENGE1 "PAYLOAD PACKET" BIG_ENDIAN "packet of payload data"
  ID_ITEM CCSDS_VERSION 0 3 UINT 0 ""
  ID_ITEM CCSDS_TYPE 3 1 UINT 0 ""
  ID_ITEM CCSDS_SEC_HD 4 1 UINT 0 ""
  ID_ITEM CCSDS_APID 5 11 UINT 105 ""
  ITEM CCSDS_GP_FLAGS 16 2 UINT ""
  ITEM CCSDS_SSC 18 14 UINT ""
  ITEM CCSDS_PLENGTH 32 16 UINT ""
  ITEM PAYLOAD_DATA 48 96 BLOCK ""

TELEMETRY CHALLENGE1 "EPS PACKET" BIG_ENDIAN "packet of EPS data"
  ID_ITEM CCSDS_VERSION 0 3 UINT 0 ""
  ID_ITEM CCSDS_TYPE 3 1 UINT 0 ""
  ID_ITEM CCSDS_SEC_HD 4 1 UINT 0 ""
  ID_ITEM CCSDS_APID 5 11 UINT 103 ""
  ITEM CCSDS_GP_FLAGS 16 2 UINT ""
  ITEM CCSDS_SSC 18 14 UINT ""
  ITEM CCSDS_PLENGTH 32 16 UINT ""
  ITEM BATT_TEMP 48 16 INT ""
    UNITS F :F
    POLY_READ_CONVERSION 0.0 0.1
  ITEM BATT_VOLTAGE 64 16 UINT ""
    UNITS V :V
    POLY_READ_CONVERSION 9.0 0.01
  ITEM LOW_PWR_THRESH 80 16 UINT ""
    UNITS V :V
    POLY_READ_CONVERSION 9.0 0.01
  ITEM LOW_PWR_MODE 96 1 INT ""
    STATE ON 1
    STATE OFF 0
  ITEM BATT_HTR 97 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM PAYLOAD_PWR 98 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM FLAG_PWR 99 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM ADCS_PWR 100 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM RADIO1_PWR 101 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM RADIO2_PWR 102 1 INT ""
    STATE PWR_ON 1
    STATE PWR_OFF 0
  ITEM UNUSED1 103 1 UINT ""
  ITEM PAYLOAD_ENABLE 104 1 INT ""
    STATE ENABLED 1
    STATE DISABLED 0
  ITEM FLAG_ENABLE 105 1 INT ""
    STATE ENABLED 1
    STATE DISABLED 0
  ITEM ADCS_ENABLE 106 1 INT ""
    STATE ENABLED 1
    STATE DISABLED 0
  ITEM RADIO1_ENABLE 107 1 INT ""
    STATE ENABLED 1
    STATE DISABLED 0
  ITEM RADIO2_ENABLE 108 1 INT ""
    STATE ENABLED 1
    STATE DISABLED 0
  ITEM UNUSED3 109 3 UINT ""
  ITEM BAD_CMD_COUNT 112 32 UINT ""

Declaring the target

When we created the target, Cosmos told us that we had to ‘register’ the newly created target in the Cosmos configuration. We can disregard the second part about the interface:

Edit config/system/system.txt add add the line 'DECLARE_TARGET CTF'
You may also have to edit your config/tools/cmd_tlm_server/cmd_tlm_server.txt
and interface the target unless you're using AUTO_INTERFACE_TARGETS.
See the COSMOS System Configuration documentation for more details.

We again used the Cosmos user interface to register the target. In the Config Editor we added the line DECLARE_TARGET CTF to the file config/system/system.txt, below the other targets.

The telemetry extractor

Next we tried to use the Telemetry Extractor to read the telemetry file of our target. This didn’t work because the file was reported as corrupted. To fix the error we had to change the names of the telemetry packets, because they contained a space. So we renamed the following packets in the file tlm.txt:

"FLAG PACKET" -> "FLAG_PACKET"
"PAYLOAD PACKET" -> "PAYLOAD_PACKET"
"EPS PACKET" -> "EPS_PACKET"

After renaming the packets we were able to add the whole target (or the 3 packets) to the file tlm_extractor.txt so that we were able to interpret the fields of the packets.

IP and Port of the telemetry server

Now our target is ready to be connected to a telemetry server. For this we had to edit the file cmd_tlm_server.txt of our target with the Config Editor:

INTERFACE CTF_INT tcpip_client_interface.rb 18.221.17.174 20787 20787 10.0 nil BURST 0 nil false

We entered the Host (IP address), “Write Port” and “Read Port” that we got after connecting via the nc command. The optional fields were set as shown in the line above.

Connecting the target to the telemetry server

In Cosmos we started the Command and Telemetry Server and voila: the interface CTF_INT shows that we are connected. In the tab Tlm Packets we also see that EPS_PACKET packets arrive, which means that the server and our target are working correctly.

The Packet Viewer and Command Sender

In the Packet Viewer we took a closer look at the CTF target and its EPS_PACKET packets. We noticed that the item FLAG_ENABLE is DISABLED. Another important item is FLAG_PWR, which displays PWR_OFF. Our goal was to set the item FLAG_ENABLE to ENABLED and the item FLAG_PWR to PWR_ON.

With the help of the Command Sender we can send commands to the telemetry server. For the CTF target there are 6 commands to choose from:

  • ENABLEADCS
  • ENABLEFLAG
  • ENABLEPAYLOAD
  • ENABLERADIO1
  • ENABLERADIO2
  • LOW_PWR_THRES

For all ENABLE commands you can set the powerstate to ENABLE or DISABLE. For LOW_PWR_THRES, on the other hand, the parameter LOW_PWR_THRES sets a threshold.

Finding out the command sequence

Of course we first tried to send the command ENABLEFLAG with the powerstate ENABLE, but FLAG_PWR was still off. Therefore we had to look in the PDF to see which command sequence would be appropriate. The PDF says:

The EPS provides safeguards to ensure at least one radio always remains powered to ensure errant commanding does not result in an irrecoverable loss of comms service.

So the first thing to do here is to power off one of the radios. Furthermore, the PDF says:

The EPS also manages low battery conditions by removing power from non-essential subsystems once a low voltage threshold is reached.

So we have to make sure that the threshold is low enough that we don’t lose power to our flag engine.

Getting the flag

We thought it would be enough to turn off one device (Radio1), lower the threshold (to 10V) and turn on the flag service, which turned out to be correct. With the Command Sender (or Command Sequence) we sent the commands ENABLERADIO1 with powerstate DISABLE, then LOW_PWR_THRES with a threshold of 10V and then ENABLEFLAG with powerstate ENABLE to get a FLAG_PACKET packet from the server.
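To see what Cosmos actually puts on the wire for that sequence, here is an added example (my own code, not part of the original writeup or the challenge) that builds the three command packets byte for byte from the field layout in cmd.txt above. It assumes the CCSDS_PLENGTH values in cmd.txt follow the usual CCSDS rule (bytes after the 6-byte header minus one), which is what the definitions show.

```python
# Added example: build the CCSDS command packets defined in cmd.txt so the
# bit layout and the POLY_WRITE_CONVERSION can be checked by hand.
APID_CMD = 103                                 # CCSDS_APID from cmd.txt
PARAM_RADIO1, PARAM_FLAG, PARAM_LOW_PWR = 5, 2, 12   # PARAM ids from cmd.txt


def ccsds_header(apid, ssc, plength, ptype=1, sec_hd=0, gp_flags=3):
    """6-byte CCSDS primary header, fields at the bit offsets cmd.txt lists."""
    word0 = (0 << 13) | (ptype << 12) | (sec_hd << 11) | apid  # VERSION|TYPE|SEC_HD|APID
    word1 = (gp_flags << 14) | ssc                               # GP_FLAGS|SSC
    return (word0.to_bytes(2, "big") + word1.to_bytes(2, "big")
            + plength.to_bytes(2, "big"))


def enable_cmd(param, enable, ssc=0):
    """ENABLE* commands: CMD=0, PARAM selects the subsystem, POWERSTATE 1/0.
    Three data bytes follow the header, so CCSDS_PLENGTH is 2."""
    return ccsds_header(APID_CMD, ssc, 2) + bytes([0, param, 1 if enable else 0])


def low_pwr_thres_cmd(volts, ssc=0):
    """LOW_PWR_THRES: POLY_WRITE_CONVERSION -90.0 100.0 means raw = -90 + 100*V,
    stored as a 16-bit UINT; four data bytes, so CCSDS_PLENGTH is 3."""
    raw = round(-90.0 + 100.0 * volts)
    if not 0 <= raw <= 65535:
        raise ValueError("threshold does not fit the 16-bit LW_PWR_THRES field")
    return (ccsds_header(APID_CMD, ssc, 3) + bytes([0, PARAM_LOW_PWR])
            + raw.to_bytes(2, "big"))


def solve_sequence():
    """The three commands from the writeup, with an incrementing sequence count."""
    return [enable_cmd(PARAM_RADIO1, False, ssc=0),   # ENABLERADIO1 DISABLE
            low_pwr_thres_cmd(10.0, ssc=1),           # LOW_PWR_THRES 10V
            enable_cmd(PARAM_FLAG, True, ssc=2)]      # ENABLEFLAG ENABLE


if __name__ == "__main__":
    for pkt in solve_sequence():
        print(pkt.hex())
```

Comparing these bytes with the raw packets Cosmos logs is a quick way to confirm that a target definition was converted correctly before sending anything.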

In the Packet Viewer we quickly saw that the FLAG_PACKET packet contains single decimal ASCII values (one 7-bit item per character), which we could simply decode:

flag{kilo59995golf:GJt8S2hhRKUgfjz9Q95YWvrXlFQM_MNgMhzKb16Kj4ZYyz2VV8GBNkbtHTueAUsPAbsM2FkX7SdjP9f54PxC9OE}
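The same decoding done without Cosmos, as an added example of mine (not from the original writeup): it extracts the CCSDS header fields and the 120 consecutive 7-bit FLAG items exactly as tlm.txt lays them out, starting at bit 48. The sample packet it decodes is constructed here, not a capture from the challenge server.

```python
# Added example: decode a FLAG_PACKET as defined in tlm.txt (APID 102,
# 6-byte CCSDS header, then FLAG1..FLAG120 as 7-bit UINT items from bit 48).
FLAG_APID = 102
FLAG_ITEMS, FLAG_BITS, FLAG_START_BIT = 120, 7, 48


def read_bits(data, bit_offset, bit_size):
    """Big-endian bit-field extraction, the same addressing Cosmos uses."""
    total = len(data) * 8
    return (int.from_bytes(data, "big") >> (total - bit_offset - bit_size)) \
        & ((1 << bit_size) - 1)


def parse_header(pkt):
    """CCSDS primary header fields at the offsets given in tlm.txt."""
    return {"version": read_bits(pkt, 0, 3), "type": read_bits(pkt, 3, 1),
            "sec_hd": read_bits(pkt, 4, 1), "apid": read_bits(pkt, 5, 11),
            "gp_flags": read_bits(pkt, 16, 2), "ssc": read_bits(pkt, 18, 14),
            "plength": read_bits(pkt, 32, 16)}


def decode_flag_packet(pkt):
    hdr = parse_header(pkt)
    if hdr["apid"] != FLAG_APID:
        raise ValueError(f"not a FLAG_PACKET (APID {hdr['apid']})")
    if len(pkt) * 8 < FLAG_START_BIT + FLAG_ITEMS * FLAG_BITS:
        raise ValueError("packet too short for 120 FLAG items")
    codes = [read_bits(pkt, FLAG_START_BIT + i * FLAG_BITS, FLAG_BITS)
             for i in range(FLAG_ITEMS)]
    return "".join(chr(c) for c in codes if c != 0)   # unused items are 0 padding


def build_sample_flag_packet(text):
    """Constructed test input: pack text into the 7-bit items behind a header."""
    bits = 0
    for i in range(FLAG_ITEMS):
        bits = (bits << FLAG_BITS) | (ord(text[i]) if i < len(text) else 0)
    body = bits.to_bytes(FLAG_ITEMS * FLAG_BITS // 8, "big")   # 840 bits = 105 bytes
    # VERSION 0, TYPE 0, SEC_HD 0, APID 102 | GP_FLAGS 3, SSC 0 | PLENGTH = len-1
    header = bytes([0x00, 0x66, 0xC0, 0x00]) + (len(body) - 1).to_bytes(2, "big")
    return header + body


if __name__ == "__main__":
    print(decode_flag_packet(build_sample_flag_packet("flag{constructed_sample}")))
```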
