RFlag — HackTheBox

Description

We have found the garage where some cyber criminals have all their stuff. Using an SDR device, we captured the signal from the remote key that opens the garage. Can you help us to analyze it?

Files provided:

• signal.cf32 - A radio signal capture file (Complex Float 32-bit format, 3.8MB, 476160 samples)

Analysis

File Format

The .cf32 file is a Complex Float 32-bit format commonly used by SDR (Software Defined Radio) tools like GNU Radio. Each sample consists of two 32-bit floats representing:

• I (In-phase) component
• Q (Quadrature) component

This is the standard IQ format for representing radio signals in the digital domain.

Signal Characteristics

After loading the samples:

• Total samples: 476,160 complex samples
• Magnitude range: 0.0 to 1.414
• Mean magnitude: 0.66
• Median magnitude: 0.05

The bimodal distribution (low median, higher mean) immediately suggests OOK (On-Off Keying) modulation - the signal is either "on" (high amplitude) or "off" (low amplitude).

Modulation Identification

Applying a threshold of 0.5 to the magnitude revealed a clear binary pattern:

• 185 rising edges and 185 falling edges
• Two distinct pulse widths: ~900 samples (short) and ~1800 samples (long)
• The 1:2 ratio is characteristic of Manchester encoding

Solution

Step 1: Load and Demodulate

#!/usr/bin/env python3
import numpy as np

# Load complex samples
samples = np.fromfile('signal.cf32', dtype=np.complex64)
print(f"Loaded {len(samples)} samples")

# Convert to amplitude (OOK demodulation)
magnitude = np.abs(samples)

# Apply threshold for binary conversion
threshold = 0.5
binary_signal = (magnitude > threshold).astype(int)

Step 2: Extract Pulse Widths

# Find transitions
transitions = []
for i in range(1, len(binary_signal)):
    if binary_signal[i] != binary_signal[i-1]:
        transitions.append(i)

...