duksctf

Bunch of sec. enthusiasts who sometimes play CTF

Ph0wn 2018 - LoRa{1,2,3}

LoRa1: Use LoRa dev board to listen to the EU 868.1MHZ and received the flag LoRa2: Scan all the EU frequencies and SpreadFactor to get the flag LoRa3: Find the flag on the LoRa base station

Description

TODO ADD

Details

Points: ?

Category: network

Validations: ?

Solution

LoRa 1

The organizers tell us to use 868.1MHZ with SpreadFactor 10 in order to get the flag. The board is a devkit for LoRaWan based on arduino micro pro.

The organizers gave the name of the LoRa library to use: arduino-LoRa.

Using arduino IDE we wrote a simple program to listen to the given frequency:

#include <SPI.h>
#include <LoRa.h>

void setup() {
  Serial.begin(9600);
  while (!Serial);

  Serial.println("LoRa Receiver");

  if (!LoRa.begin(868.1E6)) {
    Serial.println("Starting LoRa failed!");
    while (1);
  }
  LoRa.setSpreadingFactor(10);
}

void onReceive(int packetSize) {

  Serial.print("packet recv\n");
  // read packet
  for (int i = 0; i < packetSize; i++) {
    Serial.print((char)LoRa.read());
  }
}

void loop() {
  
  LoRa.receive();
  LoRa.onReceive(onReceive);

 
}

LoRa 2

The program has been slightly modified in order to bruteforce all the EU frequencies and the SpreadFactor:

#include <SPI.h>
#include <LoRa.h>

float freq[5] = { 868.3E6, 868.5E6, 867.1E6, 867.5E6, 867.7E6, 867.9E6 }; 

void setup() {
  Serial.begin(9600);
  while (!Serial);

  Serial.println("LoRa Receiver");

  if (!LoRa.begin(868.1E6)) {
    Serial.println("Starting LoRa failed!");
    while (1);
  }
  LoRa.setSpreadingFactor(10);
}

void onReceive(int packetSize) {

  Serial.print("packet recv\n");
  // read packet
  for (int i = 0; i < packetSize; i++) {
    Serial.print((char)LoRa.read());
  }
}

void loop() {
  
  LoRa.receive();
  LoRa.onReceive(onReceive);
  delay(5000);
  While(1) {
    int i;
    for(i=0; i < 5 ; i++)
    {
      
      LoRa.setFrequency(freq[i]);
      int j;
      for(j=7; j <= 12; j++)
      {
      	
        // loop on spreading factor is finish, set new freq
        LoRa.setSpreadingFactor(i);
        delay(5000);
      }
    }
  }
}

LoRa 3

The program has been adapted in order to print the RSSI of the packet, we need to add a delay of 1s in order to not crash the arduino:

#include <SPI.h>
#include <LoRa.h>

void setup() {
  Serial.begin(9600);
  while (!Serial);

  Serial.println("LoRa Receiver");

  if (!LoRa.begin(867.1E6)) {
    Serial.println("Starting LoRa failed!");
    while (1);
  }
     LoRa.setSpreadingFactor(8);

}

void onReceive(int packetSize) {
 
 Serial.print("packet recv\n");
 int rssi = LoRa.packetRssi();
 Serial.print(rssi);
}

void loop() {
 
  LoRa.receive();
  LoRa.onReceive(onReceive);
  delay(1000);
}

And we found the flag on the LoRa BTS:

Challenges resources are available in the resources folder

Written on December 14, 2018