First, I want to express a big thank-you to all who participated in this weekend’s TAMUctf 2021 competition! I would also like to give a shout-out to all of the other admins and devs who put together this year’s challenges: it was a pleasure working on the team with you all! We hope you all had a lot of fun!
This is a write-up about the “Baud Etiquette” SIGINT challenge that I authored for the competition. There were a few who managed to solve it, but do not feel bad if you were unable to solve it: it was a very difficult challenge! In any case, I hope that you were able to learn something along the way.
I was on the 6m band (50.345 MHz to be exact) when the person I was chatting with was interrupted by a strange sound. It sounded something like this:
Someone definitely wasn’t using the right mode. See if you can figure out what they transmitted.
There is a signal.bin.zip attachment that we’re told has a sample rate of 1.8 MHz.
- “Due to character set restrictions, this flag will be in a slightly different format.”
- There was also an audio recording of a different signal that was sent in the same mode with the hope that it might be recognizable at some point.
Here are the steps that I had anticipated would be taken by those who solved this challenge:
- Identify the allocation for the frequency on which the signal was transmitted
- Identify the signal transmission mode
- Decode the signal transmission
Let’s jump in!
Frequency Allocation Identification
Note: in hindsight, it probably would have been helpful to our international participants to know that this signal was transmitted from within the United States. Many countries may have similar radio transmission regulations, but knowing this extra information may have helped to figure this part out.
The signal in question was transmitted on the “6m band” at a frequency we’re told is 50.345 MHz. A quick search for the phrase “6m band” brings up the following article on Wikipedia. The introductory paragraph has the information that we need:
The 6-meter band is the lowest portion of the very high frequency (VHF) radio spectrum allocated to amateur radio use. The term refers to the average signal wavelength of 6 meters. [emphasis added]
Alternatively, one could look up a “frequency allocation chart” for the United States and see that 50.345 MHz is within a section of the spectrum designated for “amateur” use.
In either case, we know that this signal has something to do with amateur radio—also called “ham radio”—signals.
Transmission Mode Identification
By listening carefully to the audio sample, one can hear that the signal switches back and forth very rapidly between two tones. It is not meant to be interpreted by humans; it is some type of digital transmission.
One might assume (correctly) that it contains some type of textual data based on the title of the challenge: the term baud refers to a measure of the number of symbols per second in a transmission. It is often confused with bitrate, which measures the number of bits per second. These two measures are the same only if each symbol is defined by only one bit, but this is seldom the case.
Wikipedia provides a nice enumeration of many text and data modes used by amateur radio operators. One could find sound samples of each one and identify the mode used, but we’ll dive into some of the details here.
Data transmissions use some form of “keying” to turn binary 0s and 1s into some type of modulated signal. The linked article has an interesting tidbit of information:
Most amateur digital modes are transmitted by inserting audio into the microphone input of a radio and using an analog scheme, such as amplitude modulation (AM), frequency modulation (FM), or single-sideband modulation (SSB).
Using audio as an intermediary between digital and analog signals used to be the way the Internet worked: vintage “acoustic coupler” modems had speaker and microphone “cups” in which a phone handset would be placed:
In this case, the switching of tones is indicative of frequency-shift keying (FSK). More specifically, it is audio frequency-shift keying since the signal is audible. Other types of keying include on-off keying (OOK)—i.e., Morse code—and phase-shift keying (PSK).
Bottom line, the signal in the audio hint can be identified as the radioteletype (RTTY) transmission mode. When used in amateur radio, RTTY:
- is keyed using AFSK with:
  - a frequency shift of 170 Hz
  - a baud rate of 45.45
- is modulated and transmitted using single-sideband (SSB):
  - upper or lower doesn’t matter, as the result can be reversed on decode
  - refer to the optional section below for more info
- is encoded using the 5-bit ITA-2 encoding
Aside: Single-Sideband Modulation
Feel free to skip this section if you just want to get to the solution.
Most people are familiar with amplitude modulation (AM) and frequency modulation (FM) transmission methods: both are used by commercial radio stations that you can pick up, e.g., in your car. Both operate on what’s called a “carrier” frequency (or wave) which is a pure sine wave that oscillates at the desired transmission frequency. For example, the Texas A&M University radio station (callsign “KAMU”) that transmits on 90.9 FM has a carrier wave that oscillates at 90.9 MHz.
The carrier frequency is then mixed with a signal that carries the information to be transmitted: in our example, usually music or someone’s voice. AM uses the signal to adjust the amplitude of the carrier wave, making it oscillate with more or less energy; whereas FM uses the signal to adjust the frequency of the carrier wave, making it oscillate faster or slower.
Modulating the carrier has the effect of increasing the bandwidth used by a signal. In the case of AM, the Fourier transform reveals a spike centered at the carrier wave and two mirrored “sidebands”. Here is a great visualization by HFUnderground.com depicting this.
Single-Sideband (SSB) modulation effectively reduces the bandwidth (and power) used by AM transmissions by eliminating the carrier “spike” and using only one of the sidebands, hence the name. Either the “upper sideband” (USB) or the “lower sideband” (LSB) can be used, but the receiver has to know which. By convention, LSB is used on the 40, 80, and 160 meter bands (the low HF spectrum); and USB is used everywhere else (the high HF, VHF, and UHF spectrum).
Decoding the Signal
We now have all of the information we need to decode the signal. We just need the tools to do so. All of the tools used here are available for free and run natively in Linux.
The preferred method of decoding that I had in mind when authoring the challenge was to play back the radio signal, convert it to audio using an SSB decoder, and then feed that audio into an RTTY decoder.
First we need to open the signal file. I will use Gqrx, but one could use GNU Radio Companion or another similar software tool. In Gqrx, go to File > I/O Devices and use the following data to read the signal file as an input device:
- Device: Complex Sampled (IQ)
- Device string: file=/path/to/signal.bin,freq=50.345e6,rate=1.8e6,repeat=true,throttle=true
- Input Rate: 1800000
- Decimation: None
- Sample Rate: 1.800 Msps (automatically calculated)
- Bandwidth: 0 MHz
- LNB LO: 0 MHz
Now we need to adjust the decoder to use single sideband (we can use lower for now and adjust later if necessary) and shift the tuned frequency down to be able to hear the signal properly. In the Receiver Options pane on the right of the main window, set the following:
- Frequency: 1.5 kHz
- Mode: LSB
Feel free to play with the FFT Settings to adjust the frequency analyzer and waterfall visualizations if you want.
If everything is set up correctly, clicking the Start DSP button will play back the signal in a loop (click it again to stop). The two frequency-shifted tones should be audible, and the “hot spot” at the center frequency will indicate the signal’s presence. Note that there are regions of silence before and after the actual signal.
Next, we need to decode this audio signal into text. fldigi can do this for us using the output stream from Gqrx. On initial launch, feel free to click through the initial setup wizard. Once the main window opens, open Configure > Config Dialog, and in the configuration window that opens, go to Soundcard > Devices to set up the audio input. I am using PulseAudio to do the routing on my machine, but you may have to set yours up differently.
Back in the main window, select the appropriate RTTY decoding mode by going to Op Mode > RTTY > RTTY-45. Also, select RTTY from the mode drop-down in the main window beneath the frequency display. If everything is set up properly, the audio signal from Gqrx should show up as a waterfall display in fldigi. Click on the region so that the two frequency markers line up with the two tones, and let fldigi do the decoding for you.
So the transmitted message is:
GIGEM(AMATEUR-PARTTY) DE KG5LYE K
The first part is the flag (note the different format mentioned in the hint; this is due to the limited ITA-2 character set), the DE KG5LYE part is my station ID, and K conventionally signifies “end of message.”
If the message was coming out as gibberish, we could try “reversing the polarity” of the shifted frequencies either by switching to upper sideband in Gqrx or selecting “RTTYR” in the mode menu in fldigi.
Alternate Method (More Work Required)
It is also possible to interpret the radio signal as FSK directly. This is because the Fourier transform of an SSB transmission closely resembles that of the modulating signal. Here are some relevant mathematics and additional details:
The two frequencies used by RTTY are called “space” and “mark”: the former represents 0 and the latter represents 1. Typically “space” is the lower frequency and “mark” is the higher.
RTTY has a bitrate of (45.45 baud) × (5 bits per symbol) = 227.25 bits per second
According to the technical description on Wikipedia, all transmitted RTTY symbols are preceded by a “space” and followed by a “mark.” I have not verified this for myself with the signal in this challenge.
Messages typically begin and end with a long pause on the “mark” frequency (also called “idling on mark”). This gives clear separation between messages. This pattern seems to be clearly visible in the signal for this challenge.
Bits can be transmitted with either least-significant-first or most-significant-first bit ordering. I am unsure which method is typically used by amateur radio operators.
This will produce a stream of 1s and 0s that might look something like the following (assuming all of the above is correct and using most-significant-first bit ordering) that could be decoded according to ITA-2:
111...111 <idle on mark> 0 00010 1 <line feed> 0 11010 1 G 0 00110 1 I 0 11010 1 G 0 00001 1 E 0 11100 1 M 0 11011 1 <figure shift> 0 01111 1 ( 0 11111 1 <letter shift> 0 00011 1 A 0 11100 1 M 0 00011 1 A 0 10000 1 T 0 00001 1 E 0 00111 1 U 0 01010 1 R 0 11011 1 <figure shift> 0 00011 1 - 0 11111 1 <letter shift> 0 10110 1 P 0 00011 1 A 0 01010 1 R 0 10000 1 T 0 10000 1 T 0 10101 1 Y 0 11011 1 <figure shift> 0 10010 1 ) 0 11111 1 <letter shift> 0 00010 1 <line feed> 111...111 <idle on mark>
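As an added example (not part of the original write-up or of any tool mentioned in it), here is a small Python implementation of the framing and ITA-2 mapping described above. It assumes the same conventions the hand-written stream uses: one start bit (space, 0), five data bits taken most-significant-first, one stop bit (mark, 1), idle on mark between messages, and a standard ITA-2 table with LTRS/FIGS shift tracking.

```python
# Standard ITA-2 tables indexed by 5-bit symbol value (0-31). A few figure-case
# positions differ between ITA-2 and the US TTY variant (values 5, 9, 11, 13, 20, 30);
# the ones this message needs, "(", ")" and "-", are the same in both.
FIGS, LTRS = 27, 31
LETTERS = ["\0", "E", "\n", "A", " ", "S", "I", "U", "\r", "D", "R", "J", "N", "F",
           "C", "K", "T", "Z", "L", "W", "H", "Y", "P", "Q", "O", "B", "G", None,
           "M", "X", "V", None]
FIGURES = ["\0", "3", "\n", "-", " ", "'", "8", "7", "\r", "\x05", "4", "\a", ",",
           "!", ":", "(", "5", "+", ")", "2", "#", "6", "0", "1", "9", "?", "&", None,
           ".", "/", "=", None]


def frame_symbols(bits: str, msb_first: bool = True) -> list[int]:
    """Split a '0'/'1' string into symbol values (start 0, 5 data bits, stop 1).
    Idle mark bits are skipped; a frame whose stop bit is not mark is dropped as
    a framing error, which is what a decoder sees when baud rate or polarity is wrong."""
    symbols, i = [], 0
    while i < len(bits):
        if bits[i] == "1":            # idling on mark, no frame in progress
            i += 1
            continue
        data, stop = bits[i + 1:i + 6], bits[i + 6:i + 7]
        i += 7
        if len(data) == 5 and stop == "1":
            symbols.append(int(data if msb_first else data[::-1], 2))
    return symbols


def ita2_decode(symbols: list[int]) -> str:
    """Map symbol values to text, tracking the LTRS/FIGS shift state."""
    table, out = LETTERS, []
    for s in symbols:
        if s in (FIGS, LTRS):
            table = FIGURES if s == FIGS else LETTERS
        else:
            out.append(table[s])
    return "".join(out)


def ita2_encode(text: str) -> list[int]:
    """Inverse of ita2_decode: emit a shift symbol only when the case changes."""
    table, out = LETTERS, []
    for ch in text:
        if ch not in table:           # character lives in the other case
            table = FIGURES if table is LETTERS else LETTERS
            out.append(FIGS if table is FIGURES else LTRS)
        out.append(table.index(ch))   # ValueError if ch is in neither table
    return out


def frame_bits(symbols: list[int], idle: int = 8) -> str:
    """Wrap each symbol in start/stop bits and idle on mark before and after."""
    body = "".join("0" + format(s, "05b") + "1" for s in symbols)
    return "1" * idle + body + "1" * idle
```

Running `ita2_decode(frame_symbols(frame_bits(ita2_encode(msg))))` round-trips the challenge message; passing `msb_first=False` shows how the same bits decode to different characters when the bit ordering is guessed wrong.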
I hope this challenge was fun to follow, and that you learned something about amateur radio! If you’re interested in learning more about amateur radio or getting your own callsign, feel free to check out the following resources:
- The American Radio Relay League (ARRL)
- The International Amateur Radio Union (IARU), for our friends in the rest of the world
Until next year, 73 from KG5LYE!