NDIAS 2026 - D's Signpost | kudaliar's blog

Challenge Overview

Category: RF Files: dist-ds_signpost.7z (a SigMF capture)

SigMF metadata:

The waterfall shows five clean transmissions at roughly:

Each one has to be demodulated on its own. The last one carries the flag, but it’s password-protected.

After mixing the -180 kHz signal to baseband, taking the magnitude, and thresholding the envelope, the pulse timings are Morse code:

Decoded text:

THIS FILE HAS 5 WAVES

So all five visible transmissions are in play.

The -70 kHz signal is AM-like. Envelope demodulation gives a repeated voice clip:

DQPSK stores data in phase changes. Decode each symbol by comparing it with the previous.

That’s the hint for the final +170 kHz phase-encoded signal.

FM-demodulating the +45 kHz transmission gives another repeated voice clip:

Do you know APRS? APRS has a super secret password.

This points at the packet-like bursts at +115 kHz.

FM-demodulating the +115 kHz bursts gives Bell 202 AFSK. Decoding as 1200 baud AX.25 / APRS:

The valid APRS frame was:

N0CALL-1>APCTF:>The password is dWt4Wxm6Xfn1ot02

So the password is:

dWt4Wxm6Xfn1ot02

The +170 kHz signal is a four-state phase signal. After downconverting, the active burst has:

The hint from step 2 is exactly the trick: don’t use the absolute phases, diff them.

1
q = quantized_phase_symbols
2
d = (q[1:] - q[:-1]) % 4

With the natural two-bit mapping:

0 -> 00
1 -> 01
2 -> 10
3 -> 11

and prepending the first phase difference against a zero-phase reference, the recovered bytes start with:

50 4b 03 04

That’s a ZIP file header. The reconstructed ZIP contains flag.txt, but it is password-protected. Plugging in the APRS password:

1
import zipfile
2

3
with zipfile.ZipFile("sig5_payload.zip") as z:
4
    print(z.read("flag.txt", pwd=b"dWt4Wxm6Xfn1ot02"))

Output:

FLAG{R4D10_FR3Q_L1TTL3_M4Z3}

FLAG{R4D10_FR3Q_L1TTL3_M4Z3}