Blog

# Kernelcon Mario Phone Tap Writeup - Decoding Faxes For Kernelcon this year I wrote a fax machine challenge called Mario Phone Tap. I recorded the noises a fax machine makes when sending a fax and had participants decode the image I sent. This wasn't an original idea, back in 2012 I did a ctf challenge like this. Back then I was able to use a trial of `Duman Fax Demodulator`, however that company doesn't appear to be around. It would also vertically blank out 50% of the page with a black bar which made guessing the key faxed hard. There's some new commercial software out there that claims to do it now. https://vocal.com/fax-modem/fax-demodulator-fax-decoder/ and https://www.gl.com/telecom-test-solutions/ip-tdm-pstn-modem-fax-testing-solutions.html But I wasn't able to track down any trials. The challenge was solved by one team. ## Building the challenge For some reason I still have a physical scanner/fax machine (Canon PIXMA MX300). I also have a home phone using an obitalk with google voice. Google lets you record incoming phone calls by pressing #4 but faxes don't give you time to do that and I'm not confident they would record fax noises. I considered hardware options like holding my cell phone up to another phone on the line, but decided against because of quality concerns. I looked into various other hardware solutions like https://www.youtube.com/watch?v=LWdvpl8Q4fQ and this https://www.youtube.com/watch?v=az2KhjYKK2w, but didn't have time to wait around for things to come in the mail. With some googling I eventually found recording calls is really just as simple as logging into the web interface of my obitalk and selecting record from the Call Status page when a call is active. This seemed like the far easiest option. ![](images/fax/p1.JPG) The only problem is I can't just fax some random phone number like HP's Fax Test Service 1-888-HPFAXME as the fax is started before I can press record on my obitalk. I eventually found some recordings some guy made back in 2013. https://goughlui.com/2013/02/13/sounds-of-fax-modes-and-ecm/ I was really confused on how he recorded them. After talking to a friend I was informed most SIP protocols are entirely unencrypted and the audio stream can be pulled out of the RTP traffic with the built in wireshark tools. People are literally sending voice phone traffic over the internet largely unecrypted. ![](images/fax/blown.gif) I recorded the network traffic coming from obitalk and noticed with google voice it uses some sort diffie hellman key exchange, I guess google isn't like most SIP providers. So I paid $15 and made an account on voip.ms registering a fax and phone number. With some quick googling I found some free trial software that can send and receive faxes in analog mode over SIP at various speeds. http://www.t38faxvoip.com/phone/ It is also has a nice feature where it doesn't automatically answer on the first ring and I now have time to press record on my obitalk. I was also able to use wireshark on my computer to pull out the audio from the SIP traffic from this app very easily. With this software you could easiy record your own faxes without even using a physical machine. ## Solving the challenge While very poorly if at all documented, there's a free and open source software called `spandsp` which is used by [asterisk boxes](https://www.asterisk.org/) and it has a utility that can decode faxes from 8000hz audio recordings. https://superuser.com/questions/217785/how-to-convert-audio-file-of-fax-transmission-to-image-in-linux Compiling it is a little funky, on kali I needed to grab various dependencies ``` apt install build-essential make automake autoconf libtool libtiff-tools libxml2-dev libpcap-dev netpbmn libsndfile1-dev libfftw3-dev libtiff-dev sox git clone https://github.com/freeswitch/spandsp.git cd spandsp ./bootstrap.sh ./configure --enable-tests make cd tests/ fax_decoder file.wav ``` The audio file needed to be exported as 8000hz and only have the data transmission channel. I used audacity to do that. https://forum.audacityteam.org/t/how-to-delete-the-right-channel-of-an-mp3/31825/2 You could also have used the sox tool in linux. In my googlings I found this [neat tool](https://github.com/MayamaTakeshi/fax_decoder) which uses spandsp and generates html from it. Useful for debugging failed fax transmissions. Amazing how simple this challenge was after all these years. Here's an [audio capture](images/fax/mario.au) of the image I faxed Here's the image I faxed: ![](images/fax/faxme.png) And here's the spandsp decoded image: ![](images/fax/decoded.png)