Packets

Almost all network traffic is in the form of radio signals, more commonly referred to as packets. With the right tools, it is possible to intercept, craft, and forge your own signals for various purposes.

Rules

Hack responsibly!

Like mechanical hacking, the act of packet-hacking is not in of itself a violation of the rules or a crime Security could persecute you for. However, if you use packet-hacking to commit crime, e.g. using packets to break into Security, then crew are well within their right to try to stop you, and Security is allowed to punish you for it. In addition, there are some crimes that are technically within the rules but will get you yelled at by an Admin if you make a habit of doing it, e.g. breaking into sensitive places (e.g. AI Upload, Security in general, Armory specifically) or stealing vital job equipment (e.g. the Captain's spare ID).

Packet Tools

Software

SigCatcher

The best way to find signals to decipher is with the program SigCatcher, available on the Network Tools disk. SigCatcher will snag any packet that the computer can detect-- either wired packets sent directly to that computer, or wireless packets when the wireless card is in mode free. The program only has a buffer for one signal at a time though, so you may need to check it frequently. It can run as a program in the background while you mess with other things. SigCatcher has two modes:

on will display the last packet received.
auto will grab the first packet it receives, then stops monitoring traffic, ensuring the packet is not overwritten by subsequent network activity.
save will save the current signal as a file to your computer.
quit will get you out of the program, but keep it running in the background.
fquit will end the program entirely.

SigPal

Once you've started deciphering packets, you can begin to make your own using SigPal.

Add [Key] [Data] is the core to setting up your packets. You need to have the right keys for other machines to understand what you're sending them.
File lets you add a file to send.
Remove If you make a mistake, you can't simply overwrite a line, you need to delete it, then add it back.
New to clear the entire packet.
View to view your current packet in its entirety.
Save to save as a signal file.
Load to load a signal file.
Send to transmit the packet through the computer's network card.

FROG

Allows you to ping and connect to other terminals in a manner similar to DWAINE. Bear in mind that the Research Mainframe is on a physically separate network from the rest of the station. FROG will not recognize a wireless card.

Ping

Pings and records ping data. Also does not recognize a wireless card.

Hardware

Data Terminal

File:DataTerminal.png

This is the physical link to the wired network. A computer must be built on top of it to access that network. The most obvious and accessible data terminal is in Tech Storage, but many more can be found around the station, and they are under all of the existing ThinkDOS computers. The mechanics can make more, but must be able to properly wire them to the network.

Packet Sniffer

Found in Tech Storage. Capable of detecting all packets sent on the wired network it is attached to. Looks and functions like a powersink-- just screw it onto a data terminal and it will begin scanning. There is not much data on the main network of the station besides that which comes from the communications dish, but other interesting data may be found by setting up the sniffer on the Engineer or Research networks.

Network Diagnostics Cart

This cart can accomplish many of the same tasks as the network tools disk, but from your PDA. It features a ping tool, a packet sniffing tool, a packet sender, and a packet crafting tool. The range on the packet sniffer can be adjusted from close to far. The packet crafting tool does not have the 26 character string limit that SigPal does, allowing more complicated messaging.

Packet Formatting

A typical signal might look like this:

[command] [text_message]
[message] [What is your favorite pony]
[sender_name] [Weedgoku420]
[address_1] [02001921]
[sender] [02002276]

Each line of the signal consists of two items, the first item identifying the type of data, the second item identifying the actual data. This packet can be broken down as such:

[command] [text_message]
This tells the PDA that this command is a text message. This is just one of many commands available.

[message] [What is your favorite pony]
This is the text of the message. Note that a computer can handle a maximum of 26 characters.

[sender_name] [Weedgoku420]
This is what the sender's name will appear as in the message. No verification of this is done whatsoever, so the PDA will happily display whatever is written in the signal file. The limitation is again 26 characters.

[address_1] [02001841]
This is the network ID of the PDA the message will be going to.

[sender] [02002872]
This is the network ID of the PDA sending the message.

Creating packets

Packets can be created by using the following command:

echo field=value|nfield2=value2|nfield3=value3

To store the packet as a file on the mainframe:

echo ... ^ /home/pjones/filename

To send a file (like a packet!) to your terminal, so you can send it with file_send or print it with file_print, save the file to the /mnt/term directory:

cp /home/pjones/filename /mnt/term/x

If you just need to get the file right away, you can simply save the file in /mnt/term right away:

echo ... ^ /mnt/term/foo

Any packet you send must have both a sender ID and an address. In mode net and on wired networks, the sender ID must correspond to your network module's number-- you can check that using the periph view command. Other data can be spoofed-- for instance, in sending a text message, you could change the sender name to whatever you want and make security think a Blob is somehow messaging them.

Any and all packets typed into a terminal are formatted as the following: code=output; - they must always be ended with a semi-colon. For example, command=open;address_1=1234

Sending packets using the mainframe's radio

You can use DWAINE to send out packets over the air. The mainframe's radio has a limited range, though, so it won't reach everything.

Create a directory for the frequency you want to transmit on. Directories are the four numbers without the decimal point, e.g. /mnt/radio/1149 for 114.9, by using the command mkdir /mnt/radio/1149
- If the directory already exists for whatever reason, you can skip this step.
Craft your packet.
- Optional: Save it if you need to use it more than once. Otherwise, just use echo and pipe it directly.
Copy or move your crafted packet to the folder you created, e.g. copy packet /mnt/radio/1149 or echo ... ^ /mnt/radio/1149/packet

If it worked, the packet you crafted should automatically be sent out by the radio. You can use the Packet Sniffer program on your PDA to confirm.

Spoofing the login packet

Faking a login involves a few specific steps. You'll generally always need a valid ID of any kind to do the initial login, though.

Log into the mainframe (insert your card and term_login)
Craft a login packet
Send the crafted packet back to your terminal
Either enter su for admin rights, or disconnect and reconnect to log in as a completely different user
Instead of using term_login, use file_send to send the packet you saved earlier
You are now logged in with your forged user

The login packet looks like this:

registered=Pubbie Jones
assignment=Staff Assistant
access=, followed by a (semicolon? comma?)-separated list of rights — every access in the ID computer has a different one. The important one for su access is 34.

Applying all of the above to create the packet and register it for file_send:

echo registered=Pubbie Jones|nassignment=Staff Assistant|naccess=34 ^ /mnt/term/loginpacket

Keep in mind that you shouldn't use this to set the Guardbuddies to purge or other destructive things unless you're a traitor.

Authentication

There are a handful of authentication codes you may or may not need.

The first three are stored on the Authentication Disk, so if you ask nicely maybe the Captain will give it to you.

netpass_heads: Used for Guardbuddy management, shuttle (re)calling, etc.
netpass_security: Used for the Armory Authorization and hacking into lockers. You can also find it on the clone data disks every Security Officer and Head of Security starts with.
netpass_medical: Unused.
netpass_syndicate: Exclusively for the Detomatix cart.

Wired Network

Stuff on the station network connected by red power cables. Get a list of these by running term_ping on any TermOS computer that isn't currently connected to something. Not all devices can be connected to via TermOS, though, and some won't reply to pings either. Sneaky!

Important note for packet sniffers: The packet sniffer spaces out the various fields in a packet. If you want to copy them for your own use in, say, some Mechanics deathtrap, remove the spaces after the semicolons.

Mainframe (PNET_MAINFRAME)

The good ol' mainframe, usually hanging around the Computer Core. Connect to this to access DWAINE. Pretty much every terminal on the station starts out connected to this.

There are a few of these scattered around the universe, though a lot of them are broken and don't actually work.

AI (MAINFRAME_AI)

The AI. Connecting to this will make the AI see "Direct connection from (02001234)". You can chat with the AI by simply sending messages, and it will be able to reply as long as you're connected — your messages show up like PDA messages and the AI can respond in the same way.

Communications Dish (PNET_COM_ARRAY)

The communications dish, primarily used for calling (or recalling) the shuttle, as well as delivering the often completely inaccurate "threat report" at the start of a round.

Commands

Call or recall the Emergency Shuttle. Returns status = SHUTL_E_DIS (failed), SHUTL_E_SEN (called), or SHUTL_E_RET (recalled).
- command: call or recall (call or recall the shuttle; self-explanatory)
- shuttle_id: emergency (the only usable option)
- acc_code: The netpass_heads authentication code
- reason: optional reason for calling the shuttle

Transmit something to Centcom. Returns status = TRANSMIT_E_SUCCESS or TRANSMIT_E_COOLDOWN.
- command: transmit
- acc_code: The netpass_heads authentication code
- title: transmission title
- data: message to transmit
- user: user transmitting message

View / download Centcom messages (generally the "threat report" which is always wildly wrong, sometimes other things).
- Unlike the above commands, these are entered from a terminal connected directly to the array.
- command: term_message (automatically added if sending from a terminal)
- data: The text entered into the terminal, e.g. "command=download&message=1".
  - command: One of the following:
    - list: Lists available messages
    - download: Sends a message as a file that you can then file_print (etc)
  - message: If using download, a message number

Example raw packet dump:

(sent) address_1=020036fd; command=call; shuttle_id=emergency; acc_code=(Authentication code); sender=0200c069; 
(recv) command=device_reply; status=SHUTL_E_SEN; address_1=0200c069; sender=020036fd;

Terminals (PNET_ADAPTER)

Other terminals and data terminals on the network, generally. You can direct-connect two TermOS computers together if you want, but there's not much you can really do with that beyond chat back and forth and send files, maybe.

Telepad (PNET_S_TELEPAD)

The Telescience Telepad. There can be more than one of these; you specify which one you want with the -p [0-9] argument to teleman.

You can't change the coordinates with just packets. Coordinates are updated by the computer contacting the mainframe, which sends out the command to the telepad with an attached file.

Example raw packet dump:

[18:47:4]:command=term_message; data=command=teleman&args=-p 1 send; address_1=02002182; sender=02001ed4; 
[18:47:5]:command=term_message; data=command=send&session=746; render; address_1=02001cbd; sender=02002182; 
[18:47:5]:command=term_message; data=command=ack&session=746; address_1=02002182; sender=02001cbd; 
[18:48:1]:command=term_message; data=command=OK; render; address_1=02001ed4; sender=02002182; 
[19:10:1]:command=term_message; data=command=teleman&args=-p 1 receive; address_1=02002182; sender=02001ed4; 
[19:10:1]:command=term_message; data=command=receive&session=17; render; address_1=02001cbd; sender=02002182; 
[19:10:1]:command=term_message; data=command=nack&cause=recharge&session=17; address_1=02002182; sender=02001cbd; 
[19:10:7]:command=term_message; data=command=Telepad is recharging.; render; address_1=02001ed4; sender=02002182; 
[19:13:3]:command=term_message; data=command=teleman&args=-p 1 receive; address_1=02002182; sender=02001ed4; 
[19:13:4]:command=term_message; data=command=receive&session=333; render; address_1=02001cbd; sender=02002182; 
[19:13:4]:command=term_message; data=command=ack&session=333; address_1=02002182; sender=02001cbd; 
[19:14:0]:command=term_message; data=command=OK; render; address_1=02001ed4; sender=02002182;

Printers (PNET_PRINTDEVC)

Printers. Generally you just write to the /mnt/lp-whatever folders on the mainframe.

Databanks (PNET_DATA_BANK)

The data banks that contain all of the information on the mainframe.

GuardBuddy docking station (PNET_PR6_CHARG)

GuardBuddy chargers. These also communicate wirelessly to the buddies; see the section there for more.

Raw packets below. You can see the netpass_heads authentication code in here as well (3635 Bravo-51).

[37:25:5]:command=term_message; data=_command=add&_freq=1219; render; address_1=020020f4; sender=02002182; 
[37:25:5]:command=term_message; data=_freq=1219&acc_code=3635 Bravo-501;command=dock_return; render; address_1=020020f4; sender=02002182; 
[37:25:5]:command=term_message; data=command=status&status=success; address_1=02002182; sender=020020f4; 
[40:30:1]:address_1=02002182; data=prman upload 0200143B heckle name=titusgettemy; command=term_message; sender=0200b5ce; 
[49:37:5]:command=term_message; data=command=status&status=ejected&botid=020032dd; address_1=02002182; sender=0200143b;

Some of the commands you can use, as command=#######:

status: Gets the status of a buddy docked to this station as a reply:
- status=nobot: If you get "nobot", there's no buddy here. You'll get only this for every command.
- status=########: The buddy's network identifier.
- charge=###: Either nocell (no power cell) or a number from 0 to 100 representing the percent of power remaining in the buddy's cell.
- tool=#####: The current tool (weapon), or "NONE" if there's no tool installed.
- deftask=#####: The default task this buddy runs when it has nothing better to do, or "NONE" if it doesn't have one.
- curtask=#####: The current task this buddy is running, or "NONE" if it doesn't have one.

eject: Boots the buddy out of the docking station.
- No reply here. If you didn't get a nobot reply, it worked.

upload: Uploads a new task to the buddy. Optionally with overwrite=? and newmodel=?, which overwrite the current task or default task respectively. Requires a file to be sent along with the data, so good luck spoofing this.
- You'll get a reply with status=upload_success if the task has been uploaded.
- You'll get a reply with status=badtask if the task is bad (or missing).

download: Downloads a task from the buddy. Use model=? to download the default task, otherwise it'll download the current one.
- Replies with command=taskfile if it worked. In theory you'll get a file sent to your terminal with the task. What can you do with it?
- Replies with command=status&status=notask if there's no task to download.

taskinq: Gets the buddy's currently installed tasks.
- Replies with command=trep, with deftask=##### for the default task and curtask=##### for the current task, or "NONE" if there isn't one.

wipe: Erases the buddy's installed tasks and replaces them with nothing.
- Replies with command=status&status=wipe_success.

The chargers also occasionally report back to their host (i.e. the mainframe) when things happen. The format of these may not be 100% correct.

command=status&status=ejected&botid=########: Ejected a buddy.
command=status&status=connect&botid=########: A buddy docked itself or was docked by someone.

Mainframe Radio (PNET_PR6_RADIO)

The radio near the Mainframe. It's mostly used for talking to the GuardBuddy bots when they're away from chargers, but you can do some other stuff with it.

Capturing packets with the power of the mainframe:

Make a folder for the frequency you want to monitor, e.g. /mnt/radio/1149
Periodically ls /mnt/radio/1149 to see if any packets have appeared
cat /mnt/radio/1149/Q2158018 to view packets

The mainframe will capture any packet sent to a frequency that has a directory created.

Note: The actual mechanics behind this are a bit different (there's some communications going on between the mainframe and radio) but for the most part this will get you what you want.

Regardless, raw packet dump example:

[19:41:7]:command=term_message; data=_command=add&_freq=1149; render; address_1=02002303; sender=02002275; 
[20:03:3]:command=term_message; data=_freq=1149&command=text_message&message=butt&sender_name=fart; render; address_1=02002303; sender=02002275; 
[45:35:6]:address_1=02002275; data=echo test=butt ^ x; command=term_message; sender=02018e2a; 
[45:35:6]:command=term_message; data=command=status&status=success; address_1=02002275; sender=02002303; 
[45:35:6]:command=term_message; data=_freq=1149&test=butt; render; address_1=02002303; sender=02002275;

IR detectors (PNET_IR_DETECT)

IR detectors, usually placed around important things like the Armory and sometimes the AI core.

(Todo: update)

Artlab test apparatus (PNET_TEST_APPT)

The various testing apparatuses in the Artifact Lab. Also includes the "Gas Sensors" you see in places like Toxins.

[34:18:5]:command=term_message; data=command=deactivate; render; address_1=02000d04; sender=02000673;

[34:18:5]:command=term_message; data=OK; render; address_1=0200cbf2; sender=02000673;

[34:18:5]:address_1=02000673; data=gptio deactivate elec_box; command=term_message; sender=0200cbf2;

Terminals (SRV_TERMINAL)

The teleport computer for the Telescience telepad. It doesn't communicate directly with the teleport pad, but instead sends commands to the mainframe. If you want to learn to control the science teleporter remotely, these would be the packets you want to sniff out.

Note that a few other things also use this as a tag.

P: [020639b9]-TYPE: SRV_TERMINAL
P: [02002d0e]-TYPE: PNET_MAINFRAME

[58:26:4]:command=term_message; data=command=teleman&args=-p 2 coords x=50 y=50 z=4; address_1=02002d0e; sender=020639b9; 
[58:26:5]:command=term_message; data=command=ack&session=641; address_1=02002d0e; sender=020639b6; 
[58:26:5]:data=command=set_coords&session=641; address_1=020639b6; command=term_file; sender=02002d0e; 
[58:27:0]:command=term_message; data=command=teleman&args=-p 2 send; address_1=02002d0e; sender=020639b9; 
[58:27:1]:command=term_message; data=command=OK; render; address_1=020639b9; sender=02002d0e; 
[58:27:1]:command=term_message; data=command=send&session=708; render; address_1=020639b6; sender=02002d0e; 
[58:27:1]:command=term_message; data=command=ack&session=708; address_1=02002d0e; sender=020639b6; 
[58:27:7]:command=term_message; data=command=OK; render; address_1=020639b9; sender=02002d0e;

Nuclear charge (PNET_NUCCHARGE)

The nuclear charge. Authentication is easily spoofed by using the mainframe's built in nuke manager, nukeman. Just use the same packet you used to spoof superuser access when asked to login with an authorized ID, then repeat with two more login packets under two different names (the registered= field).

Hemera VII's main tape doesn't include this, so you'll have to bring a tape of your own with it or "borrow" one of the replacement Master Tapes on the station.

_{You can also scan the nuclear charge with a Syndicate device analyzer and deploy one elsewhere, if that's more your thing.}

Area Power Controllers (PNET_PWR_CNTRL)

The Area Power Controllers attached to the network. They have settings for the equipment, lights, and environmental controls, as well as control of the cover lock. The three power settings can be values from 0 to 3, which represent the following states:

0: Off
1: Auto (Off)
2: On
3: Auto (On)

APCs start off connected to the mainframe, and as such will only respond to packets they believe came from the mainframe. You'll need to override the sender field or disconnect it with a spoofed term_disconnect, the latter allowing you to connect directly with a DWAINE terminal. Some of the packets you can use to interact with them look like this:

sender=02003c12; address_1=02006754; command=term_message; data=command=setmode&light=0&environ=0;
sender=02003c12; address_1=02006754; command=term_message; data=command=status;

You can use the following commands with data=command=####### or simply command=####### if connected by terminal:

status: Returns the status of the APC, including all the following fields (but unfortunately not the area name):
- charge=###: A number from 0 to 100 representing the percent of power remaining in the APC's cell
- equip=#: A number from 0 to 3 representing the state of the equipment setting for the APC
- light=#: A number from 0 to 3 representing the state of the light setting for the APC
- environ=#: A number from 0 to 3 representing the state of the environmental control setting for the APC
- cover=#: A number representing the state of the cover lock, with 1 for engaged and 0 for disengaged
setmode: This command allows you to control the state of the APC, supplying any of the values you wish to change. You can include settings for any of:
- equip=#
- light=#
- environ=#
- cover=#

Please note that if you turn off equipment power to the computer core APC, you'll have a difficult time executing any more commands.

Supplementary Video