# EV3 Player

A YouTube video of an EV3 playing audio, and a pcap capture, are provided. So this is a "forensics" pcap question where you need to find the audio.

Referencing last year's EV3 question, I found we can see the data stream using the Wireshark display filter `btrfcomm.channel == 1`. I wrote a small script to dump all the filtered data, and two filenames stood out to me: `fl.rsf` and `ag.rsf`. Apparently it is the flag audio.

I looked up the `.rsf` format and found [(Link)](https://forums.usfirst.org/forum/general-discussions/first-programs/first-lego-league/the-challenge/products-equipment/ev3-specific/12890-custom-sound-files-for-ev3) that it is just an alias for `.rso` files. Then I found an online conversion service for `.rso` to `.wav` [(Link)](https://conversionai.com/file/audio/rso-nxt-brick-audio-file/wav-waveform-audio).

So what's left is to retrieve the `.rsf` / `.rso` files. With a little searching I found a description [(Link)](https://wiki.multimedia.cx/index.php/RSO) of the RSO file format, which states that it starts with either `0x0100` for unsigned 8-bit PCM or `0x0101` for IMA ADPCM. As most audio is PCM, I searched for `0x0100` in the data, and found that there is a 14-byte prefix before the actual file content in each packet.

So I retrieved the files, converted them to `.wav` and played the flag :)

{%gist harrier-lcc/643900fb859d005f9f7bf82b5dbfb517%}

###### tags: `HITCON CTF 2019 Quals`
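The recovery steps described above (strip the 14-byte prefix from each packet, rejoin the chunks, check the `0x0100` marker, write a `.wav`), as an added example that is not the author's gist. The payloads are constructed sample data, and the header fields after the codec id (big-endian data length, sample rate, play mode) are assumed from the RSO description linked above.

```python
import io
import struct
import wave

PREFIX_LEN = 14          # per the write-up: bytes before file content in each packet
RSO_PCM_U8 = 0x0100      # unsigned 8-bit PCM
RSO_IMA_ADPCM = 0x0101   # IMA ADPCM


def reassemble(payloads, prefix_len=PREFIX_LEN):
    """Strip the fixed per-packet prefix and join the remaining file chunks."""
    return b"".join(p[prefix_len:] for p in payloads if len(p) > prefix_len)


def parse_rso(blob):
    """Return (sample_rate, samples) for an unsigned 8-bit PCM RSO blob."""
    if len(blob) < 8:
        raise ValueError("too short for an RSO header")
    # Assumed layout: codec id, data length, sample rate, play mode (big-endian).
    codec, length, rate, _mode = struct.unpack(">HHHH", blob[:8])
    if codec == RSO_IMA_ADPCM:
        raise ValueError("IMA ADPCM RSO needs a decoder; not handled here")
    if codec != RSO_PCM_U8:
        raise ValueError(f"not an RSO file (codec id {codec:#06x})")
    samples = blob[8:8 + length]
    if len(samples) < length:  # a dropped packet shows up here
        raise ValueError(f"truncated: header says {length}, got {len(samples)}")
    return rate, samples


def rso_to_wav(blob):
    """Wrap the PCM samples in a mono 8-bit WAV container, returned as bytes."""
    rate, samples = parse_rso(blob)
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)      # 8-bit WAV PCM is unsigned, same as RSO PCM
        w.setframerate(rate)
        w.writeframes(samples)
    return out.getvalue()


# Constructed sample: a 6-sample RSO file split over three prefixed payloads.
SAMPLE_RSO = struct.pack(">HHHH", RSO_PCM_U8, 6, 8000, 0) + bytes([128, 200, 255, 128, 50, 0])
SAMPLE_PAYLOADS = [b"\xaa" * 14 + SAMPLE_RSO[:5],
                   b"\xbb" * 14 + SAMPLE_RSO[5:11],
                   b"\xcc" * 14 + SAMPLE_RSO[11:]]

if __name__ == "__main__":
    print(len(rso_to_wav(reassemble(SAMPLE_PAYLOADS))), "bytes of WAV written")
```

The length check in `parse_rso` is what flags a capture with missing packets, which would otherwise produce a shortened or garbled clip.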