HELIOS

From Game Detectives Wiki
Jump to: navigation, search


DSCS III A3
Active since 2021-12-05
Dscs.png
The Department of Defense has declassified access via uplink to the DSCS 3 satellite. Good Luck and Godspeed.
Type Official
Creator Alice & Smith
Discovered 2021-12-05

Main Page > List of Investigations > HELIOS

The DSCS III A3 ARG is an ongoing ARG by Alice & Smith. The initial trailhead notes that access that a US Department of Defense communications satellite has been authorized.

Day 1

At 03:24 UTC on 2021-12-05, the Alice & Smith (A&S) Twitter account tweeted "WARNING - DSCS III A3 access has been authorized. Good Luck and Godspeed." with a link to the A&S Discord.

This was followed up at 17:05 UTC with a second tweet stating "UPDATES | Dec 5th | - DSCS III A3 IRC TOR uplink and RTMP FEED updated to version 636f-rev1.". The reference to an RTMP feed led players to a Twitch stream titled HELIOS Task Force on the dscs_iii_a3 channel.

The stream contained an interactive terminal which users could enter commands into and get responses from. The initial terminal upon loading the stream was:

Setting hostid: 636f-rev1...
Entropy harvesting: interrupt ethernet
Fast boot: skipping disk checks
Mounting remote file systems
Starting network: DVB-TEXT DSCS-III-A3
Uplink Parameters: 7600 mhz - 7604 mhz
Additional TCP/IP options: .sgov=1
Starting IRC TOR PID
Manual: www.intelink.sgov.gov/wiki-ts/cmd-636f
Starting background file system check in 60 seconds

Clicking on the icon to the right of the stream for the Helios terminal popped up a Twitch window describing it. This included a note saying that the command HELP should be used to start. Entering this into the terminal resulted in:

Available commands:
  version
  coredump
  help
  <ACCESS DENIED>
  <ACCESS DENIED>
  <ACCESS DENIED>
Enter ‘help <command>’ for more information

Typing in help version and help coredump resulted in the following:

help version
Command help for: version
Displays the version details for DSCS_III_A3

help coredump
Command help for: coredump
Output a module's memory state
Enter ‘coredump <module>’ to execute

Players then ran the version command, which gave them a hexadecimal code output.

DSCS_III_A3 Version
63 6f 6d 6d 61 6e 64
20 27 71 75 65 72 79
27 20 73 75 70 70 6f
72 74 20 3d 20 31 00

Converting the hexadecimal code to text produced the message command 'query' support = 1. This new command could be confirmed by typing in help query

Command help for: query
Displays data relating to query subject
Enter ‘query <module>’ to check for system status
Latest system inventory: chks1029

By querying the latest system inventory noted on the last line of the output, players received info regarding several key systems:

ERROR: chks1029 format type table
  31575 | Factory Main Door
  25798 | Security Terminal
  75879 | Main Control Room
  59579 | Nuclear Blast Door
  99879 | Lights Out Factory
  65548 | Assembly Line Alpha
  65549 | Assembly Line Beta
  65550 | Assembly Line Delta
  65551 | Assembly Line Gamma
  75998 | Site Alpha
Invalid query for module 'chks1029'

Attempting to query most of the provided ID numbers would result in unknown commands, however entering query 31575 would output:

Query Module 31575
Status Request - Factory Main Door
Authorized commands:
  execute 31575 -open -<door access code>
  execute 31575 -close -<door access code>
Please stand by...
Module Status: Online

Players who ran the command coredump 31575 would be provided with a list of 9 pages of data to sort through.

WARNING: memory coredump for 31575
Generating files...
180 entries / GRID 20 by 9
  coredump -read 31575.page1
  coredump -read 31575.page2
  coredump -read 31575.page3
  coredump -read 31575.page4
  coredump -read 31575.page5
  coredump -read 31575.page6
  coredump -read 31575.page7
  coredump -read 31575.page8
  coredump -read 31575.page9
Process successful

Entering these commands into the terminal would provide the data detailed below.

Coredump 31575 Pages

Page 1 provided three "blocks" of three-number digits, each arranged in a 5x4 grid.

Memory Coredump PAGE 1
Module 31575
Block 1
  666 242 355 398 456
  576 483 559 374 416
  515 424 363 672 533
  273 482 302 216 484
Block 2
  105 101 497 171 408
  277 473 691 457 239
  607 368 971 450 528
  472 174 435 467 508
Block 3
  258 599 225 202 857
  519 447 317 206 614
  516 364 582 461 121
  279 476 383 123 526
[End of file]

Page 2 provided a list of colored books, seen below, with years as file extensions. The use of these "books" and years is currently unknown.

Memory Coredump PAGE 2
Module 31575
Blue book repo /repo/bb
 /1955
 /1958
 /1961
 /1969
Yellow book repo /repo/yb
 /1971
 /1976
 /1980
Red book repo /repo/rb
 /1982
 /1983
 /1985
 /1991
 /1993
 /1996
 /1997
Green book repo /repo/gb
  File access denied
[End of file]

Page 3 initially provided nothing, until some time estimated around 01:00 UTC, when it would update to read the following.

Memory Coredump PAGE 3
Module 31575
Audio Frenquency Render Completed
12-05-2021-16h17m28s
[End of file]

Page 4 provided another set of three number "blocks", just as Page 1 did.

Memory Coredump PAGE 4
Module 31575
Block 4
  303 631 747 421 333
  196 562 401 219 458
  170 711 134 644 307
  556 593 369 585 608
Block 5
  362 853 953 471 594
  404 422 643 809 863
  600 427 475 345 566
  677 124 445 496 418
Block 6
  145 757 448 659 394
  520 715 617 624 162
  500 361 265 532 518
  919 178 480 667 495
[End of file]

Page 5 provided a unique encrypted text detailed below.

Memory Coredump PAGE 5
Module 31575
Buffer Available
  7e 20 38
  20 64 61
  79 73 20
  74 6f 20
  45 4c 45
[End of file]

Decoded, the hexadecimal string read ~ 8 days to ELE . "ELE" is currently believed to stand for "Extinction Level Event".

Page 6 provided five IRC/RTMP addresses, detailed below. The purpose of these addresses are currently unknown.

Memory Coredump PAGE 6
Module 31575
OPEN SOCKET
  14321535.relay.nsa.sgov
  14154789.relay.defense.sgov
  14545787.relay.nevada.intelink.sgov
  14998541.relay.rtmp.twitch.tv
  14516555.relay--DVB-TEXT-IRC/.onion
[End of file]

Page 7 initially returned empty, but between the 100th and 200th command entry, updated to say the following.

Memory Coredump PAGE 7
Module 31575
Unable to terminate process
RTMP Feed interference
Calibration required
  CLIPID #1 : <url not found>
  CLIPID #2 : <url not found>
  CLIPID #3 : <url not found>
  CLIPID #4 : <url not found>
  CLIPID #5 : <url not found>
  CLIPID #6 : <url not found>
  CLIPID #7 : <url not found>
  CLIPID #8 : <url not found>
Query database 75998 via relay 75879 when ready
[End of file]

At the same time of Page 7 updating, the intro message updated to Revision 4, with a new warning:

WARNING: System status set to 'hibernate'
Restore Point: 12-07-2021 16:00 Local Time
All process still operational

Page 8 provided the third and final set of number boxes. These three sets of number boxes would soon be used to solve the first proper puzzle.

Memory Coredump PAGE 8
Module 31575
Block 7
  249 937 708 423 439
  184 474 701 650 712
  615 746 606 148 511
  563 567 713 132 635
Block 8
  260 137 381 255 696
  347 649 313 601 751
  353 459 228 580 574
  257 692 404 632 136
Block 9
  399 561 190 238 295
  116 512 545 375 454
  460 354 534 517 477
  308 725 430 540 999
[End of file]

Page 9 provided a status screen of the satellite, detailed below. As of the first ~10 hours of the ARG, it read the following.

 Memory Coredump PAGE 9
Module 31575
STATUS
  dscs_iii_a3   | access granted
  Control Door  | awaiting command
  Station 1     | booting ~ 24h
  Control Room  | access denied
[End of file]

Should this change, the changes will be documented.

Module 31575 - Factory Door Solve

Following some hours of nothingness, players began to notice quirks within the livestream's audio. A series of sharp and deep tones would continuously repeat, to which players began to document.

The series would play Sharp, Two Deep, Sharp, Three Deep, Sharp, Five Deep, Sharp, Seven Deep, Three Sharp. The series would then repeat.

A keen-eared player noticed the tones corresponded to the first four numerical prime numbers, Two, Three, Five, and Seven. Using the "blocks" provided by the coredump pages 1, 4, and 8, a central superblock was formed utilizing earlier information from the initial coredump command, stating a "20x9 grid". Within this grid, substituting all non-prime numbers for zeroes, and all prime numbers for ones, a grid of zeroes and ones was formed, and when turned to it's side, spelled the word KEY.

The substituted grid on it's side, forming the word KEY.









The solve led to the completion of the command execute 31575 -open -key, which, when entered, would return the following.

Accessing local PGP Key
/home/31337/.ssh/31575
Access authorized
Requests received so far: 0
Connecting to module 31575
TAK1 - Valid
TAK6 - Valid
BGD8 - Valid
DTB3 - Valid
SDD4 - Valid
Adding your entry, please wait...
Process completed.

Note the line which says Requests received so far: 0. This is what was returned upon the first entry of the command, with every subsequent unique entry counting up by one. At 25, 50, 75, and 100 entries, a routine camera check would be initiated, showing more of the facility to the livestream. These four camera checks each revealed new areas of the facility. When the final goal of 200 entries was reached at 11:35 UTC, the factory door seen on the livestream opened.

Day 3

On 2021-12-7, at 12:00 AM UTC, or 16:00 Local Time on the livestream, the second module, Module 25798 - Security Terminal became available, along with new commands relating to the new module, as well as updates to old commands.

Page 9 of the Factory Door coredump, the status page, had updated to read the following.

Module 31575
STATUS
  dscs_iii_a3   | access granted
  Control Door  | access granted
  Station 1     | access granted
  Control Room  | access denied
[End of file]

The first of the new commands was query 25798, which set the frame for the second puzzle. When entered, it would return a new set of available execute commands, seen below.

Query Module 25798
Status Request - Security Terminal
Authorized commands:
  execute 25798 -register -<UID>
  execute 25798 -commit -<branchid>
Please stand by...
Module Status: Online

The second of the new commands was 5 new pages of coredump information, accessed using coredump 25798, returning a new set of 5 pages, detailed below, and a line reading 5 entries / 10 digits ID. Players suspected this to be vital to the construction of the solution as it had been in the previous puzzle, relating to the grids.

Coredump 25798 Pages

Page 1 provided the first block fragments of cryptic information to be used in solving the second puzzle, detailed below.

Memory Coredump PAGE 1
Module 25798
Block Fragment
  -01: Aug
  -02: 134
  -03: data.dscsiii-a3.directory/31zCVhu
[End of file]

The link in this set of data is a valid image link, and leads to a classical painting of Thor's Fight with the Giants.


Page 2 returned the following.

Memory Coredump PAGE 2
Module 25798
Block Fragment
  -01: Little Arrow
[End of file]

Page 3 returned similarly little:

Memory Coredump PAGE 3
Module 25798
Block Fragment
  -01: 92 TJ
[End of file]

Page 4 provided links to two more images, the first, the logo for the Soviet space program Interkosmos, and the second, a crop of fresco The School of Athens.

Memory Coredump PAGE 4
Module 25798
Block Fragment
  -01: data.dscsiii-a3.directory/3dzEo9L
  -02: data.dscsiii-a3.directory/3y4KyIo
[End of file]

Page 5 ended the set of data with a seemingly ominous message, simply reading -01: 243 days [End of file]

Module 25798 - Security Terminal Solve

Following a set of hints from the Clippy Database, players learned the solution dealt with Satellite Catalog Numbers, or SATCATs for short, which were to be entered as the "UIDs", and would, when entered, give two characters and what order of sequence the characters were, leading to the second part of the puzzle, the "branchid".


The first satellite in the sequence was SATCAT number 00015, corresponding to the Explorer 6 satellite. This answer was gotten from page 1 of the coredump, with Explorer 6's serial number being "Thor 134". Entry of this UID returned the players with the first fifth of the branchid: "a4"


The second in the sequence was SATCAT number 00055, corresponding to the Sputnik 5 satellite. This answer was gotten from page 2 of the coredump, with "Little Arrow" being the translated name of Strelka, one of the two dogs aboard the Sputnik 5 satellite. Entry of this UID returned the players with the second fifth of the branchid: "g7"


The third in the sequence was SATCAT number 04382, corresponding to the DFH-1 satellite. This answer was gotten from page 3 of the coredump, with "92 TJ" meaning 92 Tera Joules, the explosive yield of China's Project 596, as part of the Two Bombs One Satellite project, of which DFH-1 was the first satellite launched by the project. Entry of this UID returned the players with the third fifth of the branchid: "x9"


The fourth in the sequence is unknown. Its part of the branchid, "c1", was bruteforced.


The fifth in the sequence was SATCAT number 04489, corresponding to the Venera-7 satellite. This answer was gotten from page 5 of the coredump, with "243 days" referring to the rotational period of the planet Venus, which is 243 days. The satellite itself was found by virtue of being the first satellite to ever return data about Venus to humanity. Entry of this UID returned the players with the final part of the branchid: "d7".


With all 5 parts of the branchid discovered, players put them together to complete the command execute 25798 -commit -a4g7x9c1d7. Entry of this command began a similar process to the factory door, requesting 100 unique entries of the command to continue.

As of 2021-12-08 9:30 PM UTC, this phase is ongoing.