
Thread: MotoTRBO Advanced Encryption Key Recovery

  1. #26
    Join Date
    Feb 2012
    Posts
    1,584
    Thanks
    14
    Thanked 33 Times in 27 Posts
    That's what should be happening. Oh well, it would have been nice if something had been missed in the creation routine for the report.



  2. #27
    Join Date
    Dec 2011
    Location
    Canada
    Posts
    3,546
    Thanks
    235
    Thanked 380 Times in 170 Posts
    I suspect the software WRITES ONLY to the Enhanced Key location. CPS does not read (then mask) the data on a read operation.

    I used HxD to snoop the program RAM and a known key variable could not be found. However, it was found if I entered it (plaintext) into the field in CPS, then searched for it in memory. This tells me the program (TRBO CPS) is not encrypting what's in RAM; it's just not reading the keys from the radio whatsoever. Again, WRITE ONLY. CPS also checks to make sure the keys are in the field(s) before allowing a write operation.

    If CPS could be modified to read the protected range, or there was a way to do a full s-record dump (besides an out-of-circuit hardware method), the Enhanced Keys could be recovered in plaintext. There's nothing secure about the way the keys are stored in memory. CPS isn't the tool to use to extract them.

  3. #28
    Join Date
    Dec 2011
    Location
    Canada
    Posts
    3,546
    Thanks
    235
    Thanked 380 Times in 170 Posts
    Here's how the keys will be extracted...

    'Nuff said. [image attachment]

  4. #29
    Join Date
    Feb 2013
    Location
    Sydney.au
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Help file copy & paste, hope that's ok to post.

    Key Value

    Description

    The Key Value is the encryption value used to scramble and unscramble voice calls and data transmissions on privacy-enabled channels when Privacy Type is set to Enhanced. Selecting a larger, multiple-digit value provides stronger scrambling protection. Each Key Value can be assigned a Key ID and Key Alias for easier recognition. A radio that has Privacy Type set to Enhanced supports a minimum of 1 to a maximum of 16 Keys. For security reasons, if the codeplug is read from a radio, the Key Value is shown as . This is a radio-wide feature.

    Range
    Maximum: FFFFFFFFFE
    Minimum: 1
    Increment: 1

    Note

    • This feature is disabled if Privacy Type is set to None or Basic.
    • For security reasons when reading a radio, Key Value is shown as . Key Value needs to be set prior to cloning if the destination radio key needs to be changed.
    • When a Report is generated based on a saved archive file, the Key Value will be displayed. It is recommended to set a password on the archive to ensure that only authorized users can view the Key Value within the archive file as well as while generating the Reports.
    • This feature is applicable to MOTOTRBO Conventional radios in Digital mode only.

  5. #30
    Join Date
    Feb 2013
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It's already been said, but keys are saved in the codeplug (as shown below) and displayed in the reports ONLY if entered by the user into CPS. It will never be known to CPS, or the report, if you don't enter the key into CPS.

    Code:
    <PRIVACY_SERVICE_CMP_TYPE_GRP SortType="NONE">
      <PRIVACY_SERVICE_CMP_TYPE Applicable="Enabled" ListID="0">
        <PRISVC_PKEYID Applicable="Enabled" ListID="0">0</PRISVC_PKEYID>
        <PRISVC_PKEY Applicable="Enabled" ListID="0">54545454</PRISVC_PKEY>
        <PRISVC_PKEYIND Applicable="Enabled" ListID="0">
        </PRISVC_PKEYIND>
        <PRISVC_PKEYALIAS Applicable="Enabled" ListID="0">Privacy Key 1</PRISVC_PKEYALIAS>
      </PRIVACY_SERVICE_CMP_TYPE>
    </PRIVACY_SERVICE_CMP_TYPE_GRP>
    I am interested if anyone has looked into fudaly_usb.dll to see how CPS communicates with the device during flash updates. Like Mars said, we should look for a low-level read/write of the radio. A radio in flashzap mode will enumerate as a different USB device; looking at how the DLL works should give a clue how to read/write the radio.
    I am also investigating the following C++ DLLs from an older CPS version like 2.0 to see how they work:
    firmwareupgrade.dll, flashzap.dll, flashzapadapter.dll, fzap_com.dll, fzap_cpu.dll, and fzap_worker.dll
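
    The help text quoted above says a saved archive (and any report generated from it) carries the Enhanced Privacy key in plaintext whenever the user typed it into CPS, which is why it recommends password-protecting archives. The script below is an added example, not part of this thread or of Motorola CPS: it parses a codeplug XML export shaped like the fragment posted above, reports which key slots hold a value (checked against the documented range of 1 to FFFFFFFFFE, assumed to be hexadecimal as that maximum implies), and writes a redacted copy so an archive can be shared without leaking the key. The element names come from the posted fragment; the enclosing CODEPLUG element, the second key slot and the sample values are constructed for illustration.

```python
"""Audit a saved MOTOTRBO codeplug XML export for plaintext Enhanced Privacy
keys and produce a redacted copy for sharing.

Constructed example; not part of the forum thread or of Motorola CPS.
Element names (PRIVACY_SERVICE_CMP_TYPE_GRP, PRISVC_PKEYID, PRISVC_PKEY,
PRISVC_PKEYALIAS) and the key range (1 .. FFFFFFFFFE) are taken from the
thread; the outer CODEPLUG element and the sample values are assumptions.
"""
import xml.etree.ElementTree as ET

KEY_MIN = 0x1            # minimum documented in the CPS help text
KEY_MAX = 0xFFFFFFFFFE   # maximum documented in the CPS help text
MASKED = "********"      # placeholder written into the redacted copy

# Constructed sample: one populated slot shaped like the posted fragment,
# plus an empty second slot to show how an unset key is reported.
SAMPLE_XML = """<CODEPLUG>
  <PRIVACY_SERVICE_CMP_TYPE_GRP SortType="NONE">
    <PRIVACY_SERVICE_CMP_TYPE Applicable="Enabled" ListID="0">
      <PRISVC_PKEYID Applicable="Enabled" ListID="0">0</PRISVC_PKEYID>
      <PRISVC_PKEY Applicable="Enabled" ListID="0">54545454</PRISVC_PKEY>
      <PRISVC_PKEYIND Applicable="Enabled" ListID="0"></PRISVC_PKEYIND>
      <PRISVC_PKEYALIAS Applicable="Enabled" ListID="0">Privacy Key 1</PRISVC_PKEYALIAS>
    </PRIVACY_SERVICE_CMP_TYPE>
    <PRIVACY_SERVICE_CMP_TYPE Applicable="Enabled" ListID="1">
      <PRISVC_PKEYID Applicable="Enabled" ListID="1">1</PRISVC_PKEYID>
      <PRISVC_PKEY Applicable="Enabled" ListID="1"></PRISVC_PKEY>
      <PRISVC_PKEYIND Applicable="Enabled" ListID="1"></PRISVC_PKEYIND>
      <PRISVC_PKEYALIAS Applicable="Enabled" ListID="1">Privacy Key 2</PRISVC_PKEYALIAS>
    </PRIVACY_SERVICE_CMP_TYPE>
  </PRIVACY_SERVICE_CMP_TYPE_GRP>
</CODEPLUG>
"""


def key_status(value):
    """Classify a PRISVC_PKEY text value as 'empty', 'present' or 'out_of_range'.

    Values are treated as hexadecimal, which the documented maximum
    FFFFFFFFFE implies (an assumption of this example).
    """
    if value is None or value.strip() == "":
        return "empty"
    try:
        n = int(value.strip(), 16)
    except ValueError:
        return "out_of_range"
    return "present" if KEY_MIN <= n <= KEY_MAX else "out_of_range"


def audit_keys(xml_text):
    """Return (key_id, alias, status) for every privacy key slot in the export."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter("PRIVACY_SERVICE_CMP_TYPE"):
        key_id = entry.findtext("PRISVC_PKEYID", default="")
        alias = entry.findtext("PRISVC_PKEYALIAS", default="")
        status = key_status(entry.findtext("PRISVC_PKEY"))
        findings.append((key_id, alias, status))
    return findings


def redact_keys(xml_text):
    """Return a copy of the export with every populated PRISVC_PKEY replaced by MASKED.

    Empty slots are left empty so the redacted copy still shows which slots
    were in use without carrying the key material.
    """
    root = ET.fromstring(xml_text)
    for key in root.iter("PRISVC_PKEY"):
        if key.text and key.text.strip():
            key.text = MASKED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key_id, alias, status in audit_keys(SAMPLE_XML):
        print(f"key ID {key_id} ({alias}): {status}")
    print(redact_keys(SAMPLE_XML))
```

    Run against a real export by reading the file into `audit_keys` and `redact_keys` instead of `SAMPLE_XML`; a non-empty status on any slot means the archive holds a usable key and should stay password-protected or be redacted before it leaves the shop.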


  6. #31
    Join Date
    Jan 2013
    Location
    Under a bridge.
    Posts
    1,593
    Thanks
    127
    Thanked 136 Times in 87 Posts
    Interesting to note that CPS won't allow a null value in the key field when you go to write the radio (after a read) if there was a key value in the radio to begin with. You either must know the existing key and type it in, or you must type in a new key ID to write the codeplug or it will fail to write. (at least in the last few versions)

  7. #32
    Join Date
    Feb 2012
    Posts
    1,584
    Thanks
    14
    Thanked 33 Times in 27 Posts
    It may be a CPS programming configuration oversight where there is no default value entered into the "active" slot when a radio with keys is read. Or it may be there to force the user to have to enter in a key so that the current value in the radio gets wiped.

  8. #33
    Join Date
    May 2012
    Location
    Neither here, nor there.
    Posts
    598
    Thanks
    83
    Thanked 55 Times in 40 Posts
    Quote Originally Posted by com501:
    Interesting to note that CPS won't allow a null value in the key field when you go to write the radio (after a read) if there was a key value in the radio to begin with. You either must know the existing key and type it in, or you must type in a new key ID to write the codeplug or it will fail to write. (at least in the last few versions)
    The reason for this is so someone cannot take an encrypted radio, read it, and clone another unit off of it. Unless you have a saved codeplug that the keys were originally input into, you must re-enter key data when programming the radio after reading it.

    This is also the case for RAS keys. The restrictions/methods for privacy keys also apply to RAS keys.

  9. #34
    Join Date
    Jan 2013
    Location
    Under a bridge.
    Posts
    1,593
    Thanks
    127
    Thanked 136 Times in 87 Posts
    That is correct, much to the frustration of those who have tried to clone my system, I am sure.
    "The number you have reached, 9-1-1, has been changed, and there is no new number."

  10. #35
    Join Date
    Mar 2013
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    IIRC, previous to version 5.0 CPS, you could clone a radio and it would clone the enhanced key also.

    I have an old codeplug dating from 2009 that I read from a radio that had enhanced privacy. I think it was CPS 3.6 or 4.0 at that time. Would it be possible to recover the key somehow because it's pre-5.0 CPS?

  11. #36
    Join Date
    Aug 2012
    Location
    Ontario, Canada
    Posts
    370
    Thanks
    12
    Thanked 9 Times in 8 Posts
    I don't think privacy was introduced until around 4.0 or so.... but I still doubt very highly you would get the key. I'd think that would be the #1 thing Motorola would do when introducing an encryption method of any sort... make sure the key can't be read from the radio. It's been speculated before that the CPS doesn't even read the area of memory where the keys are stored...

  12. #37
    Join Date
    Jan 2013
    Location
    Under a bridge.
    Posts
    1,593
    Thanks
    127
    Thanked 136 Times in 87 Posts
    The factory depot cannot recover the key either. Whenever a radio is sent in with encryption and they replace the board, it is cloned, but the keys are always reset to 1, no matter whether it is basic or enhanced.
    "The number you have reached, 9-1-1, has been changed, and there is no new number."

  13. #38
    Join Date
    Jun 2013
    Location
    Melbourne, Aussieland
    Posts
    82
    Thanks
    1
    Thanked 11 Times in 3 Posts
    Do you have access to the firmware ? You could possibly disassemble that and mod it ...
    (I'm guessing that's what Mars was alluding to! )

  14. #39
    Join Date
    Feb 2012
    Posts
    1,584
    Thanks
    14
    Thanked 33 Times in 27 Posts
    Changing the firmware, assuming it could be decompiled, will not read the keys. The actual block where the data is saved is not even addressed in the read options. In theory it may be possible to pull the chip and read it directly from memory, but this is not practical.

  15. #40
    Join Date
    Jun 2013
    Location
    Melbourne, Aussieland
    Posts
    82
    Thanks
    1
    Thanked 11 Times in 3 Posts
    Quote Originally Posted by Notarola:
    Changing the firmware, assuming it could be decompiled, will not read the keys. The actual block where the data is saved is not even addressed in the read options. In theory it may be possible to pull the chip and read it directly from memory, but this is not practical.
    From my knowledge as an embedded programmer - there are nearly always "primitive" calls embedded in the code that will allow the developer to read/write any portion of the memory space. Even EFTPOS systems can do this - using their "secure" processors.

    Disassembly:- If the firmware is for a known processor - this may be trivial - if the processor is custom then maybe not so easily.

    Do the processors have a JTAG port ?
    Are the processors off the shelf or Motorola proprietary ?
    (In my youth Motorola used to make chips - I'm not sure if they still do ?)

  16. #41
    Join Date
    Jan 2013
    Location
    Under a bridge.
    Posts
    1,593
    Thanks
    127
    Thanked 136 Times in 87 Posts
    Get me 20-30 radios, a clean room, an electron microscope, some acid etch equipment and a couple of micro logic probes and a computer debugger and I can probably get you results in 6-9 months. Provided that Motorola doesn't get wind of the project. Pretty sure they have just as many lawyers as Dish Network and the Kudelski division....

    But for a lot less money, I can simply find out whose system you want to crack, and social engineer the details out of whomever is programming it. Everyone can be bought.
    "The number you have reached, 9-1-1, has been changed, and there is no new number."

  17. #42
    Join Date
    Jun 2013
    Location
    Melbourne, Aussieland
    Posts
    82
    Thanks
    1
    Thanked 11 Times in 3 Posts
    Quote Originally Posted by com501:
    Get me 20-30 radios, a clean room, an electron microscope, some acid etch equipment and a couple of micro logic probes and a computer debugger and I can probably get you results in 6-9 months. Provided that Motorola doesn't get wind of the project. Pretty sure they have just as many lawyers as Dish Network and the Kudelski division....

    But for a lot less money, I can simply find out whose system you want to crack, and social engineer the details out of whomever is programming it. Everyone can be bought.
    Ha Ha Ha!

    I do have a mate who owns most of that stuff sans the lawyers

    As I have stated a few times - I'm not all that conversant with radios - so I assume from what you are saying - Motorola uses custom chips in the radios ?

  18. #43
    Join Date
    Feb 2012
    Posts
    1,584
    Thanks
    14
    Thanked 33 Times in 27 Posts
    Custom chips, custom programming routines and command tables, along with custom algorithms, all used to mask the data. I'm not saying it's not possible; I am saying that unless there is a loophole no one has found, reading the keys directly from a radio is just not practical and is effectively impossible at the user level.

  19. #44
    Join Date
    Jun 2012
    Posts
    472
    Thanks
    1
    Thanked 9 Times in 7 Posts
    The processor in MOTOTRBO (and APX7000) radios is an off the shelf part. Nothing custom about it.

    http://www.ti.com/general/docs/wtbu/...data/omap_1710

  20. #45
    Join Date
    Jun 2013
    Location
    Melbourne, Aussieland
    Posts
    82
    Thanks
    1
    Thanked 11 Times in 3 Posts
    Quote Originally Posted by syntrx:
    The processor in MOTOTRBO (and APX7000) radios is an off the shelf part. Nothing custom about it.

    http://www.ti.com/general/docs/wtbu/...data/omap_1710
    Thanks for that syntrx.

    This bit would probably slow most of us down:-

    Additional enhancements include:

    • Superior software flexibility
    • Improved multimedia and graphics performance
    • Integrated hardware and software security features
    • High-performance camera interface
    • Enhanced peripherals
    • Ultra-low standby power consumption

    The OMAP1710 processor engines include an ARM processor, a TI DSP engine, as well as a range of software and hardware accelerators for video encode and decode, still picture compression, Java and security. TI's unique advanced security hardware provides a secure execution environment that enables developers to deliver the more secure wireless devices required by mobile operators. TI's security hardware also offers an ideal platform to address the security threats faced by phone manufacturers and carriers today, such as preventing the loading of unauthorized software and protecting sensitive data such as the phone's identity.
    cheers

  21. #46
    Join Date
    Jun 2012
    Posts
    472
    Thanks
    1
    Thanked 9 Times in 7 Posts
    Quote Originally Posted by oldfart:
    Thanks for that syntrx.

    This bit would probably slow most of us down:-

    cheers
    Maybe, but in practice (based on what I've seen of the evaluation of many "secure" products in general), probably not. Especially not on the TRBO series.

  22. #47
    Join Date
    Dec 2011
    Location
    Avalon
    Posts
    1,262
    Thanks
    45
    Thanked 60 Times in 43 Posts
    The processor in the APX is the same OMAP1710. I'm pretty sure they both Fastboot off of external NOR flash attached to CS3, with the option checked for CS3 to be mapped to CS0. No security is involved at that point; it only works when booted off internal flash.