
Thread: Mototrbo CTB codeplug file format

  1. #1
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default Mototrbo CTB codeplug file format

    I believe I have extracted the source code of the portions of TRBO CPS that encode and decode the *.ctb codeplug files. Would posting the code and discussing it here be permitted?


  2. #2
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,201
    Thanks
    274
    Thanked 314 Times in 152 Posts
    Country: United States

    Default

    I will say yes, if our legal adviser disagrees we will handle it then.

  3. #3
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Well, .NET decompiling is by far the easiest thing I have done this week.
    A quick howto for anyone interested.
    A .NET deobfuscator is needed to "deobfuscate" the code:
    https://github.com/0xd4d/de4dot
    de4dot-x64.exe -r "C:\program files\Motorola\MototrboCPS" -ro C:\trbo --onfile
    This creates a new installation of MototrboCPS with all the Motorola and system DLLs in one directory, C:\trbo.
    Then I used a program called .NET Reflector (http://www.reflector.net/) to browse the deobfuscated code.
    Browsing Common.Communication.ComminFile.dll I found a lot of interesting data structures. Here are a couple.

    Serializable
    http://pastebin.com/1BZEefRV

    CompressFile
    http://pastebin.com/fptnifuJ

    The math and logic here is way over my head. I wonder if this code is what we would need to start reading and writing our own codeplug files?

  4. #4
    dc2zp No Longer Registered

    Default I'm working on a similar approach

    Hi kd8eyf!

    I am working on a similar approach. The Mototrbo CPS has several shortcomings, and in order to avoid these I am working on understanding the .ctb files.

    As a first step I would like to be able to add contacts to any given codeplug file. (BTW: this was a feature in the CPS for GM/GP3**)

    It will take me some days to dive into the code you revealed there, but I am optimistic about the possible outcome.

    so long and 73, dc2zp

  5. #5
    Join Date
    Dec 21, 2011
    Posts
    4,131
    Thanks
    2,781
    Thanked 4,933 Times in 1,470 Posts
    Country: Canada

    Default

    I have no problem with this, so long as none of the work was derived from proprietary Motorola software, like Depot, etc.

  6. #6
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    http://pastebin.com/JfEe1QTq
    Various methods of encrypting and decrypting CTB files. Line 266: 3DES keys and IVs; the variant is for an older CTB format though.

  7. #7
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Sorry for the GIANT PICTURE

    http://i.imgur.com/7hAib.jpg


    I got a few CPS parameter files open and a firmware update file open. Looks like everything is XML.
    Some base64 stuff in the firmware; I decoded it and didn't recognize any structure. May be encrypted again? Not sure.
    I haven't cracked open the CTB yet. Unlike the ASCII files below, the CTB adds a layer of gzipping which my decoder is choking on. Still trying to figure it out.
    At the end of each XML is a hash of the data in the format <DIGEST></DIGEST><RSAKeyValue><Modulus></Modulus><Exponent></Exponent></RSAKeyValue> that I need to figure out if I ever want to get data back into the radio.
    Last edited by kd8eyf; Jan 04, 2013 at 11:40 PM. Reason: change pic to link

  8. #8
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,201
    Thanks
    274
    Thanked 314 Times in 152 Posts
    Country: United States

    Default

    Looks good, nice to see progress being made on this.

  9. #9
    Join Date
    Jun 12, 2012
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Hello kd8eyf! The MotoTRBO CTB/LMX Encrypt/Decryptor, can this tool be shared?

  10. #10
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,201
    Thanks
    274
    Thanked 314 Times in 152 Posts
    Country: United States

    Default

    Quote Originally Posted by QQMOTO View Post
    Hello kd8eyf! The MotoTRBO CTB/LMX Encrypt/Decryptor, can this tool be shared?
    I would imagine he would like to finish it first, before it gets posted to the radio warez sites...

  11. #11
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Quote Originally Posted by Magnus View Post
    I would imagine he would like to finish it first, before it gets posted to the radio warez sites...
    HA!

    Well, I'm DONE!
    Here's what's in the SampleXPR4580.ctb that comes with CPS:
    http://pastebin.com/raw.php?i=YeMUfixf

    It's a bit of a MONSTER inside..
    Next step is to see if I can change values and calculate the new hash.

  12. #12
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    I'm not a lawyer, but the question came up whether a program that decodes CTBs is against the TOS?
    Chances are it is..?
    Are codeplugs intellectual property?
    I would think that since the data comes from my radio, it's MY CODEPLUG!?
    I am sure Motorola sees otherwise.

    So really it's just sending data through from XML to a crypto stream into a gzip stream. It's a common way to store data.
    http://msdn.microsoft.com/en-us/magazine/cc163290.aspx

    The only thing that I think could be IP is the encryption keys?
    My friend changed the unpacker program to require the user to manually get and load the encryption keys from somewhere. He uploaded the decoder here:

    Moved, see
    http://communications.support/thread...4951#post14951

    The src is included if you're nervous about EXEs. He says he still has to add the signature creation to be able to save files. The thing is .NET, so you will need to install the VB.NET Studio 2010 turd if you want to compile.

    dave
    Last edited by Magnus; Jan 08, 2013 at 08:06 AM. Reason: Changed link per OP

  13. #13
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,201
    Thanks
    274
    Thanked 314 Times in 152 Posts
    Country: United States

    Default

    I would agree that if any of it was IP it would be the key. If the password is what I think it is, it's easy enough to find and can be left for the end user to find.

  14. #14
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Forget the previous link. Mods, please delete. I moved everything here: https://bitbucket.org/KD8EYF/freecps

  15. #15
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Looking at Wireshark traces between CPS and the radio, the structure is pretty simple. I think this is the XCMP protocol, not sure. But I hit a major road block. It looks like to init communication/control, the TRBO radio sends some random bits to CPS and CPS has to encrypt them and send them back. The radio compares it with its own and if it's the same it lets comms continue. The only way to get the encryption key is from mother Moto, I imagine? I'm guessing this way they only allow authorized software to communicate with OUR radios. From what I see in the packet captures it's only 8 bytes in and out... that's 18,446,744,073,709,551,616 combinations / keyspace?! Crap.. anyone have an idea on a workaround? Thoughts?

  16. #16
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,201
    Thanks
    274
    Thanked 314 Times in 152 Posts
    Country: United States

    Default

    Yes, all communication to and from the radio via XCMP is verified with a signature.

  17. #17
    Join Date
    Apr 18, 2012
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by kd8eyf View Post
    Sorry for the GIANT PICTURE

    http://i.imgur.com/7hAib.jpg


    I got a few CPS parameter files open and a firmware update file open. Looks like everything is XML.
    Some base64 stuff in the firmware; I decoded it and didn't recognize any structure. May be encrypted again? Not sure.
    I haven't cracked open the CTB yet. Unlike the ASCII files below, the CTB adds a layer of gzipping which my decoder is choking on. Still trying to figure it out.
    At the end of each XML is a hash of the data in the format <DIGEST></DIGEST><RSAKeyValue><Modulus></Modulus><Exponent></Exponent></RSAKeyValue> that I need to figure out if I ever want to get data back into the radio.


    I can help you figure out the correct HASH and RSAKeyValue if you give me the XML file which is cracked out of the CTB.

    For example:

    ------------------------------------------------------------------------------------------------------------------------

    Sorry for the GIANT PICTURE
    http://i.imgur.com/7hAib.jpg

    i got a few CPS parameter files open and a firmware update file open.. Looks like everything is XML
    Some base64 stuff in the firmware, decoded it and didnt recognize any structure, may be encrypted again? not sure..
    I haven't cracked open the CTB yet. Unlike the below ascii files the ctb adds a layerg of gzipping which my decoder is chokin on.. still trying to figure it out.
    At the end of each XML is a HASH of the data in the format <DIGEST></DIGEST><><Modulus></Modulus><Exponent></Exponent></RSAKeyValue> that I need to figure out if I ever want to get data back into radio..
    Last edited by kd8eyf; 01-04-2013 at 11:40 PM. Reason: change pic to link <SIGNATURE><VERSION>1.0</VERSION><DIGEST>CFCB41CEFEF07B2F2ACEADABCF6BD45CAF 57D867D226E03E88A5D111DDA46C6E8DA3DE096582474EA5B6 9C54020E1BED6D7526F086A065E9DC98A11072D83C4BD62CFE 39A3FE09BA524424BC648EF206C1F7CC918C549CB54AA3626E A7C9EA5A48242816D45A4A710FB7540E621D1D770FFDADCA99 6390A3B8167FF176BA1E73</DIGEST><RSAKeyValue><Modulus>5AaKT6Hvh9+QrPWr5wugc qFjZWe54yW4/2sn6KAHKIrvvpD7J2x+elfDTry9DEx0U5dplG0SAtMNlXNV4PX U72Ze/yoeD/gfsGBGlmhpVCxkd0WvfSnSl5xe/WcCVJnyrjIQjRI47Aok7H3tjtshvq/LLKUtWxpxy4iGupbtv20=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></SIGNATURE>

  18. #18
    user No Longer Registered

    Default

    Hello,
    is there any news about this?

    I read the whole thread but didn't find a real solution. Is this tool complete?

    Thanks for any news

    U.

  19. #19
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    Yes, the tool as you say is complete. PM me for the URL.
    specializing in AES1056 encryption

  20. #20
    user No Longer Registered

    Default

    Quote Originally Posted by kd8eyf View Post
    Yes, the tool as you say is complete. PM me for the URL.
    Can't, something refers to privilege stuff.
    Any ideas?

  21. #21
    Join Date
    Jun 14, 2013
    Location
    Melbourne, Aussieland
    Posts
    125
    Thanks
    17
    Thanked 97 Times in 29 Posts

    Default

    Quote Originally Posted by kd8eyf View Post
    Looking at Wireshark traces between CPS and the radio, the structure is pretty simple. I think this is the XCMP protocol, not sure. But I hit a major road block. It looks like to init communication/control, the TRBO radio sends some random bits to CPS and CPS has to encrypt them and send them back. The radio compares it with its own and if it's the same it lets comms continue. The only way to get the encryption key is from mother Moto, I imagine? I'm guessing this way they only allow authorized software to communicate with OUR radios. From what I see in the packet captures it's only 8 bytes in and out... that's 18,446,744,073,709,551,616 combinations / keyspace?! Crap.. anyone have an idea on a workaround? Thoughts?
    Hi kd8eyf,

    Very exciting news.

    In the example of XCMP and XNL that Motorola gives developers (xcmp_contacts_demo_application.zip) the initial connect conversation requires:
    1. A request from the PC to the radio requesting authentication info
    2. The info returned by the radio is then encrypted using the developer's keys (supplied by Motorola), or vice versa
    3. This encrypted result is then sent back to the radio
    4. The radio responds with more data that must be decrypted using the developer's keys, and
    5. If it matches what was originally sent then both the radio and the app have verified each other.

    I think this is to ensure that the application is validated with the radio and also to ensure that the radio is validated to the app.

    cheers

    P.S.: I just remembered... in the example project mentioned above you must have a set of Developer Keys, as they must be entered each time, otherwise the demonstration won't work.
    Last edited by oldfart; Sep 07, 2013 at 05:39 AM. Reason: Oops ..
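The five-step exchange listed above, modelled with both sides as an added example (not code from the thread or from Motorola's demo application): the radio and the app each prove possession of the shared developer key by answering a fresh random challenge, without ever putting the key on the wire. HMAC-SHA256 stands in for the cipher the real exchange uses, and the placeholder key, the 8-byte challenge size and the app's own counter-challenge are assumptions.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the developer key Motorola supplies;
# the real key is not on the page and is not needed to follow the exchange.
DEV_KEY = b"placeholder-developer-key"


def prove(key: bytes, challenge: bytes) -> bytes:
    """Keyed transform of a challenge. The page says the real exchange
    encrypts the challenge with the developer keys; HMAC-SHA256 stands in
    for that cipher here and serves the same role: the answer cannot be
    computed without the key, and an 8-byte challenge yields an 8-byte answer."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class Radio:
    """Radio side: issues a fresh 8-byte challenge and checks the app's answer."""
    def __init__(self, key: bytes):
        self.key = key
        self.challenge = None
        self.app_verified = False

    def auth_info(self) -> bytes:
        # Steps 1/2: hand out a random challenge, new for every session,
        # so an answer captured from one session is useless in the next
        self.challenge = os.urandom(8)
        return self.challenge

    def check(self, response: bytes, app_challenge: bytes):
        # Steps 3/4: verify the app's answer, then answer the app's challenge
        if self.challenge is None or not hmac.compare_digest(
                response, prove(self.key, self.challenge)):
            return None                      # wrong key: refuse to continue
        self.app_verified = True
        return prove(self.key, app_challenge)


class App:
    """CPS/application side: answers the radio, then verifies the radio."""
    def __init__(self, key: bytes):
        self.key = key

    def connect(self, radio: Radio) -> bool:
        radio_challenge = radio.auth_info()
        my_challenge = os.urandom(8)
        reply = radio.check(prove(self.key, radio_challenge), my_challenge)
        if reply is None:
            return False
        # Step 5: the radio only produces the right answer if it holds the key
        return hmac.compare_digest(reply, prove(self.key, my_challenge))
```

The 8 bytes seen in and out are the challenge and its answer, not the key, so the keyspace that matters is the key's own, and the fresh random challenge is what stops a captured answer from being replayed.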

  22. #22
    Join Date
    Jun 14, 2013
    Location
    Melbourne, Aussieland
    Posts
    125
    Thanks
    17
    Thanked 97 Times in 29 Posts

    Default

    Apologies for the above post - I didn't realise how long this thread had been around - but I'm still glad it has resurfaced.

    cheers

  23. #23
    Join Date
    Feb 13, 2012
    Posts
    194
    Thanks
    23
    Thanked 59 Times in 19 Posts

    Default

    It's okay. I think you're referring to XNL/XCMP, and this is about the encrypted codeplug files created by CPS. Here's a quick update on a program I'm working on that updates an encrypted CTB file's contact list.

    All the code is there to decrypt and encrypt a TRBO codeplug. I have not included the decryption/encryption and signing keys. You will need to figure these out.

    https://github.com/KD8EYF/OpenIPSC/t...er/contactList

    I kinda need help with the XML; if anyone is an XML pro, msg me!
    specializing in AES1056 encryption

  24. #24
    Join Date
    Jun 14, 2013
    Location
    Melbourne, Aussieland
    Posts
    125
    Thanks
    17
    Thanked 97 Times in 29 Posts

    Default

    I'm not a pro but there was some free source I used for reading/writing XML while working on a Freeware Steam/Valve project a couple of years back ... brb .. I'll look it up ...

    Code:
    /*
    www.sourceforge.net/projects/tinyxml
    Original code by Lee Thomason (www.grinninglizard.com)
    
    This software is provided 'as-is', without any express or implied
    warranty. In no event will the authors be held liable for any
    damages arising from the use of this software.
    
    Permission is granted to anyone to use this software for any
    purpose, including commercial applications, and to alter it and
    redistribute it freely, subject to the following restrictions:
    
    1. The origin of this software must not be misrepresented; you must
    not claim that you wrote the original software. If you use this
    software in a product, an acknowledgment in the product documentation
    would be appreciated but is not required.
    
    2. Altered source versions must be plainly marked as such, and
    must not be misrepresented as being the original software.
    
    3. This notice may not be removed or altered from any source
    distribution.
    */
    
    
    #ifndef TINYXML_INCLUDED

    I found it pretty easy to work with ..

    cheers
    Will

  25. #25
    Mike No Longer Registered

    Default

    Thanks for the GitHub link. Too bad you had to scrape the data; it'd be nice if the DMR-MARC maintainers simply put a delimited file of some sort up for download.

    Re XML: Python has some great tools for manipulating XML; that's where my experience is, not C# or PHP.