
Thread: The ASTRO 25 and APX TCP/IP stack

  1. #1 syntrx

    The ASTRO 25 and APX TCP/IP stack

    I'm working on home brewing some useful network services to talk to my ASTRO 25 radios via IP. This thread will be an ongoing brain dump of stuff I've figured out as my work progresses.

    Probably going to explore the attack surface presented by radios, KVLs, PCs and other infrastructure over IP, too...


    1. Auto Generate IP Address

    In case you ever need to figure out the IP address of a radio given a particular radio ID, an auto generated IP address on ASTRO 25 radios has the following format:

    dn nn nn ni

    where:

    d = 4 fixed bits with a value of 0xD
    n nn nn n = 24 bits representing the radio's ASTRO ID
    i = 4 bits representing the interface associated with the radio

    Values I know of for i include:

    1 == the RF interface
    2 == RNDIS (virtual ethernet over USB) interface, PC side
    3 == RNDIS interface, radio side

    From memory, other addresses are used when the PC (or KVL) to radio link is PPP. I have to hook my XTS 5000 up later to find these out as I haven't got an APX7000 serial cable.


    2. OTAR

    I can't afford a KVL 3000+, and I sure as hell can't afford a KMF.

    I want to build my own basic OTAR service to allow me to fill AES256 keys on my radios.
    ASTRO 25 and APX radios support DLI OTAR (Data Link Independent OTAR), which is essentially just TIA-102 key management messages encapsulated in UDP datagrams.

    Should be easy to smash something basic out in Python when I have time to generate the most important KMMs.


    3. Other Radio Services

    With regards to the other services, the guys who developed the ASTRO 25 and MOTOTRBO platforms definitely talked to each other a lot. There are probably quite a few engineers who worked on both. The TMS protocol is the same between both platforms, and I'd expect to find that ARS and LRRP are similar, if not identical also. Should make life a bit easier with regards to implementing useful (for the hobbyist) services to take advantage of TMS, LRRP etc.

    You can read a description of the TMS protocol in U.S. patent 8,023,973:
    http://www.google.com/patents/US20080161026

    My APX listens on the following ports. I know what some of them are for, but not others.
    Any of you folks have more insight?

    TCP:
    23 == the telnet server for RadioDebugger
    8000 == ??
    8002 == ??
    8003 == ??
    8051 == ??


    UDP:
    67 == DHCP (for the RNDIS link)
    161 == SNMP
    162 == SNMP
    4000 == ??
    4001 == LRRP (location) service, just like MOTOTRBO
    4005 == ARS, just like MOTOTRBO
    4007 == TMS, just like MOTOTRBO
    4011 == ??
    4012 == ??
    4055 == ??
    49165 == Authentication Service, for tactical OTAR et al
    49223 == Port where the radio expects to receive DLI OTAR KMMs from a KMF
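
    An added example (not syntrx's code, and not from the thread) that packs and unpacks the auto-generated address format from post #1 in Python: it builds the address from a 24-bit radio ID and a 4-bit interface value, recovers both from an address, and rejects addresses whose high nibble is not 0xD. The interface names are the three listed above; the radio ID used in the sample run is constructed.

```python
import ipaddress
from typing import Tuple

# Fixed high nibble of every auto-generated ASTRO 25 address (post #1).
FIXED_NIBBLE = 0xD

# Interface nibble values listed in post #1; anything else is reported as unknown.
INTERFACE_NAMES = {
    1: "RF interface",
    2: "RNDIS (virtual ethernet over USB), PC side",
    3: "RNDIS (virtual ethernet over USB), radio side",
}


def astro25_auto_ip(radio_id: int, interface: int) -> str:
    """Build the 'd nn nn n i' address: 0xD, 24-bit radio ID, 4-bit interface."""
    if not 0 <= radio_id < (1 << 24):
        raise ValueError("radio ID must fit in 24 bits")
    if not 0 <= interface < 16:
        raise ValueError("interface must fit in 4 bits")
    packed = (FIXED_NIBBLE << 28) | (radio_id << 4) | interface
    return str(ipaddress.IPv4Address(packed))


def parse_astro25_auto_ip(ip: str) -> Tuple[int, int]:
    """Recover (radio_id, interface) from an auto-generated address.

    Raises ValueError when the high nibble is not 0xD, i.e. the address was
    not produced by this scheme (a statically configured host, for instance).
    """
    packed = int(ipaddress.IPv4Address(ip))
    if packed >> 28 != FIXED_NIBBLE:
        raise ValueError(f"{ip} is not an auto-generated ASTRO 25 address")
    return (packed >> 4) & 0xFFFFFF, packed & 0xF


def describe(ip: str) -> str:
    """Human-readable summary, e.g. for labelling radio hosts seen in a capture."""
    radio_id, interface = parse_astro25_auto_ip(ip)
    name = INTERFACE_NAMES.get(interface, "unknown interface")
    return f"radio ID {radio_id} (0x{radio_id:06X}), interface {interface}: {name}"


if __name__ == "__main__":
    # Constructed sample: radio ID 0x123456 on the RF interface.
    ip = astro25_auto_ip(0x123456, 1)
    print(ip, "->", describe(ip))
```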


  2. #2 syntrx

    [ Removed for now. There's a security issue on the APX, more to follow pending what Motorola has to say about it. ]
    Last edited by syntrx; Sep 08, 2012 at 05:08 PM.

  3. #3 maxkelley

    Did you discover the security issue? If so, that's awesome! Congrats!

  4. #4 syntrx

    8002/tcp = CPS programming

    Quote Originally Posted by maxkelley
    Did you discover the security issue? If so, that's awesome! Congrats!
    Yep, it was kind of obvious though when I started poking the radio over the air from a packet data session initiated from my XTS5k. Bit worrying but I can see how it came to be.

  5. #5

    First of all I want to say this is really nice work. I like where you're going with this.

    Quote Originally Posted by syntrx
    when I started poking the radio over the air from a packet data session initiated from my XTS5k
    This may sound like a stupid question, but can you detail the steps to get a session going? As in, what is the procedure to set up a session from radio A and a PC to communicate with radio B over the air (where radios A and B are some ASTRO 25 or APX series equipment)?

  6. #6 syntrx

    Not that I've gone anywhere with this recently!

    Assuming the radio is set up correctly (if it's set up for TMS per the other instructions floating around and has W947/Q947 APCO Packet Data, you're good to go), all you need to do is create a dial up networking connection in Windows, and tell Windows that the serial port your radio is connected to has a modem.

    Use any old phone number, use any old username and password (I think), and hit dial.

  7. #7

    Thanks for the guidance, I have it working now. So a serial cable is a requirement?

  8. #8 syntrx

    No idea, to be honest. I've only got a serial cable to test with; never tried it with USB, but I assume it'd work.

  9. #9 GeForce

    I'm curious. I work with XTL and XTS radios (P25 digital trunked system), but not much has been done on the data side. I know it's kind of a joke by design, but hey, I'm pretty sure some cool projects can be made around it.

    Do you know what kind of information you can fetch from the radio using telnet or SNMP? Any way to get RSSI, or other information or statuses from the radio?

    Have you worked with radios in a P25 digital trunk, with the packet data gateway, etc.? I think there are many things that could be done in this area.

  10. #10 Alpha (T S - Moderator)

    The radio can be interrogated by Telnet or a serial COM package, depending on whether it's the APX or XTS series, but those only invoke a very basic debugger-style monitor that has very limited functionality. Do some searching here for the thread on it but I did a write up of the earlier XTS series and the "modem" functionality therein.

    The Trbo radios have a data/ARS gateway and server that another user has written, again do a search and you will find that thread.

    Otherwise, the P25 stuff requires lots of expensive boxes to make them do the data stuff and it's VERY slow speed compared to other technologies, so unless you have a small city's infrastructure budget, forget about it. Also, the documentation/applications they run on those expensive boxes is nearly undocumented - they want you to go take expensive training classes to find out about them and how they work.

  11. #11 GeForce

    Quote Originally Posted by Alpha
    Otherwise, the P25 stuff requires lots of expensive boxes to make them do the data stuff and it's VERY slow speed compared to other technologies, so unless you have a small city's infrastructure budget, forget about it. Also, the documentation/applications they run on those expensive boxes is nearly undocumented - they want you to go take expensive training classes to find out about them and how they work.
    I already have the expensive boxes (and the budgets), and yes, they are pretty much undocumented, but I'm working on getting all I possibly can from them. Even with a very slow link, there are amazing things to do (and I'm looking toward it)!

  12. #12

    Quote Originally Posted by GeForce
    Even with a very slow link, there are amazing things to do (and I'm looking toward it)!
    What kind of things do you have in mind?

  13. #13 GeForce

    Quote Originally Posted by mdodd
    What kind of things do you have in mind?
    Well, from the network side, I want to do some bandwidth accounting. Motorola tools suck hard.
    Radio-side, I want to get all the technical data I can get out. RSSIs, BERs, sites in range, radio status, and whatnot. Name it, I want to get it.

    Might not actually use all this data all the time, but a hell of a good debugging/monitoring/name-it tool it would be!

  14. #14 Astro Spectra (T S - Moderator)

    It is a fine thing to be honest, but it is also very important to be right.

  15. #15 syntrx

    So, the security issue I mentioned earlier was that the Radio Debugger is accessible remotely, over the air without authentication. Just like it is when you telnet to an APX over USB, except slower. You can do things like crash the radio by messing around in there, or (much more interesting) obtain the radio's current GPS position using the GPS: DUMP command.

    Motorola didn't ever respond, as such; they just deleted/made invisible the MOL case I used to raise the issue with them. But about 6 months or so later, they did eventually fix the problem in firmware 9.

  16. #16

    Wow that's terrible! Trust you to find it.