Thread: Recovering ADP Keys from radio

  1. #1
    Join Date: Feb 27, 2012 | Location: Raven Rock | Posts: 121

    Recovering ADP Keys from radio

    Is there a way to recover an ADP key from a radio? I tried using a known key and the WinHex virtual memory editor to search for the key.

    Thanks


  2. #2
    Join Date: Dec 21, 2011 | Posts: 4,064 | Country: Canada

    Software ADP keys are stored in cleartext, within the codeplug partition. I'm unsure if they're read from the radio during a normal CPS codeplug read (a CPS "codeplug" is not the same as the "codeplug partition"), but they are definitely accessible with the right tools.

    As for hardware ADP (UCM), they are also recoverable, but not in cleartext. The key-database on the UCM is susceptible to cloning. I have personally verified this. The cloning weakness can be eliminated if FIPS 140-2 and "Radio Lock" are enabled before keys are loaded.

    ADP should not be considered secure. It's simply an easy way to get rid of scannerheads.

  3. #3
    Neo (No Longer Registered)

    If the codeplug is saved as an unencrypted srec1, can the ADP keys be discovered? ADP is so lame I've never even used it, but I bet it's in clear text in the srec1.

  4. #4
    Join Date: Dec 21, 2011 | Posts: 4,064 | Country: Canada

    Yah, Neo. You and I both know it. I only use ADP to communicate with lamers who are too cheap to invest in good encryption :-) Kind of like a "secret PL tone". LOL

  5. #5
    Join Date: Feb 04, 2012 | Posts: 1,631

    From my research I have found that the ADP keys are not read during a normal CPS read. The same applies to an s-rec. The only time they will be in an s-rec is if the user has loaded the keys into the CPS codeplug and then saved the file as an s-rec. They are in clear text, as Neo suspects.

    To discover unknown keys would take a bit more work and require access to an encrypted unit. In most cases this would be difficult to impossible. The only other option would be brute-force decoding of an encrypted message. This site is not going to go on about the legalities of doing this (other sites can do that). There is no law that says you can't look at something and learn what it is and how it works; this site is set up to do exactly that. We just won't help you endanger anyone or remove rightful income from anyone.

  6. #6
    Join Date: Feb 12, 2012 | Posts: 97 | Country: United States

    Quote, originally posted by Bigfella237:
        I've never really bothered 'playing' with ADP (it's like owning a Harley but still riding a tricycle)

    What program would you use to pull an S-rec from an XTL/XTS5000?

  7. #7
    Join Date: Feb 27, 2012 | Location: Raven Rock | Posts: 121

    I want to be able to get the keys out of an issued radio that I have and put them in another unit. Mainly, I have an XTS2500 issued and want to use my APX.

  8. #8
    Join Date: Feb 04, 2012 | Posts: 1,631

    Okie: there is rumored internal software that will make an s-rec of the codeplug under certain conditions. Don't bother asking; I don't have it and am not interested in anything like that. I think you will find that just about everyone feels the same way. In fact, the site rules state that such programs are not of interest here.

    medic: I would think that the system admin would be glad to load the keys for you. You may have to provide them with APX CPS if they don't already have it. But to answer the question asked: you would have to perform "brain surgery" on the radio to dump the internal memory. This type of work is way beyond the average user. Just so no one gets all excited, almost any radio from any manufacturer can have its memory read by the "surgery" method. This is not a secret, nor does it compromise security or any patent. Bottom line: if it's memory, it can be read if you are determined enough.

  9. #9
    Join Date: Aug 27, 2012 | Location: Chicago, Illinois | Posts: 15

    Hi All,
    I emailed MARS first to see if it was OK to post my question, and he said that I would be OK posting on the site, so please take that into consideration when reading this.
    I am not very handy when it comes to computer hardware and program writing, so I am having a bit of trouble tackling this myself. I understand that ADP keys are able to be recovered using the brute-force method. I have scoured the net and found many programs designed to use the brute-force method on the RC4 algorithm, but for the most part they are all for cracking computer and Word document passwords/keys. What I would like to do is use the brute-force method or a packet sniffer like Wireshark to recover the ADP key from recorded or live baseband audio from a discriminator tap. My problem is that I really do not know where to start. I have been doing extensive research on the Internet and have found vast amounts of information on the algorithm and ADP; I just do not know how to apply it in a real-world setting. I was hoping someone on this site would be kind enough to either share a program they may have created or come across (I am even willing to pay for it if need be), or to help me get going in the right direction and do a little hand-holding while walking me through the process of recovering the keys. Again, if need be, I am more than happy to compensate anybody who can help me for their time and expenses (phone bills, software costs, etc.) for any help acquiring the information I am seeking.

    Thank You All For Your Time,
    Robert Klamp

  10. #10
    Join Date: Feb 04, 2012 | Posts: 1,631

    There is no program to decode ADP. There are a few of us who are actively working on this project. In fact, I think that we might start a forum dedicated to working on ADP.

    A bit of basic information on ADP. The key is 40 bits (10 bytes), but there are another 64 bits (16 bytes) added to the key; this combined 40 + 64 bit "Master" key is then used by RC4 to encrypt the traffic. There are a few other details, but what we need is a program that will brute-force the keystream. I don't know how far your research has got you, but I welcome someone else who is ready to put in some work either developing a program or modifying an existing program to work on a known ADP package.

  11. #11
    Join Date: Dec 21, 2011 | Posts: 4,064 | Country: Canada