Thread: Thales 25: Enabling AES the easy way

  1. #1

    Thales got out of the civilian radio market several years ago. Thales 25 (aka Racal 25) portable radios are cheaply and easily available from eBay, and are no longer supported by the manufacturer. Software feature additions are therefore no longer available.

    A real shame, because despite its age it's a truly outstanding radio; you cannot buy a better conventional VHF P25 portable for the money.

    The T25 radio has a 32-bit feature mask, analogous to a flashcode in the Motorola world. The "/config" command will allow you to view the radio's feature mask; the meaning of each bit is given in the T25 Remote Commands document.

    To enable all of the radio's optional features we need to set all of those bits to 1, giving us a mask of 0x0000007f.

    Following a good 45 minutes' worth of poking in the firmware update tool with Ghidra, I've figured out how to set the feature mask to whatever value you want. The following command, sent over the serial port, will set the feature mask to 0x0000007f, giving you AES, GPS, OTAR and everything else.

    0xDB 0x1E 0x11 0x04 0x00 0x01 0x05 0x0F 0x15 0x04 0xBC

    I do not propose to do a detailed writeup of every possible message that can be exchanged between the PC and the radio. But using this as an example, commands to and from the radio are generally structured as follows:

    DB = Start of frame
    1E = Opcode
    11 = Command/response? (PC to radio is generally 0x11, responses generally 0x16)
    04 = Number of payload bytes to follow
    00 01 05 0F = Argument bytes
    15 04 = CRC-16-CCITT, XORed with 0xFFFF
    BC = End of frame

    The easiest way of sending this command to the radio from a Windows box is by using PowerShell. Change COM1 as appropriate for your own machine.

    Code:
    # Open the serial port: 9600 baud, no parity, 8 data bits, 1 stop bit
    $port = New-Object System.IO.Ports.SerialPort COM1,9600,None,8,one
    $port.Open()
    # Write the 11-byte frame shown above
    $port.Write([Byte[]] (0xDB, 0x1E, 0x11, 0x04, 0x00, 0x01, 0x05, 0x0F, 0x15, 0x04, 0xBC), 0, 11)
    Write-Output "done!"
    $port.Close()

    I have tested this with four of my own radios. But as with anything posted here, don't blame me if it breaks yours.


  2. The Following 27 Users Say Thank You to syntrx For This Useful Post:

    AD0JA (Oct 17, 2019),Alpha (Oct 16, 2019),Blackwater (Oct 18, 2019),box (Oct 14, 2019),bsdam (Oct 14, 2019),c17lvfd (Oct 16, 2019),com501 (Oct 14, 2019),ffr58kk90 (Oct 18, 2019),Forts (Oct 14, 2019),foxtrotdelta (Oct 14, 2019),kondoros (Oct 14, 2019),Mars (Oct 14, 2019),Mototom (Oct 14, 2019),Navy_BOFH (Oct 16, 2019),NSPD (Oct 30, 2019),RFI-EMI-GUY (Oct 15, 2019),Rola (Oct 15, 2019),slim (Oct 14, 2019),SPECIAL_EYE (Oct 14, 2019),splinter34 (Oct 14, 2019),SwissMoto (Oct 18, 2019),tbiggums (Oct 14, 2019),TESTMODE (Oct 14, 2019),TRENT310 (Oct 19, 2019),Viper1-6 (Oct 14, 2019),wildbillx (Oct 14, 2019),wiredwrx (Oct 14, 2019)
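
    The frame layout described in post #1, as an added example that is not part of the original post or of any Thales tooling: a Python decoder that checks the framing bytes and the length byte and splits a captured frame into its fields. The function, class and field names are assumptions; the CRC bytes are returned as received and not recomputed, because the post does not give the CRC's initial value or the byte range it covers.

```python
from dataclasses import dataclass

SOF, EOF = 0xDB, 0xBC   # start/end-of-frame markers, as listed in the post
DIRECTIONS = {0x11: "pc->radio", 0x16: "radio->pc"}  # "generally", per the post
OVERHEAD = 7            # SOF + opcode + direction + length + 2 CRC bytes + EOF


class FrameError(ValueError):
    """Raised when bytes do not match the layout described in the post."""


@dataclass(frozen=True)
class Frame:            # hypothetical container; names are not from the post
    opcode: int
    direction: str
    args: bytes
    crc: bytes          # as received on the wire; not verified here


def parse_frame(raw: bytes) -> Frame:
    """Validate framing and length, then split one frame into its fields."""
    if len(raw) < OVERHEAD:
        raise FrameError(f"truncated: {len(raw)} bytes, need at least {OVERHEAD}")
    if raw[0] != SOF:
        raise FrameError(f"bad start of frame 0x{raw[0]:02X}")
    declared = raw[3]
    actual = len(raw) - OVERHEAD
    if declared != actual:
        raise FrameError(f"length byte says {declared} argument bytes, frame holds {actual}")
    if raw[-1] != EOF:
        raise FrameError(f"bad end of frame 0x{raw[-1]:02X}")
    direction = DIRECTIONS.get(raw[2], f"unknown(0x{raw[2]:02X})")
    return Frame(raw[1], direction, bytes(raw[4:4 + declared]), bytes(raw[-3:-1]))


# The 11-byte command quoted in the post, used here only as decoder input.
POSTED = bytes.fromhex("DB 1E 11 04 00 01 05 0F 15 04 BC")

if __name__ == "__main__":
    frame = parse_frame(POSTED)
    print(f"opcode=0x{frame.opcode:02X} dir={frame.direction} "
          f"args={frame.args.hex(' ')} crc={frame.crc.hex(' ')}")
    try:
        parse_frame(POSTED[:-2])   # constructed malformed input: frame cut short
    except FrameError as exc:
        print("rejected:", exc)
```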

  3. #2

    This should be a sticky. GOOD JOB!!
    Apparently NOT a radio professional.

  4. The Following 3 Users Say Thank You to com501 For This Useful Post:

    Echo4Thirty (Oct 16, 2019),Navy_BOFH (Oct 16, 2019),syntrx (Oct 16, 2019)

  5. #3

    I don't think I was the first to come up with this, but I was the first to publish it.

    Someone else was asking the right questions to get to the same point as I did.

  6. The Following 3 Users Say Thank You to syntrx For This Useful Post:

    Navy_BOFH (Oct 16, 2019),NSPD (Oct 30, 2019),Phil (Nov 03, 2019)