Results 1 to 5 of 5

Thread: Sepura feature codes and RM info

  1. #1
    Join Date
    Feb 09, 2013
    Posts
    43
    Thanks
    23
    Thanked 10 Times in 8 Posts
    Country: Finland

    Default Sepura feature codes and RM info

    I've been fiddling around with Sepura terminals (STP8000-, STP8X-, STP9000- and SRG -series) for a year and a half.

    If this post, or a part of it, fails to comply with forum rules please let me know and I apologize. I read the rules and this might be leaning towards a gray area.

    This post concerns use in the radio amateur scope only, not professional, public safety or profitable use.
    Most of the time, they're great devices. The programming is somewhat different from Motorola CPS.
    The biggest drawback, is the inability to turn on features "for free". One feature to be had, is DMO repeater mode.
    First a bit of background on programming.
    Sepura radio manager (I'm using 2.0) is made of three pieces:
    1. Radio manager
    2. SQL database, where everything is stored
    3. Radio manager client, that updates data TO radio FROM SQL database


    1. Radio manager
    This uses TEMPLATES for;
    • Network
    • Talkgroups
    • Contact list
    • Profile
    • SDA (Short data Application)
    • Device
    • And optional custom template that can override desired (though not all) settings defined in previous templates.

    For each software version you intend to use, you must have a separate template.
    Templates can be upgraded, but not downgraded.

    This makes it quite easy for example to update TG:s to different model radios while still having distinctly different GUI on mobiles/portables.
    All data is stored on the SQL server that runs locally, or on a centralized MS SQL server.
    Before programming:
    • a terminal (mobile/portable), it must be listed in terminals, and is identified by TEI.
      • This can be done with the RM client, more on that later.

    • The terminal must be mapped to a subscribed identity ISSI/ITSI


    To program a radio, a programming batch has to be created:
    • Select the correct terminal family AND software version
    • Select the sub/terminal-mappings this batch affects
    • Select the required templates
    • Select which clients this affects
    • The RM will run a validation
    • Select a few options regarding the process, a few examples listed below:
      • Update PIN/PUK
      • Update contact list
      • Update feature code
      • Update tcp/ip-data
      • Define a timerange, when the programming is in effect (easy for migrations etc)


    The result is a "blob" that's stored in the SQL DD

    3. Radio Manager Client
    This is the software that does the programming and interfacing to the radio. This can installed standalone on a computer.
    Each radio manager client (device) has to be configured in the radio manager. Configuration parameters include, but are not limited to, client hostname, serial ports on client, port speed, allowed operations (RM toolbox etc)
    The radio manager client app shows each configured serial port, and the TEI for a possibly connected radio.
    Once batch data is updated to the client, it will start processing any terminal that has an update coming at that time.

    The client also has a Toolbox (separate app on RM1.8) that can:
    • Read info (xml blob)
      • This includes some sort of log of what has been done to the radio.
      • The log seems to reset when radio is wiped. It's in HEX (See attachment 28660.txt)

    • Read data to RMC
      • this is what could be described as a Codeplug
      • RMC data can be imported to a template
      • RMC data can not be directly cloned to another terminal
      • RMC size is about 20MB

    • Wipe radio.
      • Radio will show "Engineering mode" and is a clean slate.
      • Wiping radio does not by my testing wipe featured license codes.
      • Afaik, this has nothing to do with tuning data


    Feature codes
    Radios can be upgrade with different feature codes (line out, DMO repeater mode, gateway mode etc).
    These are inserted in RM per terminal, and updated while creating a batch. RM does not validate the feature code.
    The feature code validation is done at the end of transferring a programming batch to terminal and results in an ERROR.

    Now this is what would really be nice, to generate feature license codes.
    By opening up this discussion online, I will most probably be cut off from my present source of purchased, most likely bootlegged, feature codes (eBay).
    The other option (about the same price) is to purchase from a Sepura dealer.

    The third option would be to find out HOW they are calculated. A feature code request is done by sending the terminal TEI and desired feature.
    The returned feature license code is a hex string.
    Here are the product numbers for a few options:
    DMO repeater STP9000, STP8X 600-00004
    DMO repeater SRG3900 600-00005
    DMO power SC2, STP, SRG 600-00353
    Network by TG SC2, STP, SRG 600-00348
    DMO GW SRG3900 600-00006
    Virtual console 1st SRG 600-00026
    Virtual console 2nd SRG 600-00027
    Line-Out SRG3900 600-00033
    DMO/TMO by TG SC2, STP, SRG 600-00349

    And these will result in the following hashes/feature license codes:
    TEI Option feature code
    000109179027510 gw+rep 34A5DC53FA1CF7B9D8CFD3C9EAD442C6C000
    000109179028660 rep 988D33765CEE08CD5E3FD90ABC0FDBD94000
    000109179028660 rep+line out 98365298CD1081B2AD6AEF5A08554B674100

    I do not have the skillset to dwell into hex code, shifting bits or similar. I have seen people on this forum that are capable of finding distinct patterns.
    ​I'm looking for any input to help with this :-)
    I just might purchase one or two license codes just to add a bit of entropy.

    The funny thing is, if, and I must stress IF this gets solved, it's most probably possible to apply the findings to other areas as well.

    This, in addition to the FCC images should give some insight to the innards. Removing cans was new to me, do I didn't open them all up.
    Attached Files Attached Files
    Last edited by Astro Spectra; Jan 19, 2020 at 08:11 PM. Reason: One drive image link removed at OP's request


  2. #2
    Join Date
    Feb 09, 2013
    Posts
    43
    Thanks
    23
    Thanked 10 Times in 8 Posts
    Country: Finland

    Default

    I have a correction to make. The attached files (28660.txt) eventlog is not HEX as I remembered.
    It seems to be crypted data. No clue how to open it.

  3. #3
    Astro Spectra's Avatar
    Astro Spectra is online now T S - Moderator
    CS Forums $upporter
    Join Date
    Nov 22, 2012
    Posts
    910
    Thanks
    352
    Thanked 619 Times in 307 Posts
    Country: Great Britain

    Default

    MK, you realise your one drive link gives away your name?

    Reverse engineering the means to enable otherwise paid for feature codes is not something manufacturers like and in some countries it's against the law. While your present post doesn't break the rules regarding proprietary rights, the creation of a solution here, as you propose, or in PMs will.
    It is a fine thing to be honest, but it is also very important to be right

  4. #4
    Join Date
    Jan 22, 2020
    Posts
    1
    Thanks
    0
    Thanked 2 Times in 1 Post
    Country: Switzerland

    Default

    Hello there,

    First post here, and I'd try not to break the rules

    I can help you a bit on that, spent quite too much time trying to figure this out.

    First thing first, according to my testing, RM2 is not able to tell if a Feature code is valid or not ... but it knows whats feature are in a given license code. That's the part I "reversed".


    Features are contained in the last 4 digits of the key this way:


    | Gateway 8 | Repeater 4 | CoverTModem 2 | Premuim 1 |||| Console 1 8 | Console 2 4| Perm TX (Unusable,2) | Line In Out 1 ||| Man Down 8| Encryption 4| CallOut 2| GPS 1||| ? | ? | ? | ? ( All fours are unusable aswell)

    Ex:
    Rep + line out : 4100
    Gw + Rep + Lineout + man down : C1800


    Hope this helps.

  5. The Following 2 Users Say Thank You to Kwi For This Useful Post:

    hektik (Jan 23, 2020),Shuttle (Jan 23, 2020)

  6. #5
    Join Date
    Feb 09, 2013
    Posts
    43
    Thanks
    23
    Thanked 10 Times in 8 Posts
    Country: Finland

    Default

    It helps a bit. I'm wondering if the two first characters (98 and 34) are tei-dependent