
Thread: x-in-l and x-see-mp connections

  1. #1
    mtndew No Longer Registered

    Default x-in-l and x-see-mp connections

    I have followed this work done by others here with great interest and have some progress of my own to report. From what I can see there are 3 levels of authentication.

    CPS is authenticated at level 0, normal IP devices authenticate at level 1, and IP devices with Clone Read / Write authenticate at level 2.

    There are also different authentication levels for repeater connections. The handshake process uses the TEA encryption algorithm. The last 8 bytes of the handshake packet starting with 0x0016 are random numbers sent from the device to the PC.

    The radio encrypts the same bytes and expects the PC to do the same. If the bytes encrypted by the PC do not match the bytes encrypted by the radio then the session fails. So this means there are encryption keys in every software package that makes XNL/XCMP network connections to trb0 radios and in every trb0 firmware image.

    Using the information from this site I have extracted the raw S-record firmware images from a mototrbo xpr6550. Decoding the S-records shows binary data and some strings; it looks like ARM microcode. No encryption keys in the clear.

    The software side, on the other hand, is a different story. I traced the execution of the M0totrb0 CPS while reading a radio device. When execution reaches the point of encrypting the 8 bytes, the XnlAuthenticationD0tNet.dll is forked. This is not a normal C# DLL. It's a C++ DLL embedded inside a C# DLL. This means that the process of decoding managed code into readable source code with .NET Reflector is not going to work like it does for the other CPS files.

    Additionally the DLL is obfuscated and will require someone with software like IDA Pro to somehow trace the execution and watch the registers for the encryption key (or the TEA delta 0x9e3779b9, which is the 32-bit representation of the golden number in base 16. It is always used to generate the encrypted bytes, so looking or watching for this might be easier than looking for an unknown), or find the DLL function export and create a custom fork from that DLL? Not sure, this is some high-level hacking. S1teSurv3y and M0t0trb0D3p0t both use this method of executing the crypto process.

    As an alternative I went looking for the encryption keys inside some 3rd-party programs. There are some 3rd-party software programs with free demos / trials available for download on the net that are all C#. Load it into your de4dot and load that into your .NET Reflector and you will have the encryption keys for a m0t0trb0 IP device, as well as a XRT9OOO gateway.

    We have written a few programs in Perl and C that initiate communication with a trb0 device and can send / receive most commands, with the exception of radio clone. We need to find a level 2 or CPS level 0 encryption key for that to work. We also need a repeater level access key. It is the holy grail of trb0 hacking! m0t0r0la does not want anyone doing anything to "THEIR" radios without them paying a royalty to them. The problem is this type of security is impossible. How do you store a secret key in code invisible to the user but visible to the program? You can't, it is impossible. It's just a matter of time before someone with the resources finds it, and is able to use "THEIR" radio to its full ability.


    [edited by Mars: Please use paragraphs!]
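    The challenge-response check this post describes, as an added example from the editor rather than the poster's own code: a reference TEA (Wheeler/Needham, 32 rounds, with the 0x9e3779b9 delta the post mentions) applied to the radio's 8 random challenge bytes, beside the radio-side comparison. The key and challenge are constructed placeholders, and big-endian packing of bytes into TEA words is an assumption the post does not confirm; the point it makes is that the PC can only produce a matching response if it holds the same key as the radio.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA 0x9e3779b9u  /* the constant the post says to watch for in the DLL */
/* Byte/word packing (big-endian). The post does not say how the radio packs its
 * 8 bytes into TEA words, so this byte order is an assumption. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)(x >> 24); p[1] = (uint8_t)(x >> 16); p[2] = (uint8_t)(x >> 8); p[3] = (uint8_t)x;
}

/* Reference TEA (Wheeler/Needham, 32 rounds): encrypt one 64-bit block v under 128-bit key k. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* PC side: turn the radio's 8 random challenge bytes into the 8-byte response. */
void handshake_response(const uint8_t challenge[8], const uint8_t key[16], uint8_t out[8]) {
    uint32_t v[2] = { be32(challenge), be32(challenge + 4) };
    uint32_t k[4] = { be32(key), be32(key + 4), be32(key + 8), be32(key + 12) };
    tea_encrypt(v, k);
    put_be32(out, v[0]); put_be32(out + 4, v[1]);
}

/* Radio side: encrypt the same challenge with its own copy of the key and accept only an
 * exact match. Returns 1 (session continues) or 0 (session fails). */
int verify_response(const uint8_t challenge[8], const uint8_t key[16], const uint8_t response[8]) {
    uint8_t expected[8];
    handshake_response(challenge, key, expected);
    return memcmp(expected, response, 8) == 0;
}

int main(void) {
    const uint8_t key[16] = "placeholder_key!";  /* constructed placeholder, not a real key */
    const uint8_t chal[8] = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe };  /* constructed */
    uint8_t resp[8];
    handshake_response(chal, key, resp);
    for (int i = 0; i < 8; i++) printf("%02x", resp[i]);
    printf(" accepted=%d\n", verify_response(chal, key, resp));
    return 0;
}
```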

  2. #2
    brizey No Longer Registered


    Sweet work! Would like to see some of the code work to control the radio functions.

  3. #3
    mtndew No Longer Registered


    Okay, can someone recommend a free file host? I have a .tar.gz of source and bin of a sample program. TIA

  4. #4
    mtndew No Longer Registered


    Here's the RSSI monitor to get you started.

  5. #5


    Great work! Really interested to see where this goes... Hopefully Mother M doesn't get pissy that you are poking around in her playground.

  6. #6
    brizey No Longer Registered


    You figure out any more of the opcodes? Looking for TX for a project!

  7. #7
    mtndew No Longer Registered


    What specifically do you need? Transmit control request is 0x0415 followed by 0x01 for keyup or 0x02 for dekey, then followed by 0x00.

  8. #8
    mtndew No Longer Registered


    BTW all opcodes are listed in the devel docs. PM for details.

  9. #9
    brizey No Longer Registered


    You have PMs turned off. Just wanted to make an application that will key up a radio for a set amount of seconds while a message is being played through the back mic pins on the radio.

  10. #10
    mtndew No Longer Registered


    Someone in our group has made progress on this. Stay tuned for some new software soon.