Thread: Radio Debugger: TRBO 2.0 edition

  #1 syntrx

    Radio Debugger: TRBO 2.0 edition

    What else do you do when you get a new radio other than nmap it?

    My XPR7550 presents a radio debugger, similar to that found on the APX, on TCP port 8051.

    I haven't got a legacy TRBO radio to play with, but do they have a similar feature? What other commands are known? I tried a few from the APX (such as GPS:DUMP et al.), but they're not recognised here. The APX debugger was crippled heavily in R09, so I wouldn't be surprised if the same happened to TRBO firmware around the same time.

    Code:
     (C) Copyright 2013 MOTOROLA SOLUTIONS, INC. ALL RIGHTS RESERVED

    Welcome to AT debug

    Welcome to Host radio debugger.

    ERROR: Unknown command

    AT_Debug>?

     ERR:DUMP                      Reports the status of Reset Capture's in FLASH
                                   and the current Arming configuration.
     ERR:RCARM                     Manually Arms reset capture.
     ERR:RCDISARM                  Manually DisArms reset capture
     ERR:CLEAR                     Clears out any previously captured image.
     ERR:CAPTURE                   This forces a reset capture.
     ERR:CAPTURE_DSP               This forces a reset capture.
     VER                            Display radio version info
    AT_Debug>
    AT_Debug>VER

    AT_Debug>

     (C) Copyright 2013 MOTOROLA SOLUTIONS, INC. ALL RIGHTS RESERVED

    ----------------------------------------------------------
    Radio firmware version
    ----------------------------------------------------------
    L2 boot loader : R02.06.00
    L3 boot loader : R02.06.01
    PSDT : 52020600 [R02.06.00]
    Configuration : 52020601 [R02.06.01]
    Kernel : R02.06.01
    Host : R02.06.04
    DSP : R02.06.04
    MBR : 52020600 [R02.06.00]
    Codeplug 1 (Tuning) : 00040012 [R04.00.12]
    Codeplug 2 (Security, App, Features) : 00040012 [R04.00.12]
    Control Head : R02.06.00
    Bluetooth/GPS : R02.06.04

    AT_Debug>


  #2 Alpha

    I have done some extensive research along those lines. Here's a thread related and a document I created that indexes most of the Hayes Smartmodem Emulation commands (the so-called "AT command set").

    Here 'tis: https://www.p25.ca/threads/776-ASTRO...ogging-feature

  #3

    How to debug?

  #4

    Alpha has indicated that there may be a Telnet port available on the more recent MotoTRBO USB (NDIS) Radios.

    Can anyone else offer some more clues here please .. i.e. Telnet Port number etc ...

    cheers

  #5

    You might try port 23. That is the standard port number for telnet.
    Poor planning leads to poor results-->Welcome to OKWIN.

  #6

    Quote Originally Posted by sgtslaughter501:
    You might try port 23. That is the standard port number for telnet.
    Thanks for that (too obvious for me to think of - I can't see the "forest for the trees").

    Well - I just tried on port 23 - but no joy for me - will anyone else give it a try and let us know please?

    cheers

  #7 Alpha

    You found the thread, well done. Now read the first post. The port is mentioned therein.

  #8

    Quote Originally Posted by Alpha:
    You found the thread, well done. Now read the first post. The port is mentioned therein.
    Hi Alpha,
    I originally found your thread from this one

    Code:
    D:\Program Files\Apache Software Foundation\Apache2.2>ping 192.168.10.1
    
    Pinging 192.168.10.1 with 32 bytes of data:
    
    Reply from 192.168.10.1: bytes=32 time=4ms TTL=64
    Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
    Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
    
    Ping statistics for 192.168.10.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 4ms, Average = 1ms
    Code:
    Microsoft Telnet> o 192.168.10.1 8051
    Connecting To 192.168.10.1...Could not open connection to the host, on port 8051
    : Connect failed
    Microsoft Telnet>
    But as you can see I had no joy on that port (and I'm not sure what an XPR7550 is ??).
    I have access to a DM 3600 (with USB cable) and a DP 3600 (without cable).

    I know networks reasonably well - Radios - hardly at all!

    cheers

  #9 Alpha

    Well, you now know about the debugger as I do. Perhaps Syntrx will clue us in on how he opened the port. I assumed it was Telnet, I could be incorrect - maybe an FTP client?

  #10

    Quote Originally Posted by Alpha:
    Well, you now know about the debugger as I do. Perhaps Syntrx will clue us in on how he opened the port. I assumed it was Telnet, I could be incorrect - maybe an FTP client?
    Ha Ha thanks for that - I will do

    P.S. Is the XPR7550 a "MotoTRBO" radio please ?

    (I can Telnet into my Radio on port 8002 - it answers - non text 'cos it's the XNL Protocol port ).

  #11 cyrus

    From reading other posts, it would appear the radio shows up as a COM port that can be accessed using a terminal program like Procomm.
    Cyrus

    Bubbles: I'd like to see that Red Blue Green c***sucker put one of those together, duct-tapin' it.

  #12 Alpha

    That is true of the Astro and XTS radios (that they emulate a Hayes-compatible modem on a COM: port), but then why the mention of the port #? That's what made me think Telnet or FTP client.

  #13 syntrx

    I have no idea how I opened the port; I can't reproduce this either.

    The radio had been read with CPS a minute or two before I posted the info above, and scanned with nmap before I went and hit 8051. One of those operations could have caused the port to be opened.

  #14 Alpha

    What tool did you use to talk on the port, is there an internal probe or telnet-type client within NMAP? IOW how did you get the display capture you show above?

  #15 syntrx

    Quote Originally Posted by Alpha:
    What tool did you use to talk on the port, is there an internal probe or telnet-type client within NMAP? IOW how did you get the display capture you show above?
    I just used telnet. nmap showed it as being open, so I connected to it with an ordinary telnet client and got the output you saw above.

    I'll play with it some more tomorrow night when I'm less jetlagged, and try and figure out what the hell I did.

  #16

    It's possible that the port remains active as long as the programming cable is connected after programming with CPS. Even though the radio resets, the port remains active as long as the cable is not removed?

    oldfart - yes, the XPR7550 is a TRBO v2.0 radio. It is the same as the DP4801 in the EMEA market.

  #17

    Quote Originally Posted by Notarola:
    It's possible that the port remains active as long as the programming cable is connected after programming with CPS. Even though the radio resets, the port remains active as long as the cable is not removed?

    oldfart - yes, the XPR7550 is a TRBO v2.0 radio. It is the same as the DP4801 in the EMEA market.
    Thanks for that Notarola.

  #18 syntrx

    So I just discovered I had an idiot moment when I wrote down the port last time.

    It's not 8051; it's 8501.

  #19

    Quote Originally Posted by syntrx:
    So I just discovered I had an idiot moment when I wrote down the port last time.

    It's not 8051; it's 8501.
    Thanks syntrx,

    Thanks for that - I may give it a "whack" later today!

    cheers
    Will B aka OF

  #20 x27

    Found in unpacked firmware for XPR:

    DSPLOGDUMP Displays information about the lightweight logging.
    DSPLOGDUMP:ONCE DUMP DATA IN THE BUFFER ONCE AND EXIT.
    DSPLOGDUMP:FOEVER DUMP DATA IN THE BUFFER FOEVER, THIS COMMAND WILL NEVER RETURN!!!.
    DSPLOGDUMP:SECOND:0XAAAA, DUMP AAAA SECONDS DATA
    DSPLOGDUMP:RECORD:0XAAAA, DUMP AAAA RECORDS DATA

    CPUFREQ Displays information of CPU clock frequency.

    MEM:READ:<8 digit hex address>:<access size>:<optional hex num of bytes>
    <access size> = "B"=8 bits; "S"=16 bits; "L""=32 bits
    <optional hex num of bytes> = number of bytes to read.

    MEM:WRITE:<8 digit hex address>:<access size>:<raw data byte(s)>
    <raw data byte(s)> = String of hex byte pairs representing the exact
    data to be written.

    OS:HELP - displays a list of the available event filters
    OS:EVENT:FILTER:ADD:<16 bit hex number>
    OS:EVENT:FILTER:REMOVE:<16 bit hex number>
    OS:KERNEL - dumps the current snapshot of the OS kernel
    OS:DUMP - dumps the current log
    OS:ENABLE - enables OS event logging.
    OS:DISABLE - disables OS event logging.
    OS:LISR:FILTER:ADD:<32 bit vector number> - enables a filter on a specific vector number.
    OS:LISR:FILTER:REMOVE:<32 bit vector number> - disables a filter on a specific vector number.
    OS:TASK:FILTER:ALLOW:ADD:<Task name (8chars max)>
    OS:TASK:FILTER:ALLOW:REMOVE:<Task name (8chars max)>
    OS:TASK:FILTER:DISALLOW:ADD:<Task name (8chars max)>
    OS:TASK:FILTER:DISALLOW:REMOVE:<Task name (8chars max)>
    OS:TASK:FILTER:STATE:ALLOW - Use the ALLOW Task list when logging events (LOG Events in these Tasks).
    OS:TASK:FILTER:STATE:DISALLOW - Use the DISALLOW Task list when logging events (Dont LOG Events in these Tasks).
    and other commands.

    How to enable it, I do not know (for now).

  #21 Alpha

    They dumbed down the debugger for the APX (or TRBO?) radios, I recall; the early firmware had a better, much more complete debugger and they stripped out most of the functionality in later firmware revisions. They may have done the same for the TRBO line too, in which case you are seeing old help for the debugger which is no longer correct since they killed off most of those "features".

  #22 x27

    Code supporting these commands is also present (IDA shows it).
    The developers just could have hidden the unsafe debug commands,
    and somewhere a small key makes them work.

  #23 syntrx

    Found something else cool on an XPR6550 yesterday.

    Code:
    AT_Debug>?
     DSPERR:CAPTURE                Trigger a reset capture via the dsp.
     ERR:DUMP                      Reports the status of Reset Capture's in FLASH
                                   and the current ARMing configuration.
     ERR:RCARM                     Manually Arms reset capture.
                                   CAUTION: in RC_LAB_USE builds, manually arming
                                   reset capture will erase a portion of a previous-
                                   ly recorded reset capture data set.
     ERR:RCARM_TRAMPLE             Manually Arms reset capture for Trample Captures
                                   CAUTION: Upon a Reset Capture scenario, your
                                   Foreign Language Pack Data will be erased.
                                   CAUTION: in RC_LAB_USE builds, manually arming
                                   reset capture will erase a portion of a previous-
                                   ly recorded reset capture data set.
     ERR:RCDISARM                  Manually DisArms reset capture
                                   CAUTION: in released builds manually disarming
                                   reset capture will erase a portion of a previous-
                                   ly recorded reset capture data set.
     ERR:CLEAR                     Clears out any previously captured image. Used to
                                   guarantee an old image is not resident in radio
     ERR:CAPTURE                   This forces a reset capture. It will capture even
                                   if reset capture is disabled.
     ERR:CAPTURE_DSP               This forces a reset capture. It will capture even
                                   if reset capture is disabled. It will capture the
                                   DSP first.
     ERR:RESET                     This forces a reset, and will not trigger a reset
                                   capture.
     FLASH_GPS                     Reset GPSIC to internal boot mode
     GPS                           Change to GPS SIRF binary debug mode
     GPS:<SIRF|NMEA>               Change to GPS SIRF binary or NMEA debug mode
     GPS:SIRF:<Baudrate>           Change to GPS SIRF binary protocol with baudrate
                                   1200,2400,4800,9600,19200,38400,57600,115200
     GPS:NMEA:<Baudrate>           Change to GPS NMEA protocol with baudrate, 1200,
                                   2400,4800,9600,19200,38400,57600
     VERSION                       Display radio version info
    Telnet to port 8501, give it the GPS:NMEA command. Connect to port 8502, and the radio will dump out NMEA sentences from the GPS module.
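A small audit helper, added here and not from anyone in this thread: it checks whether the host debugger still answers on the radio's NDIS address (192.168.10.1 as seen in post #8 and port 8501 as corrected in post #18, both assumptions for your own radio) and parses a VER dump like the one in post #1 into a firmware inventory you can track against patch levels.

```python
import socket

# From this thread: the radio's USB NDIS address seen in post #8 and the
# debugger port as corrected in post #18 (both assumptions for your setup).
RADIO_ADDR = "192.168.10.1"
DEBUG_PORT = 8501
BANNER_MARK = "Welcome to Host radio debugger."

# Constructed sample: VER output as pasted in post #1 (abridged).
SAMPLE_VER = """\
----------------------------------------------------------
Radio firmware version
----------------------------------------------------------
L2 boot loader : R02.06.00
PSDT : 52020600 [R02.06.00]
Host : R02.06.04
Codeplug 1 (Tuning) : 00040012 [R04.00.12]
AT_Debug>"""


def parse_version_dump(text):
    """Map the 'Radio firmware version' table to {component: version}.
    'PSDT : 52020600 [R02.06.00]' keeps only the bracketed R-version."""
    versions = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if not sep:
            continue                      # header rules, prompt, blanks
        value = value.strip()
        if value.endswith("]") and "[" in value:
            value = value[value.rindex("[") + 1:-1]
        versions[name.strip()] = value
    return versions


def debugger_banner(host=RADIO_ADDR, port=DEBUG_PORT, timeout=2.0):
    """Return the banner if the AT debugger answers on host:port, else None.
    Connects and reads only, sends nothing; run it after CPS programming with
    the cable unplugged to confirm the port has closed again (post #16)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while BANNER_MARK.encode() not in data:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:                       # refused, unreachable or timed out
        return None
    text = data.decode("ascii", errors="replace")
    return text if BANNER_MARK in text else None
```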