
Thread: Tait Feature Keys - TM9100 series

  #1 (member joined May 07, 2012)

    Tait Feature Keys - TM9100 series

    Ok... Tait keys...

    I've been trying to figure out what the hell is going on with these keys - as I'd love to enable a few extra features.

    This is what I've come up with for the moment:
    http://www.austech.info/484178-post25.html

    On my site, I've got the firmware, programming software, and a few other little goodies that may help. -> http://www.crc.id.au/apco25/

    Would love to hear some thoughts....


  #2 (member joined May 07, 2012)

    Tait Feature Keys - TM9100 series

    I've been trying to figure out the method used to generate the SFE keys for Tait 9100 series radios. They have lots of features that are enabled by these codes - and there isn't a great deal to the code.

    I've documented my progress so far, but I'm starting to draw a blank. Wondering if someone can point me in the right direction...

    http://www.crc.id.au/apco25/


  #3 (member joined Feb 04, 2012)

    CRCinAU, I have read your posts at Austech, although I have not replied because I am tied up with several projects at this time. But since you have posted here: I think you are on the right track on much of what you're doing. Excellent work.


    As far as the system keys are concerned, it looks like the keys are encrypted. It also looks like the different manufacturers are using a different encryption key but most probably the same encryption format. If you have a sample of a Tait key it would be interesting to see one. A dummy key like the one for the EFJ would be ideal. If you don't have a dummy key, perhaps Tait will create either a 1234 (ideal) key or a 0000 key for "learning" how to populate and control the key-dependent fields.

  #4 (member joined Feb 04, 2012)

    From my research the ZZZZZZZ will be the ESN, and it has been encrypted using DES. I could be wrong about it being the ESN; encryption does not change the size of the data, so if the ESN is 7 hex characters in size, that may be your answer.

  #5 (member joined May 07, 2012)

    I thought this - however I haven't managed to find a way to find out what the ESN is on the radios... The programming software doesn't seem to show it, and I can't find a way to check it on the radio

  #6 (member joined May 07, 2012)

    Here is a bunch of feature codes that I managed to swipe from a radio while nobody was looking :P

    Model   Serial Number  Feature ID  Feature Set                                 Status    Seq  Feature License Key
    TM9000  19605511       TxAS015     SFE GPS Display                             Disabled  0    36H2.B434.RJP8.93A8.NMVU.TT
                           TxAS050     SFE P25 Common Air Interface                Enabled   1    U46Y.ZU6T.MR5A.56T8.NMVU.TD
                           TxAS051     SFE P25 Administrator Services              Disabled  0    U7ZZ.LAM9.DXBZ.T6A8.NMVU.TT
                           TMAS052     SFE P25 Graphical Head Operation            Enabled   1    QFY9.NUZQ.P76C.N628.NMVU.TD
                           TxAS053     SFE Single DES Encryption & Key Loader      Disabled  0    X7BT.NBXC.5YS4.9698.NMVU.TT
                           TxAS054     SFE P25 Base OTAR Re-Keying                 Disabled  0    N2A7.FKSL.SPSR.TWT8.NMVU.TT
                           TxAS055     SFE P25 Trunking Services                   Disabled  0    LHEE.NCVD.H4AD.9WA8.NMVU.TT
                           TxAS056     SFE P25 User IP Services                    Disabled  0    42NT.FJJA.E95K.SW28.NMVU.TT
                           TxAS057     SFE P25 Base Encryption (DES) & Keyloader   Disabled  0    BHXD.TB8Y.SZMU.GW98.NMVU.TT
                           TxAS058     SFE P25 Encryption (AES)                    Disabled  0    YPBF.ZVMJ.PDHN.D8T8.NMVU.TT
                           TxAS059     SFE MDC1200                                 Enabled   1    V586.58DP.UFBW.G8A8.NMVU.TD

    If you put those keys into my perl script from my site, you'll see the breakdown of what each part does.

    For example:
    $ ./key_to_hex.pl U46Y.ZU6T.MR5A.56T8.NMVU.TD
    Feature Key: U46YZU6TMR5A56T8NMVUTD
    Key Type: TxAS050 - SFE - P25 Common Air Interface
    Seq: 1 (00000001)


    Hex Output: 00BBCB69DCA0EEA88A140767637010
    Binary String: 0000000010111011110010110110100111011100101000001110111010101000100010100001010000000111011001110110001101110000000100
    Checksum: 10
    Complete String: 00BBCB69DCA0EEA88A14076763701010
    The Hex Output basically comes down to this:
    00XXXXXXXXXXXXXXXXYYZZZZZZZSS0CC

    This translates roughly to:
    X = Authentication code??
    Y = feature code (in HEX!)
    Z = serial number? ESN? Encoded somehow
    S = Sequence number
    C = Checksum

    Where to go from here is a bit of a mystery for me. I'm not quite sure what encoding is used - but welcome any suggestions...

  #7 (member joined May 07, 2012)

    Interestingly, I came across this documentation today... Shows a bit of insight into SFE key generation

    Part of the interesting text:
    What is Board Swapping?
    When the internal PCB assembly inside the product is removed and is replaced with another PCB assembly. This repair method is done because the original PCB assembly is deemed irreparable or the customer requires a very quick repair turn around.
    When this method of product repair is used, it is imperative that the CSO is notified of this repair. The following details need to be provided:
    - Radio Chassis Serial Number
    - New board Serial Number (7 digit number on the PCB assembly label)
    The CSO is required to enter this information into the SFE database.
    Why does the SFE database need to be updated when a Board Swap is performed?

    With products such as the TM8000 and TB8000 series, it is becoming more and more apparent that board swapping will soon become the most economical repair for a product. However, along with this comes a need to have better traceability of what board is actually inside the product. The SFE requirement compounds this as the SFE key is partly based on information supplied by the internal serial number of each individual board, not the chassis serial number.
    When a board is swapped, the SFE keys (if features are enabled) will need to be re-generated for the new boards, as the old keys will not function on a new board.
    I think this shows what the 7 digit serial number thingo is. Time to figure out how to pull this from the radio

    Attachment 792
    Last edited by CRCinAU; May 11, 2012 at 04:05 AM.

  #8 (member joined May 07, 2012)

    Ok, I've now got 2 different scripts to work with these keys...

    The first is key_to_hex. This takes a valid SFE key and translates it to the hex string that would represent it. This gets transferred over the wire via the RS232 protocol.

    Code:
    $ ./key_to_hex U46Y.ZU6T.MR5A.56T8.NMVU.TD
           Feature Key: U46YZU6TMR5A56T8NMVUTD
              Key Type: TxAS050 - SFE - P25 Common Air Interface
                   Seq: 1 (00000001)
    
    
            Hex Output: 00BBCB69DCA0EEA88A140767637010
         Binary String: 0000000010111011110010110110100111011100101000001110111010101000100010100001010000000111011001110110001101110000000100
              Checksum: 10
       Complete String: 00BBCB69DCA0EEA88A14076763701010
    The second script is hex_to_key, which does the reverse. It takes the hex string and works it backwards to get the Feature Key.
    Code:
    $ ./hex_to_key 00BBCB69DCA0EEA88A14076763701010
              Checksum: Valid
            Hex String: 00BBCB69DCA0EEA88A14076763701010
         Binary String: 000000001011101111001011011010011101110010100000111011101010100010001010000101000000011101100111011000110111000000010000
    
    
           Feature Key: U46Y.ZU6T.MR5A.56T8.NMVU.TD
              Key Type: TxAS050 - SFE - P25 Common Air Interface
                   Seq: 1 (00000001)
    Hopefully, this may help someone in getting test data....
    Last edited by CRCinAU; May 11, 2012 at 03:36 AM.

  #9 (member joined Feb 04, 2012)

    Based on your post #7 the ESN is 7 digits, and I know from other documents that the ESN is coded using DES. The only headache is what key was used to code up the ESN.

  #10 (member joined May 07, 2012)

    I'm curious. Is this based on Tait specific radios or what other companies have done?

    I'm not quite sure this is how they have gone about it - but I'm keeping an open mind

  #11 (member joined Feb 04, 2012)

    The ESN standards are contained in TIA TR45. I got the document from EFJ. From all my current research, all P25 systems and infrastructure have to meet certain criteria. This means that what one company does, so will another. There may be variations in how they do it, but the general principles should cross over.

    In reading futher I found that the syskeys are using AES not DES (ugg).

  #12 (member joined May 07, 2012)

    Any chance of posting this? I wouldn't mind a read....

    I should also note that TR-45 is a VERY broad area and seems to apply more to mobile phones etc... Mostly CDMA2000 which is a completely different beast....
    Last edited by CRCinAU; May 12, 2012 at 10:27 PM.

  #13 (member joined Feb 04, 2012)

    I agree that it applies to mobile phones more than radios. I have attached the copy I have here. I reread it but can't find the section on encryption. I will have to go through and reread other documents I got around the same time.

    This is one reason we are looking for the TIA 102 series documents pertaining to P25. If I remember correctly, one mentioned ESN and the use of it for validation purposes. I'm sorry if this is all a bit vague; I didn't know there would be a test LOL. When you read as much as I am doing, it's hard to keep the source references straight. Often it is something like the issue with the ESN in your updates that will trigger the memory.

  #14 (member joined May 07, 2012)

    Yeah - I know what you mean!

    There is something interesting in the Tait documents I found regarding the SFE keys. That part is that the keys are partly based on an internal serial number. I'm not sure if this is the ESN or not - however as part of my documenting the RS232 protocol, one of the known commands brings up the "Flash Serial Number" which returns a 16 digit hex value (8 bytes or 16 bytes?) which may give a few ideas...

    I have to wait until I can get my hands on a radio again to throw some more commands at it and see what I can pull out of it. The analysis I've been doing so far is from documentation and some captured read / writes of programming information using the Tait software and seeing what goes over the wire.

  #15 (member joined May 07, 2012)

    I have managed to get a whole bunch of sequential serial numbers & associated keys to try and figure out what's going on with these things. I'm happy to provide them to people who are interested in, and have knowledge on, trying to reverse the encoding done on these things.

    I do not want to put these out in the wild as such - as it may get unwanted attention as these radios may or may not still be in service and/or under warranty and get innocent parties in trouble.

    If you feel you can help out here, drop me a PM and I'll see if I can find a way to get them to you.

  #16 (member joined Feb 04, 2012)

    I would think that the internal serial number would be the ESN. The flash serial number is probably an internal serial number for the flash chip itself. It would be interesting to do a swap of the flash chip and see what error the radio generates. In theory it shouldn't affect the radio provided the flash chips exchanged support the same models/features. Sometimes doing hardware work will reveal things not seen in the software.

  #17 (member joined May 16, 2012, New Zealand)

    Hey, very good work on this! I have seven TM/TP9100 radios and would love to get all the features enabled I can without paying enormous amounts of money to Tait. Let me know if you need some info from my set of radios in order to help you with your quest.

  #18 (member joined Feb 04, 2012)

    p1350m, I am sure that any upgrade files etc. you have for the radios will be of use for CRCinAU. His discretion is above reproach; the files will not be reposted. The more files and information available, the easier it is to see patterns or the evolution of the way patches are applied.

  #19 (member joined May 16, 2012, New Zealand)

    For TM8255 radio serial number 19323583 MDC 1200 Encode SFE, the dealer supplied with the following feature license key:
    AEQS.SPFL.ANML.GT2W.2M93.TD
    The above key enabled MDC1200 on my TM8255.
    Unfortunately I did not pay any attention to what the key was prior to activation.
    Hope this helps.

  #20 (member joined May 07, 2012)

    Hmmm... Running that key through my script shows:

    Code:
    $ ./key_to_hex.pl AEQS.SPFL.ANML.GT2W.2M93.TD
           Feature Key: AEQSSPFLANMLGT2W2M93TD
              Key Type: TMAS012 - MDC1200 Encode (8xxx)
                   Seq: 1 (00000001)
    
    
            Hex Output: 00437F295459433B9702068770101034
    The translation for this being:
    Code:
    00437F295459433B9702068770101034
    00XXXXXXXXXXXXXXXXYYZZZZZZZSS0CC
    X = Authentication code??
    Y = feature code (in HEX!)
    Z = serial number? ESN? Encoded somehow
    S = Sequence number
    C = Checksum


    p1350m: I assume you have a serial cable to do stuff to the radio...

    Can you jump into the radio as a serial mode using instructions here:
    http://www.crc.id.au/apco25/rs232.html

    Use a terminal program that will let you talk directly to the serial port, enter CCTM mode and paste the output of:

    94
    96
    97
    98
    113
    134
    Last edited by CRCinAU; May 17, 2012 at 03:28 AM.

  #21 (member joined May 16, 2012, New Zealand)

    Here you go... I assumed you wanted 133 rather than 113?

    94 19323583
    96 QMA2F_std_4.02.00.0868
    97 QMA2B_std_1.07.00.0006
    98 QMA2G_std_1.12.00.0001
    133 TMAB22-B100_0111
    134 7908463EFFFF0756

  #22 (member joined May 07, 2012)

    Ok, sorry - I haven't had much time lately to work further on this stuff...

    p1350m: Are you interested in pulling your radio apart and seeing if you can locate any of the above numbers printed either on a label or screen printed onto the PCB?

  #23 (member joined May 16, 2012, New Zealand)

    photo.JPG

    Here is a photo of the sticker on the board can. I think it is the can over the digital chip.

  #24 (member joined May 07, 2012)

    Great stuff. Is this the TM8200? Also, are there any more stickers on the PCB or numbers screen printed on there?

    My gut feeling says that the number on either J or S is used in generating part of the key. XMAB22-B105 is the part number of that board, R022 is the revision.

    Also, is this the same radio you pasted the key above from?

    If so, semi interesting:
    Code:
    00437F295459433B9702068770101034
    00XXXXXXXXXXXXXXXXYYZZZZZZZSS0CC
    The ZZZ Part: 0687701

    If we add a 0 on the end from the SS part, then convert that hex to decimal, we get: 06877010 Hex = 109539344 Decimal.

    While this isn't exactly the J value, it's the right number of digits and is close. Might be a random coincidence, and I'd need more data to see if this is the same on all radios, but it is interesting...
    Last edited by CRCinAU; May 28, 2012 at 02:51 AM.
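The key layout worked out in post #6, the key_to_hex / hex_to_key round trip in post #8 and the serial-number arithmetic in post #24, carried through in one added example. This is editor-written Python, not the thread's own Perl scripts (which this page does not reproduce). The 5-bit symbol table and the checksum rule in it are inferred by aligning the two key/hex pairs quoted in posts #8 and #20, so they are assumptions until checked against more keys. Seven key symbols (B, C, H, J, K, X and 7) never occur in those two keys, so their values are unknown and the decoder refuses keys containing them, which includes every post #6 key except the one already decoded there.

```python
# Added example, not the thread author's key_to_hex / hex_to_key Perl scripts
# (those are not reproduced on this page). Decodes a Tait SFE feature key into
# the 16-byte hex string the thread describes, checks the trailing checksum and
# splits it into the 00 XXXXXXXXXXXXXXXX YY ZZZZZZZ SS 0 CC fields.
#
# Everything below is inferred from the two key/hex pairs quoted in the thread
# and is therefore an assumption, not Tait documentation:
#   * each of the 22 key symbols carries 5 bits, concatenated in order;
#   * the hex string is one zero byte + 110 key bits + 2 zero pad bits
#     (15 bytes), then a checksum byte that makes all 16 bytes sum to 0 mod 256;
#   * the symbols 0, 1, I and O never appear, so the alphabet has 32 symbols in
#     a vendor-chosen order; 7 of them (B C H J K X 7) are absent from the two
#     solved keys, so their values are unknown and such keys are rejected.

SYMBOL_VALUE = {
    "T": 0, "3": 1, "F": 2, "D": 4, "6": 5, "W": 6, "8": 7, "A": 8,
    "N": 12, "E": 13, "G": 14, "4": 15, "2": 16, "V": 17, "S": 18, "Z": 19,
    "5": 20, "P": 21, "Y": 22, "U": 23, "9": 24, "L": 25, "R": 26, "M": 29,
    "Q": 31,
}
VALUE_SYMBOL = {v: k for k, v in SYMBOL_VALUE.items()}
UNSOLVED = set("BCHJKX7")  # symbols whose 5-bit value is still unknown


def key_to_bytes(key: str) -> bytes:
    """Dotted 22-symbol key -> 16 bytes (15 payload bytes + checksum)."""
    symbols = key.replace(".", "").upper()
    if len(symbols) != 22:
        raise ValueError("expected 22 key symbols, got %d" % len(symbols))
    unknown = sorted(set(symbols) & UNSOLVED)
    if unknown:
        raise ValueError("no known value for symbol(s) %s" % "".join(unknown))
    bits = "".join(format(SYMBOL_VALUE[c], "05b") for c in symbols)  # 110 bits
    payload = int("0" * 8 + bits + "00", 2).to_bytes(15, "big")
    checksum = (-sum(payload)) & 0xFF  # two's complement of the byte sum
    return payload + bytes([checksum])


def bytes_to_key(blob: bytes) -> str:
    """Reverse direction: 16 bytes -> dotted key, after checking the checksum."""
    if len(blob) != 16:
        raise ValueError("expected 16 bytes")
    if sum(blob) % 256 != 0:
        raise ValueError("checksum mismatch")
    bits = format(int.from_bytes(blob[:15], "big"), "0120b")[8:118]
    values = [int(bits[i:i + 5], 2) for i in range(0, 110, 5)]
    if any(v not in VALUE_SYMBOL for v in values):
        raise ValueError("bit pattern maps to an unsolved symbol")
    symbols = "".join(VALUE_SYMBOL[v] for v in values)
    return ".".join(symbols[i:i + 4] for i in range(0, 20, 4)) + "." + symbols[20:]


def parse_fields(blob: bytes) -> dict:
    """Split the 32 hex digits into the fields named in the thread."""
    h = blob.hex().upper()
    return {
        "hex": h,
        "auth": h[2:18],           # X: 16 hex digits, purpose unknown
        "feature": h[18:20],       # Y: 2 hex digits, differs per feature
        "serial": h[20:27],        # Z: 7 hex digits, constant per radio
        "seq": int(h[27:29], 16),  # S: sequence number
        "checksum": h[30:32],      # C
        "checksum_ok": sum(blob) % 256 == 0,
    }


def serial_candidate(blob: bytes) -> int:
    """Post #24's guess: Z plus the first digit of S, read as a hex integer."""
    return int(blob.hex().upper()[20:28], 16)


if __name__ == "__main__":
    for key in ("U46Y.ZU6T.MR5A.56T8.NMVU.TD", "AEQS.SPFL.ANML.GT2W.2M93.TD"):
        blob = key_to_bytes(key)
        print(key, parse_fields(blob), serial_candidate(blob),
              "round-trip ok" if bytes_to_key(blob) == key else "round-trip FAILED")
```

Run against the two keys quoted in posts #8 and #20, it reproduces 00BBCB69DCA0EEA88A14076763701010 and 00437F295459433B9702068770101034, and serial_candidate gives 109539344 for the TM8255 key, the same figure post #24 arrives at by hand. The bit alignment also accounts for why every enabled key in post #6 ends in .TD and every disabled one in .TT: the last symbol's value is (SS & 7) << 2, the low bits of the sequence byte followed by the two pad bits, so a sequence of 1 gives 4 (D) and 0 gives 0 (T). Whether the checksum rule holds beyond the two samples, and what the X bytes are, remain open.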

  #25 (member joined May 16, 2012, New Zealand)

    Other than "200-01700-12" on the PCB I cannot locate any other numbers.

    I believe that the "PL101" board interface pads (as shown in the pic) are used to programme the personality of the radio at the factory. I have read this in one of the manuals somewhere. I would bet money that the J and/or S numbers have something to do with the SFE keys programmed into the chip.