
Thread: MotoTRBO Advanced Encryption Key Recovery

  1. #1
    brizey No Longer Registered

    MotoTRBO Advanced Encryption Key Recovery

    Anyone working on recovering the encryption keys by reading the radio?


  2. #2
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    No, no one has brought this up in any thread.

    Based on what is known about TRBO radios and other Moto products, it's a safe bet that the keys are not readable via stock CPS. They may be in a memory section that is not readable by anything other than a hardware method.

    If you want to post what you know about the encryption etc., I am sure there are many who would be curious to learn more. I do know that TRBO radios are using RC4 40-bit (10h) keys.

  3. #3
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    745
    Thanks
    151
    Thanked 348 Times in 149 Posts
    Country: Australia

    Yep, it's definitely RC4 with an initialization vector (aka Message Indicator or MI in P25 speak).

  4. #4
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Money says the key is present in plain text when you read the codeplug and sniff the packets with Wireshark.

  5. #5
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    745
    Thanks
    151
    Thanked 348 Times in 149 Posts
    Country: Australia


    Good thinking 99! Perhaps the same holds true for ASTRO25 radios programmed over the network using Software ADP...

  6. #6
    Join Date
    Feb 13, 2012
    Posts
    190
    Thanks
    23
    Thanked 59 Times in 20 Posts

    When writing to the radio it's viewable.
    Here it is showing an enhanced privacy key of 69696969:

    Code:
    00001686  ff ff 00 50 00 72 00 69  00 76 00 61 00 63 00 79 ...P.r.i .v.a.c.y
    00001696  00 20 00 4b 00 65 00 79                          . .K.e.y 
    0000169E  00 20 00 31 00 00 00 00  00 00 00 35 01 01 80 0f . .1.... ...5....
    000016AE  ab 00 00 00 28 00 00 00  28 01 69 69 69 69 69 00 ....(... (.iiiii.
    000016BE  50 00 72 00 69 00 76 00  61 00 63 00 79 00 20 00 P.r.i.v. a.c.y. .
    000016CE  4b 00 65 00 79 00 31 00  00 00 00 00 00 00 00 00 K.e.y.1. ........
    but when reading the radio, I don't see it.

  7. #7
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    The software works the same way the ASTRO25 CPS does: you can see a key you have loaded via the CPS, but you cannot read it from the radio. It would take a hardware type hack to read the key from the codeplug flash memory.

  8. #8
    brizey No Longer Registered

    Yeah, guess it's one thing down the road to explore. It would be nice, since dealers are vendor locking radio systems by using enhanced privacy and not giving owners the key.

  9. #9
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States

    Well, that depends on the type of system. I run a Capacity Plus system for profit; the only way we control access to our repeaters is by forcing customers to let us program their radios, regardless of where they buy them. If they want on our system I program them with enhanced privacy and password protect the radios. If they cancel they bring them in for a free reprogram back to a default codeplug. Now if the customer owns the system as well they have a right to the key; if they are not getting it then they aren't asking loud enough.

  10. #10
    krc845 No Longer Registered

    Was this code viewed using Wireshark? I have a codeplug that has three enhanced keys in it that are unviewable. Can I only see the key while writing, or can I somehow use the saved codeplug I have on my computer without writing to the radio?

    Also, how do you know which set of numbers is the key(s)?

    Thanks guys!

    Quote Originally Posted by kd8eyf
    When writing to the radio it's viewable.
    Here it is showing an enhanced privacy key of 69696969:

    Code:
    00001686  ff ff 00 50 00 72 00 69  00 76 00 61 00 63 00 79 ...P.r.i .v.a.c.y
    00001696  00 20 00 4b 00 65 00 79                          . .K.e.y 
    0000169E  00 20 00 31 00 00 00 00  00 00 00 35 01 01 80 0f . .1.... ...5....
    000016AE  ab 00 00 00 28 00 00 00  28 01 69 69 69 69 69 00 ....(... (.iiiii.
    000016BE  50 00 72 00 69 00 76 00  61 00 63 00 79 00 20 00 P.r.i.v. a.c.y. .
    000016CE  4b 00 65 00 79 00 31 00  00 00 00 00 00 00 00 00 K.e.y.1. ........
    but when reading the radio, I don't see it.

  11. #11
    Join Date
    May 30, 2012
    Posts
    222
    Thanks
    27
    Thanked 54 Times in 27 Posts

    Quote Originally Posted by krc845
    Was this code viewed using Wireshark? I have a codeplug that has three enhanced keys in it that are unviewable. Can I only see the key while writing, or can I somehow use the saved codeplug I have on my computer without writing to the radio?

    Also, how do you know which set of numbers is the key(s)?

    Thanks guys!
    You can only see the key(s) during the initial 'write' to the radio, since the CPS needs to transfer them into the radio. After that, the keys will not be 'read' by the CPS...this is why you do not see them in the privacy fields upon reading a radio.

    As far as how he knew which set of numbers was the key, I assume he simply did a search in WinHex for his known number.
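    As an added example (not code from this thread or from Motorola), here is a small Python audit script that rebuilds the byte stream from a Wireshark-style hex dump like the one posted above, lists the UTF-16LE field labels the CPS sends, and reports whether a key you just wrote appears in the clear in a capture of your own programming session. The sample input is the thread's own excerpt; the dump format (offset, up to 16 hex pairs, ASCII column) is assumed to match Wireshark's "hex dump" export.

```python
import re

# Constructed sample input: the capture excerpt posted in this thread (a CPS
# write of a radio whose enhanced privacy key had been set to a test value).
CAPTURE_DUMP = """\
00001686  ff ff 00 50 00 72 00 69  00 76 00 61 00 63 00 79 ...P.r.i .v.a.c.y
00001696  00 20 00 4b 00 65 00 79                          . .K.e.y
0000169E  00 20 00 31 00 00 00 00  00 00 00 35 01 01 80 0f . .1.... ...5....
000016AE  ab 00 00 00 28 00 00 00  28 01 69 69 69 69 69 00 ....(... (.iiiii.
000016BE  50 00 72 00 69 00 76 00  61 00 63 00 79 00 20 00 P.r.i.v. a.c.y. .
000016CE  4b 00 65 00 79 00 31 00  00 00 00 00 00 00 00 00 K.e.y.1. ........
"""

# Offset, then up to 16 hex byte pairs; the trailing ASCII column is ignored.
DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9a-f]{2}){1,16})")
# Four or more printable ASCII characters encoded as UTF-16LE, which is how
# the CPS field labels ("Privacy Key 1") appear in the capture.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def parse_hex_dump(text):
    """Rebuild (base_offset, bytes) from a Wireshark-style hex dump."""
    chunks = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            chunks.append((int(m.group(1), 16),
                           bytes.fromhex("".join(m.group(2).split()))))
    base = min(off for off, _ in chunks)
    buf = bytearray(max(off + len(d) for off, d in chunks) - base)
    for off, data in chunks:          # gaps between lines stay zero-filled
        buf[off - base:off - base + len(data)] = data
    return base, bytes(buf)

def find_labels(base, buf):
    """Return [(offset, text)] for every UTF-16LE string in the buffer."""
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in UTF16LE_RUN.finditer(buf)]

def find_cleartext_key(base, buf, key_hex):
    """Offset at which the raw key bytes occur in the capture, or None."""
    pos = buf.find(bytes.fromhex(key_hex))
    return None if pos < 0 else base + pos

if __name__ == "__main__":
    base, buf = parse_hex_dump(CAPTURE_DUMP)
    for off, text in find_labels(base, buf):
        print(f"{off:08X}  {text!r}")
    # The dump carries five 0x69 bytes: a 40-bit (10 hex digit) key value.
    print("key bytes at", hex(find_cleartext_key(base, buf, "6969696969")))
```

    If the key is found, the capture file and the programming PC's USB/network path should be treated as containing key material; a None result for a key you know you wrote means the capture did not include the write.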

  12. #12
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    That's exactly what he did.

    TRBO does not read the keys from the radio. If you want a key you will need to do a lot more work to locate and decrypt it off air.

  13. #13
    krc845 No Longer Registered

    This is a long shot, but by any chance, if I provided a codeplug would anyone be able to decode/decrypt it?

  14. #14
    krc845 No Longer Registered

    OK, so I played around some and put in my own enhanced privacy keys so I knew what I was looking for, and I was able to find it with no problem using HxD. My question is: on a codeplug that I read and save to my computer with enhanced privacy codes in it that display a I wonder if the actual code will show up when I run the codeplug in HxD? The only thing is I cannot test this because I changed the keys on the original codeplug I had. Would anyone have a codeplug with hidden keys I can try to decode?

  15. #15
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    No, there is no way to "monitor" the keys from reading a codeplug. The same applies to writing one. The key field is only written to if there is a value inserted into it; otherwise the CPS skips writing that block to the codeplug. The CPS never reads the key block, so that rules out looking there.

    For what it's worth, the keys are only 10 digits long so it is possible to brute force the keys.

  16. #16
    nycap No Longer Registered

    Quote Originally Posted by Notarola
    No, there is no way to "monitor" the keys from reading a codeplug. The same applies to writing one. The key field is only written to if there is a value inserted into it; otherwise the CPS skips writing that block to the codeplug. The CPS never reads the key block, so that rules out looking there.

    For what it's worth, the keys are only 10 digits long so it is possible to brute force the keys.
    I have seen a paper that demonstrates cracking 40-bit RC4 in about a day with one $300 FPGA. But how exactly would one implement a brute force attack in this case?

  17. #17
    Join Date
    Apr 09, 2012
    Location
    Australia
    Posts
    745
    Thanks
    151
    Thanked 348 Times in 149 Posts
    Country: Australia

    Quote Originally Posted by nycap
    But how exactly would one implement a brute force attack in this case?
    There's plenty of information already published out there on this topic.

  18. #18
    Join Date
    Dec 12, 2011
    Location
    Avalon
    Posts
    1,198
    Thanks
    302
    Thanked 333 Times in 165 Posts
    Country: United States


    Right, you will not find a step by step guide to cracking encryption on this site.

  19. #19
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Although there is no information on doing this on the site, I can say that to do so will require a good understanding of encryption, the TRBO data format and software writing. This is not something for which you are going to find an "off the shelf" routine.

    It is OK to discuss encryption systems here. It is OK to discuss the format and technical specs of encryption. It is OK to discuss the TRBO (or any) data formats or protocols. However, in the spirit of protecting the safety and welfare of law enforcement and other agencies that use encryption for "legitimate reasons", we draw the line at actually posting decryption software or specific steps that may enable the average person to decrypt an encrypted transmission.

    I should mention that a large number of services that have gone to encryption have done so in part due to the abundance of audio feeds. At one time it required a scanner (or similar) and a basic understanding of radio system structure to be able to monitor a service. Now all you need do is listen on a phone. The services I maintain specifically went to encryption for this exact reason. I personally feel that regular communications of publicly funded services should be available to those who wish to monitor them (provided there is no ulterior motive), but I do not make policy. I think you get what I am saying. I will now step off the soap box.

  20. #20
    nycap No Longer Registered

    I get it, guys. Nobody is going to post an encryption cracking handbook here. But with all due respect, I didn't open this clam.

  21. #21
    Join Date
    Dec 21, 2011
    Posts
    4,051
    Thanks
    2,964
    Thanked 5,774 Times in 1,707 Posts
    Country: Canada


    I agree, nycap. Personally I have no issues with cracking encryption, provided there's no law against it. Here in Canada, you can crack PS radio encryption all you want. It's not a crime. There's absolutely nothing on the books about it. The only law which exists pertains to encrypted subscription programming (satellite TV).

    If a PS agency chooses a crap algorithm such as ADP or DES-OFB, that's their problem, not ours. They should stop hiring morons to be in charge of their networks. 1977 called and wants its DES back.

  22. #22
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    There may not be a handbook available, but I see no problems with creating a "service manual".

    The first step in looking at any encrypted signal is to determine the type of encryption used. The next step is to understand the basics of how the encrypting of the source signal works. Next is to duplicate the encryption method but allow yourself the option of loading keys and checking the output for a valid decrypt.

    MotoTRBO uses RC4; so does ADP. I have not looked too specifically at the TRBO version of RC4 so cannot say if it matches the protocol and configuration of ADP.

  23. #23
    lxth7 No Longer Registered

    G'day to the forum from downunder! After receiving the help/info I needed with a codeplug password from another thread, I thought I'd register and post an answer to this thread. I don't know if all the versions of TRBO CPS are the same, but I use 7.0 on a radio with 1.8 firmware.
    Yes, you cannot view the encryption key in the CPS page, but if you generate a detailed report using the report tab at the top, it is displayed in the report.
    Each time you write to the radio you need to re-enter the value.

  24. #24
    Join Date
    Feb 04, 2012
    Posts
    1,608
    Thanks
    65
    Thanked 300 Times in 150 Posts

    Does this report show the keys on a read & programmed radio or just the keys you loaded? The reports just display the info from the radio where you have programmed or entered keys in the CPS. This would be extremely interesting if the report shows the keys from a read radio where you did not enter in the keys.

  25. #25
    Join Date
    Apr 22, 2012
    Posts
    95
    Thanks
    14
    Thanked 7 Times in 6 Posts

    Just read my 7550 and checked for Basic and Enhanced Privacy; neither key shows up in the report... they only show in the report if I re-enter them into the opened codeplug.