
Mototrbo CTB codeplug file format


radio313

Prolific Contributor
Joined
Feb 13, 2012
Messages
194
I believe I have extracted the source code of portions of trbo CPS that encode and decode the *.ctb codeplug files. Would posting the code and discussing it here be permitted?
 

Magnus

Prolific Contributor
CS Forums $upporter
Joined
Dec 12, 2011
Messages
1,240
I will say yes; if our legal adviser disagrees we will handle it then.
 
radio313
Well, .NET decompiling is by far the easiest thing I have done this week.
A quick howto for anyone interested.
A .NET deobfuscator is needed to "deobfuscate" the code.
https://github.com/0xd4d/de4dot
de4dot-x64.exe -r "C:\program files\Motorola\MototrboCPS" -ro C:\trbo --onfile
This creates a new installation of MototrboCPS, with all the Motorola and system DLLs, in one directory, C:\trbo.
Then I used a program called dotnet reflector (http://www.reflector.net/) to browse the deobfuscated code.
Browsing Common.Communication.ComminFile.dll I found a lot of interesting data structures. Here are a couple.

Serializable
http://pastebin.com/1BZEefRV

CompressFile
http://pastebin.com/fptnifuJ

The math and logic here is way over my head. I wonder if this code is what we would need to start reading and writing our own codeplug files?
 
dc2zp

Not Registered
I'm working on a similar approach

Hi kd8eyf!

I am working on a similar approach. The mototrbo CPS has several shortcomings and in order to avoid these I am working on understanding the .ctb files.

As a first step I would like to be able to add contacts to any given codeplug file. (BTW: this was a feature in the CPS for GM/GP3**)

It will take me some days to dive into this code you revealed there, but I am optimistic about the possible outcome.

so long and 73, dc2zp
 

Mars

Prolific Contributor
CS Forums $upporter
Joined
Dec 21, 2011
Messages
5,020
I have no problem with this, so long as none of the work was derived from proprietary Motorola software, like Depot, etc.
 
radio313
Sorry for the GIANT PICTURE

http://i.imgur.com/7hAib.jpg


I got a few CPS parameter files open and a firmware update file open. Looks like everything is XML.
Some base64 stuff in the firmware; decoded it and didn't recognize any structure, may be encrypted again? Not sure.
I haven't cracked open the CTB yet. Unlike the below ASCII files, the CTB adds a layer of gzipping which my decoder is choking on. Still trying to figure it out.
At the end of each XML is a HASH of the data in the format <DIGEST></DIGEST><RSAKeyValue><Modulus></Modulus><Exponent></Exponent></RSAKeyValue> that I need to figure out if I ever want to get data back into the radio.
 

Magnus

Looks good, nice to see progress being made on this.
 
radio313
I'm not a lawyer, but the question came up whether a program that decodes CTBs is against the TOS.
Chances are it is..?
Are codeplugs intellectual property?
I would think that the data comes from my radio, it's MY CODEPLUG!?
I am sure Motorola sees otherwise.

So really it's just sending data through from XML to a crypto stream into a gzip stream. It's a common way to store data.
http://msdn.microsoft.com/en-us/magazine/cc163290.aspx

The only thing that I think could be IP is the encryption keys?
My friend changed the unpacker program to require the user to manually get and load the encryption keys from somewhere. He uploaded the decoder here

Moved see
http://communications.support/threads/1035-Mototrbo-CTB-coldeplug-file-format?p=14951#post14951

The src is included if you're nervous about EXEs. He says he still has to add the signature creation to be able to save files. The thing is a DOTNET so you will need to install the VB.NET Studio 2010 turd if you wanna compile.

dave
 

Magnus

I would agree that if any of it was IP it would be the key. If the password is what I think it is, it's easy enough to find and can be left for the end user to find.
 
radio313
Looking at Wireshark traces between CPS and the radio, the structure is pretty simple. I think this is the XCMP protocol, not sure. But I hit a major road block. It looks like to init communication / control, the trbo radio sends some random bits to CPS and CPS has to encrypt them and send them back. The radio compares it with its own and if it's the same it lets comms continue. The only way to get the encrypt key is from mother moto, I imagine? I'm guessing this way they only allow authorized software to communicate with OUR radios. From what I see in the packet captures it's only 8 bytes in and out... that's 18,446,744,073,709,551,616 combinations / keyspace?! Crap.. anyone have an idea on a workaround? Thoughts?
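
Added example, not part of the original posts or of any Motorola code: a minimal Python model of the 8-byte challenge-response handshake described in the post above, showing both sides of the exchange. The real keyed transform is not given in the thread, so truncated HMAC-SHA256 stands in for it; `Radio`, `respond`, `run_exchange`, `replay_accepted` and the keys are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 8                          # the post reports 8 bytes each way
RESPONSE_SPACE = 2 ** (8 * CHALLENGE_LEN)  # number of possible 8-byte responses


def respond(key: bytes, challenge: bytes) -> bytes:
    """Stand-in keyed transform (assumption): HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:CHALLENGE_LEN]


class Radio:
    """Verifier side: issues a fresh random challenge and checks the reply once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(CHALLENGE_LEN)
        return self._pending

    def verify(self, response: bytes) -> bool:
        challenge, self._pending = self._pending, None  # each challenge is single-use
        if challenge is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(respond(self._key, challenge), response)


def run_exchange(radio: Radio, client_key: bytes):
    """Client side: answer the challenge; returns (challenge, response, accepted)."""
    challenge = radio.issue_challenge()
    response = respond(client_key, challenge)
    return challenge, response, radio.verify(response)


def replay_accepted(radio: Radio, captured_response: bytes) -> bool:
    """Resend a response captured earlier against a new challenge."""
    radio.issue_challenge()
    return radio.verify(captured_response)


if __name__ == "__main__":
    radio = Radio(b"constructed-demo-key")  # constructed key, not a real one
    _, captured, ok = run_exchange(radio, b"constructed-demo-key")
    print("correct key accepted:", ok)
    print("wrong key accepted:", run_exchange(radio, b"some-other-key")[2])
    print("replayed response accepted:", replay_accepted(radio, captured))
    print("possible responses:", f"{RESPONSE_SPACE:,}")
```

The 2^64 figure counts the possible 8-byte responses to one challenge; the length of the key itself is independent of the challenge length.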
 

Magnus

Yes, all communication to and from the radio via XCMP is verified with a signature.
 

bg4wsw

Regular Member
Joined
Apr 18, 2012
Messages
7
I can help you figure out the correct HASH and RSAKeyValue if you give me the XML file which is cracked by CTB.



for example

------------------------------------------------------------------------------------------------------------------------

Sorry for the GIANT PICTURE
http://i.imgur.com/7hAib.jpg

I got a few CPS parameter files open and a firmware update file open. Looks like everything is XML.
Some base64 stuff in the firmware; decoded it and didn't recognize any structure, may be encrypted again? Not sure.
I haven't cracked open the CTB yet. Unlike the below ASCII files, the CTB adds a layer of gzipping which my decoder is choking on. Still trying to figure it out.
At the end of each XML is a HASH of the data in the format <DIGEST></DIGEST><RSAKeyValue><Modulus></Modulus><Exponent></Exponent></RSAKeyValue> that I need to figure out if I ever want to get data back into the radio.
Last edited by kd8eyf; 01-04-2013 at 11:40 PM. Reason: change pic to link

<SIGNATURE><VERSION>1.0</VERSION><DIGEST>CFCB41CEFEF07B2F2ACEADABCF6BD45CAF57D867D226E03E88A5D111DDA46C6E8DA3DE096582474EA5B69C54020E1BED6D7526F086A065E9DC98A11072D83C4BD62CFE39A3FE09BA524424BC648EF206C1F7CC918C549CB54AA3626EA7C9EA5A48242816D45A4A710FB7540E621D1D770FFDADCA996390A3B8167FF176BA1E73</DIGEST><RSAKeyValue><Modulus>5AaKT6Hvh9+QrPWr5wugcqFjZWe54yW4/2sn6KAHKIrvvpD7J2x+elfDTry9DEx0U5dplG0SAtMNlXNV4PXU72Ze/yoeD/gfsGBGlmhpVCxkd0WvfSnSl5xe/WcCVJnyrjIQjRI47Aok7H3tjtshvq/LLKUtWxpxy4iGupbtv20=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></SIGNATURE>
 
user

Not Registered
Hello,
is there any news about this?

I read the whole thread but didn't find a real solution. Is this tool complete?

Thanks for any news

U.
 
radio313
Yes, the tool, as you say, is complete. PM me for the URL.
 