mtndew
Guest
I have followed the work done by others here with great interest and have some progress of my own to report. From what I can see there are 3 levels of authentication.

CPS is authenticated at level 0, normal IP devices authenticate at level 1, and IP devices with Clone Read / Write authenticate at level 2.

There are also different authentication levels for repeater connections. The handshake process uses the TEA encryption algorithm. The last 8 bytes of the handshake packet starting with 0x0016 are random numbers sent from the device to the PC.

The radio encrypts the same bytes and expects the PC to do the same. If the bytes encrypted by the PC do not match the bytes encrypted by the radio then the session fails. So this means there are encryption keys in every software package that makes XNL/XCMP network connections to trb0 radios, and in every trb0 firmware image.

Using the information from this site I have extracted the raw S-record firmware images from a mototrbo xpr6550. Decoding the S-records shows binary data and some strings; it looks like ARM microcode. No encryption keys in the clear.

The software side, on the other hand, is a different story. I traced the execution of the M0totrb0 CPS while reading a radio device. When execution reaches the point of encrypting the 8 bytes, the XnlAuthenticationD0tNet.dll is forked. This is not a normal C# DLL. It's a C++ DLL embedded inside a C# DLL. This means that the process of decoding managed code into readable source code with .NET Reflector is not going to work like it does for the other CPS files.

Additionally the DLL is obfuscated and will require someone with software like IDA Pro to somehow trace the execution and watch the registers for the encryption key (or the TEA delta 0x9e3779b9, which is the 32-bit representation of the golden number in base 16. It is always used to generate the encrypted bytes, so looking or watching for this might be easier than looking for an unknown), or find the DLL function export and create a custom fork from that DLL? Not sure; this is some high-level hacking. S1teSurv3y and M0t0trb0D3p0t both use this method of executing the crypto process.

As an alternative I went looking for the encryption keys inside some 3rd party programs. There are some 3rd party software programs with free demos / trials available for download on the net that are all C#. Load it into your de4dot and load that into your .NET Reflector and you will have the encryption keys for a m0t0trb0 IP device, as well as an XRT9OOO gateway.

We have written a few programs in Perl and C that initiate communication with a trb0 device and can send / receive most commands, with the exception of radio clone. We need to find a level 2 or CPS level 0 encryption key for that to work. We also need a repeater level access key. It is the holy grail of trb0 hacking! m0t0r0la does not want anyone doing anything to "THEIR" radios without paying a royalty to them. The problem is this type of security is impossible. How do you store a secret key in code invisible to the user but visible to the program? You can't, it is impossible. It's just a matter of time before someone with the resources finds it, and is able to use "THEIR" radio to its full ability.
mtnDew
[edited by Mars: Please use paragraphs!]
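The post above describes a TEA challenge/response: the radio sends 8 random bytes, both ends encrypt them with the same TEA key, and the session is accepted only if the two results match. The C below is an added example written for this thread, not the poster's own Perl/C programs and not anything from a radio or CPS; it implements standard TEA, simulates both sides of that check, and includes the "look for the delta constant" scan the post mentions, in the form an analyst would use to confirm where an image contains TEA. The keys, the challenge bytes and the sample image are constructed placeholders, big-endian packing of the 8 bytes into TEA words is an assumption (the post does not say how the radio does it), and the XNL packet layout is not modelled. What it makes concrete is the poster's point: every party that answers the challenge must hold the full key, so the scheme is only as secret as the software that ships it.

```c
/* Added example for this thread: TEA challenge/response simulation and a scan for
 * the TEA delta constant. All key/challenge/image bytes are constructed placeholders. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA  0x9e3779b9u  /* floor(2^32 / golden ratio), the constant noted in the post */
#define TEA_CYCLES 32           /* standard TEA: 32 cycles (64 Feistel rounds) */

/* Standard TEA encryption of one 64-bit block (v[0], v[1]) under a 128-bit key k[0..3]. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Byte packing helpers. Big-endian word order is an assumption of this example. */
static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void store_be32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)(x >> 24); p[1] = (uint8_t)(x >> 16);
    p[2] = (uint8_t)(x >> 8);  p[3] = (uint8_t)x;
}

/* Turn the 8 random challenge bytes into the 8 response bytes. Both sides of the
 * handshake run exactly this, which is why the key has to exist in both the radio
 * firmware and the PC software. */
void tea_response(const uint8_t challenge[8], const uint32_t key[4], uint8_t response[8]) {
    uint32_t v[2] = { load_be32(challenge), load_be32(challenge + 4) };
    tea_encrypt(v, key);
    store_be32(response, v[0]);
    store_be32(response + 4, v[1]);
}

/* Constant-time comparison so the verifier does not leak how many bytes matched. */
static int ct_equal8(const uint8_t a[8], const uint8_t b[8]) {
    uint8_t diff = 0;
    for (int i = 0; i < 8; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Simulate the handshake: the "radio" holds radio_key and issued the challenge, the
 * "PC" answers with pc_key. Returns 1 if the radio would accept the session. */
int handshake_accepts(const uint8_t challenge[8], const uint32_t radio_key[4],
                      const uint32_t pc_key[4]) {
    uint8_t expected[8], offered[8];
    tea_response(challenge, radio_key, expected);   /* radio's own computation */
    tea_response(challenge, pc_key, offered);       /* what the PC sends back */
    return ct_equal8(expected, offered);
}

/* Scan a byte buffer for the TEA delta in either byte order. Returns the offset of
 * the first hit, or -1. This is the "watch for the constant" idea from the post,
 * used here the way an analyst confirms that an image contains TEA code at all. */
long find_tea_delta(const uint8_t *buf, size_t len) {
    static const uint8_t le[4] = { 0xb9, 0x79, 0x37, 0x9e };
    static const uint8_t be[4] = { 0x9e, 0x37, 0x79, 0xb9 };
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, le, 4) == 0 || memcmp(buf + i, be, 4) == 0) return (long)i;
    }
    return -1;
}

int main(void) {
    /* Constructed placeholder values; not keys or traffic from any real device. */
    const uint32_t radio_key[4] = { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeeff };
    const uint32_t wrong_key[4] = { 0x00112233, 0x44556677, 0x8899aabb, 0xccddeefe };
    const uint8_t challenge[8]  = { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
    uint8_t resp[8];

    tea_response(challenge, radio_key, resp);
    printf("response: ");
    for (int i = 0; i < 8; i++) printf("%02x", resp[i]);
    printf("\nsame key accepted: %d, key differing by one bit accepted: %d\n",
           handshake_accepts(challenge, radio_key, radio_key),
           handshake_accepts(challenge, radio_key, wrong_key));
    return 0;
}
```

Build with `cc -std=c99 -Wall tea_handshake.c -o tea_handshake` and run it; a key that differs from the radio's by a single bit is rejected, which is the whole protection and also the whole weakness: nothing in the exchange is secret except the key, and the key has to be present, in full, on the PC side.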