Reverse Engineering a Digital Two-Way Radio

In their talk “Reverse Engineering a Digital Two Way Radio”, Travis Goodspeed and Christiane Ruetten presented the challenges they faced and overcame while reverse engineering the “Tytera MD380”, a handheld transceiver for the Digital Mobile Radio (DMR) protocol.

The “Tytera MD380” is built around two chips: an STM32F405 CPU with an ARM Cortex M4F core and Readout Device Protection (RDP), and an HRC5000 baseband processor that implements the actual digital radio. While the STM32F405 is fully documented, there is no publicly available documentation for the HRC5000, but with the help of the Chinese community they were able to obtain the Chinese documentation.

The first step was to jailbreak the device to allow free extraction and modification of the firmware. On ARM, a read through a null pointer with no index reads out address zero, which dumps the bootloader and with it the code responsible for locking RDP and for decrypting incoming firmware updates. They were able to patch the bootloader so that RDP is no longer enabled. They then erased the whole device and flashed the patched bootloader. When the altered device was connected to the official firmware update tool, the application was reinstalled, but now without RDP locked, so they could read out the firmware and apply changes to it. This way they could, for example, enable promiscuous mode on the device. Larger code injections into the firmware need space, however, and there was not much unused space on the device. Christiane and Travis used Vix, a visual tool for inspecting binary data, to search for space they could free up, and they found it: deleting the Chinese fonts freed up 210.1 KB.

As a further step, they wanted to patch firmware update images and flash them onto the device so that no hardware modification is necessary. The firmware updates are distributed as zip files and contain the firmware as a binary file. The firmware update binary is encrypted, but by comparing two different update versions they found many similarities and concluded that the same key had been used for both encryptions and that a stream cipher was probably used. Because they already had a clear-text version from disabling the readout protection, they were able to mount a known-plaintext attack and recover the encryption key.
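The reasoning in this paragraph, as an added example that is not part of the original post or of the MD380 tools: a toy XOR stream cipher with a reused keystream (the keystream generator and the sample "firmware" bytes are constructed for the demo and say nothing about the radio's real cipher). It shows why two images encrypted under the same keystream look alike wherever their plaintexts agree, and how one known plaintext then exposes the keystream for every other image.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))

def make_keystream(label: bytes, length: int) -> bytes:
    """Deterministic keystream for the demo (constructed; not the radio's cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Stand-in for the update encryption: plaintext XOR keystream (self-inverse)."""
    return xor_bytes(plaintext, keystream)

def identical_byte_ratio(c1: bytes, c2: bytes) -> float:
    """Fraction of positions where two ciphertexts agree. With a reused keystream,
    c1 ^ c2 == p1 ^ p2, so unchanged plaintext regions show up as equal ciphertext
    bytes; with independent keystreams the ratio stays near 1/256."""
    n = min(len(c1), len(c2))
    return sum(c1[i] == c2[i] for i in range(n)) / n

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: keystream = ciphertext XOR plaintext."""
    return xor_bytes(ciphertext, known_plaintext)

# Constructed sample data: two firmware "versions" that differ in only 16 bytes,
# both encrypted under the same keystream (the situation described above).
FW_V1 = bytes(range(256)) * 4
FW_V2 = FW_V1[:100] + b"\xff" * 16 + FW_V1[116:]
KEYSTREAM = make_keystream(b"constructed-key", len(FW_V1))
CIPHER_V1 = stream_encrypt(FW_V1, KEYSTREAM)
CIPHER_V2 = stream_encrypt(FW_V2, KEYSTREAM)

def decrypt_v2_from_known_v1() -> bytes:
    """Recover the keystream from the v1 plaintext/ciphertext pair and decrypt v2."""
    ks = recover_keystream(CIPHER_V1, FW_V1)
    return stream_encrypt(CIPHER_V2, ks)

if __name__ == "__main__":
    print("ciphertext agreement v1/v2: %.3f" % identical_byte_ratio(CIPHER_V1, CIPHER_V2))
    print("v2 recovered from v1 plaintext:", decrypt_v2_from_known_v1() == FW_V2)
```

The defensive lesson is the mirror image: a fresh key or nonce per image (or an authenticated cipher with per-update nonces) removes both the similarity signal and the known-plaintext shortcut.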

Overall, they were able to reverse engineer enough of the firmware to patch in new features and wrap this in a freely available toolset (see which grabs the official firmware, decrypts it and applies the patches to it.

See you at TROOPERS17!
