The RadioReference.com Forums > Commercial and Professional Radio > Harris / MA/COM / GE / Ericsson Forum
Feature Encryption String - Reverse Engineering

#1  07-09-2009, 08:26 PM  Radioman96p71

Hot topic I know, but I figured I'd stir the pot a little.

Trying to figure out just how these feature encryption strings A: Relate to the 40+ "feature codes" we all use, B: How the string is derived from the ESN, and C: If there is some other 3rd "key" needed to have it all make sense.

Over at BatLabs there has been some on-going research but i do not have the credentials to do any more reading on it over there.

I have experience in reverse-engineering software authorization and key-gen apps, so this could be similar. M/A Com has been using this same technique for quite a while, which leads me to think the method or algorithm used to calculate it is probably an old standard of some sort.

Anyone have a bone they can throw my way?

#2  07-13-2009, 10:15 AM

Quote:
Originally Posted by Radioman96p71
(post #1 above, quoted in full)

You might want to look at VGE - the oldest encryption that they did.

#3  07-13-2009, 11:22 AM  Radioman96p71

Quote:
You might want to look at VGE - the oldest encryption that they did.
That's scary, I was JUST thinking that on the drive to work today. "Gee, I wonder if they would have used one of their proprietary methods of voice encryption to make the FEC harder to crack..." I have a pretty good idea of the breakdown of the FEC but not the exact cipher used to calculate it. Now I need to do some research on VGE and DES, the two most likely candidates.

Thank you for your input!

KCØGIK

#4  07-14-2009, 08:44 AM

You'd have to reverse engineer the feature encryption section of the radio firmware as it's all in the radio, not in ProGrammer.

But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.

My advice is to just back away slowly.


The feature encryption system is a two factor encryption engine where one factor is the ESN and the other is the feature string. The output activates any programmed combination of 40 (or 32 in the earlier radios) software switches.

There are some constants in the feature strings. The first and third byte pairs are always the same. 01 and 0B respectively.





Elroy

Last edited by ElroyJetson; 07-14-2009 at 08:49 AM.
#5  07-14-2009, 06:03 PM  Radioman96p71

Quote:
Originally Posted by ElroyJetson
...The first and third byte pairs are always the same. 01 and 0B respectively.
Except when it is 01 and 09. No detectable system yet as to why some radios use 0B and some are 09. Though all LPEs I've looked at are 0B and all MRKs are 09. Might be some kind of versioning or something.

Quote:
Originally Posted by ElroyJetson
My advice is to just back away slowly.
Nothing personal, I understand what you mean 100%. But I see nothing wrong with working on this in my own free time in my own house in private. If I disclosed the information for public (ab)use then that's a whole 'nother ball of wax. I simply want to know how it works. I'm no lawyer but I can't find any laws I am breaking. I'm not cracking encrypted comms, so that wouldn't apply here. It just happens to be a radio, not a computer. (Although the line between the two is blurring more and more.)


KCØGIK

#6  07-14-2009, 08:32 PM

Quote:
Originally Posted by Radioman96p71
(second part of post #5 above, quoted in full)
Good luck, it will be interesting and keep you out of the bars---

#7  07-15-2009, 08:44 AM

Based on the collected ESN/FEC pairs I've got on file, the 32 max option radios all share a "signature" of 01 and 09 in the first and third pairs.


01 and 0B are the signature for every 40 max option set I've got.

By 32 and 40 max option, I don't mean that all those options are enabled, it's just that Orions, LPEs, MRKs, and Jaguar 700s and 700Ps all support options up to no. 32 in the option list. P5100s, P7100s, M7100s, etc. all can handle up to option 40.

The length of the feature strings is different, too. The 40 option radios have a longer feature string.

Elroy

#8  07-15-2009, 05:42 PM

All the LPE200s I have seen share a 01 xx 0B triplet. I've got an ex-HYDRA M-RK that also has a 01 xx 0B triplet too. Just FYI.

The 32 avail option radios have a 16-octet feature string. Just out of interest, how many octets do the 40 avail option radios have (or is it just one nybble longer)?

#9  07-15-2009, 07:34 PM  Radioman96p71

From what I have seen with the 01 xx 09/0B dilemma, from the radios I have seen and looked at, every radio that had feature 23 also had the third byte 0B; if feature 23 wasn't there it was always 09. Feature 23 is more hardware dependent than anything, and changing a NB radio to byte 09 only causes the checksum to be invalid and I lose all the features. Only common denominator I have seen so far with the 09/0B.

KCØGIK

#10  07-16-2009, 12:16 PM
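The structural observations in posts #4, #7, #8 and #9 above (a 16-octet string on 32-option radios, a constant 01 in the first byte pair, 09 or 0B in the third) are the kind of thing you check against a whole file of collected ESN/feature-string pairs rather than by eye. The Python below is an added example written for this page; it is not code from the thread, from M/A-COM or from Harris, and it says nothing about the cipher itself. Its record set, model names, hex strings and option lists are constructed placeholders arranged to mirror the observations reported in the thread, not measurements. It checks each string against the reported structure and then asks whether grouping by radio model, or by the presence of option 23, fully explains the 09/0B split:

```python
"""Check structural hypotheses about M/A-COM feature strings (FEC) over a set
of collected records.

Added illustration for this thread; not code from the thread, from M/A-COM or
from Harris, and it does not touch the cipher. Facts taken from the thread:
32-option radios carry a 16-octet string, the first byte pair is always 01,
and the third byte pair is 09 or 0B. Everything else (the record set, the
models, the hex strings, the option lists) is constructed for the demonstration.
"""
from collections import Counter, defaultdict

# Constructed records: (radio model, feature string as hex octets, enabled option numbers).
# The hex strings are placeholders shaped like the thread describes, not real FECs.
SAMPLES = [
    ("LPE-200",     "01 4C 0B 91 2E 77 A0 13 5D C8 0F 62 B9 34 E1 7A", {1, 2, 5, 23}),
    ("LPE-200",     "01 D2 0B 08 6F 31 C4 9A 55 EE 27 80 1B 6C F3 48", {1, 5, 23, 30}),
    ("M-RK",        "01 77 09 C3 18 4B 9E 02 D6 3A 85 F1 60 2C B7 19", {1, 2, 4}),
    ("M-RK",        "01 0E 0B 5A 9C 41 27 F8 63 B0 1D CE 74 39 A6 E2", {1, 3, 23}),
    ("Orion",       "01 B5 09 6D 20 F4 3C 89 17 52 AE 0B D9 6E 43 C1", {1, 2, 7, 12}),
    ("Jaguar 700P", "01 69 09 F2 8D 04 B3 5E C7 10 7A 26 E8 91 3F 5B", {1, 9, 31}),
]

FIRST_PAIR = 0x01            # reported as constant in posts #4 and #7
THIRD_PAIRS = (0x09, 0x0B)   # the two values reported in the thread
OCTETS_32_OPTION = 16        # string length for 32-option radios per post #8


def parse_fec(hex_str):
    """Turn a spaced hex string such as '01 4C 0B ...' into bytes."""
    return bytes.fromhex(hex_str.replace(" ", ""))


def check_structure(octets, expected_len=OCTETS_32_OPTION):
    """Return the deviations from the structure the thread reports (empty list = consistent)."""
    problems = []
    if len(octets) != expected_len:
        problems.append(f"length {len(octets)} octets, expected {expected_len}")
    if not octets or octets[0] != FIRST_PAIR:
        problems.append("first byte pair is not 01")
    if len(octets) < 3 or octets[2] not in THIRD_PAIRS:
        problems.append("third byte pair is neither 09 nor 0B")
    return problems


def third_byte_by(samples, key_fn):
    """Count third-byte values per group; key_fn(model, options) picks the grouping under test."""
    table = defaultdict(Counter)
    for model, hex_str, options in samples:
        table[key_fn(model, options)][parse_fec(hex_str)[2]] += 1
    return {key: dict(counts) for key, counts in table.items()}


def is_separating(table):
    """True when every group carries exactly one third-byte value, i.e. the grouping explains the split."""
    return all(len(counts) == 1 for counts in table.values())


def by_model(model, options):
    """Hypothesis from posts #5 and #7: the third byte pair follows the radio model."""
    return model


def has_option_23(model, options):
    """Hypothesis from post #9: the third byte pair follows the presence of option 23."""
    return 23 in options


if __name__ == "__main__":
    for model, hex_str, _ in SAMPLES:
        print(model, check_structure(parse_fec(hex_str)) or "consistent")
    for name, key_fn in (("model", by_model), ("option 23", has_option_23)):
        table = third_byte_by(SAMPLES, key_fn)
        print(f"grouped by {name}: {table} -> separating: {is_separating(table)}")
```

To use it on real data, replace SAMPLES with the pairs you have on file. A grouping that is not separating on genuine records rules that hypothesis out; one that is separating is only consistent with the records, not proven, since the same split could be explained by something else the grouping happens to track. The checksum post #9 mentions is deliberately not modelled, because the thread does not give its algorithm.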

Quote:
Originally Posted by ElroyJetson
But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.
There's that /\/\oto speak again lol

There's nothing wrong with breaking encryption systems as long as it's for "educational use".

Look at the RC5 project for example.

KI4IJQ

do you M/A-Com?
#11  07-16-2009, 02:59 PM

Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.

#12  07-16-2009, 03:16 PM  Radioman96p71

Quote:
Originally Posted by ElroyJetson
Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.
I agree, can't be too careful when you are playing with big babies toys!

#13  07-16-2009, 05:03 PM

People who deride "moto speak" probably never knew anyone who's been boned by the Batwings.

I know at least four people who've been visited by Count Dracula to date. They got their peepees slapped rather thoroughly.

I won't be one of them. Even if I learn something that's not for public consumption, I won't use that information for anything but the satisfaction of learning something new. If I had a magic feature generator for any kind of radio, I wouldn't use it to upgrade a radio that wasn't my own personal property and wouldn't sell that radio with the upgrade in it. I love to learn secrets but the profit potential involved in turning the FEG inside out and selling low-cost upgrades to everyone does not in any way, shape, or form outweigh the potential costs and penalties.

Arguably, all such hacking activities for your own personal non-financial satisfaction are legal per "fair use" laws, but when you use it to make money or start handing out the results to other people, you're heading in a dangerous direction.

Elroy

#14  02-04-2010, 08:07 AM

Sharing information is not a problem, it's making profit from it that causes problems. But the big batwing got handed a big defeat in relation to NICK radios. I also would love to understand the feature string.

#15  02-06-2010, 01:58 AM  Radioman96p71

For a second there i thought i replied to my own post! Been bogged down a bit lately with work and other things, not much headway made yet... yet
KCØGIK

Adam K
Polk County, Iowa