Harris / MA/COM / GE / Ericsson Forum: For general discussion of MA/COM EDACS and ProVoice systems, including equipment.

07-09-2009, 08:26 PM
Feature Encryption String - Reverse Engineering
Hot topic, I know, but I figured I'd stir the pot a little.
Trying to figure out just how these feature encryption strings A: relate to the 40+ "feature codes" we all use, B: how the string is derived from the ESN, and C: if there is some other third "key" needed to have it all make sense.
Over at BatLabs there has been some ongoing research, but I do not have the credentials to do any more reading on it over there.
I have experience in reverse-engineering software authorization and key-gen apps, so this could be similar. M/A Com has been using this same technique for quite a while, which leads me to think the method or algorithm used to calculate it is probably an old standard of some sort.
Anyone have a bone they can throw my way?


07-13-2009, 10:15 AM
Quote:
Originally Posted by Radioman96p71
Hot topic, I know, but I figured I'd stir the pot a little.
Trying to figure out just how these feature encryption strings A: relate to the 40+ "feature codes" we all use, B: how the string is derived from the ESN, and C: if there is some other third "key" needed to have it all make sense.
Over at BatLabs there has been some ongoing research, but I do not have the credentials to do any more reading on it over there.
I have experience in reverse-engineering software authorization and key-gen apps, so this could be similar. M/A Com has been using this same technique for quite a while, which leads me to think the method or algorithm used to calculate it is probably an old standard of some sort.
Anyone have a bone they can throw my way?

You might want to look at VGE - the oldest encryption that they did.

07-13-2009, 11:22 AM
Quote:
You might want to look at VGE - the oldest encryption that they did.

That's scary, I was JUST thinking that on the drive to work today. "Gee, I wonder if they would have used one of their proprietary methods of voice encryption to make the FEC harder to crack..." I have a pretty good idea of the breakdown of the FEC but not the exact cipher used to calculate it. Now I need to do some research on VGE and DES, the two most likely candidates.
Thank you for your input!
KCØGIK

07-14-2009, 08:44 AM
You'd have to reverse engineer the feature encryption section of the radio firmware as it's all in the radio, not in ProGrammer.
But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.
My advice is to just back away slowly.
The feature encryption system is a two-factor encryption engine where one factor is the ESN and the other is the feature string. The output activates any programmed combination of 40 (or 32 in the earlier radios) software switches.
There are some constants in the feature strings. The first and third byte pairs are always the same. 01 and 0B respectively.
Elroy
Last edited by ElroyJetson; 07-14-2009 at 08:49 AM..

07-14-2009, 06:03 PM
Quote:
Originally Posted by ElroyJetson
...The first and third byte pairs are always the same. 01 and 0B respectively.

Except when it is 01 and 09. No detectable system yet as to why some radios use 0B and some are 09. Though all LPEs I've looked at are 0B and all MRKs are 09. Might be some kind of versioning or something.
Quote:
Originally Posted by ElroyJetson
My advice is to just back away slowly.

Nothing personal, I understand what you mean 100%. But I see nothing wrong with working on this in my own free time in my own house in private. If I disclosed the information for public (ab)use, then that's a whole other ball of wax. I simply want to know how it works. I'm no lawyer, but I can't find any laws I am breaking. I'm not cracking encrypted comms, so that wouldn't apply here. It just happens to be a radio, not a computer. (Although the line between the two is blurring more and more.)
KCØGIK

07-14-2009, 08:32 PM
Quote:
Originally Posted by Radioman96p71
Nothing personal, I understand what you mean 100%. But I see nothing wrong with working on this in my own free time in my own house in private. If I disclosed the information for public (ab)use, then that's a whole other ball of wax. I simply want to know how it works. I'm no lawyer, but I can't find any laws I am breaking. I'm not cracking encrypted comms, so that wouldn't apply here. It just happens to be a radio, not a computer. (Although the line between the two is blurring more and more.)
KCØGIK

Good luck, it will be interesting and keep you out of the bars---

07-15-2009, 08:44 AM
Based on the collected ESN/FEC pairs I've got on file, the 32 max option radios all share a "signature" of 01 and 09 in the first and third pairs.
01 and 0B are the signature for every 40 max option set I've got.
By 32 and 40 max option, I don't mean that all those options are enabled, it's just that Orions, LPEs, MRKs, and Jaguar 700s and 700Ps all support options up to no. 32 in the option list. P5100s, P7100s, M7100s, etc. all can handle up to option 40.
The length of the feature strings is different, too. The 40 option radios have a longer feature string.
Elroy

07-15-2009, 05:42 PM
All the LPE200s I have seen share a 01 xx 0B triplet. I've got an ex-HYDRA M-RK that also has a 01 xx 0B triplet too. Just FYI.
The 32-available-option radios have a 16-octet feature string. Just out of interest, how many octets do the 40-available-option radios have (or is it just one nybble longer)?

07-15-2009, 07:34 PM
From what I have seen with the 01 xx 09/0B dilemma, from the radios I have seen and looked at, every radio that had feature 23 also had the third byte 0B; if feature 23 wasn't there, it was always 09. Feature 23 is more hardware dependent than anything, and changing an NB radio to byte 09 only causes the checksum to be invalid and I lose all the features. Only common denominator I have seen so far with the 09/0B.
KCØGIK

07-16-2009, 12:16 PM
Quote:
Originally Posted by ElroyJetson
But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.

There's that /\/\oto speak again, lol.
There's nothing wrong with breaking encryption systems as long as it's for "educational use".
Look at the RC5 project, for example.
__________________
KI4IJQ
do you M/A-Com?

07-16-2009, 02:59 PM
Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.

07-16-2009, 03:16 PM
Quote:
Originally Posted by ElroyJetson
Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.

I agree, can't be too careful when you are playing with big babies' toys!

07-16-2009, 05:03 PM
People who deride "moto speak" probably never knew anyone who's been boned by the Batwings.
I know at least four people who've been visited by Count Dracula to date. They got their peepees slapped rather thoroughly.
I won't be one of them. Even if I learn something that's not for public consumption, I won't use that information for anything but the satisfaction of learning something new. If I had a magic feature generator for any kind of radio, I wouldn't use it to upgrade a radio that wasn't my own personal property and wouldn't sell that radio with the upgrade in it. I love to learn secrets, but the profit potential involved in turning the FEG inside out and selling low-cost upgrades to everyone does not in any way, shape, or form outweigh the potential costs and penalties.
Arguably, all such hacking activities for your own personal non-financial satisfaction are legal per "fair use" laws, but when you use it to make money or start handing out the results to other people, you're heading in a dangerous direction.
Elroy