Feature Encryption String - Reverse Engineering

Radioman96p71 · Jul 9, 2009

Hot topic I know but i figured id stir the pot a little.

Trying to figure out just how these feature encryption strings A: Relate to the 40+ "feature codes" we all use, B: How the string is derived from the ESN, and C: If there is some other 3rd "key" needed to have it all make sense.

Over at BatLabs there has been some on-going research but i do not have the credentials to do any more reading on it over there.

I have experience in reverse-engineering software authorization and key-gen apps so this could be similar. M/A Com has been using this same technique for quite a while, which leads me to think the method or algorithm used to calculate it is probably an old standard of some sort.

Anyone have a bone they can throw my way?

EnidPuceflange · Jul 13, 2009

Radioman96p71 said:
Hot topic I know but i figured id stir the pot a little.

Trying to figure out just how these feature encryption strings A: Relate to the 40+ "feature codes" we all use, B: How the string is derived from the ESN, and C: If there is some other 3rd "key" needed to have it all make sense.

Over at BatLabs there has been some on-going research but i do not have the credentials to do any more reading on it over there.

I have experience in reverse-engineering software authorization and key-gen apps so this could be similar. M/A Com has been using this same technique for quite a while, which leads me to think the method or algorithm used to calculate it is probably an old standard of some sort.

Anyone have a bone they can throw my way?

You might want to look at VGE - the oldest encryption that they did.

Radioman96p71 · Jul 13, 2009

You might want to look at VGE - the oldest encryption that they did.

That's scary, i was JUST thinking that on the drive to work today. "Gee I wonder if they would have used one of their proprietary methods of voice encryption to make the FEC harder to crack..." I have a pretty good idea the breakdown of the FEC but not the exact cypher used to calculate it. Now I need to do some research on VGE and DES, the two most likely candidates.

Thank you for your input!

KCØGIK

ElroyJetson · Jul 14, 2009

You'd have to reverse engineer the feature encryption section of the radio firmware as it's all in the radio, not in ProGrammer.

But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.

My advice is to just back away slowly.

The feature encryption system is a two factor encryption engine where one factor is the ESN and the other is the feature string. The output activates any programmed combination of 40 (or 32 in the earlier radios) software switches.

There are some constants in the feature strings. The first and third byte pairs are always the same. 01 and 0B respectively.

Elroy

Radioman96p71 · Jul 14, 2009

ElroyJetson said:
...The first and third byte pairs are always the same. 01 and 0B respectively.

Except when it is 01 and 09. No detectable system yet as to why some radios use 0B and some are 09. Tho all LPEs i've looked at are 0B and all MRKs are 09. Might be some kind of versioning or something.

ElroyJetson said:
My advice is to just back away slowly.

Nothing personal, I understand what you mean 100%. But I see nothing wrong with working on this in my own free time in my own house in private. If i disclosed the information for public (ab)use then that's a whole nother ball of wax. I simply want to know how it works. I'm no lawyer but i can't find any laws i am breaking. I'm not cracking encrypted comms, so that wouldn't apply here. It just happens to be a radio, not a computer. (although the line between the two is blurring more and more)

KCØGIK

Thayne · Jul 14, 2009

Radioman96p71 said:
Nothing personal, I understand what you mean 100%. But I see nothing wrong with working on this in my own free time in my own house in private. If i disclosed the information for public (ab)use then that's a whole nother ball of wax. I simply want to know how it works. I'm no lawyer but i can't find any laws i am breaking. I'm not cracking encrypted comms, so that wouldn't apply here. It just happens to be a radio, not a computer. (although the line between the two is blurring more and more)

KCØGIK

Good luck, it will be interesting and keep you out of the bars---

ElroyJetson · Jul 15, 2009

Based on the collected ESN/FEC pairs I've got on file, the 32 max option radios all share a "signature" of 01 and 09 in the first and third pairs.

01 and 0B are the signature for every 40 max option set I've got.

By 32 and 40 max option, I don't mean that all those options are enabled, it's just that Orions, LPEs, MRKs, and Jaguar 700s and 700Ps all support options up to no. 32 in the option list. P5100s, P7100s, M7100s, etc. all can handle up to option 40.

The length of the feature strings is different, too. The 40 option radios have a longer feature string.

Elroy

mitaux8030 · Jul 15, 2009

All the LPE200s I have seen share a 01 xx 0B triplet. I've got an ex-HYDRA M-RK that also has a 01 xx 0B triplet too. Just FYI.

The 32 avail option radios have a 16 octet feature string, Just out of interest, how many octets do the 40 avail option radios have (or is it just one nybble longer)?

Radioman96p71 · Jul 15, 2009

From what I have seen with the 01 xx 09/0B dilemma, from the radios I have seen and looked at, every radio that had feature 23, also had the third byte 0B, if feature 23 wasn't there it was always 09. The feature 23 is more hardware dependant than anything, and change a NB radio to byte 09 only causes the checksum to be invalid and i lose all the features. Only common denominator i have seen so far with the 09/0B

KCØGIK

flecom · Jul 16, 2009

ElroyJetson said:
But since you're dealing with an encryption system, I would advise against pursuing this as it seems likely to me that if Harris got wind of it, they'd pursue you to the ends of the earth. Harris would not take kindly to you peeing in their revenue stream and they have the clout to rain trouble upon thee.

theres that /\/\oto speak again lol

thres nothing wrong with breaking encrpytion systems as long as its for "educational use"

look at the RC5 project for example

ElroyJetson · Jul 16, 2009

Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.

Radioman96p71 · Jul 16, 2009

ElroyJetson said:
Moto speak, as you call it, is aimed at keeping people safe. A little paranoia is a good idea when dealing with dragons.

I agree, can't be too careful when you are playing with big babies toys!

ElroyJetson · Jul 16, 2009

People who deride "moto speak" probably never knew anyone who's been boned by the Batwings.

I know at least four people who've been visited by Count Dracula to date. They got their peepees slapped rather thoroughly.

I won't be one of them. Even if I learn something that's not for public consumption, I won't use that information for anything but the satisfaction of learning something new. If I had a magic feature generator for any kind of radio, I wouldn't use it to upgrade a radio that wasn't my own personal property and wouldn't sell that radio with the upgrade in it. I love to learn secrets but the profit potential involved
in turning the FEG inside out and selling low-cost upgrades to everyone does not in any way, shape,
or form outweigh the potential costs and penalties.

Arguably, all such hacking activities for your own personal non-financial satisfaction are legal per
"fair use" laws, but when you use it to make money or start handing out the results to other people,
you're heading in a dangerous direction.

Elroy

radioman2001 · Feb 4, 2010

Sharing information is not a problem, it's making profit from it that causes problems. But the big batwing got handed a big defeat in relation to NICK radio's. I also would love to understand the feature string.

Radioman96p71 · Feb 6, 2010

For a second there i thought i replied to my own post! Been bogged down a bit lately with work and other things, not much headway made yet... yet

SyntaxNero · Jan 5, 2017

Radioman96p71 said:
For a second there i thought i replied to my own post! Been bogged down a bit lately with work and other things, not much headway made yet... yet

Yes this is an old thread... But if you don't ask the answer is already no.

Any progress?

Radioman96p71 · Jan 6, 2017

Yes some, but nothing I can disclose on a public forum. There is always more work to be done but persistence is key. Sorry things have to be so vague but always watch out for #1.

rjschilder · Jul 21, 2018

Any further progress on this? I have good RE skills as well, wouldn't mind researching this further.

Sent from my SM-G960U using Tapatalk

radioman2001 · Jul 24, 2018

My understanding after conversations with Tac center in the past is the key is DES. That's about as old or older than VGE, and this is way before the Harris takeover.

mikewazowski · Jul 24, 2018

I don't think we really need a discussion on reverse engineering the feature string to add new features that you haven't paid for.

Might want to move the discussion over to Austech.

Feature Encryption String - Reverse Engineering

Member

Member

Member

I AM NOT YOUR TECH SUPPPORT.

Member

Member

I AM NOT YOUR TECH SUPPPORT.

Silent Key

Member

Member

I AM NOT YOUR TECH SUPPPORT.

Member

I AM NOT YOUR TECH SUPPPORT.

Member

Member

Member

Member

Member

Member

Forums Manager/Global DB Admin

Similar threads