nd5y
Member
I'm surprised nobody posted this yet.
Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware | Hackaday
Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware | Hackaday
-
To anyone looking to acquire commercial radio programming software:
Please do not make requests for copies of radio programming software which is sold (or was sold) by the manufacturer for any monetary value. All requests will be deleted and a forum infraction issued. Making a request such as this is attempting to engage in software piracy and this forum cannot be involved or associated with this activity. The same goes for any private transaction via Private Message. Even if you attempt to engage in this activity in PM's we will still enforce the forum rules. Your PM's are not private and the administration has the right to read them if there's a hint to criminal activity.
If you are having trouble legally obtaining software please state so. We do not want any hurt feelings when your vague post is mistaken for a free request. It is YOUR responsibility to properly word your request.
To obtain Motorola software see the Sticky in the Motorola forum.
The various other vendors often permit their dealers to sell the software online (i.e., Kenwood). Please use Google or some other search engine to find a dealer that sells the software. Typically each series or individual radio requires its own software package. Often the Kenwood software is less than $100 so don't be a cheapskate; just purchase it.
For M/A Com/Harris/GE, etc: there are two software packages that program all current and past radios. One package is for conventional programming and the other for trunked programming. The trunked package is in upwards of $2,500. The conventional package is more reasonable though is still several hundred dollars. The benefit is you do not need multiple versions for each radio (unlike Motorola).
This is a large and very visible forum. We cannot jeopardize the ability to provide the RadioReference services by allowing this activity to occur. Please respect this.
- Status
Tytera MD380 jailbreak turn into DMR scanner.
Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored at https://hackadaycom.files.wordpress.com/2016/01/pocorgtfo10.pdf ) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.
The Tytera MD380 (and the Retevis RT-3 clone/rebrand ) is a cheap DMR radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.
In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.
In the past few months Travis, (1) jailbroken the hardware to allow for free extraction and modification of firmware, (2) broken the hilarious crypto so that we can wrap and unwrap updates from the official tool, (3) reverse engineered enough of the firmware to patch in new features, (4) made room for large firmware modifications by creative abuse of Chinese fonts, and (5) wrapped all of this into a handy, freely available toolset.
Travis ( https://twitter.com/travisgoodspeed ) is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.
https://github.com/travisgoodspeed/md380tools
https://github.com/pchickey/md380-re
Source: Hackaday
Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored at https://hackadaycom.files.wordpress.com/2016/01/pocorgtfo10.pdf ) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.
The Tytera MD380 (and the Retevis RT-3 clone/rebrand ) is a cheap DMR radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.
In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.
In the past few months Travis, (1) jailbroken the hardware to allow for free extraction and modification of firmware, (2) broken the hilarious crypto so that we can wrap and unwrap updates from the official tool, (3) reverse engineered enough of the firmware to patch in new features, (4) made room for large firmware modifications by creative abuse of Chinese fonts, and (5) wrapped all of this into a handy, freely available toolset.
Travis ( https://twitter.com/travisgoodspeed ) is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.
https://github.com/travisgoodspeed/md380tools
https://github.com/pchickey/md380-re
Source: Hackaday
Last edited:
Turn MD380 into USB receiver
Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio, a fairly cheap (140$) DMR radio.
See more at http://forums.radioreference.com/di...ra-md380-jailbreak-turn-into-dmr-scanner.html
Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio, a fairly cheap (140$) DMR radio.
See more at http://forums.radioreference.com/di...ra-md380-jailbreak-turn-into-dmr-scanner.html
Last edited:
Hams Hack $110 DMR Radio To Allow Support For D-STAR, P25 And System Fusion
Hams hack $110 DMR radio to allow support for D-STAR, P25 and System Fusion - VA3XPR
One of the great things about the hams is their ability to find solutions to almost any communications related problem. This has been proven once again with a recent announcement that some resourceful hams have reverse engineered one of the most popular DMR radios on the market today, the Chinese made TYT MD-380, allowing for a fully open source firmware to be uploaded into the radio.
DON’T MISS: Tytera TYT MD-380 DMR portable radio review
By having the ability to add an open source firmware to the radio, hams would be able to completely redesign the operation of the radio, allowing for an improved user experience, support for multiple digital modes, such as D-STAR, P25, System Fusion, the ability to turn it into a multi-mode digital scanner, plus much more. Since the big name ham radio manufacturers, including Yaesu, ICOM, Kenwood and Alinco have been unwilling to standardize on a single digital mode or even offer a multi-mode digital radio to the ham radio community, hams have been forced to purchase separate radios for each digital mode, leaving them yearning for a single radio that would support all digital modes. In March 2014, Jerry Wanger of Connect System announced the CS7000, a multi-mode digital radio for the ham community, initially supporting DMR and D-STAR, however due to complications, the radio never made it to market. With this recent announcement, it is likely that the ham radio community will make the radio the ham radio manufacturers were unable to unwilling deliver upon, making the TYT MD-380 radio even more popular going forward.
For anyone looking to pick-up a TYT MD-380 with the anticipation of being able to convert it into a multi-mode digital radio, Connect Systems is currently offering the radio on its website for $110 USD.
Hams hack $110 DMR radio to allow support for D-STAR, P25 and System Fusion - VA3XPR
One of the great things about the hams is their ability to find solutions to almost any communications related problem. This has been proven once again with a recent announcement that some resourceful hams have reverse engineered one of the most popular DMR radios on the market today, the Chinese made TYT MD-380, allowing for a fully open source firmware to be uploaded into the radio.
DON’T MISS: Tytera TYT MD-380 DMR portable radio review
By having the ability to add an open source firmware to the radio, hams would be able to completely redesign the operation of the radio, allowing for an improved user experience, support for multiple digital modes, such as D-STAR, P25, System Fusion, the ability to turn it into a multi-mode digital scanner, plus much more. Since the big name ham radio manufacturers, including Yaesu, ICOM, Kenwood and Alinco have been unwilling to standardize on a single digital mode or even offer a multi-mode digital radio to the ham radio community, hams have been forced to purchase separate radios for each digital mode, leaving them yearning for a single radio that would support all digital modes. In March 2014, Jerry Wanger of Connect System announced the CS7000, a multi-mode digital radio for the ham community, initially supporting DMR and D-STAR, however due to complications, the radio never made it to market. With this recent announcement, it is likely that the ham radio community will make the radio the ham radio manufacturers were unable to unwilling deliver upon, making the TYT MD-380 radio even more popular going forward.
For anyone looking to pick-up a TYT MD-380 with the anticipation of being able to convert it into a multi-mode digital radio, Connect Systems is currently offering the radio on its website for $110 USD.
Funny how the price on the Connect Systems site has gone up to $165 since this article was published
There is no way I'll ever risk bricking my lovely MD-380 with such "iffy" hacks.
I believe they will be refined over time. The abilities of software used by SDRs were "iffy" at first, but are now mainstream.
How many times is this "news" going be announced? I've read this in at least three threads here already...
This is extremely interesting!
You know those DMR radios based on the C5000 demodulator chip (Tytera, Connect Systems) cannot receive systems with RAS implemented because the chip is programmed to reject bursts with bad CRCs (RAS would generate a bad CRC without a correct RAS key). It would be nice for someone to get into the firmware and re-program the C5000 it to ignore those CRC checks, if it's possible.
You know those DMR radios based on the C5000 demodulator chip (Tytera, Connect Systems) cannot receive systems with RAS implemented because the chip is programmed to reject bursts with bad CRCs (RAS would generate a bad CRC without a correct RAS key). It would be nice for someone to get into the firmware and re-program the C5000 it to ignore those CRC checks, if it's possible.
Last edited:
It's still available for $128.24 with Promo Code 5Deal
http://www.buytwowayradios.com/products/tytera/md-380.aspx
Connect Systems still showing $110.00 on the web store.
http://csi-radios.com
http://www.buytwowayradios.com/products/tytera/md-380.aspx
Connect Systems still showing $110.00 on the web store.
http://csi-radios.com
slicerwizard
Member
Sidestepping RAS would be as simple as the already-implemented promiscuous mode.
Well here is my attempt at using this software. It seems you need to build "ninja" based on this page.
https://github.com/pchickey/md380-re/tree/master/newfw
First you need build ninja:
https://ninja-build.org/
That part is easy:
$ git clone git://github.com/ninja-build/ninja.git && cd ninja
$ git checkout release
$ cat README
"Then, from this directory, run:
$ ./build.py"
I assume this means use the build.py from this page
https://github.com/pchickey/md380-re/blob/master/newfw/build.py
This is my attempt at running the script.
./build.py
Traceback (most recent call last):
File "./build.py", line 3, in <module>
from build.helpers import *
File "/usr/local/src/ninja/build.py", line 3, in <module>
from build.helpers import *
ImportError: No module named helpers
https://github.com/pchickey/md380-re/tree/master/newfw
First you need build ninja:
https://ninja-build.org/
That part is easy:
$ git clone git://github.com/ninja-build/ninja.git && cd ninja
$ git checkout release
$ cat README
"Then, from this directory, run:
$ ./build.py"
I assume this means use the build.py from this page
https://github.com/pchickey/md380-re/blob/master/newfw/build.py
This is my attempt at running the script.
./build.py
Traceback (most recent call last):
File "./build.py", line 3, in <module>
from build.helpers import *
File "/usr/local/src/ninja/build.py", line 3, in <module>
from build.helpers import *
ImportError: No module named helpers
Sorry for the duplicate.
http://forums.radioreference.com/di...27256-md-380-firmware-reverse-engineered.html
But thi is an incredible breakthrough.
This is exactly correct. While the news within itself is good, seems there's a way to go between it actually doing Fusion and DStar yet and saying it is "possible".
Seems like a good market though if someone actually gets it to do that and just sells them ready to go.
I'll go out on a limb and say it has more to do with him being an engineer than a ham.
Personally, I see nothing to get excited about... yet. Just because he has successfully reverse-engineered the firmware code it is still only a first step. No one knows what else might proceed from that breakthrough. He's asking for help in further exploiting his breakthrough, but it may be months - or never - before anything practical comes about.
- Status
Similar threads
