OP25 Add RC4 (ADP) decryption

wgbecks

Active Member
Joined
Jan 17, 2005
Messages
1,113
Location
NE Wisconsin
For what it's worth, I had Plutonium94's ADP patch up and running months ago on an older commit of op25. Having a service monitor at my disposal, I was able to generate a P25 ADP encoded signal and am happy to report that it worked! However, the code obtained from the author back when first offered will no longer compile on newer commits of op25.

I have since tried to contact the author in an effort to explore possibilities of addressing compatibility issues of the newer releases but haven't been able to reach him. Perhaps he's been busy with other activities in that the site indicates his last logon was back on May 20, 2022.

Although the patch worked, it was necessary to enter the "Known" key into a library file prior to recompiling op25 with no provisions for user key input when executing the application. I would have liked to have seen a fork of op25 by the author that he might continue to develop and expand functionality.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,532
Location
Talbot Co, MD
The code was written against an earlier version of my repo before I refactored where the message decode takes place. It can be merged fairly easily, but considerably more effort will be needed to make the key configurable.
 

reformedMhacker

Member
Premium Subscriber
Joined
Feb 20, 2008
Messages
31
Location
georgia
My understanding is that he has code to decrypt ADP, but you need to know the key in advance, much like programming a subscriber radio.

Yes, that's fine. I'm not looking to crack anything, just to be able to monitor/receive with a known key on computer hardware instead of with a radio or g-series pager. I'd be perfectly happy with that.
 

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,908
Location
N.E. Kansas
Yes, that’s fine. I’m not looking to crack anything, just to be able to monitor/ receive with a known key on computer hardware instead of with a radio or g-series pager. I’d be perfectly happy with that.

Yes this would be great. It would be very handy to set a few up for employees and not have to tie up an expensive radio.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,532
Location
Talbot Co, MD
The OP's original work has been merged into my "dev" branch. As of now the key is hard coded and you'll have to modify p25p1_fdma.cc line 765 to set the adp_key to match your specific system.
Code:
        void p25p1_fdma::adp_keystream_gen() {
            uint8_t adp_key[13] = {0x00, 0x00, 0x00, 0x00, 0x00},
                    S[256], K[256];
            uint32_t i, j = 0, k;
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,981
Location
Ontario, Canada
Tons of people here own a radio that is capable of doing decryption (and nobody cares about that), what's so different about software? Barring software copyright issues etc that I honestly wouldn't know the first thing about. But this discussion would best be held in its own thread likely.
 

mikewazowski

Forums Manager/Global DB Admin
Staff member
Forums Manager
Joined
Jun 26, 2001
Messages
13,938
Location
Oot and Aboot
This should prove to be an interesting thread to watch, I'm honestly surprised nobody in the RR police has popped up yet to suggest the boogeyman will come to get them for even thinking about posting about encryption.

Why? There is no rule against encryption posts.
 

lwvmobile

DSD-FME
Joined
Apr 26, 2020
Messages
1,367
Location
Lafayette County, FL
Why? There is no rule against encryption posts.

No, I wasn't actually referring to the actual rules on the forum, but all the nay-sayers who always seem to come along and offer a strong opinion on why you can't or why you shouldn't provide code that does anything from displaying the de-interleaved and demodulated AMBE or IMBE frames, to showing the message indicator or the IV, or decoding BP and so on.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,532
Location
Talbot Co, MD
How does this work? Does it universally use the one key for all received traffic?

Right now the code uses one pre-defined key to attempt to decrypt adp traffic. If the key isn't correct the audio is going to sound like garbage. No configuration files, no key selections... about as basic as it gets.
 

lwvmobile

DSD-FME
Joined
Apr 26, 2020
Messages
1,367
Location
Lafayette County, FL
How does this work? Does it universally use the one key for all received traffic?

That is the way the code is currently written, but I suppose if somebody with a little bit of initiative and ingenuity wanted to, they could write in a few extra lines of their own, perhaps an array of known key values, and have them switch in according to the ess_keyid variable value. That's the beauty of open source, you can change the source code to your liking.
 

mancow

Member
Database Admin
Joined
Feb 19, 2003
Messages
6,908
Location
N.E. Kansas
That is the way the code is currently written, but I suppose if somebody with a little bit of initiative and ingenuity wanted to, they could write in a few extra lines of their own, perhaps an array of known key values, and have them switch in according to the ess_keyid variable value. That's the beauty of open source, you can change the source code to your liking.

Excellent! Thank you.
 

reformedMhacker

Member
Premium Subscriber
Joined
Feb 20, 2008
Messages
31
Location
georgia
If anyone decides to start coding on this project and feels froggy and *wants* to add in functionality for multiple keys, just keep in mind the need to add KID values so the software knows which key it needs to use to decode the traffic. There are many systems that use more than one key, so it would be nice to monitor more than one key group per system. Another great thing that could be helpful (especially if there was an rc4 encryption GUI) would be to have the ability to save a table of known keys and make them selectable and independent of KIDs. I wish I was more able on the coding side of things, but my experience in this was limited to hex editing back in the day to add function to older radios.
 

reformedMhacker

Member
Premium Subscriber
Joined
Feb 20, 2008
Messages
31
Location
georgia
The OP's original work has been merged into my "dev" branch. As of now the key is hard coded and you'll have to modify p25p1_fdma.cc line 765 to set the adp_key to match your specific system.
Code:
        void p25p1_fdma::adp_keystream_gen() {
            uint8_t adp_key[13] = {0x00, 0x00, 0x00, 0x00, 0x00},
                    S[256], K[256];
            uint32_t i, j = 0, k;


In an imaginary system where the rc4 key is 1A2B3C4D5E, would the key be entered in the lines of code as {0x1A, 0x2B, 0x3C, 0x4D, 0x5E}, or am I missing something? I've compiled with the code in the dev branch and can receive clear transmissions well, but when using my own known key for rc4 encrypted transmissions, I just get the digital "blurts and snorts" for a split second before the audio mutes and "encrypted" is displayed.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,532
Location
Talbot Co, MD
In an imaginary system where the rc4 key is 1A2B3C4D5E, would the key be entered in the lines of code as {0x1A, 0x2B, 0x3C, 0x4D, 0x5E}, or am I missing something? I've compiled with the code in the dev branch and can receive clear transmissions well, but when using my own known key for rc4 encrypted transmissions, I just get the digital "blurts and snorts" for a split second before the audio mutes and "encrypted" is displayed.
Yes, that's my understanding of how it is supposed to work. @wgbecks did validate that the code is working properly, at least for him.
 

lwvmobile

DSD-FME
Joined
Apr 26, 2020
Messages
1,367
Location
Lafayette County, FL
If anybody wanted to give this snippet a test, this should be the general gist of loading different key values from a known value key array. May need some tweaking if any build errors occur.

Code:
//copy and paste this into p25p1_fdma.cc at line 768
//assign zeroes to all potential keyid values so we don't have a segfault.
//A 16-bit key id runs from 0 to 0xFFFF, so the table needs 0x10000 entries
//(0xFFFF entries would put ess_keyid == 0xFFFF out of bounds); static keeps
//the 512 KB table off the stack of the decoder thread.
static uint64_t key_array[0x10000] = {0};
//example known key value. purely fictional.
//key id and value in hex (ULL suffix: the 40-bit value needs a 64-bit literal)
key_array[0x1337] = 0x58AB912F9DULL;
//key id in decimal, value in hex
key_array[69] = 0x6969696969ULL;
//add your own keys

//load keys from the key_array based on the value of ess_keyid,
//most significant byte first; an unknown key id yields an all-zero key
adp_key[0] = (key_array[ess_keyid] & 0xFF00000000ULL) >> 32;
adp_key[1] = (key_array[ess_keyid] & 0xFF000000ULL) >> 24;
adp_key[2] = (key_array[ess_keyid] & 0xFF0000ULL) >> 16;
adp_key[3] = (key_array[ess_keyid] & 0xFF00ULL) >> 8;
adp_key[4] = (key_array[ess_keyid] & 0xFFULL) >> 0;
 
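The per-KID key selection that lwvmobile's snippet sketches, and the saved table of known keys that reformedMhacker asked for, as an added example written for this thread; it is not code from OP25 or from either poster. It also answers the key-entry question above: a key written 1A2B3C4D5E is unpacked most-significant byte first into {0x1A, 0x2B, 0x3C, 0x4D, 0x5E}, and an unknown KID is reported rather than silently decoded with a zero key. The function names, the AdpKeyTable type and the kid:key file format are assumptions made for this example, and every KID and key in the sample file is fictional.

```cpp
// Added example, not OP25 code: a table of known ADP keys selected by the
// 16-bit key id (KID), unpacked into the five key bytes the thread's
// adp_key[] expects. Function names and the "kid:key" line format are
// assumptions made for this example.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <sstream>
#include <string>

// Known keys indexed by KID; each value holds a 40-bit (5-byte) ADP key.
using AdpKeyTable = std::map<uint16_t, uint64_t>;

// True when s is a non-empty run of hex digits (no sign, no "0x" prefix).
static bool is_hex(const std::string& s) {
    if (s.empty()) return false;
    for (char c : s)
        if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
    return true;
}

// Parse one "<kid-hex>:<key-hex>" line, e.g. "1337:58AB912F9D".
// Rejects malformed lines, KIDs above 0xFFFF and keys wider than 40 bits.
bool parse_adp_key_line(const std::string& line, uint16_t& kid, uint64_t& key) {
    std::string::size_type colon = line.find(':');
    if (colon == std::string::npos) return false;
    std::string kid_str = line.substr(0, colon);
    std::string key_str = line.substr(colon + 1);
    if (!is_hex(kid_str) || !is_hex(key_str)) return false;
    // On overflow strtoul/strtoull return their maximum, which the range
    // checks below reject.
    unsigned long kid_val = std::strtoul(kid_str.c_str(), nullptr, 16);
    unsigned long long key_val = std::strtoull(key_str.c_str(), nullptr, 16);
    if (kid_val > 0xFFFFUL || key_val > 0xFFFFFFFFFFULL) return false;
    kid = static_cast<uint16_t>(kid_val);
    key = key_val;
    return true;
}

// Load a key file held in memory. Blank lines and '#' comments are skipped;
// the return value is the number of lines that were rejected.
int load_adp_keys(const std::string& text, AdpKeyTable& table) {
    std::istringstream in(text);
    std::string line;
    int rejected = 0;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#') continue;
        uint16_t kid = 0;
        uint64_t key = 0;
        if (parse_adp_key_line(line, kid, key)) table[kid] = key;
        else ++rejected;
    }
    return rejected;
}

// Copy the key for `kid` into out[0..4], most significant byte first, so a
// key written as 1A2B3C4D5E becomes {0x1A, 0x2B, 0x3C, 0x4D, 0x5E}.
// Returns false for an unknown KID so the caller can leave the audio muted
// rather than feeding a zero key to the keystream generator.
bool select_adp_key(const AdpKeyTable& table, uint16_t kid, uint8_t out[5]) {
    AdpKeyTable::const_iterator it = table.find(kid);
    if (it == table.end()) return false;
    for (int i = 0; i < 5; ++i)
        out[i] = static_cast<uint8_t>((it->second >> (8 * (4 - i))) & 0xFF);
    return true;
}

// Constructed sample key file; every KID and key here is fictional.
const char* const kSampleKeys =
    "# kid:key, both hex; a key is 40 bits, i.e. up to 10 hex digits\n"
    "1337:58AB912F9D\n"
    "0045:6969696969\n"
    "0001:1A2B3C4D5E\n"
    "zz:12\n"                 // bad KID, rejected
    "0002:112233445566\n";    // 48-bit key, rejected

int main() {
    AdpKeyTable table;
    int rejected = load_adp_keys(kSampleKeys, table);
    uint8_t adp_key[13] = {0};  // first five bytes hold the key, as in the thread
    if (select_adp_key(table, 0x0001, adp_key))
        std::printf("KID 0001 -> %02X %02X %02X %02X %02X\n", adp_key[0],
                    adp_key[1], adp_key[2], adp_key[3], adp_key[4]);
    if (!select_adp_key(table, 0x0002, adp_key))
        std::printf("KID 0002 unknown: keep audio muted\n");
    std::printf("%d line(s) rejected\n", rejected);
    return 0;
}
```

Build it stand-alone with g++ and run it. Inside p25p1_fdma.cc the same idea would hold the table in the block and call select_adp_key(table, ess_keyid, adp_key) before the keystream is generated, treating a false return as "no key for this talkgroup" and keeping the audio muted instead of producing garbage.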