OP25 Add RC4 (ADP) decryption

Status
Not open for further replies.

hrh17

Member
Joined
Mar 4, 2015
Messages
148
Reaction score
32
Location
.
L
Reviving this topic to add some important notes on ADP crypto. Note that the key space is 40 bits; even though you can read in some places that it can be cracked super fast, that is only if a "success" condition can be met, i.e. you try to brute force a zip archive that was encrypted with RC4 (similar to ADP). In audio frames, you CAN'T know if you succeeded because it only outputs audio data (garbage). Unless you want to hear said garbage audio over 1099511627776 times (this is the key space size for 40 bits), that won't work for you.

Unless of course I'm all mistaken and there is a known 'success' condition on audio frames that I don't know about, but hey, that's just me :)
Lol completely wrong
 

mathv

Member
Joined
Mar 28, 2016
Messages
5
Reaction score
0
L

Lol completely wrong
Well, I stand corrected; detecting a silence frame is indeed a success condition. I'm gonna return to my research on silence frames. Thanks for the input.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,648
Reaction score
1,039
Location
Talbot Co, MD
Unless of course I'm all mistaken and there is a known 'success' condition on audio frames that I don't know about, but hey, that's just me :)
Go research "silence frames", the dirty little secret of the xMBE vocoder
 

Blackswan73

Active Member
Joined
Jan 29, 2015
Messages
1,649
Reaction score
553
Location
Central Indiana
I was wondering if there were any hackers on this site besides me. No, I haven't hacked Public Service transmissions since the days of speech inversion. That was easy enough to do. Just four diodes wired as a ring demodulator and a VFO. I also was into hacking encrypted TV signals, both OTA, CATV, and satellite. All illegal but challenging. Hacking digital systems via brute force is getting more doable with the increasing access to higher powered computers. A poster stated that a certain algorithm hasn't been hacked and never will be. Well, never is a long time. A very wise person once said anything that can be encrypted can be decrypted. Back in my FTA days it became a game. That is until a certain unnamed sat provider decided to play hardball, then it wasn't so much fun anymore. My advice is if you can do it, don't broadcast it to the world. You never know who's watching. BTW my past activities are long beyond the statute of limitations.

B.S.
 

KevinC

32D2T/957.282
Super Moderator
Joined
Jan 7, 2001
Messages
14,303
Reaction score
23,174
Location
I'm everywhere Focker!
This is not the place to discuss hacking encryption. Adding decryption with a known key in SW packages is fine, but that’s where it stops.
 

kc6ymp

Newbie
Premium Subscriber
Joined
Mar 20, 2018
Messages
1
Reaction score
2
Location
huntington beach ca
I'll take you up on your offer when I have some spare time. I'll flick ya some of my Tait recordings with a known key.
Hmm, you know, HR, have you tried an SDR and just shooting random noise on any one of the encrypted channels? Because if the network supports EKMS / OTAR it will drop the encryption key? No decoding required.
 

happyidea2196

Newbie
Joined
May 15, 2024
Messages
1
Reaction score
0
Hmm, you know, HR, have you tried an SDR and just shooting random noise on any one of the encrypted channels? Because if the network supports EKMS / OTAR it will drop the encryption key? No decoding required.
Uh, no. The key sent by the KMF is encrypted using the UKEK that needs to be in the radio.
 

LubeckTech

Member
Premium Subscriber
Joined
Jan 22, 2010
Messages
218
Reaction score
5
Location
Parkersburg, WV
void p25p1_fdma::adp_keystream_gen() {
uint8_t adp_key[13] = {0x00, 0x00, 0x00, 0x00, 0x00},
S[256], K[256];
uint32_t i, j = 0, k;

Where would I enter the Key ID?
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,648
Reaction score
1,039
Location
Talbot Co, MD
void p25p1_fdma::adp_keystream_gen() {
uint8_t adp_key[13] = {0x00, 0x00, 0x00, 0x00, 0x00},
S[256], K[256];
uint32_t i, j = 0, k;

Where would I enter the Key ID?
keyid comes from the radio stream, and identifies which key is currently in use.
It needs to match the first parameter of the keys.json file (or whatever you are pointing to from cfg.json).
Here are example contents of keys.json:
Code:
{
    "0x0001": {"algid": "0xaa", "key": [ "0x70", "0x70", "0x70", "0x70", "0x70" ]},
    "0x0003": {"algid": "0xaa", "key": [ "0x70", "0x70", "0x70", "0x70", "0x70" ]},
    "0x1b50": {"algid": "0xaa", "key": [ "0x12", "0x34", "0x56", "0x78", "0x90" ]},
    "0x1850": {"algid": "0xaa", "key": [ "0x62", "0x23", "0x96", "0x31", "0x04" ]},
    "0x3131": {"algid": "0xaa", "key": [ "0x31", "0x31", "0x31", "0x31", "0x31" ]}
}
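To show what the 13-byte adp_key array in the OP25 fragment quoted above is for, here is an added Python example of RC4 keystream generation keyed the way ADP keys it. This is not OP25's own code. It assumes, following how I understand OP25 and other P25 decoders to implement ADP, that the 13-byte RC4 key is the 5-byte key from keys.json followed by the 8-byte Message Indicator carried in the stream, and that the first 256 keystream bytes are discarded; both are labelled as assumptions in the code. The sample key is the 0x1b50 entry from the keys.json posted above (an example value, not a real key) and the MI is constructed. How the keystream bytes are then laid onto the IMBE voice frames is OP25-specific and not shown here.

```python
"""RC4 keystream generation as used for P25 ADP (algid 0xaa) with a known key.

Added example, not OP25's code. ADP is 40-bit RC4, which is why the thread
treats it as weak; what is shown here is the key schedule, nothing more.
"""


def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes after discarding the first `drop`."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm (KSA): permute S under the key bytes
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes
    i = j = 0
    out = bytearray()
    for _ in range(drop + length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out[drop:])


def rc4_xor(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data), drop)))


def keyjson_bytes(hex_list) -> bytes:
    """Turn a keys.json key list such as ["0x12", "0x34", ...] into bytes."""
    return bytes(int(b, 16) for b in hex_list)


def adp_rc4_key(key5: bytes, mi: bytes) -> bytes:
    """ASSUMPTION: OP25's adp_key[13] = 5-byte ADP key || 8-byte Message Indicator."""
    if len(key5) != 5:
        raise ValueError("ADP key must be 5 bytes (40 bits)")
    if len(mi) != 8:
        raise ValueError("P25 Message Indicator must be 8 bytes")
    return key5 + mi


ADP_DROP = 256  # ASSUMPTION: decoders discard the first 256 RC4 bytes for ADP


def adp_keystream(key5: bytes, mi: bytes, length: int) -> bytes:
    """Keystream for one ADP voice superframe segment, given key and MI."""
    return rc4_keystream(adp_rc4_key(key5, mi), length, drop=ADP_DROP)


if __name__ == "__main__":
    # Sample key from the keys.json posted above (an example value, not a real key)
    key = keyjson_bytes(["0x12", "0x34", "0x56", "0x78", "0x90"])
    mi = bytes.fromhex("0011223344556677")  # constructed MI, for illustration only
    print(adp_keystream(key, mi, 16).hex())
```

The rc4_keystream function with drop=0 is plain RC4 and reproduces the published RC4 test vectors, which is the easiest way to convince yourself the KSA/PRGA is right before trusting the ADP wrapper.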
 

LubeckTech

Member
Premium Subscriber
Joined
Jan 22, 2010
Messages
218
Reaction score
5
Location
Parkersburg, WV
I am having a problem getting multi_rx.py to work.
rx.py works well but whenever I try to run multi_rx.py I get Runtime Error: Wrong RTL device index given.
To start the program I use ./multi_rx.py -c p25_rtl_example.json, which is unaltered, and I still get the error. I have tried several different configurations of the file, a Pi5 & PC and several different RTL dongles and always get the same error.
 

boatbod

Member
Joined
Mar 3, 2007
Messages
3,648
Reaction score
1,039
Location
Talbot Co, MD
I am having a problem getting multi_rx.py to work.
rx.py works well but whenever I try to run multi_rx.py I get Runtime Error: Wrong RTL device index given.
To start the program I use ./multi_rx.py -c p25_rtl_example.json, which is unaltered, and I still get the error. I have tried several different configurations of the file, a Pi5 & PC and several different RTL dongles and always get the same error.
Sounds like something in the configuration file does not match your actual hardware.
Note that none of the 'example' json files are designed to be run without at least minimal customization to your specific needs. In this instance, the config you are attempting to use is specified with two RTL devices. If you only have one then it's not surprising that it's failing.
Code:
    "devices": [
        {
            "args": "rtl=0",
            "gains": "LNA:39",
            "gain_mode": false,
            "name": "sdr0",
            "offset": 0,
            "ppm": 0.0,
            "rate": 1000000,
            "usable_bw_pct": 0.85,
            "tunable": true
        },
        {
            "args": "rtl=1",
            "gains": "LNA:39",
            "gain_mode": false,
            "name": "sdr0",
            "offset": 0,
            "ppm": 0.0,
            "rate": 1000000,
            "usable_bw_pct": 0.85,
            "tunable": true
        }
    ],
 

LubeckTech

Member
Premium Subscriber
Joined
Jan 22, 2010
Messages
218
Reaction score
5
Location
Parkersburg, WV
Thanks!
I thought it was something simple.
Removed the voice channel from the configuration file and it works well including ADP decryption.
To decode DES would I change the algid to 0x81 and add key values to accommodate 16 digits in HEX?
 

MTL_Emergencies

Member++
Database Admin
Joined
Sep 6, 2019
Messages
174
Reaction score
110
Location
Quebec, Canada
To decode DES would I change the algid to 0x81 and add key values to accommodate 16 digits in HEX?
That is correct; a typical DES key configuration would look like this:
JSON:
"0x0001": {"algid": "0x81", "key": [ "0x12", "0x34", "0x56", "0x78", "0x90", "0xAB", "0xCD", "0xEF" ]}
Note that DES decryption is only implemented on multi_rx.
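As an added example that is not OP25's code, here is a small Python loader that checks a keys.json file of the kind shown earlier in the thread (and this DES entry) before cfg.json is pointed at it: key ids must be 16-bit values, the algid must be one it knows, the key length must match the algorithm (5 bytes for 0xaa ADP and 8 bytes for 0x81 DES, as the thread shows), duplicate ids are rejected rather than silently overwritten, and keys made of one repeated byte such as the 0x70 placeholders are flagged. The 0x84 / 32-byte AES-256 entry in the table comes from the P25 standard and is not discussed in this thread; whether a given OP25 build implements it is not something the thread establishes. The sample file is constructed from the entries posted above, with the DES entry moved to id 0x0002 so it does not collide with the ADP entry on 0x0001.

```python
"""Validate an OP25-style keys.json before use. Added example, not OP25's code."""
import json
from typing import Dict, List, Optional, Tuple

# algid -> (name, key length in bytes). 0xaa and 0x81 are from the thread;
# 0x84 is AES-256 per the P25 standard and is not discussed in the thread.
ALGID_KEY_LEN = {0xAA: ("ADP/RC4", 5), 0x81: ("DES-OFB", 8), 0x84: ("AES-256", 32)}

# Constructed sample: the entries posted in this thread plus the DES entry on id 0x0002
SAMPLE_KEYS_JSON = """{
    "0x0001": {"algid": "0xaa", "key": [ "0x70", "0x70", "0x70", "0x70", "0x70" ]},
    "0x0003": {"algid": "0xaa", "key": [ "0x70", "0x70", "0x70", "0x70", "0x70" ]},
    "0x1b50": {"algid": "0xaa", "key": [ "0x12", "0x34", "0x56", "0x78", "0x90" ]},
    "0x1850": {"algid": "0xaa", "key": [ "0x62", "0x23", "0x96", "0x31", "0x04" ]},
    "0x3131": {"algid": "0xaa", "key": [ "0x31", "0x31", "0x31", "0x31", "0x31" ]},
    "0x0002": {"algid": "0x81", "key": [ "0x12", "0x34", "0x56", "0x78", "0x90", "0xAB", "0xCD", "0xEF" ]}
}"""


def _reject_duplicates(pairs):
    """json object_pairs_hook: plain json.loads would silently keep the last duplicate id."""
    out = {}
    for k, v in pairs:
        if k in out:
            raise ValueError(f"duplicate key id {k} in keys.json")
        out[k] = v
    return out


def load_keys(text: str) -> Tuple[Dict[int, Tuple[int, bytes]], List[str]]:
    """Parse keys.json text into {keyid: (algid, key_bytes)}; return it with warnings."""
    raw = json.loads(text, object_pairs_hook=_reject_duplicates)
    keys: Dict[int, Tuple[int, bytes]] = {}
    warnings: List[str] = []
    for keyid_s, entry in raw.items():
        keyid = int(keyid_s, 16)
        if not 0 <= keyid <= 0xFFFF:  # the P25 key id is a 16-bit field
            raise ValueError(f"{keyid_s}: key id is not a 16-bit value")
        algid = int(entry["algid"], 16)
        if algid not in ALGID_KEY_LEN:
            raise ValueError(f"{keyid_s}: unknown algid {entry['algid']}")
        name, want = ALGID_KEY_LEN[algid]
        key = bytes(int(b, 16) for b in entry["key"])  # "0x70" -> 0x70; >0xff raises
        if len(key) != want:
            raise ValueError(f"{keyid_s}: {name} needs {want} key bytes, got {len(key)}")
        if len(set(key)) == 1:
            warnings.append(f"{keyid_s}: key is one repeated byte ({key[0]:#04x}); placeholder?")
        keys[keyid] = (algid, key)
    return keys, warnings


def keys_file_problem(text: str) -> Optional[str]:
    """Return the validation error for a keys.json text, or None if it loads cleanly."""
    try:
        load_keys(text)
    except (ValueError, KeyError, TypeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    loaded, warns = load_keys(SAMPLE_KEYS_JSON)
    for kid, (alg, kb) in loaded.items():
        print(f"keyid {kid:#06x} algid {alg:#04x} {ALGID_KEY_LEN[alg][0]} key {kb.hex()}")
    for w in warns:
        print("WARNING:", w)
```

The duplicate-id check is the one most worth keeping: json.loads keeps the last of two identical ids without complaint, so a stale entry left above a new one would quietly win.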
 