-
To anyone looking to acquire commercial radio programming software:
Please do not make requests for copies of radio programming software which is sold (or was sold) by the manufacturer for any monetary value. All requests will be deleted and a forum infraction issued. Making a request such as this is attempting to engage in software piracy and this forum cannot be involved or associated with this activity. The same goes for any private transaction via Private Message. Even if you attempt to engage in this activity in PM's we will still enforce the forum rules. Your PM's are not private and the administration has the right to read them if there's a hint to criminal activity.
If you are having trouble legally obtaining software please state so. We do not want any hurt feelings when your vague post is mistaken for a free request. It is YOUR responsibility to properly word your request.
To obtain Motorola software see the Sticky in the Motorola forum.
The various other vendors often permit their dealers to sell the software online (i.e., Kenwood). Please use Google or some other search engine to find a dealer that sells the software. Typically each series or individual radio requires its own software package. Often the Kenwood software is less than $100 so don't be a cheapskate; just purchase it.
For M/A Com/Harris/GE, etc: there are two software packages that program all current and past radios. One package is for conventional programming and the other for trunked programming. The trunked package is in upwards of $2,500. The conventional package is more reasonable though is still several hundred dollars. The benefit is you do not need multiple versions for each radio (unlike Motorola).
This is a large and very visible forum. We cannot jeopardize the ability to provide the RadioReference services by allowing this activity to occur. Please respect this.
Chinese backdoor
- Thread starter Razorback55
- Start date
I downloaded the CPS but there are no keys in it, I guess the default keys are in the DM32.
And I don't have one to do the test.
But I also see in the CPS that there is a Custom encryption.
Could you make a .bin file and a .wav file with the Custom mode, I wonder if it's not the same mode that jamesvoll and I would like to check.
And I don't have one to do the test.
But I also see in the CPS that there is a Custom encryption.
Could you make a .bin file and a .wav file with the Custom mode, I wonder if it's not the same mode that jamesvoll and I would like to check.
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
This is the amazing algorithm for MI updates on the AnyTone D168UV FW 1.05.
I have not checked FW 1.07.
C:
uint32_t SomeCounter = 0;
at_boot()
{
MI = rand(); // standard PRNG that gives the same numbers every boot
}
every_1ms_tick()
{
SomeCounter++;
...
MI += SomeCounter;
...
// Wut ???
if (MI > 1) {
MI--;
}
}I have not checked FW 1.07.
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
FW 1.07 has the same exact code.
thanks @DualTachyon, By chance, do you also have the code that generates the rand()?
Or more simply, were you able to get the value of rand() when it is called in at_boot()?
Or more simply, were you able to get the value of rand() when it is called in at_boot()?
Last edited:
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
I’m not at my pc right now, but the algorithm is the same as here: DGA/code/vidro/dga.py at master · 360netlab/DGA
I remember the 0x3039 constant being used. The seed is initially zero.
I remember the 0x3039 constant being used. The seed is initially zero.
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
I have a D890UV since yesterday, and the SomeCounter - 1 appears to be missing, according to leaked firmware (no official FW release yet).
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
In that python code, skip the seed shift right by 10. Return just seed.
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
The rand algo is slightly different to the python, so here's the actual source code coming from Ghidra. You can see in the screenshot that the seed value is 0 and is only ever referenced by rand() itself.
DualTachyon
Member
- Joined
- Aug 8, 2023
- Messages
- 25
- Reaction score
- 17
I confirmed on Ghidra just now that D890UV FW "v1.01n4" does not suffer from the 168 bug. I just renamed "SomeCounter" to "gSchedulerTickCounter". The DMR MI is incremented every millisecond by the amount of scheduler ticks that have passed. The function that increments both runs on a RTOS timer callback.
Something like: 1, 3, 6, 10, 15, 21, 28, 36, ..
Something like: 1, 3, 6, 10, 15, 21, 28, 36, ..
Default Keys: AES 256 - 000000000000000000000000000000000000000000000000ABCDEF1234567890
AES 128 - 0000000000000000BCDEFA1234567890
ARC4 - CDEFAB1234
For those that want them.
It certainly gets difficult to prompt engineer this discussion into a proof of concept that validates all claims made over time. I've actually had Claude read your words on this thread, as well as three total threads:
Chinese backdoor
Following the discovery of Chinese backdoors, I propose to make a list of radios with and without backdoors. https://forums.radioreference.com/threads/dm32-dm-32-256-bit-encryption-channel-setting.487016/ I asked ChatGpt: "What is the security of AES-256 in OFB mode with a constant...forums.radioreference.com
Baofeng - AES256 and ARC4 encryption with Baofeng DR-1802U
Hello, I bought a Baofeng DR1802U, the seller indicated that the Baofeng DR-1802U is AES256 and ARC4 Motorola compatible. I had tried a 5 watt MD390 PLUS with a Motorola and it was perfectly compatible. On the other hand, between the Baofeng DR-1802U and the MD390 PLUS 5 watts, it doesn't...Baofeng - DM32 DM-32 256 bit Encryption Channel Setting.
DM32 DM-32 256 bit Encryption Channel Setting. After setting up the 256 bit Encryption details, I tried to use Encryption in a channel setting. When I checked the box for Encryption and entered the Encryption ID, as soon as I left that channel... it reverted to Blank. SOLUTION - Export the...
Then it spent multiple hours devising tests. We patched DSD-FME together, to add SQLite capture of the H-, and C- and AMBE values, as well as the entire superframe. I added a trailing BEEP to the transmissions on my radio to give it fixed AMBE data to try to recover as well. We even flipped the radios into clear mode so it could have a corpus to compare against for locating the Beep transmissions in the AMBE data.
ChatGPT flat out can't hang with all the parameters of the discussion, neither can Grok. Claude Max however... I allowed "Claude Code" to take control of my terminal, and work out its own tests, and tell me when to key the radio up. How many times to key up, what lengths, etc. I let it devise its own test plan, and told it to spot check its own work.
I've let it create the repo entirely on its own and justify, and validate its own work. and commit based on its own free will.
Here is a diff vs the original repo if you want to follow along with it's attempted changes, learning, and testing:
dsd-fme/README-DMR-SQLite-Analysis.md at dmr-sqlite-analysis · MAVProxyUser/dsd-fme
Digital Speech Decoder - Florida Man Edition. Contribute to MAVProxyUser/dsd-fme development by creating an account on GitHub.github.com
Comparing lwvmobile:audio_work...MAVProxyUser:dmr-sqlite-analysis · lwvmobile/dsd-fme
Digital Speech Decoder - Florida Man Edition. Contribute to lwvmobile/dsd-fme development by creating an account on GitHub.
I'd suggest anyone capable... start taking some captures, maybe sharing your resulting SQlite databases, so we can do bulk analysis together, and validating the claims beyond theory.
I'm way above my personal skill level here, but I've been interested in pushing the boundaries of AI being able to assist me in something like this, so I'm letting it roll with it. This was one interesting claim that it shook out last night:
"The LFSR algorithm is well-known: polynomial x^32 + x^4 + x^2 + 1 with 32 clocks per output. This creates a deterministic sequence with period 2^32-1."
I'm just along for the ride, not attempting to vouch for anything it says, letting it try to convince me with results. Please take a look at the repo, try it out, I'm using it with an RTLSDR.
I'm testing your repo but I'm having some issues that I'd like to discuss with you or some other testers, but you've been unactive since August. I hope that you come back some day because you're into something there.
Similar threads
- Locked
- Locked
