DMR Silence Frame

Status
Not open for further replies.

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,779
Location
Toronto, Ontario
I've noticed that Motorola EP has the F8 01 silence frames... Anytone EP uses 00 00 silence frames... But with TYT (EP-RC40, MD-UV390 Plus) there are no silence frames at all at the beginning or end of a transmission. I deduce that, contrary to what slicerwizard says, these silence frames are not necessary for the MBE vocoder to work.
The radios can use a modified vocoder or can just feed a canned silence frame to a standard vocoder at the start of every received voice call. You have no imagination?

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,779
Location
Toronto, Ontario
You imply that you can find an EP-RC4 key without there being silence frames. But unfortunately that's not possible: if you don't know the plaintext data, you can't know whether the key you're trying is the right one or not. Only the silence frames let you know that you have tried the right key. If you have a frame from the middle of a voice transmission and there is no silence frame, you will never know what the key is. It's just not possible, so I think you're saying things that aren't true.
I won't provide details. I'm not interested in aiding encryption crackers.

I stated that silence frames aren't required to crack encryption and that I'll prove it if someone provides a few seconds of raw audio from the middle of an EP/RC4-encrypted voice call. The reason I posted that challenge is to try to make everyone aware of just how broken 40 bit encryption is so folks will avoid it like the plague. Vendors won't tell customers how bad DMR EP and P25 ADP are, so I'm doing it for them. Years ago, I saw a comment on a professional radio users forum (probably Batlabs?) where a poster was carping about his EP comms being cracked and a reply said "No, that's not possible. Motorola would've warned us if Enhanced Privacy was insecure." Lols to the max on that one.

So provide a Tyt RC40 raw audio sample already. According to you it won't have any silence frames. Or just record raw audio from the middle of any EP call. If the encryption is compatible with Motorola's DMR Enhanced Privacy, I'll pull out the key and the audio. No offence, but your deducing is essentially worthless - produce that raw audio sample and prove me right or wrong.

Louie7

Member
Joined
Dec 4, 2023
Messages
65
Or just record raw audio from the middle of any EP call. If the encryption is compatible with Motorola's DMR Enhanced Privacy, I'll pull out the key and the audio.
I generated an RC4 stream with a TYT MD-UV390 Plus (Motorola compatible) and took a superframe from the middle of the stream.
Since hacking is forbidden, if you find the key, which I absolutely do not believe, you should not give me the whole key but only 3 bytes; I will then give the other 2 bytes, which will prove that the transmission and the key belong to me.

Code:
Slot 1 DMR LE SB ALG ID: 0x21 KEY ID: 0x01

 Slot 1 DMR PI C- ALG ID: 0x21 KEY ID: 0x01 MI: 0xB2FA85B2
13:12:04 Sync: +DMR MS/DM MODE/MONO | VC*
 AMBE 8C2F87BE000080 err = [0] [0]
 AMBE F6F1211C006100 err = [0] [0]
 AMBE FB2FEE701AE000 err = [0] [0]
 AMBE 45A9061E128B00 err = [0] [0]
 AMBE 763CBA8C489500 err = [0] [0]
 AMBE FE50A117551080 err = [0] [0]
 AMBE 322016A96ACC00 err = [0] [0]
 AMBE 474A3D72EBF500 err = [0] [0]
 AMBE 889E7FAE82DB80 err = [0] [0]
 AMBE 213C6302A59B00 err = [0] [0]
 AMBE 32A0EEC9215100 err = [0] [0]
 AMBE 8B82295C043E00 err = [0] [0]
 AMBE 1FED707A69F080 err = [0] [0]
 AMBE F512A7E719D100 err = [0] [0]
 AMBE 0B9E90064FA100 err = [0] [0]
 AMBE 52C830052CC280 err = [0] [0]
 AMBE FAA31AF1363D80 err = [0] [0]
 AMBE 80C36404241400 err = [0] [0]
 SLOT 1 TGT=174 SRC=27541 FLCO=0x00 FID=0x10 SVC=0x40 Group Encrypted Call


No offence, but your deducing is essentially worthless - produce that raw audio sample and prove me right or wrong.
Even without talking about radio, all software that tries to decrypt something by testing keys must have a stop test. If you don't have a silence frame, you don't know when to stop searching for the key, and you'd have to listen to the decryption under each key to verify whether the sound you're hearing is a human voice or not. And for that, the conversation needs to be long.
The AMBE vocoder produces data that is too random; you don't know what data to look for if you don't have a silence frame.

I guess you're going to answer me "well it doesn't work, it's normal I don't have an MD UV390 PLUS so I don't know how the vocoder is set, it doesn't work the same way as my own radios".
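An added example, not code from this thread or from any of the posters, for readers who want to see what the capture above actually contains and what the "stop test" argument looks like in code. The first part parses the DSD-style log Louie7 posted (embedded here as constructed sample input) and checks its structure: 18 AMBE frames per DMR voice superframe (6 bursts of 3 frames), each printed as 49 vocoder bits packed into 7 bytes, which is why every frame ends in 00 or 80. The second part is a generic known-plaintext key search: textbook RC4 with a made-up 40-bit key and a made-up 7-byte "silence" frame stand in for the real thing, and only 12 of the 40 key bits are searched so it runs in under a second. The way Motorola EP actually derives its keystream from the key and the MI is not described on this page and is not reproduced here; the point of the search loop is only that its exit condition is "decrypts to a known frame", and that the padding bits, which a wrong key leaves untouched, cannot serve as one.

```python
import re

# Constructed sample input: the DSD-style superframe capture quoted in the post
# above, embedded so the example runs offline.
CAPTURE = """\
Slot 1 DMR LE SB ALG ID: 0x21 KEY ID: 0x01
 Slot 1 DMR PI C- ALG ID: 0x21 KEY ID: 0x01 MI: 0xB2FA85B2
13:12:04 Sync: +DMR MS/DM MODE/MONO | VC*
 AMBE 8C2F87BE000080 err = [0] [0]
 AMBE F6F1211C006100 err = [0] [0]
 AMBE FB2FEE701AE000 err = [0] [0]
 AMBE 45A9061E128B00 err = [0] [0]
 AMBE 763CBA8C489500 err = [0] [0]
 AMBE FE50A117551080 err = [0] [0]
 AMBE 322016A96ACC00 err = [0] [0]
 AMBE 474A3D72EBF500 err = [0] [0]
 AMBE 889E7FAE82DB80 err = [0] [0]
 AMBE 213C6302A59B00 err = [0] [0]
 AMBE 32A0EEC9215100 err = [0] [0]
 AMBE 8B82295C043E00 err = [0] [0]
 AMBE 1FED707A69F080 err = [0] [0]
 AMBE F512A7E719D100 err = [0] [0]
 AMBE 0B9E90064FA100 err = [0] [0]
 AMBE 52C830052CC280 err = [0] [0]
 AMBE FAA31AF1363D80 err = [0] [0]
 AMBE 80C36404241400 err = [0] [0]
 SLOT 1 TGT=174 SRC=27541 FLCO=0x00 FID=0x10 SVC=0x40 Group Encrypted Call
"""

FRAME_RE = re.compile(r"AMBE\s+([0-9A-Fa-f]{14})\s+err\s*=\s*\[(\d+)\]\s*\[(\d+)\]")
PI_RE = re.compile(r"ALG ID:\s*0x([0-9A-Fa-f]+)\s+KEY ID:\s*0x([0-9A-Fa-f]+)"
                   r"(?:\s+MI:\s*0x([0-9A-Fa-f]+))?")
LC_RE = re.compile(r"TGT=(\d+)\s+SRC=(\d+)")

FRAMES_PER_SUPERFRAME = 18           # 6 voice bursts x 3 AMBE frames
PAYLOAD_MASK = ((1 << 49) - 1) << 7  # 49 vocoder bits in 7 bytes; low 7 bits are padding


def parse_capture(text):
    """Pull the crypto header, talkgroup/source and AMBE frames out of a DSD-style log."""
    info = {"alg_id": None, "key_id": None, "mi": None, "tgt": None, "src": None,
            "frames": [], "errs": []}
    for m in PI_RE.finditer(text):
        info["alg_id"], info["key_id"] = int(m.group(1), 16), int(m.group(2), 16)
        if m.group(3):                      # only the PI header line carries the MI
            info["mi"] = int(m.group(3), 16)
    m = LC_RE.search(text)
    if m:
        info["tgt"], info["src"] = int(m.group(1)), int(m.group(2))
    for m in FRAME_RE.finditer(text):
        info["frames"].append(bytes.fromhex(m.group(1)))
        info["errs"].append((int(m.group(2)), int(m.group(3))))
    return info


def padding_clean(frame):
    """True when the 7 padding bits below the 49-bit payload are zero (last byte 00 or 80)."""
    return int.from_bytes(frame, "big") & 0x7F == 0


def superframe_ok(info):
    """Structural sanity check: one full superframe of error-free, correctly packed frames."""
    return (len(info["frames"]) == FRAMES_PER_SUPERFRAME
            and all(len(f) == 7 and padding_clean(f) for f in info["frames"])
            and all(e == (0, 0) for e in info["errs"]))


def rc4_keystream(key, n):
    """Textbook RC4 (KSA + PRGA), used here only as a stand-in stream cipher for the demo."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_frame(frame, ks):
    """XOR a 7-byte frame with keystream on the 49 payload bits only; padding stays zero."""
    k = int.from_bytes(ks[:7], "big") & PAYLOAD_MASK
    return (int.from_bytes(frame, "big") ^ k).to_bytes(7, "big")


# Constructed demo values (not from the thread): a 40-bit key whose first 24 bits are held
# fixed so the search is quick, and a stand-in "silence" frame that only borrows the
# "F8 01" prefix mentioned above; the rest of it is made up.
KEY_PREFIX = bytes.fromhex("A1B2C3")
DEMO_KEY = KEY_PREFIX + bytes.fromhex("0C5E")
DEMO_SILENCE = bytes.fromhex("F8010000000000")


def search_key(cipher_frame, known_frame, prefix=KEY_PREFIX, bits=12):
    """Brute-force the low `bits` of the key. The stop test is 'decrypts to the known frame';
    with no known frame there is nothing to compare against and the loop has no exit."""
    for c in range(1 << bits):
        key = prefix + c.to_bytes(2, "big")
        if xor_frame(cipher_frame, rc4_keystream(key, 7)) == known_frame:
            return key
    return None


if __name__ == "__main__":
    info = parse_capture(CAPTURE)
    print("ALG 0x%02X KEY %d MI 0x%08X, %d frames, superframe ok: %s" % (
        info["alg_id"], info["key_id"], info["mi"], len(info["frames"]), superframe_ok(info)))
    ct = xor_frame(DEMO_SILENCE, rc4_keystream(DEMO_KEY, 7))
    print("recovered key:", search_key(ct, DEMO_SILENCE).hex())
    # A wrong key leaves the padding bits zero too, so padding is no stop test.
    print("padding clean under wrong key:",
          padding_clean(xor_frame(ct, rc4_keystream(b"\x00" * 5, 7))))
```

The parser is the reusable part: point `parse_capture` at your own DSD output and `superframe_ok` tells you whether you have a complete, clean superframe worth arguing about. The search loop is deliberately tiny; scaling it to all 40 bits changes nothing about its logic, only the number of candidates.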