DMR Silence Frame

Status
Not open for further replies.

EI9BAB

Member
Joined
Sep 3, 2021
Messages
63
Is there a reason why Motorola and other manufacturers add silence frames in the beginning of every transmission?
And also why isn't it the case with base radios (using TBROnet solutions i.e.)?
I don't think they necessarily insert them in - they just happen. I guess that after you press PTT there may be a gap between transmission and when audio processing kicks in or it may just be naturally quieter as people press the button and before they start talking. You will often see silence frames mid-conversation when people are not speaking. It's just the way the vocoder works.
Also, I think in some scenarios that the last superframes can get padded out with silence at the end if they are a few sub-frames short.

(However, I'm sure that some conspiracy theorists might conclude that they are added in on purpose to make it easier for state agencies to decrypt them.)
 

ki4hyf

Ridin' Dirty
Premium Subscriber
Joined
Mar 2, 2005
Messages
248
Location
Jackson, TN
I don't think they necessarily insert them in - they just happen.
I'm pretty sure it's on purpose. I do like your sense of humor.

(However, I'm sure that some conspiracy theorists might conclude that they are added in on purpose to make it easier for state agencies to decrypt them.)
Yes. Yes, it does...
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,955
I have some P25 Harris radios (p7200's and xg-75p's) and I noticed they do not send typical silence frames other than most frames beginning with an "18".

If I go into the FCC menu and select P25 SIL, then they do send the frames (04 0c fd 7b...)

Not sure why this is.
 

jimmy9999

Member
Joined
Oct 10, 2023
Messages
39
It does actually seem that the Hytera silence frame is the same as the Motorola one. (Many thanks to Noah for supplying me with a sample file to determine this.)

Have you been able to test silence frames with and without encryption? I've heard that silence frames are present in Motorola without encryption or with basic encryption but that they are not present in ARC4 and AES, is it true or not?
 

nokoa3116

Member
Joined
Jan 12, 2017
Messages
165
Have you been able to test silence frames with and without encryption? I've heard that silence frames are present in Motorola without encryption or with basic encryption but that they are not present in ARC4 and AES, is it true or not?
The purpose of silent frames is to pad a superframe if the transmission ends before the superframe ends. Or at the beginning of the transmission while the microphone is muted. I believe NXDN documents say that those frames are added whenever the input sound is less than -90 dB. I have however noticed that some manufacturers, and versions of the vocoder yield different silent frames. I have seen newer versions where the silent frames are not static.

Encryption and without should be very similar. However with DMR, ARC4 and AES, frames will contain the encryption IV; it will substitute the least significant bytes of the frame with parts of the IV. So the silent frames will also look just a bit different.
 

EI9BAB

Member
Joined
Sep 3, 2021
Messages
63
Have you been able to test silence frames with and without encryption? I've heard that silence frames are present in Motorola without encryption or with basic encryption but that they are not present in ARC4 and AES, is it true or not?
In what I have seen, the silence frame exists in both unencrypted and encrypted comms. Obviously for encrypted comms the silence frame is XORed against the current keystream (generated from the key and the IV) and so the resulting encrypted subframe will be different in every transmission even though the underlying cleartext silence frame value is still the same value (as above). I've observed this in EP/RC4 and I believe the same holds true for AES256.
 

jimmy9999

Member
Joined
Oct 10, 2023
Messages
39
In what I have seen, the silence frame exists in both unencrypted and encrypted comms. Obviously for encrypted comms the silence frame is XORed against the current keystream (generated from the key and the IV) and so the resulting encrypted subframe will be different in every transmission even though the underlying cleartext silence frame value is still the same value (as above). I've observed this in EP/RC4 and I believe the same holds true for AES256.
Isn't that a security flaw? At least for ADP and ARC4 40-bit? Because if there are always these silences, it can make an attack to try the 2^40 possible keys and stop as soon as we find patterns of silence frames (even incomplete).
 
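The XOR relationship EI9BAB describes above, and the keyspace question jimmy9999 raises, as an added Python illustration that is not code from any post in this thread or from any radio vendor. It uses a constructed toy keystream (HMAC-SHA256 in counter mode), a constructed silence frame, and constructed key and IV values; it is not the EP/RC4 or AES cipher of any radio. It shows that the same silence frame encrypts to different bytes under each IV, so the constant plaintext is not visible in the ciphertext, and that checking whether a single key guess is right is trivial once a known frame exists, so the protection against the search described above comes entirely from the key length (2^40 versus 2^256).

```python
import hashlib
import hmac

# Constructed 8-byte stand-in for a silence frame. The "F8 01" prefix echoes the
# Motorola EP pattern quoted later in the thread; the remaining bytes are made up.
SILENCE_FRAME = bytes.fromhex("f801000000000000")


def toy_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream: counter-mode HMAC-SHA256 keyed by the call key, fed the IV.

    This is NOT the RC4-based EP cipher or AES-256 used by a real radio; it only
    reproduces the one property the thread relies on, namely that the keystream
    is a deterministic function of (key, IV) and is XORed onto the frame.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, iv: bytes, frame: bytes) -> bytes:
    """Stream-cipher encryption is just frame XOR keystream."""
    return xor_bytes(frame, toy_keystream(key, iv, len(frame)))


def candidate_key_matches(candidate: bytes, iv: bytes, ciphertext: bytes, crib: bytes) -> bool:
    """The known-plaintext check the thread describes, for ONE key guess:
    a guess is right iff decrypting with it reproduces the expected crib.
    The IV travels in the clear, so the only unknown is the key."""
    return xor_bytes(ciphertext, toy_keystream(candidate, iv, len(ciphertext))) == crib


def expected_key_guesses(key_bits: int) -> int:
    """Average number of guesses an exhaustive search needs: half the keyspace."""
    return 2 ** (key_bits - 1)


def demo() -> dict:
    key = bytes.fromhex("0102030405")        # constructed 40-bit key
    wrong_key = bytes.fromhex("0102030406")  # constructed, differs in one bit
    iv_call_1 = bytes.fromhex("00112233")    # constructed per-call IVs
    iv_call_2 = bytes.fromhex("aabbccdd")
    ct_1 = encrypt_frame(key, iv_call_1, SILENCE_FRAME)
    ct_2 = encrypt_frame(key, iv_call_2, SILENCE_FRAME)
    return {
        # Same plaintext, same key, different IV: ciphertext bytes differ.
        "ciphertexts_differ": ct_1 != ct_2,
        # The constant silence pattern never appears in the encrypted stream.
        "silence_visible_in_ct": SILENCE_FRAME in (ct_1, ct_2),
        # One key guess is confirmed or rejected by a single XOR and compare.
        "right_key_passes": candidate_key_matches(key, iv_call_1, ct_1, SILENCE_FRAME),
        "wrong_key_passes": candidate_key_matches(wrong_key, iv_call_1, ct_1, SILENCE_FRAME),
        # What actually separates EP from AES256 in this scenario.
        "guesses_40bit": expected_key_guesses(40),
        "guesses_256bit": expected_key_guesses(256),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway for anyone choosing a radio: a known constant frame does not weaken a cipher by itself; it only removes any doubt about whether a guessed key is correct. Against a 40-bit key that guess can be repeated until it succeeds; against a 256-bit key the same test buys nothing useful.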

EI9BAB

Member
Joined
Sep 3, 2021
Messages
63
Isn't that a security flaw? At least for ADP and ARC4 40-bit? Because if there are always these silences, it can make an attack to try the 2^40 possible keys and stop as soon as we find patterns of silence frames (even incomplete).
Yes. I guess that's why they just call it Enhanced Privacy and charge more for AES256.

Let's presume this is already being done. However, I think we'd better not stray too much into the theoretical methods for doing these things or the mods will be displeased. 😉
 

jimmy9999

Member
Joined
Oct 10, 2023
Messages
39
Yes. I guess that's why they just call it Enhanced Privacy and charge more for AES256.

Let's presume this is already being done. However, I think we'd better not stray too much into the theoretical methods for doing these things or the mods will be displeased. 😉
I'm new, I don't know all the prohibitions.
I thought we didn't have the right to distribute software to break encryption.
Aren't we allowed to discuss possible security flaws in encryption to find out if what we are buying is reliable or not?
 

EI9BAB

Member
Joined
Sep 3, 2021
Messages
63
I'm new, I don't know all the prohibitions.
I thought we didn't have the right to distribute software to break encryption.
Aren't we allowed to discuss possible security flaws in encryption to find out if what we are buying is reliable or not?
I'm not criticising, just a word of caution. Some people get very wound up in here if they think there is a discussion around how encryption works on these radios. I've been slapped down for asking the wrong questions before.

There seems to be two schools of thought. The first is that fully understanding how encryption works and how it could be defeated informs the consumer and is interesting for educational purposes, especially for radio nerds like us. (I think of that as the Lock Picking Lawyer philosophy!)

The second is more conservative and points out that decrypting (rather than decoding) transmissions not intended for you is illegal in many countries, especially the USA, and if you talk about how you might overcome certain encryption then you are promoting illegal activity and might get the forum or even the whole site shut down forever. Plus you will end up with men in black vans pulling up outside your house to take you and all your radio equipment away.

Personally I'm not a big believer in security by obscurity and I have seen discussions about equipment and software that can do these kinds of things on this website and also on YouTube and Reddit and nobody went to jail.

However if it was my forum I would naturally be worried about the "radio police" kicking up a fuss and the safest and easiest thing to do is to ask people to have the conversations elsewhere or close the thread.

I do have a cynical suspicion that many of those who have been doing this for quite a while don't want the knowledge to become widespread in order to avoid "ruining it for everyone" when the agencies all switch to more secure systems as a result. As I live in a country where all emergency government and municipal communications have been heavily encrypted for years I can see the logic of that argument too as it is not much fun...
 

jimmy9999

Member
Joined
Oct 10, 2023
Messages
39
I'm not criticising, just a word of caution. Some people get very wound up in here if they think there is a discussion around how encryption works on these radios. I've been slapped down for asking the wrong questions before.

Thank you for your reply.
Have there been any cases in the U.S. where a forum has been shut down and people have been taken away in black vans? Or is it just a conspiracy theory?
 

EI9BAB

Member
Joined
Sep 3, 2021
Messages
63
I saw some mention of a forum being closed before but I think that is just hearsay. I can't say I've heard of anyone being arrested for attempting to decrypt a radio signal but maybe that is because they were never seen again! :)
 

iscottybotty

Member
Joined
Dec 7, 2016
Messages
55
Location
Birmingham, UK
Does anyone know the Silent Frame for NXDN? Is there one? Or knowledge of how to extract a dPMR & NXDN key?

DM me please, happy to share in exchange methods for BP, HYT 16, 32 & 64 and Moto EP extraction.
 

slicerwizard

Member
Joined
Sep 19, 2002
Messages
7,777
Location
Toronto, Ontario
Hm, I see the usual nonsense is present.

MBE silence (not "silent") frames serve a purpose totally unrelated to encryption (Yes, I see that this has been mentioned); MBE voice frames build on previous frames; senders and receivers maintain similar state machines, so that not all data required to reproduce voice has to be sent in the limited MBE bitstream. Silence frames play a part by providing an initial machine state at the start of calls. It's how DVSI designed their digital voice product and they don't give two chits about encryption. That's a user problem.

And silence frames aren't a significant vulnerability - the TLAs never needed silence frames to crack small-keyspace encryption like DMR EP, P25 ADP or even 56 bit DES. Sure, there is software out there that does depend on silence frames, but that's just how some people roll. If silence frames disappeared tomorrow, I wouldn't even notice.

BTW, IIRC, I haven't seen silence frames used at the start of NXDN 15 bit scrambled calls, probably to prevent a simple xor plus lookup table key crack. Doesn't matter - I hear that various radios have 15 bit scramble cracking built in anyway. Because it's just that easy.
 

Louie7

Member
Joined
Dec 4, 2023
Messages
65
I've noticed that Motorola EP has the F8 01 silence frames... Anytone EP uses silence frames 00 00... But with Tyt (EP-RC40 md uv390 plus) there are no silence frames at all at the beginning or end of communication. I deduce that contrary to what slicerwizard says, these silence frames are not necessary for the MBE vocoder to work.
 

Louie7

Member
Joined
Dec 4, 2023
Messages
65
If silence frames disappeared tomorrow, I wouldn't even notice.
You imply that you can find an EP-RC4 key without there being silence frames. But unfortunately it's not possible, if you don't know the data in plain text you can't know if the key you're trying is the right one or not. Only the silence frames allow you to know if you have tried the right key. If you have a frame in the middle of a voice transmission and there is no silence frame, you will never know what the key is. It's just not possible, so I think you're saying things that aren't true.
 