OP25 RC4 (ADP) decryption

Plutonium94

Member
Joined
Sep 11, 2017
Messages
10
Location
Argentina
Hi everyone! Since I've received many messages asking about the implementation of ADP decryption in OP25 (Boatbod), I decided to post it publicly here. I also received some messages stating that my code didn't work in the latest versions of OP25, therefore it wasn't possible to rebuild the program. This was fixed and it should work correctly now.

So, here is the code. I've only edited three files (one source and two header files).

In order to work, you need to put your ADP key in "p25p1_fdma::adp_keystream_gen()" function (at the end of "p25p1_fdma.cc" file). You just edit "uint8_t adp_key[13] = {0x11, 0x11, 0x11, 0x11, 0x11}" (replace "ones" with your key, obviously in HEX format).

Then, you have to replace the files in their respective directories and rebuild the program. Also, you'll need to edit your launch commands adding "--crypt-behavior 0".

Please let me know if you have any questions.

Have a great day,
Ignacio.

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
ADP decrypt (with known key) has been natively integrated with boatbod op25 now for both phase 1 and phase 2. The keys are configurable and hopefully we'll add more crypt protocols such as DES-OFB soon.

ADP is working pretty well. I know it garbles at the start of a transmission, but I read elsewhere that that was to be expected. Thanks for the additional work you guys have been putting into it.

KG7PBS

Member
Joined
Mar 19, 2015
Messages
599
Location
Sacramento CA
Question: OP25, that's a new scanner, right? So you guys are saying it can now decode ADP encryption? Like, say, Fallon Police ADP? I am sorry, I don't know much about OP25, so be gentle with responses. Thanks.

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
Question: OP25, that's a new scanner, right? So you guys are saying it can now decode ADP encryption? Like, say, Fallon Police ADP? I am sorry, I don't know much about OP25, so be gentle with responses. Thanks.

1. OP25 has been around for ages. It's not a physical scanner device. It's software that can decode all sorts of UNencrypted radio traffic.
2. It can decode lots of things. It can decrypt P25 with ADP -- if and ONLY IF you have the key. If you don't have the key you are SOL

No it's not just going to magically allow you to hear Fallon Police if they are encrypted.

When it comes to encryption/decryption talk, it's nothing to be gentle about.

WX4JCW

Member
Premium Subscriber
Joined
Jun 26, 2006
Messages
3,408
Location
Stow, Ohio
1. OP25 has been around for ages. It's not a physical scanner device. It's software that can decode all sorts of UNencrypted radio traffic.
2. It can decode lots of things. It can decrypt P25 with ADP -- if and ONLY IF you have the key. If you don't have the key you are SOL

No it's not just going to magically allow you to hear Fallon Police if they are encrypted.

When it comes to encryption/decryption talk, it's nothing to be gentle about.
Also remember: if you are not authorized to have the key, it is an absolute felony to monitor encryption, and they do not play with this.

natedawg1604

Member
Premium Subscriber
Joined
Jun 29, 2013
Messages
2,733
Location
Colorado
Also remember: if you are not authorized to have the key, it is an absolute felony to monitor encryption, and they do not play with this.
If someone had an Encryption key they weren't supposed to have, what they did with it afterwards is kinda irrelevant. I've never heard of anyone "stealing" an Encryption key for LMR radios, I'm sure it's happened once or twice.

If it did happen, I would imagine it would be from an insider who was compromising a lot more than ENC keys. Like if the Mafia had a mole in the FBI, compromised ENC keys would probably be the least concerning issue.

Reconrider

Inside the Galaxy
Joined
Sep 26, 2017
Messages
1,915
Location
Radio Galaxy
I haven't used OP25 in a little while, never had a good setup guide but I'll try again at some point.

Say I have access to 2+ talkgroups. Do I use the KeyID to define the encryption key in said file?
Edit to add: what if 1 talkgroup has more than one enc key? Can I define more than 1 encryption key for a KeyID?

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
I haven't used OP25 in a little while, never had a good setup guide but I'll try again at some point.

Say I have access to 2+ talkgroups. Do I use the KeyID to define the encryption key in said file?
Edit to add: what if 1 talkgroup has more than one enc key? Can I define more than 1 encryption key for a KeyID?

Example:

key: 1234567890
keyid: 0x1b50
algid: 0xaa

{
"0x1b50": {"algid": "0xaa", "key": [ "0x12", "0x34", "0x56", "0x78", "0x90" ]},
"0x3131": {"algid": "0xaa", "key": [ "0x31", "0x31", "0x31", "0x31", "0x31" ]}
}

I can't say if defining different keys with the same keyid works or not. But above is an example from the example_keys.json file in the /apps folder.

MTL_Emergencies

Member++
Database Admin
Joined
Sep 6, 2019
Messages
143
Location
Quebec, Canada
Can I define more than 1 encryption key for a KeyID?
I would assume not, because defining a second key for the same key ID will overwrite what was already defined. At the end you'll only have 1 key which is the key last read.
Usually a second key with a different key ID will be used instead of changing the value of the first key.

KE6UVW

Member
Joined
Dec 6, 2021
Messages
8
Location
Santa Paula
Hi everyone! Since I've received many messages asking about the implementation of ADP decryption in OP25 (Boatbod), I decided to post it publicly here. I also received some messages stating that my code didn't work in the latest versions of OP25, therefore it wasn't possible to rebuild the program. This was fixed and it should work correctly now.

So, here is the code. I've only edited three files (one source and two header files).

In order to work, you need to put your ADP key in "p25p1_fdma::adp_keystream_gen()" function (at the end of "p25p1_fdma.cc" file). You just edit "uint8_t adp_key[13] = {0x11, 0x11, 0x11, 0x11, 0x11}" (replace "ones" with your key, obviously in HEX format).

Then, you have to replace the files in their respective directories and rebuild the program. Also, you'll need to edit your launch commands adding "--crypt-behavior 0".

Please let me know if you have any questions.

Have a great day,
Ignacio.
OK, but what about the initialization vector?
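Added example, not the code from the first post and not OP25's own implementation: a stand-alone C version of the keystream side of what the first post's adp_keystream_gen() patch, mtindor's example_keys.json excerpt and the initialization-vector question above are about. ADP (algid 0xAA in the key file) is RC4 with a 40-bit key. What this example assumes, rather than takes from the thread, is that the 13-byte adp_key buffer is the 5 key bytes followed by 8 bytes of the Message Indicator (MI) carried in the P25 encryption sync, and that 256 keystream bytes are discarded before the first voice byte. The key table is copied from the JSON excerpt above; the MI values and the sample payload are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ADP (algid 0xAA) is RC4 with a 40-bit key.  Assumed here, not taken from the
 * thread: the 13-byte buffer is key(5) || MI(8), and 256 bytes are dropped first. */
#define ADP_KEY_LEN 5
#define ADP_MI_LEN  8
#define ADP_ALGID   0xAA
#define ADP_SKIP    256

typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

/* RC4 key-scheduling algorithm (KSA): permute S under the key. */
static void rc4_init(rc4_t *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) st->S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->S[i] + key[i % keylen]);
        uint8_t t = st->S[i]; st->S[i] = st->S[j]; st->S[j] = t;
    }
    st->i = 0; st->j = 0;
}

/* RC4 PRGA: one keystream byte per call. */
static uint8_t rc4_next(rc4_t *st)
{
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* Known-answer test from the public RC4 vectors: RC4("Key") ^ "Plaintext". */
int rc4_selftest(void)
{
    static const uint8_t want[9] = {0xbb,0xf3,0x16,0xe8,0xd9,0x40,0xaf,0x0a,0xd3};
    rc4_t st; rc4_init(&st, (const uint8_t *)"Key", 3);
    for (int n = 0; n < 9; n++)
        if ((uint8_t)("Plaintext"[n] ^ rc4_next(&st)) != want[n]) return 0;
    return 1;
}

/* Per-call ADP state: RC4 keyed with key || MI, then ADP_SKIP bytes dropped. */
static void adp_init(rc4_t *st, const uint8_t *key, const uint8_t *mi)
{
    uint8_t rc4key[ADP_KEY_LEN + ADP_MI_LEN];
    memcpy(rc4key, key, ADP_KEY_LEN);
    memcpy(rc4key + ADP_KEY_LEN, mi, ADP_MI_LEN);
    rc4_init(st, rc4key, sizeof rc4key);
    for (int n = 0; n < ADP_SKIP; n++) (void)rc4_next(st);
    memset(rc4key, 0, sizeof rc4key);            /* scrub key material */
}

/* In-place ADP encrypt/decrypt of a payload starting at keystream offset 0. */
void adp_crypt(const uint8_t *key, const uint8_t *mi, uint8_t *buf, size_t len)
{
    rc4_t st;
    adp_init(&st, key, mi);
    for (size_t n = 0; n < len; n++) buf[n] ^= rc4_next(&st);
    memset(&st, 0, sizeof st);
}

/* Key table in the shape of the example_keys.json excerpt above. */
struct adp_key_entry { uint16_t keyid; uint8_t algid; uint8_t key[ADP_KEY_LEN]; };
static const struct adp_key_entry key_table[] = {
    { 0x1b50, ADP_ALGID, { 0x12, 0x34, 0x56, 0x78, 0x90 } },
    { 0x3131, ADP_ALGID, { 0x31, 0x31, 0x31, 0x31, 0x31 } },
};

/* The encryption sync names (algid, keyid); one key ID selects one key. */
const uint8_t *adp_lookup_key(uint8_t algid, uint16_t keyid)
{
    for (size_t n = 0; n < sizeof key_table / sizeof key_table[0]; n++)
        if (key_table[n].algid == algid && key_table[n].keyid == keyid)
            return key_table[n].key;
    return NULL;                                 /* no key: cannot decrypt */
}

/* Round trip with constructed MIs: right MI restores the data, wrong MI does not. */
int adp_selftest(void)
{
    static const uint8_t mi_a[ADP_MI_LEN] = {0xa1,0xb2,0xc3,0xd4,0xe5,0xf6,0x07,0x18};
    static const uint8_t mi_b[ADP_MI_LEN] = {0xa1,0xb2,0xc3,0xd4,0xe5,0xf6,0x07,0x19};
    const uint8_t *key = adp_lookup_key(ADP_ALGID, 0x1b50);
    uint8_t plain[16], ct[16], bad[16];
    if (key == NULL) return 0;
    memset(plain, 0x5a, sizeof plain); memcpy(ct, plain, sizeof ct); /* constructed */
    adp_crypt(key, mi_a, ct, sizeof ct);         /* encrypt under MI A */
    memcpy(bad, ct, sizeof bad);
    adp_crypt(key, mi_b, bad, sizeof bad);       /* decrypt with the wrong MI */
    adp_crypt(key, mi_a, ct, sizeof ct);         /* decrypt with the right MI */
    return memcmp(ct, plain, sizeof ct) == 0 && memcmp(bad, plain, sizeof bad) != 0;
}

int main(void)
{
    printf("rc4 known-answer test: %s\n", rc4_selftest() ? "ok" : "FAIL");
    printf("adp round trip:        %s\n", adp_selftest() ? "ok" : "FAIL");
    return 0;
}
```

Compile with cc -std=c99 and run; both self-tests print "ok". The round trip is the concrete answer to the initialization-vector question: the key from the key file never changes, the MI does, so the keystream for a call cannot be regenerated from key ID and key alone. The lookup also shows why the key file cannot carry two keys under one key ID: the (algid, keyid) pair from the encryption sync selects exactly one entry, so a second key for the same talkgroup needs its own key ID. On the garble-at-start discussion that follows: P25 Phase 1 repeats MI, ALGID and KID in the LDU2 encryption sync fields, so a decoder that misses the HDU can still resynchronise at the next LDU2.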

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
I had previously read that the garble during decrypt/decode of ADP signals is likely due to the SDR device not being able to switch from the control channel to the voice channel fast enough. Is this still the belief? Or is there a possibility that there is another reason why most transmissions are garbled at the beginning? I'd certainly expect at least some SDR devices to be able to switch to the voice channel fast enough.

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
The garbling is still present on Simplex (direct) channels.

So if you are parked on a single frequency and the SDR software (OP25 in this case) never has to retune the SDR device, you still get the garble? Ok. Well then maybe there is room for improvement. Of course, I don't know jack about coding so I can't complain or improve it. I'll just hope that something could be figured out in the future that would minimize that garbling.

hrh17

Member
Joined
Mar 4, 2015
Messages
147
Location
.
The reason why you're getting the garbled transmissions at the start is probably that the SDR is not fast enough to lock onto the signal and you're missing the initial HDU MI.

mtindor

OH/WV DB Admin
Database Admin
Joined
Dec 5, 2006
Messages
10,933
Location
Carroll Co OH / EN90LN
The reason why you're getting the garbled transmissions at the start is probably that the SDR is not fast enough to lock onto the signal and you're missing the initial HDU MI.

So it's an issue with latency within OP25? (And no I'm not picking on OP25 - It's just that it is the only software I'm aware of that you can do this with.) I mean if you are parked on one frequency and one frequency only, the only thing left to do is detect the sync / identify the type and start decoding. I guess that CPU resources could have something to do with that. Wonder if using an actual desktop computer vs a PI4 would make any difference. I'm not planning on testing that out though, since it would be a pain to go through the trouble to test it and then find out it didn't help. The PI4 doesn't seem overloaded. There is nothing going on 99% of the time, and it's only decoding one talkgroup at a time.

I'm using rx.py. Do you know if multi_rx.py is any more efficient?

boatbod

Member
Joined
Mar 3, 2007
Messages
3,409
Location
Talbot Co, MD
So it's an issue with latency within OP25? (And no I'm not picking on OP25 - It's just that it is the only software I'm aware of that you can do this with.) I mean if you are parked on one frequency and one frequency only, the only thing left to do is detect the sync / identify the type and start decoding. I guess that CPU resources could have something to do with that. Wonder if using an actual desktop computer vs a PI4 would make any difference. I'm not planning on testing that out though, since it would be a pain to go through the trouble to test it and then find out it didn't help. The PI4 doesn't seem overloaded. There is nothing going on 99% of the time, and it's only decoding one talkgroup at a time.

I'm using rx.py. Do you know if multi_rx.py is any more efficient?
It's not CPU, it's end-to-end latency, primarily from the demodulator chain. Every "tap" in a digital FIR filter is a 1-sample delay, so daisy-chaining the series of filters required for down-sampling/channel selection and low-pass filtering of the result adds to latency. There is also the lock time of the Gardner and Costas timing and phase stabilizing algorithms, and lastly the interval between sync sequences, all of which have to line up properly for a full frame to be received and sync established.

Empirically I've seen sync established in as little as 200 msec when the SDR doesn't have to hardware tune (i.e. a relative shift), but if hardware tuning is involved, it's usually 500-700 msec for sync establishment.