TRX-2: TRX-2 CPU firmware decryptor

Status
Not open for further replies.

EricCottrell (Member, Database Admin; joined Nov 8, 2002; 2,293 messages; Boston, Ma)
Hello,

Interesting. I used a method that broke it down into more than one xor calculation so the key table is only 256 words. The same key table can be used for other scanner models with a simple adjustment.

73 Eric
 

n3617400 (Member; joined Jun 28, 2013; 216 messages)
I have seen the sources of your gretools, which suggested that such methods exist, but I didn't have time to find them.
 

n3617400 (Member; joined Jun 28, 2013; 216 messages)
> Interesting. I used a method that broke it down into more than one xor calculation so the key table is only 256 words. The same key table can be used for other scanner models with a simple adjustment.

Trim the key to 512 bytes and rewrite the decrypt method.
Thanks for the hint.
 

EricCottrell (Member, Database Admin; joined Nov 8, 2002; 2,293 messages; Boston, Ma)

> So what is this for?

Hello,

For people who understand software, and have the right tools, it allows looking at the code that controls the scanner and understand how the scanner works. This obfuscation may be done to meet the FCC requirement that scanners cannot be easily modified to receive cellular.

73 Eric
 

EricCottrell (Member, Database Admin; joined Nov 8, 2002; 2,293 messages; Boston, Ma)

> I have seen the sources of your gretools, which suggested that such methods exist, but I didn't have time to find them.

Hello,

The method I used made it simpler to transcode firmware as all I had to do was calculate the xor difference between the two tables rather than completely decoding and encoding. Although I would have noticed the pattern repeating after 512 bytes.

The two bytes after the size (the first two obfuscated bytes) are a CRC-16 of the rest of the unobfuscated file. The bytes after the CRC are a straight binary image loaded at the base of the CPU flash memory. The bootloader jumps to the base of flash memory to run the app, and this location has another 2 byte jump instruction into the code. The byte following the jump instruction is the firmware version encoded as two nibbles in the byte. This is followed by a version text string.

The CRC-16 value is calculated using the ITU-T V.41 polynomial (x^16 + x^12 + x^15 + 1). HxD has a neat Custom CRC feature that allows specifying the polynomial, which I used to check. The table generated to implement a table-based calculation of this CRC-16 is also used as part of the code obfuscation. Since a 512 byte repeat pattern is a little short, this is lengthened out to the longer pattern.

I noticed a couple of early GRE models used the same obfuscation, and that seemed to change when a Canadian version of firmware was released for the PSR-500/600. I suspect this was done to prevent the unblocked Canadian firmware from being loaded into the US model. It also prevents users from loading the wrong firmware. The CRC will not match if the wrong deobfuscation is used by the bootloader.

73 Eric
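As an added example (not code from this thread or from gretools), the following checks the [size][CRC-16][image] layout Eric describes using a table-driven CRC-16 with the V.41 polynomial 0x1021, and reads the version nibbles and version string that follow the 2-byte jump at the base of the image. The size-field width (4 bytes, big-endian), the CRC initial value (0x0000, no reflection), and the NUL-terminated version string are assumptions, not details stated in the post.

```python
# Added example, not the thread's or gretools' code. Layout assumed:
#   [4-byte BE size of everything after it][2-byte BE CRC-16][binary image]
# CRC-16: poly x^16 + x^15 + x^12 + 1 (0x1021), init 0x0000, no reflection
# (assumed; the post names only the polynomial).
import struct

POLY = 0x1021


def make_crc16_table(poly=POLY):
    """256-entry table for byte-at-a-time CRC-16 (the table the post refers to)."""
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


CRC16_TABLE = make_crc16_table()


def crc16(data, init=0x0000):
    """Table-driven CRC-16 over data, MSB-first."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ CRC16_TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc


def build_image(payload):
    """Assemble size + CRC + payload; the CRC covers only the payload."""
    body = struct.pack(">H", crc16(payload)) + payload
    return struct.pack(">I", len(body)) + body


def check_image(blob):
    """Return (crc_matches, stored_crc, computed_crc) for a deobfuscated blob."""
    size, stored = struct.unpack(">IH", blob[:6])
    payload = blob[6:6 + size - 2]
    computed = crc16(payload)
    return stored == computed, stored, computed


def app_version(payload):
    """Skip the 2-byte jump; version byte is two nibbles, then a NUL-terminated string (assumed)."""
    ver = payload[2]
    text = payload[3:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return f"{ver >> 4}.{ver & 0xF}", text


# Constructed sample: fake 2-byte jump, version 1.1, version text, then filler.
SAMPLE_IMAGE = build_image(b"\x00\x00" + bytes([0x11]) + b"V1.1\x00" + b"\xff" * 16)
```

A stored CRC that fails this check is the symptom Eric mentions when the wrong deobfuscation table is applied, so it is a useful first sanity test on any decoded file.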
 

scotttish (Member, Premium Subscriber; joined Nov 14, 2011; 87 messages; Little Rock, AR)
Very interesting! I hope that you all will keep exploring this stuff! Everything is entirely too regulated and someone should sort it out! Thanks!!
 

n3617400 (Member; joined Jun 28, 2013; 216 messages)

> The CRC-16 value is calculated using the ITU-T V.41 polynomial (x^16 + x^12 + x^15 + 1)

Big thanks for your comment.

I found the 512-byte key for the TRX-1 and checked both CPU FWs for CRC16. Passed.

A lot of people in my country are interested in Whistler scanners but are discouraged by the wrong frequency plan. I want to correct this misunderstanding.
 

qlink (Newbie; joined Jan 25, 2017; 3 messages; Poland)

What options does decrypted firmware give us? Would it be possible to change the language or the step in search mode and compile it again? I have the same problem with the bandplan in my country (I'm not able to use my TRX-1 fully). Your post sounds like hope :)
 

EricCottrell (Member, Database Admin; joined Nov 8, 2002; 2,293 messages; Boston, Ma)
Hello,

You would first need to recover the source code before you can change and compile it again. While there are tools to convert the binary to assembly source code, it is not complete and needs a good amount of manual editing. The tools tend to do a poor job figuring out data versus code.

It is easier to change limits and steps as it may be limited to a data table that can be patched. The major problem is figuring out where the data is located, the data format, and what changes are needed. The CRC-16 needs to be calculated and the image file obfuscated. You can run into problems with distributing copyrighted code if you want to share it.

Either way it is a lot of work.

73 Eric
 

Machria (Member, Premium Subscriber; joined Apr 24, 2014; 373 messages; Long Island, NY)
Wow, you guys just reminded me of why I "retired" from programming many years ago!!! Thanks for that!! ;)

And, nice hacking! ;)

I never understood the 800 block for the US, most if not all the 800 cell traffic today is encrypted or spread out anyway, no?
 

genealle (Member; joined Nov 4, 2006; 52 messages)
If you KNOW the key and the key is not changed OTA, is there software that will decrypt?
 