Tytera MD-380 Enhanced Privacy Recordings

[RayAir]

The behaviour when you listen a MD380 with BP on another radio without BP or DSD+ depends on the used key (try 0xFFFF and you will see) because it depends on the (garbage) bitstream delivered to the vocoder. This happens because MD380 does not indicates that is using encryption, so voice can't be muted at the receiver. Didn't test with EP.

Through repeater, both BP and EP works, i think is a Motorola repeater, but not 100% sure right now.

Thanks. I'll try that key out tonight.

 

[sycho]

Is it possible to set a button to enable encryption in digital format when pressed then pressing button turning it off and going back to normal analog comms like motorola p25 capable equipment?

You can turn encryption on and off with the programmable side buttons, but you can not switch between analog and digital.

 

[RayAir]

A quirk with the 380, if you have it set to Enhanced and you hit it with basic, you will lose the Enhanced and have to write it back in.

 

[RayAir]

Ran about 10 TRBO BP codes through 2 CS700's with 32 different 16 bit scramble codes and results were inconclusive.

A couple results showed they may be similar scrambling schemes. Maybe not interoperable though.

The FFFF key had the most affect on TRBO BP, results varying.

Also got the TRBO radio set to BP to decode a couple CS 700 BP keys with somewhat degraded voice. Tried those CS 700 BP keys against DSD and another radio with no key and got no results.

I would like to see a TRBO BP key get decoded by a CS 700 BP key.

 

[sycho]

TRBO and TYT BP looks similar, but it looks like TRBO keystream is initialized every DMR frame, while TYT initializes for every voice frame, that would definitely break compatibility.

It's normal that some keys are weaker than others in terms of speech scrambling, as it depends on the keystream xor'ing voice bits. Some bits are more important than others, some are protected by Golay FEC.

Maybe 0000 key generates a keystream with a low count of ones, so voice frames are not heavily modified and speech is more or less preserved.

0002 and 0008 keys generate very similar keystreams, starting with 10 zeros. 0004 generates 11 zeros before the first one. Long runs of zeros means that a long run of voice bits will be unmodified after xor'ing, and after bit interleaving and fec, it could still be able to recover a lot of valid information for the AMBE vocoder.

 

[7312345]

China produced DMR radios have two kinds of vocoder SELP AMBE and are not compatible and can not talk, but if it can publicize and Motorola calls it must be AMBE

 

[johnls7424]

China produced DMR radios have two kinds of vocoder SELP AMBE and are not compatible and can not talk, but if it can publicize and Motorola calls it must be AMBE

For all purposes here the Tytera MD280 and 380 series both contain the DMR AMBE 2 vocoder. Which by American standards for compatibility under the DMR association.

 

[RayAir]

Ran some MD380 BP and EP over an XPR8400 repeater earlier today and the results were good. Other radios in the field reported good decodes.

I used "FFFF" for BP and a random 128-bit key for EP.
The EP voice quality over the repeater may be slightly less quality than when using BP.

I made some recordings and the difference was not too noticeable.

 

[7312345]

We need decryption software！

 

[johnls7424]

We need decryption software！

(1) watch saying that. Gaurenteed to piss off a moderator for sure (2) lets all stay on topic (3) Encryption is there for a reason. Making and marketing decryption software is against the laws of this country.

 

[RayAir]

TYT basic privacy is not like Moto EP. Moto EP is 40bit RC4 with IV. TYT enhaced is meant to be AES-128, standard or not.

TYT BP does not use IV, and 0xFFFF key just inverts voice frame bits. It looks like Moto BP, which is, based on the little information published, a 8bit key and 16bit LFSR.
If LFSR feedback in Moto and TYT is the same, the 8bit Moto key could be translated into a 16bit key for TYT.

I'm just studying the TYT BP frames with modified dsd 1.7 code to fiable dumping to disk. Stucked in LFSR calculation, tried berlekamp massey algorithm with no success.
I can hear myself with 0xFFFF key. My intention is not to crack on-air keys, but to know how the TYT BP works and try to interoperate with Moto BP if possible (i'm in process of buying a DP3600).

If BCH-Massey Synthesis Algo couldn't determine the shortest linear shift register capable of generating a given sequence of bits do you think you could try a correlation attack against the ciphertext?

 

[BaofengScanner]

Love it. Can't wait for a cheap chinese P25 handheld now haha. Like DMR better but would still be interesting.

 

[balibago]

No one has the ability

It seems to me that no one out here seems to have the ability to crack even these 256 key encryptions. Let's face it buy a 500 dollar radio and spend days just to listen to a garbage truck or a paranoid small business owner. Really!! I'd love to see someone do it just to show it can be done but let's face it this is a radio community not a hacker community. The same goes for those people who are on batlabs. And by the way how many people bought AOR's DMR receiver. Was it worth it?

 

[johnls7424]

It seems to me that no one out here seems to have the ability to crack even these 256 key encryptions. Let's face it buy a 500 dollar radio and spend days just to listen to a garbage truck or a paranoid small business owner. Really!! I'd love to see someone do it just to show it can be done but let's face it this is a radio community not a hacker community. The same goes for those people who are on batlabs. And by the way how many people bought AOR's DMR receiver. Was it worth it?

Well first off, 256 bits and even higher have been cracked before with good super computers and brute force. Nobody here on RR has enough money, brains and time to successfully do it in any feasible time. Also.. this forum is about encryption, yes but not cracking it

 

[sycho]

Well first off, 256 bits and even higher have been cracked before with good super computers and brute force. Nobody here on RR has enough money, brains and time to successfully do it in any feasible time. Also.. this forum is about encryption, yes but not cracking it

That's right, we are not trying to find or crack the key, we only want to know how the system works, how the key and the voice data are combined before transmitting and vice versa. This would help us to know the limits in interoperability between different manufacturers, and the real security of the options we have available.

Finding the key from an on-air signal is a different issue, and will not be covered here as it's ilegal in most countries. However it's funny to know that some times this could be easier than finding how the full system works.

 

[johnls7424]

That's right, we are not trying to find or crack the key, we only want to know how the system works, how the key and the voice data are combined before transmitting and vice versa. This would help us to know the limits in interoperability between different manufacturers, and the real security of the options we have available.

Finding the key from an on-air signal is a different issue, and will not be covered here as it's ilegal in most countries. However it's funny to know that some times this could be easier than finding how the full system works.

Well.. The basic privacy is near proprietary on the MD-380. Motorola has their own solution and format and so does Hytera/Harris. As for enhanced encryption. The MD-380 utilizes I believe 128 bit encryption standard. Some do claim its 256 AES BIT. I cannot confirm that though. Anywho.. Either way that can be heard on MotoTRBO radios the enhanced encryption. As for Hytera/Harris and Connect Systems models I am not sure.

 

[RayAir]

That's right, we are not trying to find or crack the key, we only want to know how the system works, how the key and the voice data are combined before transmitting and vice versa. This would help us to know the limits in interoperability between different manufacturers, and the real security of the options we have available.

Finding the key from an on-air signal is a different issue, and will not be covered here as it's ilegal in most countries. However it's funny to know that some times this could be easier than finding how the full system works.

I was thinking it might be interesting to Wireshark a write to a TRBO radio and view how it writes a BP key.

Maybe we'd be lucky and it would write the BP key as a 4 digit hexadecimal?

 

[johnls7424]

I was thinking it might be interesting to Wireshark a write to a TRBO radio and view how it writes a BP key.

Maybe we'd be lucky and it would write the BP key as a 4 digit hexadecimal?

Yeah that would be cool Ray. Hey did you see the good deals on MD-380 from Connect Systems?

 

[RayAir]

Yes. $130 is a good deal. I already have 3 MD-380's.
I been buying Motorola lately, because I have four Capacity Plus systems by me and figured I program them in my XPR 6550. Capacity Plus programming is simple.

Looking to add a VHF XPR 7550.

 

[johnls7424]

Yes. $130 is a good deal. I already have 3 MD-380's.
I been buying Motorola lately, because I have four Capacity Plus systems by me and figured I program them in my XPR 6550. Capacity Plus programming is simple.

Looking to add a VHF XPR 7550.

Yes very nice. People ( including myself) are hoping for a upgrade or even a P25 format for the Tytera or Hytera radio line.