Tytera MD-380 Enhanced Privacy Recordings

Status
Not open for further replies.

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
Wireshark captures the write to the radio just fine. Found where the privacy keys are written.
When I get home from work towards the end of the week I'll do a couple BP writes and the screenshot.

I tested it first using EP, but I'm more curious how the BP key is written.
 

johnls7424

Member
Premium Subscriber
Joined
Jul 22, 2012
Messages
1,324
Location
Somewhere in NJ
Wireshark captures the write to the radio just fine. Found where the privacy keys are written.
When I get home from work towards the end of the week I'll do a couple BP writes and the screenshot.

I tested it first using EP, but I'm more curious how the BP key is written.

Yeah, cool. Let us know how that works. I know people on here have figured out how the file is written for radio parameters and such. They are tinkering with that too. Unfortunately you cannot effectively transmit out of the range of 480 MHz without the radio getting wonky and such, but still it's crazy. Anywho, yeah, let us still know how things work out for you.
 

EricCottrell

Member
Premium Subscriber
Joined
Nov 8, 2002
Messages
2,410
Location
Boston, Ma
Hello,

NXDN uses the same codec as DMR, so the encryption techniques might be similar. NXDN has a basic Scramble Encryption that uses a 15 bit shift register, 56 bit DES OFB, and 256 bit AES OFB encryption.

The encryption/decryption is done between the Vocoder and the FEC code processing. This makes sense as you want the FEC to correct the ciphertext. It also means you have to look at things at the vocoder level, after the FEC and bit-shifting is done.

73 Eric
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
I captured a few writes with Wireshark and looked for my EP key. That was easy to find. I did a few BP writes with a known key and tried to find it. I couldn't determine how it wrote the BP key, but haven't had the opportunity to look more into it.

I also made a capture writing a RAS key, but haven't looked at the file yet.

I'm working on a Python program that might help.

Also purchased a Hytera PD782 to check its 128 bit Enc to the 128 bit Enc on the Tytera MD-380 for possible compatibility.

I'm awaiting programming software.

Unfortunately I haven't had much spare time lately due to work and travel.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
Getting the AES-256 enabled on Hytera CPS and testing that is another project in the pipeline.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
No, the EP key was captured from MotoTRBO CPS while writing the Enc key to my TRBO radio.

Never tried to capture a write to my TYT.

Only issues I see with TYT 128 bit EP are hitting the radio with a BP signal forces the rx radio out of EP mode and the keys can be read from the radio.

You can't read an EP key from a Motorola using Wireshark or trying to read it with CPS.
 

johnls7424

Member
Premium Subscriber
Joined
Jul 22, 2012
Messages
1,324
Location
Somewhere in NJ
No, the EP key was captured from MotoTRBO CPS while writing the Enc key to my TRBO radio.

Never tried to capture a write to my TYT.

Only issues I see with TYT 128 bit EP are hitting the radio with a BP signal forces the rx radio out of EP mode and the keys can be read from the radio.

Oh okay. How do you like your Hytera PD782? I was thinking about investing in one. Someone on here was selling a demo model for around 400 bucks with the programming software and cable. To my knowledge I do believe Hytera is pretty good about providing the software for its user for free. So I'm told at least.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
Oh okay. How do you like your Hytera PD782? I was thinking about investing in one. Someone on here was selling a demo model for around 400 bucks with the programming software and cable. To my knowledge I do believe Hytera is pretty good about providing the software for its user for free. So I'm told at least.

Just got it today, but don't have the software. I emailed Hytera last week and received an email from likely a customer service rep overseas that had no idea what I was asking and told me to ask a Hytera dealer.

I don't know any but the guy I bought it from is sending me his disc. I already have a cable.

I will compare it to my 6550 once I get it programmed.

I'll also test all Hytera's Privacy features.

I found the radio slightly used with a charger and programming cable for $300 shipped. UHF (450-512MHz I believe). I was told it will do 70cm but that is not a big deal for me.

It looks good so far. It's a little smaller than my 6550 and of course has a better display.
 

johnls7424

Member
Premium Subscriber
Joined
Jul 22, 2012
Messages
1,324
Location
Somewhere in NJ
Just got it today, but don't have the software. I emailed Hytera last week and received an email from likely a customer service rep overseas that had no idea what I was asking and told me to ask a Hytera dealer.

I don't know any but the guy I bought it from is sending me his disc. I already have a cable.

I will compare it to my 6550 once I get it programmed.

I'll also test all Hytera's Privacy features.

I found the radio slightly used with a charger and programming cable for $300 shipped. UHF (450-512MHz I believe). I was told it will do 70cm but that is not a big deal for me.

It looks good so far. It's a little smaller than my 6550 and of course has a better display.


Exactly the same one I was looking for. The UHF 2 band. 500 MHz is nice. Hopefully Hytera prices for used ones are favorable (300 dollar range) for the PD782. Motorola is nice for its trunking features, but it's the big M and prices never seem to drop to a reasonable price, plus they rape their customers with the price for CPS for even low end radios. It's ridiculous in my opinion. At least Chinese companies are free and Hytera I hear is good with getting its customers (even if purchased through 3rd party) a copy of the CD. I know the CD is sold from dealers with the radio. However people resell the software because I think on Hyteras you can download to more than one computer (I may be wrong on that though).

Good luck with it though.
 

sycho

Member
Joined
Apr 24, 2011
Messages
34
Hello,

NXDN uses the same codec as DMR, so the encryption techniques might be similar. NXDN has a basic Scramble Encryption that uses a 15 bit shift register, 56 bit DES OFB, and 256 bit AES OFB encryption.

The encryption/decryption is done between the Vocoder and the FEC code processing. This makes sense as you want the FEC to correct the ciphertext. It also means you have to look at things at the vocoder level, after the FEC and bit-shifting is done.

73 Eric

You mean encryption is done over u0..3 vocoder streams? I bet not because vocoder frames de/interleaving and FEC is done inside the AMBE vocoder chip, so I expected it to work at c0..3 or even over the final 72-bit frame when the AMBE data is transferred to the phy layer for modulation. Could you point me to any documentation about this on NXDN or DMR?

http://patentimages.storage.googleapis.com/US7734982B2/US07734982-20100608-D00001.png
 

7312345

Member
Joined
Sep 22, 2015
Messages
127
Just got it today, but don't have the software. I emailed Hytera last week and received an email from likely a customer service rep overseas that had no idea what I was asking and told me to ask a Hytera dealer.

I don't know any but the guy I bought it from is sending me his disc. I already have a cable.

I will compare it to my 6550 once I get it programmed.

I'll also test all Hytera's Privacy features.

I found the radio slightly used with a charger and programming cable for $300 shipped. UHF (450-512MHz I believe). I was told it will do 70cm but that is not a big deal for me.

It looks good so far. It's a little smaller than my 6550 and of course has a better display.


I can provide the latest Hytera PD78X software for free. If you need it, message me.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
I can provide the latest Hytera PD78X software for free. If you need it, message me.

Thanks for offering, but I was able to get a copy today. Haven't installed it yet. I was able to FPP our t/a channel in the PD782.

I'm liking this radio already.
 

sycho

Member
Joined
Apr 24, 2011
Messages
34
Hello,

NXDN uses the same codec as DMR, so the encryption techniques might be similar. NXDN has a basic Scramble Encryption that uses a 15 bit shift register, 56 bit DES OFB, and 256 bit AES OFB encryption.

The encryption/decryption is done between the Vocoder and the FEC code processing. This makes sense as you want the FEC to correct the ciphertext. It also means you have to look at things at the vocoder level, after the FEC and bit-shifting is done.

73 Eric

You are right! In NXDN, scrambling is done inside the vocoder data path, just before FEC, and the 15-bit basic encryption LFSR feedback equation is public:

261nns3.png
 

7312345

Member
Joined
Sep 22, 2015
Messages
127
You are right! In NXDN, scrambling is done inside the vocoder data path, just before FEC, and the 15-bit basic encryption LFSR feedback equation is public:

261nns3.png


This is good news. Can NXDN be decrypted? I hope that the software can decrypt its basic digital scrambler.
 

sycho

Member
Joined
Apr 24, 2011
Messages
34
But I'm afraid that is different in MOTOTRBO BP, because DSD shows many FEC errors when receiving a basic privacy transmission. That means that FEC is not done over the cyphertext, but probably over the clear.

And that's good in terms of security (residual intelligibility and key distance) because a small difference in the key generates a lot of errors in FEC if cyphertext is not perfectly de-scrambled.
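
The inference in the post above, as an added illustration that is not part of the original thread: whether a receiver without the key sees FEC errors depends on whether the FEC was computed over the ciphertext or over the clear bits. The Hamming(7,4) code, the LFSR taps, the key and the sample bits are assumptions made for the demo, not the NXDN, DMR or MOTOTRBO parameters.

```python
# Toy model, added for illustration. Hamming(7,4) stands in for the real voice
# FEC, and the LFSR taps (x^15 + x^14 + 1) are an assumption for the demo, not
# the NXDN or MOTOTRBO feedback equation.

def lfsr_keystream(key, nbits):         # the key is the initial 15-bit state
    state = key & 0x7FFF
    if state == 0:
        raise ValueError("an all-zero LFSR state never changes")
    out = []
    for _ in range(nbits):
        bit = ((state >> 14) ^ (state >> 13)) & 1
        state = ((state << 1) | bit) & 0x7FFF
        out.append(bit)
    return out

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def fec_encode(bits):
    """Hamming(7,4): each 4 data bits become [p1, p2, d1, p3, d2, d3, d4]."""
    coded = []
    for i in range(0, len(bits), 4):
        d1, d2, d3, d4 = bits[i:i + 4]
        coded += [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]
    return coded

def fec_error_blocks(coded):
    """Count 7-bit blocks with a non-zero syndrome, as a decoder would report."""
    bad = 0
    for i in range(0, len(coded), 7):
        c = coded[i:i + 7]
        syndrome = (c[0] ^ c[2] ^ c[4] ^ c[6],
                    c[1] ^ c[2] ^ c[5] ^ c[6],
                    c[3] ^ c[4] ^ c[5] ^ c[6])
        bad += any(syndrome)
    return bad

def scramble_then_fec(voice, key):      # FEC computed over the ciphertext
    return fec_encode(xor_bits(voice, lfsr_keystream(key, len(voice))))

def fec_then_scramble(voice, key):      # FEC computed over the clear bits
    coded = fec_encode(voice)
    return xor_bits(coded, lfsr_keystream(key, len(coded)))

VOICE = [(i * i + i // 3) & 1 for i in range(256)]  # constructed vocoder bits
KEY = 0x1234                                        # constructed key

if __name__ == "__main__":
    for name, tx in (("FEC over ciphertext", scramble_then_fec(VOICE, KEY)),
                     ("FEC over clear", fec_then_scramble(VOICE, KEY))):
        print(name, "keyless bad blocks:", fec_error_blocks(tx), "of", len(tx) // 7)
```

With FEC over the ciphertext every block is a valid codeword regardless of the key, so a decoder reports no errors. With FEC over the clear, a block stays valid only when its 7 keystream bits happen to form one of the 16 codewords out of 128 patterns, which is why a missing or slightly wrong key shows up as FEC errors.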
 

7312345

Member
Joined
Sep 22, 2015
Messages
127
But I'm afraid that is different in MOTOTRBO BP, because DSD shows many FEC errors when receiving a basic privacy transmission. That means that FEC is not done over the cyphertext, but probably over the clear.


If there is software, I can do the test.
 

sycho

Member
Joined
Apr 24, 2011
Messages
34
This is good news. Can NXDN be decrypted? I hope that the software can decrypt its basic digital scrambler.

Yes, with that (public) information you could implement decryption (different from cracking) on DSD to decode legit comms with the correct key. This is no different than having an NXDN radio and programming the key, so I don't see anything illegal in this.

I would like to do the same for TRBO and TYTERA basic, not really interested in NXDN as I don't use it in my network. But the encryption method (scrambler location and LFSR) is not published and I have not been able to reverse eng. it.
 