
Tytera MD-380 Enhanced Privacy Recordings

Status
Not open for further replies.

sycho

Member
Joined
Apr 24, 2011
Messages
34
It seems getting TYT EP and Moto BP to work together might be possible. I just don't know how practical it will be unless someone can figure out which keys would be best to try without blind testing.

Give me some time to study TYT EP keystream generation algorithm. I found a way to generate known frames with TYT.

Thanks for the recordings. I wasn't able to understand a word, but English is not my mother language and that doesn't help.

About Hytera, I don't have any radio at hand. I thought the last firmware versions included DMRA encryptions (40bit RC4 and 128/256 AES), didn't know that the basic (proprietary) flavour was maintained.
 

billy1962

Member
Joined
Nov 21, 2015
Messages
45
How would anyone compare the TYT DMR to the Connect Systems DMR? Any opinions between the 2? The TYT is quite a bit cheaper - but the Connect Systems seems like it's better built? Does the Connect Systems have the same security flaws as the TYT?
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,948
Give me some time to study TYT EP keystream generation algorithm. I found a way to generate known frames with TYT.

Thanks for the recordings. I wasn't able to understand a word, but English is not my mother language and that doesn't help.

About Hytera, I don't have any radio at hand. I thought the last firmware versions included DMRA encryptions (40bit RC4 and 128/256 AES), didn't know that the basic (proprietary) flavour was maintained.


Hytera issued a free upgrade a while back that allowed for ARC4 if you selected a 40 bit key and select "Full" for encrypt instead of basic. Full Encrypt 128, and, 256 (both AES) are a paid per radio upgrade.

They still have the basic encrypt options and you can use any privacy setting in the radio at the same time. Setting up encrypt is done on a per channel basis so if you wanted to run channel 1 voice inversion, channel 2 basic-128, channel 3 ARC4, ch 4 AES-128, and channel 5 AES-256 you could. Enc keys can be changed, created, or edited from the front panel but the key value is displayed as asterisks for security.

Looking forward to your work on the TYT EP.
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,948
How would anyone compare the TYT DMR to the Connect Systems DMR? Any opinions between the 2? The TYT is quite a bit cheaper - but the Connect Systems seems like it's better built? Does the Connect Systems have the same security flaws as the TYT?

I have used the MD-380 and CS-700. I've never used the CS-750, but neither of these radios is meant to offer "security". My opinion on the 380 is that it is a decent starter radio and a good DMR conventional scanner for local DMR business radio systems.

We're not looking at breaking the VS on these radios. We're just testing to see if TYT Enhanced Privacy mode will possibly work with MotoTRBO Basic Privacy.
 

sycho

Member
Joined
Apr 24, 2011
Messages
34
How would anyone compare the TYT DMR to the Connect Systems DMR? Any opinions between the 2? The TYT is quite a bit cheaper - but the Connect Systems seems like it's better built? Does the Connect Systems have the same security flaws as the TYT?

Same origin, very very similar PC software, same main chips, almost clone main PCB, compatible (proprietary) basic privacy... figure yourself :roll:
 

ranger44

Member
Joined
Mar 30, 2016
Messages
1
So, out of curiosity, how did you find the LFSR(s) in question? Berlekamp-Massey would be the standard recommendation but earlier you mentioned that didn't work for you.


I can confirm that it's a static encryption, over AMBE frames before FEC, just like Moto Basic. The only difference is that Moto uses a keystream generated from the 8bit key (1-255 user selectable keys) and TYT uses a 128bit key to generate the 49bit keystream to XOR the AMBE frame (nonsense). It's not a transposition cipher.

So there could be two or more different keys which result in the same keystream. And knowing how the TYT EP keystream algorithm works, I'm nearly sure that it could be made to interoperate with Moto Basic.

There is just one issue in investigating the TYT algorithm: the silence frames generated by the TYT AMBE vocoder are not consistent. There are silence frames as per the standard, but some bits change from PTT to PTT. I would need to build a tone/noise generator to produce static and known AMBE frames continuously.
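
An added illustration of the post above, not code from the thread or from any radio vendor: why a fixed 49-bit keystream XORed onto every frame caps a 128-bit key at 49 bits of strength and lets the key cancel out between frames. The XOR-fold derivation, the sample key and the sample frames are assumptions constructed for the example; the real TYT derivation is not given on this page.

```python
FRAME_BITS = 49                      # AMBE voice frame size named in the thread
MASK = (1 << FRAME_BITS) - 1

def derive_keystream(key128: int) -> int:
    """HYPOTHETICAL derivation (not TYT's algorithm): XOR-fold a 128-bit
    key into one 49-bit keystream word."""
    ks = 0
    while key128:
        ks ^= key128 & MASK
        key128 >>= FRAME_BITS
    return ks

def xor_frame(frame: int, keystream: int) -> int:
    """Encrypt or decrypt one 49-bit frame; XOR is its own inverse."""
    return (frame ^ keystream) & MASK

def colliding_key(key128: int) -> int:
    """A different key with the same folded keystream: flip bit 0 of the
    first chunk and bit 0 of the second chunk so the two flips cancel."""
    return key128 ^ (1 | (1 << FRAME_BITS))

def effective_key_bits(nominal_bits: int) -> int:
    """The keystream, not the key, is the secret: at most 49 bits."""
    return min(nominal_bits, FRAME_BITS)

def demo() -> dict:
    key = 0x0123456789ABCDEF0011223344556677   # constructed sample key
    ks = derive_keystream(key)
    p1, p2 = 0x0F0F0F0F0F0F0, 0x1ABCDEF012345  # constructed 49-bit frames
    c1, c2 = xor_frame(p1, ks), xor_frame(p2, ks)
    return {
        # Two distinct 128-bit keys, one keystream (pigeonhole in action).
        "same_keystream": derive_keystream(colliding_key(key)) == ks,
        # Static keystream: the key drops out of any pair of frames.
        "key_cancels": (c1 ^ c2) == (p1 ^ p2),
        # One frame with known content exposes the whole keystream.
        "known_frame_reveals_ks": (c1 ^ p1) == ks,
        "effective_bits": effective_key_bits(128),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same three properties hold for any scheme that reuses one keystream word per frame, whatever the key length; standard stream ciphers avoid this by mixing a per-transmission IV or counter into the keystream.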
 

hamtrektng

Member
Joined
Aug 9, 2015
Messages
75
Location
Plymouth, UK
Basic Privacy compatibility with MD380 success

Recently discovered that inputting a hexadecimal key from BP decimal into one of the EP key value lists works

Try this, e.g.:

In the screenshot below enter an example key of 12 (which in hex is 000C)

Make sure you select your talkgroup in the 'Contact Name' dropdown

and test it with a Motorola and voila!

The last key of the BP keystream is 255 (input this as 00FF)
 

Attachments

  • rsz_1bp_keystream_compat.jpg

RayAir

Member
Joined
Dec 31, 2005
Messages
1,948
Recently discovered that inputting a hexadecimal key from BP decimal into one of the EP key value lists works

Try this, e.g.:

In the screenshot below enter an example key of 12 (which in hex is 000C)

Make sure you select your talkgroup in the 'Contact Name' dropdown

and test it with a Motorola and voila!

The last key of the BP keystream is 255 (input this as 00FF)


Using your above data, I tried this and all I heard was garbled up demonic sounding voice, lol.

This doesn't work. At least with stock firmware.
 

oz1jua

Member
Joined
Dec 15, 2014
Messages
130
Location
Copenhagen
Using your above data, I tried this and all I heard was garbled up demonic sounding voice, lol.

This doesn't work. At least with stock firmware.

I get it to work one way, but it was when I set this 000C in basic on the MD-380.
Sending from the MD-380, the Motorola hears it clear?
 

lechu66n

Newbie
Joined
Feb 7, 2017
Messages
2
Here are some screenshots of MotoTRBO voice privacy for reference:
1st- DMR, no enc
2nd- MotoTRBO Basic Privacy (key:1)
3rd- MotoTRBO Enhanced Privacy (key: A356BB8D09)


TYT MD-380 EP and CS700 BP give no indications of being enc by DSD+


I warmly welcome. I have an MD-380 listening to MotoTRBO, and also give some screenshots.

1- Without BP and EP, code color-1, no KeyID and decodes correctly, listening OK.

2- It is BP and EP, code color-14 and KeyID = 50. Lack listening, incomprehensible gibberish. Is it possible get key and listen to correspondence.
 

Attachments

  • 2.jpg
  • 1.jpg

morton1566

Member
Joined
Apr 26, 2017
Messages
17
Possible help provided?

So...

I have 2 MD380s. I can configure them to transmit in simplex to each other using non-protected DMR, BP and EP. I also do happen to have an SDR, so I can do a recording of their transmissions in raw .wav form using SDR#. Also, I can provide DSD+ logs for those recordings too.

Would that be helpful for you guys?

(Before you ask: Yes, I obviously know the keys (I configured them LOL) and can provide them. Yes, I can do "protected" transmissions where I live.)
 

lechu66n

Newbie
Joined
Feb 7, 2017
Messages
2
Hi, regarding my previous post, please can you give the key to screen 2. Event log is added now.


##########################################################

DMR Decoder (Build 74)
You have selected only to display frames without errors
09:54:07 DMR Data Frame (MS)
Slot Type : Colour Code 14 Data Header
Response Packet
Destination Logical Link ID : 21216 Source Logical Link ID : 21500
0 blocks follow : ACK
09:54:08 DMR Data Frame (MS)
Slot Type : Colour Code 14 Rate ? Data Continuation
000000110000001011001111010000011110011010000001100100111110110111110100000111110010000010110101110000110001011010100111011101001101001101010101
09:54:08 DMR Data Frame (MS)
Slot Type : Colour Code 14 Rate ? Data Continuation
000010001001100111000101100110100101111111101101000000000000000000000000000000000000000000000000000000000000000010011110000011011110010011100001
09:54:08 DMR Data Frame (MS)
Slot Type : Colour Code 14 Terminator with LC
Terminator Data Link Control PDU
Destination Logical Link ID : 21500 Source Logical Link ID : 21210
09:54:24 DMR Data Frame (MS)
Slot Type : Colour Code 14 CSBK
Preamble CSBK : Data content 7 Blocks to follow
Target Address : 21500 Source Address : 21210
09:54:24 DMR Data Frame (MS)
Slot Type : Colour Code 14 Data Header
Proprietary Data : MFID=16 (Motorola)
0001000100110010000000000000000010111100010000001100001000001100
09:54:24 DMR Data Frame (MS)
Slot Type : Colour Code 14 Terminator with LC
Terminator Data Link Control PDU
Destination Logical Link ID : 21500 Source Logical Link ID : 21210
09:54:28 DMR Data Frame (MS)
Slot Type : Colour Code 14 Data Header
Unconfirmed Data
Destination Logical Link ID : 21500 Source Logical Link ID : 21570
3 blocks follow : FSN=0
09:54:28 DMR Data Frame (MS)
Slot Type : Colour Code 14 Data Header
Proprietary Data : MFID=16 (Motorola)
0001000100110010000000000000000010101101000110111100101001011110
09:54:28 DMR Data Frame (MS)
Slot Type : Colour Code 14 Data Header
Confirmed Data
Destination Logical Link ID : 21500 Source Logical Link ID : 21245
6 blocks follow : FSN=8 N(S)=5
09:54:38 DMR Data Frame (MS)
Slot Type : Colour Code 14 Rate ? Data Continuation
R_3_4_DATA (data block serial number=0)
01101101101111100001110100111010011110010100110000011000010001000110100001001101100110100111001000110001111111100000010110110010
09:54:38 DMR Data Frame (MS)
Slot Type : Colour Code 14 Rate ? Data Continuation
R_3_4_DATA (data block serial number=3)
01001100100001100111010111100110101110001011100010000100110001100111000011010000111011011011100111010000001101010110011101101011
09:54:40 DMR Data Frame (MS)
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,932
Location
Ontario, Canada
I warmly welcome. I have an MD-380 listening to MotoTRBO, and also give some screenshots.

1- Without BP and EP, code color-1, no KeyID and decodes correctly, listening OK.

2- It is BP and EP, code color-14 and KeyID = 50. Lack listening, incomprehensible gibberish. Is it possible get key and listen to correspondence.

The MD-380 is 100% NOT compatible with Motorola EP. There was talk (as above) that BP may work but I've never seen or heard from anyone first hand that made it work.
 

Marco192

Member
Joined
Aug 9, 2014
Messages
97
There is a lot of talk about this new dual band DMR radio, Radioddity GD-77
https://forums.radioreference.com/budget-entry-level-transceivers/356586-radioddity-gd-77-a.html

It would be great to know what kind of privacy options does this new radio have, and is it compatible with the EP or BP on TYT MD380 and all the other brands. Hoping that someone with both GD-77 and a TYT radio can do some testing

So far from looking at the programming software I found out that it has two privacy options ... a 32 or 64 bit key (no option for a 128 bit like on MD380).
 

human8472

Member
Joined
Mar 3, 2014
Messages
216
So far from looking at the programming software I found out that it has two privacy options ... a 32 or 64 bit key (no option for a 128 bit like on MD380).

I am also interested in the encryption options for the GD-77. Are you saying that the software allows for 32-bit or 64-bit key? I have not been able to find out much information at all on the encryption capabilities of the GD-77 so this would be good news if 32-bit and 64-bit were supported. Thank you.
 

Marco192

Member
Joined
Aug 9, 2014
Messages
97
I am also interested in the encryption options for the GD-77. Are you saying that the software allows for 32-bit or 64-bit key? I have not been able to find out much information at all on the encryption capabilities of the GD-77 so this would be good news if 32-bit and 64-bit were supported. Thank you.

My information on this subject is also very limited. The key length info can be found in the GD-77 CPS.
I have tried all the different combinations (basic and enhanced) to make the encryption on GD-77 work with the MD-380, but no luck. After that I returned the GD-77.
 

Forts

Mentor
Database Admin
Joined
Dec 19, 2002
Messages
6,932
Location
Ontario, Canada
My information on this subject is also very limited. The key length info can be found in the GD-77 CPS.
I have tried all the different combinations (basic and enhanced) to make the encryption on GD-77 work with the MD-380, but no luck. After that I returned the GD-77.

The key size is irrelevant when the encryption scheme is proprietary, unfortunately... And most of the budget radios just do their own thing, it seems. Also, from what I've gathered, these radios apply the encryption after the FEC, resulting in somewhat poor decryption and crappy audio quality.
 