• To anyone looking to acquire commercial radio programming software:

    Please do not make requests for copies of radio programming software which is sold (or was sold) by the manufacturer for any monetary value. All requests will be deleted and a forum infraction issued. Making a request such as this is attempting to engage in software piracy and this forum cannot be involved or associated with this activity. The same goes for any private transaction via Private Message. Even if you attempt to engage in this activity in PM's we will still enforce the forum rules. Your PM's are not private and the administration has the right to read them if there's a hint to criminal activity.

    If you are having trouble legally obtaining software please state so. We do not want any hurt feelings when your vague post is mistaken for a free request. It is YOUR responsibility to properly word your request.

    To obtain Motorola software see the Sticky in the Motorola forum.

    The various other vendors often permit their dealers to sell the software online (i.e., Kenwood). Please use Google or some other search engine to find a dealer that sells the software. Typically each series or individual radio requires its own software package. Often the Kenwood software is less than $100 so don't be a cheapskate; just purchase it.

    For M/A Com/Harris/GE, etc: there are two software packages that program all current and past radios. One package is for conventional programming and the other for trunked programming. The trunked package is in upwards of $2,500. The conventional package is more reasonable though is still several hundred dollars. The benefit is you do not need multiple versions for each radio (unlike Motorola).

    This is a large and very visible forum. We cannot jeopardize the ability to provide the RadioReference services by allowing this activity to occur. Please respect this.

WHCA Systems Sabers

FFPM571

Member
Premium Subscriber
Joined
Mar 11, 2003
Messages
1,980
Reaction score
957
Location
The Mid South
Saber and astro saber knobs have a history of disingrating over time. they are harder and harder to find unless someone is making them up. The antenna is the same as used on the XTS and Jedi series so OEM are still around if you look.
 

mbnv992

Also known as MT2000 man on Batlabs since 2001+
Joined
Apr 13, 2009
Messages
783
Reaction score
552
Location
AZ
Saber and astro saber knobs have a history of disingrating over time. they are harder and harder to find unless someone is making them up. The antenna is the same as used on the XTS and Jedi series so OEM are still around if you look.
Astro Saber knobs are very hard to find like you said. Standard Saber knobs are all over eBay and for the most part, fit great. I still have a bag full of them and they are fantastic.
As far as Astro Saber knobs, there’s only this one Chinese maker of them that I’ve found. Not sure if the quality but this is all I could find. OEM Saber and Astro Saber knobs are long since gone.

 

TDR-94

Member
Joined
Mar 30, 2014
Messages
1,443
Reaction score
458
There are many more type 1 VINSON encrypted radios in civilian hands so it makes sense to develop a keyloader for that. This would be for all the PRC-148s, PRC-152s and similar radios people seem to come up with.
There are many more type 1 VINSON encrypted radios in civilian hands so it makes sense to develop a keyloader for that. This would be for all the PRC-148s, PRC-152s and similar radios people seem to come up with.
Most of those devices are designed to meet requirements that make it difficult to reverse engineer.The keys aren't created by the key loaders either. They come from the EKMS (directly controlled by you know who) and are securely transferred to the keyfill/loader devices.

Finding anything other than useless training tapes, for the older tape keyfill devices, would be even more difficult.
 
Last edited:

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
8,394
Reaction score
5,757
Most of those devices are designed to meet requirements that make it difficult to reverse engineer.The keys aren't created by the key loaders either. They come from the EKMS (directly controlled by you know who) and are securely transferred to the keyfill/loader devices.

Finding anything other than useless training tapes, for the older tape keyfill devices, would be even more difficult.
The challenge is not in duplicating the paper tape process, it is in making a device the radio sees as a valid key-fill device. I have no idea what is on the paper tapes is it just the 128 bit(?) crypto key or does it have a CIK or some other qualifier it (radio) must see? Training tapes might be useful as they probably can be read by eye.
 

TDR-94

Member
Joined
Mar 30, 2014
Messages
1,443
Reaction score
458
The challenge is not in duplicating the paper tape process, it is in making a device the radio sees as a valid key-fill device. I have no idea what is on the paper tapes is it just the 128 bit(?) crypto key or does it have a CIK or some other qualifier it (radio) must see? Training tapes might be useful as they probably can be read by eye.
I could be wrong, but the training tapes were just used to train how to pull tape through the device and and go through the procedure. Nothing of any use was on them. The fill tapes would be destroyed once they were no longer needed. How would you create a key that has no specific public knowlege of it's inner workings for the radio to accept as valid?
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
8,394
Reaction score
5,757
I could be wrong, but the training tapes were just used to train how to pull tape through the device and and go through the procedure. Nothing of any use was on them. The fill tapes would be destroyed once they were no longer needed. How would you create a key that has no specific public knowlege of it's inner workings for the radio to accept as valid?
I guess one could start here.....


and here.......

 
Last edited:

prcguy

Member
Joined
Jun 30, 2006
Messages
18,714
Reaction score
14,934
Location
So Cal - Richardson, TX - Tewksbury, MA
Most of those devices are designed to meet requirements that make it difficult to reverse engineer.The keys aren't created by the key loaders either. They come from the EKMS (directly controlled by you know who) and are securely transferred to the keyfill/loader devices.

Finding anything other than useless training tapes, for the older tape keyfill devices, would be even more difficult.
If one had access to a KYK-13 or similar it should be easy these days to monitor the data flow while keyloading and see what a valid key is made of with timing, voltages, etc. Although that would probably be a criminal act if data sniffing on a valid Govt supplied key. I think its just a matter of time before someone, preferably outside the US, experiments and offers a Type 1 keyloader.
 
Last edited:

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
8,394
Reaction score
5,757
If one had access to a KYK-13 or similar it should be easy to monitor the data flow while keyloading and see what a valid key is made of with timing, voltages, etc. Although that would probably be a criminal act if data sniffing on a valid Govt supplied key. I think its just a matter of time before someone, preferably outside the US, experiments and offers a Type 1 keyloader.
I am sure one of our smart adversaries or "allies" has reverse engineered it. When they need cash then there is: TEMU ......
 

TDR-94

Member
Joined
Mar 30, 2014
Messages
1,443
Reaction score
458
Answering my own question.

The key generation procedure for SAVILLE begins with a 128‑bit master key. This key is passed through a key‑expansion routine that produces 80 round keys of 32 bits each. The routine uses a simple linear feedback shift register (LFSR) to generate the round keys. In the implementation, the LFSR has a 256‑bit state and the first 128 bits are seeded with the user key. Each subsequent round key is derived by shifting the state 4 bits to the left and XORing the output with a constant round counter. The resulting key schedule is considered linear and thus is regarded as a potential weakness in theory, but in practice it does not affect the cipher’s security
 

TDR-94

Member
Joined
Mar 30, 2014
Messages
1,443
Reaction score
458
If one had access to a KYK-13 or similar it should be easy these days to monitor the data flow while keyloading and see what a valid key is made of with timing, voltages, etc. Although that would probably be a criminal act if data sniffing on a valid Govt supplied key. I think its just a matter of time before someone, preferably outside the US, experiments and offers a Type 1 keyloader.
Still need the key first. TEMPEST requirements are there to prevent side channel attacks like that on more modern equipment.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
8,394
Reaction score
5,757
Still need the key first. TEMPEST requirements are there to prevent side channel attacks like that on more modern equipment.
I am confused. Why can't you create your own key and make the encryption useful? Nobody is suggesting decrypting an agencies communications.
 

prcguy

Member
Joined
Jun 30, 2006
Messages
18,714
Reaction score
14,934
Location
So Cal - Richardson, TX - Tewksbury, MA
I am confused. Why can't you create your own key and make the encryption useful? Nobody is suggesting decrypting an agencies communications.
Once a valid key delivery to the radio is analyzed I would think with today's technology it would not be difficult to emulate. The problem is getting your hands on a KYK-13 which is rare and even rarer would be a valid paper punched key and reader for that to load the KYK-13. And in the US there would be serious legal issues doing that.

The KVL3000 was apparently hacked and emulated with several groups offering aftermarket keyloaders for AES and DES but the KVL3000 and keys are not controlled by the NSA like the Type 1 equipment is.
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
8,394
Reaction score
5,757
Maybe so. But it seems the KYK-13 (DS 102 protocol) relies heavily on all the physical components being physically accounted for. The tape being the most important part. It seems the encryption key is raw data, the DS 102 being transparent to raw data and perhaps the target COMSEC device having little in the way of a handshake.

The "AI" has this to say in summary.

The KYK-13 Electronic Transfer Device is a portable, battery-powered cryptographic fill device developed by the United States National Security Agency (NSA). First introduced in 1976, it was designed to safely store and transfer cryptographic keys—commonly referred to as Transmission Encryption Keys (TEK)—into compatible military communications security (COMSEC) equipment. [1, 2, 3]

Core Specifications​


  • Key Capacity: It can store up to six cryptographic keys at a time.
  • Maximum Key Length: 128 bits (including an 8-bit CRC checksum).
  • Data Protocol: It utilizes the synchronous serial DS-102 protocol for transferring key material.
  • Power Source: Operates on a 6V battery (such as the BA-1372 or BA-5372).
  • Physical Connections: Features standard 6-pin U-229 connectors at both ends (one male plug and one female socket connected in parallel) to interface directly with target hardware or fill cables.
  • National Stock Number (NSN): 5810-01-026-9618. [1, 2, 4, 5]

Operation and Compatibility​

To load a key, an operator aligns a rotary selector switch to the desired storage slot and presses an "Initiate" button. A blinking parity lamp flashes to signal a successful data transfer. It can receive keys from paper tape readers like the KOI-18 or other net control devices. It is widely used to "fill" secure tactical equipment, including: [4, 6, 7, 8]


Modern Status​

Due to its simple, rugged, and reliable design, the KYK-13 enjoyed wide user acceptance and remained in active military field service for over four decades. However, because it relies on legacy DS-102 infrastructure, it has largely been succeeded by more modern, programmable Data Transfer Devices (DTDs) that support newer DS-101 protocols, such as the AN/CYZ-10, the PYQ-10 Simple Key Loader (SKL), and the KIK-30 Really Simple Key Loader (RASKL). [1, 2, 12]
If you want, tell me:

  • Are you looking for the pinout schematics of the U-229 connectors?
  • Do you need the step-by-step procedure for clearing or zeroizing the device?
  • Are you looking for details on a specific successor device like the AN/CYZ-10?

[1] https://www.cryptomuseum.com
[2] https://en.wikipedia.org
[3] https://www.cryptomuseum.alibaba.sk
[4] https://jproc.ca
[5] https://www.cryptomuseum.com
[6] https://commons.wikimedia.org
[7] https://grokipedia.com
[8] https://www.cryptomuseum.com
[9] https://www.cryptomuseum.com
[10] https://en.wikipedia.org
[11] https://en.wikipedia.org
[12] https://en.wikipedia.org

Can you provide a simple logic table for communication between a KYK-13 and a target COMSEC Equipment?

The communication between a KYK-13 electronic transfer device and target COMSEC equipment (such as a SINCGARS radio or KY-57 encryptor) relies on the DS-102 synchronous serial protocol. [1, 2]
This 4-wire interface manages data transfers through a hardware handshake. The logic and signal interaction table below breaks down how these components communicate using the standard U-229 connector pinout: [1, 3, 4]

DS-102 Signal Pin Assignment​

The specific physical interface pins utilized during the handshake process are: [3]
Pin [1, 3, 5, 6, 7] Signal NameDirectionFunction
AGNDN/ACommon Ground reference.
CACK (Acknowledgment)Target → KYK-13Target crypto device pulls this line to request or confirm data readiness.
DDATA (Fill Data)KYK-13 → TargetSerial key data stream (128 bits total).
E or FCLK (Clock)Handshake-dependentSynchronizes bit transitions between devices.

Step-by-Step Communication Logic Table​

This sequential truth and state table illustrates the logical steps and signal transitions during a successful key transfer procedure:
Step [2, 5, 8, 9, 10] State / PhaseSwitch / Button StatusSignal States (Logic Level)Communication Behavior
1Idle / StandbyKYK-13 ON, Address SelectedACK: HIGH (Logic 1)
DATA: LOW (Logic 0)
CLK: Idle
Both devices are connected but resting. Target equipment is waiting in "Load" or "Fill" mode.
2InitiationOperator presses "Initiate" button on KYK-13ACK: Drops to LOW (Logic 0)
DATA: LOW (Logic 0)
CLK: Idle
Target device senses the connection hook/pull and drops the ACK line to signal it is ready to receive data.
3Clock SyncAutomatic Hardware ControlACK: LOW (Logic 0)
DATA: LOW (Logic 0)
CLK: Active Square Wave
The clock line begins pulsing to establish transmission speed and timing boundaries.
4Data TransferAutomatic Burst TransmissionACK: LOW (Logic 0)
DATA: Alternating (Data Bits)
CLK: Active Synchronous
KYK-13 serializes the 128-bit key packet (120 data bits + 8-bit CRC checksum) onto the DATA pin. Data bits transition on the clock edge.
5ValidationPost-Transfer CheckACK: Transitions to HIGH (Logic 1)
DATA: LOW (Logic 0)
CLK: Disables
Once all bits are captured, the target device processes the 8-bit checksum. If the CRC matches, the target releases the ACK line back to HIGH.
6Success IndicatorLED Feedback VisualParity Lamp: Flashes On/OffKYK-13 registers the HIGH ACK line recovery and flashes its red parity indicator lamp to signal a successful key load.
If you want, I can provide:
The exact wiring diagram for a U-229 fill cableThe physical zeroization logic when clearing the KYK-13 memoryHow this legacy logic compares to the newer DS-101 protocol

[1] https://grokipedia.com
[2] https://grokipedia.com
[3] https://www.cryptomuseum.com
[4] https://www.cryptomuseum.com
[5] https://www.cryptomuseum.com
[6] https://www.cryptomuseum.com
[7] https://grokipedia.com
[8] https://apps.dtic.mil
[9] https://www.allaboutcircuits.com
[10] https://en.wikipedia.org
 
Top