Reverse Engineering the Tytera MD380

Travis Goodspeed has been playing with Digital Mobile Radio (DMR) lately, a competitor to TETRA and P25 that is used for amateur radio, as well as trunked radio for businesses and cash-strapped police departments. Page 76 contains his notes for jailbreaking the Tytera MD380’s bootloader, dumping all of protected memory, then patching its application to enable promiscuous mode. These tricks should also work on the CS700, CS750, and a variety of other DMR handhelds. On page 88, the last and most important page, we pass around the collection plate. We don’t need your dimes, but we’d love some nifty proofs of concept.

Reverse Engineering the Tytera MD380

The following is an adventure of reverse engineering the Tytera MD380, a digital hand-held radio that can be had for barely more than a hundred bucks. In this article, I explain how to read and write the radio’s configuration over USB, and how to break the readout protection on its firmware, so that you fine readers can write your own strange and clever software for this nifty gizmo. I also present patches to promiscuously receive audio from unknown talkgroups, creating the first hardware scanner for DMR. Far more importantly, these notes will be handy when you attempt to reverse engineer something similar on your own.

This article does not go into the security problems of the DMR protocol, but those are sufficiently similar to P25 that I’ll just refer you to Why (Special Agent) Johnny (Still) Can’t Encrypt by Sandy Clark and Friends.

8.1 Hardware Overview

[Figure: speaker/microphone connector pinout, labelled SP-, D-, SP+ (speaker side) and D+, MIC (microphone side)]

The MD380 is a hand-held digital voice radio that uses either analog FM or Digital Mobile Radio (DMR). It is very similar to other DMR radios, such as the CS700 and CS750 from Connect Systems.

DMR is a trunked radio protocol using two-slot TDMA, so a single repeater tower can be used by one user in Slot 1 while another user is having a completely different conversation on Slot 2. Just like GSM, the tower coordinates which radio should transmit when.

The CPU of this radio is an STM32F405 from STMicroelectronics. This contains a Cortex M4, so all instructions are Thumb and all function pointers are odd. The LQFP100 package of this chip is used. It has a megabyte of Flash and 192 kilobytes of RAM. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by a Readout Device Protection (RDP) feature. In Section 8.8, I’ll show you how to bypass these protections and jailbreak your radio.

There is also a radio baseband chip, the HR C5000. At first I was reconstructing the pinout of this chip from the CS700 Service Manual, but the full documentation can be had from DocIn, a Chinese PDF sharing website.

Aside from a bunch of support components that we can take for granted, there is an SPI Flash chip for storing the codeplug. “Codeplug” is a Motorola term for the radio settings, such as frequencies, contacts, and talk groups; I use the term here to distinguish the radio configuration in SPI Flash from the code and data in CPU Flash.
8.2 A Partial Dump

From lsusb -v on Linux, we can see that the device implements USB DFU, most likely as a fork of some STMicro example code. The MD380 appears as an STMicro DFU device with storage for Internal Flash and SPI Flash, with a VID:PID of 0483:df11.

Further, the .rdt codeplug files are SPI Flash images in the DMU format, which is pretty much just a wrapper with a bare minimum of metadata around a flat, uncompressed memory image. These codeplug files contain the radio’s contact list, repeater frequencies, and other configuration info. We’ll get back to this later, as what we really want to do is dump and patch the firmware.

Unfortunately, dumping memory from the device by the standard DFU protocol doesn’t seem to yield useful results, just the same repeating binary string, regardless of the alternate we choose or the starting position.
In this brave new world, where folks break their bytes on the little side by order of Golbasto Momarem Evlame Gurdilo Shefin Mully Ully Gue, Tyrant of Lilliput and Eternal Enemy of Big Endians and Blefuscu, it’s handy to spot four-byte sequences that could be interrupt handlers. In this case, what we’re looking at is the first few pointers of an interrupt vector table. This means that we are grabbing memory from the beginning of internal flash at 0x08000000!

Note that the data repeats every kilobyte, and also that dfu-util is reporting a transfer size of 1,024 bytes. The -t switch will order dfu-util to dump more than a kilobyte per transfer, but everything after the first transfer remains corrupted.

This is because dfu-util isn’t sending the proper commands to the radio firmware, and it’s getting the page as a bug rather than through proper use of the protocol. (There are lots of weird variants of DFU, created by folks only using DFU with their own tools and never testing for compatibility with each other. This variant is particularly weird, but manageable.)
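As an added illustration (not code from the article), the Python below applies the two heuristics the text relies on: a Cortex-M vector table starts with a word-aligned stack pointer in RAM followed by odd Thumb addresses inside flash, and a dump that repeats every kilobyte is the dfu-util symptom described above. The flash and RAM sizes are the STM32F405 figures the article gives; the 128 KB SRAM / 64 KB CCM split is assumed from the standard STM32F4 memory map, and the dump is constructed, not a real MD380 readout.

```python
import struct

# Memory map from the article: STM32F405 with 1 MB of flash at 0x08000000
# and 192 KB of RAM (assumed split: 128 KB SRAM at 0x20000000 plus 64 KB
# CCM at 0x10000000, the standard STM32F4 layout).
FLASH_BASE, FLASH_SIZE = 0x08000000, 0x100000
SRAM_BASE, SRAM_SIZE = 0x20000000, 0x20000
CCM_BASE, CCM_SIZE = 0x10000000, 0x10000

def is_thumb_handler(word):
    """Cortex-M handler pointer: inside flash with the Thumb bit set (odd)."""
    return FLASH_BASE <= word < FLASH_BASE + FLASH_SIZE and word & 1 == 1

def is_initial_sp(word):
    """Vector 0 is the initial stack pointer: word-aligned, within some RAM."""
    in_ram = (SRAM_BASE <= word <= SRAM_BASE + SRAM_SIZE
              or CCM_BASE <= word <= CCM_BASE + CCM_SIZE)
    return in_ram and word % 4 == 0

def vector_table_score(blob, count=16):
    """Count how many of the first `count` little-endian words look like
    vector entries; reserved slots may legitimately hold zero."""
    words = struct.unpack_from("<%dI" % count, blob, 0)
    score = 1 if is_initial_sp(words[0]) else 0
    score += sum(1 for w in words[1:] if w == 0 or is_thumb_handler(w))
    return score

def repeat_period(blob):
    """Smallest power-of-two period at which the dump repeats, or None.
    A 1 KiB period is the dfu-util symptom the article describes."""
    for period in (256, 512, 1024, 2048, 4096):
        chunks = [blob[i:i + period] for i in range(0, len(blob), period)]
        if len(chunks) > 1 and all(c == chunks[0] for c in chunks):
            return period
    return None

# Constructed sample, not a real MD380 dump: a plausible vector table
# (initial SP, Reset, NMI, HardFault, SVCall, PendSV, SysTick as odd flash
# addresses, reserved slots zero) padded with erased-flash 0xFF to 1 KiB,
# then repeated four times the way the broken dfu-util readout does.
_vectors = [0x20020000, 0x0800C1A5, 0x0800C1B1, 0x0800C1BD, 0, 0, 0, 0,
            0, 0, 0, 0x0800C1C9, 0, 0, 0x0800C1D5, 0x0800C1E1]
_page = struct.pack("<16I", *_vectors).ljust(1024, b"\xff")
SAMPLE_DUMP = _page * 4

if __name__ == "__main__":
    print("vector table score:", vector_table_score(SAMPLE_DUMP), "/ 16")
    print("repeat period:", repeat_period(SAMPLE_DUMP))
```

A high score at offset 0 together with a 1 KiB repeat period is exactly the signature of the partial dump the section describes: a real vector table from 0x08000000, but only the first transfer's worth of it.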

8.3 Tapping USB with VMWare

Before going further, it was necessary to learn the radio’s custom dialect of DFU. Since my Total Phase USB sniffers weren’t nearby, I used VMWare to sniff the transactions of both the MD380’s firmware updater and codeplug configuration tools. I did this by changing a few lines of my VMWare .vmx configuration to dump USB transactions out to vmware.log, which I parsed with ugly regexes in Python. These are the additions to the .vmx file.

Source: page 78 of https://hackadaycom.files.wordpress.com/2016/01/pocorgtfo10.pdf

by Travis Goodspeed KK4VCZ,
with kind thanks to DD4CR and W7PCH

4 comments:

Anonymous said...

I love when people speculate about firmware hacks; there has been no proof at all that the radio can do the so-called modes with a firmware hack! DSTAR/P25/etc. Is it all talk just to sell radios? Who will write the firmware, if at all possible? Until you see something done, it's called speculation! LoL

Anonymous said...

No one has stated that the radio does all the modes yet. They have stated that this hack opens the possibility of being able to do the modes.

Bubbaearle said...

I bought a VHF version of the radio and within 30 minutes of unboxing I was listening to my county Sheriff's Dept. which had gone MotoTRBO in the last few years.

I don't know crap about hacking but the firmware I loaded in sure did the trick.

Anonymous said...

The firmware hacks that currently exist are very unimpressive.

Not impressed.