[TYT-TYTERA] MD-380 Firmware Hacked

Just read this on hackaday. 

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband.
The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.


This opens up the possibility that some of the bugs Tytera don't seem bothered about will get fixed in the future.

Full details are on page 76 of the PDF file.
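The article notes that dumping memory through the standard DFU protocol "just repeated the same binary string", which is the tell that the readout was being stubbed rather than returning real firmware. The script below is an added example (not from the Hackaday article, the PoC||GTFO paper, or Travis Goodspeed's tooling) showing how an analyst can sanity-check a dump before trusting it: it looks for a short repeating period and for near-zero entropy (erased flash), and only then treats the bytes as plausible firmware. The sample dumps are constructed inline; the thresholds are assumptions, not values from the paper.

```python
import collections
import math
from typing import Optional

# Assumed thresholds (not from the paper): below this entropy a dump is
# treated as near-constant, e.g. erased flash reading back as 0xFF.
LOW_ENTROPY_BITS = 1.0
# Do not search for periods longer than this; a real firmware image has no
# short period, so a small bound keeps the check cheap.
MAX_PERIOD = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 for a constant fill)."""
    if not data:
        return 0.0
    counts = collections.Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def smallest_period(data: bytes, max_period: int = MAX_PERIOD) -> Optional[int]:
    """Return the smallest p such that the dump is data[:p] repeated, or None.

    A buffer has period p when shifting it by p bytes leaves it unchanged,
    i.e. data[p:] == data[:-p]. Only periods that repeat at least twice count.
    """
    n = len(data)
    for p in range(1, min(max_period, n // 2) + 1):
        if data[p:] == data[: n - p]:
            return p
    return None


def assess_dump(data: bytes) -> dict:
    """Classify a DFU readout as stubbed, erased, or plausible firmware content."""
    period = smallest_period(data)
    entropy = shannon_entropy(data)
    if period == 1:
        verdict = "constant fill (erased flash or readout returning a fixed byte)"
    elif period is not None:
        verdict = "repeating %d-byte pattern (readout is not returning real memory)" % period
    elif entropy < LOW_ENTROPY_BITS:
        verdict = "near-constant content (treat with suspicion)"
    else:
        verdict = "plausible firmware content"
    return {"length": len(data), "period": period, "entropy": round(entropy, 3), "verdict": verdict}


def _xorshift_bytes(n: int, seed: int = 0x2545F491) -> bytes:
    """Deterministic pseudo-random filler standing in for real firmware bytes (constructed)."""
    x = seed
    out = bytearray()
    for _ in range(n):
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out.append(x & 0xFF)
    return bytes(out)


# Constructed sample dumps: a stubbed readout that repeats one 8-byte string,
# an erased-flash readout, and a buffer that looks like real code/data.
STUBBED_DUMP = b"\x00\xde\xad\xbe\xef\x00\x00\x00" * 512
ERASED_DUMP = b"\xff" * 4096
PLAUSIBLE_DUMP = _xorshift_bytes(4096)

if __name__ == "__main__":
    for name, dump in (("stubbed", STUBBED_DUMP), ("erased", ERASED_DUMP), ("plausible", PLAUSIBLE_DUMP)):
        print(name, assess_dump(dump))
```

In practice the same check is worth running on each block of a dump rather than the whole file, since a readout that is partly blocked will show the repeating pattern only in the protected regions.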


Anonymous said...

I love when people speculate about firmware hacks, there has been no proof @ all that the radio can do the so called modes with a firmware hack! DSTAR/P25/etc. Is it all talk just to sell radios, who will write the firmware ?? if @ all possible! until you see something done then it's called speculation! LoL

Anonymous said...

How would you like your "speculation" served :) Firmware released dumbass

