[TYT-TYTERA] MD-380 Firmware Hacked

Just read this on hackaday. 

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband.
The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST. Dumping the memory from the standard DFU protocol just repeated the same binary string, but with a little bit of coaxing and investigating the terrible Windows-only official client application, [Travis] was able to find non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, an SPI Flash chip that stores radio settings, frequencies, and talk groups.

http://hackaday.com/2016/01/19/shmoocon-2016-reverse-engineering-cheap-chinese-radio-firmware/

This opens up the possibility that some of the bugs Tytera don't seem bothered about will get fixed in the future.

Full details are on page 76 of the PDF file.
https://hackadaycom.files.wordpress.com/2016/01/pocorgtfo10.pdf

2 comments:

Anonymous said...

I love when people speculate about firmware hacks, there has been no proof @ all that the radio can do the so called modes with a firmware hack! DSTAR/P25/etc. Is it all talk just to sell radios, who will write the firmware?? if @ all possible! until you see something done then it's called speculation! LoL

Anonymous said...

How would you like your "speculation" served :) Firmware released dumbass
