Tytera MD380 jailbreak turns the radio into a DMR scanner

Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored at https://hackadaycom.files.wordpress....ocorgtfo10.pdf) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD380 (and the Retevis RT-3 clone/rebrand) is a cheap DMR radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, and so it’s not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is just setting one JNE in the firmware to a NOP.
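To make the "one JNE to a NOP" description concrete, here is an added example (not code from the article, and not part of Travis Goodspeed's toolset) of what such a patch looks like at the byte level. The STM32F405 is a Cortex-M4 running Thumb-2 code, so the conditional branch in question is a 16-bit `BNE` (encoding `0xD1xx`) rather than an x86 `JNE`, and the NOP that replaces it is `0xBF00`. The firmware offset used below is a placeholder assumption, not the real location in the MD380 image; the point of the code is the verify-before-patch discipline and the ability to tell a stock image from a patched one without a disassembler.

```python
# Added example, not from the article or from md380tools: byte-level view of a
# "conditional branch -> NOP" patch on a Cortex-M4 (Thumb-2) firmware image,
# with a check that the target really is a BNE before anything is written.
# PATCH_OFFSET is a PLACEHOLDER assumption; the page gives no real offset.
import struct

THUMB_NOP = 0xBF00          # 16-bit Thumb NOP (T1 encoding), little-endian bytes 00 BF
PATCH_OFFSET = 0x1234       # PLACEHOLDER offset, halfword-aligned


def is_cond_branch(halfword: int) -> bool:
    """True for a 16-bit Thumb B<cond> (T1): bits 1101 cond imm8.
    cond 0xE (UDF) and 0xF (SVC) share the top nibble but are not branches."""
    return (halfword & 0xF000) == 0xD000 and ((halfword >> 8) & 0xF) < 0xE


def is_bne(halfword: int) -> bool:
    """True only for BNE (cond = 0001), the branch the article says gets NOPed."""
    return (halfword & 0xFF00) == 0xD100


def read_halfword(image: bytes, offset: int) -> int:
    # Thumb instruction halfwords are stored little-endian in flash.
    return struct.unpack_from("<H", image, offset)[0]


def classify(image: bytes, offset: int) -> str:
    """Report whether the instruction at offset looks stock (BNE), patched (NOP)
    or something else, so an image can be triaged without disassembling it."""
    hw = read_halfword(image, offset)
    if is_bne(hw):
        return "stock-bne"
    if hw == THUMB_NOP:
        return "patched-nop"
    return "unexpected"


def nop_branch(image: bytes, offset: int) -> bytes:
    """Return a copy of image with the BNE at offset replaced by NOP.
    Refuses to touch anything that is not a BNE, so a wrong offset fails loudly
    instead of silently corrupting an unrelated instruction."""
    if offset % 2 or offset + 2 > len(image):
        raise ValueError("offset must be halfword-aligned and inside the image")
    hw = read_halfword(image, offset)
    if not is_bne(hw):
        raise ValueError(f"0x{hw:04x} at 0x{offset:x} is not a BNE; refusing to patch")
    patched = bytearray(image)
    struct.pack_into("<H", patched, offset, THUMB_NOP)
    return bytes(patched)


def constructed_image() -> bytes:
    """A constructed stand-in for a firmware image: zero filler with a single
    BNE (imm8 = 0x05, a short forward branch) placed at PATCH_OFFSET."""
    img = bytearray(b"\x00" * 0x2000)
    struct.pack_into("<H", img, PATCH_OFFSET, 0xD105)
    return bytes(img)


if __name__ == "__main__":
    stock = constructed_image()
    print(classify(stock, PATCH_OFFSET))                      # stock-bne
    promiscuous = nop_branch(stock, PATCH_OFFSET)
    print(classify(promiscuous, PATCH_OFFSET))                # patched-nop
    print(promiscuous[PATCH_OFFSET:PATCH_OFFSET + 2].hex())   # 00bf
```

The `is_bne` check before writing is the part worth copying: a one-halfword patch applied at the wrong address in a megabyte of flash is very hard to debug afterwards, and `classify` gives a quick way to confirm whether an image pulled from a radio is stock or already carries the patch.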

In the past few months Travis has (1) jailbroken the hardware to allow for free extraction and modification of firmware, (2) broken the hilarious crypto so that we can wrap and unwrap updates from the official tool, (3) reverse engineered enough of the firmware to patch in new features, (4) made room for large firmware modifications by creative abuse of Chinese fonts, and (5) wrapped all of this into a handy, freely available toolset.

Travis (https://twitter.com/travisgoodspeed) is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All these things are possible, making this one of the most exciting radio hacks in recent memory.
