Last weekend at Shmoocon, Travis Goodspeed presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored at https://hackadaycom.files.wordpress....ocorgtfo10.pdf ) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.
The Tytera MD380 (and the Retevis RT-3 clone/rebrand) is a cheap DMR
radio with two main chips: an STM32F405 with a megabyte of Flash and
192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM
bootloader, but both of these are locked down by the chip's read
protection (RDP), which blocks readout of the Flash. Getting around the
RDP is the very definition of a jailbreak, and thanks to a few forgetful
or lazy Chinese engineers, it is most certainly possible.
In Digital Mobile Radio, audio is sent through either a public talk
group or a private contact. The radio is normally configured to unmute
only on its own talk group, so listening in on other talk groups is not
possible without changing settings. The patch for promiscuous mode – a
mode that puts all talk groups through the speaker – is just turning a
single conditional branch in the firmware (a Thumb BNE on the Cortex-M4;
the original write-up calls it a JNE) into a NOP.
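To make that kind of patch concrete, here is an added example (not Travis Goodspeed's tooling or the md380tools code) of how a branch-to-NOP patch is applied to a raw firmware image safely. The image bytes, the offset and the surrounding instructions are constructed for illustration and are not the real MD380 firmware; the point is the encoding check that refuses to patch anything that is not actually a 16-bit Thumb BNE, so a wrong offset (for example on a different firmware version) fails loudly instead of silently corrupting the image.

```python
import struct

# 16-bit Thumb conditional branch encoding: 1101 cond(4) imm8.
# cond = 0001 is NE, so a BNE always has 0xD1 in its high byte.
THUMB_BNE_HIGH = 0xD100
THUMB_NOP = 0xBF00  # Thumb-2 NOP (encoding T1)


def is_thumb_bne(halfword):
    """True if the 16-bit value is a Thumb BNE (any 8-bit offset)."""
    return (halfword & 0xFF00) == THUMB_BNE_HIGH


def find_bne_offsets(image):
    """Return every even offset whose halfword decodes as a BNE.

    Caveat: this scans halfword-aligned pairs without disassembling, so
    the second half of a 32-bit Thumb-2 instruction or literal-pool data
    can produce false positives. Use it to locate candidates, then confirm
    the offset in a disassembler before patching.
    """
    return [
        off
        for off in range(0, len(image) - 1, 2)
        if is_thumb_bne(struct.unpack_from("<H", image, off)[0])
    ]


def patch_branch_to_nop(image, offset):
    """Return a copy of image with the BNE at offset replaced by a NOP.

    Raises ValueError when the offset is misaligned, out of range, or the
    halfword there is not a BNE, so the patch is never applied blindly.
    """
    if offset % 2 or offset + 2 > len(image):
        raise ValueError("offset %#x is not a valid halfword position" % offset)
    (hw,) = struct.unpack_from("<H", image, offset)
    if not is_thumb_bne(hw):
        raise ValueError("halfword at %#x is %#06x, not a BNE" % (offset, hw))
    out = bytearray(image)
    struct.pack_into("<H", out, offset, THUMB_NOP)
    return bytes(out)


# Constructed stand-in for a firmware fragment (hypothetical, little-endian):
#   0x4288  CMP  r0, r1      ; received talk group vs. configured one
#   0xD101  BNE  +2          ; skip the unmute when they differ
#   0xBF00  NOP              ; placeholder for the "unmute audio" call
#   0xD0FE  BEQ  -4          ; unrelated branch, must be left alone
#   0x4770  BX   lr
SAMPLE_IMAGE = struct.pack("<5H", 0x4288, 0xD101, 0xBF00, 0xD0FE, 0x4770)

if __name__ == "__main__":
    print("BNE candidates at:", [hex(o) for o in find_bne_offsets(SAMPLE_IMAGE)])
    patched = patch_branch_to_nop(SAMPLE_IMAGE, 2)
    print("patched image:", patched.hex())
```

Patching by offset with an opcode check is the minimum a firmware patch tool should do; a more robust tool also matches a few surrounding bytes (the CMP before the branch, for instance) so that the patch only applies to the code it was written against.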
In the past few months Travis has (1) jailbroken the hardware to allow
free extraction and modification of firmware, (2) broken the hilarious
crypto so that we can wrap and unwrap updates from the official tool,
(3) reverse engineered enough of the firmware to patch in new features,
(4) made room for large firmware modifications by creative abuse of
Chinese fonts, and (5) wrapped all of this into a handy, freely
Travis (https://twitter.com/travisgoodspeed) is looking for people who
can add support for P25, D-Star, System Fusion, a proper scanner, or the
ability to send and receive DMR frames over USB. All these things are
possible, making this one of the most exciting radio hacks in recent
memory.