reversing p25 radio scanners
play

Reversing P25 Radio Scanners Let's beat a dead horse. Super Quick - PowerPoint PPT Presentation

Nov 03, 2023 •35 likes •405 views

Reversing P25 Radio Scanners Let's beat a dead horse. Super Quick Presentation Founder of an obscurely named infosec company (see footer) founded at the end of 2011 infosec dev, pentests president, lead coder, chief janitor

  1. Reversing P25 Radio Scanners Let's beat a dead horse.

  2. Super Quick Presentation ● Founder of an obscurely named infosec company (see footer) ○ founded at the end of 2011 ○ infosec dev, pentests ○ president, lead coder, chief janitor ■ I promise it will change soon ;) ● President of northsec competition (nsec.io) ● Not particularly awesome in anything ● Twitter idling @etrangeca

  3. What it's all about ● Uniden BC296D ● Complete process from firmware update file to code execution ● Toolset presentation ● AES over P25 still stand ○ for how long... ;) ● A nice adventure!

  4. What is P25 anyway? ● Suite of standards for digital radio ● "Closed" open standards ○ You have to pay for the documentation ● Developed by a set of "trustworthy" organisations ○ NSA ○ DoD ● Large scale adoption in North America ○ Public services ○ Polices forces

  5. P25, isn't it more like "molesting" a dead horse? ● Well... maybe. ● Osmocom OP25 did a very good job ● multiple p25 support in sdr radios ● some attacks are starting to appear. ● Sorry, it was fun to be on stage for 5 minutes ● See you soon...

  6. P25, isn't it more like "molesting" a dead horse? ● This talk is not about the protocol ● There's still some cool things to reverse ○ Trunking algorithms ○ Fast searching ○ Proprietary tweaks ● SDR's are not what we can call ○ Portable ○ User friendly ● Re-purposing devices is good for the planet...

  7. The Beast ● Uniden BC296D ● Released in 2002 ● 9600bps APCO P25 Compatible ● Trunk Tracking ~14 types ● 25 mhz - 1.3ghz (not continuous) ● Many more features ● Still an amazing device ● http://wiki.radioreference.com/index.php/BC296D

  8. The Beast (2) ● Uniden BCi96D ● "Optional" P25 daughter board ● P25 Protocol implementation ● Audio Decoding -> C4FM/CQPSK DSP

  9. Why this model? ● Cheap P25 scanner (~350$ used) ● Firmware updates for both components ○ Radio ○ Daughter Board ● Old ○ ... so I don't care if I brick it.

  10. Adventure time!

  11. Hardware recon

  12. Interesting Hardware bits ● Main radio ○ Renesas m16c/62P (m16c/60 serie) ■ 256k ROM ■ 20k RAM ■ 15-32 mhz ■ 16 bits I/O ○ User config is stored in eeprom (as pictured) ● Daughter board ○ Renesas m16c/62N (cheaper 62P version) ○ Texas instruments TMS 160, 320VC5410APGE

  13. Now that we know that ● What should we do?

  14. Firmware file analysis ● Let's look at the firmware update file ● Yay! Not binary.

  15. Firmware file analysis ● Motorola S-Record ○ Nope IDA, intel s-record does not exists ● Stolen from Wikipedia ● Start code , one character, an S . ● Record type , one digit, 0 to 9 , defining the type of the data field. ● Byte count , two hex digits, indicating the number of bytes (hex digit pairs) that follow in the rest of the record (in the address, data and checksum fields). ● Address , four, six, or eight hex digits as determined by the record type for the memory location of the first data byte. The address bytes are arranged in big endian format. ● Data , a sequence of 2 n hex digits, for n bytes of the data. ● Checksum , two hex digits - the least significant byte of ones' complement of the sum of the values represented by the two hex digit pairs for the byte count, address and data fields. For example: S1137AF0 0A0A0D0000000000000000000000000061

  16. Tool #1: pysrec ● https://github.com/gabtremblay/pysrec ● Motorola s-record analysis tool ● Validate checksum, rebuild checksum ○ In fact, it will replace the checksum automatically if broken ● Show "ascii" representation ● Flip bytes (defeat the rot monster) ● Very bad python

  17. Firmware file analysis ● Let's take a record in our file ● S2240A0120DC22C330DE22C330E321C330E322C3E0EC21C3E0EC22 C3E0F121C3E0F122C33011 ● checksum(24+0A+01+20+...) != 11 ● Something smells fishy ○ Record correctly indexed and addressed (S20A0120) ○ Still, the checksum fails. ● Maybe the firmware update tool can explain some things.

  18. Firmware Updater

  19. Firmware Updater ● ~2 MB of pure Visual Basic 6 clusterfsck ● Supports about 10 different scanner protocol ○ in a "Copy-Paste" fashion. ● Not "hard" to reverse ○ Simply unpleasant ● Turns out the firmware file is "scramblencrypted" ● It leaves us with some choices

  20. Firmware Updater ● Plan A: Buy the Renesas hardware to dump the chip content ● (Edit) Plan A1: Buy a Die Datenkrake ● Plan B: Reverse the "scramblencryption" algorithm ● Plan C: ...

  21. Scramblencryption ● Firmware file is partly scrambled and partly weakly encrypted ● Most data blocks uses a position rot(x) scrambling algorithm ● Code blocks uses a rot(x) + XOR cipher ● Some parts are not scrambled at all ● There must be a least depressing way to tackle this problem...

  22. Plan C - As lazy as it gets ● The unscrambling is done at the updater level before the actual firmware update ● The update protocol *should* be much simpler to reverse ● In fact, it was!

  23. Tool #2: BearMock

  24. Tool #2: BearMock ● https://github.com/gabtremblay/Bearmock ● Fakes a BC296D (or a BCi96D) ● Use it with com0com or something similar ● Outputs a descrambled firmware in s-rec format

  25. Next ● We now have a descrambled s-record file ● Epic +- 2 year pause ○ Waiting for IDA to support Renesas m16c ● IDA 6.2: To the IDA cave!

  26. Inside IDA WUT!?

  27. Inside IDA ● The cpu is supported but it's not common renesas code ● Code analysis is broken :( ● Multiples entry points ○ Triggered by boot or keypress ● There must be an easy way to clean up...

  28. Tool #3: m16clean ● https://github.com/gabtremblay/idabearclean ● (Very) Simple helper IDA python script to help analysis This is a blatant lie! Consts are still not supported, do them manually! Code finding works well ;)

  29. Firmware code layout

  30. Firmware code structure ● System wide consts ○ Model number, version, regional tags ● Main radio program consts ○ Screen display, menus errors ● Smaller side programs are accessed at boot time (ex: hold l/o + 6) ● Note the updater aligned to the end of the file so it's hard to corrupt while updating

  31. The code is "signed" ● Some kind of checksum signature at runtime ● However you control the part of the code which tests it. ○ Locate the corrupted firmware error message ○ find the caller ○ flip the jump. ● We can upload anything we want as long as we don't corrupt the updater code at the end

  32. Tool #4-5: Bearflash/BciFlash ● https://github.com/gabtremblay/bearflash ● https://github.com/gabtremblay/bciflash ● Tools to flash your custom firmware to the radio and the daughter board ● Strongly inspired by the uniden updater (the two tools are almost identical ;)) ● Could be merged in a single one.

  33. Some differences ● Some protocol difference ● The daughter board has a fixed 9600 bps update speed ● The main radio updater uses a weird "speed dance" ○ Connects at 9600 ○ Sends "*SPD X" where X is a speed (115200) ○ Radio agrees or not ○ The port is closed ○ Updater speed is changed to the selected speed ○ Update can proceed.

  34. Proof of concept ● Just try to flash some modifications to the radio ● I am a kind of a science guy ● Small tribute to the internet famous "eight equals d minus" equation

  35. Eight Equals D Minus Equation ● I am quite funny.

  36. What about the newer models? ● BCD346T, BCD396XT, Home Patrol ● They still all uses s-record update files ● Files are UNSCRAMBLED ● Can't tell for the signature ● Firmware files are not distributed, they are fetched at flash time ● 396XT and Homepatrol have .net updaters ● I strongly suggest you "dotpeek" them ○ They had to put the ftp passwords somewhere ;) ○ Maybe you want to save 100$ on the extreme upgrade...

  37. Questions ?

Recommend

Stopping Scanners Early and Quickly Quick questions ... How many people here block scanners ?

Stopping Scanners Early and Quickly Quick questions ... How many people here block scanners ?

Stopping Scanners Early and Quickly Quick questions ... How many people here block scanners ? How many not block scanners ? Block other things ? No blocking at all ? Block everything ? Insight into some numbers - Meaningful or Not ? How

644 views • 33 slides
Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a

COMP 520 Fall 2010 Scanners and Parsers (1) Scanners and parsers COMP 520 Fall 2010 Scanners and Parsers (2) A scanner or lexer transforms a string of characters into a string of tokens: uses a combination of deterministic finite automata

1.08k views • 53 slides
Scanners for Security Screening and for Theft and Contraband Detection By Dr. Shengli Niu

Scanners for Security Screening and for Theft and Contraband Detection By Dr. Shengli Niu

Scanners for Security Screening and for Theft and Contraband Detection By Dr. Shengli Niu Senior Specialist on Occupational Health SafeWork/ILO 1 Personal Scanners Figure 1 Backscatter Systems and Sample Images (NCRP Commentary No. 16)

821 views • 33 slides
Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which facilitate the transfer of information to and from paper: printers scanners Page 2 Printers and Scanners Printer output device transfer

659 views • 14 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Page 1 Remote Sensing Range Scanners Tilt-Shift Lens Examples Laser Range Scanners

Page 1 Remote Sensing Range Scanners Tilt-Shift Lens Examples Laser Range Scanners

Outline Controlled Illumination in Remote Sensing Range Scanners BRDF measurement Computational Illumination Display Systems Active Light - Devices and Techniques Projector Systems single camera - single projector systems

259 views • 13 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
CS406: Compilers Spring 2020 Week 3: Scanners 1 Scanner - Overview Also called lexers,

CS406: Compilers Spring 2020 Week 3: Scanners 1 Scanner - Overview Also called lexers,

CS406: Compilers Spring 2020 Week 3: Scanners 1 Scanner - Overview Also called lexers, lexical analyzers Recall: scanners break input stream up into a set of tokens Identifiers, reserved words, literals, etc. \tif (a<4)

659 views • 41 slides
RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity

RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity

This i his is s your br our brain ain on on RADIO RADIO Ca Cate tegor gory y Br Breakdo eakdown wn Radio Radio Cr Crea eativity tivity Radio makes the difference Canadian Radio Study partnering with the largest companies

677 views • 51 slides
Z-axis geometric efficiency in CT Characterises the extent of the radiation beam that is used

Z-axis geometric efficiency in CT Characterises the extent of the radiation beam that is used

Comparison of Definitions of Geometric Efficiency in Computed Tomography Scanners Sue Edyvean, Nicholas Keat ImPACT* (Imaging Performance Assessment of CT Scanners) London UK *An MHRA Evaluation centre for the UK Department of Health

489 views • 12 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
3D SCANNING & 3D PRINTING 2/21/2019 GINGER CHICOS and JUAN PINTO TYPES OF 3D SCANNERS

3D SCANNING & 3D PRINTING 2/21/2019 GINGER CHICOS and JUAN PINTO TYPES OF 3D SCANNERS

3D SCANNING & 3D PRINTING 2/21/2019 GINGER CHICOS and JUAN PINTO TYPES OF 3D SCANNERS MOST COMMONLY USED IN CONSTRUCTION LASER PULSE (LIDAR) STRUCTURED LIGHT PHOTOGRAMMETRY 3D SCANNING TYPES OF 3D SCANNERS LASER

915 views • 56 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer

03/11/2017 Packet Radio Lee Maddox, N4HOK What is Packet Radio? Packet radio is the connection of a computer to a radio for the transmission of digital data via amateur radio. It is another mode of operation that has a multitude of uses, such as

571 views • 17 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
2010 When the internet came out, people resisted to putting their credit cards online. And then

2010 When the internet came out, people resisted to putting their credit cards online. And then

April 17, 2019 Canadian Institute of Forestry - RMS Getting Spatial Information from UAVs or Terrestrial Laser Scanners CIF RMS | Getting Spatial Information from UAVs or Terrestrial Laser Scanners Every

355 views • 6 slides
Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through

Make My Day Just Run A Web Scanner Countering the faults of typical web scanners through bytecode injection Toshinari Kureha, Fortify Software Agenda Problems With Black Box Testing Approaches To Finding Security Issues 4

761 views • 53 slides
RADIO 0294Y 2 - www.americanradiohistory.com HISTORICAL (CONTINUED) ARBITRON REVIEWED AGAIN

RADIO 0294Y 2 - www.americanradiohistory.com HISTORICAL (CONTINUED) ARBITRON REVIEWED AGAIN

PRESENTATION TO BLACK BROADCASTERS GROUP RADIO 1987 NAB CONVENTION ANAHEIM, CALIFORNIA RHODY BOSLEY - V.P. RADIO SALES & MARKETING ALAN TOBKES - V.P. RADIO SALES DEVELOPMENT ARBITRON RATINGS RADIO www.americanradiohistory.com AGENDA

648 views • 22 slides
Beam size measurements using Wire Scanners at Synchrotron Light Sources and FELs. or Wire

Beam size measurements using Wire Scanners at Synchrotron Light Sources and FELs. or Wire

Beam size measurements using Wire Scanners at Synchrotron Light Sources and FELs. or Wire scanners for Electron Beams (excluding Hadron Beams) Kay Wittenburg Topical Workshop on Emittance Measurements for Light Sources and FELs; ALBA

505 views • 32 slides
Scanners Divers Prefer a broad view Master specific details before general concepts

Scanners Divers Prefer a broad view Master specific details before general concepts

= Never Anywhere + Anytime Tackling the motivation challenges of continual learning Betha Gutsche, OCLC/WebJunction Elizabeth Iaukea, Washington State Library ALA Annual 2016, Orlando Scanners Divers Prefer a broad view Master

670 views • 28 slides
Dark Matter Radio (DM Radio) Kent Irwin for the DM Radio Collaboration DM Radio Pathfinder

Dark Matter Radio (DM Radio) Kent Irwin for the DM Radio Collaboration DM Radio Pathfinder

Dark Matter Radio (DM Radio) Kent Irwin for the DM Radio Collaboration DM Radio Pathfinder Particle-like and field-like dark matter Heavy Particles Light Fields Number density is large Number density is small (must be bosons)

529 views • 38 slides
Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries Magda Lovei Prac&ce Manager for Environment and Natural Resources, World Bank I. Present

461 views • 18 slides
Proposal for Your Radio Station! We help your RADIO Station compete against the 8 other

Proposal for Your Radio Station! We help your RADIO Station compete against the 8 other

Proposal for Your Radio Station! We help your RADIO Station compete against the 8 other competitive media types... 1. Commercial RADIO Stations 2. Telemarketing (inbound and outbound call centers) 3. Mobile & SMS Text Messaging

81 views • 7 slides
Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1

Reversing Hydraulic Fan Drives Stephen Frantz Staff Engineer Danfoss Power Solutions 1 1 Benefits/Requirements for a Reversing Hydraulic Fan Drive Requirements Benefits Returns to forward in the event of a control signal loss Increased

280 views • 15 slides

More recommend