Reversing P25 Radio Scanners

Presented at REcon 2013, June 21, 2013, 3 p.m. (30 minutes)

With the ongoing conversion of radio systems from traditional analog to digital P25 around the world, the race is on to find out how to monitor, listen to and abuse this technology. Some projects, such as OP25 from Osmocom, have made very good progress enabling users to tune in and listen using software-defined radios. However, many P25 features, such as trunking, remain to be understood and implemented. Many radio scanners made by Uniden or Grecom licensed the technologies behind P25 some years ago and produced convincing implementations. Up until now their secrets stayed protected by firmware encryption and, probably unwillingly, obscure CPUs. This talk is the story of the process of reversing such a radio; it covers:

  • Hardware analysis
  • Firmware file analysis
  • Format definition
  • Firmware updater reversing
  • Firmware encryption bypass (in a clever and utterly lazy way)
  • Firmware flash protocol definition
  • Scanner code analysis
  • Running custom code (yes, it works)
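Of the steps listed above, firmware file analysis is the one that lends itself to a small generic tool, and it is where the question "is this image encrypted, and all of it?" gets answered before any updater is reversed. The script below is an added example, not code from the talk or from any scanner vendor: it walks an update image in fixed blocks, computes Shannon entropy per block and merges adjacent blocks into labelled runs. Encrypted or compressed data scores close to 8 bits/byte, machine code usually lands between roughly 5 and 7, and string tables, headers and erased flash fill (0xFF/0x00) fall well below that. The 512-byte block size, the 7.0 bits/byte threshold and the constructed sample image (ASCII header, seeded pseudo-random body standing in for ciphertext, 0xFF padding) are assumptions for this example; the talk's actual firmware format and its encryption bypass are not described on this page and are not reproduced here.

```python
"""Per-block Shannon-entropy scan of a firmware image (added example).

Block size and threshold are assumptions chosen for this example, not values
from the talk: at 512 bytes a uniformly random block scores about 7.6 bits/byte,
so 7.0 separates ciphertext/compressed data from code and tables with margin.
"""
import math
import random
from typing import List, Tuple

BLOCK_SIZE = 512   # assumption: block length used for the scan
THRESHOLD = 7.0    # assumption: bits/byte at or above which a block is "high-entropy"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_regions(image: bytes, block_size: int = BLOCK_SIZE,
                 threshold: float = THRESHOLD) -> List[Tuple[int, int, str]]:
    """Split `image` into fixed blocks, label each block, and merge adjacent
    blocks carrying the same label into (offset, length, label) runs."""
    regions: List[Tuple[int, int, str]] = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        label = "high-entropy" if shannon_entropy(chunk) >= threshold else "low-entropy"
        if regions and regions[-1][2] == label:
            start, length, _ = regions[-1]
            regions[-1] = (start, length + len(chunk), label)
        else:
            regions.append((off, len(chunk), label))
    return regions


def high_entropy_fraction(image: bytes, **kw) -> float:
    """Share of the image, by bytes, that scans as high-entropy."""
    if not image:
        return 0.0
    hi = sum(length for _, length, label in scan_regions(image, **kw)
             if label == "high-entropy")
    return hi / len(image)


def build_sample_image() -> bytes:
    """Constructed stand-in for an update file (not a real vendor image):
    a plaintext ASCII header block, a 2 KiB seeded pseudo-random body that
    plays the role of an encrypted payload, and one block of 0xFF erase fill."""
    rng = random.Random(2013)  # seeded so the scan result is reproducible
    header = (b"FIRMWARE UPDATE v1.00 MODEL=SAMPLE\x00" * 32)[:BLOCK_SIZE]
    body = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK_SIZE))
    padding = b"\xff" * BLOCK_SIZE
    return header + body + padding


def main() -> None:
    image = build_sample_image()
    for off, length, label in scan_regions(image):
        print(f"0x{off:06x}  +0x{length:05x}  {label}")
    print(f"high-entropy share: {high_entropy_fraction(image):.0%}")


if __name__ == "__main__":
    main()
```

A low-entropy header followed by one high-entropy run is the shape to expect when a plaintext container wraps an encrypted payload; if the file scans as high-entropy end to end, there is no header to parse and the key material has to be recovered from the updater or the radio itself, which is where the reversing effort goes next.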

Presenters:

  • Gabriel Tremblay
    Gabriel Tremblay is the president of Subatomic Security and Northsec Competition. He is a generalist with a background in software engineering who performs pentesting in tricky environments, gives advanced security training to developers and does a bit of research on various topics such as radios, web security and process integration. A long-time player in the local scene, he is the leader of the Northsec Competition, a 48h on-site CTF focused on increasing the technical skills of its participants. He's also a homebrewer and will gladly accept any good free beer :).