Mad Dog 380; or, Patching a Handheld Digital Radio

Presented at Summercon 2016, July 15, 2016, 4 p.m. (50 minutes)

The Tytera MD380 is a digital handheld radio that implements the DMR (Digital Mobile Radio) standard. Amateur and commercial DMR coverage is available all across Pizza Rat City, but packet sniffers and injectors were few and far between. So I jailbroke the firmware, then recruited a few good neighbors to reverse engineer and patch it. Six months later, we've built a proper toolchain for the platform, complete with packet sniffers and our own extensions to the USB protocol. This lecture will cover some of the reverse engineering tricks that were handing during the project. Among other things, you'll learn how to locate an audio compression codec in a firmware core dump, how to break the readout protection of a Cortex M4, and how to listen in on university police radio networks to find keg parties with the best beer.

Presenters:

• Travis Goodspeed
  Travis Goodspeed is a Southern Appalachian expat, trapped for the time being in the Godless North. His past projects include the Packet-in-Packet method of injecting raw radio frames from Layer 7, the Southern Appalachian Space Agency, and methods for steganography in PSK31, RTTY, and other shortwave radio protocols. You can reach him during the conference as KK4VCZ at 441MHz, TG99. @travisgoodspeed

Links:

• https://www.summercon.org/archives/2016/presentations.html#mad-dog

Similar Presentations:

• BruCON 0x07 (2015) / A Hands On Introduction To Software Defined Radio Workshop
• HOPE Number Six (2006) / IBOC vs. DAB-T: In-Band vs. Multiplexed Digital Radio
• TROOPERS16 (2016) / Reverse Engineering a Digital Two-Way Radio