Mad Dog 380; or, Patching a Handheld Digital Radio

Presented at Summercon 2016, July 15, 2016, 4 p.m. (50 minutes)

The Tytera MD380 is a digital handheld radio that implements the DMR (Digital Mobile Radio) standard. Amateur and commercial DMR coverage is available all across Pizza Rat City, but packet sniffers and injectors were few and far between. So I jailbroke the firmware, then recruited a few good neighbors to reverse engineer and patch it. Six months later, we've built a proper toolchain for the platform, complete with packet sniffers and our own extensions to the USB protocol. This lecture will cover some of the reverse engineering tricks that were handy during the project. Among other things, you'll learn how to locate an audio compression codec in a firmware core dump, how to break the readout protection of a Cortex-M4, and how to listen in on university police radio networks to find keg parties with the best beer.