The Tytera MD380 is a handheld transceiver for the Digital Mobile Radio (DMR) protocol, also known as MotoTRBO. It has an ARM CPU, a funky baseband that's only documented in Chinese, and a powerful transmitter that puts your wifi card to shame. In the past few months of weekends, we have (1) jailbroken the hardware to allow for free extraction and modification of firmware, (2) broken the hilarious crypto so that we can wrap and unwrap updates from the official tool, (3) reverse engineered enough of the firmware to patch in new features, (4) made room for large firmware modifications by creative abuse of the Chinese fonts, and (5) wrapped all of this into a handy, freely available toolset. Soon enough, we hope this work will lead to new firmware, written from scratch, that runs on the existing hardware.
This fun and fast-paced lecture describes the nifty tricks that we used in reverse engineering this radio, as well as what to look for in securing your own embedded systems against unwanted tampering.