Reverse Engineering a Digital Two-Way Radio

Presented at TROOPERS16 (2016), March 16, 2016, 5 p.m. (Unknown duration)

The Tytera MD380 is handheld transceiver for the Digital Mobile Radio (DMR) protocol, also known as MotoTRBO. It has an ARM CPU, a funky baseband that's only documented in Chinese, and a powerful transmitter that puts your wifi card to shame. In the past few months of weekends, we have (1) jailbroken the hardware to allow for free extraction and modification of firmware, (2) broken the hilarious crypto so that we can wrap and unwrap updates from the official tool, (3) reverse engineered enough of the firmware to patch in new features, (4) made room for large firmware modifications by creative abuse of Chinese fonts, and (5) wrapped all of this into a handy, freely available toolset. Soon enough, we hope this work will lead to new firmware, written from scratch to run on existing hardware. This fun and fast-paced lecture describes the nifty tricks that we used in reverse engineering this radio, as well as what to look for in securing your own embedded systems against unwanted tampering.

Presenters:

  • Christiane Ruetten
    DD4CR doesn't like her name, so she prefers to go by CR. You can also call her KK4CR. Besides hacking on amateur radio things, she's hacking the IoT at Mozilla for a living, with past journeys through Web security, malware analysis, mobile network security, journalism, mathematics and physics.
  • Travis Goodspeed
    Travis Goodspeed is a neighborly reverse engineer from Southern Appalachia. When he's not reverse engineering radio firmware, you can find him preaching on top of a milk crate at your local conference.

Links: