
Thread: Hacking the Tait 9100 series mobiles

  #181 AntNZ

    Quote Originally Posted by AntNZ:
    Indeed... but I assume Tait will be catering to their target audience by default. At least there is a workaround!

    A



  #182 mnix

    Quote Originally Posted by Tait TM9155:
    Just also of note, seeing we are on the subject of TM8200 SFE keys. The latest TM8200 firmware (version 6.2) writes the SFE key 'TPAS083 20/25kHz Unrestricted Wideband' into your radio. Meaning that if you upgrade your radio to firmware 6.2, you will not be able to program 25 kHz channels into your radio. However, you can revert your radio to firmware 6.1 and it will remove this SFE key.

    The SFE key 'TPAS083 20/25kHz Unrestricted Wideband' is available free of charge from Tait dealers outside of the USA. I personally have had success getting this SFE key from a dealer in NZ, with no questions asked. Just don't be fooled into paying for it.

    Just curious, but how available do Tait make their programming cable and software? Is it dealer only or will they sell it to "any legitimate customer" as I've read elsewhere?

  #183 technoweenie

    Last time I used Tait (10 Years ago?), they used to put their software on their website, free for anyone to download.. hah.

  #184 CRCinAU

    If you want testing on the QT app, I run Fedora + KDE at home - so I can easily test it for you....

  #185 AntNZ

    Quote Originally Posted by CRCinAU:
    If you want testing on the QT app, I run Fedora + KDE at home - so I can easily test it for you....

    Will upload the Qt app later today... it loaded all the keys in an 8200 during testing. It has a load all button to make life simple... so put firmware in via Tait RSS, run app, load all keys, reload firmware via Tait RSS.

  #186 diablo47

    Programming cables are easy enough to source from dealers, but not CPS or firmware though lol

  #187 AntNZ

    Quote Originally Posted by diablo47:
    Programming cables are easy enough to source from dealers, but not CPS or firmware though lol

  #188 Tait TM9155

    From my experience, Tait dealers will sell you programming hardware, but you do get the odd dealer that won't supply anything programming related. They will not sell or provide the software however.

  #189 mnix

    Quote Originally Posted by Tait TM9155:
    From my experience, Tait dealers will sell you programming hardware, but you do get the odd dealer that won't supply anything programming related. They will not sell or provide the software however.

    Understandable - the programming cable is used to access the data interface, which can be done via the mic port if programmed that way, so some customers will have a valid use for the cable.

  #190 Z-master

    Quote Originally Posted by mnix:
    Understandable - the programming cable is used to access the data interface, which can be done via the mic port if programmed that way, so some customers will have a valid use for the cable.

    They seem to prefer people use the data cable at the back, rather than the mic port. I'm not sure on the hardware, but the software isn't meant to be given out to anyone but dealers; it's part of the agreement with Logic when you get a Support account with them to gain access to the portal. Motorola are the same (at least with the TRBO stuff; the other stuff's pretty old, they probably don't care too much anymore).

    Wideband shouldn't be used on PRS anymore as naturally it will bleed into the adjacent channels (when they went from 40 to 80). SCADA is the only thing I can think of (in NZ) that is allowed wideband. Maybe marine too? As previously mentioned by AntNZ in his URL there are still licenses capable of running wideband channels; however, all licenses issued since about 2011 are narrowband (but wideband radios are allowed to use them). No one has made a wideband-only radio in 10 years or more; really there's no excuse to still be running one.
    Last edited by Z-master; 13-01-18 at 01:26 PM.

  #191 AntNZ

    Version 1

    What I have discovered is that it will enable keys - but not disable them. So I assume the disable code is different to the enable code, so I need to dig through mnix's posts again.
    A


  #192 AntNZ

    Quote Originally Posted by AntNZ:
    Version 1

    What I have discovered is that it will enable keys - but not disable them. So I assume the disable code is different to the enable code, so I need to dig through mnix's posts again.
    A

    When you compile it locally, remove/comment out the DefaultTEA key entry in the taitGenerateSFE function, otherwise it will not read for your body.

  #193 p1350m

    Thanks AntNZ for compiling this GUI program for the Tait TM8200 SFE keys. Excuse my ignorance, I'm a little retarded with Qt, code and the likes. I know a bit about RF system engineering and caught on to a bit of Perl adaptation when CRCinAU first released this information, but struggle with code and the likes. In a nutshell, and for the slower of us including myself, what's the best way to use what you have provided? I have Qt installed but have never put it to use. A simple readme text file for the likes of myself would help lots. Many thanks and keep up the awesome work!


  #194 mnix

    As promised, the 9100 patch building version:

    Some notes:
    - Makefile is set for the 8200 by default (simple adjustment at the top to change).
    - The method is the same for 9100 and 8200, just the firmware names have changed.
    - The 9100 firmware build included has never been tested on hardware. It may crash your radio, thumb its nose at you or fricassee your cat... it may even print out the SFE TEA key for your radio. @AntNZ will already know where that fits into things from the GUI work.
    - Actually I haven't tested the updated building of the 8200 firmware either, but I haven't changed anything in that code.
    - It's very likely the decrypted data from the SFE will be different to that in the 8200 series, in the same way the v1 and v2 boot code required different data. We won't know how different until somebody decodes a 9100 SFE.
    - keygen.pl has 8200 boot code v1 and v2 support.

    Where to now?

    I'm going to step back - as mentioned before, I need to get things done.

    Having had some thinking time away from the rush of "yay I can hack this thing", I'm thinking that hacking Tait's older model radios using the fact that they made no attempt to prevent non-Tait-issued firmware being loaded (other than trying to keep the firmware from escaping, and a checksum to make sure it had not been corrupted, which don't really count) is one thing, but hacking on their flagship digital radios (9300, 9400) using the same "open doorway" (I looked just enough to know it's probably there, and the SFE encryption is similar) might just get all the wrong attention.

    One major consideration is that the 9300/9400 radios run some fairly clever features that would be very tempting targets for people with malicious intent (Tait Unify, internet access over trunked network etc). Considering there is a simple way to load patched firmware that might intercept arbitrary functions, a radio patched to prevent attempts to register on the network, or announce itself differently to the network and output various data that it otherwise wouldn't, might be a means to cause a great deal of havoc. No idea if that's possible, but then I'm no expert on the protocols. It just doesn't sound like a good idea to release a toy the script kiddies might like... let them work it out for themselves.

    So I will not be doing anything on the 9300 or 9400 radios; however, you have the starting point. If someone wants to carry on from there it's up to you, just consider where it may end up.

    A note to Tait (given that one day they may well read this):
    Preventing exploitation of this is simple, and should have existed in the 8000 series from the start given your target customers (government, military, etc) - encrypt the firmware header (at least the checksum for the first block), and update the boot code to decrypt it in the radio either as part of the firmware load, or as part of the verification at startup. Problem solved (if we can't get in, we can't get data out... and who knows what goodies lurk inside a 9300?).

    I will be considering how long to leave the zip file lying about... so get your copy while it's hot.

    Oh, and I'll still answer questions on the 8200 and 9100 for now....
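The post above makes the point that the only thing standing between the loader and non-Tait firmware is a checksum that guards against corruption. The Python below is an added example (not code from this thread, from Tait, or from mnix's patch toolkit) that shows concretely why that is no barrier: a loader that checks an additive checksum accepts a patched image as soon as the attacker recomputes the checksum, while a loader that checks a keyed tag over header and payload rejects the same patch. The header layout, magic value, key and "firmware" bytes are all constructed for illustration and are not the 8200/9100 image format; the keyed-tag variant is one way to get the "can't get in" property the note asks for, and goes a step past the header-encryption wording in the post by binding the whole payload rather than only the first block's checksum.

```python
import hashlib
import hmac
import struct

# Constructed layout for this example only; NOT the Tait 8200/9100 image format.
MAGIC = b"FWIM"
PLAIN_HDR = ">4sII"   # magic, payload length, 32-bit additive checksum
MAC_HDR = ">4sI"      # magic, payload length; a 32-byte HMAC-SHA256 tag follows
TAG_LEN = hashlib.sha256().digest_size


def sum32(data: bytes) -> int:
    """Additive 32-bit checksum: detects corruption, says nothing about origin."""
    return sum(data) & 0xFFFFFFFF


def build_plain(payload: bytes) -> bytes:
    return struct.pack(PLAIN_HDR, MAGIC, len(payload), sum32(payload)) + payload


def verify_plain(image: bytes) -> bool:
    """Checksum-only loader: accepts any image whose checksum matches its payload."""
    hdr_len = struct.calcsize(PLAIN_HDR)
    if len(image) < hdr_len:
        return False
    magic, length, chk = struct.unpack(PLAIN_HDR, image[:hdr_len])
    payload = image[hdr_len:hdr_len + length]
    return magic == MAGIC and len(payload) == length and sum32(payload) == chk


def patch_plain(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Attacker's move against the checksum-only loader: patch the code, then
    recompute the checksum. Nothing secret is required."""
    hdr_len = struct.calcsize(PLAIN_HDR)
    payload = bytearray(image[hdr_len:])
    payload[offset:offset + len(new_bytes)] = new_bytes
    return build_plain(bytes(payload))


def build_mac(payload: bytes, key: bytes) -> bytes:
    """Vendor-side build: tag covers header AND payload, so neither can be edited."""
    hdr = struct.pack(MAC_HDR, MAGIC, len(payload))
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + tag + payload


def verify_mac(image: bytes, key: bytes) -> bool:
    """Keyed loader: recomputes the tag with the key held in boot code."""
    hdr_len = struct.calcsize(MAC_HDR)
    if len(image) < hdr_len + TAG_LEN:
        return False
    hdr = image[:hdr_len]
    tag = image[hdr_len:hdr_len + TAG_LEN]
    payload = image[hdr_len + TAG_LEN:]
    magic, length = struct.unpack(MAC_HDR, hdr)
    if magic != MAGIC or len(payload) != length:
        return False
    expected = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time compare


def patch_mac(image: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Same patch against the keyed image: the code can be rewritten, but without
    the key no fresh tag can be produced, so the stale tag is all the attacker has."""
    hdr_len = struct.calcsize(MAC_HDR)
    patched = bytearray(image)
    start = hdr_len + TAG_LEN + offset
    patched[start:start + len(new_bytes)] = new_bytes
    return bytes(patched)


def demo() -> dict:
    # Constructed "firmware": a feature-check stub plus filler, not real radio code.
    payload = b"SFE_CHECK:" + b"\x00" * 6 + b"\x90" * 64
    patch = b"\x01" * 6                      # flip the "feature enabled" bytes
    key = b"verification-key-held-in-boot-rom"   # hypothetical key
    plain = build_plain(payload)
    keyed = build_mac(payload, key)
    return {
        "plain_ok": verify_plain(plain),                               # True
        "plain_patched_ok": verify_plain(patch_plain(plain, 10, patch)),  # True: accepted
        "mac_ok": verify_mac(keyed, key),                              # True
        "mac_patched_ok": verify_mac(patch_mac(keyed, 10, patch), key),  # False: rejected
        "mac_wrong_key_ok": verify_mac(keyed, b"guessed-key"),         # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} {'ACCEPTED' if ok else 'REJECTED'}")
```

Two caveats a practitioner would raise. First, a symmetric key sitting in boot code can be recovered by exactly the kind of firmware dump this thread performs, after which the attacker can mint valid tags; shipping loaders therefore verify a public-key signature (e.g. Ed25519 or RSA) so that only the public key lives in the radio. Second, integrity alone does not stop the downgrade mentioned earlier in the thread (rolling 6.2 back to 6.1 to drop an SFE key): a genuinely signed older image still verifies, so the loader also needs a monotonic version or anti-rollback counter.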

  #195 CRCinAU

    Good news is that it builds ok on Fedora 27... I commented out the DefaultTEA in mainwindow.cpp and rebuilt it - now I'm trying to remember how the hell to program these things - and more importantly - where the lead I made up lives these days lol

    EDIT: Damn, I found my lead, hooked up to a TM9154 (I think?) VHF unit - and it worked first go. Nice.
    Last edited by CRCinAU; 13-01-18 at 06:00 PM.

  #196 AntNZ

    Quote Originally Posted by CRCinAU:
    Good news is that it builds ok on Fedora 27... I commented out the DefaultTEA in mainwindow.cpp and rebuilt it - now I'm trying to remember how the hell to program these things - and more importantly - where the lead I made up lives these days lol

    I am also a Fedora 27 person.... being Qt you can run it on any platform using Qt.... I have run it successfully in QtCreator on WIN32 as well, just haven't made a compiled stand-alone .exe that will work there (that is more tricky).
    To others: fire up QtCreator, open the project .pro file, then away you go - either to make a binary for your system (excl. win32 at the moment) or just run it from within QtCreator (which will work for Win32).

    A

  #197 CRCinAU

    I found something strange... the software reports an SFE key for TMAS018 - which is TDMA support - but I thought the TM9155 or similar didn't support TDMA?

  #198 AntNZ

    Quote Originally Posted by CRCinAU:
    I found something strange... the software reports an SFE key for TMAS018 - which is TDMA support - but I thought the TM9155 or similar didn't support TDMA?

    Unsure - I have taken the list of all features and tested against all of them for all models to see what pops / the radio has keys for. My 8200s do not support Wideband, so the test in Inspect returns 01FF (feature not supported).

  #199 CRCinAU

    Interesting. So the TM9155 certainly doesn't return a not supported then - as we get an actual key out....

    EDIT: I'm reading through the code - and it seems mostly sane - which is good. I think I could see why the perl code I wrote for the checksum didn't work when translated - perl does lots of magic with map and then pack / unpack - which would be difficult to implement in other languages... What you've got works, so eh....

    Also looks like you still need the custom firmware to return the TEA1 / TEA2 values. It would be nice to see them extracted cleanly... I wonder if there is a method for doing this - or if that is purely Tait's secret-sauce to control the keys - which wouldn't surprise me...

    I'm quite impressed all up - this is some good work
    Last edited by CRCinAU; 13-01-18 at 06:26 PM.

  #200 AntNZ

    Quote Originally Posted by CRCinAU:
    Also looks like you still need the custom firmware to return the TEA1 / TEA2 values. It would be nice to see them extracted cleanly... I wonder if there is a method for doing this - or if that is purely Tait's secret-sauce to control the keys - which wouldn't surprise me...

    I am not much for assembly but am slowly learning a little bit.....
    In the meantime mnix, who has been very patient with my many stoopid questions, tells me that the code pulls SEED2 from a preloaded ROM variable -> which implies it is loaded during flash programming and thus can only be pulled via firmware hack. My hope is that SEED2 is actually derived - or before loading is based on data we can otherwise pull via standard commands and thus derive - but working on that puzzle has taken second place to getting a nice GUI up and going. My priority at the moment is getting disable to work so a user can disable keys selectively in their radio (which would be handy for the wideband issue).

