11-22-2016, 09:24 AM
I am looking for ideas on whether this idea will work. With Tait radio's every radio comes with the same special features. The startup routine will then go through and check the installed SFE keys and disable features as required. to enable the features you need the active SFE key which can be purchased from Tait at varying prices depending on the feature.
You can attempt to brute force and try find the active SFE key in the radio but this is ineffective as the radio only allows one try per 5 seconds. What I am wanting to know is there any possible way to figure out how the ESN is encode to the SFE and perform an offline attack using hashcat to speed up the process ? There has been bit of research into this topic already and I'll post the links below.
https://communications.support/threads/3...100-series
https://communications.support/threads/4...-of-radios
https://www.crc.id.au/apco25/
I will also post couple examples from my own radios that show the inactive and active SFE to help with any reverse engineering.
ESN_SFE Number_Status: 0 for deactivated, 1 for active
19927965_27_0
LFQS.H8QL.93G5.DW9N.8ZQH.TT
Feature Key: LFQSH8QL93G5DW9N8ZQHTT
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 0 (00000000)
Hex Output: 00C8BF259FF9C05D421B0C3CFEB000
Binary String: 000000001100100010111111001001011001111111111001110000000101
1101010000100001101100001100001111001111111010110000000000
Checksum: 4C
Complete String: 00C8BF259FF9C05D421B0C3CFEB0004C
Checksum: Valid
Hex String: 00C8BF259FF9C05D421B0C3CFEB0004C
Binary String: 000000001100100010111111001001011001111111111001110000000101
110101000010000110110000110000111100111111101011000000000000
Feature Key: LFQS.H8QL.93G5.DW9N.8ZQH.TT
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 0 (00000000)
19927965_27_1
UYXL.33DE.JNB4.TW9N.8ZQH.TD
Feature Key: UYXL33DEJNB4TW9N8ZQHTD
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 1 (00000001)
Hex Output: 00BDBD90848D1B36F01B0C3CFEB010
Binary String: 000000001011110110111101100100001000010010001101000110110011
0110111100000001101100001100001111001111111010110000000100
Checksum: 83
Complete String: 00BDBD90848D1B36F01B0C3CFEB01083
Checksum: Valid
Hex String: 00BDBD90848D1B36F01B0C3CFEB01083
Binary String: 000000001011110110111101100100001000010010001101000110110011
011011110000000110110000110000111100111111101011000000010000
Feature Key: UYXL.33DE.JNB4.TW9N.8ZQH.TD
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 1 (00000001)
19927965_28_0
RMLR.86MD.RRS8.N8TN.8ZQH.TT
Feature Key: RMLR86MDRRS8N8TN8ZQHTT
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 0 (00000000)
Hex Output: 00D773A397A4D6A4761C0C3CFEB000
Binary String: 000000001101011101110011101000111001011110100100110101101010
0100011101100001110000001100001111001111111010110000000000
Checksum: D6
Complete String: 00D773A397A4D6A4761C0C3CFEB000D6
Checksum: Valid
Hex String: 00D773A397A4D6A4761C0C3CFEB000D6
Binary String: 000000001101011101110011101000111001011110100100110101101010
010001110110000111000000110000111100111111101011000000000000
Feature Key: RMLR.86MD.RRS8.N8TN.8ZQH.TT
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 0 (00000000)
19927965_28_1
DF84.YLTN.MBXC.58TN.8ZQH.TD
Feature Key: DF84YLTNMBXC58TN8ZQHTD
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 1 (00000001)
Hex Output: 00208EFB640CEEFC9A1C0C3CFEB010
Binary String: 000000000010000010001110111110110110010000001100111011101111
1100100110100001110000001100001111001111111010110000000100
Checksum: 41
Complete String: 00208EFB640CEEFC9A1C0C3CFEB01041
Checksum: Valid
Hex String: 00208EFB640CEEFC9A1C0C3CFEB01041
Binary String: 000000000010000010001110111110110110010000001100111011101111
110010011010000111000000110000111100111111101011000000010000
Feature Key: DF84.YLTN.MBXC.58TN.8ZQH.TD
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 1 (00000001)
You can attempt to brute force and try find the active SFE key in the radio but this is ineffective as the radio only allows one try per 5 seconds. What I am wanting to know is there any possible way to figure out how the ESN is encode to the SFE and perform an offline attack using hashcat to speed up the process ? There has been bit of research into this topic already and I'll post the links below.
https://communications.support/threads/3...100-series
https://communications.support/threads/4...-of-radios
https://www.crc.id.au/apco25/
I will also post couple examples from my own radios that show the inactive and active SFE to help with any reverse engineering.
ESN_SFE Number_Status: 0 for deactivated, 1 for active
19927965_27_0
LFQS.H8QL.93G5.DW9N.8ZQH.TT
Feature Key: LFQSH8QL93G5DW9N8ZQHTT
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 0 (00000000)
Hex Output: 00C8BF259FF9C05D421B0C3CFEB000
Binary String: 000000001100100010111111001001011001111111111001110000000101
1101010000100001101100001100001111001111111010110000000000
Checksum: 4C
Complete String: 00C8BF259FF9C05D421B0C3CFEB0004C
Checksum: Valid
Hex String: 00C8BF259FF9C05D421B0C3CFEB0004C
Binary String: 000000001100100010111111001001011001111111111001110000000101
110101000010000110110000110000111100111111101011000000000000
Feature Key: LFQS.H8QL.93G5.DW9N.8ZQH.TT
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 0 (00000000)
19927965_27_1
UYXL.33DE.JNB4.TW9N.8ZQH.TD
Feature Key: UYXL33DEJNB4TW9N8ZQHTD
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 1 (00000001)
Hex Output: 00BDBD90848D1B36F01B0C3CFEB010
Binary String: 000000001011110110111101100100001000010010001101000110110011
0110111100000001101100001100001111001111111010110000000100
Checksum: 83
Complete String: 00BDBD90848D1B36F01B0C3CFEB01083
Checksum: Valid
Hex String: 00BDBD90848D1B36F01B0C3CFEB01083
Binary String: 000000001011110110111101100100001000010010001101000110110011
011011110000000110110000110000111100111111101011000000010000
Feature Key: UYXL.33DE.JNB4.TW9N.8ZQH.TD
Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
Seq: 1 (00000001)
19927965_28_0
RMLR.86MD.RRS8.N8TN.8ZQH.TT
Feature Key: RMLR86MDRRS8N8TN8ZQHTT
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 0 (00000000)
Hex Output: 00D773A397A4D6A4761C0C3CFEB000
Binary String: 000000001101011101110011101000111001011110100100110101101010
0100011101100001110000001100001111001111111010110000000000
Checksum: D6
Complete String: 00D773A397A4D6A4761C0C3CFEB000D6
Checksum: Valid
Hex String: 00D773A397A4D6A4761C0C3CFEB000D6
Binary String: 000000001101011101110011101000111001011110100100110101101010
010001110110000111000000110000111100111111101011000000000000
Feature Key: RMLR.86MD.RRS8.N8TN.8ZQH.TT
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 0 (00000000)
19927965_28_1
DF84.YLTN.MBXC.58TN.8ZQH.TD
Feature Key: DF84YLTNMBXC58TN8ZQHTD
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 1 (00000001)
Hex Output: 00208EFB640CEEFC9A1C0C3CFEB010
Binary String: 000000000010000010001110111110110110010000001100111011101111
1100100110100001110000001100001111001111111010110000000100
Checksum: 41
Complete String: 00208EFB640CEEFC9A1C0C3CFEB01041
Checksum: Valid
Hex String: 00208EFB640CEEFC9A1C0C3CFEB01041
Binary String: 000000000010000010001110111110110110010000001100111011101111
110010011010000111000000110000111100111111101011000000010000
Feature Key: DF84.YLTN.MBXC.58TN.8ZQH.TD
Key Type: TxAS058 - SFE - P25 Encryption (AES)
Seq: 1 (00000001)