Tait SFE
#1
I am looking for ideas on whether this idea will work. With Tait radios, every radio comes with the same special features. The startup routine will then go through and check the installed SFE keys and disable features as required. To enable the features you need the active SFE key, which can be purchased from Tait at varying prices depending on the feature.

You can attempt to brute force and try to find the active SFE key in the radio, but this is ineffective as the radio only allows one try per 5 seconds. What I am wanting to know is: is there any possible way to figure out how the ESN is encoded into the SFE and perform an offline attack using hashcat to speed up the process? There has been a bit of research into this topic already and I'll post the links below.

https://communications.support/threads/3...100-series
https://communications.support/threads/4...-of-radios
https://www.crc.id.au/apco25/

I will also post a couple of examples from my own radios that show the inactive and active SFE to help with any reverse engineering.


ESN_SFE Number_Status: 0 for deactivated, 1 for active

19927965_27_0

LFQS.H8QL.93G5.DW9N.8ZQH.TT

Feature Key: LFQSH8QL93G5DW9N8ZQHTT
          Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
               Seq: 0 (00000000)

        Hex Output: 00C8BF259FF9C05D421B0C3CFEB000
     Binary String: 000000001100100010111111001001011001111111111001110000000101
1101010000100001101100001100001111001111111010110000000000
          Checksum: 4C
   Complete String: 00C8BF259FF9C05D421B0C3CFEB0004C

    Checksum: Valid
        Hex String: 00C8BF259FF9C05D421B0C3CFEB0004C
     Binary String: 000000001100100010111111001001011001111111111001110000000101
110101000010000110110000110000111100111111101011000000000000

       Feature Key: LFQS.H8QL.93G5.DW9N.8ZQH.TT
          Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
               Seq: 0 (00000000)


19927965_27_1

UYXL.33DE.JNB4.TW9N.8ZQH.TD

Feature Key: UYXL33DEJNB4TW9N8ZQHTD
          Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
               Seq: 1 (00000001)

        Hex Output: 00BDBD90848D1B36F01B0C3CFEB010
     Binary String: 000000001011110110111101100100001000010010001101000110110011
0110111100000001101100001100001111001111111010110000000100
          Checksum: 83
   Complete String: 00BDBD90848D1B36F01B0C3CFEB01083


          Checksum: Valid
        Hex String: 00BDBD90848D1B36F01B0C3CFEB01083
     Binary String: 000000001011110110111101100100001000010010001101000110110011
011011110000000110110000110000111100111111101011000000010000

       Feature Key: UYXL.33DE.JNB4.TW9N.8ZQH.TD
          Key Type: TxAS057 - SFE - P25 Base Encryption (DES) & Key Loading
               Seq: 1 (00000001)


19927965_28_0

RMLR.86MD.RRS8.N8TN.8ZQH.TT

Feature Key: RMLR86MDRRS8N8TN8ZQHTT
          Key Type: TxAS058 - SFE - P25 Encryption (AES)
               Seq: 0 (00000000)

        Hex Output: 00D773A397A4D6A4761C0C3CFEB000
     Binary String: 000000001101011101110011101000111001011110100100110101101010
0100011101100001110000001100001111001111111010110000000000
          Checksum: D6
   Complete String: 00D773A397A4D6A4761C0C3CFEB000D6

          Checksum: Valid
        Hex String: 00D773A397A4D6A4761C0C3CFEB000D6
     Binary String: 000000001101011101110011101000111001011110100100110101101010
010001110110000111000000110000111100111111101011000000000000

       Feature Key: RMLR.86MD.RRS8.N8TN.8ZQH.TT
          Key Type: TxAS058 - SFE - P25 Encryption (AES)
               Seq: 0 (00000000)


19927965_28_1

DF84.YLTN.MBXC.58TN.8ZQH.TD

Feature Key: DF84YLTNMBXC58TN8ZQHTD
          Key Type: TxAS058 - SFE - P25 Encryption (AES)
               Seq: 1 (00000001)

        Hex Output: 00208EFB640CEEFC9A1C0C3CFEB010
     Binary String: 000000000010000010001110111110110110010000001100111011101111
1100100110100001110000001100001111001111111010110000000100
          Checksum: 41
   Complete String: 00208EFB640CEEFC9A1C0C3CFEB01041


          Checksum: Valid
        Hex String: 00208EFB640CEEFC9A1C0C3CFEB01041
     Binary String: 000000000010000010001110111110110110010000001100111011101111
110010011010000111000000110000111100111111101011000000010000

       Feature Key: DF84.YLTN.MBXC.58TN.8ZQH.TD
          Key Type: TxAS058 - SFE - P25 Encryption (AES)
               Seq: 1 (00000001)
#2
This is definitely an algo worth working out for unlocking the good features for these products. I personally would be keen to contribute to recognise someone's time and effort in solving this key formulation.