Great Ideas in Reversing the Tytera MD380

Travis Goodspeed KK4VCZ with thanks to

DD4CR and W7PCH

Tytera MD380• STM32F405 CPU

• 1MB Flash / 192K RAM

• Readout Device Protection (RDP)

• HRC5000 Baseband

• DMR/MotoTRBO or NarrowBand FM

•

DMR/MotoTRBO• Two-Slot TDMA

• Poor Man's GSM

• 4-FSK Modulation

• Baseband might be able to do P25.

• Internationally Trunked!

DMR MARC

CHIRP Plugin

HRC 5000 Baseband

Schematics!

DATE:Approve:Check:

ofPage:REV:

Model:

Filename:File NO.:

Designer:

3 6

PETER

1.0 2014.08.11

R314180R

LED3

03RE

D

R315220R

LED3

01GR

EEN

Q301DTC144EE

Q302DTC144EE

R31647K

C316

103

R31747K

C317

103

R31847K

C318

103

R31947K

C319

103

R320 0R

R321 10K

1EC12 G16EC0

7G0

4EC35 G2 3EC2

8G0

SW302CODE-SWITCH

C320

104

R3624K7

R3634K7

C362104

1 CSN2 SO6 SCK5 SI 4VSS

3WPN

7HOLDN

8VCC

U302W25Q128FVSIG

4 SDA

3 SCL

2 GND

5VPP

1RSTO

6VDD

U307HR_V3000S

C307

104

C305104 C306

104

C308

105

5PE

614

NRST

1PE

22

PE3

3PE

44

PE5

7PC

13_A

NTI_

TAM

P8

PC14

_OSC

32_I

N9

PC15

_OSC

32_O

UT12

OSC_

IN13

OSC_

OUT

73VC

AP_2

15PC

016

PC1

17PC

218

PC3

20VR

EF-

23PA

0_W

KUP

24PA

162

PD15

63PC

664

PC7

65PC

866

PC9

67PA

8

72 PA1325 PA226 PA329 PA430 PA531 PA632 PA733 PC434 PC535 PB036 PB137 PB238 PE739 PE840 PE941 PE1042 PE1143 PE1244 PE1345 PE1446 PE1547 PB1048 PB1168 PA969 PA10

51PB

1252

PB13

53PB

1454

PB15

55PD

856

PD9

57PD

1058

PD11

59PD

1260

PD13

61PD

1449

VCAP

_174

VSS_

210

VSS_

527

VSS_

499

VSS_

322

VDDA

21VR

EF+

19VD

D50

VDD_

111

VDD_

528

VDD_

410

0VD

D_3

75VD

D_2

6VB

AT

76PA14 77PA15 78PC10 79PC11 80PC12 81PD0 82PD1 83PD2 84PD3 85PD4 86PD5 87PD6 88PD7 89PB3 90PB4 91PB5 92PB6 93PB7 94BOOT0 95PB8 96PB9 97PE0 98PE1 70PA11 71PA12

U301STM32F405VGT6

C3038P

C3028P

R31310K

1

TP301JTAG_SWCLK

R30610K

R305NC

1 TP303BOOT0

C343

105

C345

103

R33622K

C332153

R33515K

C333183

C312

103

C313

103

3VEE2

2VEE1

1NC

4 OUT

5 VCC

U303PST9124

R34210KC338

104

C339103

R301

1K

R3394K7

C335392

R3384K7

C336183

R3412K2

1

TP305JTAG_RESET

C337105

R31010K

R304NC

R34022K

1

TP30

4JT

AG_S

WDI

O

R311 1KR312 1K

C352105

R303 10K

C344

105

C360

104

C361

104

R350

NC

R3911K

R3701K

R334 0R

13X301 8MHz

R308

1K

R309

1K

C301

10P

C304

10P

1 4

2 3

X30232.768KHz

D304 NCR3921K

R393220R

C340NC

Q303NC

R348

1K

R34947K C341

104

R352 1K

54321

67

FPC301PTT_PAD

R345 10K

R355

100R

R354

100R

R359 1KR358 1KR357 1KR356 1K

1 HOLD/IO32 VCC3 RESET#4 DNU5 DUN6 CS2#7 CS1#8 SO/IO1 9WP#/IO2

10VSS11DNU12DNU13NC14VIO/RFU15SI/IO016SCK

U305NC

C350NC

R364 NC

R367NC

R365 NCR366 NC

R347NC

C349NC

R360 1KR380 1K

R3021K

D305 KDS160E

BAT301MS412F-FL26E

BAT+

3V3

3V3

FLASH_SDO

FLASH_SCLK

FLASH_CS0

FLASH_SDI

ECN0ECN1ECN2ECN3

RX_LED TX_LED

3V3

3V3

BSHI

FT

LCD_

D1

APC/TVMOD2_BIAS

LCD_D4LCD_D5

VOX

BUSY5R

C

USB_D+

LCD_RD

SCL

3V3LCD_WR

K1

3V3

VOL_OUT

3V3

SAVE

5TC

ECN1ECN2ECN3

ECN0

LCD_

RSLC

D_RS

T

LCD_D2LCD_D3K2K3

USB_D-

PLL_

LDPL

L_CS

LCD_

D0

SDA

DMR_

SLEE

P

TIM

E_SL

OT_I

NTER

SYS_

INTE

RRF

_TX_

INTE

RRF

_RX_

INTE

RQT_DQT_IN

RSSI

LCD_D6

2T/5T/DTMF_OUT

BATT

LAM

P

FM_SW

CTC/DCS_OUT

POW_C

DMR_SWVCOVCC_SW

EXT_PTT

LCD_CS

FLASH_SCLKFLASH_SDOFLASH_SDI

I2S_FSI2S_CKI2S_RXI2S_TX

RF_APC_SW

2T/5

T

BEEP

W/N_SW

C500

0_RS

T

MICPWR_SW

32.7

68K_

OUT

32.7

68K_

IN

32.7

68K_

IN

TX_L

ED

BSHIFT

32.7

68K_

OUT

DMR_

SDO

DMR_

CSDM

R_SC

LK

DMR_

SDI

PTT_KEY3V3

K3LCD_D6LCD_D7

LCD_D7

3V3

PLL_

DAT

PLL_

CLK

FM_MUTE

V_CS

V_SC

LKV_

SDO

V_SD

IFL

ASH_

CS1

FLAS

H_CS

2SPK_CAFCO

RX_LED

SDA

SCL

3V3

3V3

FLASH_SDO

FLASH_CS2FLASH_CS1

FLASH_SCLKFLASH_SDI

BACK3V3

3V3

PTT_KEY

FLASH_CS0

Bootloader Dump

• Dumped Bootloader

• Null-Pointer Dereference

• Patched Bootloader

• Disable RDP

Bootloader Patch

Application Dump• Erase the whole device.

• Device is a brick!

• Flash the patched bootloader.

• Device is a blinking brick!

• Install Encrypted Update

Application Patching• Decrypted application can be freely read,

• because the bootloader was patched.

• Patch to:

• Enable promiscuous mode.

• Replace startup logo.

Sideloading an Applet• The DMR stack is too complicate to easily rewrite.

• So let's inject a lot of new code!

• Our main() runs before their main().

• Our .data avoids their .data.

• Hook any handy functions back to our code.

Free Flash• We could look for regions of FFFFFFFF

• Not much room, just ~5K.

•

• 200KB Chinese Font!

• All in executable flash!

main() calls main()

• Classy way:

• Hook RESET interrupt, and redirect the table.

• Cheap way:

• Let the MD380's RESET handler set its own interrupt table address.

Classy Way

Cheap Way

Avoid Overlapping Memory

• STM32F405 has 192K of RAM.

• 2*64K of general SRAM

• 64K of CCM--Core Coupled Memory

• Not Executable, Not DMA-able

• Fill memory with 0xDEADBEEF, then dump live.

Memory Dump over USB

Let's target a C Compiler!

• Write a linker script.

• Code in 200KB of Flash from the Chinese font.

• Data in 12KB of SRAM, 22KB of TCRAM.

• Could have a heap if we wanted one.

Linker Script to Match

Hooking Thumb Functions• Most functions are easy:

• Find the BL (Branch/Link) in the caller and patch it.

• Some functions are harder:

• USB handlers are passed as function pointers.

• A stub can branch to the new handler.

Calling Functions• ARM has a nice, consistent calling convention.

• It's easier to call existing drivers than to rewrite them.

• Just cast a function pointer:

Firmware Reversing

• IDA Pro, HexRays, and Radare2

• No symbol names!

• Not even for libc.

• But I/O registers, IVT are known.

µC/OS II

• Real Time Operating System

• Threading, Interrupt Handling

• Helpfully names the threads!

Threads

I/O Registers

• I/O Region at 0x40000000.

• SPI Ports for the Baseband and SPI Flash

• GPIO for LEDs and the Keypad

• All defined as structs in officially available headers.

Contacts, Groups, SMS

• Radio "codeplug" is stored in the SPI Flash.

• Reverse engineered by changing settings.

• spiflash_read() is called with item address

• Nice and easy to identify!

Reading a Contact• 36-byte entries, starting at 0x5F80.

• 1-indexing looks weird.

Graphics Reversing• Graphics functions take lots of parameters

• Two strings are displayed at startup:

• Known addresses in SPI Flash

• spiflash_read() reveals calls to gfx_drawtext().

• I don't know the raw protocol, don't need it.

DMR Protocol• Link Local Addresses

• 24-bits, masked by 0x00FFFFFF.

• Arrays read from SPI Flash

• listengroup[]

• dmr_myaddress

Old RX Logic• If the destination is my address; or,

If the destination is in one of listengroup[32]

• Then

• Play audio.

• Else

• Mute audio.

Patching RX Logic

• Promiscuous Receive

• Destination address is always accepted.

• First hardware scanner for DMR audio!

• Released in PoC||GTFO 10 at Shmoocon.

USB Reversing

• Tytera worked from STMicro's public examples.

• Original C code is available, but a bit tricky:

• Code uses tables of function pointers for handlers.

• Very nice to hook, external comms at last!

USB Reversing• Device Firmware Update Protocol

• Data UPLOAD or DNLOAD starts at Block 2.

• Block 0 is special

• DNLOAD applies settings.

• UPLOAD reads status.

• Let's hook Block 1!

Hooked UPLOAD

Hooked DNLOAD

Host Software

• Python tools are great for experimentation.

• They suck for deployment to amateurs.