Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware

Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, [Travis Goodspeed] presented his reverse engineering of the Tytera MD380 digital handheld radio. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD-380 digital radio

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 DMR baseband. The STM32 has both JTAG and a ROM bootloader, but both are locked out by the chip’s Read Out Protection (RDP). RDP only stops outside readers, the debug port and the ROM bootloader; code already executing on the chip can still read its own flash, so a leaky application-level update protocol is all that is needed. Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

The STM32 in the radio implements a USB Device Firmware Upgrade (DFU) interface, probably derived from ST example code. Dumping memory with the standard DFU upload requests just returned the same binary string over and over, but with a bit of coaxing, and some investigation of the terrible Windows-only official client application, [Travis] was able to find the non-standard DFU commands, write a custom DFU client, and read and write the ‘codeplug’, the SPI Flash chip that stores the radio’s settings, frequencies, and talk groups.
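For readers who want to see what such a DFU client looks like on the wire, here is an added example; it is not code from the article or from md380tools, and it does not reproduce the MD380’s vendor-specific commands, which this page does not list. It implements the standard DFU 1.1 requests (DNLOAD, UPLOAD, GETSTATUS, CLRSTATUS, ABORT) and ST’s documented DfuSe extension, where a “set address pointer” command (0x21) sent to block 0 chooses where later UPLOAD blocks (numbered from 2) read from. The transport is a callable with pyusb’s `ctrl_transfer` signature; `FakeDfuDevice` is a constructed in-memory target so the code runs offline, and the 64 KiB image in the demo is made up.

```python
"""USB DFU 1.1 / DfuSe upload client with a pluggable transport.

Added example, not code from the article or md380tools; the MD380's vendor-specific
commands are not on this page and are not reproduced. Request codes and the GETSTATUS
reply follow USB DFU 1.1; DfuSe block numbering and the set-address command (0x21)
follow ST's UM0391. FakeDfuDevice is a constructed in-memory target so this runs
offline; with pyusb, pass dev.ctrl_transfer (same signature) as the transport.
"""
import struct

DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS, DFU_CLRSTATUS, DFU_ABORT = 1, 2, 3, 4, 6
OUT_IFACE, IN_IFACE = 0x21, 0xA1  # bmRequestType: class request to interface, OUT / IN
DFU_IDLE, DFU_DNBUSY, DFU_DNLOAD_IDLE, DFU_UPLOAD_IDLE, DFU_ERROR = 2, 4, 5, 9, 10
OK, ERR_ADDRESS, ERR_STALLEDPKT = 0x00, 0x08, 0x0F  # bStatus codes
DFUSE_SET_ADDRESS = 0x21


class DfuClient:
    def __init__(self, ctrl_transfer, interface=0, xfer_size=1024):
        self.ctrl, self.iface, self.xfer_size = ctrl_transfer, interface, xfer_size

    def get_status(self):
        """GETSTATUS -> (bStatus, bwPollTimeout in ms, bState) from the 6-byte reply."""
        raw = bytes(self.ctrl(IN_IFACE, DFU_GETSTATUS, 0, self.iface, 6))
        if len(raw) != 6:
            raise RuntimeError("short GETSTATUS reply")
        return raw[0], raw[1] | raw[2] << 8 | raw[3] << 16, raw[4]

    def abort_to_idle(self):
        # ABORT drops the device from the download/upload idle states back to dfuIDLE
        self.ctrl(OUT_IFACE, DFU_ABORT, 0, self.iface, b"")
        state = self.get_status()[2]
        if state != DFU_IDLE:
            raise RuntimeError(f"expected dfuIDLE after ABORT, got state {state}")

    def dfuse_set_address(self, address):
        """DNLOAD [0x21, addr LE32] to block 0; the command runs on the next GETSTATUS."""
        cmd = struct.pack("<BI", DFUSE_SET_ADDRESS, address)
        self.ctrl(OUT_IFACE, DFU_DNLOAD, 0, self.iface, cmd)
        for _ in range(8):  # device reports dfuDNBUSY until the command completes
            status, _poll, state = self.get_status()
            if status != OK or state == DFU_ERROR:
                self.ctrl(OUT_IFACE, DFU_CLRSTATUS, 0, self.iface, b"")
                raise RuntimeError(f"set address 0x{address:08x} failed, status 0x{status:02x}")
            if state == DFU_DNLOAD_IDLE:
                return
        raise RuntimeError("device stuck in dfuDNBUSY")

    def dfuse_read(self, address, length):
        """Read `length` bytes from `address`. DfuSe data blocks start at wValue=2 and
        block n maps to address + (n - 2) * xfer_size; a short block ends the upload."""
        self.dfuse_set_address(address)
        self.abort_to_idle()  # dfuDNLOAD-IDLE -> dfuIDLE before the first UPLOAD
        out, block = bytearray(), 2
        while len(out) < length:
            chunk = bytes(self.ctrl(IN_IFACE, DFU_UPLOAD, block, self.iface, self.xfer_size))
            out += chunk
            block += 1
            if len(chunk) < self.xfer_size:
                break
        self.abort_to_idle()
        if len(out) < length:
            raise RuntimeError(f"device returned {len(out)} of {length} bytes")
        return bytes(out[:length])


class FakeDfuDevice:
    """Constructed DfuSe target backed by `memory` mapped at `base` (not real hardware)."""

    def __init__(self, memory, base, xfer_size=1024):
        self.mem, self.base, self.xfer, self.ptr = memory, base, xfer_size, base
        self.state, self.status = DFU_IDLE, OK

    def _fail(self, status):
        self.state, self.status = DFU_ERROR, status
        return b""

    def ctrl_transfer(self, bmRequestType, bRequest, wValue, wIndex, data_or_len):
        if bRequest == DFU_GETSTATUS:
            if self.state == DFU_DNBUSY:  # the pending command has "finished"
                self.state = DFU_DNLOAD_IDLE
            return bytes([self.status, 0, 0, 0, self.state, 0])
        if bRequest in (DFU_CLRSTATUS, DFU_ABORT):
            self.state, self.status = DFU_IDLE, OK
            return 0
        if bRequest == DFU_DNLOAD:
            data = bytes(data_or_len)
            if wValue != 0 or len(data) != 5 or data[0] != DFUSE_SET_ADDRESS:
                return self._fail(ERR_STALLEDPKT)  # only set-address is modelled
            addr = struct.unpack("<I", data[1:])[0]
            if not self.base <= addr < self.base + len(self.mem):
                return self._fail(ERR_ADDRESS)
            self.ptr, self.state = addr, DFU_DNBUSY
            return len(data)
        if bRequest == DFU_UPLOAD and self.state in (DFU_IDLE, DFU_UPLOAD_IDLE) and wValue >= 2:
            start = self.ptr - self.base + (wValue - 2) * self.xfer
            chunk = self.mem[start:start + min(self.xfer, data_or_len)]
            self.state = DFU_IDLE if len(chunk) < self.xfer else DFU_UPLOAD_IDLE
            return chunk
        return self._fail(ERR_STALLEDPKT)


if __name__ == "__main__":
    dev = FakeDfuDevice(bytes(range(256)) * 256, 0x08000000)  # constructed 64 KiB image
    print(DfuClient(dev.ctrl_transfer).dfuse_read(0x08000100, 16).hex())
```

The two details worth noticing are the GETSTATUS double duty (the first poll after a DNLOAD is what actually executes a DfuSe command, so a client that skips it never moves the address pointer) and the ABORT between setting the address and uploading, without which a spec-following device rejects UPLOAD from dfuDNLOAD-IDLE. A vendor that bolts extra commands onto this state machine, as the MD380 does, leaves exactly the kind of surface the write-up describes.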

Further efforts to dump all the firmware on the radio also succeeded, and with that the actual reverse engineering of the radio began. It runs an ARM port of MicroC/OS-II, a real-time embedded operating system that is very well documented, so with slightly more effort new functions and patches can be written against it.

In Digital Mobile Radio, audio is sent to either a public talk group or a private contact. A radio is normally configured for only one talk group, so it is not possible to listen in on other talk groups without changing settings. The patch for promiscuous mode, a mode that puts every talk group through the speaker, is nothing more than turning one conditional branch into a NOP (a Thumb BNE, since the Cortex-M4 in the STM32F405 runs Thumb code only and has no x86-style JNE).
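The one-instruction patch above, as an added example that is not md380tools code: the page gives no offsets into the real firmware, so the bytes below are a constructed Thumb snippet shaped like a “does this talk group match?” test. The point of the example is the check a practitioner wants before poking a byte into an image, namely that the target really decodes as the expected branch in either its 16-bit (T1) or 32-bit (T3) encoding, so a stale offset from a different firmware build cannot silently corrupt other code. Encodings follow the ARMv7-M reference manual: 16-bit B<c> is `1101 cond imm8`, 32-bit B<c>.W is `11110 S cond imm6 / 10 J1 0 J2 imm11`, NOP is 0xBF00 and NOP.W is 0xF3AF 0x8000, all little-endian in the image.

```python
"""Patch one Thumb conditional branch to a NOP, checking the encoding first.

Added example, not md380tools code. The page gives no offsets, so DEMO_FW is a
constructed snippet. Cortex-M cores execute Thumb only, so the instruction to
look for is BNE, not an x86 JNE. Encodings per the ARMv7-M reference manual:
16-bit B<c> (T1) = 1101 cond imm8; 32-bit B<c>.W (T3) = 11110 S cond imm6 /
10 J1 0 J2 imm11; NOP = 0xBF00; NOP.W = 0xF3AF 0x8000 (little-endian in the image).
"""
import struct

COND = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE"]
NOP_T1 = bytes.fromhex("00bf")      # 0xBF00
NOP_T2 = bytes.fromhex("aff30080")  # 0xF3AF 0x8000


def _sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign


def decode_cond_branch(fw, off):
    """Return (cond, size, target_offset) if a B<cond> sits at `off`, else None."""
    if off % 2:
        raise ValueError("Thumb instructions are halfword aligned")
    hw1, = struct.unpack_from("<H", fw, off)
    # T1: 1101 cond imm8 (cond 1110/1111 are UDF and SVC, not branches)
    if hw1 >> 12 == 0xD and (hw1 >> 8) & 0xF < 0xE:
        imm = _sext(hw1 & 0xFF, 8) << 1
        return COND[(hw1 >> 8) & 0xF], 2, off + 4 + imm  # PC reads as addr + 4
    # T3: 11110 S cond imm6 | 10 J1 0 J2 imm11 (hw2 bit 12 clear distinguishes it from B.W)
    if hw1 & 0xF800 == 0xF000 and (hw1 >> 6) & 0xF < 0xE and off + 4 <= len(fw):
        hw2, = struct.unpack_from("<H", fw, off + 2)
        if hw2 & 0xD000 == 0x8000:
            s, imm6 = (hw1 >> 10) & 1, hw1 & 0x3F
            j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
            # imm32 = SignExtend(S:J2:J1:imm6:imm11:'0'); J bits are not inverted in T3
            imm = _sext(s << 20 | j2 << 19 | j1 << 18 | imm6 << 12 | imm11 << 1, 21)
            return COND[(hw1 >> 6) & 0xF], 4, off + 4 + imm
    return None


def nop_branch(fw, off, expect="NE"):
    """Return a copy of fw with the B<expect> at `off` replaced by a same-size NOP.

    Refuses to patch unless the bytes decode as the expected branch, so a stale
    offset from another firmware build cannot silently clobber unrelated code.
    """
    dec = decode_cond_branch(fw, off)
    if dec is None or dec[0] != expect:
        raise ValueError(f"no B{expect} at 0x{off:x} (decoded {dec})")
    out = bytearray(fw)
    out[off:off + dec[1]] = NOP_T1 if dec[1] == 2 else NOP_T2
    return bytes(out)


# Constructed Thumb snippet (not from the real firmware) modelled on a
# talk-group test: fall through to play audio, branch past it otherwise.
#   0x0: 01 28         cmp   r0, #1
#   0x2: 02 d1         bne   0xa       ; 16-bit form
#   0x4: 00 bf         nop
#   0x6: 40 f0 02 80   bne.w 0xe       ; 32-bit form of the same test
#   0xa: 00 bf         nop
#   0xc: 70 47         bx    lr
#   0xe: 00 bf         nop
DEMO_FW = bytes.fromhex("0128" "02d1" "00bf" "40f00280" "00bf" "7047" "00bf")

if __name__ == "__main__":
    for off in (0x2, 0x6):
        print(hex(off), decode_cond_branch(DEMO_FW, off))
    print(nop_branch(DEMO_FW, 0x2).hex())
```

Because Thumb is a variable-length encoding, a halfword that looks like a BNE can also be the second half of an unrelated 32-bit instruction; the decoder above only checks the bytes at the offset you give it, so confirm the location in a disassembler before applying the same check in anger, and re-run whatever integrity wrapping the radio’s updater expects on the patched image.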

The Tytera MD-380 ships with a terrible Windows app used for programming the radio

With the help of [DD4CR] and [W7PCH], the entire radio has been reverse engineered: there is rewritten firmware that still works with the official tools, the first attempts at scratch-built firmware around FreeRTOS, and the beginnings of a very active development community for a $140 radio. [Travis] is looking for people who can add support for P25, D-Star, System Fusion, a proper scanner, or the ability to send and receive DMR frames over USB. All of these are possible, making this one of the most exciting radio hacks in recent memory.

Before [Travis] presented this hack at the Shmoocon fire talks, intuition guided me to look up this radio on Amazon. It was $140 with Prime, and the top vendor had 18 in stock. Immediately after the talk – 20 minutes later – the same vendor had 14 in stock. [Travis] sold four radios to members of the audience, and there weren’t that many people in attendance. Two hours later, the same vendor had four in stock. If you’re looking for the best hardware hack of the con, this is the one.

121 thoughts on “Shmoocon 2016: Reverse Engineering Cheap Chinese Radio Firmware”

  1. Radio vendors need to take note. It would be like an open source option. Let customers and hackers give feedback and improve a product. I mean, look at this. The radio could do a whole lot more than they were aware of. That, or program it for your own needs. Of course it invalidates the warranty, but not if there were some way to return back to original. At least get them thinking it through.

    1. No they don’t, or rather, they can’t. Modifying capabilities changes the FCC tests and certs. They literally won’t be able to sell these if this is touted as a ‘supported’ feature.

      1. Well, they could, but only towards licensed amateur radio operators. We are allowed to modify/build our own transceivers without needing to get a cert from the FCC. I could sell kits of a build-your-own transceiver without needing an FCC part certification; I just have to alert the user of the fact.

      1. Yep, hams can mod our radios all we want or build our own. The issue is that manufacturers don’t have that flexibility. They are also bound by the DVSI licensing of the AMBE3000 chip, which prevents them from a great many things. Once you read the article you understand the AMBE vocoder is mostly just accessed over a serial line. There are several ways to get an AMBE chip on a USB thumb stick (ThumbDV and DVDongle3k), but these Chinese radios are becoming cheaper than even those, and you get the bonus of having the transceiver. The problem with most of them is they are single band, not dual band.

      1. Big whoop, nothing in the STM32F4 is hardwired to need MicroC OS/II, and there’s a big selection of kernels out there that could replace what is running.

        As for regulatory compliance, amateur radio licenses permit homebrew hardware in most¹ cases, how is this different? In addition, if the signal is clean, how would the ‘feds know?

        (1. Notable exception: Australian “Foundation” amateur radio license. I dare say some other parts of the world have similar entry-level licenses.)

        1. The UK foundation licence is the same, and unlike in the US I don’t think you can jump straight from no licence to the next level up in one session, plus they both have practical assessments here before you can even take the exams.

          1. Frankly, I’m a little surprised at how lax the FCC has become, here in the US. Years ago, the lowest-level license, Novice, allowed you to transmit in CW mode only, with crystal-controlled frequencies only, at a restricted power level. But even then, they allowed novice hams to build and operate their own gear without any proof that they could ensure their spurious outputs were within spec. It was just on the honor system that a designer/builder would find a spectrum analyzer or other appropriate equipment to borrow for the purpose. There is a self-policing system in place, but I don’t see how they can monitor everything and everybody. I just went from unlicensed to Extra-class in a single testing session last month, and it kind of amazes me what they trust me with, based only on a multiple-choice test from a pool of questions whose answers are freely available.

            My point is, if the UK and Australia are sensible enough to require proof of proficiency, that’s a good thing. If you’re allowed to design, build, and operate transmitters without all of the certifications and associated costs that commercial equipment makers have to deal with, you really SHOULD be able to prove within a reasonable doubt that you can ensure that you’re not going to be splattering all over the spectrum. That should be a part of RF hacking, just as amateur automobile driving in many parts of the world requires a proficiency test. Amateur radio operators use the shared spectrum just as drivers share the public roads. If you’re not willing to go through the process that licensing requires, then you really should be limited to using black boxes that are type-approved to operate in an unlicensed manner.

            I agree with others that it would be really, really nice for us if manufacturers of really cool radios could make their firmware available and modifiable by licensed radio operators so that we can add whatever features we like, but really, what’s their motivation to do so? Locking their code allows them to sell options that are enabled in software, and once they open up the source code, that opportunity flies out the window.

            This is why we hack. We choose to bounce signals off the Moon and do the other things, not because they are easy, but because they are hard.

    1. Compliance with Type Acceptance has never been required of Radio Amateurs. Otherwise, how would we ever design and build new things? {Creating entirely new things is a primary purpose of amateur radio.}

  2. I wonder if the firmware works with the VHF version of the radio. If they get DStar working on these, they will overnight upset Icom’s death grip on digital ham radio voice.

    If they get it to work with Dstar and whatever Yaesu’s flavor is… they will sell faster than the manufacturer can build them.

      1. I’d be willing to bet Codec2 will work on this before D-Star does… Codec2 is open source software and already runs on the STM32F4.

        D-Star needs the AMBE codec which is only supplied by DVSI as a pre-programmed DSP chip that would need to be shoehorned in there somewhere. Unless the device already has that chip in there somewhere you’d need to shoehorn it in somehow.

          1. The price for the code is supposedly in the multi-$K region, which is fine for Icom incorporating into some of their radios, but definitely not open-source or redistributable.

    1. I wonder how much of a death grip Icom really has on DSTAR. There are several people that have home brewed a DSTAR repeater with analog radios, a Raspberry Pi, and a particular interface board. And they work MUCH better than the Icom DSTAR repeater

      1. Absolutely ZERO. Everyone is so confused about this. The JARL created and owns all the rights to D-Star. Icom is simply the only manufacturer that has embraced it. They don’t control anything. There are a vast number of digital modes now and many of them use the AMBE vocoder. Each has its pluses and minuses, but D-Star and DMR are easily the most prevalent.

        1. There’s no real confusion here. D-STAR is technically an open specification from JARL, but to actually make it work with voice requires a patented digital voice codec called AMBE. Using that codec is what ties D-STAR and other digital voice formats up in legal knots and hampers its wider adoption. Since AMBE is proprietary technology, digital voice (especially D-STAR) adoption is effectively controlled by the company that holds the AMBE patent, Digital Voice Systems, Inc.

    2. I second the question: DOES THIS FIRMWARE WORK W/ THE VHF TYTERA? Where I now live UHF is virtually unused, so if I want to play it’s either VHF or 800 (the latter obviously RX-only). If this works it’s a much better option than lugging a laptop and SDR device around…

  3. “…forgetful or lazy Chinese engineers”

    Can we please tone down the racism a bit? I don’t think the fact that it was engineered in China is relevant, as there are tons of “jailbreaked” posts that cover products engineered all over the world.

      1. Calling someone racist, as well as anything-phobic, has become such a common insult about anything or for anyone they don’t agree with, that people now use these words with the same eagerness as a child who just learned a fancy word and wants the entire world to know.

        1. It’s not insulting. The fact is that China is leading the way in the race to the bottom in terms of software quality. Their hyper-capitalistic companies normally deliver the first early alpha release that barely works, and maybe in the meantime all the workforce was changed. Ship early, save money, screw customers, competitors, employees. Capitalism at its best.
          Of course there are exceptions, but not so many.

          1. He’s not insulting all Chinese. Just the quality of their engineering. From bitter experience, I think most of us can see his point.

            It’s not innate to the genome of Chinese people that they make cheap shitty hacks. It’s a feature of their economy. They’ve moved from Diesel-age straight to late-era capitalism without dragging all of the history of the intermediate years behind them.

            It’s a social thing, not a racial one, and it’s valid to criticise societies.

        2. Get over yourself already. One of the biggest problems in the world these days is that there are too many people just clamoring to get offended over the silliest little things. Things would be so much better if people just forgot all about political correctness and just minded their own business instead.

          The only people that have any right to get the least bit offended by what was written in this excellent article are the specific Chinese engineers that worked on that specific radio. No one else in the world should be saying anything about it!

          1. @gerry:

            I’d rather someone be honest with me than lie to my face to make me “feel better” about myself. Sometimes the truth hurts, and if you feel the need to have your cockles massaged 24/7 rather than hear something that will help you improve your character, well, that’s your thing.

            These radios are designed in China: Fact. By Chinese engineers: Fact. Chinese engineering has a reputation for poor quality, especially regarding radio equipment: Fact. None of that makes the comment in the article racist, and if you see it as such you might want to do some soul searching and figure out whether you’re actually the one being racist here, since you hear the word “Chinese” and your brain immediately leaps to racism. Let me ask you this: Is it racist to say that American cars are poorly made? Because, compared to Japanese cars, it’s a fact, and I say that as an American driving an American made car. If your immediate reaction was “yes, American cars are poorly made compared to Asian makes”, congratulations, you’re not racist after all! You’re just a hypocrite.

    1. I doubt the intent was to imply that Chinese engineers are more lazy or forgetful than other engineers, but this irrelevant speculation could certainly have been omitted. My own idle speculation is that some Chinese engineers deliberately design hackability into their products, knowing that it appeals to a certain market segment.

    2. Racism is a worthless term here. The Chinese do make a lot of poor quality products, often in that they reverse engineered U.S. products without any honoring of patents. This happened for many years; a Chinese friend of mine told me this. He was in Hong Kong and all Microsoft products were available there for extremely low cost, like $5-10, instead of $50. China is a Communist country; they allow some capitalism because it makes money and is good for China. Probably in our lifetimes we will have a war with them; remember they are tolerating some things now that won’t be tolerated in the future. Yes, the Chinese mostly are very competent in everything they do. However, to say “…forgetful or lazy Chinese engineers” is racism is just ignorant political correctness.

  4. You can get these radios for $125 now at GrapevineAmateurRadio DOT com – comes with a free programming cable and you can download the software for free. I’ve bought from Jason before, always good service.

  5. When it comes to radio I immediately feel overwhelmed with what all of this means. Can someone explain simply what the purpose of DMR is and why this device is any different than any of the other Chinese radios out there? Why is the 400-480MHz range of this device better than a device like the Baofeng UV-5R+, which is like $30 on eBay and does the VHF bands as well as receiving regular FM bands and the 400-480 band?

    I need to finally take my technician test one of these days…

    1. Do like I do, hit Google. I end up on several rabbit chases though. lol DMR is Digital Mobile Radio. I have the UV-5R myself and just got my tech back in Oct. The UV5R is analog. Digital provides advantages over analog in many ways but the UV-5R only does analog. You can get easily overwhelmed. Take your time and read, read, read. Believe me you will never run out of questions. But luckily a lot of answers out there.

      1. Analog also has advantages over digital… digital works until it doesn’t, and it is heavily tied to SNR, whereas analog has a tendency to curve into unintelligibility, and even signals in the noise floor can be heard with the discerning ear.

        All it really boils down to is another tool in the arsenal of getting information from one place to another.

        1. Certain digital modes work at SNR where the ear gives up, and then drop completely. It is called the Shannon Channel capacity, and some of the best codes are based on Low Density Parity Check.

        2. It also really boils down to one of the explicit purposes of amateur radio in the US (Part 97, section 97.1(b)): “Continuation and extension of the amateur’s proven ability to contribute to the advancement of the radio art.”

    2. The really interesting thing about amateur DMR is that it allows the linking of repeaters over the internet in new and interesting ways. Have a look at the DMR-MARC network for more info on that.

      It also has a number of other developments like allowing two conversations simultaneously on the same frequency amongst other things.

      As others have said, the proprietary nature of the existing systems has really hindered digital radio thus far. I’m surprised they’ve managed to get away with it given the generally DIY nature of amateur radio.
      I imagine something like this could force Yaesu, Icom et al. to open up a bit more.

  6. As a ham radio licensee & user of the Tytera; what does all this really mean to me? Will this allow code to be written so I can also use D-Star (or others)? Not a technical guy, so in plain English. Thanks, Greg

    1. Looking at the schematics, assuming that baseband chip exposes the raw audio from the receiver to the STM32 CPU, then it would be theoretically possible to implement APRS/packet radio software and/or Codec2-based digital voice.

      If there’s an AMBE chip somewhere that is CPU accessible, then D-Star is also a possibility.

    1. Damn, imagine the fun you could have with that WhiteBox and the US Navy’s UFO and FltComSat birds. But in reality I would love to program a radio to be able to do VOR, ADF, glideslope, localizer, DME, TACAN, ADS-B, and GPS, as well as be able to transmit on 406 MHz SARSat digital distress (clone a registered beacon encoding), transponder on marine radar, as well as regular analog AM air band and VHF marine ch16, as a Swiss army does-everything backup radio I could ask for in my flight bag. I could even take a break in the hotel to QRP a bit on HF if I had a wire antenna. I can do ADS-B already with dump1090 and the well known Realtek SDR DVB-T USB dongle on a laptop or tablet, but adding Tx changes the game for everyone, even if we are fudging on FCC certification of the device outside of amateur freqs.

  7. Okay, I recall back in the 1990’s the FCC clamped down HARD on scanners that could access cell telephone conversations. Back then most(?) cell phones were analog. So modifying this radio will now allow eavesdropping digital cell phone conversations?

    Maybe it can not access those frequencies, I didn’t read far enough.

    1. There are all kinds of problems with your assumption. This doesn’t reach anywhere near the right frequencies for digital cellphones, but even if it did.. Those use an entirely different modem, an entirely different voice compression scheme and an entirely different networking stack all-together.

    2. Modern mobile phones encrypt the audio, so unless you know the codes, and nobody does, then you can’t eavesdrop. There’s also the problem of spread-spectrum, mobile phones switch frequency lots of times per second. You’d need to keep track of that, which is possible, but requires software this doesn’t have. It wouldn’t be a mod, you’d have to add it in. But even then you couldn’t decrypt the audio.

      There’s still the issue of police frequencies, but many of them have gone digital too.

  8. WTF Brian???? That was actually a good write up! None of your usual condescending jerkiness, useless fluff, incorrect information, or scam supporting. Just good solid information. It actually makes me want to get one of those radios and not stab my eyes out. Thanks!

    1. Meh. ” thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible. The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST.”

      All STM32 devices come with a DFU built into the ROM. It is highly documented. Not just some example code; it’s a feature of the actual device. Anyone who has even looked at using these devices knows that.

  9. There is at least one alternative firmware with extra features for the cute little $30 UV-3Rs. Of course that radio is analog and probably couldn’t do digital with the small processor, but I would love to see these radios fully developed into easy to use FOSS radio-modems.

  10. Amazing how every single conversation online turns into a crap storm over every little thing. Everyone seems to find something to be offended about which ends all useful conversation… Can’t we just stick to the topic?

    1. I saw those Revetis radios on eBay, and they sure look identical. I would like to look into the battery compartment and compare the Revetis serial numbers with TYT/Tytera serial numbers. If they come from the same series, then they are probably identical. (But the Revetis radios were only a few dollars cheaper. Probably safer to pay a little more and go with Tytera.)

  11. > Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible.

    Why do you assume the engineers are incompetent? Maybe the product spec said RDP but the engineers think that is unethical, so they deliberately left a hole for people like us to find.

  12. AMBE+2 Vocoder runs on the STM32 CPU. The C5000 baseband IC has an audio codec with an I2S connection to the CPU, and this one sends the vocoder frames back to the C5000 via the SPI interface. Implementing Codec2 should be straightforward, although voice frames should always be 72 bits long, but you could use the extra for some heavy FEC.

    Implementing DSTAR or FUSION is another story, as C5000 is a DMR baseband IC with a lot of hardcoded parameters. It’s probably impossible to use for other than TDMA DMR.

  13. If it is possible to manipulate the vocoded frames prior to transmission and after reception, it opens the door to non-standard encryption/decryption for (more) private conversations, perhaps not over repeaters/networks if payload checking or firmware version checking is performed when connecting to a repeater, but certainly point to point, handheld to handheld, with pre-shared keys could be possible. Of course the authorities would get terribly upset about that. Ah bless.

  14. I notice that the TYT version of the MD380 (TYT on faceplate) has a FCC cert symbol in the battery compartment, but the Tytera version (Tytera on faceplate) does not. The Tytera radios are newer with higher serial numbers. Did they lose their certification?

  15. Justin, this radio is 400-480MHz only. I very much doubt it could be extended to 800-900MHz. Also, it does not receive P25 and is currently not set up for trunking. There are some $300+ scanners that will monitor this, or you can get an app for your phone to monitor certain channels using someone else’s radio, more likely if you live in or near a big city. Alternatively, some SDRs can decode P25 if you want to go that route.
