Closed Ham Radio Peripheral Reveals Its Windows Secrets

The student radio society in Trondhjem owns a Flex 6500 radio, with its associated Maestro panel peripheral. This is a software defined radio, and the Maestro is a computer containing just enough of an embedded version of Windows to run its front-end software. Unfortunately for our Norwegian radio amateur friends it runs very little else, even to the extent of being unable to connect to public WiFi that requires a web log-in. This was particularly annoying because the student network uses exactly such a captive portal, so they had been forced to create their own hotspot. They have now provided some details on how they were able to open the device up a little to do a bit more.

At first they were cagey about the exact nature of the exploit they used to penetrate the device’s defenses, but since then they’ve published a second installment with full details. It involved gaining access to the filesystem and a terminal through a right-click menu from a web browser screen within the Maestro software, then using that access to change configuration such that it could be exposed across the network. From there they were able to treat it much as they would a normal Windows installation, including putting other software such as SmartSDR onto it.

This piece of work provides a fascinating insight into an embedded Windows device, and leaves us as usual surprised by the ease of the exploit. We’d say it’s something of a brave move for a company to ship a feature-limited product to radio amateurs of all people, a community that has been experimenting and finding whatever means to extend the capabilities of their equipment for over a hundred years. Perhaps Flexradio’s eyes are on greater things.

25 thoughts on “Closed Ham Radio Peripheral Reveals Its Windows Secrets”

  1. The radio itself runs Linux, and has a little sandbox where Open Source software like Codec2 can run without encumbering their proprietary software. I explained to Flex how to do this without violating the GPL a few years ago. I’ve never looked at their implementation.

  2. For that kind of money, I’d expect them to apply all the Windows updates immediately so it doesn’t risk getting malware.

    Having an update dork up the radio and cause it to fail is one thing — I can stick a paper clip in the back to press the recessed “reload to factory settings” button; or I can contact the manufacturer and say “fix it.” Having an unpatched machine in my network fall victim to ransomware and spreading it to other machines in my network is more than a thousand times worse.

    1. A very complete set of APIs are published for the Flex Radios. I’ve been making use of them to control my homebrew tuner among other monitoring and control systems using Raspberry Pi and Arduino devices. I’m pretty happy with their “openness” for my ham radio needs. It is an extremely fun, useful and well designed radio.

      1. APIs to control the radio, yes. But you can’t go in and fool with the signal processing algorithms, which was one of the first reasons people used SDRs (including the Flex). Remember that it significantly antedates things like GNU Radio (and inexpensive FPGAs to do signal processing, for that matter). The early Flex was an interesting piece of gear to tinker with, and because all the code was in BASIC, and the code base wasn’t too big, it was reasonably accessible.

  3. I would love to see a rule made that closed hardware, software, and firmware were forbidden for use under amateur radio rules, or at least for sale as such. I feel that, like patent and copyright, which trade a short-term legal monopoly in exchange for adding the IP to the public domain after expiration, so too with amateur radio, which exists among other things to educate the public and further the science and practice of radio applications; a closed secret part or complete design of a permitted radio is then worse for the public than encryption or using bandwidth to do for-profit things.
    In amateur radio, unless it is a DIY rig, there should be a requirement to publish everything except maybe the PCB files. I am not sure if going down to the dream of opening secrets for ICs or recycled hardware is going too far, or if that would just end with fewer designs on the air.

    1. Ham radio has always allowed YOU to build your own from scratch (and is unique that way, in terms of radio regulations) – but it has also always had closed design stuff you can buy. The vast majority of commercial radios purchased by hams do not have an open design – you might get a schematic, but even back in the 1980s, my Yaesu FT-757 had microcontrollers in it with no source provided.

      I can see requiring that “over the air” modulation and protocols be open (looking at you various and sundry FEC modes and digital voice encoding) but not the hardware.

      The Flex is an interesting history – it started out totally open source, and became closed. I think that’s somewhat unique.

      1. Yes I still don’t get that. Crypto not allowed, but secret sauce modulations and protocols are. If “anybody can buy them” is the excuse, ima just run encrypted and have the key posted on a website for digital download for $5,000,000

  4. These kinds of exploits have been common for decades. I found a similar exploit to bypass the Windows 98 login in the 90s… when my age was in the single digits! We found another similar exploit on the campus computers in the late 2000s that let you bypass the login screen there too. You’d think after, what, 25 years MS would figure out how to lock down their save dialogs, lol.

  5. Reminds me of bypassing the kid controls on Windows 95 back in high school.

    Seriously though, who builds a single-purpose embedded UI on Windows? It’s such a dumb move. Linux is perfect for that application, and it would have saved money in the licensing.

    1. Uh, it’s definitely not a dumb move. The Maestro runs SmartSDR under the covers. And it’s not just a UI. It’s the full blown SSDR app that runs under Windows. Any savings that would be obtained from avoiding license fees would be swamped several times over by the never-ending support baggage of supporting parallel versions of SSDR. That’s probably why they don’t support it on Mac.

      1. In fact, that’s part of what I suspect led to Flex closing the source – the original Flex1K was a peripheral for a PC – you supplied the PC & sound card – and that led to a huge support problem because everyone’s versions of Windows, the sound card, and the configurations were all different. Flex didn’t really have the capability to provide (free) support to the wild and woolly world. So, first, there was a “we’ll put the sound card interface into the radio” and that meant that they had to supply a signed Windows driver. I believe the interface itself was also closed source (although functionally reverse engineerable). There was also a story that the FCC was getting nervous about selling a product which can tune out of the ham bands (early days for SDRs), and closed source, along with the proprietary sound interface, let them control that.

        Some day, someone on the inside at Flex may write a history.

  6. What I’m surprised at is that anyone is surprised at what the Maestro is. The Flex code runs on Windows. It’s pretty much the same thing between the Maestro and PC. The Maestro will have a USB board in it that allows all the controls to communicate with embedded Windows. Heck, you can sometimes even see the boot process.
    The way that the Maestro works with turning on and off screams that there’s actually a table in it.

  7. Instead of wasting money on Flex stuff, they could have purchased HPSDR radios that are completely open source, including FPGA firmware, and can be operated via multiple open source software packages.
