Hooks the AES crypto function, which converts an Enhanced Privacy key…

… into a 59-bit XOR keystream.
travisgoodspeed · Mar 26, 2016 · c18f6dd · c18f6dd
1 parent 5dd5842
commit c18f6dd
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 1 deletion.
diff --git a/applet/Makefile b/applet/Makefile
@@ -1,4 +1,4 @@
-SRCS = main.c usb.c gfx.c dmr.c printf.c dmesg.c stm32f4xx_it.c system_stm32f4xx.c os.c menu.c
+SRCS = main.c usb.c gfx.c dmr.c printf.c dmesg.c stm32f4xx_it.c system_stm32f4xx.c os.c menu.c aes.c
 PROJ_NAME=main
 
 

diff --git a/applet/merge.py b/applet/merge.py
@@ -292,6 +292,12 @@ def hookbl(self,adr,handler,oldhandler=None):
     merger.hookbl(0x0802e4b0,sapplet.getadr("print_DebugLine"),0);
     merger.hookbl(0x0802e582,sapplet.getadr("print_DebugLine"),0);
 
+    #Function that calls aes_cipher() twice.  When are these called?
+    merger.hookbl(0x0802177c,sapplet.getadr("aes_cipher_hook"),0);
+    merger.hookbl(0x0802182c,sapplet.getadr("aes_cipher_hook"),0);
+    #c5000_dmr_init() calls aes_cipher() once, with Enhanced Privacy Key as input.
+    merger.hookbl(0x0803df16,sapplet.getadr("aes_cipher_hook"),0);
+
     print "Hooking a menu call.";
     merger.setword(0x08039d98,
                    sapplet.getadr("main_menu_hook")+1);

diff --git a/applet/src/aes.c b/applet/src/aes.c
@@ -0,0 +1,31 @@
+
+#include <stdio.h>
+#include <string.h>
+
+#include "md380.h"
+#include "printf.h"
+#include "dmesg.h"
+#include "version.h"
+#include "tooldfu.h"
+#include "config.h"
+#include "gfx.h"
+
+
+/* This hook intercepts calls to aes_cipher(), which is used to turn
+   the 128-bit Enhanced Privacy Key into a 59-bit sequence that gets
+   XORed with the audio before transmission and after reception.
+   
+   By changing the output to match Motorola's Basic Privacy, we can
+   patch the MD380 to be compatible with a Motorola network.
+ */
+
+int *aes_cipher_hook(int *pkt){
+  int *res;
+  printf("aes_cipher(0x%08x);\nIN  :",pkt);
+  printhex((char*) pkt,16);       //Print the Enhanced Privacy Key
+  printf("\nOUT :");
+  res=aes_cipher(pkt);
+  printhex((char*) res,16);       //Print the keystream it produces. (First 59 bits are XOR'ed with the audio.)
+  printf("\n");
+  return res;
+}
diff --git a/applet/src/md380-2.032.c b/applet/src/md380-2.032.c
@@ -71,3 +71,6 @@ void (*OS_EXIT_CRITICAL)(int) = 0x08041e01;
 
 void (*c5000_spi0_readreg)(int reg, char*buf)=0x0803e2f5;
 void (*c5000_spi0_writereg)(int reg, int val)=0x0803e2a9;
+
+
+int* (*aes_cipher)(int *pkt)=0x080356b1;
diff --git a/applet/src/md380.h b/applet/src/md380.h
@@ -78,3 +78,7 @@ extern void (*c5000_spi0_readreg)(int reg, char *buf);
 
 //! Writes a register in the C5000.
 extern void (*c5000_spi0_writereg)(int reg, int val);
+
+
+//! Unknown AES function.
+extern int* (*aes_cipher)(int *pkt);