Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago, it was the RTL-SDR, and since then, software defined radios became the next big thing. Last weekend at Shmoocon, the reverse engineering of the Tytera MD380 digital handheld radio was presented. The hack has since been published in PoC||GTFO 0x10 (56MB PDF, mirrored) with all the gory details that turn a $140 radio into the first hardware scanner for digital mobile radio.

The Tytera MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192k of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both of these are protected by the Readout Device Protection (RDP). Getting around the RDP is the very definition of a jailbreak, and thanks to a few forgetful or lazy Chinese engineers, it is most certainly possible. The STM32 in the radio implements a USB Device Firmware Upgrade (DFU), probably because of some example code from ST.
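As an added illustration of the RDP setting the article refers to (this is example code written for this page, not MD380 firmware and not code from the PoC||GTFO write-up), the snippet below decodes the RDP level from the STM32F4 FLASH_OPTCR option register and runs a boot-time self-check that a vendor firmware could use to confirm JTAG and the ROM bootloader are actually locked before shipping. The register layout (RDP byte in bits [15:8], 0xAA meaning level 0, 0xCC meaning level 2, anything else level 1) is from the STM32F4 reference manual; the sample OPTCR values and the `debug_interfaces_locked` helper are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* STM32F4 FLASH_OPTCR: the RDP byte occupies bits [15:8].
 * 0xAA -> level 0 (no readout protection: JTAG and ROM bootloader can dump flash)
 * 0xCC -> level 2 (permanent: debug and bootloader access disabled)
 * any other value -> level 1 (flash reads blocked while a debugger/bootloader is attached) */
#define OPTCR_RDP_SHIFT 8u
#define OPTCR_RDP_MASK  0xFFu
#define RDP_LEVEL0_KEY  0xAAu
#define RDP_LEVEL2_KEY  0xCCu

/* Decode the RDP level from a raw FLASH_OPTCR value. */
int rdp_level_from_optcr(uint32_t optcr) {
    uint32_t rdp = (optcr >> OPTCR_RDP_SHIFT) & OPTCR_RDP_MASK;
    if (rdp == RDP_LEVEL0_KEY) return 0;
    if (rdp == RDP_LEVEL2_KEY) return 2;
    return 1;
}

/* Hypothetical boot self-check: a release build would refuse to run (or log a
 * manufacturing fault) if the part left the factory at RDP level 0, because
 * then JTAG and the ROM bootloader expose the whole flash image. */
bool debug_interfaces_locked(uint32_t optcr) {
    return rdp_level_from_optcr(optcr) >= 1;
}

int main(void) {
    /* Constructed OPTCR values covering the three cases; not read from hardware. */
    uint32_t samples[] = { 0x0FFFAAEDu, 0x0FFF55EDu, 0x0FFFCCEDu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("OPTCR=0x%08X -> RDP level %d, debug interfaces %s\n",
               (unsigned)samples[i], rdp_level_from_optcr(samples[i]),
               debug_interfaces_locked(samples[i]) ? "locked" : "OPEN");
    }
    return 0;
}
```

On real hardware the value would come from `FLASH->OPTCR` rather than a constructed array; the decode logic is the same either way.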