lawprojectfoundation, Posted August 24, 2018
Not quite as into the dark side as most of the tribe, but here is my tale of woe: I was an avid ham and police scanner enthusiast. The police departments have just about all gone over to the new 700 MHz AES-encrypted trunked voice transmission. Anyone have any input on whether it's possible to capture the transmission and try to pull some data out of the stream to reconstruct the voice pattern?
NoExecute, Posted August 24, 2018
Practically, no, it's not possible to crack the system keys on trunked radio. The simplest way would simply be to get hands on a radio you know is operating within the radio group / organisation you want to monitor, or bribe someone who knows what it is. Finding it with brute force will cost a lot of time and special / custom software. And even in situation one, most radios are locked / protected from reading and changing the encryption keys & channel info, so no luck there. Depending on what radio system it is, some radios also employ key / authentication services, so unknown devices will never be approved on the system, and lost radios will get locked out from the radio network, so no luck there either. I know it sounds fun, but I should mention it's illegal in most countries to monitor police / fire department radios when they are encrypted or to try to crack the encryption. Some info on trunked radio security mechanisms: https://www.rrmediagroup.com/Features/FeaturesDetails/FID/812 I would imagine it's impossible to recreate the transmission without the encryption / scrambler key, the same radio model, running on the same frequencies, and with the correct keys programmed into the scrambler / encryption module. Sorry, didn't want to spoil your day, but from what I've found out, it's simply too costly and too much work to bother with it ? /Kent
lawprojectfoundation (Author), Posted August 25, 2018
Kent: Thanks for the feedback. It would seem that end-to-end encryption would be a major bear to get a handle on. What I was speculating on was the possibility of analyzing the waveform in that frequency with SDR, then taking that output into something (Audacity?) that would show the waveform, IF THERE IS ANY after it's been scrambled. Now I know this is wishful thinking on my part, MAYBE DELUSIONAL, but I'm not that sure what encryption does to a sound file. It's not a major problem in my part of the state, S. Jersey, but up North it's SOP. This is a growing trend across the country; it has a lot of those who would monitor the traffic bummed out, and not doing it much anymore..... John
NoExecute, Posted August 25, 2018
Hmm, there would have to be a waveform of some sort. As I see it, it would be something like: talk voice ----> mic ---> Encryption PCB ---> transmitter --------> AIR <------- Receiver ----> Decryption PCB --> speaker ---> Ear ? As far as I understand it, in some cases the encryption function is just a base tone, some modulator function, and the transmission of the generated signal. It should / could be possible to reconstruct the signal from the base, figure out what kind of modulation it is, apply it to the transmitted signal, and recover the clear voice signal. https://www.midians.com/specs/voice-scramblers-motorola-mototrbo-radios/vs-1000-mt1 Here are some encryption PCBs for Motorola trunked radios. They use, as far as I can tell, "just" some kind of filtration and modulation as encryption. I would imagine, at least theoretically, the encrypted voice from these can be recovered through trial and error, and massive computing power maybe? If I understand the description of these correctly, they simply run the base voice through some kind of known modulation filter, remove the sum, and transmit the difference in frequencies. If that's understood correctly, maybe it could be recovered by finding the base frequency and applying filters until you have clear audio again. Just my thoughts on this. If I'm correct or not, I can't say ?
noncenz, Posted August 25, 2018
Unfortunately those inversion scramblers are a little more simplistic than today's state of the art. Modern public safety radios are digital, so the signal path is more like: voice --> A/D converter --> AES encryption --> frequency modulation of data (transmitter) --> demodulation of data (receiver) --> AES decryption --> D/A converter --> sound. At the core of this is a data stream getting AES encryption, so I suppose that part is as crackable as any other AES, but I think there is a long way to go to get there. Have a look at GNU Radio. There are a few AES plugins for it, e.g. https://github.com/sbmueller/gr-openssl
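As an added illustration (not code from anyone in this thread) of why the "look at the waveform after scrambling" idea from earlier in the thread works against an analog inversion scrambler but not against the digital AES path described above: a synthetic 400 Hz tone standing in for digitised voice keeps its periodicity, while the same samples after AES-CTR with a constructed key show no periodicity at all until the exact key is applied. The key, IV and tone are constructed for the demo; real P25 uses a vocoder frame format and key management this does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"math"
)

// toneFrames builds n signed 16-bit PCM samples of a 400 Hz tone at 8 kHz
// (a 20-sample period), a constructed stand-in for A/D-converted voice.
func toneFrames(n int) []byte {
	buf := make([]byte, 2*n)
	for i := 0; i < n; i++ {
		s := int16(12000 * math.Sin(2*math.Pi*float64(i%20)/20))
		binary.LittleEndian.PutUint16(buf[2*i:], uint16(s))
	}
	return buf
}

// ctrCrypt applies AES in CTR mode; the same call encrypts and decrypts.
func ctrCrypt(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// lagCorrelation is the normalised autocorrelation of the 16-bit sample
// stream at the given lag: 1.0 for a signal periodic in that lag, near 0
// for data masked by a keystream (no structure left to filter for).
func lagCorrelation(pcm []byte, lag int) float64 {
	n := len(pcm) / 2
	var num, den float64
	for i := 0; i+lag < n; i++ {
		a := float64(int16(binary.LittleEndian.Uint16(pcm[2*i:])))
		b := float64(int16(binary.LittleEndian.Uint16(pcm[2*(i+lag):])))
		num, den = num+a*b, den+a*a
	}
	return num / den
}

func main() {
	key, iv := make([]byte, 32), make([]byte, 16) // constructed demo key/IV
	key[0] = 0x01
	pcm := toneFrames(8000)
	ct, _ := ctrCrypt(key, iv, pcm)
	fmt.Printf("plaintext lag-20 correlation:  %.3f\n", lagCorrelation(pcm, 20))
	fmt.Printf("ciphertext lag-20 correlation: %.3f\n", lagCorrelation(ct, 20))
}
```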
lawprojectfoundation (Author), Posted August 25, 2018
What if you're NOT cracking the encryption? Is there a distinction? It's still going over the air, subject to capture.....
noncenz, Posted August 25, 2018
Yes, the encrypted digital signal is still going over the air, so you should be able to capture it, even save it to disk, I'd think.....
lawprojectfoundation (Author), Posted August 25, 2018
Hey Folks: A lot of great feedback. I'll look into the GNU Radio angle. SDR sounds like a better alternative than a P25 scanner if you can get one... WHY do this? Because I can....?
lawprojectfoundation (Author), Posted August 25, 2018
I'm looking at this from two separate viewpoints: Is the information (voice transmission) a separate entity, or a hybrid due to the encryption process? If you can recover the initial content from the encryption, what do you have? There is a civil liberties issue for me dealing with transparency and accountability. Not sure if this part is relevant to this forum though.
Bigbiz, Posted August 26, 2018
https://www.dsdplus.com/ would do the trick. Hard part would be getting it to work.
lawprojectfoundation (Author), Posted August 27, 2018
Thanks for the additional feedback. I downloaded the files, and I'll see just what happens. This is basically one of those projects where you never really know just what you might discover after trying all the different approaches. This could just be a result that you never expected to get.
lawprojectfoundation (Author), Posted August 29, 2018
Well, like any camping trip to uncharted terrain, you need to buy the right gear. Ordered an SDR dongle that picks up P25 digital signals. Been doing a little research and found out that people are decoding satellite video signals with SDR. Is this a heads-up that there might be a workaround for this? Seems that you can even get the rig to work with a Raspberry Pi, so it doesn't look like a hardware issue. Locating a signal strong enough looks like the first barrier, right across the river to PA or up North, which might be an antenna challenge.... On to DEFCON 2019?
Bigbiz, Posted October 7, 2018
How's it going? Best bet is looking for your control channel. This will get you your talk groups. Then you'll need a second dongle for intercepting voice traffic.
Scanner man, Posted December 13, 2020
Is it possible to transmit on the encrypted frequency and cause the encryption to be removed and the rest of the transmission to be sent in the clear, at least temporarily?
IDNeon, Posted April 17, 2021
I'm pretty sure encrypted police radios will be deemed illegal soon enough. Police are not protected by national security acts, which are the only thing that allows public property to be hidden from the public.