Taint

From wiki.N4VX.net

Tait TB8100

Manuals

File:TB8100 Service Manual.pdf
File:TB8100 Installation Guide.pdf
File:TB8100 Inst and Ops Manual.pdf
File:TB8100 Service Kit User’s Manual.pdf
File:TB8100 Calibration Kit User’s Manual.pdf
File:Idiots Guide To Tait Base Station System S Numbering V3a.pdf
File:TB8100 S Numbering System V4.pdf
File:TN-999 SFE Programming Enabling & Disabling.pdf

Software Feature Enabling keys

The Tait TB8100 is a solid repeater, but a couple of the things you might want to do with it as a ham repeater are locked behind Software Feature Enabling keys (power saving mode, advanced tasks to enable more than one CTCSS tone, etc.). Here are a few notes that provide some background on how those work, for the technically inclined...

The SFE codes are displayed and entered as a base 32 alphabetic code. The alphabet for the base 32 decoding and encoding is: T3FJD6W8AC7HNEG42VSZ5PYU9LRBKMXQ

The 8 bits starting at bit position 100 are the sequence number. Even sequence numbers are "disabled" and odd sequence numbers are "enabled".

The 8 bits starting at bit position 64 are the feature code identifier.

The 28 bits starting at position 72 are the internal serial number (this may include some reserved bits at the top). This value must be shifted right by one bit, discarding the low bit, to get the true serial number: the one that matches the sticker on the board (if present) and the one used in the calculations below.

The first 64 bits are the result of a TEA (Tiny Encryption Algorithm) encryption of the following:

Byte 1: the second 8 bits of the (shifted) serial number (i.e. the shifted SN shifted right by a further 8)
Byte 2: the bottom 8 bits of the (shifted) serial number
Byte 3: the sequence number
Byte 4: the feature code identifier
Byte 5: the top nibble is the bottom nibble of the sequence number, the bottom nibble is zero (or might come from something else that is zero in all the examples I have)
Byte 6: bits 12-4 of the (shifted) serial number
Byte 7: the feature code identifier, but with the nibbles swapped
Byte 8: bits 24-16 of the (shifted) serial number

The TEA output is then swapped, so that the second word of output is the first 32 bits of the SFE key and the first word is the second 32 bits of the SFE key.
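As an added example (not code from the wiki or from Tait), here is a small Python decoder for the SFE key layout just described. It assumes the first base-32 character is the most significant digit and that a full key is 26 characters (130 bits, enough for the 128-bit value); the sample key it builds is constructed test data, not a real key, and no TEA operation is involved.

```python
# Added example (not from the wiki page): decoder for the TB8100 SFE key layout
# described above. Assumption: the first base-32 character is the most
# significant digit, and a full key is 26 characters (130 bits >= 128 bits).
ALPHABET = "T3FJD6W8AC7HNEG42VSZ5PYU9LRBKMXQ"
KEY_CHARS = 26

def sfe_decode(text):
    """Base-32 string (page alphabet) -> integer; rejects characters outside it."""
    value = 0
    for ch in text.strip().upper():
        if ch not in ALPHABET:
            raise ValueError(f"not an SFE base-32 digit: {ch!r}")
        value = (value << 5) | ALPHABET.index(ch)
    return value

def sfe_encode(value, length=KEY_CHARS):
    """Integer -> fixed-length base-32 string (inverse of sfe_decode)."""
    digits = []
    for _ in range(length):
        digits.append(ALPHABET[value & 0x1F])
        value >>= 5
    return "".join(reversed(digits))

def parse_sfe(text):
    """Split a key into the fields the page documents; the 64-bit TEA block is
    returned as the two SFE words (word order as it appears in the key)."""
    v = sfe_decode(text)
    seq = (v >> 100) & 0xFF
    raw_serial = (v >> 72) & 0x0FFFFFFF          # 28 bits; low bit is discarded
    return {
        "sequence": seq,
        "enabled": bool(seq & 1),                 # odd = enabled, even = disabled
        "feature": (v >> 64) & 0xFF,
        "serial": raw_serial >> 1,                # matches the board sticker
        "sfe_word1": (v >> 32) & 0xFFFFFFFF,      # = second word of TEA output
        "sfe_word2": v & 0xFFFFFFFF,              # = first word of TEA output
    }

def build_sample_key(serial, seq, feature, block64):
    """Assemble a key string from fields (constructed test data only: the
    64-bit block is inserted verbatim, no TEA encryption is performed)."""
    v = (seq & 0xFF) << 100
    v |= (((serial << 1) | 1) & 0x0FFFFFFF) << 72  # low bit set: it must be ignored
    v |= (feature & 0xFF) << 64
    v |= block64 & 0xFFFFFFFFFFFFFFFF
    return sfe_encode(v)

# Constructed sample: serial 12345, sequence 3 (odd -> enabled), feature 0x2A.
SAMPLE_KEY = build_sample_key(12345, 3, 0x2A, 0x0123456789ABCDEF)

if __name__ == "__main__":
    print(SAMPLE_KEY, parse_sfe(SAMPLE_KEY))
```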

The key for the TEA encryption is 128 bits that must be obtained from the repeater. Since some of these bits cannot be obtained any other way, you must get the repeater to give them up if for any reason you want to generate new keys with different parameters. The quickest way to get access to the TEA key is...

Obtain a 16-pin Micro-Match plug. (Mouser 571-2205066-3 is a cable with this plug already crimped on it)

Using the schematic of the repeater board, build a JTAG cable that matches the pinout described in the schematic.

Attach a JTAG debugger interface to the repeater. The repeater uses a Samsung S3C3410X 32-bit ARM7 processor in big-endian mode.

The memory map of the repeater is:

0x00000000 - 0x003fffff -- IC501 mm28W320FC 2Mb x 16 Flash
0x00800000 - 0x0080ffff -- HCMS interface to IC700 DSP
0x00810000 - 0x0081ffff -- HCIOMS interface to IC700 DSP
0x02000000 - 0x020fffff -- IC500 K6F8016 512k x 16 SRAM
0x02100000 - 0x021fffff -- IC502 K6F8016 512k x 16 SRAM

If you download and disassemble the contents of Flash via the JTAG interface (the downloadable firmware files are obfuscated, so you can't trivially dump from them), you can identify the TEA encryption and decryption implementations by their reference to the global TEA constant (delta) 0x9e3779b9. You should find 5 decrypt implementations and 2 encrypt implementations. The first decrypt implementation in the 3.27 firmware is at 0x002981e0.

If you are using the 3.27 firmware, set a breakpoint at 0x002981f8 and use the TB8100 Service Kit software to open the SFE page, you will break once for each SFE key displayed. Each time, registers R2 and R4 contain the input to the TEA decryption taken from the SFE key (R2 is the first word to be decrypted but is the 2nd word of the SFE key; R4 is the second word to be decrypted but is the 1st word of the SFE key), and R1 points to the memory where the 4 x 32-bit words of the TEA key are located. If you set a breakpoint at 0x00298270 instead, R2 and R4 contain the output of the decryption (but R1 no longer points to the key).

And that's about all you need to know about TB8100 feature keys in order to play with them.

Matthew Kaufman, KA6SQG
matthew@eeph.com
http://www.wb6ece.org