Jailbreak firmware now available for cheap digital walkie-talkie allowing DMR scanning

In recent years, DMR and MOTOTRBO (a.k.a. TRBO, Motorola Solutions' branded line of DMR radios) have become a very popular digital voice mode on the UHF and VHF bands, and the MD380 radio is the latest cheap DMR walkie-talkie to come out of China.

The question is: is it any good? The longer answer is slightly more complicated, and involves the difference in price between this radio and other more expensive, but higher quality, radios. But I can tell you that a group of hams here recently purchased the Beihaidao DMR radio (also sold under brands like Tytera, KERUIER or Retevis) and have been having excellent results with them.
Every once in a great while, a piece of radio gear catches the attention of a prolific hardware guru and is reverse engineered. A few years ago it was the RTL-SDR, and since then software defined radios have become the next big thing. At the last Shmoocon, Travis Goodspeed presented his reverse engineering of the MD380 digital handheld radio.

The hack has since been published in PoC||GTFO 0x10 (download site), with all the gory details that turn a radio costing under $200 into the first hardware scanner for Digital Mobile Radio. For comparison, a Motorola MOTOTRBO UHF XPR 7550 DMR radio can cost as much as $800.

The MD380 is a fairly basic radio with two main chips: an STM32F405 with a megabyte of Flash and 192 KB of RAM, and an HR C5000 baseband. The STM32 has both JTAG and a ROM bootloader, but both are locked by the chip's readout protection (RDP). Getting around the RDP is the very definition of a jailbreak.

In Digital Mobile Radio, audio is sent through either a public talk group or a private contact. The radio is usually set to only one talk group, so it's not really possible to listen in on other talk groups without changing settings. A patch for promiscuous mode – a mode that puts all talk groups through the speaker – is now out.

Here in the US, Project 25 (P25 or APCO-25) is the suite of digital radio standards used by federal users, but many state, county and local public safety organizations, including police dispatch channels, use the MOTOTRBO DMR digital standard instead.

How to install the hacked firmware for the MD380 (here is a YouTube video of the update process for the Beihaidao radio jailbreak).

You need the source code from this download. It does not ship with firmware, to avoid legal trouble; instead it fetches the factory firmware from the Internet, decrypts it, and applies the patches to that revision. The output files have a .img extension when unencrypted, and a .bin extension when packaged for the official firmware updater.

Most radios use a serial interface for programming, but the MD380 is native USB. Building a USB programming cable for your radio is as easy as soldering on the proper cable adapter, and third-party cables are available from eBay.

Files from this process include:

  • unwrapped.img: factory firmware after decrypting.

  • prom-public.img and prom-public.bin: patched to monitor all talk groups.

  • prom-private.img and prom-private.bin: patched to monitor all talk groups, private calls.

  • experiment.img and experiment.bin: patched to monitor all talk groups, private calls, and sideload alternate firmware.
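To make the difference between the factory firmware and the prom-public and prom-private images concrete, here is an added example that models which decoded DMR calls a receiver would pass to its speaker in each mode. It is a constructed model, not code from the original post or from the patch project; the radio IDs, talk group numbers and the rule that a private call addressed to the radio's own ID is always heard are assumptions.

```python
# Added example (not from the original post or the MD380 patch project):
# a model of the receiver's unmute policy in the factory configuration versus
# the "prom-public" and "prom-private" patched images. IDs are constructed.
from dataclasses import dataclass

GROUP, PRIVATE = "group", "private"


@dataclass(frozen=True)
class Call:
    src: int   # DMR radio ID of the transmitter
    dst: int   # talk group ID for group calls, radio ID for private calls
    kind: str  # GROUP or PRIVATE


@dataclass(frozen=True)
class Radio:
    own_id: int            # this radio's DMR ID (constructed value)
    talk_group: int        # the single talk group the radio is programmed to
    mode: str = "factory"  # "factory", "prom-public" or "prom-private"


def passes_to_speaker(radio: Radio, call: Call) -> bool:
    """Return True if this receiver would unmute audio for the call."""
    if call.kind == PRIVATE:
        # Assumption: a private call to our own ID is always heard; only the
        # prom-private image also unmutes private calls addressed to others.
        return call.dst == radio.own_id or radio.mode == "prom-private"
    if call.kind == GROUP:
        # Factory firmware only unmutes the programmed talk group; both
        # promiscuous images put every talk group through the speaker.
        return call.dst == radio.talk_group or radio.mode in ("prom-public", "prom-private")
    raise ValueError(f"unknown call kind: {call.kind}")


def audible_calls(radio: Radio, calls: list[Call]) -> list[Call]:
    """Filter a decoded call log down to what the given radio would have played."""
    return [c for c in calls if passes_to_speaker(radio, c)]


# Constructed sample of decoded calls: two talk groups and two private calls.
SAMPLE_CALLS = [
    Call(src=1000001, dst=9, kind=GROUP),
    Call(src=1000002, dst=31, kind=GROUP),
    Call(src=1000003, dst=2000001, kind=PRIVATE),  # addressed to our radio
    Call(src=1000004, dst=2000002, kind=PRIVATE),  # addressed to someone else
]

if __name__ == "__main__":
    for mode in ("factory", "prom-public", "prom-private"):
        r = Radio(own_id=2000001, talk_group=9, mode=mode)
        print(mode, [(c.kind, c.dst) for c in audible_calls(r, SAMPLE_CALLS)])
```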

You can install any of these patched firmware images into your MD380 by loading the respective .bin file with the Tytera Windows firmware upgrade tool, "upgrade.exe", which is available inside their firmware upgrade downloads. Here are the steps:

  • Turn off your MD380 using the volume knob.

  • Attach the Tytera USB cable to the SP and MIC ports of your MD380.

  • Attach the Tytera USB cable to your host computer.

  • Hold down the PTT and the button above the PTT button (not the button with the "M" on it).

  • Turn on your MD380 using the volume knob.

  • Release the buttons on the radio.

  • The status LED should be on and alternating between red and green, indicating you're in flash upgrade mode.

  • Start the Tytera "Upgrade.exe" program.

  • Click "Open Update File" and choose one of the .bin files produced from the process above.

  • Click "Download Update File" and wait for the flash update process to finish. It takes less than a minute.

  • Turn off your MD380 using the volume knob.

  • Disconnect the USB cable from your MD380 and host computer.

  • Turn the MD380 back on, and you should see the "PoC||GTFO" welcome screen.

You're running patched firmware!
