Go easy on me now... system key question
Moderator: Global Moderator Team
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Go easy on me now... system key question
Hi guys, 
If you have [legal] possession of a radio (XTS series) programmed to a given P25 trunked system, is it possible to retrieve the system key for that trunked system from that radio (assuming you have software)?
Thanks.
-j
- VE9MP
- 98247E-011480-1
- Posts: 1348
- Joined: Wed Oct 27, 2004 11:18 am
- Location: What ya lookin' at my gut fer?
- Contact:
Re: Go easy on me now... system key question
No, the system key is an actual computer file, that has to be in a certain folder on your computer, that your CPS looks for....
Or alternatively, depending on how new the system is, it could be an Advanced System Key required, which is an actual hardware dongle that has to be connected to the computer, research iButtons for more info, but essentially there is a single Master key, from Motorola, from which daughter keys can be created, that customizes what the end user can program, like ranges of IDs, and they have expiry dates.... I did some research into iButtons and what it would take to "make" one, but it's way over my head, I'm sure other people have figured it out or found a loophole.....
Nick
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
Can you add conventional stuff to a radio with a programmed trunked system without the system key?
- VE9MP
- 98247E-011480-1
- Posts: 1348
- Joined: Wed Oct 27, 2004 11:18 am
- Location: What ya lookin' at my gut fer?
- Contact:
Re: Go easy on me now... system key question
Yes, as long as it wasn't programmed with an ASK....
Nick
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
Thanks man, appreciate the info. 
What about scan lists/scan priorities? Can those be changed with an existing trunked system without the key (assuming no ASK)?
Sorry about all the questions, trying to help someone out (really).
- motorola_otaku
- Cock Block
- Posts: 6671
- Joined: Mon Nov 29, 2004 8:53 pm
- Location: Stinkadena, TX
Re: Go easy on me now... system key question
Scanlists can be added and deleted. You can add and remove trunked personalities from said scanlists. Zone/Channel assignments can be added, deleted, and renamed. Trunked talkgroup names can be edited. Conventional personalities can be added, deleted, and manipulated every way imaginable. What not having the system key does is lock you out of that particular system's settings AND the settings of any personality assigned to it.
Now, as VE9MP pointed out, if your radio was touched by an Advanced System Key then you can write off doing anything to it ever again without one of two things:
-another Advanced System Key; caveat: if it is for a different SysID than the one in the radio, you won't be able to mess with that system's settings at all.
-(XTS3000 only) a DOS RSS codeplug or s-record of that radio with matching model number, serial number, and Flashcode.
Now, I am not the BATLABS TRUNKING POLICE nor do I necessarily agree with the tack they take on people asking similar questions, but I do have to throw this hypothetical at you as a caution: let's say you or a friend have a legitimately-programmed Motorola trunking/P25 radio and every right in the world to be operating on the systems in it, but you make some non-system-key-required changes to it with your own programming kit. When that radio goes back to its designated programmer for system updates or whatever, they are going to see the changes made to it (the Last Programmed Date among other things) and you or your friend may find some hard questions posed to you by gentlemen with badges. In that event it would be wise for you or your friend to have your asses appropriately covered, preferably in the form of written permissions on company or department letterheads. But that's just, like, my opinion, man.
And the sign says you got to have a membership card to get inside.
- VE9MP
- 98247E-011480-1
- Posts: 1348
- Joined: Wed Oct 27, 2004 11:18 am
- Location: What ya lookin' at my gut fer?
- Contact:
Re: Go easy on me now... system key question
In another 5 years or so I can see ASKs being a major obstacle for us M nerds, once these new radios start hitting eBay or government surplus, we aren't going to be able to manipulate the programming in these radios at, like the APX radios for example that will only program with ASKs, legacy system keys aren't even supported in the CPS.....
Nick
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
Thanks again for the reply and the information. I also appreciate the warning, Josh (great name!), and it is good information to know, and useful food for thought. 
The friend is LE with many years on the force and more than a couple stripes on the sleeve. BUT, since s/he obviously doesn't have quite enough influence to just get the programming done "officially", I will be sure to discuss it with him/her before we start writing any codeplugs (assuming we are even able).
Based on the conversations we've had thus far, I believe that my name would not be mentioned, and s/he would probably just be chewed out... at worst. But I'll confirm. Assuming anyone even noticed... which based on my understanding of the less-than-organized environment there, is unlikely to begin with. We're talking about changing some scan lists and/or scan priorities - probably nothing beyond that.
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
VE9MP wrote: In another 5 years or so I can see ASKs being a major obstacle for us M nerds, once these new radios start hitting eBay or government surplus, we aren't going to be able to manipulate the programming in these radios at, like the APX radios for example that will only program with ASKs, legacy system keys aren't even supported in the CPS.....
I guess, then, that now is the time to get a xts/xls (before it's too late)... I've been mulling it over for awhile now. Being able to work with a couple of these radios should probably help me make up my mind.
Re: Go easy on me now... system key question
My advice is don't do it.
Josh hit the nail on the head with his comments above regarding programming dates, etc. If you go into the radio and change settings then the Sys Admin sees this at a later time, get ready to ride the lightning. Like Josh, I am not the trunking police and can understand what you are trying to do. However, if changes are made outside the authorized shop, don't be surprised in the least if you get called on it. The tolerance for asshattery with trunked systems is at an all-time low and odds are they will be looking for blood if the changes are detected.
Just saying...
[R]eal men eat meat and potatoes and drop logs that would choke a donkey.
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
Thanks guys, I appreciate the advice, and know that you are looking to keep me out of trouble. 
While I could just sit down and do it for them, maybe the safest way is to just sit with them and verbally guide them through it so that they do it themselves - they do everything, using all of their own equipment. That should keep me as 'in the clear' as possible.
Apparently the radio[s], as issued by the organization, power on with some sort of "bad system key" error already... it suggests that the PD's radio room, [apparently] lacking access to the [advanced?] system key, have been making "unauthorized" changes. Frankly, it wouldn't surprise me.
This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
- Victor Xray
- DAYTON 2006/2007 SUPPORTER
- Posts: 458
- Joined: Tue May 31, 2005 11:00 am
Re: Go easy on me now... system key question
If they power on with a KEYFAIL error, that has to do with the encryption module not having a valid authentication key programmed in it.
There's nothing more permanent than a temporary solution.
- motorola_otaku
- Cock Block
- Posts: 6671
- Joined: Mon Nov 29, 2004 8:53 pm
- Location: Stinkadena, TX
Re: Go easy on me now... system key question
n3wrx wrote: This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
Is this by chance the system in question? Given that it's a full-on Astro25 9600 system and very, very new, I can just about guarantee you it shipped with ASKs for subscriber unit programming.
On a related note, I spent some time this summer next door to you in Belleville/Bloomfield. God, never again.
And the sign says you got to have a membership card to get inside.
- spareparts
- Dayton 2005/2006/2007 Supporter
- Posts: 417
- Joined: Sun Feb 27, 2005 4:33 pm
Re: Go easy on me now... system key question
Side question on ASK: At the end of useful life, is it possible to remove all programming and personalities (or restore the factory defaults) and provide a daughter ASK so you can sell or transfer the radio to another department?
Failing that, can the original owner send the radio back to /\/\ to be wiped and defaulted?
- slimbob
- 142490-000000-7
- Posts: 305
- Joined: Sun Jan 23, 2005 10:13 pm
- Location: I sold my soul for a Saber.
Re: Go easy on me now... system key question
iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
Pass me my Saber -- it's the one marked 'Bad Motherf***er'.
- escomm
- professor of rectalingus
- Posts: 4409
- Joined: Thu Mar 30, 2006 1:54 am
- Location: Chief of the CAREPOLICE
Re: Go easy on me now... system key question
slimbob wrote: iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
Why take them apart when the security holes are so big you can drive a mack truck through them? ASK means nothing.
I'd hit it so hard you'd have to be to King of England to pull me out
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
n3wrx wrote: This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
motorola_otaku wrote: Is this by chance the system in question? Given that it's a full-on Astro25 9600 system and very, very new, I can just about guarantee you it shipped with ASKs for subscriber unit programming.
On a related note, I spent some time this summer next door to you in Belleville/Bloomfield. God, never again.
Uhhhhh... "I plead the fifth amendment" on the first question.
As you have demonstrated (given I am not an anonymous user and even list my location with my user ID), the system/department in question are not hard to guess (even with the zillions of digi-trunky-flashy-whizbang systems (and LE departments) out this way. Let's just say I'm not denying your assertion just for the sake of being able to maintain plausible deniability. Re: Astro25 9600bps brand-new fanciness... that's rather what I figured based on yours (and others') earlier posts - though they have been [VERY] slowly implementing this thing for at least the last year or thereabouts (they still haven't switched over yet, still fumbling around with issuing radios and squabbling about the new dispatch center that was supposed to have been finished several months ago).
Belleville? I've been there (there's a range/FFL just off of Rte. 7), I always thought it wasn't that bad for this area of the state (the parts I've seen anyway), kind of typical middle-of-the-road working class area... at least compared to the ghetto[s] in Jersey City anyway.
But God, abandon all hope, ye who enters here. Land of horrible corruption, astronomical taxation, abusive over-legislation, hippie weirdo gun-control liberal freaks. Someday I at least want to have a modest vacation crashpad that is OUTSIDE the fascist zone comprised of New York, New Jersey, Maryland. <channeling braveheart> FREEDOM!! </channeling braveheart>
- High_Order1
- 102480-000000-3
- Posts: 159
- Joined: Mon Mar 20, 2006 8:08 pm
Re: Go easy on me now... system key question
Well....
Nothing like me to screw up an otherwise decent conversation, but since no one else seems to be able to get the thread locked....
While researching something entirely different, I found a website where this guy does nothing but create software 'virtual' dongles. Since the iButton is a dongle..............
just sayin'. Y'all probably are nineteen steps ahead, but hey, what do I know?
On the topic of anal retentive LEO radio shops (kinda redundant), I have had my share of battles with them. If, oh, say, you (theoretically) used lab to make a perfect copy of the codeplug before you started messing about, and when time came for Yearly Sniffing of the Equipment, you blew the original back in, couldn't Lab also be able to, uh, adjust the last programmed date/time/source/# of times flashed?
Oh, and just in case I haven't shit the bed enough, hey n3wrx, go ask The Googler about something called syskeygen.exe. (whistles and walks away like I've been cropdusting after Fajita Day at work)
Shawn
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
High_Order1 wrote: Well....
Nothing like me to screw up an otherwise decent conversation, but since no one else seems to be able to get the thread locked....
While researching something entirely different, I found a website where this guy does nothing but create software 'virtual' dongles. Since the iButton is a dongle..............
just sayin'. Y'all probably are nineteen steps ahead, but hey, what do I know?
On the topic of anal retentive LEO radio shops (kinda redundant), I have had my share of battles with them. If, oh, say, you (theoretically) used lab to make a perfect copy of the codeplug before you started messing about, and when time came for Yearly Sniffing of the Equipment, you blew the original back in, couldn't Lab also be able to, uh, adjust the last programmed date/time/source/# of times flashed?
Oh, and just in case I haven't shit the bed enough, hey n3wrx, go ask The Googler about something called syskeygen.exe. (whistles and walks away like I've been cropdusting after Fajita Day at work)
Shawn
Does syskeygen work with ASKs?
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
slimbob wrote: iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
escomm wrote: Why take them apart when the security holes are so big you can drive a mack truck through them? ASK means nothing.
This is like that guy who repeatedly posted on Batboard that he knew the Waris bandsplit hack - but won't respond to requests for details on how to do it. Why be such a prick tease? Either post it or don't.
If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
- spareparts
- Dayton 2005/2006/2007 Supporter
- Posts: 417
- Joined: Sun Feb 27, 2005 4:33 pm
Re: Go easy on me now... system key question
n3wrx wrote: If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
http://www.grandideastudio.com/wp-conte ... f_ch14.pdf
- escomm
- professor of rectalingus
- Posts: 4409
- Joined: Thu Mar 30, 2006 1:54 am
- Location: Chief of the CAREPOLICE
Re: Go easy on me now... system key question
n3wrx wrote: If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
spareparts wrote: http://www.grandideastudio.com/wp-conte ... f_ch14.pdf
/thread
I'd hit it so hard you'd have to be to King of England to pull me out
- n3wrx
- 142490-000000-7
- Posts: 372
- Joined: Fri Apr 13, 2007 8:28 am
- Location: Jersey City, NJ
- Contact:
Re: Go easy on me now... system key question
If I understand this document correctly, it discusses how to perform a dictionary attack against the passwords that protect the key(s) that reside in a Motorola ASK/ibutton/whatever-it's-called. 
That is quite different from syskeygen, which as I understand it (from the explanation here) can be used to access radios without bothering with the real system key or programming equipment at all.
In order to work with an existing ASK system, you would have to have prolonged access to the ASK/ibutton/whatever-it's-called device, no? Long enough to perform a dictionary attack.
- escomm
- professor of rectalingus
- Posts: 4409
- Joined: Thu Mar 30, 2006 1:54 am
- Location: Chief of the CAREPOLICE
Re: Go easy on me now... system key question
n3wrx wrote: In order to work with an existing ASK system, you would have to have prolonged access to the ASK/ibutton/whatever-it's-called device, no?
No.
I'd hit it so hard you'd have to be to King of England to pull me out
- captlpol
- No post too old... no topic too irrelevant.... I'll bump them all...Formerly K0DEN
- Posts: 245
- Joined: Fri Nov 26, 2004 9:02 pm
Re: Go easy on me now... system key question
Would it not be easier to just get a scanner to listen to said talkgroups?
Silence is golden, duct tape is silver.
- smokeybehr
- 98247E-211491-4
- Posts: 3241
- Joined: Thu Apr 19, 2007 12:58 am
- Location: In the muthaf***in' forest, bitch! Where else?
- Contact:
Re: Go easy on me now... system key question
Holy Necropost, Batman!
Reread the thread carefully...
mong wrote: If you are a chick, show us your tits
If you're a dude, show rayray your tits