Go easy on me now... system key question

n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Go easy on me now... system key question

Post by n3wrx »

Hi guys,

If you have [legal] possession of a radio (XTS series) programmed to a given P25 trunked system, is it possible to retrieve the system key for that trunked system from that radio (assuming you have software)?

Thanks.

-j
VE9MP
98247E-011480-1
Posts: 1348
Joined: Wed Oct 27, 2004 11:18 am
Location: What ya lookin' at my gut fer?

Re: Go easy on me now... system key question

Post by VE9MP »

No, the system key is an actual computer file, that has to be in a certain folder on your computer, that your CPS looks for....

Or alternatively, depending on how new the system is, it could be an Advanced System Key required, which is an actual hardware dongle that has to be connected to the computer, research iButtons for more info, but essentially there is a single Master key, from Motorola, from which daughter keys can be created, that customizes what the end user can program, like ranges of IDs, and they have expiry dates.... I did some research into iButtons and what it would take to "make" one, but it's way over my head, I'm sure other people have figured it out or found a loophole.....
Nick
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

Can you add conventional stuff to a radio with a programmed trunked system without the system key?
VE9MP
98247E-011480-1
Posts: 1348
Joined: Wed Oct 27, 2004 11:18 am
Location: What ya lookin' at my gut fer?

Re: Go easy on me now... system key question

Post by VE9MP »

Yes, as long as it wasn't programmed with an ASK....
Nick
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

Thanks man, appreciate the info.

What about scan lists/scan priorities? Can those be changed with an existing trunked system without the key (assuming no ASK)?

Sorry about all the questions, trying to help someone out (really).
motorola_otaku
Cock Block
Posts: 6671
Joined: Mon Nov 29, 2004 8:53 pm
Location: Stinkadena, TX

Re: Go easy on me now... system key question

Post by motorola_otaku »

Scanlists can be added and deleted. You can add and remove trunked personalities from said scanlists. Zone/Channel assignments can be added, deleted, and renamed. Trunked talkgroup names can be edited. Conventional personalities can be added, deleted, and manipulated every way imaginable. What not having the system key does is lock you out of that particular system's settings AND the settings of any personality assigned to it.

Now, as VE9MP pointed out, if your radio was touched by an Advanced System Key then you can write off doing anything to it ever again without one of two things:
-another Advanced System Key; caveat: if it is for a different SysID than the one in the radio, you won't be able to mess with that system's settings at all.
-(XTS3000 only) a DOS RSS codeplug or s-record of that radio with matching model number, serial number, and Flashcode.

Now, I am not the BATLABS TRUNKING POLICE nor do I necessarily agree with the tack they take on people asking similar questions, but I do have to throw this hypothetical at you as a caution: let's say you or a friend have a legitimately-programmed Motorola trunking/P25 radio and every right in the world to be operating on the systems in it, but you make some non-system-key-required changes to it with your own programming kit. When that radio goes back to its designated programmer for system updates or whatever, they are going to see the changes made to it (the Last Programmed Date among other things) and you or your friend may find some hard questions posed to you by gentlemen with badges. In that event it would be wise for you or your friend to have your asses appropriately covered, preferably in the form of written permissions on company or department letterheads. But that's just, like, my opinion, man.
And the sign says you got to have a membership card to get inside.
VE9MP
98247E-011480-1
Posts: 1348
Joined: Wed Oct 27, 2004 11:18 am
Location: What ya lookin' at my gut fer?

Re: Go easy on me now... system key question

Post by VE9MP »

In another 5 years or so I can see ASKs being a major obstacle for us M nerds, once these new radios start hitting eBay or government surplus, we aren't going to be able to manipulate the programming in these radios at all, like the APX radios for example that will only program with ASKs, legacy system keys aren't even supported in the CPS.....
Nick
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

Thanks again for the reply and the information. I also appreciate the warning, Josh (great name!), and it is good information to know, and useful food for thought.

The friend is LE with many years on the force and more than a couple stripes on the sleeve. BUT, since s/he obviously doesn't have quite enough influence to just get the programming done "officially", I will be sure to discuss it with him/her before we start writing any codeplugs (assuming we are even able).

Based on the conversations we've had thus far, I believe that my name would not be mentioned, and s/he would probably just be chewed out... at worst. But I'll confirm. Assuming anyone even noticed... which based on my understanding of the less-than-organized environment there, is unlikely to begin with. We're talking about changing some scan lists and/or scan priorities - probably nothing beyond that.
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

VE9MP wrote: In another 5 years or so I can see ASKs being a major obstacle for us M nerds, once these new radios start hitting eBay or government surplus, we aren't going to be able to manipulate the programming in these radios at all, like the APX radios for example that will only program with ASKs, legacy system keys aren't even supported in the CPS.....
I guess, then, that now is the time to get a xts/xls (before it's too late)... I've been mulling it over for awhile now. Being able to work with a couple of these radios should probably help me make up my mind.
007
98247E-011480-1
Posts: 1560
Joined: Wed Jun 23, 2004 2:28 am
Location: Burpleson Air Force base

Re: Go easy on me now... system key question

Post by 007 »

My advice is don't do it.

Josh hit the nail on the head with his comments above regarding programming dates, etc. If you go into the radio and change settings then the Sys Admin sees this at a later time, get ready to ride the lightning. Like Josh, I am not the trunking police and can understand what you are trying to do. However, if changes are made outside the authorized shop, don't be surprised in the least if you get called on it. The tolerance for asshattery with trunked systems is at an all-time low and odds are they will be looking for blood if the changes are detected.

Just saying...
[R]eal men eat meat and potatoes and drop logs that would choke a donkey.
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

Thanks guys, I appreciate the advice, and know that you are looking to keep me out of trouble.

While I could just sit down and do it for them, maybe the safest way is to just sit with them and verbally guide them through it so that they do it themselves - they do everything, using all of their own equipment. That should keep me as 'in the clear' as possible.

Apparently the radio[s], as issued by the organization, power on with some sort of "bad system key" error already... it suggests that the PD's radio room, [apparently] lacking access to the [advanced?] system key, have been making "unauthorized" changes. Frankly, it wouldn't surprise me.

This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
Victor Xray
DAYTON 2006/2007 SUPPORTER
Posts: 458
Joined: Tue May 31, 2005 11:00 am

Re: Go easy on me now... system key question

Post by Victor Xray »

If they power on with a KEYFAIL error, that has to do with the encryption module not having a valid authentication key programmed in it.
There's nothing more permanent than a temporary solution.
motorola_otaku
Cock Block
Posts: 6671
Joined: Mon Nov 29, 2004 8:53 pm
Location: Stinkadena, TX

Re: Go easy on me now... system key question

Post by motorola_otaku »

n3wrx wrote:This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
Is this by chance the system in question? Given that it's a full-on Astro25 9600 system and very, very new, I can just about guarantee you it shipped with ASKs for subscriber unit programming.

On a related note, I spent some time this summer next door to you in Belleville/Bloomfield. God, never again. :anus:
And the sign says you got to have a membership card to get inside.
spareparts
Dayton 2005/2006/2007 Supporter
Posts: 417
Joined: Sun Feb 27, 2005 4:33 pm

Re: Go easy on me now... system key question

Post by spareparts »

Side question on ASK: At the end of useful life, is it possible to remove all programming and personalities (or restore the factory defaults) and provide a daughter ASK so you can sell or transfer the radio to another department?

Failing that, can the original owner send the radio back to /\/\ to be wiped and defaulted?
slimbob
142490-000000-7
Posts: 305
Joined: Sun Jan 23, 2005 10:13 pm
Location: I sold my soul for a Saber.

Re: Go easy on me now... system key question

Post by slimbob »

iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
Pass me my Saber -- it's the one marked 'Bad Motherf***er'.
escomm
professor of rectalingus
Posts: 4409
Joined: Thu Mar 30, 2006 1:54 am
Location: Chief of the CAREPOLICE

Re: Go easy on me now... system key question

Post by escomm »

slimbob wrote:iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
Why take them apart when the security holes are so big you can drive a mack truck through them? ASK means nothing.
I'd hit it so hard you'd have to be the King of England to pull me out
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

motorola_otaku wrote:
n3wrx wrote:This may be moot anyway - it's a very recently implemented system, they might be using ASKs, in which case we're boned - I'll just help them program their personal radio for the hammy sh*t.
Is this by chance the system in question? Given that it's a full-on Astro25 9600 system and very, very new, I can just about guarantee you it shipped with ASKs for subscriber unit programming.

On a related note, I spent some time this summer next door to you in Belleville/Bloomfield. God, never again. :anus:
Uhhhhh... "I plead the fifth amendment" on the first question. :baby: As you have demonstrated (given I am not an anonymous user and even list my location with my user ID), the system/department in question are not hard to guess (even with the zillions of digi-trunky-flashy-whizbang systems (and LE departments) out this way). Let's just say I'm not denying your assertion just for the sake of being able to maintain plausible deniability.

Re: Astro25 9600bps brand-new fanciness... that's rather what I figured based on yours (and others') earlier posts - though they have been [VERY] slowly implementing this thing for at least the last year or thereabouts (they still haven't switched over yet, still fumbling around with issuing radios and squabbling about the new dispatch center that was supposed to have been finished several months ago).

Belleville? I've been there (there's a range/FFL just off of Rte. 7), I always thought it wasn't that bad for this area of the state (the parts I've seen anyway), kind of typical middle-of-the-road working class area... at least compared to the ghetto[s] in Jersey City anyway.

But God, abandon all hope, ye who enters here. Land of horrible corruption, astronomical taxation, abusive over-legislation, hippie weirdo gun-control liberal freaks. Someday I at least want to have a modest vacation crashpad that is OUTSIDE the fascist zone comprised of New York, New Jersey, Maryland. <channeling braveheart> FREEDOM!! </channeling braveheart>
High_Order1
102480-000000-3
Posts: 158
Joined: Mon Mar 20, 2006 8:08 pm

Re: Go easy on me now... system key question

Post by High_Order1 »

Well....

Nothing like me to screw up an otherwise decent conversation, but since no one else seems to be able to get the thread locked....

While researching something entirely different, I found a website where this guy does nothing but create software 'virtual' dongles. Since the iButton is a dongle..............


just sayin'. Y'all probably are nineteen steps ahead, but hey, what do I know?


On the topic of anal retentive LEO radio shops (kinda redundant), I have had my share of battles with them. If, oh, say, you (theoretically) used lab to make a perfect copy of the codeplug before you started messing about, and when time came for Yearly Sniffing of the Equipment, you blew the original back in, couldn't Lab also be able to, uh, adjust the last programmed date/time/source/# of times flashed?


Oh, and just in case I haven't shit the bed enough, hey n3wrx, go ask The Googler about something called syskeygen.exe. (whistles and walks away like I've been cropdusting after Fajita Day at work)

Shawn
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

High_Order1 wrote:Well....

Nothing like me to screw up an otherwise decent conversation, but since no one else seems to be able to get the thread locked....

While researching something entirely different, I found a website where this guy does nothing but create software 'virtual' dongles. Since the iButton is a dongle..............


just sayin'. Y'all probably are nineteen steps ahead, but hey, what do I know?


On the topic of anal retentive LEO radio shops (kinda redundant), I have had my share of battles with them. If, oh, say, you (theoretically) used lab to make a perfect copy of the codeplug before you started messing about, and when time came for Yearly Sniffing of the Equipment, you blew the original back in, couldn't Lab also be able to, uh, adjust the last programmed date/time/source/# of times flashed?


Oh, and just in case I haven't shit the bed enough, hey n3wrx, go ask The Googler about something called syskeygen.exe. (whistles and walks away like I've been cropdusting after Fajita Day at work)

Shawn
Does syskeygen work with ASKs?
VE9MP
98247E-011480-1
Posts: 1348
Joined: Wed Oct 27, 2004 11:18 am
Location: What ya lookin' at my gut fer?

Re: Go easy on me now... system key question

Post by VE9MP »

No
Nick
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

escomm wrote:
slimbob wrote:iButtons are damn near impossible to take apart and keep working. The CIA/NSA has only managed it a few times.
Why take them apart when the security holes are so big you can drive a mack truck through them? ASK means nothing.
This is like that guy who repeatedly posted on Batboard that he knew the Waris bandsplit hack - but won't respond to requests for details on how to do it. Why be such a prick tease? Either post it or don't.

If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
spareparts
Dayton 2005/2006/2007 Supporter
Posts: 417
Joined: Sun Feb 27, 2005 4:33 pm

Re: Go easy on me now... system key question

Post by spareparts »

n3wrx wrote:If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
http://www.grandideastudio.com/wp-conte ... f_ch14.pdf
escomm
professor of rectalingus
Posts: 4409
Joined: Thu Mar 30, 2006 1:54 am
Location: Chief of the CAREPOLICE

Re: Go easy on me now... system key question

Post by escomm »

spareparts wrote:
n3wrx wrote:If this is really true, why not post the details? Obviously no one else here seems to know what you claim to know... thus, the information could be quite useful to many.
http://www.grandideastudio.com/wp-conte ... f_ch14.pdf
/thread
I'd hit it so hard you'd have to be the King of England to pull me out
n3wrx
142490-000000-7
Posts: 372
Joined: Fri Apr 13, 2007 8:28 am
Location: Jersey City, NJ

Re: Go easy on me now... system key question

Post by n3wrx »

If I understand this document correctly, it discusses how to perform a dictionary attack against the passwords that protect the key(s) that reside in a Motorola ASK/ibutton/whatever-it's-called.

That is quite different from syskeygen, which as I understand it (from the explanation here) can be used to access radios without bothering with the real system key or programming equipment at all.

In order to work with an existing ASK system, you would have to have prolonged access to the ASK/ibutton/whatever-it's-called device, no? Long enough to perform a dictionary attack.
escomm
professor of rectalingus
Posts: 4409
Joined: Thu Mar 30, 2006 1:54 am
Location: Chief of the CAREPOLICE

Re: Go easy on me now... system key question

Post by escomm »

n3wrx wrote: In order to work with an existing ASK system, you would have to have prolonged access to the ASK/ibutton/whatever-it's-called device, no?
No.
I'd hit it so hard you'd have to be the King of England to pull me out
captlpol
No post too old... no topic too irrelevant.... I'll bump them all...Formerly K0DEN
Posts: 245
Joined: Fri Nov 26, 2004 9:02 pm

Re: Go easy on me now... system key question

Post by captlpol »

Would it not be easier to just get a scanner to listen to said talkgroups?
Silence is golden, duct tape is silver.
smokeybehr
98247E-211491-4
Posts: 3241
Joined: Thu Apr 19, 2007 12:58 am
Location: In the muthaf***in' forest, bitch! Where else?

Re: Go easy on me now... system key question

Post by smokeybehr »

Holy Necropost, Batman!

Reread the thread carefully...
mong wrote: If you are a chick, show us your tits
If you're a dude, show rayray your tits