Motorola Advanced System Key hacking help

Medictrode · August 12, 2023, 8:57am

Hello all,

I got the Flipper Zero to try and see if I could copy and emulate the Motorola Advanced System Key(ASK). Said “key” uses an DS1996 iButton that goes into a USB reader. This key will allow the Motorola CPS(aka radio programming software) to program certain features into the radio, such as trunking radio systems and ID’s.

I am authorized to have such a key, and for fun wanted to see if I can copy and/or emulate it. I purchased another blank DS1996 iButton, and the Flipper will read the iButton, and it says it writes to the blank one, however the radio software doesn’t recognize it as a valid ASK. I am curious as to why, and if there are any other ways of doing this including different devices that may be more advanced and can handle such a job.

Again, this is just for experimental and curiosity purposes as I already have the key to program my radios with… Thank you for the time.

jmr · August 13, 2023, 8:40am

Make sure the “blanks” you bought can be written to. Sometime they can’t but it appear they were successfully written. After writing them try to read them so you know the data was written correctly.

I’m a ham radio operator so I find this very interesting. I didn’t know any radios used i-Button technology to protect them.

EDIT: I was reading more on these and found a funny story. Someone helpfully changed the “battery” in one guys i-button dongle. Of course they had removed the i-button and replaced it with a common coin cell.

Spildit · August 21, 2023, 6:41pm

Try to READ the “blank” after write to it and check if the data written is the intended one.

Can you share the data/key of the Motorola Advanced System Key(ASK) that you have ? It would be nice…

Also try to programm a blank with 0C FF FF FF FF FF FF 17 check if it works …

When you read your key does it start with 0C and checksum is correct ? If not flipper might be reading less data than intended …

Also … does emulation using the flipper works on your key/system ?

Spildit · August 21, 2023, 6:55pm

By the way …

DS1996 is an iButton with 64kbits (8KBytes) of EEPROM storage (256 pages, each 32 bytes).

Maybe you have a “larger” DS1996 and flipper is just reading/emulating the start of the content/key/data …

Medictrode · August 27, 2023, 10:00am

Sorry for taking so long to reply, It’s been a battle updating our fleet of Radios.

jmr: Motorola has used the iButton in some shape for many years now. The previous generation of radios, such as the Astro Saber and XTS-3000 used the iButton solely for feature and firmware updating. CPS wouldn’t allow you to do these functions without same, and it would plug into a special RIB box vs the normal one for general programming. The iButtons back then were hacked and people were able to flash any firmware they wanted, as well as any feature they wanted. I am not sure how that as achieved, but it would be cool to learn. Motorola doesn’t care much about those radios as they aren’t used or compatible with modern trunked radio systems.

The next generation of radios, such as the XTS-5000 used a “flash Zap” method as well as the iButton for firmware and feature upgrades. Although, the Depot CPS which was leaked from Motorola allowed you to make any codeplug for these types of radios, with literally any function. A popular one was FPP(Front panel programming) which was a Govt. only feature and make it like a typical HAM radio so you could directly punch in any frequency you wanted. As long as it was a type 3 radio(aka with a keypad).

The newest generation of Motorola radios, such as the APX series utilize the iButton as an Advanced System Key in a USB dongle. This allows the system admin to lock down the radio once it’s programmed. They can also make daughter keys with limited functionality to give to subscribers. It’s come a long was from the previous gen or radios that used a software system key, which was easily hackable with a simple DOS program.

Medictrode · August 27, 2023, 10:13am

I tried to upload the iButton dump here, but it said permission was denied. I uploaded it onto Google Drive, hopefully you can download it.

Thank you all for the replies. The extra knowledge on all of this is much appreciated.

(Ask.ibtn - Google Drive)

jmr · August 27, 2023, 4:25pm

Thanks for the reply! Life can get busy.

I have some Motorola radios but they are older models. When commercial was required to switch to narrow band most of their wide band radios ended up in the hands of Hams. If I remember correctly two of mine just needed a jumper moved to enable programming from the face. A couple other ones a friend programmed for me. I did get an old RIB box at a hamfest recently. The problem is serial to USB adapters aren’t very reliable to program those old radios. Most Hams I know keep ancient computers around to do the programming. Those old commercial radios are solid though and have a lot of life in them still.

OverClocked · January 7, 2024, 12:13pm

@Medictrode did you ever get anywhere with this? I am trying to do the same thing. I am wondering if there is a reset value in the Motorola iButtons that is throwing the emulation off.

I will be getting a reader soon to look at the raw files, but curious if you made any progress in this direction.

Medictrode · January 19, 2024, 2:27am

I haven’t made it much further, although I’ve been enjoying programming radios with the ASK I have and not worrying about the expiration date that was set on it. I just need to re write the ibutton file and change the date on my computer. I ld like to do what you’re doing though, and change the code so it’s unlimited. Please let me know if you figure anything out sir.

Jaasenjones · January 30, 2024, 3:00am

Does anyone actually know the specific type of ibutton used for apx?

Timjim · February 7, 2024, 4:56pm

i new to this… i was wandering what i need – hardware/software to do what you are trying. copy an ibutton motoro ask… could you elaborate on everything i need to do this.
thanks so much.
t

Spildit · February 7, 2024, 5:39pm

To start you would need at least one flipper zero…

Nbraves12 · February 9, 2024, 11:21pm

How are you able to change the expiration date? Is there a program that got leaked or are you physically changing code?

Medictrode · February 15, 2024, 3:52am

I haven’t been able to figure out how to actually change the date, so any help would be appreciated. I however have the iButton saved from a day where it wasn’t expired, and I load that onto the iButton, then change my computer to said date and it works. If you just change the date on the computer without loading that days iButton dump, it will wipe the iButton once it’s loaded into CPS.

ryanthomp · March 18, 2024, 7:19pm

Just curious have you been able to use the flipper as the One-Wire device to read the IButton for use in ASK Administator?

DarkFlip · April 2, 2024, 7:10pm

Hi Medictrode,
Open your iButton file in Notepad. In your SRAM Data, go to byte 97 (right after all the 55 55 55 …). Change the next 28 bytes to 17 B7 58 D4 5D 4C 57 99 40 A1 A2 88 77 CA FE 69 08 83 86 21 C6 38 E9 00 80 EB 55 55. This will make the expiration date 1/1/26.

Medictrode · April 3, 2024, 8:03pm

Wow! I really appreciate you looking into this. I did as instructed, however CPS isn’t recognizing it as a valid ASK. I will certainly keep tinkering though, as I am sure you’re onto something.