Author Topic: Identifying the MCU from RT85 handheld Radio  (Read 935 times)


Offline Cassus

  • Contributor
  • Posts: 6
  • Country: be
Identifying the MCU from RT85 handheld Radio
« on: June 11, 2021, 03:36:29 pm »
Hello,

I am trying to reverse engineer an RT85 Retevis handheld radio in order to produce a custom firmware. The main problem I have is to figure out the microcontroller they are using. They went through the effort of grinding the top of the chip to make it harder for people to guess what it is.
The remains of a logo are still distinguishable on the bottom of the chip. Does anyone recognize a brand logo? I doubt it is an obscure Chinese manufacturer, otherwise they would have tried to mask it.

Also, the programming port has only 4 pins, so I guess VDD, VSS, Data and Reset. That already excludes some brands like Microchip, which uses at least 5 pins.

I have access to a J-Link, ST-Link, ICD3, Oscilloscope and Logic Analyzer if that can help.


Here are the pictures:

[attached pictures of the PCB and the ground-down chip]

BTW, the TH-UV88 handheld radio from TYT uses the same PCB and doesn't erase the markings, so if anyone has one lying around...
 

Offline geggi1

  • Regular Contributor
  • *
  • Posts: 168
Re: Identifying the MCU from RT85 handheld Radio
« Reply #1 on: June 11, 2021, 08:08:18 pm »
I guess this is a game of elimination.
Finding possible candidates for MCUs in the same package is a good start.
Reverse engineer the circuit around the MCU to find pins that are detectable, like power, GND, data buses for communication with other devices, and programming of the radio.
Do the elimination by checking datasheets for the possible candidates.
 

Offline Cassus

  • Contributor
  • Posts: 6
  • Country: be
Re: Identifying the MCU from RT85 handheld Radio
« Reply #2 on: June 12, 2021, 08:08:59 am »
The problem with the package is that there is an insane number of different MCUs when you dig a little. There are the common brands like Microchip, Atmel and STM, but tons of small ones too. That's like finding a needle in a haystack.

Plus, the remains of the logo kinda look familiar, so that's even more frustrating.
 

Offline Cassus

  • Contributor
  • Posts: 6
  • Country: be
Re: Identifying the MCU from RT85 handheld Radio
« Reply #3 on: June 12, 2021, 09:25:58 am »
I think I found the logo. It is similar to the one from another chip on the PCB. That makes sense, as they would use chips from the same manufacturer.
Can't find any info on any QFP 48 chip on Beken's website though.

« Last Edit: June 12, 2021, 09:33:12 am by Cassus »
 

Online amyk

  • Super Contributor
  • ***
  • Posts: 7443
Re: Identifying the MCU from RT85 handheld Radio
« Reply #4 on: June 14, 2021, 01:25:30 pm »
That's because it's a QFN32...

http://antena.fe.uni-lj.si/literatura/Razno/BK4815/BK4815N_Datasheet_v1.0.1.pdf

But Beken don't make MCUs. I'd say the erased logo looks more like Silabs or Cypress.
 

Offline EOZ

  • Newbie
  • Posts: 4
  • Country: es
Re: Identifying the MCU from RT85 handheld Radio
« Reply #5 on: June 18, 2021, 04:16:56 pm »
It is a SC95F7617 from SinOne. An 8051-based microcontroller.

[attached pictures]

I have been trying to find the 32-bit block cipher used in the firmware with no success yet. The microcontroller is read protected, so no clean firmware reading is possible.

Good luck!
 


Online andynvkz

  • Newbie
  • Posts: 3
  • Country: ru
Re: Identifying the MCU from RT85 handheld Radio
« Reply #7 on: June 22, 2021, 02:50:17 pm »
Quote from: EOZ on June 18, 2021, 04:16:56 pm
It is a SC95F7617 from SinOne. An 8051-based microcontroller.

I have been trying to find the 32-bit block cipher used in the firmware with no success yet. The microcontroller is read protected, so no clean firmware reading is possible.

Good luck!

TEA 32bit block 64bit key

https://vrtp.ru/index.php?showtopic=32228&st=0 - the most up-to-date information
« Last Edit: June 22, 2021, 03:14:52 pm by andynvkz »
 

Offline EOZ

  • Newbie
  • Posts: 4
  • Country: es
Re: Identifying the MCU from RT85 handheld Radio
« Reply #8 on: June 26, 2021, 10:58:19 pm »
Thank you for the info, but I need some proof or at least a good clue before putting a computer to break the key, because it can be TEA, but it can also be Skip32, Skipjack, SPECK, RC5, or any other of the hundreds of 32-bit block ciphers available out there.

Unfortunately I have only a few plaintext <--> ciphertext pairs, so it is impossible to make any analysis to guess the cipher used.
 

Online andynvkz

  • Newbie
  • Posts: 3
  • Country: ru
Re: Identifying the MCU from RT85 handheld Radio
« Reply #9 on: June 29, 2021, 11:06:25 pm »
Forgot about KeeLoq. In fact, there are not so many algorithms suitable for this processor. I also wondered, but the documentation on SC contains descriptions of a bootloader working via UART with encryption. I asked SinOne for this information; they sent me the source codes of the bootloader and ready utilities for working with it, and lo and behold... TEA is used there. I'm 90% sure that TYT did not change anything.
 

Offline EOZ

  • Newbie
  • Posts: 4
  • Country: es
Re: Identifying the MCU from RT85 handheld Radio
« Reply #10 on: July 05, 2021, 03:53:28 pm »
Interesting... I have the SinOne bootloader tool, documentation and source codes, but no encryption in any of these bootloaders or documents.

It would be nice to have a look at the source code of a bootloader supporting encryption.
 


Offline EOZ

  • Newbie
  • Posts: 4
  • Country: es
Re: Identifying the MCU from RT85 handheld Radio
« Reply #12 on: July 09, 2021, 07:44:55 pm »
Thank you!

You were right. They didn't modify a single bit of the TEA32 algorithm.

Time to crunch some keys.
« Last Edit: July 10, 2021, 07:06:45 pm by EOZ »
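Standard TEA as published by Wheeler and Needham (64-bit block, 128-bit key, 32 cycles, delta 0x9E3779B9), added here as a reference implementation; it is not code from the thread, from SinOne's bootloader sources or from the radio firmware. The key and data block in tea_roundtrip_ok are constructed values, and tea_selftest uses the published all-zero TEA test vector, so a known plaintext/ciphertext pair like the ones EOZ mentions can be checked against the unmodified algorithm with tea_key_matches.

```c
#include <stdint.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_CYCLES 32

/* One TEA cycle = two Feistel rounds; v[] is the 64-bit block as two
 * little-endian 32-bit words, k[] the 128-bit key as four words. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_CYCLES; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Inverse: start from sum = 32 * delta (0xC6EF3720) and undo the rounds. */
void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_CYCLES;
    for (int i = 0; i < TEA_CYCLES; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* 1 if key k maps the known plaintext block pt to the known ciphertext ct. */
int tea_key_matches(const uint32_t k[4], const uint32_t pt[2], const uint32_t ct[2]) {
    uint32_t tmp[2] = { pt[0], pt[1] };
    tea_encrypt(tmp, k);
    return tmp[0] == ct[0] && tmp[1] == ct[1];
}

/* Published TEA vector: all-zero key and block -> 41EA3A0A 94BAA940. */
int tea_selftest(void) {
    const uint32_t k[4]  = { 0, 0, 0, 0 };
    const uint32_t pt[2] = { 0, 0 };
    const uint32_t ct[2] = { 0x41EA3A0Au, 0x94BAA940u };
    return tea_key_matches(k, pt, ct);
}

/* Constructed key and block: encrypt must change the block, decrypt restore it. */
int tea_roundtrip_ok(void) {
    const uint32_t k[4] = { 0xDEADBEEFu, 0x01234567u, 0x89ABCDEFu, 0x0BADF00Du };
    uint32_t v[2] = { 0x11223344u, 0x55667788u };
    tea_encrypt(v, k);
    if (v[0] == 0x11223344u && v[1] == 0x55667788u) return 0;
    tea_decrypt(v, k);
    return v[0] == 0x11223344u && v[1] == 0x55667788u;
}
```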
 

