jladm – SQ5BPF notes

2026-01-23

Listening to TETRA encrypted communications

In 2014 i have released the first publicly available software that could monitor unencrypted voice calls on a TETRA network (and also some data: SDS, status etc). This software was called telive.

Previously the network operators intentionally did bother with encryption. This pushed network operators to use it. The world got more secure.

While better than nothing, this encryption was proprietary. The public could not audit it. Historically when the algorithm was not disclosed it was often found to be weak (such as A5/1 in GSM).

In 2023 Midnight Blue released their fantastic work on reverse engineering the TETRA encryption algorithms. They published an implementation of TEA1-4 and also found deliberate weakening of the TEA1 protocol.

So at the turn of 2025/2026 i have released an experimental version of my software which can monitor encrypted calls on a TETRA network. This is of course only if you know the encryption keys (see below on how to obtain them). Also i added support for the reduced keys for TEA1. And also released software to recover the reduced key from on-air traffic.

Hope this will further push operators to step up their security.

Continue reading “Listening to TETRA encrypted communications”

2020-12-05

Etherify 5

Another etherify article, this time transmitting via a covert channel from an air-gapped network by controlling switch ethernet interfaces via SNMP.

See:

Etherify 5 – switching the switches

2020-11-30

Linksys LGS318 serial console pinout

Linksys LGS318 serial console pinout:

Continue reading “Linksys LGS318 serial console pinout”

2020-11-272020-11-27

Etherify 3 and 4

I’ve added two etherify articles to the Soft TEMPEST series, one showing an exceptionally strong signal radiated from a raspberry pi 4b, and another showing that regular ethernet hardware can also be used.

Please see:

Etherify – bringing the ether back to ethernet

Etherify 3 – the PI 4’s dirty little secret

Etherify 4 – back to earth with “normal” ethernet hardware

2020-11-162020-11-16

Sonify

I’ve published Sonify. This is a script to transmit data via ultrasound Morse code. Please see: Sonify – transmitting data via ultrasound morse code

This is another article in the Soft TEMPEST series. Please see also:

Etherify – bringing the ether back to ethernet

2020-11-12

Moxon antenna for 125MHz

I’ve always wanted to make a Moxon antenna, but didn’t have an excuse to do so. Recently i needed a very lightweight directional antenna for Etherify with not so much gain, but considerable F/B, so i finally had the excuse i needed.

Continue reading “Moxon antenna for 125MHz”

2020-10-312020-11-10

TR-9000 CW semi-BK mod

To transmit CW on the Kenwood TR-9000, TR-9130, TR-9300, TR-9500 (and maybe other) transceivers one has to hold the PTT on the microphone (or on the optional BO-9 base) and only then transmit using the KEY. For some reason the Kenwood thought this would be an excellent idea.

This is a simple external semi-BK circuit implementation, so that you can just press the key to transmit. No modifications inside the radio are necessary.

The circuit is connected to the STBY (2.5mm jack) and KEY (3.5mm jack). Connect the key to the CW KEY terminals. To increase the time make the capacitor bigger, currently it is 3000uF (3x 1000uF in parallel). The diodes are any silicon diode like 1N4148, 1N914, 1N4001 etc.

Keep in mind that the capacitor is charged to 8V, so that the key has temporarlily 360mA flowing thorugh it. No problem for a straight key, but it might be an issue with some electronic keyers.

See the circuit in action here:

VY 73 de SQ5BPF