|
|
|
|
ETSI TETRA Motorola
The device is housed in a die-cast aluminium enclosure that measures
198 × 188 × 60 mm and weights 1500 grams. It has the form factor of a
standard car stereo, which makes it easier to install it in an empty
space at the dashboard.
The device is intended for use as part of the critical infrastructure
of a country, by services like police, fire and ambulance, and has a
built-in GPS receiver that regularly reports the user's position.
In case of distress, the user can press a red button at the left of the
front panel, after which assistence can be rushed to the scene.
|
|
|
When the device is used by public safety services, it is important that
conversations are protected against evesdropping. In such cases, it
will have TEA2 or TEA3 encryption.
Civil organisations and companies have to settle for the less secure
TEA1 encryption, or (in most cases) no encryption at all.
Encryption keys can be entered manuall by means of a key loading
device, but can also be updated remotely, using OTAR. 1
The MTM5400 was still available from Motorola in 2023.
|
-
Over The Air Re-keying (OTAR) on TETRA was first instroduced
with the MTM5400 series.
|
The MTM5000-series is available in a wide range of versions and
variants. Some (but not all) features can be deduced from the model number.
The following series are known:
|
MTM-5400 All-in-one transceiver MTM-5500 Like MTM5400 but with detached control head (front panel)
|
MTM-5400 is an all-in-one unit in the shape of a car stereo. It is
suitable for use in fixed setups, such as a control room, as well as
in a vehicle. In the latter case it can be fitted into the empty space
for a car stereo, or elsewhere by using a mounting bracket. All control
are at the front panel. A handheld microphone can be connected to the
microphone socket at the bottom left.
All other connections are at the rear. This includes the connections
to the 12V DC power source, an antenna and (optionally) a GPS receiver.
There is also a 26-bit expansion connector on which all analog and
digital signals are available. A speaker should be connected to this
connector.
|
For more complex setups, the MTM-5500 series can be used. In the
minimum configuration it comprises a 'blind' radio with a single
expansion head, a separate remote control head, and an ethernet-style
interconnection cable, as shown in the image below. The controls on
tbe remote control head and connections at the rear of the radio
are identical to those of the MTM-5400.
Other configurations are also available, such as a dual control head
that allows up to two control heads to be connected to a single radio,
or a setup in which two radios can be controlled from a single
remote control head. The standard remote control head could also be
replaced by a telephone-style control head.
|
The MTM5400 has the following modes of operation:
|
TMO Trunked Mode Operation DMO Direct Mode Operation DMGW Direct Mode Gaterway Mode DMOR DMO Repeater
|
By default, the device is used in TMO, which requires the presence
of a compatible base station (BS). In that case, all (encrypted)
conversations are routed via the base station. At short range, the
device can also be used in DMO for direct communication between
users, but in that case the conversation will not be encrypted.
In DMOR mode, the MTM5400 is used as a repeater for nearby DMO
stations. In DMGW mode, nearby DMO stations are relayed to the
TMO network.
|
There are differences in frequency
range and mounting variations, all with or without encryption.
Confusingly, the model number 'MTM5400' is not printed anywhere
on the body of the radio. Instead, a separate type number
is used – e.g. MT953C – along with a sales model number
– e.g. M83PFS6TZ5AN.
In addition, numerous variants are known, including:
|
- Clear
- Encrypted with TEA1, TEA2 or TEA3
- Dashboard mount (single unit)
- Enhanced control head
- Remote head
- Low, medium, high power
|
The radio is built around a Texas Instruments (TI) OMAP-L-138 System-on-Chip
(SoC), which contains an ARM9 processor core and a TI C6748
Digital Signal Processor (DSP) [a].
The software inside the radio runs in a
so-called Trusted Execution Environment (TEE), which makes it possible to
load and execute confidential code without revealing its
implementation. The encryption algorithms (TAA and TEA) –
which run on the embedded DSP – are protected this way, so that a
malicious party cannot extract the confidential code and encryption keys
from a working radio. 1
|
|
Air Interface Encryption
AIE
|
|
|
Voice and data traffic on a TETRA network can optionally be protected
against eavesdropping by means of encryption, subject to local regulations
and permissions. For Air Interface Encryption (AIE), the following
ETSI-developed algorithms 2 are available on the MTM5400:
|
- TAA1
A series of algorithms and functions for authentication and
Over The Air Re-keying (OTAR), based on the proprietary HURDLE II block
cipher, developed at the Royal Holloway University of London (UK)
and validated by ETSI-SAGE.
- TEA1
A (weak) algorithm for the encryption of voice and data traffic,
intended for civil use and export, based on a proprietary stream cipher
developed at Philips Crypto BV in Eindhoven (Netherlands).
The key length is internally reduced from 80 to 32 bits.
- TEA2
A strong algorithm for the encryption of voice and data traffic,
intended for use by public safety and emergency services (police, fire,
ambulance, etc.) within Europe, based on a proprietary stream cipher
developed at Philips Crypto BV in Eindhoven (Netherlands).
- TEA3
Similar to TEA2, but intended for emergency and public safety services
outside Europe.
|
Depending on the type of customer and the geographical location, a maximum of
one TEA algorithm would be assigned: TEA1, TEA2 or TEA3.
When the MTM5400 was used by a police force in, say, the Netherlands,
the TEA2 algorithm would be used. This is the case, for example,
on the Dutch public safety TETRA network C2000.
A similar network in, say, China would use the TEA3 algorithm.
All other services would either use TEA1 or no encryption at all (i.e. clear).
|
-
Compromised in 2023 by the Dutch cyber security firm Midnight Blue.
➤ More
-
ETSI also developed the TEA4 algorithm, but this is not
available on the Motorola MTM5400.
|
|
End-to-End Encryption
E2EE
|
|
|
In most cases, Air Interface Encryption (AIE, see above) offers sufficient
protection against eavesdropping, but in case AIE isn't trusted or when
radios are used without AIE are used, end-to-end encryption (E2EE)
can be added to the data stream by installing a SIM card at the left side
of the radio.
In most cases AES256 is used for E2EE, but this is a rather
expensive option.
The image on the right shows the position of the SIM card slot
at the left side of the radio, just behind the front panel.
It requires the black plastic case cover to be removed first.
|
|
|
On 24 July 2023, researchers from the Dutch cyber security firm
Midnight Blue revealed that they had
succeeded in extracting the firmware from a working MTM-5400
and had subsequently reverse-engineered and analysed the code [w].
To make this possible, they exploited several zero day
vulnerabilities in the implementation of the OMAP-L138 processor
inside the MTM5400.
➤ More about the TETRA:BURST revelations
|
The basic radio is available in two versions:
(1) with integrated front panel (MTM5400) or
(2) with remote control head (MTM5500). In addition there
are several installation and configuration options, such as
dual control heads, multiple radio control, data-only, etc.
The image on the right shows a standard MTM5400 (type MT953C).
The microphone should be connected at the bottom left of the
front panel. Other accessories are connected to the
expansion connector at the rear.
|
|
|
MTM5000 radios are supplied with the standard handheld
microphone shown in the image on the right. It has a non-standard
plug that should be connected to the socket at the front left of
the control head. Alternatively, the microphne can be connected
to the accessory socket by using a breakout cable.
Nearly identical unbranded replacement microphones are available
from various sources – including AliExpress – at competitive prices.
|
|
|
In a mobile setup, the radio should be connected to the 12V DC
power network of the vehicle, by means of the supplied power cable
shown in the image on the right. It must be connected to the
power socket at the rear of the radio.
Alternative power cables are available from various sources
– including AliExpress – at competitive prices.
|
|
|
The MTM-5500 is similar to the MTM-5400, but is intended to be operated
by one or two external control heads, each of which may be placed up to 40
metres from the radio. There are two types of control head: (1) the Remote
Ethernet Control Head (ReCH) and
(2) the Telephone Style Control Head (TSCH).
A remote control head can be used to control multiple radios.
The image on the right shows the ReCH.
|
|
|
If location services are required, an (optional) GPS antenna can be
connected at the rear of the radio. It allows
the position of a (mobile) station to be tracked from a command centre.
The supplied GPS unit is suitable for a range of positioning systems,
including GPS, GLONASS and BeiDou, as well as Satellite Based
Augmented Systems (SBAS), including WASS, EGNOS, MSASA, GAGAN and QZESS.
|
|
|
MTM5000 radios can be programmed from a Personal Computer (PC) on which the
Motorola TETRA Customer Programming Software (CPS) is installed.
The radio can be connected to the PC by means of the USB cable shown
in the image on the right. The cable should be connected to the microphone
socket at the front panel.
Alternatively, the radio can be programmed via the
accessory socket
at the rear, but this requires a different programming cable.
|
|
|
Below are some photographs of the interior of the MTM5400.
At present, no further information on this topic is available.
|
TETRA radios can legally be owned and oprated by licenced amateur radio
operators (HAMs) — it is an approvied amateur radio mode — as long
as they are used without encryption, on frequencies that have been assigned
by the International Telecommunication Union (ITU)
to the Amateur Radio Service.
Many countries, including The Netherlands, have HAM-operated TETRA networks.
|
At the rear of the radio is a 26-pin receptacle for connection of
accessories. This bus is also used for flashing firmware, programming
features, etc. It holds various interfaces for microphone, speaker and
push-to-talk (PTT), but also serial interfaces (RS232, USB) for
connection of external data equipment (e.g. computer terminal).
Below is the pinout when looking into the receptacle.
|
- UART1 TXD, USBx D(+)
- UART1 RXD, USBx D(-)
- UART1 RTS, USBx VBUS
- USB GND
- 1-WIRE
- KeyFail, Flash
- SWB+ (A+ voltage)
- Main GND
- Speaker (-) (do not ground)
- Speaker (+)
- TX Audio
- Audio ground
- MIC 1
- RX Audio
- MIC 2
- MIC GND
- PTT
- UART2 DTR, USBy ID
- HOOK_PA_EN (input)
- UART2 TXD, USBy TX
- UART2 RTS, USBy VBUS
- UART2 RXD, USBy RX
- Emergency
- UART CTS
- Ignition
- External alarm
|
|
The device is powered by a DC voltage between 12 and 15V, that should be
supplied to the power socket at the rear panel of the device. This is an
oval male/female receptacle with a blank contact (+12V) and an isolated
contact (0V, GND). Below is the pinout when looking into the receptacle.
Suitable power cables are available from a variety of sources, including
Motorola and AliExpress.
|
Device Mobile two-way trunking radio Standard TETRA Manufacturer Motorola Series MTM5000, MTM5400, MTM5500 Type MT953C Model M83PFS6TZ5AN (M1) Frequency 380-430 MHz Spacing 20/25 kHz Modulation Π/4 DQPSK CODEC ACELP Mode TMO/DMO Output 10 Watt Location GPS, GLONASS, BeiDou, SBAS (WASS, EGNOS, MSASA, GAGAN, QZESS) Power 10-15V DC Expansion Accessory socket Temperature -30 to +60°C (storage -40 to +85°C) Dimensions 198 × 188 × 60 mm Weight 1500 g
|
Series
|
Type
|
Model number
|
Model
|
Frequency
|
Description
|
|
MTM5400
|
MT953C
|
M83PFS6TZ5AN
|
M1
|
380-430 MHz
|
Dasboard
|
MTM5400
|
MT953C
|
M83PFS6TZ4AN
|
M2
|
380-430 MHz
|
Desktop
|
MTM5400
|
MT953C
|
M83PFS6TZ6AN
|
M3
|
380-430 MHz
|
Remote head
|
MTM5400
|
MT953C
|
M83PFS6TZ2AN
|
M4
|
380-430 MHz
|
Motorcycle
|
MTM5400
|
MT953C
|
M83PFA6TZ5AN
|
M5
|
380-430 MHz
|
Data
|
|
HKN6184 USB programming cable for micrphone socket PMKN4105 Serial RS232 programming cable for accessory socket PMKN4110 USB programming cable for accessory socket PMLN5072 Accessory plug kit
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Last changed: Tuesday, 11 June 2024 - 09:26 CET.
|
|
|
|
|
|