Click for homepage
ETSI
TETRA
Motorola
  
MTM-5400   MT953C
TETRA two-way trunking radio with encryption

MTM5400 is a mobile two-way digital trunking radio for TETRA networks, introduced in May 2010 by Motorola in Chicago (Illinois, USA) [1]. The device follows the TETRA standard, specified by the European Telecommunications Standards Institute (ETSI). It is suitable for voice and data communication, and can optionally be secured with digital encryption, developed by ETSI-SAGE.

The device is housed in a die-cast aluminium enclosure that measures 198 × 188 × 60 mm and weights 1500 grams. It has the form factor of a standard car stereo, which makes it easier to install it in an empty space at the dashboard.

The device is intended for use as part of the critical infrastructure of a country, by services like police, fire and ambulance, and has a built-in GPS receiver that regularly reports the user's position. In case of distress, the user can press a red button at the left of the front panel, after which assistence can be rushed to the scene.
  

When the device is used by public safety services, it is important that conversations are protected against evesdropping. In such cases, it will have TEA2 or TEA3 encryption. Civil organisations and companies have to settle for the less secure TEA1 encryption, or (in most cases) no encryption at all. Encryption keys can be entered manuall by means of a key loading device, but can also be updated remotely, using OTAR. 1 The MTM5400 was still available from Motorola in 2023.

  1. Over The Air Re-keying (OTAR) on TETRA was first instroduced with the MTM5400 series.

MTM-5400
Motorola MTM-5400 TETRA radio
MRM-5500 with control head and remote cable
Bottom side
Connections at the rear side
Accessory receptacle
A
×
A
1 / 6
MTM-5400
A
2 / 6
Motorola MTM-5400 TETRA radio
A
3 / 6
MRM-5500 with control head and remote cable
A
4 / 6
Bottom side
A
5 / 6
Connections at the rear side
A
6 / 6
Accessory receptacle

Features
The MTM5000-series is available in a wide range of versions and variants. Some (but not all) features can be deduced from the model number. The following series are known:

  • MTM-5400
    All-in-one transceiver
  • MTM-5500
    Like MTM5400 but with detached control head (front panel)
MTM-5400
MTM-5400 is an all-in-one unit in the shape of a car stereo. It is suitable for use in fixed setups, such as a control room, as well as in a vehicle. In the latter case it can be fitted into the empty space for a car stereo, or elsewhere by using a mounting bracket. All control are at the front panel. A handheld microphone can be connected to the microphone socket at the bottom left.


All other connections are at the rear. This includes the connections to the 12V DC power source, an antenna and (optionally) a GPS receiver. There is also a 26-bit expansion connector on which all analog and digital signals are available. A speaker should be connected to this connector.

MTM-5500
For more complex setups, the MTM-5500 series can be used. In the minimum configuration it comprises a 'blind' radio with a single expansion head, a separate remote control head, and an ethernet-style interconnection cable, as shown in the image below. The controls on tbe remote control head and connections at the rear of the radio are identical to those of the MTM-5400.


Other configurations are also available, such as a dual control head that allows up to two control heads to be connected to a single radio, or a setup in which two radios can be controlled from a single remote control head. The standard remote control head could also be replaced by a tele­phone-style control head.

Mode of operation
The MTM5400 has the following modes of operation:

  • TMO
    Trunked Mode Operation
  • DMO
    Direct Mode Operation
  • DMGW
    Direct Mode Gaterway Mode
  • DMOR
    DMO Repeater
By default, the device is used in TMO, which requires the presence of a compatible base station (BS). In that case, all (encrypted) conversations are routed via the base station. At short range, the device can also be used in DMO for direct communication between users, but in that case the conversation will not be encrypted. In DMOR mode, the MTM5400 is used as a repeater for nearby DMO stations. In DMGW mode, nearby DMO stations are relayed to the TMO network.

Versions
There are differences in frequency range and mounting variations, all with or without encryption. Confusingly, the model number 'MTM5400' is not printed anywhere on the body of the radio. Instead, a separate type number is used – e.g. MT953C – along with a sales model number – e.g. M83PFS6TZ5AN. In addition, numerous variants are known, including:

  • Clear
  • Encrypted with TEA1, TEA2 or TEA3
  • Dashboard mount (single unit)
  • Enhanced control head
  • Remote head
  • Low, medium, high power
Security
The radio is built around a Texas Instruments (TI) OMAP-L-138 System-on-Chip (SoC), which contains an ARM9 processor core and a TI C6748 Digital Signal Processor (DSP) [a]. The software inside the radio runs in a so-called Trusted Execution Environment (TEE), which makes it possible to load and execute confidential code without revealing its implementation. The encryption algorithms (TAA and TEA) – which run on the embedded DSP – are protected this way, so that a malicious party cannot extract the confidential code and encryption keys from a working radio. 1

Air Interface Encryption   AIE
Voice and data traffic on a TETRA network can optionally be protected against eavesdropping by means of encryption, subject to local regulations and permissions. For Air Interface Encryption (AIE), the following ETSI-developed algorithms 2 are available on the MTM5400:

  • TAA1
    A series of algorithms and functions for authentication and Over The Air Re-keying (OTAR), based on the proprietary HURDLE II block cipher, developed at the Royal Holloway University of London (UK) and validated by ETSI-SAGE.

  • TEA1
    A (weak) algorithm for the encryption of voice and data traffic, intended for civil use and export, based on a proprietary stream cipher developed at Philips Crypto BV in Eindhoven (Netherlands). The key length is internally reduced from 80 to 32 bits.

  • TEA2
    A strong algorithm for the encryption of voice and data traffic, intended for use by public safety and emergency services (police, fire, ambulance, etc.) within Europe, based on a proprietary stream cipher developed at Philips Crypto BV in Eindhoven (Netherlands).

  • TEA3
    Similar to TEA2, but intended for emergency and public safety services outside Europe.
Depending on the type of customer and the geographical location, a maximum of one TEA algorithm would be assigned: TEA1, TEA2 or TEA3. When the MTM5400 was used by a police force in, say, the Netherlands, the TEA2 algorithm would be used. This is the case, for example, on the Dutch public safety TETRA network C2000. A similar network in, say, China would use the TEA3 algorithm. All other services would either use TEA1 or no encryption at all (i.e. clear).

  1. Compromised in 2023 by the Dutch cyber security firm Midnight Blue.  More
  2. ETSI also developed the TEA4 algorithm, but this is not available on the Motorola MTM5400.

End-to-End Encryption   E2EE
In most cases, Air Interface Encryption (AIE, see above) offers sufficient protection against eaves­dropping, but in case AIE isn't trusted or when radios are used without AIE are used, end-to-end encryption (E2EE) can be added to the data stream by installing a SIM card at the left side of the radio. In most cases AES256 is used for E2EE, but this is a rather expensive option.

The image on the right shows the position of the SIM card slot at the left side of the radio, just be­hind the front panel. It requires the black plastic case cover to be removed first.

  

Compromise
On 24 July 2023, researchers from the Dutch cyber security firm Midnight Blue revealed that they had succeeded in extracting the firmware from a working MTM-5400 and had subsequently reverse-engineered and analysed the code [w]. To make this possible, they exploited several zero day vulnerabilities in the implementation of the OMAP-L138 processor inside the MTM5400.

 More about the TETRA:BURST revelations


Parts
MT953C radio
Microphone
Mic
Power cable
Remote control head
Remote control cables
Optional GPS antenna
GPS
USB programming cable
USB
Radio   MT953C
The basic radio is available in two versions: (1) with integrated front panel (MTM5400) or (2) with remote control head (MTM5500). In addition there are several installation and configuration options, such as dual control heads, multiple radio control, data-only, etc.

The image on the right shows a standard MTM5400 (type MT953C). The microphone should be connected at the bottom left of the front panel. Other accessories are connected to the expansion connector at the rear.

  

Microphone
MTM5000 radios are supplied with the standard handheld microphone shown in the image on the right. It has a non-standard plug that should be connected to the socket at the front left of the control head. Alternatively, the microphne can be connected to the accessory socket by using a breakout cable.

Nearly identical unbranded replacement micro­phones are available from various sources – including AliExpress – at competitive prices.

  

Power cable
In a mobile setup, the radio should be connected to the 12V DC power network of the vehicle, by means of the supplied power cable shown in the image on the right. It must be connected to the power socket at the rear of the radio.

Alternative power cables are available from various sources – including AliExpress – at competitive prices.

  

Remote control head
The MTM-5500 is similar to the MTM-5400, but is intended to be operated by one or two external control heads, each of which may be placed up to 40 metres from the radio. There are two types of control head: (1) the Remote Ether­net Control Head (ReCH) and (2) the Telephone Style Control Head (TSCH). A remote control head can be used to control multiple radios.

The image on the right shows the ReCH.

  

Remote cables
The MTM5500 is supplied with two inter­connection cables: (1) an ethernet-style cable for connection of the remote control head and (2) a breakout cable for connecting a microphone and a speaker remotely.

The image on the right shows the breakout cable for remote connection of a microphone and a speaker. It should be connected to the accessory socket at the rear of the radio.

  

GPS antenna
If location services are required, an (optional) GPS antenna can be connected at the rear of the radio. It allows the position of a (mobile) station to be tracked from a command centre.

The supplied GPS unit is suitable for a range of positioning systems, including GPS, GLONASS and BeiDou, as well as Satellite Based Augmen­ted Systems (SBAS), including WASS, EGNOS, MSASA, GAGAN and QZESS.

  

USB programming cable
MTM5000 radios can be programmed from a Personal Computer (PC) on which the Motorola TETRA Customer Programming Software (CPS) is installed. The radio can be connected to the PC by means of the USB cable shown in the image on the right. The cable should be connected to the microphone socket at the front panel.

Alternatively, the radio can be programmed via the accessory socket at the rear, but this requires a different programming cable.

  

Motorola MTM-5400 TETRA radio
MTM-5500 withoutd control head
MTM-5500 (top) and MTM-5400 (bottom)
Control head
Original power cable
Low-cost power cable obtained from AliExpress
Power plug
Original Motorola handheld microphone
Microphone
Operating the microphone
Original Motorola microphone (left) and Chinese copy
GPS unit
GPS antenna
Remote control head cable
Remote accessory cable
USB programming cable
Interior
Below are some photographs of the interior of the MTM5400. At present, no further information on this topic is available.

Interior - top
Interior - closeup
B
×
B
1 / 2
Interior - top
B
2 / 2
Interior - closeup

Ham radio use
TETRA radios can legally be owned and oprated by licenced amateur radio operators (HAMs) — it is an approvied amateur radio mode — as long as they are used without encryption, on frequen­cies that have been assigned by the International Telecommunication Union (ITU) to the Amateur Radio Service. Many countries, including The Netherlands, have HAM-operated TETRA networks.


Connections
Accessory socket
At the rear of the radio is a 26-pin receptacle for connection of accessories. This bus is also used for flashing firmware, programming features, etc. It holds various interfaces for microphone, speaker and push-to-talk (PTT), but also serial interfaces (RS232, USB) for connection of external data equipment (e.g. computer terminal). Below is the pinout when looking into the receptacle.

  1. UART1 TXD, USBx D(+)
  2. UART1 RXD, USBx D(-)
  3. UART1 RTS, USBx VBUS
  4. USB GND
  5. 1-WIRE
  6. KeyFail, Flash
  7. SWB+ (A+ voltage)
  8. Main GND
  9. Speaker (-) (do not ground)
  10. Speaker (+)
  11. TX Audio
  12. Audio ground
  13. MIC 1
  14. RX Audio
  15. MIC 2
  16. MIC GND
  17. PTT
  18. UART2 DTR, USBy ID
  19. HOOK_PA_EN (input)
  20. UART2 TXD, USBy TX
  21. UART2 RTS, USBy VBUS
  22. UART2 RXD, USBy RX
  23. Emergency
  24. UART CTS
  25. Ignition
  26. External alarm
Power
The device is powered by a DC voltage between 12 and 15V, that should be supplied to the power socket at the rear panel of the device. This is an oval male/female receptacle with a blank contact (+12V) and an isolated contact (0V, GND). Below is the pinout when looking into the receptacle. Suitable power cables are available from a variety of sources, including Motorola and AliExpress.



Specifications
  • Device
    Mobile two-way trunking radio
  • Standard
    TETRA
  • Manufacturer
    Motorola
  • Series
    MTM5000, MTM5400, MTM5500
  • Type
    MT953C
  • Model
    M83PFS6TZ5AN (M1)
  • Frequency
    380-430 MHz
  • Spacing
    20/25 kHz
  • Modulation
    Π/4 DQPSK
  • CODEC
    ACELP
  • Mode
    TMO/DMO
  • Output
    10 Watt
  • Location
    GPS, GLONASS, BeiDou, SBAS (WASS, EGNOS, MSASA, GAGAN, QZESS)
  • Power
    10-15V DC
  • Expansion
    Accessory socket
  • Temperature
    -30 to +60°C (storage -40 to +85°C)
  • Dimensions
    198 × 188 × 60 mm
  • Weight
    1500 g
Known Model numbers
Series Type Model number Model Frequency Description
MTM5400 MT953C M83PFS6TZ5AN M1 380-430 MHz Dasboard
MTM5400 MT953C M83PFS6TZ4AN M2 380-430 MHz Desktop
MTM5400 MT953C M83PFS6TZ6AN M3 380-430 MHz Remote head
MTM5400 MT953C M83PFS6TZ2AN M4 380-430 MHz Motorcycle
MTM5400 MT953C M83PFA6TZ5AN M5 380-430 MHz Data
Special parts
  • HKN6184
    USB programming cable for micrphone socket
  • PMKN4105
    Serial RS232 programming cable for accessory socket
  • PMKN4110
    USB programming cable for accessory socket
  • PMLN5072
    Accessory plug kit
Datasheets
  1. OMAP-L138 C5000 SoC datasheet
    Texas Instruments, June 2009, revised January 2017.

  2. TMS320C6748 DSP datasheet
    Texas Instruments, June 2009, revised January 2017.

  3. OMAP-L138, Technical Reference Manual
    Texas Instruments, April 2013, revised September 2016.
     Silicon Errata
Documentation
  1. MTM-5000 Brochure (English)
    Motorola Solutions Inc., 2021.

  2. MTM-5000 specifications sheet
    Motorola Solutions Inc., 2021.

  3. MTM5400 TETRA Mobile Terminal Instalation Manual
    68015000181-B. Motorola Inc., 2010.

  4. MTM5400 Feature User Guide
    6801500180-E. Motorola Solutions Inc., March 2012.

  5. MTM5000 Series TETRA Mobile Radios Product Information Manual
    38015000884-LU. Motorola Solutions Inc., January 2023.

  6. MTM800 FuG installation manual (German version)
    68015000553-J. Motorola Solutions Inc., December 2014.
References
  1. Motorola Launches Next Generation of Mission Critical Terminals
    with the MTM5400 TETRA Radio

    TCCA, 25 May 2010.

  2. TETRA:BURST
    Security vulnarabilities in TETRA protocols and algorithms.
    Midnight Blue, 24 July 2023.
     More
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
© Crypto Museum. Last changed: Tuesday, 11 June 2024 - 09:26 CET.
Click for homepage