Faulty Cleartone CM5000

For quite some time I’ve had a Cleartone CM5000 in my shack, waiting for further investigation. The radio was sent to me by an OM because it showed an error on startup. After switching on the radio the gruesome message ‘Security (K) error’ appeared. It’s not completely certain, but it’s likely that somebody has tried to open the radio. But TETRA radios are equipped with a ‘tamper protection’: a tiny switch which erases all programmed keys as soon as the casing of the radio is opened. Because TETRA radios are sometimes used in encrypted networks, especially by governmental users, this protects the hardware against reverse engineering of the encryption. To get access to the hardware, the radio has to be opened. Therefore a kind of ‘tripwire’ has been built in which erases all sensitive information as soon as the lid is taken off.

It’s likely something like this has happened to this particular radio. Because the radio has been used in a private network it didn’t contain the highly secure TEA2 encryption. This is a radio with ‘clear’ software, so it is allowed to be owned by radio amateurs. Nevertheless the tamper protection erases all keys, not only encryption keys. Studying the manuals showed that the error message ‘Security (K)’ is related to the radio’s authentication in a network. The authentication settings the radio uses to get access to the network had also been erased. And although there was no need for the radio to get access to any network, the missing authentication keys prevented the radio from booting.

After some research it was clear that:

  • the radio could start in so-called ‘bootlink’ mode. This could be done by holding the [menu] and [0] keys pressed while switching on the radio. In that mode the multicolored LED will light green while the display is off;
  • the programming software can also be kicked into this ‘bootlink’ mode by adding the parameter /BOOTLINK to the executable.

The radio was connected by its accessory connector to a 3V3 FTDI module. For this connection a four-wire serial connection was used: RxD, TxD, CTS and DTR, and of course a ground connection. Using this setup the radio could be read and programmed in the ‘bootlink’ mode mentioned above.

Because the error message was related to authentication, all settings related to authentication were disabled in the codeplug. After writing the codeplug to the radio the set booted normally again. And then it was also possible again to read and write the codeplug in the ‘normal’ operation mode of software and radio.