How does keyloading (technically) work?

[radio-link]

Hi!

I wonder how it could be possible that no one ever was able to trace the communication between KVL and radio to find out how they talk to each other. With some kind of logic analyzer it should be an easy task to monitor those few I/O lines.

Is something about this already known? Is there some kind of master key, used to encrypt the loading of the key to the radio? Maybe some challenge/response system, to allow verification both of the KVL to the radio and vice versa?!

Although I have no need for encryption I keep looking for an affordable KVL 3011dx, just for playing around, and when I am able to get one the first thing will be sniffing into the protocol.

Really would be a funny thing to do the whole job in software, without having to spend big $$ for the KVL. Imagine the possibility to use a true KVL to load a bunch of keys in some micro controller (Atmel, PIC, something like that) and then use this µC to be handed out as a cheap device with low security risk, used by the field people to load the keys into the radios. When it is lost, then a 50$ device gets lost, and a small number of keys, instead of a $$ KVL. Not to speak of a fully funtional KVL software on your computer...

[Wowbagger]

I'd be leery of trying to reverse engineer the Motorola ASN protocol - that is Motorola proprietary and Mary Pittman will come down with great fury upon anybody she feels is in violation of this.

The APCO-25 standard for key fill is NOT Motorola proprietary, and if you can get the APCO docs they describe what is going on pretty well.

(And I'm going to recuse myself on any more technical details, as I am under NDA from Motorola for ASN).