Before reading this post I recommend reading my previous posts about the mechanism used to program the Cougar: Program the Racal Cougar - Part 2 & Part 5
|MA4083(G) Fill gun|
Reverse engineering (again)
Two different PWM data streams:
- Racal Cougar control data
- Key fill data
The control data stream is described in the previous posts mentioned above. It uses PWM data modulated at a frequency of ~4 kHz, where one period takes 250 μs.
A logical '0' is sent by pulling the F pin low for ~64 μs and high for 186 μs; a logical '1' is sent by pulling it low for ~186 μs and high for 64 μs.
Control data takes 4 bytes (32 bits) and expects an echo to be returned from the Racal Cougar.
Key fill data:
A key fill PWM-modulated bit has a period duration of ~700 μs, where a logical '0' is sent by pulling the F pin low for ~96 μs and a logical '1' by pulling it low for ~224 μs.
Fill commands and data
- FTL command (HEX 7F8B)
- DSN command (HEX 7F03)
- ZA command (HEX 7F07)
After the ZA command (zeroise keys) is received, the Cougar generates a 1 kHz alarm tone on the audio line, indicating that the unit doesn't contain any crypto keys (you would get the same alarm when using the zeroise button on your Racal Cougar and selecting a crypto channel).
Next, the 520 bits of key fill data are sent, which are handled directly by the crypto module. When no errors occurred, the keys are stored in the crypto module, which in turn disables the key alarm, indicating a successful transfer.
|Simplified overview of key fill commands|
Key fill data
Information about the commands being sent can be found in the technical manual of the MA-4073. It tells you what is described in the previous paragraph, but it doesn't tell you the actual structure of the key fill data. This is where the fun started :-)
|Key fill data|
Every transfer of key data starts with a fill instruction command. This command shouldn't be confused with the normal command structure: the fill instruction command is 8 bits preceding the actual key data and has the hexadecimal value 30 (00110000).
Next there are 512 bits of key data, 128 bits for each key. There are 4 keys in total, stored in the following order: B, A, D, C.
Although the Racal Cougar can only handle 2 crypto keys, A & B, the crypto module can store 4 of them.
The 128 bits of a key contain the following data:
- 12 bits of a predefined value; this value is hard-wired in the programmer and can be changed on the customer's request. In general these are 12 one (1) bits.
- 108 bits of actual key data: 36 octal (0...7) digits, each using 3 bits.
- An 8-bit CRC, using a different CRC polynomial value for the different crypto boards.
After the 12 predefined bits comes the actual key data: for each of the 36 digits, 3 bits are added to the key data stream. The three digit bits represent a binary value of 0 to 7 (octal) in little-endian order (least significant bit first).
The bit (LE) values for the octal key digits, least significant bit first:
- 0: 000
- 1: 100
- 2: 010
- 3: 110
- 4: 001
- 5: 101
- 6: 011
- 7: 111
To illustrate this, imagine we have a key made up of 8 digits with the value '01234567'. The key data part of the stream would be the following 3 bytes:
Byte 1: 00010001
Byte 2: 01100011
Byte 3: 01011111
The last part of the 128-bit key data stream is used by an 8-bit CRC (cyclic redundancy check) value. This CRC value is used by the crypto module to check that all received bits are correct and that the data hasn't been corrupted during communication between the programmer/fill gun and the module.
The CRC calculation is an 8-bit CRC checksum using a specific polynomial value. The crypto modules requiring a 'C' programmer/fill gun use a different polynomial value than the modules requiring the 'G' version.
C polynomial value: 1 11000000
G polynomial value: 1 01000010
By changing this polynomial value to match the target crypto module both can be programmed using the same Arduino programmer.
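As an added example (not code from the post or from the Arduino programmer), the following Python builds the key fill stream described above: the 8-bit fill instruction, then the four 128-bit key blocks in B, A, D, C order, each made of the 12 preset bits, 36 octal digits packed 3 bits LSB-first, and an 8-bit CRC using the C or G polynomial. The CRC initial value (0), the bits it covers (the 120 bits before it) and the order its bits are sent in are assumptions; the post only gives the polynomials.

```python
"""Key fill stream encoder for the layout reverse engineered in the post."""

PRESET_BITS = [1] * 12        # 12 hard-wired bits, normally all ones
FILL_INSTRUCTION = 0x30       # 8-bit fill instruction preceding the key data
KEY_ORDER = "BADC"            # order in which the four keys are sent
# Polynomials from the post without the implicit leading x^8 term.
POLY = {"C": 0b11000000, "G": 0b01000010}


def digit_bits(digit):
    """3 bits of one octal digit, least significant bit first (wire order)."""
    if not 0 <= digit <= 7:
        raise ValueError("octal digit expected")
    return [(digit >> i) & 1 for i in range(3)]


def key_digits_to_bits(key):
    """Bit stream for a string of octal digits, e.g. '01234567'."""
    return [b for ch in key for b in digit_bits(int(ch, 8))]


def bits_to_bytes(bits):
    """Pack bits into bytes, first stream bit = MSB of byte 1, as the post writes them."""
    out = []
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8] + [0] * (8 - len(bits[i:i + 8]))
        out.append(int("".join(str(b) for b in chunk), 2))
    return bytes(out)


def crc8(bits, poly):
    """Bit-serial CRC-8. ASSUMPTION: init 0, no final XOR, bits fed in wire order."""
    crc = 0
    for b in bits:
        crc ^= b << 7
        crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def key_block(key, variant):
    """128-bit block for one key: 12 preset bits + 108 key bits + 8-bit CRC."""
    if len(key) != 36:
        raise ValueError("a key has 36 octal digits")
    body = PRESET_BITS + key_digits_to_bits(key)          # 120 bits
    crc = crc8(body, POLY[variant])
    return body + [(crc >> i) & 1 for i in range(7, -1, -1)]  # ASSUMPTION: MSB first


def fill_stream(keys, variant):
    """Full 520-bit fill: instruction, then keys B, A, D, C. keys maps 'A'..'D' to digit strings."""
    bits = [(FILL_INSTRUCTION >> i) & 1 for i in range(7, -1, -1)]
    for name in KEY_ORDER:
        bits += key_block(keys[name], variant)
    return bits
```

Running `bits_to_bytes(key_digits_to_bits("01234567"))` reproduces the three bytes shown in the post.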