GPU-accelerated ARC4 key recovery for DMR Enhanced Privacy voice communications.
FSP.DMRCrack is a native Windows application that performs exhaustive 40-bit RC4 key search against captured DMR Enhanced Privacy voice frames. It integrates DSD-FME as the demodulation backend: select a WAV capture in the GUI and the app runs DSD-FME automatically to extract encrypted voice payloads.
DMR Enhanced Privacy (EP) uses ARC4 (RC4) with a 40-bit (5-byte) key. The 40-bit keyspace (2^40 ≈ 1 trillion keys) is tractable on a modern GPU in hours. FSP.DMRCrack exploits the structure of AMBE voice coding — valid speech produces predictable inter-frame parameter distributions — to identify the correct key with a statistical Z-score far above the noise floor (Z > 7 threshold).
Intended users: licensed radio operators performing authorized security audits of their own systems, researchers, and CTF participants.
| Requirement | Details |
|---|---|
| OS | Windows 10/11, 64-bit |
| GPU | NVIDIA sm_75+ (GTX 16xx / RTX 20xx or newer). A multi-threaded CPU fallback runs if no GPU is present, but expect a search to take days instead of hours — a GPU is strongly recommended. |
| Runtime | None — DSD-FME and all Cygwin DLLs are bundled by the installer |
| Python | 3.8+ (optional, for verify_decrypt.py and diag_decrypt.py) |
| CUDA Toolkit | 12.x (build-time only) |
| Visual Studio | 2022 with Desktop C++ workload (build-time only) |
- Download
FSP.DMRCrack-Setup.exefrom Releases. - Run the installer (requires Windows 10/11 x64, admin rights).
- Launch FSP.DMRCrack from the Start menu or desktop shortcut.
Everything is included: the GPU brute-force engine, the DSD-FME demodulator, and all required Cygwin runtime DLLs. No additional downloads or configuration needed.
Clone the repo and build with build.bat (requires CUDA Toolkit + Visual Studio). dsd-fme.exe and the Cygwin DLLs are already in tools/. If they are missing (e.g. on a clean CI checkout), run tools\get_runtime.bat to fetch them. See Building from source below.
- Record a WAV file of the DMR RF signal (discriminator audio, 48 kHz mono recommended).
- Open FSP.DMRCrack and select the WAV file in the Capture section.
- Click Demodulate — DSD-FME runs automatically, extracts encrypted voice payloads, and writes a
.binfile. - Click Start in the Brute-force section to begin the GPU search.
- Monitor progress: keys/sec graph, best-score evolution, ETA.
- The correct key produces a sharp score spike well above the noise floor.
If you already have a .bin payload file (e.g., generated by DSD-FME + dsdfme_dsp_to_bin.py):
- Select the
.binfile in the BRUTEFORCE section. - Configure the key range (default: full 40-bit space
0000000000–FFFFFFFFFF). - Click Start.
One payload per line, hex-encoded (33 bytes = 66 hex characters). Optional metadata after ;:
AABBCCDDEEFF112233...;ALG=21;KID=0F;MI=531699C4
| Tag | Meaning |
|---|---|
ALG=21 |
RC4 Enhanced Privacy algorithm |
KID=XX |
Key ID |
MI=XXXXXXXX |
Message Indicator (32-bit, hex) |
When all three tags are present, the KMI9 pipeline is used (key9 = key5 \|\| MI[4]). Without MI, the legacy 5-byte key mode is used.
Converts DSD-FME -Q DSP output + stderr log into a .bin payload file with correct per-frame MI assignment.
python tools\dsdfme_dsp_to_bin.py --dsp RC4.dsdsp.txt --out RC4.bin --log RC4.dslog.txtValidates a candidate key against a .bin file and prints Z-score metrics.
python tools\verify_decrypt.py --bin RC4.bin --key <YOUR_KEY_HEX>Expected output for a correct key on 126 payloads: Z ≈ 335 (bit-frequency), Z ≈ 38 (Hamming).
For each key candidate, the CUDA kernel runs the complete DSD-FME/mbelib pipeline per burst:
- Build
key9 = key5 || MI[4] - RC4 KSA with 9-byte key; discard
256 + burst_pos × 21bytes of keystream - For each sub-frame (0, 1, 2):
- De-interleave 33-byte payload →
ambe_fr[4][24] - mbelib demodulate (PRNG XOR on row 1)
- Extract 49 AMBE bits → pack to 7 bytes
- RC4 decrypt → unpack 24 bits
- De-interleave 33-byte payload →
- Score = Σ(24 − Hamming distance) across consecutive sub-frame pairs
Valid speech has slowly-varying AMBE parameters (HD ≈ 0–4). Random keys produce HD ≈ 12. At 126 payloads the correct key achieves Z ≈ 48.5 sigma (C/CPU path).
Between superframes (every 6 bursts), MI advances by 32 LFSR steps: taps {31,3,1}.
On an RTX 3080 (sm_86), expect ~2–5 billion key candidates per second. Full 40-bit space completes in a few hours.
- Other ciphers. Only DMR Enhanced Privacy (RC4 with a 40-bit key). No AES (Motorola DMR-AES), no Hytera proprietary, no Tytera DMRA.
- Captures without MI metadata. The strict pipeline needs the Message Indicator extracted from each superframe. Without it the legacy statistical scorer runs, which is much less reliable.
- Bad audio. If DSD-FME can't cleanly demodulate the WAV, the search will run but won't find the key. Garbage in, garbage out.
- Live SDR ingest. Capture is offline. Record to WAV first, then feed it in.
- Targeting third-party systems. This is for authorized auditing of systems you own or have written permission to test. See
LICENSE.
All build scripts auto-detect Visual Studio via vswhere.exe.
Open an x64 Native Tools Command Prompt for VS in the project root:
build.batOutput: bin\dmrcrack.exe
Or manually:
nvcc -O3 ^
-gencode arch=compute_75,code=sm_75 ^
-gencode arch=compute_86,code=sm_86 ^
-gencode arch=compute_89,code=sm_89 ^
-gencode arch=compute_75,code=compute_75 ^
-cudart static -Iinclude -Ivendor\winsparkle\include ^
-Xcompiler "/W4 /D_CRT_SECURE_NO_WARNINGS /DWIN32 /D_WINDOWS" ^
src\main.c src\gui.c src\bruteforce.cu src\payload_io.c src\rc4.c src\lang_en.c src\updater.c ^
-o bin\dmrcrack.exe ^
-luser32 -lgdi32 -lcomdlg32 -lkernel32 -ldwmapi -lshell32 -ladvapi32 ^
vendor\winsparkle\x64\WinSparkle.libThe default build targets sm_75/86/89 natively plus a PTX fallback for RTX 50xx and newer (JIT-compiled by the driver on first run). Supported GPUs: GTX 16xx, RTX 20xx–50xx.
build_test.bat # → bin\test_strict_score.exe- Install Inno Setup
- Open
installer\FSP.DMRCrack.iss - Build →
installer\output\FSP.DMRCrack-0.1.0-Setup.exe
FSP.DMRCrack/
src/
main.c Entry point (WinMain)
gui.c Win32 GUI, dark theme, progress graphs
bruteforce.cu CUDA GPU kernels + integrated CPU fallback
bruteforce.c Pure-CPU reference implementation (target: future headless CLI, see issue #11)
rc4.c RC4 KSA + PRGA (host-side)
payload_io.c .bin file loader/saver, ALG/KID/MI metadata parser
tests/
test_strict_score.c Per-burst scoring validation against known key
test_score_windows.c Score distribution analysis tool
test_bench.cu GPU kernel throughput micro-benchmark
include/ Headers
tools/
dsd-fme.exe DSD-FME demodulator (requires Cygwin DLLs alongside)
dsdfme_dsp_to_bin.py DSD-FME DSP output → .bin converter
verify_decrypt.py Key validation with Z-score output
diag_decrypt.py Decryption pipeline diagnostic
extract_encrypted_from_dsdfme.bat DSD-FME capture helper
build_bench.bat GPU kernel throughput benchmark build
build_ptxas.bat Register/occupancy diagnostic build
installer/
FSP.DMRCrack.iss Inno Setup script
bin/ Compiled executables (not tracked in git)
This is open source and actively developed. The roadmap lives in the issue tracker and PRs are welcome.
Good places to start:
good first issue— well-scoped tasks that don't need deep familiarity with the code (magic-number cleanup,__restrict__annotations on device helpers, i18n audit, etc.)help wanted— larger items where extra hands would unlock cross-platform work: CMake migration, POSIX HAL for the engine, headless CLI mode, Linux port
Setup, code style, and submission guidelines are in CONTRIBUTING.md. If you have an idea that doesn't fit any open issue, just open one — happy to discuss.
FSP.DMRCrack is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation. See LICENSE for the full text.
DSD-FME (required companion tool, distributed in tools/) is licensed under ISC + GPLv2. See NOTICE. The Cygwin runtime DLLs bundled alongside DSD-FME are LGPL-licensed.