Access Your Quantar Using a Cisco Router

The AUX port on Cisco routers is an asynchronous serial port configured as data terminal equipment (DTE). Adapters for connections to PC terminals, modems, or other external communications equipment are available, or can be DIYed. That sounds like a reasonable starting point to find out whether it is possible to get access to the serial port of the Quantar repeater. In most cases the AUX port is not used and no configuration is applied to it, so that needs to be changed; a few commands are added to line aux 0:

no exec - only incoming connections (no EXEC session is started on the line)
(modem InOut - allow incoming and outgoing connections on that line)
transport input all - allow all protocols on incoming calls
transport output all - allow all protocols on outgoing calls
stopbits 1

Now it’s time to build a cable between the router and the repeater; nothing special, RJ45 to D-SUB 9:


Next, let us find out the right port number so that the connection goes directly to the AUX port instead of the router's VTY lines. It is 2000 plus the line number of the AUX line. We need to run sh line, and we will see something like this:

Lines

In this case the AUX port is line 1, which translates to port 2001, so to reach the AUX port we telnet to the router's IP address on port 2001. If a Quantar is connected to the router, we should get the station's prompt: ]-O. We can enter, for example, the commands dorap and then MTR TX_PA_P1, which gives us the status of the station's PA.

Quantar


It is a working connection utilizing a Cisco router. The next steps are trying to map this to a COM port and use the CPS to read/write the station. If we use the command FPM instead of MTR TX_PA_P1, the station spits out a more general report, which can be used to build a status monitor. If the connection is refused, there might be an active connection or an old configuration interfering; do a clear line 1 and see if it helps. There are many more telnet commands for the Quantar, but that is outside the scope of this write-up. More research and experimentation needs to be done, but it is an interesting starting point. If you have additional information, have managed to read/write a repeater this way, or have made your own status panel, it would be nice if you could drop us a line.
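As an added example (not code from the original write-up), the script below does the two things the text describes by hand: it finds the AUX line number in sh line output and derives the reverse-telnet port (2000 + line), and it talks to the station through that port. The sh line sample is constructed to match the layouts IOS prints; the router address 192.0.2.1 is a placeholder; and sending a bare carriage return to elicit the ]-O prompt is an assumption about the Quantar. A terminal-server line negotiates telnet options before the repeater's own bytes arrive, so a client that just prints the raw socket stream shows garbage; the helper here refuses every option and strips the negotiation. Keep in mind that the reverse-telnet port has no login of its own unless one is configured on the line, so restricting who may connect (an access-class on the line, or keeping the router off any reachable network) is the defender's first concern, exactly the point the NPort section below makes.

```python
import re
import socket

# Constructed sample of "show line" output (the page only has a screenshot);
# the newer layout has "Tty Line Typ", the older one only "Tty Typ".
SAMPLE_SHOW_LINE = """\
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses   Noise  Overruns   Int
*     0    0 CTY              -    -      -    -    -     3       0     0/0       -
      1    1 AUX   9600/9600  -  inout   -    -    -     0       0     0/0       -
    130  130 VTY              -    -      -    -    -     2       0     0/0       -
"""

# optional '*'/'A'/'I' status flag, tty number, optional absolute line number, type
_LINE_RE = re.compile(r"^\s*[*AI]?\s*(\d+)(?:\s+(\d+))?\s+(CTY|AUX|VTY|TTY)\b")


def aux_line_numbers(show_line_output):
    """Return the absolute line numbers of all AUX lines in `show line` output.

    When a second numeric column exists it is the absolute line number;
    otherwise the tty number is the line number.
    """
    numbers = []
    for row in show_line_output.splitlines():
        m = _LINE_RE.match(row)
        if m and m.group(3) == "AUX":
            numbers.append(int(m.group(2) if m.group(2) else m.group(1)))
    return numbers


def reverse_telnet_port(line_number):
    """Cisco reverse-telnet convention from the write-up: TCP 2000 + line number."""
    return 2000 + line_number


IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(data):
    """Split a raw chunk from the socket into (payload_bytes, reply_bytes).

    Every DO is answered with WONT and every WILL with DONT, which leaves the
    line in plain mode; subnegotiation blocks (IAC SB ... IAC SE) are dropped.
    A negotiation sequence split across two recv() chunks is truncated here.
    """
    payload, reply = bytearray(), bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            payload.append(b)
            i += 1
            continue
        if i + 1 >= n:                    # dangling IAC at chunk end
            break
        cmd = data[i + 1]
        if cmd == IAC:                    # escaped 0xFF data byte
            payload.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            opt = data[i + 2]
            if cmd == DO:
                reply += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                reply += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB:                   # skip up to and including IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                             # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(payload), bytes(reply)


def read_until(sock, marker, timeout=5.0):
    """Collect cleaned payload until `marker` (e.g. the ]-O prompt) shows up."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        payload, reply = strip_telnet_negotiation(chunk)
        if reply:
            sock.sendall(reply)
        buf += payload
    return buf


def station_command(router_ip, line_number, command, prompt=b"]-O"):
    """Run one command on the station behind the router's AUX line."""
    with socket.create_connection((router_ip, reverse_telnet_port(line_number)), timeout=5.0) as s:
        s.sendall(b"\r")                  # assumption: a CR makes the station print its prompt
        read_until(s, prompt)
        s.sendall(command.encode("ascii") + b"\r")
        return read_until(s, prompt).decode("ascii", "replace")


if __name__ == "__main__":
    line = aux_line_numbers(SAMPLE_SHOW_LINE)[0]
    print("AUX is line", line, "-> port", reverse_telnet_port(line))
    # print(station_command("192.0.2.1", line, "dorap"))   # placeholder router address
```

Run it against the output of your own sh line first; if no AUX row is found the list is empty, which usually means the line is typed differently on that platform.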

P25NX Raspberry Pi Install


Update:

There is now a pre-built, ready-to-go image available, also based on Jessie Lite; it fits onto a 4GB SD card and has an auto updater. Read the P25NX Google group or check the P25NX website for contact information. The way below is still valid, but as of now it is more effort than needed.

I am using Raspbian Jessie Lite. After the image is written to an SD card, start the Pi, run sudo raspi-config, expand the file system and reboot. Then enter sudo nano /etc/dhcpcd.conf and give eth0 a static address:

interface eth0
static ip_address=192.168.1.2/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1

The address is only an example; use the right one according to the P25NX setup instructions. After you have changed the address, reboot the Pi. Then enter the following commands:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install git
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update
sudo apt-get install mono-complete
cd /opt
sudo git clone https://github.com/p25nx/pnx-mono.git
cd pnx-mono
sudo xbuild /p:configuration=Release
cd bin/Release
mono pnx-mono.exe

After that you should be able to access the web interface via the Pi's IP address on port 8080.

To update the pnx-mono program, go to the pnx-mono directory with cd /home/pi/pnx-mono, do a git pull https://github.com/p25nx/pnx-mono.git and run the xbuild command. After it has finished, use the last two commands to start the version compiled in the previous steps.

For more information about the P25NX network visit the Homepage

Nport 5600 Serial Device Servers Security

After I heard that a Moxa NPort 5600 server is used to remotely read/write a repeater, I did some research on the security and vulnerabilities of the NPort 5600 series.

At first everything looks OK-ish: the server is password protected, and no one can get access through the browser or through the command line interface. But does an intruder, who ultimately wants to gain access to an RS232 device connected to the NPort, really need access to the server itself? The answer is no. We can assume that if someone is using an NPort server, everything is working and configured just fine, otherwise it would not be in service. So let us focus on connecting to the server. Let us further assume we have no inside information and we don't know the brand and model in use; in this case, for example, the Hamnetdb only says RS232 Controller. If the IP address is accessed through a browser, only a password input field is shown, but over telnet there is way more:

Trying target.ip…
Connected to target.ip
Escape character is ‘^]’.
Model name : NPort 5610-16
MAC address : 00:90:E5:05:61:B5
Serial No. : 231
Firmware version : 3.5 Build 11080114
System uptime : 22 days, 06h:47m:28s

And this is, in my opinion, a first very weak point of the device: all of this is shown before the password prompt, so everyone gets the exact model, firmware and uptime without authentication. This is not necessary and makes no sense to me. With this crumb we can gain a lot more information, because we can download the manual, which tells us how it works and what software tools are needed to access the RS232 ports. The software can also be downloaded from the manufacturer without obstacles and for free, thank you very much. With the DSU, the device search utility, the server shows the same info as over a telnet connection, directly after entering an IP address. Same with the NPort Search Tool; the firmware upgrade ability is blocked, as it should be. The admin tool is in my personal opinion just bat shit crazy: one immediately has access to the COM port mappings, and they can be mapped to our local machine without any password or other security mechanism.

Now that the ports are available on the remote machine, they can be used to access the connected RS232 devices, in this case a repeater. It’s possible for everyone to read/write and manipulate the repeater.

In this case it is “only” a repeater. I searched the intwebs and found the addresses of a few NPort 5610, all with the same behavior; only god and maybe the owners know what is connected to the ports, I hope for them that it’s nothing critical…

A first workaround could be to restrict the IP addresses that are allowed to reach the RS232 server, or to shut down the port(s) via the web interface and only activate them when you need a connection. It should only be possible to map the remote ports and start using them after a password check. The current behavior is in my opinion not acceptable: every man and his dog can get access, the IP address is no barrier whatsoever, and a quick shodan.io search is enough to find a few NPorts…
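For operators who want to check their own device servers, the script below is an added example (not code from this post or from Moxa). It parses the unauthenticated telnet banner quoted above into fields, converts the uptime, and turns the two observations of this post into findings: the banner discloses model and firmware before login, and without a client allow-list the COM-port mapping is reachable from any host. The banner text is the one shown on this page; grab_banner() reaches a device on your own network over TCP 23 and is the only part that needs a live host. The name of the allow-list setting in the NPort web interface is not taken from the page, so the check treats it as a plain list you pass in.

```python
import re
import socket

# The banner quoted in the post (the only real sample on the page).
PAGE_BANNER = """\
Trying target.ip...
Connected to target.ip
Escape character is '^]'.
Model name : NPort 5610-16
MAC address : 00:90:E5:05:61:B5
Serial No. : 231
Firmware version : 3.5 Build 11080114
System uptime : 22 days, 06h:47m:28s
"""

_FIELDS = {
    "Model name": "model",
    "MAC address": "mac",
    "Serial No.": "serial",
    "Firmware version": "firmware",
    "System uptime": "uptime",
}
_FIELD_RE = re.compile(r"^\s*(Model name|MAC address|Serial No\.|Firmware version|System uptime)\s*:\s*(.+?)\s*$")
_UPTIME_RE = re.compile(r"(\d+)\s+days?,\s*(\d+)h:(\d+)m:(\d+)s")


def parse_nport_banner(text):
    """Map the 'Label : value' lines of the pre-login banner to a dict."""
    info = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            info[_FIELDS[m.group(1)]] = m.group(2)
    return info


def uptime_seconds(uptime_text):
    """'22 days, 06h:47m:28s' -> seconds; None if the format differs."""
    m = _UPTIME_RE.search(uptime_text)
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_exposure(info, client_allowlist):
    """Return the findings from the post as plain strings for a report.

    client_allowlist: the hosts permitted to reach the serial ports, as you
    configured them; an empty list means the device accepts any client.
    """
    findings = []
    if "model" in info or "firmware" in info:
        findings.append(
            "pre-authentication banner discloses model %s, firmware %s"
            % (info.get("model", "?"), info.get("firmware", "?"))
        )
    if not client_allowlist:
        findings.append(
            "no client allow-list: COM-port mapping is reachable from any host; "
            "restrict source addresses or disable unused ports"
        )
    secs = uptime_seconds(info.get("uptime", ""))
    if secs is not None:
        findings.append("device uptime %d days (banner also exposes this)" % (secs // 86400))
    return findings


def grab_banner(host, port=23, timeout=3.0):
    """Read whatever a device server sends before any login, on your own network.

    Telnet option bytes are dropped by decoding with errors='ignore'; the
    'Label : value' lines survive that and parse normally.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("ascii", "ignore")


if __name__ == "__main__":
    info = parse_nport_banner(PAGE_BANNER)
    for finding in assess_exposure(info, client_allowlist=[]):
        print("-", finding)
```

Feed grab_banner() only the addresses of device servers you operate; the point of the check is to see what your own unit tells the world before it asks for a password.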

P25.IO


The P25.IO team will post about modifications and repair related to older Astro, Astro25 and Quantar P25 equipment. This is a place to provide information to the P25 community and to prevent good information from being lost. If you have something to contribute, feel free to contact us.
