GPU-accelerated ARC4 key recovery for DMR Enhanced Privacy voice communications.
FSP.DMRCrack is a native Windows application that performs exhaustive 40-bit RC4 key search against captured DMR Enhanced Privacy voice frames. It integrates DSD-FME as the demodulation backend: select a WAV capture in the GUI and the app runs DSD-FME automatically to extract encrypted voice payloads.
DMR Enhanced Privacy (EP) uses ARC4 (RC4) with a 40-bit (5-byte) key. The 40-bit keyspace (2^40 ≈ 1 trillion keys) is tractable on a modern GPU in hours. FSP.DMRCrack exploits the structure of AMBE voice coding — valid speech produces predictable inter-frame parameter distributions — to identify the correct key with a statistical Z-score far above the noise floor (Z > 7 threshold).
Intended users: licensed radio operators performing authorized security audits of their own systems, researchers, and CTF participants.
| Requirement | Details |
|---|---|
| OS | Windows 10/11, 64-bit |
| GPU | NVIDIA sm_75+ (GTX 16xx / RTX 20xx or newer); CPU fallback available |
| Runtime | None — DSD-FME and all Cygwin DLLs are bundled by the installer |
| Python | 3.8+ (optional, for verify_decrypt.py and diag_decrypt.py) |
| CUDA Toolkit | 12.x (build-time only) |
| Visual Studio | 2022 with Desktop C++ workload (build-time only) |
- Download
FSP.DMRCrack-Setup.exefrom Releases. - Run the installer (requires Windows 10/11 x64, admin rights).
- Launch FSP.DMRCrack from the Start menu or desktop shortcut.
Everything is included: the GPU brute-force engine, the DSD-FME demodulator, and all required Cygwin runtime DLLs. No additional downloads or configuration needed.
Clone the repo and build with build.bat (requires CUDA Toolkit + Visual Studio). dsd-fme.exe and the Cygwin DLLs are already in tools/. If they are missing (e.g. on a clean CI checkout), run tools\get_runtime.bat to fetch them. See Building from source below.
1. Record a WAV file of the DMR RF signal (discriminator audio, 48 kHz mono recommended).
2. Open FSP.DMRCrack and select the WAV file in the CAPTURE section.
3. Click Demodulate — DSD-FME runs automatically, extracts encrypted voice payloads,
and writes a .bin file.
4. Click Start in the BRUTEFORCE section to begin the GPU search.
5. Monitor progress: keys/sec graph, best-score evolution, ETA.
6. The correct key produces a sharp score spike well above the noise floor.
If you already have a .bin payload file (e.g., generated by DSD-FME + dsdfme_dsp_to_bin.py):
- Select the
.binfile in the BRUTEFORCE section. - Configure the key range (default: full 40-bit space
0000000000–FFFFFFFFFF). - Click Start.
One payload per line, hex-encoded (33 bytes = 66 hex characters). Optional metadata after ;:
AABBCCDDEEFF112233...;ALG=21;KID=0F;MI=531699C4
| Tag | Meaning |
|---|---|
ALG=21 |
RC4 Enhanced Privacy algorithm |
KID=XX |
Key ID |
MI=XXXXXXXX |
Message Indicator (32-bit, hex) |
When all three tags are present, the KMI9 pipeline is used (key9 = key5 \|\| MI[4]). Without MI, the legacy 5-byte key mode is used.
Converts DSD-FME -Q DSP output + stderr log into a .bin payload file with correct per-frame MI assignment.
python tools\dsdfme_dsp_to_bin.py --dsp RC4.dsdsp.txt --out RC4.bin --log RC4.dslog.txtValidates a candidate key against a .bin file and prints Z-score metrics.
python tools\verify_decrypt.py --bin RC4.bin --key <YOUR_KEY_HEX>Expected output for a correct key on 126 payloads: Z ≈ 335 (bit-frequency), Z ≈ 38 (Hamming).
For each key candidate, the CUDA kernel runs the complete DSD-FME/mbelib pipeline per burst:
- Build
key9 = key5 || MI[4] - RC4 KSA with 9-byte key; discard
256 + burst_pos × 21bytes of keystream - For each sub-frame (0, 1, 2):
- De-interleave 33-byte payload →
ambe_fr[4][24] - mbelib demodulate (PRNG XOR on row 1)
- Extract 49 AMBE bits → pack to 7 bytes
- RC4 decrypt → unpack 24 bits
- De-interleave 33-byte payload →
- Score = Σ(24 − Hamming distance) across consecutive sub-frame pairs
Valid speech has slowly-varying AMBE parameters (HD ≈ 0–4). Random keys produce HD ≈ 12. At 126 payloads the correct key achieves Z ≈ 48.5 sigma (C/CPU path).
Between superframes (every 6 bursts), MI advances by 32 LFSR steps: taps {31,3,1}.
On an RTX 3080 (sm_86), expect ~2–5 billion key candidates per second. Full 40-bit space completes in a few hours.
All build scripts auto-detect Visual Studio via vswhere.exe.
Open an x64 Native Tools Command Prompt for VS in the project root:
build.batOutput: bin\dmrcrack.exe
Or manually:
nvcc -O3 ^
-gencode arch=compute_75,code=sm_75 ^
-gencode arch=compute_86,code=sm_86 ^
-gencode arch=compute_89,code=sm_89 ^
-gencode arch=compute_75,code=compute_75 ^
-cudart static -Iinclude -Ivendor\winsparkle\include ^
-Xcompiler "/W4 /D_CRT_SECURE_NO_WARNINGS /DWIN32 /D_WINDOWS" ^
src\main.c src\gui.c src\bruteforce.cu src\payload_io.c src\rc4.c src\lang_en.c src\updater.c ^
-o bin\dmrcrack.exe ^
-luser32 -lgdi32 -lcomdlg32 -lkernel32 -ldwmapi -lshell32 -ladvapi32 ^
vendor\winsparkle\x64\WinSparkle.libThe default build targets sm_75/86/89 natively plus a PTX fallback for RTX 50xx and newer (JIT-compiled by the driver on first run). Supported GPUs: GTX 16xx, RTX 20xx–50xx.
build_test.bat # → bin\test_strict_score.exe- Install Inno Setup
- Open
installer\FSP.DMRCrack.iss - Build →
installer\output\FSP.DMRCrack-0.1.0-Setup.exe
FSP.DMRCrack/
src/
main.c Entry point (WinMain)
gui.c Win32 GUI, dark theme, progress graphs
bruteforce.cu CUDA GPU brute-force kernel
bruteforce.c CPU multi-threaded fallback
rc4.c RC4 KSA + PRGA (host-side)
payload_io.c .bin file loader/saver, ALG/KID/MI metadata parser
include/ Headers
tools/
dsd-fme.exe DSD-FME demodulator (requires Cygwin DLLs alongside)
dsdfme_dsp_to_bin.py DSD-FME DSP output → .bin converter
verify_decrypt.py Key validation with Z-score output
diag_decrypt.py Decryption pipeline diagnostic
extract_encrypted_from_dsdfme.bat DSD-FME capture helper
installer/
FSP.DMRCrack.iss Inno Setup script
bin/ Compiled executables (not tracked in git)
FSP.DMRCrack is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation. See LICENSE for the full text.
DSD-FME (required companion tool, distributed in tools/) is licensed under ISC + GPLv2. See NOTICE. The Cygwin runtime DLLs bundled alongside DSD-FME are LGPL-licensed.