Tagged: TETRA

GopherTrunk: A New Pure-Go Trunked Radio Scanner Supporting P25, DMR, TETRA, NXDN and More

Thank you to Matt Cheramie, who wrote in to let us know about his new software called GopherTrunk, an RTL-SDR compatible radio scanner that follows digital trunked-radio voice calls and decodes them into audio. GopherTrunk runs on a pool of RTL-SDR dongles and ships as a single ~10 MB static binary for Linux, macOS, and Windows. There are no C dependencies, so neither librtlsdr nor libusb is required at build or run time, which makes deployment on a fresh machine or Raspberry Pi straightforward.

On the protocol side, GopherTrunk handles control-channel decoding for P25 (Phase 1 and 2), DMR, TETRA, NXDN, Motorola Type II, EDACS, LTR, MPT 1327, dPMR, D-STAR, and YSF. The voice path is written in pure Go and implements the IMBE and AMBE+2 vocoders directly, removing the dependency on external DVSI hardware or mbelib. The interface is terminal-based, but a full browser-based operator console is also included. There is also a configuration importer that parses RadioReference.com PDF exports and CSV bundles straight into the daemon config.

Matt notes that while the engine is running end-to-end, he is looking for SDR enthusiasts to test it against real-air captures to help refine the on-air FEC layers and vocoder audio levels. Prebuilt releases and the quick start guide are available at gophertrunk.org/downloads, and the full source is on GitHub. Feedback and bug reports are very welcome if you give it a try.

GopherTrunk: A New Digital Trunking Scanner for RTL-SDR written in Pure-Go

Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack

The Taipei Times has reported that a 23-year-old university student in Taiwan has been arrested after using a software-defined radio and a handheld radio to hack into Taiwan High Speed Rail Corporation's (THSRC) internal radio communications and halt four trains mid-service.

Chinese-language coverage from UDN and Newtalk fills in some details omitted in the English Taipei Times article. The system the student compromised is TETRA, and at 23:23 on April 5, 2026, the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert, which automatically instructs trains in the area to switch to manual emergency braking. Four trains were stopped for 48 minutes. THSRC's radio system has reportedly been in service for 19 years with seven verification layers, but the parameters were apparently never meaningfully rotated over that period.

Police describe the suspect as buying an SDR online, connecting it between an antenna and a laptop, capturing THSRC traffic and decoding the relevant network parameters in software, then programming those parameters into one of his eleven handheld radios. A 21-year-old friend also allegedly supplied some critical THSRC parameters. The actual details of the 'hack' are not entirely clear from the news articles. We suspect that the THSRC TETRA system is simply unencrypted, and that the student was able to spoof a legitimate signal once his radio carried the cloned network parameters. It is also possible that the THSRC TETRA system uses TEA1 encryption, which is known to be broken. Note that in TETRA, air-interface encryption and terminal authentication are separate mechanisms, and either can be switched off independently of the other.

Police located the student through a combination of network-side TETRA logs and CCTV. When the THSRC control center called back to verify the alarm, the person on the other end gave contradictory answers and then powered the radio off, prompting THSRC to audit its handheld fleet, confirm that every issued radio was accounted for in its storage locker, and report to police that the parameters had been cloned.

Base station logs from the THSRC TETRA infrastructure (which record which sites received the uplink, with multi-site signal strength narrowing the origin) were used to localize the transmission source, and CCTV from around the coverage area was then used to identify the student and trace him to his rental unit. Search warrants on 28 April seized 11 handheld radios, a laptop, and the SDR. 
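The multi-site signal-strength step mentioned above is a standard way of narrowing down a rogue transmitter, and the following Python is an added example of how it works (it is not code from THSRC, the police, or this site). It assumes a log-distance path-loss model with an exponent of 3.0, site positions in kilometres, and a constructed five-site uplink log generated from a hidden transmitter so that the recovery can be checked. The transmitter's power is unknown, so it is solved for at each candidate position, meaning only the RSSI differences between sites fix the location.

```python
import math

PATH_LOSS_EXPONENT = 3.0   # assumed; 2 is free space, 3-4 is typical suburban/urban


def path_loss_db(distance_km: float, n: float = PATH_LOSS_EXPONENT) -> float:
    """Log-distance model: attenuation relative to 1 km. Distances are floored at 10 m."""
    return 10.0 * n * math.log10(max(distance_km, 0.01))


def synth_site_log(tx, sites, p_ref_dbm, noise_db):
    """Constructed multi-site uplink log: (site, x_km, y_km, rssi_dbm) for a hidden tx."""
    log = []
    for (name, x, y), noise in zip(sites, noise_db):
        d = math.hypot(tx[0] - x, tx[1] - y)
        log.append((name, x, y, round(p_ref_dbm - path_loss_db(d) + noise, 1)))
    return log


def localize(site_log, x_range, y_range, step=0.05, n=PATH_LOSS_EXPONENT):
    """Grid search for the position that best explains the RSSI seen at every site.
    The transmitter power is unknown, so for each candidate point the reference
    power is solved in closed form (mean residual); only RSSI *differences* between
    sites constrain the position. Returns (x, y, p_ref_dbm, rms_error_db)."""
    if len(site_log) < 3:
        raise ValueError("need at least three receiving sites to fix a position")
    best = None
    x = x_range[0]
    while x <= x_range[1] + 1e-9:
        y = y_range[0]
        while y <= y_range[1] + 1e-9:
            losses = [path_loss_db(math.hypot(x - sx, y - sy), n) for _, sx, sy, _ in site_log]
            p_ref = sum(r + l for (_, _, _, r), l in zip(site_log, losses)) / len(site_log)
            err = sum((r - (p_ref - l)) ** 2 for (_, _, _, r), l in zip(site_log, losses))
            if best is None or err < best[3]:
                best = (x, y, p_ref, err)
            y += step
        x += step
    bx, by, p_ref, err = best
    return bx, by, p_ref, math.sqrt(err / len(site_log))


def demo():
    # Constructed site layout (km) and a hidden transmitter the search should recover.
    sites = [("SITE-A", 0.0, 0.0), ("SITE-B", 8.0, 0.5), ("SITE-C", 0.5, 8.0),
             ("SITE-D", 8.0, 8.0), ("SITE-E", 4.0, 9.5)]
    hidden_tx = (3.2, 4.7)
    log = synth_site_log(hidden_tx, sites, p_ref_dbm=-60.0,
                         noise_db=[0.2, -0.3, 0.1, -0.2, 0.3])
    x, y, p_ref, rms = localize(log, (0.0, 10.0), (0.0, 10.0))
    return (x, y), math.hypot(x - hidden_tx[0], y - hidden_tx[1]), rms


if __name__ == "__main__":
    pos, miss_km, rms = demo()
    print(f"estimate {pos}, {miss_km:.2f} km from true position, rms {rms:.2f} dB")
```

With fewer than three receiving sites the fit is underdetermined, which is why `localize` refuses to run. Real logs also carry antenna-pattern, terrain and body-loss effects that the model ignores, so the output is a search area rather than a fix, which is consistent with the CCTV follow-up in the story.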

He is currently out on NT$100,000 (3,200 USD) bail and faces up to ten years under Taiwan's Railway Act and Criminal Code, with an unconvincing "had it in my pocket and accidentally pressed the button" defense.

Stories like this are a reminder that experimenting with operational safety-of-life radio systems carries serious legal consequences. Back in 2016, we covered the case of Dejan Ornig, a Slovenian university student who used an RTL-SDR and the open source Osmocom TETRA decoder to discover that his country's police TETRA terminals were running unauthenticated, despite official documents stating otherwise. After seven years of court hearings, he ended up with a seven-month suspended sentence. More recently, we posted on the End of Train (EoT) vulnerability, where a security researcher demonstrated that an SDR can replicate the unauthenticated braking command on US freight trains.

The Equipment Seized by Police
A Taiwanese High Speed Train (Source: https://en.wikipedia.org/wiki/File:THSR_700T_TR17_20130907.jpg)
Translated news graphic from https://udn.com/news/story/7315/9475450

Telive osmo-tetra-sq5bpf: An Experimental TETRA Decoder that Enables Voice Decryption (If You Have the Key)

Thank you to Jacek / SQ5BPF for letting us know that he has recently released a modified version of the Telive TETRA decoder for Linux. The modification allows the user to listen to TEAx-encrypted voice if they have the decryption key. Normally, if a TETRA signal is encrypted there is no way to listen to it unless you have obtained the key from the network operator or extracted it from TETRA keyloader hardware.

But because a backdoor in the TEA1 cipher was disclosed in 2023, he has also added support for using the 32-bit reduced key directly. That key can be recovered automatically from captured TETRA traffic using his other tool, teatime. TEA1 is being phased out, but many deployments still use it.

The software is designed for advanced users to compile and run, so very little documentation is provided. However, there is a blog post here that explains the overall steps. Some additional information can be found on SQ5BPF's RadioReference post here.

TETRA Decoding (with telive on Linux)

Encryption on the TETRA Protocol has been broken

TETRA (Terrestrial Trunked Radio) is a digital voice and text radio communications protocol often used by authorities and industry in Europe and many other countries outside the USA. A major advantage of a digital protocol like TETRA is its ability to be secured with encryption.

Recently, security researchers at Midnight Blue in the Netherlands disclosed a collection of five vulnerabilities collectively called "TETRA:BURST", most of which apply to almost every TETRA network in the world. The two most critical allow TETRA traffic to be decrypted or attacked with consumer hardware.

The first critical vulnerability, CVE-2022-24401, is described as a decryption oracle attack:

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
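As an added illustration of the mechanism in that sentence (this is not Midnight Blue's code, and the keystream function is a stand-in PRF, not any of the real TEA algorithms), the following Python models a radio whose keystream depends only on the traffic key and an unauthenticated time broadcast, then plays the rogue-base-station keystream-reuse attack against it in two variants. The radio classes, key, messages and frame times are all constructed for the example.

```python
import hashlib
import hmac

# Constructed 80-bit stand-in for a network's traffic key.
TRAFFIC_KEY = bytes.fromhex("00112233445566778899")


def keystream(key: bytes, frame_time: int, length: int) -> bytes:
    """Toy air-interface keystream: a PRF of (key, frame time) expanded to `length` bytes.
    Stand-in only; the single property modelled is that the keystream is fully
    determined by the key and the network time the radio believes in."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = frame_time.to_bytes(4, "big") + block.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def aie_encrypt(key: bytes, frame_time: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, frame_time, len(plaintext)))


class Radio:
    """Vulnerable terminal: accepts any time broadcast and keys its encryption from it."""

    def __init__(self, key: bytes):
        self.key = key
        self.network_time = 0

    def sync(self, broadcast_time: int) -> None:
        self.network_time = broadcast_time     # unauthenticated, accepted as-is

    def encrypt(self, plaintext: bytes) -> bytes:
        return aie_encrypt(self.key, self.network_time, plaintext)


class MonotonicRadio(Radio):
    """Partial hardening: refuse a broadcast that would move the clock backwards."""

    def sync(self, broadcast_time: int) -> None:
        if broadcast_time < self.network_time:
            raise ValueError("rejected time broadcast: clock would move backwards")
        self.network_time = broadcast_time


def recover_keystream(victim: Radio, spoof_time: int, known_plaintext: bytes) -> bytes:
    """Rogue base station step: push `spoof_time` to the victim, get it to encrypt a
    message whose plaintext is predictable, and XOR out the keystream for that time."""
    victim.sync(spoof_time)
    return xor(victim.encrypt(known_plaintext), known_plaintext)


def decrypt_with_oracle(victim: Radio, target_time: int, target_ct: bytes, known: bytes) -> bytes:
    if len(known) < len(target_ct):
        raise ValueError("known plaintext must be at least as long as the target")
    ks = recover_keystream(victim, target_time, known)
    return xor(target_ct, ks[:len(target_ct)])


def demo():
    # Constructed scenario: the attacker recorded a dispatch message at frame time 1000.
    secret = b"UNIT 12 PROCEED TO GATE 4"
    recorded = aie_encrypt(TRAFFIC_KEY, 1000, secret)
    # A message the victim will send on demand and whose content is predictable.
    known = b"REGISTER ISSI 0001 " + b"\x00" * 16

    victim = Radio(TRAFFIC_KEY)
    victim.sync(5000)                         # real network time has moved on
    replay = decrypt_with_oracle(victim, 1000, recorded, known)

    hardened = MonotonicRadio(TRAFFIC_KEY)
    hardened.sync(5000)
    try:
        decrypt_with_oracle(hardened, 1000, recorded, known)
        blocked = False
    except ValueError:
        blocked = True

    # Forward-dated variant: spoof a *future* time, harvest its keystream now, then
    # decrypt the genuine traffic the network sends at that time later on.
    ks_future = recover_keystream(hardened, 9000, known)
    later = aie_encrypt(TRAFFIC_KEY, 9000, secret)
    forward = xor(later, ks_future[:len(later)])
    return replay, blocked, forward
```

The monotonic-clock check only closes the backdated variant; the forward-dated one still works because nothing stops the attacker choosing a time the network has not reached yet. In this model the attack goes away only if the time broadcast is authenticated or the keystream additionally depends on a value the attacker cannot force to repeat.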

The second, CVE-2022-24402, is a backdoor built into the TEA1 cipher that makes brute-force decryption easy:

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
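To show why a key-schedule reduction is a full break regardless of the advertised key size, and what the "32-bit short key" in the telive/teatime item above refers to, here is an added Python model (not Midnight Blue's, SQ5BPF's, or TEA1's real code). The key schedule is a stand-in that deliberately maps an 80-bit key onto a small internal state; the effective width is a parameter, defaulting to 18 bits so the search finishes in about a second in pure Python, and the measured rate is extrapolated to the 32 bits the advisory quotes. Keys, frame times and messages are constructed.

```python
import hashlib
import time

NOMINAL_KEY_BITS = 80        # the key size TEA1 advertises
TEA1_EFFECTIVE_BITS = 32     # what the reduction lands at, per the advisory


def reduce_key(key: bytes, effective_bits: int) -> int:
    """Toy lossy key schedule (stand-in, not TEA1's): maps the 80-bit key onto
    `effective_bits` bits of internal state. Because the map is many-to-one, only
    2**effective_bits distinct keystreams exist whatever the nominal key size."""
    if len(key) * 8 != NOMINAL_KEY_BITS:
        raise ValueError("expected an 80-bit key")
    digest = hashlib.sha256(b"toy-key-schedule" + key).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << effective_bits) - 1)


def keystream(state: int, frame_time: int) -> bytes:
    """One 32-byte toy keystream block from internal state and frame time."""
    return hashlib.sha256(state.to_bytes(8, "big") + frame_time.to_bytes(4, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, effective_bits: int, frame_time: int, plaintext: bytes) -> bytes:
    if len(plaintext) > 32:
        raise ValueError("demo handles one keystream block per message")
    return xor(plaintext, keystream(reduce_key(key, effective_bits), frame_time))


def brute_force(effective_bits: int, frame_time: int, ciphertext: bytes, known: bytes):
    """Known-plaintext search over the *reduced* space only.
    Returns (equivalent_state, candidates_per_second)."""
    want = xor(ciphertext, known)            # keystream bytes visible to the attacker
    start = time.perf_counter()
    for cand in range(1 << effective_bits):
        if keystream(cand, frame_time)[:len(want)] == want:
            elapsed = time.perf_counter() - start
            return cand, (cand + 1) / max(elapsed, 1e-9)
    raise RuntimeError("no candidate matched; check the known plaintext")


def seconds_for_full_search(bits: int, rate: float) -> float:
    return (1 << bits) / rate


def demo(effective_bits: int = 18):
    key = bytes.fromhex("0badc0ffee0badc0ffee")      # constructed 80-bit key
    t_known, t_secret = 4242, 4300
    # Constructed traffic: a message with predictable content, and one without.
    c_known = encrypt(key, effective_bits, t_known, b"REGISTRATION OK")
    c_secret = encrypt(key, effective_bits, t_secret, b"GATE 4 OPEN")
    # Attacker never learns the 80-bit key; the equivalent state is all that is needed.
    state, rate = brute_force(effective_bits, t_known, c_known, b"REGISTRATION OK")
    recovered = xor(c_secret, keystream(state, t_secret))
    return state, recovered, seconds_for_full_search(TEA1_EFFECTIVE_BITS, rate)


if __name__ == "__main__":
    state, recovered, est = demo()
    print(f"equivalent state {state:#x}, recovered {recovered!r}, "
          f"full 32-bit search at this rate: {est / 60:.0f} min")
```

The recovered state decrypts every message encrypted under the same key, not just the one used for the search, because the 80-bit key only ever enters the cipher through its reduced image. The pure-Python rate is pessimistic; an optimised native implementation is what puts a 32-bit search into the "minutes on consumer hardware" range the advisory describes.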

Midnight Blue is due to release more technical details about the vulnerabilities on August 9 during the Black Hat security conference. Because of the sensitivity of the findings, the team held them back for over 1.5 years, notifying as many affected parties as possible and releasing recommended mitigations. It is unclear at the moment how many TETRA operators have implemented those mitigations.

For more detail about the possible implications the team write:

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Below is a demonstration of the TEA1 CVE-2022-24402 attack on TETRA, and if you are interested the Midnight Blue YouTube channel also contains a video demonstration for the CVE-2022-24401 decryption oracle attack.

Demo: TETRA TEA1 backdoor vulnerability (CVE-2022-24402)

Currently, it is possible to decode unencrypted TETRA using an RTL-SDR with software like TETRA-Kit, SDR# TETRA Plugin, WinTelive, and Telive. In the video the research team appear to use Telive as part of their work.

We also note that in the past we've run several stories about Dejan Ornig, a Slovenian researcher who was almost jailed because of his research into TETRA. Dejan's research was much simpler, as he simply discovered that many Police radios in his country had authentication turned off, when it should have been on.

TETRA Decoding (with telive on Linux)

Slovenian whistleblower who was convicted for reporting a flaw in Police TETRA with an RTL-SDR requests donations

Back in May 2016 we posted about Dejan Ornig, a then-26-year-old student at the University of Maribor's Faculty of Criminal Justice, Slovenia, who was almost imprisoned for using an RTL-SDR and finding a security flaw in Police TETRA communications. Dejan's story was one of the first of several we have presented over the years involving a person getting into legal or political trouble from the use of SDRs like the RTL-SDR in more authoritarian countries.

TETRA is an RF digital voice and text communications protocol often used by authorities in Europe and other countries because it can be secured with encryption. Using an RTL-SDR and an open source TETRA decoder, Dejan discovered that, despite official documents specifying that all Police TETRA terminals must be authenticated, none actually were. (In TETRA, authentication is a challenge-response exchange between terminal and infrastructure and is a separate mechanism from air-interface encryption; a network can have one enabled without the other.)

Dejan went ahead and ethically reported his findings to the Slovenian authorities, working together with Police officers to disclose all his findings. However, in the end no action was taken, and Dejan took his findings to the press. It was then that Dejan was prosecuted by Slovenian Police, his house raided, and he discovered that Police had been collecting evidence against him for more than a year.

To complicate matters further it appears that Dejan also worked as an intelligence informant for the Police and was illegally instructed and helped by two Police detectives to hack into e-mails, Facebook profiles and other online communications of people deemed suspicious.

After seven years of court hearings, his TETRA case ended in 2022 with Dejan receiving a seven-month suspended prison sentence. Although a suspended sentence means that Dejan will not physically go to jail, he still carries a criminal record.

The criminal trial and conviction has led to Dejan having problems securing a job and moving forward with his life. He is currently asking for donations online in order to help get his life back on track. Dejan's full story can be read at the funding site. Alternatively you can donate via PayPal.

NOTE: As donation requests can often be scams, we have independently verified that it is indeed Dejan Ornig who submitted this story to us, and that the donation site and PayPal link is legitimate.

NOTE 2: In the past we have had issues moderating comments with stories involving transgender and female contributors. Dejan's story contains info about his sexual orientation and we will not accept derogatory comments on this site regarding this. If desired, please discuss the technical and legal nature of Dejan's situation, any other comments will be removed.

TETRA Decoding (with telive on Linux)
An Example TETRA decoding setup

Tech Minds: Testing the OpenEar DMR TETRA ADSB POCSAG Decoder for RTL-SDR

Back in March we posted about the release of OpenEar, a standalone TETRA decoder for the RTL-SDR. Since then OpenEar has undergone massive developments, not only improving upon the TETRA decoder, but adding DMR, ADS-B and POCSAG decoders as well as a waterfall display.

Recently Tech Minds reviewed this software on his YouTube channel. In the video he shows how to download the software, install the rtlsdr.dll file, and run and use the software. He then demonstrates reception of an amateur radio DMR repeater, reception of POCSAG pager messages and finally reception of ADS-B aircraft messages.

OpenEar Digital Decoder - DMR TETRA P25 ADSB POCSAG RTL-SDR

TETRA-Kit: A New Open Source TETRA Decoder

Thank you to Larry for submitting information about his latest project called TETRA-Kit. TETRA-Kit is an extensible open source TETRA downlink decoder for Linux that makes use of GNU Radio as the first stage, so it should be compatible with any SDR supported by GNU Radio, including the RTL-SDR. Larry writes:

[TETRA-Kit] is inspired by a lot of existing stuff (see 'Previous work' in the project page) but started from scratch with the following ideas:

  • Stays as close as possible to the TETRA specification layers defined in ETSI EN 300 392-2 v3.4.1 (2010-08)
  • Transmits downlink information (including speech frames) in JSON plain-text format to be recorded or analyzed by an external program
  • Reassociates speech frames with a simple method based on the associated caller id and usage marker (saves messages transmitted simultaneously in separate files)
  • KISS

The decoder implements a soft synchronizer allowing missing frames (50 bursts) before losing synchronization.

It consists of 3 parts:

  • A physical layer transforming the PI/4 DQPSK RF signal to bits (RF frontend is a NESDR at 2MBPS)
  • A decoder, which is the actual TETRA stack reading bits and transforming them to JSON text
  • A recorder, which reads the JSON stack output and reorders speech frames into separate files

The ETSI codec is also provided so unencrypted speech can be played.

The software is written in C++, licensed under GPLv3, and uses a few external pieces of software with compatible licensing.
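The recorder stage described above, which reassociates interleaved speech frames into one file per call using the caller id and usage marker, is simple enough to show end to end. The following Python is an added example of that idea and is not TETRA-Kit's own code: the JSON field names (tn for timeslot number, event, caller, usage_marker, frame) are this example's own and not TETRA-Kit's real schema, the input lines are constructed, and files are kept in memory instead of being written to disk. A stream that goes quiet for more than an idle limit of timeslots is closed, in the same spirit as the decoder's 50-burst soft-sync tolerance.

```python
import json
from collections import defaultdict

# Constructed decoder output: two calls interleaved, a release, one garbage line,
# a third caller reusing usage marker 3, and a late burst from caller 2002.
SAMPLE_LINES = """\
{"tn": 1, "event": "speech", "caller": 1001, "usage_marker": 3, "frame": "0a0b0c"}
{"tn": 2, "event": "speech", "caller": 2002, "usage_marker": 7, "frame": "1a1b1c"}
{"tn": 3, "event": "speech", "caller": 1001, "usage_marker": 3, "frame": "0d0e0f"}
{"tn": 4, "event": "speech", "caller": 2002, "usage_marker": 7, "frame": "1d1e1f"}
{"tn": 5, "event": "release", "caller": 1001, "usage_marker": 3}
garbage from a burst that failed its CRC
{"tn": 6, "event": "speech", "caller": 3003, "usage_marker": 3, "frame": "2a2b2c"}
{"tn": 7, "event": "speech", "caller": 2002, "usage_marker": 7, "frame": "2d2e2f"}
{"tn": 80, "event": "speech", "caller": 2002, "usage_marker": 7, "frame": "3a3b3c"}
"""


class Recorder:
    """Reassociates speech frames into one output per (caller id, usage marker)
    stream, so simultaneous calls that arrive interleaved land in separate files."""

    def __init__(self, idle_limit: int = 50):
        self.idle_limit = idle_limit        # timeslots of silence before a stream closes
        self.open = {}                      # (caller, um) -> {"frames": bytearray, "last_tn": int}
        self.files = {}                     # output name -> raw speech bytes
        self.file_seq = defaultdict(int)    # (caller, um) -> files emitted so far
        self.bad_lines = 0

    def _close(self, key):
        stream = self.open.pop(key)
        self.file_seq[key] += 1
        name = f"call_{key[0]}_um{key[1]}_{self.file_seq[key]:02d}.bin"
        self.files[name] = bytes(stream["frames"])

    def _expire(self, now_tn: int):
        stale = [k for k, s in self.open.items() if now_tn - s["last_tn"] > self.idle_limit]
        for key in stale:
            self._close(key)

    def feed(self, line: str):
        line = line.strip()
        if not line:
            return
        try:
            msg = json.loads(line)
            key = (int(msg["caller"]), int(msg["usage_marker"]))
            tn = int(msg["tn"])
        except (ValueError, KeyError, TypeError):   # JSONDecodeError is a ValueError
            self.bad_lines += 1
            return
        self._expire(tn)
        event = msg.get("event")
        if event == "release":
            if key in self.open:
                self._close(key)
            return
        if event != "speech":
            return
        try:
            frame = bytes.fromhex(msg["frame"])
        except (ValueError, KeyError, TypeError):
            self.bad_lines += 1
            return
        stream = self.open.setdefault(key, {"frames": bytearray(), "last_tn": tn})
        stream["frames"] += frame
        stream["last_tn"] = tn

    def finish(self):
        """Flush streams still open at end of input and return the output map."""
        for key in list(self.open):
            self._close(key)
        return self.files


def record(text: str, idle_limit: int = 50):
    rec = Recorder(idle_limit)
    for line in text.splitlines():
        rec.feed(line)
    return rec.finish(), rec.bad_lines


if __name__ == "__main__":
    files, bad = record(SAMPLE_LINES)
    for name, data in files.items():
        print(name, data.hex())
    print("unparseable lines:", bad)
```

Keying on the pair rather than the usage marker alone is what keeps caller 3003's traffic out of caller 1001's file when the network reuses marker 3, and the idle timeout is what splits caller 2002's late burst into a second file instead of gluing it onto a call that ended long before.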

TETRA, which stands for "Terrestrial Trunked Radio", is a digital voice and trunked radio communications system. It is used in many parts of the world, but not in the USA.

TETRA-Kit Screenshot

OpenEar Updated to Version 1.6

The RTL-SDR compatible multi-mode digital decoder OpenEar has recently been updated to version 1.6. The latest version supports decoding of FM/AM, TETRA, DMR, POCSAG and ADS-B. New features include a zoomable waterfall and other GUI and functionality improvements. The changelog reads:

6/4/2020
version 1.6.0
- saving last settings
- waterfall
- zoom on spectrum and waterfall with mouse wheel
- better list placement (pocsag & ads-b)
- wav(I/Q) loading (only 1024000 Sample/sec)
- voice volume & mute button
- spectrum range and offset
- rtl gain and correction (ppm)
- top menu
- frequency list
- some DMR improvement on SYNC detection
- solved center frequency issue (DC problem)
- and other few UI improvements

OpenEar Version 1.6