There’s a consistent question that I get, either in emails or in class, about whether the Baofeng radios have any sort of ‘exploitable flaw’: ie, a remote kill switch from the Chinese. This is something I addressed in Radio Contra Episode 41, stating in short that, no, there’s not.

I’ve got an OUTSTANDING post from a member over at the Brushbeater forum, diving much deeper into the issue than I did. And he’s spot on.

Evening all,
First, let me say that I truly enjoy RadioContra.  As I stated in my first thread, I don’t have the military background that many here do, so listening to the podcasts and reading through American Partisan is a learning opportunity for me for that.  I do enjoy the articles and podcasts, especially the communications topics around a military viewpoint or approach.
If I ramble, forgive me, I come from the technical above grammar side of life…
In Episode 41, around the 54 minute mark, NC Scout mentions a letter about the possibility of tracking and remotely killing the Baofeng radios.  I can shed some light on this topic, as I have not only done full teardowns of them, but also a full Reverse Engineering job on quite a few of them.  They do not have any “tracking” devices or even firmware in their radios, but they do have a few things in SOME of the models that could be a problem to users that want guaranteed control of their radios at all times.  The first of which is a “Stun, Kill, Revive” function that allows another person to remotely “Stun” the radio (remove the ability to transmit, but the radio can still receive whatever channel it was on before the “Stun” code was sent).  They can also send a “Kill” command that stops the unit from transmitting OR receiving (at least putting any audio out, as the radio IS still listening for any different commands on that channel).  The last command in the normal threesome is “Revive”, where the other person can put that radio back into normal operation.  These radios are actually used for commercial (business) use over in China, so they have cloned (stolen) a few of the major radio manufacturers’ “features” into their radios, as almost everything in the radio is built into software instead of built as hardware in the radio.  As such, one of the features they cloned is the “Stun, Kill, Revive” function of a lot of the Japanese commercial radios.  And the commands are similar: grab the attention of the specific radio, or group of radios (DCS, CTCSS, DTMF Prefix…), and with one extra DTMF sequence, cause the remote radio(s) to “Stun, Kill, or Revive”.  Some of the radios, like the tri-band UV-3X5, also have a “Monitor” command that allows you to remotely key up the transmit for 15 seconds to turn the radio into a room microphone, definitely not an OPSEC feature most want in a radio.
Not to mention that 15 seconds of keying up that you can’t control unless you pull the battery pack off can lead to a quick DF fix on your position if your enemy is in your area, or flying around (think UAV-based SDR).
Again, not all of the Baofengs have this (or some of the other interesting features), but many do, and it all depends on what firmware each radio was born with as to which features work and which ones don’t.  Honestly, your best option to see if your Baofeng has them is to try them from another radio.  I have at least a few dozen of most of the different versions of the Baofeng radios as well as most of the other Chinese models that have come out.  My main (non-SDR) radios are usually the main Japanese brands, but I do have a few others.  Most of my equipment is SDR based, with most of that being my own designed and built equipment.
A LOT of people, including myself, LOVE using CHIRP to program the different radios they have.  The issue is that CHIRP does not get into all of the more “odd” features that most of these radios have, but sticks with the general features and programming the memory channels.  That is all well and good if that is all you need, and most times it is.  The issue is that you don’t get to see some of the more “interesting” features that are built into each specific radio.  And a LOT of the Chinese radios have different features for the same radio, all based on what version of firmware that exact radio is built on.  Note: the Baofeng CPUs have their firmware built in at their creation and don’t have an option to reload or upgrade the radio, which is why you can brick the Baofengs if you use the wrong settings on some models in CHIRP and not be able to get them back with the normal programming cable and even the factory programming system.  CHIRP IS getting better about a lot of these different firmware versions/revisions, and CHIRP DOES have some of these features for the newer (more refined firmware) radios like the UV-3X5 (which does allow the modification of the Stun, Kill, Revive, Monitor (and other) remote functions).
A better description of the CHIRP UV-5X3 settings can be found here:  baofengtech.com/wp-content/uploads/2020/08/Remote-Commands.pdf
The second topic is the tracking issue, with not just the Baofeng radios but all transmitters.  While the Baofeng radios don’t have any designated “tracking” system in them, they DO have a rather “filthy” transmit, so transmitter fingerprinting is VERY effective with these radios and should always be kept in mind if you are worried about SIGINT/ELINT being used against you.  While terrestrial reception and fingerprinting is limited by line-of-sight signal propagation to the user’s radio horizon, you all need to know that there are at least two dozen satellite systems that monitor HF through SHF (and a few that do higher frequencies) around the world.  Most of these satellite constellations are military/government, but there are more than a few that are commercial, and the data that they collect, the recordings, and the True-Range Multilateration (TR-MLAT) data that they collect is available to ANYONE with a large checkbook.  Information sells, but who is buying?
Two of the bigger companies to look into are:
Hawkeye360 (and a few global users of Hawkeye360 also use the Carbonite and Capella visual satellites to get eyes on their targets QUICKLY)
Kleos (Works alongside Spire for Worldwide AIS and SAR beacon signals but is NOT limited to those frequencies)
(and you might want to study what the bolded companies and their satellites have the capability to do…)
Loup
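The post’s practical advice is to test your own radio from a second radio to find out whether it honours the remote commands. A complementary defensive check is to listen to your working channel and log any DTMF bursts, since that is the carrier for the Stun/Kill/Revive/Monitor sequences described above. The following is an added example, not code from the forum post, from Baofeng or from CHIRP: a stand-alone Goertzel-filter DTMF decoder with a constructed test burst. It assumes mono receiver audio sampled at 8 kHz, tones at least 40 ms long, and a silent gap between repeated digits; the digits in the test signal are arbitrary and are not any radio’s real command code.

```python
"""Log DTMF key bursts heard on a monitored channel (added example).

Assumptions: mono audio at SAMPLE_RATE, tones >= 2 analysis frames long,
and at least one silent frame between repeated digits.
"""
import math

SAMPLE_RATE = 8000
FRAME_MS = 20                          # analysis window; 20 ms = 160 samples
LOW_TONES = (697, 770, 852, 941)       # DTMF row frequencies (Hz)
HIGH_TONES = (1209, 1336, 1477, 1633)  # DTMF column frequencies (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")
MIN_REL_POWER = 0.10     # each tone must carry >= 10% of the frame's energy
MIN_FRAME_ENERGY = 1e-3  # mean-square level below which a frame is "silence"


def synth_dtmf(sequence, tone_ms=80, gap_ms=60, amplitude=0.5):
    """Constructed test signal: each key as a dual-tone burst followed by silence."""
    samples = []
    n_tone = SAMPLE_RATE * tone_ms // 1000
    n_gap = SAMPLE_RATE * gap_ms // 1000
    for key in sequence:
        row = next((r for r, keys in enumerate(KEYPAD) if key in keys), None)
        if row is None:
            raise ValueError("not a DTMF key: %r" % key)
        col = KEYPAD[row].index(key)
        f_low, f_high = LOW_TONES[row], HIGH_TONES[col]
        for k in range(n_tone):
            t = k / SAMPLE_RATE
            samples.append(amplitude * math.sin(2 * math.pi * f_low * t)
                           + amplitude * math.sin(2 * math.pi * f_high * t))
        samples.extend([0.0] * n_gap)
    return samples


def goertzel_power(frame, freq):
    """|X(freq)|^2 of one frame via the Goertzel recursion (no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def classify_frame(frame):
    """Return the DTMF key sounding in this frame, or None for silence/noise."""
    n = len(frame)
    energy = sum(x * x for x in frame)  # sum of squares over the frame
    if energy / n < MIN_FRAME_ENERGY:
        return None
    low = max(LOW_TONES, key=lambda f: goertzel_power(frame, f))
    high = max(HIGH_TONES, key=lambda f: goertzel_power(frame, f))
    # Parseval: the N bins of |X|^2 sum to N * energy, so |X|^2 / (N * energy)
    # is the fraction of frame energy in that bin (each tone fills two mirror bins,
    # so a clean two-tone frame puts roughly 0.25 in each picked bin).
    low_frac = goertzel_power(frame, low) / (n * energy)
    high_frac = goertzel_power(frame, high) / (n * energy)
    if low_frac < MIN_REL_POWER or high_frac < MIN_REL_POWER:
        return None  # single tone, speech or noise, not a DTMF pair
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


def decode_dtmf(samples):
    """Walk the audio frame by frame and return the key sequence heard."""
    n = SAMPLE_RATE * FRAME_MS // 1000
    keys = []
    active = None  # key currently sounding, so a long tone is logged once
    for start in range(0, len(samples) - n + 1, n):
        key = classify_frame(samples[start:start + n])
        if key != active:
            if key is not None:
                keys.append(key)
            active = key
    return "".join(keys)


def main():
    # Constructed burst; it is not any radio's real Stun/Kill/Revive code.
    heard = decode_dtmf(synth_dtmf("*123#"))
    print("DTMF on channel:", heard)  # prints "DTMF on channel: *123#"


if __name__ == "__main__":
    main()
```

In use, `decode_dtmf` would be fed frames captured from the receiver’s speaker or line output; any sequence it logs that you did not send yourself is worth correlating with the remote-command table for your model (the Baofeng PDF linked in the post), and a radio that goes quiet or keys up on its own right after such a burst is behaving exactly as the post describes.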
Tons of top-tier information in there, a caliber of work you don’t find anywhere else. We’re in the genesis of the forum and already it’s crushing it. Come join us.