In fairness, the code Matt linked to above was the stuff I used to
recover the bit scheduling of the RC4 cipher. I'd forgotten that it was
even online :)
Turns out P25 adopts a really simple scheme and throws away RC4
ciphertext octets exactly where you'd expect it to (compare it with
DES/OFB which has a similar structure and throws away ciphertext octets
at the same position). The only difference is that P25 skips the first
256 octets of the ciphertext because of a known weakness in RC4.
Would be great to see auto-recovery; even manual key entry would be
cool. I'm unlikely to look at it soon as I'm up to my neck in GSM right now!
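
The skip-256 behaviour mentioned in the post, as an added example that is not part of the original post or of the code it refers to: a plain RC4 keystream generator with a configurable discard count, plus a measurement of the well-documented bias of the second keystream octet toward 0x00 with and without the discard. The post does not say which RC4 weakness it has in mind, so the second-octet bias is an assumed illustration; the 16-octet random keys are constructed test input, and nothing here models P25 key setup or the other discard positions.

```python
import random

def rc4_keystream(key: bytes, n: int, drop: int = 0) -> bytes:
    """Return n RC4 keystream octets after discarding the first `drop`."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for k in range(drop + n):                 # output generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        if k >= drop:                         # octets before `drop` are thrown away
            out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def second_octet_zero_counts(n_keys: int, seed: int = 1):
    """Count how often the 2nd keystream octet is 0x00 over random keys:
    once with no discard, once after discarding 256 octets."""
    rng = random.Random(seed)                 # constructed keys, not real traffic
    plain = dropped = 0
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, 258)
        plain += ks[1] == 0                   # 2nd octet of the raw keystream
        dropped += ks[257] == 0               # 2nd octet after skipping 256
    return plain, dropped

if __name__ == "__main__":
    n = 20000
    plain, dropped = second_octet_zero_counts(n)
    print(f"uniform expectation:      {n / 256:.0f}")
    print(f"2nd octet == 0, no drop:  {plain}")
    print(f"2nd octet == 0, drop 256: {dropped}")
```

Without the discard the zero count comes out at roughly twice the uniform expectation; after skipping 256 octets it sits close to uniform.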