- Create an application to backup and restore the radio using the in-built cloning port – 90% Complete
- Probe the port and see if I can talk to it for the purpose of dumping firmware
- Reprogram the radio to support out-of-band ham frequencies so I can build a simple, inexpensive radio for SKYWARN and ARES alerts… or, you know, just fun shit like sending messages to a group (the radio uses SAME encoding, which is well documented). Update: out of band is not worth the effort, nor is getting hams to play with S.A.M.E.
- Attempt to dump and flash the internal memory, possibly installing a Teensy to allow flashing on demand and firmware modifications.
Normally, the first thing I do on any electronics project is grab the FCC ID, which almost anything containing a radio will have. Since this one only receives and doesn’t transmit, there was no ID to be found.
Nevertheless I started tearing into it and seeing what there was to this odd little radio.
Here is what I found:
- Unknown chip with test pads
- Finally, something I can play with: a Winbond flash memory chip
- A UTC petw chip used as an audio amplifier for the alerts
- Possible JTAG header
So how does our undocumented cloning port work?
First things first: what language does the port speak, and can I talk to it without too much trouble?
Let’s Probe It!
The port voltage is actually about 3 V; I was using the wrong probe attenuation when the screenshot was taken. At this point I’m assuming serial communication.
Let’s Sniff it!
I don’t expect any data on this port unless I’m trying to clone the radio. To do that, remove the batteries and power the radio up via the cable while holding the < and > buttons. This should give you the following screen.
I used a 3.5 mm breakout cable and a UART adapter to intercept communications while peering in with my oscilloscope.
Scope capture: oh yeah, I think we’ve got serial!
As I expected, when the radio is powered we get a steady 3 V on the TX pin, and when I hit select to start the cloning process we see data as a square wave: the line is pulled down to near 0 V and goes back high as bits are sent.
She speaks serial! It’s UART time.
Once I had the radio hooked up to the UART I made several attempts to capture data, but couldn’t find the correct baud rate.
Alright maybe there is a better way….
I found this guide to determining an unknown baud rate, and it worked out quite nicely: https://www.kumari.net/index.php/random/37-determing-unknown-baud-rate
Data obtained from the clone (terminal log, 16 bytes per row with the ASCII column on the right):

```
[17/07/2017 19:26:00] Read data (COM4)
ee 07 90 03 85 90 03 35 90 03 55 90 03 55 91 03  î..….5.U.U‘.
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ªªªªªªªªªªªªªªªª
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ªªªªªªªªªªªªªªªª
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ªªªªªªªªªªªªªªªª
aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa  ªªªªªªªªªªªªªªªª
aa aa aa aa aa aa aa aa aa aa aa 2d 2d 2d 2d 2d  ªªªªªªªªªªª-----
2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d  ----------.-----
2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d  ------.---------
2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d  --.-----------.-
2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d  ----------.-----
2d 2d 2d 2d 2d 2d 00 67 f9 71 ff 3b fe f0 03 00  ------.gùqÿ;þð..
02 02 02 02 02 02 ff ff 00 03 26 06 00 07 b2 b1  ......ÿÿ..&...²±
ff c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ÿÀÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 64  ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿd
5a                                               Z
[17/07/2017 19:26:04] Read data (COM4)
05
```
Alright! We’re not off to a bad start.
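Before the backup/restore tool can do anything with a capture like the one above, the terminal's hex-plus-ASCII log has to be turned back into raw bytes, and filler has to be separated from content. This is an added example, not code from the post: it parses an abbreviated excerpt constructed from the rows above, and assumes the serial terminal always prints the ASCII column as one unbroken word, which is what keeps that column out of the byte stream.

```python
import re
from itertools import groupby

# Constructed, abbreviated excerpt of the terminal log shown on the page.
# Each "Read data" record is a timestamp, the port, then rows of 16 hex bytes
# followed by a 16-character ASCII column; extraction flattened it onto one line.
SAMPLE_LOG = (
    "[17/07/2017 19:26:00] Read data (COM4) "
    "ee 07 90 03 85 90 03 35 90 03 55 90 03 55 91 03 î..….5.U.U‘. "
    "aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ªªªªªªªªªªªªªªªª "
    "2d 2d 2d 2d 2d 2d 00 67 f9 71 ff 3b fe f0 03 00 ------.gùqÿ;þð.. "
    "ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 64 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿd "
    "5a Z [17/07/2017 19:26:04] Read data (COM4) 05"
)

RECORD_RE = re.compile(r"\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] Read data \((\w+)\)")
# A byte is exactly two hex digits bounded by whitespace. The ASCII column is
# printed as one unbroken word, so it never matches (assumption: a row of only
# two printable hex-looking characters, e.g. bytes 61 61 -> "aa", would fool this).
BYTE_RE = re.compile(r"(?<!\S)[0-9a-fA-F]{2}(?!\S)")


def parse_log(text):
    """Split the log into (timestamp, port, bytes) records, one per 'Read data'."""
    records = []
    headers = list(RECORD_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        data = bytes(int(tok, 16) for tok in BYTE_RE.findall(text[m.end():end]))
        records.append((m.group(1), m.group(2), data))
    return records


def filler_runs(data, min_run=8):
    """Return (offset, byte, length) for each run of one byte at least min_run long."""
    runs, offset = [], 0
    for value, group in groupby(data):
        length = len(list(group))
        if length >= min_run:
            runs.append((offset, value, length))
        offset += length
    return runs


if __name__ == "__main__":
    for stamp, port, data in parse_log(SAMPLE_LOG):
        print(f"{stamp} {port}: {len(data)} bytes, head={data[:4].hex()}")
        for offset, value, length in filler_runs(data):
            print(f"  filler 0x{value:02x} x{length} at offset {offset}")
```

Long runs of 0xaa, 0x2d and 0xff are the first thing to look at when diffing two clones: they are almost certainly padding or unset fields, and the bytes between them are the settings worth restoring.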
Time to talk to the serial port!
After listening to what the serial port had to say, I’ve put together enough to figure out what I need to send to the radio to get it to enter LOAD mode.
Sending the hex byte 0xEE gets things started.
Below you’ll see a snippet of the code used to send our start byte and put the radio into LOAD mode.
The radio does enter LOAD mode
A little problem
After successfully writing the commands to enter LOAD mode (the first step towards software-based restoration of settings), I found that when the UART is attached to the radio’s RX pin it no longer just spits out data but instead waits for me to send another command back. I’ll have to do some more digging.
I’ve been working on this project on and off for some time.
In the future I’ll post this here as well as on my project page on Hackaday.io.