Retevis RT40 Reverse Engineering

The Retevis RT40 is a licence-free digital two-way handheld radio with lots of unused potential!

Disclaimer: This project is for educational purposes only, without any commercial intention; I don't own any rights to the hardware, software or firmware developed by the Retevis company.
As a licensed radio amateur I'm allowed to perform some experiments that might not be legal for you to repeat without a licence. Be sure to follow local laws and regulations regarding the use of radio equipment and encryption.

The inspiration for this project came from the MD380 hack done by Travis Goodspeed but it was the following observations that sparked my interest regarding this specific radio:

1) The RT40 seems to be the cheapest available licence-free DMR radio at the moment.

2) The radio allows a primitive kind of encryption, which is nice. If one was able to modify the firmware, a more serious encryption could be implemented which would be even nicer.

3) The radio is sold in two versions: a PMR version for Europe and a FRS version for the US market. I'm pretty sure that the hardware is the same (except for a filter maybe) and that the different frequencies and transmission power settings are done in software.

I ordered two of the radios as well as a programming cable and was not only able to confirm my initial suspicions, I was also already able to increase the transmission power, change the frequency out of the PMR band to a local ham repeater and successfully have a DMR conversation with another radio amateur!

Objectives, in order of priority:

1) [DONE] - Increase transmission power from 0.5 W (max. for PMR) to 2 W (max. for FRS) [config only]
2) [DONE] - Enable full 70 cm band DMR Tier II compatibility and [TODO] - promiscuous RX mode

Why would I want to do this, instead of just buying a DMR radio that is already able to utilize high power on all frequencies? Firstly because I can, secondly because this radio could be switched back and forth between licence-free and amateur mode and thirdly because the official tool has some annoying limitations.

What I know so far:

The MCU is an STM8S207 and there are pads for the SWIM debug interface available. I ordered an ST-LINK to poke around in its guts. I'll need to be careful though: on the STM8 the flash read-out protection (ROP) is an option byte, and clearing it triggers a mass erase of the flash, which would effectively brick the radio unless a firmware image to restore is already in hand.

The DMR baseband IC is an SCT3258, for which a full datasheet seems to be available (attached below), according to which it is DMR Tier II compatible.

Other ICs on the PCB:
AIC3204 - Audio Codec IC
24C64RP - 64k EEPROM
H2219 - 2ch 8bit DAC
AT1846S - Integrated FM Transceiver
LM4871 - Audio Power Amp
LM2904 - Dual OPA
LT05 - Power Management IC

There are two separate applications available, for PMR and FRS respectively, to configure the channel settings of the radio via the programming cable. While the pre-loaded default configuration obviously differs, the program itself seems to be identical. Windows localisation needs to be set to US formats for the software to show correct frequency values. Exporting the configuration from the official app, manually editing the power setting in the file and loading it back DOES actually work, which I only discovered after reverse engineering the whole thing and writing my own flash tool. Would have been too easy anyway, right? ;)

The cable is based on the PL2303 USB-to-UART IC and uses some additional transistors and resistors to merge the RX and TX lines of the IC to one single, level-shifted line (5V <-> 3.3V). Due to the circuit all transmitted characters are immediately echoed back.

The communication between the tool and the radio is sniffable and revealed that the firmware is identical for PMR and FRS while the channel configuration is obviously different and stored separately. The transfer format is byte-wise and very straightforward: R/W, address, number of bytes, optional payload, XOR checksum.
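The framing described above, together with the cable echo from the paragraph before it, as an added example. This is not the author's flash tool or the official software; it is a stand-alone Python sketch of a host talking to a simulated radio. Everything about the byte layout is an assumption for illustration: the opcode bytes 'R' (0x52) and 'W' (0x57), a 16-bit big-endian address, a one-byte count, a checksum that is the XOR of every preceding byte, a read reply that reuses the same framing with the data as payload, and a one-byte 0x06 acknowledgement for writes. Only the 0x2000 wrap of the config map is taken from the page (log 0x02).

```python
import struct

OP_READ = 0x52       # assumed opcode byte for "read"
OP_WRITE = 0x57      # assumed opcode byte for "write"; also used for read replies here
FLASH_SIZE = 0x2000  # the config map wraps at 0x2000 (log 0x02)
HEADER = struct.Struct(">BHB")  # opcode, 16-bit address, byte count (layout assumed)
ACK = b"\x06"        # assumed one-byte write acknowledgement


def xor_checksum(data: bytes) -> int:
    """XOR of every byte; any single corrupted byte changes the result."""
    chk = 0
    for b in data:
        chk ^= b
    return chk


def build_frame(op: int, addr: int, length: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: header, optional payload, trailing XOR checksum."""
    if not 0 <= addr < 0x10000:
        raise ValueError("address must fit in 16 bits")
    if not 1 <= length <= 0xFF:
        raise ValueError("length must be 1..255")
    if (op == OP_WRITE and len(payload) != length) or (op == OP_READ and payload):
        raise ValueError("payload does not match opcode/length")
    body = HEADER.pack(op, addr, length) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame(frame: bytes):
    """Check the checksum and split a frame into (op, addr, length, payload).

    Raises ValueError on a short frame, a bad checksum or a payload whose size
    disagrees with the length field, so a mangled reply is never accepted as
    flash content."""
    if len(frame) < HEADER.size + 1:
        raise ValueError("frame too short")
    body, chk = frame[:-1], frame[-1]
    if xor_checksum(body) != chk:
        raise ValueError("checksum mismatch")
    op, addr, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if (op == OP_WRITE and len(payload) != length) or (op == OP_READ and payload):
        raise ValueError("payload does not match opcode/length")
    return op, addr, length, payload


class FakeRadio:
    """Stand-in for the handset: 8 KiB of config flash, addresses wrapping at
    FLASH_SIZE. Like the real cable it returns the host's own bytes (the echo)
    followed by the reply."""

    def __init__(self, flash: bytes):
        self.flash = bytearray(flash[:FLASH_SIZE].ljust(FLASH_SIZE, b"\xff"))

    def exchange(self, tx: bytes) -> bytes:
        op, addr, length, payload = parse_frame(tx)
        if op == OP_READ:
            data = bytes(self.flash[(addr + i) % FLASH_SIZE] for i in range(length))
            reply = build_frame(OP_WRITE, addr, length, data)
        elif op == OP_WRITE:
            for i, b in enumerate(payload):
                self.flash[(addr + i) % FLASH_SIZE] = b
            reply = ACK
        else:
            raise ValueError("unknown opcode")
        return tx + reply  # echo first, then the reply


def strip_echo(tx: bytes, rx: bytes) -> bytes:
    """Drop the echoed request; fail loudly if the echo is missing or mangled."""
    if rx[: len(tx)] != tx:
        raise IOError("echo mismatch: cable or wiring problem")
    return rx[len(tx):]


def read_flash(radio: FakeRadio, chunk: int = 0x40) -> bytes:
    """Read the full 0x2000-byte map in chunks, verifying address and size of
    every reply before appending it."""
    out = bytearray()
    for addr in range(0, FLASH_SIZE, chunk):
        tx = build_frame(OP_READ, addr, chunk)
        _, raddr, rlen, data = parse_frame(strip_echo(tx, radio.exchange(tx)))
        if raddr != addr or rlen != chunk or len(data) != chunk:
            raise IOError(f"unexpected reply for address 0x{addr:04x}")
        out += data
    return bytes(out)


def write_and_verify(radio: FakeRadio, addr: int, data: bytes) -> bool:
    """Write a run of bytes, then read it back; True only if the readback matches."""
    tx = build_frame(OP_WRITE, addr, len(data), data)
    if strip_echo(tx, radio.exchange(tx)) != ACK:
        return False
    tx = build_frame(OP_READ, addr, len(data))
    return parse_frame(strip_echo(tx, radio.exchange(tx)))[3] == data


if __name__ == "__main__":
    # Constructed flash image with an address-dependent pattern, not a real dump.
    radio = FakeRadio(bytes((i * 7) & 0xFF for i in range(FLASH_SIZE)))
    print(len(read_flash(radio)), "bytes read")
    print("write ok:", write_and_verify(radio, 0x0010, b"\x01\x02\x03"))
```

Against real hardware, `FakeRadio.exchange` would be replaced by a pyserial write followed by a read of `len(tx) + expected reply length` bytes; the echo check and the per-chunk address/size check are the parts worth keeping, since a dropped byte otherwise shifts every later chunk silently.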

By downloading the default configurations for PMR and FRS to the device, sniffing the COM port and comparing the hex files, I was able to locate the bytes that store the frequency and power setting of each channel.

By downloading the same PMR configuration to both of my radios, I discovered that the bytes storing the frequencies are very different for the two radios. The settings seem to be deliberately obfuscated, possibly to prevent manipulation and out-of-band operation. The bytes are XORed with some magic value that seems to be unique to the device. I...
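The two techniques used above (diffing dumps to find where a setting lives, and recovering a per-device XOR mask from a known frequency), as an added example that is not the author's tool. The record layout is entirely assumed for illustration: 16 channel records of 16 bytes each starting at offset 0x0000, the frequency as a 32-bit little-endian value in Hz at offset 0 of each record, a power flag at offset 8, and a 4-byte device-unique mask XORed over the frequency field only. The dumps and masks are constructed, not real captures; the only page facts used are that the frequency bytes differ between two radios carrying the same configuration and that the PMR446 channel plan is 446.00625 MHz upwards in 12.5 kHz steps.

```python
import struct

REC_SIZE = 16       # assumed size of one channel record
TABLE_OFF = 0x0000  # assumed start of the channel table in the dump
FREQ_OFF = 0        # assumed offset of the 32-bit little-endian frequency (Hz)
POWER_OFF = 8       # assumed offset of the power flag (0 = low, 1 = high)
NUM_CH = 16
# PMR446: channel 1 is 446.00625 MHz, 16 channels in 12.5 kHz steps.
PMR_HZ = [446_006_250 + 12_500 * i for i in range(NUM_CH)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _freq_slice(channel: int) -> slice:
    start = TABLE_OFF + channel * REC_SIZE + FREQ_OFF
    return slice(start, start + 4)


def make_dump(channels_hz, mask: bytes, high_power: bool = False) -> bytes:
    """Constructed dump for one radio: frequencies XORed with its mask, power flag in clear."""
    buf = bytearray(b"\xff" * (TABLE_OFF + NUM_CH * REC_SIZE))
    for ch, hz in enumerate(channels_hz):
        buf[_freq_slice(ch)] = xor_bytes(struct.pack("<I", hz), mask)
        buf[TABLE_OFF + ch * REC_SIZE + POWER_OFF] = 0x01 if high_power else 0x00
    return bytes(buf)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets where two same-length dumps differ: change one setting, diff, and
    the bytes that moved are where that setting lives."""
    if len(a) != len(b):
        raise ValueError("dumps must have the same length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def recover_mask(dump: bytes, channel: int, known_hz: int) -> bytes:
    """Known-plaintext recovery of a XOR mask: mask = stored XOR expected."""
    return xor_bytes(dump[_freq_slice(channel)], struct.pack("<I", known_hz))


def decode_channels(dump: bytes, mask: bytes) -> list:
    """Apply the mask to every channel and return the frequencies in Hz."""
    return [struct.unpack("<I", xor_bytes(dump[_freq_slice(ch)], mask))[0]
            for ch in range(NUM_CH)]


def mask_is_consistent(dump: bytes, mask: bytes, expected_hz) -> bool:
    """A mask recovered from one channel must decode all the others to the known
    defaults; if it does not, the scheme is not a single fixed XOR mask."""
    return decode_channels(dump, mask) == list(expected_hz)


def set_frequency(dump: bytes, mask: bytes, channel: int, hz: int) -> bytes:
    """Re-obfuscate a new frequency with this device's mask and return the patched dump."""
    buf = bytearray(dump)
    buf[_freq_slice(channel)] = xor_bytes(struct.pack("<I", hz), mask)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed per-device masks; real values would come from the radios.
    mask_a, mask_b = bytes.fromhex("a5c3f017"), bytes.fromhex("3e91b64c")
    dump_a = make_dump(PMR_HZ, mask_a)            # radio A, PMR defaults
    dump_b = make_dump(PMR_HZ, mask_b)            # radio B, same PMR defaults
    dump_a_hp = make_dump(PMR_HZ, mask_a, True)   # radio A with high power set
    print("power flag bytes:", diff_offsets(dump_a, dump_a_hp))
    print("frequency bytes:", diff_offsets(dump_a, dump_b)[:8], "...")
    mask = recover_mask(dump_a, 0, PMR_HZ[0])
    print("mask consistent on radio A:", mask_is_consistent(dump_a, mask, PMR_HZ))
    print("same mask works on radio B:", mask_is_consistent(dump_b, mask, PMR_HZ))
```

The consistency check is the part that matters: a mask pulled from one channel that fails to decode the other fifteen means the obfuscation is not a plain per-device XOR (it might be position-dependent or chained), and writing frequencies back with it would corrupt the channel table.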


Files:

SCT3258_datasheet_v2_0.pdf - Adobe Portable Document Format - 1.60 MB - 03/11/2019 at 18:05
CT3258_Packet_Interface.pdf - Adobe Portable Document Format - 526.16 kB - 03/11/2019 at 18:05
CT3258_datasheet.pdf - Adobe Portable Document Format - 409.43 kB - 03/11/2019 at 18:05
CT3258_Analog_Setup.pdf - Adobe Portable Document Format - 121.33 kB - 03/11/2019 at 18:05

  • Log 0x07 - HowTo

    0xCAFEAFFE, 02/09/2021 at 09:22, 0 comments

    I initially didn't want to upload the modified config file because I don't want to get into legal trouble with the Retevis company. But since I got a few private messages recently asking how to enable the high power mode or select different frequencies, here is how:

    Just download the official flash tools for both the PMR and the FRS version of the radio here, install and start both programs, export the default config files from each of them, diff/compare the files with diffchecker.com, Notepad++ or something similar and you'll easily spot the difference between both files. It's not just one bit though, the settings are kind of spread out across a few locations in the config file! Btw, the flash tool is a little buggy, make sure to set your Windows localisation setting to US! Have fun and let me know if it worked :)

  • Log 0x06

    0xCAFEAFFE, 03/30/2019 at 20:44, 0 comments

    I just completed a first successful DMR call with a local radio amateur via the local relay :)
    Next thing to do: measure transmission power over frequency to estimate the bandwidth of the front end!

  • Log 0x05

    0xCAFEAFFE, 03/29/2019 at 18:51, 0 comments

    GOOD NEWS EVERYONE!
    It is possible to change the reception frequency out of the PMR band and into the 70cm HAM band, I tuned the radio to a local DMR relay frequency and it successfully decoded the traffic of the radio amateurs talking on that relay! To transmit, I Need to register for the DMR network and figure out all necessary settings now..

  • Log 0x04

    0xCAFEAFFE, 03/26/2019 at 13:18, 1 comment

    ROFL! Now that I actually reverse engineered the cable, the serial data transmission format, the config flash and after writing my custom flash tool, I discovered that it actually IS possible to just export the config file from the official app, edit it manually and load it back to achieve the same results! Lots of time wasted but never mind, who knows how the additional effort in understanding this will pay off in the future!

  • Log 0x03

    0xCAFEAFFE, 03/25/2019 at 20:59, 1 comment

    Hack Level 1 successful, high TX power unlocked! :)
    I downloaded the flash configuration, changed one single bit, uploaded the modified content with my tool, and it read back ok!
    The led now turns red instead of orange if PTT is pressed and the official tool also shows the high power setting!
    4m 1 4 r34l h4xx0r n0w? ;)

  • Log 0x02

    0xCAFEAFFE, 03/25/2019 at 20:00, 0 comments

    It took me a long time to understand how the channel frequency settings are stored in flash, but now I do and I was able to write my own command line tool to read device flash data! By reading the complete content, I found:

    a) Flash content wraps at 0x2000
    b) Unknown content starting at 0x1A00 that is neither read nor written by the official app. Possibly relics from development?

  • Log 0x01

    0xCAFEAFFE, 03/11/2019 at 17:56, 0 comments

    I reverse engineered the programmer cable, check out the schematics I uploaded. It does not use any of the handshake lines as I assumed at first; instead it uses a few transistors and resistors to combine the two separate RX and TX lines into one single, level-shifted TRX line (5V <-> 3.3V). Due to this circuit, all transmitted characters are immediately echoed back.


Discussions

Morten Freberg wrote 10/06/2023 at 15:03 point

It is actually quite simple to change the frequencies on the radio with the original programming software as long as you have the correct passwords (there are 3 different passwords); the RT40s I have can TX and RX from 400 to 480 MHz. You can change the frequencies and power output in the channel tab in the software if you enable the engineering mode first with the correct password under Tool -> Test.

cuginis wrote 05/18/2023 at 15:17 point

Pro tip: reverse eng and mod programming software

Simple tip: ask unlocked software to support ;)


davedewey wrote 11/21/2021 at 06:20 point

An interesting reasonably built radio and good value. Is the power adjust through the normal software downloaded code plug. Or is it through using US software


itchymart wrote 07/31/2021 at 14:37 point

Did you crack the obfuscation for the frequencies in the codeplug? I've only just bought some RT40 radios and haven't yet had time to look at what the programming software allows you to do. But from what I've read, people have got the AT1846S to tune 130-178 MHz, 195-290 MHz, and 390-527 MHz in other radios by hacking the codeplug. Sensitivity is often poor far outside the radio's nominal operating bands, and transmitting will probably fry the PA, but there are possibilities.

olivier wrote 06/25/2020 at 14:41 point

Hello

thank you for your work, so how can change the TX power to 2W ? :) 


Digireo wrote 12/02/2019 at 11:03 point

Hey so how high were you able to get the TX power to?


marc wrote 03/25/2020 at 08:28 point

Yes, how high?


0xCAFEAFFE wrote 03/08/2019 at 08:34 point

Quite solid in my opinion! The PCB layout looks nice, ENIG finish, mostly western semiconductors that have actual datasheets. A bit of solder flux left on the board but nothing serious. No hot glue or atrocities like that. The case is made of a high density plastic that's a pleasure to touch, the whole device leaves a very compact and durable impression, nothing fiddly. I don't know how well their other radios are built but I would definitely recommend this one!


Dan Maloney wrote 03/05/2019 at 16:14 point

Interesting. I hadn't heard of this brand until just now. I'd be interested in your thoughts on build quality now that you've seen the guts.
