The inspiration for this project came from the MD380 hack done by Travis Goodspeed but it was the following observations that sparked my interest regarding this specific radio:
1) The RT40 seems to be the cheapest available licence-free DMR radio at the moment.
2) The radio allows a primitive kind of encryption, which is nice. If one was able to modify the firmware, a more serious encryption could be implemented which would be even nicer.
3) The radio is sold in two versions: a PMR version for Europe and a FRS version for the US market. I'm pretty sure that the hardware is the same (except for a front end filter maybe) and that the different frequencies and transmission power settings are done in software.
I ordered two of the radios as well as a programming cable and was not only able to confirm my initial suspicions, I was already able to increase the transmission power, change the frequency out of the PMR band to a local ham relay and successfully have a conversation with another radio amateur!
Objectives, in order of priority:
1) [DONE] - Increase transmission power from 0.5W (max. for PMR) to 2W (max. for FRS) [config only]
2) [PARTLY DONE] Enable full 70cm band DMR Tier-II compatibility and promiscuous RX mode [firmware/hardware?]
3) Implement stronger encryption or at least increase the key length [firmware]
Why would I want to do this, instead of just buying a DMR radio that is already able to utilize high power on all frequencies? Firstly because I can, secondly because this radio could be switched back and forth between licence-free and amateur mode and thirdly because the official tool has some annoying limitations.
What I know so far:
The MCU is a STM8S207 and there are pads for the SWIM debug interface available. I ordered a ST-LINK tool to poke around in its guts. I'll need to be careful though: attempting to disable flash readout protection will erase all flash contents, effectively bricking the radio.
The DMR baseband IC is a SCT3258, for which a datasheet is available (see link), according to which it is DMR Tier-II compatible. Implementation of promiscuous RX mode and relay access is therefore theoretically possible.
Other ICs on the PCB:
AIC3204 - Audio Codec IC
24C64RP - 64k EEPROM
H2219 - 2ch 8bit DAC
AT1846S - Integrated Transceiver
LM4871 - Audio Power Amp
LM2904 - Dual OPA
LT05 - unknown
There are two separate applications available for PMR and FRS respectively to configure the channel settings of the radio via the programming cable. While the pre-loaded default configuration obviously differs, the program itself seems to be identical. Windows localisation needs to be set to US formats for the software to show correct frequency values. Exporting the configuration from the official app, manually editing the power setting in the file and loading it back DOES actually work, which I only discovered after reverse engineering the whole thing and writing my own flash tool. Would have been too easy anyway, right? ;)
The cable is based on the PL2303 USB-to-UART IC and uses some additional transistors and resistors to merge the RX and TX lines of the IC into one single, level-shifted line (5V <-> 3.3V). Due to this circuit, all transmitted characters are immediately echoed back.
The communication between the tool and the radio is sniffable and revealed that the firmware is identical for PMR and FRS, while the channel configuration is obviously different and stored separately. The data transmission format is byte-wise and very straightforward: R/W, address, number of bytes, optional payload, XOR checksum.
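As an added illustration (not code from this project, the official tool or the cable vendor), here is a small Python encoder/decoder for a frame layout of the shape described above, plus a helper that removes the echo produced by the single-wire cable circuit. The concrete opcode bytes (0x52/0x57), the 16-bit big-endian address, the one-byte length field, the rule that only write frames carry a payload, and the checksum being an XOR over all preceding bytes are assumptions made for the example; the RT40's real values have to be taken from a capture. The sample capture is constructed for this example.

```python
from dataclasses import dataclass

# Assumed opcodes for illustration only (ASCII 'R' / 'W'); not taken from the page.
OP_READ = 0x52
OP_WRITE = 0x57


def xor_checksum(data: bytes) -> int:
    """XOR of every byte in `data`; assumed to cover everything before the checksum byte."""
    c = 0
    for b in data:
        c ^= b
    return c


@dataclass
class Frame:
    op: int
    addr: int           # assumed 16-bit, big-endian on the wire
    length: int         # number of bytes to read, or number of payload bytes written
    payload: bytes = b""


def encode(frame: Frame) -> bytes:
    """Build a wire frame: op, addr(2), length, [payload], checksum."""
    if frame.op not in (OP_READ, OP_WRITE):
        raise ValueError(f"unknown opcode 0x{frame.op:02x}")
    if frame.op == OP_WRITE and len(frame.payload) != frame.length:
        raise ValueError("write payload must match the length field")
    if frame.op == OP_READ and frame.payload:
        raise ValueError("a read request carries no payload")
    if not (0 <= frame.addr <= 0xFFFF and 0 <= frame.length <= 0xFF):
        raise ValueError("address or length out of range")
    body = bytes([frame.op]) + frame.addr.to_bytes(2, "big") + bytes([frame.length]) + frame.payload
    return body + bytes([xor_checksum(body)])


def frame_size(header: bytes) -> int:
    """Total frame length implied by the 4-byte header (only write frames carry a payload)."""
    op, length = header[0], header[3]
    return 4 + (length if op == OP_WRITE else 0) + 1


def decode(raw: bytes) -> Frame:
    """Parse and verify one frame; raises ValueError on any structural or checksum problem."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    if raw[0] not in (OP_READ, OP_WRITE):
        raise ValueError(f"unknown opcode 0x{raw[0]:02x}")
    if len(raw) != frame_size(raw[:4]):
        raise ValueError(f"length field implies {frame_size(raw[:4])} bytes, got {len(raw)}")
    if xor_checksum(raw[:-1]) != raw[-1]:
        raise ValueError("checksum mismatch")
    return Frame(raw[0], int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1])


def is_valid(raw: bytes) -> bool:
    try:
        decode(raw)
        return True
    except ValueError:
        return False


def strip_echo(sent: bytes, received: bytes) -> bytes:
    """The cable echoes every transmitted byte, so a reply on the wire starts with
    a copy of the request; drop it before parsing the radio's answer."""
    if not received.startswith(sent):
        raise ValueError("echo missing or corrupted")
    return received[len(sent):]


def split_capture(capture: bytes) -> list:
    """Walk a sniffed byte stream frame by frame using the length field, verifying each one."""
    frames = []
    i = 0
    while i + 4 <= len(capture):
        size = frame_size(capture[i:i + 4])
        frames.append(decode(capture[i:i + size]))
        i += size
    if i != len(capture):
        raise ValueError("trailing bytes that do not form a complete frame")
    return frames


# Constructed sample capture: a 2-byte write to 0x0100, then a 4-byte read request at 0x0200.
CAPTURE = bytes.fromhex("57010002aa55ab" "5202000454")

if __name__ == "__main__":
    for f in split_capture(CAPTURE):
        print(f)
```

Checking the checksum before acting on a frame is what lets a flash tool reject the occasional corrupted byte from the level-shifted single-wire link instead of writing garbage into the radio's configuration.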
By downloading the default configurations for PMR & FRS to the device and sniffing the COM port and comparing...