Retevis RT40 Reverse Engineering & Extension

The Retevis RT40 is a licence-free digital two-way handheld radio with lots of unused potential!

Disclaimer: This project is for educational purposes only, without any commercial intention; I don't own any rights to the hardware, software or firmware developed by the Retevis company.
As a licensed radio amateur I'm allowed to perform some experiments that might not be legal for you to repeat without a licence. Be sure to follow local laws & regulations regarding the use of radio equipment and encryption.

The inspiration for this project came from the MD380 hack done by Travis Goodspeed but it was the following observations that sparked my interest regarding this specific radio:

1) The RT40 seems to be the cheapest available licence-free DMR radio at the moment.

2) The radio allows a primitive kind of encryption, which is nice. If one was able to modify the firmware, a more serious encryption could be implemented which would be even nicer.

3) The radio is sold in two versions: a PMR version for Europe and a FRS version for the US market. I'm pretty sure that the hardware is the same (except for a front end filter maybe) and that the different frequencies and transmission power settings are done in software.

I ordered two of the radios as well as a programming cable and was not only able to confirm my initial suspicions: I also increased the transmission power, changed the frequency out of the PMR band to a local ham relay and successfully had a conversation with another radio amateur!

Objectives, in order of priority:

1) [DONE] - Increase transmission power from 0.5W (max. for PMR) to 2W (max. for FRS) [config only]
2) [PARTLY DONE] Enable full 70cm band DMR Tier-II compatibility and promiscuous RX mode [firmware/hardware?]
3) Implement stronger encryption or at least increase the key length [firmware]

Why would I want to do this, instead of just buying a DMR radio that is already able to utilize high power on all frequencies? Firstly because I can, secondly because this radio could be switched back and forth between licence-free and amateur mode and thirdly because the official tool has some annoying limitations.

What I know so far:

The MCU is an STM8S207 and there are pads for the SWIM debug interface available. I ordered an ST-LINK tool to poke around in its guts. I'll need to be careful though: attempting to disable flash readout protection erases all flash contents, effectively bricking the radio.

The DMR baseband IC is an SCT3258, for which a datasheet is available (see link); according to it, the chip is DMR Tier-II compatible. Implementing promiscuous RX mode and relay access is therefore theoretically possible.

Other ICs on the PCB:
AIC3204 - Audio Codec IC
24C64RP - 64k EEPROM
H2219 - 2ch 8bit DAC
AT1846S - Integrated Transceiver
LM4871 - Audio Power Amp
LM2904 - Dual OPA
LT05 - unknown

There are two separate applications available, for PMR and FRS respectively, to configure the channel settings of the radio via the programming cable. While the pre-loaded default configuration obviously differs, the program itself seems to be identical. Windows localisation needs to be set to US formats for the software to show correct frequency values. Exporting the configuration from the official app, manually editing the power setting in the file and loading it back DOES actually work, which I only discovered after reverse engineering the whole thing and writing my own flash tool. Would have been too easy anyway, right? ;)

The cable is based on the PL2303 USB-to-UART IC and uses some additional transistors and resistors to merge the RX and TX lines of the IC into one single, level-shifted line (5V <-> 3.3V). Due to this circuit, all transmitted characters are immediately echoed back.

The communication between the tool and the radio can be sniffed, which revealed that the firmware is identical for PMR and FRS while the channel configuration is obviously different and stored separately. The data transmission format is byte-wise and very straightforward: R/W, address, number of bytes, optional payload, XOR checksum.
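To make the frame format concrete, here is an added example (my own illustration, not the project's flash tool) that builds and parses frames of the shape just described, talks to a simulated radio so it runs offline, and strips the cable echo that the merged TRX line produces. Everything beyond the field order is an assumption: that the R/W field is a single ASCII byte, that the address is 16-bit big-endian, that the byte count is one byte, that a read reply repeats the header followed by the payload, that a write is acknowledged with an empty frame, and that the wrap at 0x2000 mentioned in the project log behaves like address masking. The flash fill pattern is constructed.

```python
# Added example, not the project's own code. Frame layout assumed:
#   cmd ('R'/'W') | addr_hi addr_lo | count | payload (optional) | XOR checksum
# The 0x2000 wrap comes from the project log; modelling it as masking is an assumption.

FLASH_SIZE = 0x2000  # flash content wraps at 0x2000 (project log 0x02)


def xor_checksum(data: bytes) -> int:
    """XOR of every byte in the frame body; sent as the trailing byte."""
    c = 0
    for b in data:
        c ^= b
    return c


def build_frame(cmd: str, address: int, count: int, payload: bytes = b"") -> bytes:
    """Serialise one frame and append its checksum."""
    if cmd not in ("R", "W"):
        raise ValueError("cmd must be 'R' or 'W'")
    if not 0 <= address < 0x10000 or not 0 <= count <= 0xFF:
        raise ValueError("address or count out of range")
    if payload and len(payload) != count:
        raise ValueError("payload length does not match count")
    body = bytes([ord(cmd)]) + address.to_bytes(2, "big") + bytes([count]) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame(frame: bytes) -> dict:
    """Verify the checksum and split a frame into its fields; reject anything malformed."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, chk = frame[:-1], frame[-1]
    if xor_checksum(body) != chk:
        raise ValueError("checksum mismatch")
    cmd, address, count, payload = chr(body[0]), int.from_bytes(body[1:3], "big"), body[3], body[4:]
    if cmd not in ("R", "W") or (payload and len(payload) != count):
        raise ValueError("malformed frame")
    return {"cmd": cmd, "address": address, "count": count, "payload": payload}


class SimulatedRadio:
    """Stand-in for the RT40: 0x2000 bytes of config flash with a constructed fill pattern."""

    def __init__(self) -> None:
        self.flash = bytearray((i * 7) & 0xFF for i in range(FLASH_SIZE))

    def handle(self, frame: bytes) -> bytes:
        """Answer a read with the data, a write with an empty acknowledgement."""
        req = parse_frame(frame)
        a, n = req["address"], req["count"]
        if req["cmd"] == "R":
            data = bytes(self.flash[(a + i) % FLASH_SIZE] for i in range(n))  # wrap at 0x2000
            return build_frame("R", a, n, data)
        for i, b in enumerate(req["payload"]):
            self.flash[(a + i) % FLASH_SIZE] = b
        return build_frame("W", a, n)


def transact(radio: SimulatedRadio, frame: bytes) -> bytes:
    """What the host sees on the single TRX line: its own bytes echoed back, then the reply."""
    return frame + radio.handle(frame)


def strip_echo(sent: bytes, received: bytes) -> bytes:
    """Drop the cable echo; a mismatch means line contention or a miswired cable."""
    if not received.startswith(sent):
        raise IOError("echo mismatch")
    return received[len(sent):]


def read_flash(radio: SimulatedRadio, address: int, count: int) -> bytes:
    frame = build_frame("R", address, count)
    return parse_frame(strip_echo(frame, transact(radio, frame)))["payload"]


def write_flash(radio: SimulatedRadio, address: int, data: bytes) -> None:
    frame = build_frame("W", address, len(data), data)
    reply = parse_frame(strip_echo(frame, transact(radio, frame)))
    if reply["cmd"] != "W" or reply["address"] != address:
        raise IOError("write not acknowledged")


def dump_flash(radio: SimulatedRadio, chunk: int = 0x40) -> bytes:
    """Read the whole 0x2000-byte image in fixed-size chunks."""
    return b"".join(read_flash(radio, a, chunk) for a in range(0, FLASH_SIZE, chunk))


if __name__ == "__main__":
    r = SimulatedRadio()
    image = dump_flash(r)
    print(f"{len(image)} bytes read; first bytes: {image[:8].hex()}")
    print("wrap check:", read_flash(r, 0x1FF8, 16)[8:] == image[:8])
```

The point of validating the checksum and the echo before trusting a reply is that a single-wire cable cannot tell the host's own bytes from the radio's: any tool that writes config flash should refuse to proceed on a mismatch rather than silently act on its own echoed request.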

By downloading the default configurations for PMR & FRS to the device, sniffing the COM port and comparing...

  • Log 0x06

    0xCAFEAFFE - 03/30/2019 at 20:44 - 0 comments

    I just completed a first successful DMR call with a local radio amateur via the local relay :)
    Next thing to do: measure transmission power over frequency to estimate the bandwidth of the front end!

  • Log 0x05

    0xCAFEAFFE - 03/29/2019 at 18:51 - 0 comments

    GOOD NEWS EVERYONE!
    It is possible to change the reception frequency out of the PMR band and into the 70cm HAM band. I tuned the radio to a local DMR relay frequency and it successfully decoded the traffic of the radio amateurs talking on that relay! To transmit, I need to register for the DMR network and figure out all the necessary settings now.

  • Log 0x04

    0xCAFEAFFE - 03/26/2019 at 13:18 - 0 comments

    ROFL! Now that I actually reverse engineered the cable, the serial data transmission format, the config flash and after writing my custom flash tool, I discovered that it actually IS possible to just export the config file from the official app, edit it manually and load it back to achieve the same results! Lots of time wasted, but never mind, who knows how the additional effort in understanding this will pay off in the future!

  • Log 0x03

    0xCAFEAFFE - 03/25/2019 at 20:59 - 0 comments

    Hack Level 1 successful, high TX power unlocked! :)
    I downloaded the flash configuration, changed one single bit, uploaded the modified content with my tool, and it read back ok!
    The LED now turns red instead of orange if PTT is pressed and the official tool also shows the high power setting!
    4m 1 4 r34l h4xx0r n0w? ;)

  • Log 0x02

    0xCAFEAFFE - 03/25/2019 at 20:00 - 0 comments

    It took me a long time to understand how the channel frequency settings are stored in flash, but now I do and I was able to write my own command line tool to read device flash data! By reading the complete content, I found:

    a) Flash content wraps at 0x2000
    b) Unknown content starting at 0x1A00, that is neither read nor written by the official app. Possibly relics from development?

  • Log 0x01

    0xCAFEAFFE - 03/11/2019 at 17:56 - 0 comments

    I reverse engineered the programmer cable, check out the schematics I uploaded. It does not use any of the handshake lines as I assumed at first; instead it uses a few transistors and resistors to combine the two separate RX and TX lines into one single, level-shifted TRX line (5V <-> 3.3V). Due to this circuit, all transmitted characters are immediately echoed back.

Discussions

0xCAFEAFFE wrote 03/08/2019 at 08:34 point

Quite solid in my opinion! The PCB layout looks nice, ENIG finish, mostly western semiconductors that have actual datasheets. A bit of solder flux left on the board but nothing serious. No hot glue or atrocities like that. The case is made of a high density plastic that's a pleasure to touch, the whole device leaves a very compact and durable impression, nothing fiddly. I don't know how well their other radios are built but I would definitely recommend this one!

Dan Maloney wrote 03/05/2019 at 16:14 point

Interesting. I hadn't heard of this brand until just now. I'd be interested in your thoughts on build quality now that you've seen the guts.
