The inspiration for this project came from Travis Goodspeed's MD380 hack, but it was the following observations that sparked my interest in this specific radio:

1) The RT40 seems to be the cheapest available licence-free DMR radio at the moment.

2) The radio offers a primitive kind of encryption, which is nice. If one were able to modify the firmware, proper encryption could be implemented, which would be even nicer.

3) The radio is sold in two versions: a PMR version for Europe and an FRS version for the US market. I'm pretty sure the hardware is the same (except maybe for a filter) and that the different frequency and transmission power settings are done in software.

I ordered two of the radios as well as a programming cable and was not only able to confirm my initial suspicions, I also increased the transmission power, moved the frequency out of the PMR band to a local ham repeater and successfully had a DMR conversation with another radio amateur!

Objectives, in order of priority:

1) [DONE] Increase transmission power from 0.5W (max. for PMR) to 2W (max. for FRS) [config only]
2) [DONE] Enable full 70cm band DMR Tier-II compatibility; [TODO] promiscuous RX mode

Why would I want to do this instead of just buying a DMR radio that can already use high power on all frequencies? Firstly, because I can; secondly, because this radio could be switched back and forth between licence-free and amateur mode; and thirdly, because the official tool has some annoying limitations.

What I know so far:

The MCU is an STM8S207 and there are pads for the SWIM debug interface. I ordered an ST-LINK tool to poke around in its guts. I'll need to be careful though: attempting to disable flash readout protection might erase all flash contents, effectively bricking the radio.

The DMR baseband IC is an SCT3258, for which a full datasheet seems to be available; according to it, the chip is DMR Tier-II compatible.

Other ICs on the PCB:
AIC3204 - Audio Codec IC
24C64RP - 64k EEPROM
H2219 - 2ch 8bit DAC
AT1846S - Integrated FM Transceiver
LM4871 - Audio Power Amp
LM2904 - Dual OPA
LT05 - Power Management IC

There are two separate applications, for PMR and FRS respectively, for configuring the radio's channel settings via the programming cable. While the pre-loaded default configuration obviously differs, the program itself seems to be identical. Windows localisation needs to be set to US formats for the software to show correct frequency values. Exporting the configuration from the official app, manually editing the power setting in the file and loading it back DOES actually work, which I only discovered after reverse engineering the whole thing and writing my own flash tool. Would have been too easy anyway, right? ;)

The cable is based on the PL2303 USB-to-UART IC and uses some additional transistors and resistors to merge the IC's RX and TX lines into one single, level-shifted line (5V <-> 3.3V). Because of this circuit, every transmitted character is immediately echoed back.

Sniffing the communication between the tool and the radio revealed that the firmware is identical for PMR and FRS, while the channel configuration is obviously different and stored separately. The data transmission format is byte-wise and very straightforward: R/W, address, number of bytes, optional payload, XOR checksum.
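To make the framing concrete, here is an added example (my own code, not the flash tool from this post) that builds and validates frames in the layout described above and strips the cable's echo from a COM-port capture. The ASCII 'R'/'W' opcode values, the 16-bit big-endian address and the checksum covering every byte before it are assumptions; the post does not spell them out.

```python
# Added example: builder/parser for the cable protocol described in the post
# (R/W, address, number of bytes, optional payload, XOR checksum).
# ASSUMED, not from the post: ASCII 'R'/'W' opcodes, a 16-bit big-endian
# address, and the checksum covering every byte from the opcode to the payload.
READ, WRITE = ord("R"), ord("W")  # assumed opcode values (placeholders)


def xor_checksum(data: bytes) -> int:
    """XOR of all bytes; this is the frame's trailing check byte."""
    acc = 0
    for b in data:
        acc ^= b
    return acc


def build_frame(op: int, address: int, length: int, payload: bytes = b"") -> bytes:
    """Serialise one command frame in the layout the post describes."""
    if op not in (READ, WRITE):
        raise ValueError("op must be READ or WRITE")
    if op == READ and payload:
        raise ValueError("read requests carry no payload")
    if op == WRITE and len(payload) != length:
        raise ValueError("payload length must equal the byte count")
    body = bytes([op]) + address.to_bytes(2, "big") + bytes([length]) + payload
    return body + bytes([xor_checksum(body)])


def parse_frame(raw: bytes) -> dict:
    """Check a captured frame's checksum and unpack it; raise on any defect."""
    if len(raw) < 5:
        raise ValueError("frame too short")
    body, chk = raw[:-1], raw[-1]
    want = xor_checksum(body)
    if chk != want:
        raise ValueError(f"checksum mismatch: got {chk:#04x}, want {want:#04x}")
    op, address, length = body[0], int.from_bytes(body[1:3], "big"), body[3]
    payload = body[4:]
    if op == WRITE and len(payload) != length:
        raise ValueError("byte count does not match payload length")
    return {"op": chr(op), "address": address, "length": length, "payload": payload}


def strip_echo(capture: bytes, sent: bytes) -> bytes:
    """The cable's single-wire circuit echoes every byte the host sends, so a
    COM-port capture begins with a copy of the command; return what follows."""
    if not capture.startswith(sent):
        raise ValueError("capture does not begin with the echoed command")
    return capture[len(sent):]


if __name__ == "__main__":
    cmd = build_frame(WRITE, 0x0010, 3, b"\x01\x02\x03")  # constructed sample write
    print(cmd.hex(" "), parse_frame(cmd), strip_echo(cmd + b"\x06", cmd))  # b"\x06": constructed reply
```

A single XOR byte only catches an odd number of flipped bits in any one bit position, so a parse that passes the checksum is still no guarantee the capture is clean.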

By downloading the default configurations for PMR and FRS to the device, sniffing the COM port and comparing the hex files, I was able to locate the bytes that store the frequency and power setting of each channel.

By downloading the same PMR configuration to both of my radios, I discovered that the bytes storing the frequencies differ greatly between the two radios. The settings seem to be deliberately obfuscated, possibly to prevent manipulation and out-of-band operation. The bytes are XORed with some magic value that seems to be unique to the device. I don't know where or how exactly it is stored in the device, or how the application calculates it, but I found a way to extract it.

Up next:

1) Attempt to read out device firmware
2) Disassemble and reverse engineer the firmware
3) ???
4) Profit