Project Logs

Collapse

• Talking Back to That Port

  Signals Everywhere/KR0SIV • 07/20/2017 at 05:58 • 2 comments

  Time to talk to the serial port!

  After listen to what the serial port had to save I've put together enough to figure out what I need to say to the radio to get it to start entering LOAD mode.

  Sending the hex bytes 0xEE get things started.

  Serial port capture
  
  Python code snip
  

  The radio does enter LOAD mode

  
  

  A little problem
  

  After successfully writing commands to enter LOAD mode (the first step to software based restoration of settings) I found that when I have the UART attached to the RX pin on the radio it no longer just spits out data but rather waits for me to send another command back, I'll have to do some more digging.

  When the UART is connected to the radio's RX pin it doesn't like to talk as much.

  Next Time?

  The next update with any luck should be an opensource application to backup and restore these radios. Once I manage to decode the data (likely by making small setting changes or dumping the winbond chip I should be able to allow modification of saved settings from a computer, allowing you to program these alert radios without having punch everything in by hand.

• Determining Clone/Serial Port Baudrate

  Signals Everywhere/KR0SIV • 07/20/2017 at 03:37 • 0 comments

  She speaks serial! Let's hook it up to a UART.

  Once I have the radio hooked up to a UART I attempt several times to capture data, unable to find the correct baudrate.

  Having a hard time guessing the baudrate

  Alright maybe there is a better way....

  I found this website online and it worked out quite nicely.. https://www.kumari.net/index.php/random/37-determing-unknown-baud-rate

  
  Using my Oscilloscope I was able to measure the shortest burst as suggested in the above link/website. This gave me a reading of about 800.0us in width which should round out to about 1200 baud.
  
  

  Does she look good now?
  

  Captain, we haz data!
  
  
  Data obtained from clone

  [17/07/2017 19:26:00] Read data (COM4) 
      ee 07 90 03 85 90 03 35 90 03 55 90 03 55 91 03   î..….5.U.U‘. 
      aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa   ªªªªªªªªªªªªªªªª 
      aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa   ªªªªªªªªªªªªªªªª 
      aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa   ªªªªªªªªªªªªªªªª 
      aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa   ªªªªªªªªªªªªªªªª 
      aa aa aa aa aa aa aa aa aa aa aa 2d 2d 2d 2d 2d   ªªªªªªªªªªª----- 
      2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d   ----------.----- 
      2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d   ------.--------- 
      2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d   --.-----------.- 
      2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d   ----------.----- 
      2d 2d 2d 2d 2d 2d 00 67 f9 71 ff 3b fe f0 03 00   ------.gùqÿ;þð.. 
      02 02 02 02 02 02 ff ff 00 03 26 06 00 07 b2 b1   ......ÿÿ..&...²± 
      ff c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ÿÀÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 
      ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 64   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿd 
      5a                                                Z                
  [17/07/2017 19:26:04] Read data (COM4) 
      05                                     

  Alright! We're not off to a bad start.

  Stay tuned for more.

• Cloning Port/Confirmed Serial

  Signals Everywhere/KR0SIV • 07/20/2017 at 03:24 • 0 comments

  Hello cloning port, what language do you speak?

  First thing is first, what language does the port speak and can I talk to it without too much trouble.

  
  

  Let's Probe It!
  

  The voltage of the port is actually about 3v, I was using the wrong attenuation when the screenshot was taken. I'm assuming serial communications at this point.

  
  

  Let's Sniff it!

  I don't expect any data on this port unless I'm trying to clone the radio, to do this remove the batteries and power the radio up via the cable while holding the  < and  > buttons. This should give you the following screen.

  Press < > at the same time during boot, press select when ready to send.
  

  I used a 3.5mm break out cable and a UART to intercept communications while peering in with my oscilloscope.

  
  

  Scope Capture, oh yeah I think we've got serial!
  

  As I expected when the radio is powered we get a steady 3v on the tx pin and when I hit select to start the cloning process we see data as a square wave where the port is being pulled down to near 0v and and going back high to send data.

• Header Installation/Findings

  Signals Everywhere/KR0SIV • 07/20/2017 at 02:43 • 0 comments

  I installed a header onto what I had high hopes to be a 14 pin JTAG header, it turns out these pins actually go to each button and LED on the radio. So nothing super useful to me there. Just bridge a pin to ground and it'll trigger whatever button or LED.

• What's Inside/No FCC ID?

  Signals Everywhere/KR0SIV • 07/20/2017 at 02:38 • 3 comments

  Normally when working on any electronics project the first thing I do is grab the FCC ID. Something everything with some type of radio will have and nearly any electronic device as well. A company like Midland not having such an ID struck me as odd.

  Nevertheless I started tearing into it and seeing what there was to this odd little radio.

  Here is what I found

  Masked CPU

  Several Test Points but no other indications
  

  Unknown Chip With Test pads

  Test pads check voltage, no indication of data
  

  Finally, something I can play with. A Winbond flash memory chip.

  Winbond 25x40bvnig 8SOIC Chip : Click for datasheet
  

  A UTC petw chip used as an audio amplifier for the Alerts

  UTC MC34119L: Click for datasheet

  Possible JTAG Header
  

View all 5 project logs