07/20/2017 at 05:58 •
Time to talk to the serial port!
After listening to what the serial port had to say, I've put together enough to figure out what I need to say to the radio to get it to start entering LOAD mode.
Sending the hex byte 0xEE gets things started.
Serial port capture
Python code snip
The radio does enter LOAD mode
A little problem
After successfully writing commands to enter LOAD mode (the first step to software-based restoration of settings), I found that when I have the UART attached to the RX pin on the radio it no longer just spits out data but rather waits for me to send another command back. I'll have to do some more digging. When the UART is connected to the radio's RX pin it doesn't like to talk as much.
The next update, with any luck, should be an open source application to back up and restore these radios. Once I manage to decode the data (likely by making small setting changes or dumping the Winbond chip), I should be able to allow modification of saved settings from a computer, allowing you to program these alert radios without having to punch everything in by hand.
07/20/2017 at 03:37 •
She speaks serial! Let's hook it up to a UART.
Once I have the radio hooked up to a UART I attempt several times to capture data, unable to find the correct baudrate.
Having a hard time guessing the baudrate
Alright maybe there is a better way....
I found this website online and it worked out quite nicely: https://www.kumari.net/index.php/random/37-determing-unknown-baud-rate
Using my oscilloscope I was able to measure the shortest burst, as suggested on the website linked above. This gave me a reading of about 800.0us in width, which should round out to about 1200 baud.
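The shortest-pulse method above, written out as an added example (not code from this project log). The function names, the list of standard rates, the 20% tolerance and the constructed 8N1 test signal are all assumptions made for illustration.

```python
# Estimate an unknown UART baud rate from edge timestamps (scope or logic analyser).
STANDARD_BAUDS = (300, 600, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)

def snap_to_standard(bit_time_s):
    """Return (standard_baud, raw_baud, relative_error) for a measured bit time."""
    raw = 1.0 / bit_time_s
    std = min(STANDARD_BAUDS, key=lambda b: abs(b - raw) / b)
    return std, raw, abs(raw - std) / std

def uart_edges(data, baud, scale=1.0):
    """Constructed test signal: edge times (s) of back-to-back 8N1 frames, idle high.
    `scale` stretches the time base to mimic measurement error."""
    bit = scale / baud
    level, t, edges = 1, 0.0, []
    for byte in data:
        # start bit (0), eight data bits LSB first, stop bit (1)
        for b in [0] + [(byte >> i) & 1 for i in range(8)] + [1]:
            if b != level:
                edges.append(t)
                level = b
            t += bit
    return edges

def estimate_baud(edges, tolerance=0.2):
    """Treat the shortest pulse as one bit time, then sanity-check the guess.
    Only valid if the capture contains at least one isolated bit; otherwise
    the shortest pulse is 2+ bits and the estimate comes out too low."""
    widths = [b - a for a, b in zip(edges, edges[1:])]
    bit_time = min(widths)
    # The line idles high, so the first edge is falling and widths[0::2] are
    # low pulses. Lows always sit inside one frame (start bit + data zeros),
    # so each must be a whole number of bits, at most 9. Highs may include
    # idle time between bytes and are not checked.
    for w in widths[0::2]:
        n = w / bit_time
        if abs(n - round(n)) > tolerance or round(n) > 9:
            raise ValueError(f"low pulse of {w * 1e6:.0f} us does not fit the bit time")
    return snap_to_standard(bit_time)

if __name__ == "__main__":
    print(snap_to_standard(800e-6))  # the 800 us scope reading from this log
    # First four bytes of the clone dump, time base 4% off to mimic the scope
    print(estimate_baud(uart_edges(b"\xee\x07\x90\x03", baud=1200, scale=0.96)))
```

A 1/800 us bit time works out to 1250 baud raw, about 4% away from 1200, which is within what most UARTs tolerate.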
Does she look good now?
Captain, we haz data!
Data obtained from clone
[17/07/2017 19:26:00] Read data (COM4) ee 07 90 03 85 90 03 35 90 03 55 90 03 55 91 03 î..….5.U.U‘. aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ªªªªªªªªªªªªªªªª aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ªªªªªªªªªªªªªªªª aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ªªªªªªªªªªªªªªªª aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ªªªªªªªªªªªªªªªª aa aa aa aa aa aa aa aa aa aa aa 2d 2d 2d 2d 2d ªªªªªªªªªªª----- 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d ----------.----- 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d ------.--------- 2d 2d 00 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d --.-----------.- 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 00 2d 2d 2d 2d 2d ----------.----- 2d 2d 2d 2d 2d 2d 00 67 f9 71 ff 3b fe f0 03 00 ------.gùqÿ;þð.. 02 02 02 02 02 02 ff ff 00 03 26 06 00 07 b2 b1 ......ÿÿ..&...²± ff c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ÿÀÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 64 ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿd 5a Z [17/07/2017 19:26:04] Read data (COM4) 05
Alright! We're not off to a bad start.
Stay tuned for more.
07/20/2017 at 03:24 •
Hello cloning port, what language do you speak?
First things first: what language does the port speak, and can I talk to it without too much trouble?
Let's Probe It!
The voltage of the port is actually about 3v; I was using the wrong attenuation when the screenshot was taken. I'm assuming serial communications at this point.
Let's Sniff it!
I don't expect any data on this port unless I'm trying to clone the radio. To do this, remove the batteries and power the radio up via the cable while holding the < and > buttons. This should give you the following screen.
Press < > at the same time during boot, press select when ready to send.
I used a 3.5mm break out cable and a UART to intercept communications while peering in with my oscilloscope.
Scope Capture, oh yeah I think we've got serial!
As I expected, when the radio is powered we get a steady 3v on the TX pin, and when I hit select to start the cloning process we see data as a square wave where the port is being pulled down to near 0v and going back high to send data.
07/20/2017 at 02:43 •
I installed a header onto what I had high hopes would be a 14 pin JTAG header; it turns out these pins actually go to each button and LED on the radio. So nothing super useful to me there. Just bridge a pin to ground and it'll trigger whatever button or LED.
07/20/2017 at 02:38 •
Normally when working on any electronics project the first thing I do is grab the FCC ID. It's something everything with some type of radio will have, and nearly any electronic device as well. A company like Midland not having such an ID struck me as odd.
Nevertheless, I started tearing into it to see what there was to this odd little radio.
Here is what I found
Several Test Points but no other indications
Unknown Chip With Test pads
Test pads check voltage, no indication of data
Finally, something I can play with. A Winbond flash memory chip.
A UTC petw chip used as an audio amplifier for the Alerts
Possible JTAG Header