Commercial Series Region Hack

This forum is for discussions regarding all aspects of Motorola radio programming, including hardware, computers, installation and use of RSS/CPS, firmware upgrades, and troubleshooting. There are subforums for discussions of codeplugs, and also for software/firmware release notes and issues.

Moderator: Queue Moderator

doughboy5100
Posts: 23
Joined: Thu May 05, 2005 12:33 pm

Commercial Series Region Hack

Post by doughboy5100 »

Has anyone figured out a way to modify the commercial series cps to work on all regions? I Found the Pro/Waris series mod.
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

commercial series CPS R05.07
general EMEA region
offset 5F2CEB (h) 7505 change to 9090
offset 62D255 (h) 7505 change to 9090
now cps support all region radios: cm200/300, pr400/pm400, cp150/200, ep450/em200/em400,
cp040/cp140/cp160/cp180, cm140/cm160 and AZ region radios.
cp200
New User
Posts: 1
Joined: Fri Jan 02, 2009 2:55 am

Re: Commercial Series Region Hack

Post by cp200 »

Where do you find the offset? 8)
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

in cps.exe
ICEMANTIM
Posts: 120
Joined: Mon Oct 29, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by ICEMANTIM »

Hello My CPS.exe only has offsets up to 2ddfe3
any ideas i am using latin american version

Thanks
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

I'm sorry,

correct offset

5F2CEB - 400000 = 1f2ceb
62D255 - 400000 = 22d255

)400000 -offset Imagebase)
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

Nice!!! tested

double play, Multiregion & password
CPS R05.07 from EMEA Region 6 Languages

Offset 1F2CEB(h) 7505 to 9090 (slavik)
Offset 22D255(h) 7505 to 9090 (slavik)

Offset 119BC1(h) 7505 to 9090 (Sergio MD)

triple play inside codeplug? o RAM edition (out band)

eulalio
Last edited by eurecomx on Fri Jan 23, 2009 7:21 pm, edited 1 time in total.
trentininelmondo
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

double play, Multiregion & password

CPS R05.07 from LA Region 3 Languages

Offset 1F2BAB(h) 7505 to 9090
Offset 22D115(h) 7505 to 9090

Offset 119971(h) 7505 to 9090

the "LA" version is not complete. CM340 & CM360 no run.

now cps support: CP40, CP140, CP160, CP180, CP200, CM140,CM160 EM200, EM400, EP450 ETC.
Last edited by eurecomx on Fri Jan 23, 2009 7:23 pm, edited 1 time in total.
trentininelmondo
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

Yes, "LA" and "AA" ("FD" ???) versions not support
radios with SelV signalling: CM340/CM360/CP340/CP360/CP380.
ICEMANTIM
Posts: 120
Joined: Mon Oct 29, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by ICEMANTIM »

Hello Thanks for all the help this group is great. I must be a Dumb A?? or something. I have hex edited raduis program to make a 2 channel into a 16 channel, but for some reason i can not find the 7505 @ the offsets listed here. What am i doing wrong??
Thanks
User avatar
smile@2006
Posts: 54
Joined: Thu Jan 26, 2006 7:51 pm
What radios do you own?: XTS2500 XTL2500 ATS2500

Re: Commercial Series Region Hack

Post by smile@2006 »

Disbale password & all region support CPS R05.07 (AZ) Region:

Offset 1155905 7505 to 9090

Offset 2045867 7505 to 9090

Offset 22DD75 7505 to 9090
Last edited by smile@2006 on Mon Feb 16, 2009 8:07 am, edited 1 time in total.
Sergio MD
Posts: 43
Joined: Fri Dec 07, 2007 1:51 am

Re: Commercial Series Region Hack

Post by Sergio MD »

My friend send me e-mail:

The task: Program CP040 H50KDC9AA1AN 146-174 at 145.500 MHz.
Read radio with CPS and save file codeplug.cps.
Open file codeplug.cps in HexWorkshop, find Hex "BBA5A5A5A5A5A5".
You will find it three times.
First entry is "A4A5A6BBA5A5A5A5A5A5". It is Motorola VHF Base frequency - 103.000000 MHz.
Second entry is "A4A1A3BBA5A5A5A5A5A5". It is lower limit - 146.000000 MHz.
Third entry is "A4A2A1BBA5A5A5A5A5A5". It is upper limit - 174.000000 MHz.
So alphabet seems as follows:
A1 = 4
A2 = 7
A3 = 6
A4 = 1
A5 = 0
A6 = 3
AD = 8
BB = "."
Change lower limit to "A4A1A1..." and save file.
Open file with CPS , enter frequences and program radio. Save codeplug on disk.

Problems: Radio possible to program ONLY ONCE.
Radio works orderly, but is not read and is not programmed by CPS.
Needed to save data from EEPROM IC and restore at need of reprogramming,
or use Radio Firmware Kit.

I hope it works for all Commercial_MDC radios. I read somewere CPS R05.07 can reset hacking codeplug to default.
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

TriplePlayPlus

Thanks to Sergio MD

Nice!!!!

Tested in CPS R05.07 LA , (with EM200 codeplug.)


eurecomx
http://img248.imageshack.us/my.php?imag ... lushs8.png

Image
trentininelmondo
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

The Rosetta Stone
A5 = 0
A4 = 1
A7 = 2
A6 = 3
A1 = 4
A0 = 5
A3 = 6
A2 = 7
AD = 8
AC = 9
BB = “.”

D4 = A... F4 = a
D7 = B... F7 = b
D6 = C... F6 = c
D1 = D... F1 = d
D0 = E... F0 = e
D3 = F... F3 = f
D2 = G... F2 = g
DD= H... FD = h
DC = I... FC = i
DF = J... FF = j
DE = K... FE = k
D9 = L... F9 = l
D8 = M... F8 = m
DB = N... FB = n
DA = O... FA = o
C5 = P... E5 = p
C4 = Q... E4 = q
C7 = R... E7 = r
C6 = S... E6 = s
C1 = T... E1 = t
C0 = U... E0 = u
C3 = V... E3 = v
C2 =W... E2 = w
CD = X... ED = x
CC = Y... EC = y
CF = Z... EF = z

eulalio
trentininelmondo
rmnalk2
Posts: 10
Joined: Thu Jan 04, 2007 12:45 pm

Re: Commercial Series Region Hack

Post by rmnalk2 »

To restore the codeplug, just clone with another radio with same firmware with clone cable.
And yes, sometimes CPS restore the original codeplug.
CFD_1534
Posts: 30
Joined: Mon May 31, 2004 9:26 pm
What radios do you own?: too many

Re: Commercial Series Region Hack

Post by CFD_1534 »

I hate to bring back a sort of old thread, but how do you edit the file? Some sort of program or something? I'm new at the "hacking" of radio software... Thanks,

-Ed
Ed
User avatar
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by wavetar »

CFD_1534 wrote:I hate to bring back a sort of old thread, but how do you edit the file? Some sort of program or something? I'm new at the "hacking" of radio software... Thanks,

-Ed
Sergio MD wrote: Open file codeplug.cps in HexWorkshop.
Most people use a free program called Hex Workshop, as Sergio mentioned in his post. You can read through some of the hacking information on Batlabs...the Maxtrac section contains a lot of useful info on how to use Hex Workshop. There are also various tutorials on the web.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
CFD_1534
Posts: 30
Joined: Mon May 31, 2004 9:26 pm
What radios do you own?: too many

Re: Commercial Series Region Hack

Post by CFD_1534 »

I was needing to check/change the region hex. My software when i read says region not supported. I searched the web and here for a tutorial, but i'm still lost. what is it i'm exactly looking for to change, and what does the character filter in hex workshop need to be set to? Thanks,

-Ed
Ed
Andreas
Posts: 626
Joined: Sun Sep 09, 2001 4:00 pm
What radios do you own?: radios

Re: Commercial Series Region Hack

Post by Andreas »

Change the regionalcode in the radio to fix the problem!

Andreas
CFD_1534
Posts: 30
Joined: Mon May 31, 2004 9:26 pm
What radios do you own?: too many

Re: Commercial Series Region Hack

Post by CFD_1534 »

How could I go about doing that?
Ed
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

CFD_1534 wrote:How could I go about doing that?

CFD_1534 is in Kentucky US (AA REGION)
no offsets here, is the problem.

eulalio
trentininelmondo
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

CPS R05.08 EMEA

region check off
offset 1F5789 (h) 7505 change to 9090
offset 22FF95 (h) 7505 change to 9090

pass check off
offset 11B011 (h) 7505 change to 9090
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

slavik wrote:CPS R05.08 EMEA

region check off
offset 1F5789 (h) 7505 change to 9090
offset 22FF95 (h) 7505 change to 9090

pass check off
offset 11B011 (h) 7505 change to 9090
slavik:

today cut a version R05.08 AA that just came in English (no more languages) and gave me the following offsets:
for: Motorola Commercial Series Customer Programming Software (CPS) for the CP040, CP140, CP160, CP180, CM140, CM160, CM340 and CM360 radios

Now Plus EM200, EM400, EP450 + ?

Region check off:
1F55DB (h) 7505 ==> 9090
22FDD5 (h) 7505 ==> 9090

pass check off:
11B2D1 (h) 7509 ==> 9090

eulalio
Last edited by eurecomx on Sat Jun 20, 2009 7:32 pm, edited 1 time in total.
trentininelmondo
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

I have got multi languages cps.

I did check up cps R0508 again and there is one correction

region check off
offset 1F578B (h)
offset 22FF95 (h)

pass check off
offset 11B011 (h)

Also I tested cps on sample files with other regions ID, all Ok.
coke
Posts: 28
Joined: Tue Jul 19, 2005 6:13 pm

Re: Commercial Series Region Hack

Post by coke »

Anyone have a region mod for 05.05?
User avatar
Iguana
Posts: 65
Joined: Wed Aug 31, 2005 5:03 am

Re: Commercial Series Region Hack

Post by Iguana »

TO ALL

Out of band tested on PM400 UHF 438-470 and CM200 438-470
Everything working good, but if you want to recover your radio do the following:
The software automatically prompts to recover the radio with the same model and writes the radio.
After recovery the radio configured with factory defaults.
Load the previously backed-up codeplug and write the radio.
I have used the CPS 05.08 (cracked)

Does anyone knows another way to out-of-band programming ?

Good Night!
Okeeco
New User
Posts: 1
Joined: Tue Nov 17, 2009 12:27 pm

Re: Commercial Series Region Hack

Post by Okeeco »

I am using Hex Workshop and have CPS R05.07
I can find these keys:

Offset 1F2BAB(h) 7505 to 9090
Offset 22D115(h) 7505 to 9090

Offset 119971(h) 7505 to 9090
but WHERE do I change the 7505 to 9090? I can't see WHERE you can change that value! Should i be using a different program? Can someone help me?
coling223
New User
Posts: 17
Joined: Thu Feb 19, 2009 5:48 pm

Re: Commercial Series Region Hack

Post by coling223 »

I've read through all of this and i still can't figure out how to find the hex in order to change it. I have a PR400 (AA) and the (LA) r.05.09
Any help would be appreciated!
Thanks,
Colin
coling223
New User
Posts: 17
Joined: Thu Feb 19, 2009 5:48 pm

Re: Commercial Series Region Hack

Post by coling223 »

ok, so i've found the offsets, but cannot find the "7505" that i am supposed to be changing to 9090... could this be because it's 05.09?
Thanks
Colin
JimCT
Posts: 9
Joined: Sun Sep 16, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by JimCT »

Commercial Series Version 5.12 AA

Disable password check: 1232B1 Change 7509 to 9090.

We're still working on the region...
User avatar
eurecomx
Posts: 31
Joined: Fri Jan 23, 2004 7:56 pm

Re: Commercial Series Region Hack

Post by eurecomx »

JimCT wrote:Commercial Series Version 5.12 AA

Disable password check: 1232B1 Change 7509 to 9090.

We're still working on the region...
Password check off
String 75098BCEE8 ==> 90908BCEE8
------------------------------------------------
Region check off (Twice)
String 7505BF01000000 ==> 9090BF01000000
String 7505BF01000000 ==> 9090BF01000000

eulalio
trentininelmondo
RADIOMAN2002
Posts: 1102
Joined: Thu Apr 04, 2002 4:00 pm
What radios do you own?: More than I can count

Re: Commercial Series Region Hack

Post by RADIOMAN2002 »

Need string locations for region and password for CPS 5.05
mother
New User
Posts: 1
Joined: Wed Mar 03, 2010 2:26 pm

Re: Commercial Series Region Hack

Post by mother »

For reference, on CPS R05.09 LA, the offsets to change for region-free are:

20287B
23DD75

I prefer to change 7505 to 7405 (makes it jump if equal instead of not equal, je vs. jne for assembler freaks). This means the CPS won't work for LA radios, but the whole point of hacking this is to make it work elsewhere. Using noops (90) is fine, but can sometimes interfere or cause traps to trigger. Seems like Motorola programmers haven't changed the whole scheme in many versions, but it could eventually happen.

Cheers!
incognito
New User
Posts: 1
Joined: Sat Aug 18, 2007 1:59 am

Re: Commercial Series Region Hack

Post by incognito »

Well after having read the above hex edit post and jumping in and DOING the frequency mod, AND WRITING the radio, i can't reprogram it. I know, should have read the lines below it for more clarity. Anyhow, now i'm getting the error 2411 codeplug corrupted error and its not prompting to fix it. whats this i hear about a cloning cable and can I make one? I've got another CM200 sitting next to it. Also as a side note, I wonder if we were to make the checksum correct if it would prevent this error in the future and allow us to write/rewrite without this problem??
toshi x
New User
Posts: 6
Joined: Sat Apr 10, 2010 4:45 pm

Re: Commercial Series Region Hack

Post by toshi x »

Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

toshi x wrote:Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all
x8C604 74 a EB / x8C61D 74 a EB
Is it for CPS R05.09 or for CPS R05.12?
toshi x
New User
Posts: 6
Joined: Sat Apr 10, 2010 4:45 pm

Re: Commercial Series Region Hack

Post by toshi x »

slavik wrote:
toshi x wrote:Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all
x8C604 74 a EB / x8C61D 74 a EB
Is it for CPS R05.09 or for CPS R05.12?

This is for R05.09LA

both files are in the same directory
slavik
Posts: 58
Joined: Thu Aug 25, 2005 9:27 pm

Re: Commercial Series Region Hack

Post by slavik »

CPS R05.09 EMEA multi languages

cps.exe
8c854 74 > EB
8c86d 75 > EB
1d1650 74 > EB
1d166b 75 > EB

ELPELMCPSERVICES.DLL
1BEBE 13 > 00
1BED0 75 > EB

for toshi x
this trick work only with MDC radio.
with Select V european radios this trick doesn't work
toshi x
New User
Posts: 6
Joined: Sat Apr 10, 2010 4:45 pm

Re: Commercial Series Region Hack

Post by toshi x »

version R05.09EMEA
For EMEA / AZ / LA radios

CPS.EXE

8C854 --- 74 to EB Full frecuency range
8C86D --- 75 to EB Full frecuency range

1CE9EF --- 74 to EB Full range frecuency
1CE9D4 --- 75 to EB Full range frecuency

1D1650 --- 74 to EB Full frecuency range
1D166B --- 75 to EB Full frecuency range

1D1808 --- 74 to EB Full frecuency range
1D1823 --- 75 to EB Full frecuency range



ELPELMCPSERVICES.DLL


1BEBE --- 13 to 00
1BED0 --- 75 to EB
ZS6JPL
Posts: 5
Joined: Tue Jan 16, 2007 12:47 am

Re: Commercial Series Region Hack

Post by ZS6JPL »

Any idea which addresses to change on the R05.09 EMEA CPS to open the region lock?
Johan Lehmann ZS6JPL
Tel: +27 12 8413648
Member of SARL, ARRL
toshi x
New User
Posts: 6
Joined: Sat Apr 10, 2010 4:45 pm

Re: Commercial Series Region Hack

Post by toshi x »

ZS6JPL wrote:Any idea which addresses to change on the R05.09 EMEA CPS to open the region lock?
This is not mine but works fine

CPS.EXE

1232A1 --- 7509 to 9090 Password off
20295B --- 7509 to 9090 Region off
23DEC5 --- 7509 to 9090 Region off


good luck
lucky644
New User
Posts: 1
Joined: Sun Jul 04, 2010 6:25 pm

Re: Commercial Series Region Hack

Post by lucky644 »

Is it possible to change the frequency range with my CP200 using 5.0 cps hex editing?
LuisG
New User
Posts: 2
Joined: Wed Jul 28, 2010 8:33 am

Re: Commercial Series Region Hack

Post by LuisG »

how do I change the version to 05.07.NA
for the new version

I like to modify the new version to other regions ie cp140uhf2
tk's
LuisG
New User
Posts: 2
Joined: Wed Jul 28, 2010 8:33 am

Re: Commercial Series Region Hack

Post by LuisG »

LuisG wrote:how do I change the version to 05.07.NA
for the new version

I like to modify the new version to other regions ie cp140uhf2
tk's
which addresses to change on the R05.09 LA CPS to open the region lock?
i need to use in CP140 UHF2 and CP200
cduda
Posts: 200
Joined: Sun May 21, 2006 9:39 am
What radios do you own?: GP300, HT1250, CDM1250

Re: Commercial Series Region Hack

Post by cduda »

Hello All. I have read through this and have a few questions hopefully someone can/will help me.

I have the CM300, using 05.07. I am not sure which A) version of the software I have and B) what region the radio is.

The information on the radio is as follows:

Model: AAM50KQF9AA1AN

KIT: PMUD1877CBNM

I am using Windows XP to program these. When I read it, I am getting the error 40040-Region Not Supported.

Can you please advise where at in regedit or where else I can change this to make my CPS work for these radios.

Thank you in advance.
motorola_otaku
Posts: 1854
Joined: Tue Jan 13, 2004 7:03 am

Re: Commercial Series Region Hack

Post by motorola_otaku »

AA in the radio's model number means it's a North American radio.

The instructions for unlocking the region in R05.07 CPS are in this thread, just scroll up.
vespan
New User
Posts: 1
Joined: Sat Dec 11, 2010 12:57 am

Re: Commercial Series Region Hack

Post by vespan »

Hello All!
I have problem with Programming Motorola CM160 Ver.R04.00.02 Tanapa PMUD 1894C. With CPS R05.07 Radio
can’t open. Another CPS. which I have is CPS NA R05.08. With that, give me Error 40040 – "Region not supported".
How is possible to remove that “Region”?
Thanks in advance!
User avatar
SD70MAC
Posts: 408
Joined: Mon Sep 10, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by SD70MAC »

Anyone got the region/password hack for R5.15 yet ?
SD70MAC out

My collection;
XTS5000 VHF FPP,XTS3000 VHF M1&M3,XTVA,XTS2500 UHF Q FPP,Astro Spectra"s W3 VHF,W9 VHF,W7 800,HT1250 35-50,XPR4500 Q,2 CDM1550LS+ VHF 160ch,CDM1550 X 160ch VHF 25w,MAXTRAC 42-50 32ch,CDM1250 42-54
Al
Posts: 1045
Joined: Tue Sep 04, 2001 4:00 pm

Re: Commercial Series Region Hack

Post by Al »

I don't know what the region hack is, but the password bypass for R05.15 Commercial series is at 12B041h, 7509h --> 9090h.
yc5nbx
New User
Posts: 2
Joined: Wed Dec 03, 2008 12:00 am
What radios do you own?: GP2k.GP308.GM300.GM338.GM3188

Re: Commercial Series Region Hack

Post by yc5nbx »

Hello all ..!
Does anyone have an region or password offset for R05.13 ?
Post Reply

Return to “Radio Programming”