Commercial Series Region Hack

[doughboy5100]

Has anyone figured out a way to modify the commercial series cps to work on all regions? I Found the Pro/Waris series mod.

[slavik]

commercial series CPS R05.07
general EMEA region
offset 5F2CEB (h) 7505 change to 9090
offset 62D255 (h) 7505 change to 9090
now cps support all region radios: cm200/300, pr400/pm400, cp150/200, ep450/em200/em400,
cp040/cp140/cp160/cp180, cm140/cm160 and AZ region radios.

[cp200]

Where do you find the offset?

[slavik]

in cps.exe

[ICEMANTIM]

Hello My CPS.exe only has offsets up to 2ddfe3
any ideas i am using latin american version

Thanks

[slavik]

I'm sorry,

correct offset

5F2CEB - 400000 = 1f2ceb
62D255 - 400000 = 22d255

)400000 -offset Imagebase)

[eurecomx]

Nice!!! tested

double play, Multiregion & password
CPS R05.07 from EMEA Region 6 Languages

Offset 1F2CEB(h) 7505 to 9090 (slavik)
Offset 22D255(h) 7505 to 9090 (slavik)

Offset 119BC1(h) 7505 to 9090 (Sergio MD)

triple play inside codeplug? o RAM edition (out band)

eulalio

[eurecomx]

double play, Multiregion & password

CPS R05.07 from LA Region 3 Languages

Offset 1F2BAB(h) 7505 to 9090
Offset 22D115(h) 7505 to 9090

Offset 119971(h) 7505 to 9090

the "LA" version is not complete. CM340 & CM360 no run.

now cps support: CP40, CP140, CP160, CP180, CP200, CM140,CM160 EM200, EM400, EP450 ETC.

[slavik]

Yes, "LA" and "AA" ("FD" ???) versions not support
radios with SelV signalling: CM340/CM360/CP340/CP360/CP380.

[ICEMANTIM]

Hello Thanks for all the help this group is great. I must be a Dumb A?? or something. I have hex edited raduis program to make a 2 channel into a 16 channel, but for some reason i can not find the 7505 @ the offsets listed here. What am i doing wrong??
Thanks

[smile@2006]

Disbale password & all region support CPS R05.07 (AZ) Region:

Offset 1155905 7505 to 9090

Offset 2045867 7505 to 9090

Offset 22DD75 7505 to 9090

[Sergio MD]

My friend send me e-mail:

The task: Program CP040 H50KDC9AA1AN 146-174 at 145.500 MHz.
Read radio with CPS and save file codeplug.cps.
Open file codeplug.cps in HexWorkshop, find Hex "BBA5A5A5A5A5A5".
You will find it three times.
First entry is "A4A5A6BBA5A5A5A5A5A5". It is Motorola VHF Base frequency - 103.000000 MHz.
Second entry is "A4A1A3BBA5A5A5A5A5A5". It is lower limit - 146.000000 MHz.
Third entry is "A4A2A1BBA5A5A5A5A5A5". It is upper limit - 174.000000 MHz.
So alphabet seems as follows:
A1 = 4
A2 = 7
A3 = 6
A4 = 1
A5 = 0
A6 = 3
AD = 8
BB = "."
Change lower limit to "A4A1A1..." and save file.
Open file with CPS , enter frequences and program radio. Save codeplug on disk.

Problems: Radio possible to program ONLY ONCE.
Radio works orderly, but is not read and is not programmed by CPS.
Needed to save data from EEPROM IC and restore at need of reprogramming,
or use Radio Firmware Kit.

I hope it works for all Commercial_MDC radios. I read somewere CPS R05.07 can reset hacking codeplug to default.

[eurecomx]

TriplePlayPlus

Thanks to Sergio MD

Nice!!!!

Tested in CPS R05.07 LA , (with EM200 codeplug.)


eurecomx
http://img248.imageshack.us/my.php?imag ... lushs8.png

[eurecomx]

The Rosetta Stone
A5 = 0
A4 = 1
A7 = 2
A6 = 3
A1 = 4
A0 = 5
A3 = 6
A2 = 7
AD = 8
AC = 9
BB = “.”

D4 = A... F4 = a
D7 = B... F7 = b
D6 = C... F6 = c
D1 = D... F1 = d
D0 = E... F0 = e
D3 = F... F3 = f
D2 = G... F2 = g
DD= H... FD = h
DC = I... FC = i
DF = J... FF = j
DE = K... FE = k
D9 = L... F9 = l
D8 = M... F8 = m
DB = N... FB = n
DA = O... FA = o
C5 = P... E5 = p
C4 = Q... E4 = q
C7 = R... E7 = r
C6 = S... E6 = s
C1 = T... E1 = t
C0 = U... E0 = u
C3 = V... E3 = v
C2 =W... E2 = w
CD = X... ED = x
CC = Y... EC = y
CF = Z... EF = z

eulalio

[rmnalk2]

To restore the codeplug, just clone with another radio with same firmware with clone cable.
And yes, sometimes CPS restore the original codeplug.

[CFD_1534]

I hate to bring back a sort of old thread, but how do you edit the file? Some sort of program or something? I'm new at the "hacking" of radio software... Thanks,

-Ed

[wavetar]

I hate to bring back a sort of old thread, but how do you edit the file? Some sort of program or something? I'm new at the "hacking" of radio software... Thanks,

-Ed

Open file codeplug.cps in HexWorkshop.

Most people use a free program called Hex Workshop, as Sergio mentioned in his post. You can read through some of the hacking information on Batlabs...the Maxtrac section contains a lot of useful info on how to use Hex Workshop. There are also various tutorials on the web.

Todd

[CFD_1534]

I was needing to check/change the region hex. My software when i read says region not supported. I searched the web and here for a tutorial, but i'm still lost. what is it i'm exactly looking for to change, and what does the character filter in hex workshop need to be set to? Thanks,

-Ed

[Andreas]

Change the regionalcode in the radio to fix the problem!

Andreas

[CFD_1534]

How could I go about doing that?

[eurecomx]

How could I go about doing that?

CFD_1534 is in Kentucky US (AA REGION)
no offsets here, is the problem.

eulalio

[slavik]

CPS R05.08 EMEA

region check off
offset 1F5789 (h) 7505 change to 9090
offset 22FF95 (h) 7505 change to 9090

pass check off
offset 11B011 (h) 7505 change to 9090

[eurecomx]

CPS R05.08 EMEA

region check off
offset 1F5789 (h) 7505 change to 9090
offset 22FF95 (h) 7505 change to 9090

pass check off
offset 11B011 (h) 7505 change to 9090

slavik:

today cut a version R05.08 AA that just came in English (no more languages) and gave me the following offsets:
for: Motorola Commercial Series Customer Programming Software (CPS) for the CP040, CP140, CP160, CP180, CM140, CM160, CM340 and CM360 radios

Now Plus EM200, EM400, EP450 + ?

Region check off:
1F55DB (h) 7505 ==> 9090
22FDD5 (h) 7505 ==> 9090

pass check off:
11B2D1 (h) 7509 ==> 9090

eulalio

[slavik]

I have got multi languages cps.

I did check up cps R0508 again and there is one correction

region check off
offset 1F578B (h)
offset 22FF95 (h)

pass check off
offset 11B011 (h)

Also I tested cps on sample files with other regions ID, all Ok.

[coke]

Anyone have a region mod for 05.05?

[Iguana]

TO ALL

Out of band tested on PM400 UHF 438-470 and CM200 438-470
Everything working good, but if you want to recover your radio do the following:
The software automatically prompts to recover the radio with the same model and writes the radio.
After recovery the radio configured with factory defaults.
Load the previously backed-up codeplug and write the radio.
I have used the CPS 05.08 (cracked)

Does anyone knows another way to out-of-band programming ?

Good Night!

[Okeeco]

I am using Hex Workshop and have CPS R05.07
I can find these keys:

Offset 1F2BAB(h) 7505 to 9090
Offset 22D115(h) 7505 to 9090

Offset 119971(h) 7505 to 9090
but WHERE do I change the 7505 to 9090? I can't see WHERE you can change that value! Should i be using a different program? Can someone help me?

[coling223]

I've read through all of this and i still can't figure out how to find the hex in order to change it. I have a PR400 (AA) and the (LA) r.05.09
Any help would be appreciated!
Thanks,
Colin

[coling223]

ok, so i've found the offsets, but cannot find the "7505" that i am supposed to be changing to 9090... could this be because it's 05.09?
Thanks
Colin

[JimCT]

Commercial Series Version 5.12 AA

Disable password check: 1232B1 Change 7509 to 9090.

We're still working on the region...

[eurecomx]

Commercial Series Version 5.12 AA

Disable password check: 1232B1 Change 7509 to 9090.

We're still working on the region...

Password check off
String 75098BCEE8 ==> 90908BCEE8
------------------------------------------------
Region check off (Twice)
String 7505BF01000000 ==> 9090BF01000000
String 7505BF01000000 ==> 9090BF01000000

eulalio

[RADIOMAN2002]

Need string locations for region and password for CPS 5.05

[mother]

For reference, on CPS R05.09 LA, the offsets to change for region-free are:

20287B
23DD75

I prefer to change 7505 to 7405 (makes it jump if equal instead of not equal, je vs. jne for assembler freaks). This means the CPS won't work for LA radios, but the whole point of hacking this is to make it work elsewhere. Using noops (90) is fine, but can sometimes interfere or cause traps to trigger. Seems like Motorola programmers haven't changed the whole scheme in many versions, but it could eventually happen.

Cheers!

[incognito]

Well after having read the above hex edit post and jumping in and DOING the frequency mod, AND WRITING the radio, i can't reprogram it. I know, should have read the lines below it for more clarity. Anyhow, now i'm getting the error 2411 codeplug corrupted error and its not prompting to fix it. whats this i hear about a cloning cable and can I make one? I've got another CM200 sitting next to it. Also as a side note, I wonder if we were to make the checksum correct if it would prevent this error in the future and allow us to write/rewrite without this problem??

[toshi x]

Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all

[slavik]

Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all

x8C604 74 a EB / x8C61D 74 a EB
Is it for CPS R05.09 or for CPS R05.12?

[toshi x]

Is a good job
I have one contribution:

CPS.EXE
x8C604 74 a EB
x8C61D 74 a EB

ELPELMCPSERVICES.DLL
x1BEBE 13 a 00
x1BED0 75 a EB

with this we have full range frequencies

greetings to all

x8C604 74 a EB / x8C61D 74 a EB
Is it for CPS R05.09 or for CPS R05.12?

This is for R05.09LA

both files are in the same directory

[slavik]

CPS R05.09 EMEA multi languages

cps.exe
8c854 74 > EB
8c86d 75 > EB
1d1650 74 > EB
1d166b 75 > EB

ELPELMCPSERVICES.DLL
1BEBE 13 > 00
1BED0 75 > EB

for toshi x
this trick work only with MDC radio.
with Select V european radios this trick doesn't work

[toshi x]

version R05.09EMEA
For EMEA / AZ / LA radios

CPS.EXE

8C854 --- 74 to EB Full frecuency range
8C86D --- 75 to EB Full frecuency range

1CE9EF --- 74 to EB Full range frecuency
1CE9D4 --- 75 to EB Full range frecuency

1D1650 --- 74 to EB Full frecuency range
1D166B --- 75 to EB Full frecuency range

1D1808 --- 74 to EB Full frecuency range
1D1823 --- 75 to EB Full frecuency range



ELPELMCPSERVICES.DLL


1BEBE --- 13 to 00
1BED0 --- 75 to EB

[ZS6JPL]

Any idea which addresses to change on the R05.09 EMEA CPS to open the region lock?

[toshi x]

Any idea which addresses to change on the R05.09 EMEA CPS to open the region lock?

This is not mine but works fine

CPS.EXE

1232A1 --- 7509 to 9090 Password off
20295B --- 7509 to 9090 Region off
23DEC5 --- 7509 to 9090 Region off


good luck

[lucky644]

Is it possible to change the frequency range with my CP200 using 5.0 cps hex editing?

[LuisG]

how do I change the version to 05.07.NA
for the new version

I like to modify the new version to other regions ie cp140uhf2
tk's

[LuisG]

how do I change the version to 05.07.NA
for the new version

I like to modify the new version to other regions ie cp140uhf2
tk's

which addresses to change on the R05.09 LA CPS to open the region lock?
i need to use in CP140 UHF2 and CP200

[cduda]

Hello All. I have read through this and have a few questions hopefully someone can/will help me.

I have the CM300, using 05.07. I am not sure which A) version of the software I have and B) what region the radio is.

The information on the radio is as follows:

Model: AAM50KQF9AA1AN

KIT: PMUD1877CBNM

I am using Windows XP to program these. When I read it, I am getting the error 40040-Region Not Supported.

Can you please advise where at in regedit or where else I can change this to make my CPS work for these radios.

Thank you in advance.

[motorola_otaku]

AA in the radio's model number means it's a North American radio.

The instructions for unlocking the region in R05.07 CPS are in this thread, just scroll up.

[vespan]

Hello All!
I have problem with Programming Motorola CM160 Ver.R04.00.02 Tanapa PMUD 1894C. With CPS R05.07 Radio
can’t open. Another CPS. which I have is CPS NA R05.08. With that, give me Error 40040 – "Region not supported".
How is possible to remove that “Region”?
Thanks in advance!

[SD70MAC]

Anyone got the region/password hack for R5.15 yet ?

[Al]

I don't know what the region hack is, but the password bypass for R05.15 Commercial series is at 12B041h, 7509h --> 9090h.

[yc5nbx]

Hello all ..!
Does anyone have an region or password offset for R05.13 ?