I got the location range narrowed down in the command board that tells the radio all of its features, so if you want to enable features or truly clone a radio this will really help you (Securenet / Zones / Trunked or Conv, everything basically).
If you want to upgrade to a 6.00 and newer MLM to get zones in the radio, this will allow you to read the radio and you will see the features there as you should. Reprogramming will no longer lose the feature.
1. No feature set is band specific as far as I can tell so far. So if you have an 800 MHz ZXA series codeplug and want to make a UHF trunked secure smartnet radio out of a conventional one, it should work.
2. Write down the old string of data before you change it because this is still very experimental. I am 5 for 5 radios, but don't blame me if you break yours.

3. Model number doesn't really make any difference. But if it makes you happy to change it like it does for me, go for it. Remember though, if you clone in a radio, its features should match yours. So be smart and change the model number so you can clone correctly. Also, this prevents "weird" codeplugs from appearing in the pool, such as D43KMA7JA7AK codeplugs that are actually trunked securenet ZXA radios.
FYI: Moflags in lab4 only edits the codeplug and will "force" program features in, but when you read the radio it will not be there because it doesn't reprogram the command board locations, which is what the RSS uses to tell you what you can and can't do.
4. You MUST COPY and change the entire range I specify from your source radio or a string I give you. Part of the string is some weird checksum and I haven't figured out how it is calculated. If you copy only part of it.... once you drop back out of the service menu the radio will revert the data back to what it was.
The magic location range is:
B681 - B693
Here are some strings for some different features (my notes are a mess and I can't verify these will be correct right now, so WRITE DOWN YOURS BEFORE YOU TRY THESE):
T44ZXA5JC9AK Smartnet Secure Trunking With Zones (again, should work on all bands for ZXA secure smartnet):
03 DF 58 0F 99 77 B1 F7 46 84 0C 1F 13 00 00 00 00 93 F0
Conventional Zones + Securenet (this one may not allow internal securenet, not sure, try it and see):
00 56 40 A3 18 F7 B1 F7 44 84 80 1F 53 00 00 00 8A 19 FF
Or this one may give you better results for Conv Zones + Securenet:
00 56 40 A3 18 FF B1 F7 44 84 80 1F 53 00 00 00 8A 19 F0
I would advise that you clone in a codeplug from the source radio into the victim so that the modification is 100% complete. But it works without cloning.
Moflags in Lab 4 is likely a very key element to breaking down the structure of this string because it labels features and corresponding bit numbers, which may or may not be in the same order in this string.
You will also notice that there are 2 moflags that are unused in lab4 ( 14 and 15 I believe ) and the 14th and 15th bytes are all zeros.
The last 3 bytes are a checksum of sorts and I do not know how they are calculated. If we can decode this and learn how to recalc the checksum you could enable / disable features instantly by changing one bit and then the checksum.
I have noticed the following things.... Take this string for example:
00 56 40 A3 18 FF B1 F7 44 84 80 1F 53 00 00 00 8A 19 F0
Somewhere in the 84 is zones, I believe, based on radios I have worked with. If your radio is 80 you will not have zones. And the 53 has something to do with securenet. Remember, you still have to change it all because of the checksum.
Good luck, and let me know how things go for you hackers using this useful info. Also, I will update my spreadsheet located at:
http://home.earthlink.net/~natedog224/s ... bangin.xls

If anyone can share useful strings, such as someone with a DUAL HEAD radio, please send it out for everyone.