
Major Spectra Hacking Update Moflags and more

Posted: Thu Aug 28, 2003 9:50 pm
by natedog224
Hi guys, I have some updates on Spectra hacking after spending some time doing what else... more hacking. If you want features, please read the whole thing to learn what I have learned.

I got the location range narrowed down in the command board that tells the radio all of its features, so if you want to enable features or truly clone a radio this will really help you. (Securenet / Zones / Trunked or Conv, everything basically.)

If you want to upgrade to a 6.00 or newer MLM to get zones in the radio, this will allow you to read the radio and you will see the features there as you should; reprogramming will no longer lose the feature.

1. No feature set is band specific as far as I can tell so far. So if you have an 800 MHz ZXA series codeplug and want to make a UHF trunked secure smartnet radio out of a conventional one, it should work.

2. Write down the old string of data before you change it because this is still very experimental. I am 5 for 5 radios but don't blame me if you break yours :) . You can always revert it easily. PRINT OUT AN ALIGNMENT SUMMARY IN CASE YOU HAVE TO REINIT THE COMMAND BOARD FOR ANY REASON.

3. Model number doesn't really make any difference. But if it makes you happy to change it like it does for me, go for it. Remember though, if you clone in a radio, its features should match yours. So be smart and change the model number so you can clone correctly; also this prevents "weird" codeplugs from appearing in the pool, such as D43KMA7JA7AK codeplugs that are actually trunked securenet ZXA radios.


FYI: Moflags in lab4 only edits the codeplug and will "force" program features in, but when you read the radio it will not be there because it doesn't reprogram the command board locations, which is what the RSS uses to tell you what you can and can't do.

4. You MUST COPY and change the entire range I specify from your source radio or a string I give you. Part of the string is some weird checksum and I haven't figured out how it is calculated. If you copy only part of it... once you drop back out of the service menu the radio will revert the data back to what it was.

The magic location range is :

B681 - B693

Here are some strings for some different features (my notes are a mess and I can't verify these will be correct right now, so WRITE DOWN YOURS BEFORE YOU TRY THESE):

T44ZXA5JC9AK Smartnet Secure Trunking With Zones (again, should work on all bands for ZXA secure smartnet):

03 DF 58 0F 99 77 B1 F7 46 84 0C 1F 13 00 00 00 00 93 F0

Conventional Zones + Securenet (this one may not allow internal securenet, not sure, try it and see):

00 56 40 A3 18 F7 B1 F7 44 84 80 1F 53 00 00 00 8A 19 FF

Or this one may give you better results for Conv Zones + Securenet:

00 56 40 A3 18 FF B1 F7 44 84 80 1F 53 00 00 00 8A 19 F0


I would advise that you clone in a codeplug from the source radio into the victim so that the modification is 100% complete. But it works without cloning.


Moflags in Lab 4 is likely a very key element to breaking down the structure of this string because it labels features and corresponding bit numbers, which may or may not be in the same order in this string.

You will also notice that there are 2 moflags that are unused in lab4 (14 and 15, I believe) and the 14th and 15th bytes are all zeros.

The last 3 bytes are a checksum of sorts and I do not know how they are calculated. If we can decode this and learn how to recalc the checksum, you could enable / disable features instantly by changing one bit and then the checksum.

I have noticed the following things... take this string for example:

00 56 40 A3 18 FF B1 F7 44 84 80 1F 53 00 00 00 8A 19 F0

Somewhere in the 84 is zones, I believe, based on radios I have worked with. If your radio is 80 you will not have zones. And the 53 has something to do with securenet. Remember you still have to change it all because of the checksum.

Good luck, let me know how things go for you hackers using this useful info. Also I will update my spreadsheet located at:

http://home.earthlink.net/~natedog224/s ... bangin.xls :P

If anyone can share useful strings, such as someone with a DUAL HEAD radio, please send it out for everyone.
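As an added example (not from the thread or its author), a small Python helper that parses the 19-byte strings quoted above, checks that each one fills the B681-B693 range, and reports which addresses and bits differ between two strings, so a changed byte can be tied back to a location before touching a radio. The labels, the B681 offset mapping and the 16 + 3 field split are my assumptions from the post; it makes no guess at the checksum algorithm.

```python
# Helper for the 19-byte command-board feature strings quoted in the thread:
# checks a string fits the B681-B693 range, maps each byte to its address,
# and shows which bytes (and bits) differ between two strings.
RANGE_START = 0xB681
RANGE_END = 0xB693                       # inclusive, as given in the post
RANGE_LEN = RANGE_END - RANGE_START + 1  # 19 bytes
CHECKSUM_LEN = 3                         # post: last 3 bytes are "a checksum of sorts"

# Strings exactly as posted (labels are mine; values are the poster's, unverified).
STRINGS = {
    "trunked_secure_zones":   "03 DF 58 0F 99 77 B1 F7 46 84 0C 1F 13 00 00 00 00 93 F0",
    "conv_zones_securenet_a": "00 56 40 A3 18 F7 B1 F7 44 84 80 1F 53 00 00 00 8A 19 FF",
    "conv_zones_securenet_b": "00 56 40 A3 18 FF B1 F7 44 84 80 1F 53 00 00 00 8A 19 F0",
}


def parse_string(text):
    """Parse a space-separated hex dump and enforce the B681-B693 length."""
    data = bytes.fromhex(text)
    if len(data) != RANGE_LEN:
        raise ValueError(f"expected {RANGE_LEN} bytes for B681-B693, got {len(data)}")
    return data


def split_fields(text):
    """Return (feature_bytes, checksum_bytes) using the assumed 16 + 3 layout."""
    data = parse_string(text)
    return data[:-CHECKSUM_LEN], data[-CHECKSUM_LEN:]


def diff_strings(text_a, text_b):
    """List (address, byte_a, byte_b, flipped_bits) for every differing byte."""
    a, b = parse_string(text_a), parse_string(text_b)
    result = []
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            flipped = [bit for bit in range(8) if (x ^ y) >> bit & 1]
            result.append((RANGE_START + offset, x, y, flipped))
    return result


def common_zero_addresses(texts):
    """Addresses that are 00 in every given string (the post calls these unused)."""
    parsed = [parse_string(t) for t in texts]
    return [RANGE_START + i for i in range(RANGE_LEN) if all(p[i] == 0 for p in parsed)]


if __name__ == "__main__":
    a, b = STRINGS["conv_zones_securenet_a"], STRINGS["conv_zones_securenet_b"]
    for addr, x, y, bits in diff_strings(a, b):
        print(f"{addr:04X}: {x:02X} -> {y:02X}  bits {bits}")
    print("always zero:", [f"{z:04X}" for z in common_zero_addresses(STRINGS.values())])
```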

Posted: Sun Aug 31, 2003 5:31 pm
by spectragod
I might recommend that bitbang and checksum are 2 words you may not want to go near while at M school. They tend to get real excited. Just FYI.

SG

M School?

Posted: Sun Aug 31, 2003 8:24 pm
by natedog224
SG, maybe I'm just stupid, but that made no sense to me?

M School?

Who gets excited?

Posted: Mon Sep 01, 2003 1:01 am
by KG6EAQ
If you go to a Motorola training class it's not wise to mention either of those topics. Both are related to the LAB software which is not supposed to be in anyone but mother M's hands.

Of course

Posted: Mon Sep 01, 2003 12:41 pm
by natedog224
Yes, yes, point taken. Sorry, I am just ignorant :o . I didn't even know Motorola had training programs, although I should have...

One of those pointless things I will never need or use :P .

Posted: Tue Sep 02, 2003 6:14 am
by wa2zdy
Hey Nate, don't get upset. SG sometimes loses us all. Don't feel left out.

I'm wondering now when the thief is going to post here to let us know he did this years ago already. He probably actually has a better idea how to do this. Some magic gadget I'm sure.

Oh well, we decided he had deli disease. You know, full of baloney.

LOL, sorry, had to say it.

Good job Nate, enjoy the radio and good luck with continued success.

Posted: Tue Sep 02, 2003 10:31 am
by spectragod
I lose you all? Now I am lost, WTFO.

SG

Posted: Wed Sep 03, 2003 7:58 am
by 60hzEE
Great work!!!! I tried a couple, and it does work.

I've got a v 3. MLM with a 2864 EEPROM that I'd like to upgrade the firmware to v 6.+. What are the /\/\ part numbers for the two 27c512 EPROMs?

Also, I'm guessing that the EEPROM version 115 is the 28C64. There were some smaller EEPROMS, like a 28C16, as I recall. Are their versions 100, 112, 113, etc?


Lee

MLM upgrade

Posted: Wed Sep 03, 2003 10:00 am
by natedog224
To upgrade an old MLM to v6 you will need the following:

-2 new 27C512 EPROMs (get them from DIGIKEY, as Motorola only sells new MLMs at very high price tags)

-An EPROM programmer to program the new chips.

-A copy of the data images out of each of the 2 27C512 MLMs on a v6.00 or newer MLM.

-Soldering skill / equipment to unsolder / solder the 27C512s without destroying the MLM traces.
(I use a precut aluminum shield to protect the rest of the MLM from heat and a heat gun to take the chips off. A good Metcal soldering iron + no-clean flux and no-clean solder and a microscope to resolder new chips in.)


Now you see why many people just buy v6 or newer MLMs off eBay. I prefer upgrading all my MLMs to the latest and greatest 6.16 though. If you've got the stuff to do it, why not.

Yes, the EEPROM version number you mentioned lives in the 28C64. You should bitbang it to 115 after you upgrade to V6.00 or newer.

You also may have to reinitialize the command board because the radio may do funny things if you don't. Make sure you print out an alignment summary (in the service menu) before you even mess with the MLM and make sure you have a current archive saved. If for some reason you need to reinit the command board you will need that alignment summary.

Posted: Wed Sep 03, 2003 10:33 am
by willbartlett
Hey Nate, great work. Do you know if there is a lower limit to the access time on the 27C512s? Would 90 ns be sufficient? I wouldn't imagine with a radio this old that a 45 ns chip would be required.

Not Sure

Posted: Wed Sep 03, 2003 6:11 pm
by natedog224
Will, I'm not sure about that one. Mike B's site had some stuff about the access times in the X9000s, but I do not know what will and won't work on the Spectra MLM. I do know the ones I got from Digikey (Atmel) are 70 ns chips and they worked flawlessly. I would imagine 90 should work without a glitch.

Well Done

Posted: Thu Sep 04, 2003 4:54 pm
by Zero dbm
The information submitted by Natedog is perfect. I have failed to turn my Spectra into a doorstop and it works well.

Kudos Nate!

Re: Major Spectra Hacking Update Moflags and more

Posted: Thu Jun 07, 2007 3:01 pm
by hvfcadmin
Many of the MLMs I've had are the 200 ns variety (NM27C512VE200). 70 ns chips work great. It's hard to find EPROMs in the slow 200 ns range.