Are you ready for this? : Spectra Moflags Cracked AND Hacked

[natedog224]

Hi Everyone. You may have read some of my posts in the past on Spectra hacking regarding a certain feature string on the command board.

I have taken that a step further and am on the virge of a major step forward to allow creation of custom hacked Spectras. But I need help figuring a tricky checksum. Please read.

Did some research and mapped out the moflags. The moflags are indeed stored on the command board in that string I originally found. They are very easy to break down.

B681 - B692

B681 corresponds to Moflag0 and so forth
B690 is the last (Moflag15)

If your radio for example reads hex 03 at address B681

This translates to 00000011 Binary

Which Corresponds to Moflag0 : Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0

Bit0 - Unused - Enabled
Bit1 - Unused - Enabled
Bit2 - Sys Search Lock - Not Avaliable
Bit3 - AMSS - Not Avaliable
Bit4 - Dynamic Regrouping - Not Avaliable
Bit5 - Emergency Call - Not Avaliable
Bit6 - Emergency Alarm - Not Avaliable
Bit7 - Emergency Trunk - Not Avaliable

In Lab 4 moflags can be changed to 3 settings ( Not avalible / Enabled / Disabled )

Enabled / Disabled will still give you a binary1 and just reflects whether its turned on in the RSS / Codeplug.

Not Avaliable is set with a 0.

Problem with Lab4 is it would let you edit the Moflags in the codeplug stored on the PC. You then could force the codeplug into the radio with new features. But when you read the radio again those features aren't avaliable.

That is because they do not write over the string in the command board ( which would be the ideal fix ).

B691 and/or B692 are checksum information of some type and I can't figure it out for the life of me. It only checks the Moflag string though.

I know this because it allows changes to the Model Number in the command board. Which is the address string just prior to the Moflags.

If you put in data in the Moflag string ( B681 - B692 ) and mess up just one digit.... It will revert back to the old data when you drop out of the service menu.

So you have to copy the entire string exactly from another radio or it will revert back due to checksum failure.

I need help figuring out this damn checksum. As a starter point the Maxtrac uses a checksum-8 with 1s Complimented set which would be one Byte of data. I think they got more crafty with the spectra though. Maybe they are using the one byte to encrypt the other somehow? No idea.

I have a spreadsheet that has a list of the moflags and what each bit turns on / off.

http://home.earthlink.net/~natedog224/moflags.xls

We are on the virge of creating custom spectras from scratch. Just need that damn checksum figured out and I will write a PC program to make a custom feature string based on checkboxes. And it will decode strings as well

Now I know you all want to make custom featured Spectras. And enable all kinds of goodies. If anyone comes up with how the checksum works please PM me or post it for the common good of Batlabbers everywhere.

[Code3Response]

Sweet! With being able to make "custom spectras" what features will that allow them to have?

[natedog224]

Download the spreadsheet. Tons of stuff.

[natedog224]

Ok I got this figured out.

Are you ready to add any feature you want to your Spectra?

Please read the first part of the post so you know what is going on.

There is truth to cowtheifs post. The only thing that is wrong is that the data is indeed stored in EEPROMs.

Ok so let me write sort of an article on this....

How the Moflags are stored in the Spectra (locations are bitbanger addresses) :

Command Board Range : B681 - B690 / B691=A Checksum
MLM Range : 6183 - 6192 / 6193 = Checksum

How I was hacking radios previously :

I was taking radios that had lots of features and cloning Command Board Location range B681 - B692 with the checksum and all and putting this data in crappy radios that had nothing and upgrading thier firmware to version 6.16 so zones would work ect. Then I would virtually have a clone of the original good radios features.

How the radio checks this data on POST :

The radio on POST checks the command board range B681 - B690 with some proprietary checksum algorithm and compares the result with B691.

If it doesnt match the radio grabs the entire range from 6183 - 6193 on the MLM and throws it in the Command Board.

So if I were hacking a radio and messed up on one character it would revert to what it was.

How the RSS reads what features you get and dont get :

Moflags are nothing more than single bits stored at those locations that tell the radio and RSS what features it gets to have and what ones it doesn't.

Some people in the past were forcing zones codeplugs in there radios which would allow zones to work but when you read the radio zones wouldn't appear in the RSS.

This is because the RSS reads the Moflag data off the command board. And since the command board isn't written to when you load a codeplug you don't truly correctly get Zones ect. enabled.

My first hack method worked around this by hacking the range with a copy from a better radio. The difference is now I figured out how to hack it to do anything you want.

You can now make your own string of data using the moflags as a referance and turn on whatever you want.

How to do it :

First create a string of data. You can use this string which came out of a very full featured conventional radio as a referance point to create your own. This string has Zones / Securenet / Dual Control Heads.

CB Range B681 - B690 / MLM Range 6183 - 6193 :
00 76 40 A3 19 FF F1 FF 64 84 90 1F 1F 00 00 00

Use my spreadsheet as a moflags referance :
http://home.earthlink.net/~natedog224/moflags.xls

Turns out if you hack the MLM Range 6183 - 6192 and CB B681 - B690 (Moflags 0 - 15) you can put any data you want in (any custom string). When you read the radio and rewrite it will create the checksum and put it at the end of the MLM string ( at 6194 ) then after it is done programming it will reboot the radio and then that checksum gets copied to the command board because the command board checksum fails. So it essentially calculates the checksum for us automatically and fixes the radio.

Please note the structure of the bits in the hex byte I will quote myself to reiterate this :

If your radio for example reads hex 03 at address B681

This translates to 00000011 Binary

Which Corresponds to Moflag0 : Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0

Bit0 - Unused - Enabled
Bit1 - Unused - Enabled
Bit2 - Sys Search Lock - Not Avaliable
Bit3 - AMSS - Not Avaliable
Bit4 - Dynamic Regrouping - Not Avaliable
Bit5 - Emergency Call - Not Avaliable
Bit6 - Emergency Alarm - Not Avaliable
Bit7 - Emergency Trunk - Not Avaliable

Have Fun!

Nate

[wavetar]

Wow. I stand humbled by your perseverence & end results. Excellent work.

Todd

[natedog224]

Thanks glad I can make a significant contribution to the continued goal of hacking the hell out of the spectra. Now maybe I'll have to move on to the Jedi radios.

On another topic....
It will probably be a while yet but...

Wait until Will B. and I reveal the next step with the Spectra which we have been working on. Everyones gonna piss thier diapers and drool like babies.

[willbartlett]

Damn, Good eye. I hadn't even gotten into it yet, and you're done. Great work, I nominate Nate here for a lifetime membership to MENSA.

Will

[xmo]

Nate,

I'll add my personal pat on the back for a job well done!

I have a little experience hacking things [like the Spectra RSS band limits] so I know all too well how much time it takes to figure these things out - but it sure feels good when you hit the jackpot.

Now, while you are on a roll, how about moving up to Astro Spectra & XTS Flashcodes.....

[nmfire10]

This is definately a thread to save in an archive of information somewhere. That is all another language to me since I haven't even started messing with hex editors. But I get the general idea and I have to say NICE work!

I don't think I could fit enough DEK's in my truck to handle all those options.

[natedog224]

I would love to move up to Astro Spectras and XTS radio flashcodes / feature hacking.

I just cant afford those radios.

Nate

[apco25]

I wonder the "algeria SP" option does....

Makes your spectra talk french ?

[60hzEE]

Nate: A great find. However, when I checked the CB offsets in one of mine, 6183h-6193h had a repeating string of C2 8B EE 94 00 11.....

I found the string in one of my CBs to begin at 61D1h and run through 61E2h. It exactly matches B681h-B692h. B693h and 61E3 differ, so those are apparently the check sums. But, why would they differ, if the preceding strings are exactly the same. B693h is F0, while 61E3 is 82. Go figure?????

The MLM version is 6.06, and everything wlse works just fine. Strange one.

Lee

[natedog224]

Lee I dont know what version of RSS you are using but that sounds very odd to me.

I have confirmed this data on a whole bunch of radios.

Is it a special radio of some sort?

Try another one and see what you find.

The checksum value at 6194 and B692 should match up also.

B681 through B692 and
6183 through 6194 should match each other.

[JAYMZ]

Nate I have been messing with my UHF Spectra with your chart and everything seems to match up, like you said it does. Very cool find.

None of those bit changes make it front panel programmable does it?

[60hzEE]

Nate: More weird stuff. Another radio. This one is a 900 conventional, using a 6.06v MLM borrowed from a UHF conventional.

B681h-B692h match exactly what is in 61F5h-6206h. And, I know I didn't change the 61F5h-6206h string. The last bytes differ, though.

B693h is F0, and 6207h is B1.

I think I'll call it a night. And try to think this through. You have multiple radios with exactly the same string position, which is as you would think it should be. And, I've got two that differ. I did change the string from B681h-B692 though.

Maybe it is the version. v6.06 for sure on one radio. I didn't pull the cover on the other, but I will. Somehow, the MLM must have been written to in order for the strings to match, though. And I sure didn't do it.

My guess would be that the different versions have different locations for the data.

[60hzEE]

Nope. Both the same version MLM. Got me.

[natedog224]

First off the 2 bytes that you are finding that different are not the checksum. They are the byte after.

There should be 16 Moflags then a checksum. So 17 Bytes total. The 18th byte is what you are refering to as the checksum and is different.

As far as the different locations you have found something very very important Lee.

It seems the Location of the Moflag data on the MLM varies from radio to radio and is not static like the Command Board Location ( B681 - B691 + B692 checksum )

All I can say is that it will match what is in the command board range so write that down first then find the MLM one and right down where "it lives".

It should be somewhere near location 6200 so scroll through the area until you find it .

All the same hacking tricks still apply. You just have to hunt for the MLM location.

[nmfire10]

None of those bit changes make it front panel programmable does it?

Even this hack couldn't make it that "special"

I somehow get the feeling that Big Mamma /\/\ is not going to be happy about this thread.

[xmo]

"I somehow get the feeling that Big Mamma /\/\ is not going to be happy about this thread."
------------------------------------------------------------------------------------

I have been thinking about that very issue since yesterday. I think it is a good idea to consider this carefully.

The very reason that 'feature enhancements' in these products is so difficult is that Motorola designed the process that way for protection of their intellectual property rights. That raises the question of just what rights does a radio owner have to modify his property.

Modification of your own radio based on information you discover by yourself - that ought to be pretty safe. At the other end of the spectrum - a dealer who would foolishly upgrade customer radios at a profit - that would definitely attract Motorola's attention.

Everything else falls into the grey middle ground. Most of the ideas that get discussed here deal with stuff Motorola doesn't make any more - R100s, Maxtracs, HT600s, Spectras, etc. The exposure there should be much less than hacks of current products. It would be much easier for a hotshot lawyer to show injury [lost revenue] to Motorola for hacks of products that are in the price book.

Accordingly, please disregard the suggestion to conquer Flashcodes. I wouldn't want to be the one to push you onto the radar screen!

[nmfire10]

You know, there is some Motorola corperate executive big-wig reading this thread and yealling

"CRAP!! THEY FIGURED IT OUT!!!"

[natedog224]

I feel this is no different than changing head types ect. on the spectra. Which information has been around for quite some time.

Since the Spectra is no longer a current Motorola product I did not take caution in bringing this topic up. Just as the Maxtrac section of the site has tons of good information this is no different.

We just have to ride the wave of the old and dead radios.

So if you hack radios that are 7 years behind the times who cares right? Since the spectra has been around since at least 88 ( oldest one I have ) and was discontinued some years ago it doesn't hurt Motorola a bit.

Since all the people who are hacking thier Spectras would never give Motorola a dime for the most part anyways it makes no difference. Its live without features or find a way to get them on your own right?

It seems also that most agencys are going to all that newest Astro stuff and the Spectras are being surplused like crazy all over the nation.

However at the request / advice of others I will not be so open and sharing about some other certain topics which I share the same great enthusiasm to work on as others im sure do. Rest assured you will be able to find out about wonderfull breakthroughs but there will definitely be a process to do so.

[ricciticcitembo]

Oh, I have complete faith in you Nate. And I second that lifetime
MENSA membership.

[k4wtf]

OK Nate. I've read this thread with great enthusiasm. I would like to do some hacking on one of my spectras now but, I would like to make sure I have this process down.

Can you possibly post a "Hacking the Spectra for Dummies" type instructional post for those of us who have not done it before?

IE;

(1) Read the radio
(2) save the codeplug to disk
(3) What we do next?

I realize that this is second hand for MENSA members but for those of us who haven't been nominated yet, I don't want to brick my Spectra. There are obviously a few steps getting lost in the translation for me. I've done some technical writing and know how easy it is to make assumptions about the experience and abilities of others (you can assume I've NEVER hacked a Spectra!) so, I realize this may take a little bit of effort (to dumb it down). I would truely appreciate it though!

Thanks,

John

[natedog224]

Funny you should mention that John. I plan on working on a "Spectra Toolkit" If you will.

With some very usefull utilities I am going to create + lots of Docs to walk people through it. Also I am going to get a website going to bring forth my projects to the people.

I will post when its released .

[nmfire10]

I might have to find some El-Cheapo Spectra just to play with this once a "how-to" is done.

[xmo]

"I might have to find some El-Cheapo Spectra just to play with"
------------------------------------------------------------------------

Exactly!

I have had a lot of fun with Maxtracs because the tools and procedures have been available. When I first started playing with them - I had that fear factor - what if I mess this thing up? Nobody wants to turn their radio into a brick. After you master the procedures you can take on any project worry free.

I have done a few little things with Spectras - moved MLMs around, cloned features, etc. - but I still had that fear factor. Now, thanks to Nate's work, I am looking forward to experimenting with them!

Thanks again for the hard work Nate!

[natedog224]

I have yet to make a brick out of a single spectra in my exploits. I am extremely impressed of its robustness. I have done some crazy stuff to these things and they come back to life with few problems.

I am positive it is very possible to kill the radio labhacking. But not overly easy.

As far as the toolkit + guide ect. I am gonna get started ASAP and try and get it out there by the end of the month.

[JAYMZ]

John,

Fairly simply... you know what you need for programming and hacking.. so I won't waste your time with that.

Read the radio, Save the good clean CP just in case for future restoration.

With worksheet in hand follow the bit schemes in the BitBanger to find the model numbers and moflags.

Using hex editor to get the appropriate binary for the options you want in each bit you then plug in the bits in their appropriate areas.

Write to the radio... then read and rewrite to clear up any checksum errors and you should be good to go.

That should get you on the right path, with some playing around and experimenting you'll pick it up. It's not to bad once you get used to it.

[jcobb]

AND - if you back up your archive file to a floppy you won't care if you accidently write over it with a bad file.


Just my 2 pesos worth.



Jack

[werdnuts]

so... the big question, when will you guys start hacking astro equipment! we all need whored out flashcodes!

[John]

I must be doing something wrong... I can change the Command Board location (location B681-B691) using the string previously listed and get it to work. However, I can't seem to find the same values (or the original values) anywhere in the MLM range mentioned. I have looked from 6170-62FF and can't find the same sequence. This is on both a T83 and D45 model spectras all with version 6.1X of the MLM.

Do you have to reinitialize the microprocessor or read write the codeplug to get it to copy the string to the MLM range? Is there somewhere else in the MLM range I should be looking?

This might have already been covered but it is hard to find in all the other comments on this thread.

John

[natedog224]

Go further back than 6170 its in there somewhere after the model number.

[jmathia]

I have a D45 series and found mine in the 6400 area. Also if you turn on the expanded data bit the locations will move on you and you have to hunt it down again. Mine started at 6300 now is in the 6400 area. It is there.

[willbartlett]

Just for reference, you may see a slight differentation in the values from CB to MLM ranges. THis only applies to one of the 4 radios I've fiddled with, but in playing with a d44 last night, I found the string starting partially at 6032 for 5 bits, and completely at 61d-something. The bit I was most interested in, moflag 7 (zones) was a different value there (e6) than at the mlm string. I had never looked at it before last night. Very odd.....

Oh well. loaded an old archive after the firmware surgery and all is well

Will

[natedog224]

Will that radio may have had a zones codeplug forced into it or maybe it was enabled using Moflag editor? Which will change the codeplug and likely the MLM value..... which is why the radio will work with zones but doesnt change the CB which is why the RSS says unavaliable if you read it again.

That is just my theory could do some tests to see.

Nate

[thedavecam]

Hey there
I seem to have had success adding multiple pl to the radio by way of
Moflags The function is now present in the cp and i made a 4 pl list
enabled it in the in the modes and assigned a button
But no function from the head not Evan a bonk
and when I press the button it kills the scan function on the radio
A7 head
hln6066a interconnect with the pins removed( tried without removing)
uhf d44kxa7ja7bk
Any thoughts
Thanks dave

[natedog224]

MPL should have been enabled factory from Motorola on just about every spectra. If you had to enable it using Moflags hacking then your spectra may be a very very old one?

It is possible that the firmware is too old to support the feature although I am not sure.

Sounds like that is the problem seeing how it wont function.

[thedavecam]

yes the v is 2.08 on the mlm
I doo have some newer mlm though like 5.xx

[thedavecam]

Did the trick
upgraded the MLM to a 5.10 version and all moflag changes are sticking and working
Thanks Natedog

[natedog224]

Just a note to everyone some of my info was slightly inaccurate especially in the most important part of the post ( the 2nd one where I write how to do it ).

It has been edited and fixed to provide more accurate info.

Nate

[olepro1]

just wondering if the transmit inhibit feature is for the total radio or can it be selective. some modes no xmit others could . when you get your web site up let me know. i need the how to for idiots..i'm one of them. thanks jimmy

[60hzEE]

I spent the better part of today looking at some 28C64 EEPROM contents, and the model/feature string is tacked on to the end of part of the mode data. I verified this on 5 different radios with different mode data.

It moved up and down as I added and removed mode data, for what it's worth, on a given radio.

The first string byte location varied from 61C0h to 61EFh.

Lee

[thedavecam]

Hey there
I was wandering if any of you have increased the number of modes the radio is capabe of
How you did it
and what firmware will it work with
thanks dave

[JAYMZ]

The regular analog Spectra can handle up to 128 modes. I wouldn't know about hacking for more modes than that. But I beleive the E series Spectras have 255 modes like the Astros. That was recently mentioned as well lately.

[k4wtf]

Well, tonight I moflag hacked three of my spectras. I thought I would share the results. There were a few things that kinda threw me for a loop but, I eventually figured them out and recovered my composure AND my radios.


Original D44KMA7JA5BK Spectra with A5 head. ( Originally programmed and working with freqs ranging from 442Mhz - 467Mhz )

Here is where I found the MOFLAG data:

B681 - B690
00 56 40 a3 18 f7 b1 f7 44 84 00 1f 11 00 00 00

61CB - 61DA
00 56 40 a3 18 f7 b1 f7 44 84 00 1f 11 00 00 00

I finally located the MOFLAGs in the MLM range of 61CB - 61DA

Changed MOFLAG 5 to FF to enable Securenet in both the CB and MLM locations.

Exited out of service mode and got the FL 01/82.

Read the codeplug and then wrote the codeplug and the FL 01/82 went away and I now had the flashing FAIL 001. WTF had just happened? My heart sunk. The radio worked fine above 450Mhz but it had stopped working on any modes below 450Mhz. I though, "oh well. I'll figure it out eventually. When I get a minute, I'll post a question to Batlabs. I'm sure someone has seen this before!"

So, I moved on to the next radio, crossing my fingers.


Original D44KMA7JA5BK Spectra with A7 head. ( Originally programmed and working with freqs ranging from 442Mhz - 467Mhz )

b681 - b690
00 56 40 a3 18 f7 b1 f7 44 84 00 1f 11 00 00 00

62b5 - 62c4
00 56 40 a3 18 f7 b1 f7 44 84 00 1f 11 00 00 00

Notice that the MLM is different on this one. I changed MOFLAG 5 to FF on this one as well in both the CB and MLM.

Exited out of service mode and got the FL 01/82.

Read the codeplug and then wrote the codeplug and the FL 01/82 went away and I now had the flashing FAIL 001 on this one too!!! Well, I decided that I would try to figure out what was going on. On a whim, I took a look at location 605F. It read 65 which indicates that the radio thinks it's a 450-482Mhz bandsplit. That isn't right! I changed that location to 64 to indicate 438-470Mhz. Exited out of service mode and again, FL 01/82. Read the codeplug, write the codeplug. No more FL 01/82 and HOT DAMN... No more FAIL 001. The radio TX/RX the local 442.600Mhz repeater just fine again.

I hooked up the first radio again, bitbanged location 605F to "64" from "65", exited, FL 01/82, read, write, no more FL 01/82 and no more FAIL 001 either and low and behold, the radio works on the 442.600Mhz repeater just fine again. Yippie!!!


Now for the last radio....

Original D43KXA7JA5BK Spectra with an A7 head operating in 146-174Mhz range.

b681 - b690
00 56 40 03 18 ff b1 e6 44 84 80 1f 00 00 00 00

626d - 627c
00 56 40 03 18 ff b1 e6 44 84 80 1f 00 00 00 00

Yet another location for the MOFLAGs in the MLM but, I eventually found it. On this one, I changed MOFLAG 7 to F7 to enable Zones. The radio has a version 5.23 MLM but, I figured "what the hell."

Exit service, FL 01/82, read, write, no FL 01/82 - radio works fine.

I go into CHG/VIEW:RADIO and yippie! I can enable Zones. I create a few zones and put the appropriate modes in each, go into CHG/VIEW:CNTRL HD:KEYPAD and change the 7 button from H/L to "ZnUP". Write the codeplug. The radio comes up just fine but, alas.... No zone operation still.

So, that's what I did last night. I figured I'd pass it along to everyone in case someone runs into the FAIL 001 problem I did and starts scratching their heads.

Now... How is it that I upgrade this D43 spectra's MLM version? I want zones in this radio!

John

[Rubicon1]

For zones you just need a ver 6.+ MLM. Either swap one out from another radio or have one of the capable forum members do the upgrade of your current MLM to ver 6.16. If you swap don't forgot to change the serial number in Lab Rss. Ether the MLM or CB. Both have to match. Also make sure your Moflags match the CB.

[John G]

I dumped a codeplug from a conventional into a trunked model. After changing everything that was needed to get rid of the fail messages, I don't have talkaround even though I set the moflags for it. I set both the talkaround and op sel t/a bits. The codeplug had this feature before I cloned it into the radio. What gives? I also noticed that I can pretty much make the model number what I want and it makes no difference in what features the radio is capable of. I thought it actually used the stored model number to decide what was allowed.

[k4wtf]

OK. This one I can't seem to figure out.

Honest to god A7 Spectra. MOFLAG 1 is set to "76" which should indicate "unlimited" phone. When I try to go in and edit the phone lists, it tells me that phone is disabled.

Some modes in the radio have phone enabled. If I try to disable them, it tells me phone is disabled. If I try to enable phone in a new mode, it tells me phone is disabled.

Pressing the phone button when in a mode that has phone enabled will let me use scratchpad, keypad, stored phone numbers, edit stored phone numbers, etc.

Does anyone know why RSS won't let me edit these settings or enable phone on more modes?

Thanks,

John

[olepro1]

a question for someone that understands spectra moflags. for band split change=605F, and control head change=6060, is this the only location that needs changes? looks like this is the MLM only thanks olepro1

[John G]

I noticed while trying to get MPL to work that changing just the bit indicated for MPL did nothing. I made the moflag FF, all 1's and MPL works. I haven't had time to try enabling the bits in combination to see which one it takes to work but just setting the MPL bit to a 1 doesn't do it.