Ideas on HT/CDM bandsplit hacking

[Rayjk110]

If anybody is interested/needs it.... I have a codeplug for a UHF CDM1550, the Codelpug is set for 128Ch, 403-470 but the radio model number is AAM25SKF9DU5AN wich decodes I believe to 450-512 trunking. The serial in my RSS also shows up as 1234567890 when the tag is obviously different than that. If anybody wants it, drop me an emal at Rayjk110 (at) yahoo (dot) com ; and I will be glad to send it.

[n5tbu]

Frustrated,I sent Moto an "estimate of upgrade" form asking to upgrade my 750 to have 40-54 mhz coverage.
Their answer was"unable to do upgrade"
Makes me ask the question...unable to do,or won't do!
mod

[wavetar]

Makes me ask the question...unable to do,or won't do!
mod

Won't do, of course. That is why there are so many pages on Batlabs dedicated to expanding bandsplits. It can obviously BE done, the manufacturer just WON'T do anything to help you with it.

Something the other day made me think of this thread again. I heard when viewing codeplug information in HT1000 LAB, the 403-470MHz model showed a "base" frequency of 375MHz...I wonder if this is the same "base" frequency for the 403-470MHz Waris portable? Referring to an earlier post I made, the bandsplit limits are referenced to this base in steps of *.**KHz and by changing the base frequency you can change the bandsplit limits. I don't know what the values of * are, but I was told that's how it works.

Todd

[Meridian]

Interesting topic.

Wish I could help.

[slavik]

(I’m sorry for my bad English)

"Wavetar wrote:
... I heard when viewing codeplug information in HT1000 LAB, the 403-470MHz model showed a "base" frequency of 375MHz...I wonder if this is the same "base" frequency for the 403-470MHz Waris portable? Referring to an earlier post I made, the bandsplit limits are referenced to this base in steps of *.**KHz and by changing the base frequency you can change the bandsplit limits. I don't know what the values of * are, but I was told that's how it works. "

It is not absolutely correct.
1. In Motorola WARIS Radio with signaling SelectV bandsplit limits it is defined only RSS, and depends on model of radio.
exm H25K.. - K - 136-174 MHz, H25E.. - E - 300-350 MHz
Model number is stored in codeplug radio.
Also see http://www.batlabs.com/htpro.html - Out of Band.

2. For Motorola WARIS Radio with signaling MDC/LTR bandsplit.....It is theme given topic.
See message N3IVK (26.02.2005 in this topic).
Bandsplit limits HT1250 can be changed from the keyboard of radio without use any software. Very strongly it is probable that bandsplit limits (TX max/TX min&RXmax/RX min) is stored in codeplug radio.

3 “.."base" frequency of 375MHz..” – yes, similar base frequencies exist for all band of frequencies.
20 MHz - LB
103 MHz - VHF
375 MHZ - UHF
285 MHZ - (300-350MHz)
325 MHz - (330-400 MHz)
These frequencies are used for management/control of work Fractional-N synthesizer of radio. It is base" frequency" specially defined under a required band of frequencies, but on bandsplit (those digits, that we see in RSS) does not influence.

On IC Fractional-N&VCO it is very-very-very difficult to find datasheet.
Motorola well protects the intellectual property.

[wavetar]

It is not absolutely correct.
1. In Motorola WARIS Radio with signaling SelectV bandsplit limits it is defined only RSS, and depends on model of radio.
exm H25K.. - K - 136-174 MHz, H25E.. - E - 300-350 MHz
Model number is stored in codeplug radio.
Also see http://www.batlabs.com/htpro.html - Out of Band.

I don't know about overseas radios...but in North America, the bandsplit information is not in the CPS (what you're calling the RSS). Yes, the bandsplit depends on the model number, which is defined in the CPS, but the actual physical bandsplit information is not in the CPS to be modified. The "GP300.exe" file referred to in the Batlabs link you provided does not exist in our CPS. If it were that easy, it would have been done long ago.

Todd

[n5tbu]

I think his point was that the bandsplits were stored in the codeplug.CPS tells us this when playing around with the bandsplit window help files.
I have been looking around the codeplug with Hex Workshop,and so far have found nothing.
mod

[wavetar]

The codeplug is encrypted by the CPS, so looking through it is pretty useless unless you can read it in it's 'raw' format. Some people apparently have developed programs which can extract the codeplug in this fashion.

Todd

[The Pager Geek]

Couple ways of defeating this:

Edit the codeplug and directly edit the freq's.
Edit the codeplug and directly change the bandsplit.
Edit the CPS to not care about the bandsplit, thus force whatever freq you put in.

I don't have the time... but I'd chase after #3.

tpg

[mr.syntrx]

If I had a Waris, I'd try watching the serial line to see what commands the CPS uses to read/write to the radio, and write a program to upload/download the codeplug independently of the CPS. You'd then be free to modify the codeplug without CPS intervention or encryption, and dump it straight back down to the rig.

[slavik]

In this forum there is one interesting Author. On his homepage the information is specified how to program codeplug in Waris Radio independently of the CPS. I checked this method repeatedly and it really works. Knowing this information, it is possible to pass a way back (that is from the binary data from IC EEPROM to restore an initial file codeplug).

[n5tbu]

How about a link to this Author"s homepage?
mod

[n5tbu]

I pulled this from a thread on disableing the password protection.....maybe this is a way to get rid of the error invalid fields??

Trick to dissable password:
1). Dis-assembler *.exe file to make *.txt file.
2). Locate StringData "INCORRECT PASSWORD" in *.txt
3). Locate 74xx "INCORRECT PASSWORD".
4). Write to paper the address of 74xx.
5). Open *.exe with HexWorkshop v4.23 or later.
6). Change command JE (Jump If Equal) to JMP (Jump).
JE = 74 , JMP = EB
7). Locate 74xx in *.exe, replace with EBxx.

mod

[n5tbu]

bump...

[kk6rq]

It works on my low split (403-470) 1550 as well. Receives the next county's control channel (488.9875) which is the highest
that at least I care about like a champ. Of course that system is digital, but that's beside the point......

[Jay]

Which program can you recommend as a dis-assembler?

Jay

[486dx4]

Can you elaborate better on how you got the low split UHF 1550 to listen on 488 Mhz (what exact steps, SW tools used, etc).

[kk6rq]

Can you elaborate better on how you got the low split UHF 1550 to listen on 488 Mhz (what exact steps, SW tools used, etc).

OK, not quite so tricky as I thought but basically here's what I did:

Prepare as many personalities as you need beforehand, putting the band edge in as the freqs (470.000) and your
alpha tags- you actually don't need to do the PLs ahead of time; mine took them later no problem.

The next part I did originally the way the high-split guy did at first, except nudging the window up. A few minutes later
when redoing it I noticed I neglected to do the bottom-up first before the top-up; it worked anyway!. So I just tested
403-495 and believe it or not, its working, too. It probably can go higher, but I never go near LA so 495 is more than
adequate.

go into the EDIT tab in RADIO CONFIGURATION; change the upper freq to 495.00; it turns RED. Change the lower to 404.00.
Now change it back to 403.00. Everything turns BLACK. You're DONE.

Actually I noticed later I didn't even need to prepare anything except the alpha tags beforehand. The freqs in the edit
window, as well as anything you entered OOB will be red when you re-read the radio in CPS, but just avoid putting
cursor focus on them and you'll be fine.

If I overlooked anything here, please point it out to everybody, but for now, I think that's it.

[Batwings21]

Sorry, but I must be missing something here... and I can't be the only one. Are you editing the CPS to do this?

[486dx4]

No - you are not the only one. A previous post on this thread mentioned this being done to an HT1550XLS which has the edit tab I gather while other models do not. When I heard "1550" I thought CDM but that's not the case from what I see.

[kk6rq]

Sorry, but I must be missing something here... and I can't be the only one. Are you editing the CPS to do this?

Not the 'CPS'; just the ordinary info in the codeplug. And I can't speak to CDM radio, only the HT1550 handpack I have.
Try manipulating the band edge entries in the EDIT MODE tab of the RADIO CONFIGURATION screen. This is simply a
matter of a loophole that the programmers obviously overlooked. Guaranteed that now that its been identified, they'll
screw us by locking it out in subsequent versions. I'm using v 6.06, BTW.

[ems46pa]

If anybody is interested/needs it.... I have a codeplug for a UHF CDM1550, the Codelpug is set for 128Ch, 403-470 but the radio model number is AAM25SKF9DU5AN wich decodes I believe to 450-512 trunking. The serial in my RSS also shows up as 1234567890 when the tag is obviously different than that. If anybody wants it, drop me an emal at Rayjk110 (at) yahoo (dot) com ; and I will be glad to send it.

does anyone have this codeplug still?, Rayjk110 does not have it anymore and I am looking for it

[n2meg]

Hi All,
I bought the CDM1550LS+ 200 Mhz thinking the band spread was in the 220 - 225 mhz range
it seems that it's in the 217-222 Mhz range, Does anyone have a mod to expand it to the HAM bands in the 223.000 range
I bought 5 of these radios to add on our packet network as backbone links. Anyone have a MOD or a CP
that can help???

Model# of radio is AAM25MHF4DP5AN

Thanks in advance!

n2meg...

[kk6rq]

Well, if its a full keypad model like what we've been talking about, I don't see any
reason why the same thing shouldn't work for you....try it and see..... or send me
your cp and I'll try it for you.

[wavetar]

Well, if its a full keypad model like what we've been talking about, I don't see any
reason why the same thing shouldn't work for you....try it and see..... or send me
your cp and I'll try it for you.

He has a CDM1550, not the HT1550...

[kk6rq]

Oops....speed reading; disregard. You're outta luck, chum.

[1585hp]

I'm trying to find a way to get the low-band and 220 MHz CDM's out of band.

I believe this can be done in the Srecords. I see a lot of information out there about Srecords, but no information, like a data dictionary, on how to interpret the data fields, or where the bandsplit information might be found in the Srecords.

Anyone out there looked at the Srecords for the CDM's for out of band operation?

[slavik]

You have soft-tool for direct read/write data from eeprom IC to file.mot and back?

If such tool at you is, I can help how to expand bandsplit ht/cdm radio.

[akardam]

I'm trying to find a way to get the low-band and 220 MHz CDM's out of band.

I believe this can be done in the Srecords. I see a lot of information out there about Srecords, but no information, like a data dictionary, on how to interpret the data fields, or where the bandsplit information might be found in the Srecords.

Anyone out there looked at the Srecords for the CDM's for out of band operation?

While the Pro series radios may use the SRecord format to manage data internally (and in CPS), there's no "lab" style tool that I know of for them that will let you rear/write with no pack/unpack, like there is on the MTSX and Astro lines.

[slavik]

Yes, s-rec really format used for read/write data
in regural CPS and Moto labtool.

However "non regural labtool" can contain internal
converter from s-rec to mot and back.
Besides, FLO protocol contains some commands/procedures
which can be passed at read/write eeprom.
It allows to make work with codeplug
more simple and convenient.

In any case for expand bandsplit radio it is necessary to get
data from eeprom IC. s-rec or mot format - not important, does not matter.

[Hightower]

There are depot tools for the waris line. These labtools are designed to fix/write good codeplugs when the radio goes whacky with CS errors and the like. I guess one could edit the unencrypted factory scres somehow.

[slavik]

I can show that it is necessary to change in codeplug (.mot) to expand bandsplit
and I can show on an example of VHF mobile radio (GM140/160 - CDM750/1250)
In my region radio 220MHz is not sale, but the technology of change codeplug will be identical.

[d119]

I can show that it is necessary to change in codeplug (.mot) to expand bandsplit
and I can show on an example of VHF mobile radio (GM140/160 - CDM750/1250)
In my region radio 220MHz is not sale, but the technology of change codeplug will be identical.

Great - can I send you the codeplug files to convert my 220MHz radios??

There are people on this board who have 220MHz HT1250LS+ radios working in the amateur bands, but my REPEATED REQUESTS for information on how to do it have gone unanswered.

The point of this board is sharing information, and nobody seems to want to do it. The information on how to out-of-band these radios is out there, in select peoples heads, but nobody's talking.

Open up and SHARE. PLEASE!

[slavik]

Ok, write in PM.

[Andreas]

I´m interested in the bandsplit edit too.It´s simple to force in a new codeplug with a new bandsplit,but you have to align the complete radio.Some people only want to go a few MHz out of band.

Andreas

[NSPD]

I can show that it is necessary to change in codeplug (.mot) to expand bandsplit
and I can show on an example of VHF mobile radio (GM140/160 - CDM750/1250)
In my region radio 220MHz is not sale, but the technology of change codeplug will be identical.

Great - can I send you the codeplug files to convert my 220MHz radios??

There are people on this board who have 220MHz HT1250LS+ radios working in the amateur bands, but my REPEATED REQUESTS for information on how to do it have gone unanswered.

The point of this board is sharing information, and nobody seems to want to do it. The information on how to out-of-band these radios is out there, in select peoples heads, but nobody's talking.

Open up and SHARE. PLEASE!

You do realize that they only do 12.5khz channel spacing right? There is no 20/25khz option for them, as in no 224.360/224.960, etc.

[Grog]

You do realize that they only do 12.5khz channel spacing right? There is no 20/25khz option for them, as in no 224.360/224.960, etc.

You can post that info up front so those who need 20/25khz can forget it, while those who can use 12.5khz channel spacing can use the information you may have.

[NSPD]

I don't have any information on how to modify them for 222-225, i'm just saying that through my experiences I have found that they only do 12.5khz channel spacing.

[d119]

I don't care about channel spacing - I'm still in the band, and can get "close enough".

[n9ihx]

Wondering if anyone has had any success with this yet? There are a lot of
these radios floating around and it would be nice to get them in the ham band
as there not to many decent choices for radios for 220.

Greg......

[n5tbu]

What is ridiculous is, we spent our money an a supposedly excellent piece of equipment,and we can't get tit o work on our freqs,WTF,Motorola? is it not my [I can't read the rules] radio? You will do the freqs I say you will,dammit! Get a fing clue you idiots.
mod

[Andreas]

There´s now a solution out, for the ham edit, on the 220MHz Waris radios!
You can find the hints in the latest unofficial US Waris lab upgradekit.
You find it in the Waris folder.

Andreas

[n5tbu]

Where??? insert a link,please!

[kk6rq]

Ditto, where is Waris .....[folder]?


(Brain and Brain; where is brain?)