Ideas on HT/CDM bandsplit hacking

[wavetar]

I'd be interested in hearing what others have tried so far. Maybe if we share thoughts, we can do it. Myself, I just started trying a few things this past weekend. I've seen the posts where others have been looking in the "proradio.exe" file & can't find anything there, neither could I. So, I used a little program called "DLL Show". There are no less than 29 DLLs called when the program starts up. Seventeen are Microsoft system DLLs, the other 12 are Motorola DLLs, which reside in the C:program filescommon filesmotorolardk folder. I've checked out most of the Motorola DLLs with Hex Workshop, nothing so far. I'm wondering if they are using some sort of numeric table residing in one of the Microsoft DLLs. It could also reside in an obscure OCX file or something. I disassembled the "proradio.exe" with Win32Disassembler, which normally allows me to run the programs & check what DLL is called when, but I can't get the proradio.exe to run for some reason, which sucks. I'm looking through it manually, but my assembly skills are sorely lacking. My next thought is to copy the 4 or 5 basic install floppy disks from the CD, and somehow disassemble them to see exactly what files the Install puts on the computer. That's all I've done so far, anybody else have any ideas?

Todd

[MicorRT]

I've been looking in the *.fts file the *.gid, and the *.exe With Hex workshop.... I also would like the thing to do MDC 1200 in convental mode as well (I know I got a thing for MDC 1200). Do only the LS models of the CDM have amature locked out? LS models are all we deal with down here.

[MicorRT]

By the way I have noticed that the *.fts file doesn't need to be checksum... I'm not to sure what it does but I have changed alot of stuff in there and it doesn't seem to affect the software much.

[FatBoy]

Here is what I got:
Do a search in proradio.exe in hexworkshop. The band limits I worked out are 403-470, and 450-512, which are the radios I work with search for 403, 450, 470, and 512 in intel unsigned long. You will see a patter show up, the band splits are 178 or 278 bytes apart. There seems to be a range where the limits show up, unfortunately, I changed all of the 450's to 44x and they still wouldnt go, I am mad I cant find my notes, Peace, FatBoy. PS make a chart with 403, 470, 450, and 512 across the top and the addresses where they show up down the paper, It stuck out to me.

[Nand]

[Chris]

Interesting! I guess now you would have to analyze what is being sent on the data lines to and from the computer. I've been through that software time and time again and can't find a thing.

[wavetar]

I'm beginning to think it may be easier to get the RSS to dump the codeplug into the radio regardless of whether there are invalid fields or not, since it does let you put the frequencies in, it just then marks them invalid. It comes up with a pop-up window if you try to program it with invalid fields, but if someone were savvy with a windows debugger such as SoftIce or similar, you could set it to break when the window pops up, and then change the JMP command or whatever it is that causes the window to pop-up. I've dabbled with it (Softice), but am no expert, perhaps someone else on the board is, or knows of someone who is. Just trying to get the ideas out there!

Todd

<font size=-1>[ This Message was edited by: wavetar on 2002-03-27 21:21 ]</font>

[Chris]

That seems reasonable. I am just wondering if the radio would work properly if you dumped such a codeplug to it. I remember reading somewhere that Motorola has bandsplit hacked CPS in the depot, so it can be done.

[wavetar]

Yeah, hard to say. I don't think out of band frequencies would cause problems, but other invalid fields certainly could. One would have to be very careful, if it indeed could be done that way.

Todd

[Will]

According to my sources at //, the band limits are in the flashed in firmware in each radio. The RSS just reads the radios limits.

[Chris]

Well that is a different issue, any comments.

[wavetar]

I've been thinking about that since Nand made the comment, but I really don't think so. Number one, we know the bandsplit resided in the "GP300.exe" file in earlier CPS versions, not in the radio. Number two, the CPS runs without interfacing to a radio, it lists an archive's bandsplit just fine, and I have been unable to find any bandsplit info in the archives. Any other thoughts?

Todd

[HumHead]

Two quick random thoughts:
1) I'm assuming that someone has tried to compare codeplugs from otherwise identical models in different ranges.

2) Is it possible that the range is simply noted by a simple value in the codeplug or firmware that refences a lookup table in the CPS containing the actual range values? It would be a different approach, but would make a lot of sense.

[Chris]

I have two identically programmed radios one being a high split and one a low as we speak. I'll have to take a look. The only thing different should be the serial # and bandsplit, correct?

Chris

[HumHead]

Any frequencies programmed will also be different. The best starting point would probably be only 1ch / 1 zone with a minimum of extra stuff enabled to keep it as simple as possible.

[Chris]

Some progress made!

I found where the serial # resides and was able to CHANGE it. I just haven't figured out the character map yet.

Offset 00000322 in the codeplug is where the serial begins approximately. I also noted that when I left the headers alone and cut and pasted the codeplug from an SDH radio to a RDH radio in Hex Workshop, the bandsplit of the radio CHANGED in the RSS - so we can be certain that our work is not fruitless. The radio takes the change and does not complain even though the header says one thing and the rest of the codeplug is saying something else. I did not run into any checksum errors.

So we now are able to change the split of the radio by changing out an RF board and making the codeplug change by cut and paste. Serial #'s may also be changed in the codeplug via this method if we can figure out the map. I remember someone saying a while ago about Intel Long Unsigned?

The work we need to do do is in the actual CPS. We need to find out where those limits are. They are there or in a DLL somewhere.

[Chris]

Something else to note.

The CPS uses the header info to fill in the blanks in the open dialog, but uses the codeplug info after it to fill in the blanks under the radio information tab once you open the codeplug.

[MicorRT]

Chris you helped me navigate the codeplug Thank you! I have a CDM 1550 LS (not a plus model) and located the bandsplit info in offset 00000359 , 0000035A , and in 0000035B. By lowering any one of these or raising their value by 1 decimal value you can change the bandsplit range. It will display the range in the Radio Info screen. However it will give you a model mismatch when tring to program the altered codeplug back into the same radio. I notice that the hex values at those ofset locations change with every change made in the codeplug... they aren't set values but are "relative" if I take the hex value at offset 00000359 and drop its value by one it will put the radio right where I want it... How ever the software now looks at that codeplug as a diffrent model run then it actually is... I hope this helps someone I guess it is back to the drawing board.

[MicorRT]

I'm currently trying to hack the site database to see if I can get a radio to take any 440 freq.s at all. Did anybody find anything more out?

[wavetar]

I know I haven't done anything since, hard to get the time. I'm hesitant to load SoftIce to try & trick the CPS into writing with invalid fields, as I have a dual-boot configuration on my home computer & it might mess it up. Anybody else out there with any SoftIce experience, drop me an e-mail.

Todd

[Edgar F Jr]

Are you getting anywhere MicorRt ?

[MicorRT]

Sorry Edgar I haven't put any more time in on it... I'll have to get back in the saddle again.
Very interesting web site you have there.

[FatBoy]

Ok,
I have been working on the software for a while and some things are starting to take form, however my hex workshop is not saving my edited file. For example, make changes, click save and it doesnt save the changes. It is in overwrite mode. Any help would be appreciated, FatBoy.

[Chris]

Fatboy,

If your hex editor is not saving the changes, then something is wrong. If you are using hex workshop, the software should give you the chance to make a backup on the original before saving the edited version. If this is not happening, I would consider reinstalling the software, it sounds like it may be corrupt. As far as being in overwrite mode, I believe the insert button turns that feature on and off.

[MicorRT]

Some progress made!

I found where the serial # resides and was able to CHANGE it. I just haven't figured out the character map yet.

Offset 00000322 in the codeplug is where the serial begins approximately. I also noted that when I left the headers alone and cut and pasted the codeplug from an SDH radio to a RDH radio in Hex Workshop, the bandsplit of the radio CHANGED in the RSS - so we can be certain that our work is not fruitless. The radio takes the change and does not complain even though the header says one thing and the rest of the codeplug is saying something else. I did not run into any checksum errors.

So we now are able to change the split of the radio by changing out an RF board and making the codeplug change by cut and paste. Serial #'s may also be changed in the codeplug via this method if we can figure out the map. I remember someone saying a while ago about Intel Long Unsigned?

The work we need to do do is in the actual CPS. We need to find out where those limits are. They are there or in a DLL somewhere.

Did you actually get the US version CDM 1550 LS to take the modified archive of the other lowersplit?

[kb9suy]

Not to sound dumb or anything but doesn'y someone have a friend who knows a friend that designed the radio that would know how to do it. Im sure someone at M knows we just need to hunt them down. just my 2 cents.

[wavetar]

Man, if it were that easy, I think it would've been done by now. I still think debugging it with SoftIce & tricking it into writing with invalid fields is the way to do it, especially since we can't even seem to find the bandsplit info. Actually, one could probably find what part of the software is accessed when marking a frequency invalid with a debugger as well. I might be picking up an older computer from a friend who's upgrading, and play around with it on that. I just don't want to mess up my computer right now, too much stuff on it, and SoftIce can crash it if you don't really know what you're doing (which I don't, but I'm learning!).

Todd

[MicorRT]

Chris you helped me navigate the codeplug Thank you! I have a CDM 1550 LS (not a plus model) and located the bandsplit info in offset 00000359 , 0000035A , and in 0000035B. By lowering any one of these or raising their value by 1 decimal value you can change the bandsplit range. It will display the range in the Radio Info screen. However it will give you a model mismatch when tring to program the altered codeplug back into the same radio. I notice that the hex values at those ofset locations change with every change made in the codeplug... they aren't set values but are "relative" if I take the hex value at offset 00000359 and drop its value by one it will put the radio right where I want it... How ever the software now looks at that codeplug as a diffrent model run then it actually is... I hope this helps someone I guess it is back to the drawing board.

Do you guys think that they are using channel numbers like SJI does? If so then 450.0000 could be channel 1 in this case there is no way to make a hex -1 or -2... that I know of.

[alex]

I have an interesting idea.

Recently there was a "patch" released to fix a couple of programming problems with CPS 6.02.03. These particular fixes had to do with models being able to be programmed, with according band splits.

These updates are free if you have a motorolaonline account, as they come up in the tech updates section. This isn't the software, but I guess they can release updates to whoever they want, so why not make it global...

I wonder if someone with some serious interest in hex editing, and a much better understanding (who also happens to have that version of the CPS from Motorola (prob. the limiting factor)) is willing to take a look at how the update performs it's task, since it directly edits what model numbers equate to what bandsplit.

I think the key as to what files to mess with are in that program.

Anyone???

-Alex

[Victor Xray]

I'm bringing to life an old thread. Any more progress being made here? Has anyone been able to successfuly change or extend the bandsplit of their HT/CDM?

How about the CPS for the new MTX series, such as the MTX8250. Has anyone been able to figure out how to program the control channels in the 866-870 range?

[wavetar]

How about the CPS for the new MTX series, such as the MTX8250. Has anyone been able to figure out how to program the control channels in the 866-870 range?

It's not hard. Just follow the instructions on Batlabs for searching bandsplit limits in Intel Unsigned long in the MTX8250 executable.

Example, 865987500 would come up as ACEB9D33...you may find approx 12 instances of this number. If so, change it to 870000000, which converts to 8025DB33 for all instances.

Whether the radio hardware can handle it, I don't know.

Todd

[Victor Xray]

Man Todd, this is awesome - it works! How come it took you over a year to reply?!


I still don't like the MTX8250 though



See, it's threads like these that never make it to Batlabs. Hopefully Bat is watching...

[wavetar]

Man Todd, this is awesome - it works! How come it took you over a year to reply?!
...

I don't experiment with radios a whole lot, can't seem to find the time. I assumed it couldn't be as easy as following the Batlabs info, since nobody ever posted as much. I just decided to try this today...it may get pulled even though it's based on current Batlabs info. I'll submit it to Bat & hopefully it'll make it's way to the main page.

Todd

[N9LLO]

The trunking CPS can also be modified to allow the MTX9250 to operate in
the 902-928 ham band. see

http://batboard.batlabs.com/viewtopic.p ... ht=mtx9250
Chris
N9LLO

[central150]

How about the CPS for the new MTX series, such as the MTX8250. Has anyone been able to figure out how to program the control channels in the 866-870 range?

It's not hard. Just follow the instructions on Batlabs for searching bandsplit limits in Intel Unsigned long in the MTX8250 executable.

Example, 865987500 would come up as ACEB9D33...you may find approx 12 instances of this number. If so, change it to 870000000, which converts to 8025DB33 for all instances.

Whether the radio hardware can handle it, I don't know.

Todd

Damnit Todd...you rock!! I tried it and it works too!!!

[central150]

Now if I could only get the MDC enabled on the conventional side... That would be the cats a$$.

-Tony

[tfr501]

I'd like to see priority scan enabled on conventional and trunking. To me, the scan feature is useless without a priority.

[central150]

I'd like to see priority scan enabled on conventional and trunking. To me, the scan feature is useless without a priority.

yeah, that too.

[thebigphish]

well, the cat's a$$-ness lies in the "7AN" model then.

as the MDC is there, or so it seems.

[central150]

Is that the MTX8250 LS version or just the MTX8250 plain jane?

[thebigphish]

well, the cat's a$$-ness lies in the "7AN" model then.

as the MDC is there, or so it seems.

eesh, replied to before i could clarify...sorry, i was back on the original topic there. my bad. i meant the HT/PRO series. That'll teach me to read the original post subject line!

[nmfire10]

You know, everytime I see a new post on this thread, I run here thinking "Maybe someone finally did it!!!"

[Victor Xray]

Evidentally, SOMEONE has figured out how to hack HT/PRO radios, they're just to chickensh-t to post their findings.

[wavetar]

Evidentally, SOMEONE has figured out how to hack HT/PRO radios, they're just to chickensh-t to post their findings.

Notice he only says they've converted a 403-470 to a 450-512 unit, NOT that they've figured out how to hack the bandsplit. They likely used the dual-ribless cable trick documented on Batlabs, or something very similar. It's not what we're looking for, really.

From what I've pieced together over the last couple of years, here's how it's done:

You need a program that can read the codeplug from the radio in it's 'raw' format...not encrypted like CPS. At least a couple of board members have written programs which can do this, apparently. Within the codeplug is the bandsplit info, but it's format is somewhat different than what we've seen before. They are in there in steps of *.**KHz from a 'base' frequency of ***.****MHz. The 'base' varies depending on the bandsplit, changing the base changes the frequencies allowed for programming. I have no idea what the magical values of * might be...but I figured this might help someone else out there.

[N3IVK]

HT1550 XLS 450-527 Ham Mod

Ok, here's the deal.

First off, thanks to Rich KC9FNM my co-worker for figuring this out...I am just posting what he found and I confirmed works.

Recently we bought some HT1550XLS's for the techs to use....all of them 450-527.....grrrrr !

Rich informed me he was able to get his to do ham, and actually have halfway decent performance.

First off you need the "programming battery"

Program in your ham channels into the radio. Program in the alpha tag, and everything else BUT DO NOT CHANGE THE DEFAULT FREQ. Also be sure to check the box for field programming. Again, leave the default freq at 52x.xxx MHZ !!!

Go into the radio configuration screen to the "EDIT" tab. Here's the magic...... follow carefully.

Lower the upper band limit from 527 to like 470 MHZ

THEN you can lower the LOWER limit from 450 to 442 or whatever.

The trick is to lower the window . So you want to go a few mhz down, then lower the upper split down. be sure to lower the UPPER limit first
Once you get a acceptable window, the INVALAD red colored freq will dissapper in the EDIT window.

Now....write the codeplug to the radio.....keeping in mind you have the default freq in you ham channels......this is ok....dont panic

Now that your radio is written, go into the front panel edit mode and enter in your ham freq's and PL's by hand. It will now accept the ham freq's.

I know it sounds odd, but it has worked with two HT1550's so far on the 450-527 split.

I havent went far enough to play with the RSS as far as reading then re-writing and stuff. i dont know if you have to re do the mod. But y'all are welcome to try and let us know.

Your mileage will vary.....film at 11....no warranty..."as is where is" and the usual legal disclaimers apply.

So yea, you can take a 450-527 HT and make it do ham....I got mine on the desk rigt now on ham, working just fine The rx sens is actually not too bad at all. As far as the CDM goes....can't help ya there

Again, credit goes to Rich KC9FNM for discovering this. I am just the author who cant spell too well

The only negative thing I have discovered with the HT1550's is the internal mic audio totally sucks compared to a speaker mic. I just sent mine into the depot (the vol control was flaky) and also noted that the internal mic was too "bassy".

It came back with a new vol control, a firmware update and some part they replaced that wasnt named. Still seems "bassy". Oh well.

73's and good luck, hope this helps someone....

Matt
N3IVK[/b]

[Chris]

Great News!

[Crimestopper]

Can you change regions as well, with the hex method.....

[mr.syntrx]

You can make the CPS do all regions easily enough anyway.

http://batboard.batlabs.com/viewtopic.php?t=27877

[lovemoto]

SOMEONE has figured out how to hack HT/PRO radios

Hi, guess I have to clarify. As what Todd has said, it is quite true that the "raw" form of the codeplug is quite different from the one CPS reads.

They likely used the dual-ribless cable trick documented on Batlabs, or something very similar

This is not what we did. We don't even know how to flash the radios. Just that we happened to be able to obtain the "raw" form of the data. We tried asking M indirectly and the information is classified as confidential.

We did not have time to analyse the "raw" data, but we think it is quite useless. The radios are different so the performance is way out, esp the harmonic filters.

[Jay]

I don't have a whole lot to add to the thread, but I decided I would try a rather random experiment today.

I took a HT750 low band 35-50 Mhz portable, and wrote two codeplugs to disk. Each had one channel, and the first 49.000 Mhz and the second 50.000 MHz.

My thought was to compare the two, note differences, establish a pattern and try to make hex changes to increase it to 51 MHz. No such luck, there is a ton of locations that are different. The codeplug with the 50.000 Mhz programmed in it was also 7 bytes longer than the other one.

Anyway, back to the hex editor...

Jay