Lior Elazary KK6BWA

...because this life is yours. Some of it was given to you, the rest you make yourself.

  • Increase font size
  • Default font size
  • Decrease font size
Home Ham Baofeng Radios Hacking the Baofeng UV5R - Hacking the Radio

Hacking the Baofeng UV5R - Hacking the Radio

E-mail Print PDF
Article Index
Hacking the Baofeng UV5R
Opening The Radio
Hacking the Radio
Interfacing with the voice chip
interfacing with the RDA5802
Interfacing with the RDA1846
Removing the MCU
Transmiting
All Pages

Hacking the radio

Before trying to change anything I posted on the baofeng_uv5r yahoo groups to see what I would need to insure that I will not radiate any RF energy. I found out that I could not just remove the antenna, and would need to place a dummy load. Per James Hall suggestion I ordered a dummy load from here qrpkits.

As soon as I got the radio, I signed up to take the license test. Unfortunately, the next one is on Jan 20. I can not wait to get licensed, so I can finally transmit and test this on the HAM frequencies. I also have not done anything with TX on this radio yet, which I am so attempted to try to see if that works.So for now I am just going to try to RX until I get my license.

Looking at the schematics, there are two main ICs on the radio. The first one is RDA1846 which does all the radio communications, and the other is an EM78P568 microcontroller which controls the RDA1846, LCD, keypad, etc.

I first tried to solder some wires directly onto the RDA1846 TX/RX pins and monitor them to see what the radio sends the chip.


First, I was hoping that the microcontroller will not communicate with the RDA1846 under various conditions (like switching to the  RDA5802 FM radio) so I can also send commands to it. However, I monitored the SCLK and SDIO and it looks like its under constant communication. Since P93 and P92 are shared with the LCD (DB6, and DB7) as well as the keypad, the uv5r MCU is constantly setting/reading these pins. So their code probably has a loop setting the LCD, reading the keypad, and then transmitting serial commands to the RDA1846.


To resolved this I lifted P93 and P92 legs from the MCU (SCLK and SDIO) and solder two wires to it. I also soldered another line to P77 which is the SEN line. From the schematics, it looks like the MODE pin is tied to V+, which means it's communicating via SPI instead of I2C and the SEN line is used for ~EN.
I hooked up an arduino to the pins and tried to communicate over SPI, with no success. However, I should have not rushed into things, and noticed that the chip is 3.3V and not 5V (I was looking in their programming manual the whole time, and should have read the datasheet first).



Another small setback happened when I tried to remove the SEN pin, and the pcb trace lifted right up. So much for communicating with SPI, but luckily the chip can communicate over I2C, so  I placed some solder on the RDA1946 chip to place it into I2C mode and remove the V+ tied to the MODE pin.


RDA1846 view



I also traced all the pins out of the cpu to insure that I know what each pin is doing. Here are the pins description:

Pin 1: PB5   keypad COL 1
Pin 2: PB6   keypad COL 2
Pin 3: PB7   keypad COL 3
Pin 4: P90   LCD DB4/keypad ROW 1/eeprom SDA
Pin 5: P91   LCD DB5/keypad ROW 2/
Pin 6: P92   LCD DB6/keypad ROW 3/RDA1846 SDIO
Pin 7: P93   LCD DB7/keypad ROW 4/RDA1846 SCLK
Pin 8: P94   RDA5802 DATA/keypad ROW 5
Pin 9: P95   LCD RS
Pin 10: P96   LCD CE
Pin 11: P97   Red LED on LCD

Pin 12: P57   The LED Flashlight
Pin 13: P56   VHF/UHF 1 UHF/ 0VHF
Pin 14: P55   Green LED on LCD
Pin 15: Analong VDD
Pin 16: No Connection
Pin 17: No Connection
Pin 18: No Connection
Pin 19: No Connection
Pin 20: TONE
Pin 21: PLCC
Pin 22: GND

Pin 23: P67  TX Power lever: 1.5V for LOW 1W and 2.67V for HIGH 4W
Pin 24: P66  TX power switch (low to activate TX)
Pin 25: P65  AURX Turn Speaker AMP on
Pin 26: P64  Low BAT input
Pin 27: P63  VOX from radio
Pin 28: P62  GPIO6 SQ on RDA1846
Pin 29: OSCI
Pin 30: OSCO
Pin 31: VSS
Pin 32: RESET
Pin 33: VDD

Pin 34: P77  SEN from RDA1846
Pin 35: P76  SDA for VOICE U5
Pin 36: P75  RX LED  (square light on the radio)
Pin 37: P74  SCK for EEPROM U10
Pin 38: P73  SCL for VOICE U5
Pin 39: P72  TXD Serial input for programmer/ TX LED (square light on the radio)
Pin 41: P70  GPIO0 on RDA1846
Pin 40: P71  RDX serial input for programmer/ PPT on
Pin 42: PC0  CLK on RDA5802 U1
Pin 43: PC1  RX Power (PWM for save mode)
Pin 44: PC2  Keypad Col 4


I used the MSO19 to capture the data and see what the radio was doing. The nice thing about the MSO19, is that it has a pattern generator, so I was able to replay the commands back to the radio.



Last Updated on Friday, 08 March 2013 20:01