Lior Elazary KK6BWA

...because this life is yours. Some of it was given to you, the rest you make yourself.

  • Increase font size
  • Default font size
  • Decrease font size
Home Ham Baofeng Radios Hacking the Baofeng UV5R - Interfacing with the RDA1846

Hacking the Baofeng UV5R - Interfacing with the RDA1846

E-mail Print PDF
Article Index
Hacking the Baofeng UV5R
Opening The Radio
Hacking the Radio
Interfacing with the voice chip
interfacing with the RDA5802
Interfacing with the RDA1846
Removing the MCU
Transmiting
All Pages

Interfacing with the RDA1846

I was able to captured some data for how the radio is setup when its first powers up. Here is the sequence that the radio is sending the RDA1846 at power on.

The first bit is for read/!write then address and lastly data

0 0110000(0x30)  0000000000000001      soft_reset
0 0110000(0x30)  0000000000000100   pdn_reg same as pdn   
0 0000100(0x04)  0000111111010000   clk_mode 24~28MHZ   
0 0001011(0x0B)  0001101000010000   Not in Manual
0 0101011(0x2B)  0011001011001000   xtal_freq (13000/1000)*2=26MHz
0 0101100(0x2C)  0001100101100100   Adc clk freq: (6500/1000)*4=26MHz
0 0110001(0x31)  0011111111000000   Not in Manual
0 0110010(0x32)  0110001001111110   Not in Manual
0 0110011(0x33)  0000101011110010   Not in Manual
0 1000111(0x47)  0011101111101100   Not in Manual
0 1001111(0x4F)  0001000001000000   Not in Manual
0 1001110(0x4E)  0010100100111010   Not in Manual
0 1010110(0x56)  0000011001010010   Not in Manual
0 1101110(0x6E) 0000011000101101   Not in Manual
0 1110000(0x70) 0001100000011011   Not in Manual
0 1110001(0x71) 0110110000011110   Not in Manual
0 1111111(0xFF) 0000000000000001   Not in Manual
0 0000101(0x05) 0000000000011111   Not in Manual
0 1111111(0xFF) 0000000000000000   Not in Manual
0 0111100(0x3C) 0000101001111000   Tx voice signal from MIC
0 0111101(0x3D) 0010000000001011   Not in Manual
0 0011111(0x1F) 0001000000000001   gpio6 sq out, gpio0 css out/in/cmp
0 0001010(0x0A) 0000001101000000   1.01V pabias voltage
0 0000010(0x02) 0000011010011000   Not in Manual
0 1010100(0x54) 0001110101000000   gpio6 is sq only


0 0101001 (0x29) 0000000000111000  Freq high value
0 0101010 (0x2A) 0111101111000100  Freq low value
1110000111101111000100 = 3701700 Dec
3701700/(8*1000) = 462.7125MHz
The radio was tuned to FRS ch 7
0 0001111 (0x0F) 0011110100100100  Band Select 400-520MHz


Finally I managed to interface with the RDA1846 over i2c (I changed the protocol from spi to i2c, since its simpler to interface with the arduino, and for the fact that I ripped up the PDN pad).  For a while I was able to interface with the RDA1846, but I was only receiving static when the sq was open. It took me a while, but then I remembered that they are switching the RX signal on an off to save on battery, and since I have uv5r mcu disabled, it did not turn on the RX circuit. I tied pin PC1 (RX POW) to 3.3v and everything seemed to work. I tested the radio by tuning it to a FRS channel 7 and using one of my FRS radio, I sent DTMF codes. I know this is not completely legit, but I think I am not technically doing anything wrong (the FRS radio I bought at radio shack does not need a license, and I am only using the UV5r as a receiver. Please let me know if I am correct about this).

I also wrote an arduino code to configure registers via the serial terminal. It looks like the UV5R mcu monitors the sq pin and when it is on, it sends a RX on to the RDA1846. So for now I was basically just turning on the RX and turning it off. Here is a video of the radio receiving the DTMF tones on the FRS radio service.

 


Here is the configuration sequence I was using for the chip (the format is register value, register value, ....)
0x30 0x0004, 0x04 0x0FD0, 0x0B 0x1A10, 0x2B 0x32C8, 0x2C 0x1964, 0x31 0x3FC0, 0x32 0x627E, 0x33 0x0AF2, 0x47 0x3BEC, 0x4F 0x1040, 0x4E 0x293A, 0x56 0x0652, 0x6E 0x062D, 0x70 0x181B, 0x71 0x6C1E, 0xFF 0x0001, 0x05 0x001F, 0xFF 0x0000, 0x3C 0x0A78, 0x3D 0x200B, 0x1F 0x1001, 0x0A 0x0340, 0x02 0x0698, 0x54 0x1D40, 0x29 0x0038, 0x2A 0x7BC4, 0x0F 0x3D24

To turn on the TX
0x30 0x3826
To turn off the TX
0x30 0x3806

Here is the arduino code

#include <Wire.h>
#define ADDRESS B1110001
void setup() {
 Wire.begin();
 Serial.begin(9600);
}
byte getVal(char c)
{
 if(c >= '0' && c <= '9')
 return (byte)(c - '0');
 else
 return (byte)(c-'A'+10);
}
void loop()
{
 if (Serial.available() > 0)
 {
 unsigned char d = Serial.read();
 if (d == 'S')
 {
 int i=0;
 char data[8];
 while(i < 8)
 if (Serial.available() > 0)
 data[i++] = Serial.read();
 unsigned char address = getVal(data[1]) + (getVal(data[0]) << 4);
 unsigned char dataU = getVal(data[4]) + (getVal(data[3]) << 4);
 unsigned char dataL = getVal(data[7]) + (getVal(data[6]) << 4);
 Serial.println(address, HEX);
 Serial.println(dataU, HEX);
 Serial.println(dataL, HEX);
 Serial.println();
 Wire.beginTransmission(ADDRESS);
 Wire.write(address);
 Wire.write(dataU);
 Wire.write(dataL);
 Wire.endTransmission(1);
 }
 }
}





To set the TX/RX circuitry, here is what is needed: I did not actually TX anything, just measured the voltage on the TX power circuit.
There are 3 pins that need to be controlled: PC1 for RX power (3.3 to RX), P66
for TX power (0 to TX), and P56 for UHF/VHF mode (0 for UHF and 3.3 for VHF).


Here is a video of the radio receiving the NOAA channel
 


There is a bit of static, but that is what I get with a new radio as well. I can
also set it to the police dispatch on UHF and it works as well.

 



Last Updated on Friday, 08 March 2013 20:01