Programmer Protocol
The implementation of this protocol, along with the Arduino code and the ongoing firmware, can be cloned from GitHub.
https://github.com/lelazary/UV3RMod
Here is the protocol used to get into the chip and program it. 9V is applied to the reset pin (VPP) to enter programming mode.
The protocol is sent over SPI, LSB first. After almost every byte, the chip will pulse the data line to indicate an ACK.
Get Chip ID: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
Program fuse bits:
Get Chip ID : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Mode : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for response should be 0x01
30ms delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55
Erase Chip:
Get Chip ID : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Erase : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x03 0x01 wait 1ms for response should be 0x55
2 sec delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55
Read Data:
Get Chip ID : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Read range: 0x55 0xAA 0x5A 0xA5 0x05 0x00 0x00 0x04 0xC0 0x00 0xC0 0xFF 0x00 <wait for data to go high> read 255 bytes
30ms delay
Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
Program Data:
Get Chip ID : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Memory Mode : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
30ms delay
Set program range and data : 0x55 0xAA 0x5A 0xA5 0x80 0xC0 0x00 0x00 <128 bytes> wait 1ms for 0x55
Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
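As an added example (not code from the UV3RMod repository), the following C sketch encodes the Erase Chip sequence above as a table and refuses to send the erase command unless the Get Chip ID reply is 0x82. The names `run_sequence`, `xfer_fn` and the mock chip are hypothetical; a real transport would send the 55 AA 5A A5 preamble plus each body LSB first and return the reply byte.

```c
#include <stddef.h>
#include <stdint.h>

/* One step from the page: the bytes sent after the 55 AA 5A A5 preamble,
   the reply the page says to expect, and the delay that follows the step. */
struct step { const char *name; uint8_t body[6]; size_t len; uint8_t expect; unsigned delay_ms; };

/* "Erase Chip" as listed on the page. */
static const struct step ERASE_CHIP[] = {
    {"Get Chip ID",   {0x01, 0x00, 0x00, 0x05, 0x00},       5, 0x82, 30},
    {"Erase",         {0x01, 0x00, 0x00, 0x03, 0x01},       5, 0x55, 2000},
    {"Set 20FF to 0", {0x02, 0x00, 0x00, 0x03, 0x05, 0x00}, 6, 0x55, 0},
};

/* Hypothetical transport hooks: xfer sends preamble + body and returns the
   reply byte read after the 1 ms wait; wait sleeps for the given time. */
typedef uint8_t (*xfer_fn)(const uint8_t *body, size_t len, void *ctx);
typedef void (*delay_fn)(unsigned ms);

/* Run the steps in order. Returns -1 on success, or the index of the first
   step whose reply did not match; no later step is sent after a mismatch. */
int run_sequence(const struct step *s, size_t n, xfer_fn xfer, delay_fn wait, void *ctx)
{
    for (size_t i = 0; i < n; i++) {
        if (xfer(s[i].body, s[i].len, ctx) != s[i].expect) return (int)i;
        if (s[i].delay_ms && wait) wait(s[i].delay_ms);
    }
    return -1;
}

/* Constructed mock chip for offline testing (not real hardware behaviour):
   replies to Get Chip ID with chip_id, counts erase commands, else 0x55. */
struct mock { uint8_t chip_id; int erases; };

uint8_t mock_xfer(const uint8_t *body, size_t len, void *ctx)
{
    struct mock *m = ctx;
    if (len == 5 && body[3] == 0x05 && body[4] == 0x00) return m->chip_id;
    if (len == 5 && body[3] == 0x03 && body[4] == 0x01) m->erases++;
    return 0x55;
}

/* Run the erase sequence against the mock; reports how many erases it saw. */
int erase_with_mock(uint8_t chip_id, int *erases)
{
    struct mock m = { chip_id, 0 };
    int r = run_sequence(ERASE_CHIP, 3, mock_xfer, NULL, &m);
    *erases = m.erases;
    return r;
}
```

With a mock that answers 0x82 the whole sequence runs; with any other ID the run stops at step 0 and the erase command never reaches the chip.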