Lior Elazary KK6BWA

...because this life is yours. Some of it was given to you, the rest you make yourself.

  • Increase font size
  • Default font size
  • Decrease font size
Home

Hacking the UV3R - Programmer Protocol

E-mail Print PDF
Article Index
Hacking the UV3R
Programmer Protocol
DIY instructions for performing this hack
All Pages

Programmer Protocol

The implementation of this protocol along with the arduino code and the ongoing firmware can be cloned from github.


https://github.com/lelazary/UV3RMod


Here is the protocol used to get into the chip and program it: A 9V is set on the reset pin (VPP) to enter programing mode.
Protocol sending over SPI LSB first. After almost every byte, the chip will pulse the data line to indicate ACK.

Get Chip ID: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82

Program fuse bits

Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Mode      : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for response should be 0x01
30ms delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55


Erase Chip   :
Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Erase         : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x03 0x01 wait 1ms for response should be 0x55
2 sec delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55

Read Data:
Get Chip ID    : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay30ms delay
Set Read range: 0x55 0xAA 0x5A 0xA5 0x05 0x00 0x00 0x04 0xC0 0x00 0xC0 0xFF 0x00 <wait for data to go high> read 255 bytes
30ms delay
Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00


Program Data:
Get Chip ID                 : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Memory Mode             : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
30ms delay
Set program range and data  : 0x55 0xAA 0x5A 0xA5 0x80 0xC0 0x00 0x00 <128 bytes> wait 1ms for 0x55


Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00



Last Updated on Friday, 03 January 2014 16:10