Lior Elazary KK6BWA

...because this life is yours. Some of it was given to you, the rest you make yourself.


Hacking the UV3R


Introduction




While I was searching around for information for the UV5R hacking I have previously done, I came across some schematics for the UV3R. At first glance it looked like the CPU could be flashed. In fact, in the schematics it looked like they even left the programming pads on the PCB. The UV3R is very similar to the UV5R, except for its lower power and lack of a good LCD and a keypad. Other than that, the two radios have the same RDA1846 chip that is controlled by a CPU.

If you want to perform this hack yourself and do not want to read on, you can skip to the DIY Instructions page.

The CPU used on the UV3R is the MC81F8616, which is capable of being re-flashed many times. Better still, the manufacturer of the chip, Abov, has all the documentation, the compilers and the programmers for this chip.

Chip Documentation (MC81F8616):
http://www.abov.co.kr/eng/product/info/view.php?dev=mc81f8816
C Compiler: http://www.abov.co.kr/eng/tool/hms800_cc.php

This got me very encouraged, since it would be much simpler to hack this radio than removing the CPU on the UV5R, which I attempted before. I quickly ordered one from Amazon, took it apart as soon as it arrived and traced the programming pads (I did not even use it, I just turned it on to make sure it's not DOA).



After looking at the datasheets and their USB programmer program, I was able to trace the protocol and reflash the chip using an Arduino. As expected, they had the security bit set, so I could not read the original firmware. However, I was able to erase the chip and upload new code. Fortunately, it was not too difficult to figure out how everything functions, thanks to the schematics and my previous experience hacking the UV5R. My biggest problem was getting the LCD to function properly, since it was a bit mislabeled in the schematics.

As a proof of concept, I had the radio tune to 145.525MHz and listen for a signal. When a strong signal is received, it plays back 3 DTMF tones, as can be seen in the video above.

 


Here is a video of the first version of my firmware. It is a work in progress and still needs more work.
 



Anyone is welcome to help and you can start by checking out the code from here:

https://github.com/lelazary/UV3RMod

I also started a thread on the UV3R Yahoo group for anyone wanting to pitch in ideas for the firmware (given the limitations of the RDA1846 chip and 16K of memory). I am not going to promise to implement everything, but if it's not too difficult, I will try to. However, since this is going to be open source firmware, you could always try to change it yourself (I will always be willing to help).

Here is my list (if the feature makes it to the repository at
https://github.com/lelazary/UV3RMod/blob/master/WISHLIST
then it would probably be implemented):


Mode 1) Quick interface to program rx freq, tx freq, power and PL code very quickly for repeaters. No offset, you just start with the rx freq and shift it by whichever amount you want. This will allow you to turn off the tx, or operate satellites.
At any point during this mode, you can hold the mem channel and it will ask you which number you want to save this to.

Mode 2) Memory mode will allow you to go through your saved memory. At any point you can press menu and change more details about the channel. The details will include power with granular level, DTMF TX/RX, and other functions TBD. This mode will show the channel name and the freq underneath it.

Mode 4) Satellite Mode: Auto tuning of the frequency with response to the Doppler shift.

Mode 5) Digital mode. Hopefully I could add some text-based digital data for rx and tx. You might need to tx the text using Morse code since there is no alphanumeric keypad on the radio. The digital mode will also include a store and repeat message forwarding.

Mode 6) Computer mode: All the functions of the radio including the RDA1846 registers, TX, and RX will be controlled through the serial port on the radio.

Mode 7) Fox/Hunt mode. Can be used to transmit a signal intermittently (like call sign Morse code). Or send the RSSI signal into the audio, and with a directional antenna you can go hunting.

Mode 8) Advanced mode: Any RDA1846 register can be set manually and saved for use during startup.

Mode 9) If the digital mode works, then RF programming of the radio. This will allow anyone to send you repeater information from their memory locations. It will work by selecting a memory channel to rx, and pressing a button. Then on another radio you can send the programming info.








Last Updated on Friday, 03 January 2014 16:10