Saturday, November 12, 2011

New theme, TM-241, etc

I'm trying out a new theme to go with the changes behind the scenes at Blogger. It's a little less plain than my old one but I'm not sure if the navigation is going to be a pain, especially for people with older computers. If anyone experiences that, leave me a message on this post?

I haven't forgotten about my work on reverse engineering the remote control protocol for the Kenwood TM-241a radio. I've been very busy with school work lately. I'm in my final month of my Associate's degree at IvyTech for Computer Information Technology. I am on track to keep my 4.0 GPA too, which is great. It's caused me no end of stress right now though. I'm on a program that lets people who had their jobs displaced to other countries go back to school for a 2-year degree. Many of us did so with the idea that the economy was going to be in much better shape by now. At least, I did. I've been applying for positions since June and haven't had much luck even getting interviews. Once my education program ends, so does my unemployment. Shortly after that... we're going to be in trouble. Of course, one of the places I have applications at right now may come through and save us at the last second. Not that I can count on that though.

I'm thinking about trying some ads on here to see if I can get a little ad money.

If anyone knows anyone hiring within 30-60 minutes of Richmond, IN... please, let me know. I'll have an Associate's degree and I also already have my A+ certification. I'll be taking the Network+ soon and should get that easily.

Speaking of the Kenwood TM-241a work... I haven't managed to finish the basic application to fuzz out the numbers. It seems doing serial comms under .NET is a little hairy. Also, the Bus Pirate's binary mode is easy to get into but a little hard to use so far. I'm a little inexperienced in it, so it might just be that I'm not understanding it right. From what little by-hand fuzzing I've done using a terminal mode on the Bus Pirate... I feel like my original theory is wrong. I was hoping it would be a simple 3-byte command: an address and two bytes for the command. The protocol that sends the display information out seems to carry 1 nibble of data along with 1 nibble of check information in each byte. So for example, 0x00 0x04 0x04 0x04 0x08 might be a valid packet, with one nibble of each byte holding data and the other nibble being a check digit of some kind. The nibbles might be BCD numbers or bit-level information for single LCD elements. My theory for the control scheme was 1 byte for address and 2 bytes for data. With one data nibble per byte, 2 bytes give 2 data nibbles, or one whole byte of data, which would allow 256 possible button or command codes.
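One way to test the "one data nibble plus one check nibble" theory against captured display-bus bytes, as an added example that is not code from the post. The nibble order and the candidate check functions are assumptions to be scored, not the radio's known scheme, and the sample packet is the one guessed at above.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the bytes the post suggests might be one valid display packet.
SAMPLE_PACKET = bytes([0x00, 0x04, 0x04, 0x04, 0x08])

# Candidate check functions: each maps a 4-bit data nibble to the check nibble
# it would predict. These are hypotheses to score, not a documented scheme.
CANDIDATE_CHECKS: Dict[str, Callable[[int], int]] = {
    "copy": lambda d: d,                        # check repeats the data
    "invert": lambda d: (~d) & 0xF,             # check is the one's complement
    "parity": lambda d: bin(d).count("1") & 1,  # check carries an even-parity bit
    "zero": lambda d: 0,                        # "check" nibble is just unused padding
}


def split_nibbles(packet: bytes, data_high: bool) -> List[Tuple[int, int]]:
    """Split each byte into (data, check) nibbles in the requested order."""
    pairs = []
    for b in packet:
        hi, lo = (b >> 4) & 0xF, b & 0xF
        pairs.append((hi, lo) if data_high else (lo, hi))
    return pairs


def score_hypotheses(packet: bytes) -> Dict[str, int]:
    """For each (nibble order, check function) pair, count bytes that fit it."""
    scores: Dict[str, int] = {}
    for data_high in (True, False):
        order = "data_high" if data_high else "data_low"
        pairs = split_nibbles(packet, data_high)
        for name, fn in CANDIDATE_CHECKS.items():
            scores[f"{order}/{name}"] = sum(1 for d, c in pairs if fn(d) == c)
    return scores


def decode_bcd(packet: bytes, data_high: bool) -> List[Optional[int]]:
    """Read the data nibbles as BCD digits; None marks a nibble above 9."""
    return [d if d <= 9 else None for d, _ in split_nibbles(packet, data_high)]


if __name__ == "__main__":
    ranked = sorted(score_hypotheses(SAMPLE_PACKET).items(), key=lambda kv: -kv[1])
    for key, hits in ranked:
        print(f"{key:18s} {hits}/{len(SAMPLE_PACKET)} bytes consistent")
    print("BCD digits (data in low nibble):", decode_bcd(SAMPLE_PACKET, data_high=False))
```

On this single packet the "high nibble is unused padding" hypothesis fits every byte, so one capture cannot distinguish a real check digit from a constant; the scoring only becomes meaningful once many distinct packets are fed in.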

Now, in previous experiments I have managed to affect something while sending data. Once I managed to have the radio skip around in the memory channels by significant steps. Another time, before I figured out the exact communication settings, I managed to overwrite the memory channels with bogus data. That's probably the greatest clue that what I may be dealing with is direct control over the internal memory of the radio. If so, my job is significantly harder. I need to figure out how to address specific areas of memory and what the contents mean, all while not being able to read it directly.

Or can I? Looking at the service manual, there's no information on what the main CPU is, and it looks like there is no external memory. If I could figure out what the CPU is, I could at least figure out my constraints. Working further on fuzzing the interface, I may be able to figure out the correct way to issue address commands and data. The main questions are: How many bytes do I need for an address? Do they require check digits like those used to talk to the LCD? How many bytes do I send after the address? Check digits there too? What are the constraints on the memory area I can address? With that, I can start poking values into memory to see what happens. I know there's a soft power-off feature, so you can turn the radio off from the remote control interface. There's also got to be a method to key the transmitter, because the PTT line is the one used for the communications.

There's apparently an internal BASIC scripting language in the newer Bus Pirate firmwares. I may need to look into upgrading mine. If it doesn't work, I have a cheap ICSP-capable programmer here that I can maybe revert it with.
