Sunday, September 2, 2012

TM-241a Remote Control commands

I made a pretty nifty discovery the other night. While I had zero luck trying to talk to my TM-241a with only my Bus Pirate... It can talk to it when I am piggybacking on the RC-10 I bought. There's one other variable here that I don't know if it changed anything or not... I updated the flash on the Bus Pirate since I was working on scanning for codes earlier in the year. I'm not entirely sure if the original firmware was running a serial clock on data out or not. That is absolutely essential for the radio to pay any attention to what you are saying.

Bus Pirate runs at 3.3v but can tolerate 5v logic, measurements seem to suggest to me that the radio uses 5v logic but then again, the measurements I've made were with the Bus Pirate and not a DMM.

Looks like the RC-10 brings RD (pin 6) to logic 1 (low) for about 250ms when the radio first turns on. I'm thinking that must be how it is telling the radio it is there. What I don't know is how the clock works. It doesn't run all the time, only when data is being sent or received. Also, when you adjust a control on the radio itself, it sends the data out on it's own. I'm thinking that the clock is run by whichever device has data to send. It also looks like the RC-10 sends 0xFF for each byte that the radio sends out. Maybe an acknowledgement signal of some sort?

Still working on the list of commands. Found a fair few sniffing the TX from the RC-10, but found even more after I separated those into groups and then sent the missing values from the groups. Seems like only 6 bits matter out of the bytes. There are two commands, VOL UP and VOL DWN, which use 2 bytes. 0x3C B0/0xBC 0xB0. I still haven't mastered these because they seem to continue to affect the volume after I send them. It either maxes out, or drops to 0. Only if the radio is told to use the remote unit's volume control instead of it's own. If it is, it's own volume control no longer does anything until a command is sent to re-enable it.

My progress is a bit hindered by the fact that my unit has the infamous LCD problem. It's full of garbled junk, and most of the time the elements are all faded out. Completely useless, but sometimes it works. Sometimes I can apply pressure and it works. I need to open it up and reseat the cable but I just haven't done it yet.

Ordered some parts on Ebay to make a sort of breakout box. Got some header pins, a jack that can accept a mic plug, and some other things like jumpers. I already have some perfboard with traces on it. I'll make it so I can plug my Bus Pirate into that and quickly disconnect the RC-10 to test things without it helping me. One of my major goals with this project is to make something standalone that can be used without a RC-10/RC-20 unit helping. It'll probably be a month before all of the stuff arrives though.

There are a couple of things I'd like to discover. I've found some things out already, and have a lot of buttons mapped but I can't completely replace direct control with an RC unit just yet. Some functions haven't been discovered yet. One other thing bugs me... When I first started working on this and didn't know what the protocol was I tried several other things with my Bus Pirate, one of which was I2C. Using the scan mode, I was hoping to discover if it was I2C and if so, what address. Somehow I accidentally overwrote the first couple memories in the radio with completely junk data. I may have blogged about that once actually, it's stuff that is impossible to enter in even with a keypad. I'm thinking there must be some mode to directly communicate and control the memory contents. I'd love to figure out how.

Wednesday, August 29, 2012

MSP430 Morse Code

 Just a small project I worked on this past weekend 8/24-8/25. I have several of these cheap MSP430 Launchpad dev kits from TI. What a deal they are too, $4.30 each. I intended on configuring it to further my Kenwood TM241a project, but got sidetracked and made a program to send my callsign in Morse Code. I ended up using Energia, which is a port of the Arduino IDE but this one makes MSP430 programs. It seems most of the same commands are supported, but not all.

I really need to get setup to program in C or even try my hand at ASM. I tried ASM on the PIC microcontrollers a couple of years ago but gave up on it fairly quick. Maybe I'd do better now? I'm not sure the Wiring language would produce code fast enough to bit bang 1200 baud serial with a clock.

Code for my project is below. It would be fairly easy to modify this to make a beacon, or foxhunting cpu, or even an ID for a repeater or standalone rig. If you do something with it, I'd appreciate a link back to my radio blog, and maybe drop me a line to let me know. I'd probably write an entry about it and link to your site.

It's not technically hard to add other characters and I think it's fairly self-explanatory. I'm not 100% happy with using the IF statements to cycle through the letters. I'd be happier with an array and a For loop with an index number but this works. I tried to set up a constant type like an UIntTable to store the characters, but I only received error messages when I tried to use that. It may not be fully supported in Energia yet, or probably I didn't fully understand it.

I know I'm not the first person to do this by a long shot, but it was a fun challenge and it did help me familiarize myself somewhat in Energia, maybe next time I'll rewrite this in C? I see there are videos of others who have written Morse Code projects for the MSP430 on Youtube with a little more pizzazz than mine, such as audio out and a serial terminal for input.
James Hall - N9XLC
Small program to push out my callsign via the red LED on a MSP430 board.
Developed 8/24/2012-8/25/2012

Started off modifying, then totally replacing the code in the 'Blink' example project.
This could probably be wrapped up in a function to send out arbitrary sentences.
Only enough morse code is implemented to get my callsign out, but it would be trivial to add the rest.
Could be used to blink out current temp or maybe short status info in morse code in other projects.
 #define output 2 // pin 2 has the red led on a msp430 board, pin 14 is the green led.
unsigned int mask = 1;
int dot = 1;
int dash = 3; //dash is equal to 3 dots
int lspace = 1; //spacing in same letter is 1 dot
int llspace = 3; //spacing between two letters in same word is 3 dots
int wspace = 7; //spacing between two words is 7 dots.

int didot = 2;
int didash = 3;
int spacems = 100; //100ms is a little slower than 20wpm (60ms) so maybe 13-15wpm?
// 10 dot, 11 dash, 00 end
// unsigned int is 16 bits
unsigned int cwN = 11; //0000 0000 0000 1011 <-read right-to-left
unsigned int cw9 = 767; //0000 0010 1111 1111
unsigned int cwX = 235; //0000 0000 1110 1011
unsigned int cwL = 174; //0000 0000 1010 1110
unsigned int cwC = 187; //0000 0000 1011 1011
byte testbyte;
void setup() {                
  // initialize the digital pin as an output.
  // Pin 14 has an LED connected on most Arduino boards:
  pinMode(output, OUTPUT);     
  pinMode(14, OUTPUT);
 // pinMode(5, INPUT);

void loop() {
  digitalWrite(14, LOW);
  digitalWrite(output, LOW);
  unsigned int cwout;
  unsigned int mask = 3;
  int callsign = 1;
while(callsign) {
 if (callsign == 1) {cwout = cwN;}
 if (callsign == 2) {cwout = cw9;}
 if (callsign == 3) {cwout = cwX;}
 if (callsign == 4) {cwout = cwL;}
 if (callsign == 5) {cwout = cwC; callsign = 0;}

    while (cwout) {
     testbyte = cwout & mask;
       if (testbyte == 2 ) {
          digitalWrite(output, HIGH);
          delay(dot * spacems);
          digitalWrite(output, LOW);
           if (testbyte == 3 ) {
            digitalWrite(output, HIGH);
            delay(dash * spacems);
            digitalWrite(output, LOW);
       delay(spacems * dot); //inner letter spacing 
     cwout >>= 2; 
 delay (spacems * dash); //outer letter spacing


delay (spacems * wspace); //word spacing

Thursday, August 23, 2012

Modding old radios

I'm kind of curious if there's any activity around modifying older radios. I have a couple of HTX-202's that I'm eyeing for some work one day. My favorite one is actually the first Ham Radio I ever owned, it was new in box from Radio Shack circa 1993/1994. Probably 1994, but I'm not sure how long I had it before I officially had my ticket. The other one is a Hamvention special some guy in the flea market was apparently desperate to get rid of.

My original is exhibiting the ER-1 code, for a dead/dying memory backup battery. The Hamvention one has some weird squelch problem where it won't always open squelch when it receives a signal. It also had ER-2 when I first turned it on, but that was easily cleared. It also is in seriously bad need of being disassembled so I can spit and polish the case some. This Hamvention 202 was really beat up in it's former life.

According to the service manual, these radios are split up into two main PCBs, an RF board and a CPU board. I wonder if I can figure out how to control the RF board with a homebrew CPU board. Then flash, or some other non-volatile memory could be used to store the programming. Other features could be added as well. DCS maybe?

I remember finding a page about EF Johnson radios for 900mhz where someone made an external control system for one that made it frequency agile. Of course, now that I want to link to it, it's nowhere to be found.

Here are a couple of relevant links but talking about FRS radios:

Thursday, August 2, 2012

TP-Link TL-WR703N

I know this isn't strictly Ham Radio but it could be useful for HSMM.

These units are around $24 on ebay, shipped from China.

Found this on Hackaday not too long ago. Basically this device is meant to be a little 3g travel router. You can plug in a 3g USB adapter and share that Internet connection to multiple devices over wifi. It also supports ethernet. Of course, the unit I bought had a Chinese GUI so that might have been a bit hard.

Fortunately, OpenWRT has been ported to this. Here are the instructions to install it:

You are looking for squashfs-factory.bin. I wish I could remember where I read how to flash this with the Chinese GUI. Here's where you need to go. Login to the GUI at with admin/admin as username and password. Then on the left-hand side, scroll to the bottom and pick the last link. Then when the sub-menu appears, pick the 3rd link down. There's a long textbox area with a button next to it, if you click that button then you can pick the image you want to flash it with. Then click the other button on the screen to start the flash. It will take several minutes. Once it is done you won't get a webpage back. Plug into the unit with an ethernet cable and then telnet to the default IP address of and set a password for root. Once you do that it automatically disables telnet and enables ssh. You can still use telnet until you log out though.

Here are some links that I'm reading about this so far:

You can install a web interface again, I haven't made mine work since I got it installed yet. I will be making another blog post on this. It defaults to Access Point mode when it first comes back up. I set mine up to run in client mode connected to my existing Wifi in order to give it access to the Internet so I could download packages on it.

There are people tapping into the GPIO (general purpose input/output) lines built into this device. So for $24 you can get a 400mhz linux computer, with Ethernet, Wifi and USB ports and several GPIO that is about the size of a new package of Post-It notes. It also uses only about 100ma as well. Beyond HSMM, this could also be handy for use in remotely controlling radios, maybe with a usb sound card you could even do something like echolink on it.

I hope to read about what others are doing with it. My focus is more on using it to setup home automation sort of things. I'm waiting on some solid-state relays and I plan on using one to control the lights in my garage, as well as giving me a real-time readout of the garage door's status.

Tuesday, May 29, 2012

Alinco DX-SDR

Not my video

Alinco is bringing out a new HF radio that uses SDR technology. I have received a brochure in PDF form (not posted here due to not knowing if I'm allowed) with a few details on it, subject to change. It appears to be a 10-160 all-mode radio. According to the above video it doesn't come with a head but you will be able to get one for it. It is meant to plug into a PC which will be running SDR software, I'm guessing much like the Flexradios do?
  • TX 10-160m
  • RX .15-30Mhz looks like
  • FM/SSB/CW 100W
  • AM 40W
  • looks like SDR bandwidth is either 15khz or 20.5khz? Very odd.
The specs say the receiver is a double conversion superhet and lists modulation methods for the transmitter side. This is very confusing to me because I expect SDRs to have direct conversion receivers. It may be that the radio is fairly conventional and the SDR is an IF type. There is an SDR entry in their table with the associated text being "3rd IQ", I suppose that could be a typo and really mean "3rd IF". One bullet point says that the receive and transmit audio is through the PC's mic/speakers. But then the table lists SSB as balanced modulation and FM as DSP modulated. I would hope the TX could be modulated by the SDR software on the computer but time will tell.

No indication has been made to me at this time on how the radio connects to the PC. I would hope that one USB cable is all you would need for CAT control and also an audio device for the IQ TX/RX to the computer so people could use their usual soundcard device for the TX/RX audio. This would also reduce the necessary cabling which is always a positive thing. Plus you could add a small single-board-computer such as the Raspberry Pi to enable such a device for Ethernet and then find new applications for it. Mount the radio remotely at the antenna to minimize line losses. Stick it on a mountain, establish a wifi link and allow shared access with your Amateur Radio Club. Network it and operate from anywhere in your house or property with wifi or ethernet connections.

As said earlier, I believe a head is going to be released that will allow standalone operation without a PC. 

This, along with Yaesu's new digital HT, seems to be the start of exciting times in Ham Radio. It's a good sign if more manufacturers are going to enter the marketplace with products based on these non-traditional technologies.

Sunday, May 20, 2012

Yeasu FT-1D redux
Found a copy of the brochure on the FT-1D radio at the above website. No real surprises for me. It's fairly thin but really looks a lot like some of their newer handies. VX7R comes to mind.

  • data transfer speed of 9.6kbps - I would ask if it's compatible with packet but then I realize it doesn't really matter because there's no really a lot of the 9600baud packet stuff out there and it's surely not.
  • 1 button switch between digital and analog modes
  • Wide-band RX .5-999Mhz
  • micro SD slot seems to provide:
    • GPS log - location and tracking
    • picture image data
    • memory backup/clone
    • potentially other uses not listed in the brochure "and other useful information is stored on the micro SD card"
  • USB connector - this surprised me a bit. It seems the optional microphone plugs in here.
    • There's reference to a firmware update function available by plugging the PC into there.
    • I wonder if it's a USB2GO type of device. If the optional microphone plugs in there then I'd bet that it is actually using USB protocols to communicate.
  • optional microphone - I really saw this one coming.
    • NOT included
    • 320x240 or 160x120 modes
    • Image can not be viewed on FT1D, LCD limitation of course
    • Image is time and date stamped, has geotag from GPS
    • 20 seconds TX for 320x240, 4s TX 160x120
    • Jpeg format
    • I wonder how much this mediocre accessory will add to the cost of the radio?
  • Digital ARTS
    • Auto-Range Transponding System
    • A technology that lets you know when you move out of range of a sister station. I'm guessing it has a watchdog timer and sends a ping out every so often. If you get a ping, the watchdog is reset. If the watchdog runs out, you're alerted. Just a guess.
    • Does anyone use this? I have a FT-50R with the older ARTS and I've never once used it.
  • GPS
  • "E-GPS" a way to transmit GPS data to other users. Sounds like a proprietary version of APRS to me. There's a distinct lack of reference to APRS in this document.
  • GSM - Group Short Message
    • Texting for Ham Radio. But it looks like it has two major limitations: Your message goes to everyone in the vicinity/group and it's 80 characters. SMS is 160.
    • At least you can request a receipt response.
    • Maybe, maybe you can limit who is notified of a message. I know due to the nature of Ham Radio there's no expectation of privacy so you can't block other people from reading messages, but they could at least let you choose who is notified of a new message.
The last piece of the puzzle that I'm still waiting to learn is price. As of May 20 2012, universal-radio has yet to publish anything about MSRP:
I would note, one of their bullet points is APRS but I think that was an assumption on their part, there's no reference to it in the brochure.

Thursday, May 17, 2012

Yaesu FT1D

I caught the gibgab about this today. Looking forward to more details coming out of the Hamvention. (I'm probably not going, water heater going out on me) seems to have the most information about it currently:
Price undecided
Silver color
The end of March or in the shortest
■ Compatible with dual communication mode analog / digital
■ common with the option VX8G
■ APRS function
■ featured wide-band receiver
■ Built-in AM bar antenna capable of receiving AM / FM
■ listening quietly vibrator function, valid at large noise!
■ Equipped with GPS logger
■ GSM (group message function)
Send and receive messages in katakana / up to 80 characters in the alphabet
of about 0.15 seconds
■ Snapshot Snapshot (image data transfer)
In the display screen of the machine about 20 seconds Handy time display
can not be sent in digital mode] [FDMA. Set (320 × 240) QVGA size
■ Convenient, etc. / clone image data storage backup / the contents of
memory equipped with a micro SD card slot
■ Connecting the camera microphone (terminal MiniUSB) USB data, the
connection between an external device such as a PC. Useful, for example, a
firmware update.
■ Easy! E20 support (Itsuo / Easy to Operation)
Redesigned the system operation as easy to use, multi-functional. Enables
one-touch operation of frequently used functions
• The one-touch button digital mode in the D
Wires X corresponding key button key, but also what features a digital
· GM GSM (group message) key
■ E-GPS (GPS data transmission feature easy)
GPS data can be exchanged easily with fellow ham. One-touch display at the
same time as the direction and distance of transmission.

Some of the later text is badly translated and I don't know what it's getting at but it's talking about the price. There's also this leaked ad in Japanese:

It almost seems like someone has been listening when I've been ranting about amateur radio being at least 20 years behind cellphones. My thoughts from this information:
  • 1200/9600bps - D-star handhelds (and mobiles outside of ID-1) top out at 4800baud, but even then you can only use 791byte/s, I like
  • SD card - though I don't know the purpose yet. I see GPS in the same block so it may only be to save your GPS tracks. I would hope that it would serve other purposes as well.
  • GSM texting - If I'm reading the text from the forum post right. This is a big one that Ham Radio could've been doing since the early 90's with APRS but never got right. Even D-Star didn't get this right and it handles data all the time!
  • GPS built in - Look, if I can buy tiny usb dongles for $20 or less with GPS there's no imaginable reason why this feature should be rare OR expensive besides stealing money from your customers.
  • USB - I'm hoping for a lot here. It may only be so you can read the SD card on the computer. But there's a lot that can be done here. Data link to the radio for digital-modes, memory read/write, radio control, GPS, SD card, etc. Maybe audio modes would be too much to ask but I will anyways. Then they can make it charge the radio too.
  • Camera Mic - I am not hot on this. One of the things cellphones do that Ham Radio is sadly behind on is pictures. Sure, we had SSTV years before cellphones were invented. No one has ever put it in a handheld radio. And they still haven't. It's in a mic that is probably optional, and expensive. I see no way that you will be able to view the pictures on that display which rules out two way pictures. Even an old Nokia color display might've fit the bill here. I'm not going to complain about the resolution, anything is better than nothing I guess. 320x240 even.
  • Eh, it probably uses an AMBE codec from DVSI to compress the audio which is pretty much encryption. Encryption is encryption, even if the decryption key isn't a password but dollar bills $$$$. I'd give Yaesu a pass on this if it turns out they are going to open this radio up to third party development (which has really blown the smartphone market wide open. Remember when the Iphone was going to be locked down and the only way to run programs on it was going to be via web apps? Yeah, what happened when people hacked it to run native apps on it? Billions of dollars for Apple. Learn a lesson here Yaesu!) If they opened it up then maybe one day Codec2 could run on it and people would be more inclined to buy a radio that isn't under the constant threat of not catching on and dying off.
Yaesu better watch the price on this thing too. I think they will be smart enough to be competitive (cheaper) than D-Star radios at least. They are starting out at a natural disadvantage. In my opinion the best route to go would be to emulate the Chinese radio model as much as possible. Drastically undercut the competition in order to give more reasons to buy your product over theirs.
$500-600 will buy you a brand new, top of the line cellphone running Android, with a large high-resolution color touch-screen, built in GPS, Wifi, Bluetooth, MicroSD card slot, 5 MegaPixel camera,maybe a front facing camera for video conferencing, accelerometer, magnetometer, 6-32GB built in flash, USB charge, USB mass media (Flash and SD card access), USB data, etc

Yes, some of that stuff is possible because of mass production and the ability of manufacturers to make stuff cheaper the more they produce, I'm sure I'll remember the phrase for that after I publish. But we can benefit from that as well by using incredibly cheap components originally produced for cellphones. CPUs, flash, ram, even chips that integrate GPS, WiFi and Bluetooth.

I hope the traditional manufacturers are feeling pressure from the flood of cheap Chinese radios. Decades of little to no innovation should backfire as China moves into the market and undercuts Yaesu, Kenwood, Icom and even Alinco with radios that do the exact same functions for significantly less. Now the big manufacturers will either have to innovate or die. You know they're not feeling any pressure to innovate from most of their customers.

I'm glad to see someone trying to bring out a 21st century Ham Radio, but I'm feeling it's more akin to 1999 technology. To be honest, it's underwhelming. If the price is sweet then I'll consider buying one. I doubt it will be any less than a top of the line 2012 smartphone though. Maybe something will come out at the Hamvention that I can't glean from this information which will blow me away but I'm not expecting much.

Monday, April 9, 2012

TM-241a analyzing

Forgot about the simple logic analyzer mode on the Bus Pirate. Channel 1 is serial out. Channel 2 is clock. Channel 3 is serial in. Channel 0 is RD (Pin 6 on mic connector) This graphic looks a little glitchy. Since this is a digital sample, if you sample at too low of a frequency in relation to what you are sampling then you will end up with strange looking data. This may be at 5khz sample rate. You should have seen it at 1khz. I was playing with 10khz and 20khz sample rates which looked much better but had a shorter sample time. The Bus Pirate only has 4096 bytes of ram to save samples in. It wasn't designed as a logic analyzer, it just happens to be a bonus.

This is in a mode that I am calling RC-10 mode. In this mode the radio will allow you to use any and all of the buttons on the radio itself. It only clocks out data when you operate the controls on the radio or on the remote unit, and then the remote unit acts as the bus master. The radio will only send data out when the clock is running and it is receiving 0xFF on serial in. 1 byte out for each byte in. I'm still not sure how the radio indicates that it has data to send out. I think it may twiddle the serial out line a bit. I am currently unable to emulate even this mode so far. I may have to write some sort of bit bang code in order to get the Bus Pirate to handle UART in/out and also the clock line.

The other mode I am calling RC-20 mode and it's a little more mysterious, to me. If I hold RD high, and keep it high, then send something, anything, down serial in then the radio will start continuously sending display frames out the serial out line. It also clocks the clock line itself. I can't seem to make it see any data that I send after that point. Additionally, in contrast to the other mode of operation, once in this mode the radio completely ignores all operation of the controls on the radio itself. There must be some sort of protocol that I'm missing. Maybe something like pull the serial in line high for 50ms, then clock data in or something. Come to think of it, in this mode there is a one shot chance of changing the frequency. Sometimes it works once and then not again until I reset the radio. I wonder if I sent some 0xFF bytes down the line after that if it would work again. But then again, in the other made that only seems to happen so the radio will send out display packets. It does that anyways in this mode. It bears further experimentation.


Saturday, April 7, 2012

TM-241a Project update 4-7-12

Doh, I feel like such an idiot. Looking over the schematics for the TM241a and RC-20 manuals I see something I dismissed a long time ago. There's Serial In and Serial Out pins, but there's also a Serial CLK pin. Well, I was receiving data just fine without the clock, but apparently I've been spinning my wheels this whole time sending data to the transceiver. You have to clock the clock pin when sending data TO it. Unfortunately the Bus Pirate is apparently completely unable to clock it's clock pin in UART mode. Only in other modes like SPI and I2C. That sucks since I already have these nice probe cables for it and everything. I don't know if any generic FTDI type usb-serial chip does it. I think that's a pretty much dead part of the standard these days. I'd love to be proven wrong though.

Not even the latest v6.1 Bus Pirate firmware has support for this. You can see some commands in the help menu to twiddle the clock pin manually, but you get an error message in UART mode. :/

Tuesday, April 3, 2012

SDR with $20 TV Tuner card.
I was going to hold off posting about this until I got mine and could try it out, but I ordered 2 weeks ago and it hasn't shipped yet so I'll drop a line now. There's been some developments on this story since then anyways. Here's a video where someone is showing this running in real time in GNU Radio.

There's also suppose to be support in Windows now too.

Basically, these are $20 laptop TV Tuner dongles from China. USB connections and they are for DVB-T which is the European digital broadcast TV standard. The US uses ATSC for broadcast and QAM64, QAM128, QAM256 for cable typically. There's a fair bit of satellite stuff that uses DVB-S/S2 though. Someone did some sniffing of the card and discovered that the FM radio portion of it was actually a SDR. It's only 8-bit but the possible frequency range is 64-1700mhz.

I'm giddy over this for a couple of reasons. If it can be made to work cheaply, hello cheap receivers to stick in other places. Yeah, the downer is the processing power required for it to actually work. Processing power is cheap these days. Also, what a neat platform for a potentially automated receiver. No interface cables needed either, plug into USB and play.


TM241 analysis

Thought it'd be fun to post a picture of my radio with the probes on the mic jack. I'm using a plug I bought in a pack to make interface cables. The antenna behind the radio is actually the rubberducky for a handheld scanner. My TM-241a is sitting on a wood block to separate it from the Alinco DR-600 below it. (My next target? Heh) These probes connect to a Bus Pirate out of the picture. The one alligator clip stands in for a particularly weak probe clip that kept falling off.

As I write this, I'm almost done rescanning the 2 byte block. 0000-FFFF unless something happens between 00FB and 00FF then I don't think there's going to be anything here. :(

I think my next target will be trying to ape the kind of stream the radio sends out. (Maybe I'll even rig up something to spit it back to it, see what it thinks of that)

Of course, one possible application when I figure this out maybe making my own remote head. Others might use it to make a D-Star homebrew head that can control the radio as well as do the digital voice. Or maybe I'll eventually figure out multiple radios and make a protocol droid to translate from one control head to a different radio. RC-D710 maybe? As I posted before, It's possible to use that head with other radios, as an APRS tnc. But without control.

One thing I'd love to inspire is some sort of USB for radios. Or some sort of multivendor connection standard. It'd be great to connect multiple radios into a bus along with a control head that can operate all of them. I'm not talking just Ham Radios either.

Update: Scan finished. No hits in 0000-FFFF. :(

Sunday, April 1, 2012

TM241a Fuzzing

Okay, here are all of the possible combinations of data that I've tried:
(where I have "x" that's where I've stepped through 0-F in hex)
xxxx (Yes, every combination from 0000-FFFF)
That last one includes xxFF in the possibilities.

Nada. Nothing. Zilch. Zippo.

Like I've said before, the radio seems to follow a pattern for the second nibbles. Without the bitorder switched, the patterns are like this:
00 - Start
22622a1 Frequency
0222221 LCD elements
021 Mem Channel
01 Unknown (always 10 01)
FF - End

Sometimes S-Meter data shows up. It's the one element that breaks the pattern of the second nibble. But, the last 3 bits of it seems to always be 101. First 5 bits seems to be the S-meter bargraph length, or similar.
My thoughts have been on mimicing the patterns when trying to fuzz the data out.

I would also like to try to figure out what the I2C address search mode on the Bus Pirate looks like to a 1200 baud UART port. That may be my biggest clue because that's the one time I've really had an effect on the radio and it was completely junk data.

It could also be that the actual legit communications is so complex that it's not really possible to suss it out by searching a sequential pattern. I wouldn't think so, but there's got to be some sort of a memory access mode or I couldn't have entered corrupt data into Ch1 and 2 with the I2C search mode. The values were impossible to set by key entry alone. Heh, maybe the RC units communicate by writing to live memory. I wouldn't think so. I'd think a simple pattern of keycodes would be more than enough, but who knows what Kenwood was thinking when they designed these units.

I'd sure love to get my hands on one.

EDIT: Sigh, just noticed a rather glaring bug in my serial port TX in my program which probably resulted in me not sending out the values that I thought I was. In short, I have to run all of the above tests again. This time, sending the byte values out instead of the decimal representation of them. Snort. At least I didn't test 17 million values before discovering this tomfoolery.

April 1st

I'd like to officially register my annoyance of all of the fake news stories that every tech site, and some stores, seem to love to post on April 1st every year. It was tired in the 90s. It's over 10 years later. I need some sort of filter for this stuff.

TM241a Reverse Engineering Project Update

After a fairly long hiatus and a hard drive crash, I'm back at it working on this project. I am attempting to reverse engineer the remote control protocol in older Kenwood mobile radios. I'm using my TM241a but I understand that the RC-10 and RC-20 addons Kenwood used to make worked with a whole series of model numbers from TM-x21 through TM-x41 at least.

This was a secret from me until I found documentation and links talking about the RC10 and RC20 addons a year or two ago. I got my hands on operating manuals and service manuals for my radio, the RC-20 and the IF-20 addon. The IF-20 allowed you to connect up to 4 radios to a single RC-20. You could have 2,220,440 and 1.2 at your command if you were one of the lucky ones.

I've spent the last couple days poking around in the free Microsoft Visual Basic 2010 Express Edition writing a program to help me. My hardware interface consists of a Bus Pirate connected to the Mic plug on the radio using a spare plug I bought when working on a TNC project. I am running the Bus Pirate in transparent UART passthrough mode. Why not just use a usb-serial adapter? The Bus Pirate is already at the correct levels (TTL, not RS232) and I can program it to hold a pin HIGH, which is what the radio expects to enable it's remote control mode on the mic port.

Now, I can enter all of the Bus Pirate settings with a single button press on my program. I can read the display output continuously (though I still can't make sense of all of it yet). I can have a window with an active comparison going, output that is different is logged automatically. Right now, I'm running one of many routines to generate data and push it out the port. I'm trying to elicit a response from the radio by pretending to be an RC-20, or at least trying to guess what kinda of data one might send to it.

This would be unnecessary if I had access to either an RC-10 or RC-20, but alas they elude me. My fuzzing efforts are time consuming though. I've already ruled out 1 byte commands, sadly. That only took 255 guesses. I tried a 4 byte command guess with most of it filled in except for 3 nibbles. That took 4095 guesses. Nada. Now I'm sending 2 byte command strings, all guesses. That's 65535 guesses. Sadly, if I go up to 3 bytes then that's 16,777,215 combinations. Yes, almost 17 million!

BTW, I'm guessing about 40 times a second, so that's almost 30 minutes to run through 65535 guesses. 17 million isn't going to happen. There's a command for power on/off and transmit at least. Not to mention that while I was trying to figure out what protocol it used in the first place I accidentally entered junk data into it. Using the I2C address scan mode on my Bus Pirate somehow did it. That means there's a chance of a raw memory access mode. That could result in dangerous effects on my beloved radio, such as entering something that would cause the PLL to unlock permanently or TX at some weird frequency causing my finals to blow. I can't just let a fuzzing routine run all night while I'm asleep. A meltdown from excessive keydown is the least problem that could happen.

This is an example of the binary data the radio send out. It runs at 1200 baud 8,n,1 (ahh, bbs days)
00 82 22 A6 02 92 AA F1 40 42 02 12 02 22 01 E0 82 41 10 01 FF
The oddball part of this is that the bit order is reversed. ie 1100 would be 0011 actually.
If you reversed the bitorder and re-wrote the line:
00 14 44 56 04 94 55 F8 20 24 04 84 04 44 08 70 14 28 80 08 FF

The radio seems to use the first nibble for data, with the second nibble acting as some sort of checksum, or maybe even frame marker/address.
00 14 44 56 04 94 55 F8
0 1 4 5 0 9 5 F <- First nibbles only -- I'm on 145.095
0 4 4 6 4 4 5 8 <- Second nibbles only
Second nibbles of 0 and 8 seem to mark the beginning and end of subframes within the frame.

Second part of the frame from 20 through 08 seem to be fixed LCD elements (T +- BUSY etc)
70 - x8 are memory channels if you are in the MEM. This happens to be Memory Ch 12 for me.
70 14 28
7 1 2 <- ch 12.. Channels under 10 are 7 F x (where x is the channel #) so 7 F 9 is Ch. 09
0 4 8
...If I remember right, if you are in VFO or Call the Mem info is different, or missing entirely. That was in my notes that were lost forever in my hard drive crash a little while back.
80 08 are currently unknown for me.
00 and FF always mark the beginning and end of one whole frame.

Once you get the radio started, and all you need to do is send 1 byte of any sort at the right speed to it, then it continually sends display frames out at 1200 baud.
If you receive a signal, the S-meter data is sent out as well, in the form of setting one of the bits in the LCD element section and 2 additional bytes before the 80 08 pattern. It seems to have a hold pattern, if it's not changing then the radio stops sending the extra 2 bytes until it does change and then the radio will send out the changes again. I believe they resolve into the number of S-meter bargraph elements that should be lit up.

I'll keep plucking away at it. I do love a puzzle.

Sunday, March 11, 2012

Ubuntu liveUSB

A couple of weeks ago disaster struck! I went into my office to compute a bit only to get an omnious message from Windows to back up my hard drive as it was about to die. I don't know how it devined that though. I downloaded a SMART utility which told me that there were some dead spots but I though the drive would work around those. I quickly saved some of my more precious data, which was mostly digital camera pictures and movies. I also managed to save my browser data, a couple of VMs I was experimenting with and some other stuff but not everything. I left that afternoon and when we came back, the drive was dead. I felt a little like I lost an old friend too. I managed to order some new parts from Amazon, I usually use Newegg but Amazon was cheaper in this case. Got a new 500GB hard drive, as well as a Bluray burner and some media. The whole kit was a little pricy but I needed the hard drive to bring my computer back to life and I'm hoping to use the bluray stuff to make it easier to do backups.

While I was waiting on all of that stuff though, I went to Best Buy the next day and bought a couple of 16GB flash drives for around $13/each. What a deal! I used one to have another copy of pictures, etc. Before that, the only copy was on my Ubuntu fileserver where I had copied it to in a hurry when my main drive was dying. The other drive I installed Ubuntu to. I was running a LiveCD version of Ubuntu but annoyed with installing packages every time I rebooted. Wish I had the URL for the guide I followed, but it was very easy to put on USB flash drive. It setup a 4gb partition for user files, I resized the main partition and the user partition to give me more like 12gb of space. I ran like that for several days before my new components came in. I was actually kinda sad to go back to Windows after using it too. I've always liked Linux, really most of the reason I use Windows still is because of gaming and very few other applications. 99% of what I do is more than possible on Linux though. It was also nice to not have a hard drive chugging because Windows somehow needs to use swap space even though it has 6GB of ram.

As an aside, I'm working at a computer place in town now that has a nifty setup with Xen running multiple virtual machines for networking services. Some of those machines have at least 16GB of ram. I setup a machine to run Windows Server with SQL Server that could do 2 Xeon cpus and 18 sticks of ram. It had 5 sticks for 16GB (3x4GB, 2x2GB iirc). I guess if you put a bunch of 4GB sticks in it, you could run 72GB of ram! That's pretty spiffy! Of course, there's 9 slots per processor, and you can't run ram in 9 of them unless you have the 2nd processor also.

Moving forward, I'd like to maintain my Ubuntu LiveUSB and maybe even run from it some more. I'd also like to see if I can get my virtual machines to run in it. One of them is an old XP licensed from a computer I don't use anymore. I have that setup to run my old HP ScanJet that won't ever have Windows 7 drivers. That could possibly do some of my applications that I like to run. I'm sure I can use WINE, but maybe not? Plus I'm not sure stuff like PDF printers work under WINE.

I'm also thinking about running My Documents style directory from a USB flash drive. This isn't the first time I've lost documents, some of the fairly important, in a hard drive crash. I do need some sort of backup regimen also. If I can set things up right, I'd like to just go ahead and buy a new hard drive every year or 2 and transfer the contents of my operational drive to the new one to keep away from having a crash related to wear and tear. The question then is what to do with the used drives? Maybe I'll set them up to have online storage of stuff I have backed up on disc, but never original copies of data.

I also do need to concentrate data in one place. I'm fairly sure I lost a large archive of Ham Radio info because it was stored in some random place on my hard drive and I forgot to grab it when I could. Mostly cached copies of homebrew pages, so it's not original data but still there was a lot of it.

It is nice to boot up my VM with Windows XP on it and see the stuff there is untouched by my latest catastrophe. I might put more of my necessary programs into a VM like that, or that one at least, just to speed recovery from future crashes. It's very easy to save a copy of the hard drive image the VM programs use.

Man, this turned out longer than I thought it would be. Sorry for rambling.

Thursday, February 16, 2012

TM-241a Sniffing

May have found a RC-10 for sale. These were compatible with the remote control interface on this radio (and a few other Kenwoods) It looks like a car phone handset. Remember when cellphones came in a bag variety? Kinda like that. I'm hoping that I can use my Bus Pirate with it to sniff out the correct commands to control my radio. May be just what I need to get my TM-241a computer control project back up and running.

Saturday, January 28, 2012

Soundcard Radio Direction Finding

Found an interesting post and video about doing soundcard based radio direction finding:

The talk is a little awkward but he gets the point across. The major takeaway is that he is feeding the audio from the radio into one channel on his soundcard, say left channel, and then the other side is a pulse to indicate the antenna switcher has switched. Then these signals may be processed using DSP techniques to figure out what the phase of the audio signal is and match it to which antenna is active from the pulses on the other channel. It seems like a lot of expensive processing to do something that can be done in hardware but a computer gives you the opportunity to send the data elsewhere over packet or wifi. Coordination could also be accomplished.

The other interesting bit I liked from his video is his use of an antenna switcher IC meant for cellphones. It can work from 300khz to 3.5ghz so it has plenty of range. It's a tiny surface mount chip but he did find it in SSOP-16 which is easier to solder than a QFN. The SSOP-16 was mounted on a SparkFun carrier board to allow easier access to the pins for breadboarding.

I've wanted to experiment with RDF for awhile. Not only could you apply it to Ham Radio uses, such as finding interference or foxhunting or other roles.. but it could also be handy for scanner enthusiasts. Imagine scanning through a frequency range, hearing some traffic and being able to locate the traffic right to the building it's coming from. This would be very handy for maintaining lists of frequencies for different factories and other workplaces.