Archive for the ‘Uncategorized’ Category

Hacking the Baofeng UV-3R

hacked-uv-3r

While I was searching around for information for the UV5R hacking I had previously done, I came across some schematics for the UV3R. At first glance it looked like the CPU could be flashed. In fact, in the schematics it looked like they even left the programming pads on the PCB. The UV3R is very similar to the UV5R, except for its lower power and its lack of a good LCD and a keypad. Other than that, the two radios have the same RDA1846 chip controlled by a CPU.

The CPU used on the UV3R is the MC81F8616, which can be re-flashed many times. Better still, the chip's manufacturer, Abov, publishes the documentation, the compiler and the programmer for it.

Chip Documentation (MC81F8616):
http://www.abov.co.kr/eng/product/info/view.php?dev=mc81f8816
C Compiler: http://www.abov.co.kr/eng/tool/hms800_cc.php

This got me very encouraged, since it would be much simpler to hack this radio than to remove the CPU on the UV5R as I had attempted before. I quickly ordered one, took it apart as soon as it arrived and traced the programming pads (I did not even use it, just turned it on to make sure it was not DOA).

hacked-uv-3r-2

After looking at the datasheets and their USB programmer software, I was able to trace the protocol and re-flash the chip using an Arduino. As expected, they had the security bit set, so I could not read the original firmware. However, I was able to erase the chip and upload new code. Fortunately it was not too difficult to figure out how everything functions, thanks to the schematics and my previous experience hacking the UV5R. My biggest problem was getting the LCD to function properly, since it was a bit mislabeled in the schematics.

As a proof of concept I had the radio tuned to 145.525MHz and listening for a signal. When a strong signal is received it plays back 3 DTMF tones, as can be seen in the video below.

Anyone is welcome to help and you can start by checking out the code from here:

https://github.com/lelazary/UV3RMod

I also started a thread on the UV3R Yahoo group for anyone wanting to pitch in ideas for the firmware (given the limitations of the RDA1846 chip and 16K of memory). I am not going to promise to implement everything, but if it is not too difficult, I will try to. However, since this is going to be open source firmware, you could always try to change it yourself (I will always be willing to help).

Here is my list (if a feature makes it to the repository at
https://github.com/lelazary/UV3RMod/blob/master/WISHLIST
then it would probably be implemented):

Mode 1) Quick interface to program rx freq, tx freq, power and PL code very quickly for repeaters. No offset; you just start with the rx freq and shift it by whichever amount you want. This will also allow you to turn off the tx, or operate satellites.
At any point during this mode, you can hold the mem channel and it will ask you which number you want to save this to.

Mode 2) Memory mode will allow you to go through your saved memory. At any point you can press menu and change more details about the channel.  The details will include power with granular level, DTMF TX/RX, and other functions TBD. This mode will show the channel name and the freq underneath it.

Mode 4) Satellite Mode: Auto tuning of the frequency with response to the Doppler shift.

Mode 5) Digital mode. Hopefully I could add some text-based digital data for rx and tx. You might need to tx the text using Morse code, since there is no alphanumeric keypad on the radio. The digital mode will also include store-and-repeat message forwarding.

Mode 6) Computer mode: All the functions of the radio including the RDA1846 registers, TX, and RX will be controlled through the serial port on the radio.

Mode 7) Fox/Hunt mode. Can be used to transmit a signal intermittently (like a call sign in Morse code). Or send the RSSI signal into the audio, and with a directional antenna you can go hunting.

Mode 8) Advanced mode: Any RDA1846 register can be set manually and saved so it is applied at startup.

Mode 9) If the digital mode works, then RF programming of the radio. This will allow anyone to send you repeater information from their memory locations. It will work by selecting a memory channel to rx and pressing a button. Then, from another radio, you can send the programming info.

Programmer Protocol

The implementation of this protocol along with the arduino code and the ongoing firmware can be cloned from github.
https://github.com/lelazary/UV3RMod

Here is the protocol used to get into the chip and program it. Putting 9V on the reset pin (VPP) enters programming mode.
The bytes are sent over SPI, LSB first. After almost every byte, the chip pulses the data line to indicate ACK.

Get Chip ID: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82

Program fuse bits

Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Mode      : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for response should be 0x01
30ms delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55

Erase Chip   :
Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Erase         : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x03 0x01 wait 1ms for response should be 0x55
2 sec delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55

Read Data:
Get Chip ID    : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Read range: 0x55 0xAA 0x5A 0xA5 0x05 0x00 0x00 0x04 0xC0 0x00 0xC0 0xFF 0x00 <wait for data to go high> read 255 bytes
30ms delay
Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00

Program Data:
Get Chip ID                 : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Memory Mode             : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
30ms delay
Set program range and data  : 0x55 0xAA 0x5A 0xA5 0x80 0xC0 0x00 0x00 <128 bytes> wait 1ms for 0x55

Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
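The exchanges above, carried through as an added example; this is not code from the UV3RMod repository. It assumes the frame layout that the listed byte sequences suggest (preamble 55 AA 5A A5, a payload-length byte, a 16-bit address, a command byte, then the payload) and stands in a scripted fake for the real chip so it runs offline. The point it adds is the check a practitioner wants before an irreversible erase: every step's ACK is compared with the value the page lists, and the sequence stops at the first mismatch instead of blindly sending the next frame.

```python
"""MC81F8616 ISP exchange, modelled from the sequences above (added example,
not project code). Frame layout is an assumption inferred from those bytes:
  55 AA 5A A5 | payload length | addr hi | addr lo | command | payload
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

PREAMBLE = bytes([0x55, 0xAA, 0x5A, 0xA5])


class ProtocolError(Exception):
    """Raised when a step's ACK is not the byte the page lists for it."""


def isp_frame(addr: int, cmd: int, payload: bytes = b"") -> bytes:
    """Build one command frame; the length byte counts only the payload."""
    if not 0 <= addr <= 0xFFFF or not 0 <= cmd <= 0xFF or len(payload) > 0xFF:
        raise ValueError("field out of range")
    return PREAMBLE + bytes([len(payload), addr >> 8, addr & 0xFF, cmd]) + payload


@dataclass(frozen=True)
class Step:
    label: str
    frame: bytes
    expect: Optional[int]   # ACK byte the chip should return after ~1 ms
    delay_ms: int = 30      # settle time after the step, from the sequences above


# The steps exactly as listed on the page; only the framing helper is new.
GET_ID     = Step("Get Chip ID",     isp_frame(0x0000, 0x05, b"\x00"),     0x82)
SET_MODE   = Step("Set Mode",        isp_frame(0x0000, 0x05, b"\x08"),     0x01)
SET_MEM    = Step("Set Memory Mode", isp_frame(0x0000, 0x05, b"\x08"),     0x00)
CLEAR_20FF = Step("Set 20FF to 0",   isp_frame(0x0000, 0x03, b"\x05\x00"), 0x55)
ERASE      = Step("Erase",           isp_frame(0x0000, 0x03, b"\x01"),     0x55, delay_ms=2000)

FUSE_SEQUENCE  = [GET_ID, SET_MODE, CLEAR_20FF]
ERASE_SEQUENCE = [GET_ID, ERASE, CLEAR_20FF]


def program_step(page_addr: int, data: bytes) -> Step:
    """'Set program range and data': 0x80 bytes at page_addr, ACK 0x55."""
    if len(data) != 0x80:
        raise ValueError("program step takes exactly 128 bytes")
    return Step(f"Program {page_addr:04X}", isp_frame(page_addr, 0x00, data), 0x55)


def program_sequence(image: bytes, base: int = 0xC000) -> List[Step]:
    """Program Data sequence for a whole image, one 128-byte page per step.
    Paging the image at base + 0x80 * n is an assumption; the page only shows
    the first page at 0xC000."""
    if len(image) % 0x80:
        raise ValueError("image must be a whole number of 128-byte pages")
    steps = [GET_ID, SET_MEM]
    for off in range(0, len(image), 0x80):
        steps.append(program_step(base + off, image[off:off + 0x80]))
    steps.append(SET_MEM)
    return steps


class ScriptedChip:
    """Offline stand-in for the MCU: answers each frame with the next scripted
    byte and records what was sent, so the driver logic can be exercised."""

    def __init__(self, responses: Sequence[int]):
        self._responses = list(responses)
        self.frames: List[bytes] = []
        self.delays_ms: List[int] = []

    def exchange(self, frame: bytes) -> Optional[int]:
        self.frames.append(frame)
        return self._responses.pop(0) if self._responses else None

    def settle(self, ms: int) -> None:
        self.delays_ms.append(ms)   # a real transport would sleep here


def run_sequence(chip, steps: Sequence[Step]) -> int:
    """Send each step, verifying its ACK; stop at the first bad one.
    Returns the number of steps completed."""
    done = 0
    for step in steps:
        ack = chip.exchange(step.frame)
        if step.expect is not None and ack != step.expect:
            raise ProtocolError(
                f"{step.label}: expected {step.expect:#04x}, got {ack!r} after {done} steps")
        chip.settle(step.delay_ms)
        done += 1
    return done


if __name__ == "__main__":
    chip = ScriptedChip([0x82, 0x55, 0x55])   # a chip that answers as the page says
    print("erase steps completed:", run_sequence(chip, ERASE_SEQUENCE))
    for f in chip.frames:
        print(f.hex(" "))
```

With a real transport, `exchange` would clock the frame out over SPI and read the ACK byte about 1 ms later, and `settle` would sleep; everything else stays the same.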

DIY instructions for performing this hack

Disclaimer: This hack is a work in progress. If you perform this hack you might transmit on frequencies outside the allowable amateur bands. For now I am keeping the TX amplifiers off, so the radio will not transmit more than a hundred feet. However, anyone can always go into the code and turn them back on. If you do so, you are responsible for ensuring that you know what you are doing, and for taking the necessary precautions when transmitting. I will not be responsible for any damage caused by the radio or to the radio. Remember, once you erase the original firmware there is no way of getting it back, so the radio will be a brick until you upload the new firmware; but if you got this far, then that is exactly what you want.

For this hack you will need an Arduino, an NPN transistor (I used 2n394), 1K and 10K resistors, and a 9 volt battery. You could just use a 9V battery and a 10K resistor, but you would then need to manually switch VPP between 10K -> 9V and GND. If you want to do any kind of development, the transistor is the way to go.
Connect everything according to the diagram below:

hacked-uv-3r-3

I made a small interface with the transistor and a connector so I can plug and unplug the programmer. When the programmer is plugged in, the radio will not function; you will need to disconnect GND, VPP and VDD for the radio to boot normally. A connector lets you plug the radio in for programming and unplug it for testing.

hacked-uv-3r-4

Once you have everything connected, check out the code from here:
https://github.com/lelazary/UV3RMod

Upload the Arduino sketch programmer/chipFlash/chipFlash.ino to the Arduino.
Go into the programmer directory, connect the programmer and the +5V power supply that came with the radio, and run the Python script uv3rFlash.py. If you chose not to build the transistor circuit, start with VPP connected to GND, switch it to +9V, run the command, and switch it back to GND.

./uv3rFlash.py -p /dev/ttyUSB0 -e

This will erase the chip using the Arduino attached to /dev/ttyUSB0. If you are on Windows, use COM5 (or whichever COM port the Arduino is using) instead of /dev/ttyUSB0.

Then you can run

./uv3rFlash.py -p /dev/ttyUSB0 -w ../firmware/uv3r_firmware.hex

If there are no errors, unplug the programmer and you should have brand-new firmware on the radio.

Troubleshooting:
If something is not working correctly, you can go into the Arduino serial monitor and use the raw commands to see what is going on.

//Protocol
//   CMD   Param              Description
//   S                        Enter ISP mode
//   C                        Exit ISP mode
//   I                        Get chip ID
//   F     HH                 Flash config register with hex HH
//   E                        Erase flash memory
//   P     AAAA LL DDDD...    Program memory starting at address AAAA, length LL, data DDDD... (2 hex chars per byte)
//   R     SSSS EEEE          Read memory from address SSSS to EEEE
//On success return OK
//On failure return ERR

For example, typing
SIC <enter>
will start ISP mode, get the chip ID and then close ISP mode. It looks like the chip ID is 82, so that is what I am checking in the code. If you are not getting 82 for the ID, then something is probably wrong with the connections (check the +5V and VPP).
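Two host-side checks for the raw command protocol above, as an added example rather than code from the chipFlash sketch or uv3rFlash.py: a parser that accepts the command grammar in the table (including several commands run together, as in SIC) and refuses a P record whose data does not match its LL byte, and an Intel HEX reader that verifies every record checksum and turns the image into P commands. It assumes that uv3r_firmware.hex is Intel HEX, that the 16K flash sits at 0xC000-0xFFFF (the addresses the ISP read and program frames use), and that one P command carries at most one 128-byte page. The sample image is constructed for the example. The reason for the checksum step is the disclaimer above: the factory firmware cannot be read back, so a corrupt image must be rejected before the erase, not discovered afterwards.

```python
"""Host-side helpers for the chipFlash serial protocol (added example, not
project code). Assumptions: Intel HEX input, flash at 0xC000 of size 0x4000,
128-byte pages per 'P' command."""
import re
from typing import Any, Dict, List, Tuple

FLASH_BASE, FLASH_SIZE, PAGE = 0xC000, 0x4000, 0x80
_HEX = re.compile(r"[0-9A-F]*")

# command letter -> fixed-width hex fields; 'P' also carries 2*LL data chars
_GRAMMAR = {
    "S": [], "C": [], "I": [], "E": [],
    "F": [("value", 2)],
    "R": [("start", 4), ("end", 4)],
    "P": [("addr", 4), ("len", 2)],
}

# Constructed sample image: 4 bytes at 0xC000, 2 bytes at 0xC080, then EOF.
SAMPLE_HEX = """\
:04C00000DEADBEEF04
:02C08000123478
:00000001FF
"""


def parse_line(line: str) -> List[Tuple[str, Dict[str, Any]]]:
    """Parse one serial-monitor line into (command, fields) tuples, the way the
    sketch must before acting on it. All fields are fixed width, so commands
    may be run together ("SIC"); whitespace is ignored. Rejects unknown
    letters, short or non-hex fields and P data shorter than LL."""
    text = re.sub(r"\s+", "", line.upper())
    cmds: List[Tuple[str, Dict[str, Any]]] = []
    while text:
        letter, text = text[0], text[1:]
        if letter not in _GRAMMAR:
            raise ValueError(f"unknown command {letter!r} in {line!r}")
        fields: Dict[str, Any] = {}
        for name, width in _GRAMMAR[letter]:
            chunk, text = text[:width], text[width:]
            if len(chunk) != width or not _HEX.fullmatch(chunk):
                raise ValueError(f"{letter}: bad {name} field")
            fields[name] = int(chunk, 16)
        if letter == "P":
            n = 2 * fields["len"]
            chunk, text = text[:n], text[n:]
            if len(chunk) != n or not _HEX.fullmatch(chunk):
                raise ValueError("P: data does not match LL")
            fields["data"] = bytes.fromhex(chunk)
        cmds.append((letter, fields))
    return cmds


def parse_intel_hex(text: str) -> Dict[int, int]:
    """Return {address: byte}. Each record's checksum (sum of all bytes mod 256
    must be 0) is verified, so a corrupt image is refused before any erase."""
    mem: Dict[int, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = raw.strip()
        if not rec:
            continue
        if rec[0] != ":":
            raise ValueError(f"line {lineno}: missing ':'")
        b = bytes.fromhex(rec[1:])
        if len(b) < 5 or len(b) != 5 + b[0]:
            raise ValueError(f"line {lineno}: length mismatch")
        if sum(b) & 0xFF:
            raise ValueError(f"line {lineno}: bad checksum")
        count, addr, rtype = b[0], (b[1] << 8) | b[2], b[3]
        if rtype == 0x01:
            return mem
        if rtype != 0x00:
            raise ValueError(f"line {lineno}: unsupported record type {rtype:#04x}")
        for i, v in enumerate(b[4:4 + count]):
            mem[addr + i] = v
    raise ValueError("no EOF record")


def program_commands(mem: Dict[int, int], fill: int = 0xFF) -> List[str]:
    """Turn a parsed image into 'P AAAA LL DD..' lines, one per 128-byte page
    that holds data; bytes the image leaves out are padded with `fill`."""
    bad = [a for a in mem if not FLASH_BASE <= a < FLASH_BASE + FLASH_SIZE]
    if bad:
        raise ValueError(f"address {min(bad):#06x} outside flash")
    lines = []
    for page in range(FLASH_BASE, FLASH_BASE + FLASH_SIZE, PAGE):
        if any(a in mem for a in range(page, page + PAGE)):
            data = bytes(mem.get(a, fill) for a in range(page, page + PAGE))
            lines.append(f"P {page:04X} {PAGE:02X} {data.hex().upper()}")
    return lines


if __name__ == "__main__":
    image = parse_intel_hex(SAMPLE_HEX)
    for cmd in program_commands(image):
        print(cmd[:40], "...")
    print(parse_line("SIC"))
```

In practice the lines from `program_commands` are what the host sends between an `S` and a `C`, and each is expected to come back with OK before the next one goes out.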

You may also be interested in these posts on my website:

UV5R hack
http://www.liorelazary.com/index.php?option=com_content&view=article&id=49:hacking-the-baofeng-uv5r&catid=14:baofeng-uv5r&Itemid=17

TX D-STAR data with the UV5R and filters off.
http://www.liorelazary.com/index.php?option=com_content&view=article&id=50:txrx-digital-data-using-the-uv5r&catid=14:baofeng-uv5r&Itemid=17

Good Luck.


Getting started with PSK

A reader from North Carolina, USA, wrote to me and asked the following:

A question: I am just a General class ham. I would like to know exactly what it takes to operate on PSK. I have a TS140s, a key and a dipole at 50′. I also have a Compaq laptop computer with a sound card. Can someone tell me what I need to buy — not just in generalities — to help me get up and running with this mode?

Would those of us with some experience with PSK (definitely not me!) take a shot at answering him? If so, please reply in comments. Thanks in advance!

Elecraft K3 Build Continuing – Reflection Point

Ironically, building the Elecraft K3 has led me to reflect. This K3 project is special to me and has drawn some interesting questions. I have been asked by several people, including friends, coworkers and some outside my family, what I did on my vacation days. When I tried to explain that I was working on building a ham radio, an Elecraft K3, I knew they would have no idea about the brand, but I always take a shot at it.

The reaction has been staggering: so you are building something that is taking days if not weeks to do, that you could have purchased all put together and ready to use by someone else? On top of that you are setting up a camera and blogging about it. What a waste of time seems to be the consensus.

The joy of building something, anything, it doesn't have to be a Heathkit, Elecraft or even a Lego set (which I enjoy building as well), is a primal instinct for me. I like to create, build, see a result, and when I'm able to use this radio on the air knowing that I had a large part in assembling it, I am going to be even more proud to use it.

I am capturing this memory for me, writing about it for me, and I want to share it with others so maybe they will consider building something, whether it is this radio or not, to enhance their life. Setting up a camera, editing footage, blogging and building all take time, certainly, and I know over 7000 people (by my serial number) have built an Elecraft K3 before me. Maybe they have done this, maybe not; maybe they will enjoy looking back at someone else's experience. Maybe no one will watch or read… That's entirely possible as well… But the project is mine ☺ I will still have the memory.

Life is short and sometimes you have to savor experiences, let them burn a memory for you that you will have for a long time. This is one for me… I know I could have bought this radio built, I know I could have put it all together very quickly in a day (possibly ☺), and I know some will never understand…

Nick N1IC

To see my full build story: http://nicktoday.com/elecraft-k3-and-n1ic-my-build-page-1

X1M QRP SSB/CW Transceiver Kit


I’ve been watching this little thing for a few weeks. They showed up on the Kight Radio Store web page and after a few days, when I decided to pull the trigger, they had sold out. Today they are back in stock, and one of them is on its way to me (hopefully). Construction is described as easy assembly, which I gather makes it similar to the KX3 kit. Here are the features and specs from Kight Radio:

Transceiver: X1M [v2.01]
Frequency range: 0.1 ~ 30 MHz transceiver
Modes: SSB / CW
Power output: 5 W (max)
Operating voltage: 9.6 V DC (min), 14.5 V DC (max)
Operating current: 0.35 A (min), 1.2 A (max)
Preamplifier
Memory: 100 channels
RIT function
Automatic internal CW keyer
Backlight on/off
Keyboard can be locked
Dimensions: 97 * 40 * 155 (mm)
Weight: 0.65
Receiving sensitivity: better than 0.45 uV
Frequency stability: better than 0.5 ppm
Frequency accuracy: better than 0.5 ppm (after 5 minutes warm-up)

An interesting additional feature in the listing is that the rig can be connected to Ham Radio Deluxe software. The user can choose any ICOM model, but the IC-718 is recommended.

The text also states that the version they are shipping to the USA is set up to transmit only on the Amateur bands.

I’ll let you know how it goes.

$259.95 + S&H for the kit. $30 more assembled.


A Quick RoIP Experiment

RoIP stands for Radio over Internet Protocol, and you can use this technology to connect remote radios over any distance easily.

There are, of course, very complicated and elegant communications systems that do this already, such as Echolink, D-STAR, Tetra and DMR/Mototrbo, but tonight I homebrewed my very own modest private link in half an hour, and you can too!
If you have a rig with a packet data port and an external sound interface, such as a Signalink USB, then all you need is some software and, for example, a mobile phone.
2013-03-13 19.49.59
Above: Signalink USB and FT-817 set to 2m FM calling….
I used a fantastic free app called Zello. Zello is a walkie-talkie emulator for your smartphone, but it also has a PC programme counterpart. The clever bit is that it has a VOX function with several adjustments for sensitivity and delay. My project enabled me to talk remotely over 2m using my smartphone!
2013-03-13 18.34.55
Above: Zello app ‘PTT’ button
So, by pressing ‘PTT’ on my smartphone and making a direct call to my computer, the VOX switch was activated on my Signalink USB interface and my FT-817 transmitted. When the squelch was opened on my ‘817 by the station I was talking to (and this is the clever bit) the Zello programme on my computer used its VOX feature to transmit back to my smartphone.
zellovoxzello
Above: Zello VOX settings on PC and Zello GUI on Windows XP

Now I know that Ham Radio Deluxe can be set up to give full remote control over my rig, but that's for another day. This is one solution to automatically link two radios that anyone can do.

DX with a Kite Antenna

This afternoon Hanz, W1JSB, and I met at the Franklin Falls Dam. Our plan was simple… lift a half-wave wire with a kite and work some DX on 20 meters. We managed to work Belgium and the Ukraine… but it wasn’t all clear sailing.

kite2

We sat at a picnic table several hundred feet above the river. A stiff breeze lifted the kite about 80 feet into the air. We attached the far end of our 33 foot wire to a loop in the middle of the kite string. We connected the near end to the Par matchbox and then to the rig… an HB-1B running 4 watts. It wasn’t vertical, but it was a respectable sloper.

After a few calls, I worked ON8VP in Belgium. Peter gave me a 559 and we finished a quick exchange. His signal was strong, and I have no doubt that had the wire been vertical, I would have been stronger to him. But I was pretty happy to make a contact.

Next, I heard UY6IM in the Ukraine calling CQ. As the wind faltered and the kite lowered, Roman answered my call and gave me a 559. Then it happened.

down

The kite dropped below the hillside and most of the wire lay on the ground. Roman couldn’t hear me send his report. Fortunately, he didn’t hear me swear either. Darn it… (OK… Dam it.) Hanz raced down the hillside to recover the fallen kite. Right away it lifted into the sky again. By this time Roman was calling CQ again. I answered… gave him a 599 and called it quits after he acknowledged the report. Right after that, the kite dropped once again. It was frustrating.

Hanz wanted to give it a try, so I ran down and tried to get the kite airborne once again. No luck. We packed up. Of course, as soon as we did, the wind came up again. The experiment was fun, but I think I’ll stick with trees.

First Spring Outing

Hanz W1JSB and I hiked down to the Pemigewasset River today. It was our first radio outing of the year… and it was fantastic! We worked Germany, Romania, Slovak Republic and Wisconsin.

We walked down the steep hill into the Corps of Engineers flood control area along the road. In the winter it’s used only by snowmobiles, cross-country skiers and sometimes horseback riders. The snow is just starting to melt. We’ve had two days in the mid-40s. The brook is showing signs of life. It’s grand.

brook

We walked in about a mile and turned toward the river into a field. We found a little bare spot of ground near some bushes and decided to set up there. I flung the water bottle with the antenna line into a tree and Hanz pulled it up.

jim

We used the HB-1B at 4 watts on 20 meters with a 33 foot end fed wire. I took the first turn and right away heard OM1ADX calling CQ. Martin in the Slovak Republic had a beautiful signal. He gave me a 559. Hanz made a video of the QSO.

View it here.

After that, Hanz took over. He worked two stations in a row toward the lower end of the band. First he called DL6LBI in Germany. Ingo answered him right away and gave Hanz a 579. The Wisconsin QSO Party was in full swing so there were plenty of WI stations for the asking. Hanz worked K9LGU. The really interesting QSO came next.
Hanz went up to 14.060 and heard a very weak station calling CQ. It was Catalin in Romania… YO8RIX, and he was only running 500 mW with a K1 and a loop antenna. Amazing.

hanz

It was so much fun to get out in the warm sunshine and operate again. The winter’s been long. On the walk back Hanz and I talked about some of the places we plan to hike to with our radios this summer. There will be lots of good exercise and radio expeditions ahead.

