Here’s another update of interesting important stuff spewing forth from the internet.

The Noise Blankers continue to run amuck on these interwebz, with cutting edge reporting like this: Amateur Radio Club Indicted on Ferritte Trafficking Charges, Special Event Station to Mark Departure of Mother-In-Law, and Man Claims CQ Contest Victory Despite No Contacts. In a related matter, still no word on the status of the Lost Island DX Society (LIDS).

The FISTS CW Club has a web page that measures your callsign weight. The basic idea is that shorter is better, so plug your callsign in and the ham with the lowest score wins! Mine weighs 52, what’s yours?

The ARRL Field Day information is available for download. The logo looks pretty good this year!

Plain Old Telephone Service (POTS) is on the way out.

Lots of new content on HamRadioSchool.com.  Stu W0STU has been discussing the Technician License Question of the Week and I contributed some Shack Talk articles.

And remember, everything on the internet is true because the government is watching it.

73, Bob K0NR

While I was searching around for information for the UV5R hacking I have previously done, I came across some schematics for the UV3R. From a first glance it looked like the CPU could be flashed. In fact, in the schematics it looked like they even left the programming pads on the PCB. The UV3R is very similar to the UV5R, except for its lower power and lack of a good LCD and a keypad. Other then that, the two radios have the same RDA1846 chip that is controlled by a CPU.

The CPU used on the UV3R is the MC81F8616 which is capable of being re-flashed many times. Better still, the manufacture of the the chip Abov has all the documentations, the compilers and the programmers for this chip.

Chip Documentation (MC81F8616):
http://www.abov.co.kr/eng/product/info/view.php?dev=mc81f8816
C Compiler: http://www.abov.co.kr/eng/tool/hms800_cc.php

This got me very encouraged since it would be much simpler to hack this radio then removing the CPU on the UV5R; I attempted before. I quickly ordered one, took it apart as soon as it arrived and traced the programming pads (I did not even use, just turn it on to make sure its not DOA).

After looking at the datasheets and their USB programmer program, I was able to trace the protocol and re flash the chip using an arduino. As expected, they had the security bit set, so I could not read the original firmware. However, I was able to erase the chip and upload new code. Fortunately it was not too difficult to figure out how everything functions thanks for the schematics and my previous experience hacking the uv5r. My biggest problem was getting the LCD to function properly since it was a bit mislabeled in the schematics.

As a proof of concept I had the radio tuned to 145.525MHz and listens to a signal. When a strong signal is received it played back 3 dtmf tones as can be seen in the video below.

Anyone is welcome to help and you can start by checking out the code from here:

https://github.com/lelazary/UV3RMod

I also started a thread on the UV3R yahoo groups for anyone wanting to pitch in ideas for the firmware (given the limitations of the RDA1846 chip and 16K of memory). I am not going to promise to implement everything, but if its not to difficult, I will try to. However, since this is going to be open source firmware, you could always try to change it yourself (I will always be willing to help).

Here are my list (if the feature makes it to the repository at
https://github.com/lelazary/UV3RMod/blob/master/WISHLIST
then it would probably be implemented):

Mode 1) Quick interface to program rx freq, tx freq, power and PL code very quickly for repeaters. No offset, you just start with the rx freq and shift it by whichever amount you want. This will allow allow you to turn off the tx, or operate satellites.
At any point during this mode, you can hold the mem channel and it will ask you which number you want to save this to.

Mode 2) Memory mode will allow you to go through your saved memory. At any point you can press menu and change more details about the channel.  The details will include power with granular level, DTMF TX/RX, and other functions TBD. This mode will show the channel name and the freq underneath it.

Mode 4) Satellite Mode: Auto tuning of the frequency with response to the Doppler shift.

Mode 5) Digital mode. Hopefully I could add some text base digital data for rx and tx. You might need to tx the text using morse code since there is no alpha numeric keypad on the radio. The digital mode will also include a store and repeat message forwarding.

Mode 6) Computer mode: All the functions of the radio including the RDA1846 registers, TX, and RX will be controlled through the serial port on the radio.

Mode 7) Fox/Hunt  mode. Can be used to transmit a signal intermittently (like call sign morse code). Or send the RSSI signal into the audio, and with a directional antenna you can go hunting.

Mode 8) Advance mode: Any RDA 1846 register can be set manually and saved for during startup.

Mode 9) If the digital mode works, then RF programming of the radio. This will allow anyone to send you repeater information from their memory locations. I will work by selecting a memory channel to rx, and pressing a button. Then on another radio you can send the programming info.

Programmer Protocol

The implementation of this protocol along with the arduino code and the ongoing firmware can be cloned from github.
https://github.com/lelazary/UV3RMod

Here is the protocol used to get into the chip and program it: A 9V is set on the reset pin (VPP) to enter programing mode.
Protocol sending over SPI LSB first. After almost every byte, the chip will pulse the data line to indicate ACK.

Get Chip ID: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82

Program fuse bits

Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Mode      : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for response should be 0x01
30ms delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55

Erase Chip   :
Get Chip ID   : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Erase         : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x03 0x01 wait 1ms for response should be 0x55
2 sec delay
set 20FF to 0 : 0x55 0xAA 0x5A 0xA5 0x02 0x00 0x00 0x03 0x05 0x00 wait 1ms for response should be 0x55

Read Data:
Get Chip ID    : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay30ms delay
Set Read range: 0x55 0xAA 0x5A 0xA5 0x05 0x00 0x00 0x04 0xC0 0x00 0xC0 0xFF 0x00 <wait for data to go high> read 255 bytes
30ms delay
Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00

Program Data:
Get Chip ID                 : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x00 wait 1ms for response should be 0x82
30ms delay
Set Memory Mode             : 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00
30ms delay
Set program range and data  : 0x55 0xAA 0x5A 0xA5 0x80 0xC0 0x00 0x00 <128 bytes> wait 1ms for 0x55

Set Memory Mode: 0x55 0xAA 0x5A 0xA5 0x01 0x00 0x00 0x05 0x08 wait 1ms for 0x00

DIY instructions for performing this hack

Disclaimer: This hack is a work in progress. If you perform this hack you might transmit on frequencies outside the allowable amateur bands. For now I am keeping the TX amplifiers off, so the radio will not transmit more then a hundred feet. However, anyone can always go into the code and turn them back on. If you do so, you are responsible to insure that you know what you are doing, and take the necessary precaution when transmitting.  I will not be responsible for any damage cause by the radio or to the radio. Remember, once you erase the original firmware, there is no way of getting it back, so the radio will be a brick until you upload the firmware; but if you got this far, then that is exactly what you want.

For this hack you will need an arduino,  NPN transistor (I used 2n394), 1K and 10K resistors, and a 9 volt battery. You could just use a 9V battery and a 10K resistor, but you would need to manually connect the VPP to 10K -> 9V and GND. If you want to do any kind of development, then the transistor is your option.
Connect everything according to the diagram bellow:

I made a small interface with the transistor and a connector so I can plug and unplug the programmer. When the programmer is plugged in, the radio will not function. You will need to disconnect the GND,VPP and VDD for the radio to boot up normally. A connector would allow you to plug the radio for programming and unplug it for testing.

Once you have everything connected, check out the code from here:
https://github.com/lelazary/UV3RMod

Upload the arduino sketch programmer/chipFlash/chipFlash.ino into the arduino
Go into the programmer directory, connect the programmer and the +5V power supply that came with the radio and run the python script uv3rFlash.py . If you choose not to build the transistor circuit then start with the vpp connect to GND, switch it to +9V, run the command, and switch it back to GND.

./uv3rFlash.py -p /dev/ttyUSB0 -e

This will erase the chip using the arduino attached to /dev/ttyUSB0. If you are on windows then use COM5 instead of the /dev/ttyUSB0 or whichever com port the arduino is using.

Then you can run

./uv3rFlash.py -p /dev/ttyUSB0 -w ../firmware/uv3r_firmware.hex

If there are no errors, unplug the programmer, and you should have a brand new firmware on the radio

Troubleshooting:
If something is not working correctly, you can go into the arduino serial monitor program and use the raw commands to see what is going own.

//Protocol
//   CMD      Param               Description
//   S                                        Enter ISP mode
//   C                                        Exit  ISP mode
//   I                                          Get Chip ID
//   F             HH                      Flash config register with hex HH
//   E                                         Erase flash memory
//   P            AAAA LL DDDD…     Program memory with starting at address AAAA length LL and data DDDDDD (2char hex code)
//   R           SSSS EEEE           Read memory from address SSSS to EEEE
//On success return OK
//On failure return ERR

For example typing
SIC <enter>
will start the ISP mode, get the chip id and then close ISP mode. I looks like the chip id is 82, so that is what I am checking in the code. If you are not getting 00 for the id, then something is probably wrong with the connections (check the +5 and vpp).

You may also be interested in these posts on my website:

UV5R hack
http://www.liorelazary.com/index.php?option=com_content&view=article&id=49:hacking-the-baofeng-uv5r&catid=14:baofeng-uv5r&Itemid=17

TX d-start data with the UV5R and filters off.
http://www.liorelazary.com/index.php?option=com_content&view=article&id=50:txrx-digital-data-using-the-uv5r&catid=14:baofeng-uv5r&Itemid=17

Good Luck.

After seeing the piece about making the Raspberry Pi into a WSPR transmitter, I was also intrigued that it could be made to be an FM transmitter using the PiFM code.

Sure enough it can! I followed the instructions on the Imperial College Robotics website then downloaded the code and compiled it up. The default sound file that’s transmitted is a simple tone, but you could easily record a WAV file announcing your callsign!

What a clever bit of code by Oliver Mattos and Oskar Weigl! I’m not a bad programmer, but I wouldn’t have known where to start with this!

I didn’t even bother putting an aerial on the GPIO pin – I wasn’t looking for DX! The RF signal was strong enough to be detected by handheld receivers on the desk.

Great fun! Just the sort of thing for a snowy March day.

I am so pleased with the Raspberry Pi. What fun I have had with it, since I got it at Christmas. Unwisely, I have agreed to do a talk about ‘Life of My Pi’ at the Harwell Amateur Radio Club on April 9th. I’d better get around to preparing it, but there’s certainly going to be plenty of material.

Do you Google+ ?

After an initial flurry on interest in Google+ I couldn’t quite decide what it was for. Like many people I keep contact with friends and family on facebook and it servers a purpose, I can’t say I actually like the platform but it does keep me in contact. Google+ is a similar swervice but for a while I couldn’t understand what it was actually for. If nobody I knew was on it then what use is it to me?

Over the past few months a number of different additions have been made to it. There are now communities that seem to be well populated including several for Ham radio.

Again I wasn’t really sure how these things would benefit me, especially as time seems to disappear very quickly at the moment. But yesterday it struck me that you get out what you put in. Not exactly innovative thinking but I posted a question on one community and was pleasantly surprised to see the responses came quickly and they were relevant. Having tested the water I think its time I used it a bit more, not just a personal news service from various blogs and sites now that Google Reader is going to be shut down.

So if you fancy dipping a toe into the various communities I can recommend it. I struggle to actually explain what the service is but as a geek I’ve found it useful in keeping myself up to date with my interests.

Thanks to the Southgate Amateur Radio news, I’ve just seen that Guido, PE1NNZ has turned a Raspberry Pi into a 10mW WSPR transmitter that works up to 250MHz. Just a low pass filter and an antenna are required in addition to the Raspberry Pi and the software.

The code is available here

The Readme file at Github says the following:

Makes a very simple WSPR beacon from your RasberryPi by connecting GPIO