Info: other compatible firmwares with tools #6
Comments
|
UV18PRO_6818_V1.14_230330.zip Upon reverse engineering their upgrade tool (written in .NET, can be examined using ILSPY), you will be pleasantly surprised. Within a class named BootHelper, a list of possible models or manufacturers is defined, including JJCC, Baofeng, SenHaiX, and others. Using this list of models, one can locate firmware upgrade packages and new version upgrade tools from various manufacturers. Further decompilation can reveal additional model lists. Later, I discovered that this is a solution provider company called KeDiHeng. They specialize in purchasing and customizing MCUs from MCU manufacturers like Gigadevice/Artery, branding them with the name KDH32xxxx, and using them in their design. The encrypted firmware's suffix "kdh" is also an abbreviation of their company name. They specifically design handheld radio solutions (including PCBs + firmware) for radio manufacturers. It's possible that dozens or even hundreds of different models of radios on the market are designed by their team. These designs share similar hardware designs and software codebases. This suggests that if an excellent open-source system is designed or ported, potentially tens millions of handheld radios already in the market could immediately receive upgrades and enhancements, greatly benefiting users. |
|
BTW, you can directly reach me with the email address on my github profile. |
|
Thanks, I have already looked on those tools with ILSpy last week, there are actually other flasher models, one of the other interesing ones is for RT-850 (which has open firmware and seems to use same CPU as the BF-5RH) and uses UTF-16 to store hex files with firmware inside of the flasher. This type is also used for Abbree AR-2520 with larger memory and up to 25W power (and CPU probably like the one in UV-17/UV-18 Pro). EDIT:
That's the one I have used but it did not work from my gmail for some reason. |
|
Attached AR2520 internel photo fyi |
|
So my speculation about the Abbree AR-2520 CPU has proven correct. Interestingly your internal photo shows different footprint than one seen in a video from earlier last year on top side. This is GPS (labeled as V2 by sellers) or non-GPS version? Unfortunately, I had no luck yet identifying the UV17/18 Pro CPUs yet, they do not seem to be Gigadevice/Artery/STM32G0 ones. I will try to continue looking. |
|
My AR2520 is V2 version which with GPS. There is also a preserved Bluetooth? chip pad. |
|
Yes, this was discussed within the video I was mentioning, some of the radios have Bluetooth for Android app management option, but it has not been installed in this device. One of AR-2520s is on a way to me now, theoretically this one should be easier to hack with the existing RT-890 codebase than UV-5R*/UV-1* PRO The second slot seems to be for SD card reader |
That's easy, I just need to open my radio and share some photo here. Here is the UV17 Pro.
|
|
And here is the UV18 Pro, these photo were taken few months ago. The MCU was rebranded as KD32F401RBT6, I will detect its real mcuid by openocd later.
|
|
The UV-17 Pro is If I were to guess, both the new UV-17 Pro and UV-18 Pro Max use the same CPU as in the UV-18 Pro post as seen on the photo. I think it could be some clone of LQFP64 STM32F401RBT6 but with limitations (it reminds me of the "TYT" CPU in newer RT3s/UV-1701s the people of OpenGD77 core development team had issues with, as they did not support all of the features of original and FreeRTOS was not running on them before they added some fixes). However, I was not able to find startup_stm32f401xb.s (only startup_stm32f401xc.s/startup_stm32f401xe.s To mod the firmware, there is, however an additional complication of it using NRF FD6818 TRX. BTW, your collection of radios is impressive, although if I am a freak with that as well and have ordered quite a lot of them in past (mainly the DMR models), I cannot compare. |
|
OK, so now I found out I stripped the initial 16 bytes of the UV files with the tool when I was tired yesterday evening so nothing made sense. But it is not making it now either, as the table in UV-17 Pro/UV-18 Pro Max corresponds to AT32F415 table seen in other devices now not the STM device. Maybe they forgot to change it in SDK and yet it works? |
You are right if you were talking about the factory firmware style. The right one besides UV17 Pro is UV17L which using AT32F421?(i guess, not validated).
Never mind bro! Almost every radio I bought had been or will be disassembled. |
|
UV17L has similar HW like the BF UV-5RH/AT1846S in the non-RF part, and same CPU (SYN2A-000). Only the Pro/UV-1XH/UV-21H models have CPU with more flash/RAM to be able to handle the GPS (and kdhx firmware). Actually I think the GUI has differences only because of different images representing the interface being uploaded to flash. |
|
Regarding performance improvement, I found a solution last year, you can use AT32F402CCT7, which is fully pin-compatible with AT32F421C8T7, and has a 226MHz operating frequency, 256KB Flash and a maximum of 102KB of RAM. Of course, there is an additional 20KB system bootloader that can be used as code flash. There is just one problem. It is really difficult for ordinary users to use a heat gun to replace the MCU. |
|
I have contacted several Chinese radio companies (both manufacturers and solution designers) and they have received my feedbacks. On the one hand, I encourage them to use MCUs with redundant performance so that their products will have the opportunity to be enhanced by the open source community in the future. At the same time, I am also pushing them to reserve audio path for M17 open source digital communication. If you are interested in M17 or OpenRTX, please follow the community. Baofeng may release related products in coming few months. |
|
Hi, so either my suspicion that the CPU does not match the firmware was right, or something else wrong is happening: I have flashed the UV-18 Pro Max firmware to the radio (the one with airband) after doing sanity check I was able to do (checking the the HW revision in the firmware file matches the one of the radio display) and the radio boots into the GUI but the reaction including the audio playback is slowed down to <10%. Either the CPU is set up wrong
The conclusion to this is probably following: |
|
UV18Pro_NRF_NORX_V1.03_240306(1).zip |
|
That did the trick, main parts of radio are working again (GPS may have problems due to cold start or antenna connection after disassembly, I have to check which), so with correct firmware to restore the potential to upload own test firmware increased. If I have decoded it correctly, this actual model is not equipped with the FM radio chip and the main loop with tasks was stuck waiting for it to answer which lead to the degraded performance... I was not able to identify the missing components, but I did not guess it was that. But the FM radio is working in the firmware, maybe through FD6818? |
|
So I have played with the radios I have, and tried to extract the bootloaders. For RT-890 I have modified the OEFW firmware to dump these areas, for UV-18 Pro I was repeatedly failing to succeed when building with make and AT32 IDE, but finally figured about an hour ago how to add the missing platformio packages and then the compilation resulted in working firmware. Attached are the dumps of bootloaders and system bootloaders. dumped-rt890.zip (the sys bootloader vector table looks strange, however). I have reversed most of the bootloader from the repo and RT-890 BL, but there are no suprising hidden commands, the bootloaders match the protocol from the flashers. The ABBREE AR-2520 arrived, but unfortunately there is a V2 firmware, which differs from the V1 available on the Internet so I am stuck until/if I ever get the V2 equivalent FW because I would brick the device experimenting with it. EDIT: Not surpisingly, the UV18Pro BL does not have the 0x5 command for switching upload to sysbootloader area, otherwise the functionality is similar to the one of UV-5RH. |
I have looked at the specifics of M17 and I am afraid even with the reserve audio path the presently used AT32F415 128kB/32kB MCUs will not get even close to required minimal configuration for M17. Now a possibility would be an external MCU with serial communication (like the M17 serial mike redone to be handheld) and USART communication, but I have studied the publicly available BK4819 and FD6818 datasheets and they do not mention possibility of MSK 9600 bps mode needed for this type of operation. So the best such handheld radio would be probably something like "MD-389/MD-UV399 plus" with 10 W MD-UV380/390 GPS base hardware where OpenGD-77 is now in beta state, and BK4819 (or if we hack it, as it seems similar register-wise, also FD6818) with the audio path routed to the MCU. But this are becoming quite expensive even with the present 10W HW. |
Hello OK2MOP, Can you tell me how i can contact you? I tried to upgrade UV-17ProGPS from version 1.03 to 1.11 and now, the unit is bricked. can you explore the file and give a solution for recovery? |
|
UV17PRO_401 _NRF_V1.11_240808.zip |
|
Hello, good morning! I have a Baofeng UV 17 Pro GPS, the original firmware is 1.03. I updated it with the firmware UV17PRO_401 _NRF_V1.11, and the radio crashed. I need to downgrade it to F.W1.03 (I don't have a tool to extract it from another radio I have here). I couldn't find it available anywhere! =( Dailton, Brazil. |
Another public available fw file for UV17PRO is UV17PRO_6818_V1.18_230115.zip, try it. |
|
Another public available fw file for UV17PRO is UV17PRO_6818_V1.18_230115.zip, try it. Thanks, I'll test it here! |
Hello good evening! I installed the fw UV17PRO_6818_V1.18, the radio came back, but it was slow (with a delay of one second in the commands, and not all the functions came back). I have another UV 17 pro GPS with fw 1.03, I'm going to buy an SPI communicator to extract and try to recover it.
|
|
It seems like the same issue like I had for UV-18 Pro 1.03 vs other firmware. You have the same MCU but something (probably external XTAL) is missing. Unless something like UV18Pro_NRF_NORX_V1.03_240306.zip exists for UV17Pro, you are probably stuck. Because the 1.03 is actually a newer firmware, and the 1.18 is for older hardware revision of this model. |
It's interesting how FW 1.03 is more up-to-date than 1.18, but I've already been told that. In the original FW1.03, the AM modulation saturates the audio when an aircraft is close by (I really like this VHF band). I'm going to try to copy FW 1.03 from the other radio by buying an SPI communiqué from some Chinese website. I'm also going to get another radio that has FW 1.27 here. If I can get it, I'll put it here for download =) |
|
Theoretically it could be possible to extract firmware over SWD MCU pins but I am not sure if this model has the L1 readout protection enabled or not (the same revision of UV18Pro had the protection enabled, if I remember correctly). Partial extraction is possible with special dumper due to bootloader implementation, but you would be missing at least first 1 kB of firmware since you need to replace it with the dumper, so it will not help. Please note that the firmware is stored inside of the MCU, not in SPI flash. That contains only data. So extraction from other radio will not be possible the way you are mentioning in previous post. If you do not have the other radio, and plan to buy it, I strongly suggest against it (you may even receive a different HW revision) as these models have/had very bad second harmonic of VHF and transmit into military band. The same base solution platform is used for Talkpod A36+ MAX (8W version only!) which does not have a GPS, but Andrej is working on open firmware and has most of the functions already working, but the HW and MCU are different so that firmware will not work for this radio either. EDIT: Just for information, even for disabled readout protection you would need DAPLink/STLinkV2 and access to SWDIO and SDWCLK pins for firmware extraction. |
Thanks for the information, my friend =). When I bought this Baofeng, the seller (Chinese website store) said it was FW 1.27 (the airband is much better), but it arrived with FW 1.03 =( Actually, I'm more used to Quansheng or Radtel, Baofeng is more complicated!
|
|
I just received my Baofeng UV-17 Pro GPS with FW 1.03 and AirBand reception is very pour when compared to my other radios like TIDRADIO H3, Talkpod A36Plus , Quansheng UV K5, Radtel RT-470 V1. Do I understand correctly that FW 1.27 would improve thing for Baofeng UV-17 Pro GPS ? |
|
NO. FW 1.27 is for older hardware revision, if you flash this firmware, you will brick your device. 1.03 is actually more recent |
So at the moment there is no better firmware solution for this radio? |
|
No, and there is not even a dump of the firmware available (and the radio is probably protected against dumping it) so you cannot go back. Plus note that the issue may not only be in firmware, but also in hardware, because it uses (at least in this revision) FD6818 not BK4819 radio so the performance may be different because of that (the radios you have mentioned use BK4819). There is calibration data stored in flash, but I am not aware of a setting which would control AM reception |
I'VE BEEN TRYING TO FIND OUT THESE DAYS. NOW AS FOR THE BAOFENG UV17 PRO GPS, It has two types of board (hardware).
There's a really cool Facebook group, the name is: "Baofeng UV-17 Pro GPS" Someone correct me if I'm wrong! |
|
Hi friends, I would like to know where I can get the original firmware for the BF.17 PRO GPS In the new BF uv-k61, good equipment but the menu leaves a lot to be desired. Is there anyone who can improve the menu so that it is more modern? Anyway, I have the firmware for the uv k61 equipment in case anyone wants to do the tests. |
|
UV17PRO_6818_V1.18_230115 |
|
Hello. I have Baofeng K5Plus (MCU SYN2A-000, radio FD6818). The MCU is broken and needs to be replaced. Does anyone have a processor firmware for this radio station? |
|
Hello, SYN2A-000 is AT32F421C8T7 (QFP-48) MCU. But there is a caveat - the system bootloader area is overwritten by part of the firmware (kdhT firmwares) or custom bootloader (kdhx) so you need SWD and modyfing the control register to do that. See @amoxu comment above where he replaced it with AT32F402CCT7. If you are really advanced user with great QFP soldering skills, you could try it, but otherwise I suggest you do not bother and buy a new radio (there will be a Radtel soon - RT-900? with same code base and BK4829 - right now KSUT sells it as UV110D, but with broken calibration for L/M on VHF - and they want to make the firmware/tools open source)
|
Hello,
as the E-mail address in commits is probably not working and I was not able to contact repo owner directly, I attach here just a small update for potential additional reverse engineering:
73, Pavel, OK2MOP
The text was updated successfully, but these errors were encountered: