amoxu / Baofeng-UV-5RM-5RH-RE

Reverse Engineering of Baofeng UV-5RM/UV-5RH
BSD 3-Clause "New" or "Revised" License

Info: other compatible firmwares with tools #6

Open OK2MOP opened 3 months ago

OK2MOP commented 3 months ago

Hello, as the E-mail address in commits is probably not working and I was not able to contact repo owner directly, I attach here just a small update for potential additional reverse engineering:

  1. the decryption/encryption tools work also for Radtel .kdhT and .kdhX firmware files (RT-470, RT-490) and potentially other firmware updates I was not able to get (e.g. JJCC8629 is a possible candidate)
    • .kdhT is equivalent to the .BF file with two-part firmware file (with second FW part which includes code in the original SYSTEM bootloader area)
    • .kdhX is just a single encrypted firmware (decryptable with decrypt binary) in main code memory
  2. Some radios (like UV-17/18/21 Pro) use a different LQFP48 CPU with 128kB flash and 32kB RAM. As I do not have access to the firmware besides RT-490 (with two different versions of FW 1.03, for old V1 radio and newer V2 radio), I can only guess which:
    • for old V1 RT-490 the CPU is unknown (around 86-88 records in vector table - I was not able to match it to any Artery AT32 CPUs)
    • for newer (end of 2022+) V2, the CPU is probably an AT32F415CCT7 clone (but one of the last reserved vectors is set to default handler instead of 0 so it is not a perfect match)
    • if anybody can share Baofeng UV18PRO or UV17PRO firmware, I would like to look at it

73, Pavel, OK2MOP

amoxu commented 3 months ago

UV18PRO_6818_V1.14_230330.zip UV17PRO_6818_V1.18_230115.zip Attached fw file for your information.

Upon reverse engineering their upgrade tool (written in .NET, can be examined using ILSPY), you will be pleasantly surprised. Within a class named BootHelper, a list of possible models or manufacturers is defined, including JJCC, Baofeng, SenHaiX, and others. Using this list of models, one can locate firmware upgrade packages and new version upgrade tools from various manufacturers. Further decompilation can reveal additional model lists.

Later, I discovered that this is a solution provider company called KeDiHeng. They specialize in purchasing and customizing MCUs from MCU manufacturers like Gigadevice/Artery, branding them with the name KDH32xxxx, and using them in their design. The encrypted firmware's suffix "kdh" is also an abbreviation of their company name. They specifically design handheld radio solutions (including PCBs + firmware) for radio manufacturers.

It's possible that dozens or even hundreds of different models of radios on the market are designed by their team. These designs share similar hardware designs and software codebases. This suggests that if an excellent open-source system is designed or ported, potentially tens of millions of handheld radios already in the market could immediately receive upgrades and enhancements, greatly benefiting users.

amoxu commented 3 months ago

BTW, you can directly reach me with the email address on my github profile.

OK2MOP commented 3 months ago

Thanks, I have already looked at those tools with ILSpy last week, there are actually other flasher models, one of the other interesting ones is for RT-850 (which has open firmware and seems to use same CPU as the BF-5RH) and uses UTF-16 to store hex files with firmware inside of the flasher. This type is also used for Abbree AR-2520 with larger memory and up to 25W power (and CPU probably like the one in UV-17/UV-18 Pro).

EDIT:

> BTW, you can directly reach me with the email address on my github profile.

That's the one I have used but it did not work from my gmail for some reason.

amoxu commented 3 months ago

IMG_20240311_104457.jpg

Attached AR2520 internal photo fyi

OK2MOP commented 3 months ago

So my speculation about the Abbree AR-2520 CPU has proven correct. Interestingly, your internal photo shows a different footprint on the top side than the one seen in a video from earlier last year. Is this the GPS (labeled as V2 by sellers) or the non-GPS version?

Unfortunately, I had no luck yet identifying the UV17/18 Pro CPUs, they do not seem to be Gigadevice/Artery/STM32G0 ones. I will try to continue looking.

amoxu commented 3 months ago

My AR2520 is the V2 version, which has GPS. IMG_20240311_224421.jpg

There is also a preserved Bluetooth? chip pad.

OK2MOP commented 3 months ago

Yes, this was discussed within the video I mentioned, some of the radios have Bluetooth for Android app management option, but it has not been installed in this device.

One of the AR-2520s is on its way to me now, theoretically this one should be easier to hack with the existing RT-890 codebase than UV-5R/UV-1 PRO

The second slot seems to be for SD card reader

amoxu commented 3 months ago

> Unfortunately, I had no luck yet identifying the UV17/18 Pro CPUs, they do not seem to be Gigadevice/Artery/STM32G0 ones. I will try to continue looking.

That's easy, I just need to open my radio and share some photo here.

Here is the UV17 Pro.

IMG_20240311_225725.jpg

IMG_20240311_225730.jpg

IMG_20240311_225735.jpg

IMG_20240311_225741.jpg

amoxu commented 3 months ago

And here is the UV18 Pro, these photos were taken a few months ago.

The MCU was rebranded as KD32F401RBT6, I will detect its real mcuid with openocd later.

IMG_20240311_230145.jpg

IMG_20240311_230150.jpg

IMG_20240311_230200.jpg

IMG_20240311_230230.jpg

OK2MOP commented 3 months ago

The UV-17 Pro is probably clearly the old hardware based on the 2022 year on the PCB (there are two variants in the wild, does it have the blue/white screen?). You did not have to disassemble it for me, hope it was OK to re-assemble. The "fingerprint" of vector table does not seem to match the CPU type in the decompiled firmware by a lot, so the firmware is probably for the other (new) version with FD6818.

If I were to guess, both the new UV-17 Pro and UV-18 Pro Max use the same CPU as in the UV-18 Pro post as seen on the photo. I think it could be some clone of LQFP64 STM32F401RBT6 but with limitations (it reminds me of the "TYT" CPU in newer RT3s/UV-1701s the people of OpenGD77 core development team had issues with, as they did not support all of the features of original and FreeRTOS was not running on them before they added some fixes). However, I was not able to find startup_stm32f401xb.s (only startup_stm32f401xc.s/startup_stm32f401xe.s and they have different size of vector table) to confirm this yet.

To mod the firmware, there is, however, an additional complication of it using NRF FD6818 TRX.

BTW, your collection of radios is impressive; although I am a freak with that as well and have ordered quite a lot of them in the past (mainly the DMR models), I cannot compare.

OK2MOP commented 3 months ago

OK, so now I found out I stripped the initial 16 bytes of the UV files with the tool when I was tired yesterday evening so nothing made sense. But it is not making sense now either, as the table in UV-17 Pro/UV-18 Pro Max now corresponds to the AT32F415 table seen in other devices, not the STM device. Maybe they forgot to change it in the SDK and yet it works?
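The vector-table "fingerprinting" used above (counting records, spotting reserved slots that are 0 versus ones pointing at the default handler, and first skipping a 16-byte header if one is present) can be done mechanically on a decrypted image. The script below is an added example, not a tool from this repo; the memory windows, the 16-byte header candidate and the end-of-table heuristic are assumptions, and the sample image is constructed, not a real dump.

```python
import struct
from collections import Counter

# Assumed Cortex-M memory windows; adjust for the part under study
FLASH_BASE, FLASH_END = 0x08000000, 0x08100000
SRAM_BASE, SRAM_END = 0x20000000, 0x20100000
MAX_VECTORS = 256  # 16 core exceptions + up to 240 external IRQs

def looks_like_handler(word):
    # Cortex-M handlers are Thumb addresses: odd, and inside flash
    return (word & 1) == 1 and FLASH_BASE <= word < FLASH_END

def find_table_offset(blob, candidates=(0, 16)):
    # A decrypted image may still carry a 16-byte header (assumption); the
    # table starts where word0 is an SRAM stack pointer and word1 is a handler.
    for off in candidates:
        if len(blob) >= off + 8:
            sp, reset = struct.unpack_from("<II", blob, off)
            if SRAM_BASE <= sp < SRAM_END and looks_like_handler(reset):
                return off
    return None

def vector_table_fingerprint(blob):
    # Returns None if no table is found, otherwise a dict describing it
    off = find_table_offset(blob)
    if off is None:
        return None
    entries = []
    for pos in range(off, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, pos)[0]
        # Heuristic end of table: first word that is neither a reserved slot (0)
        # nor a plausible handler; a code word can occasionally pass this test
        if entries and word != 0 and not looks_like_handler(word):
            break
        entries.append(word)
        if len(entries) >= MAX_VECTORS:
            break
    handlers = [w for w in entries[1:] if w != 0]
    default, default_count = Counter(handlers).most_common(1)[0]
    return {
        "offset": off,
        "records": len(entries),  # SP + vectors, the "records" counted in the thread
        "zero_slots": tuple(i for i, w in enumerate(entries) if i and w == 0),
        "default_handler": default,
        "default_count": default_count,
        "distinct_handlers": len(set(handlers)),
    }

def build_sample_image(header=b""):
    # Constructed test image, not a real firmware: 86 records, one shared
    # default handler, reserved slots zeroed, followed by two code-like words
    default, reset, systick, irq = 0x08000131, 0x08000101, 0x08000201, 0x08000301
    table = [0x20008000] + [default] * 85
    table[1], table[15], table[19], table[46] = reset, systick, irq, irq
    for idx in (7, 8, 9, 10, 13, 20, 50):
        table[idx] = 0
    return header + struct.pack("<86I", *table) + bytes.fromhex("10b5704700bf00bf")
```

Comparing the `records` count and the `zero_slots` positions of two images (or of an image against a vendor startup file) is what distinguishes candidate parts; a reserved slot that holds the default handler instead of 0 shows up as a missing index in `zero_slots`.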

amoxu commented 3 months ago

> does it have the blue/white screen?).

You are right if you were talking about the factory firmware style. The right one beside the UV17 Pro is the UV17L, which uses AT32F421? (I guess, not validated).

IMG_20240312_000500.jpg

IMG_20240312_001017.jpg

> You did not have to disassemble it for me, hope it was OK to re-assemble.

Never mind bro! Almost every radio I bought had been or will be disassembled.

OK2MOP commented 3 months ago

UV17L has similar HW like the BF UV-5RH/AT1846S in the non-RF part, and same CPU (SYN2A-000). Only the Pro/UV-1XH/UV-21H models have CPU with more flash/RAM to be able to handle the GPS (and kdhx firmware).

Actually I think the GUI has differences only because of different images representing the interface being uploaded to flash.

amoxu commented 3 months ago

Regarding performance improvement, I found a solution last year, you can use AT32F402CCT7, which is fully pin-compatible with AT32F421C8T7, and has a 226MHz operating frequency, 256KB Flash and a maximum of 102KB of RAM. Of course, there is an additional 20KB system bootloader that can be used as code flash. There is just one problem. It is really difficult for ordinary users to use a heat gun to replace the MCU.

amoxu commented 3 months ago

I have contacted several Chinese radio companies (both manufacturers and solution designers) and they have received my feedback.

On the one hand, I encourage them to use MCUs with redundant performance so that their products will have the opportunity to be enhanced by the open source community in the future.

At the same time, I am also pushing them to reserve audio path for M17 open source digital communication. If you are interested in M17 or OpenRTX, please follow the community.

Baofeng may release related products in the coming few months.

OK2MOP commented 3 months ago

Hi, so either my suspicion that the CPU does not match the firmware was right, or something else wrong is happening: I have flashed the UV-18 Pro Max firmware to the radio (the one with airband) after doing the sanity check I was able to do (checking that the HW revision in the firmware file matches the one on the radio display) and the radio boots into the GUI, but the reaction including the audio playback is slowed down to <10%. Either the CPU is set up wrong or the peripherals inside are different, e.g. the radio is not FD6818 and some calls time out preventing the reaction. Disassembled the radio and the CPU cannot be verified, the FD6818 is there. In any case, do not flash the firmware to your radio as it will also probably make it unusable (or maybe not, my HW revision is listed as 1.5 and yours is 1.3). But in firmware both HW versions are V1.30 (and my FW version was V1.3)

IMG_20240311_204258~2 IMG_20240311_204606__01 IMG_20240311_204552~2 IMG_20240226_213806-mask

The conclusion to this is probably the following: with the different firmware and hardware revisions not distinguishable by the HW version and the need to actually disassemble the radio to check the variant, it will probably be impossible to create open-source reverse-engineered firmware which would be usable by different people.

amoxu commented 3 months ago

UV18Pro_NRF_NORX_V1.03_240306(1).zip Try this.

OK2MOP commented 3 months ago

That did the trick, main parts of the radio are working again (GPS may have problems due to cold start or antenna connection after disassembly, I have to check which), so with the correct firmware to restore, the potential to upload my own test firmware has increased.

If I have decoded it correctly, this actual model is not equipped with the FM radio chip and the main loop with tasks was stuck waiting for it to answer, which led to the degraded performance... I was not able to identify the missing components, but I did not guess it was that. But the FM radio is working in the firmware, maybe through FD6818?

OK2MOP commented 3 months ago

So I have played with the radios I have, and tried to extract the bootloaders. For RT-890 I have modified the OEFW firmware to dump these areas, for UV-18 Pro I was repeatedly failing to succeed when building with make and AT32 IDE, but finally figured out about an hour ago how to add the missing platformio packages and then the compilation resulted in working firmware. Attached are the dumps of bootloaders and system bootloaders.

dumped-rt890.zip (the sys bootloader vector table looks strange, however). dumped-uv18pro.zip

I have reversed most of the bootloader from the repo and RT-890 BL, but there are no surprising hidden commands, the bootloaders match the protocol from the flashers.

The ABBREE AR-2520 arrived, but unfortunately there is a V2 firmware, which differs from the V1 available on the Internet so I am stuck until/if I ever get the V2 equivalent FW because I would brick the device experimenting with it.

EDIT: Not surprisingly, the UV18Pro BL does not have the 0x5 command for switching upload to sysbootloader area, otherwise the functionality is similar to the one of UV-5RH.

OK2MOP commented 3 months ago

> At the same time, I am also pushing them to reserve audio path for M17 open source digital communication. If you are interested in M17 or OpenRTX, please follow the community.
>
> Baofeng may release related products in the coming few months.

I have looked at the specifics of M17 and I am afraid even with the reserved audio path the presently used AT32F415 128kB/32kB MCUs will not get even close to the required minimal configuration for M17. Now a possibility would be an external MCU with serial communication (like the M17 serial mike redone to be handheld) and USART communication, but I have studied the publicly available BK4819 and FD6818 datasheets and they do not mention the possibility of an MSK 9600 bps mode needed for this type of operation.

So the best such handheld radio would probably be something like an "MD-389/MD-UV399 plus" with 10 W MD-UV380/390 GPS base hardware where OpenGD-77 is now in beta state, and BK4819 (or if we hack it, as it seems similar register-wise, also FD6818) with the audio path routed to the MCU. But these are becoming quite expensive even with the present 10W HW.