Tuxprogrammer
commented
1 month ago Not sure if this is more appropriate to post here or to post in your repo, so apologies if this isn't relevant.
I am working on my newly purchased GM-5RH radios to see what I can do about unlocking them. They report at firmware version 5RHL 1.05 GMRS with hardware revision V01.
One note is that this model requires a different nonce to begin serial communication. I had to change PROGRAMBFNORMALU to PROGRAMBFGMRS05U to get it working. I've used the reading portion of your tool without writing because I'm not sure about bricking these just yet and got the following log:
using ttyUSB0
res:06
res:01 36 01 74 04 00 05 20 02 00 02 60 82 87 8A 98
res:5RH +L00000
res:06
read[F240]:52 F2 40 40 82 87 8A 98 A0 B4 09 09 0A 0A 0A 0B 0B 00 00 00 30 30 30 30 30 30 09 00 00 00 00 00 00 0E 0E 0E 0C 0C 0C 0B 0B 0C 0C 0C 0C 10 10 10 10 00 00 00 01 01 36 01 74 01 04 00 05 20 01 02 00 02 60 00It seems like 0xF255 reports the value 0x30 on my specific radio? I think the firmware might be different between these two.
Is there a way I can dump the firmware out of the radio to back it up before I try to flash an alternative firmware?
Also worth noting on this radio: despite it not having airband capability, I was able to flash an AM channel to the memory by patching the BF GMRS CPS app but when I try to go to the channel on the radio, it is like the channel doesn't exist. Either by directly typing the channel number or going up/down in the menu. The channels do show up in CHIRP as AM though if you dump the memory.
Thank you!
Aguspeke
porkfreezer
OK2MOP
I did some rev engineering on the firmware 5RH_NRF_Fangti_V0.14_231124.BF to figure out how to unlock all channels. The external flash location 0xF255 contains a value that sets the limits, with '3' being the most restrictive (ITU1) '5' regular amateur bands and other values fully open.
Here is a little tool that does the job based on the code from the chirp project.
https://github.com/AlphaRne/baofengCtrl