Skip to content

Latest commit

 

History

History
364 lines (301 loc) · 23.1 KB

README.org

File metadata and controls

364 lines (301 loc) · 23.1 KB

Tytera MD380 firmware experiments

Introduction

The code here is currently based on work from Pat Hickey, taken from https://github.com/pchickey/md380-re.

Goal: I want to write my own firmware for the MD380, similar to the md380-re project. If I’m successful, I actually want to be able to run this firmware :-) But don’t hold you breath: most software projects on GitHub/BitBucket/etc are abandonware (e.g. md380-re), so why should this project should have a better future?!?!

To get my feet wet a bit, i first want to understand the Tytera recovery bootloader, µC/OS and RTOS a bit.

Holger, DH3HS

Resources

TYT MD380

Reverse engineering:

Radio manuals:

Grab bags:

Random twitter channels:

About AMBE+ encoding/decoding

Similar devices:

STM32F4

(there are more links to PDF documents in the list of used integrated circuits)

Software setup [16%]

  • [X] get FreeRTOS to compile
  • [ ] add infrastructore to wrap & flash it
  • [ ] let the app interact
  • [ ] add USB support
  • [ ] add syslog
  • [ ] add memory access

Hardware access [0%]

  • Buttons
    • [ ] detect buttons
    • [ ] detect long / short presses
  • LED
    • [ ] direct output
    • [ ] PWM output
  • Backlight
    • [ ] direct output
    • [ ] PWM output
  • Volume - Button
  • Power off
  • Channel
  • LCD
  • Frequency synthesizer
  • FM
  • DMR
  • USB

Hardware details

<<chips>>List of used integrated circuits

  • DS: Data Sheet
  • RM: Reference Manual
  • PM: Programming Manual

These integrated are used according to the schematics (which is known to be not exact):

ICTypeUsageLocal PDFs
U101<<U101>>NJM2902VQuad OpAmp, AF_OUT to QT_DQT_INDS
U102<<U102>>NJM2902VQuad OpAmp, AF_OUT to 2T/5T and VOL_OUTDS
U103<<U103>>NJM2100VDual OpAmp for Microphone, also VOXDS
U104<<U104>>UMC4NSwitch, 5R_A from FM_SW for U101DS
U105XC6204B502MRLDO regulator, MIC_5V for U103 by MICPWR_SWDS
U201<<U201>>HR_C5000Digital Basebandchinese, english
U202missingnot in schema
U203TC75S51FSingle OpAmp, LINEOUT towards VOL_OUTDS
U204TDA2822DAudio amplifier, VOL_OUT towards speakerDS
U301STM32F405VGT6MCURM, PM, DS
U302W25Q128FVSIGFlashDS
U303PST9124MCU and C59000 reset circuitDS
U303missingnot in schema
U305nc?Flash
U307HR_V3000SALPU AES key?
U401LM2734XBuck converter for “3V3”DS
U402XC6204B502MRLDO regulator for “5T”DS
U403XC6204B502MRLDO regulator for “5R”DS
U404XC6204B502MRLDO regulator for “5C”DS
U405nc?nc, from BAT+ to BACK3V3
U501GT3136Receiver, LO, IF Amp, Lim, DemodDS
U502<<U502>>NJM2904VDouble OpAmpDS
U503UMC4NSwitch, DMR_VCC for U201 via DMR_SWDS
U504missingnot in schema
U505<<U505>>UMC4NSwtch, APT/TV for U505 via RF_APC_SWDS
U601SKY72310Frequency SynthesizerDS
U602XC6204B332MRLDO Regulator for “PLL3V3”DS
U603NJM2904VSingle OpAmpDS
U604UMC4NSwitch, RX_VCOVCC via VCOVCC_SWDS
-ILI9481 ?LCD panelDS

<<mcu>>Processor

Schematics page 3, left side of CPU

Note 1: the schematics is known to be not correct, so take the information here with caution. Processor pins that I haven’t verified are still in parentheses. I’ll use the disassembly of the bootloader, firmware, the applets in the md380tools project or information from the GPIO alternate function registers for this, but so far I’m quite at the beginning …

Note 2: the `CS8x0: blah’ texts denote the signal description from the CS 8x0 Service manual. They might be wrong or misleading, especially the active high/low notations. But they give an additional hint …

Processor pinSignalDirNotes
(PA10)DMR_SW<<DMR_SW>>ICS8x0: “DMR Receive IF Switch(High Active)”
(PA9)VCOVCC_SW<<VCOVCC_SW>>O?CS8x0: “RXVCO/TXVCO Control(High for RX)”
(PB11)ECN3I?encoder switch, probably for the channel
(PB10)ECN2I?encoder
(PE15)ECN1I?encoder
(PE14)ENC0I?encoder
(PE13)FM_MUTEOmutes AF_OUT, VOL_OUT, 2T/5T, CS8x0: “FM RX Mute(High Active)”
(PE12)EXT_PTTI?3.5mm jack shield
(PE11)PTT_KEYIhardware PTT key
(PE10)LCD_D7LCD
(PE9)LCD_D6LCD
(PE8)LCD_D5LCD
(PE7)LCD_D4LCD
(PB2)FM_SW<<FM_SW>>OCS8x0: “FM Receive IF Switch(High Active)”
(PB1)BUSYIGT3136, CS8x0: “Carrier Detect Input”
(PB0)RSSII?GT3136, CS8x0: “RSSI Detect Input”
(PC5)5TCOPMIC XC6204, controls signal “5T”
(PC4)RF_APC_SW<<RF_APC_SW>>OM2904 OPAMP, CS8x0: “RF Amplifier Switch(High Active)”
(PA7)POW_COcontrol BAT7V5, maybe used for power off
(PA6)K1keypad?
(PA5)MOD2_BIASOCS8x0: “TCXO Frequency D/A Adjust”
(PA4)APC/TVOM2904 OPAMP, sender? CS8x0: “APC/TV D/A Output”
(PA3)VOX<<VOX>>Ifrom microphone integrator
(PA2)QT_DQT_IN<<QT_DQT_IN>>Iaudio output from U101, switched by FM_SW
(PA13)W/N_SWOwide/narrow switch?

Schematics page 3, bottom side of CPU

Processor pinSignalDirNotes
(PA8)SAVEOPMIC XC6204, control signal “5V”
(PC9)5RCOPMIC XC6204, control signal “5R”
(PC8)BEEPOgoes to VOL_OUT, 2T/5T, DTMF_OUT, CS8x0: “BEEP/ALARM/DTMF Output”
(PC7)CTC/DCS_OUTOM2904 OPAMP, CS8x0: “CTCSS/DCS TCXO Output”
(PC6)LCD_LAMPOLCD backlight
(PD15)LCD_D1LCD
(PA1)BATI?maybe to measure the battery power
(PA0)TX_LEDOred
(PC3)2T/5T<<2T/5T>>IHR C5000, CS8x0: “2T/5T data input”, this is AF_OFOUT amplified U102
(PC2)RF_TX_INTERI?HR C5000
(PC1)SYS_INTERI?HR C5000
(PC0)TIME_SLOT_INTERI?HR C5000
(PC15)OSC32_OUT
(PC14)OSC_32IN
(PC13)BSHIFTOgoes to 8MHz quartz
(PE5)PLL_DAT<<PLL_DAT>>, DMR_SDISKY72310 DATA, HR C5000 U_SDI
(PE4)DMR_SDOHR C5000 U_SDO
(PE3)DMR_SCL, PLL_CLK<<PLL_CLK>>HR C5000 U_SCLK, HR C5000 CLK
(PE2)DMR_CSHR C5000 U_CS
(PE6)DMR_SLEEPO?HR C5000 PWD, CS8x0: “DMR POWERDOWN(High Active)”

Schematics page 3, right side of CPU

Processor pinSignalDirNotes
(PA14)MICPWR_SW<<MICPWR_SW>>OPMIC XC6204, control signal “MIC_5V”, CS8x0: “MIC Power Switch(High Active)”
(PA15)I2S_FSHR C5000 C_CS
(PC10)I2S_CKHR C5000 C_SCLK
(PC11)I2S_RXHR C5000 C_SDI
(PC12)I2S_TXHR C5000 C_SDO
(PD0)LCD_D2LCD
(PD1)LCD_D3LCD
(PD2)K2keypad?
(PD3)K3keypad?
(PD4)LCD_RDLCD
(PD5)LCD_WRLCD
(PD6)LCD_CSLCD
(PD7)FLASH_CSW25Q128FVSIG CSN
(PB3)FLASH_SCLKW25Q128FVSIG SCK
(PB4)FLASH_SDOW25Q128FVSIG SO
(PB5)FLASH_SDIW25Q128FVSIG SI
(PB6)SCLHR V3000S, ALPU AES key?
(PB7)SDAHR V3000S, ALPU AES key?
(PB8)SPK_COspeaker mute?
(PB9)AFCO
(PE0)RX_LEDgreen
(PE1)ncnc
(PA11)USB_D-USB
(PA12)USB_D+USB

Schematics page 3, top side of CPU

Processor pinSignalDirNotes
(PB12)V_CSHR C5000 V_CS
(PB13)V_SCLKHR C5000 V_SCLK
(PB14)V_SDOHR C5000 V_SDO
(PB15)V_SDIHR C5000 V_SDI
(PD8)FLASH_CS1nc?
(PD9)FLASH_CS2nc?
(PD10)PLL_LD<<PLL_LD>>SKY72310 PS
(PD11)PLL_CS<<PLL_CS>>SKY72310 /CS
(PD12)LCD_RSLCD
(PD13)LCD_RSTLCD
(PD14)LCD_D0LCD

<<lcd>>LCD

SignalProcessor pin
LCD_D0PD14
LCD_D1PD15
LCD_D2PD0
LCD_D3PD1
LCD_D4PE7
LCD_D5PE8
LCD_D6PE9
LCD_D7PE10
LCD_RDPD4
LCD_WRPD5
LCD_CSPD6
LCD_RSPD12
LCD_RSTPD13

<<fsynth>>Frequency synthesizer

NoPINDirMCU pinNotes
4PSAOPLL_LDphase detector out-of-lock signal, open collector
20DATAIPLL_DATSDI data
22CLKIPLL_CLKSDI clock
InCSiPLL_CSSDI, l-h transition stores clocked in data

Radare and the boot loader

Get radare

$ git clone --depth 1 https://github.com/radare/radare2

(Re)Compile radare

cd radare
git clean -fdx
git pull
sys/build.sh `pwd`/dist
make symstall

I use a little helper script …

#!/bin/sh
LD_LIBRARY_PATH=
for _FILE in /usr/src/radare2/libr/*/libr_*.so; do
	_DIR=$(dirname "$_FILE")
	if [ -z "$LD_LIBRARY_PATH" ]; then
		LD_LIBRARY_PATH="$_DIR"
	else
		LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$_DIR"
	fi
done
export LD_LIBRARY_PATH

_FILE="$(basename $0)"
test "$_FILE" = "r2" && _FILE="radare2"

/usr/src/radare2/binr/$_FILE/$_FILE $*

… that I link to ”~/bin/r2”, ”~/bin/r2pm” and so on. That way I can have the always the newest radare from git and still don’t pollute my ”/usr” or ”/usr/local” with it.

Use radare

A dissambly subproject for the bootloader is in the subdirectory ”disasm/”:

cd disasm
./disasm_boot.sh

Some commands that I use interactively in Radare2:

s nseek around
/v 0xe000ed08search for data e000ed08
/x 08ed00e0:ffff0000search for data e000xxxx
pd 10 @ hit1_0show code around address
afanalyze function
afranalyze function recursively
aa*analzye all “flags” starting with sym.* and “entry0”
aac(slow) analyze all function calls
f~fcnlist functions that are still unnamed
Venter visual mode, pP there to change display mode

There are also a bunch of commands in the ”*.r” files which I don’t usually use interactively. Just look there directly.