The code here is currently based on work from Pat Hickey, taken from https://github.com/pchickey/md380-re.
Goal: I want to write my own firmware for the MD380, similar to the md380-re project. If I’m successful, I actually want to be able to run this firmware :-) But don’t hold your breath: most software projects on GitHub/BitBucket/etc. are abandonware (e.g. md380-re), so why should this project have a better future?!?!
To get my feet wet, I first want to understand the Tytera recovery bootloader, µC/OS and the RTOS a bit.
Holger, DH3HS
Reverse engineering:
- Reverse Engineering the Tytera MD380, a local copy of the relevant pages from the original PoC GTFO #10 paper.
- Reverse-engineering a Digital Two-way radio talk on YouTube, pretty much the same as the PDF. It does, however, emphasize the XOR encryption of the images in the last quarter.
- The slides used in this talk contain additional information.
Radio manuals:
- MD-380 english manual
- german manual from DG9VH
- Full schematics, not just the 2 pages at the end of the PoC GTFO paper
Grab bags:
- USB cable pinout from VE3WZW
- Format of the test calibration data
- various resources from KB9MWR
- various resources from DL4YHF
- german blog posts from DG9VH
- DARC Saarland has also a good amount of (german language) resources
- MD380tools https://github.com/travisgoodspeed/md380tools GitHub project
- MD380tools Google groups channel
- Hashtag #md380 on Twitter
Random twitter channels:
About AMBE+ encoding/decoding
- https://github.com/szechyjs/dsd can decode AMBE+
- Decoding AMBE+ in MD380 Firmware in Linux, in PoC GTFO #13.
Similar devices:
- STM32F4 processor series page at www.st.com
- STM32F405VG page at www.st.com
- STCubeF4 code examples
- Cortex M4 Technical Reference Manual
(there are more links to PDF documents in the list of used integrated circuits)
- [X] get FreeRTOS to compile
- [ ] add infrastructure to wrap & flash it
- [ ] let the app interact
- [ ] add USB support
- [ ] add syslog
- [ ] add memory access
- Buttons
  - [ ] detect buttons
  - [ ] detect long / short presses
- LED
  - [ ] direct output
  - [ ] PWM output
- Backlight
  - [ ] direct output
  - [ ] PWM output
- Volume - Button
- Power off
- Channel
- LCD
- Frequency synthesizer
- FM
- DMR
- USB
- DS: Data Sheet
- RM: Reference Manual
- PM: Programming Manual
These integrated circuits are used according to the schematics (which are known to be inexact):

IC | Type | Usage | Local PDFs |
---|---|---|---|
U101 | NJM2902V | Quad OpAmp, AF_OUT to QT_DQT_IN | DS |
U102 | NJM2902V | Quad OpAmp, AF_OUT to 2T/5T and VOL_OUT | DS |
U103 | NJM2100V | Dual OpAmp for Microphone, also VOX | DS |
U104 | UMC4N | Switch, 5R_A from FM_SW for U101 | DS |
U105 | XC6204B502MR | LDO regulator, MIC_5V for U103 by MICPWR_SW | DS |
U201 | HR_C5000 | Digital Baseband | Chinese, English |
U202 | missing | not in schema | |
U203 | TC75S51F | Single OpAmp, LINEOUT towards VOL_OUT | DS |
U204 | TDA2822D | Audio amplifier, VOL_OUT towards speaker | DS |
U301 | STM32F405VGT6 | MCU | RM, PM, DS |
U302 | W25Q128FVSIG | Flash | DS |
U303 | PST9124 | MCU and C59000 reset circuit | DS |
U303 | missing | not in schema | |
U305 | nc? | Flash | |
U307 | HR_V3000S | ALPU AES key? | |
U401 | LM2734X | Buck converter for “3V3” | DS |
U402 | XC6204B502MR | LDO regulator for “5T” | DS |
U403 | XC6204B502MR | LDO regulator for “5R” | DS |
U404 | XC6204B502MR | LDO regulator for “5C” | DS |
U405 | nc? | nc, from BAT+ to BACK3V3 | |
U501 | GT3136 | Receiver, LO, IF Amp, Lim, Demod | DS |
U502 | NJM2904V | Double OpAmp | DS |
U503 | UMC4N | Switch, DMR_VCC for U201 via DMR_SW | DS |
U504 | missing | not in schema | |
U505 | UMC4N | Switch, APT/TV for U505 via RF_APC_SW | DS |
U601 | SKY72310 | Frequency Synthesizer | DS |
U602 | XC6204B332MR | LDO Regulator for “PLL3V3” | DS |
U603 | NJM2904V | Single OpAmp | DS |
U604 | UMC4N | Switch, RX_VCOVCC via VCOVCC_SW | DS |
- | ILI9481 ? | LCD panel | DS |
Schematics page 3, left side of CPU
Note 1: the schematics are known to be inaccurate, so take the information here with caution. Processor pins that I haven’t verified are still in parentheses. I’ll use the disassembly of the bootloader, the firmware, the applets in the md380tools project or information from the GPIO alternate function registers for this, but so far I’m still at the very beginning …
Note 2: the `CS8x0: …` texts denote the signal description from the CS 8x0 Service manual. They might be wrong or misleading, especially the active high/low notations. But they give an additional hint …
Processor pin | Signal | Dir | Notes |
---|---|---|---|
(PA10) | DMR_SW | I | CS8x0: “DMR Receive IF Switch(High Active)” |
(PA9) | VCOVCC_SW | O? | CS8x0: “RXVCO/TXVCO Control(High for RX)” |
(PB11) | ECN3 | I? | encoder switch, probably for the channel |
(PB10) | ECN2 | I? | encoder |
(PE15) | ECN1 | I? | encoder |
(PE14) | ENC0 | I? | encoder |
(PE13) | FM_MUTE | O | mutes AF_OUT, VOL_OUT, 2T/5T, CS8x0: “FM RX Mute(High Active)” |
(PE12) | EXT_PTT | I? | 3.5mm jack shield |
(PE11) | PTT_KEY | I | hardware PTT key |
(PE10) | LCD_D7 | LCD | |
(PE9) | LCD_D6 | LCD | |
(PE8) | LCD_D5 | LCD | |
(PE7) | LCD_D4 | LCD | |
(PB2) | FM_SW | O | CS8x0: “FM Receive IF Switch(High Active)” |
(PB1) | BUSY | I | GT3136, CS8x0: “Carrier Detect Input” |
(PB0) | RSSI | I? | GT3136, CS8x0: “RSSI Detect Input” |
(PC5) | 5TC | O | PMIC XC6204, controls signal “5T” |
(PC4) | RF_APC_SW | O | M2904 OPAMP, CS8x0: “RF Amplifier Switch(High Active)” |
(PA7) | POW_C | O | control BAT7V5, maybe used for power off |
(PA6) | K1 | keypad? | |
(PA5) | MOD2_BIAS | O | CS8x0: “TCXO Frequency D/A Adjust” |
(PA4) | APC/TV | O | M2904 OPAMP, sender? CS8x0: “APC/TV D/A Output” |
(PA3) | VOX | I | from microphone integrator |
(PA2) | QT_DQT_IN | I | audio output from U101, switched by FM_SW |
(PA13) | W/N_SW | O | wide/narrow switch? |
Schematics page 3, bottom side of CPU
Processor pin | Signal | Dir | Notes |
---|---|---|---|
(PA8) | SAVE | O | PMIC XC6204, control signal “5V” |
(PC9) | 5RC | O | PMIC XC6204, control signal “5R” |
(PC8) | BEEP | O | goes to VOL_OUT, 2T/5T, DTMF_OUT, CS8x0: “BEEP/ALARM/DTMF Output” |
(PC7) | CTC/DCS_OUT | O | M2904 OPAMP, CS8x0: “CTCSS/DCS TCXO Output” |
(PC6) | LCD_LAMP | O | LCD backlight |
(PD15) | LCD_D1 | LCD | |
(PA1) | BAT | I? | maybe to measure the battery power |
(PA0) | TX_LED | O | red |
(PC3) | 2T/5T | I | HR C5000, CS8x0: “2T/5T data input”, this is AF_OUT amplified by U102 |
(PC2) | RF_TX_INTER | I? | HR C5000 |
(PC1) | SYS_INTER | I? | HR C5000 |
(PC0) | TIME_SLOT_INTER | I? | HR C5000 |
(PC15) | OSC32_OUT | | |
(PC14) | OSC_32IN | | |
(PC13) | BSHIFT | O | goes to 8MHz quartz |
(PE5) | PLL_DAT, DMR_SDI | SKY72310 DATA, HR C5000 U_SDI | |
(PE4) | DMR_SDO | HR C5000 U_SDO | |
(PE3) | DMR_SCL, PLL_CLK | HR C5000 U_SCLK, HR C5000 CLK | |
(PE2) | DMR_CS | HR C5000 U_CS | |
(PE6) | DMR_SLEEP | O? | HR C5000 PWD, CS8x0: “DMR POWERDOWN(High Active)” |
Schematics page 3, right side of CPU
Processor pin | Signal | Dir | Notes |
---|---|---|---|
(PA14) | MICPWR_SW | O | PMIC XC6204, control signal “MIC_5V”, CS8x0: “MIC Power Switch(High Active)” |
(PA15) | I2S_FS | HR C5000 C_CS | |
(PC10) | I2S_CK | HR C5000 C_SCLK | |
(PC11) | I2S_RX | HR C5000 C_SDI | |
(PC12) | I2S_TX | HR C5000 C_SDO | |
(PD0) | LCD_D2 | LCD | |
(PD1) | LCD_D3 | LCD | |
(PD2) | K2 | keypad? | |
(PD3) | K3 | keypad? | |
(PD4) | LCD_RD | LCD | |
(PD5) | LCD_WR | LCD | |
(PD6) | LCD_CS | LCD | |
(PD7) | FLASH_CS | W25Q128FVSIG CSN | |
(PB3) | FLASH_SCLK | W25Q128FVSIG SCK | |
(PB4) | FLASH_SDO | W25Q128FVSIG SO | |
(PB5) | FLASH_SDI | W25Q128FVSIG SI | |
(PB6) | SCL | HR V3000S, ALPU AES key? | |
(PB7) | SDA | HR V3000S, ALPU AES key? | |
(PB8) | SPK_C | O | speaker mute? |
(PB9) | AFCO | | |
(PE0) | RX_LED | green | |
(PE1) | nc | nc | |
(PA11) | USB_D- | USB | |
(PA12) | USB_D+ | USB |
Schematics page 3, top side of CPU
Processor pin | Signal | Dir | Notes |
---|---|---|---|
(PB12) | V_CS | HR C5000 V_CS | |
(PB13) | V_SCLK | HR C5000 V_SCLK | |
(PB14) | V_SDO | HR C5000 V_SDO | |
(PB15) | V_SDI | HR C5000 V_SDI | |
(PD8) | FLASH_CS1 | nc? | |
(PD9) | FLASH_CS2 | nc? | |
(PD10) | PLL_LD | SKY72310 PS | |
(PD11) | PLL_CS | SKY72310 /CS | |
(PD12) | LCD_RS | LCD | |
(PD13) | LCD_RST | LCD | |
(PD14) | LCD_D0 | LCD |
- Maybe an ILI9481?
Signal | Processor pin |
---|---|
LCD_D0 | PD14 |
LCD_D1 | PD15 |
LCD_D2 | PD0 |
LCD_D3 | PD1 |
LCD_D4 | PE7 |
LCD_D5 | PE8 |
LCD_D6 | PE9 |
LCD_D7 | PE10 |
LCD_RD | PD4 |
LCD_WR | PD5 |
LCD_CS | PD6 |
LCD_RS | PD12 |
LCD_RST | PD13 |
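The pin table above splits the 8-bit LCD data bus across two ports (D0..D3 on PD14, PD15, PD0, PD1 and D4..D7 on PE7..PE10), so one data byte cannot be written with a single register store. The following added example, written for this page rather than taken from the md380 project, computes the masked read-modify-write for GPIOD and GPIOE straight from that table and decodes a byte back from the two port values; only the bit positions are used, no peripheral register addresses are assumed.

```c
#include <stdint.h>

/* GPIO bit numbers from the LCD pin table: D0..D3 live on port D,
 * D4..D7 on port E (e.g. LCD_D0 = PD14, LCD_D4 = PE7). */
static const uint8_t lcd_pd_pins[4] = { 14, 15, 0, 1 }; /* LCD_D0..D3 */
static const uint8_t lcd_pe_pins[4] = { 7, 8, 9, 10 };  /* LCD_D4..D7 */

/* Per-port mask and value for one data byte, ready for a
 * read-modify-write of the output data register (ODR). */
struct lcd_bus_bits {
    uint16_t pd_mask, pd_value; /* GPIOD bits carrying D0..D3 */
    uint16_t pe_mask, pe_value; /* GPIOE bits carrying D4..D7 */
};

/* Scatter the eight data bits onto their port D / port E positions. */
struct lcd_bus_bits lcd_encode_byte(uint8_t data)
{
    struct lcd_bus_bits b = { 0, 0, 0, 0 };
    for (int i = 0; i < 4; i++) {
        uint16_t pd_bit = (uint16_t)1 << lcd_pd_pins[i];
        uint16_t pe_bit = (uint16_t)1 << lcd_pe_pins[i];
        b.pd_mask |= pd_bit;
        b.pe_mask |= pe_bit;
        if (data & (1u << i))       b.pd_value |= pd_bit; /* D0..D3 */
        if (data & (1u << (i + 4))) b.pe_value |= pe_bit; /* D4..D7 */
    }
    return b;
}

/* New ODR contents: only the LCD bits change, everything else on the
 * port (keypad lines, chip selects, ...) keeps its state. */
uint16_t lcd_apply(uint16_t odr, uint16_t mask, uint16_t value)
{
    return (uint16_t)((odr & ~mask) | (value & mask));
}

/* Inverse: rebuild the byte from the two port values, e.g. from a
 * register dump while tracing the original firmware's LCD driver. */
uint8_t lcd_decode_byte(uint16_t pd_odr, uint16_t pe_odr)
{
    uint8_t data = 0;
    for (int i = 0; i < 4; i++) {
        if (pd_odr & ((uint16_t)1 << lcd_pd_pins[i])) data |= (uint8_t)(1u << i);
        if (pe_odr & ((uint16_t)1 << lcd_pe_pins[i])) data |= (uint8_t)(1u << (i + 4));
    }
    return data;
}
```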
No | PIN | Dir | MCU pin | Notes |
---|---|---|---|---|
4 | PS | AO | PLL_LD | phase detector out-of-lock signal, open collector |
20 | DATA | I | PLL_DAT | SDI data |
22 | CLK | I | PLL_CLK | SDI clock |
I | nCS | I | PLL_CS | SDI, a low-to-high transition stores the clocked-in data |
```sh
$ git clone --depth 1 https://github.com/radare/radare2
$ cd radare2
$ git clean -fdx
$ git pull
$ sys/build.sh `pwd`/dist
$ make symstall
```
I use a little helper script …
```sh
#!/bin/sh
# Put every libr_*.so directory of the git checkout on the library path,
# then exec the radare2 binary whose name this script was invoked under.
LD_LIBRARY_PATH=
for _FILE in /usr/src/radare2/libr/*/libr_*.so; do
    _DIR=$(dirname "$_FILE")
    if [ -z "$LD_LIBRARY_PATH" ]; then
        LD_LIBRARY_PATH="$_DIR"
    else
        LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$_DIR"
    fi
done
export LD_LIBRARY_PATH
# The symlink name selects the tool; "r2" is an alias for "radare2".
_FILE="$(basename "$0")"
test "$_FILE" = "r2" && _FILE="radare2"
exec /usr/src/radare2/binr/"$_FILE"/"$_FILE" "$@"
```
… that I link to `~/bin/r2`, `~/bin/r2pm` and so on. That way I always have the newest radare from git and still don’t pollute my `/usr` or `/usr/local` with it.
A disassembly subproject for the bootloader is in the subdirectory `disasm/`:

```sh
cd disasm
./disasm_boot.sh
```
Some commands that I use interactively in Radare2:

Command | Purpose |
---|---|
`s n` | seek around |
`/v 0xe000ed08` | search for data e000ed08 |
`/x 08ed00e0:ffff0000` | search for data e000xxxx (hex pattern with mask) |
`pd 10 @ hit1_0` | show code around address |
`af` | analyze function |
`afr` | analyze function recursively |
`aa*` | analyze all “flags” starting with sym.* and “entry0” |
`aac` | (slow) analyze all function calls |
`f~fcn` | list functions that are still unnamed |
`V` | enter visual mode, pP there to change display mode |
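As an added example (not part of the original README or of radare2), here is the byte-wise masked search that the `/x pattern:mask` row above performs, written in C and run over a constructed little-endian Thumb literal pool. The constant 0xe000ed08 is the Cortex-M SCB VTOR register, so exact hits for it mark the places where code relocates the vector table; the wildcard variant finds every 0xE000xxxx System Control Space address. The firmware bytes are constructed for this example, not taken from an MD380 image.

```c
#include <stdint.h>
#include <stddef.h>

/* Byte-wise masked search: offset o matches when (buf[o+i] & mask[i]) == pat[i]
 * for all i < n. Stores up to max offsets in hits, returns the total count. */
size_t masked_search(const uint8_t *buf, size_t len,
                     const uint8_t *pat, const uint8_t *mask, size_t n,
                     size_t *hits, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; n > 0 && off + n <= len; off++) {
        size_t i = 0;
        while (i < n && (buf[off + i] & mask[i]) == pat[i])
            i++;
        if (i == n) {
            if (count < max)
                hits[count] = off;
            count++;
        }
    }
    return count;
}

/* Constructed stand-in for a firmware image: two NOPs, then a literal pool
 * with SCB_VTOR twice, SCB_AIRCR once and a look-alike outside the SCS. */
static const uint8_t fw_blob[] = {
    0x00, 0xBF, 0x00, 0xBF, /* nop; nop */
    0x08, 0xED, 0x00, 0xE0, /* offset  4: 0xE000ED08 (VTOR) */
    0x08, 0xED, 0x00, 0x20, /* offset  8: 0x2000ED08 (not SCS) */
    0x0C, 0xED, 0x00, 0xE0, /* offset 12: 0xE000ED0C (AIRCR) */
    0x08, 0xED, 0x00, 0xE0, /* offset 16: 0xE000ED08 (VTOR) */
};

/* Exact match, the equivalent of "/v 0xe000ed08": all four bytes fixed. */
size_t find_vtor_exact(size_t *hits, size_t max)
{
    static const uint8_t pat[4]  = { 0x08, 0xED, 0x00, 0xE0 };
    static const uint8_t mask[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    return masked_search(fw_blob, sizeof fw_blob, pat, mask, 4, hits, max);
}

/* Wildcard match for any 0xE000xxxx word: only the two high bytes
 * (stored last in little-endian order) are compared. */
size_t find_scs_any(size_t *hits, size_t max)
{
    static const uint8_t pat[4]  = { 0x00, 0x00, 0x00, 0xE0 };
    static const uint8_t mask[4] = { 0x00, 0x00, 0xFF, 0xFF };
    return masked_search(fw_blob, sizeof fw_blob, pat, mask, 4, hits, max);
}
```

Because the mask is applied byte by byte in storage order, a pattern for a 32-bit value on this little-endian MCU is written with its bytes reversed, which is why the table row spells the VTOR address as `08ed00e0`.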
There are also a bunch of commands in the `*.r` files which I don’t usually use interactively. Just look there directly.