BCD99T Firmware Mod - Open out-of-band

Status
Not open for further replies.

TEKurtz

Member
Joined
Oct 4, 2009
Messages
96
Location
Hartford County, CT
I had the good fortune of finding a RR member [n3617400] who has been working on modifying Uniden scanner firmwares and I thought I'd share his work.
This particular modified firmware opens up all 'out of band' or locked out frequencies.


If you are interested in breathing a little new life back into an already aging scanner you can download it here: https://files.secureserver.net/0scXn1H3oPb3j0

n361740 (aka JohnDoe) has made all the firmware changes he's going to make with the 996T; his latest project is the HomePatrol1.

You can see some of his work on his YouTube channel (Homebrew on HomePatrol-1), or you can follow him on Twitter @OpenUniden
 

kma371

Member
Joined
Feb 20, 2001
Messages
6,190
The two freqs in the screen shots are standard coverage for that receiver so I'm confused?
 

TEKurtz

Member
Joined
Oct 4, 2009
Messages
96
Location
Hartford County, CT
I was using the less than optimal Tapatalk app when I posted, there was a whole section cut out of the post.
Disregard the bit about the talkgroups.
The firmware opens up any band that's been locked out.
 

TEKurtz

Member
Joined
Oct 4, 2009
Messages
96
Location
Hartford County, CT
Right now, this firmware opens all frequencies in the stock spectrum. With that said, it's possible that if enough interest was present he might be able to be convinced to open up the spectrum.
 

kma371

Member
Joined
Feb 20, 2001
Messages
6,190
Right now, this firmware opens all frequencies in the stock spectrum. With that said, it's possible that if enough interest was present he might be able to be convinced to open up the spectrum.
Ok, I see the correct pictures now, but is the intent to open the cell band?

If it is, I'm still very confused with those hoping to "open" portions of the band that are blocked. This would have been great years ago, but now there is nothing there worth listening to.

If the intent is NOT to open the cell band, is there anything that we are missing that we would be able to listen to?
 

TEKurtz

Member
Joined
Oct 4, 2009
Messages
96
Location
Hartford County, CT
First, there is nothing much to hear as far as cellular transmissions go. Unless you can decode them (which no scanner can).

What you hear depends on your area; there is a lot of public safety and commercial pager traffic to decode in my area in the low 800s.
A lot of wireless analog mics use 700.

I just loaded the firmware myself less than 48 hours ago, so I'm sure I'll find more in the near future.
 

TEKurtz

Member
Joined
Oct 4, 2009
Messages
96
Location
Hartford County, CT
This was his 'trial hack'. For the most part he's moved on to more exciting mods. Keep an eye on this guy, I think he's going to do some great things for Uniden scanner users.
He's already talking about tearing through the BCD536HP. With its processor, RAM and Wi-Fi radio it really opens up the possibilities.
 

Boatanchor

Member
Joined
Jul 17, 2011
Messages
990
Thanks for the additional pics.

I look forward to reading similar posts relating to the 996XT firmware appearing :)

The fact that the Uniden firmware has been hacked is very 'interesting' news :)

I for one would like the 800 MHz band 'opened up'. There are a few local radio station STLs that just happen to be located within the blocked sections.
 

PiccoIntegra

Member
Joined
Dec 19, 2002
Messages
527
Location
North Texas
I look forward to reading similar posts relating to the 996XT firmware appearing :)

The fact that the Uniden firmware has been hacked is very 'interesting' news :)
Now that the cat is out of the bag...

It's certainly possible. I have a fully disassembled 996XT firmware image, and it's very similar to its T model predecessor. For anyone curious, you can't load the XT firmware to the T models. There are too many obstacles to overcome; it's not worth the effort. In fact, none of the firmware images can be used on other models. The processors, M32R, are the same (BCT15, 996X/T, 396X/T), but pin usage is different on all models. The BCT15X got a processor downgrade to the M16C. The only exception may be with the UB models. It might be possible to load a modified US version to the UB version. But I've never explored that.

...but I won't be distributing copyrighted material. Someone else will have to take that chance. I suppose an IDA script could be written (I've toyed with it) to take care of everything without needing to include the Uniden firmware image. But that is way too much work. I suppose a patching program could be written (very simple to do) without the need for any disassembler, but someone will have to figure out which bytes to modify and then recalculate the CRC values the radio is expecting. I don't plan to ever buy an XT model, so someone else will have to tackle that.

My intentions were to find undiscovered serial commands, and undocumented parameters for known commands. There is a whole subset of developer commands (Thanks John Doe!) that were a huge disappointment. There is also some new test mode stuff on the XT models. These can be accessed from the keypad while turning on, or with an undocumented serial command. Again, I don't have an XT so I can't test them.

I'll give Uniden huge props (as if they care) for being forthcoming in regards to the serial protocol documentation. There isn't much that they left out. The stuff left out, mostly dev level commands, doesn't need to be played with by someone that doesn't know how to recover their radio. As long as you don't corrupt the bootloader, you can recover from just about anything.

I don't think a third party firmware could ever come remotely close to what Uniden gets out of these things. They have so many years now with their code base (it carries over from all models) that it would be a monumental achievement to match their work.
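
The post above notes that a patcher only has to recalculate the CRC values the radio expects, which reflects a general design point: a checksum detects corruption, not modification. The following is an added example, not code from the thread or from Uniden's firmware; the image bytes, the CRC-32 trailer layout and the HMAC key are constructed assumptions, and the HMAC stands in for the asymmetric signature a bootloader would normally verify.

```python
import hashlib
import hmac
import struct
import zlib


def pack_crc(body: bytes) -> bytes:
    """Append a little-endian CRC-32 trailer (assumed layout, not Uniden's)."""
    return body + struct.pack("<I", zlib.crc32(body))


def crc_ok(image: bytes) -> bool:
    """Accept the image if the trailer matches the CRC-32 of the body."""
    if len(image) < 4:
        return False
    body, trailer = image[:-4], image[-4:]
    return struct.unpack("<I", trailer)[0] == zlib.crc32(body)


def make_tag(body: bytes, key: bytes) -> bytes:
    """Keyed tag over the body; only the key holder can produce it."""
    return hmac.new(key, body, hashlib.sha256).digest()


def tag_ok(body: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(make_tag(body, key), tag)


def compare_checks() -> dict:
    vendor_key = b"constructed-demo-key"            # placeholder key
    body = b"CONSTRUCTED-FW" + bytes(range(64))     # constructed image body
    original = pack_crc(body)
    vendor_tag = make_tag(body, vendor_key)

    changed = bytearray(body)
    changed[20] ^= 0xFF                             # any one-byte change
    changed = bytes(changed)

    stale = changed + original[-4:]                 # old trailer left in place
    refreshed = pack_crc(changed)                   # trailer recomputed, no secret needed

    return {
        "original_crc": crc_ok(original),
        "stale_trailer_crc": crc_ok(stale),
        "refreshed_trailer_crc": crc_ok(refreshed),
        "changed_body_keyed_tag": tag_ok(changed, vendor_tag, vendor_key),
    }


if __name__ == "__main__":
    for check, result in compare_checks().items():
        print(f"{check}: {result}")
```

The CRC check accepts the changed body once the trailer is recomputed, while the keyed tag issued for the original body does not verify, which is why integrity checks meant to resist modification need a secret or a signature rather than a checksum.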
 