• To anyone looking to acquire commercial radio programming software:

    Please do not make requests for copies of radio programming software which is sold (or was sold) by the manufacturer for any monetary value. All requests will be deleted and a forum infraction issued. Making a request such as this is attempting to engage in software piracy and this forum cannot be involved or associated with this activity. The same goes for any private transaction via Private Message. Even if you attempt to engage in this activity in PM's we will still enforce the forum rules. Your PM's are not private and the administration has the right to read them if there's a hint to criminal activity.

    If you are having trouble legally obtaining software please state so. We do not want any hurt feelings when your vague post is mistaken for a free request. It is YOUR responsibility to properly word your request.

    To obtain Motorola software see the Sticky in the Motorola forum.

    The various other vendors often permit their dealers to sell the software online (i.e., Kenwood). Please use Google or some other search engine to find a dealer that sells the software. Typically each series or individual radio requires its own software package. Often the Kenwood software is less than $100 so don't be a cheapskate; just purchase it.

    For M/A Com/Harris/GE, etc: there are two software packages that program all current and past radios. One package is for conventional programming and the other for trunked programming. The trunked package is in upwards of $2,500. The conventional package is more reasonable though is still several hundred dollars. The benefit is you do not need multiple versions for each radio (unlike Motorola).

    This is a large and very visible forum. We cannot jeopardize the ability to provide the RadioReference services by allowing this activity to occur. Please respect this.
  • Effective immediately we will be deleting, without notice, any negative threads or posts that deal with the use of encryption and streaming of scanner audio.

    We've noticed a huge increase in rants and negative posts that revolve around agencies going to encryption due to the broadcasting of scanner audio on the internet. It's now worn out and continues to be the same recycled rants. These rants hijack the threads and derail the conversation. They no longer have a place anywhere on this forum other than in the designated threads in the Rants forum in the Tavern.

    If you violate these guidelines your post will be deleted without notice and an infraction will be issued. We are not against discussion of this issue. You just need to do it in the right place. For example:
    https://forums.radioreference.com/rants/224104-official-thread-live-audio-feeds-scanners-wait-encryption.html

TK-810 reverse engineering programming...

Status
Not open for further replies.
Joined
Apr 9, 2018
Messages
239
Location
CO, USA
#1
It seems this particular old model was some sort of either low production or an OEM for something, so there seems to be so little information on the web about it. Anyway I ended up acquiring the base of one and now wonder how to program it.

After painstaking googling, one result I saw is that there is a KPT-20 or something around that programs the device. Unfortunately I don't think I can acquire one, so after being inspired by a youtube video on a different product, I decided to go the other route: directly hacking the EEPROM. It appears to be a common 93C46 1Kbit serial.

After painstakingly desoldering the EEPROM from the radio, I noticed the programming port on the board is actually connected to the EEPROM through 10K resistors. If anyone is interested, the 8 pin slot connector that's visible after removing the covers is labeled 1-8 on the connector and

Port pin - 93c46 pin - description
1 - 4: DO output TO KPT-20
2 - 3: DI input FROM KPT-20
3 - 2: CLK
4 - 1: CS
5 - nc
6 - through LDO?: VCC
7 - 5: VSS
8 - nc

It seems to be a card edge type connector, a bit of PCB with fingers on each side may work. I am not 100% sure how pin 6 needs to be connected, there is one surface mount device that power appears to go through before hitting VCC of the 93C46. VSS goes directly to the 93C46 ground, and the others are through 10K resistors. Because of how this is hooked up, the KPT-20 appears to only be able to program the 93C46 and not able to control the radio. And this also means that any generic 93C46 programmer should be able to read/write the EEPROM without needing to desolder it. I may have to go through this route because despite there now being a socket, swapping the chip for testing will get tiresome fast.

Anyone happen to have some dumps of this EEPROM and how (you think?) the radio is programmed? I was hoping perhaps with this info, reverse engineering the content would be a feasible way to bring life back into these old radios? I have yet to read my EEPROM as I just found out my chip programmer computer died. Anyway, I was planning to write random values into the EEPROM and use a DMM/frequency counter on the VCOs to see what they do.

Other things I found about my radio: its channel selector is mechanically locked to two channels, but this restriction can be removed and the lone 7-seg display will count 1 to 9, then 0, 1, 2, and back to 1 -- meaning that it's trying to display 1 2 3 4 5 6 7 8 9 10 11 12 but only the last digit. There's a 10-pin spot I may be able to solder in another 7-seg LED. Unsure if it's CC or CA yet, will get there later.

I was intending to see if I can use this for 70cm ham if possible. However I'm not licensed yet (still studying!) so I will need to keep a "low profile" (well, more like, if I'm forced to use the RF for reverse engineering, I'll have to dump the RF into a dummy load and not into the air.)

Thanks for any insight or perhaps this is a way to kill my VCOs/etc. if I try to reverse engineer this way?

Anyone know or have specs to this radio, and whether it's worth to reuse like this?
 
Joined
Apr 9, 2018
Messages
239
Location
CO, USA
#2
I have found that the TKR-820 eeprom hacks presented on the web works with the TK-810!!! However there's not enough information to make heads or tails for tone generation for repeater hookup (since the TKR-820 is a repeater and the tone handling is done in another EEPROM). I guess getting CTCSS working would be the newest challenge!

I also note that the reception of some frequencies programmed are really weak for some reason or another, at least compared to the sensitivity of my other radio (the icom).

So far no damage to the radio, or at least as far as I know, and no idea if transmitting works, at least until I can build a dummy load (and acquire a microphone with PTT button) to test ... EEPROM dumps with known programming are still welcome!
 
Joined
Sep 20, 2008
Messages
5,241
Location
In the 'patch
#3
I have found that the TKR-820 eeprom hacks presented on the web works with the TK-810!!! However there's not enough information to make heads or tails for tone generation for repeater hookup (since the TKR-820 is a repeater and the tone handling is done in another EEPROM). I guess getting CTCSS working would be the newest challenge!

I also note that the reception of some frequencies programmed are really weak for some reason or another, at least compared to the sensitivity of my other radio (the icom).

So far no damage to the radio, or at least as far as I know, and no idea if transmitting works, at least until I can build a dummy load (and acquire a microphone with PTT button) to test ... EEPROM dumps with known programming are still welcome!
For tone generation, if you can not figure it out, this: http://www.com-spec.com/tone_signaling/images/pdf TS-64WDS Manual.pdf may be of help. external board, that would have to be interfaced.

As for sensitivity, the receiver likely needs to be aligned. the bandwidth with out retuning, is likely very narrow.
 

EricCottrell

Member
Database Admin
Joined
Nov 8, 2002
Messages
2,248
Location
Boston, Ma
#4
Hello,

The repeater has a tone decoder as well as a tone encoder, so it is slightly more complicated. The tone is likely encoded with the frequency information in the eeprom in the radio rather than a separate board.

From the repeater description, pin 6 holds the microprocessor in reset so that it does not try to access the eeprom at the same time it is being programed.

CN1 on the TKR-820 display unit is the programing connector and has a similar pinout.
Pin 1 DO Data Output
Pin 2 DI Data Input
Pin 3 CLK Clock
Pin 4 EN1 Enable 1
Pin 5 EN2 Enable 2 (Not Used)
Pin 6 RST Reset Grounding to Pin 7 will put the processor in Reset
Pin 7 GND Ground
Pin 8 NC Not Connected

73 Eric
 
Joined
Apr 9, 2018
Messages
239
Location
CO, USA
#5
Interesting. I was kind of surprised, then again I shouldn't be surprised because they are different manufacturers.

I suppose the intent of this effort is to program both radios into the ham bands. Both of them also seemed to have been originally programmed into the 460MHz region before I started futzing with it. The experimental frequency I wanted to use is closer to 450MHz, so there is a significant jump, which indeed agree with possibly needing realignment - but the icom radio was able to take the jump without much difficulty. This is despite seeming to have three different versions of the hardware and the desired frequency is outside of the suspected version that I have.

As an experiment I programmed in GMRS frequencies, and my FRS radio was able to transmit to both of them loud and clear at 20-30 ft. GMRS frequencies are 462MHz which is much closer to the original programming.

From what I found from the Kenwood KPT-20 documentation, the TK-810 seemingly should be good from 300-520MHz, but that part of the flowchart is really confusing.
 
Joined
Apr 9, 2018
Messages
239
Location
CO, USA
#6
This is another anomaly that I don't quite understand. There is this board in the tray on the upper side of the radio marked with "TONE" - I wonder if this board handles the CTCSS completely analog?

The CPU board does not appear to have many pins to the radio board, making me suspect there's a possibility this is done in analog, but the KPT-20 documentation implies it can be handled in the eeprom.
 

Attachments

Joined
Sep 20, 2008
Messages
5,241
Location
In the 'patch
#7
This is another anomaly that I don't quite understand. There is this board in the tray on the upper side of the radio marked with "TONE" - I wonder if this board handles the CTCSS completely analog?

Probably a matrix to select PL. probably can’t do split PL. same tone in and out.


Sent from my iPhone using Tapatalk
 

EricCottrell

Member
Database Admin
Joined
Nov 8, 2002
Messages
2,248
Location
Boston, Ma
#8
This is another anomaly that I don't quite understand. There is this board in the tray on the upper side of the radio marked with "TONE" - I wonder if this board handles the CTCSS completely analog?

The CPU board does not appear to have many pins to the radio board, making me suspect there's a possibility this is done in analog, but the KPT-20 documentation implies it can be handled in the eeprom.
Hello,

The DIP Switches in the picture sets the tone. It is not uncommon for an older radio to only support one PL Tone. You can sometimes see remnants of this today, like both the police and fire using the same PL, or departments in the same mutual aid region all using the same PL. For example, 131.8 is a common PL for BAPERN in my local area.

73 Eric
 
Joined
Apr 9, 2018
Messages
239
Location
CO, USA
#9
Oddly enough my guess is that this radio is also set to 131.8 based on the DIP switches.

So perhaps what you guys are saying is my job's done - There's nothing else that lurks in the eeprom that I can configure? Still seems weird that the KPT-20 can program some of these things, but perhaps not on the TK-810...
 
Status
Not open for further replies.
Top