Go Back   The RadioReference.com Forums > Scanners and Receivers Forums > Uniden Scanners


Uniden Scanners A forum for the discussion of all Uniden scanning radios and receivers.

#1  11-09-2005, 02:22 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)
246T Firmware Raw Data

I recently found a firmware dump on this website: http://home.ica.net/~phoenix/wap/BC246T and was looking through it. My question is how could this data be grabbed from the scanner? Obviously, the new firmware update is transmitted from the computer into the scanner, so my thought is that maybe someone figured out how to tap the com port output and grab the raw data as if it were the scanner receiving the data. I looked at the firmware update setup program and data file and couldn't find this data contained inside, although the file sizes seemed about right. I'm thinking it was compressed inside the setup program. I really don't know how it was obtained, but that's not as important to me as the next question. If the firmware was grabbed and changed to raw data, is there any way to take that raw data and send it to the scanner? If so, it would not be hard to make slight modifications to the firmware. It would be a worthwhile mod to try to change the startup text and if that worked, then more advanced things could be done. For example, attempting to bypass the "Press any key..." for Close Call by changing a byte or two in the right place. Anyone who's disassembled Windows executables or messed around a lot with computer programming knows what I'm talking about, and it wouldn't be that hard. Any ideas are appreciated. Thanks.
#2  11-09-2005, 02:50 AM
Posted by rdale (Member; Join Date: Feb 2001; Location: Lansing, MI; Posts: 7,298)

The startup text is changed by the software, that's not in the firmware... And I wonder how it would "not be hard" to make modifications. When you disassemble Windows exe files, you still know that the program is Windows based and can make a lot of assumptions. I can't imagine the firmware is based in a method that we can make the same assumptions about...

- Rob
#3  11-09-2005, 02:57 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)

Quote:
Originally Posted by rdale
The startup text is changed by the software, that's not in the firmware... And I wonder how it would "not be hard" to make modifications. When you disassemble Windows exe files, you still know that the program is Windows based and can make a lot of assumptions. I can't imagine the firmware is based in a method that we can make the same assumptions about...
Instead of the "startup text", let me be more accurate and say the firmware version for example. Something that would be a minor character change that you could verify on the scanner. And as far as being difficult to modify, well no it's probably not in "Windows" assembly, but I'm sure we could figure something out with enough trial and error. Most programming follows basic order and patterns in one way or another. Not to mention that if you look through the firmware dump, it looks like it was written in a high-level language, similar to c++. There are a few variable names and such inside the dump. You can view it easily with a hex editor like Cygnus or with Visual C++.
#4  11-09-2005, 04:06 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)
A few more details...

Let me add a little data to support my idea. Here is a tiny portion of disassembled "code" from the 2.05 firmware binary in hex form:

|.-.....Custom %d|
|.SAME %d.Close C|
|all.On.Close Cal|
|l.Off.().01. DCS|
|%s. C%s.%x.%04xM|
|Hz..%04x.%x.%u. |

Anyone who has programmed with c++ would say that this looks a whole lot like c++ code. My guess is that it is either c++ or visual basic. So you may guess that possibly the firmware has a few functions like CloseCall.On() and CloseCall.Off(). Not all that impressive, right? Well, if you can find the function for viewing the CloseCall hit, you may be able to change a byte a few times until you find what you're looking for. In a lot of code, changing a 74 to a 75 and vice versa can change the result of an If statement, altering the code. A little complicated, but not impossible for someone who's determined.

Also, in the above code, those %d, %s, %x, and %u are used in c++ to insert variables into text strings. For example, you might say, printf("test %d, %d", num1, num2); and the values of num1 and num2 are printed after "test ". Different modifiers (%...) are used for different types of variables. You may be able to very easily alter how a text string is displayed on the scanner screen. Like instead of "156.225 103.5", you may be able to change it to "156.225 >> 103.5". Again, no big deal. But it's a start to modifying or customizing your firmware. Legally, you may not be able to distribute your "version" because of Uniden's copyright.

Hope that explains what I mean a little better.
#5  11-09-2005, 04:55 AM
Posted by rdale (Member; Join Date: Feb 2001; Location: Lansing, MI; Posts: 7,298)

I'm a VB'er and that is not even close to VB. Actually I don't see anything that resembles "code" in c++ either. Those % statements are used in plenty of languages, and Close Call.ON may be nothing more than a menu selection. So you could call it "Find Freqs" instead ;> I see where you are going, but I don't think anyone can make something out of it other than change the text (if that, it may require a checksum that would be pretty hard to determine.)
#6  11-09-2005, 05:24 AM
Posted by richster (Member; Join Date: Dec 2002; Location: Regina, Sask.; Posts: 532)

Well at least you get an idea of some of the function names being used. One in particular was "cc_found_mode()". The % statements are used in many languages, but in the ones I tinker with it always constitutes the use of a variable.

Will this be the pre-cursor to the creation of 3rd party firmwares? We will have to wait and see.

Regards,
Richster.
#7  11-09-2005, 05:49 AM
Posted by richster (Member; Join Date: Dec 2002; Location: Regina, Sask.; Posts: 532)

Quote:
Originally Posted by rdale
I'm a VB'er and that is not even close to VB.
You're right rdale. I just went through a couple of "dorky" programs I created with VB-6 with a hex editor, and it doesn't look close at all. Mind you, these simple programs I created were meant to work with a computer. Since this dump represents code designed to work with a scanner, would it look very different?

Regards,
Richster.
#8  11-09-2005, 06:07 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)

Quote:
Originally Posted by richster
You're right rdale. I just went through a couple of "dorky" programs I created with VB-6 with a hex editor, and it doesn't look close at all. Mind you, these simple programs I created were meant to work with a computer. Since this dump represents code designed to work with a scanner, would it look very different?
When I said it looks similar to VC++ or VB, I meant that the code syntax somewhat reminds me of those languages, not the hex output. Disassembled code from either language is MUCH larger and has all of the Windows code in it as well. However, it should be noted that at least with vc++, you can write a bare bones windows application with about 4 lines of code plus the required windows library files, equating to a program about 24K in size. What I was trying to say is that the syntax of Object.Function() , like CloseCall.On(), is slightly similar to vb or vc++. With this in mind, I'm willing to bet that the folks at Uniden are using a high-level compiler w/ an object-oriented language to write their firmware, and that the compiler is specially built to specs for the processor inside the 246T. Years ago, before Windows, people wrote software differently for different kinds of processors. Windows fixed that problem. But the processor inside the scanner is probably a bare-bones 8086 or something just fast enough to run the scanner, similar to that of a graphing calculator.

Again, I want to restate my point that even though slight modifications of text may seem trivial, they may open the door to more important modifications. Eventually, the firmware could even be disassembled as a whole and then it would be easy to see how this new technology works. But before any of this can be addressed, the question must be answered of whether it's possible to upload raw firmware data to the scanner. Somehow it was taken out of the program, so isn't there a way to put it back in?
#9  11-09-2005, 09:34 AM
Posted by gr8amp (Member; Join Date: Jan 2003; Location: Boston, MA; Posts: 129)

You are not seeing any "functions" or "procedures" in these files. You can't relate the text in the HEX file to any sort of higher language (well... not by simply looking at it). The text between the "| |" is simply the ASCII representation of the hex data to the left of it. All of the text that you can read (the text that is English) is simply text tables stored in the program memory that are used for standard display output. These are not functions.

Technically you could change the text displayed on the screen by changing the corresponding hex values. However, that would be as far as I would go without having any information on what microprocessor is used, and without disassembling the code to assembly. Anyone who has cracked one open knows what type of processor is used? It's probably some flavor of a fairly standard processor (8051 family possibly) but stamped with a Uniden PN, which makes this difficult to determine as well.

Last edited by gr8amp; 11-09-2005 at 09:51 AM.. Reason: Additional question
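The "| |" column gr8amp describes above, and the %d / %s placeholders Gilligan pointed out in post #4, as an added Python example that is not part of this thread and does not touch the BC246T image: it takes a constructed byte string (a few opaque bytes standing in for machine code, with a small string table between them), renders it the way a hex dump does, and then pulls out the printable runs, flagging the ones that contain printf-style conversions. The names (SAMPLE_IMAGE, hexdump, extract_strings, format_strings) are this example's own.

```python
import re
import string

# Constructed sample, NOT the BC246T firmware: opaque bytes that stand in for
# code, with a few display-template strings (like "Custom %d", "%04xMHz")
# stored between them, NUL-terminated the way C string tables are.
SAMPLE_IMAGE = (
    b"\x7f\x10\x3a\xc2\x00\x9e\x4d\xf0"
    b"Custom %d\x00SAME %d\x00Close Call\x00On\x00Off\x00"
    b"\x8b\x45\xfc\x83\xc4\x08\xc3\x90"
    b"%04xMHz\x00%s C%s\x00"
    b"\xe8\x00\x00\x00\x00\x5d\xc3"
)

# Byte values shown as themselves in the ASCII column; everything else is '.'.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Offset, hex bytes, and the |ASCII| column, in the style of hexdump -C.

    The right-hand column is nothing more than a re-rendering of the bytes on
    the left, which is why readable words appear there wherever the image
    stores text.
    """
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{asc}|")
    return lines


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for each run of at least min_len printable bytes.

    Short runs such as "On" or the stray 'M' inside the opaque bytes are
    dropped, the same filtering the Unix strings(1) tool applies.
    """
    found = []
    run_start = None
    for i, b in enumerate(data + b"\x00"):   # sentinel flushes the final run
        if b in PRINTABLE:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_len:
                found.append((run_start, data[run_start:i].decode("ascii")))
            run_start = None
    return found


# printf-style conversion: flags, width, precision, length modifier, type.
FORMAT_SPEC = re.compile(r"%[-+ 0#]*\d*(?:\.\d+)?[hlL]?[diouxXcsfeEgGp]")


def format_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str, list[str]]]:
    """Strings carrying printf conversions: the display-template table, not code."""
    out = []
    for off, text in extract_strings(data, min_len):
        specs = FORMAT_SPEC.findall(text)
        if specs:
            out.append((off, text, specs))
    return out


if __name__ == "__main__":
    for line in hexdump(SAMPLE_IMAGE):
        print(line)
    for off, text, specs in format_strings(SAMPLE_IMAGE):
        print(f"{off:#06x}  {text!r}  uses {specs}")
```

Running it prints the dump with "Custom %d" and the other templates visible in the ASCII column, then lists them with their conversions; the opaque bytes never produce a string of useful length, which is the point gr8amp makes: the readable text is data the code refers to, and nothing about the code itself can be read off this column.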
#10  11-09-2005, 10:53 AM
Posted by Eric (Member, Database Admin; Join Date: Nov 2002; Location: Boston, Ma; Posts: 922)

Quote:
Originally Posted by Gilligan
I recently found a firmware dump on this website: http://home.ica.net/~phoenix/wap/BC246T and was looking through it. My question is how could this data be grabbed from the scanner? Obviously, the new firmware update is transmitted from the computer into the scanner, so my thought is that maybe someone figured out how to tap the com port output and grab the raw data as if it were the scanner receiving the data. I looked at the firmware update setup program and data file and couldn't find this data contained inside, although the file sizes seemed about right. I'm thinking it was compressed inside the setup program. I really don't know how it was obtained, but that's not as important to me as the next question. If the firmware was grabbed and changed to raw data, is there any way to take that raw data and send it to the scanner? If so, it would not be hard to make slight modifications to the firmware. It would be a worthwhile mod to try to change the startup text and if that worked, then more advanced things could be done. For example, attempting to bypass the "Press any key..." for Close Call by changing a byte or two in the right place. Anyone who's disassembled Windows executables or messed around a lot with computer programming knows what I'm talking about, and it wouldn't be that hard. Any ideas are appreciated. Thanks.
Hello,

The program is a Motorola control channel decode program like Trunker so the only thing coming out of the scanner is the discriminator audio. I think Trunk is the Oz version of Trunker.

As someone who does embedded programming I will say that it is not as easy as it looks. The text strings can be easily found and changed but code is another matter. This does not address the fact that most firmwares have a check method to detect if the image is corrupted. So changing one byte and uploading it will result in a big static piece of metals and plastics. You just hope Uniden has a good procedure to reload firmware over the serial port and not by soldering wires to the board and using a special program.

You need to get a disassembler, compiler, debugger, and other tools for the processor being used. For some embedded processors this can be $$$. You need to know assembly language and the instruction set of the processor involved. VB experience will be of little help. You have to spend a month or two full time figuring out how the code works.

73 Eric
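Eric's point that most firmware images carry a check to detect a corrupted image, as an added Python example that is not from this thread and does not describe the BC246T's real mechanism (the thread never identifies it): a constructed image body with an assumed CRC-32 trailer, the loader-side check that rejects it after one byte of a display string is changed, and an assumed HMAC-SHA256 variant keyed with a constructed key. BODY, DEVICE_KEY, the trailer layouts and all function names are this example's own assumptions.

```python
import hashlib
import hmac
import zlib

# Constructed sample body (NOT the BC246T image): a few opaque bytes standing
# in for code, followed by a display string table like the one in the thread.
BODY = (
    b"\x8b\x45\xfc\x83\xc4\x08\xc3\x90"
    b"Close Call\x00On\x00Off\x00%04xMHz\x00"
)

# Assumed layout for the checksum variant: body || CRC-32(body), little-endian.
CRC_LEN = 4


def build_image_crc(body: bytes) -> bytes:
    """Append the trailer a build tool would add."""
    return body + zlib.crc32(body).to_bytes(CRC_LEN, "little")


def verify_image_crc(image: bytes) -> bool:
    """Loader-side check: recompute the CRC over the body and compare."""
    if len(image) <= CRC_LEN:
        return False
    body, trailer = image[:-CRC_LEN], image[-CRC_LEN:]
    return zlib.crc32(body).to_bytes(CRC_LEN, "little") == trailer


def patch_byte(image: bytes, offset: int, value: int) -> bytes:
    """One changed byte, the kind of edit the thread is discussing."""
    if not 0 <= offset < len(image):
        raise IndexError("offset outside image")
    return image[:offset] + bytes([value]) + image[offset + 1:]


# Assumed authenticated variant: the device holds a secret key and the image
# carries HMAC-SHA256(key, body) as its trailer instead of a CRC.
DEVICE_KEY = b"constructed-example-key-not-a-real-device-key"
TAG_LEN = hashlib.sha256().digest_size


def build_image_mac(body: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Append an authentication tag; only a holder of the key can do this."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_image_mac(image: bytes, key: bytes = DEVICE_KEY) -> bool:
    """Loader-side check with the device key, constant-time comparison."""
    if len(image) <= TAG_LEN:
        return False
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def loader_decision(image: bytes, check) -> str:
    """What a cautious bootloader does before it touches flash."""
    return "flash" if check(image) else "reject"


if __name__ == "__main__":
    img = build_image_crc(BODY)
    edited = patch_byte(img, 19, ord("0"))      # "On" becomes "0n", one byte
    print("crc, original:", loader_decision(img, verify_image_crc))
    print("crc, edited:  ", loader_decision(edited, verify_image_crc))
    signed = build_image_mac(BODY)
    print("mac, original:", loader_decision(signed, verify_image_mac))
    print("mac, edited:  ", loader_decision(patch_byte(signed, 19, ord("0")), verify_image_mac))
```

The CRC check is what stands between a corrupted upload and the "static piece of metals and plastics" Eric warns about: the loader refuses the image instead of flashing it. It is not a tamper-proofing measure, since the trailer rule is public and any body can be given a matching trailer. The HMAC trailer is the property a loader needs before accepting an image over the serial port, because a body that was not produced with the device's key fails verification no matter how it was built.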
#11  11-10-2005, 04:50 AM
Posted by richster (Member; Join Date: Dec 2002; Location: Regina, Sask.; Posts: 532)

Eric has definitely got the right idea. I took a couple of semesters of machine language (assembly) back in the 80's. LOL that's right 80's, along with the main language I was learning at that time, Cobalt. At that time it was the fastest language (may still be) because there was no interpreter involved, plus being the computer's "native tongue" you can do a lot including disassembling code.

I don't know whose website Gilligan found, but that is one smart looking tap on that 246T. Plus I don't know what kind of slicer he/she is using, but that screenshot of slicer.exe is the cleanest looking signal I have ever seen. The final thing that amazed me was the screenshot of Demo88 they are using. I have never seen a 4.53p version!!

Regards,
Richster.
#12  11-10-2005, 05:52 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)

I found that website by looking at slicerwizard's profile (http://www.radioreference.com/forums/member.php?u=1411). He had it listed as his homepage. I still would like to know if there would be a way to send the firmware back to the scanner (modified). It would probably be a method like a program pretending to be the setup program, or swapping the firmware data into the setup program provided by Uniden. When I went looking for a discriminator tap for the 246T, he responded as follows:
Quote:
Originally Posted by slicerwizard
Photos were posted here two months ago:
http://home.ica.net/~phoenix/wap/BC246T/
No fancy data slicer required; I'm just using half of an LM1458 op-amp in a DB9 shell.
...Andy
#13  11-10-2005, 06:32 AM
Posted by richster (Member; Join Date: Dec 2002; Location: Regina, Sask.; Posts: 532)

Quote:
Originally Posted by Gilligan
I found that website by looking at slicerwizard's profile (http://www.radioreference.com/forums/member.php?u=1411). He had it listed as his homepage. I still would like to know if there would be a way to send the firmware back to the scanner (modified). It would probably be a method like a program pretending to be the setup program, or swapping the firmware data into the setup program provided by Uniden. When I went looking for a discriminator tap for the 246T, he responded as follows:
Oh hell! That explains everything then. Especially the Demo88 version. I don't have an answer to your question Gilligan. The languages I know well were obsolete over 10 years ago. I would imagine if anyone would know an answer to your question it would be Andy. Try sending him a PM.

Regards,
Richster.
#14  11-10-2005, 08:45 AM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)

I sent him a short PM before I opened this thread, but no reply as of yet. Thanks.
#15  11-11-2005, 06:24 PM
Posted by edmscan (Member; Join Date: Feb 2003; Posts: 424)

I did find this from the Firmware Update .... the ST6UNST.LOG file that clearly tells me that it is VB. Hope this helps .... I would love to make a change to the 246 one that annoys me. If anyone figures out how to make it tick. Be sure to let us all know.

****************************************************************
NOTE: Beginning of the bootstrapper section

CONFIG: Title: "BC246TVUP_V2_05"

ACTION: RegKey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SharedDLLs"

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\VB6STKIT.DLL"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\COMCAT.DLL"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\STDOLE2.TLB"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\ASYCFILT.DLL"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\OLEPRO32.DLL"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\OLEAUT32.DLL"
(File currently on disk was already up to date)

ACTION: SystemFile: "D:\WINDOWS\SYSTEM32\MSVBVM60.DLL"
(File currently on disk was already up to date)

ACTION: DllSelfRegister: "D:\WINDOWS\SYSTEM32\COMCAT.DLL"

ACTION: TLBRegister: "D:\WINDOWS\SYSTEM32\STDOLE2.TLB"

ACTION: DllSelfRegister: "D:\WINDOWS\SYSTEM32\OLEPRO32.DLL"

ACTION: DllSelfRegister: "D:\WINDOWS\SYSTEM32\OLEAUT32.DLL"

ACTION: DllSelfRegister: "D:\WINDOWS\SYSTEM32\MSVBVM60.DLL"

NOTE: End of the bootstrapper section

NOTE: Now spawning the main Setup program 'Setup1.exe'....

ACTION: CreateDir: "D:\Program Files\BC246TVUP_V2_05"

ACTION: CreateDir: "D:\Documents and Settings\Kevin\Start Menu\Programs\Uniden"

ACTION: PrivateFile: "D:\Program Files\BC246TVUP_V2_05\200508030205.dat"
(File was not found or was an older version -- new file copied)

ACTION: SharedFile: "D:\WINDOWS\system32\comctl32.ocx"
(File currently on disk was already up to date)

ACTION: SharedFile: "D:\WINDOWS\system32\MSCOMM32.OCX"
(File currently on disk was already up to date)

ACTION: SharedFile: "D:\WINDOWS\system32\comdlg32.ocx"
(File currently on disk was already up to date)

ACTION: PrivateFile: "D:\Program Files\BC246TVUP_V2_05\BC246TVUP_V2_05.exe"
(File was not found or was an older version -- new file copied)

ACTION: DllSelfRegister: "D:\WINDOWS\system32\comctl32.ocx"

ACTION: DllSelfRegister: "D:\WINDOWS\system32\MSCOMM32.OCX"

ACTION: DllSelfRegister: "D:\WINDOWS\system32\comdlg32.ocx"

ACTION: ShellLink: "Uniden", "BC246TVUP_V2_05"

ACTION: RegKey: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "App Paths\BC246TVUP_V2_05.exe"

ACTION: RegValue: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BC246TVUP_V2_05.exe", ""

Just my 2 cents.
__________________
Kevin
Scanning the Airwaves

Last edited by edmscan; 11-11-2005 at 06:33 PM..
#16  11-11-2005, 06:32 PM
Posted by gr8amp (Member; Join Date: Jan 2003; Location: Boston, MA; Posts: 129)

Quote:
Originally Posted by edmscan
I would say that it is written in VB. The reason I say this is that sure what you are showing in this entry is not VB.

You just have to look at when you actually run the program normally and do the update.... it is using VB runtime files if my memory serves me correctly. I am not able to look at the firmware install right now ... but what I remember it is VB.

Just my 2 cents.
I am not sure exactly what you are saying here, the second sentence leaves me a bit confused, but it seems as if you are talking about the program that is run on a computer to load the firmware to the radio. The file presented above is the data that is actually loaded into the scanner. I can say with a fair bit of certainty that this wasn't written in VB.
#17  11-11-2005, 06:39 PM
Posted by edmscan (Member; Join Date: Feb 2003; Posts: 424)

I did modify my first entry .... but correct me if I am wrong, but this sure does look like VB to me.

I have done my fair share of programming and have learned that what you are looking at above is not 'code' ... but rather if what you say is right, it is what is sent to the scanner.

The 'data' above doesn't reflect what language the program is written in .... but the log file contents that I posted above DOES tell me that this is a VB program.

Sorry if I confused you ... but this should make it very evident to anyone that knows VB programs.
__________________
Kevin
Scanning the Airwaves
#18  11-11-2005, 07:17 PM
Posted by gr8amp (Member; Join Date: Jan 2003; Location: Boston, MA; Posts: 129)

Quote:
Originally Posted by edmscan
I did modify my first entry .... but correct me if I am wrong, but this sure does look like VB to me.

I have done my fair share of programming and have learned that what you are looking at above is not 'code' ... but rather if what you say is right, it is what is sent to the scanner.

The 'data' above doesn't reflect what language the program is written in .... but the log file contents that I posted above DOES tell me that this is a VB program.

Sorry if I confused you ... but this should make it very evident to anyone that knows VB programs.

It seems we are talking about 2 different programs here. You are talking about the program that is run on your PC that sends the data to the scanner. Yes, this looks to be written in VB, but really has nothing to do with how the scanner operates. It just provides a friendly way to load the program memory within the scanner. The data presented in the first post is the actual program that runs on the scanner. This was likely written in assembly language or C++. This "program" is what needs to be modified to change the way the scanner operates, not the VB program that you run on your PC. As Eric has explained, this wouldn't be an easy task without having a LOT more information on the hardware, and without having the proper development equipment.
#19  11-11-2005, 07:17 PM
Posted by Gilligan (Member, Database Admin; Join Date: Dec 2002; Location: Oklahoma City, OK; Posts: 1,414)

Okay, I think I see the confusing part of those last few replies. The setup program for the firmware update probably is in VB, but we're talking about the actual firmware file that is uploaded to the scanner, which is in whatever machine/processor language the scanner uses. A lot of people use VB for setup programs because it's so quick and easy. But that's completely different from the firmware data we're talking about modifying. I'm not saying the above info isn't useful -- indeed it is. It tells what the setup program is actually doing. The ultimate question remains where inside the setup file, or outside of it, is the actual firmware code (file) that is uploaded to the scanner. That's what we would need to modify the firmware. Let's try to keep this thread going a little while until we make a little progress -- I don't think anyone has dreamed of modifying firmware before now, but it is possible in theory. Thanks.
#20  11-11-2005, 08:54 PM
Posted by rdale (Member; Join Date: Feb 2001; Location: Lansing, MI; Posts: 7,298)

"The ultimate question remains where inside the setup file, or outside of it, is the actual firmware code (file) that is uploaded to the scanner."

Let's think... We run the setup file which installs the firmware updating PROGRAM. Then we download the firmware itself. We run the program, tell the program where the firmware file is, and it's sent to the PC. So the firmware updating PROGRAM (which is in VB) has NOTHING to do with modifying the firmware. The firmware is NOT written in VB.

"but it is possible in theory."

I really don't think it is. I have no doubt that there is a keycode that needs to be included in the file. But feel free to try it yourself - just update one of the text strings and reupload it to the scanner and see. If it works, your theory is correct. I think my theory will end up accurate ;>

- Rob