RadioReference on Facebook   RadioReference on Twitter   RadioReference Blog
 

Go Back   The RadioReference.com Forums > Scanners and Receivers Forums > Uniden Forums > Uniden Thread Archives

Uniden Thread Archives A depository of archived threads from the original Uniden forum.

 
 
LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 01-21-2014, 12:09 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default BCD99T Firmware Mod - Open out-of-band

I had the good fortune of finding a RR member [n3617400] who has been working on modifying Uniden scanner firmwares and I thought I'd share his work.
This particular modified firmware opens up all 'out of band' or locked out frequencies.


If you are interested breathing a little new life back into an already aging scanner you can download it here: https://files.secureserver.net/0scXn1H3oPb3j0

n361740 (aka JohnDoe) has made all the firmware changes he's going to make with the 996T, his latest project is the HomePatrol1.

You can see some of his work on his YouTube Channel Homebrew on HomePatrol-1 - YouTube or you can follow him on Twitter @OpenUniden

Last edited by TEKurtz; 01-21-2014 at 1:16 AM..
Sponsored links
  #2 (permalink)  
Old 01-21-2014, 12:14 AM
kma371's Avatar
DB Admin
  RadioReference Database Admininstrator
Database Admin
 
Join Date: Feb 2001
Location: San Joaquin County, CA
Posts: 3,610
Default

The two freqs in the screen shots are standard coverage for that receiver so I'm confused?
  #3 (permalink)  
Old 01-21-2014, 12:18 AM
mancow's Avatar
Member
  Premium Subscriber
Premium Subscriber
 
Join Date: Feb 2003
Location: N.E. Kansas
Posts: 4,457
Default

Yea I'm confused as well.
  #4 (permalink)  
Old 01-21-2014, 12:22 AM
Boatanchor's Avatar
Member
   
Join Date: Jul 2011
Location: A state of flux :-)
Posts: 323
Default

Quote:
Originally Posted by kma371 View Post
The two freqs in the screen shots are standard coverage for that receiver so I'm confused?
Yes, frequencies displayed are 'standard' coverage for the 996T.

Good try, but no banana
__________________
What can go wrong, will go wrong!

FuncubeDongle Pro+ - PSR600 - PSR500 - BCD996XT - BCD396XT - TM9155 - IC-208H, amongst others :-)
  #5 (permalink)  
Old 01-21-2014, 12:22 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default

I was using the less than optimal Tapatalk app when I posted, there was a whole section cut out of the post.
Disregard the bit about the talkgroups.
The firmware opens up any band that's been locked out.
Sponsored links
  #6 (permalink)  
Old 01-21-2014, 12:27 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default BCD99T Firmware Mod - Open out-of-band

These two photos were supposed to be in the thread



  #7 (permalink)  
Old 01-21-2014, 12:32 AM
mancow's Avatar
Member
  Premium Subscriber
Premium Subscriber
 
Join Date: Feb 2003
Location: N.E. Kansas
Posts: 4,457
Default

How far will it tune?
  #8 (permalink)  
Old 01-21-2014, 12:37 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default

Right now, this firmware opens all frequencies in the stock spectrum. With that said, It's possible that if enough interest was present he might be able to be convinced to open up the spectrum.
  #9 (permalink)  
Old 01-21-2014, 12:41 AM
kma371's Avatar
DB Admin
  RadioReference Database Admininstrator
Database Admin
 
Join Date: Feb 2001
Location: San Joaquin County, CA
Posts: 3,610
Default

Quote:
Originally Posted by TEKurtz View Post
Right now, this firmware opens all frequencies in the stock spectrum. With that said, It's possible that if enough interest was present he might be able to be convinced to open up the spectrum.
Ok, I see the correct pictures now, but is the intent to open the cell band?

If it is, I'm still very confused with those hoping to "open" portions of the band that are blocked. This would have been great years ago, but now there is nothing there worth listening to.

If the intent is NOT to open the cell band, is there anything that we are missing that we would be able to listen to?
Sponsored links
  #10 (permalink)  
Old 01-21-2014, 12:55 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default BCD99T Firmware Mod - Open out-of-band

First, there is nothing much to hear as far as cellular transmissions go. Unless you can decode them (which no scanner can).

As far as what you hear depends on your area, there is a lot of public safety and commercial pager traffic to decode in my area in the low 800's.
A lot of wireless analog mic's use 700.

I just loaded the firmware myself less than 48 hours ago, so I'm sure I'll find more in the near future.
  #11 (permalink)  
Old 01-21-2014, 1:04 AM
TEKurtz's Avatar
Member
   
Join Date: Oct 2009
Location: Simsbury, CT
Posts: 76
Default BCD99T Firmware Mod - Open out-of-band

This was his 'trial hack'. for the most part he's moved on to more exciting mods. Keep an eye on this guy, I think he's going to do some great things for Uniden scanner users.
He's already talking about tearing through the BCD536HP. With it's processor, ram and wifi radio it really opens up the possibilities.
  #12 (permalink)  
Old 01-21-2014, 1:13 AM
Boatanchor's Avatar
Member
   
Join Date: Jul 2011
Location: A state of flux :-)
Posts: 323
Default

Thanks for the additional pics.

I look forward to reading similar posts relating to the 996XT firmware appearing

The fact that the Uniden firmware has been hacked is very 'interesting' news

I for one would like the 800Mhz band 'opened up'. There are a few local radio station STL's that just happen to be located
within the blocked sections.
__________________
What can go wrong, will go wrong!

FuncubeDongle Pro+ - PSR600 - PSR500 - BCD996XT - BCD396XT - TM9155 - IC-208H, amongst others :-)
  #13 (permalink)  
Old 01-21-2014, 1:16 AM
Boatanchor's Avatar
Member
   
Join Date: Jul 2011
Location: A state of flux :-)
Posts: 323
Default

Now we just need DSDPlus to be included and we are good to go..
__________________
What can go wrong, will go wrong!

FuncubeDongle Pro+ - PSR600 - PSR500 - BCD996XT - BCD396XT - TM9155 - IC-208H, amongst others :-)
  #14 (permalink)  
Old 01-21-2014, 2:21 AM
Member
   
Join Date: Sep 2002
Location: Toronto, Ontario
Posts: 2,312
Default

Quote:
Originally Posted by Boatanchor View Post
Now we just need DSDPlus to be included and we are good to go..
There is a hidden switch for that but it is not well defined anywhere.
  #15 (permalink)  
Old 01-21-2014, 2:45 AM
Boatanchor's Avatar
Member
   
Join Date: Jul 2011
Location: A state of flux :-)
Posts: 323
Thumbs up

Lol
__________________
What can go wrong, will go wrong!

FuncubeDongle Pro+ - PSR600 - PSR500 - BCD996XT - BCD396XT - TM9155 - IC-208H, amongst others :-)
Sponsored links
        
  #16 (permalink)  
Old 01-21-2014, 1:01 PM
PiccoIntegra's Avatar
Member
   
Join Date: Dec 2002
Location: North Texas
Posts: 162
Default

Quote:
Originally Posted by Boatanchor View Post
I look forward to reading similar posts relating to the 996XT firmware appearing

The fact that the Uniden firmware has been hacked is very 'interesting' news
Now that the cat is out of the bag...

It's certainly possible. I have a fully disassembled 996XT firmware image, and it's very similar to its T model predecessor. For anyone curious, you can't load the XT firmware to the T models. There are too many obstacles to overcome, it's not worth the effort. In fact, none of the firmware images can be used on other models. The processors, M32R, are the same(BCT15, 996X/T, 396X/T), but pin usage is different on all models. The BCT15X got a processor downgrade to the M16C. The only exception may be with the UB models. It might be possible to load a modified US version to the UB version. But I've never explored that.

..but I won't be distributing copyrighted material. Someone else will have to take that chance. I suppose an IDA script could be written(I've toyed with it) to take care of everything without needing to include the Uniden firmware image. But that is way too much work. I suppose a patching program could be written(very simple to do) without the need for any disassembler, but someone will have to figure out which bytes to modify and then recalculate the CRC values the radio is expecting. I don't plan to ever buy an XT model, so someone else will have to tackle that.

My intentions were to find undiscovered serial commands, and undocumented parameters for known commands. There is a whole subset of developer commands(Thanks John Doe!) that were a huge disappointment. There are also some new test mode stuff on the XT models. These can be accessed from the keypad while turning on, or with an undocumented serial command. Again, I don't have an XT so I can't test them.

I'll give Uniden huge props(as if they care) for being forthcoming in regards to the serial protocol documentation. There isn't much that they left out. The stuff left out, mostly dev level commands, don't need to be played with by someone that doesn't know how to recover their radio. As long as you don't corrupt the bootloader, you can recover from just about anything.

I don't think a third party firmware could ever come remotely close to what Uniden gets out of these things. They have so many years now with their code base(it carries over from all models) that it would be a monumental achievement to match their work.
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT -5. The time now is 2:10 PM.


Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
All information here is Copyright 2012 by RadioReference.com LLC and Lindsay C. Blanton III.Ad Management by RedTyger
Copyright 2011 by RadioReference.com LLC Privacy Policy  |  Terms and Conditions