The RadioReference.com Forums > Scanners and Receivers Forums > Uniden Forums > Uniden Thread Archives

Uniden Thread Archives: a depository of archived threads from the original Uniden forum.
#1
09-10-2006, 9:22 AM
N9JIG
RadioReference Database Administrator, Amateur Radio Operator
Join Date: Dec 2001
Location: Northern IL
Posts: 2,176

Theoretical only question: Hack Firmware?

Let me start by saying I do not advocate this at all, just wondering if it is possible. I know it would violate the warranty at best and be illegal/violate software patents at worst.

Now, is it possible to hack the firmware of the current Uniden scanner models like the 330, 396, 996 and 15?

Could one who knows how to do this sort of thing build a firmware version that provides some sort of alternate feature set?

How about something innocuous like changing the tones used for beeps or Fire Tone Out alerts?

What about something more useful like altering step sizes available to the user?
#2
09-10-2006, 11:16 AM
K9GTJ
Member, Amateur Radio Operator
Join Date: May 2006
Location: Kokomo, IN
Posts: 704

I am sure it is possible. I know Canon DSLR camera firmware has been hacked to add back features which were left off the lower end models.
__________________
BCD996XT | BCD396T | BR330T | BCD996T | BCT15 | BC370CRS
Kokomo, Indiana Live Public Safety Stream | Kokomo-Weather | K9GTJ
#3
09-10-2006, 11:31 AM
N_Jay
Not Posting
Join Date: May 2004
Location: Outside the big city in the Midwest
Posts: 10,285

In theory "anything is possible", but of course one of the "possibilities" is that what you are trying to do is impossible.

Anyone with the coding skill and interest could hack the software.

The issue is it is very hard to get the hacks right without documentation on the original code and the hardware it runs on.

This is assuming what you want to do is within the capabilities of the hardware and there are enough MIPS and MEM.
#4
09-10-2006, 12:35 PM
Member
Join Date: Dec 2002
Location: Los Altos, CA
Posts: 1,510

It's most certainly possible. The firmware is released in Motorola S-record format. And the CPU type is known. All that is required is time and interest. I haven't heard anything about it, so I would say both are lagging...
#5
09-10-2006, 3:58 PM
Member
Join Date: Dec 2002
Posts: 22

I've been doing a little research on the issue, specifically with the BC296D. Given the litigious nature of corporations these days, publishing findings, even done without the benefit of any inside information, is something of a risky proposition. But theoretically speaking, I do believe it is possible, if maybe not completely feasible.

First of all, the firmware is distributed within the Uniden firmware update downloads in S-record format, but if you were to convert the S-record file to a binary file and look at it in a hex editor, you might expect to see (for example) the text strings that make up the extensive menus. However, you won't see the strings. The bytes in the S-record file have an offset applied to each byte that obscures the data, and these offsets appear to be slightly different for different areas of the firmware. I am not sure why this is done, but I can confirm that this is the case. (Please note that this is not a form of encryption. It is somewhat akin to obfuscating a message by using the next letter in the alphabet, for example, by writing TDBOOFS instead of SCANNER.) Now, with that being said, there is software available that will log all data received and sent by the serial port to a file. If you run this software while doing a scanner firmware update, you will see the transformed S-records sent to the scanner with the offsets removed. If you take this S-record data and convert it to a binary file, then it is easy to see the strings in the clear and know that the data is in its correct intended format.

The processor type, as mentioned, is known; at this point, if you have access to a disassembler and the will and fortitude to figure out how the firmware works, you could theoretically figure out how the BC296D firmware works. This is a huge job and is probably a futile exercise. A better strategy would be to figure out how the microcontroller interacts with each of the peripherals (keyboard, LCD display, scroll wheel, various DDS synthesizers, etc.). The processor in the BC296D has a number of general purpose I/O ports whose inputs and outputs control many of these peripherals. So, if you were to look for those portions of the code where the GPIOs are manipulated, you might be able to make some educated guesses as to which port controls which peripheral and how it's done. You will need good deductive reasoning skills, a lot of trial and error and a lot of luck.

If I were to perform the procedure, the first place I would start would be with the firmware update procedure, for two reasons. First of all, if I were going to modify the firmware to patch portions of the code in order to test out some theories and upload it to my scanner, I would want to make absolutely sure that whatever I did wouldn't hinder my ability to upgrade the scanner in the future, or, worse yet, render it inoperable forever. The processor in question has some amount of flash memory in which the firmware and the firmware update procedure (accessed via the L/O-SCAN-6 keypad combination) reside, and I understand that parts of the flash can be locked and prevented from being rewritten. One would have to be very careful with this facility when modifying the contents of the scanner. Secondly, this would be a great starting point to figuring out how the keyboard is accessed. You know that one of the first things that the firmware has to do is to see if L/O-SCAN-6 is depressed, and if so, enter the firmware update procedure. I would imagine that you'd see some ports being accessed to check for certain values and dispatch either to the firmware update procedure or to normal scanning mode. Tracing through the disassembly requires a lot of careful notetaking and researching how the microcontroller reacts to certain instructions, and it's not an exercise for the faint of heart.

Perhaps the best way to conduct experiments is to modify the firmware such that before the scanner goes into regular scanning mode, you have a chance to read and write the RAM and/or SFRs on the microcontroller and execute code in RAM by writing data to the serial port. You could then write programs with your assembler, store the bytes in RAM by uploading them through the serial port, and then execute the code. The benefit here is that you don't have to modify and upload the firmware every time you want to run some code. (Just make sure that you provide a way to get back to normal scanner mode.)

It would take a concerted effort by a large group of individuals cognizant in embedded systems and assembly language to figure out how the entire BC296D firmware worked. I don't think we will ever see this. However, I do not doubt that a few tenacious individuals would be able to at least figure out how to tune a station, read the keyboard and access the display and maybe create some experimental firmware that showed off these concepts. You're never going to see a completely fully-featured replacement for the original firmware.
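As an added example that is not code from this thread, the script below does in Python what the post above describes: it assembles Motorola S-records into a flat image while checking every record's checksum, then locates a known string that was stored with a constant per-byte offset and recovers that region's offset (the TDBOOFS-for-SCANNER idea). The S-record image is constructed for the example and is not Uniden firmware; the parser also accepts S2/S3 records so it works on larger images than the post's single case.

```python
# Constructed sample, not real Uniden firmware: S0 header, two S1 data records
# whose bytes carry a per-region offset as the post describes ("SCANNER" stored
# with +1 as "TDBOOFS" at 0x0000, "MENU" stored with +3 as "PHQX" at 0x0010), S9 end.
SAMPLE_SREC = """\
S00600004844521B
S10A00005444424F4F4653E4
S107001050485158A7
S9030000FC
"""
ADDR_BYTES = {"1": 2, "2": 3, "3": 4}  # address width of S1/S2/S3 data records

def parse_srecord(text, fill=0xFF):
    """Assemble S1/S2/S3 records into one flat image, verifying every checksum."""
    image = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 4 or line[0] != "S" or line[1] not in ADDR_BYTES:
            continue  # S0 header, S5/S6 counts and S7/S8/S9 end records carry no data
        raw = bytes.fromhex(line[2:])
        count, body, checksum = raw[0], raw[1:-1], raw[-1]
        if count != len(raw) - 1:
            raise ValueError(f"bad byte count in record {line}")
        # checksum = one's complement of the low byte of sum(count + address + data)
        if (~(count + sum(body)) & 0xFF) != checksum:
            raise ValueError(f"checksum mismatch in record {line}")
        width = ADDR_BYTES[line[1]]
        addr = int.from_bytes(body[:width], "big")
        for i, b in enumerate(body[width:]):
            image[addr + i] = b
    if not image:
        return b""
    return bytes(image.get(a, fill) for a in range(max(image) + 1))

def find_shifted(image, marker):
    """Find a known string stored with a constant byte offset; returns a list of
    (position, shift) pairs, the shift being the offset that region was given."""
    hits = []
    for shift in range(256):
        needle = bytes((b + shift) & 0xFF for b in marker)
        pos = image.find(needle)
        if pos != -1:
            hits.append((pos, shift))
    return hits

def unshift(data, shift):
    """Undo a constant per-byte offset for one region of the image."""
    return bytes((b - shift) & 0xFF for b in data)
```

Because the post says the offset differs between areas of the image, `find_shifted` is meant to be run once per known menu string so each region's offset is mapped separately before `unshift` is applied to that region.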
#6
08-12-2013, 8:30 PM
scanningisfun
Member, Amateur Radio Operator
Join Date: Jun 2010
Location: Andover, Kansas
Posts: 634

First, I'm not a programmer. I've been interested in this topic for the past couple of days. I wanted to mess with my firmware file, so I did. I know this topic is old, but the info in this thread is helpful, especially the above post.

To start, I opened up my 396XT firmware in Srecordizer, which is a program that separates the Motorola S-record format. Knowing that nothing useful was going to happen by looking at the plain file, I used SRecord 1.62 compiled for Windows to convert the firmware into a binary file. I opened the binary in HxD and was able to pick out some text. I could see things like cc on, cc off, cc dnd, etc. I could also see some of the text that you see when monitoring a P25 system (lnk, dat, enc). With that being said, not much was able to be read. I took the advice to run a serial dump while updating the firmware. I was surprised to see that the dump was not different, but exactly the same as the actual firmware file byte for byte. I then found a command line tool made for Linux called Binwalk, which is a firmware analysis tool. I mainly use a Windows laptop, and I didn't want to go through the trouble of porting Binwalk. Luckily, we have an iMac running Lion upstairs. I turned on SSH, samba file sharing, and VNC so I could use the Mac for the purposes of running Binwalk. After getting through the pains of installing Homebrew, Python, Python modules, and Binwalk, I was ready to run the firmware file. I ran the S-record file, and not the binary. I was surprised to see multiple hits off of the file. There are multiple places in the firmware where it found "Windows CE RTOS." Knowing that Windows CE is used for embedded systems, I'm sure that is what it uses. I haven't done anything else, and will probably have to do some research before I do. I'm just interested in learning how it works. I'm not doing this to make any custom firmware. Again, I'm not a programmer, and don't know much when it comes to programming.

Jacob
#7
08-12-2013, 9:27 PM
n3617400
Member
Join Date: Jun 2013
Posts: 147

Quote:
Originally Posted by N9JIG View Post
Now, is it possible to hack the firmware of the current Uniden scanner models like the 330, 396, 996 and 15?
Screenshots of my BCD-996T as an answer.
Attached Images
  
#8
08-12-2013, 9:59 PM
n3617400
Member
Join Date: Jun 2013
Posts: 147

Quote:
Originally Posted by scanningisfun View Post
There are multiple places in the firmware where it found "Windows CE RTOS."
The firmware of the BCD-396XT v.1.11.01 does not contain the string "Windows CE RTOS", but it does contain "NORTi(c)MiSPO". A different RTOS.
#9
08-12-2013, 10:13 PM
scanningisfun
Member, Amateur Radio Operator
Join Date: Jun 2010
Location: Andover, Kansas
Posts: 634

Quote:
Originally Posted by n3617400 View Post
The firmware of the BCD-396XT v.1.11.01 does not contain the string "Windows CE RTOS", but it does contain "NORTi(c)MiSPO". A different RTOS.
I thought I was on to something when I saw what I found. I'll look up what you have.

Edit: Google Chrome's built-in translator helps a lot.

Jacob

Last edited by scanningisfun; 08-12-2013 at 10:21 PM..
#10
08-13-2013, 12:50 AM
gtaman
Member
Join Date: Oct 2010
Location: Columbus Ohio
Posts: 456

I know there is a way to force flash a Uniden scanner with foreign firmware that has all bands unlocked.
__________________
Proud owner of a HARRIS FALCON III AN PRC-152 Multiband Radio.
#11
08-13-2013, 1:26 AM
Member
Join Date: May 2002
Posts: 443

firmware change ...

I have a link to a web page that describes the Uniden firmware hack and the structure of the software blocks, and also a screenshot of a new firmware installed in the scanner that shows 12345 instead of the regular working firmware as a proof of concept, so yes, it can be done ....
#12
08-13-2013, 10:50 AM
alwayslookin
Member, Premium Subscriber
Join Date: Nov 2007
Location: Southern Indiana
Posts: 118

Is this possible to do on the 996XT? If so I would love to learn how to change things.
#13
08-13-2013, 1:23 PM
Member
Join Date: Apr 2009
Location: Midwest
Posts: 118

I think it's great that you can hack the firmware, but looking at the screenshot there is nothing to listen to, unless you can figure out how to decode TDMA.
If you could decode TDMA, NXDN, or D-star it would be awesome, otherwise I am not sure what you are missing.
#14
08-13-2013, 1:56 PM
gtaman
Member
Join Date: Oct 2010
Location: Columbus Ohio
Posts: 456

Quote:
Originally Posted by Farscan View Post
I think it's great that you can hack the firmware, but looking at the screenshot there is nothing to listen to, unless you can figure out how to decode TDMA.
If you could decode TDMA, NXDN, or D-star it would be awesome, otherwise I am not sure what you are missing.
Wireless mics, cell noise. That's about all.
__________________
Proud owner of a HARRIS FALCON III AN PRC-152 Multiband Radio.