Theoretical only question: Hack Firmware?

Status
Not open for further replies.

N9JIG

Sheriff
Moderator
Joined
Dec 14, 2001
Messages
5,568
Location
Far NW Valley
Let me start by saying I do not advocate this at all, just wondering if it is possible. I know it would violate the warranty at best and be illegal/violate software patents at worst.

Now, is it possible to hack the firmware of the current Uniden scanner models like the 330, 396, 996 and 15?

Could one who knows how to do this sort of thing build a firmware version that provides some sort of alternate feature set?

How about something innocuous like changing the tones used for beeps or Fire Tone Out alerts?

What about something more useful like altering step sizes available to the user?
 

K9GTJ

Member
Joined
May 20, 2006
Messages
602
Location
Kokomo, IN
I am sure it is possible. I know Canon DSLR camera firmware has been hacked to add back features which were left off the lower end models.
 
N_Jay

Guest
In theory "anything is possible", but of course one of the "possibilities" is that what you are trying to do is impossible.

Anyone with the coding skill and interest could hack the software.

The issue is it is very hard to get the hacks right without documentation on the original code and the hardware it runs on.

This is assuming what you want to do is within the capabilities of the hardware and there are enough MIPS and MEM.
 

b52hbuff

Member
Joined
Dec 19, 2002
Messages
1,736
It's most certainly possible. The firmware is released in Motorola S-record format. And the CPU type is known. All that is required is time and interest. I haven't heard anything about it, so I would say both are lagging...
 

chikin

Member
Joined
Dec 19, 2002
Messages
22
I've been doing a little research on the issue, specifically with the BC296D. Given the litigious nature of corporations these days, publishing findings, even done without the benefit of any inside information, is something of a risky proposition. But theoretically speaking, I do believe it is possible, if maybe not completely feasible.

First of all, the firmware is distributed within the Uniden firmware update downloads in S-record format, but if you were to convert the S-record file to a binary file and look at it in a hex editor, you might expect to see (for example) the text strings that make up the extensive menus. However, you won't see the strings. The bytes in the S-record file have an offset applied to each byte that obscures the data, and these offsets appear to be slightly different for different areas of the firmware. I am not sure why this is done, but I can confirm that this is the case. (Please note that this is not a form of encryption. It is somewhat akin to obfuscating a message by using the next letter in the alphabet, for example, by writing TDBOOFS instead of SCANNER.) Now, with that being said, there is software available that will log all data received and sent by the serial port to a file. If you run this software while doing a scanner firmware update, you will see the transformed S-records sent to the scanner with the offsets removed. If you take this S-record data and convert it to a binary file, then it is easy to see the strings in the clear and know that the data is in its correct intended format.

The processor type, as mentioned, is known; at this point, if you have access to a disassembler and the will and fortitude to figure out how the firmware works, you could theoretically figure out how the BC296D firmware works. This is a huge job and is probably a futile exercise. A better strategy would be to figure out how the microcontroller interacts with each of the peripherals (keyboard, LCD display, scroll wheel, various DDS synthesizers, etc.). The processor in the BC296D has a number of general purpose I/O ports whose inputs and outputs control many of these peripherals. So, if you were to look for those portions of the code where the GPIOs are manipulated, you might be able to make some educated guesses as to which port controls which peripheral and how it's done. You will need good deductive reasoning skills, a lot of trial and error and a lot of luck.

If I were to perform the procedure, the first place I would start would be with the firmware update procedure, for two reasons. First of all, if I were going to modify the firmware to patch portions of the code in order to test out some theories and upload it to my scanner, I would want to make absolutely sure that whatever I did wouldn't hinder my ability to upgrade the scanner in the future, or, worse yet, render it inoperable forever. The processor in question has some amount of flash memory in which the firmware and the firmware update procedure (accessed via the L/O-SCAN-6 keypad combination) reside, and I understand that parts of the flash can be locked and prevented from being rewritten. One would have to be very careful with this facility when modifying the contents of the scanner. Secondly, this would be a great starting point to figuring out how the keyboard is accessed. You know that one of the first things that the firmware has to do is to see if L/O-SCAN-6 is depressed, and if so, enter the firmware update procedure. I would imagine that you'd see some ports being accessed to check for certain values and dispatch either to the firmware update procedure or to normal scanning mode. Tracing through the disassembly requires a lot of careful note-taking and researching how the microcontroller reacts to certain instructions, and it's not an exercise for the faint of heart.

Perhaps the best way to conduct experiments is to modify the firmware such that before the scanner goes into regular scanning mode, you have a chance to read and write the RAM and/or SFRs on the microcontroller and execute code in RAM by writing data to the serial port. You could then write programs with your assembler, store the bytes in RAM by uploading them through the serial port, and then execute the code. The benefit here is that you don't have to modify and upload the firmware every time you want to run some code. (Just make sure that you provide a way to get back to normal scanner mode.)

It would take a concerted effort by a large group of individuals cognizant in embedded systems and assembly language to figure out how the entire BC296D firmware worked. I don't think we will ever see this. However, I do not doubt that a few tenacious individuals would be able to at least figure out how to tune a station, read the keyboard and access the display and maybe create some experimental firmware that showed off these concepts. You're never going to see a completely fully-featured replacement for the original firmware.
 

scanningisfun

Member
Joined
Jun 29, 2010
Messages
685
First, I'm not a programmer. I've been interested in this topic for the past couple of days. I wanted to mess with my firmware file, so I did. I know this topic is old, but the info in this thread is helpful, especially the above post.

To start, I opened up my 396XT firmware in Srecordizer, which is a program that separates the Motorola S-record format. Knowing that nothing useful was going to happen by looking at the plain file, I used SRecord 1.62 compiled for Windows to convert the firmware into a binary file. I opened the binary in HxD and was able to pick out some text. I could see things like cc on, cc off, cc dnd, etc. I could also see some of the text that you see when monitoring a P25 system (lnk, dat, enc). With that being said, not much was able to be read. I took the advice to run a serial dump while updating the firmware. I was surprised to see that the dump was not different, but exactly the same as the actual firmware file byte for byte. I then found a command line tool made for Linux called Binwalk, which is a firmware analysis tool. I mainly use a Windows laptop, and I didn't want to go through the trouble of porting Binwalk. Luckily, we have an iMac running Lion upstairs. I turned on SSH, Samba file sharing, and VNC so I could use the Mac for the purposes of running Binwalk. After getting through the pains of installing Homebrew, Python, Python modules, and Binwalk, I was ready to run the firmware file. I ran the S-record file, and not the binary. I was surprised to see multiple hits off of the file. There are multiple places in the firmware where it found "Windows CE RTOS." Knowing that Windows CE is used for embedded systems, I'm sure that is what it uses. I haven't done anything else, and will probably have to do some research before I do. I'm just interested in learning how it works. I'm not doing this to make any custom firmware. Again, I'm not a programmer, and don't know much when it comes to programming.

Jacob
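The S-record conversion and string search that both chikin and Jacob describe, as an added example (my own code, not anything from Uniden or the scanner): it parses S1/S2/S3 records with checksum checks, flattens them to a binary image, lists printable strings, and scores every possible additive per-byte offset to find the one that exposes readable text, which is the obfuscation chikin describes. The sample payload is constructed here, not real firmware.

```python
import re
import string

# Added example, not Uniden's code; the sample data below is constructed (see OBSCURED).
ADDR_LEN = {'1': 2, '2': 3, '3': 4}    # address width in bytes per data record type
TEXTLIKE = set(b'\0 ' + string.ascii_lowercase.encode() + string.digits.encode())

def make_srec(addr, data):
    """Build one S1 record (16-bit address) with a correct checksum."""
    body = bytes([len(data) + 3]) + addr.to_bytes(2, 'big') + data
    return 'S1' + (body + bytes([(~sum(body)) & 0xFF])).hex().upper()

def parse_srec(text):
    """Parse S1/S2/S3 records into {address: byte}; corrupt records raise."""
    image = {}
    for line in (l.strip() for l in text.splitlines() if l.strip().startswith('S')):
        raw = bytes.fromhex(line[2:])
        # count covers addr+data+checksum; checksum = ~(low byte of sum(count+addr+data))
        if raw[0] != len(raw) - 1 or (~sum(raw[:-1])) & 0xFF != raw[-1]:
            raise ValueError("corrupt record: " + line)
        if line[1] not in ADDR_LEN:
            continue                        # S0 header, S5/S6 counts, S7/S8/S9 terminators
        n = ADDR_LEN[line[1]]
        addr = int.from_bytes(raw[1:1 + n], 'big')
        for i, b in enumerate(raw[1 + n:-1]):
            image[addr + i] = b
    return image

def flatten(image, fill=0xFF):
    """Contiguous blob from the address map, gaps filled like erased flash."""
    return bytes(image.get(a, fill) for a in range(min(image), max(image) + 1))

def strings(data, minlen=4):
    """Runs of printable ASCII at least minlen long, like the strings tool."""
    return [m.decode() for m in re.findall(rb'[\x20-\x7e]{%d,}' % minlen, data)]

def unshift(data, k):
    return bytes((b - k) & 0xFF for b in data)   # undo an additive offset, mod 256

def best_offset(data):
    """Try all 256 additive offsets; keep the one leaving the most text-like bytes."""
    return max(range(256), key=lambda k: sum(b in TEXTLIKE for b in unshift(data, k)))

# Constructed sample: "cc on\0cc off\0" with +1 added to every byte, in two S1 records.
OBSCURED = bytes((b + 1) & 0xFF for b in b"cc on\0cc off\0")
SAMPLE = "\n".join([make_srec(0x0100, OBSCURED[:6]), make_srec(0x0106, OBSCURED[6:]), "S9030000FC"])

if __name__ == "__main__":
    blob = flatten(parse_srec(SAMPLE))
    print(strings(blob), "-> offset", best_offset(blob), strings(unshift(blob, best_offset(blob))))
```

On a real image the offset scoring should be run per region rather than over the whole file, since chikin notes the offset differs between areas of the firmware.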
 

n3617400

Member
Joined
Jun 28, 2013
Messages
231
Location
MOON 2112
Now, is it possible to hack the firmware of the current Uniden scanner models like the 330, 396, 996 and 15?

Screenshots of my BCD-996T as answer.
 

Attachments: picture_picblock_a_1.jpg, picture_picblock_a_2.jpg

scanningisfun

Member
Joined
Jun 29, 2010
Messages
685
Firmware of BCD-396XT v.1.11.01 does not contain the string "Windows CE RTOS", but contains "NORTi(c)MiSPO". Other RTOS.

I thought I was on to something when I saw what I found. I'll look up what you have.

Edit: Google Chrome's built-in translator helps a lot.

Jacob
 

ronenp

Member
Joined
May 8, 2002
Messages
592
firmware change ...

I have a link to a web page that describes the Uniden firmware hack and the structure of the software blocks, and also a screenshot of a new firmware installed in the scanner that shows 12345 instead of the regular working firmware, as a proof of concept. So yes, it can be done ....
 

Farscan

Member
Premium Subscriber
Joined
Apr 25, 2009
Messages
110
Location
Midwest
I think it's great that you can hack the firmware, but looking at the screenshot there is nothing to listen to, unless you can figure out how to decode TDMA.
If you could decode TDMA, NXDN, or D-star it would be awesome, otherwise I am not sure what you are missing.
 

gtaman

Member
Joined
Oct 23, 2010
Messages
1,039
Location
GALAXY 19 91.0° W
I think it's great that you can hack the firmware, but looking at the screenshot there is nothing to listen to, unless you can figure out how to decode TDMA.
If you could decode TDMA, NXDN, or D-star it would be awesome, otherwise I am not sure what you are missing.

Wireless mics, cell noise. That's about all.
 