AOR AR5000+3B Cellular mod

Status
Not open for further replies.

mikedh505

Newbie
Joined
Oct 5, 2011
Messages
2
Hello group,

About two years ago I bought an AOR AR5000+3B.
I love this radio. If I could say only one thing about this
radio, it would be that it is too sensitive, but then that would
be a compliment, wouldn't it?

I would like this radio even more if I could open up the
cellular band.

This radio even has self protection circuits like my
Yaesu FT-2000. Being a HAM, I one time overloaded
the receiver. The radio stopped working, I could not
receive anything! Until I turned it off for a few minutes;
when it came back up, it was back to normal, full
receive, no damage no foul.

I read on one of these threads that the Cellular band
can be opened up however the post did not allude to
instructions, all I need is some instructions on how
to do this. Give me some good instructions and I could
perform brain surgery.

Thank you in advance, and 73's to all.
 

burner50

The Third Variable
Joined
Dec 24, 2004
Messages
2,304
Location
NC Iowa
Even if you could open up the cellular band, you wouldn't hear anything.
 

scannerboy01

Member
Joined
Apr 1, 2010
Messages
261
Location
Alberta, Canada
Just to let you know, mikedh505, modifying your scanner to receive cellular is illegal and today's cellphones are on a highly advanced digital that scanners can't pick up even with modification.
 

MarkWestin

Member
Joined
Apr 21, 2005
Messages
659
Location
Caribou, Maine
I am sure that none of the previous answers are what you were hoping for and unfortunately this one isn't either. Unless your receiver was made prior to about 1992, Federal law won't allow the easy modification of a receiver to pick up the cellular phone frequencies. This was done primarily by requiring a different CPU chip with the cell freqs blocked, covering certain areas of the RF circuits with a black substance and not releasing the service manuals or a schematic diagram. As others have indicated, the cell phones no longer are using analog signals in any frequency ranges. There are three ways (two really) to open up your receiver to receive these frequency ranges:
1. Get a CPU from a non-USA model and install it on your CPU board after removing your CPU. (I don't believe this option is possible for several reasons including availability to find the CPU chip for your board)
2. Find a non-USA CPU board and install it in your receiver. (probably not cost effective)
3. Sell your AR5000+3B and buy an AR5000+3U. (also probably not cost effective)

You may find "modification instructions" on some sites including "mods.dk" but these are usually for opening up the Japan Domestic models to full range specs.

Good luck with your search. (You'll need it)

Mark
 

krokus

Member
Premium Subscriber
Joined
Jun 9, 2006
Messages
6,156
Location
Southeastern Michigan
1994 was the year that the ECPA was modified, to prevent analog cell freqs from being monitored, legally. (This all applies to the USA, other countries have their own laws, which I don't track.)

The analog cells are history now, and we're still left with no modern equipment that will receive those freqs. (For whatever moves onto those freqs.)
 

dkf435

Member
Joined
Apr 15, 2006
Messages
737
Location
Sweet Home/Foster OR
Up into the late 90s the AR5000 could be modded; I would say an AR5000+3B, no way, blocks hard coded. Some of the early models only had the first half of the memories blocked; the back half was not. You can change between the two by, I think, pushing scan or search while turning on.
The blocked frequencies were stored in the CPU in hex. The limits would have to be overwritten with default place holders. Gommert Buysen from Butel software had a webpage up years ago about the AR5000 command set and the mods.

The mods do work on both the AR8000 and AR5000 early version. You will need a computer with a REAL RS232 port!!! and a terminal program.

Screwing around and bit banging stuff in CPUs can trash them and make boat anchors!!

This page has command set. Pay attention to the CM,DM,MM command password required.
PASSWORD AR5BA4 for older units at least
AOR AR5000 remote commands

You could use these methods to also edit the band plan with default steps and modes.

This page has info about little quirks of the radio.
http://www.thiecom.de/ftp/aor/ar5000/information/ar5000-bulletin-e.pdf

David
 

mikedh505

Newbie
Joined
Oct 5, 2011
Messages
2
Hello Group,

Why? I really don't know. I guess I just would like to have
a fully functioning scanner that receives as much as
possible.

This is such a terrific radio that perhaps the golden rule
applies here: If it ain't broke, don't fix it. This radio is not
broke. So I simply won't open it up.

However, Thank you all for your excellent suggestions!

73's
 

kd7rto

Member
Joined
Dec 19, 2002
Messages
477
Location
Bountiful, Ut
Why do so many believe the premise that if you cannot demodulate intelligible audio, or decode readable lines of text, there is nothing of value to be gained from receiving the signal?

There is some sigint to be learned from any transmission over the air.
 

tulsascan

Member
Feed Provider
Joined
Feb 17, 2003
Messages
47
Location
Tulsa
If you want one with no gaps, I have an AR8200 MK3 B that I would consider trading for the AR5000. The one I have was purchased without gaps, government model. If interested, contact me offsite.
 

WayneH

Forums Veteran
Super Moderator
Joined
Dec 16, 2000
Messages
7,543
Location
Your master site
Why??????
If one works in the industry and deals with interference to cell or PCS band equipment having a small, portable receiver is very helpful. Not so much with a Uniden or GRE but actual communications receivers are helpful with sig meters. Even with the right paperwork ICOM will not sell an unblocked receiver (Gov only, no exceptions). Other than maybe Anritsu equipment everything is huge and bulky, and wants 110v.
 

dkf435

Member
Joined
Apr 15, 2006
Messages
737
Location
Sweet Home/Foster OR
An AR5000 with the SDU5500 and an Optoelectronics DC440 tone reader is a very powerful tool; add the Optoelectronics Scout to the mix and you can do a lot.

David Kb7uns
 

Max440

Member
Joined
Oct 19, 2011
Messages
3
Unlock AOR5000+ ALOT more

AR5000 My EEPROM PLAZA
My AR5000 EEPROM PLAZA
Again AOR forgot to put some information
in the manual. But here is the secret told.
Last update: 29-Mar-1998
AUTHOR: Gommert Buysen The Netherlands January 1998
Version: 1.03
Important:
The information found at this page may not be correct. I received some updates for this
page. They will be available soon.
You DO NOT need any permission to copy or publish this information because I think
this is something everybody must know BUT always mention the author's name of this
original text. As I spend a lot of time in 'hacking' the 5000 this is the least you can do back
for this free information. And do not forget to name my website or add a link to it because
only here you will find the most up to date information. If you publish this information at
your site or in a magazine please send me a copy/web address.
Contents:
- Introduction
- Password
file:///G|/Scanners/AR 5000/AR5000 My EEPROM PLAZA.htm (1 of 14)27/02/2008 05:46:06
- The CM command
- The DM command
- The MM command
- The AR5000 memory map
- AR5000 US bandplan
- My unblocked European AR5000 EEPROM data
- My EEPROM browser
Introduction
The AR5000 is the most advanced receiver at the market. It is designed by people that
really know what a radio amateur needs. Unfortunately they always forget to give us all
the details about their remote commands. I think they use the advanced remote options to
program the AR5000 for several markets. By using the RS232 they don't need an
underpaid Japanese Girl to copy EPROM's and place them in every receiver. They just
plug in a RS232 connector and download the information to the receiver. It also allows
update of the preprogrammed bandplans because they usually do not fit the local market
(especially the Dutch market). I have spent a lot of time in trying to get access to the
EEPROM and I finally found the secret. This page will give you some information but not
all information. So I need your help in order to update this page. If you find any
interesting information about memory areas or unblock information or whatever please
send me an email and I will put it at this page with your name of course. I hope you find
this information useful. Let me know what you think of it. I would like to remind you that
you must only change data unless you are ABSOLUTELY sure what you are doing or
make at least a copy of the old data. Of course I'm not responsible for any damage or
whatever. As I wrote a program for the AR8000 that also makes a backup of the complete
EEPROM I'm planning to do the same for the 5000. In this way you can make a backup
and restore it if things go wrong. But as I still work on my ARC (AR8000 Remote
Control) program it will take some time before such a program will be released. If
somebody thinks he can write such a useful tool and wants to share it with others send me
a copy and I will put it at my AR5000 page.
Now enjoy the secrets of the AR5000!
Gommert Buysen January 1998 (written in the Netherlands)
The Password
The AR5000 remote command set has three undocumented commands: CM, DM, MM
used for direct EEPROM access. These commands DO NOT work unless you first send a
password. This password is
AR5BA4
The response will be a question mark (clever guys those AOR engineers) BUT this will
give access to the CM, DM and MM command until you power off the AR5000.
The CM command
CM allows you to DIRECT change the EEPROM data. This is much better than with the
AR8000. There you can only read the EEPROM using the clone option after which you
can use a program to read/edit it. If you want to edit line F080, simply type CMF080. The
response will be the contents of that address. You can then type in the new data using a
simple terminal program. Example of typing CMF000 in terminal program:
CMF000
F000:00 00 10 00 00 00 10 00 18 00 14 FF 00 00 00 00.
F000: 'here is a cursor blinking'
If you type a new character the 5000 will echo the character back.
The DM command
DM allows you to get a list of 128 bytes of data at your screen.
Typing DMF000 in a terminal program will give:
DMF000
F000:00 00 10 00 00 00 10 00 18 00 14 FF 00 00 00 00
F010:00 00 15 30 00 00 90 00 18 00 14 FF 00 00 00 00
F020:00 01 80 00 00 00 00 50 18 00 14 FF 00 00 00 00
F030:00 01 84 20 00 00 00 50 18 00 12 FF 00 00 00 00
F040:00 02 00 00 00 00 00 50 18 00 13 FF 00 00 00 00
F050:00 02 30 00 00 00 10 00 18 00 21 FF 00 00 00 00
F060:00 02 50 00 00 00 00 50 18 00 13 FF 00 00 00 00
F070:00 03 20 00 00 00 10 00 18 00 21 FF 00 00 00 00
You can use all addresses between 0000 and FFFF.
Typing DMA will give you A000-A07F
Typing DMF will give you F000-F07F etc
The MM command:
To store new data you must use the MM command. This is useful when you use a
program that modifies the data. I'm working on a program that modifies the AR5000
bandplan.
If you want to send data to a specific address type:
MMF630 0461310000050000180030FF00010000
This is basically the EEPROM address followed by all the 16 bytes.
Note there is a space between the address and the data but there are no spaces between the
data bytes.
AR5000 Memory Map (version 1.02)
After playing around with my homebuilt AR5000 EEPROM Browser I came up with
this AR5000 Memory map. Please send me your additional information or corrections.
I have updated this memory map with information from Francois, Yves and Jose.
(Francois really did a great job!!!)
(Unknown means data present.)
(FF data means area is filled with FF.)
0000-0CFF : Memory Bank 0 Data
0D00-0DFF: Search Bank 0 Data
0E00-0FFF: Search Bank 0 Pass Data
1000-1CFF : Memory Bank 1 Data
1D00-1DFF: Search Bank 1 Data
1E00-1FFF: Search Bank 1 Pass Data
2000-2CFF : Memory Bank 2 Data
2D00-2DFF: Search Bank 2 Data
2E00-2FFF: Search Bank 2 Pass Data
3000-3CFF : Memory Bank 3 Data
3D00-3DFF: Search Bank 3 Data
3E00-3FFF: Search Bank 3 Pass Data
4000-4CFF : Memory Bank 4 Data
4D00-4DFF: Search Bank 4 Data
4E00-4FFF: Search Bank 4 Pass Data
5000-5CFF : Memory Bank 5 Data
5D00-5DFF: Search Bank 5 Data
5E00-5FFF: Search Bank 5 Pass Data
6000-6CFF : Memory Bank 6 Data
6D00-6DFF: Search Bank 6 Data
6E00-6FFF: Search Bank 6 Pass Data
7000-7CFF : Memory Bank 7 Data
7D00-7DFF: Search Bank 7 Data
7E00-7FFF: Search Bank 7 Pass Data
8000-8CFF : Memory Bank 8 Data
8D00-8DFF: Search Bank 8 Data
8E00-8FFF: Search Bank 8 Pass Data
9000-9CFF : Memory Bank 9 Data
9D00-9DFF: Search Bank 9 Data
9E00-9FFF: Search Bank 9 Pass Data
Memory channel data: (by Francois Michaud) Each memory channel uses 32 bytes:
xx00 AA AA AA AA AA BB BB BB CD EF GH IJ KL MM OO PQ
xx10 RS TT VV VV WX YZ ab cd ee ee ee ee ee ee ee ee
AA: Frequency: 01 66 80 00 00 = 166.8 MHz
BB: Step: 00 50 00 = 5.0 kHz
C: Front end: 1= Auto Tune / 5=Manual
D: Memory select scan + Memory Pass.
Binary: x (select scan on/off) x (Pass on/off)
Select scan on / Pass on is hex 6 or binary x11x.
E: Auto Mode ON/OFF, DTMF ON/OFF, Tone Eliminator ON/OFF
Binary: (automode bit) (step adjust on/off) (DTMF bit) (Tone elim.bit)
0 Auto Mode OFF, DTMF OFF, Tone Elim. OFF, Step Adjust OFF
1 Auto Mode OFF, DTMF OFF, Tone Elim. ON, Step Adjust OFF
2 Auto Mode OFF, DTMF ON, Tone Elim. OFF, Step Adjust OFF
3 Auto Mode OFF, DTMF ON, Tone Elim. ON, Step Adjust OFF
8 Auto Mode ON, DTMF OFF, Tone Elim. OFF, Step Adjust ON
9 Auto Mode ON, DTMF OFF, Tone Elim. ON, Step Adjust ON
A Auto Mode ON, DTMF ON, Tone Elim. OFF, Step Adjust ON
B Auto Mode ON, DTMF ON, Tone Elim. ON, Step Adjust ON
F: CTCSS ON/OFF/SEARCH - Attenuator AUTO/ MANUAL
Binary: (CTCSS Search) (CTCSS On/OFF) (ATT Bit) (STEP ADJUST ON/OFF)
0 CTCSS OFF, Attenuator MANUAL
2 CTCSS OFF, Attenuator AUTO
4 CTCSS ON, Attenuator MANUAL
6 CTCSS ON, Attenuator AUTO
C CTCSS Search, Attenuator MANUAL
E CTCSS Search,Attenuator AUTO
G: Bandwidth uses lowest 3 bits. Meaning of highest bit is unknown.
0 = 0.5 kHz
1 = 3 kHz
2 = 6 kHz
3 = 15 kHz
4 = 30 kHz
5 = 110 kHz
6 = 220 kHz
H: Mode uses lowest 3 bits. Highest bit is Antenna Auto On/Off
0 = FM
1 = AM
2 = LSB
3 = USB
4 = CW
8 = FM, Antenna AUTO ON
I: Audio De-emphasis:
0 = 5 uS
1 = 50 uS
2 = 75 uS
3 = 750 uS
4 = THRU uS
J: Audio Filters:
K: AGC,Offset direction (K=1 Offset +, K=5 Offset -)
L: Antenna Selection + Attenuator
Binary: (Antenna # / 2 bits )(ATT two bits)
Antenna number: 00 = 1 / 01 = 2 / 10 = 3 / 11 = 4
ATT: 00 = 0dB / 01 = -10dB / 10 = -20 dB
-20 dB only valid below 230 MHz
MM: Tone Eliminator Value 00 to FF (0 to 255)
OO: CTCSS Value, same value as in instruction set (14 = 156.7 Hz)
RR: hex value indicating the relative setting of the front end tune.
TT: Offset value (Number of the Offset Memory 0 to 47 if Positive Offset, 81 to C7 if
Negative Offset, Add 80 to the number of the memory for Negative Offset)
VV: Memory channel number
X: SUB DIAL step:
ee: Text label (hexadecimal code of the ASCII character)
A000-A04F: User defined step offset data (01-19)
A050-A0FF: 'factory pre-programmed' step offset data (20-47)
(see page 22 of AR5000 manual version 1.0)
Note that changing these pre-programmed offsets also require reprogramming of your
offset reference in your automode bandplan.
A100: VFO A Data
A120: VFO B Data
A140: VFO C Data
A160: VFO D Data
A180: VFO E Data
A200-A20F: VFO PASS DATA 0 - 3
A210-A21F: VFO PASS DATA 4 - 7
A220-A22F: VFO PASS DATA 8 - 11
A230-A23F: VFO PASS DATA 12 - 15
A240-A24F: VFO PASS DATA 16 - 19
A250-A3FF: FF Data
A400: Priority Channel Data
A420-A4FF: FF Data
A500-A5FF: Unknown (here is CONFIG/OPTION and more stuff stored)
A600-A7FF: FF Data
A800-A8DF: Unknown
A8E0-A8FF: FF Data
A900-A9FF: Antenna 1 switching data
AA00-AAFF: Antenna 2 switching data
AB00-ABFF: Antenna 3 switching data
AC00-ACFF: Antenna 4 switching data
AD00-B1FF: FF Data
B200-B4FF : Search Bank 10 Data + Pass Data
B500-B7FF : Search Bank 11 Data + Pass Data
B800-BAFF : Search Bank 12 Data + Pass Data
BB00-BDFF : Search Bank 13 Data + Pass Data
BE00-C0FF : Search Bank 14 Data + Pass Data
C100-C3FF : Search Bank 15 Data + Pass Data
C400-C6FF : Search Bank 16 Data + Pass Data
C700-C9FF : Search Bank 17 Data + Pass Data
CA00-CCFF : Search Bank 18 Data + Pass Data
CD00-CEFF : Search Bank 19 Data + Pass Data
CF00-CFFF: FF Data
D000-D00F: Unknown
D010-D2FF: FF Data
D300-DEFF: Unknown
DF00-E21F: FF Data
E220-E231: Unknown
Jose found these names written in ascii code at:
E500-E50F: K.YAMASHIRO
E510-E51F: Y.HASHIMOTO
E520-E52F: M.SHIMIZU
E530-E53F: Y.NOMURA
USA Blocked 5000:
EE00:08 49 00 00 00 08 24 01 00 00 FF FF FF FF FF 00
EE10:08 94 00 00 00 08 69 01 00 00 FF FF FF FF FF FF
European Unblocked 5000:
EE00:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
EE10:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
EFF0-EFF1 : Version information.
My version is 03.10. Yves (enjoy your beer in the internet-cafe!) from Brussel has a 5000
and his version is 04.00. Jose has found 97 07 10 at EFF0-EFF2. Please mail me your
AR5000 type (old or +3) with serial number and version.
F000-F7FF: AUTOMODE bandplan
The Automode bandplan
The bandplan is stored between F000 and F7FF (128 entries).
Here is an example of my bandplan stored at address F630:
F630:04 61 31 00 00 02 00 00 18 60 30 FF 00 01 00 00
Each entry consists of 16 bytes:
F000: AA AA AA AA AA BB BB BB DD EF GH II JJ KK KK KK
AA: 5 bytes with the frequency: eg 102.50 MHz is 01 02 50 00 00
BB: 3 bytes with the step: eg 12.50 kHz is 01 25 00
DD: LPF/HPF/de-emphasis settings.
I have seen 10,18 and 98 at this address.
E: Step adjust OFF = 0 ON = 6
F: unknown
G: Bandwidth ( 0=0.5kHz (if filter is installed) , 1=3kHz , 2=6kHz , 3=15kHz , 4=30kHz ,
5=110kHz , 6=220 kHz)
H: Mode ( 0=FM , 1=AM , 2=LSB , 3=USB , 4 =CW , 5=Synchr.AM , 6 ,7)
Mode 5, 6 and 7 are only valid for AR5000+3 (tnx Iance!)
II: In my bandplan always FF.
JJ: Reference to "factory pre-programmed" offset. 20 refers to offset #20. 2A refers to
offset #30 etc. Note that you can change the pre-programmed data that is stored at address
A050 but make sure these settings match. For negative offset add 80 to the value so offset
#21 negative will be A1.
KK: Step offset used when Step adjust is on.
Example of the step-adjust: In my country we have a cellular band between 461.310 MHz
and 465.990 MHz with 20 kHz step. As this requires an offset I have programmed my
bandplan as follows:
Fxxx: 04 61 31 00 00 02 00 00 18 60 30 FF 00 01 00 00
So the step itself is 20 kHz and because the step-adjust is switched on the frequency is
shifted by 10 kHz
I did not yet play with the LPF/HPF de-emphasis data byte. If you find something out
please let me know.
European Unblocked AR5000 EEPROM DATA:
My complete EEPROM data is available in text format. Click here to download
5000data.txt in zip format.
This is the EEPROM data of an unblocked European AR5000. The cellular block is stored
at EE00 and EE10 in US AR5000's. Remove the data and replace it with FF will open up
your cellular band.
My EEPROM browser
To browse my EEPROM I wrote a simple tool in Visual Basic. With that I can play with
the AR5000 and check if data changes. At the moment I can not send data to the AR5000
with the browser but it is a start. Although it is not a good excuse, time is the problem as
for the moment I'm flying and driving a lot through Europe to solve other problems.
If you want to receive a simple EEPROM browser, that only reads data from the eeprom,
please mail me at arcsoftware@geocities.com.
Thanks for reading this information. Remember to mention my name when you copy/
publish it. If you find any more details please mail them to me. Check this page for update
information.
Gommert Buysen, Breda The Netherlands.
There you have it anything you want to do with your AR5000 Enjoy. Max440
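The bandplan record layout described in the quoted page can be checked by decoding a saved DM dump offline. This is an added example, not code from the post or from Gommert Buysen's page; the function names are hypothetical, and reading the BCD fields as Hz is inferred from the page's own examples (01 02 50 00 00 = 102.50 MHz, 01 25 00 = 12.50 kHz).

```python
import re

# Nibble tables copied from the bandplan field list in the post above.
BANDWIDTH = {0: "0.5 kHz", 1: "3 kHz", 2: "6 kHz", 3: "15 kHz",
             4: "30 kHz", 5: "110 kHz", 6: "220 kHz"}
MODE = {0: "FM", 1: "AM", 2: "LSB", 3: "USB", 4: "CW", 5: "Synchr.AM"}
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s*((?:[0-9A-Fa-f]{2}\s*){16})\.?\s*$")


def bcd_to_int(data: bytes) -> int:
    """Decode packed BCD (two decimal digits per byte); reject non-decimal nibbles."""
    value = 0
    for byte in data:
        hi, lo = byte >> 4, byte & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"byte {byte:02X} is not packed BCD")
        value = value * 100 + hi * 10 + lo
    return value


def parse_dump(text: str) -> dict:
    """Map address -> 16 raw bytes for every well-formed 'ADDR:xx xx ...' row."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # echoed commands such as 'DMF000' and blank lines are skipped
            rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return rows


def decode_bandplan(addr: int, raw: bytes):
    """Decode one 16-byte AUTOMODE bandplan entry; return None for an erased (FF) row."""
    if not 0xF000 <= addr <= 0xF7FF:
        raise ValueError(f"{addr:04X} is outside the bandplan area F000-F7FF")
    if raw[:8] == b"\xff" * 8:
        return None
    return {
        "freq_hz": bcd_to_int(raw[0:5]),            # AA: 10 BCD digits, read as Hz
        "step_hz": bcd_to_int(raw[5:8]),            # BB: 6 BCD digits, read as Hz
        "filter_byte": raw[8],                      # DD: left undecoded, as on the page
        "step_adjust": raw[9] >> 4 == 6,            # E: 0 = OFF, 6 = ON
        "bandwidth": BANDWIDTH.get(raw[10] >> 4, "unknown"),   # G
        "mode": MODE.get(raw[10] & 0x0F, "unknown"),           # H
        "offset_ref": raw[12],                      # JJ: pre-programmed offset number
        "step_offset_hz": bcd_to_int(raw[13:16]),   # KK: assumed BCD, read as Hz
    }


# Rows F030, F050, F630 are quoted from the post; F640 is a constructed erased row.
SAMPLE = """DMF000
F030:00 01 84 20 00 00 00 50 18 00 12 FF 00 00 00 00
F050:00 02 30 00 00 00 10 00 18 00 21 FF 00 00 00 00
F630:04 61 31 00 00 02 00 00 18 60 30 FF 00 01 00 00
F640:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
"""


def decode_sample():
    rows = parse_dump(SAMPLE)
    return {f"{a:04X}": decode_bandplan(a, r) for a, r in sorted(rows.items())}


if __name__ == "__main__":
    print(decode_sample())
```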
 

dkf435

Member
Joined
Apr 15, 2006
Messages
737
Location
Sweet Home/Foster OR
AR5000 My EEPROM PLAZA
My AR5000 EEPROM PLAZA
Again AOR forgot to put some information
in the manual. But here is the secret told.
<snip>


I have been looking for my print out of that site. Those are the instructions. Also just purchased a ARD 25 and hooked it up to the AR5000 and it works fairly good for sniffing around for things .

David Kb7uns
 