ASK byte moved in MTS2000, can't find it

radicalbill

Member
Joined
Mar 9, 2007
Messages
171
Location
Malta, NY
I have several MTS2000 model III radios
They are
H01UCH6PW1BN
Codeplug: 000F
Firmware: 08.73
Package: H37
Flash code: 200004-000000-2 & 000004-000000-6

I have read that the byte that controls the ASK is at 0X282 with the checksum at 0X289, that is the most current, the previous location was 0X28E,

but,

the location has moved again

The 2 lines before and after this area in the codeplug are now all 00

Does anyone know where they moved the ASK byte to for this model radio with this flashcode and firmware ?

I don't have a clean s-record for the radios before they were ASK'd

I am not even sure if they would take an old S-record now that they have been ASK'd

If anyone can help, I would really appreciate it

Otherwise, I have a bunch of paperweights

Thanks in advance

Bill
KC2OVX
 

Chance

Member
Joined
Dec 19, 2002
Messages
84
Location
Sachse, Texas
Just saw your post. It did move to a new location in the latest firmware. I see you posted on the other forum too. Will try to help troubleshoot over there.

These were my findings for a batch of radios I got off eBay. Will update if we find it is different on your radios.

The ASK Flag can be found in the most significant bit of 0x282. Make sure to update checksum at 0x289. In my case the byte was 80. So it became 00. And the checksum was 14, subtract 80 and it became 94.

I wrote a quick .Net/C# program to take care of the programming for a batch of B5 radios had for $5 apiece on eBay. Many thanks to Mars and the Python scripts written by Paul Banks.

Communications log. (Adjust your values accordingly in bold.)

Sending 01 02 00 40 9E
Echoed: 01 02 00 40 9E

Entering SBEP Mode
Sending 00 12 01 06 02
Echoed: 00 12 01 06 02
Ack: 50
Entered SBEP Mode


Sending F5 17 00 02 82 00 6F
Echoed: F5 17 00 02 82 00 6F
Ack: 50
Received 00 02 82


Sending F5 17 00 02 89 94 D4
Echoed: F5 17 00 02 89 94 D4
Ack: 50
Received 00 02 89

Exited SBEP Mode

Sending 00 00 01 08 7C
Echoed: 00 00 01 08 7C
 

radicalbill

Are these locations in the S-record? Because in the codeplug, these locations are all 00

I am guessing these values need to be changed in the S-record

Can you confirm? And is it safe to use Lab on a radio that has been ASK'd?
 

Chance

I am not familiar with anything other than the official Windows version of Motorola CPS. All 0's in that location would definitely be a problem. Does the radio even turn on? I once tried for fun setting a flash to all 0's and it would no longer boot. I take it you're able to read the radio in CPS to know ASK is on, so I don't think it is the case.

I sniffed the serial port to see the commands that it uses and found how to retrieve the flash contents directly. I then started reverse engineering the block types to figure out where I need to look. I am not that familiar with the S-RECORD format. It's mostly just a legacy thing from back when floppy disks and other storage were not that reliable. I know you have to calculate the checksum for the block record... and then a checksum for the S-RECORD... I just skipped that extra link in the chain.

You can use an advanced serial port software terminal like Real Term and send the bytes that I have above, if you wanted to give it a shot in the dark on one of your radios. Set the speed to 9600 BPS. Send the hex values and you should see the returns noted above.

Are you running old old RSS on DOS? Otherwise if you can connect the cable to a modern computer, I can send you a .Net program that reads from the serial port. I've been swamped at work and my time just freed back up to get back to finishing hacking the rest of this radio. I'll refresh what I know tomorrow and then I'm sure we can figure it out. There's a lot of these ASK'd radios out there for next to nothing.
 

radicalbill

I am using the CPS 02.03

I can read the codeplug just fine. I just can't write it back, it gives me the error that it needs the ASK

Here is one of the codeplugs

If you can send me the program that would be great

Since I can access CPS, your software should work, if the location has not moved

Thanks again

Bill
KC2OVX
 

Chance

CPG files are encrypted and only readable by CPS. I wasn't able to tell anything from it.

Attached is a very crude version of a project I just started. Only the Read button is functional. Select your Com Port and hit read. It will read the entire contents of the flash memory to a HEX file. The file will be in the same folder as the executable with a prefix of MTS2000. Attach that file and I can confirm the ASK location and send back another EXE file that will write the correct fix.

Unzip the attached file and click JediComlink. You might get a security message. If so, right click on the file and uncheck the unblock option and/or tell Windows smart screen to ignore.

You'll need the .Net framework 4.6.1 which is likely already installed if you have Windows 10 and get Windows updates. I've tested it with a "ribless" cable and with a RIB. Despite old RSS and CPS not running on newer CPUs, there should be no issue with timing or the need to run on a slower machine.

Looking forward to seeing what you have. And to getting the ASK removed.
 

Chance

If you see the following, it is seeing the RIB or RIB-less cable but not communicating with the radio.

....
Entering SBEP Mode
Sending 00 12 01 06 02
Echoed: xxxxxxxxxx
Received: F0
Ack: F8
Entered SBEP Mode

Sending F5 11 20 00 00 00 D9
Echoed: F5 11 20 00 00 00 D9
The operation has timed out.
....
 

Chance

If you see this it is not seeing the RIB or the RIB-Less interface:

...
Entering SBEP Mode
Sending 00 12 01 06 02
The operation has timed out.
....

(No "Echoed" as in above)... Basically, with the RIB attached it echoes everything you send on the com port.
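
The communications log in the earlier post and the two failure logs above, run through a small read-only checker (an added example, not code from the thread or from the .Net program it mentions). It assumes, from the three logged F5 frames only, that a frame's bytes sum to 0xFF modulo 256; frames that do not start with F5 are not checked, and the status names are made up here.

```python
import re

# Constructed input: lines copied from the three logs quoted in the posts above.
OK_LOG = """Sending F5 17 00 02 82 00 6F
Echoed: F5 17 00 02 82 00 6F
Ack: 50
Received 00 02 82"""
NO_RADIO_LOG = """Sending 00 12 01 06 02
Echoed: xxxxxxxxxx
Received: F0
Ack: F8
Sending F5 11 20 00 00 00 D9
Echoed: F5 11 20 00 00 00 D9
The operation has timed out."""
NO_INTERFACE_LOG = """Sending 00 12 01 06 02
The operation has timed out."""

LINE = re.compile(r"(Sending|Echoed:|Ack:|Received:?)\s+(.*)")

def sbep_checksum_ok(frame):
    # Assumption inferred from the logged F5 frames: all bytes sum to 0xFF mod 256.
    return (sum(frame) & 0xFF) == 0xFF

def diagnose(log):
    """Return one dict per 'Sending' line: frame, checksum verdict, status."""
    results, cur = [], None
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) == "Sending":
            frame = bytes.fromhex(m.group(2))
            cur = {"frame": frame, "echoed": False, "answered": False,
                   # Only F5 frames are checked; the page gives no rule for the others.
                   "checksum_ok": sbep_checksum_ok(frame) if frame[0] == 0xF5 else None}
            results.append(cur)
        elif cur is None:
            continue
        elif m and m.group(1) == "Echoed:":
            cur["echoed"] = True      # the RIB or RIB-less cable echoes what is sent
        elif m:
            cur["answered"] = True    # Ack / Received came back from the radio
    for r in results:
        if not r["echoed"]:
            r["status"] = "interface not seen"
        elif not r["answered"]:
            r["status"] = "radio not answering"
        else:
            r["status"] = "ok"
    return results
```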
 

Chance

This may answer your original question. Sorry, I had to go back through the motions to catch up again. Yes that area is filled with a lot of 0's.

 

Chance

Just to add a little more on the code plugs. Values are not stored in particular addresses. Instead there are a series of blocks. Between different firmware and/or CPS versions the location of a block might shift around.

0x0200 is where the first block is written. Block 30 starts here and is 79 bytes in length for the latest firmware. Then Block 31 contains the ASK setting.

This is what I know about Block 30 so far:

Block 30 Length 79 Starting At 0200
Unknown Bytes: 3E 00
Serial: 466ABY4692
Model: H01UCF6PW1BN
Unknown Bytes: 00 00 00 00
Codeplug Time: 12/26/2013 12:05:00 PM
Unknown Bytes: 03 00 1D
Code Plug Size 2060
.....Bunch of Pointers to other Block types, including Block 31.

Block 31 Length 55 Starting At 0251
Unknown Bytes
37 31 01 FC 91 2E 80 10 45 02 00 02 04 08 28 05
03 0A 06 04 0E 05 03 0E 05 03 28 09 00 00 0A 0A
00 01 01 01 00 00 00 00 00 28 00 00 00 00 00 00
00 80 00 00 00 00 00 00 14

80 in the last line is the ASK flag value.
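
The block layout described in the post above, as a read-only walk over a flash image (an added example, not part of the original post or the poster's program). The Block 31 bytes and the addresses 0x0200, 0x0251, 0x282 and 0x289 come from the thread; the two-byte [length][type] header, the 0x30 type byte for Block 30, and the zero-filled Block 30 are assumptions made for this example.

```python
# Bytes of Block 31 exactly as quoted in the post above (57 bytes).
BLOCK31 = bytes.fromhex(
    "37 31 01 FC 91 2E 80 10 45 02 00 02 04 08 28 05 "
    "03 0A 06 04 0E 05 03 0E 05 03 28 09 00 00 0A 0A "
    "00 01 01 01 00 00 00 00 00 28 00 00 00 00 00 00 "
    "00 80 00 00 00 00 00 00 14"
)
FIRST_BLOCK = 0x0200          # from the post: the first block is written here
ASK_OFFSET = 0x282 - 0x251    # 49: flag byte position relative to Block 31 start
HEADER = 2                    # assumption: [length][type] precede the counted bytes

def read_block(image, start):
    """Return (type, length, raw bytes) for the block that begins at `start`."""
    length, btype = image[start], image[start + 1]
    raw = image[start:start + HEADER + length]
    if len(raw) != HEADER + length:
        raise ValueError("block at 0x%04X runs past the end of the image" % start)
    return btype, length, raw

def find_ask(image):
    """Walk Block 30 -> Block 31 and report the ASK flag; nothing is modified."""
    t30, len30, _ = read_block(image, FIRST_BLOCK)
    if t30 != 0x30:               # assumed type byte, by analogy with "37 31"
        raise ValueError("no Block 30 at 0x%04X" % FIRST_BLOCK)
    start31 = FIRST_BLOCK + HEADER + len30
    t31, len31, raw31 = read_block(image, start31)
    if t31 != 0x31:
        raise ValueError("Block 31 does not follow Block 30 in this image")
    return {
        "block31_start": start31,
        "ask_addr": start31 + ASK_OFFSET,
        "ask_set": bool(raw31[ASK_OFFSET] & 0x80),   # most significant bit
        "checksum_addr": start31 + HEADER + len31 - 1,
        "checksum": raw31[-1],
    }

def make_image(block30_len):
    """Constructed image: zero padding, a zero-filled Block 30, then BLOCK31."""
    block30 = bytes([block30_len, 0x30]) + bytes(block30_len)
    return bytes(FIRST_BLOCK) + block30 + BLOCK31
```

With the 79-byte Block 30 from the post, `find_ask(make_image(79))` reports the flag at 0x282 and the checksum at 0x289; a constructed Block 30 of a different length moves both absolute addresses while the offset inside Block 31 stays the same.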
 

radicalbill

I can't get the 4.6.1 or the 4.7.2 to install

I have Windows 7 Ultimate 32 bit, quad core 4.0 Ghz machine with 4.0 GB ram

Not sure what to do now. I don't have any laptops with Windows 10 on them and only 32 bit OS will work to communicate with the radio
I figured that out when I tried using my desktop 64 bit machine and it would not read the radios

I will look for a solution on-line to this install problem, but if you have any other ideas, I really could use the help.

Thanks
 

Chance

I'll try to build for an older version of .Net. In the part of the program that reads and splices the code-plug blocks I have some newer C# code. If I strip it down to only what is necessary to read/write, I think I can make it work under the 2.0 framework. Be back soon.
 

Chance

Try this version. It is compiled under .Net 4.0. Note that the only thing needed now is the actual .EXE file. All the other files in the last ZIP are not needed.
 

Chance

While waiting for your response... I also wrote an emulator for CPS to talk to. I can freely read and write from CPS to a virtual device. I thought I could get smart with the CPG you sent and have it write the un-encrypted version to my virtual devices.... But... CPS insists on doing a full Read of the device before doing a Write. I spoofed the serial number...but still wasn't enough.

However it greatly sped up the process of finding which CPS values map to which byte in a codeplug block.. My hopes are to make a programmer outside of CPS for the Jedi Series... Time will tell ;-)
 

radicalbill

Now that is amazing. I wish I could do what you do. It dumped the whole radio into a hex file. This is s/n 466AYL2580
It has flash code 200004-000000-2

I have other radios, same model, I will dump those as well.

Hopefully they are all the same
 

Chance

I'll get to looking at it. Be back shortly. BTW, the program I sent does work on 64 bit. It's only the CPS that has a problem on 64 bit.
 

Chance

Yep. You have it set in that exact place I mentioned. Though the checksum will be different. I just changed the HEX file and was able to get CPS to write to my emulator. Ended up being a neat way to test a change first... Will be back shortly, probably an hour, with a .EXE file
 

radicalbill

I looked at each radio's HEX in a hex editor and they all look like they have 80 at 282 and 74 at 289
I am attaching the 5 radio dumps here
Thanks
 
